Merge pull request #5507 from brucehoff/PLFM-9441 #129
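---
#
# This workflow runs the Synapse Stack Builder and then builds and runs the tests
# for the Synapse Repository Services.
#
# These parameters can be overridden with the repository's Actions variables:
#
# - USER (the 'user' parameter for the Synapse build): defaults to the first seven
#   alphanumeric characters of the repository owner. Must be alphanumeric only; the
#   workflow fails fast otherwise, because the value becomes a Secrets Manager
#   secret name and a CodePipeline name.
# - STACK_BUILDER_REPO_OWNER: defaults to Sage-Bionetworks
# - STACK_BUILDER_BRANCH: defaults to develop
# - FULL_BUILD: if true, will do a full build, vs. an abbreviated "feature build"
# - EXTRA_ARGS: extra arguments passed to the maven build (must not contain commas,
#   see the PIPELINE_PARAMETERS encoding below)
#
# Repository variables are set at
# https://github.com/<owner>/Synapse-Repository-Services/settings/variables/actions
# where <owner> is the name of one's fork of this repository.
#
# Security notes (review):
# - Repository variables are only writable by repository admins, but from the
#   shell's point of view they are still data, not code. They are handed to each
#   step through `env:` and read as shell variables; expanding them with `${{ }}`
#   inside `run:` would splice their content into the script source (script
#   injection via a variable containing `;`, `$(...)`, etc.).
# - The AWS credentials exported by configure-aws-credentials are likewise read
#   from the environment rather than interpolated into the script text.
# - Actions and the reusable workflow are referenced by mutable tag/branch
#   (`@v5`, `@v3.0.0`, `@main`). Pinning each `uses:` to a full commit SHA (tag
#   noted in a trailing comment) is recommended so an upstream ref move cannot
#   change what runs with this job's OIDC role and inherited secrets.
#
name: main
on:
  push:
    branches: ['*']
# let only one copy of the workflow run at a time (later runs queue; nothing is cancelled)
concurrency:
  group: ${{ github.workflow }}
jobs:
  build_and_test:
    permissions:
      contents: read
      id-token: write  # needed to mint the OIDC token consumed by configure-aws-credentials
    runs-on: ubuntu-latest
    steps:
      - name: checkout
        uses: actions/checkout@v5
        with:
          fetch-depth: 0  # Fetch all history so `git describe` below sees the tags
      - name: Static Analysis
        uses: pre-commit/action@v3.0.0
      - name: Determine Pipeline Parameters
        id: pipeline-params
        env:
          # Repository variables enter the script only through the environment.
          USER_OVERRIDE: ${{ vars.USER }}
          STACK_BUILDER_REPO_OWNER_OVERRIDE: ${{ vars.STACK_BUILDER_REPO_OWNER }}
          STACK_BUILDER_BRANCH_OVERRIDE: ${{ vars.STACK_BUILDER_BRANCH }}
          FULL_BUILD: ${{ vars.FULL_BUILD }}
          EXTRA_ARGS: ${{ vars.EXTRA_ARGS }}
        run: |
          set -euo pipefail
          # The 'user' parameter: the repository variable if set, otherwise derived
          # from the repository owner (non-alphanumerics stripped, first 7 chars).
          if [ -n "$USER_OVERRIDE" ]; then
            USER="$USER_OVERRIDE"
          else
            owner_alnum=${GITHUB_REPOSITORY_OWNER//[^[:alnum:]]/}
            USER=${owner_alnum:0:7}
          fi
          # USER is used as a Secrets Manager secret name segment and a pipeline
          # name: enforce the documented "alphanumeric only" contract instead of
          # trusting the variable.
          if ! [[ "$USER" =~ ^[[:alnum:]]+$ ]]; then
            echo "USER must be non-empty and alphanumeric, got '$USER'" >&2
            exit 1
          fi
          echo "USER=$USER" >> "$GITHUB_OUTPUT"
          # The branch being built (PR head ref if present, else the pushed ref).
          BRANCH=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}
          # Repo owner and branch selecting the version of the stack builder to use;
          # an empty variable falls back to the default, as before.
          STACK_BUILDER_REPO_OWNER=${STACK_BUILDER_REPO_OWNER_OVERRIDE:-Sage-Bionetworks}
          STACK_BUILDER_BRANCH=${STACK_BUILDER_BRANCH_OVERRIDE:-develop}
          # Only builds in the Sage-Bionetworks repository publish artifacts.
          ARTIFACT_VERSION=""
          if [[ "$GITHUB_REPOSITORY_OWNER" == "Sage-Bionetworks" ]]; then
            if [[ "$BRANCH" == "develop" ]]; then
              ARTIFACT_VERSION="$(date +%Y-%m-%d_%H-%M)_${GITHUB_SHA:0:7}"
            elif [[ "$BRANCH" == *release-* ]]; then
              # "release-" anywhere in the branch name qualifies (unanchored match,
              # same as the original regex); the version comes from the nearest tag.
              git fetch --tags
              ARTIFACT_VERSION=$(git describe --tags)
            fi
          fi
          if [[ -n "$ARTIFACT_VERSION" ]]; then
            echo "ARTIFACT_VERSION=$ARTIFACT_VERSION" >> "$GITHUB_OUTPUT"
          fi
          # Comma-separated Key=Value list consumed by the reusable workflow as
          # CloudFormation parameter overrides. A comma inside any value (most
          # plausibly EXTRA_ARGS) breaks this encoding.
          PIPELINE_PARAMETERS="SynapseBranch=$BRANCH"
          PIPELINE_PARAMETERS+=",SynapseRepoOwner=$GITHUB_REPOSITORY_OWNER"
          PIPELINE_PARAMETERS+=",BuildParamUser=$USER"
          PIPELINE_PARAMETERS+=",StackBuilderBranch=$STACK_BUILDER_BRANCH"
          PIPELINE_PARAMETERS+=",StackBuilderRepoOwner=$STACK_BUILDER_REPO_OWNER"
          PIPELINE_PARAMETERS+=",FullBuild=$FULL_BUILD"
          PIPELINE_PARAMETERS+=",MavenExtraArgs=$EXTRA_ARGS"
          PIPELINE_PARAMETERS+=",ArtifactVersion=$ARTIFACT_VERSION"
          echo "PIPELINE_PARAMETERS=$PIPELINE_PARAMETERS" >> "$GITHUB_OUTPUT"
      - id: display-artifact-version
        name: Display Artifact Version
        env:
          ARTIFACT_VERSION: ${{ steps.pipeline-params.outputs.ARTIFACT_VERSION }}
        run: |
          if [[ -n "$ARTIFACT_VERSION" ]]; then
            echo "Build will publish artifacts with version $ARTIFACT_VERSION"
          else
            echo "Artifacts will not be published for this build"
          fi
      - id: oidc
        uses: aws-actions/configure-aws-credentials@v5
        with:
          # NOTE(review): the role's trust policy is not visible here; it should
          # restrict the OIDC `sub` claim to this repository (and ideally to the
          # branches that are meant to build), since this workflow runs on every push.
          role-to-assume: arn:aws:iam::449435941126:role/sagebase-github-oidc-sage-bionetworks-synapse-build
          aws-region: us-east-1
          # eight hours: the session must outlive the CodePipeline execution it is handed to
          role-duration-seconds: 28800
      - name: Capture Session Credentials
        env:
          BUILD_USER: ${{ steps.pipeline-params.outputs.USER }}
          SECRET_NAME: "/build/session-token/${{ steps.pipeline-params.outputs.USER }}"
        run: |
          set -euo pipefail
          # The session credentials issued above are handed to CodePipeline through
          # Secrets Manager because they exceed the 1000-character limit for
          # pipeline input variables.
          # Anyone able to read this secret holds the build role for up to the
          # role-duration-seconds configured above, and nothing in this workflow
          # removes the secret when the run ends; its resource policy / IAM access
          # should be limited to the pipeline that consumes it.
          # configure-aws-credentials exports the credentials as AWS_* environment
          # variables; they are read from the shell environment here, never
          # interpolated into the script text. jq builds the JSON so that values
          # are escaped correctly regardless of their content.
          SECRET_VALUE=$(jq -cn \
            --arg id "$AWS_ACCESS_KEY_ID" \
            --arg key "$AWS_SECRET_ACCESS_KEY" \
            --arg tok "$AWS_SESSION_TOKEN" \
            '{AwsAccessKeyId: $id, AwsSecretAccessKey: $key, AwsSessionToken: $tok}')
          # Try to update first and fall back to create only when the secret does
          # not exist. Any other failure (AccessDenied, throttling, ...) is
          # reported and fails the step instead of being masked by a blind retry.
          # (The secret value is passed as a CLI argument, as before; on the
          # ephemeral hosted runner that is acceptable, but it is briefly visible
          # in the process list.)
          if err=$(aws secretsmanager put-secret-value \
                     --secret-id "$SECRET_NAME" \
                     --secret-string "$SECRET_VALUE" 2>&1 >/dev/null); then
            echo "Secret updated successfully"
          elif grep -q ResourceNotFoundException <<<"$err"; then
            echo "Secret doesn't exist, creating new secret..."
            if aws secretsmanager create-secret \
                 --name "$SECRET_NAME" \
                 --secret-string "$SECRET_VALUE" \
                 --description "Build credentials for $BUILD_USER" >/dev/null; then
              echo "Secret created successfully"
            else
              echo "Failed to create secret" >&2
              exit 1
            fi
          else
            echo "Failed to update secret $SECRET_NAME: $err" >&2
            exit 1
          fi
    outputs:
      USER: ${{ steps.pipeline-params.outputs.USER }}
      PIPELINE_PARAMETERS: ${{ steps.pipeline-params.outputs.PIPELINE_PARAMETERS }}
  invoke_workflow:
    needs: build_and_test
    # NOTE(review): `@main` is a mutable ref. Whatever is on that branch runs with
    # the permissions below, this repository's OIDC identity and every inherited
    # secret; pin to a commit SHA (or at least a release tag).
    uses: Sage-Bionetworks/Synapse-Code-Pipeline/.github/workflows/execute_code_pipeline.yml@main
    with:
      CODE_PIPELINE_CF_TEMPLATE: configuration/build/codepipeline_cf_template.yaml
      PIPELINE_NAME: Synapse-Build-${{ needs.build_and_test.outputs.USER }}
      CODE_PIPELINE_SOURCE_REVISIONS: "actionName=CheckoutSynapseRepo,revisionType=COMMIT_ID,revisionValue=${{ github.sha }}"
      PIPELINE_PARAMETERS: ${{ needs.build_and_test.outputs.PIPELINE_PARAMETERS }}
      # Must match the role assumed in build_and_test (cannot be shared via `env`
      # because reusable-workflow inputs cannot read the env context).
      ROLE_TO_ASSUME: arn:aws:iam::449435941126:role/sagebase-github-oidc-sage-bionetworks-synapse-build
      STATUS_REPO_OWNER: Sage-Bionetworks
      STATUS_REPOSITORY: Synapse-Repository-Services
    # `inherit` forwards every repository/organization secret to the called
    # workflow; listing only the secrets it actually uses is preferable.
    secrets: inherit
    permissions:
      # https://graphite.dev/guides/github-actions-permissions
      # The called workflow can use at most these scopes. Which of them it really
      # needs is not visible from this file; trim any it does not use.
      id-token: write
      contents: read
      deployments: write
      security-events: write
      statuses: write
      actions: write
      checks: write
...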