[DDO-3205] Remix v2 update, remix-utils update, very slightly lower d… #872
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Bump, Tag, and Publish | |
| # The purpose of the workflow is to: | |
| # 1. Bump the version number and tag the release if not a PR | |
| # 2. Build docker image and publish to GAR | |
| # | |
| # When run on merge to main, it tags and bumps the patch version by default. You can | |
| # bump other parts of the version by putting #major, #minor, or #patch in your commit | |
| # message. | |
| # | |
| # When run on a PR, it simulates bumping the tag and appends a hash to the pushed image. | |
| on: | |
| push: | |
| branches: | |
| - main | |
| paths-ignore: | |
| - "README.md" | |
| pull_request: | |
| branches: | |
| - main | |
| paths-ignore: | |
| - "README.md" | |
| - "foundation.yaml" | |
| env: | |
| # The project we'll be pushing artifacts to. | |
| GOOGLE_PROJECT: dsp-artifact-registry | |
| # Name of the app-specific Docker repository configured in GOOGLE_PROJECT. | |
| # This is typically equal to the GitHub repository name. | |
| REPOSITORY_NAME: ${{ github.event.repository.name }} | |
| # Name of the image we'll be uploading into the Docker repository. | |
| # This is often equal to the GitHub repository name, but it might also be the | |
| # name of the Helm Chart if that's different. | |
| IMAGE_NAME: ${{ github.event.repository.name }} | |
| # This is the region-specific top-level Google-managed domain where our | |
| # GOOGLE_PROJECT/REPOSITORY_NAME can be found. | |
| GOOGLE_DOCKER_REPOSITORY: us-central1-docker.pkg.dev | |
| jobs: | |
| tag-build-publish: | |
| runs-on: ubuntu-latest | |
| # For Dependabot, see dependabot-build.yaml | |
| if: ${{ github.actor != 'dependabot[bot]' }} | |
| permissions: | |
| # Push changed tag | |
| contents: "write" | |
| # Use OIDC -> IAP | |
| id-token: "write" | |
| # Make comments | |
| pull-requests: "write" | |
| issues: "write" | |
| outputs: | |
| tag: ${{ steps.tag.outputs.tag }} | |
| steps: | |
| # Git config | |
| - name: Checkout current code | |
| uses: actions/checkout@v3 | |
| - name: Set up Git | |
| shell: bash | |
| run: | | |
| git config --global user.name 'broadbot' | |
| git config --global user.email '[email protected]' | |
| # GCP config | |
| - name: Auth to GCP | |
| id: "auth" | |
| uses: google-github-actions/auth@v0 | |
| with: | |
| workload_identity_provider: "projects/1038484894585/locations/global/workloadIdentityPools/github-wi-pool/providers/github-wi-provider" | |
| service_account: "dsp-artifact-registry-push@dsp-artifact-registry.iam.gserviceaccount.com" | |
| - name: Set up Cloud SDK | |
| uses: google-github-actions/setup-gcloud@v0 | |
| # Docker config | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v2 | |
| - name: Explicitly auth Docker for Artifact Registry | |
| run: gcloud auth configure-docker $GOOGLE_DOCKER_REPOSITORY --quiet | |
| # Version bump | |
| - name: Bump the tag to a new version | |
| uses: databiosphere/github-actions/actions/[email protected] | |
| id: tag | |
| env: | |
| DEFAULT_BUMP: patch | |
| RELEASE_BRANCHES: ${{ github.event.repository.default_branch }} | |
| WITH_V: true | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| # Build images | |
| - name: Construct docker image name and tag | |
| id: image-name | |
| shell: bash | |
| run: | | |
| NAME="${GOOGLE_DOCKER_REPOSITORY}/${GOOGLE_PROJECT}/${REPOSITORY_NAME}/${IMAGE_NAME}" | |
| DOCKER_TAG="${{ steps.tag.outputs.tag }}" | |
| TAGGED="${NAME}:${DOCKER_TAG}" | |
| echo "NAME: ${NAME}" | |
| echo "TAGGED: ${TAGGED}" | |
| echo "name=${NAME}" >> $GITHUB_OUTPUT | |
| echo "tagged=${TAGGED}" >> $GITHUB_OUTPUT | |
| - name: Build image | |
| uses: docker/build-push-action@v3 | |
| with: | |
| context: . | |
| push: false | |
| load: true | |
| tags: | | |
| ${{ steps.image-name.outputs.tagged }} | |
| build-args: | | |
| BUILD_VERSION=${{ steps.tag.outputs.tag }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| - name: Run Trivy vulnerability scanner | |
| uses: broadinstitute/dsp-appsec-trivy-action@v1 | |
| with: | |
| image: ${{ steps.image-name.outputs.tagged }} | |
| # Publish images | |
| - name: Push image | |
| run: | | |
| docker push ${{ steps.image-name.outputs.tagged }} | |
| - name: Add latest tag to Docker image | |
| if: github.event_name != 'pull_request' | |
| shell: bash | |
| run: | | |
| gcloud artifacts docker tags add \ | |
| "${{ steps.image-name.outputs.tagged }}" \ | |
| "${{ steps.image-name.outputs.name }}:latest" | |
| # (Optional) Comment pushed image | |
| - name: Comment pushed image | |
| uses: actions/[email protected] | |
| if: github.event_name == 'pull_request' | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| script: | | |
| const { issue: { number: issue_number }, repo: { owner, repo } } = context; | |
| github.issues.createComment({ issue_number, owner, repo, body: 'Pushed image: ${{ steps.image-name.outputs.tagged }}' }); | |
| report-to-sherlock: | |
| uses: broadinstitute/sherlock/.github/workflows/client-report-app-version.yaml@main | |
| needs: tag-build-publish | |
| with: | |
| chart-name: "beehive" | |
| new-version: ${{ needs.tag-build-publish.outputs.tag }} | |
| permissions: | |
| contents: "read" | |
| id-token: "write" |