Add first pact verification for WDS integration. #7267
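# This workflow will build a Java project with Gradle
# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-gradle
#
# Review notes:
#   - Third-party actions are referenced by floating major tags (@v1, @v3).
#     Pinning each `uses:` to a full commit SHA makes the workflow reproducible
#     against tag moves; the SHAs are not known from this file, so tags are kept.
#   - No top-level `permissions:` block is declared, so GITHUB_TOKEN gets the
#     repository default. Declaring the minimum each job needs (the SonarQube
#     steps are the only GITHUB_TOKEN consumers here) limits what a compromised
#     step could do.
name: Run Service Tests
on:
  push:
    branches:
      - main
    paths-ignore:
      - '*.md'
      - '.github/**'
      - 'service/local-dev/**'
  pull_request:
    branches:
      - main
    # There is an issue with GitHub required checks and paths-ignore. We don't really need to
    # run the tests if there are only irrelevant changes (see paths-ignore above). However,
    # we require tests to pass by making a "required check" rule on the branch. If the action
    # is not triggered, the required check never passes and you are stuck. Therefore, we have
    # to run tests even when we only change a markdown file. So don't do what I did and put a
    # paths-ignore right here!
  workflow_dispatch:
    inputs:
      testEnv:
        description: 'Environment in which tests should be run. Regardless of how this is set, the tests run against a local Postgres and development Sam'
        required: true
jobs:
  # Builds, tests, scans and publishes the azureDatabaseUtils image. The
  # Trivy scan runs before the push so a failing scan blocks publication.
  build-test-publish-azureDatabaseUtils:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout current code
        uses: actions/checkout@v3
      - name: Set up JDK
        uses: actions/setup-java@v3
        with:
          distribution: 'temurin'
          java-version: 17
      - name: Cache Gradle packages
        uses: actions/cache@v3
        with:
          path: |
            ~/.gradle/caches
            ~/.gradle/wrapper
          key: v1-${{ runner.os }}-gradle-${{ hashFiles('**/gradle-wrapper.properties') }}-${{ hashFiles('**/*.gradle') }}
          restore-keys: v1-${{ runner.os }}-gradle-${{ hashFiles('**/gradle-wrapper.properties') }}
      - name: Grant execute permission for gradlew
        run: chmod +x gradlew
      - name: Construct docker image name and tag
        id: image-name
        # The image tag is the commit SHA so the published image is traceable
        # to the exact source it was built from.
        run: echo "name=us.gcr.io/broad-dsp-gcr-public/azure-database-utils:${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
      - name: Run tests
        run: ./gradlew --build-cache :azureDatabaseUtils:test --scan
      - name: Build docker
        run: ./gradlew --build-cache :azureDatabaseUtils:jibDockerBuild --image=${{ steps.image-name.outputs.name }} -Djib.console=plain --scan
      - name: Run Trivy vulnerability scanner
        # Link to the github location of the action https://github.com/broadinstitute/dsp-appsec-trivy-action
        uses: broadinstitute/dsp-appsec-trivy-action@v1
        with:
          image: ${{ steps.image-name.outputs.name }}
      - name: Auth to Google
        uses: google-github-actions/auth@v1
        with:
          credentials_json: ${{ secrets.GCR_PUBLISH_KEY }}
      - name: Setup gcloud
        uses: google-github-actions/setup-gcloud@v1
        with:
          # `version` is an input of setup-gcloud, not of the auth action
          # (it was previously listed under the auth step, where it is ignored).
          version: '411.0.0'
      - name: Explicitly auth Docker for GCR
        run: gcloud auth configure-docker --quiet
      - name: Push GCR image
        run: "docker push ${{ steps.image-name.outputs.name }}"
      - name: SonarQube scan
        run: ./gradlew --build-cache :azureDatabaseUtils:sonarqube
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  # Runs each service test task from the matrix. Connected/azure tasks need
  # Vault-backed configuration; unitTest runs without it.
  test-job:
    runs-on: ubuntu-latest
    # the azure connected tests require azureDatabaseUtils to be built and published
    needs: build-test-publish-azureDatabaseUtils
    # A note on our use of a matrix here:
    # Github workflows don't really support reusing code very well. Every workflow runs on a clean
    # instance, so we can't share a setup workflow. We could write a custom action, but you can't
    # call an action from another action, and they also don't have access to secrets.
    # Github also doesn't support yaml anchors (https://github.community/t/support-for-yaml-anchors/),
    # so we're using a matrix.
    strategy:
      fail-fast: false
      matrix:
        gradleTask: [unitTest, connectedTest, azureUnitTest, azureConnectedTest, awsUnitTest]
    steps:
      - name: Checkout current code
        uses: actions/checkout@v3
      - name: Skip version bump merges
        id: skiptest
        uses: ./.github/actions/bump-skip
        with:
          event-name: ${{ github.event_name }}
      - name: Set env
        if: steps.skiptest.outputs.is-bump == 'no'
        id: set-env-step
        env:
          # The workflow_dispatch input is passed through the environment rather
          # than interpolated into the script text, so its value is only ever
          # data to the shell and cannot be executed (GitHub script-injection
          # guidance). A `type: choice` with an explicit options list on the
          # input would constrain it further; the allowed values are not known here.
          DISPATCH_TEST_ENV: ${{ github.event.inputs.testEnv }}
        run: |
          if ${{ github.event_name == 'pull_request' || github.event_name == 'push' }}; then
            ENV=local
          elif ${{ github.event_name == 'workflow_dispatch' }}; then
            ENV="$DISPATCH_TEST_ENV"
          else
            echo "::error ::${{ github.event_name }} not supported for this workflow"
            exit 1
          fi
          echo "test-env=$ENV" >> "$GITHUB_OUTPUT"
      - name: Set up JDK
        if: steps.skiptest.outputs.is-bump == 'no'
        uses: actions/setup-java@v3
        with:
          distribution: 'temurin'
          java-version: 17
      - name: Cache Gradle packages
        if: steps.skiptest.outputs.is-bump == 'no'
        uses: actions/cache@v3
        with:
          path: |
            ~/.gradle/caches
            ~/.gradle/wrapper
          key: v1-${{ runner.os }}-gradle-${{ hashFiles('**/gradle-wrapper.properties') }}-${{ hashFiles('**/*.gradle') }}
          restore-keys: v1-${{ runner.os }}-gradle-${{ hashFiles('**/gradle-wrapper.properties') }}
      - name: Grant execute permission for gradlew
        if: steps.skiptest.outputs.is-bump == 'no'
        run: chmod +x gradlew
      # These steps aren't needed for unit tests
      - name: Get Vault token
        if: matrix.gradleTask != 'unitTest' && steps.skiptest.outputs.is-bump == 'no'
        id: vault-token-step
        env:
          VAULT_ADDR: https://clotho.broadinstitute.org:8200
          # The AppRole credentials are handed to the shell via the environment
          # instead of being substituted into the command text.
          VAULT_ROLE_ID: ${{ secrets.VAULT_APPROLE_ROLE_ID }}
          VAULT_SECRET_ID: ${{ secrets.VAULT_APPROLE_SECRET_ID }}
        run: |
          VAULT_TOKEN=$(docker run --rm --cap-add IPC_LOCK \
            -e "VAULT_ADDR=${VAULT_ADDR}" \
            vault:1.1.0 \
            vault write -field token \
            auth/approle/login role_id="${VAULT_ROLE_ID}" \
            secret_id="${VAULT_SECRET_ID}")
          # Fail here rather than handing an empty token to the write-config step.
          if [ -z "${VAULT_TOKEN}" ]; then
            echo "::error ::Vault AppRole login returned an empty token"
            exit 1
          fi
          echo "::add-mask::${VAULT_TOKEN}"
          echo "vault-token=${VAULT_TOKEN}" >> "$GITHUB_OUTPUT"
      - name: Write config
        if: matrix.gradleTask != 'unitTest' && steps.skiptest.outputs.is-bump == 'no'
        id: config
        uses: ./.github/actions/write-config
        with:
          # Note that unit and connected tests run with local configuration regardless of
          # the test-env specified on the workflow-dispatch input.
          target: local
          vault-token: ${{ steps.vault-token-step.outputs.vault-token }}
      # Run tests
      - name: Run tests
        if: steps.skiptest.outputs.is-bump == 'no'
        env:
          # PRINT_STANDARD_STREAMS is temporary to let us inspect logs for a particular
          # issue with Stairway serdes.
          PRINT_STANDARD_STREAMS: please
          TEST_ENV: ${{ steps.set-env-step.outputs.test-env }}
        run: ./gradlew :service:${{ matrix.gradleTask }} --scan
      - name: SonarQube scan
        if: steps.skiptest.outputs.is-bump == 'no'
        run: ./gradlew --build-cache :service:sonarqube
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: "Notify QA Slack"
        if: always() && (steps.set-env-step.outputs.test-env == 'alpha' || steps.set-env-step.outputs.test-env == 'staging')
        # NOTE(review): the version suffix of this action ref is garbled in the
        # source this file was recovered from; restore the intended tag (or a
        # commit SHA) before use.
        uses: broadinstitute/[email protected]
        # see https://github.com/broadinstitute/action-slack
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
          MATRIX_CONTEXT: ${{ toJson(matrix) }}
        with:
          status: ${{ job.status }}
          channel: "#dsde-qa"
          username: "Workspace Manager ${{ steps.set-env-step.outputs.test-env }} tests"
          author_name: "Workspace Manager ${{ steps.set-env-step.outputs.test-env }} ${{ matrix.gradleTask }}"
          fields: repo,job,workflow,commit,eventName,author,took
      - name: "Notify WSM Slack"
        # post to WSM Slack when a regular push (i.e. non-bumper push) is made to main branch
        if: failure() && github.event_name == 'push' && steps.skiptest.outputs.is-bump == 'no'
        # NOTE(review): same garbled action ref as the QA Slack step above.
        uses: broadinstitute/[email protected]
        # see https://github.com/broadinstitute/action-slack
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
          MATRIX_CONTEXT: ${{ toJson(matrix) }}
        with:
          status: ${{ job.status }}
          channel: "#terra-wsm-alerts"
          username: "WSM push to main branch"
          author_name: "${{ matrix.gradleTask }}"
          icon_emoji: ":triangular_ruler:"
          fields: job, commit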