romm/.github/workflows/pytest.yml
Georges-Antoine Assi 26cf4b36f8 Scope test-user grant to the romm_test namespace
Addresses review feedback: granting ALL PRIVILEGES on *.* is overly broad,
especially against a shared DB instance. A database-level grant on the
`romm\_test%` wildcard pattern still lets the user CREATE the per-worker
databases (romm_test_gw0, ...) needed by pytest-xdist, while confining it to
that namespace — verified that out-of-namespace CREATE DATABASE is denied.

PostgreSQL needs no equivalent change: its CI service user (POSTGRES_USER)
is the container superuser.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-19 21:34:46 -04:00


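# Runs the backend pytest suite against MariaDB and PostgreSQL whenever
# something under backend/ changes, then publishes test and coverage results.
name: Run Pytest

on:
  pull_request:
    paths:
      - "backend/**"
  push:
    branches:
      - "master"
    paths:
      - "backend/**"

# Workflow-wide default for GITHUB_TOKEN: read-only on every scope.
permissions: read-all

jobs:
  pytest:
    runs-on: ubuntu-latest
    # A job-level permissions block replaces the workflow default for this job:
    # only the scopes listed here are granted, every other scope is set to none.
    # NOTE(review): presumably checks/pull-requests write are for the two
    # publish steps at the end of the job; confirm against those actions.
    permissions:
      checks: write
      pull-requests: write
    strategy:
      # Let the other database leg finish even when one of them fails.
      fail-fast: false
      matrix:
        db: [mariadb, postgresql]
    # All service containers start for every matrix leg; the test step picks
    # the database port that matches matrix.db. The credentials below are
    # throwaway values for containers that live only for the job.
    services:
      mariadb:
        image: mariadb:10.11
        # Container port only: the runner maps it to a free host port, which
        # the steps read back through job.services.mariadb.ports['3306'].
        ports:
          - 3306
        env:
          MYSQL_USER: romm_test
          MYSQL_PASSWORD: passwd
          MYSQL_DATABASE: romm_test
          MYSQL_ROOT_PASSWORD: passwd
        options: --health-cmd="mysqladmin ping" --health-interval=5s --health-timeout=2s --health-retries=3
      postgresql:
        image: postgres:16
        ports:
          - 5432
        env:
          POSTGRES_USER: romm_test
          POSTGRES_PASSWORD: passwd
          POSTGRES_DB: romm_test
        options: --health-cmd="pg_isready" --health-interval=5s --health-timeout=2s --health-retries=3
      valkey:
        image: valkey/valkey:7.2
        ports:
          - 6379
        options: >-
          --health-cmd="redis-cli ping" --health-interval=5s --health-timeout=2s --health-retries=3
    steps:
      # NOTE(review): the actions in this job are referenced by version tag.
      # Tags can be moved by the action's owner; pinning each `uses:` to a full
      # commit SHA (keeping the tag as a trailing comment) fixes the exact code
      # that runs with this job's write-scoped token.
      - name: Checkout repository
        uses: actions/checkout@v4.3.0
      - name: Install mariadb connectors
        run: |
          sudo apt-get update
          sudo apt-get install -y libmariadb3 libmariadb-dev
      - name: Install uv
        uses: astral-sh/setup-uv@v6.7.0
      - name: Install python
        run: |
          uv python install 3.13
      - name: Install dependencies
        run: |
          uv sync --extra test
      - name: Initiate MariaDB database
        if: matrix.db == 'mariadb'
        run: |
          # Grant on the `romm_test%` namespace so the test user can create the
          # per-worker databases (romm_test_gw0, ...) used under pytest-xdist,
          # without granting it global privileges. The backticks are escaped so
          # the shell doesn't treat them as command substitution.
          # WITH GRANT OPTION is left out: creating and using the per-worker
          # databases does not require the test user to hand privileges on to
          # other accounts.
          mysql --host 127.0.0.1 --port ${{ job.services.mariadb.ports['3306'] }} -uroot -ppasswd -e "GRANT ALL PRIVILEGES ON \`romm\_test%\`.* TO 'romm_test'@'%'; FLUSH PRIVILEGES;"
      - name: Run python tests
        env:
          DB_HOST: 127.0.0.1
          # Host port of whichever database service this matrix leg targets.
          DB_PORT: ${{ matrix.db == 'mariadb' && job.services.mariadb.ports['3306'] || job.services.postgresql.ports['5432'] }}
          ROMM_DB_DRIVER: ${{ matrix.db }}
          REDIS_HOST: 127.0.0.1
          REDIS_PORT: ${{ job.services.valkey.ports['6379'] }}
          HYPOTHESIS_PROFILE: ci
        run: |
          cd backend
          # GitHub-hosted Linux runners have 4 vCPUs; run one worker per core.
          uv run pytest -n 4 -vv --maxfail=10 --junitxml=pytest-report.xml --cov --cov-report xml:coverage.xml --cov-config=.coveragerc .
      - name: Publish test results
        uses: EnricoMi/publish-unit-test-result-action/linux@v2.20.0
        # Publish results for failed test runs too; skip only on cancellation.
        if: (!cancelled())
        with:
          check_name: Test Results (${{ matrix.db }})
          files: |
            backend/pytest-report.xml
      - name: Publish coverage report
        uses: orgoro/coverage@v3.2
        # Coverage is reported from the MariaDB leg only, and a failure of this
        # step does not fail the job.
        continue-on-error: true
        if: matrix.db == 'mariadb'
        with:
          coverageFile: backend/coverage.xml
          token: ${{ secrets.GITHUB_TOKEN }}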