[DDO-3908] Force-update cookie dependency #1182
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Bump, Tag, and Publish | |
| # The purpose of the workflow is to: | |
| # 1. Bump the version number and tag the release if not a PR | |
| # 2. Build docker image and publish to GAR | |
| # | |
| # When run on merge to main, it tags and bumps the patch version by default. You can | |
| # bump other parts of the version by putting #major, #minor, or #patch in your commit | |
| # message. | |
| # | |
| # When run on a PR, it simulates bumping the tag and appends a hash to the pushed image. | |
| on: | |
| push: | |
| branches: | |
| - main | |
| paths-ignore: | |
| - "README.md" | |
| pull_request: | |
| branches: | |
| - main | |
| paths-ignore: | |
| - "README.md" | |
| - "foundation.yaml" | |
| jobs: | |
| tag-build-publish: | |
| runs-on: ubuntu-latest | |
| # For Dependabot, see dependabot-build.yaml | |
| if: ${{ github.actor != 'dependabot[bot]' }} | |
| permissions: | |
| # Push changed tag | |
| contents: "write" | |
| # Use OIDC -> IAP | |
| id-token: "write" | |
| # Make comments | |
| pull-requests: "write" | |
| issues: "write" | |
| outputs: | |
| tag: ${{ steps.tag.outputs.tag }} | |
| steps: | |
| - name: Checkout current code | |
| uses: actions/checkout@v4 | |
| - name: Set up Git | |
| shell: bash | |
| run: | | |
| git config --global user.name 'broadbot' | |
| git config --global user.email 'broadbot@broadinstitute.org' | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Bump the tag to a new version | |
| uses: databiosphere/github-actions/actions/bumper@bumper-0.4.0 | |
| id: tag | |
| env: | |
| DEFAULT_BUMP: patch | |
| RELEASE_BRANCHES: ${{ github.event.repository.default_branch }} | |
| WITH_V: true | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Assemble Docker tags | |
| uses: docker/metadata-action@v5 | |
| id: meta | |
| with: | |
| images: | | |
| us-central1-docker.pkg.dev/dsp-artifact-registry/beehive/beehive | |
| us-central1-docker.pkg.dev/dsp-devops-super-prod/beehive/beehive | |
| tags: | | |
| type=raw,value=${{ steps.tag.outputs.new_tag }} | |
| type=semver,pattern=v{{major}},value=${{ steps.tag.outputs.new_tag }},enable={{is_default_branch}} | |
| type=semver,pattern=v{{major}}.{{minor}},value=${{ steps.tag.outputs.new_tag }},enable={{is_default_branch}} | |
| type=raw,value=latest,enable={{is_default_branch}} | |
| - name: Build image | |
| uses: docker/build-push-action@v6 | |
| with: | |
| # Don't push, just build and load locally. | |
| context: . | |
| file: Dockerfile | |
| push: false | |
| load: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| build-args: | | |
| BUILD_VERSION=${{ steps.tag.outputs.tag }} | |
| - name: Run Trivy vulnerability scanner | |
| uses: broadinstitute/dsp-appsec-trivy-action@v1 | |
| with: | |
| image: us-central1-docker.pkg.dev/dsp-artifact-registry/beehive/beehive:${{ steps.tag.outputs.tag }} | |
| - name: Auth to GCP | |
| id: auth | |
| uses: google-github-actions/auth@v2 | |
| with: | |
| token_format: access_token | |
| workload_identity_provider: projects/1038484894585/locations/global/workloadIdentityPools/github-wi-pool/providers/github-wi-provider | |
| service_account: gha-gar-writer@dsp-devops-super-prod.iam.gserviceaccount.com | |
| - name: Login to GAR | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: us-central1-docker.pkg.dev | |
| username: oauth2accesstoken | |
| password: ${{ steps.auth.outputs.access_token }} | |
| - name: Push image | |
| uses: docker/build-push-action@v6 | |
| with: | |
| # "Build" (instant, via local cache from earlier) and push images; | |
| # we do have to repeat the earlier parameters here for the cache to work. | |
| context: . | |
| file: Dockerfile | |
| push: true | |
| load: false | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| build-args: | | |
| BUILD_VERSION=${{ steps.tag.outputs.tag }} | |
| - name: Comment published image | |
| if: ${{ github.event_name == 'pull_request' }} | |
| uses: marocchino/sticky-pull-request-comment@v2 | |
| with: | |
| header: image | |
| message: | | |
| Published image from ${{ github.event.pull_request.head.sha }} (merge ${{ github.sha }}): | |
| ``` | |
| us-central1-docker.pkg.dev/dsp-artifact-registry/sherlock/sherlock:${{ steps.tag.outputs.tag }} | |
| us-central1-docker.pkg.dev/dsp-devops-super-prod/sherlock/sherlock:${{ steps.tag.outputs.tag }} | |
| ``` | |
| report-to-sherlock: | |
| uses: broadinstitute/sherlock/.github/workflows/client-report-app-version.yaml@main | |
| needs: tag-build-publish | |
| with: | |
| chart-name: "beehive" | |
| new-version: ${{ needs.tag-build-publish.outputs.tag }} | |
| permissions: | |
| contents: "read" | |
| id-token: "write" |