dfinity · DFINITYManu · Aug 22, 2024 · Aug 22, 2024 · Aug 22, 2024 · Aug 22, 2024
@@ -21,13 +21,37 @@ jobs:
     if: github.event_name == 'pull_request'
     runs-on: ubuntu-latest
     steps:
+      - name: Set month and year for cache key
+        id: date
+        run: echo "date=$(date +'%Y-%m')" >> "$GITHUB_OUTPUT"
       - uses: actions/checkout@v4
+      - name: Move backend files to source root
+        run: mv -f rollout-dashboard/server/* .
+      - name: Cache Cargo stuff once a month for faster execution
+        uses: actions/cache@v3
+        with:
+          key: cargo-build-deps-${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}-${{ steps.date.outputs.date }}
+          path: |
+            ~/.cargo/bin/
+            ~/.cargo/registry/index/
+            ~/.cargo/registry/cache/
+            ~/.cargo/git/db/
+            target/debug/build
+            target/debug/deps
+            target/debug/.fingerprint
       - name: Set up Rust toolchain
         uses: actions-rs/toolchain@v1
         with:
           toolchain: stable
-      - name: Move backend files to source root
-        run: mv -f rollout-dashboard/server/* .
+      - name: Security audit
+        uses: actions-rs/audit-check@v1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: cargo machete
+        run: |
+          set -e
+          which cargo-machete || cargo install cargo-machete
+          cargo machete
       - name: cargo clippy
         uses: actions-rs/cargo@v1
         with:
@@ -50,6 +74,8 @@ jobs:
         run: mv -f rollout-dashboard/frontend/* .
       - name: prepare NPM for CI
         run: npm ci
+      - name: Security audit (optional for now)
+        run: npm audit || true
       - name: build frontend
         run: npm run build
       - name: run tests on frontend
@@ -64,12 +90,8 @@ jobs:
       - uses: docker/metadata-action@v5
         id: metadata
         with:
-          images: ghcr.io/${{ github.repository }}/rollout-dashboard
+          images: ghcr.io/${{ github.repository }}/cache
           tags: |
-            type=schedule
-            type=ref,event=branch
-            type=ref,event=tag
-            type=ref,event=pr
             type=sha,format=long
       - uses: docker/login-action@v3
         with:
@@ -79,10 +101,10 @@ jobs:
       - uses: int128/kaniko-action@v1
         name: Create rollout-dashboard container
         with:
-          push: false
+          push: true
           tags: ${{ steps.metadata.outputs.tags }}
           labels: ${{ steps.metadata.outputs.labels }}
-          cache: false
+          cache: true
           cache-repository: ghcr.io/${{ github.repository }}/cache
           context: rollout-dashboard
   publish-rollout-dashboard-container:
@@ -112,6 +134,6 @@ jobs:
           push: true
           tags: ${{ steps.metadata.outputs.tags }}
           labels: ${{ steps.metadata.outputs.labels }}
-          cache: false
+          cache: true
           cache-repository: ghcr.io/${{ github.repository }}/cache
           context: rollout-dashboard
@@ -157,7 +157,7 @@ def execute(self, context: Context) -> dict[str, int | str | bool]:
                 "is in state %s and must be created again.  Will create.",
                 props_for_git_revision[0]["proposal_id"],
                 git_revision,
-                props_for_git_revision[0]["status"],
+                props_for_git_revision[0]["status"].name,
             )
         else:
             prop = props_for_git_revision[0]

@@ -1,21 +1,28 @@
 FROM docker.io/rust:1.80-bookworm as rust
 WORKDIR /usr/src
-COPY server/Cargo.toml server/Cargo.lock ./
+RUN cargo new rollout-dashboard
+COPY server/Cargo.toml server/Cargo.lock ./rollout-dashboard/
+WORKDIR /usr/src/rollout-dashboard
+RUN cargo build --release ; rm -rf src ; echo "This step is expected to fail, but it creates a layer that is cacheable." >&2
 COPY server/src ./src/
-RUN cargo install --path .
+RUN cargo build --release && \
+    mv target/release/rollout-dashboard .
 
 FROM docker.io/node:alpine as node
 WORKDIR /
-COPY frontend/index.html frontend/*.json frontend/*.js frontend/*.ts ./
+# The following step copies only the package files so npm install can be cached.
+COPY frontend/package*.json ./
+RUN npm install
+COPY frontend/*.json frontend/index.html frontend/*.js frontend/*.ts ./
 COPY frontend/public ./public
 COPY frontend/src ./src
-RUN npm install && npm run build
+RUN npm run build
 
 FROM docker.io/debian:bookworm
 WORKDIR /
-RUN apt-get update && apt install -y openssl ca-certificates
-COPY --from=rust /usr/local/cargo/bin/rollout-dashboard /rollout-dashboard
+COPY --from=rust /usr/src/rollout-dashboard/rollout-dashboard /rollout-dashboard
 COPY --from=node /dist /static
+RUN apt-get update && apt-get upgrade -y && apt install -y openssl ca-certificates
 
 EXPOSE 4174
 ENV FRONTEND_STATIC_DIR=static