AJ-1700 Implement RAWLSJSON support.
#700
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Publish Docker Images to GCR and ACR | |
| on: | |
| workflow_call: | |
| inputs: | |
| new-tag: | |
| required: false | |
| type: string | |
| secrets: | |
| ACR_SP_PASSWORD: | |
| required: true | |
| ACR_SP_USER: | |
| required: true | |
| pull_request: | |
| env: | |
| SERVICE_NAME: ${{ github.event.repository.name }} | |
| GCR_REGISTRY: us.gcr.io | |
| ACR_REGISTRY: terradevacrpublic.azurecr.io | |
| GOOGLE_PROJECT: broad-dsp-gcr-public | |
| jobs: | |
| publish-docker-job: | |
| if: github.actor != 'dependabot[bot]' | |
| permissions: | |
| contents: 'read' | |
| id-token: 'write' | |
| runs-on: ubuntu-latest | |
| outputs: | |
| newVersion: ${{ steps.newVersion.outputs.newVersion }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up JDK 17 | |
| uses: actions/setup-java@v4 | |
| with: | |
| java-version: '17' | |
| distribution: 'temurin' | |
| - name: Set commit short hash | |
| id: setHash | |
| # github.event.pull_request.head.sha is the latest commit for a pull request | |
| # github.sha is the latest commit for a push to main (but is the merge commit on PRs) | |
| run: | | |
| git_short_sha=$(echo ${{ github.event.pull_request.head.sha || github.sha }} | cut -c1-7) | |
| echo $git_short_sha | |
| echo "git_short_sha=${git_short_sha}" >> $GITHUB_OUTPUT | |
| - name: Determine new version | |
| id: newVersion | |
| run: echo "newVersion=${{ inputs.new-tag || steps.setHash.outputs.git_short_sha }}" >> "$GITHUB_OUTPUT" | |
| - name: Set up gcloud | |
| uses: google-github-actions/setup-gcloud@v2 | |
| - name: Authenticate to Google Cloud | |
| uses: google-github-actions/auth@v2 | |
| with: | |
| # Centralized in dsp-tools-k8s; ask in #dsp-devops-champions for help troubleshooting | |
| workload_identity_provider: 'projects/1038484894585/locations/global/workloadIdentityPools/github-wi-pool/providers/github-wi-provider' | |
| service_account: '[email protected]' | |
| - name: Explicitly auth Docker for GCR | |
| run: gcloud auth configure-docker --quiet | |
| - name: Build WDS base Docker image | |
| run: docker build -f Dockerfile --no-cache -t wdsbase:snapshot . | |
| - name: Tag WDS base Docker image | |
| run: docker tag wdsbase:snapshot us.gcr.io/broad-dsp-gcr-public/debian/wds-debian-pg-dump:latest | |
| - name: Push WDS base Docker image | |
| run: docker push us.gcr.io/broad-dsp-gcr-public/debian/wds-debian-pg-dump:latest | |
| - name: Construct GCR docker image name | |
| id: gcr-image-name | |
| run: echo "name=${GCR_REGISTRY}/${GOOGLE_PROJECT}/${SERVICE_NAME}" >> $GITHUB_OUTPUT | |
| - name: Construct ACR docker image name | |
| id: acr-image-name | |
| run: echo "name=${ACR_REGISTRY}/${SERVICE_NAME}" >> $GITHUB_OUTPUT | |
| - name: Build image locally with jib | |
| run: | | |
| ./gradlew --build-cache jibDockerBuild \ | |
| --image=${{ steps.gcr-image-name.outputs.name }}:${{ steps.setHash.outputs.git_short_sha }} \ | |
| -Djib.console=plain | |
| - name: Add version tag to GCR | |
| if: ${{ inputs.new-tag != '' }} | |
| run: docker image tag ${{ steps.gcr-image-name.outputs.name }}:${{ steps.setHash.outputs.git_short_sha }} ${{ steps.gcr-image-name.outputs.name }}:${{ inputs.new-tag }} | |
| - name: Run Trivy vulnerability scanner | |
| # Link to the github location of the action https://github.com/broadinstitute/dsp-appsec-trivy-action | |
| uses: broadinstitute/dsp-appsec-trivy-action@v1 | |
| with: | |
| image: ${{ steps.gcr-image-name.outputs.name }}:${{ steps.setHash.outputs.git_short_sha }} | |
| - name: Push GCR image | |
| run: docker push --all-tags ${{ steps.gcr-image-name.outputs.name }} | |
| - name: Re-tag image for ACR | |
| run: docker tag ${{ steps.gcr-image-name.outputs.name }}:${{ steps.setHash.outputs.git_short_sha }} ${{ steps.acr-image-name.outputs.name }}:${{ steps.setHash.outputs.git_short_sha }} | |
| - name: Add version tag to ACR | |
| if: ${{ inputs.new-tag != '' }} | |
| run: docker image tag ${{ steps.acr-image-name.outputs.name }}:${{ steps.setHash.outputs.git_short_sha }} ${{ steps.acr-image-name.outputs.name }}:${{ inputs.new-tag }} | |
| - name: Push image to Azure | |
| run: | | |
| echo ${{ secrets.ACR_SP_PASSWORD }} | docker login ${ACR_REGISTRY} \ | |
| --username ${{ secrets.ACR_SP_USER }} \ | |
| --password-stdin | |
| docker push --all-tags ${{ steps.acr-image-name.outputs.name }} | |
| # Report the new version of cWDS to Sherlock. | |
| # This enables Sherlock to gather metrics and generate changelogs for deployments. | |
| cwds-report-to-sherlock: | |
| if: github.actor != 'dependabot[bot]' | |
| needs: publish-docker-job | |
| uses: broadinstitute/sherlock/.github/workflows/client-report-app-version.yaml@main | |
| with: | |
| new-version: ${{ needs.publish-docker-job.outputs.newVersion }} | |
| chart-name: 'cwds' | |
| permissions: | |
| contents: 'read' | |
| id-token: 'write' |