-
Notifications
You must be signed in to change notification settings - Fork 2
161 lines (158 loc) · 6.41 KB
/
create_workflow_release_asset.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
name: Create Workflow Release Asset
on:
push:
tags:
# Matches dragen-pon-qc/3.9.3
# Matches tso500-ctdna-with-post-processing-pipeline/1.1.0--1.0.0
# Matches dragen-somatic-pipeline/4.0.3-rc
# ** required since our tags have '/' in them -- https://stackoverflow.com/a/61892639/6946787
# Single quotes required since * is a special character in yaml
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet
- '**'
jobs:
# Workflow split due to https://github.com/actions/runner/issues/662
# This way we do a 'precheck', update a few vars and most importantly make sure that the tag is legix
release_asset_precheck:
name: release asset precheck
runs-on: ubuntu-latest
defaults:
run:
shell: bash -l {0}
steps:
# Checkout code
- name: Checkout code
id: git_checkout
uses: actions/checkout@v4
# Set to fail
- name: Update bash settings
id: update_bash_settings
run: |
set -euo pipefail
# Install jq (for querying branch name)
- name: Install Jq
id: install_jq
run: |
sudo apt-get update -y
sudo apt-get install jq -y
# Get tag
- name: Set output
id: get_tag
run: echo "tag=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
# Ensure tag matches regex
- name: action regex match
id: tag_regex_match
uses: kaisugi/[email protected]
with:
text: ${{ steps.get_tag.outputs.tag }}
regex: '^[A-Za-z0-9-_]+/[0-9]+\.[0-9]+\.[0-9]+(?:--\S+)?(-rc)?$'
# Get email and username
- name: Get User Configurations
id: get_user_configurations
run: |
echo "user_name=${{ github.actor }}" >> "${GITHUB_OUTPUT}"
echo "user_email=${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com" >> "${GITHUB_OUTPUT}"
# Has regex match
- name: has regex match
id: has_regex_match
run: |
create_release="false"
is_prerelease="false"
if [[ -n "${{ steps.tag_regex_match.outputs.match }}" ]]; then
create_release="true"
fi
if [[ -n "${{ steps.tag_regex_match.outputs.group1 }}" ]]; then
is_prerelease="true"
fi
echo "create_release=${create_release}" >> "${GITHUB_OUTPUT}"
echo "is_prerelease=${is_prerelease}" >> "${GITHUB_OUTPUT}"
# Get date
- name: get date
id: get_date
run: |
echo "date_str=$(date +%Y%m%d%H%M%S)" >> "${GITHUB_OUTPUT}"
# Get workflow path
- name: get workflow path
id: get_workflow_path
run: |
# Get tag without release candidate
tag="${{ steps.get_tag.outputs.tag }}"
tag="${tag//-rc}"
# Check workflow directory exists
if [[ ! -d "workflows/$tag" ]]; then
echo "Could not find directory workflows/$tag"
exit 1
fi
workflow_path="$( \
find "workflows/$tag" \
-mindepth 1 \
-maxdepth 1 \
-type f \
-name "*.cwl"
)"
echo "workflow_path=${workflow_path}" >> "${GITHUB_OUTPUT}"
# Set git tag env var
- name: set git tag
id: set_git_tag
run: |
echo "git_tag=${{ steps.get_tag.outputs.tag }},${{ steps.get_tag.outputs.tag }}__${{ steps.get_date.outputs.date_str }}" >> "${GITHUB_OUTPUT}"
# Set up complete
# Set outputs
outputs:
original_tag: ${{ steps.get_tag.outputs.tag }}
git_tag: ${{ steps.set_git_tag.outputs.git_tag }}
user_name: ${{ steps.get_user_configurations.outputs.user_name }}
user_email: ${{ steps.get_user_configurations.outputs.user_email }}
workflow_path: ${{ steps.get_workflow_path.outputs.workflow_path }}
create_release: ${{ steps.has_regex_match.outputs.create_release }}
is_prerelease: ${{ steps.has_regex_match.outputs.is_prerelease }}
get_umccr_prod_icav2_access_token:
# Note this currently gets the access token for the 'trial' project
name: Get ICAv2 Access Token (umccr-prod)
uses: ./.github/workflows/get_tenant_icav2_access_token.yml
with:
role_to_assume_arn: arn:aws:iam::472057503814:role/gh-service-icav2-pipeline-user-prod
secret_arn: arn:aws:secretsmanager:ap-southeast-2:472057503814:secret:ICAv2JWTKey-umccr-prod-service-pipelines-WoiHJv
secrets:
symmetrical_encryption_key: ${{ secrets.SYMMETRICAL_ENCRYPTION_KEY }}
create_release_asset:
name: create release asset
runs-on: ubuntu-latest
defaults:
run:
shell: bash -l {0}
needs:
- release_asset_precheck
- get_umccr_prod_icav2_access_token
steps:
# Checkout code
- name: Checkout code
id: git_checkout
uses: actions/checkout@v4
# Decrypt tokens
- id: decrypt_umccr_prod_icav2_access_token
name: Decrypt Access Token
uses: ./.github/actions/decrypt_token
with:
encrypted_token: ${{ needs.get_umccr_prod_icav2_access_token.outputs.icav2_access_token_encrypted }}
decryption_key: ${{ secrets.SYMMETRICAL_ENCRYPTION_KEY }}
# Create release asset
- name: create release asset
id: create_release_asset
if: needs.release_asset_precheck.outputs.create_release == 'true'
run: |
docker run \
--rm \
--volume "$PWD:$PWD" \
--workdir "$PWD" \
--env CWL_ICA_REPO_PATH="${PWD}" \
--env GITHUB_SERVER_URL="${GITHUB_SERVER_URL}" \
--env GITHUB_REPOSITORY="${GITHUB_REPOSITORY}" \
--env GITHUB_TAG="${{ needs.release_asset_precheck.outputs.git_tag }}" \
--env GITHUB_TOKEN="${{ secrets.GITHUB_TOKEN }}" \
--env _GIT_AUTHOR_NAME="${{ needs.release_asset_precheck.outputs.user_name }}" \
--env _GIT_AUTHOR_EMAIL="${{ needs.release_asset_precheck.outputs.user_email }}" \
--env ICAV2_ACCESS_TOKEN_UMCCR_PROD="${{ steps.decrypt_umccr_prod_icav2_access_token.outputs.decrypted_token }}" \
ghcr.io/umccr/cwl-ica-cli:latest \
bash ".github/scripts/create_workflow_release_asset.sh" \
--workflow-path "${{ needs.release_asset_precheck.outputs.workflow_path }}" \
--is-prerelease "${{ needs.release_asset_precheck.outputs.is_prerelease }}"