DataBiosphere
diff --git a/‎.github/workflows/consumer_contract_tests.yml
+63-6 b/‎.github/workflows/consumer_contract_tests.yml
+63-6
diff --git a/‎.github/workflows/tag.yml
+67 b/‎.github/workflows/tag.yml
+67
@@ -21,9 +21,58 @@ on:
     branches: [ main ]
     paths-ignore: [ '**.md' ]
 
+env:
+  PUBLISH_CONTRACTS_RUN_NAME: 'publish-contracts-${{ github.event.repository.name }}-${{ github.run_id }}-${{ github.run_attempt }}'
+  CAN_I_DEPLOY_RUN_NAME: 'can-i-deploy-${{ github.event.repository.name }}-${{ github.run_id }}-${{ github.run_attempt }}'
+
 jobs:
+  bump-check:
+    runs-on: ubuntu-latest
+    outputs:
+      is-bump: ${{ steps.skiptest.outputs.is-bump }}
+    steps:
+      - uses: actions/checkout@v3
+      - name: Skip version bump merges
+        id: skiptest
+        uses: ./.github/actions/bump-skip
+        with:
+          event-name: ${{ github.event_name }}
+
+# The primary objective of this section is to carefully control the dispatching of tags,
+# ensuring it only occurs during the 'Tag, publish, deploy' workflow.
+# However, a challenge arises with contract tests, as they require knowledge of the upcoming tag
+# before the actual deployment. To address this, we leverage the dry run feature provided by bumper.
+# This allows us to obtain the next tag for publishing contracts and verifying consumer pacts without
+# triggering the tag dispatch. This approach sidesteps the need for orchestrating multiple workflows,
+# simplifying our implementation.
+#
+# We regulate the tag job to meet the following requirements according to the trigger event type:
+# 1. pull_request event (due to opening or updating of PR branch):
+#      dry-run flag is set to false
+#         this allows the new semver tag #major.#minor.#patch-#commit to be used to identity pacticipant version for development purpose
+#         PR has no effect on the value of the latest tag in settings.gradle on disk
+# 2. PR merge to main, this triggers a push event on the main branch:
+#      dry-run flag is set to true
+#         this allows the new semver tag #major.#minor.#patch to be used to identity pacticipant version, and
+#         this action will not update the value of the latest tag in settings.gradle on disk
+#
+# Note: All workflows from the same PR merge should have the same copy of settings.gradle on disk,
+# which should be the one from the HEAD of the main branch before the workflow starts running
+  regulated-tag-job:
+    needs: [ bump-check ]
+    if: ${{ needs.bump-check.outputs.is-bump == 'no' }}
+    uses: ./.github/workflows/tag.yml
+    with:
+      # The 'ref' parameter ensures that the consumer version is postfixed with the HEAD commit of the PR branch,
+      # facilitating cross-referencing of a pact between Pact Broker and GitHub.
+      ref: ${{ github.head_ref || '' }}
+      dry-run: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+    secrets: inherit
+
   init-github-context:
     runs-on: ubuntu-latest
+    needs: [ bump-check ]
+    if: ${{ needs.bump-check.outputs.is-bump == 'no' }}
     outputs:
       repo-branch: ${{ steps.extract-branch.outputs.repo-branch }}
       repo-version: ${{ steps.extract-branch.outputs.repo-version }}
@@ -56,7 +105,8 @@ jobs:
 
   wsm-consumer-contract-tests:
     runs-on: ubuntu-latest
-    needs: [ init-github-context ]
+    needs: [ bump-check, init-github-context ]
+    if: ${{ needs.bump-check.outputs.is-bump == 'no' }}
     outputs:
       pact-b64: ${{ steps.encode-pact.outputs.pact-b64 }}
 
@@ -77,15 +127,22 @@ jobs:
 
   publish-contracts:
     runs-on: ubuntu-latest
-    needs: [ init-github-context, wsm-consumer-contract-tests ]
+    needs: [ bump-check, init-github-context, wsm-consumer-contract-tests, regulated-tag-job ]
+    if: ${{ needs.bump-check.outputs.is-bump == 'no' }}
     steps:
       - name: Dispatch to terra-github-workflows
-        uses: broadinstitute/workflow-dispatch@v3
+        uses: broadinstitute/workflow-dispatch@v4.0.0
         with:
+          run-name: "${{ env.PUBLISH_CONTRACTS_RUN_NAME }}"
           workflow: .github/workflows/publish-contracts.yaml
           repo: broadinstitute/terra-github-workflows
           ref: refs/heads/main
           token: ${{ secrets.BROADBOT_TOKEN }} # github token for access to kick off a job in the private repo
-          inputs: '{ "pact-b64": "${{ needs.wsm-consumer-contract-tests.outputs.pact-b64 }}", "repo-owner": "${{ github.repository_owner }}", "repo-name": "${{ github.event.repository.name }}", "repo-branch": "${{ needs.init-github-context.outputs.repo-branch }}" }'
-
-
+          inputs: '{
+            "run-name": "${{ env.PUBLISH_CONTRACTS_RUN_NAME }}",
+            "pact-b64": "${{ needs.wsm-consumer-contract-tests.outputs.pact-b64 }}",
+            "repo-owner": "${{ github.repository_owner }}",
+            "repo-name": "${{ github.event.repository.name }}",
+            "repo-branch": "${{ needs.init-github-context.outputs.repo-branch }}",
+            "release-tag": "${{ needs.regulated-tag-job.outputs.new-tag }}"
+          }'
@@ -0,0 +1,67 @@
+name: Tag
+on:
+  workflow_dispatch:
+  workflow_call:
+    inputs:
+      ref:
+        description: "The branch, tag or SHA to checkout"
+        default: ''
+        required: false
+        type: string
+      dry-run:
+        description: "Determine the next version without tagging the branch. The workflow can use the outputs new_tag and tag in subsequent steps. Possible values are true and false (default)"
+        default: false
+        required: false
+        type: string
+      print-tag:
+        description: "Echo tag to console"
+        default: true
+        required: false
+        type: string
+    outputs:
+      tag:
+        description: "The value of the latest tag after running this action"
+        value: ${{ jobs.tag-job.outputs.tag }}
+      new-tag:
+        description: "The value of the newly created tag"
+        value: ${{ jobs.tag-job.outputs.new-tag }}
+    secrets:
+      BROADBOT_TOKEN:
+        required: true
+
+jobs:
+# On tag vs. new-tag.
+# The new-tag is always the tag resulting from a bump to the original tag.
+# However, the tag is by definition the value of the latest tag after running the action,
+# which might not change if dry run is used, and remains same as the original tag.
+  tag-job:
+    runs-on: ubuntu-latest
+    outputs:
+      tag: ${{ steps.tag.outputs.tag }}
+      new-tag: ${{ steps.tag.outputs.new_tag }}
+    steps:
+      - name: Checkout current code
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ inputs.ref }}
+          token: ${{ secrets.BROADBOT_TOKEN }} # this allows the push to succeed later
+      - name: Bump the tag to a new version
+        # https://github.com/DataBiosphere/github-actions/tree/master/actions/bumper
+        uses: databiosphere/github-actions/actions/[email protected]
+        id: tag
+        env:
+          GITHUB_TOKEN: ${{ secrets.BROADBOT_TOKEN }}
+          HOTFIX_BRANCHES: hotfix.*
+          DEFAULT_BUMP: patch
+          DRY_RUN: ${{ inputs.dry-run }}
+          RELEASE_BRANCHES: main
+          VERSION_FILE_PATH: settings.gradle
+          VERSION_LINE_MATCH: "^\\s*gradle.ext.wsmVersion\\s*=\\s*\".*\""
+          VERSION_SUFFIX: SNAPSHOT
+      - name: Echo tag to console
+        if: ${{ inputs.print-tag == 'true' }}
+        run: |
+          echo "Newly created version tag: '${{ steps.tag.outputs.new_tag }}'"
+          echo "settings.gradle"
+          echo "==============="
+          cat settings.gradle