Skip to content

Revert "[CORE-182] Move listRuntimes over to new Sam permissions model (#4810)" #7754

Revert "[CORE-182] Move listRuntimes over to new Sam permissions model (#4810)"

Revert "[CORE-182] Move listRuntimes over to new Sam permissions model (#4810)" #7754

name: Consumer contract tests
# The purpose of this workflow is to run a suite of Leo contract tests against mock service provider(s) using Pact framework.
#
# More details about Contract Testing can be found in our handbook
#
# https://broadworkbench.atlassian.net/wiki/spaces/IRT/pages/2660368406/Getting+Started+with+Pact+Contract+Testing
#
# This workflow involves Leo as a consumer, and ANY provider (e.g. Sam) Leo consumes.
# Each party owns a set of tests (aka contract tests).
#
# Consumer contract tests (aka consumer tests) runs on a mock provider service and does not require a real provider service.
# Provider contract tests (aka provider verification tests) runs independently of any consumer.
#
# Specifically:
# Leo runs consumer tests against mock Sam service. Upon success, publish consumer pacts to
# Pact Broker https://pact-broker.dsp-eng-tools.broadinstitute.org/.
#
# Pact Broker is the source of truth to forge contractual obligations between consumer and provider.
#
# This workflow meets the criteria of Pact Broker *Platinum* as described in https://docs.pact.io/pact_nirvana/step_6.
# The can-i-deploy job has been added to this workflow to support *Platinum* and gate the code for promotion to default branch.
#
# This is how it works.
#
# Consumer makes a change that results in a new pact published to Pact Broker.
# Pact Broker notifies provider(s) of the changed pact and trigger corresponding verification workflows.
# Provider downloads relevant versions of consumer pacts from Pact Broker and kicks off verification tests against the consumer pacts.
# Provider updates Pact Broker with verification status.
# Consumer kicks off can-i-deploy on process to determine if changes can be promoted and used for deployment.
#
# NOTE: The publish-contracts workflow will use the latest commit of the branch that triggers this workflow to publish the unique consumer contract version to Pact Broker.
on:
pull_request:
branches:
- develop
paths-ignore:
- 'README.md'
push:
branches:
- develop
paths-ignore:
- 'README.md'
merge_group:
branches:
- develop
env:
PUBLISH_CONTRACTS_RUN_NAME: 'publish-contracts-${{ github.event.repository.name }}-${{ github.run_id }}-${{ github.run_attempt }}'
CAN_I_DEPLOY_RUN_NAME: 'can-i-deploy-${{ github.event.repository.name }}-${{ github.run_id }}-${{ github.run_attempt }}'
concurrency:
# Don't run this workflow concurrently on the same branch
group: ${{ github.workflow }}-${{ github.ref }}
# For PRs, don't wait for completion of existing runs, cancel them instead
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
jobs:
# The primary objective of this section is to carefully control the dispatching of tags,
# ensuring it only occurs during the 'Tag, publish, deploy' workflow.
# However, a challenge arises with contract tests, as they require knowledge of the upcoming tag
# before the actual deployment. To address this, we leverage the dry run feature provided by bumper.
# This allows us to obtain the next tag for publishing contracts and verifying consumer pacts without
# triggering the tag dispatch. This approach sidesteps the need for orchestrating multiple workflows,
# simplifying our implementation.
#
# We regulate the tag job to meet the following requirements according to the trigger event type:
# 1. pull_request event (due to opening or updating of PR branch):
# dry-run flag is set to false
# this allows the new semver tag #major.#minor.#patch-#commit to be used to identity pacticipant version for development purpose
# PR has no effect on the value of the latest tag in settings.gradle on disk
# 2. PR merge to main, this triggers a push event on the main branch:
# dry-run flag is set to true
# this allows the new semver tag #major.#minor.#patch to be used to identity pacticipant version, and
# this action will not update the value of the latest tag in settings.gradle on disk
#
# Note: All workflows from the same PR merge should have the same copy of settings.gradle on disk,
# which should be the one from the HEAD of the main branch before the workflow starts running
regulated-tag-job:
uses: ./.github/workflows/tag.yml
with:
# The 'ref' parameter ensures that the consumer version is postfixed with the HEAD commit of the PR branch,
# facilitating cross-referencing of a pact between Pact Broker and GitHub.
ref: ${{ github.head_ref || '' }}
# The 'dry-run' parameter prevents the new tag from being dispatched.
dry-run: true
release-branches: develop
secrets: inherit
init-github-context:
runs-on: ubuntu-latest
outputs:
repo-branch: ${{ steps.extract-branch.outputs.repo-branch }}
repo-version: ${{ steps.extract-branch.outputs.repo-version }}
fork: ${{ steps.extract-branch.outputs.fork }}
steps:
- uses: actions/checkout@v4
- name: Obtain branch properties
id: extract-branch
run: |
FORK=false
GITHUB_EVENT_NAME=${{ github.event_name }}
if [[ "$GITHUB_EVENT_NAME" == "push" ]]; then
GITHUB_REF=${{ github.ref }}
GITHUB_SHA=${{ github.sha }}
elif [[ "$GITHUB_EVENT_NAME" == "pull_request" ]]; then
FORK=${{ github.event.pull_request.head.repo.fork }}
GITHUB_REF=refs/heads/${{ github.head_ref }}
GITHUB_SHA=${{ github.event.pull_request.head.sha }}
elif [[ "$GITHUB_EVENT_NAME" == "merge_group" ]]; then
GITHUB_REF=refs/heads/${{ github.head_ref }}
else
echo "Failed to extract branch information"
exit 1
fi
echo "repo-branch=${GITHUB_REF/refs\/heads\//""}" >> $GITHUB_OUTPUT
echo "repo-version=${GITHUB_SHA}" >> $GITHUB_OUTPUT
echo "fork=${FORK}" >> $GITHUB_OUTPUT
- name: Is PR triggered by forked repo?
if: ${{ steps.extract-branch.outputs.fork == 'true' }}
run: |
echo "PR was triggered by forked repo"
- name: Echo repo and branch information
run: |
echo "repo-owner=${{ github.repository_owner }}"
echo "repo-name=${{ github.event.repository.name }}"
echo "repo-branch=${{ steps.extract-branch.outputs.repo-branch }}"
echo "repo-version=${{ steps.extract-branch.outputs.repo-version }}"
leo-consumer-contract-tests:
runs-on: ubuntu-latest
needs: [init-github-context]
outputs:
pact-b64: ${{ steps.encode-pact.outputs.pact-b64 }}
steps:
- uses: actions/checkout@v4
- name: Run consumer tests
run: |
docker run --rm -v $PWD:/working \
-v jar-cache:/root/.ivy \
-v jar-cache:/root/.ivy2 \
-w /working \
sbtscala/scala-sbt:openjdk-17.0.2_1.7.2_2.13.10 \
sbt "project pact4s" clean coverage "testOnly org.broadinstitute.dsde.workbench.leonardo.consumer.*" coverageReport
- name: Upload coverage to Codecov
uses: codecov/codecov-action@v3
with:
fail_ci_if_error: true
flags: pact
token: ${{ secrets.CODECOV_TOKEN }}
verbose: true
working-directory: ./pact4s
- name: Output consumer contract as non-breaking base64 string
id: encode-pact
run: |
cd pact4s
NON_BREAKING_B64=$(cat target/pacts/leonardo-sam.json | base64 -w 0)
echo "pact-b64=${NON_BREAKING_B64}" >> $GITHUB_OUTPUT
# Prevent untrusted sources from using PRs to publish contracts
# since access to secrets is not allowed.
publish-contracts:
runs-on: ubuntu-latest
needs: [init-github-context, leo-consumer-contract-tests, regulated-tag-job ]
if: ${{ needs.init-github-context.outputs.fork == 'false' }}
steps:
- name: Dispatch to terra-github-workflows
uses: broadinstitute/workflow-dispatch@v4.0.0
with:
run-name: "${{ env.PUBLISH_CONTRACTS_RUN_NAME }}"
workflow: .github/workflows/publish-contracts.yaml
repo: broadinstitute/terra-github-workflows
ref: refs/heads/main
token: ${{ secrets.BROADBOT_TOKEN }} # github token for access to kick off a job in the private repo
inputs: '{
"run-name": "${{ env.PUBLISH_CONTRACTS_RUN_NAME }}",
"pact-b64": "${{ needs.leo-consumer-contract-tests.outputs.pact-b64 }}",
"repo-owner": "${{ github.repository_owner }}",
"repo-name": "${{ github.event.repository.name }}",
"repo-branch": "${{ needs.init-github-context.outputs.repo-branch }}",
"release-tag": "${{ needs.regulated-tag-job.outputs.new-tag }}"
}'
can-i-deploy:
runs-on: ubuntu-latest
if: ${{ needs.init-github-context.outputs.fork == 'false' }}
needs: [ init-github-context, publish-contracts, regulated-tag-job ]
steps:
- name: Dispatch to terra-github-workflows
uses: broadinstitute/workflow-dispatch@v4.0.0
with:
run-name: "${{ env.CAN_I_DEPLOY_RUN_NAME }}"
workflow: .github/workflows/can-i-deploy.yaml
repo: broadinstitute/terra-github-workflows
ref: refs/heads/main
token: ${{ secrets.BROADBOT_TOKEN }} # github token for access to kick off a job in the private repo
inputs: '{
"run-name": "${{ env.CAN_I_DEPLOY_RUN_NAME }}",
"pacticipant": "leonardo",
"version": "${{ needs.regulated-tag-job.outputs.new-tag }}"
}'