Merge pull request #4 from NGWPC/development #67

Workflow file for this run

	name: CI/CD Pipeline

	on:
	pull_request:
	branches: [main, nwm-main, development, release-candidate]
	push:
	branches: [main, nwm-main, development, release-candidate]
	release:
	types: [published]

	permissions:
	contents: read
	packages: write
	security-events: write

	env:
	REGISTRY: ghcr.io
	PYTHON_VERSION: '3.10.14'

	jobs:
	setup:
	runs-on: ubuntu-latest
	outputs:
	image_base: ${{ steps.vars.outputs.image_base }}
	pr_tag: ${{ steps.vars.outputs.pr_tag }}
	commit_sha: ${{ steps.vars.outputs.commit_sha }}
	commit_sha_short: ${{ steps.vars.outputs.commit_sha_short }}
	test_image_tag: ${{ steps.vars.outputs.test_image_tag }}
	steps:
	- name: Compute image vars
	id: vars
	shell: bash
	run: \|
	set -euo pipefail
	ORG="$(echo "${GITHUB_REPOSITORY_OWNER}" \| tr '[:upper:]' '[:lower:]')"
	REPO="$(basename "${GITHUB_REPOSITORY}")"
	IMAGE_BASE="${REGISTRY}/${ORG}/${REPO}"
	echo "image_base=${IMAGE_BASE}" >> "$GITHUB_OUTPUT"

	if [ "${GITHUB_EVENT_NAME}" = "pull_request" ]; then
	PR_NUM="${{ github.event.pull_request.number }}"
	PR_TAG="pr-${PR_NUM}-build"
	echo "pr_tag=${PR_TAG}" >> "$GITHUB_OUTPUT"
	echo "test_image_tag=${PR_TAG}" >> "$GITHUB_OUTPUT"
	fi

	if [ "${GITHUB_EVENT_NAME}" = "push" ]; then
	COMMIT_SHA="${GITHUB_SHA}"
	SHORT_SHA="${COMMIT_SHA:0:12}"
	echo "commit_sha=${COMMIT_SHA}" >> "$GITHUB_OUTPUT"
	echo "commit_sha_short=${SHORT_SHA}" >> "$GITHUB_OUTPUT"
	echo "test_image_tag=${SHORT_SHA}" >> "$GITHUB_OUTPUT"
	fi

	build:
	name: build
	if: github.event_name == 'pull_request' \|\| github.event_name == 'push'
	runs-on: ubuntu-latest
	needs: setup
	steps:
	- uses: actions/checkout@v4

	- name: Log in to registry
	uses: docker/login-action@v3
	with:
	registry: ${{ env.REGISTRY }}
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Build & push image
	uses: docker/build-push-action@v6
	with:
	context: .
	push: true
	tags: ${{ needs.setup.outputs.image_base }}:${{ needs.setup.outputs.test_image_tag }}
	build-args: \|
	NWM_EVAL_MGR_TAG=${{ env.NWM_EVAL_MGR_TAG \|\| 'development' }}

	unit-test:
	name: unit-test
	if: github.event_name == 'pull_request' \|\| github.event_name == 'push'
	runs-on: ubuntu-latest
	needs: [setup, build]
	container:
	image: ${{ needs.setup.outputs.image_base }}:${{ needs.setup.outputs.test_image_tag }}
	steps:
	- name: run unit tests (with coverage xml)
	run: \|
	echo "Add unit tests here..."

	codeql-scan:
	if: github.event_name == 'pull_request' \|\| github.event_name == 'push'
	runs-on: ubuntu-latest
	needs: [setup, build]
	permissions:
	actions: read
	contents: read
	security-events: write
	steps:
	- uses: actions/checkout@v4
	- name: Set up Python
	uses: actions/setup-python@v5
	with:
	python-version: ${{ env.PYTHON_VERSION }}
	- name: Initialize CodeQL
	uses: github/codeql-action/init@v3
	with:
	languages: python
	- name: Install dependencies
	run: \|
	python -m pip install --upgrade pip setuptools wheel
	# Install the package (and dev extras if defined) since there is no requirements.txt
	if python -c "import setuptools, pkgutil; exit(0)" 2>/dev/null; then
	# Try with develop extras first (provides pytest, etc.)
	pip install '.[develop]' \|\| pip install .
	else
	pip install .
	fi
	- name: Perform CodeQL Analysis
	uses: github/codeql-action/analyze@v3

	container-scanning:
	if: github.event_name == 'pull_request' \|\| github.event_name == 'push'
	runs-on: ubuntu-latest
	needs: [setup, build]
	steps:
	- name: Scan container with Trivy
	uses: aquasecurity/trivy-action@0.20.0
	with:
	image-ref: ${{ needs.setup.outputs.image_base }}:${{ needs.setup.outputs.test_image_tag }}
	format: 'template'
	template: '@/contrib/sarif.tpl'
	output: 'trivy-results.sarif'
	severity: 'CRITICAL,HIGH'
	- name: Upload Trivy SARIF
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: 'trivy-results.sarif'

	deploy-latest-on-development:
	name: deploy-latest-on-development
	if: github.event_name == 'push' && github.ref_name == 'development'
	runs-on: ubuntu-latest
	needs: [setup, build, unit-test, codeql-scan, container-scanning]
	steps:
	- name: Log in to registry
	uses: docker/login-action@v3
	with:
	registry: ${{ env.REGISTRY }}
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- name: Build latest image
	run: \|
	docker pull ${{ needs.setup.outputs.image_base }}:${{ needs.setup.outputs.commit_sha_short }}
	docker tag ${{ needs.setup.outputs.image_base }}:${{ needs.setup.outputs.commit_sha_short }} ${{ needs.setup.outputs.image_base }}:latest
	docker push ${{ needs.setup.outputs.image_base }}:latest

	release:
	name: release
	if: github.event_name == 'release' && github.event.action == 'published'
	runs-on: ubuntu-latest
	needs: setup
	steps:
	- name: Log in to registry
	uses: docker/login-action@v3
	with:
	registry: ${{ env.REGISTRY }}
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Check out the release tag
	uses: actions/checkout@v4
	with:
	ref: ${{ github.event.release.tag_name }}
	fetch-depth: 0

	- name: Resolve commit sha for the tag
	id: rev
	shell: bash
	run: \|
	SHORT_SHA="$(git rev-parse --short=12 HEAD)"
	echo "short_sha=${SHORT_SHA}" >> "$GITHUB_OUTPUT"

	- name: Tag image with release tag
	run: \|
	docker pull ${{ needs.setup.outputs.image_base }}:${{ steps.rev.outputs.short_sha }}
	docker tag ${{ needs.setup.outputs.image_base }}:${{ steps.rev.outputs.short_sha }} ${{ needs.setup.outputs.image_base }}:${{ github.event.release.tag_name }}
	docker push ${{ needs.setup.outputs.image_base }}:${{ github.event.release.tag_name }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Merge pull request #4 from NGWPC/development #67

Workflow file

Merge pull request #4 from NGWPC/development #67

Uh oh!

Jobs

Run details

Workflow file for this run