Add API v2 #1496
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Create Docker Image and Azure Pool | |
| # This GitHub Actions workflow builds a Docker image for the | |
| # cfa-epinow2-pipeline-docker project. In-container tests can be added here. | |
| on: | |
| workflow_dispatch: | |
| pull_request: | |
| paths-ignore: # we don't need this to run everytime we make an edit to an irrelevant file | |
| - .github/workflows/block-fixup.yaml | |
| - .github/workflows/check-news-md.yaml | |
| - .github/workflows/manual-docker-prune.yml | |
| - .github/workflows/pkgdown.yaml | |
| - .github/workflows/pr-commands.yaml | |
| - .github/workflows/r-cmd-check.yaml | |
| - .github/workflows/test-coverage.yaml | |
| - '**.md' | |
| branches: | |
| - main | |
| push: | |
| paths-ignore: # we don't need this to run everytime we make an edit to an irrelevant file | |
| - .github/workflows/block-fixup.yaml | |
| - .github/workflows/check-news-md.yaml | |
| - .github/workflows/manual-docker-prune.yml | |
| - .github/workflows/pkgdown.yaml | |
| - .github/workflows/pr-commands.yaml | |
| - .github/workflows/r-cmd-check.yaml | |
| - .github/workflows/test-coverage.yaml | |
| - '**.md' | |
| branches: | |
| - main | |
| env: | |
| # Together, these form: cfaprdbatchcr.azurecr.io/cfa-epinow2-pipeline | |
| REGISTRY: cfaprdbatchcr.azurecr.io | |
| IMAGE_NAME: cfa-epinow2-pipeline | |
| jobs: | |
| build-pipeline-image: | |
| permissions: | |
| id-token: write # This is required for requesting the JWT | |
| contents: read # This is required for actions/checkout | |
| packages: write # This is required for ACR import | |
| runs-on: ubuntu-latest | |
| name: Build image | |
| outputs: | |
| tag: ${{ steps.image-tag.outputs.tag }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v6 | |
| # From: https://stackoverflow.com/a/58035262/2097171 | |
| - name: Extract branch name | |
| shell: bash | |
| run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT | |
| id: branch-name | |
| ######################################################################### | |
| # Getting the tag | |
| # The tag will be used for both the docker image and the batch pool | |
| ######################################################################### | |
| - name: Figure out tag (latest on main, dependabot PR number, else branch) | |
| shell: bash | |
| id: image-tag | |
| run: | | |
| BRANCH="${{ steps.branch-name.outputs.branch }}" | |
| # main => latest | |
| if [[ "$BRANCH" == "main" ]]; then | |
| echo "tag=latest" >> "$GITHUB_OUTPUT" | |
| exit 0 | |
| fi | |
| # dependabot PRs => dependabot-pr-<number> | |
| if [[ "${{ github.event_name }}" == "pull_request" ]] && [[ "${{ github.actor }}" == "dependabot[bot]" ]]; then | |
| echo "tag=dependabot-pr-${{ github.event.pull_request.number }}" >> "$GITHUB_OUTPUT" | |
| exit 0 | |
| fi | |
| # everything else => branch name (existing behavior) | |
| echo "tag=$BRANCH" >> "$GITHUB_OUTPUT" | |
| - name: Docker Login | |
| uses: docker/login-action@v4 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Docker build and push | |
| run: | | |
| chmod +x $GITHUB_WORKSPACE/.github/scripts/docker_build_and_push.sh | |
| $GITHUB_WORKSPACE/.github/scripts/docker_build_and_push.sh ${{ env.IMAGE_NAME }} ${{ steps.image-tag.outputs.tag }} | |
| test-coverage: | |
| needs: build-pipeline-image | |
| uses: ./.github/workflows/test-coverage.yaml | |
| test-documentation: | |
| needs: build-pipeline-image | |
| uses: ./.github/workflows/test-documentation.yaml | |
| acr-import: | |
| needs: build-pipeline-image | |
| runs-on: ubuntu-latest | |
| environment: production | |
| permissions: | |
| id-token: write # This is required for requesting the JWT | |
| contents: read # This is required for actions/checkout | |
| packages: write # This is required for ACR import | |
| name: Copy image from GHCR to ACR | |
| outputs: | |
| tag: ${{ needs.build-pipeline-image.outputs.tag }} | |
| steps: | |
| # From: https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers#requesting-the-jwt-using-the-actions-core-toolkit | |
| - name: Install OIDC Client from Core Package | |
| run: npm install @actions/core@1.6.0 @actions/http-client | |
| - name: Get Id Token | |
| uses: actions/github-script@v8 | |
| id: idtoken | |
| with: | |
| script: | | |
| const coredemo = require('@actions/core') | |
| const id_token = await coredemo.getIDToken('api://AzureADTokenExchange') | |
| coredemo.setOutput('id_token', id_token) | |
| - name: ACR Import | |
| uses: CDCgov/cfa-actions/runner-action@v1.5.0 | |
| with: | |
| github_app_id: ${{ secrets.CDCENT_ACTOR_APP_ID }} | |
| github_app_pem: ${{ secrets.CDCENT_ACTOR_APP_PEM }} | |
| wait_for_completion: true | |
| print_logs: true | |
| script: | | |
| echo "Logging into Azure CLI" | |
| az login --service-principal \ | |
| --username ${{ secrets.AZURE_NNHT_SP_CLIENT_ID }} \ | |
| --tenant ${{ secrets.TENANT_ID }} \ | |
| --federated-token ${{ steps.idtoken.outputs.id_token }} \ | |
| --output none | |
| IMAGE_TAG=${{ env.IMAGE_NAME }}:${{ needs.build-pipeline-image.outputs.tag }} | |
| az acr import --name ${{ env.REGISTRY }} \ | |
| --source "ghcr.io/cdcgov/$IMAGE_TAG" \ | |
| --username ${{ github.actor }} \ | |
| --password ${{ secrets.GITHUB_TOKEN }} \ | |
| --image "$IMAGE_TAG" \ | |
| --force && echo 'Copied image!' | |
| if [ $? -ne 0 ]; then | |
| echo "Failed to copy image" | |
| fi | |
| batch-pool: | |
| name: Create Batch Pool and Submit Jobs | |
| runs-on: ubuntu-latest | |
| needs: acr-import | |
| environment: production | |
| permissions: | |
| contents: read | |
| id-token: write | |
| env: | |
| TAG: ${{ needs.acr-import.outputs.tag }} | |
| # Every Azure Batch Pool parameter can simply go here, | |
| # no python module or config toml necessary | |
| POOL_ID: "cfa-epinow2-${{ needs.acr-import.outputs.tag }}" | |
| BATCH_ACCOUNT: "cfaprdba" | |
| BATCH_ENDPOINT: "https://cfaprdba.eastus.batch.azure.com/" | |
| NODE_AGENT_SKU_ID: "batch.node.ubuntu 22.04" | |
| VM_SIZE: "standard_d4d_v5" | |
| RESOURCE_GROUP: ${{ secrets.PRD_RESOURCE_GROUP }} | |
| BATCH_SUBNET_ID: ${{ secrets.BATCH_SUBNET_ID }} | |
| steps: | |
| - name: Checkout Repo | |
| id: checkout_repo | |
| uses: actions/checkout@v6 | |
| # From: https://stackoverflow.com/a/58035262/2097171 | |
| - name: Extract branch name | |
| shell: bash | |
| run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT | |
| id: get-branch | |
| # From: https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers#requesting-the-jwt-using-the-actions-core-toolkit | |
| - name: Install OIDC Client from Core Package | |
| run: npm install @actions/core@1.6.0 @actions/http-client | |
| - name: Get Id Token | |
| uses: actions/github-script@v8 | |
| id: idtoken | |
| with: | |
| script: | | |
| const coredemo = require('@actions/core') | |
| const id_token = await coredemo.getIDToken('api://AzureADTokenExchange') | |
| coredemo.setOutput('id_token', id_token) | |
| - name: Create cfa-epinow2-pipeline Pool | |
| id: create_batch_pool | |
| # Removed invalid condition referencing steps.check_pool_id.outputs.pool-exists | |
| uses: CDCgov/cfa-actions/runner-action@v1.5.0 | |
| with: | |
| github_app_id: ${{ secrets.CDCENT_ACTOR_APP_ID }} | |
| github_app_pem: ${{ secrets.CDCENT_ACTOR_APP_PEM }} | |
| wait_for_completion: true | |
| print_logs: true | |
| script: | | |
| echo "Setting env vars" | |
| export BATCH_ACCOUNT=${{ secrets.BATCH_ACCOUNT }} | |
| export SUBSCRIPTION_ID=${{ secrets.SUBSCRIPTION_ID }} | |
| export BATCH_USER_ASSIGNED_IDENTITY=${{ secrets.BATCH_USER_ASSIGNED_IDENTITY }} | |
| export AZURE_BATCH_ACCOUNT_CLIENT_ID=${{ secrets.AZURE_BATCH_ACCOUNT_CLIENT_ID }} | |
| export PRINCIPAL_ID=${{ secrets.PRINCIPAL_ID }} | |
| export CONTAINER_REGISTRY_SERVER=${{ secrets.CONTAINER_REGISTRY_SERVER }} | |
| export CONTAINER_REGISTRY_USERNAME=${{ secrets.CONTAINER_REGISTRY_USERNAME }} | |
| export CONTAINER_REGISTRY_PASSWORD=${{ secrets.CONTAINER_REGISTRY_PASSWORD }} | |
| export CONTAINER_REGISTRY_URL=${{ secrets.CONTAINER_REGISTRY_URL }} | |
| export CONTAINER_IMAGE_NAME=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TAG }} | |
| export POOL_ID=${{ env.POOL_ID }} | |
| export SUBNET_ID=${{ secrets.BATCH_SUBNET_ID }} | |
| export RESOURCE_GROUP=${{ secrets.RESOURCE_GROUP }} | |
| echo "Logging into Azure CLI" | |
| az login --service-principal \ | |
| --username ${{ secrets.AZURE_NNHT_SP_CLIENT_ID }} \ | |
| --tenant ${{ secrets.TENANT_ID }} \ | |
| --federated-token ${{ steps.idtoken.outputs.id_token }} \ | |
| --output none | |
| echo "Logging into batch" | |
| az batch account login \ | |
| --resource-group ${{ secrets.PRD_RESOURCE_GROUP }} \ | |
| --name "${{ env.BATCH_ACCOUNT }}" | |
| echo "Listing batch pools" | |
| az batch pool list \ | |
| --output tsv \ | |
| --filter "(id eq '${{ env.POOL_ID }}')" \ | |
| --query "[].[id, allocationState, creationTime]" > pool-list-${{ github.sha }} | |
| if [ -s pool-list-${{ github.sha }} ]; then | |
| echo "Pool already exists!" | |
| else | |
| CURRENT_BRANCH="${{ steps.get-branch.outputs.branch }}" | |
| echo "Cloning repo at branch '$CURRENT_BRANCH'" | |
| git clone -b "$CURRENT_BRANCH" https://github.com/${{ github.repository }}.git | |
| cd cfa-epinow2-pipeline | |
| echo "Running create pool script" | |
| uv run .github/scripts/create_pool.py | |
| fi |