[DDO-3769] Fix Google Subject ID inconsistency #1320

Workflow file for this run

.github/workflows/sherlock-build.yaml at 6bf3d51

	name: Bump, Tag, and Publish
	# The purpose of the workflow is to:
	# 1. Bump the version number and tag the release if not a PR
	# 2. Build docker image and publish to GAR
	#
	# When run on merge to main, it tags and bumps the patch version by default. You can
	# bump other parts of the version by putting #major, #minor, or #patch in your commit
	# message.
	#
	# When run on a PR, it simulates bumping the tag and appends a hash to the pushed image.
	#
	# The workflow relies on github secrets:
	# - BROADBOT_TOKEN - the broadbot token, so we can avoid two reviewer rule on GHA operations
	on:
	push:
	branches:
	- main
	paths:
	- ".github/workflows/sherlock-build.yaml"
	- ".github/workflows/client-report-app-version.yaml"
	- ".github/workflows/client-report-workflow.yaml"
	- "sherlock/**"
	- "!sherlock/docs/**"
	- "go-shared/**"
	- "!*/.md"
	pull_request:
	branches:
	- main
	workflow_dispatch:

	env:
	# App-specific variables like versions of build tools:
	GO_SWAGGER_VERSION: v0.29.0

	concurrency:
	# Don't run this workflow concurrently on the same branch
	group: ${{ github.workflow }}-${{ github.ref }}
	# For PRs, don't wait for completion of existing runs, cancel them instead
	cancel-in-progress: ${{ github.event_name == 'pull_request' }}

	jobs:
	generate-tag:
	runs-on: ubuntu-latest
	permissions:
	contents: 'read'
	outputs:
	tag: ${{ steps.tag.outputs.new_tag }}
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	with:
	token: ${{ (github.actor != 'dependabot[bot]' && secrets.BROADBOT_TOKEN) \|\| secrets.GITHUB_TOKEN }}
	fetch-depth: 0

	# We use DRY_RUN so we don't push to the repo prematurely -- we may
	# have code-gen changes, or we might not end up pushing at all.
	- name: Generate Tag
	uses: databiosphere/github-actions/actions/bumper@bumper-0.4.0
	id: tag
	env:
	DEFAULT_BUMP: patch
	RELEASE_BRANCHES: ${{ github.event.repository.default_branch }}
	WITH_V: true
	GITHUB_TOKEN: ${{ (github.actor != 'dependabot[bot]' && secrets.BROADBOT_TOKEN) \|\| secrets.GITHUB_TOKEN }}
	DRY_RUN: true

	build-and-publish:
	needs: [generate-tag]
	if: ${{ needs.generate-tag.outputs.tag != '' }}
	runs-on: ubuntu-latest
	permissions:
	contents: 'read'
	id-token: 'write'
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	with:
	token: ${{ (github.actor != 'dependabot[bot]' && secrets.BROADBOT_TOKEN) \|\| secrets.GITHUB_TOKEN }}

	- name: Set up Git
	if: ${{ github.actor != 'dependabot[bot]' }}
	run: \|
	git config --global user.name 'broadbot'
	git config --global user.email 'broadbot@broadinstitute.org'

	- name: Set up Go
	uses: actions/setup-go@v5
	with:
	go-version-file: sherlock/go.mod

	- name: Set up Node/NPM
	uses: actions/setup-node@v4
	with:
	node-version: 18

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3

	- name: Set up Swag
	run: make install-swagger

	- name: Format Swagger comments
	run: make format-swagger

	- name: Generate Swagger source
	run: make generate-swagger

	- name: Update Pact provider documentation
	run: make document-pact-provider

	- name: Delete existing Go client library code
	# Just delete code, not config, so that no-longer-generated files will disappear
	run: rm -rf sherlock-go-client/client

	- name: Generate Go client library
	run: \|
	docker run --rm -e GOPATH=/go \
	-v $(go env GOPATH):/go \
	-v "${PWD}:/local" \
	-w "/local/sherlock-go-client" \
	quay.io/goswagger/swagger:${GO_SWAGGER_VERSION} \
	generate client -f /local/sherlock/docs/swagger.json -A sherlock --default-scheme=https -m client/models -c client

	- name: Tidy Go client library dependencies
	working-directory: sherlock-go-client
	run: go mod tidy

	- name: Delete existing Typescript client library code
	# Just delete code, not config, so that no-longer-generated files will disappear
	run: rm -rf sherlock-typescript-client/src

	- name: Generate Typescript client library
	run: \|
	docker run --rm -v "${PWD}:/local" openapitools/openapi-generator-cli generate \
	-i /local/sherlock/docs/swagger.json \
	-g typescript-fetch \
	-o /local/sherlock-typescript-client \
	--git-user-id broadinstitute \
	--git-repo-id sherlock \
	--additional-properties=disallowAdditionalPropertiesIfNotPresent=false \
	--additional-properties=supportsES6=true \
	--additional-properties=npmName=@sherlock-js-client/sherlock \
	--additional-properties=npmVersion=${{ needs.generate-tag.outputs.tag }}

	- name: Build Typescript client
	working-directory: sherlock-typescript-client
	run: \|
	npm install --save-dev
	npm run build

	- name: Assemble Docker tags
	uses: docker/metadata-action@v5
	id: meta
	with:
	images: \|
	us-central1-docker.pkg.dev/dsp-artifact-registry/sherlock/sherlock
	us-central1-docker.pkg.dev/dsp-devops-super-prod/sherlock/sherlock
	tags: \|
	type=raw,value=${{ needs.generate-tag.outputs.tag }}
	type=semver,pattern=v{{major}},value=${{ needs.generate-tag.outputs.tag }},enable={{is_default_branch}}
	type=semver,pattern=v{{major}}.{{minor}},value=${{ needs.generate-tag.outputs.tag }},enable={{is_default_branch}}
	type=raw,value=latest,enable={{is_default_branch}}

	- name: Build image
	uses: docker/build-push-action@v6
	with:
	# Don't push, just build and load locally.
	context: .
	file: sherlock/Dockerfile
	push: false
	load: true
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	cache-from: type=gha
	cache-to: type=gha,mode=max
	build-args: \|
	BUILD_VERSION=${{ needs.generate-tag.outputs.tag }}

	- name: Run Trivy vulnerability scanner
	uses: broadinstitute/dsp-appsec-trivy-action@v1
	with:
	image: us-central1-docker.pkg.dev/dsp-artifact-registry/sherlock/sherlock:${{ needs.generate-tag.outputs.tag }}

	- name: Commit changes
	if: ${{ github.event_name != 'pull_request' }}
	run: \|
	git add .
	git commit --allow-empty --message "[sherlock-build] generated from ${{ github.sha }}"

	- name: Add tag
	if: ${{ github.event_name != 'pull_request' }}
	# Go subdirectories need to have tags prefixed with the directory name, otherwise go mod won't be
	# able to see them.
	# In other words, if you do `go get github.com/broadinstitute/sherlock/sherlock-go-client@v1.2.3`,
	# go mod is actually going to look for a tag of sherlock-go-client/v1.2.3.
	# https://github.com/golang/go/issues/31045
	run: \|
	git tag "${{ needs.generate-tag.outputs.tag }}"
	git tag "sherlock/${{ needs.generate-tag.outputs.tag }}"
	git tag "go-shared/${{ needs.generate-tag.outputs.tag }}"
	git tag "sherlock-go-client/${{ needs.generate-tag.outputs.tag }}"

	- name: Auth to GCP
	id: auth
	if: ${{ github.actor != 'dependabot[bot]' }}
	uses: google-github-actions/auth@v2
	with:
	token_format: access_token
	workload_identity_provider: projects/1038484894585/locations/global/workloadIdentityPools/github-wi-pool/providers/github-wi-provider
	service_account: gha-gar-writer@dsp-devops-super-prod.iam.gserviceaccount.com

	- name: Push to main
	if: ${{ github.event_name != 'pull_request' }}
	run: \|
	git push --atomic --tags origin main

	- name: Publish typescript client
	if: ${{ github.event_name != 'pull_request' }}
	working-directory: sherlock-typescript-client
	run: \|
	npx google-artifactregistry-auth --yes
	npm publish

	- name: Login to GAR
	if: ${{ github.actor != 'dependabot[bot]' }}
	uses: docker/login-action@v3
	with:
	registry: us-central1-docker.pkg.dev
	username: oauth2accesstoken
	password: ${{ steps.auth.outputs.access_token }}

	- name: Push image
	if: ${{ github.actor != 'dependabot[bot]' }}
	uses: docker/build-push-action@v6
	with:
	# "Build" (instant, via local cache from earlier) and push images;
	# we do have to repeat the earlier parameters here for the cache to work.
	context: .
	file: sherlock/Dockerfile
	push: true
	load: false
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	cache-from: type=gha
	cache-to: type=gha,mode=max
	build-args: \|
	BUILD_VERSION=${{ needs.generate-tag.outputs.tag }}

	comment-published-image:
	needs: [ generate-tag, build-and-publish ]
	runs-on: ubuntu-latest
	if: ${{ needs.generate-tag.outputs.tag != '' && github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' }}
	permissions:
	pull-requests: 'write'
	steps:
	- name: Comment published image
	uses: marocchino/sticky-pull-request-comment@v2
	with:
	header: image
	message: \|
	Published image from ${{ github.event.pull_request.head.sha }} (merge ${{ github.sha }}):

	```
	us-central1-docker.pkg.dev/dsp-artifact-registry/sherlock/sherlock:${{ needs.generate-tag.outputs.tag }}
	us-central1-docker.pkg.dev/dsp-devops-super-prod/sherlock/sherlock:${{ needs.generate-tag.outputs.tag }}
	```

	report-to-sherlock:
	uses: ./.github/workflows/client-report-app-version.yaml
	needs: [generate-tag, build-and-publish]
	if: ${{ needs.generate-tag.outputs.tag != '' && github.actor != 'dependabot[bot]' }}
	with:
	new-version: ${{ needs.generate-tag.outputs.tag }}
	chart-name: 'sherlock'
	permissions:
	contents: 'read'
	id-token: 'write'

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[DDO-3769] Fix Google Subject ID inconsistency #1320

Workflow file

[DDO-3769] Fix Google Subject ID inconsistency #1320

Jobs

Run details

Workflow file for this run