Referenced landing zone updates. #941
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Bump, Tag, Publish | |
| # The purpose of the workflow is to: | |
| # 1. Bump the version number and tag the release | |
| # 2. Build and publish the server library to Artifactory | |
| # 3. Build docker image and publish to GCR | |
| # 4. Trigger deployment to the dev environment | |
| # | |
| # When run on merge to main, it tags and bumps the patch version by default. You can | |
| # bump other parts of the version by putting #major, #minor, or #patch in your commit | |
| # message. | |
| # | |
| # When run on a hotfix branch, it tags and generates the hotfix version | |
| # | |
| # When run manually, you can specify the part of the semantic version to bump | |
| # | |
| # The workflow relies on github secrets: | |
| # - ARTIFACTORY_PASSWORD - password for publishing the client to artifactory | |
| # - ARTIFACTORY_USERNAME - username for publishing the client to artifactory | |
| # - BROADBOT_TOKEN - the broadbot token, so we can avoid two reviewer rule on GHA operations | |
| on: | |
| pull_request: | |
| push: | |
| branches: | |
| - main | |
| paths-ignore: | |
| - 'README.md' | |
| - '.github/**' | |
| - 'local-dev/**' | |
| workflow_dispatch: | |
| inputs: | |
| bump: | |
| description: 'Part of the version to bump: major, minor, patch' | |
| required: false | |
| default: 'patch' | |
| type: choice | |
| options: | |
| - patch | |
| - minor | |
| - major | |
| branch: | |
| description: 'Branch to run the workflow on' | |
| required: false | |
| default: 'main' | |
| env: | |
| SERVICE_NAME: ${{ github.event.repository.name }} | |
| GOOGLE_PROJECT: broad-dsp-gcr-public | |
| jobs: | |
| bump-check: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| is-bump: ${{ steps.skiptest.outputs.is-bump }} | |
| steps: | |
| - uses: actions/checkout@v2 | |
| - name: Skip version bump merges | |
| id: skiptest | |
| uses: ./.github/actions/bump-skip | |
| with: | |
| event-name: ${{ github.event_name }} | |
| publish-job: | |
| needs: [ bump-check ] | |
| runs-on: ubuntu-latest | |
| if: needs.bump-check.outputs.is-bump == 'no' | |
| outputs: | |
| tag: ${{ steps.tag.outputs.tag }} | |
| steps: | |
| - name: Set part of semantic version to bump | |
| id: controls | |
| run: | | |
| SEMVER_PART="" | |
| CHECKOUT_BRANCH="$GITHUB_REF" | |
| if ${{github.event_name == 'push' }}; then | |
| SEMVER_PART="patch" | |
| elif ${{github.event_name == 'workflow_dispatch' }}; then | |
| SEMVER_PART=${{ github.event.inputs.bump }} | |
| CHECKOUT_BRANCH=${{ github.event.inputs.branch }} | |
| fi | |
| echo "semver-part=$SEMVER_PART" >> $GITHUB_OUTPUT | |
| echo "checkout-branch=$CHECKOUT_BRANCH" >> $GITHUB_OUTPUT | |
| - name: Checkout current code | |
| uses: actions/checkout@v2 | |
| with: | |
| ref: ${{ steps.controls.outputs.checkout-branch }} | |
| token: ${{ secrets.BROADBOT_TOKEN }} | |
| - name: Bump the tag to a new version | |
| uses: databiosphere/github-actions/actions/[email protected] | |
| id: tag | |
| env: | |
| DEFAULT_BUMP: patch | |
| GITHUB_TOKEN: ${{ secrets.BROADBOT_TOKEN }} | |
| HOTFIX_BRANCHES: hotfix.* | |
| OVERRIDE_BUMP: ${{ steps.controls.outputs.semver-part }} | |
| RELEASE_BRANCHES: main | |
| VERSION_FILE_PATH: settings.gradle | |
| VERSION_LINE_MATCH: "^gradle.ext.releaseVersion\\s*=\\s*\".*\"" | |
| VERSION_SUFFIX: SNAPSHOT | |
| - name: Set up AdoptOpenJDK | |
| uses: actions/setup-java@v2 | |
| with: | |
| distribution: 'temurin' | |
| java-version: 17 | |
| - name: Cache Gradle packages | |
| uses: actions/cache@v2 | |
| with: | |
| path: | | |
| ~/.gradle/caches | |
| ~/.gradle/wrapper | |
| key: v1-${{ runner.os }}-gradle-${{ hashfiles('**/gradle-wrapper.properties') }}-${{ hashFiles('**/*.gradle') }} | |
| restore-keys: v1-${{ runner.os }}-gradle-${{ hashfiles('**/gradle-wrapper.properties') }} | |
| - name: Grant execute permission for gradlew | |
| run: chmod +x gradlew | |
| - name: Publish to Artifactory | |
| if: ${{ github.ref_name == 'main' }} | |
| run: ./gradlew :library:artifactoryPublish --scan | |
| env: | |
| ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }} | |
| ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }} | |
| ARTIFACTORY_REPO_KEY: "libs-snapshot-local" | |
| - name: Publish API client | |
| if: ${{ github.ref_name == 'main' }} | |
| run: ./gradlew :client:artifactoryPublish | |
| env: | |
| ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }} | |
| ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }} | |
| ARTIFACTORY_REPO_KEY: libs-snapshot-local | |
| - name: Make release | |
| if: ${{ github.ref_name == 'main' }} | |
| uses: ncipollo/release-action@v1 | |
| id: create_release | |
| with: | |
| tag: ${{ steps.tag.outputs.tag }} | |
| - name: Auth to GCR | |
| uses: google-github-actions/auth@v2 | |
| with: | |
| credentials_json: ${{ secrets.GCR_PUBLISH_KEY_B64 }} | |
| - name: Explicitly auth Docker for GCR | |
| run: gcloud auth configure-docker --quiet | |
| - name: Construct docker image name and tag | |
| id: image-name | |
| run: echo "name=gcr.io/${GOOGLE_PROJECT}/${SERVICE_NAME}:${{ steps.tag.outputs.tag }}" >> $GITHUB_OUTPUT | |
| - name: Build image locally with jib | |
| run: | | |
| DOCKER_IMAGE_NAME_AND_TAG=${{ steps.image-name.outputs.name }} \ | |
| ./scripts/build docker | |
| - name: Push GCR image | |
| run: docker push ${{ steps.image-name.outputs.name }} | |
| report-to-sherlock: | |
| # Report new version to Broad DevOps | |
| uses: broadinstitute/sherlock/.github/workflows/client-report-app-version.yaml@main | |
| needs: publish-job | |
| with: | |
| new-version: ${{ needs.publish-job.outputs.tag }} | |
| chart-name: 'landingzone' | |
| permissions: | |
| contents: 'read' | |
| id-token: 'write' | |
| set-version-in-dev: | |
| # Put new version in Broad dev environment | |
| uses: broadinstitute/sherlock/.github/workflows/client-set-environment-app-version.yaml@main | |
| needs: [publish-job, report-to-sherlock] | |
| if: ${{ github.ref_name == 'main' }} | |
| with: | |
| new-version: ${{ needs.publish-job.outputs.tag }} | |
| chart-name: 'landingzone' | |
| environment-name: 'dev' | |
| secrets: | |
| sync-git-token: ${{ secrets.BROADBOT_TOKEN }} | |
| permissions: | |
| id-token: 'write' |