[DDO-3654]: Bump github.com/zitadel/oidc/v3 from 3.32.1 to 3.33.1 in /sherlock #1662
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Bump, Tag, and Publish | |
# The purpose of the workflow is to: | |
# 1. Bump the version number and tag the release if not a PR | |
# 2. Build docker image and publish to GAR | |
# | |
# When run on merge to main, it tags and bumps the patch version by default. You can | |
# bump other parts of the version by putting #major, #minor, or #patch in your commit | |
# message. | |
# | |
# When run on a PR, it simulates bumping the tag and appends a hash to the pushed image. | |
# | |
# The workflow relies on github secrets: | |
# - BROADBOT_TOKEN - the broadbot token, so we can avoid two reviewer rule on GHA operations | |
on: | |
push: | |
branches: | |
- main | |
paths: | |
- ".github/workflows/sherlock-build.yaml" | |
- ".github/workflows/client-report-app-version.yaml" | |
- ".github/workflows/client-report-workflow.yaml" | |
- "sherlock/**" | |
- "!sherlock/docs/**" | |
- "go-shared/**" | |
- "!**/*.md" | |
pull_request: | |
branches: | |
- main | |
workflow_dispatch: | |
env: | |
GO_SWAGGER_VERSION: v0.29.0 | |
RUNTIME_BASE_IMAGE: us.gcr.io/broad-dsp-gcr-public/base/cbl-mariner:2.0-nonroot-fips | |
concurrency: | |
# Don't run this workflow concurrently on the same branch | |
group: ${{ github.workflow }}-${{ github.ref }} | |
# For PRs, don't wait for completion of existing runs, cancel them instead | |
cancel-in-progress: ${{ github.event_name == 'pull_request' }} | |
jobs: | |
generate-tag: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: 'read' | |
outputs: | |
tag: ${{ steps.tag.outputs.new_tag }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
token: ${{ (github.actor != 'dependabot[bot]' && secrets.BROADBOT_TOKEN) || secrets.GITHUB_TOKEN }} | |
fetch-depth: 0 | |
# We use DRY_RUN so we don't push to the repo prematurely -- we may | |
# have code-gen changes, or we might not end up pushing at all. | |
- name: Generate Tag | |
uses: databiosphere/github-actions/actions/[email protected] | |
id: tag | |
env: | |
DEFAULT_BUMP: patch | |
RELEASE_BRANCHES: ${{ github.event.repository.default_branch }} | |
WITH_V: true | |
GITHUB_TOKEN: ${{ (github.actor != 'dependabot[bot]' && secrets.BROADBOT_TOKEN) || secrets.GITHUB_TOKEN }} | |
DRY_RUN: true | |
build-and-publish: | |
needs: [generate-tag] | |
if: ${{ needs.generate-tag.outputs.tag != '' }} | |
runs-on: ubuntu-latest | |
permissions: | |
contents: 'read' | |
id-token: 'write' | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
token: ${{ (github.actor != 'dependabot[bot]' && secrets.BROADBOT_TOKEN) || secrets.GITHUB_TOKEN }} | |
- name: Set up Git | |
if: ${{ github.actor != 'dependabot[bot]' }} | |
run: | | |
git config --global user.name 'broadbot' | |
git config --global user.email '[email protected]' | |
- name: Set up Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version-file: sherlock/go.mod | |
- name: Set up Node/NPM | |
uses: actions/setup-node@v4 | |
with: | |
node-version: 18 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Set up Swag | |
run: make install-swagger | |
- name: Format Swagger comments | |
run: make format-swagger | |
- name: Generate Swagger source | |
run: make generate-swagger | |
- name: Update Pact provider documentation | |
run: make document-pact-provider | |
- name: Delete existing Go client library code | |
# Just delete code, not config, so that no-longer-generated files will disappear | |
run: rm -rf sherlock-go-client/client | |
- name: Generate Go client library | |
run: | | |
docker run --rm -e GOPATH=/go \ | |
-v $(go env GOPATH):/go \ | |
-v "${PWD}:/local" \ | |
-w "/local/sherlock-go-client" \ | |
quay.io/goswagger/swagger:${GO_SWAGGER_VERSION} \ | |
generate client -f /local/sherlock/docs/swagger.json -A sherlock --default-scheme=https -m client/models -c client | |
- name: Tidy Go client library dependencies | |
working-directory: sherlock-go-client | |
run: go mod tidy | |
- name: Delete existing Python client library code | |
# Just delete code, not config, so that no-longer-generated files will disappear | |
run: rm -rf sherlock-python-client/docs sherlock-python-client/sherlock_python_client sherlock-python-client/test | |
- name: Generate Python client library | |
run: | | |
docker run --rm -v "${PWD}:/local" openapitools/openapi-generator-cli generate \ | |
-i /local/sherlock/docs/swagger.json \ | |
-g python \ | |
-o /local/sherlock-python-client \ | |
--git-user-id broadinstitute \ | |
--git-repo-id sherlock \ | |
--additional-properties=disallowAdditionalPropertiesIfNotPresent=false \ | |
--additional-properties=packageName=sherlock_python_client \ | |
--additional-properties=packageUrl='git+https://github.com/broadinstitute/sherlock#subdirectory=sherlock-python-client' \ | |
--additional-properties=packageVersion=${{ needs.generate-tag.outputs.tag }} | |
- name: Fix Python documentation | |
run: | | |
cat sherlock-python-client/README-header.md sherlock-python-client/README.md > temp | |
mv temp sherlock-python-client/README.md | |
cp sherlock-python-client/README.md sherlock-python-client/sherlock_python_client_README.md | |
- name: Delete existing Typescript client library code | |
# Just delete code, not config, so that no-longer-generated files will disappear | |
run: rm -rf sherlock-typescript-client/src | |
- name: Generate Typescript client library | |
run: | | |
docker run --rm -v "${PWD}:/local" openapitools/openapi-generator-cli generate \ | |
-i /local/sherlock/docs/swagger.json \ | |
-g typescript-fetch \ | |
-o /local/sherlock-typescript-client \ | |
--git-user-id broadinstitute \ | |
--git-repo-id sherlock \ | |
--additional-properties=disallowAdditionalPropertiesIfNotPresent=false \ | |
--additional-properties=supportsES6=true \ | |
--additional-properties=npmName=@sherlock-js-client/sherlock \ | |
--additional-properties=npmVersion=${{ needs.generate-tag.outputs.tag }} | |
- name: Build Typescript client | |
working-directory: sherlock-typescript-client | |
run: | | |
npm install --save-dev | |
npm run build | |
- name: Assemble Docker tags | |
uses: docker/metadata-action@v5 | |
id: meta | |
with: | |
images: | | |
us-central1-docker.pkg.dev/dsp-artifact-registry/sherlock/sherlock | |
us-central1-docker.pkg.dev/dsp-devops-super-prod/sherlock/sherlock | |
tags: | | |
type=raw,value=${{ needs.generate-tag.outputs.tag }} | |
type=semver,pattern=v{{major}},value=${{ needs.generate-tag.outputs.tag }},enable={{is_default_branch}} | |
type=semver,pattern=v{{major}}.{{minor}},value=${{ needs.generate-tag.outputs.tag }},enable={{is_default_branch}} | |
type=raw,value=latest,enable={{is_default_branch}} | |
- name: Build image | |
uses: docker/build-push-action@v6 | |
with: | |
# Don't push, just build and load locally. | |
context: . | |
file: sherlock/Dockerfile | |
push: false | |
load: true | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
build-args: | | |
BUILD_VERSION=${{ needs.generate-tag.outputs.tag }} | |
RUNTIME_BASE_IMAGE=${{ env.RUNTIME_BASE_IMAGE }} | |
- name: Run Trivy vulnerability scanner | |
# We only run Trivy here as dependabot, because otherwise we run it afterwards so as to not block an intentional | |
# build (so we can fix or work around Trivy issues) | |
if: ${{ github.actor == 'dependabot[bot]' }} | |
uses: broadinstitute/dsp-appsec-trivy-action@v1 | |
with: | |
image: us-central1-docker.pkg.dev/dsp-artifact-registry/sherlock/sherlock:${{ needs.generate-tag.outputs.tag }} | |
- name: Commit changes | |
if: ${{ github.event_name != 'pull_request' }} | |
run: | | |
git add . | |
git commit --allow-empty --message "[sherlock-build] generated from ${{ github.sha }}" | |
- name: Add tag | |
if: ${{ github.event_name != 'pull_request' }} | |
# Go subdirectories need to have tags prefixed with the directory name, otherwise go mod won't be | |
# able to see them. | |
# In other words, if you do `go get github.com/broadinstitute/sherlock/[email protected]`, | |
# go mod is actually going to look for a tag of sherlock-go-client/v1.2.3. | |
# https://github.com/golang/go/issues/31045 | |
run: | | |
git tag "${{ needs.generate-tag.outputs.tag }}" | |
git tag "sherlock/${{ needs.generate-tag.outputs.tag }}" | |
git tag "go-shared/${{ needs.generate-tag.outputs.tag }}" | |
git tag "sherlock-go-client/${{ needs.generate-tag.outputs.tag }}" | |
- name: Auth to GCP | |
id: auth | |
if: ${{ github.actor != 'dependabot[bot]' }} | |
uses: google-github-actions/auth@v2 | |
with: | |
token_format: access_token | |
workload_identity_provider: projects/1038484894585/locations/global/workloadIdentityPools/github-wi-pool/providers/github-wi-provider | |
service_account: [email protected] | |
- name: Push to main | |
if: ${{ github.event_name != 'pull_request' }} | |
run: | | |
git push --atomic --tags origin main | |
- name: Publish typescript client | |
if: ${{ github.event_name != 'pull_request' }} | |
working-directory: sherlock-typescript-client | |
run: | | |
npx google-artifactregistry-auth --yes | |
npm publish | |
- name: Login to GAR | |
if: ${{ github.actor != 'dependabot[bot]' }} | |
uses: docker/login-action@v3 | |
with: | |
registry: us-central1-docker.pkg.dev | |
username: oauth2accesstoken | |
password: ${{ steps.auth.outputs.access_token }} | |
- name: Push image | |
if: ${{ github.actor != 'dependabot[bot]' }} | |
uses: docker/build-push-action@v6 | |
with: | |
# "Build" (instant, via local cache from earlier) and push images; | |
# we do have to repeat the earlier parameters here for the cache to work. | |
context: . | |
file: sherlock/Dockerfile | |
push: true | |
load: false | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
build-args: | | |
BUILD_VERSION=${{ needs.generate-tag.outputs.tag }} | |
RUNTIME_BASE_IMAGE=${{ env.RUNTIME_BASE_IMAGE }} | |
trivy-scan: | |
needs: [ generate-tag, build-and-publish ] | |
runs-on: ubuntu-latest | |
if: ${{ needs.generate-tag.outputs.tag != '' && github.actor != 'dependabot[bot]' }} | |
steps: | |
- name: Run Trivy vulnerability scanner | |
uses: broadinstitute/dsp-appsec-trivy-action@v1 | |
with: | |
image: us-central1-docker.pkg.dev/dsp-artifact-registry/sherlock/sherlock:${{ needs.generate-tag.outputs.tag }} | |
comment-published-image: | |
needs: [ generate-tag, build-and-publish ] | |
runs-on: ubuntu-latest | |
if: ${{ needs.generate-tag.outputs.tag != '' && github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' }} | |
permissions: | |
pull-requests: 'write' | |
steps: | |
- name: Comment published image | |
uses: marocchino/sticky-pull-request-comment@v2 | |
with: | |
header: image | |
message: | | |
Published image from ${{ github.event.pull_request.head.sha }} (merge ${{ github.sha }}): | |
``` | |
us-central1-docker.pkg.dev/dsp-artifact-registry/sherlock/sherlock:${{ needs.generate-tag.outputs.tag }} | |
us-central1-docker.pkg.dev/dsp-devops-super-prod/sherlock/sherlock:${{ needs.generate-tag.outputs.tag }} | |
``` | |
report-to-sherlock: | |
uses: ./.github/workflows/client-report-app-version.yaml | |
needs: [generate-tag, build-and-publish] | |
if: ${{ needs.generate-tag.outputs.tag != '' && github.actor != 'dependabot[bot]' }} | |
with: | |
new-version: ${{ needs.generate-tag.outputs.tag }} | |
chart-name: 'sherlock' | |
permissions: | |
contents: 'read' | |
id-token: 'write' |