sherlock-build.yaml

name: Bump, Tag, and Publish
# The purpose of the workflow is to:
#  1. Bump the version number and tag the release if not a PR
#  2. Build docker image and publish to GAR
#
# When run on merge to main, it tags and bumps the patch version by default. You can
# bump other parts of the version by putting #major, #minor, or #patch in your commit
# message.
#
# When run on a PR, it simulates bumping the tag and appends a hash to the pushed image.
#
# The workflow relies on github secrets:
# - BROADBOT_TOKEN - the broadbot token, so we can avoid two reviewer rule on GHA operations
on:
  push:
    branches:
      - main
    paths:
      - ".github/workflows/sherlock-build.yaml"
      - "sherlock/**"
      - "!sherlock/docs/**"
      - "go-shared/**"
  pull_request:
    branches:
      - main
    paths:
      - ".github/workflows/sherlock-build.yaml"
      - "sherlock/**"
      - "!sherlock/docs/**"
      - "go-shared/**"
  workflow_dispatch:

env:
  # Google project where artifacts are uploaded.
  GOOGLE_PROJECT: dsp-artifact-registry
  # Name of the app-specific Docker repository configured in GOOGLE_PROJECT.
  REPOSITORY_NAME: ${{ github.event.repository.name }}
  # Name of the image we'll be uploading into the Docker repository.
  # This is often equal to the GitHub repository name, but it might also be the
  # name of the Helm Chart if that's different.
  IMAGE_NAME: ${{ github.event.repository.name }}
  # This is the region-specific top-level Google-managed domain where our
  # GOOGLE_PROJECT/REPOSITORY_NAME can be found.
  GOOGLE_DOCKER_REPOSITORY: us-central1-docker.pkg.dev

  # App-specific variables like versions of build tools:
  GO_SWAGGER_VERSION: v0.29.0

concurrency:
  # Don't run this workflow concurrently on the same branch
  group: ${{ github.workflow }}-${{ github.ref }}
  # For PRs, don't wait for completion of existing runs, cancel them instead
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
  tag-build-publish:
    runs-on: ubuntu-latest
    permissions:
      # We'll use Broadbot to push changed tag
      contents: "read"
      # Use OIDC for workload identity
      id-token: "write"
      # Make comments
      pull-requests: "write"
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          token: ${{ (github.actor != 'dependabot[bot]' && secrets.BROADBOT_TOKEN) || secrets.GITHUB_TOKEN }}
          fetch-depth: 0

      - name: Set up Git
        if: ${{ github.actor != 'dependabot[bot]' }}
        run: |
          git config --global user.name 'broadbot'
          git config --global user.email 'broadbot@broadinstitute.org'

      - name: Set up Go
        uses: actions/setup-go@v4
        with:
          go-version-file: sherlock/go.mod

      - name: Set up Node/NPM
        if: ${{ github.event_name != 'pull_request' }}
        uses: actions/setup-node@v3
        with:
          node-version: 18

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Set up Swag
        run: go install github.com/swaggo/swag/cmd/swag@latest

      # We use DRY_RUN so we don't push to the repo prematurely -- we may
      # have code-gen changes, or we might not end up pushing at all.
      - name: Generate Tag
        uses: databiosphere/github-actions/actions/bumper@bumper-0.2.0
        id: tag
        env:
          DEFAULT_BUMP: patch
          RELEASE_BRANCHES: ${{ github.event.repository.default_branch }}
          WITH_V: true
          GITHUB_TOKEN: ${{ (github.actor != 'dependabot[bot]' && secrets.BROADBOT_TOKEN) || secrets.GITHUB_TOKEN }}
          DRY_RUN: true

      - name: Generate Swagger source
        run: make generate-swagger

      - name: Generate Go client library
        if: ${{ github.event_name != 'pull_request' }}
        run: |
          docker run --rm -e GOPATH=/go \
            -v $(go env GOPATH):/go \
            -v "${PWD}:/local" \
            -w "/local/sherlock-go-client" \
            quay.io/goswagger/swagger:${GO_SWAGGER_VERSION} \
            generate client -f /local/sherlock/docs/swagger.json -A sherlock --default-scheme=https -m client/models -c client

      - name: Tidy Go client library dependencies
        if: ${{ github.event_name != 'pull_request' }}
        working-directory: sherlock-go-client
        run: go mod tidy

      - name: Generate Typescript client library
        if: ${{ github.event_name != 'pull_request' }}
        run: |
          docker run --rm -v "${PWD}:/local" openapitools/openapi-generator-cli generate \
            -i /local/sherlock/docs/swagger.json \
            -g typescript-fetch \
            -o /local/sherlock-typescript-client \
            --git-user-id broadinstitute \
            --git-repo-id sherlock \
            --additional-properties=disallowAdditionalPropertiesIfNotPresent=false \
            --additional-properties=supportsES6=true \
            --additional-properties=npmName=@sherlock-js-client/sherlock \
            --additional-properties=npmVersion=${{ steps.tag.outputs.new_tag }}

      - name: Build Typescript client
        if: ${{ github.event_name != 'pull_request' }}
        working-directory: sherlock-typescript-client
        run: |
          npm install --save-dev
          npm run build

      - name: Assemble Docker tags
        uses: docker/metadata-action@v5
        id: meta
        with:
          # server image for backwards compatibility with old build behavior
          images: |
            ${{ env.GOOGLE_DOCKER_REPOSITORY }}/${{ env.GOOGLE_PROJECT }}/${{ env.REPOSITORY_NAME }}/${{ env.IMAGE_NAME }}
          tags: |
            type=raw,value=latest,enable={{is_default_branch}}
            type=raw,value=${{ steps.tag.outputs.new_tag }}
            type=semver,pattern=v{{major}},value=${{ steps.tag.outputs.new_tag }},enable={{is_default_branch}}
            type=semver,pattern=v{{major}}.{{minor}},value=${{ steps.tag.outputs.new_tag }},enable={{is_default_branch}}

      - name: Build image
        uses: docker/build-push-action@v5
        with:
          context: .
          file: sherlock/Dockerfile
          push: false
          load: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          build-args: BUILD_VERSION=${{ steps.tag.outputs.new_tag }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Run Trivy vulnerability scanner
        uses: broadinstitute/dsp-appsec-trivy-action@v1
        with:
          image: ${{ env.GOOGLE_DOCKER_REPOSITORY }}/${{ env.GOOGLE_PROJECT }}/${{ env.REPOSITORY_NAME }}/${{ env.IMAGE_NAME }}:${{ steps.tag.outputs.new_tag }}

      - name: Auth to GCP
        if: ${{ github.actor != 'dependabot[bot]' }}
        uses: google-github-actions/auth@v1
        with:
          workload_identity_provider: 'projects/1038484894585/locations/global/workloadIdentityPools/github-wi-pool/providers/github-wi-provider'
          service_account: 'dsp-artifact-registry-push@dsp-artifact-registry.iam.gserviceaccount.com'

      - name: Set up Cloud SDK
        if: ${{ github.actor != 'dependabot[bot]' }}
        uses: google-github-actions/setup-gcloud@v1

      - name: Commit changes
        if: ${{ github.event_name != 'pull_request' }}
        run: |
          git add .
          git commit --allow-empty --message "[sherlock-build] generated from ${{ github.sha }}"

      - name: Add tag
        if: ${{ github.event_name != 'pull_request' }}
        # Go subdirectories need to have tags prefixed with the directory name, otherwise go mod won't be
        # able to see them.
        # In other words, if you do `go get github.com/broadinstitute/sherlock/sherlock-go-client@v1.2.3`,
        # go mod is actually going to look for a tag of sherlock-go-client/v1.2.3.
        # https://github.com/golang/go/issues/31045
        run: |
          git tag "${{ steps.tag.outputs.new_tag }}"
          git tag "sherlock/${{ steps.tag.outputs.new_tag }}"
          git tag "go-shared/${{ steps.tag.outputs.new_tag }}"
          git tag "sherlock-go-client/${{ steps.tag.outputs.new_tag }}"

      - name: Push to main
        if: ${{ github.event_name != 'pull_request' }}
        run: |
          git push --atomic --tags origin main

      - name: Publish typescript client
        if: ${{ github.event_name != 'pull_request' }}
        working-directory: sherlock-typescript-client
        run: |
          npx google-artifactregistry-auth --yes
          npm publish

      - name: Explicitly auth Docker for Artifact Registry
        if: ${{ github.actor != 'dependabot[bot]' }}
        run: gcloud auth configure-docker ${{ env.GOOGLE_DOCKER_REPOSITORY }} --quiet

      - name: Push image
        if: ${{ github.actor != 'dependabot[bot]' }}
        run: |
          docker push --all-tags ${{ env.GOOGLE_DOCKER_REPOSITORY }}/${{ env.GOOGLE_PROJECT }}/${{ env.REPOSITORY_NAME }}/${{ env.IMAGE_NAME }}

      - name: Comment published image
        if: ${{ github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' }}
        uses: marocchino/sticky-pull-request-comment@v2
        with:
          header: image
          message: |
            Published image from ${{ github.event.pull_request.head.sha }} (merge ${{ github.sha }}):
            
            ```
            ${{ env.GOOGLE_DOCKER_REPOSITORY }}/${{ env.GOOGLE_PROJECT }}/${{ env.REPOSITORY_NAME }}/${{ env.IMAGE_NAME }}:${{ steps.tag.outputs.new_tag }}
            ```