Skip to content

TSPS-100 add logic to use service account credentials when talking to leonardo #93

TSPS-100 add logic to use service account credentials when talking to leonardo

TSPS-100 add logic to use service account credentials when talking to leonardo #93

Workflow file for this run

name: Bump, Tag, Publish, and Deploy
# The purpose of the workflow is to:
# 1. Bump the version number and tag the release
# 2. Build and publish the client to Artifactory
# 3. Build docker image and publish to GCR
# 4. Trigger deployment to the dev environment
#
# When run on merge to main, it tags and bumps the patch version by default. You can
# bump other parts of the version by putting #major, #minor, or #patch in your commit
# message.
#
# When run on a hotfix branch, it tags and generates the hotfix version
#
# When run manually, you can specify the part of the semantic version to bump
#
# The workflow relies on github secrets:
# - ARTIFACTORY_PASSWORD - password for publishing the client to artifactory
# - ARTIFACTORY_USERNAME - username for publishing the client to artifactory
# - BROADBOT_TOKEN - the broadbot token, so we can avoid two reviewer rule on GHA operations
# - SLACK_WEBHOOK_URL - the webhook url to post to the desired Slack channel
on:
push:
branches:
- main
paths-ignore:
- 'README.md'
- '.github/**'
- 'local-dev/**'
pull_request:
paths-ignore:
- 'README.md'
- '.github/**'
- 'local-dev/**'
workflow_dispatch:
inputs:
bump:
description: 'Part of the version to bump: major, minor, patch'
required: false
default: 'patch'
type: choice
options:
- patch
- minor
- major
branch:
description: 'Branch to run the workflow on'
required: false
default: 'main'
env:
SERVICE_NAME: ${{ github.event.repository.name }}
IMAGE_NAME: ${{ github.event.repository.name }}
GOOGLE_DOCKER_REPOSITORY: us-central1-docker.pkg.dev
GOOGLE_PROJECT: dsp-artifact-registry
jobs:
bump-check:
runs-on: ubuntu-latest
outputs:
is-bump: ${{ steps.skiptest.outputs.is-bump }}
steps:
- uses: actions/checkout@v2
- name: Skip version bump merges
id: skiptest
uses: ./.github/actions/bump-skip
with:
event-name: ${{ github.event_name }}
tag-publish-docker-deploy:
needs: [ bump-check ]
runs-on: ubuntu-latest
permissions:
contents: 'write'
id-token: 'write'
if: needs.bump-check.outputs.is-bump == 'no'
outputs:
tag: ${{ steps.tag.outputs.tag }}
steps:
- name: Set part of semantic version to bump
id: controls
run: |
SEMVER_PART=""
CHECKOUT_BRANCH="$GITHUB_REF"
if ${{github.event_name == 'push' }}; then
SEMVER_PART="patch"
elif ${{github.event_name == 'workflow_dispatch' }}; then
SEMVER_PART=${{ github.event.inputs.bump }}
CHECKOUT_BRANCH=${{ github.event.inputs.branch }}
fi
echo ::set-output name=semver-part::$SEMVER_PART
echo ::set-output name=checkout-branch::$CHECKOUT_BRANCH
- name: Checkout current code
uses: actions/checkout@v2
with:
ref: ${{ steps.controls.outputs.checkout-branch }}
token: ${{ secrets.BROADBOT_TOKEN }}
- name: Bump the tag to a new version
uses: databiosphere/github-actions/actions/[email protected]
id: tag
env:
DEFAULT_BUMP: patch
GITHUB_TOKEN: ${{ secrets.BROADBOT_TOKEN }}
HOTFIX_BRANCHES: hotfix.*
OVERRIDE_BUMP: ${{ steps.controls.outputs.semver-part }}
RELEASE_BRANCHES: main
VERSION_FILE_PATH: settings.gradle
VERSION_LINE_MATCH: "^gradle.ext.releaseVersion\\s*=\\s*\".*\""
VERSION_SUFFIX: SNAPSHOT
- name: Set up AdoptOpenJDK
uses: actions/setup-java@v2
with:
distribution: 'temurin'
java-version: 17
- name: Cache Gradle packages
uses: actions/cache@v2
with:
path: |
~/.gradle/caches
~/.gradle/wrapper
key: v1-${{ runner.os }}-gradle-${{ hashfiles('**/gradle-wrapper.properties') }}-${{ hashFiles('**/*.gradle') }}
restore-keys: v1-${{ runner.os }}-gradle-${{ hashfiles('**/gradle-wrapper.properties') }}
- name: Grant execute permission for gradlew
run: chmod +x gradlew
# Publish client to artifactory
- name: Publish to Artifactory
if: ${{ github.event_name != 'pull_request' }}
run: ./gradlew :client:artifactoryPublish --scan
env:
ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }}
ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }}
ARTIFACTORY_REPO_KEY: "libs-snapshot-local"
- name: Auth to GCP
id: 'auth'
uses: google-github-actions/auth@v0
with:
token_format: 'access_token'
workload_identity_provider: 'projects/1038484894585/locations/global/workloadIdentityPools/github-wi-pool/providers/github-wi-provider'
service_account: 'dsp-artifact-registry-push@dsp-artifact-registry.iam.gserviceaccount.com'
# Install gcloud, `setup-gcloud` automatically picks up authentication from `auth`.
- name: 'Set up Cloud SDK'
uses: 'google-github-actions/setup-gcloud@v0'
- name: Explicitly auth Docker for Artifact Registry
run: gcloud auth configure-docker $GOOGLE_DOCKER_REPOSITORY --quiet
- name: Construct docker image name and tag
id: image-name
run: echo ::set-output name=name::${GOOGLE_DOCKER_REPOSITORY}/${GOOGLE_PROJECT}/${SERVICE_NAME}/${IMAGE_NAME}:${{ steps.tag.outputs.tag }}
- name: Build image locally with jib
run: |
./gradlew --build-cache :service:jibDockerBuild \
--image=${{ steps.image-name.outputs.name }} \
-Djib.console=plain
- name: Push GCR image
run: docker push ${{ steps.image-name.outputs.name }}
- name: Make release
if: ${{ github.event_name != 'pull_request' }}
uses: ncipollo/release-action@v1
id: create_release
with:
tag: ${{ steps.tag.outputs.tag }}
- name: Notify slack on failure
uses: broadinstitute/[email protected]
if: failure()
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
with:
channel: '#terra-tsps-alerts'
status: failure
author_name: Publish to dev
fields: job
text: 'Publish failed :sadpanda:'
username: 'Terra Scientific Pipelines Service Action'
report-to-sherlock:
# Report new TSPS version to Broad DevOps
uses: broadinstitute/sherlock/.github/workflows/client-report-app-version.yaml@main
needs: [ bump-check, tag-publish-docker-deploy ]
if: ${{ needs.bump-check.outputs.is-bump == 'no' }}
with:
new-version: ${{ needs.tag-publish-docker-deploy.outputs.tag }}
chart-name: 'tsps'
permissions:
contents: 'read'
id-token: 'write'
set-version-in-dev:
# Put new TSPS version in Broad dev environment
uses: broadinstitute/sherlock/.github/workflows/client-set-environment-app-version.yaml@main
needs: [ bump-check, tag-publish-docker-deploy, report-to-sherlock ]
if: ${{ needs.bump-check.outputs.is-bump == 'no' && github.event_name != 'pull_request' }}
with:
new-version: ${{ needs.tag-publish-docker-deploy.outputs.tag }}
chart-name: 'tsps'
environment-name: 'dev'
secrets:
sync-git-token: ${{ secrets.BROADBOT_TOKEN }}
permissions:
id-token: 'write'