Skip to content

bump 0.254.1153

bump 0.254.1153 #2333

Workflow file for this run

name: Bump, Tag, Publish, and Deploy
# The purpose of the workflow is to:
# 1. Bump the version number and tag the release
# 2. Build and publish the client to Artifactory
# 3. Build docker image and publish to GCR
# 4. Trigger deployment to the dev environment
#
# When run on merge to main, it tags and bumps the patch version by default. You can
# bump other parts of the version by putting #major, #minor, or #patch in your commit
# message.
#
# When run on a hotfix branch, it tags and generates the hotfix version
#
# When run manually, you can specify the part of the semantic version to bump
#
# The workflow relies on github secrets:
# - ARTIFACTORY_PASSWORD - password for publishing the client to artifactory
# - ARTIFACTORY_USERNAME - username for publishing the client to artifactory
# - GCR_PUBLISH_EMAIL - email for publishing the docker to GCR
# - GCR_PUBLISH_KEY - key for publishing the docker to GCR
# - BROADBOT_TOKEN - the broadbot token, so we can avoid two reviewer rule on GHA operations
on:
push:
branches:
- main
paths-ignore:
- 'README.md'
- 'local-dev/**'
workflow_dispatch:
inputs:
bump:
description: 'Part of the version to bump: major, minor, patch'
required: false
default: 'patch'
type: choice
options:
- patch
- minor
- major
branch:
description: 'Branch to run the workflow on'
required: false
default: 'main'
env:
SERVICE_NAME: ${{ github.event.repository.name }}
jobs:
tag-publish-job:
runs-on: ubuntu-latest
outputs:
tag: ${{ steps.tag.outputs.tag }}
is-bump: ${{ steps.skiptest.outputs.is-bump }}
steps:
- name: Set part of semantic version to bump
id: controls
run: |
SEMVER_PART=""
CHECKOUT_BRANCH="$GITHUB_REF"
if ${{github.event_name == 'push' }}; then
SEMVER_PART="patch"
elif ${{github.event_name == 'workflow_dispatch' }}; then
SEMVER_PART=${{ github.event.inputs.bump }}
CHECKOUT_BRANCH=${{ github.event.inputs.branch }}
fi
echo semver-part=$SEMVER_PART >> $GITHUB_OUTPUT
echo checkout-branch=$CHECKOUT_BRANCH >> $GITHUB_OUTPUT
- name: Checkout current code
uses: actions/checkout@v3
with:
ref: ${{ steps.controls.outputs.checkout-branch }}
token: ${{ secrets.BROADBOT_TOKEN }}
- name: Skip version bump merges
id: skiptest
uses: ./.github/actions/bump-skip
with:
event-name: ${{ github.event_name }}
- name: Bump the tag to a new version
if: steps.skiptest.outputs.is-bump == 'no'
uses: databiosphere/github-actions/actions/[email protected]
id: tag
env:
DEFAULT_BUMP: patch
GITHUB_TOKEN: ${{ secrets.BROADBOT_TOKEN }}
HOTFIX_BRANCHES: hotfix.*
OVERRIDE_BUMP: ${{ steps.controls.outputs.semver-part }}
RELEASE_BRANCHES: main
VERSION_FILE_PATH: settings.gradle
VERSION_LINE_MATCH: "^gradle.ext.wsmVersion\\s*=\\s*\".*\""
VERSION_SUFFIX: SNAPSHOT
- name: Set up AdoptOpenJDK
if: steps.skiptest.outputs.is-bump == 'no'
uses: actions/setup-java@v3
with:
distribution: 'temurin'
java-version: 17
- name: Cache Gradle packages
if: steps.skiptest.outputs.is-bump == 'no'
uses: actions/cache@v3
with:
path: |
~/.gradle/caches
~/.gradle/wrapper
key: v1-${{ runner.os }}-gradle-${{ hashfiles('**/gradle-wrapper.properties') }}-${{ hashFiles('**/*.gradle') }}
restore-keys: v1-${{ runner.os }}-gradle-${{ hashfiles('**/gradle-wrapper.properties') }}
- name: Grant execute permission for gradlew
if: steps.skiptest.outputs.is-bump == 'no'
run: chmod +x gradlew
- name: "Publish to Artifactory"
if: steps.skiptest.outputs.is-bump == 'no'
run: ./gradlew :client:artifactoryPublish --scan
env:
ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }}
ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }}
ARTIFACTORY_REPO_KEY: "libs-snapshot-local"
- name: Auth to Google
if: steps.skiptest.outputs.is-bump == 'no'
uses: google-github-actions/auth@v1
with:
credentials_json: ${{ secrets.GCR_PUBLISH_KEY }}
- name: Setup gcloud
if: steps.skiptest.outputs.is-bump == 'no'
uses: google-github-actions/setup-gcloud@v1
- name: Explicitly auth Docker for GCR
if: steps.skiptest.outputs.is-bump == 'no'
run: gcloud auth configure-docker --quiet
- name: Construct docker image name and tag
if: steps.skiptest.outputs.is-bump == 'no'
id: image-name
run: |
DOCKER_TAG=${{ steps.tag.outputs.tag }}
echo name=gcr.io/broad-dsp-gcr-public/${SERVICE_NAME}:${DOCKER_TAG} >> $GITHUB_OUTPUT
- name: Build image locally with jib
if: steps.skiptest.outputs.is-bump == 'no'
run: "./gradlew :service:jibDockerBuild --image=${{ steps.image-name.outputs.name }} -Djib.console=plain"
- name: Run Trivy vulnerability scanner
if: steps.skiptest.outputs.is-bump == 'no'
# Link to the github location of the action https://github.com/broadinstitute/dsp-appsec-trivy-action
uses: broadinstitute/dsp-appsec-trivy-action@v1
with:
image: ${{ steps.image-name.outputs.name }}
- name: Push GCR image
if: steps.skiptest.outputs.is-bump == 'no'
run: "docker push ${{ steps.image-name.outputs.name }}"
- name: Build the OpenAPI interface
if: steps.skiptest.outputs.is-bump == 'no'
run: ./gradlew :service:generateSwaggerCodeServer
- name: Where is the file
if: steps.skiptest.outputs.is-bump == 'no'
run: |
pwd
find . -name "service_openapi.yaml"
- name: Make release
if: steps.skiptest.outputs.is-bump == 'no'
uses: ncipollo/release-action@v1
id: create_release
with:
tag: ${{ steps.tag.outputs.tag }}
artifacts: "service/build/resources/main/api/service_openapi.yaml"
report-to-sherlock:
# Report new WSM version to Broad DevOps
uses: broadinstitute/sherlock/.github/workflows/client-report-app-version.yaml@main
needs: tag-publish-job
if: ${{ needs.tag-publish-job.outputs.is-bump == 'no' }}
with:
new-version: ${{ needs.tag-publish-job.outputs.tag }}
chart-name: 'workspacemanager'
permissions:
contents: 'read'
id-token: 'write'
set-version-in-dev:
# Put new WSM version in Broad dev environment
uses: broadinstitute/sherlock/.github/workflows/client-set-environment-app-version.yaml@main
needs: [tag-publish-job, report-to-sherlock]
if: ${{ needs.tag-publish-job.outputs.is-bump == 'no' }}
with:
new-version: ${{ needs.tag-publish-job.outputs.tag }}
chart-name: 'workspacemanager'
environment-name: 'dev'
secrets:
sync-git-token: ${{ secrets.BROADBOT_TOKEN }}
permissions:
id-token: 'write'