DDO-3201: chart version v3 API (#321) #623
name: Bump, Tag, and Publish | |
# The purpose of the workflow is to: | |
# 1. Bump the version number and tag the release if not a PR | |
# 2. Build docker image and publish to GAR | |
# | |
# When run on merge to main, it tags and bumps the patch version by default. You can | |
# bump other parts of the version by putting #major, #minor, or #patch in your commit | |
# message. | |
# | |
# When run on a PR, it simulates bumping the tag and appends a hash to the pushed image. | |
# | |
# The workflow relies on github secrets: | |
# - BROADBOT_TOKEN - the broadbot token, so we can avoid two reviewer rule on GHA operations | |
on: | |
push: | |
branches: | |
- main | |
paths: | |
- ".github/workflows/sherlock-build.yaml" | |
- "sherlock/**" | |
- "!sherlock/docs/**" | |
- "go-shared/**" | |
pull_request: | |
branches: | |
- main | |
paths: | |
- ".github/workflows/sherlock-build.yaml" | |
- "sherlock/**" | |
- "!sherlock/docs/**" | |
- "go-shared/**" | |
workflow_dispatch: | |
env: | |
# Google project where artifacts are uploaded. | |
GOOGLE_PROJECT: dsp-artifact-registry | |
# Name of the app-specific Docker repository configured in GOOGLE_PROJECT. | |
REPOSITORY_NAME: ${{ github.event.repository.name }} | |
# Name of the image we'll be uploading into the Docker repository. | |
# This is often equal to the GitHub repository name, but it might also be the | |
# name of the Helm Chart if that's different. | |
IMAGE_NAME: ${{ github.event.repository.name }} | |
# This is the region-specific top-level Google-managed domain where our | |
# GOOGLE_PROJECT/REPOSITORY_NAME can be found. | |
GOOGLE_DOCKER_REPOSITORY: us-central1-docker.pkg.dev | |
# App-specific variables like versions of build tools: | |
GO_SWAGGER_VERSION: v0.29.0 | |
concurrency: | |
# Don't run this workflow concurrently on the same branch | |
group: ${{ github.workflow }}-${{ github.ref }} | |
# For PRs, don't wait for completion of existing runs, cancel them instead | |
cancel-in-progress: ${{ github.event_name == 'pull_request' }} | |
jobs: | |
tag-build-publish: | |
runs-on: ubuntu-latest | |
permissions: | |
# We'll use Broadbot to push changed tag | |
contents: "read" | |
# Use OIDC for workload identity | |
id-token: "write" | |
# Make comments | |
pull-requests: "write" | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
token: ${{ (github.actor != 'dependabot[bot]' && secrets.BROADBOT_TOKEN) || secrets.GITHUB_TOKEN }} | |
fetch-depth: 0 | |
- name: Set up Git | |
if: ${{ github.actor != 'dependabot[bot]' }} | |
run: | | |
git config --global user.name 'broadbot' | |
git config --global user.email '[email protected]' | |
- name: Set up Go | |
uses: actions/setup-go@v4 | |
with: | |
go-version-file: sherlock/go.mod | |
- name: Set up Node/NPM | |
if: ${{ github.event_name != 'pull_request' }} | |
uses: actions/setup-node@v3 | |
with: | |
node-version: 18 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Set up Swag | |
run: go install github.com/swaggo/swag/cmd/swag@latest | |
# We use DRY_RUN so we don't push to the repo prematurely -- we may | |
# have code-gen changes, or we might not end up pushing at all. | |
- name: Generate Tag | |
uses: databiosphere/github-actions/actions/[email protected] | |
id: tag | |
env: | |
DEFAULT_BUMP: patch | |
RELEASE_BRANCHES: ${{ github.event.repository.default_branch }} | |
WITH_V: true | |
GITHUB_TOKEN: ${{ (github.actor != 'dependabot[bot]' && secrets.BROADBOT_TOKEN) || secrets.GITHUB_TOKEN }} | |
DRY_RUN: true | |
- name: Generate Swagger source | |
run: make generate-swagger | |
- name: Generate Go client library | |
if: ${{ github.event_name != 'pull_request' }} | |
run: | | |
docker run --rm -e GOPATH=/go \ | |
-v $(go env GOPATH):/go \ | |
-v "${PWD}:/local" \ | |
-w "/local/sherlock-go-client" \ | |
quay.io/goswagger/swagger:${GO_SWAGGER_VERSION} \ | |
generate client -f /local/sherlock/docs/swagger.json -A sherlock --default-scheme=https -m client/models -c client | |
- name: Tidy Go client library dependencies | |
if: ${{ github.event_name != 'pull_request' }} | |
working-directory: sherlock-go-client | |
run: go mod tidy | |
- name: Generate Typescript client library | |
if: ${{ github.event_name != 'pull_request' }} | |
run: | | |
docker run --rm -v "${PWD}:/local" openapitools/openapi-generator-cli generate \ | |
-i /local/sherlock/docs/swagger.json \ | |
-g typescript-fetch \ | |
-o /local/sherlock-typescript-client \ | |
--git-user-id broadinstitute \ | |
--git-repo-id sherlock \ | |
--additional-properties=disallowAdditionalPropertiesIfNotPresent=false \ | |
--additional-properties=supportsES6=true \ | |
--additional-properties=npmName=@sherlock-js-client/sherlock \ | |
--additional-properties=npmVersion=${{ steps.tag.outputs.new_tag }} | |
- name: Build Typescript client | |
if: ${{ github.event_name != 'pull_request' }} | |
working-directory: sherlock-typescript-client | |
run: | | |
npm install --save-dev | |
npm run build | |
- name: Assemble Docker tags | |
uses: docker/metadata-action@v5 | |
id: meta | |
with: | |
# server image for backwards compatibility with old build behavior | |
images: | | |
${{ env.GOOGLE_DOCKER_REPOSITORY }}/${{ env.GOOGLE_PROJECT }}/${{ env.REPOSITORY_NAME }}/${{ env.IMAGE_NAME }} | |
tags: | | |
type=raw,value=latest,enable={{is_default_branch}} | |
type=raw,value=${{ steps.tag.outputs.new_tag }} | |
type=semver,pattern=v{{major}},value=${{ steps.tag.outputs.new_tag }},enable={{is_default_branch}} | |
type=semver,pattern=v{{major}}.{{minor}},value=${{ steps.tag.outputs.new_tag }},enable={{is_default_branch}} | |
- name: Build image | |
uses: docker/build-push-action@v5 | |
with: | |
context: . | |
file: sherlock/Dockerfile | |
push: false | |
load: true | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} | |
build-args: BUILD_VERSION=${{ steps.tag.outputs.new_tag }} | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
- name: Run Trivy vulnerability scanner | |
uses: broadinstitute/dsp-appsec-trivy-action@v1 | |
with: | |
image: ${{ env.GOOGLE_DOCKER_REPOSITORY }}/${{ env.GOOGLE_PROJECT }}/${{ env.REPOSITORY_NAME }}/${{ env.IMAGE_NAME }}:${{ steps.tag.outputs.new_tag }} | |
- name: Auth to GCP | |
if: ${{ github.actor != 'dependabot[bot]' }} | |
uses: google-github-actions/auth@v1 | |
with: | |
workload_identity_provider: 'projects/1038484894585/locations/global/workloadIdentityPools/github-wi-pool/providers/github-wi-provider' | |
service_account: 'dsp-artifact-registry-push@dsp-artifact-registry.iam.gserviceaccount.com' | |
- name: Set up Cloud SDK | |
if: ${{ github.actor != 'dependabot[bot]' }} | |
uses: google-github-actions/setup-gcloud@v1 | |
- name: Commit changes | |
if: ${{ github.event_name != 'pull_request' }} | |
run: | | |
git add . | |
git commit --allow-empty --message "[sherlock-build] generated from ${{ github.sha }}" | |
- name: Add tag | |
if: ${{ github.event_name != 'pull_request' }} | |
# Go subdirectories need to have tags prefixed with the directory name, otherwise go mod won't be | |
# able to see them. | |
# In other words, if you do `go get github.com/broadinstitute/sherlock/[email protected]`, | |
# go mod is actually going to look for a tag of sherlock-go-client/v1.2.3. | |
# https://github.com/golang/go/issues/31045 | |
run: | | |
git tag "${{ steps.tag.outputs.new_tag }}" | |
git tag "sherlock/${{ steps.tag.outputs.new_tag }}" | |
git tag "go-shared/${{ steps.tag.outputs.new_tag }}" | |
git tag "sherlock-go-client/${{ steps.tag.outputs.new_tag }}" | |
- name: Push to main | |
if: ${{ github.event_name != 'pull_request' }} | |
run: | | |
git push --atomic --tags origin main | |
- name: Publish typescript client | |
if: ${{ github.event_name != 'pull_request' }} | |
working-directory: sherlock-typescript-client | |
run: | | |
npx google-artifactregistry-auth --yes | |
npm publish | |
- name: Explicitly auth Docker for Artifact Registry | |
if: ${{ github.actor != 'dependabot[bot]' }} | |
run: gcloud auth configure-docker ${{ env.GOOGLE_DOCKER_REPOSITORY }} --quiet | |
- name: Push image | |
if: ${{ github.actor != 'dependabot[bot]' }} | |
run: | | |
docker push --all-tags ${{ env.GOOGLE_DOCKER_REPOSITORY }}/${{ env.GOOGLE_PROJECT }}/${{ env.REPOSITORY_NAME }}/${{ env.IMAGE_NAME }} | |
- name: Comment published image | |
if: ${{ github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' }} | |
uses: marocchino/sticky-pull-request-comment@v2 | |
with: | |
header: image | |
message: | | |
Published image from ${{ github.event.pull_request.head.sha }} (merge ${{ github.sha }}): | |
``` | |
${{ env.GOOGLE_DOCKER_REPOSITORY }}/${{ env.GOOGLE_PROJECT }}/${{ env.REPOSITORY_NAME }}/${{ env.IMAGE_NAME }}:${{ steps.tag.outputs.new_tag }} | |
``` |
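Review bot: The code-generation steps whose output is committed and pushed to main pin nothing: `go install github.com/swaggo/swag/cmd/swag@latest` in the "Set up Swag" step and the untagged `openapitools/openapi-generator-cli` image in "Generate Typescript client library", whereas go-swagger is pinned through `GO_SWAGGER_VERSION`. Whatever those tools emit is picked up by `git add .`, tagged, pushed, and published to npm, so a new upstream release silently changes the published artifacts and the build is not reproducible. I'd add `SWAG_VERSION` and `OPENAPI_GENERATOR_VERSION` next to `GO_SWAGGER_VERSION` under `env:` (quoted strings, placeholder values until chosen) and change the two steps to `run: go install github.com/swaggo/swag/cmd/swag@${SWAG_VERSION}` and `docker run --rm -v "${PWD}:/local" openapitools/openapi-generator-cli:${OPENAPI_GENERATOR_VERSION} generate \`, the same way `${GO_SWAGGER_VERSION}` is already consumed. The third-party actions referenced by mutable major tag (`marocchino/sticky-pull-request-comment@v2`, `broadinstitute/dsp-appsec-trivy-action@v1`) follow the same pattern; pinning them to a commit SHA with a version comment is the usual mitigation. The page shows the file without +/- markers, so I cannot tell which of these lines this commit introduced.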