-
Notifications
You must be signed in to change notification settings - Fork 2
271 lines (233 loc) · 8.49 KB
/
deploy.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
name: Deploy
on:
# Building on manual dispatch, and pushes to dev / main. But restricting
workflow_dispatch:
push:
branches:
- main
- dev
permissions:
id-token: write
contents: read
jobs:
unittests:
name: Run unit tests
# Run on merge to main, where the commit name starts with "Bump version:" (for bump2version)
# if: "startsWith(github.event.head_commit.message, 'Bump version:')"
runs-on: ubuntu-latest
env:
DOCKER_BUILDKIT: 1
BUILDKIT_PROGRESS: plain
CLOUDSDK_CORE_DISABLE_PROMPTS: 1
# used for generating API
SM_DOCKER: samplemetadata:dev
defaults:
run:
shell: bash -eo pipefail -l {0}
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: '3.11'
- uses: actions/setup-java@v4
with:
distribution: 'temurin' # See 'Supported distributions' for available options
java-version: '17'
- name: Setup build env
run: |
set -euxo pipefail
pip install --no-deps -r requirements-dev.txt
# openapi-generator
wget https://repo1.maven.org/maven2/org/openapitools/openapi-generator-cli/5.3.0/openapi-generator-cli-5.3.0.jar -O openapi-generator-cli.jar
# liquibase connector
pushd db/
wget https://repo1.maven.org/maven2/org/mariadb/jdbc/mariadb-java-client/3.0.3/mariadb-java-client-3.0.3.jar
popd
# liquibase
VERSION=4.28.0
curl -L https://github.com/liquibase/liquibase/releases/download/v${VERSION}/liquibase-${VERSION}.zip --output liquibase-${VERSION}.zip
unzip -o -d liquibase liquibase-${VERSION}.zip
echo "$(pwd)/liquibase" >> $GITHUB_PATH
- name: 'build image'
run: |
docker build \
--build-arg SM_ENVIRONMENT=local \
--tag $SM_DOCKER \
-f deploy/api/Dockerfile \
.
- name: 'build deployable API'
run: |
export OPENAPI_COMMAND="java -jar openapi-generator-cli.jar"
python regenerate_api.py
pip install .
- name: 'Run unit tests'
id: runtests
run: |
coverage run -m pytest --doctest-modules --doctest-continue-on-failure test/ --junitxml=test-execution.xml
rc=$?
coverage xml
echo "rc=$rc" >> $GITHUB_OUTPUT
- name: 'Upload coverage report'
uses: codecov/codecov-action@v4
with:
files: ./coverage.xml
token: ${{ secrets.CODECOV_TOKEN }}
- name: 'Save coverage report as an Artifact'
uses: actions/upload-artifact@v4
with:
name: coverage-report
path: ./coverage.xml
- name: 'Save execution report as an Artifact'
uses: actions/upload-artifact@v4
with:
name: execution-report
path: ./test-execution.xml
- name: 'build web front-end'
run: |
set -eo pipefail
pushd web
# installs package-lock, not what it thinks it should be
npm ci
npm run build
rc=$?
echo "web_rc=$rc" >> $GITHUB_OUTPUT
# eventually run web front-end tests
popd
- name: Fail if unit tests are not passing
if: ${{ steps.runtests.outputs.rc != 0}}
uses: actions/github-script@v6
with:
script: |
core.setFailed('Unittests failed with rc = ${{ steps.runtests.outputs.rc }}')
- name: Fail if web build fails
if: ${{ steps.runtests.outputs.rc != 0}}
uses: actions/github-script@v6
with:
script: |
core.setFailed('Web failed to build with rc = ${{ steps.runtests.outputs.web_rc }}')
sonarqube:
name: SonarQube scan
runs-on: ubuntu-latest
needs: unittests
environment: production
if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev'
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
# Download the coverage report artifact
- name: 'Download coverage and execution report'
uses: actions/download-artifact@v4
with:
pattern: '*-report'
# Perform the SonarQube scan
- uses: sonarsource/sonarqube-scan-action@master
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
# Optional: Fail the job if Quality Gate is red
# If you wish to fail your job when the Quality Gate is red, uncomment the
# following lines. This would typically be used to fail a deployment.
# - uses: sonarsource/sonarqube-quality-gate-action@master
# timeout-minutes: 5
# env:
# SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
# SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
deploy:
name: Deploy
runs-on: ubuntu-latest
needs: sonarqube
environment: production
env:
DOCKER_BUILDKIT: 1
BUILDKIT_PROGRESS: plain
CLOUDSDK_CORE_DISABLE_PROMPTS: 1
# used for generating API
SM_DOCKER: australia-southeast1-docker.pkg.dev/sample-metadata/images/server:${{ github.sha }}
defaults:
run:
shell: bash -eo pipefail -l {0}
steps:
- uses: actions/checkout@v4
- id: "google-cloud-auth"
name: "Authenticate to Google Cloud"
uses: "google-github-actions/auth@v2"
with:
workload_identity_provider: "projects/774248915715/locations/global/workloadIdentityPools/github-pool/providers/github-provider"
service_account: "[email protected]"
- id: "google-cloud-sdk-setup"
name: "Set up Cloud SDK"
uses: google-github-actions/setup-gcloud@v2
- name: "gcloud docker auth"
run: |
gcloud auth configure-docker australia-southeast1-docker.pkg.dev
- uses: actions/setup-python@v5
with:
python-version: "3.11"
- uses: actions/setup-java@v4
with:
distribution: "temurin" # See 'Supported distributions' for available options
java-version: "17"
- name: Setup build env
run: |
pip install --no-deps -r requirements-dev.txt
wget https://repo1.maven.org/maven2/org/openapitools/openapi-generator-cli/5.3.0/openapi-generator-cli-5.3.0.jar -O openapi-generator-cli.jar
- name: prepare-deployment
run: |
if [[ $GITHUB_REF == 'refs/heads/main' ]]; then
echo DEPLOYMENT_TYPE=prod >> $GITHUB_ENV
echo SM_ENVIRONMENT=production >> $GITHUB_ENV
else
echo DEPLOYMENT_TYPE=dev >> $GITHUB_ENV
echo SM_ENVIRONMENT=development >> $GITHUB_ENV
pip install bump2version
# add
bump2version patch \
--no-commit --allow-dirty \
--new-version $(cat deploy/python/version.txt)dev$(echo $(git rev-parse HEAD) | cut -c1-7)
fi
- name: "build deployable API"
run: |
export OPENAPI_COMMAND="java -jar openapi-generator-cli.jar"
python regenerate_api.py
ls -lGh metamist
# also copies build artifacts to api/public
- name: "build web front-end"
run: |
set -eo pipefail
pushd web
# installs package-lock, not what it thinks it should be
npm ci
npm run build
popd
- name: "build image"
run: |
docker build \
--build-arg SM_ENVIRONMENT=$SM_ENVIRONMENT \
--tag $SM_DOCKER \
-f deploy/api/Dockerfile \
.
- name: Build python package
run: python setup.py sdist
- name: "push server image"
run: |
docker push $SM_DOCKER
- name: "deploy to Cloud Run"
run: |
if [[ $GITHUB_REF == 'refs/heads/main' ]]; then
gcloud_deploy_name=sample-metadata-api
else
gcloud_deploy_name=sample-metadata-api-dev
fi
gcloud run deploy \
$gcloud_deploy_name --image $SM_DOCKER \
--region australia-southeast1 --no-allow-unauthenticated \
--platform managed
- name: Publish package
if: github.ref == 'refs/heads/main'
uses: pypa/gh-action-pypi-publish@release/v1
with:
user: __token__
password: ${{ secrets.PYPI_API_TOKEN }}
packages-dir: dist/
skip-existing: true