-
Notifications
You must be signed in to change notification settings - Fork 0
101 lines (87 loc) · 3.25 KB
/
publish.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
name: Publish and deploy
on: create
env:
SERVICE_NAME: ${{ github.event.repository.name }}
GOOGLE_PROJECT: broad-dsp-gcr-public
jobs:
publish-job:
if: startsWith(github.ref, 'refs/tags/')
runs-on: ubuntu-latest
outputs:
tag: ${{ steps.tag.outputs.tag }}
steps:
- uses: actions/checkout@v3
- name: Set up JDK 17
uses: actions/setup-java@v3
with:
java-version: '17'
distribution: 'temurin'
- name: Cache Gradle packages
uses: actions/cache@v3
with:
path: |
~/.gradle/caches
~/.gradle/wrapper
key: v1-${{ runner.os }}-gradle-refs/heads/dev-${{ github.sha }}
- name: Parse tag
id: tag
run: echo tag=$(git describe --tags) >> $GITHUB_OUTPUT
# - name: "Publish to Artifactory"
# run: ./gradlew --build-cache :client:artifactoryPublish
# env:
# ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }}
# ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }}
# ARTIFACTORY_REPO_KEY: "libs-snapshot-local"
- name: Auth to GCR
uses: google-github-actions/auth@v1
with:
credentials_json: ${{ secrets.GCR_PUBLISH_KEY_B64 }}
- name: Explicitly auth Docker for GCR
run: gcloud auth configure-docker --quiet
- name: Construct docker image name and tag
id: image-name
run: echo name=gcr.io/${GOOGLE_PROJECT}/${SERVICE_NAME}:${{ steps.tag.outputs.tag }} >> $GITHUB_OUTPUT
- name: Add Google Cloud Profiler to Docker Image
run: docker build ./service -t drshub:local
- name: Build image locally with jib
run: |
./gradlew --build-cache :service:jibDockerBuild \
--image=${{ steps.image-name.outputs.name }} \
-Djib.from.image=docker://drshub:local \
-Djib.console=plain
- name: Run Trivy vulnerability scanner
# Link to the github location of the action https://github.com/broadinstitute/dsp-appsec-trivy-action
uses: broadinstitute/dsp-appsec-trivy-action@v1
with:
image: ${{ steps.image-name.outputs.name }}
- name: Push GCR image
run: docker push ${{ steps.image-name.outputs.name }}
report-to-sherlock:
# Report new drshub version to Broad DevOps
uses: broadinstitute/sherlock/.github/workflows/client-report-app-version.yaml@main
needs: publish-job
with:
new-version: ${{ needs.publish-job.outputs.tag }}
chart-name: 'drshub'
permissions:
contents: 'read'
id-token: 'write'
set-version-in-dev:
# Put new drshub version in Broad dev environment
uses: broadinstitute/sherlock/.github/workflows/client-set-environment-app-version.yaml@main
needs: [publish-job, report-to-sherlock]
with:
new-version: ${{ needs.publish-job.outputs.tag }}
chart-name: 'drshub'
environment-name: 'dev'
secrets:
sync-git-token: ${{ secrets.BROADBOT_TOKEN }}
permissions:
id-token: 'write'
notify-slack-on-failure:
needs: [publish-job, report-to-sherlock, set-version-in-dev]
uses: ./.github/workflows/slack-notify-on-failure.yml
secrets: inherit
if: ${{ failure() }}
with:
workflow_name: Publish