ci(identity): migrate identity-service CI to GitHub Actions #14390
dylanjeffers wants to merge 5 commits
Adds .github/workflows/identity.yml covering install, lint, typecheck, test, and docker push — mirroring the jobs previously defined under .circleci/src/workflows/identity.yml. Disables the CircleCI workflow trigger via path filtering (matches how web/mobile were migrated). Tests now run against GHA service containers (postgres:11.1 + redis:7.0) and ts-mocha is invoked directly with the same env vars run-tests.sh exports, avoiding the audius-compose / docker-compose dependency. Docker push (main only) uses docker/build-push-action with the git SHA as the tag, matching what audius-compose push --prod identity-service produced.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
| GitGuardian id | GitGuardian status | Secret | Commit | Filename |
|---|---|---|---|---|
| 9412812 | Triggered | Generic Password | b32026b | .github/workflows/identity.yml |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secret safely. Learn here the best practices.
- Revoke and rotate this secret.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future, consider:
- following these best practices for managing and storing secrets, including API keys and other credentials
- installing secret detection on pre-commit to catch secrets before they leave your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
🌐 Web preview ready
Preview URL: https://audius-web-preview-pr-14390.audius.workers.dev (unique preview for this PR, deployed from this branch).
Match the secret names pedalboard's build-services workflow uses (these are org-level secrets on AudiusProject) instead of the CircleCI-era DOCKERHUB_USERNAME / DOCKERHUB_PASS, which aren't configured as GitHub Actions secrets.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
CircleCI's test-identity-service entrypoint shifted "test" off and ran `npx mocha` with no args, so mocha used its default `test/*.{js,cjs,mjs}` glob — only the .js tests, never `test/index.ts`. src/app.js only requires .js modules (routes/index.js filters to `.js`), so the .ts solana relay tree never loaded and the missing solana env vars didn't matter.

`ts-mocha test/index.ts` exposed that path and crashed on `new PublicKey('')` in solanaRelayChecks.ts. Switch to plain `npx mocha` to mirror CircleCI exactly. Filling in real solana env vars (or unblocking the .ts tests) is out of scope for the migration.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
PR #14207 removed src/models/notification.js but left 20191107223636-create-viewed-field.js calling models.Notification.update(). On a fresh DB the migration crashes with "Cannot read properties of undefined (reading 'update')". The break went undetected because CircleCI was disabled before that PR landed. Replace the ORM call with a raw UPDATE — the Notifications table itself is still created by 20191025193919-create-notification.js and was never dropped, so the migration still has a real table to write to.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
15/16 tests passed on the previous run; the lone failure was the test-authentication-routes beforeEach hitting the 12s default. Each hook re-runs all ~50 migrations from scratch, which exceeds the window on ubuntu-latest. Pass --timeout 60000 to give the runner headroom without changing the .mocharc default used locally.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Summary
- Adds `.github/workflows/identity.yml` covering install, lint, typecheck, test, and Docker push for identity-service — equivalent to the CircleCI jobs under `.circleci/src/workflows/identity.yml`.
- Tests run against GHA service containers and ts-mocha is invoked directly with the same env vars `packages/identity-service/scripts/run-tests.sh` exports, avoiding the audius-compose/docker-compose dependency on the runner.
- Docker push uses `docker/build-push-action` with `audius/identity-service:${{ github.sha }}` as the tag, matching `audius-compose push --prod identity-service`. Authenticates via `DOCKERHUB_USERNAME`/`DOCKERHUB_PASS` secrets and notifies Slack on failure via `SLACK_DAILY_DEPLOY_WEBHOOK`.
- Disables the CircleCI workflow trigger in `.circleci/config.yml` (`run-identity-workflow false`) and adds a NOTE comment to `.circleci/src/workflows/identity.yml`. Matches the pattern used when web/mobile were migrated.

Test plan
- `Identity Service CI/CD` runs on the diff (lint, typecheck, test).
- `npx turbo run lint --filter=identity-service`.
- `npx turbo run typecheck --filter=identity-service`.
- Docker push is gated on `if: github.ref == 'refs/heads/main' && github.event_name == 'push'`.
- On merge to `main`, tags as the merge commit SHA, and pushes to Docker Hub. Confirm Slack failure notification path if anything blows up.
- CircleCI identity workflow disabled (`run-identity-workflow false`).

Notes
The required secrets (`DOCKERHUB_USERNAME`, `DOCKERHUB_PASS`, `SLACK_DAILY_DEPLOY_WEBHOOK`) need to be present in the repo's Actions secrets — same secrets the CircleCI `dockerhub`/`slack-secrets` contexts referenced. If those names differ on the GH side, the docker-push job will need a tweak.

🤖 Generated with Claude Code
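To make the layout the description and commit messages discuss concrete, here is an added example workflow, written for this page and not the PR's actual `.github/workflows/identity.yml`. It shows the pieces named above: service containers for postgres:11.1 and redis:7.0, the bare `npx mocha --timeout 60000` invocation from the later commits, a docker-push job that runs only on pushes to `main` and tags the image with the commit SHA, and the Slack failure hook. It also addresses the GitGuardian alert: the page does not say which value in identity.yml was flagged, but in a file of this shape the usual trigger is a literal service-container database password, so the example reads that value from a repository secret (`CI_POSTGRES_PASSWORD`, an assumed name) rather than hardcoding it. Everything the page does not state is an assumption here: the Node version, the Dockerfile path, the env var names `dbUrl`/`redisHost`/`redisPort`, the path filters, and the database name. The Docker Hub secret names are the ones from the PR description; the second commit says they were later replaced with the org-level names pedalboard's workflow uses, which the page does not spell out.

```yaml
# Added example, not the PR's own workflow. Names marked "assumed" are
# illustrative and not taken from the repository.
name: Identity Service CI/CD

on:
  push:
    branches: [main]
    paths:                                  # assumed path filter
      - 'packages/identity-service/**'
      - '.github/workflows/identity.yml'
  pull_request:
    paths:
      - 'packages/identity-service/**'
      - '.github/workflows/identity.yml'

# Least privilege for the default GITHUB_TOKEN: nothing here writes to the repo.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    services:
      postgres:
        image: postgres:11.1
        env:
          # Throwaway credential for a container that lives only for this job,
          # but sourced from a secret so a scanner never sees a literal password.
          POSTGRES_PASSWORD: ${{ secrets.CI_POSTGRES_PASSWORD }}   # assumed secret
          POSTGRES_DB: audius_identity_service_test               # assumed name
        ports: ['5432:5432']
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
      redis:
        image: redis:7.0
        ports: ['6379:6379']
        options: >-
          --health-cmd "redis-cli ping"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 18                    # assumed
      - run: npm ci
      - run: npx turbo run lint --filter=identity-service
      - run: npx turbo run typecheck --filter=identity-service
      - name: Test
        working-directory: packages/identity-service
        env:
          # The variables run-tests.sh would export (names and values assumed).
          dbUrl: postgres://postgres:${{ secrets.CI_POSTGRES_PASSWORD }}@localhost:5432/audius_identity_service_test
          redisHost: localhost
          redisPort: 6379
        # Plain `npx mocha` mirrors CircleCI's default test/*.{js,cjs,mjs} glob;
        # --timeout 60000 covers the beforeEach that re-runs every migration.
        run: npx mocha --timeout 60000

  docker-push:
    needs: test
    # Push only from merges to main; PR runs (possibly from forks) never reach this job.
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASS }}
      - uses: docker/build-push-action@v5
        with:
          context: .
          file: packages/identity-service/Dockerfile   # assumed path
          push: true
          tags: audius/identity-service:${{ github.sha }}
      - name: Notify Slack on failure
        if: failure()
        env:
          # Passed through env rather than interpolated into the script body.
          SLACK_WEBHOOK: ${{ secrets.SLACK_DAILY_DEPLOY_WEBHOOK }}
          SHA: ${{ github.sha }}
        run: |
          curl -sS -X POST -H 'Content-type: application/json' \
            --data "{\"text\":\"identity-service docker push failed: $SHA\"}" \
            "$SLACK_WEBHOOK"
```

Two design points are worth stating. First, the `if:` on the push job is the real control over who can publish an image: a `pull_request` run from a fork executes with the default token and without repository secrets, so the job would fail anyway, but gating on `github.ref` plus `github.event_name` keeps a misconfigured trigger from turning a PR into a Docker Hub push. Second, the Slack step reads the webhook and SHA through `env:` instead of writing `${{ }}` expressions into the shell script; neither value is attacker-controlled here, but the habit prevents script injection the day a step starts using a PR title or branch name.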