Skip to content
This repository has been archived by the owner on Sep 3, 2024. It is now read-only.

[ID-1014] GHA builds and version reporting (#230) #11

[ID-1014] GHA builds and version reporting (#230)

[ID-1014] GHA builds and version reporting (#230) #11

Workflow file for this run

name: Build, test, and tag docker image
on:
push:
paths-ignore:
- .circleci
- hooks
- app.yaml
- CONTRIBUTING.md
- deploy.sh
- README.md
- release-checklist.md
- run_local.sh
env:
# GCP project to write images to.
GOOGLE_PROJECT: dsp-artifact-registry
# Name of the app-specific Docker repository configured in GOOGLE_PROJECT.
REPOSITORY_NAME: ${{ github.event.repository.name }}
# Name of the image to make in REPOSITORY_NAME.
IMAGE_NAME: ${{ github.event.repository.name }}
# Region-specific Google Docker repository where GOOGLE_PROJECT/REPOSITORY_NAME can be found.
GOOGLE_DOCKER_REPOSITORY: us-central1-docker.pkg.dev
# Dockerfile location relative to the repo root.
DOCKERFILE: docker/Dockerfile
jobs:
# Build Bond.
tag-build-publish:
permissions:
# Push changed tag.
contents: 'write'
# Use OIDC -> IAP.
id-token: 'write'
outputs:
tag: ${{ steps.tag.outputs.tag }}
runs-on: ubuntu-latest
steps:
# Repo clone and git user config.
- name: Checkout current code
uses: actions/checkout@v4
- name: Setup Git
shell: bash
run: |
git config --global user.name 'broadbot'
git config --global user.email 'broadbot@broadinstitute.org'
# GCP WI auth and Docker login.
- name: Auth to GCP
uses: google-github-actions/auth@v1
with:
# yamllint disable-line rule:line-length
workload_identity_provider: "projects/1038484894585/locations/global/workloadIdentityPools/github-wi-pool/providers/github-wi-provider"
service_account: "dsp-artifact-registry-push@dsp-artifact-registry.iam.gserviceaccount.com"
- name: Explicitly auth Docker for Artifact Registry
run: gcloud auth configure-docker $GOOGLE_DOCKER_REPOSITORY --quiet
# Setup multi-platform build.
- name: Setup QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
# Version bump.
- name: Bump version tag
uses: databiosphere/github-actions/actions/bumper@bumper-0.0.6
id: tag
env:
INITIAL_VERSION: 1.7.7
WITH_V: true
DEFAULT_BUMP: patch
RELEASE_BRANCHES: ${{ github.event.repository.default_branch }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# Build and push Docker image and tags.
- name: Construct docker image name and tag
id: image-name
run: |
NAME="${GOOGLE_DOCKER_REPOSITORY}/${GOOGLE_PROJECT}/${REPOSITORY_NAME}/${IMAGE_NAME}"
VERSION_TAG="${NAME}:${{ steps.tag.outputs.tag }}"
if [ ${{ github.ref_name }} == ${{ github.event.repository.default_branch }} ]; then
BRANCH_TAG="${NAME}:latest"
else
BRANCH_TAG="${NAME}:${{ github.ref_name }}"
fi
TAGS="${VERSION_TAG},${BRANCH_TAG}"
echo "NAME: ${NAME}"
echo "image-name=${NAME}" >> $GITHUB_OUTPUT
echo "BRANCH_TAG: ${BRANCH_TAG}"
echo "branch-tag=${BRANCH_TAG}" >> $GITHUB_OUTPUT
echo "VERSION_TAG: ${VERSION_TAG}"
echo "TAGS: ${TAGS}"
echo "tags=${TAGS}" >> $GITHUB_OUTPUT
shell: bash
- name: Build and cache image
uses: docker/build-push-action@v5
with:
context: .
file: ${{ env.DOCKERFILE }}
platforms: linux/amd64 # ,linux/arm64 # More platforms can be added here.
push: false
tags: ${{ steps.image-name.outputs.tags }}
load: true
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Run Trivy vulnerability scanner
# From https://github.com/broadinstitute/dsp-appsec-trivy-action
uses: broadinstitute/dsp-appsec-trivy-action@v1
with:
context: .
dockerfile: ${{ env.DOCKERFILE }}
- name: Run functional tests
run: |
docker run --entrypoint /bin/bash --workdir "/app" ${{ steps.image-name.outputs.branch-tag }} -c "./tests/functional_test.sh"
- name: Push image
run: |
docker push -a ${{ steps.image-name.outputs.image-name }}
test:
runs-on: ubuntu-latest
container: google/cloud-sdk:454.0.0
steps:
- name: Check Python version
run: |
VER_REGEX="^Python 3\.9(\.[0-9]+)?$"
PY_VER=$(python3 --version 2>&1)
if ! [[ "$PY_VER" =~ $VER_REGEX ]]; then
echo "$PY_VER is not the expected version" && exit 1
fi
shell: bash
- name: Checkout current code
uses: actions/checkout@v4
- name: Setup virtualenv
run: |
apt-get update
apt-get -y install python3-pip
pip3 install virtualenv
python3 -m virtualenv -p python3 virtualenv
shell: bash
- name: Install dependencies
run: |
source virtualenv/bin/activate
pip3 install -r requirements.txt --ignore-installed
shell: bash
- name: Run tests
run: |
source virtualenv/bin/activate
python -m unittest discover -s tests/unit -p "*_test.py"
shell: bash
- name: Start Datastore Emulator
run: |
./tests/datastore_emulator/run_emulator.sh &
shell: bash
- name: Run Datastore Emulator Tests
run: |
# Sleep to let the emulator start up before running tests.
sleep 10
source virtualenv/bin/activate
./tests/datastore_emulator/test.sh
shell: bash
tag:
if: github.ref_name == github.event.repository.default_branch
needs: [tag-build-publish, test]
permissions:
# Push changed tag.
contents: 'write'
runs-on: ubuntu-latest
steps:
# Repo clone and git user config.
- name: Checkout current code
uses: actions/checkout@v4
- name: Setup Git
shell: bash
run: |
git config --global user.name 'broadbot'
git config --global user.email 'broadbot@broadinstitute.org'
- name: Tag dev_tests_passed commit
run: |
TAG_NAME=dev_tests_passed_$(date +%b_%d_%Y-%H_%M_%S)
git tag $TAG_NAME
git push origin $TAG_NAME
# Report new semver versions to Sherlock (main branch only).
report-to-sherlock:
uses: broadinstitute/sherlock/.github/workflows/client-report-app-version.yaml@main
needs: [tag-build-publish, test]
with:
chart-name: "bond"
new-version: ${{ needs.tag-build-publish.outputs.tag }}
permissions:
contents: "read"
id-token: "write"