
Add first pact verification for WDS integration. #7267


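# This workflow will build a Java project with Gradle
# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-gradle
name: Run Service Tests
on:
  push:
    branches:
      - main
    paths-ignore:
      - '*.md'
      - '.github/**'
      - 'service/local-dev/**'
  pull_request:
    branches:
      - main
    # There is an issue with GitHub required checks and paths-ignore. We don't really need to
    # run the tests if there are only irrelevant changes (see paths-ignore above). However,
    # we require tests to pass by making a "required check" rule on the branch. If the action
    # is not triggered, the required check never passes and you are stuck. Therefore, we have
    # to run tests even when we only change a markdown file. So don't do what I did and put a
    # paths-ignore right here!
  workflow_dispatch:
    inputs:
      testEnv:
        description: 'Environment in which tests should be run. Regardless of how this is set, the tests run against a local Postgres and development Sam'
        required: true

# NOTE(review): no top-level `permissions:` is declared, so GITHUB_TOKEN receives the
# repository's default scopes. The steps below only check out the repo and hand the token to
# the SonarQube task; `permissions: contents: read` is likely sufficient, but confirm what the
# Sonar and Trivy steps need before restricting it.
# NOTE(review): every action is pinned to a floating major tag (@v1 / @v3). Pinning to a
# full commit SHA is the stronger supply-chain control and is worth doing for the third-party
# actions in particular.
jobs:
  build-test-publish-azureDatabaseUtils:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout current code
        uses: actions/checkout@v3
      - name: Set up JDK
        uses: actions/setup-java@v3
        with:
          distribution: 'temurin'
          # Action inputs are strings; quoting keeps the YAML parser from retyping it.
          java-version: '17'
      - name: Cache Gradle packages
        uses: actions/cache@v3
        with:
          path: |
            ~/.gradle/caches
            ~/.gradle/wrapper
          # Expression function names are case-insensitive; spelled hashFiles consistently.
          key: v1-${{ runner.os }}-gradle-${{ hashFiles('**/gradle-wrapper.properties') }}-${{ hashFiles('**/*.gradle') }}
          restore-keys: v1-${{ runner.os }}-gradle-${{ hashFiles('**/gradle-wrapper.properties') }}
      - name: Grant execute permission for gradlew
        run: chmod +x gradlew
      - name: Construct docker image name and tag
        id: image-name
        # GITHUB_SHA / GITHUB_OUTPUT are runner-provided env vars; quoted so the
        # redirection target cannot be word-split.
        run: echo "name=us.gcr.io/broad-dsp-gcr-public/azure-database-utils:${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
      - name: Run tests
        run: ./gradlew --build-cache :azureDatabaseUtils:test --scan
      - name: Build docker
        run: ./gradlew --build-cache :azureDatabaseUtils:jibDockerBuild --image=${{ steps.image-name.outputs.name }} -Djib.console=plain --scan
      - name: Run Trivy vulnerability scanner
        # Link to the github location of the action https://github.com/broadinstitute/dsp-appsec-trivy-action
        uses: broadinstitute/dsp-appsec-trivy-action@v1
        with:
          image: ${{ steps.image-name.outputs.name }}
      - name: Auth to Google
        uses: google-github-actions/auth@v1
        with:
          credentials_json: ${{ secrets.GCR_PUBLISH_KEY }}
      - name: Setup gcloud
        uses: google-github-actions/setup-gcloud@v1
        with:
          # `version` is a setup-gcloud input. It was previously listed under the auth step,
          # which appears to have no such input, so the gcloud version pin was not taking effect.
          version: '411.0.0'
      - name: Explicitly auth Docker for GCR
        run: gcloud auth configure-docker --quiet
      - name: Push GCR image
        run: "docker push ${{ steps.image-name.outputs.name }}"
      - name: SonarQube scan
        run: ./gradlew --build-cache :azureDatabaseUtils:sonarqube
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  test-job:
    runs-on: ubuntu-latest
    # the azure connected tests require azureDatabaseUtils to be built and published
    needs: build-test-publish-azureDatabaseUtils
    # A note on our use of a matrix here:
    # Github workflows don't really support reusing code very well. Every workflow runs on a clean
    # instance, so we can't share a setup workflow. We could write a custom action, but you can't
    # call an action from another action, and they also don't have access to secrets.
    # Github also doesn't support yaml anchors (https://github.community/t/support-for-yaml-anchors/),
    # so we're using a matrix.
    strategy:
      fail-fast: false
      matrix:
        gradleTask: [unitTest, connectedTest, azureUnitTest, azureConnectedTest, awsUnitTest]
    steps:
      - name: Checkout current code
        uses: actions/checkout@v3
      - name: Skip version bump merges
        id: skiptest
        uses: ./.github/actions/bump-skip
        with:
          event-name: ${{ github.event_name }}
      - name: Set env
        if: steps.skiptest.outputs.is-bump == 'no'
        id: set-env-step
        env:
          # The dispatch input reaches the script through the environment rather than being
          # templated into the script text, so its value is never parsed as shell syntax.
          DISPATCH_TEST_ENV: ${{ github.event.inputs.testEnv }}
        # Picks the test environment: local for push/pull_request, the dispatch input for
        # workflow_dispatch, and an error for anything else.
        run: |
          case "$GITHUB_EVENT_NAME" in
            pull_request|push)
              ENV=local
              ;;
            workflow_dispatch)
              ENV="$DISPATCH_TEST_ENV"
              ;;
            *)
              echo "::error ::${GITHUB_EVENT_NAME} not supported for this workflow"
              exit 1
              ;;
          esac
          echo "test-env=$ENV" >> "$GITHUB_OUTPUT"
      - name: Set up JDK
        if: steps.skiptest.outputs.is-bump == 'no'
        uses: actions/setup-java@v3
        with:
          distribution: 'temurin'
          java-version: '17'
      - name: Cache Gradle packages
        if: steps.skiptest.outputs.is-bump == 'no'
        uses: actions/cache@v3
        with:
          path: |
            ~/.gradle/caches
            ~/.gradle/wrapper
          key: v1-${{ runner.os }}-gradle-${{ hashFiles('**/gradle-wrapper.properties') }}-${{ hashFiles('**/*.gradle') }}
          restore-keys: v1-${{ runner.os }}-gradle-${{ hashFiles('**/gradle-wrapper.properties') }}
      - name: Grant execute permission for gradlew
        if: steps.skiptest.outputs.is-bump == 'no'
        run: chmod +x gradlew
      # These steps aren't needed for unit tests
      - name: Get Vault token
        if: matrix.gradleTask != 'unitTest' && steps.skiptest.outputs.is-bump == 'no'
        id: vault-token-step
        env:
          VAULT_ADDR: 'https://clotho.broadinstitute.org:8200'
          # Secrets are passed via env instead of ${{ }} templating so they are not written
          # into the generated script; GitHub's log masking still applies to them.
          VAULT_APPROLE_ROLE_ID: ${{ secrets.VAULT_APPROLE_ROLE_ID }}
          VAULT_APPROLE_SECRET_ID: ${{ secrets.VAULT_APPROLE_SECRET_ID }}
        # Logs in with AppRole through a throwaway vault CLI container and exports the token
        # (masked) as a step output for the write-config step.
        run: |
          VAULT_TOKEN=$(docker run --rm --cap-add IPC_LOCK \
            -e "VAULT_ADDR=${VAULT_ADDR}" \
            vault:1.1.0 \
            vault write -field token \
            auth/approle/login role_id="${VAULT_APPROLE_ROLE_ID}" \
            secret_id="${VAULT_APPROLE_SECRET_ID}")
          echo "::add-mask::$VAULT_TOKEN"
          echo "vault-token=$VAULT_TOKEN" >> "$GITHUB_OUTPUT"
      - name: Write config
        if: matrix.gradleTask != 'unitTest' && steps.skiptest.outputs.is-bump == 'no'
        id: config
        uses: ./.github/actions/write-config
        with:
          # Note that unit and connected tests run with local configuration regardless of
          # the test-env specified on the workflow-dispatch input.
          target: local
          vault-token: ${{ steps.vault-token-step.outputs.vault-token }}
      # Run tests
      - name: Run tests
        if: steps.skiptest.outputs.is-bump == 'no'
        env:
          # PRINT_STANDARD_STREAMS is temporary to let us inspect logs for a particular
          # issue with Stairway serdes.
          PRINT_STANDARD_STREAMS: please
          TEST_ENV: ${{ steps.set-env-step.outputs.test-env }}
        run: ./gradlew :service:${{ matrix.gradleTask }} --scan
      - name: SonarQube scan
        if: steps.skiptest.outputs.is-bump == 'no'
        run: ./gradlew --build-cache :service:sonarqube
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: "Notify QA Slack"
        if: always() && (steps.set-env-step.outputs.test-env == 'alpha' || steps.set-env-step.outputs.test-env == 'staging')
        # NOTE(review): this action ref reads as "[email protected]" in the copy under review,
        # which looks like an extraction artifact; it should be a pinned tag of the action
        # linked below — TODO confirm and restore the real ref.
        uses: broadinstitute/[email protected]
        # see https://github.com/broadinstitute/action-slack
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
          MATRIX_CONTEXT: ${{ toJson(matrix) }}
        with:
          status: ${{ job.status }}
          channel: "#dsde-qa"
          username: "Workspace Manager ${{ steps.set-env-step.outputs.test-env }} tests"
          author_name: "Workspace Manager ${{ steps.set-env-step.outputs.test-env }} ${{ matrix.gradleTask }}"
          fields: repo,job,workflow,commit,eventName,author,took
      - name: "Notify WSM Slack"
        # post to WSM Slack when a regular push (i.e. non-bumper push) is made to main branch
        if: failure() && github.event_name == 'push' && steps.skiptest.outputs.is-bump == 'no'
        # NOTE(review): same garbled-looking ref as the QA Slack step above — TODO confirm.
        uses: broadinstitute/[email protected]
        # see https://github.com/broadinstitute/action-slack
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
          MATRIX_CONTEXT: ${{ toJson(matrix) }}
        with:
          status: ${{ job.status }}
          channel: "#terra-wsm-alerts"
          username: "WSM push to main branch"
          author_name: "${{ matrix.gradleTask }}"
          icon_emoji: ":triangular_ruler:"
          fields: job, commit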