# 🏃♀️ Continuous Integration and Delivery: Unstable
# =================================================
#
# Note: for this workflow to succeed, the following secrets must be installed
# in the repository or inherited from the organization:
#
# ``ADMIN_GITHUB_TOKEN``
#     A personal access token of a user with collaborator or better access to
#     the project repository. You can generate this by visiting GitHub →
#     Settings → Developer settings → Personal access tokens → Generate new
#     token. Give the token scopes on ``repo``, ``write:packages``,
#     ``delete:packages``, ``workflow``, and ``read:gpg_key``.
# ``CODE_SIGNING_KEY``
#     A *private* key with which we can sign artifacts.
# ``CENTRAL_REPOSITORY_USERNAME``
#     Username for the Central Repository.
# ``CENTRAL_REPOSITORY_TOKEN``
#     Token (password) for the Central Repository.
# ``DOCKERHUB_USERNAME`` and ``DOCKERHUB_TOKEN``
#     Docker Hub account name and access token used to publish the image.
---
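name: 🤪 Unstable integration & delivery


# Driving Event
# -------------
#
# What event starts this workflow: a push to the ``develop`` branch, or a
# manual run (``workflow_dispatch``).

on:
    push:
        branches:
            - develop
    workflow_dispatch:

# Every run joins the single ``roundup`` concurrency group, so runs of this
# workflow do not overlap.
concurrency: roundup


# What to Do
# ----------
#
# Round up, yee-haw!
#
# NOTE(review): no ``permissions:`` block is declared, so ``GITHUB_TOKEN`` gets
# the repository's default scopes. Its only visible use here is the GHCR login
# (which needs ``packages: write``); consider declaring explicit, minimal
# permissions once that is confirmed.

jobs:
    unstable-assembly:
        name: 🧩 Unstable Assembly
        runs-on: ubuntu-latest
        # Skip runs whose actor is ``pdsen-ci`` (presumably the CI account's
        # own pushes, to avoid re-triggering; confirm).
        if: github.actor != 'pdsen-ci'
        steps:
            -
                name: 💳 Checkout
                uses: actions/checkout@v6
                with:
                    lfs: true
                    fetch-depth: 0
                    # NOTE(review): checkout stores this token in the local git config by default
                    # (``persist-credentials``), so every later step in the job can read it. Confirm
                    # whether Roundup needs it there; it already receives the token through ``env``.
                    token: ${{secrets.ADMIN_GITHUB_TOKEN}}
            -
                name: 💵 Maven Cache
                uses: actions/cache@v5
                with:
                    path: ~/.m2/repository
                    # The "key" used to indicate a set of cached files is the operating system runner
                    # plus "mvn" for Maven-specific builds, plus a hash of the `pom.xml` files, which
                    # should uniquely identify the dependent jars; plus "pds" because we pds-prefix
                    # everything with "pds" in PDS—even when the context is obvious! 😅
                    key: pds-${{runner.os}}-mvn-${{hashFiles('**/pom.xml')}}
                    # To restore a set of files, we only need to match a prefix of the saved key.
                    restore-keys: pds-${{runner.os}}-mvn-
            -
                name: 🤠 Roundup
                # NOTE(review): ``@stable`` is a mutable ref, and this step is handed the admin token,
                # the signing key and the Central Repository credentials. Pinning to a full commit SHA
                # fixes exactly which code receives them. The other actions in this job are referenced
                # by major-version tags, which are mutable too.
                uses: NASA-PDS/roundup-action@stable
                with:
                    assembly: unstable
                    packages: openjdk21
                    maven-doc-phases: package
                env:
                    central_portal_username: ${{secrets.CENTRAL_REPOSITORY_USERNAME}}
                    central_portal_token: ${{secrets.CENTRAL_REPOSITORY_TOKEN}}
                    CODE_SIGNING_KEY: ${{secrets.CODE_SIGNING_KEY}}
                    ADMIN_GITHUB_TOKEN: ${{secrets.ADMIN_GITHUB_TOKEN}}
                    GITHUB_TOKEN: ${{secrets.ADMIN_GITHUB_TOKEN}}
            -
                name: 🫙 Jar File Determination
                id: jarrer
                # Publishes the path of the built service jar as the step output ``jar_file``.
                # NOTE(review): if more than one jar matches, the output holds several lines; confirm
                # the build leaves exactly one.
                run: |
                    echo "jar_file=$(find ./service/target/ -maxdepth 1 -regextype posix-extended -regex '.*/registry-api-service-[0-9]+\.[0-9]+\.[0-9]+(-SNAPSHOT)?\.jar')" >> "$GITHUB_OUTPUT"
            -
                name: 🎰 QEMU Multiple Machine Emulation
                uses: docker/setup-qemu-action@v4
            -
                name: 🚢 Docker Buildx
                uses: docker/setup-buildx-action@v4
            # We want to publish the docker image "locally" to GHCR as the AWS Pull Through Cache requires
            # authentication and we don't have an organization account to manage read-only logins for the cache.
            -
                name: 💳 GHCR Identification
                uses: docker/login-action@v4
                with:
                    registry: ghcr.io
                    username: ${{github.actor}}
                    password: ${{secrets.GITHUB_TOKEN}}
            # Also push the image to DockerHub because we keep providing that distribution channel.
            -
                name: 💳 Docker Hub Identification
                uses: docker/login-action@v4
                with:
                    username: ${{secrets.DOCKERHUB_USERNAME}}
                    password: ${{secrets.DOCKERHUB_TOKEN}}
            -
                name: Set lowercase repo name
                # Read the repository name from the runner's own GITHUB_REPOSITORY variable instead of
                # pasting a ``${{ }}`` expression into the script text, so the value is never parsed
                # as shell.
                run: |
                    echo "LOWER_GHCR_REPO=$(echo "$GITHUB_REPOSITORY" | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_ENV"
            -
                name: 🧱 Image Construction and Publication
                uses: docker/build-push-action@v7
                with:
                    context: ./
                    file: ./docker/Dockerfile
                    build-args: api_jar=${{steps.jarrer.outputs.jar_file}}
                    platforms: linux/amd64,linux/arm64
                    push: true
                    tags: |
                        ghcr.io/${{env.LOWER_GHCR_REPO}}:develop
                        ${{secrets.DOCKERHUB_USERNAME}}/registry-api-service:develop
            -
                name: ∫ Integration tests … hold onto your hats, pardners
                # The account name reaches the script through the environment rather than being
                # templated into the script text.
                env:
                    DOCKERHUB_USERNAME: ${{secrets.DOCKERHUB_USERNAME}}
                # NOTE(review): the registry repository is cloned at its default branch tip and a script
                # from it is executed while the Docker Hub/GHCR logins (and, by default, the checkout
                # token) are still present on the runner; consider cloning a fixed tag or commit.
                # NOTE(review): the image pulled here is ``:latest``, while the step above publishes
                # ``:develop``; confirm which image these tests are meant to exercise.
                run: |
                    git clone --quiet https://github.com/NASA-PDS/registry.git
                    cd registry/docker/certs
                    ./generate-certs.sh
                    cd ..
                    docker image pull "${DOCKERHUB_USERNAME}/registry-api-service:latest"
                    docker image inspect "${DOCKERHUB_USERNAME}/registry-api-service:latest" >/dev/null
                    docker compose \
                        --ansi never --profile int-registry-batch-loader --project-name registry \
                        up --detach --quiet-pull
                    docker compose \
                        --ansi never --profile int-registry-batch-loader --project-name registry \
                        run --rm --no-TTY reg-api-integration-test-with-wait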
...
# -*- mode: yaml; indent: 4; fill-column: 120; coding: utf-8 -*-