chore: quick wins from OSS audit (#203, #204, #211, #212) #469
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build Extralit server package | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.sha }} | |
| cancel-in-progress: true | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: | |
| - main | |
| - develop | |
| - releases/** | |
| paths: | |
| - "extralit-server/**" | |
| - ".github/workflows/extralit-server.yml" | |
| pull_request: | |
| paths: | |
| - "extralit-server/**" | |
| - ".github/workflows/extralit-server.yml" | |
| permissions: | |
| id-token: write | |
| jobs: | |
| build: | |
| name: Build `extralit-server` package | |
| if: github.event.pull_request.draft == false | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| shell: bash -l {0} | |
| working-directory: extralit-server | |
| services: | |
| elasticsearch: | |
| image: docker.elastic.co/elasticsearch/elasticsearch:8.17.0 | |
| ports: | |
| - 9200:9200 | |
| env: | |
| discovery.type: single-node | |
| xpack.security.enabled: false | |
| postgres: | |
| image: postgres:14 | |
| env: | |
| POSTGRES_HOST: localhost | |
| POSTGRES_USER: postgres | |
| POSTGRES_PASSWORD: postgres | |
| POSTGRES_DB: extralit | |
| options: >- | |
| --health-cmd pg_isready | |
| --health-interval 10s | |
| --health-timeout 5s | |
| --health-retries 5 | |
| ports: | |
| - 5432:5432 | |
| redis: | |
| image: redis | |
| options: >- | |
| --health-cmd "redis-cli ping" | |
| --health-interval 10s | |
| --health-timeout 5s | |
| --health-retries 5 | |
| ports: | |
| - 6379:6379 | |
| minio: | |
| image: lazybit/minio | |
| volumes: | |
| - /data:/data | |
| env: | |
| MINIO_ACCESS_KEY: minioadmin | |
| MINIO_SECRET_KEY: minioadmin | |
| options: --name=minio --health-cmd "curl http://localhost:9000/minio/health/live" | |
| ports: | |
| - 9000:9000 | |
| env: | |
| HF_HUB_DISABLE_TELEMETRY: 1 | |
| EXTRALIT_S3_ENDPOINT: http://localhost:9000 | |
| EXTRALIT_S3_ACCESS_KEY: minioadmin | |
| EXTRALIT_S3_SECRET_KEY: minioadmin | |
| steps: | |
| - name: Checkout Code 🛎 | |
| uses: actions/checkout@v4 | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 | |
| with: | |
| pyproject-file: "extralit-server/pyproject.toml" | |
| enable-cache: true | |
| cache-local-path: ~/.cache/uv | |
| cache-dependency-glob: "extralit-server/uv.lock" | |
| - name: Install dependencies | |
| run: uv sync --group test --extra postgresql | |
| - name: Run tests 📈 | |
| id: run-tests | |
| continue-on-error: true | |
| env: | |
| HF_TOKEN_EXTRALIT_INTERNAL_TESTING: ${{ secrets.HF_TOKEN_EXTRALIT_INTERNAL_TESTING }} | |
| EXTRALIT_DATABASE_URL: postgresql://postgres:postgres@localhost:5432/extralit | |
| EXTRALIT_ELASTICSEARCH: http://localhost:9200 | |
| EXTRALIT_SEARCH_ENGINE: elasticsearch | |
| run: | | |
| uv run pytest tests/unit --cov=extralit_server --cov-report=term --cov-report=xml --verbosity=0 --disable-warnings | |
| - name: Upload test coverage | |
| if: always() | |
| uses: codecov/codecov-action@v5.4.3 | |
| with: | |
| files: coverage.xml | |
| flags: extralit-server | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| - name: Check test status | |
| if: steps.run-tests.outcome == 'failure' | |
| run: exit 1 | |
| - name: Upload test results to Codecov | |
| if: ${{ !cancelled() }} | |
| uses: codecov/test-results-action@v1 | |
| with: | |
| flags: extralit-server | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| # This section is used to build the frontend and copy the build files to the server. | |
| # In the future, static files should be downloaded after the frontend is built and uploaded as an artifact. | |
| - name: Setup Node.js for frontend dependencies | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: 20 | |
| - name: Install frontend dependencies | |
| working-directory: extralit-frontend | |
| env: | |
| BASE_URL: "@@baseUrl@@" | |
| DIST_FOLDER: ./dist | |
| run: | | |
| npm install | |
| npm run build | |
| # End of frontend build section | |
| - name: Build package | |
| run: | | |
| cp -r ../extralit-frontend/dist src/extralit_server/static | |
| uv build | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: extralit-server | |
| path: extralit-server/dist | |
| build_docker_images: | |
| name: Build docker images | |
| uses: ./.github/workflows/extralit-server.build-docker-images.yml | |
| if: | | |
| github.ref == 'refs/heads/main' | |
| || github.ref == 'refs/heads/develop' | |
| || contains(github.ref, 'releases/') | |
| || github.event_name == 'workflow_dispatch' | |
| || (github.event_name == 'pull_request' && !github.event.pull_request.head.repo.fork && !github.event.pull_request.draft) | |
| needs: | |
| - build | |
| with: | |
| is_release: ${{ github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch' }} | |
| publish_latest: ${{ github.ref == 'refs/heads/main' }} | |
| secrets: inherit | |
| # This job will publish extralit-server python package into PyPI repository | |
| publish_release: | |
| name: Publish Release | |
| runs-on: ubuntu-latest | |
| if: ${{ github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch' }} | |
| needs: | |
| - build | |
| - build_docker_images | |
| defaults: | |
| run: | |
| shell: bash -l {0} | |
| working-directory: extralit-server | |
| permissions: | |
| # This permission is needed for private repositories. | |
| # contents: read | |
| # IMPORTANT: this permission is mandatory for trusted publishing on PyPI | |
| id-token: write | |
| steps: | |
| - name: Checkout Code 🛎 | |
| uses: actions/checkout@v4 | |
| - name: Update repo visualizer | |
| uses: githubocto/repo-visualizer@0.7.1 | |
| with: | |
| root_path: "extralit-server/" | |
| excluded_paths: "dist,build,node_modules,docs,tests,.swm,assets,.github,package-lock.json,uv.lock" | |
| excluded_globs: "*.spec.js;**/*.{png,jpg,svg,md};**/!(*.module).ts,**/__pycache__/,**/__mocks__/,LICENSE*,**/.gitignore,**/*.egg-info/,**/.*/" | |
| output_file: "repo-visualizer.svg" | |
| should_push: false | |
| - name: Upload repo visualizer diagram as artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: repo-visualizer | |
| path: repo-visualizer.svg | |
| retention-days: 10 | |
| - name: Download python package | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: extralit-server | |
| path: extralit-server/dist | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 | |
| with: | |
| pyproject-file: "extralit-server/pyproject.toml" | |
| - name: Read package info | |
| run: | | |
| PACKAGE_VERSION=$(grep '__version__' src/extralit_server/_version.py | cut -d'"' -f2) | |
| PACKAGE_NAME="extralit-server" | |
| echo "PACKAGE_VERSION=$PACKAGE_VERSION" >> $GITHUB_ENV | |
| echo "PACKAGE_NAME=$PACKAGE_NAME" >> $GITHUB_ENV | |
| echo "$PACKAGE_NAME==$PACKAGE_VERSION" | |
| - name: Publish Package to PyPI test environment 🥪 | |
| continue-on-error: true | |
| run: | | |
| uv publish --index-url https://test.pypi.org/legacy/ --token ${{ secrets.AR_TEST_PYPI_API_TOKEN }} dist/* | |
| - name: Test Installing 🍿 | |
| continue-on-error: true | |
| run: | | |
| pip install --index-url https://test.pypi.org/simple --no-deps $PACKAGE_NAME==$PACKAGE_VERSION | |
| - name: Publish Package to PyPI 🥩 | |
| if: github.ref == 'refs/heads/main' | |
| run: | | |
| uv publish --token ${{ secrets.AR_PYPI_API_TOKEN }} dist/* |