cwv-stats-monthly.yml

name: CWV Stats Monthly

on:
  # http archive crawl usually starts on the 2nd Tuesday of the month and finishes within ~2weeks usually by the 1st
  # of the following month therefore we run the crawl on the 7th to give a full weeks buffer after the crawl finishes.
  # https://har.fyi/guides/release-cycle/#running-the-crawl
  schedule:
    - cron: '0 0 7 * *' # At 00:00 on day-of-month 7 (UTC)
  workflow_dispatch: # Allow manual triggering

jobs:
  run-cwv-stats-lcp:
    runs-on: ubuntu-latest
    permissions:
      contents: 'read'
      id-token: 'write'

    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - uses: 'google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093' # v3.0.0
        with:
          project_id: 'httparchive'
          workload_identity_provider: '${{ secrets.GCP_WIF_PROVIDER}}'
          service_account: '${{ secrets.GCP_SA_EMAIL }}'

      - name: Build cwv-stats-lcp image
        run: docker build . --target cwv-stats-lcp -t cwv-stats-lcp

      # Auth writes credentials to a new path each run and sets GOOGLE_APPLICATION_CREDENTIALS for later steps.
      # The credentials file generated by the auth step is owned by the github action user therefore we set the user
      # of the container to that of the action thereby allowing the container to read the credentials file.
      - name: Run cwv-stats-lcp container
        env:
          GOOGLE_CLOUD_PROJECT: httparchive
        run: |
          docker run --rm \
            --user "$(id -u):$(id -g)" \
            -e GOOGLE_APPLICATION_CREDENTIALS=/app/application_default_credentials.json \
            -e GOOGLE_CLOUD_PROJECT \
            -v "$GOOGLE_APPLICATION_CREDENTIALS:/app/application_default_credentials.json:ro" \
            cwv-stats-lcp