TSPS-325 Support for adding more CLI commands #890
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Bump, Tag, Publish, and Deploy | |
# The purpose of the workflow is to: | |
# 1. Bump the version number and tag the release | |
# 2. Build and publish the python client to PyPi | |
# 3. Build and publish the client to Artifactory | |
# 4. Build docker image and publish to GCR | |
# 5. Trigger deployment to the dev environment | |
# | |
# When run on merge to main, it tags and bumps the patch version by default. You can | |
# bump other parts of the version by putting #major, #minor, or #patch in your commit | |
# message. | |
# | |
# When run on a hotfix branch, it tags and generates the hotfix version | |
# | |
# When run manually, you can specify the part of the semantic version to bump | |
# | |
# The workflow relies on github secrets: | |
# - ARTIFACTORY_PASSWORD - password for publishing the client to artifactory | |
# - ARTIFACTORY_USERNAME - username for publishing the client to artifactory | |
# - BROADBOT_TOKEN - the broadbot token, so we can avoid two reviewer rule on GHA operations | |
# - SLACK_WEBHOOK_URL - the webhook url to post to the desired Slack channel | |
on: | |
push: | |
branches: | |
- main | |
paths-ignore: | |
- 'README.md' | |
- '.github/**' | |
pull_request: | |
workflow_dispatch: | |
inputs: | |
bump: | |
description: 'Part of the version to bump: major, minor, patch' | |
required: false | |
default: 'patch' | |
type: choice | |
options: | |
- patch | |
- minor | |
- major | |
branch: | |
description: 'Branch to run the workflow on' | |
required: false | |
default: 'main' | |
env: | |
SERVICE_NAME: ${{ github.event.repository.name }} | |
IMAGE_NAME: ${{ github.event.repository.name }} | |
GOOGLE_DOCKER_REPOSITORY: us-central1-docker.pkg.dev | |
GOOGLE_PROJECT: dsp-artifact-registry | |
jobs: | |
bump-check: | |
runs-on: ubuntu-latest | |
outputs: | |
is-bump: ${{ steps.skiptest.outputs.is-bump }} | |
steps: | |
- uses: actions/checkout@v2 | |
- name: Skip version bump merges | |
id: skiptest | |
uses: ./.github/actions/bump-skip | |
with: | |
event-name: ${{ github.event_name }} | |
tag-job: | |
needs: [ bump-check ] | |
runs-on: ubuntu-latest | |
if: needs.bump-check.outputs.is-bump == 'no' | |
outputs: | |
tag: ${{ steps.tag.outputs.new_tag }} | |
new-tag-for-python-client-version: ${{ steps.generate-params.outputs.new-tag-for-python-client-version }} | |
checkout-ref: ${{ steps.generate-params.outputs.checkout-ref }} | |
steps: | |
- name: Set part of semantic version to bump | |
id: controls | |
run: | | |
SEMVER_PART="" | |
CHECKOUT_BRANCH="$GITHUB_REF" | |
if ${{github.event_name == 'push' }}; then | |
SEMVER_PART="patch" | |
elif ${{github.event_name == 'workflow_dispatch' }}; then | |
SEMVER_PART=${{ github.event.inputs.bump }} | |
CHECKOUT_BRANCH=${{ github.event.inputs.branch }} | |
fi | |
echo ::set-output name=semver-part::$SEMVER_PART | |
echo ::set-output name=checkout-branch::$CHECKOUT_BRANCH | |
- name: Checkout current code | |
uses: actions/checkout@v2 | |
with: | |
ref: ${{ steps.controls.outputs.checkout-branch }} | |
token: ${{ secrets.BROADBOT_TOKEN }} | |
- name: Bump the tag to a new version | |
# https://github.com/DataBiosphere/github-actions/tree/master/actions/bumper | |
uses: databiosphere/github-actions/actions/[email protected] | |
id: tag | |
env: | |
DEFAULT_BUMP: patch | |
GITHUB_TOKEN: ${{ secrets.BROADBOT_TOKEN }} | |
HOTFIX_BRANCHES: hotfix.* | |
OVERRIDE_BUMP: ${{ steps.controls.outputs.semver-part }} | |
RELEASE_BRANCHES: main | |
VERSION_FILE_PATH: settings.gradle | |
VERSION_LINE_MATCH: "^gradle.ext.releaseVersion\\s*=\\s*\".*\"" | |
VERSION_SUFFIX: SNAPSHOT | |
- name: Generate tag for Java resources, version for Python, and checkout-ref to use in subsequent jobs | |
id: generate-params | |
run: | | |
if [ ${{ github.event_name != 'pull_request' }} == true ]; then | |
# This workflow was called on a push to main or manually, i.e. a PR merge / new release | |
echo "New tag provided: ${{ steps.tag.outputs.new_tag }}" | |
echo "Will use python client version based on tag: ${{ steps.tag.outputs.new_tag }}" | |
echo "new-tag-for-python-client-version=${{ steps.tag.outputs.new_tag }}" >> $GITHUB_OUTPUT | |
echo "Will use checkout-ref: ${{ steps.tag.outputs.new_tag }}" | |
echo "checkout-ref=${{ steps.tag.outputs.new_tag }}" >> $GITHUB_OUTPUT | |
else | |
# This workflow was called on a PR, and the new tag was not actually created | |
echo "New tag provided: ${{ steps.tag.outputs.new_tag }}" | |
echo "Will use python client version '0.0.0'. This will not overwrite the existing PyPi version '0.0.0'" | |
echo "new-tag-for-python-client-version='0.0.0'" >> $GITHUB_OUTPUT | |
echo "Will use checkout-ref: $GITHUB_REF" | |
echo "checkout-ref=$GITHUB_REF" >> $GITHUB_OUTPUT | |
fi | |
# Publish Python client to PyPI | |
python-client-job: | |
needs: [ tag-job ] | |
uses: ./.github/workflows/release-python-client.yml | |
with: | |
new-tag-for-python-client-version: ${{ needs.tag-job.outputs.new-tag-for-python-client-version }} | |
checkout-ref: ${{ needs.tag-job.outputs.checkout-ref }} | |
# Publish the Java client to Artifactory and deploy the docker image to GCR | |
publish-docker-deploy: | |
needs: [ tag-job ] | |
runs-on: ubuntu-latest | |
permissions: | |
contents: 'write' | |
id-token: 'write' | |
steps: | |
- name: Set up AdoptOpenJDK | |
uses: actions/setup-java@v2 | |
with: | |
distribution: 'temurin' | |
java-version: 17 | |
- name: Checkout current code | |
uses: actions/checkout@v2 | |
with: | |
ref: ${{ needs.tag-job.outputs.checkout-ref }} | |
token: ${{ secrets.BROADBOT_TOKEN }} | |
- name: Cache Gradle packages | |
uses: actions/cache@v2 | |
with: | |
path: | | |
~/.gradle/caches | |
~/.gradle/wrapper | |
key: v1-${{ runner.os }}-gradle-${{ hashfiles('**/gradle-wrapper.properties') }}-${{ hashFiles('**/*.gradle') }} | |
restore-keys: v1-${{ runner.os }}-gradle-${{ hashfiles('**/gradle-wrapper.properties') }} | |
- name: Grant execute permission for gradlew | |
run: chmod +x gradlew | |
# Publish Java client to artifactory | |
- name: Publish Java client to Artifactory | |
if: ${{ github.event_name != 'pull_request' }} | |
run: ./gradlew :client:artifactoryPublish --scan | |
env: | |
ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }} | |
ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }} | |
ARTIFACTORY_REPO_KEY: "libs-snapshot-local" | |
- name: Auth to GCP | |
id: 'auth' | |
uses: google-github-actions/auth@v0 | |
with: | |
token_format: 'access_token' | |
workload_identity_provider: 'projects/1038484894585/locations/global/workloadIdentityPools/github-wi-pool/providers/github-wi-provider' | |
service_account: 'dsp-artifact-registry-push@dsp-artifact-registry.iam.gserviceaccount.com' | |
# Install gcloud, `setup-gcloud` automatically picks up authentication from `auth`. | |
- name: 'Set up Cloud SDK' | |
uses: 'google-github-actions/setup-gcloud@v0' | |
- name: Explicitly auth Docker for Artifact Registry | |
run: gcloud auth configure-docker $GOOGLE_DOCKER_REPOSITORY --quiet | |
- name: Construct docker image name and tag | |
id: image-name | |
run: echo ::set-output name=name::${GOOGLE_DOCKER_REPOSITORY}/${GOOGLE_PROJECT}/${SERVICE_NAME}/${IMAGE_NAME}:${{ needs.tag-job.outputs.tag }} | |
- name: Build image locally with jib | |
run: | | |
./gradlew --build-cache :service:jibDockerBuild \ | |
--image=${{ steps.image-name.outputs.name }} \ | |
-Djib.console=plain | |
- name: Push GCR image | |
run: docker push ${{ steps.image-name.outputs.name }} | |
- name: Make release | |
if: ${{ github.event_name != 'pull_request' }} | |
uses: ncipollo/release-action@v1 | |
id: create_release | |
with: | |
tag: ${{ needs.tag-job.outputs.tag }} | |
- name: Notify slack on failure | |
uses: broadinstitute/[email protected] | |
if: failure() | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
with: | |
channel: '#terra-tsps-alerts' | |
status: failure | |
author_name: Publish image | |
fields: job | |
text: 'Publish image failed :sadpanda: ${{ github.event.pull_request.html_url || github.event.head_commit.url }}' | |
username: 'Terra Scientific Pipelines Service Action' | |
report-to-sherlock: | |
# Report new Teaspoons version to Broad DevOps | |
uses: broadinstitute/sherlock/.github/workflows/client-report-app-version.yaml@main | |
needs: [ bump-check, tag-job, publish-docker-deploy ] | |
if: ${{ needs.bump-check.outputs.is-bump == 'no' }} | |
with: | |
new-version: ${{ needs.tag-job.outputs.tag }} | |
chart-name: 'tsps' | |
permissions: | |
contents: 'read' | |
id-token: 'write' | |
set-version-in-dev: | |
# Put new Teaspoons version in Broad dev environment | |
uses: broadinstitute/sherlock/.github/workflows/client-set-environment-app-version.yaml@main | |
needs: [ bump-check, tag-job, report-to-sherlock ] | |
if: ${{ needs.bump-check.outputs.is-bump == 'no' && github.event_name != 'pull_request' }} | |
with: | |
new-version: ${{ needs.tag-job.outputs.tag }} | |
chart-name: 'tsps' | |
environment-name: 'dev' | |
secrets: | |
sync-git-token: ${{ secrets.BROADBOT_TOKEN }} | |
permissions: | |
id-token: 'write' |