Publish and deploy #229
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Publish and deploy | |
on: create | |
env: | |
SERVICE_NAME: ${{ github.event.repository.name }} | |
GOOGLE_PROJECT: broad-dsp-gcr-public | |
jobs: | |
publish-job: | |
if: startsWith(github.ref, 'refs/tags/') | |
runs-on: ubuntu-latest | |
outputs: | |
tag: ${{ steps.tag.outputs.tag }} | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Set up JDK 17 | |
uses: actions/setup-java@v3 | |
with: | |
java-version: '17' | |
distribution: 'temurin' | |
- name: Cache Gradle packages | |
uses: actions/cache@v3 | |
with: | |
path: | | |
~/.gradle/caches | |
~/.gradle/wrapper | |
key: v1-${{ runner.os }}-gradle-refs/heads/dev-${{ github.sha }} | |
- name: Parse tag | |
id: tag | |
run: echo tag=$(git describe --tags) >> $GITHUB_OUTPUT | |
# - name: "Publish to Artifactory" | |
# run: ./gradlew --build-cache :client:artifactoryPublish | |
# env: | |
# ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }} | |
# ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }} | |
# ARTIFACTORY_REPO_KEY: "libs-snapshot-local" | |
- name: Auth to GCR | |
uses: google-github-actions/auth@v1 | |
with: | |
credentials_json: ${{ secrets.GCR_PUBLISH_KEY_B64 }} | |
- name: Explicitly auth Docker for GCR | |
run: gcloud auth configure-docker --quiet | |
- name: Construct docker image name and tag | |
id: image-name | |
run: echo name=gcr.io/${GOOGLE_PROJECT}/${SERVICE_NAME}:${{ steps.tag.outputs.tag }} >> $GITHUB_OUTPUT | |
- name: Add Google Cloud Profiler to Docker Image | |
run: docker build ./service -t drshub:local | |
- name: Build image locally with jib | |
run: | | |
./gradlew --build-cache :service:jibDockerBuild \ | |
--image=${{ steps.image-name.outputs.name }} \ | |
-Djib.from.image=docker://drshub:local \ | |
-Djib.console=plain | |
- name: Run Trivy vulnerability scanner | |
# Link to the github location of the action https://github.com/broadinstitute/dsp-appsec-trivy-action | |
uses: broadinstitute/dsp-appsec-trivy-action@v1 | |
with: | |
image: ${{ steps.image-name.outputs.name }} | |
- name: Push GCR image | |
run: docker push ${{ steps.image-name.outputs.name }} | |
report-to-sherlock: | |
# Report new drshub version to Broad DevOps | |
uses: broadinstitute/sherlock/.github/workflows/client-report-app-version.yaml@main | |
needs: publish-job | |
with: | |
new-version: ${{ needs.publish-job.outputs.tag }} | |
chart-name: 'drshub' | |
permissions: | |
contents: 'read' | |
id-token: 'write' | |
set-version-in-dev: | |
# Put new drshub version in Broad dev environment | |
uses: broadinstitute/sherlock/.github/workflows/client-set-environment-app-version.yaml@main | |
needs: [publish-job, report-to-sherlock] | |
with: | |
new-version: ${{ needs.publish-job.outputs.tag }} | |
chart-name: 'drshub' | |
environment-name: 'dev' | |
secrets: | |
sync-git-token: ${{ secrets.BROADBOT_TOKEN }} | |
permissions: | |
id-token: 'write' | |
notify-slack-on-failure: | |
needs: [publish-job, report-to-sherlock, set-version-in-dev] | |
uses: ./.github/workflows/slack-notify-on-failure.yml | |
secrets: inherit | |
if: ${{ failure() }} | |
with: | |
workflow_name: Publish |