Skip to content

Action Service Accounts Proof of Concept #2288

Action Service Accounts Proof of Concept

Action Service Accounts Proof of Concept #2288

# Github action to Build Sam artifact, add/promote semantic tagging and then run tests
name: Build, Publish to Sherlock, and Run Integration Tests
on:
pull_request:
paths-ignore: ['**.md']
push:
branches:
- develop
paths-ignore: ['**.md']
env:
BEE_CREATE_RUN_NAME: 'bee-create-${{ github.event.repository.name }}-${{ github.run_id }}-${{ github.run_attempt }}'
BEE_DESTROY_RUN_NAME: 'bee-destroy-${{ github.event.repository.name }}-${{ github.run_id }}-${{ github.run_attempt }}'
RAWLS_SWAT_TESTS_RUN_NAME: 'rawls-swat-tests-${{ github.event.repository.name }}-${{ github.run_id }}-${{ github.run_attempt }}'
jobs:
tag:
uses: ./.github/workflows/tag.yml
with:
release-branches: develop
secrets: inherit
sam-build-tag-publish-job:
runs-on: ubuntu-latest
needs: [ tag ]
permissions:
contents: 'read'
id-token: 'write'
outputs:
custom-version-json: ${{ steps.render-sam-version.outputs.custom-version-json }}
tag: ${{ needs.tag.outputs.tag }}
steps:
- uses: 'actions/checkout@v3'
- name: debug outputs
run: |-
echo "github.ref ${{ github.ref }}"
echo "github.ref_name ${{ github.ref_name }}"
echo "GITHUB_REF_NAME ${GITHUB_REF_NAME}"
echo "github.ref_type ${{ github.ref_type }}"
echo "github.head_ref ${{ github.head_ref }}"
echo "github ${{ github }}"
# we need this because github can't actually provide the branch name reliably
# https://github.com/orgs/community/discussions/5251
- name: Extract branch
id: extract-branch
run: |
if [[ '${{ github.event_name }}' == 'push' ]]; then
BRANCH_NAME=${{ github.ref_name }}
elif [[ '${{ github.event_name }}' == 'pull_request' ]]; then
BRANCH_NAME=${{ github.head_ref }}
else
echo "Failed to extract branch information"
exit 1
fi
echo "name=$BRANCH_NAME" >> $GITHUB_OUTPUT
# Builds Sam elsewhere to protect secrets. Upon success, will tag the commit in git.
- name: dispatch build to terra-github-workflows
uses: broadinstitute/workflow-dispatch@v3
with:
workflow: sam-build
repo: broadinstitute/terra-github-workflows
ref: refs/heads/main
token: ${{ secrets.BROADBOT_TOKEN}} # github token for access to kick off a job in the private repo
inputs: '{ "repository": "${{ github.event.repository.full_name }}", "ref": "${{ steps.extract-branch.outputs.name }}", "sam-release-tag": "${{ needs.tag.outputs.tag }}" }'
- name: Render Sam version
id: render-sam-version
env:
GITHUB_CONTEXT: ${{ toJSON(github) }}
run: |
echo "$GITHUB_CONTEXT"
echo 'custom-version-json={\"sam\":{\"appVersion\":\"${{ needs.tag.outputs.tag }}\"}}' >> $GITHUB_OUTPUT
prepare-configs:
runs-on: ubuntu-latest
outputs:
log-results: ${{ steps.prepare-outputs.outputs.log-results }}
test-context: ${{ steps.prepare-outputs.outputs.test-context }}
steps:
- id: prepare-outputs
run: |-
echo 'log-results=true' >> $GITHUB_OUTPUT
if ${{ github.ref_name == 'develop' }}; then
echo 'test-context=dev-merge' >> $GITHUB_OUTPUT
else
echo 'test-context=pr-test' >> $GITHUB_OUTPUT
fi
report-to-sherlock:
# Report new Sam version to Broad DevOps
uses: broadinstitute/sherlock/.github/workflows/client-report-app-version.yaml@main
needs: [ sam-build-tag-publish-job ]
with:
new-version: ${{ needs.sam-build-tag-publish-job.outputs.tag }}
chart-name: 'sam'
permissions:
contents: 'read'
id-token: 'write'
set-version-in-dev:
# Put new Sam version in Broad dev environment
uses: broadinstitute/sherlock/.github/workflows/client-set-environment-app-version.yaml@main
needs: [ sam-build-tag-publish-job, report-to-sherlock ]
if: ${{ github.ref_name == 'develop' }}
with:
new-version: ${{ needs.sam-build-tag-publish-job.outputs.tag }}
chart-name: 'sam'
environment-name: 'dev'
secrets:
sync-git-token: ${{ secrets.BROADBOT_TOKEN }}
permissions:
id-token: 'write'
create-bee-workflow:
strategy:
matrix:
terra-env: [ dev ] # what versions of apps do we use to emulate types of environments
runs-on: ubuntu-latest
needs: [sam-build-tag-publish-job]
permissions:
contents: 'read'
id-token: 'write'
steps:
- name: Echo Sam version
run: |
echo '${{ needs.sam-build-tag-publish-job.outputs.custom-version-json }}'
- name: dispatch to terra-github-workflows
uses: broadinstitute/workflow-dispatch@v4.0.0
with:
run-name: "${{ env.BEE_CREATE_RUN_NAME }}-${{ matrix.terra-env }}"
workflow: bee-create
repo: broadinstitute/terra-github-workflows
ref: refs/heads/main
token: ${{ secrets.BROADBOT_TOKEN}} # github token for access to kick off a job in the private repo
# manually recalculate b/c env context is broken https://github.com/actions/runner/issues/480
inputs: '{
"run-name": "${{ env.BEE_CREATE_RUN_NAME }}-${{ matrix.terra-env }}",
"bee-name": "${{ github.event.repository.name }}-${{ github.run_id }}-${{ matrix.terra-env }}",
"version-template": "${{ matrix.terra-env }}",
"custom-version-json": "${{ needs.sam-build-tag-publish-job.outputs.custom-version-json }}"
}'
sam-smoke-test-job:
strategy:
matrix:
terra-env: [ dev ] # what versions of apps do we use to emulate types of environments
testing-env: [ qa ] # what env resources to use, e.g. SA keys
runs-on: ubuntu-latest
needs: [create-bee-workflow]
permissions:
contents: 'read'
id-token: 'write'
steps:
- name: dispatch to terra-github-workflows
uses: broadinstitute/workflow-dispatch@v3
with:
workflow: .github/workflows/sam-smoke-tests.yaml
repo: broadinstitute/terra-github-workflows
ref: refs/heads/main
token: ${{ secrets.BROADBOT_TOKEN }} # github token for access to kick off a job in the private repo
# manually recalculate b/c env context is broken https://github.com/actions/runner/issues/480
# The smoke tests just need an access token for an enabled user on the Sam host that is being tested.
inputs: '{ "sam-hostname": "sam.${{ github.event.repository.name }}-${{ github.run_id }}-${{ matrix.terra-env }}.bee.envs-terra.bio", "ENV": "${{ matrix.testing-env }}", "smoke-test-user-email": "firecloud-${{ matrix.testing-env }}@broad-dsde-${{ matrix.testing-env }}.iam.gserviceaccount.com" }'
sam-swat-test-job:
strategy:
matrix:
terra-env: [ dev ] # what versions of apps do we use to emulate types of environments
testing-env: [ qa ] # what env resources to use, e.g. SA keys
runs-on: ubuntu-latest
needs: [sam-smoke-test-job, prepare-configs]
permissions:
contents: 'read'
id-token: 'write'
steps:
- name: dispatch to terra-github-workflows
uses: broadinstitute/workflow-dispatch@v3
with:
workflow: .github/workflows/sam-swat-tests.yaml
repo: broadinstitute/terra-github-workflows
ref: refs/heads/main
token: ${{ secrets.BROADBOT_TOKEN}} # github token for access to kick off a job in the private repo
# manually recalculate b/c env context is broken https://github.com/actions/runner/issues/480
inputs: '{ "bee-name": "${{ github.event.repository.name }}-${{ github.run_id }}-${{ matrix.terra-env }}", "ENV": "${{ matrix.testing-env }}", "log-results": "${{ needs.prepare-configs.outputs.log-results }}", "test-context": "${{ needs.prepare-configs.outputs.test-context }}", "caller_run_id": "${{ github.run_id }}" }'
rawls-swat-test-job:
strategy:
matrix:
terra-env: [ dev ] # what versions of apps do we use to emulate types of environments
testing-env: [ qa ] # what env resources to use, e.g. SA keys
test-group: [
{ group_name: workspaces, tag: "-n org.broadinstitute.dsde.test.api.BillingsTest -n org.broadinstitute.dsde.test.api.WorkspacesTest" },
{ group_name: workspacesAuthDomains, tag: "-n org.broadinstitute.dsde.test.api.AuthDomainsTest" },
{ group_name: workflows, tag: "-n org.broadinstitute.dsde.test.api.MethodsTest" }
] # Rawls test groups
runs-on: ubuntu-latest
needs: [sam-smoke-test-job, prepare-configs]
permissions:
contents: 'read'
id-token: 'write'
steps:
- name: dispatch to terra-github-workflows
env:
rawls_base_test_entrypoint: "testOnly -- -l ProdTest -l NotebooksCanaryTest"
test-context: ${{ needs.prepare-configs.outputs.test-context }}
uses: broadinstitute/workflow-dispatch@v4
with:
run-name: "${{ env.RAWLS_SWAT_TESTS_RUN_NAME }}-${{ matrix.terra-env }}-${{ matrix.testing-env }}-${{ matrix.test-group.group_name }}"
workflow: .github/workflows/rawls-swat-tests.yaml
repo: broadinstitute/terra-github-workflows
ref: refs/heads/main
token: ${{ secrets.BROADBOT_TOKEN }} # github token for access to kick off a job in the private repo
# manually recalculate b/c env context is broken https://github.com/actions/runner/issues/480
inputs: '{
"additional-args": "{\"logging\":\"true\",\"java-version\":\"17\",\"billing-project\":\"\"}",
"run-name": "${{ env.RAWLS_SWAT_TESTS_RUN_NAME }}-${{ matrix.terra-env }}-${{ matrix.testing-env }}-${{ matrix.test-group.group_name }}",
"bee-name": "${{ github.event.repository.name }}-${{ github.run_id }}-${{ matrix.terra-env }}",
"ENV": "${{ matrix.testing-env }}",
"test-group-name": "${{ matrix.test-group.group_name }}",
"test-command": "${{ env.rawls_base_test_entrypoint }} ${{ matrix.test-group.tag }}",
"test-context": "${{ env.test-context }}"
}'
orch-swat-test-job:
strategy:
matrix:
terra-env: [ dev ] # what versions of apps do we use to emulate types of environments
testing-env: [ qa ] # what env resources to use, e.g. SA keys
runs-on: ubuntu-latest
needs: [ sam-smoke-test-job, prepare-configs ]
permissions:
contents: 'read'
id-token: 'write'
steps:
- name: dispatch to terra-github-workflows
uses: broadinstitute/workflow-dispatch@v3
env:
test-context: ${{ needs.prepare-configs.outputs.test-context }}
with:
workflow: .github/workflows/orch-swat-tests.yaml
repo: broadinstitute/terra-github-workflows
ref: refs/heads/main
token: ${{ secrets.BROADBOT_TOKEN}} # github token for access to kick off a job in the private repo
# manually recalculate b/c env context is broken https://github.com/actions/runner/issues/480
inputs: '{
"bee-name": "${{ github.event.repository.name }}-${{ github.run_id }}-${{ matrix.terra-env }}",
"ENV": "${{ matrix.testing-env }}",
"test-context": "${{ env.test-context }}"
}'
destroy-bee-workflow:
strategy:
matrix:
terra-env: [ dev ] # what versions of apps do we use to emulate types of environments
runs-on: ubuntu-latest
needs: [sam-swat-test-job, rawls-swat-test-job, orch-swat-test-job]
if: always() # always run to confirm bee is destroyed
permissions:
contents: 'read'
id-token: 'write'
steps:
- name: dispatch to terra-github-workflows
uses: broadinstitute/workflow-dispatch@v4.0.0
with:
run-name: "${{ env.BEE_DESTROY_RUN_NAME }}-${{ matrix.terra-env }}"
workflow: bee-destroy
repo: broadinstitute/terra-github-workflows
ref: refs/heads/main
token: ${{ secrets.BROADBOT_TOKEN}} # github token for access to kick off a job in the private repo
# manually recalculate b/c env context is broken https://github.com/actions/runner/issues/480
inputs: '{
"run-name": "${{ env.BEE_DESTROY_RUN_NAME }}-${{ matrix.terra-env }}",
"bee-name": "${{ github.event.repository.name }}-${{ github.run_id }}-${{ matrix.terra-env }}"
}'