* Add GitHub Actions audit job (actionlint + zizmor) to CI Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Configure dependabot for GitHub Actions, bundler, and Docker Batches all action updates into a single weekly PR. Adds cooldown periods to all ecosystems. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Add local GitHub Actions linting (actionlint + zizmor) to bin/setup and bin/ci Install actionlint, shellcheck, and zizmor in bin/setup. Run both linters as CI steps in config/ci.rb alongside existing style checks. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Pin all GitHub Actions to SHA hashes Run pinact to pin action versions to specific commit SHAs, preventing supply chain attacks from tag mutation. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Fix high severity zizmor findings - Suppress unpinned-images for redis service containers (digest pinning is nontrivial for service containers) - Move workflow-level permissions to job-level in publish-image.yml (build gets full set, manifest gets only what it needs) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Fix medium severity zizmor findings - Add persist-credentials: false to all checkout steps - Add permissions: {} at workflow level in ci.yml - Add job-level permissions (contents: read) to all CI jobs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Fix informational template-injection findings in publish-image.yml Move steps.meta.outputs.tags from inline ${{ }} expressions to env vars in both the manifest creation and cosign signing steps. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Update brakeman to 8.0.4 bin/brakeman uses --ensure-latest which fails if not on the newest version. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
#!/usr/bin/env bash

# Development setup for campfire: installs system packages, Ruby (via mise),
# gems and a local Redis, then prepares the database.
#
# Usage: bin/setup [--reset]
#   --reset   wipe storage/{db,files} and recreate the database before preparing it
#
# Refuses to run when RAILS_ENV=production.

# -e aborts on the first failing command; pipefail makes a failing stage fail
# its pipeline. -u is not enabled, so unset variables expand to empty rather
# than aborting.
set -eo pipefail

# Resolve the repository root from this script's own location and put the
# checkout's executables first on PATH, so bin/rails, bin/bundle, ... win over
# anything else installed on the machine. This means the script trusts
# whatever the checkout ships in bin/.
app_root="$(cd "$(dirname "$0")/.." && pwd)"
export PATH="$app_root/bin:$PATH"
# Redis endpoint: probed by redis_running and used as both sides of the port
# mapping when the docker fallback below creates the container.
REDIS_PORT=6379
REDIS_HOST=localhost

# Safety rail: this script installs packages, can reset the database and
# starts containers — none of which belongs on a production host.
if [[ "${RAILS_ENV:-}" == "production" ]]; then
  echo "RAILS_ENV is production; bailing out"
  exit 1
fi
# gum renders the coloured step headers used by step() below, so bootstrap it
# first when it is missing. Arch installs it through sudo pacman
# (non-interactive), macOS through Homebrew; on anything else the user is
# asked to install it by hand and the script stops.
if ! command -v gum &>/dev/null; then
  echo
  echo "▸ Installing gum"

  gum_installer=""
  for candidate in pacman brew; do
    if command -v "$candidate" &>/dev/null; then
      gum_installer="$candidate"
      break
    fi
  done

  case "$gum_installer" in
    pacman) sudo pacman -S --noconfirm gum ;;
    brew) brew install gum ;;
    *)
      echo "Please install gum: https://github.com/charmbracelet/gum"
      exit 1
      ;;
  esac
  echo
fi
# step NAME CMD [ARGS...]
#
# Prints NAME as a bold orange heading and the command line in grey, runs the
# command, prints a blank separator line and returns the command's exit
# status. The command and its arguments are passed through as separate words,
# never re-parsed by a shell. Under this script's set -e a failing command
# aborts the run before the separator/return are reached; the return value
# matters only to callers that guard the call.
step() {
  local title="$1"
  shift

  gum style --foreground 208 --bold "▸ $title"
  gum style --foreground 240 "$*"

  "$@"
  local status=$?

  echo
  return "$status"
}
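# redis_running
#
# Succeeds when something accepts TCP connections on REDIS_HOST:REDIS_PORT.
# Uses nc when present; otherwise falls back to bash's /dev/tcp so a missing
# netcat no longer reads as "Redis is down" — previously that made the docker
# fallback try to start a second Redis on an already-occupied port.
# Only checks that the port is open; it does not verify the listener is Redis.
redis_running() {
  if command -v nc &>/dev/null; then
    nc -z "$REDIS_HOST" "$REDIS_PORT" 2>/dev/null
  else
    # Subshell so the descriptor is closed again immediately; a refused or
    # unreachable connection makes the exec fail and the subshell exit non-zero.
    (exec 3<>"/dev/tcp/$REDIS_HOST/$REDIS_PORT") 2>/dev/null
  fi
}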
# Campfire logo, one gum call per row so every line gets its own
# 256-colour foreground (214, 208, 202, 94 from top to bottom).
echo
logo_colors=(214 208 202 94)
logo_rows=(" ) " " ) \\ campfire" " ( ( (" " .^^^.")
for row in "${!logo_rows[@]}"; do
  gum style --foreground "${logo_colors[$row]}" "${logo_rows[$row]}"
done
echo
# System packages, via whichever native package manager is found first
# (brew, then pacman, then apt). pacman and apt are invoked through sudo.
# The apt branch installs no mise, which is why mise is checked separately
# right after.
pkg_manager=""
for candidate in brew pacman apt; do
  if command -v "$candidate" &>/dev/null; then
    pkg_manager="$candidate"
    break
  fi
done

case "$pkg_manager" in
  brew) step "Installing packages" brew install sqlite ffmpeg mise ;;
  pacman) step "Installing packages" sudo pacman -S --noconfirm --needed sqlite ffmpeg mise ;;
  apt) step "Installing packages" sudo apt-get install --no-install-recommends -y libsqlite3-0 ffmpeg ;;
esac

# mise provides the Ruby toolchain; without it nothing further can proceed.
command -v mise &>/dev/null || {
  echo "Couldn't install mise"
  echo "Install mise using your package manager or via:"
  echo "https://mise.jdx.dev/installing-mise.html"
  exit 1
}

# Install the toolchain (presumably the versions declared by the checkout's
# mise config — verify), then eval mise's activation output so the installed
# Ruby is on PATH for the rest of this run.
# NOTE(review): eval executes whatever `mise hook-env` prints; the trust
# boundary is the mise binary from the package manager plus the checkout's
# mise configuration.
step "Installing Ruby" mise install --yes
eval "$(mise hook-env)"

# Let bundler auto-install missing gems for this checkout only, then install.
bundle config set --local auto_install true
step "Installing RubyGems" bundle install
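# Prepare database.
#
# --reset wipes storage/db and storage/files and recreates the database from
# scratch. The flag is matched exactly against each argument (not as a
# substring of "$*"), and the wipe is anchored at $app_root rather than the
# caller's cwd, so `bin/setup --reset` run from another directory cannot
# delete the wrong tree. ${app_root:?} aborts instead of expanding the path
# to "/storage/..." if the variable is somehow unset.
reset_requested=false
for arg in "$@"; do
  if [[ "$arg" == "--reset" ]]; then
    reset_requested=true
    break
  fi
done

if [[ "$reset_requested" == true ]]; then
  rm -rf -- "${app_root:?}/storage/db" "${app_root:?}/storage/files"
  step "Resetting the database" rails db:reset
fi

step "Preparing the database" rails db:prepare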
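# Start Redis if nothing is listening on REDIS_HOST:REDIS_PORT.
# Falls back to a docker container named campfire-redis: reused when it already
# exists, created otherwise. Existence is checked with `docker container
# inspect`, which matches the name exactly — `docker ps -f name=` does a
# substring match and would also hit e.g. campfire-redis-old.
if ! redis_running; then
  if command -v docker &>/dev/null; then
    if docker container inspect campfire-redis &>/dev/null; then
      step "Starting Redis" docker start campfire-redis
    else
      # Publish the port on loopback only. No password is configured here, and
      # a bare "-p PORT:PORT" binds 0.0.0.0, exposing the instance on every
      # interface of the host (on Linux, docker's own iptables rules typically
      # bypass the host firewall as well). REDIS_HOST is localhost, so nothing
      # in this script needs it reachable from elsewhere.
      # NOTE(review): redis:7 is a mutable tag; pin a digest if reproducible
      # dev environments matter.
      step "Setting up Redis" docker run -d --name campfire-redis \
        -p "127.0.0.1:$REDIS_PORT:$REDIS_PORT" redis:7
    fi
  else
    echo "Couldn't start Redis"
    echo "Install either docker or redis and then run this command again"
    exit 1
  fi
fi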
# GitHub Actions linters (actionlint, shellcheck, zizmor), run by bin/ci per
# the commit message above. Each is installed only when absent: brew on
# macOS, pacman (through sudo) on Arch; otherwise the user is told which one
# to install by hand and the script stops.
for linter in actionlint shellcheck zizmor; do
  command -v "$linter" &> /dev/null && continue

  if command -v brew &> /dev/null; then
    step "Installing $linter" brew install "$linter"
  elif command -v pacman &> /dev/null; then
    step "Installing $linter" sudo pacman -S --noconfirm "$linter"
  else
    echo "Error: install $linter manually" >&2
    exit 1
  fi
done
# Housekeeping: drop stale logs and tmp files, then ask Rails to restart so the
# fresh install is picked up.
step "Cleaning up logs and tempfiles" rails log:clear tmp:clear
step "Restarting services" rails restart

# SECONDS is bash's wall-clock seconds since the script started.
elapsed="$SECONDS"
gum style --foreground 46 "✓ Done (${elapsed} sec)"