Skip to content

[DDO-3889] Content Security Policy (#676) #1576

[DDO-3889] Content Security Policy (#676)

[DDO-3889] Content Security Policy (#676) #1576

name: Bump, Tag, and Publish
# The purpose of the workflow is to:
# 1. Bump the version number and tag the release if not a PR
# 2. Build docker image and publish to GAR
#
# When run on merge to main, it tags and bumps the patch version by default. You can
# bump other parts of the version by putting #major, #minor, or #patch in your commit
# message.
#
# When run on a PR, it simulates bumping the tag and appends a hash to the pushed image.
#
# The workflow relies on github secrets:
# - BROADBOT_TOKEN - the broadbot token, so we can avoid two reviewer rule on GHA operations
on:
push:
branches:
- main
paths:
- ".github/workflows/sherlock-build.yaml"
- ".github/workflows/client-report-app-version.yaml"
- ".github/workflows/client-report-workflow.yaml"
- "sherlock/**"
- "!sherlock/docs/**"
- "go-shared/**"
- "!**/*.md"
pull_request:
branches:
- main
workflow_dispatch:
env:
GO_SWAGGER_VERSION: v0.29.0
RUNTIME_BASE_IMAGE: us.gcr.io/broad-dsp-gcr-public/base/cbl-mariner:2.0-nonroot-fips
concurrency:
# Don't run this workflow concurrently on the same branch
group: ${{ github.workflow }}-${{ github.ref }}
# For PRs, don't wait for completion of existing runs, cancel them instead
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
jobs:
generate-tag:
runs-on: ubuntu-latest
permissions:
contents: 'read'
outputs:
tag: ${{ steps.tag.outputs.new_tag }}
steps:
- name: Checkout
uses: actions/checkout@v4
with:
token: ${{ (github.actor != 'dependabot[bot]' && secrets.BROADBOT_TOKEN) || secrets.GITHUB_TOKEN }}
fetch-depth: 0
# We use DRY_RUN so we don't push to the repo prematurely -- we may
# have code-gen changes, or we might not end up pushing at all.
- name: Generate Tag
uses: databiosphere/github-actions/actions/[email protected]
id: tag
env:
DEFAULT_BUMP: patch
RELEASE_BRANCHES: ${{ github.event.repository.default_branch }}
WITH_V: true
GITHUB_TOKEN: ${{ (github.actor != 'dependabot[bot]' && secrets.BROADBOT_TOKEN) || secrets.GITHUB_TOKEN }}
DRY_RUN: true
build-and-publish:
needs: [generate-tag]
if: ${{ needs.generate-tag.outputs.tag != '' }}
runs-on: ubuntu-latest
permissions:
contents: 'read'
id-token: 'write'
steps:
- name: Checkout
uses: actions/checkout@v4
with:
token: ${{ (github.actor != 'dependabot[bot]' && secrets.BROADBOT_TOKEN) || secrets.GITHUB_TOKEN }}
- name: Set up Git
if: ${{ github.actor != 'dependabot[bot]' }}
run: |
git config --global user.name 'broadbot'
git config --global user.email '[email protected]'
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: sherlock/go.mod
- name: Set up Node/NPM
uses: actions/setup-node@v4
with:
node-version: 18
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Set up Swag
run: make install-swagger
- name: Format Swagger comments
run: make format-swagger
- name: Generate Swagger source
run: make generate-swagger
- name: Update Pact provider documentation
run: make document-pact-provider
- name: Delete existing Go client library code
# Just delete code, not config, so that no-longer-generated files will disappear
run: rm -rf sherlock-go-client/client
- name: Generate Go client library
run: |
docker run --rm -e GOPATH=/go \
-v $(go env GOPATH):/go \
-v "${PWD}:/local" \
-w "/local/sherlock-go-client" \
quay.io/goswagger/swagger:${GO_SWAGGER_VERSION} \
generate client -f /local/sherlock/docs/swagger.json -A sherlock --default-scheme=https -m client/models -c client
- name: Tidy Go client library dependencies
working-directory: sherlock-go-client
run: go mod tidy
- name: Delete existing Python client library code
# Just delete code, not config, so that no-longer-generated files will disappear
run: rm -rf sherlock-python-client/docs sherlock-python-client/sherlock_python_client sherlock-python-client/test
- name: Generate Python client library
run: |
docker run --rm -v "${PWD}:/local" openapitools/openapi-generator-cli generate \
-i /local/sherlock/docs/swagger.json \
-g python \
-o /local/sherlock-python-client \
--git-user-id broadinstitute \
--git-repo-id sherlock \
--additional-properties=disallowAdditionalPropertiesIfNotPresent=false \
--additional-properties=packageName=sherlock_python_client \
--additional-properties=packageUrl='git+https://github.com/broadinstitute/sherlock#subdirectory=sherlock-python-client' \
--additional-properties=packageVersion=${{ needs.generate-tag.outputs.tag }}
- name: Fix Python documentation
run: |
cat sherlock-python-client/README-header.md sherlock-python-client/README.md > temp
mv temp sherlock-python-client/README.md
cp sherlock-python-client/README.md sherlock-python-client/sherlock_python_client_README.md
- name: Delete existing Typescript client library code
# Just delete code, not config, so that no-longer-generated files will disappear
run: rm -rf sherlock-typescript-client/src
- name: Generate Typescript client library
run: |
docker run --rm -v "${PWD}:/local" openapitools/openapi-generator-cli generate \
-i /local/sherlock/docs/swagger.json \
-g typescript-fetch \
-o /local/sherlock-typescript-client \
--git-user-id broadinstitute \
--git-repo-id sherlock \
--additional-properties=disallowAdditionalPropertiesIfNotPresent=false \
--additional-properties=supportsES6=true \
--additional-properties=npmName=@sherlock-js-client/sherlock \
--additional-properties=npmVersion=${{ needs.generate-tag.outputs.tag }}
- name: Build Typescript client
working-directory: sherlock-typescript-client
run: |
npm install --save-dev
npm run build
- name: Assemble Docker tags
uses: docker/metadata-action@v5
id: meta
with:
images: |
us-central1-docker.pkg.dev/dsp-artifact-registry/sherlock/sherlock
us-central1-docker.pkg.dev/dsp-devops-super-prod/sherlock/sherlock
tags: |
type=raw,value=${{ needs.generate-tag.outputs.tag }}
type=semver,pattern=v{{major}},value=${{ needs.generate-tag.outputs.tag }},enable={{is_default_branch}}
type=semver,pattern=v{{major}}.{{minor}},value=${{ needs.generate-tag.outputs.tag }},enable={{is_default_branch}}
type=raw,value=latest,enable={{is_default_branch}}
- name: Build image
uses: docker/build-push-action@v6
with:
# Don't push, just build and load locally.
context: .
file: sherlock/Dockerfile
push: false
load: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
build-args: |
BUILD_VERSION=${{ needs.generate-tag.outputs.tag }}
RUNTIME_BASE_IMAGE=${{ env.RUNTIME_BASE_IMAGE }}
- name: Run Trivy vulnerability scanner
# We only run Trivy here as dependabot, because otherwise we run it afterwards so as to not block an intentional
# build (so we can fix or work around Trivy issues)
if: ${{ github.actor == 'dependabot[bot]' }}
uses: broadinstitute/dsp-appsec-trivy-action@v1
with:
image: us-central1-docker.pkg.dev/dsp-artifact-registry/sherlock/sherlock:${{ needs.generate-tag.outputs.tag }}
- name: Commit changes
if: ${{ github.event_name != 'pull_request' }}
run: |
git add .
git commit --allow-empty --message "[sherlock-build] generated from ${{ github.sha }}"
- name: Add tag
if: ${{ github.event_name != 'pull_request' }}
# Go subdirectories need to have tags prefixed with the directory name, otherwise go mod won't be
# able to see them.
# In other words, if you do `go get github.com/broadinstitute/sherlock/[email protected]`,
# go mod is actually going to look for a tag of sherlock-go-client/v1.2.3.
# https://github.com/golang/go/issues/31045
run: |
git tag "${{ needs.generate-tag.outputs.tag }}"
git tag "sherlock/${{ needs.generate-tag.outputs.tag }}"
git tag "go-shared/${{ needs.generate-tag.outputs.tag }}"
git tag "sherlock-go-client/${{ needs.generate-tag.outputs.tag }}"
- name: Auth to GCP
id: auth
if: ${{ github.actor != 'dependabot[bot]' }}
uses: google-github-actions/auth@v2
with:
token_format: access_token
workload_identity_provider: projects/1038484894585/locations/global/workloadIdentityPools/github-wi-pool/providers/github-wi-provider
service_account: [email protected]
- name: Push to main
if: ${{ github.event_name != 'pull_request' }}
run: |
git push --atomic --tags origin main
- name: Publish typescript client
if: ${{ github.event_name != 'pull_request' }}
working-directory: sherlock-typescript-client
run: |
npx google-artifactregistry-auth --yes
npm publish
- name: Login to GAR
if: ${{ github.actor != 'dependabot[bot]' }}
uses: docker/login-action@v3
with:
registry: us-central1-docker.pkg.dev
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
- name: Push image
if: ${{ github.actor != 'dependabot[bot]' }}
uses: docker/build-push-action@v6
with:
# "Build" (instant, via local cache from earlier) and push images;
# we do have to repeat the earlier parameters here for the cache to work.
context: .
file: sherlock/Dockerfile
push: true
load: false
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
build-args: |
BUILD_VERSION=${{ needs.generate-tag.outputs.tag }}
RUNTIME_BASE_IMAGE=${{ env.RUNTIME_BASE_IMAGE }}
trivy-scan:
needs: [ generate-tag, build-and-publish ]
runs-on: ubuntu-latest
if: ${{ needs.generate-tag.outputs.tag != '' && github.actor != 'dependabot[bot]' }}
steps:
- name: Run Trivy vulnerability scanner
uses: broadinstitute/dsp-appsec-trivy-action@v1
with:
image: us-central1-docker.pkg.dev/dsp-artifact-registry/sherlock/sherlock:${{ needs.generate-tag.outputs.tag }}
comment-published-image:
needs: [ generate-tag, build-and-publish ]
runs-on: ubuntu-latest
if: ${{ needs.generate-tag.outputs.tag != '' && github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' }}
permissions:
pull-requests: 'write'
steps:
- name: Comment published image
uses: marocchino/sticky-pull-request-comment@v2
with:
header: image
message: |
Published image from ${{ github.event.pull_request.head.sha }} (merge ${{ github.sha }}):
```
us-central1-docker.pkg.dev/dsp-artifact-registry/sherlock/sherlock:${{ needs.generate-tag.outputs.tag }}
us-central1-docker.pkg.dev/dsp-devops-super-prod/sherlock/sherlock:${{ needs.generate-tag.outputs.tag }}
```
report-to-sherlock:
uses: ./.github/workflows/client-report-app-version.yaml
needs: [generate-tag, build-and-publish]
if: ${{ needs.generate-tag.outputs.tag != '' && github.actor != 'dependabot[bot]' }}
with:
new-version: ${{ needs.generate-tag.outputs.tag }}
chart-name: 'sherlock'
permissions:
contents: 'read'
id-token: 'write'