Add temporary admin routes to backfill DNS records (#1079) #1670
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: validate | |
| concurrency: | |
| group: validate-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} | |
| cancel-in-progress: true | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| push: | |
| branches: | |
| - main | |
| # Allows you to run this workflow manually from the Actions tab | |
| workflow_dispatch: | |
| permissions: | |
| id-token: write # This is required for requesting the JWT | |
| contents: read # This is required for actions/checkout | |
| jobs: | |
| # This job detects which parts of the repo have been changed, setting future jobs up for conditional behavior. | |
| detect-changes: | |
| runs-on: ubuntu-latest | |
| env: | |
| IS_CI_AUTOMATION: "yes" | |
| outputs: | |
| src-changed: ${{ steps.check.outputs.src-changed }} | |
| e2e-changed: ${{ steps.check.outputs.e2e-changed }} | |
| iac-changed: ${{ steps.check.outputs.iac-changed }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: "22" | |
| - uses: dorny/paths-filter@v3 | |
| id: check | |
| with: | |
| filters: | | |
| src-changed: | |
| - 'assets/**' | |
| - 'static/**' | |
| - 'templates/**' | |
| - 'scripts/entry.sh' | |
| - 'Dockerfile' | |
| - 'manage.py' | |
| - 'MANIFEST.in' | |
| - 'package.json' | |
| - 'package-lock.json' | |
| - 'pyproject.toml' | |
| - 'README.md' | |
| - 'src/**' | |
| - 'uv.lock' | |
| - 'vite.config.mjs' | |
| e2e-changed: | |
| - '.github/workflows/validate.yml' | |
| - '.env.example' | |
| - 'config.toml.example' | |
| - 'docker-compose.yml' | |
| - 'Dockerfile.keycloak' | |
| - 'keycloak/**' | |
| - 'test/e2e/**' | |
| iac-changed: | |
| - 'pulumi/**' | |
| validate-accounts: | |
| needs: detect-changes | |
| if: needs.detect-changes.outputs.src-changed == 'true' | |
| runs-on: ubuntu-latest | |
| environment: | |
| name: staging | |
| deployment: false | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Start docker-compose | |
| run: docker compose up -d --build -V postgres redis accounts vite-dev | |
| # Manually run this step as it seems to not run correctly sometimes? | |
| - name: Build frontend | |
| run: | | |
| docker compose exec vite-dev bash -c 'npm run build & npm run build-theme' | |
| - name: Accounts lint check | |
| run: | | |
| docker compose exec accounts bash -c 'uv run ruff check' | |
| - name: Test with pytest | |
| run: | | |
| docker compose exec accounts bash -c 'uv run coverage run --source="thunderbird_accounts" manage.py test thunderbird_accounts' | |
| - name: Generate code coverage report | |
| continue-on-error: true | |
| run: | | |
| docker compose exec accounts bash -c 'uv run coverage report' | |
| validate-iac: | |
| needs: detect-changes | |
| if: needs.detect-changes.outputs.iac-changed | |
| runs-on: ubuntu-latest | |
| environment: | |
| name: staging | |
| deployment: false | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Ruff formatting/linting checks | |
| uses: chartboost/ruff-action@v1 | |
| with: | |
| src: "pulumi" | |
| args: "format --check" | |
| - name: Ruff error checks | |
| uses: chartboost/ruff-action@v1 | |
| with: | |
| src: "pulumi" | |
| run-e2e-tests-local: | |
| needs: | |
| - detect-changes | |
| - validate-accounts | |
| if: >- | |
| always() && | |
| (needs.detect-changes.outputs.src-changed == 'true' || needs.detect-changes.outputs.e2e-changed == 'true') && | |
| needs.detect-changes.result == 'success' && | |
| needs.validate-accounts.result != 'failure' && | |
| needs.validate-accounts.result != 'cancelled' | |
| runs-on: ubuntu-latest | |
| environment: | |
| name: staging | |
| deployment: false | |
| env: | |
| ACCTS_FXA_EMAIL: ${{ secrets.E2E_ACCTS_FXA_EMAIL }} | |
| ACCTS_FXA_PWORD: ${{ secrets.E2E_ACCTS_FXA_PWORD }} | |
| FXA_CLIENT_ID: ${{ secrets.E2E_ACCTS_FXA_CLIENT_ID }} | |
| FXA_SECRET: ${{ secrets.E2E_ACCTS_FXA_SECRET }} | |
| SECRET_KEY: ${{ secrets.E2E_ACCTS_SECRET_KEY }} | |
| LOGIN_CODE_SECRET: ${{ secrets.E2E_ACCTS_LOGIN_CODE_SECRET }} | |
| FXA_ENCRYPT_SECRET: ${{ secrets.E2E_ACCTS_FXA_ENCRYPT_SECRET }} | |
| PADDLE_TOKEN: ${{ secrets.E2E_ACCTS_PADDLE_TOKEN }} | |
| EMAIL_SIGN_UP_ADDRESS: ${{ secrets.E2E_ACCTS_PADDLE_EMAIL_SIGN_UP_ADDRESS }} | |
| PADDLE_API_KEY: ${{ secrets.E2E_ACCTS_PADDLE_API_KEY }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Resolve `keycloak` host alias to localhost | |
| shell: bash | |
| run: | | |
| # The accounts container's OIDC config redirects users through | |
| # `http://keycloak:8999/...`, which is also where Keycloak issues its | |
| # SSO cookies. Both Firefox (during sign-in) and Node-side fetches in | |
| # the e2e tests (admin API calls) need that hostname to resolve, so | |
| # add the alias the README already documents for local dev. | |
| echo '127.0.0.1 keycloak' | sudo tee -a /etc/hosts | |
| - name: Set up local environment | |
| shell: bash | |
| run: | | |
| cp .env.example .env | |
| mkdir -p mail/etc && cp config.toml.example mail/etc/config.toml | |
| append_env_if_set() { | |
| local key="$1" | |
| local value="${!key}" | |
| if [ -n "$value" ]; then | |
| printf '%s=%s\n' "$key" "$value" >> .env | |
| fi | |
| } | |
| echo >> .env | |
| append_env_if_set FXA_CLIENT_ID | |
| append_env_if_set FXA_SECRET | |
| append_env_if_set SECRET_KEY | |
| append_env_if_set LOGIN_CODE_SECRET | |
| append_env_if_set FXA_ENCRYPT_SECRET | |
| append_env_if_set PADDLE_TOKEN | |
| append_env_if_set PADDLE_API_KEY | |
| - name: Start accounts stack via docker | |
| run: docker compose up -d --build -V | |
| - name: Wait for local services | |
| run: | | |
| curl --retry 30 --retry-all-errors --retry-delay 2 --fail http://localhost:8087/health | |
| curl --retry 30 --retry-all-errors --retry-delay 2 --fail http://localhost:9000/health/ready | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: 20 | |
| cache: 'npm' | |
| cache-dependency-path: 'test/e2e/package-lock.json' | |
| - name: Install E2E test dependencies | |
| working-directory: test/e2e | |
| run: | | |
| npm ci | |
| npx playwright install --with-deps firefox | |
| - name: Create test plans | |
| run: | | |
| docker compose exec accounts ./manage.py create_plan_for_e2e_test Low ${{ secrets.E2E_ACCTS_PADDLE_PRODUCT_ID_LO }} | |
| docker compose exec accounts ./manage.py create_plan_for_e2e_test Medium ${{ secrets.E2E_ACCTS_PADDLE_PRODUCT_ID_MD }} | |
| docker compose exec accounts ./manage.py create_plan_for_e2e_test High ${{secrets.E2E_ACCTS_PADDLE_PRODUCT_ID_HI }} | |
| - name: Give the e2e test account an active subscription | |
| # The Vue router redirects authenticated users without an active | |
| # subscription to /subscribe, which keeps the MFA tests from reaching | |
| # /manage-mfa. The management command pre-creates the Django User row | |
| # (mozilla-django-oidc only creates it on first sign-in) and attaches | |
| # an ACTIVE Subscription so `User.has_active_subscription` is true. | |
| run: | | |
| docker compose exec accounts ./manage.py create_active_subscription_for_e2e_test admin@example.org | |
| - name: Run E2E tests against local stack | |
| id: e2e | |
| working-directory: test/e2e | |
| run: | | |
| cp .env.dev.example .env | |
| npm run e2e-test | |
| - uses: actions/upload-artifact@v4 | |
| if: ${{ always() && !cancelled() }} | |
| with: | |
| name: playwright-report | |
| path: test/e2e/playwright-report/ | |
| retention-days: 7 |