Skip to content

IA-4897: add authorization to admin endpoints #119

IA-4897: add authorization to admin endpoints

IA-4897: add authorization to admin endpoints #119

Workflow file for this run

name: Build and Test
on:
push:
branches: [ main ]
paths-ignore: [ '*.md' ]
pull_request:
branches: [ '**' ]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: '3.10'
- name: Install black and link shellcheck into expected location
run: |
pip install black --force-reinstall black==22.3.0
sudo ln -s $(which shellcheck) /usr/local/bin/shellcheck
- name: Set up JDK
uses: actions/setup-java@v3
with:
java-version: '17'
distribution: 'temurin'
cache: 'gradle'
- name: Build all projects without running tests
run: ./scripts/build --skip-tests project
jib:
needs: [ build ]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Set up JDK
uses: actions/setup-java@v3
with:
java-version: '17'
distribution: 'temurin'
cache: 'gradle'
- name: Construct docker image name and tag
id: image-name
run: |
GITHUB_REPO=$(basename ${{ github.repository }})
GIT_SHORT_HASH=$(git rev-parse --short HEAD)
echo "name=${GITHUB_REPO}:${GIT_SHORT_HASH}" >> $GITHUB_OUTPUT
- name: Build image locally with jib
run: |
DOCKER_IMAGE_NAME_AND_TAG=${{ steps.image-name.outputs.name }} \
./scripts/build docker
dispatch-trivy:
needs: [ build ]
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
steps:
- name: Fire off Trivy action
uses: broadinstitute/workflow-dispatch@v3
with:
workflow: Trivy
token: ${{ secrets.BROADBOT_TOKEN }}
ref: ${{ github.event.pull_request.head.ref }}
source-clear:
needs: [ build ]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Set up JDK
uses: actions/setup-java@v3
with:
java-version: '17'
distribution: 'temurin'
cache: 'gradle'
- name: SourceClear scan
env:
SRCCLR_API_TOKEN: ${{ secrets.SRCCLR_API_TOKEN }}
run: ./gradlew --build-cache srcclr
unit-tests-and-sonar:
needs: [ build ]
runs-on: ubuntu-latest
services:
postgres:
image: postgres:13
env:
POSTGRES_PASSWORD: postgres
ports: [ "5432:5432" ]
steps:
- uses: actions/checkout@v3
# Needed by sonar to get the git history for the branch the PR will be merged into.
with:
fetch-depth: 0
- name: Set up JDK
uses: actions/setup-java@v3
with:
java-version: '17'
distribution: 'temurin'
cache: 'gradle'
- name: Make sure Postgres is ready and init
env:
PGPASSWORD: postgres
run: |
pg_isready -h localhost -t 10
psql -h localhost -U postgres -f ./scripts/init-db/postgres-init.sql
- name: Test with coverage
run: |
./scripts/run tests
# Run the Sonar scan after `gradle test` to include code coverage data in its report.
- name: Sonar scan
run: ./gradlew --build-cache sonar --info
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
integration-tests:
needs: [ build ]
runs-on: ubuntu-latest
services:
postgres:
image: postgres:13
env:
POSTGRES_PASSWORD: postgres
ports: [ "5432:5432" ]
steps:
- uses: actions/checkout@v3
- name: Set up JDK
uses: actions/setup-java@v3
with:
java-version: '17'
distribution: 'temurin'
cache: 'gradle'
- name: Make sure Postgres is ready and init
env:
PGPASSWORD: postgres
run: |
pg_isready -h localhost -t 10
psql -h localhost -U postgres -f ./scripts/init-db/postgres-init.sql
- name: Render GitHub Secrets
run: |
echo "${{ secrets.DEV_FIRECLOUD_ACCOUNT_B64 }}" | base64 -d > "integration/src/main/resources/rendered/user-delegated-sa.json"
echo "${{ secrets.PERF_TESTRUNNER_ACCOUNT_B64 }}" | base64 -d > "integration/src/main/resources/rendered/testrunner-perf.json"
- name: Launch the background process for integration tests
run: ./scripts/run local | tee application.log &
- name: Wait for boot run to be ready
run: |
set +e
timeout 60 bash -c 'until echo > /dev/tcp/localhost/8080; do sleep 1; done'
resultStatus=$?
set -e
if [[ $resultStatus == 0 ]]; then
echo "Server started successfully"
else
echo "Server did not start successfully"
exit 1
fi
- name: Run the integration test suite
run: |
./scripts/run integration
- name: Archive logs
id: archive_logs
if: always()
uses: actions/upload-artifact@v3
with:
name: application-logs
path: |
application.log
dispatch-tag:
needs: [ build, unit-tests-and-sonar, source-clear, integration-tests ]
runs-on: ubuntu-latest
if: success() && github.ref == 'refs/heads/main'
steps:
- name: Fire off tag action
uses: broadinstitute/workflow-dispatch@v3
with:
workflow: Tag
token: ${{ secrets.BROADBOT_TOKEN }}
# report workflow status in slack
# see https://docs.google.com/document/d/1G6-whnNJvON6Qq1b3VvRJFC7M9M-gu2dAVrQHDyp9Us/edit?usp=sharing
report-workflow:
uses: broadinstitute/sherlock/.github/workflows/client-report-workflow.yaml@main
with:
# Channels to notify upon workflow success or failure
notify-slack-channels-upon-workflow-completion: '#dsp-app-manager-builds'
# Channels to notify upon workflow success only
# notify-slack-channels-upon-workflow-success: "#channel-here"
# Channels to notify upon workflow failure only
# notify-slack-channels-upon-workflow-failure: "#channel-here"
permissions:
id-token: 'write'