security update for rexml #970
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| on: | |
| push: | |
| branches: | |
| - '*' | |
| - '**/*' | |
| name: Precompile any assets that have changed and push them to S3 | |
| concurrency: | |
| group: ${{ github.ref }}-asset-compilation | |
| cancel-in-progress: true | |
| jobs: | |
| compile: | |
| name: Compile | |
| strategy: | |
| matrix: | |
| client_group: | |
| - gha_staging_load_1 | |
| - gha_staging_load_2 | |
| - gha_staging_load_3 | |
| - gha_staging_load_4 | |
| - gha_staging_load_5 | |
| - gha_staging_load_6 | |
| # - gha_staging_load_7 | |
| - gha_staging_load_8 | |
| - gha_production_load_1 | |
| - gha_production_load_2 | |
| - gha_production_load_3 | |
| - gha_production_load_4 | |
| # - gha_production_load_5 | |
| - gha_production_load_6 | |
| runs-on: ubuntu-20.04 | |
| container: ruby:3.1.6-alpine3.20 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| - name: Install GNU tar (required by cache step and checksumming) | |
| run: | | |
| apk add --no-cache tar | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v1-node16 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: us-east-1 | |
| - name: Set up dependencies | |
| env: | |
| DATABASE_APP_DB_TEST: boston_hmis_test | |
| WAREHOUSE_DATABASE_DB_TEST: warehouse_test | |
| HEALTH_DATABASE_DB_TEST: health_test | |
| DATABASE_DB_TEST: cas_test | |
| REPORTING_DATABASE_DB_TEST: reporting_test | |
| run: | | |
| apk add --no-cache \ | |
| nodejs yarn npm \ | |
| aws-cli \ | |
| tzdata \ | |
| git \ | |
| bash \ | |
| freetds-dev \ | |
| icu icu-dev \ | |
| curl libcurl curl-dev \ | |
| imagemagick \ | |
| libmagic file-dev file \ | |
| build-base libxml2-dev libxslt-dev postgresql-dev \ | |
| libgcc libstdc++ libx11 glib libxrender libxext libintl ttf-dejavu ttf-droid ttf-freefont ttf-liberation ttf-freefont \ | |
| chromium nss freetype freetype-dev harfbuzz ca-certificates ttf-freefont \ | |
| lftp postgresql tmux postgis geos geos-dev xz \ | |
| shared-mime-info \ | |
| xz | |
| echo "postgres:5432:*:postgres:postgres" > ~/.pgpass | |
| chmod 600 ~/.pgpass | |
| gem install bundler --version=2.4.14 | |
| # According to https://www.jessesquires.com/blog/2021/08/23/caching-bundler-on-github-actions/ | |
| # this is fragile and failure prone, but the step they recommend using instead (ruby/ruby-setup) | |
| # isn't supported on Alpine. | |
| - name: cache gems | |
| uses: actions/cache@v3 | |
| id: gemcache | |
| with: | |
| path: | | |
| vendor/bundle | |
| /usr/local/bundle/ | |
| key: ${{ runner.os }}-gemcache-${{ hashFiles('**/Gemfile.lock') }}-${{ hashFiles('**/.ruby-version') }} | |
| # restore-keys: | | |
| # ${{ runner.os }}-gem-bundler- | |
| # - name: Ruby | |
| # uses: ruby/setup-ruby@v1 | |
| # with: | |
| # bundler-cache: true | |
| - name: Install gems | |
| if: always() | |
| run: | | |
| bundle config set --local without 'production staging development' | |
| bundle install --jobs 10 --retry 3 | |
| - name: Generate checksum and compile | |
| env: | |
| SECRETS_YML_SECRET_ARN: ${{ secrets.SECRETS_YML_SECRET_ARN }} | |
| DATABASE_ADAPTER: postgresql | |
| DATABASE_HOST: postgres | |
| DATABASE_PASS: postgres | |
| DATABASE_USER: postgres | |
| DEFAULT_FROM: [email protected] | |
| ENCRYPTION_KEY: strongEncryptionstrongEncryptionstrongEncryption | |
| DATABASE_DB_TEST: boston_cas_test | |
| HOSTNAME: openpath.host | |
| PORT: 80 | |
| run: | | |
| DEPLOY_PROTECT_SECRETS=true EXCEPTION_WEBHOOK_CHANNEL_OVERRIDE=gr-op-gha-except bundle exec bin/compile_assets.rb ${{ matrix.client_group }} |