hephaestus 0.1.3 → 0.2.2

data/templates/.dockerignore

@@ -0,0 +1,39 @@
+# See https://docs.docker.com/engine/reference/builder/#dockerignore-file for more about ignoring files.
+
+# Ignore git directory.
+# /.git/
+
+# Ignore bundler config.
+/.bundle
+
+# Ignore all default key files.
+/config/master.key
+/config/credentials/*.key
+
+# Ignore all environment files.
+/.env*
+!/.env.example
+
+# Ignore all logfiles and tempfiles.
+/log/*
+/tmp/*
+!/log/.keep
+!/tmp/.keep
+
+# Ignore pidfiles, but keep the directory.
+/tmp/pids/*
+!/tmp/pids/
+!/tmp/pids/.keep
+
+# Ignore storage (uploaded files in development and any SQLite databases).
+/storage/*
+!/storage/.keep
+/tmp/storage/*
+!/tmp/storage/
+!/tmp/storage/.keep
+
+# Ignore assets.
+/node_modules/
+/app/assets/builds/*
+!/app/assets/builds/.keep
+/public/assets

data/templates/.env.sample

@@ -0,0 +1,6 @@
+# RAILS_MASTER_KEY="GENERATE_A_NEW_KEY"
+YETTO_PLUG_PEM="REPLACE_ME_WITH_YETTO_VALUE"
+SIGNING_SECRET="super-secret"
+YETTO_PLUG_ID="REPLACE_ME_WITH_YETTO_VALUE"
+
+LD_PRELOAD_PATH="/usr/lib/aarch64-linux-gnu/libjemalloc.so.2"

data/templates/.github/dependabot.yml

@@ -3,20 +3,25 @@ updates:
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: daily
+      interval: weekly
+      day: monday
       time: "09:00"
       timezone: "Etc/UTC"
+    groups:
+      github-actions:
+        patterns:
+          - "*"
     open-pull-requests-limit: 10
 
   - package-ecosystem: bundler
     directory: "/"
     schedule:
-      interval: daily
+      interval: weekly
+      day: monday
       time: "09:00"
       timezone: "Etc/UTC"
     open-pull-requests-limit: 10
-    allow:
-      - dependency-name: "*"
-        dependency-type: "production"
-      - dependency-name: "sorbet*"
-        dependency-type: "all"
+    groups:
+      bundler-dependencies:
+        patterns:
+          - "*"

data/templates/.github/workflows/automerge.yml

@@ -1,4 +1,4 @@
-name: PR auto-{approve,merge}
+name: Bot auto-{approve,merge}
 
 on:
   pull_request_target:
@@ -9,89 +9,9 @@ permissions:
 
 jobs:
   dependabot:
-    name: Dependabot
-    runs-on: ubuntu-latest
-
-    env:
-      RAILS_ENV: test
-      REDIS_URL: redis://localhost:6379/0
-      RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}
-      SLACK_LOG_URL: http://slack.com/the_log_room
-
-    # Service containers to run; note that this is duplicated
-    # in test.yml due to a limitation in GitHub Actions
-    # (services can only be defined per job)
-    services:
-      redis:
-        # Docker Hub image name
-        image: redis:6.2-alpine
-        ports: ["6379:6379"]
-        # Set health checks to wait until redis has started
-        options: >-
-          --health-cmd "redis-cli ping" --health-interval 10s --health-timeout
-          5s --health-retries 5
-
-    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
-    steps:
-      - name: Fetch Dependabot metadata
-        id: dependabot-metadata
-        uses: dependabot/fetch-metadata@v1
-        with:
-          github-token: "${{ secrets.GITHUB_TOKEN }}"
-
-      - uses: actions/checkout@v3
-        with:
-          ref: ${{ github.head_ref }}
-
-      - uses: ./.github/actions/sisyphus
-
-      - uses: ./.github/actions/license
-
-      - name: Commit licenses
-        run: |
-          git add .
-          git commit -m "[auto-license]: Update license information" || true
-          git push
-
-      - uses: ./.github/actions/sorbet
-
-      - name: Commit Sorbet
-        run: |
-          git add .
-          git commit -m "[auto-rbi]: Update RBI files" || true
-          git push
-
-      - name: Approve Dependabot PR
-        if: ${{steps.dependabot-metadata.outputs.update-type != 'version-update:semver-major'}}
-        run: gh pr review --approve "$PR_URL"
-        env:
-          PR_URL: ${{github.event.pull_request.html_url}}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Merge Dependabot PR
-        run: gh pr merge --auto --squash "$PR_URL"
-        env:
-          PR_URL: ${{ github.event.pull_request.html_url }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    uses: yettoapp/actions/.github/workflows/automerge_dependabot.yml@main
+    secrets: inherit
 
   sisyphusbot:
-    name: Automated PRs
-    runs-on: ubuntu-latest
-
-    if: ${{ github.event.pull_request.user.login == 'sisyphusbot' }}
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Approve Automated PR
-        if: startsWith(github.event.pull_request.title, '[auto')
-        run: gh pr review --approve "$PR_URL"
-        env:
-          PR_URL: ${{ github.event.pull_request.html_url }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Merge Automated PR
-        if: startsWith(github.event.pull_request.title, '[auto')
-        run: gh pr merge --auto --squash "$PR_URL"
-        env:
-          PR_URL: ${{ github.event.pull_request.html_url }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    uses: yettoapp/actions/.github/workflows/automerge_sisyphusbot.yml@main
+    secrets: inherit

data/templates/.github/workflows/deploy.yml

@@ -0,0 +1,30 @@
+name: Deployments
+on:
+  push:
+    branches:
+      - production
+  workflow_dispatch:
+    inputs:
+      target:
+        required: true
+        type: choice
+        description: The name of the environment that you're deploying the application to
+        options:
+          - staging
+          - production
+      forced:
+        description: "Whether to perform the deploy regardless of test state."
+        required: false
+        type: boolean
+        default: false
+
+jobs:
+  deployment:
+    name: Deploy app
+    uses: yettoapp/actions/.github/workflows/fly_deployment.yml@main
+    with:
+      target: ${{ github.event_name != 'workflow_dispatch' && 'production' || inputs.target }}
+      forced: ${{ github.event_name == 'workflow_dispatch' && inputs.forced || false }}
+    secrets:
+      gh_token: ${{ secrets.GH_DEPLOYMENTS_TOKEN }}
+      fly_token: ${{ inputs.target == 'staging' && secrets.FLY_STAGING_API_TOKEN || secrets.FLY_PRODUCTION_API_TOKEN }}

data/templates/.github/workflows/licenses.yml

@@ -1,43 +1,23 @@
-name: Update licenses
+name: License
 
 on:
-  push:
+  pull_request_target:
     paths:
-      - "**/Gemfile.lock"
-    branches:
-      - production
-      - staging
-  workflow_dispatch:
+      - "Gemfile.lock"
+      - "package-lock.json"
 
-permissions:
-  contents: write
-  pull-requests: write
+env:
+  RAILS_ENV: test
 
 jobs:
-  license-cache:
+  verify:
     runs-on: ubuntu-latest
-
     steps:
       - uses: actions/checkout@v3
         with:
-          ref: ${{ github.ref }}
-
-      - uses: ./.github/actions/license
-
-      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v4
-        with:
+          ref: ${{ github.head_ref }}
           token: ${{ secrets.GH_SISYPHUS_YETTO_REPO_TOKEN }}
-          commit-message: "[auto-license] Update license information"
-          title: "[auto-license] Update license information"
-          body: |
-            - Update license information
-
-            Auto-generated by [create-pull-request][1]
 
-            [1]: https://github.com/peter-evans/create-pull-request
-          branch: update-licenses
-          committer: Sisyphus <sisyphus@yetto.app>
-          author: Sisyphus <sisyphus@yetto.app>
-          delete-branch: true
-          labels: 'chore, github action'
+      - uses: yettoapp/actions/run-license-verify@main
+        with:
+          ruby: true

data/templates/.github/workflows/lint.yml

@@ -2,6 +2,8 @@ name: Linting
 
 on:
   pull_request:
+    paths:
+      - "**/*.rb"
 
 env:
   RAILS_ENV: test
@@ -12,41 +14,19 @@ jobs:
     steps:
       - uses: actions/checkout@v3
 
-      # reads from .ruby-version
-      - uses: ruby/setup-ruby@v1
+      - uses: yettoapp/actions/pr-contains-files@main
+        id: pr_contains_ruby
         with:
-          bundler-cache: true
-          rubygems: latest
+          pr_number: ${{ github.event.number }}
+          pattern: ".rb$"
+          github_token: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Rubocop
-        run: bundle exec rake rubocop
-
-  ruby-types:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-
-      # reads from .ruby-version
-      - uses: ruby/setup-ruby@v1
+      - name: Set up Ruby
+        if: ${{ steps.pr_contains_ruby.outputs.exists == 'true' }}
+        uses: yettoapp/actions/setup-languages@main
         with:
-          bundler-cache: true
-          rubygems: latest
-
-      - name: Sorbet
-        id: sorbet_tc
-        run: bundle exec srb tc
-
-      - name: Provide error message
-        if: failure() && steps.sorbet_tc.outcome == 'failure'
-        run: |
-          echo "Run 'bundle exec srb tc -a' to auto-correct Sorbet checks."
+          ruby: true
 
-      - name: Verifying Tapioca
-        id: tapioca_verify
-        run: script/typecheck --verify
-
-      - name: Provide error message
-        if: failure() && steps.tapioca_verify.outcome == 'failure'
-        run: |
-          echo "Run 'script/typecheck --update' to update Tapioca's RBI files."
-          echo "Run 'script/typecheck --verify' to verify that Tapioca's RBI files are up-to-date."
+      - name: Rubocop
+        if: ${{ steps.pr_contains_ruby.outputs.exists == 'true' }}
+        run: bundle exec rake rubocop

data/templates/.github/workflows/security.yml

@@ -1,38 +1,15 @@
 name: Security
 
 on:
-  pull_request:
+  workflow_dispatch:
+  pull_request_target:
 
-env:
-  RAILS_ENV: test
-  BUNDLE_WITH: "ci"
+permissions:
+  pull-requests: write
+  contents: write
 
 jobs:
-  bundle-audit:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - uses: ruby/setup-ruby@v1
-        with:
-          bundler-cache: true
-          rubygems: latest
-
-      # Patch-level verification for bundler.
-      - name: Run bundle-audit
-        run: |
-          script/security_checks/bundle-audit
-
-  brakeman: # A static analysis security vulnerability scanner for Ruby on Rails applications
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-
-      - uses: ruby/setup-ruby@v1
-        with:
-          bundler-cache: true
-          rubygems: latest
-
-      - name: brakeman report
-        run: |
-          script/security_checks/brakeman
-          cat security-results.json
+  ruby:
+    uses: yettoapp/actions/.github/workflows/ruby_security_checks.yml@main
+    secrets:
+      token: ${{ secrets.GITHUB_TOKEN }}

data/templates/.github/workflows/sorbet.yml

@@ -1,49 +1,19 @@
-name: Update Sorbet files
+name: Sorbet
 
 on:
-  pull_request:
+  pull_request_target:
     paths:
-      - '**.rb'
-
-permissions:
-  contents: write
-  pull-requests: write
+      - "**/*.rb"
+      - "Gemfile.lock"
 
 jobs:
-  trigger_tapioca_pr:
+  update:
     runs-on: ubuntu-latest
 
-    env:
-      RAILS_ENV: test
-      REDIS_URL: redis://localhost:6379/0
-      RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}
-      SLACK_LOG_URL: http://slack.com/the_log_room
-
-    # Service containers to run; note that this is duplicated
-    # in test.yml due to a limitation in GitHub Actions
-    # (services can only be defined per job)
-    services:
-      redis:
-        # Docker Hub image name
-        image: redis:6.2-alpine
-        ports: ["6379:6379"]
-        # Set health checks to wait until redis has started
-        options: >-
-          --health-cmd "redis-cli ping" --health-interval 10s --health-timeout
-          5s --health-retries 5
-
-    if: ${{ github.event.pull_request.user.login != 'dependabot[bot]' }}
     steps:
       - uses: actions/checkout@v3
         with:
           ref: ${{ github.head_ref }}
+          token: ${{ secrets.GH_SISYPHUS_YETTO_REPO_TOKEN }}
 
-      - uses: ./.github/actions/sisyphus
-
-      - uses: ./.github/actions/sorbet
-
-      - name: Commit Sorbet
-        run: |
-          git add .
-          git commit -m "[auto-rbi]: Update RBI files" || true
-          git push
+      - uses: yettoapp/actions/run-sorbet-update@main

data/templates/.github/workflows/test.yml

@@ -1,53 +1,19 @@
 name: Test
 
 on:
-  pull_request:
+  workflow_dispatch:
+  pull_request_target:
 
 jobs:
   test:
     runs-on: ubuntu-latest
 
-    env:
-      RAILS_ENV: test
-      REDIS_URL: redis://localhost:6379/0
-      RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}
-      SLACK_LOG_URL: http://slack.com/the_log_room
-
-   # Service containers to run; note that this is duplicated
-   # in sorbet.yml due to a limitation in GitHub Actions
-   # (services can only be defined per job)
-    services:
-      redis:
-        # Docker Hub image name
-        image: redis:6.2-alpine
-        ports: ["6379:6379"]
-        # Set health checks to wait until redis has started
-        options: >-
-          --health-cmd "redis-cli ping" --health-interval 10s --health-timeout
-          5s --health-retries 5
-
     steps:
       - uses: actions/checkout@v3
         with:
-          ref: ${{github.ref}} # checkout branch not SHA
-          fetch-depth: 0
-
-      - uses: ./.github/actions/setup
-
-      - name: Run tests
-        run: |
-          script/ci
-
-  test-licenses:
-    needs: test
-    runs-on: ubuntu-latest
-
-    if: ${{ github.event.pull_request.user.login != 'dependabot[bot]' }}
-    steps:
-      - uses: actions/checkout@v3
-
-      - uses: ./.github/actions/setup
-
-      - name: Verifying licenses
-        run: script/licenses --verify
+          ref: ${{ github.head_ref }}
+          token: ${{ secrets.GH_SISYPHUS_YETTO_REPO_TOKEN }}
 
+      - uses: yettoapp/actions/run-ruby-tests@main
+        with:
+          github_token: ${{ secrets.GH_SISYPHUS_YETTO_REPO_TOKEN }}

data/templates/.licensed.yml

@@ -12,6 +12,9 @@ allowed:
 ignored:
   bundler:
     - bundler-audit # GPL-3.0; but also, only used in CI/test
+    - date # BSD-2-Clause
+    - net-protocol # BSD-2-Clause
+    - racc # BSD-2-Clause
     - ruby2_keywords # BSD-2-Clause; ignored because of custom LICENSE text
     - sidekiq # LGPL-3.0; ignored because of custom LICENSE text
 
@@ -20,14 +23,15 @@ reviewed:
     - activerecord # MIT
     - brakeman # BRAKEMAN PUBLIC USE LICENSE
     - concurrent-ruby # MIT
-    - date # BSD-2-Clause
+    - dry-core # MIT
     - dry-transformer # MIT
+    - faraday-net_http # MIT
     - json # BSD-2-Clause
+    - jwt # MIT
     - net-imap # BSD-2-Clause
     - net-pop # BSD-2-Clause
-    - net-protocol # BSD-2-Clause
     - net-smtp # BSD-2-Clause
-    - racc # BSD-2-Clause
+    - nio4r # MIT
     - timeout # BSD-2-Clause
     - websocket-driver # Apache-2.0
     - websocket-extensions # Apache-2.0

data/templates/.ruby-version

@@ -0,0 +1 @@
+<%= Hephaestus::RUBY_VERSION %>

data/templates/Dockerfile

@@ -0,0 +1,79 @@
+# syntax = docker/dockerfile:1
+
+# Make sure RUBY_VERSION matches the Ruby version in .ruby-version and Gemfile
+ARG RUBY_VERSION=3.2.1
+FROM ruby:$RUBY_VERSION-slim as base
+
+# Rails app lives here
+WORKDIR /plug-github
+
+# Set production environment
+ARG RAILS_ENV="production"
+ENV RAILS_ENV=${RAILS_ENV} \
+  BUNDLE_WITHOUT="staging:development:test" \
+  BUNDLE_DEPLOYMENT="1"
+
+# Update gems and bundler
+RUN gem update --system --no-document && \
+  gem install -N bundler
+
+
+# Throw-away build stages to reduce size of final image
+FROM base as prebuild
+
+# Install packages needed to build gems
+RUN --mount=type=cache,id=dev-apt-cache,sharing=locked,target=/var/cache/apt \
+  --mount=type=cache,id=dev-apt-lib,sharing=locked,target=/var/lib/apt \
+  apt-get update -qq && \
+  apt-get install --no-install-recommends -y build-essential curl git libpq-dev libvips pkg-config python-is-python3 ca-certificates iptables iproute2
+
+
+FROM prebuild as build
+
+# Install application gems
+COPY --link Gemfile Gemfile.lock .ruby-version ./
+RUN --mount=type=cache,id=bld-gem-cache,sharing=locked,target=/srv/vendor \
+  bundle config set app_config .bundle && \
+  bundle config set path /srv/vendor && \
+  bundle install && \
+  bundle exec bootsnap precompile --gemfile && \
+  bundle clean && \
+  mkdir -p vendor && \
+  bundle config set path vendor && \
+  cp -ar /srv/vendor .
+
+# Copy application code
+COPY --link . .
+
+# Precompile bootsnap code for faster boot times
+RUN bundle exec bootsnap precompile app/ lib/
+
+# Adjust binfiles to set current working directory
+RUN grep -l '#!/usr/bin/env ruby' /plug-app/bin/* | xargs sed -i '/^#!/aDir.chdir File.expand_path("..", __dir__)'
+
+# Final stage for app image
+FROM base
+
+# Install packages needed for deployment
+RUN --mount=type=cache,id=dev-apt-cache,sharing=locked,target=/var/cache/apt \
+  --mount=type=cache,id=dev-apt-lib,sharing=locked,target=/var/lib/apt \
+  apt-get update -qq && \
+  apt-get install --no-install-recommends -y imagemagick libvips postgresql-client sudo git
+
+# Copy built artifacts: gems, application
+COPY --from=build /usr/local/bundle /usr/local/bundle
+COPY --from=build /plug-app /plug-app
+
+# Deployment options
+ENV RAILS_LOG_TO_STDOUT="1" \
+  RAILS_SERVE_STATIC_FILES="true" \
+  RUBY_YJIT_ENABLE="1" \
+  LD_PRELOAD=${LD_PRELOAD_PATH} \
+  MALLOC_CONF="dirty_decay_ms:1000,narenas:2,background_thread:true"
+
+# Entrypoint sets up the container.
+ENTRYPOINT ["/plug-app/bin/docker-entrypoint"]
+
+# Start the server by default, this can be overwritten at runtime
+EXPOSE 3000
+CMD ["./bin/rails", "server"]