Tag, publish, deploy #563
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Tag, publish, deploy | |
on: workflow_dispatch | |
# Tags HEAD of main branch, builds and publishes images and deploys to Terra dev environment | |
env: | |
SERVICE_NAME: ${{ github.event.repository.name }} | |
GOOGLE_PROJECT: broad-dsp-gcr-public | |
jobs: | |
tag: | |
uses: ./.github/workflows/tag.yml | |
secrets: inherit | |
publish-job: | |
needs: [ tag ] | |
runs-on: ubuntu-latest | |
permissions: | |
contents: 'read' | |
id-token: 'write' | |
steps: | |
- uses: actions/checkout@v2 | |
- name: Set up JDK 17 | |
uses: actions/setup-java@v2 | |
with: | |
java-version: '17' | |
distribution: 'temurin' | |
- name: Auth to GCR | |
uses: google-github-actions/auth@v2 | |
with: | |
workload_identity_provider: 'projects/1038484894585/locations/global/workloadIdentityPools/github-wi-pool/providers/github-wi-provider' | |
service_account: '[email protected]' | |
- name: Explicitly auth Docker for GCR | |
run: gcloud auth configure-docker --quiet | |
- name: Cache Gradle packages | |
uses: actions/cache@v2 | |
with: | |
path: | | |
~/.gradle/caches | |
~/.gradle/wrapper | |
key: v1-${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }} | |
restore-keys: | | |
v1-${{ runner.os }}-gradle- | |
- name: Publish API client | |
run: ./gradlew :client:artifactoryPublish | |
env: | |
ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }} | |
ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }} | |
ARTIFACTORY_REPO_KEY: libs-snapshot-local | |
- name: Construct docker image name and tag | |
id: image-name | |
run: echo ::set-output name=name::gcr.io/${GOOGLE_PROJECT}/${SERVICE_NAME}:${{ needs.tag.outputs.tag }} | |
# TODO add google cloud profiler | |
- name: Build image locally with jib | |
run: | | |
./gradlew --build-cache :service:jibDockerBuild \ | |
--image=${{ steps.image-name.outputs.name }} \ | |
-Djib.console=plain | |
- name: Run Trivy vulnerability scanner | |
uses: broadinstitute/dsp-appsec-trivy-action@v1 | |
with: | |
image: ${{ steps.image-name.outputs.name }} | |
- name: Push GCR image | |
run: docker push ${{ steps.image-name.outputs.name }} | |
- name: Notify slack on failure | |
uses: broadinstitute/[email protected] | |
if: failure() | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.BPM_SLACK_WEBHOOK }} | |
with: | |
status: ${{ job.status }} | |
author_name: Publish to dev | |
fields: job | |
text: 'Publish failed :sadpanda:' | |
report-to-sherlock: | |
# Report new BPM version to Broad DevOps | |
uses: broadinstitute/sherlock/.github/workflows/client-report-app-version.yaml@main | |
needs: [tag, publish-job] | |
with: | |
new-version: ${{ needs.tag.outputs.tag }} | |
chart-name: 'bpm' | |
permissions: | |
contents: 'read' | |
id-token: 'write' | |
set-version-in-dev: | |
# Put new BPM version in Broad dev environment | |
uses: broadinstitute/sherlock/.github/workflows/client-set-environment-app-version.yaml@main | |
needs: [tag, publish-job, report-to-sherlock] | |
with: | |
new-version: ${{ needs.tag.outputs.tag }} | |
chart-name: 'bpm' | |
environment-name: 'dev' | |
secrets: | |
sync-git-token: ${{ secrets.BROADBOT_TOKEN }} | |
permissions: | |
id-token: 'write' |