Merge branch 'staging' into feature/limit-photo-visibility

Author: lodewiges

.env.example

@@ -11,3 +11,8 @@ POSTGRES_PASSWORD=<password>
 HOST=csvalpha.nl
 
 NGROK_HOST=<subdomain>.ngrok.io
+
+NOREPLY_EMAIL=[email protected]
+ICT_EMAIL=[email protected]
+PRIVACY_EMAIL=[email protected]
+MAILADMIN_EMAIL=[email protected]

.github/problem-matchers/actionlint.json

@@ -0,0 +1,17 @@
+{
+  "problemMatcher": [
+    {
+      "owner": "actionlint",
+      "pattern": [
+        {
+          "regexp": "^([^:]+):(\\d+):(\\d+):\\s(.+)\\s\\[(\\S+)\\]$",
+          "file": 1,
+          "line": 2,
+          "column": 3,
+          "message": 4,
+          "code": 5
+        }
+      ]
+    }
+  ]
+}

.github/renovate.json

@@ -0,0 +1,4 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": ["github>csvalpha/.github"]
+}

.github/workflows/cleanup-registry.yml

@@ -5,20 +5,14 @@ on:
     - cron: '0 0 * * 1' # https://crontab.guru/#0_0_*_*_1
   workflow_dispatch:
 
-env:
-  IMAGE_NAMES: amber-api
-
 jobs:
   cleanup:
     name: Cleanup
     runs-on: ubuntu-latest
     steps:
-      - name: Delete old versions
-        uses: snok/container-retention-policy@81ba73785bb8207a451a0de928aa6a3c57d6fd77 # tag=v1.4.0
+      - name: Delete untagged images
+        uses: actions/delete-package-versions@e5bc658cc4c965c472efe991f8beea3981499c55 # v5.0.0
         with:
-          image-names: ${{ env.IMAGE_NAMES }}
-          cut-off: 2 days ago UTC
-          account-type: org
-          org-name: ${{ github.repository_owner }}
-          skip-tags: latest,staging
-          token: ${{ secrets.PAT }}
+          package-name: ${{ github.event.repository.name }}
+          package-type: container
+          delete-only-untagged-versions: true

.github/workflows/continuous-delivery.yml

@@ -4,17 +4,21 @@ on:
   workflow_dispatch:
     inputs:
       merge:
-        description: Merge staging into master first? (y/N)
+        type: boolean
+        description: Merge staging into master first?
         required: false
-        default: 'n'
+        default: false
+      ignore_metadata_diff:
+        type: boolean
+        description: Perform all jobs, regardless of whether there are actual changes?
+        required: false
+        default: false
 
 concurrency:
   group: cd-${{ github.ref_name }}
 
 env:
   PROJECT_NAME: amber-api
-  SENTRY_ORG: csvalpha
-  APP_ID: 152333
 
 jobs:
   branch_check:
@@ -23,7 +27,7 @@ jobs:
     steps:
       - name: Validate branch
         run: |
-          if [ $GITHUB_REF_NAME != 'staging' ] && [ $GITHUB_REF_NAME != 'master' ]; then
+          if [ "$GITHUB_REF_NAME" != 'staging' ] && [ "$GITHUB_REF_NAME" != 'master' ]; then
             echo 'This workflow can only be run on branches staging and master.'
             exit 1
           fi
@@ -37,41 +41,41 @@ jobs:
       stage: ${{ steps.get_metadata.outputs.stage }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Get metadata
         id: get_metadata
         env:
-          INPUT_MERGE: ${{ github.event.inputs.merge }}
+          INPUT_MERGE: ${{ inputs.merge }}
         run: |
-          if [ $GITHUB_REF_NAME = 'master' ]; then
-            if [ "${INPUT_MERGE,,}" = 'y' ]; then
+          if [ "$GITHUB_REF_NAME" = 'master' ]; then
+            if [ "$INPUT_MERGE" == 'true' ]; then
               git fetch origin staging
               if ! git diff origin/master origin/staging --exit-code; then
-                echo '::set-output name=has_diff::true'
+                echo 'has_diff=true' >> "$GITHUB_OUTPUT"
               else
-                echo '::set-output name=has_diff::false'
+                echo 'has_diff=false' >> "$GITHUB_OUTPUT"
               fi
             fi
 
-            echo '::set-output name=stage::production'
+            echo 'stage=production' >> "$GITHUB_OUTPUT"
           else
-            echo '::set-output name=stage::staging'
+            echo 'stage=staging' >> "$GITHUB_OUTPUT"
           fi
 
   merge:
     name: Merge
     runs-on: ubuntu-latest
     needs: metadata
-    if: github.event.inputs.merge == 'y'
+    if: inputs.merge
     outputs:
       sha: ${{ steps.get_sha.outputs.sha }}
     steps:
       - name: Validate inputs
         env:
           HAS_DIFF: ${{ fromJSON(needs.metadata.outputs.has_diff || false) }}
         run: |
-          if [ $GITHUB_REF_NAME != 'master' ]; then
+          if [ "$GITHUB_REF_NAME" != 'master' ]; then
             echo 'Can only merge when the workflow target branch is master.'
             exit 1
           fi
@@ -82,11 +86,11 @@ jobs:
 
       - name: Checkout code
         if: fromJSON(needs.metadata.outputs.has_diff)
-        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Run merge
-        if: fromJSON(needs.metadata.outputs.has_diff)
-        uses: devmasx/merge-branch@854d3ac71ed1e9deb668e0074781b81fdd6e771f # tag=v1.4.0
+        if: fromJSON(needs.metadata.outputs.has_diff) || inputs.ignore_metadata_diff
+        uses: devmasx/merge-branch@854d3ac71ed1e9deb668e0074781b81fdd6e771f # v1.4.0
         with:
           type: now
           from_branch: staging
@@ -95,26 +99,27 @@ jobs:
 
       - name: Get merge commit SHA
         id: get_sha
-        if: fromJSON(needs.metadata.outputs.has_diff)
+        if: fromJSON(needs.metadata.outputs.has_diff) || inputs.ignore_metadata_diff
         run: |
           git fetch origin master
-          echo '::set-output name=sha::'$(git rev-parse origin/master)
+          echo 'sha='"$(git rev-parse origin/master)" >> "$GITHUB_OUTPUT"
 
   continuous_integration:
     name: Continuous Integration
     needs: [metadata, merge]
-    if: fromJSON(needs.metadata.outputs.has_diff)
-    uses: csvalpha/amber-api/.github/workflows/continuous-integration.yml@staging
+    if: fromJSON(needs.metadata.outputs.has_diff) || inputs.ignore_metadata_diff
+    uses: ./.github/workflows/continuous-integration.yml
     with:
       sha: ${{ needs.merge.outputs.sha }}
     secrets:
+      codecov_token: ${{ secrets.CODECOV_TOKEN }}
       rails_master_key: ${{ secrets.RAILS_MASTER_KEY }}
 
   publish_image:
     name: Publish Image
     needs: [metadata, merge]
-    if: fromJSON(needs.metadata.outputs.has_diff)
-    uses: csvalpha/amber-api/.github/workflows/publish-image.yml@staging
+    if: fromJSON(needs.metadata.outputs.has_diff) || inputs.ignore_metadata_diff
+    uses: ./.github/workflows/publish-image.yml
     with:
       sha: ${{ needs.merge.outputs.sha }}
     secrets:
@@ -126,37 +131,36 @@ jobs:
     needs: [metadata, merge, continuous_integration, publish_image]
     if: |
       (github.ref_name == 'staging' || github.ref_name == 'master') && ((github.ref_name == 'master' &&
-      github.event.inputs.merge == 'y' && fromJSON(needs.metadata.outputs.has_diff) && success()) ||
-      ((github.event.inputs.merge != 'y' || !fromJSON(needs.metadata.outputs.has_diff)) && !cancelled()))
+      inputs.merge && (fromJSON(needs.metadata.outputs.has_diff) || inputs.ignore_metadata_diff) && success()) ||
+      ((!inputs.merge || !(fromJSON(needs.metadata.outputs.has_diff) || inputs.ignore_metadata_diff)) && !cancelled()))
     steps:
       - name: Get environment URL
         id: get_url
         run: |
-          if [ $GITHUB_REF_NAME = 'master' ]; then
-            echo '::set-output name=environment_url::https://csvalpha.nl/api'
+          if [ "$GITHUB_REF_NAME" = 'master' ]; then
+            echo 'environment_url=https://csvalpha.nl/api' >> "$GITHUB_OUTPUT"
           else
-            echo '::set-output name=environment_url::https://staging.csvalpha.nl/api'
+            echo 'environment_url=https://staging.csvalpha.nl/api' >> "$GITHUB_OUTPUT"
           fi
 
       - name: Checkout code
-        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ needs.merge.outputs.sha }}
 
       - name: Start deployment
-        uses: bobheadxi/deployments@f235d02c2daaaa84c710d013c7d39f7f0f8bf298 # tag=v0.6.2
+        uses: bobheadxi/deployments@648679e8e4915b27893bd7dbc35cb504dc915bc8 # v1.5.0
         id: start_deployment
         with:
           step: start
-          token: ${{ secrets.GITHUB_TOKEN }}
           env: ${{ needs.metadata.outputs.stage }}
 
       - name: Deploy
-        uses: appleboy/ssh-action@1d1b21ca96111b1eb4c03c21c14ebb971d2200f6 # tag=v0.1.4
+        uses: appleboy/ssh-action@8faa84277b88b6cd1455986f459aa66cf72bc8a3 # v1.2.1
         env:
           STAGE: ${{ needs.metadata.outputs.stage }}
         with:
-          host: csvalpha.nl
+          host: ssh.csvalpha.nl
           username: github-actions
           key: ${{ secrets.SSH_PRIVATE_KEY }}
           envs: PROJECT_NAME,STAGE
@@ -167,50 +171,60 @@ jobs:
             docker-compose up -d
 
       - name: Finalize Sentry release
-        uses: getsentry/action-release@744e4b262278339b79fb39c8922efcae71e98e39 # tag=v1.1.6
+        uses: getsentry/action-release@a74facf8a080ecbdf1cb355f16743530d712abb7 # v1.11.0
         env:
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          SENTRY_ORG: ${{ vars.SENTRY_ORG_NAME }}
           SENTRY_PROJECT: ${{ env.PROJECT_NAME }}
         with:
           environment: ${{ needs.metadata.outputs.stage }}
           version: ${{ needs.merge.outputs.sha }}
           set_commits: skip
 
       - name: Finish deployment
-        uses: bobheadxi/deployments@f235d02c2daaaa84c710d013c7d39f7f0f8bf298 # tag=v0.6.2
+        uses: bobheadxi/deployments@648679e8e4915b27893bd7dbc35cb504dc915bc8 # v1.5.0
         if: steps.start_deployment.conclusion == 'success' && always()
         with:
           step: finish
-          token: ${{ secrets.GITHUB_TOKEN }}
           status: ${{ job.status }}
           deployment_id: ${{ steps.start_deployment.outputs.deployment_id }}
+          env: ${{ needs.metadata.outputs.stage }}
           env_url: ${{ steps.get_url.outputs.environment_url }}
 
   update_check_run:
     name: Update Check Run
     runs-on: ubuntu-latest
-    needs: [branch_check, metadata, merge, continuous_integration, publish_image, deploy]
+    needs:
+      [
+        branch_check,
+        metadata,
+        merge,
+        continuous_integration,
+        publish_image,
+        deploy,
+      ]
     if: (github.ref_name == 'staging' || github.ref_name == 'master') && always()
+    permissions:
+      checks: write
     steps:
       - name: Get conclusion
         id: get_conclusion
         env:
           RESULTS: ${{ join(needs.*.result, ' ') }}
         run: |
-          echo '::set-output name=conclusion::success'
+          echo 'conclusion=success' >> "$GITHUB_OUTPUT"
           for RESULT in $RESULTS; do
-            if [ $RESULT = 'cancelled' ] || [ $RESULT = 'failure' ]; then
-              echo '::set-output name=conclusion::'$RESULT
+            if [ "$RESULT" = 'cancelled' ] || [ "$RESULT" = 'failure' ]; then
+              echo 'conclusion='"$RESULT" >> "$GITHUB_OUTPUT"
               break
             fi
           done
 
       - name: Update Continuous Delivery check run
-        uses: guidojw/actions/update-check-run@2b1dea8cbd9e44491c269e771b75636026caf8ca # tag=v1.1.0
+        uses: LouisBrunner/checks-action@6b626ffbad7cc56fd58627f774b9067e6118af23 # v2.0.0
         with:
-          app_id: ${{ env.APP_ID }}
-          private_key: ${{ secrets.APP_PRIVATE_KEY }}
           sha: ${{ needs.merge.outputs.sha }}
+          token: ${{ github.token }}
           name: Continuous Delivery
           conclusion: ${{ steps.get_conclusion.outputs.conclusion }}
           details_url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}