This repository has been archived by the owner on Sep 3, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 0
201 lines (184 loc) · 6.63 KB
/
build-test-tag.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
name: Build, test, and tag docker image
on:
push:
paths-ignore:
- .circleci
- hooks
- app.yaml
- CONTRIBUTING.md
- deploy.sh
- README.md
- release-checklist.md
- run_local.sh
env:
# GCP project to write images to.
GOOGLE_PROJECT: dsp-artifact-registry
# Name of the app-specific Docker repository configured in GOOGLE_PROJECT.
REPOSITORY_NAME: ${{ github.event.repository.name }}
# Name of the image to make in REPOSITORY_NAME.
IMAGE_NAME: ${{ github.event.repository.name }}
# Region-specific Google Docker repository where GOOGLE_PROJECT/REPOSITORY_NAME can be found.
GOOGLE_DOCKER_REPOSITORY: us-central1-docker.pkg.dev
# Dockerfile location relative to the repo root.
DOCKERFILE: docker/Dockerfile
jobs:
# Build Bond.
tag-build-publish:
permissions:
# Push changed tag.
contents: 'write'
# Use OIDC -> IAP.
id-token: 'write'
outputs:
tag: ${{ steps.tag.outputs.tag }}
runs-on: ubuntu-latest
steps:
# Repo clone and git user config.
- name: Checkout current code
uses: actions/checkout@v4
- name: Setup Git
shell: bash
run: |
git config --global user.name 'broadbot'
git config --global user.email 'broadbot@broadinstitute.org'
# GCP WI auth and Docker login.
- name: Auth to GCP
uses: google-github-actions/auth@v1
with:
# yamllint disable-line rule:line-length
workload_identity_provider: "projects/1038484894585/locations/global/workloadIdentityPools/github-wi-pool/providers/github-wi-provider"
service_account: "dsp-artifact-registry-push@dsp-artifact-registry.iam.gserviceaccount.com"
- name: Explicitly auth Docker for Artifact Registry
run: gcloud auth configure-docker $GOOGLE_DOCKER_REPOSITORY --quiet
# Setup multi-platform build.
- name: Setup QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
# Version bump.
- name: Bump version tag
uses: databiosphere/github-actions/actions/bumper@bumper-0.0.6
id: tag
env:
INITIAL_VERSION: 1.7.7
WITH_V: true
DEFAULT_BUMP: patch
RELEASE_BRANCHES: ${{ github.event.repository.default_branch }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# Build and push Docker image and tags.
- name: Construct docker image name and tag
id: image-name
run: |
NAME="${GOOGLE_DOCKER_REPOSITORY}/${GOOGLE_PROJECT}/${REPOSITORY_NAME}/${IMAGE_NAME}"
VERSION_TAG="${NAME}:${{ steps.tag.outputs.tag }}"
if [ ${{ github.ref_name }} == ${{ github.event.repository.default_branch }} ]; then
BRANCH_TAG="${NAME}:latest"
else
BRANCH_TAG="${NAME}:${{ github.ref_name }}"
fi
TAGS="${VERSION_TAG},${BRANCH_TAG}"
echo "NAME: ${NAME}"
echo "image-name=${NAME}" >> $GITHUB_OUTPUT
echo "BRANCH_TAG: ${BRANCH_TAG}"
echo "branch-tag=${BRANCH_TAG}" >> $GITHUB_OUTPUT
echo "VERSION_TAG: ${VERSION_TAG}"
echo "TAGS: ${TAGS}"
echo "tags=${TAGS}" >> $GITHUB_OUTPUT
shell: bash
- name: Build and cache image
uses: docker/build-push-action@v5
with:
context: .
file: ${{ env.DOCKERFILE }}
platforms: linux/amd64 # ,linux/arm64 # More platforms can be added here.
push: false
tags: ${{ steps.image-name.outputs.tags }}
load: true
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Run Trivy vulnerability scanner
# From https://github.com/broadinstitute/dsp-appsec-trivy-action
uses: broadinstitute/dsp-appsec-trivy-action@v1
with:
context: .
dockerfile: ${{ env.DOCKERFILE }}
- name: Run functional tests
run: |
docker run --entrypoint /bin/bash --workdir "/app" ${{ steps.image-name.outputs.branch-tag }} -c "./tests/functional_test.sh"
- name: Push image
run: |
docker push -a ${{ steps.image-name.outputs.image-name }}
test:
runs-on: ubuntu-latest
container: google/cloud-sdk:454.0.0
steps:
- name: Check Python version
run: |
VER_REGEX="^Python 3\.9(\.[0-9]+)?$"
PY_VER=$(python3 --version 2>&1)
if ! [[ "$PY_VER" =~ $VER_REGEX ]]; then
echo "$PY_VER is not the expected version" && exit 1
fi
shell: bash
- name: Checkout current code
uses: actions/checkout@v4
- name: Setup virtualenv
run: |
apt-get update
apt-get -y install python3-pip
pip3 install virtualenv
python3 -m virtualenv -p python3 virtualenv
shell: bash
- name: Install dependencies
run: |
source virtualenv/bin/activate
pip3 install -r requirements.txt --ignore-installed
shell: bash
- name: Run tests
run: |
source virtualenv/bin/activate
python -m unittest discover -s tests/unit -p "*_test.py"
shell: bash
- name: Start Datastore Emulator
run: |
./tests/datastore_emulator/run_emulator.sh &
shell: bash
- name: Run Datastore Emulator Tests
run: |
# Sleep to let the emulator start up before running tests.
sleep 10
source virtualenv/bin/activate
./tests/datastore_emulator/test.sh
shell: bash
tag:
if: github.ref_name == github.event.repository.default_branch
needs: [tag-build-publish, test]
permissions:
# Push changed tag.
contents: 'write'
runs-on: ubuntu-latest
steps:
# Repo clone and git user config.
- name: Checkout current code
uses: actions/checkout@v4
- name: Setup Git
shell: bash
run: |
git config --global user.name 'broadbot'
git config --global user.email 'broadbot@broadinstitute.org'
- name: Tag dev_tests_passed commit
run: |
TAG_NAME=dev_tests_passed_$(date +%b_%d_%Y-%H_%M_%S)
# git tag $TAG_NAME
# git push origin $TAG_NAME
echo "current commit would be tagged as ${TAG_NAME}"
# Report new semver versions to Sherlock (main branch only).
report-to-sherlock:
uses: broadinstitute/sherlock/.github/workflows/client-report-app-version.yaml@main
needs: [tag-build-publish, test]
with:
chart-name: "bond"
new-version: ${{ needs.tag-build-publish.outputs.tag }}
permissions:
contents: "read"
id-token: "write"