TSPS-100 add logic to use service account credentials when talking to leonardo #232
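name: Build and Test
on:
  push:
    branches:
      - main
    # NOTE(review): '.github/**' is ignored here, so a push to main that only
    # touches this workflow or ./.github/actions/bump-skip is never built by
    # this trigger; such changes are only exercised by the pull_request trigger.
    paths-ignore:
      - '*.md'
      - '.github/**'
  pull_request:
    # Runs for every PR, including PRs from forks. GitHub withholds repository
    # secrets on fork PRs, so SONAR_TOKEN / SLACK_WEBHOOK_URL are empty there
    # and the SonarQube step (and a Slack notify, if it fired) would fail.
    branches: [ '**' ]
    # There is an issue with GitHub required checks and paths-ignore. We don't really need to
    # run the tests if there are only irrelevant changes (see paths-ignore above). However,
    # we require tests to pass by making a "required check" rule on the branch. If the action
    # is not triggered, the required check never passes and you are stuck. Therefore, we have
    # to run tests even when we only change a markdown file. So don't do what I did and put a
    # paths-ignore right here!
  workflow_dispatch: {}

# Least-privilege GITHUB_TOKEN: every job gets a read-only token unless it
# declares a narrower/wider `permissions` block of its own below. Without a
# workflow-level block the token scope is whatever the repository default is.
permissions:
  contents: read

# NOTE(review): all third-party actions below are pinned to mutable major
# tags (@v1/@v2). Pinning to a full commit SHA (with a comment naming the
# version) is the stronger supply-chain control; tags can be re-pointed.
jobs:
  bump-check:
    runs-on: ubuntu-latest
    outputs:
      is-bump: ${{ steps.skiptest.outputs.is-bump }}
    steps:
      - uses: actions/checkout@v2
      - name: Skip version bump merges
        id: skiptest
        # Local action in this repository; its logic is not visible here.
        uses: ./.github/actions/bump-skip
        with:
          event-name: ${{ github.event_name }}

  build:
    needs: [ bump-check ]
    runs-on: ubuntu-latest
    if: needs.bump-check.outputs.is-bump == 'no'
    permissions:
      contents: read
      # Required by codeql-action/upload-sarif to write to the Security tab.
      security-events: write
    steps:
      - uses: actions/checkout@v2
      - name: Set up JDK
        uses: actions/setup-java@v2
        with:
          java-version: '17'
          distribution: 'temurin'
          cache: 'gradle'
      - name: Build the test harness and, by dependency, the service library
        run: ./gradlew --build-cache build -x test
      - name: Upload spotbugs results
        # Pinned to a release tag instead of the moving `main` branch so the
        # build does not silently pick up unreviewed upstream action code.
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: service/build/reports/spotbugs/main.sarif

  # Skipped automatically when `build` is skipped on a version-bump merge
  # (a job whose dependency was skipped is itself skipped).
  jib:
    needs: [ build ]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Set up JDK
        uses: actions/setup-java@v2
        with:
          java-version: '17'
          distribution: 'temurin'
          cache: 'gradle'
      - name: Construct docker image name and tag
        id: image-name
        # Reads the runner-provided GITHUB_REPOSITORY env var instead of
        # interpolating an `${{ }}` expression into the shell script, and
        # writes the output via GITHUB_OUTPUT rather than the deprecated
        # `::set-output` workflow command.
        run: |
          GITHUB_REPO=$(basename "$GITHUB_REPOSITORY")
          GIT_SHORT_HASH=$(git rev-parse --short HEAD)
          echo "name=${GITHUB_REPO}:${GIT_SHORT_HASH}" >> "$GITHUB_OUTPUT"
      - name: Build image locally with jib
        env:
          IMAGE_NAME: ${{ steps.image-name.outputs.name }}
        run: |
          ./gradlew --build-cache :service:jibDockerBuild \
            --image="$IMAGE_NAME" \
            -Djib.console=plain
      - name: Run Trivy vulnerability scanner
        # NOTE(review): whether this action fails the job on findings, and at
        # which severity, is decided inside the action -- confirm it is not
        # report-only if the scan is meant to gate the image.
        uses: broadinstitute/dsp-appsec-trivy-action@v1
        with:
          image: ${{ steps.image-name.outputs.name }}

  tests-and-sonarqube:
    needs: [ bump-check, build ]
    runs-on: ubuntu-latest
    if: needs.bump-check.outputs.is-bump == 'no'
    permissions:
      contents: read
      # NOTE(review): GITHUB_TOKEN is handed to the sonarqube task below,
      # presumably to look up PR metadata; read access is assumed sufficient.
      pull-requests: read
    services:
      postgres:
        image: postgres:13.1
        env:
          # Throwaway credential for the ephemeral service container; it is
          # only reachable from this runner for the lifetime of the job.
          POSTGRES_PASSWORD: postgres
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
        ports:
          - 5432:5432
    steps:
      - uses: actions/checkout@v2
        # Needed by sonar to get the git history for the branch the PR will be merged into.
        with:
          fetch-depth: 0
      - name: Set up JDK
        uses: actions/setup-java@v2
        with:
          java-version: '17'
          distribution: 'temurin'
          cache: 'gradle'
      - name: initialize the database
        env:
          PGPASSWORD: postgres
        run: |
          psql -h localhost -U postgres -f ./scripts/postgres-init.sql
      - name: Test with coverage
        # NOTE(review): `--scan` publishes a Gradle build scan (task graph,
        # test results, failure output) to scans.gradle.com unless a private
        # build-scan server is configured in the project -- verify nothing
        # sensitive ends up in those logs before relying on this in CI.
        run: ./gradlew --build-cache service:test jacocoTestReport --scan
      # The SonarQube scan is done here, so it can upload the coverage report generated by the tests.
      - name: SonarQube scan
        run: ./gradlew --build-cache sonarqube
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  notify-slack:
    needs: [ bump-check, build, tests-and-sonarqube ]
    runs-on: ubuntu-latest
    # Only on pushes to main (not PRs), and only when an upstream job failed.
    if: failure() && github.event_name == 'push' && needs.bump-check.outputs.is-bump == 'no'
    steps:
      - name: Notify WSM Slack on Failure
        uses: broadinstitute/[email protected]
        # see https://github.com/broadinstitute/action-slack
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
        with:
          status: failure
          channel: "#terra-tsps-alerts"
          username: "TSPS push to main branch"
          author_name: "build-and-test"
          icon_emoji: ":triangular_ruler:"
          fields: job, commit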