Merge pull request #5507 from brucehoff/PLFM-9441 #129

---
#
# This workflow runs the Synapse Stack Builder and then builds and runs the tests
# for the Synapse Repository Services.
#
# These parameters can be overridden with the repository's Actions variables:
#
# - USER (the 'user' parameter for the Synapse build): defaults to the repository owner reduced to its first 7 alphanumeric characters. Must be alphanumeric only: it is embedded in the Secrets Manager secret name and in the CodePipeline name.
# - STACK_BUILDER_REPO_OWNER: defaults to Sage-Bionetworks
# - STACK_BUILDER_BRANCH: defaults to develop
# - FULL_BUILD: if true, will do a full build, vs. an abbreviated "feature build"
# - EXTRA_ARGS: pass extra arguments to maven build
#
# The page where you set the "repository variables" is
# https://github.com/<owner>/Synapse-Repository-Services/settings/variables/actions
# where <owner> is the owner of your fork of this repository.
#
name: main
on:
  push:
    # NOTE(review): in GitHub branch filters '*' does not match '/', so a branch
    # such as 'feature/x' does not trigger this workflow; use '**' if every
    # branch is intended.
    branches:
      - '*'
# Serialize the workflow: one run at a time across all branches. There is no
# cancel-in-progress, so a newer push does not abort an in-flight run.
concurrency:
  group: ${{ github.workflow }}
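jobs:
  build_and_test:
    permissions:
      contents: read
      # Required to mint the OIDC token that configure-aws-credentials exchanges
      # for the build role below.
      id-token: write
    runs-on: ubuntu-latest
    steps:
      - name: checkout
        # NOTE(review): tag refs are mutable; pin third-party actions to a commit SHA.
        uses: actions/checkout@v5
        with:
          fetch-depth: 0  # Fetch all history for git commands to work correctly
      - name: Static Analysis
        uses: pre-commit/action@v3.0.0
      - name: Determine Pipeline Parameters
        id: pipeline-params
        # Repository variables are handed to the shell via env instead of being
        # interpolated with ${{ }} into the script text: interpolation makes their
        # contents part of the program (shell injection), and anyone with admin on
        # a fork can set them while this workflow runs on every pushed branch.
        env:
          VAR_USER: ${{ vars.USER }}
          VAR_STACK_BUILDER_REPO_OWNER: ${{ vars.STACK_BUILDER_REPO_OWNER }}
          VAR_STACK_BUILDER_BRANCH: ${{ vars.STACK_BUILDER_BRANCH }}
          VAR_FULL_BUILD: ${{ vars.FULL_BUILD }}
          VAR_EXTRA_ARGS: ${{ vars.EXTRA_ARGS }}
        run: |
          set -euo pipefail
          # 'user' parameter: the repo variable if set, else the repo owner reduced
          # to its first 7 alphanumeric characters.
          if [[ -n "${VAR_USER}" ]]; then
            USER="${VAR_USER}"
          else
            USER=$(echo "${GITHUB_REPOSITORY_OWNER//[^[:alnum:]]/}" | cut -c1-7)
          fi
          # USER is embedded in a Secrets Manager secret name (next step) and in the
          # CodePipeline name (invoke_workflow): enforce the alphanumeric-only rule
          # the file header documents rather than trusting the variable.
          if [[ ! "${USER}" =~ ^[[:alnum:]]+$ ]]; then
            echo "USER must be alphanumeric only; got '${USER}'" >&2
            exit 1
          fi
          echo "USER=${USER}" >> "$GITHUB_OUTPUT"
          # Branch under build: the head ref when present, else the pushed ref name.
          BRANCH="${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}"
          # Repo owner and branch selecting the version of the stack builder to use.
          STACK_BUILDER_REPO_OWNER="${VAR_STACK_BUILDER_REPO_OWNER:-Sage-Bionetworks}"
          STACK_BUILDER_BRANCH="${VAR_STACK_BUILDER_BRANCH:-develop}"
          FULL_BUILD="${VAR_FULL_BUILD}"
          EXTRA_ARGS="${VAR_EXTRA_ARGS}"
          # Builds in the Sage-Bionetworks repo publish artifacts: develop gets a
          # timestamp plus short commit SHA, release-* branches the nearest tag.
          ARTIFACT_VERSION=""
          if [[ "${GITHUB_REPOSITORY_OWNER}" == "Sage-Bionetworks" ]]; then
            if [[ "${BRANCH}" == "develop" ]]; then
              ARTIFACT_VERSION="$(date +%Y-%m-%d_%H-%M)_${GITHUB_SHA:0:7}"
            elif [[ "${BRANCH}" =~ ^release- ]]; then
              # Anchored: only branches that start with 'release-' are releases.
              git fetch --tags
              ARTIFACT_VERSION=$(git describe --tags)
            fi
          fi
          if [[ -n "${ARTIFACT_VERSION}" ]]; then
            echo "ARTIFACT_VERSION=${ARTIFACT_VERSION}" >> "$GITHUB_OUTPUT"
          fi
          # The parameter string below is comma-delimited and is written to
          # GITHUB_OUTPUT one line per output: a comma would silently split a value
          # into a bogus extra parameter and a newline would inject a further
          # output, so refuse either.
          for v in "${BRANCH}" "${STACK_BUILDER_REPO_OWNER}" "${STACK_BUILDER_BRANCH}" "${FULL_BUILD}" "${EXTRA_ARGS}" "${ARTIFACT_VERSION}"; do
            if [[ "${v}" == *,* || "${v}" == *$'\n'* ]]; then
              echo "pipeline parameter values must not contain commas or newlines; got '${v}'" >&2
              exit 1
            fi
          done
          PIPELINE_PARAMETERS="SynapseBranch=${BRANCH},SynapseRepoOwner=${GITHUB_REPOSITORY_OWNER},BuildParamUser=${USER},StackBuilderBranch=${STACK_BUILDER_BRANCH},StackBuilderRepoOwner=${STACK_BUILDER_REPO_OWNER},FullBuild=${FULL_BUILD},MavenExtraArgs=${EXTRA_ARGS},ArtifactVersion=${ARTIFACT_VERSION}"
          echo "PIPELINE_PARAMETERS=${PIPELINE_PARAMETERS}" >> "$GITHUB_OUTPUT"
      - id: display-artifact-version
        name: Display Artifact Version
        env:
          ARTIFACT_VERSION: ${{ steps.pipeline-params.outputs.ARTIFACT_VERSION }}
        run: |
          if [[ -n "${ARTIFACT_VERSION}" ]]; then
            echo "Build will publish artifacts with version ${ARTIFACT_VERSION}"
          else
            echo "Artifacts will not be published for this build"
          fi
      - id: oidc
        uses: aws-actions/configure-aws-credentials@v5
        with:
          role-to-assume: arn:aws:iam::449435941126:role/sagebase-github-oidc-sage-bionetworks-synapse-build
          aws-region: us-east-1
          # eight hours; the role's MaxSessionDuration has to permit this, and the
          # session is parked in Secrets Manager below, so whoever can read that
          # secret holds build-role credentials for the full eight hours.
          role-duration-seconds: 28800
      - name: Capture Session Credentials
        env:
          BUILD_USER: ${{ steps.pipeline-params.outputs.USER }}
        run: |
          set -euo pipefail
          # The build runs in CodePipeline, which cannot take the session token as a
          # pipeline input (it exceeds the 1000 character input limit), so the
          # session is stored in Secrets Manager under a per-user name instead.
          # configure-aws-credentials exported the session into the job env; read
          # it from there instead of interpolating ${{ env.* }} into the script,
          # and let jq (on the ubuntu-latest image) produce the JSON so no value can
          # break out of the quoting. With -u an unexported credential fails loudly
          # rather than writing an empty secret.
          SECRET_NAME="/build/session-token/${BUILD_USER}"
          SECRET_VALUE=$(jq -cn \
            --arg id "$AWS_ACCESS_KEY_ID" \
            --arg key "$AWS_SECRET_ACCESS_KEY" \
            --arg tok "$AWS_SESSION_TOKEN" \
            '{AwsAccessKeyId: $id, AwsSecretAccessKey: $key, AwsSessionToken: $tok}')
          # Update first; create only when the secret genuinely does not exist.
          # Any other failure (e.g. AccessDenied) is reported instead of being
          # hidden behind a misleading "doesn't exist" message.
          if out=$(aws secretsmanager put-secret-value \
              --secret-id "$SECRET_NAME" \
              --secret-string "$SECRET_VALUE" 2>&1); then
            echo "Secret updated successfully"
          elif grep -q "ResourceNotFoundException" <<<"$out"; then
            echo "Secret doesn't exist, creating new secret..."
            aws secretsmanager create-secret \
              --name "$SECRET_NAME" \
              --secret-string "$SECRET_VALUE" \
              --description "Build credentials for ${BUILD_USER}"
            echo "Secret created successfully"
          else
            echo "Failed to update secret ${SECRET_NAME}: ${out}" >&2
            exit 1
          fi
    outputs:
      USER: ${{ steps.pipeline-params.outputs.USER }}
      PIPELINE_PARAMETERS: ${{ steps.pipeline-params.outputs.PIPELINE_PARAMETERS }}
  invoke_workflow:
    needs: build_and_test
    # NOTE(review): '@main' is a mutable ref. This reusable workflow receives every
    # inherited secret and can mint tokens for the build role, so anyone who can
    # push to Synapse-Code-Pipeline main controls that; pin to a commit SHA.
    uses: Sage-Bionetworks/Synapse-Code-Pipeline/.github/workflows/execute_code_pipeline.yml@main
    with:
      CODE_PIPELINE_CF_TEMPLATE: configuration/build/codepipeline_cf_template.yaml
      PIPELINE_NAME: Synapse-Build-${{ needs.build_and_test.outputs.USER }}
      CODE_PIPELINE_SOURCE_REVISIONS: "actionName=CheckoutSynapseRepo,revisionType=COMMIT_ID,revisionValue=${{ github.sha }}"
      PIPELINE_PARAMETERS: ${{ needs.build_and_test.outputs.PIPELINE_PARAMETERS }}
      ROLE_TO_ASSUME: arn:aws:iam::449435941126:role/sagebase-github-oidc-sage-bionetworks-synapse-build
      STATUS_REPO_OWNER: Sage-Bionetworks
      STATUS_REPOSITORY: Synapse-Repository-Services
    secrets: inherit
    permissions:
      # https://graphite.dev/guides/github-actions-permissions
      # NOTE(review): this is a broad grant (actions/security-events/deployments
      # write); trim it to what execute_code_pipeline.yml actually uses.
      id-token: write
      contents: read
      deployments: write
      security-events: write
      statuses: write
      actions: write
      checks: write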
...