feat: RBAC Authorization in Feast Operator #13423
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: java_pr | |
on: | |
pull_request_target: | |
types: | |
- opened | |
- synchronize | |
- labeled | |
permissions: | |
pull-requests: read | |
jobs: | |
lint-java: | |
# when using pull_request_target, all jobs MUST have this if check for 'ok-to-test' or 'approved' for security purposes. | |
if: | |
((github.event.action == 'labeled' && (github.event.label.name == 'approved' || github.event.label.name == 'lgtm' || github.event.label.name == 'ok-to-test')) || | |
(github.event.action != 'labeled' && (contains(github.event.pull_request.labels.*.name, 'ok-to-test') || contains(github.event.pull_request.labels.*.name, 'approved') || contains(github.event.pull_request.labels.*.name, 'lgtm')))) && | |
github.repository == 'feast-dev/feast' | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
# pull_request_target runs the workflow in the context of the base repo | |
# as such actions/checkout needs to be explicit configured to retrieve | |
# code from the PR. | |
ref: refs/pull/${{ github.event.pull_request.number }}/merge | |
submodules: recursive | |
persist-credentials: false | |
- name: Lint java | |
run: make lint-java | |
unit-test-java: | |
# when using pull_request_target, all jobs MUST have this if check for 'ok-to-test' or 'approved' for security purposes. | |
if: | |
((github.event.action == 'labeled' && (github.event.label.name == 'approved' || github.event.label.name == 'lgtm' || github.event.label.name == 'ok-to-test')) || | |
(github.event.action != 'labeled' && (contains(github.event.pull_request.labels.*.name, 'ok-to-test') || contains(github.event.pull_request.labels.*.name, 'approved') || contains(github.event.pull_request.labels.*.name, 'lgtm')))) && | |
github.repository == 'feast-dev/feast' | |
runs-on: ubuntu-latest | |
needs: lint-java | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
# pull_request_target runs the workflow in the context of the base repo | |
# as such actions/checkout needs to be explicit configured to retrieve | |
# code from the PR. | |
ref: refs/pull/${{ github.event.pull_request.number }}/merge | |
submodules: recursive | |
persist-credentials: false | |
- name: Set up JDK 11 | |
uses: actions/setup-java@v1 | |
with: | |
java-version: '11' | |
java-package: jdk | |
architecture: x64 | |
- uses: actions/cache@v2 | |
with: | |
path: ~/.m2/repository | |
key: ${{ runner.os }}-it-maven-${{ hashFiles('**/pom.xml') }} | |
restore-keys: | | |
${{ runner.os }}-it-maven- | |
- uses: actions/cache@v2 | |
with: | |
path: ~/.m2/repository | |
key: ${{ runner.os }}-ut-maven-${{ hashFiles('**/pom.xml') }} | |
restore-keys: | | |
${{ runner.os }}-ut-maven- | |
- name: Test java | |
run: make test-java-with-coverage | |
- uses: actions/upload-artifact@v3 | |
with: | |
name: java-coverage-report | |
path: ${{ github.workspace }}/docs/coverage/java/target/site/jacoco-aggregate/ | |
build-docker-image-java: | |
# when using pull_request_target, all jobs MUST have this if check for 'ok-to-test' or 'approved' for security purposes. | |
if: | |
((github.event.action == 'labeled' && (github.event.label.name == 'approved' || github.event.label.name == 'lgtm' || github.event.label.name == 'ok-to-test')) || | |
(github.event.action != 'labeled' && (contains(github.event.pull_request.labels.*.name, 'ok-to-test') || contains(github.event.pull_request.labels.*.name, 'approved') || contains(github.event.pull_request.labels.*.name, 'lgtm')))) && | |
github.repository == 'feast-dev/feast' | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
component: [ feature-server-java ] | |
env: | |
MAVEN_CACHE: gs://feast-templocation-kf-feast/.m2.2020-08-19.tar | |
REGISTRY: gcr.io/kf-feast | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
submodules: 'true' | |
persist-credentials: false | |
- name: Setup Python | |
uses: actions/setup-python@v5 | |
id: setup-python | |
with: | |
python-version: "3.11" | |
architecture: x64 | |
- name: Authenticate to Google Cloud | |
uses: 'google-github-actions/auth@v1' | |
with: | |
credentials_json: '${{ secrets.GCP_SA_KEY }}' | |
- name: Set up gcloud SDK | |
uses: google-github-actions/setup-gcloud@v1 | |
with: | |
project_id: ${{ secrets.GCP_PROJECT_ID }} | |
- run: gcloud auth configure-docker --quiet | |
- name: Build image | |
run: make build-${{ matrix.component }}-docker REGISTRY=${REGISTRY} VERSION=${GITHUB_SHA} | |
integration-test-java-pr: | |
# when using pull_request_target, all jobs MUST have this if check for 'ok-to-test' or 'approved' for security purposes. | |
if: | |
((github.event.action == 'labeled' && (github.event.label.name == 'approved' || github.event.label.name == 'lgtm' || github.event.label.name == 'ok-to-test')) || | |
(github.event.action != 'labeled' && (contains(github.event.pull_request.labels.*.name, 'ok-to-test') || contains(github.event.pull_request.labels.*.name, 'approved') || contains(github.event.pull_request.labels.*.name, 'lgtm')))) && | |
github.repository == 'feast-dev/feast' | |
runs-on: ubuntu-latest | |
needs: unit-test-java | |
env: | |
PYTHON: 3.11 | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
# pull_request_target runs the workflow in the context of the base repo | |
# as such actions/checkout needs to be explicit configured to retrieve | |
# code from the PR. | |
ref: refs/pull/${{ github.event.pull_request.number }}/merge | |
submodules: recursive | |
persist-credentials: false | |
- name: Set up JDK 11 | |
uses: actions/setup-java@v1 | |
with: | |
java-version: '11' | |
java-package: jdk | |
architecture: x64 | |
- uses: actions/setup-python@v5 | |
with: | |
python-version: '3.11' | |
architecture: 'x64' | |
- uses: actions/cache@v2 | |
with: | |
path: ~/.m2/repository | |
key: ${{ runner.os }}-it-maven-${{ hashFiles('**/pom.xml') }} | |
restore-keys: | | |
${{ runner.os }}-it-maven- | |
- name: Authenticate to Google Cloud | |
uses: 'google-github-actions/auth@v1' | |
with: | |
credentials_json: '${{ secrets.GCP_SA_KEY }}' | |
- name: Set up gcloud SDK | |
uses: google-github-actions/setup-gcloud@v1 | |
with: | |
project_id: ${{ secrets.GCP_PROJECT_ID }} | |
- name: Use gcloud CLI | |
run: gcloud info | |
- name: Set up AWS SDK | |
uses: aws-actions/configure-aws-credentials@v1 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
aws-region: us-west-2 | |
- name: Use AWS CLI | |
run: aws sts get-caller-identity | |
- name: Setup Python (to call feast apply) | |
uses: actions/setup-python@v5 | |
id: setup-python | |
with: | |
python-version: 3.11 | |
architecture: x64 | |
- name: Install uv | |
run: | | |
curl -LsSf https://astral.sh/uv/install.sh | sh | |
- name: Get uv cache dir | |
id: uv-cache | |
run: | | |
echo "::set-output name=dir::$(uv cache dir)" | |
- name: uv cache | |
uses: actions/cache@v4 | |
with: | |
path: ${{ steps.uv-cache.outputs.dir }} | |
key: ${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-uv-${{ hashFiles(format('**/py{0}-ci-requirements.txt', env.PYTHON)) }} | |
- name: Install dependencies | |
run: make install-python-ci-dependencies-uv | |
- name: Run integration tests | |
run: make test-java-integration | |
- name: Save report | |
uses: actions/upload-artifact@v3 | |
if: failure() | |
with: | |
name: it-report | |
path: spark/ingestion/target/test-reports/TestSuite.txt | |
retention-days: 5 |