python-app.yml
# CI workflow: installs the Python dependencies, lints and tests the project
# on a single Python version, and publishes tagged builds to PyPI.
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python
name: Python application

# Runs on pushes to main, on pushes of tags shaped like x.y.z, and on pull
# requests that target main.
on:
  push:
    branches:
      - 'main'
    tags:
      - '*.*.*'
  pull_request:
    branches:
      - 'main'

# Default GITHUB_TOKEN permissions for every job that does not declare its
# own `permissions:` block. `id-token: write` lets a job request an OIDC
# token.
# NOTE(review): only the PyPI publishing job appears to need the OIDC token;
# granting it workflow-wide also exposes it to the job that runs tests and
# third-party actions. Prefer a job-level grant.
permissions:
  contents: read
  id-token: write
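jobs:
  # Lint, test and (on push events) build the distribution.
  build:
    runs-on: ubuntu-latest
    # Least privilege: this job runs project code, local test services and
    # third-party actions, and only needs to read the repository. A job-level
    # block replaces the workflow-level permissions, so no OIDC token
    # (id-token) can be requested from here.
    permissions:
      contents: read
    steps:
      # NOTE(review): every `uses:` in this workflow references a mutable tag
      # or branch. Pinning each one to a full commit SHA protects the pipeline
      # against a retagged or compromised release.
      - uses: actions/checkout@v4
        with:
          # No later step pushes to the repository, so do not leave the
          # token in the checked-out .git/config.
          persist-credentials: false

      # Install system dependencies: Mosquitto + Postgres + OpenSSL
      - name: Install system packages
        run: |
          sudo apt-get update
          sudo apt-get install -y mosquitto mosquitto-clients postgresql postgresql-contrib openssl

      # Initialize local Postgres.
      # The credentials are throwaway values for the runner-local database and
      # match PGUSER/PGPASSWORD in the test step; never reuse them elsewhere.
      - name: Start Postgres
        run: |
          sudo service postgresql start
          sudo -u postgres psql -c "CREATE USER admin WITH PASSWORD 'secret' CREATEDB;"
          sudo -u postgres psql -c "CREATE DATABASE rembus_test OWNER admin;"

      # Generate temporary MQTT TLS certs for local Mosquitto.
      # Both private keys are written unencrypted (-nodes) and both
      # certificates are valid for one day; they exist only on the runner.
      - name: Generate temporary MQTT TLS certificates
        run: |
          mkdir -p tests/cfg
          # CA
          openssl req -x509 -nodes -newkey rsa:2048 -days 1 \
            -subj "/CN=Rembus-Test-CA/C=IT/L=Trento" \
            -keyout tests/cfg/rembus-ca.key \
            -out tests/cfg/rembus-ca.crt \
            -addext "keyUsage = critical, keyCertSign, cRLSign" \
            -addext "basicConstraints = critical, CA:TRUE"
          # Broker key + CSR
          openssl req -nodes -newkey rsa:2048 \
            -subj "/CN=localhost" \
            -keyout tests/cfg/rembus.key \
            -out tests/cfg/rembus.csr
          # Create SAN config file
          cat > tests/cfg/rembus.ext <<EOF
          authorityKeyIdentifier=keyid,issuer
          basicConstraints=CA:FALSE
          keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
          subjectAltName = @alt_names
          [alt_names]
          DNS.1 = localhost
          IP.1 = 127.0.0.1
          EOF
          # Sign broker cert
          openssl x509 -req -in tests/cfg/rembus.csr \
            -CA tests/cfg/rembus-ca.crt -CAkey tests/cfg/rembus-ca.key \
            -CAcreateserial -out tests/cfg/rembus.crt -days 1 \
            -extfile tests/cfg/rembus.ext

      # Start Mosquitto locally with TLS enabled.
      # Test-only broker: anonymous clients are accepted on the plain (1883)
      # and the TLS (8883) listener. Do not copy this config outside CI.
      - name: Start local Mosquitto
        run: |
          cat > tests/cfg/mosquitto.conf <<EOF
          listener 1883
          allow_anonymous true
          listener 8883
          cafile $(pwd)/tests/cfg/rembus-ca.crt
          certfile $(pwd)/tests/cfg/rembus.crt
          keyfile $(pwd)/tests/cfg/rembus.key
          allow_anonymous true
          EOF
          # NOTE(review): this also makes the broker private key
          # world-readable; tolerable only for a one-day test key.
          chmod 644 tests/cfg/rembus-*.crt tests/cfg/rembus.key
          # Stop the packaged service so the test instance can bind the ports.
          sudo systemctl stop mosquitto
          mosquitto -c tests/cfg/mosquitto.conf -d
          sleep 2
          ss -ltnp | grep 1883 || (echo "Mosquitto not listening!" && exit 1)

      # Set up Python
      - name: Set up Python 3.11
        uses: actions/setup-python@v4
        with:
          python-version: "3.11"

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install flake8
          # Quoted so the shell cannot glob-expand the [test] extra.
          pip install ".[test]"
          pip install -e .

      - name: Lint with flake8
        run: |
          # Fail the build on syntax errors and undefined names.
          flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
          # Report everything else without failing (--exit-zero).
          flake8 . --count --exit-zero --max-complexity=10 --max-line-length=80 --statistics

      - name: Run tests with pytest
        env:
          PGHOST: localhost
          PGPORT: "5432"
          PGUSER: admin
          PGPASSWORD: secret
          MQTT_HOST: 127.0.0.1
          MQTT_PORT: "1883"
          MQTTS_PORT: "8883"
          MQTT_CA_CERT: ${{ github.workspace }}/tests/cfg/rembus-ca.crt
          MQTT_CERT: ${{ github.workspace }}/tests/cfg/rembus.crt
          MQTT_KEY: ${{ github.workspace }}/tests/cfg/rembus.key
        run: |
          pytest tests --asyncio-mode=auto

      # Push events only, so the Codecov secret is not used for pull requests.
      - name: Upload coverage to Codecov
        if: github.event_name == 'push'
        uses: codecov/codecov-action@v5
        with:
          token: ${{ secrets.CODECOV_TOKEN }}

      - name: Build distribution
        if: github.event_name == 'push'
        run: |
          pip install build
          python -m build

      # dist/ only exists when the build step ran, so use the same condition,
      # and fail rather than hand an empty artifact to the publishing job.
      - name: Upload dist as artifact
        if: github.event_name == 'push'
        uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/
          if-no-files-found: error

  # Publishes the artifact produced by `build`; runs for tag refs only.
  publish-to-pypi:
    name: Publish Python 🐍 distribution 📦 to PyPI
    if: startsWith(github.ref, 'refs/tags/')
    needs: build
    runs-on: ubuntu-latest
    environment:
      name: pypi
      url: https://pypi.org/p/rembus
    # The OIDC token used for PyPI publishing is granted to this job only.
    permissions:
      id-token: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist
      - name: Publish package to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          attestations: true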