[WOR-1448]: Bump the minor-patch-dependencies group with 3 updates (#… #2322
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Bump, Tag, Publish, and Deploy | |
# The purpose of the workflow is to: | |
# 1. Bump the version number and tag the release | |
# 2. Build and publish the client to Artifactory | |
# 3. Build docker image and publish to GCR | |
# 4. Trigger deployment to the dev environment | |
# | |
# When run on merge to main, it tags and bumps the patch version by default. You can | |
# bump other parts of the version by putting #major, #minor, or #patch in your commit | |
# message. | |
# | |
# When run on a hotfix branch, it tags and generates the hotfix version | |
# | |
# When run manually, you can specify the part of the semantic version to bump | |
# | |
# The workflow relies on github secrets: | |
# - ARTIFACTORY_PASSWORD - password for publishing the client to artifactory | |
# - ARTIFACTORY_USERNAME - username for publishing the client to artifactory | |
# - GCR_PUBLISH_EMAIL - email for publishing the docker to GCR | |
# - GCR_PUBLISH_KEY - key for publishing the docker to GCR | |
# - BROADBOT_TOKEN - the broadbot token, so we can avoid two reviewer rule on GHA operations | |
on: | |
push: | |
branches: | |
- main | |
paths-ignore: | |
- 'README.md' | |
- 'local-dev/**' | |
workflow_dispatch: | |
inputs: | |
bump: | |
description: 'Part of the version to bump: major, minor, patch' | |
required: false | |
default: 'patch' | |
type: choice | |
options: | |
- patch | |
- minor | |
- major | |
branch: | |
description: 'Branch to run the workflow on' | |
required: false | |
default: 'main' | |
env: | |
SERVICE_NAME: ${{ github.event.repository.name }} | |
jobs: | |
tag-publish-job: | |
runs-on: ubuntu-latest | |
outputs: | |
tag: ${{ steps.tag.outputs.tag }} | |
is-bump: ${{ steps.skiptest.outputs.is-bump }} | |
steps: | |
- name: Set part of semantic version to bump | |
id: controls | |
run: | | |
SEMVER_PART="" | |
CHECKOUT_BRANCH="$GITHUB_REF" | |
if ${{github.event_name == 'push' }}; then | |
SEMVER_PART="patch" | |
elif ${{github.event_name == 'workflow_dispatch' }}; then | |
SEMVER_PART=${{ github.event.inputs.bump }} | |
CHECKOUT_BRANCH=${{ github.event.inputs.branch }} | |
fi | |
echo semver-part=$SEMVER_PART >> $GITHUB_OUTPUT | |
echo checkout-branch=$CHECKOUT_BRANCH >> $GITHUB_OUTPUT | |
- name: Checkout current code | |
uses: actions/checkout@v3 | |
with: | |
ref: ${{ steps.controls.outputs.checkout-branch }} | |
token: ${{ secrets.BROADBOT_TOKEN }} | |
- name: Skip version bump merges | |
id: skiptest | |
uses: ./.github/actions/bump-skip | |
with: | |
event-name: ${{ github.event_name }} | |
- name: Bump the tag to a new version | |
if: steps.skiptest.outputs.is-bump == 'no' | |
uses: databiosphere/github-actions/actions/[email protected] | |
id: tag | |
env: | |
DEFAULT_BUMP: patch | |
GITHUB_TOKEN: ${{ secrets.BROADBOT_TOKEN }} | |
HOTFIX_BRANCHES: hotfix.* | |
OVERRIDE_BUMP: ${{ steps.controls.outputs.semver-part }} | |
RELEASE_BRANCHES: main | |
VERSION_FILE_PATH: settings.gradle | |
VERSION_LINE_MATCH: "^gradle.ext.wsmVersion\\s*=\\s*\".*\"" | |
VERSION_SUFFIX: SNAPSHOT | |
- name: Set up AdoptOpenJDK | |
if: steps.skiptest.outputs.is-bump == 'no' | |
uses: actions/setup-java@v3 | |
with: | |
distribution: 'temurin' | |
java-version: 17 | |
- name: Cache Gradle packages | |
if: steps.skiptest.outputs.is-bump == 'no' | |
uses: actions/cache@v3 | |
with: | |
path: | | |
~/.gradle/caches | |
~/.gradle/wrapper | |
key: v1-${{ runner.os }}-gradle-${{ hashfiles('**/gradle-wrapper.properties') }}-${{ hashFiles('**/*.gradle') }} | |
restore-keys: v1-${{ runner.os }}-gradle-${{ hashfiles('**/gradle-wrapper.properties') }} | |
- name: Grant execute permission for gradlew | |
if: steps.skiptest.outputs.is-bump == 'no' | |
run: chmod +x gradlew | |
- name: "Publish to Artifactory" | |
if: steps.skiptest.outputs.is-bump == 'no' | |
run: ./gradlew :client:artifactoryPublish --scan | |
env: | |
ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }} | |
ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }} | |
ARTIFACTORY_REPO_KEY: "libs-snapshot-local" | |
- name: Auth to Google | |
if: steps.skiptest.outputs.is-bump == 'no' | |
uses: google-github-actions/auth@v1 | |
with: | |
credentials_json: ${{ secrets.GCR_PUBLISH_KEY }} | |
- name: Setup gcloud | |
if: steps.skiptest.outputs.is-bump == 'no' | |
uses: google-github-actions/setup-gcloud@v1 | |
- name: Explicitly auth Docker for GCR | |
if: steps.skiptest.outputs.is-bump == 'no' | |
run: gcloud auth configure-docker --quiet | |
- name: Construct docker image name and tag | |
if: steps.skiptest.outputs.is-bump == 'no' | |
id: image-name | |
run: | | |
DOCKER_TAG=${{ steps.tag.outputs.tag }} | |
echo name=gcr.io/broad-dsp-gcr-public/${SERVICE_NAME}:${DOCKER_TAG} >> $GITHUB_OUTPUT | |
- name: Build image locally with jib | |
if: steps.skiptest.outputs.is-bump == 'no' | |
run: "./gradlew :service:jibDockerBuild --image=${{ steps.image-name.outputs.name }} -Djib.console=plain" | |
- name: Run Trivy vulnerability scanner | |
if: steps.skiptest.outputs.is-bump == 'no' | |
# Link to the github location of the action https://github.com/broadinstitute/dsp-appsec-trivy-action | |
uses: broadinstitute/dsp-appsec-trivy-action@v1 | |
with: | |
image: ${{ steps.image-name.outputs.name }} | |
- name: Push GCR image | |
if: steps.skiptest.outputs.is-bump == 'no' | |
run: "docker push ${{ steps.image-name.outputs.name }}" | |
- name: Build the OpenAPI interface | |
if: steps.skiptest.outputs.is-bump == 'no' | |
run: ./gradlew :service:generateSwaggerCodeServer | |
- name: Where is the file | |
if: steps.skiptest.outputs.is-bump == 'no' | |
run: | | |
pwd | |
find . -name "service_openapi.yaml" | |
- name: Make release | |
if: steps.skiptest.outputs.is-bump == 'no' | |
uses: ncipollo/release-action@v1 | |
id: create_release | |
with: | |
tag: ${{ steps.tag.outputs.tag }} | |
artifacts: "service/build/resources/main/api/service_openapi.yaml" | |
report-to-sherlock: | |
# Report new WSM version to Broad DevOps | |
uses: broadinstitute/sherlock/.github/workflows/client-report-app-version.yaml@main | |
needs: tag-publish-job | |
if: ${{ needs.tag-publish-job.outputs.is-bump == 'no' }} | |
with: | |
new-version: ${{ needs.tag-publish-job.outputs.tag }} | |
chart-name: 'workspacemanager' | |
permissions: | |
contents: 'read' | |
id-token: 'write' | |
set-version-in-dev: | |
# Put new WSM version in Broad dev environment | |
uses: broadinstitute/sherlock/.github/workflows/client-set-environment-app-version.yaml@main | |
needs: [tag-publish-job, report-to-sherlock] | |
if: ${{ needs.tag-publish-job.outputs.is-bump == 'no' }} | |
with: | |
new-version: ${{ needs.tag-publish-job.outputs.tag }} | |
chart-name: 'workspacemanager' | |
environment-name: 'dev' | |
secrets: | |
sync-git-token: ${{ secrets.BROADBOT_TOKEN }} | |
permissions: | |
id-token: 'write' |