TSPS-100 add logic to use service account credentials when talking to leonardo #93
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Bump, Tag, Publish, and Deploy | |
# The purpose of the workflow is to: | |
# 1. Bump the version number and tag the release | |
# 2. Build and publish the client to Artifactory | |
# 3. Build docker image and publish to GCR | |
# 4. Trigger deployment to the dev environment | |
# | |
# When run on merge to main, it tags and bumps the patch version by default. You can | |
# bump other parts of the version by putting #major, #minor, or #patch in your commit | |
# message. | |
# | |
# When run on a hotfix branch, it tags and generates the hotfix version | |
# | |
# When run manually, you can specify the part of the semantic version to bump | |
# | |
# The workflow relies on github secrets: | |
# - ARTIFACTORY_PASSWORD - password for publishing the client to artifactory | |
# - ARTIFACTORY_USERNAME - username for publishing the client to artifactory | |
# - BROADBOT_TOKEN - the broadbot token, so we can avoid two reviewer rule on GHA operations | |
# - SLACK_WEBHOOK_URL - the webhook url to post to the desired Slack channel | |
on: | |
push: | |
branches: | |
- main | |
paths-ignore: | |
- 'README.md' | |
- '.github/**' | |
- 'local-dev/**' | |
pull_request: | |
paths-ignore: | |
- 'README.md' | |
- '.github/**' | |
- 'local-dev/**' | |
workflow_dispatch: | |
inputs: | |
bump: | |
description: 'Part of the version to bump: major, minor, patch' | |
required: false | |
default: 'patch' | |
type: choice | |
options: | |
- patch | |
- minor | |
- major | |
branch: | |
description: 'Branch to run the workflow on' | |
required: false | |
default: 'main' | |
env: | |
SERVICE_NAME: ${{ github.event.repository.name }} | |
IMAGE_NAME: ${{ github.event.repository.name }} | |
GOOGLE_DOCKER_REPOSITORY: us-central1-docker.pkg.dev | |
GOOGLE_PROJECT: dsp-artifact-registry | |
jobs: | |
bump-check: | |
runs-on: ubuntu-latest | |
outputs: | |
is-bump: ${{ steps.skiptest.outputs.is-bump }} | |
steps: | |
- uses: actions/checkout@v2 | |
- name: Skip version bump merges | |
id: skiptest | |
uses: ./.github/actions/bump-skip | |
with: | |
event-name: ${{ github.event_name }} | |
tag-publish-docker-deploy: | |
needs: [ bump-check ] | |
runs-on: ubuntu-latest | |
permissions: | |
contents: 'write' | |
id-token: 'write' | |
if: needs.bump-check.outputs.is-bump == 'no' | |
outputs: | |
tag: ${{ steps.tag.outputs.tag }} | |
steps: | |
- name: Set part of semantic version to bump | |
id: controls | |
run: | | |
SEMVER_PART="" | |
CHECKOUT_BRANCH="$GITHUB_REF" | |
if ${{github.event_name == 'push' }}; then | |
SEMVER_PART="patch" | |
elif ${{github.event_name == 'workflow_dispatch' }}; then | |
SEMVER_PART=${{ github.event.inputs.bump }} | |
CHECKOUT_BRANCH=${{ github.event.inputs.branch }} | |
fi | |
echo ::set-output name=semver-part::$SEMVER_PART | |
echo ::set-output name=checkout-branch::$CHECKOUT_BRANCH | |
- name: Checkout current code | |
uses: actions/checkout@v2 | |
with: | |
ref: ${{ steps.controls.outputs.checkout-branch }} | |
token: ${{ secrets.BROADBOT_TOKEN }} | |
- name: Bump the tag to a new version | |
uses: databiosphere/github-actions/actions/[email protected] | |
id: tag | |
env: | |
DEFAULT_BUMP: patch | |
GITHUB_TOKEN: ${{ secrets.BROADBOT_TOKEN }} | |
HOTFIX_BRANCHES: hotfix.* | |
OVERRIDE_BUMP: ${{ steps.controls.outputs.semver-part }} | |
RELEASE_BRANCHES: main | |
VERSION_FILE_PATH: settings.gradle | |
VERSION_LINE_MATCH: "^gradle.ext.releaseVersion\\s*=\\s*\".*\"" | |
VERSION_SUFFIX: SNAPSHOT | |
- name: Set up AdoptOpenJDK | |
uses: actions/setup-java@v2 | |
with: | |
distribution: 'temurin' | |
java-version: 17 | |
- name: Cache Gradle packages | |
uses: actions/cache@v2 | |
with: | |
path: | | |
~/.gradle/caches | |
~/.gradle/wrapper | |
key: v1-${{ runner.os }}-gradle-${{ hashfiles('**/gradle-wrapper.properties') }}-${{ hashFiles('**/*.gradle') }} | |
restore-keys: v1-${{ runner.os }}-gradle-${{ hashfiles('**/gradle-wrapper.properties') }} | |
- name: Grant execute permission for gradlew | |
run: chmod +x gradlew | |
# Publish client to artifactory | |
- name: Publish to Artifactory | |
if: ${{ github.event_name != 'pull_request' }} | |
run: ./gradlew :client:artifactoryPublish --scan | |
env: | |
ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }} | |
ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }} | |
ARTIFACTORY_REPO_KEY: "libs-snapshot-local" | |
- name: Auth to GCP | |
id: 'auth' | |
uses: google-github-actions/auth@v0 | |
with: | |
token_format: 'access_token' | |
workload_identity_provider: 'projects/1038484894585/locations/global/workloadIdentityPools/github-wi-pool/providers/github-wi-provider' | |
service_account: 'dsp-artifact-registry-push@dsp-artifact-registry.iam.gserviceaccount.com' | |
# Install gcloud, `setup-gcloud` automatically picks up authentication from `auth`. | |
- name: 'Set up Cloud SDK' | |
uses: 'google-github-actions/setup-gcloud@v0' | |
- name: Explicitly auth Docker for Artifact Registry | |
run: gcloud auth configure-docker $GOOGLE_DOCKER_REPOSITORY --quiet | |
- name: Construct docker image name and tag | |
id: image-name | |
run: echo ::set-output name=name::${GOOGLE_DOCKER_REPOSITORY}/${GOOGLE_PROJECT}/${SERVICE_NAME}/${IMAGE_NAME}:${{ steps.tag.outputs.tag }} | |
- name: Build image locally with jib | |
run: | | |
./gradlew --build-cache :service:jibDockerBuild \ | |
--image=${{ steps.image-name.outputs.name }} \ | |
-Djib.console=plain | |
- name: Push GCR image | |
run: docker push ${{ steps.image-name.outputs.name }} | |
- name: Make release | |
if: ${{ github.event_name != 'pull_request' }} | |
uses: ncipollo/release-action@v1 | |
id: create_release | |
with: | |
tag: ${{ steps.tag.outputs.tag }} | |
- name: Notify slack on failure | |
uses: broadinstitute/[email protected] | |
if: failure() | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
with: | |
channel: '#terra-tsps-alerts' | |
status: failure | |
author_name: Publish to dev | |
fields: job | |
text: 'Publish failed :sadpanda:' | |
username: 'Terra Scientific Pipelines Service Action' | |
report-to-sherlock: | |
# Report new TSPS version to Broad DevOps | |
uses: broadinstitute/sherlock/.github/workflows/client-report-app-version.yaml@main | |
needs: [ bump-check, tag-publish-docker-deploy ] | |
if: ${{ needs.bump-check.outputs.is-bump == 'no' }} | |
with: | |
new-version: ${{ needs.tag-publish-docker-deploy.outputs.tag }} | |
chart-name: 'tsps' | |
permissions: | |
contents: 'read' | |
id-token: 'write' | |
set-version-in-dev: | |
# Put new TSPS version in Broad dev environment | |
uses: broadinstitute/sherlock/.github/workflows/client-set-environment-app-version.yaml@main | |
needs: [ bump-check, tag-publish-docker-deploy, report-to-sherlock ] | |
if: ${{ needs.bump-check.outputs.is-bump == 'no' && github.event_name != 'pull_request' }} | |
with: | |
new-version: ${{ needs.tag-publish-docker-deploy.outputs.tag }} | |
chart-name: 'tsps' | |
environment-name: 'dev' | |
secrets: | |
sync-git-token: ${{ secrets.BROADBOT_TOKEN }} | |
permissions: | |
id-token: 'write' |