Ensure that flake8 runs on PR changes

Unfortunately, the way we previously set up our workflow caused flake8 to run on code already committed to master, not the changes made in a PR, because it ran in the context of the target branch. This is obviously useless when it comes to protecting our codebase from linting errors. I've now set up flake8 in a different way, using Workflow Commands to create error annotions. I've also split up the workflow into two separate workflows.
author: Sebastiaan Zeeff <[email protected]> 2020-11-19 00:37:14 +0100
committer: Sebastiaan Zeeff <[email protected]> 2020-11-19 00:37:14 +0100
commit: 3a9b8943d1d4203a7a6f41af5437d2c9dc90e828 (patch)
tree: 2a8534fddddc4f9c71fa7b77d2379606ea16d012 /.github
parent: Default to HTTPS for account URLs (diff)
2 files changed, 83 insertions, 67 deletions
diff --git a/.github/workflows/build-deploy.yaml b/.github/workflows/build-deploy.yaml
new file mode 100644
index 00000000..668927e0
--- /dev/null
+++ b/.github/workflows/build-deploy.yaml
@@ -0,0 +1,70 @@
+name: Build & Deploy
+
+on:
+  workflow_run:
+    workflows: ["Lint & Test"]
+    branches:
+      - master
+    types:
+      - completed
+
+  build-and-deploy:
+    name: Build and Deploy to Kubernetes
+    needs: lint-test
+    if: github.event.workflow_run.conclusion == 'success'
+    runs-on: ubuntu-latest
+
+    steps:
+      # Create a commit SHA-based tag for the container repositories
+      - name: Create SHA Container Tag
+        id: sha_tag
+        run: |
+          tag=$(cut -c 1-7 <<< $GITHUB_SHA)
+          echo "::set-output name=tag::$tag"
+
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      # The current version (v2) of Docker's build-push action uses
+      # buildx, which comes with BuildKit features that help us speed
+      # up our builds using additional cache features. Buildx also
+      # has a lot of other features that are not as relevant to us.
+      #
+      # See https://github.com/docker/build-push-action
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: Login to Github Container Registry
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ secrets.GHCR_USER }}
+          password: ${{ secrets.GHCR_TOKEN }}
+
+      # Build the container, including an inline cache manifest to
+      # allow us to use the registry as a cache source.
+      - name: Build and push
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          file: ./Dockerfile
+          push: true
+          cache-from: type=registry,ref=ghcr.io/python-discord/site:latest
+          cache-to: type=inline
+          tags: |
+            ghcr.io/python-discord/site:latest
+            ghcr.io/python-discord/site:${{ steps.sha_tag.outputs.tag }}
+
+      - name: Authenticate with Kubernetes
+        uses: azure/k8s-set-context@v1
+        with:
+          method: kubeconfig
+          kubeconfig: ${{ secrets.KUBECONFIG }}
+
+      - name: Deploy to Kubernetes
+        uses: Azure/k8s-deploy@v1
+        with:
+          manifests: |
+              deployment.yaml
+          images: 'ghcr.io/python-discord/site:${{ steps.sha_tag.outputs.tag }}'
+          kubectl-version: 'latest'
diff --git a/.github/workflows/lint-test-deploy.yaml b/.github/workflows/lint-test.yaml
index 7369a3b8..80305322 100644
--- a/.github/workflows/lint-test-deploy.yaml
+++ b/.github/workflows/lint-test.yaml
@@ -1,13 +1,10 @@
-name: Lint, Test & Deploy
+name: Lint & Test
 
 on:
   push:
     branches:
       - master
-  # We use pull_request_target as we get PRs from
-  # forks, but need to be able to add annotations
-  # for our flake8 step.
-  pull_request_target:
+  pull_request:
 
 
 jobs:
@@ -34,12 +31,8 @@ jobs:
       - name: Add custom PYTHONUSERBASE to PATH
         run: echo '${{ env.PYTHONUSERBASE }}/bin/' >> $GITHUB_PATH
 
-      # We don't want to persist credentials, as our GitHub Action
-      # may be run when a PR is made from a fork.
       - name: Checkout repository
         uses: actions/checkout@v2
-        with:
-          persist-credentials: false
 
       - name: Setup python
         id: python
@@ -86,14 +79,18 @@ jobs:
       - name: Run pre-commit hooks
         run: export PIP_USER=0; SKIP=flake8 pre-commit run --all-files
 
-      # This step requires `pull_request_target`, as adding annotations
-      # requires "write" permissions to the repo.
+      # Run flake8 and have it format the linting errors in the format of
+      # the GitHub Workflow command to register error annotations. This
+      # means that our flake8 output is automatically added as an error
+      # annotation to both the run result and in the "Files" tab of a
+      # pull request.
+      #
+      # Format used:
+      # ::error file={filename},line={line},col={col}::{message}
       - name: Run flake8
-        uses: julianwachholz/flake8-action@v1
-        with:
-          checkName: lint-test
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: "flake8 \
+        --format='::error file=%(path)s,line=%(row)d,col=%(col)d::\
+        [flake8] %(code)s: %(text)s'"
 
       - name: Run database using docker-compose
         run: docker-compose run -d -p 7777:5432 --name pydis_web postgres
@@ -119,54 +116,3 @@ jobs:
       - name: Tear down docker-compose containers
         run: docker-compose stop
         if: ${{ always() }}
-
-  build-and-deploy:
-    name: Build and Deploy to Kubernetes
-    needs: lint-test
-    if: github.event_name != 'pull_request_target' && github.ref == 'refs/heads/master'
-    runs-on: ubuntu-latest
-
-    steps:
-      # Create a commit SHA-based tag for the container repositories
-      - name: Create SHA Container Tag
-        id: sha_tag
-        run: |
-          tag=$(cut -c 1-7 <<< $GITHUB_SHA)
-          echo "::set-output name=tag::$tag"
-      - name: Checkout code
-        uses: actions/checkout@v2
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-
-      - name: Login to Github Container Registry
-        uses: docker/login-action@v1
-        with:
-          registry: ghcr.io
-          username: ${{ secrets.GHCR_USER }}
-          password: ${{ secrets.GHCR_TOKEN }}
-
-      - name: Build and push
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          file: ./Dockerfile
-          push: true
-          cache-from: type=registry,ref=ghcr.io/python-discord/site:latest
-          tags: |
-            ghcr.io/python-discord/site:latest
-            ghcr.io/python-discord/site:${{ steps.sha_tag.outputs.tag }}
-
-      - name: Authenticate with Kubernetes
-        uses: azure/k8s-set-context@v1
-        with:
-          method: kubeconfig
-          kubeconfig: ${{ secrets.KUBECONFIG }}
-
-      - name: Deploy to Kubernetes
-        uses: Azure/k8s-deploy@v1
-        with:
-          manifests: |
-              deployment.yaml
-          images: 'ghcr.io/python-discord/site:${{ steps.sha_tag.outputs.tag }}'
-          kubectl-version: 'latest'
author	Sebastiaan Zeeff <[email protected]>	2020-11-19 00:37:14 +0100
committer	Sebastiaan Zeeff <[email protected]>	2020-11-19 00:37:14 +0100
commit	3a9b8943d1d4203a7a6f41af5437d2c9dc90e828 (patch)
tree	2a8534fddddc4f9c71fa7b77d2379606ea16d012 /.github
parent	Default to HTTPS for account URLs (diff)