Skip to content

DCJ-654: Sign-in via OIDC #5109

DCJ-654: Sign-in via OIDC

DCJ-654: Sign-in via OIDC #5109

Workflow file for this run

name: Tag, Build and Push Image
on:
push:
branches:
- develop
pull_request:
branches:
- develop
env:
REGISTRY_HOST: gcr.io
GOOGLE_PROJECT: broad-dsp-gcr-public
SERVICE_NAME: ${{ github.event.repository.name }}
jobs:
tag-build-push:
runs-on: ubuntu-latest
outputs:
sherlock-version: ${{ steps.short-sha.outputs.sha }}
permissions:
contents: 'read'
id-token: 'write'
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Get Short Sha
id: short-sha
run: echo "sha=$(git rev-parse --short=12 HEAD)" >> $GITHUB_OUTPUT
- name: 'Set up Cloud SDK'
uses: 'google-github-actions/setup-gcloud@v2'
- name: Construct tags
id: construct-tags
run: |
SHA_TAG="${REGISTRY_HOST}/${GOOGLE_PROJECT}/${SERVICE_NAME}:${{ steps.short-sha.outputs.sha }}"
ENVIRONMENT_TAG=""
if ${{ github.event_name == 'pull_request'}}; then
ENVIRONMENT_TAG="${REGISTRY_HOST}/${GOOGLE_PROJECT}/${SERVICE_NAME}:pr-${{ steps.short-sha.outputs.sha }}"
elif ${{github.event_name == 'push' }}; then
ENVIRONMENT_TAG="${REGISTRY_HOST}/${GOOGLE_PROJECT}/${SERVICE_NAME}:dev"
fi
echo "sha-tag=$SHA_TAG" >> $GITHUB_OUTPUT
echo "environment-tag=$ENVIRONMENT_TAG" >> $GITHUB_OUTPUT
- name: Build Image
run: |
docker build \
-t ${{ steps.construct-tags.outputs.sha-tag }} \
-t ${{ steps.construct-tags.outputs.environment-tag }} \
.
- name: Log Github Actor
run: echo "${{ github.actor }}"
- id: 'auth'
if: github.actor != 'dependabot[bot]'
name: 'Authenticate to Google Cloud'
uses: 'google-github-actions/auth@v2'
with:
# Centralized in dsp-tools-k8s; ask in #dsp-devops-champions for help troubleshooting
workload_identity_provider: 'projects/1038484894585/locations/global/workloadIdentityPools/github-wi-pool/providers/github-wi-provider'
service_account: 'gcr-publish@broad-dsp-gcr-public.iam.gserviceaccount.com'
- name: Push Image to GCR
if: github.actor != 'dependabot[bot]'
run: |
gcloud auth configure-docker --quiet
docker push ${{ steps.construct-tags.outputs.sha-tag }}
docker push ${{ steps.construct-tags.outputs.environment-tag }}
report-to-sherlock:
uses: broadinstitute/sherlock/.github/workflows/client-report-app-version.yaml@main
needs: [tag-build-push]
with:
new-version: ${{ needs.tag-build-push.outputs.sherlock-version }}
chart-name: 'duos'
permissions:
contents: 'read'
id-token: 'write'
set-version-in-dev:
if: github.event_name == 'push'
uses: broadinstitute/sherlock/.github/workflows/client-set-environment-app-version.yaml@main
needs: [tag-build-push, report-to-sherlock]
with:
new-version: ${{ needs.tag-build-push.outputs.sherlock-version }}
chart-name: 'duos'
environment-name: 'dev'
secrets:
sync-git-token: ${{ secrets.BROADBOT_TOKEN }}
permissions:
id-token: 'write'