[ID-1014] GHA builds and version reporting (#230) #11
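---
# Build, scan, test and publish the Bond Docker image, then tag the commit
# and report the new version. Expression values (branch names, step outputs)
# are passed to shell steps through `env:` rather than interpolated into the
# script text, so they are never parsed by bash.
name: Build, test, and tag docker image

# yamllint disable-line rule:truthy
on:
  push:
    paths-ignore:
      - .circleci
      - hooks
      - app.yaml
      - CONTRIBUTING.md
      - deploy.sh
      - README.md
      - release-checklist.md
      - run_local.sh

env:
  # GCP project to write images to.
  GOOGLE_PROJECT: dsp-artifact-registry
  # Name of the app-specific Docker repository configured in GOOGLE_PROJECT.
  REPOSITORY_NAME: ${{ github.event.repository.name }}
  # Name of the image to make in REPOSITORY_NAME.
  IMAGE_NAME: ${{ github.event.repository.name }}
  # Region-specific Google Docker repository where GOOGLE_PROJECT/REPOSITORY_NAME can be found.
  GOOGLE_DOCKER_REPOSITORY: us-central1-docker.pkg.dev
  # Dockerfile location relative to the repo root.
  DOCKERFILE: docker/Dockerfile

# NOTE(review): third-party actions below are referenced by mutable tags or
# branches (@v1, @v3, @main, @bumper-0.0.6). Pinning each to a commit SHA
# would make the build reproducible and immune to upstream tag moves.
jobs:
  # Build Bond.
  tag-build-publish:
    permissions:
      # Push changed tag.
      contents: write
      # Use OIDC -> IAP.
      id-token: write
    outputs:
      tag: ${{ steps.tag.outputs.tag }}
    runs-on: ubuntu-latest
    steps:
      # Repo clone and git user config.
      - name: Checkout current code
        uses: actions/checkout@v4
      - name: Setup Git
        shell: bash
        run: |
          git config --global user.name 'broadbot'
          git config --global user.email 'broadbot@broadinstitute.org'
      # GCP WI auth and Docker login.
      - name: Auth to GCP
        uses: google-github-actions/auth@v1
        with:
          # yamllint disable-line rule:line-length
          workload_identity_provider: "projects/1038484894585/locations/global/workloadIdentityPools/github-wi-pool/providers/github-wi-provider"
          service_account: "dsp-artifact-registry-push@dsp-artifact-registry.iam.gserviceaccount.com"
      - name: Explicitly auth Docker for Artifact Registry
        run: gcloud auth configure-docker "$GOOGLE_DOCKER_REPOSITORY" --quiet
      # Setup multi-platform build.
      - name: Setup QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      # Version bump.
      - name: Bump version tag
        uses: databiosphere/github-actions/actions/bumper@bumper-0.0.6
        id: tag
        env:
          # Quoted so the action receives literal strings, not YAML-typed values.
          INITIAL_VERSION: "1.7.7"
          WITH_V: "true"
          DEFAULT_BUMP: patch
          RELEASE_BRANCHES: ${{ github.event.repository.default_branch }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # Build and push Docker image and tags.
      - name: Construct docker image name and tag
        id: image-name
        # The branch name and the bumped tag are read from env variables
        # (GITHUB_REF_NAME is a runner-provided default) so that no
        # ${{ }} expression is expanded into the script body.
        env:
          VERSION: ${{ steps.tag.outputs.tag }}
          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
        shell: bash
        run: |
          NAME="${GOOGLE_DOCKER_REPOSITORY}/${GOOGLE_PROJECT}/${REPOSITORY_NAME}/${IMAGE_NAME}"
          VERSION_TAG="${NAME}:${VERSION}"
          if [[ "${GITHUB_REF_NAME}" == "${DEFAULT_BRANCH}" ]]; then
            BRANCH_TAG="${NAME}:latest"
          else
            # Docker tags may not contain '/', so 'feature/x' is tagged as 'feature-x'.
            BRANCH_TAG="${NAME}:${GITHUB_REF_NAME//\//-}"
          fi
          TAGS="${VERSION_TAG},${BRANCH_TAG}"
          echo "NAME: ${NAME}"
          echo "image-name=${NAME}" >> "$GITHUB_OUTPUT"
          echo "BRANCH_TAG: ${BRANCH_TAG}"
          echo "branch-tag=${BRANCH_TAG}" >> "$GITHUB_OUTPUT"
          echo "VERSION_TAG: ${VERSION_TAG}"
          echo "TAGS: ${TAGS}"
          echo "tags=${TAGS}" >> "$GITHUB_OUTPUT"
      - name: Build and cache image
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ${{ env.DOCKERFILE }}
          platforms: linux/amd64  # ,linux/arm64 # More platforms can be added here.
          # Built locally first; the push happens only after the scan and
          # functional tests below have passed.
          push: false
          tags: ${{ steps.image-name.outputs.tags }}
          load: true
          cache-from: type=gha
          cache-to: type=gha,mode=max
      - name: Run Trivy vulnerability scanner
        # From https://github.com/broadinstitute/dsp-appsec-trivy-action
        uses: broadinstitute/dsp-appsec-trivy-action@v1
        with:
          context: .
          dockerfile: ${{ env.DOCKERFILE }}
      - name: Run functional tests
        env:
          BRANCH_TAG: ${{ steps.image-name.outputs.branch-tag }}
        run: |
          docker run --entrypoint /bin/bash --workdir "/app" "$BRANCH_TAG" -c "./tests/functional_test.sh"
      - name: Push image
        env:
          FULL_IMAGE_NAME: ${{ steps.image-name.outputs.image-name }}
        run: |
          # -a pushes every local tag of the image (version tag and branch/latest tag).
          docker push -a "$FULL_IMAGE_NAME"

  test:
    # Only reads the repository; no token write scope is needed here.
    permissions:
      contents: read
    runs-on: ubuntu-latest
    container: google/cloud-sdk:454.0.0
    steps:
      - name: Check Python version
        shell: bash
        run: |
          VER_REGEX="^Python 3\.9(\.[0-9]+)?$"
          PY_VER=$(python3 --version 2>&1)
          if ! [[ "$PY_VER" =~ $VER_REGEX ]]; then
            echo "$PY_VER is not the expected version" && exit 1
          fi
      - name: Checkout current code
        uses: actions/checkout@v4
      - name: Setup virtualenv
        shell: bash
        run: |
          apt-get update
          apt-get -y install python3-pip
          pip3 install virtualenv
          python3 -m virtualenv -p python3 virtualenv
      - name: Install dependencies
        shell: bash
        run: |
          source virtualenv/bin/activate
          pip3 install -r requirements.txt --ignore-installed
      - name: Run tests
        shell: bash
        run: |
          source virtualenv/bin/activate
          python -m unittest discover -s tests/unit -p "*_test.py"
      - name: Start Datastore Emulator
        shell: bash
        run: |
          ./tests/datastore_emulator/run_emulator.sh &
      - name: Run Datastore Emulator Tests
        shell: bash
        run: |
          # Sleep to let the emulator start up before running tests.
          # NOTE(review): a fixed sleep is a race; polling the emulator's
          # readiness endpoint would be more reliable — confirm what
          # run_emulator.sh exposes before changing this.
          sleep 10
          source virtualenv/bin/activate
          ./tests/datastore_emulator/test.sh

  tag:
    if: github.ref_name == github.event.repository.default_branch
    needs: [tag-build-publish, test]
    permissions:
      # Push changed tag.
      contents: write
    runs-on: ubuntu-latest
    steps:
      # Repo clone and git user config.
      - name: Checkout current code
        uses: actions/checkout@v4
      - name: Setup Git
        shell: bash
        run: |
          git config --global user.name 'broadbot'
          git config --global user.email 'broadbot@broadinstitute.org'
      - name: Tag dev_tests_passed commit
        shell: bash
        run: |
          TAG_NAME="dev_tests_passed_$(date +%b_%d_%Y-%H_%M_%S)"
          git tag "$TAG_NAME"
          git push origin "$TAG_NAME"

  # Report new semver versions to Sherlock (main branch only).
  # NOTE(review): unlike the `tag` job, this job carries no `if:` guard on
  # the default branch; presumably the called workflow filters by version —
  # verify, or add the same `if:` here.
  report-to-sherlock:
    uses: broadinstitute/sherlock/.github/workflows/client-report-app-version.yaml@main
    needs: [tag-build-publish, test]
    with:
      chart-name: "bond"
      new-version: ${{ needs.tag-build-publish.outputs.tag }}
    permissions:
      contents: read
      id-token: write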