

Merge pull request #6 from NGWPC/yliu_NGWPC-6986

Merge pull request #6 from NGWPC/yliu_NGWPC-6986 #73


---
# CI/CD pipeline: builds a container image for pull requests and pushes,
# runs CodeQL and Trivy against it, and promotes the image to `latest`
# (pushes to development) or to the release tag (published releases).
name: CI/CD Pipeline

# `on` is a YAML 1.1 boolean key; GitHub's loader handles it (yamllint truthy).
on:
  pull_request:
    branches:
      - main
      - nwm-main
      - development
      - release-candidate
  push:
    branches:
      - main
      - nwm-main
      - development
      - release-candidate
  release:
    types:
      - published

# Default GITHUB_TOKEN scopes for any job that does not declare its own.
# NOTE(review): `packages: write` and `security-events: write` are inherited
# by every job, including ones that only read; narrowing this block to
# `contents: read` is safe once each job carries its own `permissions:`.
permissions:
  contents: read
  packages: write
  security-events: write

env:
  REGISTRY: ghcr.io
  # Quoted so the patch version is not read as a float.
  PYTHON_VERSION: '3.10.14'
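jobs:
  # Derives the image name and the per-event tag consumed by every later job.
  # Outputs populated per event:
  #   pull_request: pr_tag, test_image_tag (= pr_tag)
  #   push:         commit_sha, commit_sha_short, test_image_tag (= commit_sha_short)
  #   release:      only image_base — the release job resolves its own sha
  setup:
    runs-on: ubuntu-latest
    # Pure shell work on workflow variables; the token is not used at all.
    permissions: {}
    outputs:
      image_base: ${{ steps.vars.outputs.image_base }}
      pr_tag: ${{ steps.vars.outputs.pr_tag }}
      commit_sha: ${{ steps.vars.outputs.commit_sha }}
      commit_sha_short: ${{ steps.vars.outputs.commit_sha_short }}
      test_image_tag: ${{ steps.vars.outputs.test_image_tag }}
    steps:
      - name: Compute image vars
        id: vars
        shell: bash
        # Expression values reach the script through `env` rather than being
        # interpolated into the script text, so the shell never re-parses them.
        # (Empty on non-PR events; harmless under `set -u` because it is exported.)
        env:
          PR_NUM: ${{ github.event.pull_request.number }}
        run: |
          set -euo pipefail
          # OCI repository names must be lowercase. Both owner and repo are
          # normalised; the previous version lowercased only the owner, so a
          # repository name containing capitals produced an invalid image ref.
          ORG="$(echo "${GITHUB_REPOSITORY_OWNER}" | tr '[:upper:]' '[:lower:]')"
          REPO="$(basename "${GITHUB_REPOSITORY}" | tr '[:upper:]' '[:lower:]')"
          IMAGE_BASE="${REGISTRY}/${ORG}/${REPO}"
          echo "image_base=${IMAGE_BASE}" >> "$GITHUB_OUTPUT"
          if [ "${GITHUB_EVENT_NAME}" = "pull_request" ]; then
            PR_TAG="pr-${PR_NUM}-build"
            echo "pr_tag=${PR_TAG}" >> "$GITHUB_OUTPUT"
            echo "test_image_tag=${PR_TAG}" >> "$GITHUB_OUTPUT"
          fi
          if [ "${GITHUB_EVENT_NAME}" = "push" ]; then
            COMMIT_SHA="${GITHUB_SHA}"
            # Fixed 12-character prefix; the release job must derive the same
            # prefix to find this image again.
            SHORT_SHA="${COMMIT_SHA:0:12}"
            echo "commit_sha=${COMMIT_SHA}" >> "$GITHUB_OUTPUT"
            echo "commit_sha_short=${SHORT_SHA}" >> "$GITHUB_OUTPUT"
            echo "test_image_tag=${SHORT_SHA}" >> "$GITHUB_OUTPUT"
          fi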
build:
name: build
if: github.event_name == 'pull_request' || github.event_name == 'push'
runs-on: ubuntu-latest
needs: setup
steps:
- uses: actions/checkout@v4
- name: Log in to registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build & push image
uses: docker/build-push-action@v6
with:
context: .
push: true
tags: ${{ needs.setup.outputs.image_base }}:${{ needs.setup.outputs.test_image_tag }}
build-args: |
NWM_EVAL_MGR_TAG=${{ env.NWM_EVAL_MGR_TAG || 'development' }}
unit-test:
name: unit-test
if: github.event_name == 'pull_request' || github.event_name == 'push'
runs-on: ubuntu-latest
needs: [setup, build]
container:
image: ${{ needs.setup.outputs.image_base }}:${{ needs.setup.outputs.test_image_tag }}
steps:
- name: run unit tests (with coverage xml)
run: |
echo "Add unit tests here..."
codeql-scan:
if: github.event_name == 'pull_request' || github.event_name == 'push'
runs-on: ubuntu-latest
needs: [setup, build]
permissions:
actions: read
contents: read
security-events: write
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: python
- name: Install dependencies
run: |
python -m pip install --upgrade pip setuptools wheel
# Install the package (and dev extras if defined) since there is no requirements.txt
if python -c "import setuptools, pkgutil; exit(0)" 2>/dev/null; then
# Try with develop extras first (provides pytest, etc.)
pip install '.[develop]' || pip install .
else
pip install .
fi
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
container-scanning:
if: github.event_name == 'pull_request' || github.event_name == 'push'
runs-on: ubuntu-latest
needs: [setup, build]
steps:
- name: Scan container with Trivy
uses: aquasecurity/trivy-action@0.20.0
with:
image-ref: ${{ needs.setup.outputs.image_base }}:${{ needs.setup.outputs.test_image_tag }}
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Upload Trivy SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
deploy-latest-on-development:
name: deploy-latest-on-development
if: github.event_name == 'push' && github.ref_name == 'development'
runs-on: ubuntu-latest
needs: [setup, build, unit-test, codeql-scan, container-scanning]
steps:
- name: Log in to registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build latest image
run: |
docker pull ${{ needs.setup.outputs.image_base }}:${{ needs.setup.outputs.commit_sha_short }}
docker tag ${{ needs.setup.outputs.image_base }}:${{ needs.setup.outputs.commit_sha_short }} ${{ needs.setup.outputs.image_base }}:latest
docker push ${{ needs.setup.outputs.image_base }}:latest
release:
name: release
if: github.event_name == 'release' && github.event.action == 'published'
runs-on: ubuntu-latest
needs: setup
steps:
- name: Log in to registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Check out the release tag
uses: actions/checkout@v4
with:
ref: ${{ github.event.release.tag_name }}
fetch-depth: 0
- name: Resolve commit sha for the tag
id: rev
shell: bash
run: |
SHORT_SHA="$(git rev-parse --short=12 HEAD)"
echo "short_sha=${SHORT_SHA}" >> "$GITHUB_OUTPUT"
- name: Tag image with release tag
run: |
docker pull ${{ needs.setup.outputs.image_base }}:${{ steps.rev.outputs.short_sha }}
docker tag ${{ needs.setup.outputs.image_base }}:${{ steps.rev.outputs.short_sha }} ${{ needs.setup.outputs.image_base }}:${{ github.event.release.tag_name }}
docker push ${{ needs.setup.outputs.image_base }}:${{ github.event.release.tag_name }}