[AN-338] Fix IGV handling of signed URLs for requester-pays, refine m… #10868
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Generate BEE Build | |
# The purpose of the workflow is to: | |
# 1. Bump the version number and tag the release if not a PR | |
# 2. Build docker image and publish to GAR | |
# | |
# When run on merge to main, it tags and bumps the patch version by default. You can | |
# bump other parts of the version by putting #major, #minor, or #patch in your commit | |
# message. | |
# | |
# When run on a PR, it simulates bumping the tag and appends a hash to the pushed image. | |
# | |
# The workflow relies on github secrets: | |
# - BROADBOT_TOKEN - the broadbot token, so we can avoid two reviewer rule on GHA operations | |
on: | |
pull_request: | |
paths-ignore: | |
- 'README.md' | |
- 'integration-tests' | |
push: | |
branches: | |
- dev | |
paths-ignore: | |
- 'README.md' | |
- 'integration-tests' | |
env: | |
GOOGLE_PROJECT: dsp-artifact-registry | |
# Name of the app-specific Docker repository configured in GOOGLE_PROJECT | |
REPOSITORY_NAME: ${{ github.event.repository.name }} | |
# Region-specific Google Docker repository where GOOGLE_PROJECT/REPOSITORY_NAME can be found | |
GOOGLE_DOCKER_REPOSITORY: us-central1-docker.pkg.dev | |
jobs: | |
tag-push-job: | |
runs-on: ubuntu-latest | |
outputs: | |
tag: ${{ steps.tag.outputs.tag }} | |
permissions: | |
contents: 'read' | |
id-token: 'write' | |
steps: | |
- name: Checkout current code | |
uses: actions/checkout@v3 | |
with: | |
token: ${{ secrets.BROADBOT_TOKEN }} | |
- name: Bump the tag to a new version | |
uses: databiosphere/github-actions/actions/bumper@bumper-0.0.6 | |
id: tag | |
env: | |
DEFAULT_BUMP: patch | |
GITHUB_TOKEN: ${{ secrets.BROADBOT_TOKEN }} | |
RELEASE_BRANCHES: dev | |
WITH_V: true | |
- name: Construct docker image name and tag | |
id: image-name | |
shell: bash | |
run: | | |
NAME="${GOOGLE_DOCKER_REPOSITORY}/${GOOGLE_PROJECT}/${REPOSITORY_NAME}/${REPOSITORY_NAME}" | |
DOCKER_TAG="${{ steps.tag.outputs.tag }}" | |
TAGGED="${NAME}:${DOCKER_TAG}" | |
echo "NAME: ${NAME}" | |
echo "TAGGED: ${TAGGED}" | |
echo ::set-output "name=name::${NAME}" | |
echo ::set-output "name=tagged::${TAGGED}" | |
- name: Auth to GCP | |
id: 'auth' | |
uses: google-github-actions/auth@v0 | |
with: | |
token_format: 'access_token' | |
workload_identity_provider: 'projects/1038484894585/locations/global/workloadIdentityPools/github-wi-pool/providers/github-wi-provider' | |
service_account: 'dsp-artifact-registry-push@dsp-artifact-registry.iam.gserviceaccount.com' | |
# Install gcloud, `setup-gcloud` automatically picks up authentication from `auth`. | |
- name: 'Set up Cloud SDK' | |
uses: 'google-github-actions/setup-gcloud@v0' | |
# authenticate to GAR docker repo | |
- name: Docker Login | |
uses: 'docker/login-action@v1' | |
with: | |
registry: 'us-central1-docker.pkg.dev' | |
username: 'oauth2accesstoken' | |
password: '${{ steps.auth.outputs.access_token }}' | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v2 | |
- name: Build image | |
uses: docker/build-push-action@v3 | |
with: | |
context: . | |
push: false | |
load: true | |
tags: | | |
${{ steps.image-name.outputs.tagged }} | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
- name: Run Trivy vulnerability scanner | |
# From https://github.com/broadinstitute/dsp-appsec-trivy-action | |
uses: broadinstitute/dsp-appsec-trivy-action@v1 | |
with: | |
image: ${{ steps.image-name.outputs.tagged }} | |
- name: Push image | |
run: "docker push ${{ steps.image-name.outputs.tagged }}" | |
# Add latest tag to image (optional) | |
- name: Add latest tag to Docker image | |
if: github.event_name != 'pull_request' | |
shell: bash | |
run: | | |
gcloud artifacts docker tags add \ | |
"${{ steps.image-name.outputs.tagged }}" \ | |
"${{ steps.image-name.outputs.name }}:latest" | |
report-to-sherlock: | |
uses: broadinstitute/sherlock/.github/workflows/client-report-app-version.yaml@main | |
needs: tag-push-job | |
with: | |
chart-name: "terraui" | |
new-version: ${{ needs.tag-push-job.outputs.tag }} | |
permissions: | |
contents: "read" | |
id-token: "write" |