Publish and deploy #372
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Publish and deploy | |
| on: create | |
| env: | |
| SERVICE_NAME: ${{ github.event.repository.name }} | |
| GOOGLE_PROJECT: broad-dsp-gcr-public | |
| jobs: | |
| publish-job: | |
| if: startsWith(github.ref, 'refs/tags/') | |
| runs-on: ubuntu-latest | |
| outputs: | |
| tag: ${{ steps.tag.outputs.tag }} | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Set up JDK 17 | |
| uses: actions/setup-java@v3 | |
| with: | |
| java-version: '17' | |
| distribution: 'temurin' | |
| - name: Cache Gradle packages | |
| uses: actions/cache@v3 | |
| with: | |
| path: | | |
| ~/.gradle/caches | |
| ~/.gradle/wrapper | |
| key: v1-${{ runner.os }}-gradle-refs/heads/dev-${{ github.sha }} | |
| - name: Parse tag | |
| id: tag | |
| run: echo tag=$(git describe --tags) >> $GITHUB_OUTPUT | |
| - name: Publish jakarta-based client library to Artifactory | |
| run: ./gradlew --build-cache :client-resttemplate:artifactoryPublish | |
| env: | |
| ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }} | |
| ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }} | |
| ARTIFACTORY_REPO_KEY: libs-snapshot-local | |
| - name: Auth to GCR | |
| uses: google-github-actions/auth@v1 | |
| with: | |
| credentials_json: ${{ secrets.GCR_PUBLISH_KEY_B64 }} | |
| - name: Explicitly auth Docker for GCR | |
| run: gcloud auth configure-docker --quiet | |
| - name: Construct docker image name and tag | |
| id: image-name | |
| run: echo name=gcr.io/${GOOGLE_PROJECT}/${SERVICE_NAME}:${{ steps.tag.outputs.tag }} >> $GITHUB_OUTPUT | |
| - name: Add Google Cloud Profiler to Docker Image | |
| run: docker build ./service -t externalcreds:local | |
| - name: Build image locally with jib | |
| run: | | |
| ./gradlew --build-cache :service:jibDockerBuild \ | |
| --image=${{ steps.image-name.outputs.name }} \ | |
| -Djib.from.image=docker://externalcreds:local \ | |
| -Djib.console=plain | |
| - name: Run Trivy vulnerability scanner | |
| # Link to the github location of the action https://github.com/broadinstitute/dsp-appsec-trivy-action | |
| uses: broadinstitute/dsp-appsec-trivy-action@v1 | |
| with: | |
| image: ${{ steps.image-name.outputs.name }} | |
| - name: Push GCR image | |
| run: docker push ${{ steps.image-name.outputs.name }} | |
| - name: Notify slack on failure | |
| uses: 8398a7/action-slack@v3 | |
| if: failure() | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ secrets.POLICY_INT_WEBHOOK_URL }} | |
| with: | |
| status: ${{ job.status }} | |
| author_name: Publish to dev | |
| fields: job | |
| text: 'ECM Publish job to dev failed :sadpanda:' | |
| report-to-sherlock: | |
| # Report new ECM version to Broad DevOps | |
| uses: broadinstitute/sherlock/.github/workflows/client-report-app-version.yaml@main | |
| needs: publish-job | |
| with: | |
| new-version: ${{ needs.publish-job.outputs.tag }} | |
| chart-name: 'externalcreds' | |
| permissions: | |
| contents: 'read' | |
| id-token: 'write' | |
| set-version-in-dev: | |
| # Put new ECM version in Broad dev environment | |
| uses: broadinstitute/sherlock/.github/workflows/client-set-environment-app-version.yaml@main | |
| needs: [publish-job, report-to-sherlock] | |
| with: | |
| new-version: ${{ needs.publish-job.outputs.tag }} | |
| chart-name: 'externalcreds' | |
| environment-name: 'dev' | |
| secrets: | |
| sync-git-token: ${{ secrets.BROADBOT_TOKEN }} | |
| permissions: | |
| id-token: 'write' |