Skip to content

GH workflow to publish images for PRs labeled 'publish' #937

GH workflow to publish images for PRs labeled 'publish'

GH workflow to publish images for PRs labeled 'publish' #937

Workflow file for this run

name: Publish
on:
push:
branches:
- develop
- dev-[0-9]+.[0-9]+.[0-9]+
tags:
- v*
pull_request:
types:
# publish images for PRs labeled "publish" whenever changed/labeled
[opened, reopened, synchronize, labeled]
workflow_dispatch:
env:
REGISTRY: ghcr.io
OWNER: nasa-ammos
IS_RELEASE: ${{ startsWith(github.ref, 'refs/tags/v') }}
SHOULD_PUBLISH_IMAGES: ${{ (github.event_name != 'pull_request') || contains(github.event.pull_request.labels.*.name, 'publish') }}
SHOULD_PUBLISH_DEPLOYMENT: ${{ (github.event_name != 'pull_request') }}
jobs:
init:
runs-on: ubuntu-latest
permissions:
contents: read
outputs:
# set these as outputs to make available later, since `env` context isn't available in `jobs.if`
SHOULD_PUBLISH_IMAGES: ${{ env.SHOULD_PUBLISH_IMAGES }}
SHOULD_PUBLISH_DEPLOYMENT: ${{ env.SHOULD_PUBLISH_DEPLOYMENT }}
steps:
- uses: actions/checkout@v4
- uses: gradle/wrapper-validation-action@v2
- uses: gradle/actions/setup-gradle@v3
with:
generate-job-summary: false
- name: Gradle Version
run: ./gradlew --version
containers:
runs-on: ubuntu-latest
needs: init
if: needs.init.outputs.SHOULD_PUBLISH_IMAGES == 'true'
permissions:
contents: read
packages: write
strategy:
matrix:
components:
- image: aerie-merlin
context: merlin-server
file: merlin-server/Dockerfile
- image: aerie-merlin-worker
context: merlin-worker
file: merlin-worker/Dockerfile
- image: aerie-scheduler
context: scheduler-server
file: scheduler-server/Dockerfile
- image: aerie-scheduler-worker
context: scheduler-worker
file: scheduler-worker/Dockerfile
- image: aerie-sequencing
context: sequencing-server
file: sequencing-server/Dockerfile
- image: aerie-hasura
context: .
file: docker/Dockerfile.hasura
- image: aerie-postgres
context: .
file: docker/Dockerfile.postgres
name: ${{ matrix.components.image }}
steps:
- name: Log SHOULD_PUBLISH_IMAGES
run: echo ${{ needs.init.outputs.SHOULD_PUBLISH_IMAGES }}
- uses: actions/checkout@v4
- uses: actions/setup-java@v4
with:
distribution: "temurin"
java-version: "21"
- name: Init Gradle cache
uses: gradle/actions/setup-gradle@v3
with:
generate-job-summary: false
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
with:
platforms: linux/amd64,linux/arm64
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to ${{ env.REGISTRY }}
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ github.token }}
- name: Extract metadata (tags, labels) for ${{ matrix.components.image }}
id: metadata-step
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.OWNER }}/${{ matrix.components.image }}
- name: Assemble ${{ matrix.components.context }}
env:
component: ${{ matrix.components.context }}
run: |
set -x
# aerie-hasura and aerie-postgres don't need compiled java
if [[ "$component" != "." ]]; then
./gradlew ":$component:assemble" --no-daemon --parallel
fi
- name: Build and push ${{ matrix.components.image }}
uses: docker/build-push-action@v5
with:
context: ${{ matrix.components.context }}
file: ${{ matrix.components.file }}
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.metadata-step.outputs.tags }}
labels: ${{ steps.metadata-step.outputs.labels }}
scan:
runs-on: ubuntu-latest
needs: containers
if: needs.init.outputs.SHOULD_PUBLISH_IMAGES == 'true'
strategy:
matrix:
image:
- aerie-merlin
- aerie-merlin-worker
- aerie-scheduler
- aerie-scheduler-worker
- aerie-sequencing
- aerie-hasura
- aerie-postgres
fail-fast: false
name: scan ${{ matrix.image }}
steps:
- name: Scan ${{ matrix.image }} for vulnerabilities
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REGISTRY }}/${{ env.OWNER }}/${{ matrix.image }}:develop
ignore-unfixed: true
exit-code: "1"
severity: "CRITICAL"
format: "template"
template: "@/contrib/html.tpl"
scanners: "vuln"
output: "${{ matrix.image }}-results.html"
- name: Upload ${{ matrix.image }} scan results
if: always()
uses: actions/upload-artifact@v4
with:
name: Vuln Scan Results - ${{ matrix.image }}
path: "${{ matrix.image }}-results.html"
publish:
name: gradle publish
runs-on: ubuntu-latest
needs: init
if: needs.init.outputs.SHOULD_PUBLISH_DEPLOYMENT == 'true'
permissions:
contents: read
packages: write
steps:
- uses: actions/checkout@v4
- name: Gradle Cache
uses: gradle/actions/setup-gradle@v3
with:
generate-job-summary: false
- name: Publish Package
run: ./gradlew publish -Pversion.isRelease=$IS_RELEASE --parallel
env:
GITHUB_TOKEN: ${{ github.token }}
- name: Create deployment archive
run: ./gradlew archiveDeployment
- name: Publish deployment
uses: actions/upload-artifact@v4
with:
name: Deployment
path: deployment.tar