Merge pull request #58 from gmmcal/prepare-to-oss

Update rails, improve lint and add github actions

.dockerignore

@@ -0,0 +1,37 @@
+# See https://docs.docker.com/engine/reference/builder/#dockerignore-file for more about ignoring files.
+
+# Ignore git directory.
+/.git/
+
+# Ignore bundler config.
+/.bundle
+
+# Ignore all environment files (except templates).
+/.env*
+!/.env*.erb
+
+# Ignore all default key files.
+/config/master.key
+/config/credentials/*.key
+
+# Ignore all logfiles and tempfiles.
+/log/*
+/tmp/*
+!/log/.keep
+!/tmp/.keep
+
+# Ignore pidfiles, but keep the directory.
+/tmp/pids/*
+!/tmp/pids/.keep
+
+# Ignore storage (uploaded files in development and any SQLite databases).
+/storage/*
+!/storage/.keep
+/tmp/storage/*
+!/tmp/storage/.keep
+
+# Ignore assets.
+/node_modules/
+/app/assets/builds/*
+!/app/assets/builds/.keep
+/public/assets

.github/workflows/_docker.yml

@@ -0,0 +1,45 @@
+name: Build
+
+on:
+  workflow_call:
+    inputs:
+      tag-name:
+        type: string
+        required: false
+        default: "gmmcal/ynab"
+      target:
+        type: string
+        required: false
+        default: test
+      publish:
+        type: boolean
+        required: false
+        default: true
+
+jobs:
+  build:
+    name: "Build Image"
+    runs-on: ubuntu-20.04
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Build image
+        uses: docker/build-push-action@v5
+        with:
+          push: ${{ inputs.publish }}
+          context: .
+          target: ${{ inputs.target }}
+          tags: ${{ inputs.tag-name }}:${{ inputs.target }}
+          cache-from: type=registry,ref=gmmcal/ynab:buildcache${{ inputs.target }}
+          cache-to: type=registry,ref=gmmcal/ynab:buildcache${{ inputs.target }},mode=max

.github/workflows/_lint.yml

@@ -0,0 +1,25 @@
+name: Lint
+
+on:
+  workflow_call:
+    inputs:
+      command:
+        type: string
+        required: true
+      image:
+        type: string
+        required: false
+        default: gmmcal/ynab:test
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-20.04
+    container:
+      image: ${{ inputs.image }}
+      options: "--user=root:root"
+
+    steps:
+      - name: Execute ${{ inputs.command }}
+        run: ${{ inputs.command }}
+        working-directory: /rails

.github/workflows/_release.yml

@@ -0,0 +1,29 @@
+name: Release
+
+on:
+  workflow_call:
+    inputs:
+      tag:
+        type: string
+        required: true
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Create release
+        uses: ncipollo/release-action@v1
+        with:
+          generateReleaseNotes: true
+          tag: ${{ inputs.tag }}
+
+  deploy:
+    name: Deploy
+    uses: ./.github/workflows/deploy.yml
+    secrets: inherit
+    needs: release

.github/workflows/_tests.yml

@@ -0,0 +1,38 @@
+name: Backend Tests
+
+on:
+  workflow_call:
+    inputs:
+      command:
+        type: string
+        required: true
+
+jobs:
+  tests:
+    name: Tests
+    runs-on: ubuntu-20.04
+    container:
+      image: gmmcal/ynab:test
+      env:
+        DATABASE_URL: postgres://postgres:postgres@postgres:5432/gmmcalcombr_test
+        DATABASE_CLEANER_ALLOW_REMOTE_DATABASE_URL: true
+
+    services:
+      postgres:
+        image: postgres:16
+        env:
+          POSTGRES_USER: postgres
+          POSTGRES_PASSWORD: postgres
+          POSTGRES_DB: gmmcalcombr_test
+        ports:
+          - 5432:5432
+        options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
+
+    steps:
+      - name: Migrate database
+        run: bundle exec rails db:migrate
+        working-directory: /rails
+
+      - name: Execute tests
+        run: ${{ inputs.command }}
+        working-directory: /rails

.github/workflows/codeql.yml

@@ -0,0 +1,37 @@
+name: CodeQL
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+  schedule:
+    - cron: "0 0 * * *"
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: "ubuntu-latest"
+    permissions:
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: ruby
+            build-mode: none
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{matrix.language}}"

.github/workflows/deploy.yml

@@ -0,0 +1,25 @@
+name: Deploy
+
+on:
+  push:
+    branches:
+      - main
+  release:
+    types: [published]
+  workflow_call:
+
+jobs:
+  build_production:
+    name: "Build: Production"
+    uses: ./.github/workflows/_docker.yml
+    secrets: inherit
+    with:
+      target: production
+
+  build_development:
+    name: "Build: Development"
+    uses: ./.github/workflows/_docker.yml
+    secrets: inherit
+    with:
+      target: development
+    if: github.event_name == 'push'

.github/workflows/pull_request.yml

@@ -0,0 +1,61 @@
+name: Pipeline
+
+on:
+  - pull_request
+
+jobs:
+  build:
+    name: Test
+    uses: ./.github/workflows/_docker.yml
+    secrets: inherit
+
+  development:
+    name: Development
+    uses: ./.github/workflows/_docker.yml
+    secrets: inherit
+    with:
+      target: development
+      publish: false
+
+  production:
+    name: Production
+    uses: ./.github/workflows/_docker.yml
+    secrets: inherit
+    with:
+      target: production
+      publish: false
+
+  rubocop:
+    name: Rubocop
+    uses: ./.github/workflows/_lint.yml
+    with:
+      command: bundle exec rubocop --config .rubocop.yml .
+    needs: build
+
+  reek:
+    name: Reek
+    uses: ./.github/workflows/_lint.yml
+    with:
+      command: bundle exec reek --config .reek.yml .
+    needs: build
+
+  brakeman:
+    name: Brakeman
+    uses: ./.github/workflows/_lint.yml
+    with:
+      command: bundle exec brakeman
+    needs: build
+
+  tests:
+    name: Backend
+    uses: ./.github/workflows/_tests.yml
+    with:
+      command: bundle exec rails test
+    needs: build
+
+  bundler-audit:
+    name: Bundler Audit
+    uses: ./.github/workflows/_lint.yml
+    with:
+      command: bundle exec bundle-audit check --update
+    needs: build

.github/workflows/tag.yml

@@ -0,0 +1,67 @@
+name: Tag
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 1 * * 0"
+
+jobs:
+  determine-tag:
+    name: Determine version number
+    runs-on: ubuntu-20.04
+    outputs:
+      version: ${{ steps.tag.outputs.version }}
+      has-changes: ${{ steps.diff.outputs.has_changes }}
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-tags: true
+          fetch-depth: 0
+
+      - name: Get diff
+        id: diff
+        run: |
+          LATEST=`git describe --tags --abbrev=0`
+          DIFF=`git diff --name-only $LATEST $GITHUB_SHA | awk '{printf "%s+",$0} END {print ""}'`
+          if [ "$DIFF" != '' ]; then
+            echo "has_changes=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "has_changes=false" >> $GITHUB_OUTPUT;
+          fi
+
+      - name: Bump tag number
+        id: tag
+        run: |
+          VERSION=`git describe --tags --abbrev=0 | awk -F. '{OFS="."; $NF+=1; print $0}'`
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+
+      - name: Print version
+        run: echo ${{ steps.tag.outputs.version }}
+
+  create-tag:
+    name: Create tag
+    runs-on: ubuntu-20.04
+    needs: determine-tag
+    if: needs.determine-tag.outputs.has-changes == 'true'
+
+    steps:
+      - name: Create Tag ${{needs.determine-tag.outputs.version}}
+        uses: actions/github-script@v6
+        with:
+          script: |
+            github.rest.git.createRef({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              ref: 'refs/tags/${{needs.determine-tag.outputs.version}}',
+              sha: context.sha
+            })
+
+  create-release:
+    name: Release
+    uses: ./.github/workflows/_release.yml
+    secrets: inherit
+    needs: [create-tag, determine-tag]
+    with:
+      tag: ${{needs.determine-tag.outputs.version}}

.reek.yml

@@ -10,12 +10,13 @@ detectors:
   InstanceVariableAssumption:
     exclude:
       - "/Controller$/"
+  TooManyInstanceVariables:
+    max_instance_variables: 5
 
 directories:
   "db/migrate":
     TooManyStatements:
       enabled: false
 
 exclude_paths:
-  - node_modules
   - vendor