AJ-2022: add Content-Security-Policy meta header for swagger-ui #3674
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Publish contract tests | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| paths-ignore: [ '**.md' ] | |
| push: | |
| branches: | |
| - main | |
| paths-ignore: [ '**.md' ] | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.head_ref || github.ref }} | |
| cancel-in-progress: true | |
| env: | |
| WDS_RUN_ID: ${{ github.event.repository.name }}-${{ github.run_id }} | |
| PUBLISH_CONTRACT_RUN_NAME: 'publish-contracts-${{ github.event.repository.name }}-${{ github.run_id }}-${{ github.run_attempt }}' | |
| WDS_PACTS_ARTIFACT: wds-pacts-${{ github.event.repository.name }}-${{ github.run_id }} | |
| WDS_PACTS_OUTPUT_DIR: service/build/pacts/ | |
| CAN_I_DEPLOY_RUN_NAME: 'can-i-deploy-${{ github.event.repository.name }}-${{ github.run_id }}-${{ github.run_attempt }}' | |
| jobs: | |
| bump-check: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| is-bump: ${{ steps.bumpcheck.outputs.is-bump }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Skip version bump merges | |
| id: bumpcheck | |
| uses: ./.github/actions/bump-skip | |
| with: | |
| event-name: ${{ github.event_name }} | |
| # The primary objective of this section is to carefully control the dispatching of tags, | |
| # ensuring it only occurs during the 'Tag, publish, deploy' workflow. | |
| # However, a challenge arises with contract tests, as they require knowledge of the upcoming tag | |
| # before the actual deployment. To address this, we leverage the dry run feature provided by bumper. | |
| # This allows us to obtain the next tag for publishing contracts and verifying consumer pacts without | |
| # triggering the tag dispatch. This approach sidesteps the need for orchestrating multiple workflows, | |
| # simplifying our implementation. | |
| # | |
| # We regulate the tag job to meet the following requirements according to the trigger event type: | |
| # 1. pull_request event (due to opening or updating of PR branch): | |
| # dry-run flag is set to false | |
| # this allows the new semver tag #major.#minor.#patch-#commit to be used to identity pacticipant version for development purpose | |
| # PR has no effect on the value of the latest tag in settings.gradle on disk | |
| # 2. PR merge to main, this triggers a push event on the main branch: | |
| # dry-run flag is set to true | |
| # this allows the new semver tag #major.#minor.#patch to be used to identity pacticipant version, and | |
| # this action will not update the value of the latest tag in settings.gradle on disk | |
| # | |
| # Note: All workflows from the same PR merge should have the same copy of settings.gradle on disk, | |
| # which should be the one from the HEAD of the main branch before the workflow starts running | |
| regulated-tag-job: | |
| needs: [ bump-check ] | |
| if: ${{ needs.bump-check.outputs.is-bump == 'no' }} | |
| uses: ./.github/workflows/tag.yml | |
| with: | |
| # The 'ref' parameter ensures that the consumer version is postfixed with the HEAD commit of the PR branch, | |
| # facilitating cross-referencing of a pact between Pact Broker and GitHub. | |
| ref: ${{ github.head_ref || '' }} | |
| # The 'dry-run' parameter prevents the new tag from being dispatched. | |
| dry-run: true | |
| release-branches: main | |
| secrets: inherit | |
| init-github-context: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| sha-short: ${{ steps.extract-branch.outputs.sha-short }} | |
| repo-branch: ${{ steps.extract-branch.outputs.repo-branch }} | |
| repo-version: ${{ steps.extract-branch.outputs.repo-version }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Extract branch | |
| id: extract-branch | |
| run: | | |
| GITHUB_EVENT_NAME=${{ github.event_name }} | |
| if [[ "$GITHUB_EVENT_NAME" == "push" ]]; then | |
| GITHUB_REF=${{ github.ref }} | |
| GITHUB_SHA=${{ github.sha }} | |
| elif [[ "$GITHUB_EVENT_NAME" == "pull_request" ]]; then | |
| GITHUB_REF=refs/heads/${{ github.head_ref }} | |
| GITHUB_SHA=${{ github.event.pull_request.head.sha }} | |
| elif [[ "$GITHUB_EVENT_NAME" == "merge_group" ]]; then | |
| GITHUB_REF=refs/heads/${{ github.head_ref }} | |
| else | |
| echo "Failed to extract branch information" | |
| exit 1 | |
| fi | |
| echo "repo-branch=${GITHUB_REF/refs\/heads\//""}" >> $GITHUB_OUTPUT | |
| echo "repo-version=${GITHUB_SHA}" >> $GITHUB_OUTPUT | |
| - name: Echo repo and branch information | |
| run: | | |
| echo "repo-owner=${{ github.repository_owner }}" | |
| echo "repo-name=${{ github.event.repository.name }}" | |
| echo "repo-branch=${{ steps.extract-branch.outputs.repo-branch }}" | |
| echo "repo-version=${{ steps.extract-branch.outputs.repo-version }}" | |
| run-consumer-contract-tests: | |
| runs-on: ubuntu-latest | |
| needs: [ init-github-context ] | |
| outputs: | |
| pact-paths: ${{ steps.locate-pacts.outputs.pact-paths }} | |
| steps: | |
| - name: Checkout current code | |
| uses: actions/checkout@v4 | |
| - name: Set up JDK | |
| uses: actions/setup-java@v4 | |
| with: | |
| java-version: '17' | |
| distribution: 'temurin' | |
| - name: Setup Gradle | |
| uses: gradle/actions/setup-gradle@v4 | |
| - name: Run consumer tests | |
| run: ./gradlew pactTests | |
| - name: Locate pact files | |
| id: locate-pacts | |
| run: | | |
| pactPaths=$(find "$WDS_PACTS_OUTPUT_DIR" -type f -name "*.json" | jq -cnR "[inputs]") | |
| echo "pact-paths=$pactPaths" >> $GITHUB_OUTPUT | |
| - name: Upload pact files to artifact | |
| id: upload-pacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ env.WDS_PACTS_ARTIFACT }} | |
| path: ${{ env.WDS_PACTS_OUTPUT_DIR }} | |
| retention-days: 1 | |
| publish-pacts-job: | |
| runs-on: ubuntu-latest | |
| needs: [ regulated-tag-job, init-github-context, run-consumer-contract-tests ] | |
| strategy: | |
| matrix: | |
| pact_path: ${{ fromJson(needs.run-consumer-contract-tests.outputs.pact-paths) }} | |
| steps: | |
| - name: Download pact files from artifact | |
| id: download-pacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: ${{ env.WDS_PACTS_ARTIFACT }} | |
| path: ${{ env.WDS_PACTS_OUTPUT_DIR }} | |
| - name: Encode pact as non-breaking base64 string | |
| id: encode-pact | |
| run: | | |
| nonBreakingB64=$(cat "${{ matrix.pact_path }}" | base64 -w 0) | |
| echo "pact-b64=${nonBreakingB64}" >> $GITHUB_OUTPUT | |
| - name: Dispatch to terra-github-workflows | |
| uses: broadinstitute/workflow-dispatch@v4 | |
| with: | |
| run-name: '${{ env.PUBLISH_CONTRACT_RUN_NAME }}-${{ matrix.pact_path }}' | |
| workflow: .github/workflows/publish-contracts.yaml | |
| repo: broadinstitute/terra-github-workflows | |
| ref: refs/heads/main | |
| token: ${{ secrets.BROADBOT_TOKEN }} # github token for access to kick off a job in the private repo | |
| inputs: '{ | |
| "run-name": "${{ env.PUBLISH_CONTRACT_RUN_NAME }}-${{ matrix.pact_path }}", | |
| "pact-b64": "${{ steps.encode-pact.outputs.pact-b64 }}", | |
| "repo-owner": "${{ github.repository_owner }}", | |
| "repo-name": "${{ github.event.repository.name }}", | |
| "repo-branch": "${{ needs.init-github-context.outputs.repo-branch }}", | |
| "release-tag": "${{ needs.regulated-tag-job.outputs.new-tag }}" | |
| }' | |
| can-i-deploy: # The can-i-deploy job will run as a result of a PR. It reports the pact verification statuses on all deployed environments. | |
| runs-on: ubuntu-latest | |
| needs: [ run-consumer-contract-tests, regulated-tag-job ] | |
| strategy: | |
| matrix: | |
| pacticipant-name: ["wds", "cwds"] | |
| steps: | |
| - name: Dispatch to terra-github-workflows | |
| uses: broadinstitute/workflow-dispatch@v4 | |
| with: | |
| run-name: "${{ env.CAN_I_DEPLOY_RUN_NAME }}-${{ matrix.pacticipant-name }}" | |
| workflow: .github/workflows/can-i-deploy.yaml | |
| repo: broadinstitute/terra-github-workflows | |
| ref: refs/heads/main | |
| token: ${{ secrets.BROADBOT_TOKEN }} # github token for access to kick off a job in the private repo | |
| inputs: '{ | |
| "run-name": "${{ env.CAN_I_DEPLOY_RUN_NAME }}-${{ matrix.pacticipant-name }}", | |
| "pacticipant": "${{ matrix.pacticipant-name }}", | |
| "version": "${{ needs.regulated-tag-job.outputs.new-tag }}" | |
| }' |