From f8bb38151c37877c8bb68b4d882dca574b98cea2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Niklas=20K=C3=B6hnecke?= <155443293+NiklasKoehneckeAA@users.noreply.github.com> Date: Wed, 10 Apr 2024 14:19:42 +0200 Subject: [PATCH] feat: artifactory deployment on release(#724) * builds and pushes IL pypi package to artifactory * only deploys trace-viewer container, does not build it (further work may be required) * can be started manually --------- Co-authored-by: Sebastian Niehus --- .github/workflows/artifactory.yml | 109 ++++++++++++++++++++++++++++++ 1 file changed, 109 insertions(+) create mode 100644 .github/workflows/artifactory.yml
diff --git a/.github/workflows/artifactory.yml b/.github/workflows/artifactory.yml
new file mode 100644
index 000000000..17b5a2a1e
--- /dev/null
+++ b/.github/workflows/artifactory.yml
@@ -0,0 +1,109 @@
+name: Artifactory Deployment of PyPi and trace-viewer
+
+on:
+ workflow_dispatch: {}
+ release:
+ types: [published]
+
+env:
+ ARTIFACTORY_URL: https://alephalpha.jfrog.io
+ ARTIFACTORY_PYPI_REPOSITORY: "intelligence-layer"
+ ARTIFACTORY_DOCKER_REGISTRY: alephalpha.jfrog.io/intelligence-layer-images
+
+jobs:
+ build-and-push-pypi:
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ - name: Get Identity Token From Github
+ run: |
+ ID_TOKEN=$(curl -sLS -H "User-Agent: actions/oidc-client" -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+ "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=https://alephalpha.jfrog.io" | jq .value | tr -d '"')
+ echo "ID_TOKEN=${ID_TOKEN}" >> $GITHUB_ENV
+ - name: Get Jfrog Access Token with Github Identity Token
+ env:
+ ID_TOKEN: ${{ env.ID_TOKEN }}
+ run: |
+ JFROG_ACCESS_TOKEN=$(curl \
+ -X POST \
+ -H "Content-type: application/json" \
+ $ARTIFACTORY_URL/access/api/v1/oidc/token \
+ -d \
+ "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"$ID_TOKEN\", \"provider_name\": \"github\"}" \
+ | jq .access_token -r)
+ echo "JFROG_ACCESS_TOKEN=${JFROG_ACCESS_TOKEN}" >> $GITHUB_ENV
+ - name: Checkout
+ uses: actions/checkout@v2
+ - uses: actions/setup-python@v5
+ with:
+ python-version: "3.10"
+ - name: Install and configure Poetry
+ uses: snok/install-poetry@v1
+ with:
+ virtualenvs-create: true
+ virtualenvs-in-project: true
+ installer-parallel: true
+ - name: Build package and push to Artifactory
+ env:
+ JFROG_ACCESS_TOKEN: ${{ env.JFROG_ACCESS_TOKEN }}
+ run: |
+ poetry build
+ poetry config repositories.artifactory $ARTIFACTORY_URL/artifactory/api/pypi/$ARTIFACTORY_PYPI_REPOSITORY
+ JFROG_ACCESS_TOKEN_SUBJECT=$(echo $JFROG_ACCESS_TOKEN | awk -F'.' '{print $2}' | sed 's/.\{1,3\}$/&==/' | base64 -d | jq '.sub' -r)
+ poetry config http-basic.artifactory "$JFROG_ACCESS_TOKEN_SUBJECT" "$JFROG_ACCESS_TOKEN"
+ poetry publish -r artifactory
+ publish-docker:
+ permissions:
+ contents: read
+ id-token: write
+ packages: read
+ env:
+ GITHUB_DOCKER_REGISTRY: ghcr.io
+ IMAGE_NAME: ${{ github.repository }}-trace-viewer
+ runs-on: ubuntu-latest
+ steps:
+ - name: Get Identity Token From Github
+ run: |
+ ID_TOKEN=$(curl -sLS -H "User-Agent: actions/oidc-client" -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+ "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=https://alephalpha.jfrog.io" | jq .value | tr -d '"')
+ echo "ID_TOKEN=${ID_TOKEN}" >> $GITHUB_ENV
+ - name: Get Jfrog Access Token & Token Subject with Github Identity Token
+ env:
+ ID_TOKEN: ${{ env.ID_TOKEN }}
+ run: |
+ JFROG_ACCESS_TOKEN=$(curl \
+ -X POST \
+ -H "Content-type: application/json" \
+ $ARTIFACTORY_URL/access/api/v1/oidc/token \
+ -d \
+ "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"$ID_TOKEN\", \"provider_name\": \"github\"}" \
+ | jq .access_token -r)
+ echo "JFROG_ACCESS_TOKEN=${JFROG_ACCESS_TOKEN}" >> $GITHUB_ENV
+ JFROG_ACCESS_TOKEN_SUBJECT=$(echo $JFROG_ACCESS_TOKEN | awk -F'.' '{print $2}' | sed 's/.\{1,3\}$/&==/' | base64 -d | jq '.sub' -r)
+ echo "JFROG_ACCESS_TOKEN_SUBJECT=${JFROG_ACCESS_TOKEN_SUBJECT}" >> $GITHUB_ENV
+ - name: Log in to the github container registry
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.GITHUB_DOCKER_REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Log in to the artifactory container registry
+ uses: docker/login-action@v3
+ env:
+ JFROG_ACCESS_TOKEN: ${{ env.JFROG_ACCESS_TOKEN }}
+ JFROG_ACCESS_TOKEN_SUBJECT: ${{ env.JFROG_ACCESS_TOKEN_SUBJECT }}
+ with:
+ registry: ${{ env.ARTIFACTORY_DOCKER_REGISTRY }}
+ username: ${{ env.JFROG_ACCESS_TOKEN_SUBJECT }}
+ password: ${{ env.JFROG_ACCESS_TOKEN }}
+ - name: Build package and push to Artifactory
+ # Docker accepts only lower-case names. Therefore, the first line is needed
+ run: |
+ IMAGE_NAME=${IMAGE_NAME,,}
+ echo $GITHUB_DOCKER_REGISTRY/$IMAGE_NAME
+ echo $ARTIFACTORY_DOCKER_REGISTRY/trace-viewer:latest
+ docker pull $GITHUB_DOCKER_REGISTRY/$IMAGE_NAME
+ docker tag $GITHUB_DOCKER_REGISTRY/$IMAGE_NAME $ARTIFACTORY_DOCKER_REGISTRY/trace-viewer:latest
+ docker push $ARTIFACTORY_DOCKER_REGISTRY/trace-viewer:latest
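Review bot: Both jobs write the GitHub OIDC ID token and the JFrog access token to `$GITHUB_ENV` without masking them (`echo "JFROG_ACCESS_TOKEN=${JFROG_ACCESS_TOKEN}" >> $GITHUB_ENV`), so the values can show up in the env listing of later step logs and are handed to every following step, including `actions/checkout@v2` and `snok/install-poetry@v1`, which are referenced by mutable tags. I would emit `echo "::add-mask::$JFROG_ACCESS_TOKEN"` (and the same for `ID_TOKEN`) before each write, or better, perform the token exchange inside the step that publishes so the credential never enters the job-wide environment. The `curl` calls also lack `--fail`, so a rejected exchange presumably leaves the string `null` in the variable and the job only fails later at `poetry publish` or the Artifactory docker login. Pinning the third-party actions to a commit SHA would narrow which code can read the publish credential.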