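---
name: Bump, Tag, and Publish
# The purpose of this workflow is to:
# 1. Bump the version number and tag the release (the tag push is skipped on a PR)
# 2. Build the Docker image and publish it to GAR
#
# When run on a merge to main, it tags and bumps the patch version by default. You can
# bump other parts of the version by putting #major, #minor, or #patch in your commit
# message.
#
# When run on a PR, it simulates bumping the tag and appends a hash to the pushed image.
#
# Both triggers ignore the paths listed below, so a change that only touches those
# files does not start a build (and therefore does not cut a release on main).
on:  # yamllint disable-line rule:truthy -- `on` is a YAML 1.1 boolean; GitHub's loader reads it as the key
  push:
    branches:
      - main
    paths-ignore:
      - "README.md"
  pull_request:
    branches:
      - main
    paths-ignore:
      - "README.md"
      - "foundation.yaml"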
env:
  # GCP project that receives the pushed artifacts.
  GOOGLE_PROJECT: "dsp-artifact-registry"
  # App-specific Docker repository inside GOOGLE_PROJECT; usually the same as the
  # GitHub repository name.
  REPOSITORY_NAME: "${{ github.event.repository.name }}"
  # Image name uploaded into that repository. Often the GitHub repository name,
  # but it may be the Helm chart name when the two differ.
  IMAGE_NAME: "${{ github.event.repository.name }}"
  # Region-specific, Google-managed registry host under which
  # GOOGLE_PROJECT/REPOSITORY_NAME lives.
  GOOGLE_DOCKER_REPOSITORY: "us-central1-docker.pkg.dev"
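jobs:
  tag-build-publish:
    runs-on: ubuntu-latest
    # For Dependabot, see dependabot-build.yaml
    if: ${{ github.actor != 'dependabot[bot]' }}
    permissions:
      # Push the new version tag back to the repository
      contents: "write"
      # Mint an OIDC token for the GCP auth step below (Workload Identity -> IAP)
      id-token: "write"
      # Post the "pushed image" comment on pull requests
      pull-requests: "write"
      issues: "write"
    outputs:
      # Version tag produced (or, on a PR, simulated) by the bump step.
      tag: ${{ steps.tag.outputs.tag }}
    steps:
      # NOTE(review): every `uses:` below references a mutable tag (@v3, @v0, ...).
      # Pinning to a full commit SHA, e.g. `actions/checkout@<full-commit-sha>  # v3`,
      # means a moved or re-pushed tag cannot change what runs with these credentials.
      # Git config
      - name: Checkout current code
        uses: actions/checkout@v3
      - name: Set up Git
        shell: bash
        # NOTE(review): the e-mail value below appears redacted in this copy of the
        # file; confirm it against the source repository.
        run: |
          git config --global user.name 'broadbot'
          git config --global user.email '[email protected]'
      # GCP config
      - name: Auth to GCP
        id: "auth"
        # Keyless auth via Workload Identity Federation: no long-lived service
        # account key is stored in the repository.
        uses: google-github-actions/auth@v0
        with:
          workload_identity_provider: "projects/1038484894585/locations/global/workloadIdentityPools/github-wi-pool/providers/github-wi-provider"
          service_account: "dsp-artifact-registry-push@dsp-artifact-registry.iam.gserviceaccount.com"
      - name: Set up Cloud SDK
        uses: google-github-actions/setup-gcloud@v0
      # Docker config
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: Explicitly auth Docker for Artifact Registry
        shell: bash
        run: gcloud auth configure-docker "$GOOGLE_DOCKER_REPOSITORY" --quiet
      # Version bump
      - name: Bump the tag to a new version
        # NOTE(review): this action reference appears redacted in this copy of the
        # file; confirm the pinned version against the source repository.
        uses: databiosphere/github-actions/actions/[email protected]
        id: tag
        env:
          DEFAULT_BUMP: patch
          RELEASE_BRANCHES: ${{ github.event.repository.default_branch }}
          # Quoted so the value is unambiguously the string "true" rather than a
          # YAML boolean.
          WITH_V: "true"
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # Build images
      - name: Construct docker image name and tag
        id: image-name
        shell: bash
        # Step outputs are passed through env rather than spliced into the script
        # with ${{ }}, so their contents are never re-parsed as shell syntax.
        env:
          DOCKER_TAG: ${{ steps.tag.outputs.tag }}
        run: |
          NAME="${GOOGLE_DOCKER_REPOSITORY}/${GOOGLE_PROJECT}/${REPOSITORY_NAME}/${IMAGE_NAME}"
          TAGGED="${NAME}:${DOCKER_TAG}"
          echo "NAME: ${NAME}"
          echo "TAGGED: ${TAGGED}"
          echo "name=${NAME}" >> "$GITHUB_OUTPUT"
          echo "tagged=${TAGGED}" >> "$GITHUB_OUTPUT"
      - name: Build image
        uses: docker/build-push-action@v3
        with:
          context: .
          # Build and load only; the push happens after the vulnerability scan.
          push: false
          load: true
          tags: |
            ${{ steps.image-name.outputs.tagged }}
          build-args: |
            BUILD_VERSION=${{ steps.tag.outputs.tag }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
      - name: Run Trivy vulnerability scanner
        # Runs before the push, so a scan that fails the step stops the job before
        # the image is published.
        uses: broadinstitute/dsp-appsec-trivy-action@v1
        with:
          image: ${{ steps.image-name.outputs.tagged }}
      # Publish images
      - name: Push image
        shell: bash
        env:
          TAGGED: ${{ steps.image-name.outputs.tagged }}
        run: |
          docker push "$TAGGED"
      - name: Add latest tag to Docker image
        if: github.event_name != 'pull_request'
        shell: bash
        env:
          TAGGED: ${{ steps.image-name.outputs.tagged }}
          NAME: ${{ steps.image-name.outputs.name }}
        run: |
          gcloud artifacts docker tags add "$TAGGED" "${NAME}:latest"
      # (Optional) Comment pushed image
      - name: Comment pushed image
        # NOTE(review): this action reference appears redacted in this copy of the
        # file; confirm the pinned version against the source repository.
        uses: actions/[email protected]
        if: github.event_name == 'pull_request'
        env:
          TAGGED: ${{ steps.image-name.outputs.tagged }}
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          # The image reference is read from env instead of being interpolated into
          # the JavaScript source, so it cannot terminate the string literal.
          script: |
            const { issue: { number: issue_number }, repo: { owner, repo } } = context;
            github.issues.createComment({ issue_number, owner, repo, body: `Pushed image: ${process.env.TAGGED}` });
  report-to-sherlock:
    needs: tag-build-publish
    # NOTE(review): `@main` is a moving reference; pinning the reusable workflow to a
    # tag or commit SHA keeps its behavior reproducible.
    uses: broadinstitute/sherlock/.github/workflows/client-report-app-version.yaml@main
    permissions:
      contents: "read"
      id-token: "write"
    with:
      chart-name: "beehive"
      new-version: ${{ needs.tag-build-publish.outputs.tag }}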