From f1629e71bd341d2addab70b4a37cb5342b0c2455 Mon Sep 17 00:00:00 2001
From: Michael Moen Allport
Date: Thu, 10 Oct 2024 20:39:25 +0200
Subject: [PATCH] Add workflow gatekeepers

---
 .github/workflows/build-app.yml               | 24 +++++++++++++++----
 .github/workflows/build-deploy-gatekeeper.yml | 14 +++++++++++
 .github/workflows/build-deploy.yml            | 11 ++-------
 .github/workflows/mvn-release.yml             |  4 ++--
 .github/workflows/publish-release.yml         | 15 +----------
 5 files changed, 39 insertions(+), 29 deletions(-)
 create mode 100644 .github/workflows/build-deploy-gatekeeper.yml

diff --git a/.github/workflows/build-app.yml b/.github/workflows/build-app.yml
index fde8408..bb2a0ea 100644
--- a/.github/workflows/build-app.yml
+++ b/.github/workflows/build-app.yml
@@ -19,6 +19,9 @@ on:
       - ".mvn"
       - ".gitignore"
 
+env:
+  REGISTRY: europe-north1-docker.pkg.dev/artifact-registry-5n/dapla-stat-docker/maskinporten-guardian
+
 jobs:
   build-test:
     name: Build and test with Maven
@@ -36,14 +39,27 @@ jobs:
           java-version: 21
           distribution: temurin
           cache: maven
+
+      - name: Authenticate to Google Cloud
+        id: auth
+        uses: google-github-actions/auth@v2
+        with:
+          workload_identity_provider: "projects/848539402404/locations/global/workloadIdentityPools/gh-actions/providers/gh-actions"
+          service_account: "gh-actions-dapla-stat@artifact-registry-5n.iam.gserviceaccount.com"
+          token_format: access_token
+
+      - name: Login to Artifact Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: "oauth2accesstoken"
+          password: "${{ steps.auth.outputs.access_token }}"
 
       - name: Maven build and install
         run: mvn --batch-mode clean install
 
-  deploy:
+  deploy-gatekeeper:
     name: Deploy to NAIS test cluster
     if: ${{github.event_name == 'push'}}
     needs: build-test
-    uses: ./.github/workflows/build-deploy.yml
-    with:
-      commit-sha: ${{ github.sha }}
\ No newline at end of file
+    uses: ./.github/workflows/build-deploy-gatekeeper.yml
\ No newline at end of file
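Review bot: The `build-test` job now mints a GCP access token for `gh-actions-dapla-stat@artifact-registry-5n.iam.gserviceaccount.com` and logs in to Artifact Registry before `mvn --batch-mode clean install`, a step that by itself pushes nothing, and the hunk does not say why the build needs registry credentials; if this workflow also runs on `pull_request` (its event list is outside the hunk, only `paths-ignore` is visible), every PR build authenticates with a deploy-capable identity even though only the `push` path deploys. Add a step comment stating the reason (for example a base image or Maven dependency that is pulled from this registry), or gate both new steps with `if: github.event_name == 'push'` so the token is only issued on the path that later deploys. `google-github-actions/auth` also needs `permissions: id-token: write` on the job, which is not visible here — confirm it is set, otherwise the step fails outright. Since the token is now requested on every build rather than only on deploys, confirm the workload-identity provider's attribute condition pins `assertion.repository` (and ideally the ref) so no other repository in the pool can assume this service account.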
diff --git a/.github/workflows/build-deploy-gatekeeper.yml b/.github/workflows/build-deploy-gatekeeper.yml
new file mode 100644
index 0000000..e8990a8
--- /dev/null
+++ b/.github/workflows/build-deploy-gatekeeper.yml
@@ -0,0 +1,14 @@
+on:
+  release:
+    types: [ published ]
+  workflow_call:
+
+jobs:
+  deploy-prod:
+    name: Deploy to NAIS production cluster
+    if: github.head_ref == 'release' && github.event.pull_request.merged == true
+    uses: ./.github/workflows/publish-release.yml
+  deploy-test:
+    name: Deploy to NAIS test cluster
+    if: github.head_ref != 'release'
+    uses: ./.github/workflows/build-deploy.yml
\ No newline at end of file
diff --git a/.github/workflows/build-deploy.yml b/.github/workflows/build-deploy.yml
index 612b65a..12cadb5 100644
--- a/.github/workflows/build-deploy.yml
+++ b/.github/workflows/build-deploy.yml
@@ -2,11 +2,6 @@ on:
   release:
     types: [ published ]
   workflow_call:
-    inputs:
-      commit-sha:
-        description: Commit SHA from the caller
-        required: true
-        type: string
 
 env:
   REGISTRY: europe-north1-docker.pkg.dev/artifact-registry-5n/dapla-stat-docker/maskinporten-guardian
@@ -69,7 +64,7 @@ jobs:
           tags=${latest},${semver},${major_minor_version},${major_version}
           echo "tags=${tags}" >> "$GITHUB_OUTPUT"
         else
-          git_sha_short="$(git rev-parse --short ${{inputs.commit-sha}})"
+          git_sha_short="$(git rev-parse --short ${{github.sha}})"
           current_sha_tag=${REGISTRY}/${IMAGE}:${{github.event.repository.default_branch}}-$git_sha_short
           latest=${REGISTRY}/${IMAGE}:latest
 
@@ -81,9 +76,7 @@ jobs:
 
       - name: Maven build and install
         run: |
-          if [ ${{ github.event_name }} == "workflow_call" ]; then
-            mvn --batch-mode -P artifact-registry deploy
-          fi
+          mvn --batch-mode -P artifact-registry deploy
 
       - name: Docker meta
         id: docker_metadata
diff --git a/.github/workflows/mvn-release.yml b/.github/workflows/mvn-release.yml
index e517518..6469fa4 100644
--- a/.github/workflows/mvn-release.yml
+++ b/.github/workflows/mvn-release.yml
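Review bot: The `deploy-prod` gate `github.head_ref == 'release' && github.event.pull_request.merged == true` can only be true on a `pull_request` event, but this workflow is reached either by its own `release: published` trigger or by `workflow_call` from build-app.yml, which in this same patch filters the call on `github.event_name == 'push'`; on both of those `github.head_ref` is empty and `github.event.pull_request` is undefined, so as wired `deploy-prod` never runs and `deploy-test` always does. Because publish-release.yml also loses its `pull_request: closed` trigger in this patch, nothing visible publishes the release after the release PR is merged unless build-app.yml has a trigger I cannot see. A second effect: on `release: published` the `github.head_ref != 'release'` check is true, so `deploy-test` calls build-deploy.yml while build-deploy.yml also fires on its own `release` trigger, giving two concurrent runs for the same release. Give this workflow the context its gate tests — a `pull_request: { types: [closed], branches: [master] }` trigger — and drop the redundant `release` trigger here, or rewrite both gates on `github.event_name`. Also note that called workflows get no more than the caller's `permissions` and no secrets without `secrets: inherit`; publish-release.yml declares `contents: write`, so confirm the caller chain grants it.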
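Review bot: With the `workflow_call` guard removed, `mvn --batch-mode -P artifact-registry deploy` now runs on every invocation of this workflow, including the direct `release: published` trigger this file keeps (context of the first hunk), so the decision whether to publish a Maven artifact has moved entirely to the callers and nothing in the step records that. Add a comment above the command, e.g. `# Unconditional: publishes the Maven artifact on the direct release trigger and on every workflow_call; callers decide when this workflow runs.` If the same version can reach this step twice — this patch also lets build-deploy-gatekeeper.yml call this workflow on a release event — a non-SNAPSHOT redeploy may be rejected or silently overwritten depending on the registry's immutability policy; confirm which applies.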
@@ -60,7 +60,7 @@ jobs:
           VERSION=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout | sed "s/-SNAPSHOT//")
           echo "version=${VERSION}" >> $GITHUB_OUTPUT
           # Perform the release/deploy and increment the version to the next snapshot
-          mvn --batch-mode release:prepare -P github,artifact-registry -Darguments="-Dmaven.test.skip=true -Dmaven.deploy.skip=true"
+          mvn --batch-mode release:prepare -P github -Darguments="-Dmaven.test.skip=true -Dmaven.deploy.skip=true"
           mvn --batch-mode release:perform
           TAG=$(git describe --abbrev=0 --tags)
           echo "tag=${TAG}" >> $GITHUB_OUTPUT
@@ -88,7 +88,7 @@ jobs:
       - name: Create a pull request with the changes in the branch
         run: |
           pr_title="Release ${{steps.release_artifact.outputs.tag}}"
-          pr_body="This PR is autogenerated by a workflow. A release draft has been created and should be published after merging."
+          pr_body="This PR is autogenerated by a workflow. A release draft has been created and will be published after merging."
           gh pr create --title "$pr_title" --body "$pr_body" --head $(git branch --show-current)
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
index 7c53d7b..08345c8 100644
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@@ -1,24 +1,11 @@
 name: Publish release
 on:
-  pull_request:
-    types:
-      - closed
-    branches:
-      - master
-    paths-ignore:
-      - "**/*.md"
-      - "Makefile"
-      - ".mvn"
-      - ".gitignore"
+  workflow_call:
   workflow_dispatch:
 
 jobs:
   publish-release:
-    if: |
-      (github.head_ref == 'release' && github.event.pull_request.merged == true) ||
-      github.event_name == 'workflow_dispatch'
-
     runs-on: ubuntu-latest
     permissions:
       contents: write
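Review bot: Dropping `artifact-registry` from the `release:prepare` profiles, together with `-Dmaven.deploy.skip=true` in `-Darguments`, means this step no longer publishes anything itself, yet the comment above it still says "Perform the release/deploy" and nothing says where the release artifact is published from now; change it to `# Tag and bump the version only: deploy is skipped via -Darguments, the artifact/image is published by build-deploy.yml on the release event`. Whether `-Darguments` also reaches `release:perform` on the next line depends on the release plugin persisting it in release.properties — confirm, because if it does not, `release:perform` deploys with whatever profiles are active. Style: this script writes `>> $GITHUB_OUTPUT` unquoted while build-deploy.yml in this same patch writes `>> "$GITHUB_OUTPUT"`; pick the quoted form in both. The step's `run:` block starts before this hunk.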