Migrate CI/CD Pipeline #3
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI/CD Pipeline | |
| on: | |
| pull_request: | |
| branches: [main, nwm-main, development, release-candidate] | |
| push: | |
| branches: [main, nwm-main, development, release-candidate] | |
| release: | |
| types: [published] | |
| permissions: | |
| contents: read | |
| packages: write | |
| security-events: write | |
| env: | |
| REGISTRY: ghcr.io | |
| PYTHON_VERSION: '3.11' | |
| jobs: | |
| setup: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| image_base: ${{ steps.vars.outputs.image_base }} | |
| pr_tag: ${{ steps.vars.outputs.pr_tag }} | |
| commit_sha: ${{ steps.vars.outputs.commit_sha }} | |
| commit_sha_short: ${{ steps.vars.outputs.commit_sha_short }} | |
| test_image_tag: ${{ steps.vars.outputs.test_image_tag }} | |
| steps: | |
| - name: Compute image vars | |
| id: vars | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| ORG="$(echo "${GITHUB_REPOSITORY_OWNER}" | tr '[:upper:]' '[:lower:]')" | |
| REPO="$(basename "${GITHUB_REPOSITORY}")" | |
| IMAGE_BASE="${REGISTRY}/${ORG}/${REPO}" | |
| echo "image_base=${IMAGE_BASE}" >> "$GITHUB_OUTPUT" | |
| if [ "${GITHUB_EVENT_NAME}" = "pull_request" ]; then | |
| PR_NUM="${{ github.event.pull_request.number }}" | |
| PR_TAG="pr-${PR_NUM}-build" | |
| echo "pr_tag=${PR_TAG}" >> "$GITHUB_OUTPUT" | |
| echo "test_image_tag=${PR_TAG}" >> "$GITHUB_OUTPUT" | |
| fi | |
| if [ "${GITHUB_EVENT_NAME}" = "push" ]; then | |
| COMMIT_SHA="${GITHUB_SHA}" | |
| SHORT_SHA="${COMMIT_SHA:0:12}" | |
| echo "commit_sha=${COMMIT_SHA}" >> "$GITHUB_OUTPUT" | |
| echo "commit_sha_short=${SHORT_SHA}" >> "$GITHUB_OUTPUT" | |
| echo "test_image_tag=${SHORT_SHA}" >> "$GITHUB_OUTPUT" | |
| fi | |
| build: | |
| name: build | |
| if: github.event_name == 'pull_request' || github.event_name == 'push' | |
| runs-on: ubuntu-latest | |
| needs: setup | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Log in to registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build & push image | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| push: true | |
| tags: ${{ needs.setup.outputs.image_base }}:${{ needs.setup.outputs.test_image_tag }} | |
| build-args: | | |
| IMAGE_TAG=${{ needs.setup.outputs.test_image_tag }} | |
| unit-test: | |
| name: unit-test | |
| if: github.event_name == 'pull_request' || github.event_name == 'push' | |
| runs-on: ubuntu-latest | |
| needs: [setup, build] | |
| container: | |
| image: ${{ needs.setup.outputs.image_base }}:${{ needs.setup.outputs.test_image_tag }} | |
| steps: | |
| - name: Run unit tests | |
| run: | | |
| echo "Running Unit Tests..." | |
| cd /ngen-app/nwm-cal-mgr | |
| echo "Current Git commit hash:" | |
| git rev-parse HEAD # Shows the current commit hash being used | |
| echo "Last commit log:" | |
| git log -1 --oneline # Shows the last commit log to verify the latest commit | |
| pytest --log-cli-level 0 ./python/runCalibValid/ngen_conf/tests/ | |
| pytest --log-cli-level 0 ./python/runCalibValid/ngen_cal/tests/ | |
| sonarqube-internal: | |
| if: (github.event_name == 'pull_request' || github.event_name == 'push') && github.repository_owner == 'NGWPC' | |
| runs-on: self-hosted | |
| needs: unit-test | |
| container: | |
| image: sonarsource/sonar-scanner-cli | |
| options: --entrypoint="" --user 0 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: SonarQube Scan | |
| env: | |
| SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} | |
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
| run: sonar-scanner -X -Dsonar.verbose=true | |
| codeql-scan: | |
| if: github.event_name == 'pull_request' || github.event_name == 'push' | |
| runs-on: ubuntu-latest | |
| needs: unit-test | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: ${{ env.PYTHON_VERSION }} | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v3 | |
| with: | |
| languages: python | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| if [ -f requirements.txt ]; then pip install -r requirements.txt; fi | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v3 | |
| container-scanning: | |
| if: github.event_name == 'pull_request' || github.event_name == 'push' | |
| runs-on: ubuntu-latest | |
| needs: [setup, build] | |
| steps: | |
| - name: Scan container with Trivy | |
| uses: aquasecurity/trivy-action@0.20.0 | |
| with: | |
| image-ref: ${{ needs.setup.outputs.image_base }}:${{ needs.setup.outputs.test_image_tag }} | |
| format: 'template' | |
| template: '@/contrib/sarif.tpl' | |
| output: 'trivy-results.sarif' | |
| severity: 'CRITICAL,HIGH' | |
| - name: Upload Trivy SARIF | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: 'trivy-results.sarif' | |
| deploy-latest-on-development: | |
| name: deploy-latest-on-development | |
| if: github.event_name == 'push' && github.ref_name == 'development' | |
| runs-on: ubuntu-latest | |
| needs: [setup, build, unit-test, sonarqube-internal, codeql-scan, container-scanning] | |
| steps: | |
| - name: Log in to registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Promote commit image to :latest | |
| run: | | |
| docker pull ${{ needs.setup.outputs.image_base }}:${{ needs.setup.outputs.commit_sha_short }} | |
| docker tag ${{ needs.setup.outputs.image_base }}:${{ needs.setup.outputs.commit_sha_short }} ${{ needs.setup.outputs.image_base }}:latest | |
| docker push ${{ needs.setup.outputs.image_base }}:latest | |
| release: | |
| name: release | |
| if: github.event_name == 'release' && github.event.action == 'published' | |
| runs-on: ubuntu-latest | |
| needs: setup | |
| steps: | |
| - name: Log in to registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Check out the release tag | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.release.tag_name }} | |
| fetch-depth: 0 | |
| - name: Resolve commit sha for the tag | |
| id: rev | |
| shell: bash | |
| run: | | |
| SHORT_SHA="$(git rev-parse --short=12 HEAD)" | |
| echo "short_sha=${SHORT_SHA}" >> "$GITHUB_OUTPUT" | |
| - name: Tag image with release tag | |
| run: | | |
| docker pull ${{ needs.setup.outputs.image_base }}:${{ steps.rev.outputs.short_sha }} | |
| docker tag ${{ needs.setup.outputs.image_base }}:${{ steps.rev.outputs.short_sha }} ${{ needs.setup.outputs.image_base }}:${{ github.event.release.tag_name }} | |
| docker push ${{ needs.setup.outputs.image_base }}:${{ github.event.release.tag_name }} |