updated ngen image tag to use IMAGE_TAG variable #11
  
    
    
  
  
    
  | name: CI/CD Pipeline | |
| on: | |
| pull_request: | |
| branches: [main, nwm-main, development, release-candidate] | |
| push: | |
| branches: [main, nwm-main, development, release-candidate] | |
| release: | |
| types: [published] | |
| permissions: | |
| contents: read | |
| packages: write | |
| security-events: write | |
| env: | |
| REGISTRY: ghcr.io | |
| PYTHON_VERSION: '3.11' | |
| jobs: | |
| setup: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| image_base: ${{ steps.vars.outputs.image_base }} | |
| pr_tag: ${{ steps.vars.outputs.pr_tag }} | |
| commit_sha: ${{ steps.vars.outputs.commit_sha }} | |
| commit_sha_short: ${{ steps.vars.outputs.commit_sha_short }} | |
| test_image_tag: ${{ steps.vars.outputs.test_image_tag }} | |
| steps: | |
| - name: Compute image vars | |
| id: vars | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| ORG="$(echo "${GITHUB_REPOSITORY_OWNER}" | tr '[:upper:]' '[:lower:]')" | |
| REPO="$(basename "${GITHUB_REPOSITORY}")" | |
| IMAGE_BASE="${REGISTRY}/${ORG}/${REPO}" | |
| echo "image_base=${IMAGE_BASE}" >> "$GITHUB_OUTPUT" | |
| if [ "${GITHUB_EVENT_NAME}" = "pull_request" ]; then | |
| PR_NUM="${{ github.event.pull_request.number }}" | |
| PR_TAG="pr-${PR_NUM}-build" | |
| echo "pr_tag=${PR_TAG}" >> "$GITHUB_OUTPUT" | |
| echo "test_image_tag=${PR_TAG}" >> "$GITHUB_OUTPUT" | |
| fi | |
| if [ "${GITHUB_EVENT_NAME}" = "push" ]; then | |
| COMMIT_SHA="${GITHUB_SHA}" | |
| SHORT_SHA="${COMMIT_SHA:0:12}" | |
| echo "commit_sha=${COMMIT_SHA}" >> "$GITHUB_OUTPUT" | |
| echo "commit_sha_short=${SHORT_SHA}" >> "$GITHUB_OUTPUT" | |
| echo "test_image_tag=${SHORT_SHA}" >> "$GITHUB_OUTPUT" | |
| fi | |
| build: | |
| name: build | |
| if: github.event_name == 'pull_request' || github.event_name == 'push' | |
| runs-on: ubuntu-latest | |
| needs: setup | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Log in to registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build & push image | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| push: true | |
| tags: ${{ needs.setup.outputs.image_base }}:${{ needs.setup.outputs.test_image_tag }} | |
| build-args: | | |
| NGEN_IMAGE_TAG=${{ env.NGEN_IMAGE_TAG || 'latest' }} | |
| unit-test: | |
| name: unit-test | |
| if: github.event_name == 'pull_request' || github.event_name == 'push' | |
| runs-on: ubuntu-latest | |
| needs: [setup, build] | |
| container: | |
| image: ${{ needs.setup.outputs.image_base }}:${{ needs.setup.outputs.test_image_tag }} | |
| steps: | |
| - name: run unit tests (with coverage xml) | |
| run: | | |
| echo "Running Unit Tests..." | |
| cd /ngen-app/nwm-cal-mgr | |
| echo "Current Git commit hash:" && git rev-parse HEAD | |
| echo "Last commit log:" && git log -1 --oneline | |
| # ensure coverage plugin is available | |
| python -m pip install -U pip pytest pytest-cov coverage | |
| # ensure coverage paths are relative so sonar can match files after checkout | |
| printf "[run]\nrelative_files = True\n" > .coveragerc | |
| # run tests and write coverage.xml at repo root inside the container | |
| pytest --log-cli-level 0 \ | |
| --cov=python \ | |
| --cov-report=xml:coverage.xml \ | |
| ./python/calib/tests/ | |
| - name: upload coverage.xml | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: coverage-xml | |
| path: /ngen-app/nwm-cal-mgr/coverage.xml | |
| if-no-files-found: error | |
| sonarqube-internal: | |
| if: (github.event_name == 'pull_request' || github.event_name == 'push') && github.repository_owner == 'NGWPC' | |
| runs-on: self-hosted | |
| needs: [setup, build, unit-test] | |
| continue-on-error: true | |
| container: | |
| image: sonarsource/sonar-scanner-cli | |
| options: --entrypoint="" --user 0 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: install git | |
| run: | | |
| apt-get update && apt-get install -y git | |
| git --version | |
| - name: download coverage.xml | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: coverage-xml | |
| path: . | |
| - name: SonarQube scan | |
| env: | |
| SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} | |
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
| run: | | |
| sonar-scanner -X -Dsonar.verbose=true \ | |
| -Dsonar.host.url="$SONAR_HOST_URL" \ | |
| -Dsonar.token="$SONAR_TOKEN" \ | |
| -Dsonar.scanner.skipSystemTruststore=true \ | |
| -Dsonar.python.coverage.reportPaths=coverage.xml | |
| codeql-scan: | |
| if: github.event_name == 'pull_request' || github.event_name == 'push' | |
| runs-on: ubuntu-latest | |
| needs: [setup, build] | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: ${{ env.PYTHON_VERSION }} | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v3 | |
| with: | |
| languages: python | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| if [ -f requirements.txt ]; then pip install -r requirements.txt; fi | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v3 | |
| container-scanning: | |
| if: github.event_name == 'pull_request' || github.event_name == 'push' | |
| runs-on: ubuntu-latest | |
| needs: [setup, build] | |
| steps: | |
| - name: Scan container with Trivy | |
| uses: aquasecurity/trivy-action@0.20.0 | |
| with: | |
| image-ref: ${{ needs.setup.outputs.image_base }}:${{ needs.setup.outputs.test_image_tag }} | |
| format: 'template' | |
| template: '@/contrib/sarif.tpl' | |
| output: 'trivy-results.sarif' | |
| severity: 'CRITICAL,HIGH' | |
| - name: Upload Trivy SARIF | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: 'trivy-results.sarif' | |
| deploy-latest-on-development: | |
| name: deploy-latest-on-development | |
| if: github.event_name == 'push' && github.ref_name == 'development' | |
| runs-on: ubuntu-latest | |
| needs: [setup, build, unit-test, sonarqube-internal, codeql-scan, container-scanning] | |
| steps: | |
| - name: Log in to registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build latest image | |
| run: | | |
| docker pull ${{ needs.setup.outputs.image_base }}:${{ needs.setup.outputs.commit_sha_short }} | |
| docker tag ${{ needs.setup.outputs.image_base }}:${{ needs.setup.outputs.commit_sha_short }} ${{ needs.setup.outputs.image_base }}:latest | |
| docker push ${{ needs.setup.outputs.image_base }}:latest | |
| release: | |
| name: release | |
| if: github.event_name == 'release' && github.event.action == 'published' | |
| runs-on: ubuntu-latest | |
| needs: setup | |
| steps: | |
| - name: Log in to registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Check out the release tag | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.release.tag_name }} | |
| fetch-depth: 0 | |
| - name: Resolve commit sha for the tag | |
| id: rev | |
| shell: bash | |
| run: | | |
| SHORT_SHA="$(git rev-parse --short=12 HEAD)" | |
| echo "short_sha=${SHORT_SHA}" >> "$GITHUB_OUTPUT" | |
| - name: Tag image with release tag | |
| run: | | |
| docker pull ${{ needs.setup.outputs.image_base }}:${{ steps.rev.outputs.short_sha }} | |
| docker tag ${{ needs.setup.outputs.image_base }}:${{ steps.rev.outputs.short_sha }} ${{ needs.setup.outputs.image_base }}:${{ github.event.release.tag_name }} | |
| docker push ${{ needs.setup.outputs.image_base }}:${{ github.event.release.tag_name }} |
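Review bot: The build-arg `NGEN_IMAGE_TAG=${{ env.NGEN_IMAGE_TAG || 'latest' }}` in the build job reads `env.NGEN_IMAGE_TAG`, but the workflow's top-level `env:` defines only `REGISTRY` and `PYTHON_VERSION`, so the expression always evaluates to `latest` and the variable the commit title refers to never takes effect. If the value is meant to come from a repository-level variable, the expression should read the `vars` context, e.g. `NGEN_IMAGE_TAG=${{ vars.NGEN_IMAGE_TAG || 'latest' }}`; otherwise add `NGEN_IMAGE_TAG: '<pinned-tag-placeholder>'` under the top-level `env:` so the fallback is reachable. Either way, defaulting to a floating `latest` base tag makes the PR/push builds non-reproducible and ties the Trivy findings to whatever `latest` resolved to on that day, so a pinned tag (or digest) as the default is preferable. The rendered page carries no old/new markers, so which of these lines the commit actually touched is inferred from its title.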