Skip to content

[DDO-3277] Improve cluster permissions clarity #695

[DDO-3277] Improve cluster permissions clarity

[DDO-3277] Improve cluster permissions clarity #695

Workflow file for this run

name: Bump, Tag, and Publish
# The purpose of the workflow is to:
# 1. Bump the version number and tag the release if not a PR
# 2. Build docker image and publish to GAR
#
# When run on merge to main, it tags and bumps the patch version by default. You can
# bump other parts of the version by putting #major, #minor, or #patch in your commit
# message.
#
# When run on a PR, it simulates bumping the tag and appends a hash to the pushed image.
#
# The workflow relies on github secrets:
# - BROADBOT_TOKEN - the broadbot token, so we can avoid two reviewer rule on GHA operations
on:
push:
branches:
- main
paths:
- ".github/workflows/sherlock-build.yaml"
- ".github/workflows/client-report-app-version.yaml"
- ".github/workflows/client-report-workflow.yaml"
- "sherlock/**"
- "!sherlock/docs/**"
- "go-shared/**"
pull_request:
branches:
- main
paths:
- ".github/workflows/sherlock-build.yaml"
- ".github/workflows/client-report-app-version.yaml"
- ".github/workflows/client-report-workflow.yaml"
- "sherlock/**"
- "!sherlock/docs/**"
- "go-shared/**"
workflow_dispatch:
env:
# Google project where artifacts are uploaded.
GOOGLE_PROJECT: dsp-artifact-registry
# Name of the app-specific Docker repository configured in GOOGLE_PROJECT.
REPOSITORY_NAME: ${{ github.event.repository.name }}
# Name of the image we'll be uploading into the Docker repository.
# This is often equal to the GitHub repository name, but it might also be the
# name of the Helm Chart if that's different.
IMAGE_NAME: ${{ github.event.repository.name }}
# This is the region-specific top-level Google-managed domain where our
# GOOGLE_PROJECT/REPOSITORY_NAME can be found.
GOOGLE_DOCKER_REPOSITORY: us-central1-docker.pkg.dev
# App-specific variables like versions of build tools:
GO_SWAGGER_VERSION: v0.29.0
concurrency:
# Don't run this workflow concurrently on the same branch
group: ${{ github.workflow }}-${{ github.ref }}
# For PRs, don't wait for completion of existing runs, cancel them instead
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
jobs:
generate-tag:
runs-on: ubuntu-latest
permissions:
contents: 'read'
outputs:
tag: ${{ steps.tag.outputs.new_tag }}
steps:
- name: Checkout
uses: actions/checkout@v4
with:
token: ${{ (github.actor != 'dependabot[bot]' && secrets.BROADBOT_TOKEN) || secrets.GITHUB_TOKEN }}
fetch-depth: 0
# We use DRY_RUN so we don't push to the repo prematurely -- we may
# have code-gen changes, or we might not end up pushing at all.
- name: Generate Tag
uses: databiosphere/github-actions/actions/[email protected]
id: tag
env:
DEFAULT_BUMP: patch
RELEASE_BRANCHES: ${{ github.event.repository.default_branch }}
WITH_V: true
GITHUB_TOKEN: ${{ (github.actor != 'dependabot[bot]' && secrets.BROADBOT_TOKEN) || secrets.GITHUB_TOKEN }}
DRY_RUN: true
build-and-publish:
needs: [generate-tag]
if: ${{ needs.generate-tag.outputs.tag != '' }}
runs-on: ubuntu-latest
permissions:
contents: 'read'
id-token: 'write'
steps:
- name: Checkout
uses: actions/checkout@v4
with:
token: ${{ (github.actor != 'dependabot[bot]' && secrets.BROADBOT_TOKEN) || secrets.GITHUB_TOKEN }}
- name: Set up Git
if: ${{ github.actor != 'dependabot[bot]' }}
run: |
git config --global user.name 'broadbot'
git config --global user.email '[email protected]'
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version-file: sherlock/go.mod
- name: Set up Node/NPM
if: ${{ github.event_name != 'pull_request' }}
uses: actions/setup-node@v3
with:
node-version: 18
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Set up Swag
run: go install github.com/swaggo/swag/cmd/swag@latest
- name: Generate Swagger source
run: make generate-swagger
- name: Generate Go client library
if: ${{ github.event_name != 'pull_request' }}
run: |
docker run --rm -e GOPATH=/go \
-v $(go env GOPATH):/go \
-v "${PWD}:/local" \
-w "/local/sherlock-go-client" \
quay.io/goswagger/swagger:${GO_SWAGGER_VERSION} \
generate client -f /local/sherlock/docs/swagger.json -A sherlock --default-scheme=https -m client/models -c client
- name: Tidy Go client library dependencies
if: ${{ github.event_name != 'pull_request' }}
working-directory: sherlock-go-client
run: go mod tidy
- name: Generate Typescript client library
if: ${{ github.event_name != 'pull_request' }}
run: |
docker run --rm -v "${PWD}:/local" openapitools/openapi-generator-cli generate \
-i /local/sherlock/docs/swagger.json \
-g typescript-fetch \
-o /local/sherlock-typescript-client \
--git-user-id broadinstitute \
--git-repo-id sherlock \
--additional-properties=disallowAdditionalPropertiesIfNotPresent=false \
--additional-properties=supportsES6=true \
--additional-properties=npmName=@sherlock-js-client/sherlock \
--additional-properties=npmVersion=${{ needs.generate-tag.outputs.tag }}
- name: Build Typescript client
if: ${{ github.event_name != 'pull_request' }}
working-directory: sherlock-typescript-client
run: |
npm install --save-dev
npm run build
- name: Assemble Docker tags
uses: docker/metadata-action@v5
id: meta
with:
# server image for backwards compatibility with old build behavior
images: |
${{ env.GOOGLE_DOCKER_REPOSITORY }}/${{ env.GOOGLE_PROJECT }}/${{ env.REPOSITORY_NAME }}/${{ env.IMAGE_NAME }}
tags: |
type=raw,value=latest,enable={{is_default_branch}}
type=raw,value=${{ needs.generate-tag.outputs.tag }}
type=semver,pattern=v{{major}},value=${{ needs.generate-tag.outputs.tag }},enable={{is_default_branch}}
type=semver,pattern=v{{major}}.{{minor}},value=${{ needs.generate-tag.outputs.tag }},enable={{is_default_branch}}
- name: Build image
uses: docker/build-push-action@v5
with:
context: .
file: sherlock/Dockerfile
push: false
load: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
build-args: BUILD_VERSION=${{ needs.generate-tag.outputs.tag }}
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Run Trivy vulnerability scanner
uses: broadinstitute/dsp-appsec-trivy-action@v1
with:
image: ${{ env.GOOGLE_DOCKER_REPOSITORY }}/${{ env.GOOGLE_PROJECT }}/${{ env.REPOSITORY_NAME }}/${{ env.IMAGE_NAME }}:${{ needs.generate-tag.outputs.tag }}
- name: Auth to GCP
if: ${{ github.actor != 'dependabot[bot]' }}
uses: google-github-actions/auth@v1
with:
workload_identity_provider: 'projects/1038484894585/locations/global/workloadIdentityPools/github-wi-pool/providers/github-wi-provider'
service_account: 'dsp-artifact-registry-push@dsp-artifact-registry.iam.gserviceaccount.com'
- name: Set up Cloud SDK
if: ${{ github.actor != 'dependabot[bot]' }}
uses: google-github-actions/setup-gcloud@v1
- name: Commit changes
if: ${{ github.event_name != 'pull_request' }}
run: |
git add .
git commit --allow-empty --message "[sherlock-build] generated from ${{ github.sha }}"
- name: Add tag
if: ${{ github.event_name != 'pull_request' }}
# Go subdirectories need to have tags prefixed with the directory name, otherwise go mod won't be
# able to see them.
# In other words, if you do `go get github.com/broadinstitute/sherlock/[email protected]`,
# go mod is actually going to look for a tag of sherlock-go-client/v1.2.3.
# https://github.com/golang/go/issues/31045
run: |
git tag "${{ needs.generate-tag.outputs.tag }}"
git tag "sherlock/${{ needs.generate-tag.outputs.tag }}"
git tag "go-shared/${{ needs.generate-tag.outputs.tag }}"
git tag "sherlock-go-client/${{ needs.generate-tag.outputs.tag }}"
- name: Push to main
if: ${{ github.event_name != 'pull_request' }}
run: |
git push --atomic --tags origin main
- name: Publish typescript client
if: ${{ github.event_name != 'pull_request' }}
working-directory: sherlock-typescript-client
run: |
npx google-artifactregistry-auth --yes
npm publish
- name: Explicitly auth Docker for Artifact Registry
if: ${{ github.actor != 'dependabot[bot]' }}
run: gcloud auth configure-docker ${{ env.GOOGLE_DOCKER_REPOSITORY }} --quiet
- name: Push image
if: ${{ github.actor != 'dependabot[bot]' }}
run: |
docker push --all-tags ${{ env.GOOGLE_DOCKER_REPOSITORY }}/${{ env.GOOGLE_PROJECT }}/${{ env.REPOSITORY_NAME }}/${{ env.IMAGE_NAME }}
comment-published-image:
needs: [ generate-tag, build-and-publish ]
runs-on: ubuntu-latest
if: ${{ needs.generate-tag.outputs.tag != '' && github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' }}
permissions:
pull-requests: 'write'
steps:
- name: Comment published image
uses: marocchino/sticky-pull-request-comment@v2
with:
header: image
message: |
Published image from ${{ github.event.pull_request.head.sha }} (merge ${{ github.sha }}):
```
${{ env.GOOGLE_DOCKER_REPOSITORY }}/${{ env.GOOGLE_PROJECT }}/${{ env.REPOSITORY_NAME }}/${{ env.IMAGE_NAME }}:${{ needs.generate-tag.outputs.tag }}
```
report-to-sherlock:
uses: ./.github/workflows/client-report-app-version.yaml
needs: [generate-tag, build-and-publish]
if: ${{ needs.generate-tag.outputs.tag != '' && github.actor != 'dependabot[bot]' }}
with:
new-version: ${{ needs.generate-tag.outputs.tag }}
chart-name: 'sherlock'
permissions:
contents: 'read'
id-token: 'write'