Fix UntrustedHost error and add encryption tests #51
| name: CI/CD | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| permissions: | |
| contents: read | |
| id-token: write | |
| env: | |
| PROJECT_ID: gitunderstand | |
| REGION: us-central1 | |
| jobs: | |
| # Detect which parts of the codebase changed | |
| changes: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| backend: ${{ steps.filter.outputs.backend }} | |
| diagrams: ${{ steps.filter.outputs.diagrams }} | |
| diagrams-backend: ${{ steps.filter.outputs.diagrams-backend }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dorny/paths-filter@v3 | |
| id: filter | |
| with: | |
| filters: | | |
| backend: | |
| - 'src/**' | |
| - 'tests/**' | |
| - 'pyproject.toml' | |
| - 'Dockerfile' | |
| - 'requirements*.txt' | |
| diagrams: | |
| - 'diagrams/**' | |
| - '!diagrams/backend/**' | |
| diagrams-backend: | |
| - 'diagrams/backend/**' | |
| # Test the Python backend (runs on backend changes or PRs) | |
| test-backend: | |
| needs: changes | |
| if: needs.changes.outputs.backend == 'true' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python 3.13 | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.13" | |
| cache: "pip" | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| python -m pip install ".[dev]" | |
| - name: Lint with ruff | |
| run: ruff check src/ tests/ | |
| - name: Run tests | |
| run: pytest tests/ -v | |
| # Test the diagrams frontend build (runs on diagrams changes or PRs) | |
| test-diagrams: | |
| needs: changes | |
| if: needs.changes.outputs.diagrams == 'true' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: "20" | |
| - name: Install pnpm | |
| run: corepack enable && corepack prepare pnpm@9.13.0 --activate | |
| - name: Install dependencies | |
| working-directory: diagrams | |
| run: pnpm install --frozen-lockfile | |
| - name: Run tests | |
| working-directory: diagrams | |
| run: pnpm test | |
| - name: Build check | |
| working-directory: diagrams | |
| env: | |
| SKIP_ENV_VALIDATION: "1" | |
| run: pnpm build | |
| # Deploy the Python backend to Cloud Run | |
| deploy-backend: | |
| needs: [changes, test-backend] | |
| if: github.event_name == 'push' && needs.changes.outputs.backend == 'true' | |
| runs-on: ubuntu-latest | |
| environment: gitunderstand | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Authenticate to GCP | |
| uses: google-github-actions/auth@v2 | |
| with: | |
| workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }} | |
| service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }} | |
| token_format: access_token | |
| - name: Set up Cloud SDK | |
| uses: google-github-actions/setup-gcloud@v2 | |
| - name: Configure Docker | |
| run: gcloud auth configure-docker us-central1-docker.pkg.dev --quiet | |
| - name: Build and push Docker image | |
| run: | | |
| docker build \ | |
| --tag "us-central1-docker.pkg.dev/${{ env.PROJECT_ID }}/gitunderstand/app:${{ github.sha }}" \ | |
| --tag "us-central1-docker.pkg.dev/${{ env.PROJECT_ID }}/gitunderstand/app:latest" \ | |
| . | |
| docker push "us-central1-docker.pkg.dev/${{ env.PROJECT_ID }}/gitunderstand/app:${{ github.sha }}" | |
| docker push "us-central1-docker.pkg.dev/${{ env.PROJECT_ID }}/gitunderstand/app:latest" | |
| - name: Deploy to Cloud Run | |
| run: | | |
| gcloud run deploy gitunderstand \ | |
| --image "us-central1-docker.pkg.dev/${{ env.PROJECT_ID }}/gitunderstand/app:${{ github.sha }}" \ | |
| --region ${{ env.REGION }} \ | |
| --platform managed \ | |
| --allow-unauthenticated \ | |
| --port 8080 \ | |
| --memory 1Gi \ | |
| --cpu 1 \ | |
| --min-instances 0 \ | |
| --max-instances 10 \ | |
| --timeout 300 \ | |
| --set-env-vars "^@^GCP_PROJECT_ID=${{ env.PROJECT_ID }}@USE_LOCAL_STORAGE=false@GCS_BUCKET_NAME=gitunderstand-digests@ALLOWED_HOSTS=gitunderstand.com,gitunderstand-308289525742.us-central1.run.app,localhost,127.0.0.1" \ | |
| --set-secrets "CLAUDE_API_KEY=claude-api-key:latest" \ | |
| --project ${{ env.PROJECT_ID }} | |
| - name: Show URL | |
| run: | | |
| URL=$(gcloud run services describe gitunderstand --region ${{ env.REGION }} --project ${{ env.PROJECT_ID }} --format "value(status.url)") | |
| echo "::notice::Backend deployed to $URL" | |
| # Deploy the diagrams frontend to Cloud Run | |
| deploy-diagrams: | |
| needs: [changes, test-diagrams] | |
| if: github.event_name == 'push' && needs.changes.outputs.diagrams == 'true' | |
| runs-on: ubuntu-latest | |
| environment: gitunderstand | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Authenticate to GCP | |
| uses: google-github-actions/auth@v2 | |
| with: | |
| workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }} | |
| service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }} | |
| - name: Set up Cloud SDK | |
| uses: google-github-actions/setup-gcloud@v2 | |
| - name: Configure Docker | |
| run: gcloud auth configure-docker us-central1-docker.pkg.dev --quiet | |
| - name: Build and push Docker image | |
| working-directory: diagrams | |
| run: | | |
| docker build \ | |
| --tag "us-central1-docker.pkg.dev/${{ env.PROJECT_ID }}/gitunderstand/gitunderstand-web:${{ github.sha }}" \ | |
| --tag "us-central1-docker.pkg.dev/${{ env.PROJECT_ID }}/gitunderstand/gitunderstand-web:latest" \ | |
| . | |
| docker push "us-central1-docker.pkg.dev/${{ env.PROJECT_ID }}/gitunderstand/gitunderstand-web:${{ github.sha }}" | |
| docker push "us-central1-docker.pkg.dev/${{ env.PROJECT_ID }}/gitunderstand/gitunderstand-web:latest" | |
| - name: Deploy to Cloud Run | |
| run: | | |
| gcloud run deploy gitunderstand-web \ | |
| --image "us-central1-docker.pkg.dev/${{ env.PROJECT_ID }}/gitunderstand/gitunderstand-web:${{ github.sha }}" \ | |
| --region ${{ env.REGION }} \ | |
| --platform managed \ | |
| --allow-unauthenticated \ | |
| --port 8080 \ | |
| --memory 512Mi \ | |
| --cpu 1 \ | |
| --min-instances 0 \ | |
| --max-instances 5 \ | |
| --timeout 300 \ | |
| --add-cloudsql-instances=gitunderstand:us-central1:gitdiagram-db \ | |
| --set-secrets "POSTGRES_URL=diagrams-db-url:latest" \ | |
| --set-env-vars "^@^GITUNDERSTAND_API_URL=https://gitunderstand-308289525742.us-central1.run.app@NEXT_PUBLIC_API_DEV_URL=https://gitdiagram-backend-308289525742.us-central1.run.app@NODE_ENV=production@SKIP_ENV_VALIDATION=1" \ | |
| --project ${{ env.PROJECT_ID }} | |
| - name: Show URL | |
| run: | | |
| URL=$(gcloud run services describe gitunderstand-web --region ${{ env.REGION }} --project ${{ env.PROJECT_ID }} --format "value(status.url)") | |
| echo "::notice::Diagrams frontend deployed to $URL" | |
| # Test the diagrams backend (runs on diagrams-backend changes or PRs) | |
| test-diagrams-backend: | |
| needs: changes | |
| if: needs.changes.outputs.diagrams-backend == 'true' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python 3.11 | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.11" | |
| cache: "pip" | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| python -m pip install -r diagrams/backend/requirements.txt pytest | |
| - name: Run unit tests | |
| working-directory: diagrams/backend | |
| run: pytest tests/ -v -m "not integration" | |
| # Deploy the diagrams backend (FastAPI) to Cloud Run | |
| deploy-diagrams-backend: | |
| needs: [changes, test-diagrams-backend] | |
| if: github.event_name == 'push' && needs.changes.outputs.diagrams-backend == 'true' | |
| runs-on: ubuntu-latest | |
| environment: gitunderstand | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Authenticate to GCP | |
| uses: google-github-actions/auth@v2 | |
| with: | |
| workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }} | |
| service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }} | |
| - name: Set up Cloud SDK | |
| uses: google-github-actions/setup-gcloud@v2 | |
| - name: Configure Docker | |
| run: gcloud auth configure-docker us-central1-docker.pkg.dev --quiet | |
| - name: Build and push Docker image | |
| working-directory: diagrams/backend | |
| run: | | |
| docker build \ | |
| --tag "us-central1-docker.pkg.dev/${{ env.PROJECT_ID }}/gitunderstand/gitdiagram-backend:${{ github.sha }}" \ | |
| --tag "us-central1-docker.pkg.dev/${{ env.PROJECT_ID }}/gitunderstand/gitdiagram-backend:latest" \ | |
| . | |
| docker push "us-central1-docker.pkg.dev/${{ env.PROJECT_ID }}/gitunderstand/gitdiagram-backend:${{ github.sha }}" | |
| docker push "us-central1-docker.pkg.dev/${{ env.PROJECT_ID }}/gitunderstand/gitdiagram-backend:latest" | |
| - name: Deploy to Cloud Run | |
| run: | | |
| gcloud run deploy gitdiagram-backend \ | |
| --image "us-central1-docker.pkg.dev/${{ env.PROJECT_ID }}/gitunderstand/gitdiagram-backend:${{ github.sha }}" \ | |
| --region ${{ env.REGION }} \ | |
| --platform managed \ | |
| --allow-unauthenticated \ | |
| --port 8000 \ | |
| --memory 512Mi \ | |
| --cpu 1 \ | |
| --min-instances 0 \ | |
| --max-instances 5 \ | |
| --timeout 300 \ | |
| --add-cloudsql-instances=gitunderstand:us-central1:gitdiagram-db \ | |
| --set-secrets "ANTHROPIC_API_KEY=claude-api-key:latest,GITHUB_PAT=github-pat:latest" \ | |
| --set-env-vars "^@^ENVIRONMENT=production@ALLOWED_ORIGINS=https://gitunderstand.com,https://www.gitunderstand.com,http://localhost:3000" \ | |
| --project ${{ env.PROJECT_ID }} | |
| - name: Show URL | |
| run: | | |
| URL=$(gcloud run services describe gitdiagram-backend --region ${{ env.REGION }} --project ${{ env.PROJECT_ID }} --format "value(status.url)") | |
| echo "::notice::Diagrams backend deployed to $URL" |
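Review bot: Every third-party action in this workflow — `dorny/paths-filter@v3` in the `changes` job and `google-github-actions/auth@v2` / `setup-gcloud@v2` in all three deploy jobs — is pinned to a mutable major tag rather than a commit SHA, so a moved or compromised tag would execute inside jobs that hold `id-token: write` and obtain GCP credentials through workload identity. Pin each to a full-length SHA and keep the tag as a trailing comment, e.g. `uses: google-github-actions/auth@<commit-sha> # v2`, and let Dependabot or Renovate bump them. Separately, the production `--set-env-vars` for `gitdiagram-backend` lists `http://localhost:3000` in `ALLOWED_ORIGINS`, and the backend deploy lists `localhost,127.0.0.1` in `ALLOWED_HOSTS`; these only widen what a deployed service accepts and belong in a local/dev override rather than the Cloud Run deploy command. Also note the three `Authenticate to GCP` steps differ: only `deploy-backend` sets `token_format: access_token`; if that is deliberate, a comment such as `# access_token needed for configure-docker here` would stop the next reader from "fixing" the asymmetry.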