License check #2524
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build, Test and Package | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: | |
| - main | |
| tags: | |
| - '*' | |
| pull_request: | |
| types: [opened, synchronize, reopened, ready_for_review] | |
| branches: [ main ] | |
| pull_request_target: | |
| types: [opened, synchronize, reopened, ready_for_review] | |
| branches: [ main ] | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| if: github.event_name != 'pull_request_target' | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Set up JDK | |
| uses: actions/setup-java@v3 | |
| with: | |
| distribution: 'temurin' | |
| java-version: '17' | |
| - name: Build with Gradle | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| uses: gradle/gradle-build-action@v2 | |
| with: | |
| cache-disabled: false | |
| # Cache storage space is limited for GitHub actions | |
| cache-read-only: ${{ github.ref != 'refs/heads/main' }} | |
| arguments: | | |
| build | |
| -x generateClients | |
| -x test | |
| -x integrationTest | |
| -x spotlessCheck | |
| -x openApiValidate | |
| -x detekt | |
| test: | |
| runs-on: ubuntu-latest | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| permissions: read-all | |
| if: github.event_name != 'pull_request_target' | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Set up JDK | |
| uses: actions/setup-java@v3 | |
| with: | |
| distribution: 'temurin' | |
| java-version: '17' | |
| - name: Run unit tests | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| uses: gradle/gradle-build-action@v2 | |
| with: | |
| cache-disabled: false | |
| # Cache storage space is limited for GitHub actions | |
| cache-read-only: ${{ github.ref != 'refs/heads/main' }} | |
| arguments: test -x spotlessCheck -x openApiValidate | |
| - name: Run integration tests | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| uses: gradle/gradle-build-action@v2 | |
| with: | |
| cache-disabled: false | |
| # Cache storage space is limited for GitHub actions | |
| cache-read-only: ${{ github.ref != 'refs/heads/main' }} | |
| arguments: integrationTest -x spotlessCheck -x openApiValidate | |
| test_helm: | |
| name: Test Helm Chart | |
| runs-on: ubuntu-latest | |
| # If the PR is coming from a fork (pull_request_target), ensure it's opened by "dependabot[bot]". | |
| # Otherwise, clone it normally. | |
| # This allows Dependabot PRs to have access to the repository Secrets, | |
| # but using the Workflows in the context of the base branch | |
| if: | | |
| (github.event_name == 'pull_request_target' && github.actor == 'dependabot[bot]') || | |
| (github.event_name != 'pull_request_target' && github.actor != 'dependabot[bot]') | |
| env: | |
| CHART_RELEASE_TEST_NAMESPACE: phoenix | |
| permissions: read-all | |
| steps: | |
| - name: Checkout | |
| if: ${{ github.event_name != 'pull_request_target' }} | |
| uses: actions/checkout@v3 | |
| - name: Checkout PR | |
| if: ${{ github.event_name == 'pull_request_target' }} | |
| uses: actions/checkout@v3 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Set up JDK | |
| uses: actions/setup-java@v3 | |
| with: | |
| distribution: 'temurin' | |
| java-version: '17' | |
| - name: Set up api version to deploy | |
| run: | | |
| echo "Event: ${{ github.event_name }}, Actor: ${{ github.actor }}, Ref: ${{ github.ref }}, Ref Name: ${{ github.ref_name }}, Head: ${{ github.head_ref }}, Base: ${{ github.base_ref }}" | |
| if [[ "${{ github.event_name }}" == "pull_request" ]]; then | |
| echo Building from PR | |
| arrIN=(${GITHUB_REF_NAME//\// }) | |
| versionTag="pr${arrIN[0]}" | |
| echo "IMAGE_TAG_FROM_REF_NAME=$versionTag" >> $GITHUB_ENV; | |
| echo "API_VERSION_FROM_REF_NAME=$versionTag" >> $GITHUB_ENV; | |
| echo "The current version is $versionTag"; | |
| else | |
| export firstPart=$(echo ${{ github.ref_name }} | cut -d '.' -f1) | |
| if [[ $firstPart == \"v*\" ]]; then | |
| echo "IMAGE_TAG_FROM_REF_NAME=${{ github.ref_name }}" >> $GITHUB_ENV; | |
| echo "API_VERSION_FROM_REF_NAME=$firstPart" >> $GITHUB_ENV; | |
| echo "The current version is $firstPart"; | |
| elif [[ $firstPart == \"main\" ]]; then | |
| echo "IMAGE_TAG_FROM_REF_NAME=latest" >> $GITHUB_ENV; | |
| echo "API_VERSION_FROM_REF_NAME=latest" >> $GITHUB_ENV | |
| echo "The current version is latest"; | |
| else | |
| echo "IMAGE_TAG_FROM_REF_NAME=${{ github.ref_name }}" >> $GITHUB_ENV; | |
| echo "API_VERSION_FROM_REF_NAME=v$firstPart" >> $GITHUB_ENV | |
| echo "The current version is v$firstPart"; | |
| fi | |
| fi | |
| - name: Set up Helm | |
| uses: azure/setup-helm@v3.4 | |
| with: | |
| version: v3.6.0 | |
| - name: Generate KinD Config | |
| run: | | |
| cat <<EOF > /tmp/csm-kind-config.yaml | |
| kind: Cluster | |
| apiVersion: kind.x-k8s.io/v1alpha4 | |
| containerdConfigPatches: | |
| - |- | |
| [plugins."io.containerd.grpc.v1.cri".containerd] | |
| disable_snapshot_annotations = true | |
| [plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:5000"] | |
| endpoint = ["http://kind-registry:5000"] | |
| nodes: | |
| - role: control-plane | |
| image: kindest/node:v1.23.6 | |
| kubeadmConfigPatches: | |
| - | | |
| kind: InitConfiguration | |
| nodeRegistration: | |
| kubeletExtraArgs: | |
| node-labels: "ingress-ready=true" | |
| extraPortMappings: | |
| - containerPort: 80 | |
| hostPort: 80 | |
| protocol: TCP | |
| - containerPort: 443 | |
| hostPort: 443 | |
| protocol: TCP | |
| - role: worker | |
| image: kindest/node:v1.23.6 | |
| kubeadmConfigPatches: | |
| - | | |
| kind: JoinConfiguration | |
| nodeRegistration: | |
| taints: | |
| - key: "vendor" | |
| value: "cosmotech" | |
| effect: "NoSchedule" | |
| kubeletExtraArgs: | |
| node-labels: "kubernetes.io/os=linux,cosmotech.com/tier=compute,cosmotech.com/size=basic" | |
| - role: worker | |
| image: kindest/node:v1.23.6 | |
| kubeadmConfigPatches: | |
| - | | |
| kind: JoinConfiguration | |
| nodeRegistration: | |
| taints: | |
| - key: "vendor" | |
| value: "cosmotech" | |
| effect: "NoSchedule" | |
| kubeletExtraArgs: | |
| node-labels: "kubernetes.io/os=linux,cosmotech.com/tier=services" | |
| - role: worker | |
| image: kindest/node:v1.23.6 | |
| kubeadmConfigPatches: | |
| - | | |
| kind: JoinConfiguration | |
| nodeRegistration: | |
| taints: | |
| - key: "vendor" | |
| value: "cosmotech" | |
| effect: "NoSchedule" | |
| kubeletExtraArgs: | |
| node-labels: "kubernetes.io/os=linux,cosmotech.com/tier=db" | |
| - role: worker | |
| image: kindest/node:v1.23.6 | |
| kubeadmConfigPatches: | |
| - | | |
| kind: JoinConfiguration | |
| nodeRegistration: | |
| taints: | |
| - key: "vendor" | |
| value: "cosmotech" | |
| effect: "NoSchedule" | |
| kubeletExtraArgs: | |
| node-labels: "kubernetes.io/os=linux,cosmotech.com/tier=monitoring" | |
| networking: | |
| # disable kindnet, which does not support Network Policies | |
| disableDefaultCNI: true | |
| # set to Calico's default subnet | |
| podSubnet: 192.168.0.0/16 | |
| featureGates: | |
| # TTL Controller for finished resources is currently an opt-in alpha feature | |
| # https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | |
| TTLAfterFinished: true | |
| EOF | |
| - name: Provision Kubernetes KinD Cluster and local Container Registry | |
| uses: container-tools/kind-action@v2 | |
| with: | |
| version: v0.14.0 | |
| config: /tmp/csm-kind-config.yaml | |
| - name: Deploy Calico | |
| run: | | |
| helm repo add projectcalico https://docs.tigera.io/calico/charts | |
| helm \ | |
| install calico \ | |
| projectcalico/tigera-operator \ | |
| --version v3.24.3 \ | |
| --wait \ | |
| --timeout 2m | |
| - name: Make scripts executable | |
| run: | | |
| chmod +x .github/scripts/*.sh | |
| chmod +x api/kubernetes/*.sh | |
| - name: Build, package and push container image | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| uses: gradle/gradle-build-action@v2 | |
| with: | |
| cache-disabled: false | |
| # Cache storage space is limited for GitHub actions | |
| cache-read-only: ${{ github.ref != 'refs/heads/main' }} | |
| arguments: | | |
| :cosmotech-api:jib | |
| -Djib.to.image=localhost:5000/cosmotech-api:${{ env.IMAGE_TAG_FROM_REF_NAME }} | |
| -Djib.allowInsecureRegistries=true | |
| - name: Install the Helm Chart (current Version) | |
| env: | |
| PHOENIXAKSDEV_TENANT_ID: ${{ secrets.PHOENIXAKSDEV_TENANT_ID }} | |
| PHOENIXAKSDEV_CLIENT_ID: ${{ secrets.PHOENIXAKSDEV_CLIENT_ID }} | |
| PHOENIXAKSDEV_CLIENT_SECRET: ${{ secrets.PHOENIXAKSDEV_CLIENT_SECRET }} | |
| PHOENIXAKSDEV_STORAGE_ACCOUNT_NAME: ${{ secrets.PHOENIXAKSDEV_STORAGE_ACCOUNT_NAME }} | |
| PHOENIXAKSDEV_STORAGE_ACCOUNT_KEY: ${{ secrets.PHOENIXAKSDEV_STORAGE_ACCOUNT_KEY }} | |
| PHOENIXAKSDEV_ADX_BASE_URI: ${{ secrets.PHOENIXAKSDEV_ADX_BASE_URI }} | |
| PHOENIXAKSDEV_ADX_INGESTION_BASE_URI: ${{ secrets.PHOENIXAKSDEV_ADX_INGESTION_BASE_URI }} | |
| PHOENIXAKSDEV_EVENT_HUBS_BASE_URI: ${{ secrets.PHOENIXAKSDEV_EVENT_HUBS_BASE_URI }} | |
| run: .github/scripts/install-helm-chart.sh ${{ env.API_VERSION_FROM_REF_NAME }} ${{ env.IMAGE_TAG_FROM_REF_NAME }} | |
| - name: Test Helm Release (current Version) | |
| run: .github/scripts/test-helm-release.sh ${{ env.API_VERSION_FROM_REF_NAME }} | |
| scan_and_push_container_images_to_registries: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - build | |
| - test | |
| - test_helm | |
| permissions: | |
| packages: write | |
| contents: read | |
| security-events: write | |
| env: | |
| DOCKER_BUILDKIT: 1 | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| # Fetch all tags since Gradle project version is built upon SCM | |
| fetch-depth: 0 | |
| - name: Set up JDK | |
| uses: actions/setup-java@v3 | |
| with: | |
| distribution: 'temurin' | |
| java-version: '17' | |
| - name: Retrieve branch or tag name | |
| id: refvar | |
| run: echo "::set-output name=gitRefName::${GITHUB_REF#refs/*/}" | |
| - name: Build local Container Image for scanning | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| uses: gradle/gradle-build-action@v2 | |
| with: | |
| cache-disabled: false | |
| # Cache storage space is limited for GitHub actions | |
| cache-read-only: ${{ github.ref != 'refs/heads/main' }} | |
| arguments: | | |
| :cosmotech-api:jibDockerBuild | |
| -Djib.to.image=com.cosmotech/cosmotech-api:${{ github.sha }} | |
| - name: Scan Container Image | |
| id: scan | |
| # TODO For now, do not block if the container scan action returns issues | |
| continue-on-error: true | |
| uses: Azure/container-scan@v0.1 | |
| with: | |
| image-name: com.cosmotech/cosmotech-api:${{ github.sha }} | |
| env: | |
| DOCKLE_HOST: "unix:///var/run/docker.sock" | |
| - name: Convert Container Scan Report to SARIF | |
| id: scan-to-sarif | |
| uses: rm3l/container-scan-to-sarif-action@v1.7.1 | |
| if: ${{ always() }} | |
| with: | |
| input-file: ${{ steps.scan.outputs.scan-report-path }} | |
| - name: Upload SARIF reports to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v2 | |
| if: ${{ always() }} | |
| with: | |
| sarif_file: ${{ steps.scan-to-sarif.outputs.sarif-report-path }} | |
| - name: Archive container image scan report | |
| if: ${{ always() }} | |
| continue-on-error: true | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: container-image-scan-report | |
| path: ${{ steps.scan.outputs.scan-report-path }} | |
| retention-days: 3 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v2.1.0 | |
| if: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }} | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Push API Container Image (sha) to GitHub Container Registry | |
| if: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }} | |
| run: | | |
| docker image tag com.cosmotech/cosmotech-api:${GITHUB_SHA} \ | |
| ghcr.io/cosmo-tech/cosmotech-api:${GITHUB_SHA} | |
| docker image push ghcr.io/cosmo-tech/cosmotech-api:${GITHUB_SHA} | |
| - name: Push API Container Image (tag) to GitHub Container Registry | |
| if: startsWith(github.ref, 'refs/tags/') | |
| run: | | |
| docker image tag com.cosmotech/cosmotech-api:${GITHUB_SHA} \ | |
| ghcr.io/cosmo-tech/cosmotech-api:${{ steps.refvar.outputs.gitRefName }} | |
| docker image push ghcr.io/cosmo-tech/cosmotech-api:${{ steps.refvar.outputs.gitRefName }} | |
| - name: Push API Container Image (latest) to GitHub Container Registry | |
| if: github.ref == 'refs/heads/main' | |
| run: | | |
| docker image tag com.cosmotech/cosmotech-api:${GITHUB_SHA} \ | |
| ghcr.io/cosmo-tech/cosmotech-api:latest | |
| docker image push ghcr.io/cosmo-tech/cosmotech-api:latest | |
| push_helm_charts_to_oci_registries: | |
| runs-on: ubuntu-latest | |
| if: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - path: api/kubernetes/helm-chart | |
| chart_name: cosmotech-api-chart | |
| name: API | |
| needs: | |
| - build | |
| - test | |
| - test_helm | |
| permissions: | |
| packages: write | |
| contents: read | |
| env: | |
| # OCI Support by Helm is considered experimental | |
| HELM_EXPERIMENTAL_OCI: 1 | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Set up Helm | |
| uses: azure/setup-helm@v3.4 | |
| with: | |
| version: v3.6.0 | |
| - name: Retrieve branch or tag name | |
| id: refvar | |
| run: echo "::set-output name=gitRefName::${GITHUB_REF#refs/*/}" | |
| - name: Login to GitHub Container Registry | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| echo "${GITHUB_TOKEN}" | \ | |
| helm registry login ghcr.io \ | |
| --username "${{ github.actor }}" \ | |
| --password-stdin | |
| - name: Push Helm Chart (sha) for ${{ matrix.name }} to GitHub Container Registry | |
| run: | | |
| helm dependency update ${{ matrix.path }} | |
| helm chart save ${{ matrix.path }} ghcr.io/cosmo-tech/${{ matrix.chart_name }}:${GITHUB_SHA} | |
| helm chart push ghcr.io/cosmo-tech/${{ matrix.chart_name }}:${GITHUB_SHA} | |
| - name: Push Helm Chart (tag) for ${{ matrix.name }} to GitHub Container Registry | |
| if: startsWith(github.ref, 'refs/tags/') | |
| run: | | |
| helm chart save ${{ matrix.path }} ghcr.io/cosmo-tech/${{ matrix.chart_name }}:${{ steps.refvar.outputs.gitRefName }} | |
| helm chart push ghcr.io/cosmo-tech/${{ matrix.chart_name }}:${{ steps.refvar.outputs.gitRefName }} | |
| - name: Push Helm Chart (latest) for ${{ matrix.name }} to GitHub Container Registry | |
| if: github.ref == 'refs/heads/main' | |
| run: | | |
| helm chart save ${{ matrix.path }} ghcr.io/cosmo-tech/${{ matrix.chart_name }}:latest | |
| helm chart push ghcr.io/cosmo-tech/${{ matrix.chart_name }}:latest | |
| - name: Logout from GitHub Container Registry | |
| if: ${{ always() }} | |
| run: | | |
| helm registry logout ghcr.io || true | |
| trigger_deployments: | |
| runs-on: ubuntu-latest | |
| if: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }} | |
| needs: | |
| - scan_and_push_container_images_to_registries | |
| - push_helm_charts_to_oci_registries | |
| steps: | |
| - name: Dispatch deployments | |
| env: | |
| GH_PAT: ${{ secrets.OPENAPI_CLIENTS_GITHUB_PAT }} | |
| run: | | |
| curl --request POST \ | |
| --url "https://api.github.com/repos/${{ github.repository }}/dispatches" \ | |
| --header "Authorization: Bearer ${GH_PAT}" \ | |
| --header 'content-type: application/json' \ | |
| --data '{ | |
| "event_type": "ready_to_deploy", | |
| "client_payload": { | |
| "gh_actor": "${{ github.actor }}", | |
| "gh_ref": "${{ github.ref }}", | |
| "gh_sha": "${{ github.sha }}" | |
| } | |
| }' |