-
Notifications
You must be signed in to change notification settings - Fork 21
134 lines (121 loc) · 4.49 KB
/
tag-publish.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
name: Generate BEE Build
# The purpose of the workflow is to:
# 1. Bump the version number and tag the release if not a PR
# 2. Build docker image and publish to GAR
#
# When run on merge to main, it tags and bumps the patch version by default. You can
# bump other parts of the version by putting #major, #minor, or #patch in your commit
# message.
#
# When run on a PR, it simulates bumping the tag and appends a hash to the pushed image.
#
# The workflow relies on github secrets:
# - BROADBOT_TOKEN - the broadbot token, so we can avoid two reviewer rule on GHA operations
on:
pull_request:
paths-ignore:
- 'README.md'
- 'integration-tests'
push:
branches:
- dev
paths-ignore:
- 'README.md'
- 'integration-tests'
env:
GOOGLE_PROJECT: dsp-artifact-registry
# Name of the app-specific Docker repository configured in GOOGLE_PROJECT
REPOSITORY_NAME: ${{ github.event.repository.name }}
# Region-specific Google Docker repository where GOOGLE_PROJECT/REPOSITORY_NAME can be found
GOOGLE_DOCKER_REPOSITORY: us-central1-docker.pkg.dev
jobs:
tag-push-job:
runs-on: ubuntu-latest
outputs:
tag: ${{ steps.tag.outputs.tag }}
permissions:
contents: 'read'
id-token: 'write'
steps:
- name: Checkout current code
uses: actions/checkout@v3
with:
token: ${{ secrets.BROADBOT_TOKEN }}
- name: Bump the tag to a new version
uses: databiosphere/github-actions/actions/bumper@bumper-0.0.6
id: tag
env:
DEFAULT_BUMP: patch
GITHUB_TOKEN: ${{ secrets.BROADBOT_TOKEN }}
RELEASE_BRANCHES: dev
WITH_V: true
- name: Construct docker image name and tag
id: image-name
shell: bash
run: |
NAME="${GOOGLE_DOCKER_REPOSITORY}/${GOOGLE_PROJECT}/${REPOSITORY_NAME}/${REPOSITORY_NAME}"
DOCKER_TAG="${{ steps.tag.outputs.tag }}"
TAGGED="${NAME}:${DOCKER_TAG}"
echo "NAME: ${NAME}"
echo "TAGGED: ${TAGGED}"
echo ::set-output "name=name::${NAME}"
echo ::set-output "name=tagged::${TAGGED}"
- name: Auth to GCP
id: 'auth'
uses: google-github-actions/auth@v0
with:
token_format: 'access_token'
workload_identity_provider: 'projects/1038484894585/locations/global/workloadIdentityPools/github-wi-pool/providers/github-wi-provider'
service_account: 'dsp-artifact-registry-push@dsp-artifact-registry.iam.gserviceaccount.com'
# Install gcloud, `setup-gcloud` automatically picks up authentication from `auth`.
- name: 'Set up Cloud SDK'
uses: 'google-github-actions/setup-gcloud@v0'
# authenticate to GAR docker repo
- name: Docker Login
uses: 'docker/login-action@v1'
with:
registry: 'us-central1-docker.pkg.dev'
username: 'oauth2accesstoken'
password: '${{ steps.auth.outputs.access_token }}'
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Build image
uses: docker/build-push-action@v3
with:
context: .
push: false
load: true
tags: |
${{ steps.image-name.outputs.tagged }}
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Run Trivy vulnerability scanner
# From https://github.com/broadinstitute/dsp-appsec-trivy-action
uses: broadinstitute/dsp-appsec-trivy-action@v1
with:
image: ${{ steps.image-name.outputs.tagged }}
- name: Push image
run: "docker push ${{ steps.image-name.outputs.tagged }}"
# Add latest tag to image (optional)
- name: Add latest tag to Docker image
if: github.event_name != 'pull_request'
shell: bash
run: |
gcloud artifacts docker tags add \
"${{ steps.image-name.outputs.tagged }}" \
"${{ steps.image-name.outputs.name }}:latest"
- name: Publish packages to NPM registry on merge commits
if: github.event_name != 'pull_request'
run: |
npx google-artifactregistry-auth --yes --repo-config ./.npmrc
yarn install --immutable
./scripts/publish-packages.sh
report-to-sherlock:
uses: broadinstitute/sherlock/.github/workflows/client-report-app-version.yaml@main
needs: tag-push-job
with:
chart-name: "terraui"
new-version: ${{ needs.tag-push-job.outputs.tag }}
permissions:
contents: "read"
id-token: "write"