Migrate to new infrastructure, use OIDC authentication, use sub-workf… #377
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# WARNING: DO NOT EDIT THIS FILE!!! | |
# | |
# This file is autogenerated from .github/workflows/ci-cd-main.yml.erb | |
# by ./internal-scripts/generate-ci-cd-yaml.rb. | |
# Please edit the .erb file instead, then regenerate YAML | |
# by running that script. | |
# | |
# TIP: run this on your development machine to ensure generate-ci-cd-yaml.rb | |
# is run automatically as a Git pre-commit hook: | |
# | |
# git config core.hooksPath .githooks | |
name: 'CI/CD: main' | |
on: | |
workflow_dispatch: | |
inputs: | |
ci_artifacts_run_number: | |
required: false | |
description: Run number for CI artifacts | |
push: | |
paths-ignore: | |
- '**.md' | |
- 'dev-handbook/**' | |
env: | |
## Set the following variable to a specific number to make the | |
## Google Cloud artifact upload/download actions treat as | |
## if we're running the given CI run number. Useful for | |
## speeding up development of the CI itself, in order to | |
## avoid rebuilding. | |
CI_ARTIFACTS_RUN_NUMBER: ${{ github.event.inputs.ci_artifacts_run_number || github.run_number }} | |
jobs: | |
# Determines which jobs should be run, or (in case this is a re-run) | |
# which jobs can be skipped this time because the last run succeeded. | |
# We determine this by checking whether the artifacts produced by jobs | |
# exist in this run. | |
determine_necessary_jobs: | |
name: Determine necessary jobs | |
runs-on: ubuntu-24.04 | |
environment: test | |
permissions: | |
id-token: write | |
packages: read | |
outputs: | |
ci_artifacts_run_number: ${{ steps.get_ci_artifacts_run_number.outputs.number }} | |
necessary_jobs: ${{ steps.check.outputs.necessary_jobs }} | |
steps: | |
- name: Workaround for detecting new workflows in branches | |
run: | | |
echo 'New workflow detected. Please delete the fix/cicd-new-workflows branch now.' | |
exit 1 | |
if: github.event_name == 'push' && github.ref == 'refs/heads/fix/cicd-new-workflows' | |
- uses: actions/checkout@v4 | |
- uses: google-github-actions/auth@v2 | |
with: | |
project_id: ${{ vars.GCLOUD_PROJECT_ID }} | |
workload_identity_provider: projects/${{ vars.GCLOUD_PROJECT_NUM }}/locations/global/workloadIdentityPools/github-ci-test/providers/github-ci-test | |
- name: Set up Cloud SDK | |
uses: google-github-actions/setup-gcloud@v2 | |
with: | |
version: '>= 363.0.0' | |
- name: Take note of CI artifacts run number | |
id: get_ci_artifacts_run_number | |
run: echo "number=$CI_ARTIFACTS_RUN_NUMBER" >> "$GITHUB_OUTPUT" | |
- name: List artifacts built in previous try of same CI run | |
run: ./internal-scripts/ci-cd/determine-necessary-jobs/list-artifacts.sh | |
env: | |
CI_ARTIFACTS_BUCKET: ${{ vars.CI_ARTIFACTS_BUCKET }} | |
- name: Determine necessary jobs | |
id: check | |
run: ./internal-scripts/ci-cd/determine-necessary-jobs/determine-necessary-jobs.rb | |
env: | |
GITHUB_ACTOR: ${{ github.actor }} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
check_workflow_uptodate: | |
name: Check whether workflow is up-to-date | |
runs-on: ubuntu-24.04 | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Check | |
run: ./internal-scripts/ci-cd/check-workflow-uptodate/check.sh | |
prepare: | |
name: Prepare | |
needs: | |
- determine_necessary_jobs | |
- check_workflow_uptodate | |
permissions: | |
id-token: write | |
packages: read | |
secrets: inherit | |
uses: ./.github/workflows/ci-cd-prepare.yml | |
with: | |
ci_artifacts_run_number: ${{ needs.determine_necessary_jobs.outputs.ci_artifacts_run_number }} | |
necessary_jobs: ${{ needs.determine_necessary_jobs.outputs.necessary_jobs }} | |
build_packages_1: | |
name: Build [1] | |
needs: | |
- determine_necessary_jobs | |
- prepare | |
permissions: | |
id-token: write | |
packages: read | |
secrets: inherit | |
uses: ./.github/workflows/ci-cd-build-packages-1.yml | |
with: | |
ci_artifacts_run_number: ${{ needs.determine_necessary_jobs.outputs.ci_artifacts_run_number }} | |
necessary_jobs: ${{ needs.determine_necessary_jobs.outputs.necessary_jobs }} | |
# # Run even if a transitively dependent job has been skipped | |
# if: | | |
# needs.prepare.result == 'success' | |
# && !failure() && !cancelled() | |
build_packages_2: | |
name: Build [2] | |
needs: | |
- determine_necessary_jobs | |
- prepare | |
permissions: | |
id-token: write | |
packages: read | |
secrets: inherit | |
uses: ./.github/workflows/ci-cd-build-packages-2.yml | |
with: | |
ci_artifacts_run_number: ${{ needs.determine_necessary_jobs.outputs.ci_artifacts_run_number }} | |
necessary_jobs: ${{ needs.determine_necessary_jobs.outputs.necessary_jobs }} | |
# # Run even if a transitively dependent job has been skipped | |
# if: | | |
# needs.prepare.result == 'success' | |
# && !failure() && !cancelled() | |
build_packages_3: | |
name: Build [3] | |
needs: | |
- determine_necessary_jobs | |
- prepare | |
permissions: | |
id-token: write | |
packages: read | |
secrets: inherit | |
uses: ./.github/workflows/ci-cd-build-packages-3.yml | |
with: | |
ci_artifacts_run_number: ${{ needs.determine_necessary_jobs.outputs.ci_artifacts_run_number }} | |
necessary_jobs: ${{ needs.determine_necessary_jobs.outputs.necessary_jobs }} | |
# # Run even if a transitively dependent job has been skipped | |
# if: | | |
# needs.prepare.result == 'success' | |
# && !failure() && !cancelled() | |
build_packages_4: | |
name: Build [4] | |
needs: | |
- determine_necessary_jobs | |
- prepare | |
permissions: | |
id-token: write | |
packages: read | |
secrets: inherit | |
uses: ./.github/workflows/ci-cd-build-packages-4.yml | |
with: | |
ci_artifacts_run_number: ${{ needs.determine_necessary_jobs.outputs.ci_artifacts_run_number }} | |
necessary_jobs: ${{ needs.determine_necessary_jobs.outputs.necessary_jobs }} | |
# # Run even if a transitively dependent job has been skipped | |
# if: | | |
# needs.prepare.result == 'success' | |
# && !failure() && !cancelled() | |
publish_test: | |
name: Publish & test against test repos | |
needs: | |
- determine_necessary_jobs | |
- prepare | |
- build_packages_1 | |
- build_packages_2 | |
- build_packages_3 | |
- build_packages_4 | |
permissions: | |
id-token: write | |
packages: read | |
secrets: inherit | |
uses: ./.github/workflows/ci-cd-publish-test-test.yml | |
with: | |
ci_artifacts_run_number: ${{ needs.determine_necessary_jobs.outputs.ci_artifacts_run_number }} | |
necessary_jobs: ${{ needs.determine_necessary_jobs.outputs.necessary_jobs }} | |
publish_production: | |
name: Publish & test against production repos | |
needs: | |
- determine_necessary_jobs | |
- prepare | |
- publish_test | |
permissions: | |
id-token: write | |
packages: read | |
contents: write | |
secrets: inherit | |
uses: ./.github/workflows/ci-cd-publish-test-production.yml | |
with: | |
ci_artifacts_run_number: ${{ needs.determine_necessary_jobs.outputs.ci_artifacts_run_number }} | |
necessary_jobs: ${{ needs.determine_necessary_jobs.outputs.necessary_jobs }} |