[API] Add a RBAC solution #1014
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Publish version tag | |
on: | |
merge_group: | |
pull_request: | |
branches: | |
- main | |
paths-ignore: | |
- ".github/**" | |
- ".gitignore" | |
- "**/*.md" | |
- "charts/**" | |
- "Makefile" | |
- "sda-admin/**" | |
- "tools/*" | |
types: [ closed ] | |
jobs: | |
tag_release: | |
if: github.event.pull_request.merged == true | |
name: tag version | |
outputs: | |
part: ${{ steps.bump_tag.outputs.part }} | |
tag: ${{ steps.bump_tag.outputs.tag }} | |
new_tag: ${{ steps.bump_tag.outputs.new_tag }} | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: '0' | |
- name: Bump version and push tag | |
id: bump_tag | |
uses: anothrNick/[email protected] | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
WITH_V: true | |
DEFAULT_BUMP: patch | |
push_to_registry: | |
needs: tag_release | |
if: needs.tag_release.outputs.tag != '' | |
name: Push Docker image to Github Container registry | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
packages: write | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- name: Log in to the Github Container registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Pull PR containers | |
run : | | |
for t in -download -postgres -rabbitmq -sftp-inbox; do | |
docker pull ghcr.io/${{ github.repository }}:PR${{ github.event.number }}$t | |
done | |
docker pull ghcr.io/${{ github.repository }}:PR${{ github.event.number }} | |
- name: Retag PR image for download | |
run: | | |
docker tag ghcr.io/${{ github.repository }}:PR${{ github.event.number }}-download ghcr.io/${{ github.repository }}:${{ needs.tag_release.outputs.tag }}-download | |
docker push ghcr.io/${{ github.repository }}:${{ needs.tag_release.outputs.tag }}-download | |
- name: Retag PR image for postgres | |
run: | | |
docker tag ghcr.io/${{ github.repository }}:PR${{ github.event.number }}-postgres ghcr.io/${{ github.repository }}:${{ needs.tag_release.outputs.tag }}-postgres | |
docker push ghcr.io/${{ github.repository }}:${{ needs.tag_release.outputs.tag }}-postgres | |
- name: Retag PR image for rabbitmq | |
run: | | |
docker tag ghcr.io/${{ github.repository }}:PR${{ github.event.number }}-rabbitmq ghcr.io/${{ github.repository }}:${{ needs.tag_release.outputs.tag }}-rabbitmq | |
docker push ghcr.io/${{ github.repository }}:${{ needs.tag_release.outputs.tag }}-rabbitmq | |
- name: Retag PR image for sftp-inbox | |
run: | | |
docker tag ghcr.io/${{ github.repository }}:PR${{ github.event.number }}-sftp-inbox ghcr.io/${{ github.repository }}:${{ needs.tag_release.outputs.tag }}-sftp-inbox | |
docker push ghcr.io/${{ github.repository }}:${{ needs.tag_release.outputs.tag }}-sftp-inbox | |
- name: Retag PR image for sensitive-data-archive | |
run: | | |
docker tag ghcr.io/${{ github.repository }}:PR${{ github.event.number }} ghcr.io/${{ github.repository }}:${{ needs.tag_release.outputs.tag }} | |
docker push ghcr.io/${{ github.repository }}:${{ needs.tag_release.outputs.tag }} | |
bump_chart_version: | |
needs: [tag_release, push_to_registry] | |
if: ${{ needs.tag_release.outputs.tag != '' && needs.push_to_registry.result == 'success' }} | |
permissions: | |
contents: write | |
pull-requests: write | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: '0' | |
- name: Install PyBump | |
run: | | |
python3 -m pip install pybump | |
shell: bash | |
- name: Automated Version Bump | |
id: version-bump | |
run: | | |
for name in sda-db sda-mq sda-svc; do | |
pybump set --file charts/"$name"/Chart.yaml --set-version ${{ needs.tag_release.outputs.tag }} --app-version | |
pybump bump --file charts/"$name"/Chart.yaml --level patch | |
done | |
shell: bash | |
- name: Create Pull Request | |
uses: peter-evans/create-pull-request@v7 | |
with: | |
token: ${{ secrets.GHCR_TOKEN }} | |
commit-message: Bump chart version | |
author: neicnordic <[email protected]> | |
base: main | |
branch: bump | |
delete-branch: true | |
title: '[charts] Bump version' | |
body: | | |
Bump the appVersion to: ${{ needs.tag_release.outputs.tag }} | |
labels: | | |
automated pr | |
team-reviewers: neicnordic/sensitive-data-development-collaboration |