DT-454: Add GAR specific build action #1747

Closed
wants to merge 14 commits into from
109 changes: 109 additions & 0 deletions .github/workflows/bump-tag-push.yaml
@@ -0,0 +1,109 @@
name: Bump, Tag, and Publish
# The purpose of the workflow is to:
# 1. Bump the version number and tag the release if not a PR
# 2. Build docker image and publish to GAR
#
# When run on merge to main, it tags and bumps the minor version by default. You can
# bump other parts of the version by putting #major, #minor, or #patch in your commit
# message.
#
# When run on a PR, it simulates bumping the tag and appends a hash to the pushed image.
on:
workflow_dispatch: {}
push:
branches:
- develop
pull_request:
branches:
- develop
paths-ignore:
- "README.md"
env:
# The project we'll be pushing artifacts to.
GOOGLE_PROJECT: dsp-artifact-registry
# Name of the app-specific Docker repository configured in GOOGLE_PROJECT.
# This is typically equal to the GitHub repository name.
REPOSITORY_NAME: ${{ github.event.repository.name }}
# Name of the image we'll be uploading into the Docker repository.
# This is often equal to the GitHub repository name, but it might also be the
# name of the Helm Chart if that's different.
IMAGE_NAME: ${{ github.event.repository.name }}
# This is the region-specific top-level Google-managed domain where our
# GOOGLE_PROJECT/REPOSITORY_NAME can be found.
GOOGLE_DOCKER_REPOSITORY: us-central1-docker.pkg.dev
jobs:
tag-build-publish:
runs-on: ubuntu-latest
permissions:
contents: "read"
id-token: "write"
steps:
# Git config
- name: Checkout current code
uses: actions/checkout@v2
with:
token: ${{ secrets.BROADBOT_TOKEN }}
- name: Set up Git
shell: bash
run: |
git config --global user.name 'broadbot'
git config --global user.email '[email protected]'
git fetch --all --tags
- name: Bump the tag to a new version
uses: databiosphere/github-actions/actions/[email protected]
id: tag
env:
DEFAULT_BUMP: minor
GITHUB_TOKEN: ${{ secrets.BROADBOT_TOKEN }}
RELEASE_BRANCHES: ${{ github.event.repository.default_branch }}
WITH_V: true

# GCP config
- name: Auth to GCP
id: "auth"
uses: google-github-actions/auth@v0
with:
workload_identity_provider: "projects/1038484894585/locations/global/workloadIdentityPools/github-wi-pool/providers/github-wi-provider"
service_account: "dsp-artifact-registry-push@dsp-artifact-registry.iam.gserviceaccount.com"
- name: Set up Cloud SDK
uses: google-github-actions/setup-gcloud@v2
- name: Explicitly auth Docker for Artifact Registry
run: gcloud auth configure-docker $GOOGLE_DOCKER_REPOSITORY --quiet
Contributor
Suggested change
run: gcloud auth configure-docker $GOOGLE_DOCKER_REPOSITORY --quiet
run: gcloud auth configure-docker "$GOOGLE_DOCKER_REPOSITORY" --quiet


# Build images
- name: Construct docker image name and tags
id: image-name
shell: bash
run: |
NAME="${GOOGLE_DOCKER_REPOSITORY}/${GOOGLE_PROJECT}/${REPOSITORY_NAME}/${IMAGE_NAME}"
DOCKER_TAG="${{ steps.tag.outputs.tag }}"
TAGGED="${NAME}:${DOCKER_TAG}"
HASHED="${NAME}:$(git rev-parse --short HEAD)"
echo "NAME: ${NAME}"
echo "TAGGED: ${TAGGED}"
echo "HASHED: ${HASHED}"
echo "name=${NAME}" >> $GITHUB_OUTPUT
echo "tagged=${TAGGED}" >> $GITHUB_OUTPUT
echo "hashed=${HASHED}" >> $GITHUB_OUTPUT
- name: Build image
run: |
docker build -t ${{ steps.image-name.outputs.tagged }} .

# Publish images
- name: Run Trivy vulnerability scanner
# From https://github.com/broadinstitute/dsp-appsec-trivy-action
uses: broadinstitute/dsp-appsec-trivy-action@v1
with:
image: ${{ steps.image-name.outputs.tagged }}
- name: Push image
run: |
docker push ${{ steps.image-name.outputs.tagged }}
- name: Add latest tags to Docker image
if: github.event_name != 'pull_request'
shell: bash
run: |
gcloud artifacts docker tags add \
"${{ steps.image-name.outputs.tagged }}" \
"${{ steps.image-name.outputs.hashed }}" \
"${{ steps.image-name.outputs.hashed }}-develop" \
"${{ steps.image-name.outputs.name }}:latest"
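Review bot: the tagging logic contradicts the header comment, and the mismatch has a registry-integrity cost. The comment says a PR run "appends a hash to the pushed image", but the `Build image` and `Push image` steps use `steps.image-name.outputs.tagged` unconditionally, and the hashed tag is only applied in `Add latest tags to Docker image`, which is gated on `github.event_name != 'pull_request'`. So on a PR the unreviewed build is pushed under the plain simulated release tag (`${NAME}:${DOCKER_TAG}`), which the later merge will overwrite, and two open PRs that compute the same next tag clobber each other. Suggest building and pushing `steps.image-name.outputs.hashed` on `pull_request` and reserving the `tagged` name (plus `latest` and `-develop`) for pushes to the release branch. Two smaller points on the same hunk: `actions/checkout@v2` with `token: ${{ secrets.BROADBOT_TOKEN }}` persists that PAT in the checked-out repo's git config for the rest of the job (including the `docker build .` of PR code), while `permissions` only grants `contents: "read"`; set `persist-credentials: false` on the checkout and pass the token only to the tag-bump step that needs it. And `actions/checkout@v2`, `google-github-actions/auth@v0`, `setup-gcloud@v2` and `dsp-appsec-trivy-action@v1` are referenced by floating tags; pinning them to commit SHAs would make the publish path reproducible.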