Creation of a Common Version Provenance File

.github/CODEOWNERS

@@ -0,0 +1,5 @@
+# Who can make modifications to the `.github/CODEOWNERS` file itself
+/.github/CODEOWNERS @ACCESS-NRI/model-release
+# Who can make modifications to the `config/versions.json` file (which contains
+# deployment configuration information)
+/config/settings.json @CodeGat @aidanheerdegen @harshula

.github/actions/validate-deployment-settings/README.md

@@ -0,0 +1,37 @@
+# Validate Environment Deployment Settings Action
+
+This action validates various `ACCESS-NRI/build-cd` deployment settings.
+
+## Inputs
+
+| Name | Type | Description | Required | Default | Example |
+| ---- | ---- | ----------- | -------- | ------- | ------- |
+| `settings-path` | `string` | Path to the build-cd settings.json file to validate | `true` | N/A | `'/some/dir/to/settings.json'` |
+| `target` | `string` | Which Deployment Target to check settings. Similar to `vars.DEPLOYMENT_TARGET` in a given Environment | `true` | N/A | `'SUPERCOMPUTER'` |
+| `error-level` | `string` | Whether failed validation checks should be a GitHub `notice`, `warning` or `error`. `error` will fail the action. | `false` | `'warning'` | `'error'` or `'notice'` |
+
+## Outputs
+
+| Name | Type | Description | Example |
+| ---- | ---- | ----------- | ------- |
+| `failures` | Comma-delimited `string` | Comma-delimited string of failures encountered during validation, useful for piping to a PR comment | `"Spack version [0.20] doesn't exist in Release,Spack version [0.21] doesn't exist in Prerelease"` |
+
+## Example
+
+```yaml
+# ...
+- name: Validate settings
+  id: settings
+  uses: access-nri/build-cd/.github/actions/validate-deployment-settings@main
+  with:
+    settings-path: ./some/settings.json
+    target: Supercomputer
+    error-level: warning
+
+- name: Comment settings warnings
+  if: steps.settings.outputs.failures != ''
+  uses: access-nri/actions/.github/actions/pr-comment@main
+  with:
+    comment: |
+        The validation failed with the following errors:  ${{ steps.settings.outputs.failures }}
+```

.github/actions/validate-deployment-settings/action.yml

@@ -0,0 +1,104 @@
+name: Validate Environment Deployment Settings
+description: Action that validates various `ACCESS-NRI/build-cd` deployment settings
+inputs:
+  settings-path:
+    type: string
+    required: true
+    description: Path to the build-cd settings.json file to validate
+  target:
+    type: string
+    required: true
+    description: Check settings for this Deployment Target
+  error-level:
+    type: string
+    required: false
+    default: warning
+    description: Whether failed validation checks should be 'notice', 'warning' or 'error'
+outputs:
+  failures:
+    value: ${{ steps.collector.outputs.failures }}
+    description: Comma-delimited string of failures encountered during validation
+runs:
+  using: composite
+  steps:
+    - name: Check All Spack Major Versions in Prerelease are in Release
+      id: spack-maj-all-pre-in-rel
+      shell: bash
+      run: |
+        majors_only_in_prerelease=$(jq --compact-output --raw-output \
+          '.deployment.${{ inputs.target }} | (.Prerelease.spack | keys) - (.Release.spack | keys) | @sh' \
+          ${{ inputs.settings-path }}
+        )
+
+        if [[ "$majors_only_in_prerelease" != "" ]]; then
+          msg="Spack versions ${majors_only_in_prerelease} do not exist in Release. Deployments to Release at those versions will not succeed."
+          echo "::${{ inputs.error-level }}::$msg"
+          echo "msg=$msg" >> $GITHUB_OUTPUT
+        fi
+
+    - name: Check All Spack Hash Versions are Equal
+      id: spack-hash-all-equal
+      shell: bash
+      # This step gets all the 'major-version: hash' entries for both Release and Prerelease (Ex for Release: [{"0.20": "92e3h3e9"}, ...]).
+      # It then merges them together based on major version (Ex. [[{"0.20": "u298rer3", "0.20": "r98u349u"}], ...]).
+      # And then finally compares the hashes for each major version, and returns the major versions where they differ.
+      run: |
+        release_version_hashes=$(jq '.deployment.${{ inputs.target }}.Release.spack | to_entries' ${{ inputs.settings-path }})
+        prerelease_version_hashes=$(jq '.deployment.${{ inputs.target }}.Prerelease.spack | to_entries' ${{ inputs.settings-path }})
+
+        unequal_hashes_for_version=$(jq --compact-output --raw-output --null-input \
+          --argjson r "$release_version_hashes" \
+          --argjson p "$prerelease_version_hashes" \
+          '$r + $p
+          | [
+              group_by(.key)[]
+              | select(.[0] != null and .[1] != null and .[0].value != .[1].value)
+              | .[0].key
+            ]
+          | @sh'
+        )
+
+        if [[ "$unequal_hashes_for_version" != "" ]]; then
+          msg="Different spack hashes between Prerelease and Release for major versions: ${unequal_hashes_for_version}. These should be equal to ensure equivalent builds, and must be updated before this PR is merged."
+          echo "::${{ inputs.error-level }}::$msg"
+          echo "msg=$msg" >> $GITHUB_OUTPUT
+        fi
+
+    - name: Verify Spack Commits Exist
+      id: spack-hash-all-exist
+      env:
+        GH_TOKEN: ${{ github.token }}
+        CHECKOUT_DIR: ./spack-metadata
+      shell: bash
+      # Verify that every commit referenced actually exists on the
+      # `releases/VERSION` branch in access-nri/spack, but don't
+      # bother checking out the code.
+      run: |
+        gh repo clone access-nri/spack ${{ env.CHECKOUT_DIR }} -- --no-checkout --bare --filter=blob:none
+
+        # Essentially, pull out all the spack 'version: hash' sections and iterate
+        jq -cr '.deployment.${{ inputs.target }}[].spack | to_entries[] | "\(.key) \(.value)"' ${{ inputs.settings-path }} | while read -ra line; do
+          version=${line[0]}
+          hash=${line[1]}
+          echo "Checking if $hash is in $version"
+          if ! git -C ${{ env.CHECKOUT_DIR }} merge-base --is-ancestor $hash releases/v$version; then
+            echo "::${{ inputs.error-level }}::Commit $hash does not exist on branch releases/v$version"
+            failed=true
+          fi
+        done
+
+        if [ -n $failed ]; then
+          msg="Some commits referenced do not exist in access-nri/spack. Check the workflow logs."
+          echo "::${{ inputs.error-level }}::$msg"
+          echo "msg=$msg" >> $GITHUB_OUTPUT
+        fi
+
+    - name: Warning/Error Collector
+      id: collector
+      shell: bash
+      run: echo "failures=${{ join(steps.*.outputs.msg) }}" >> $GITHUB_OUTPUT
+
+    - name: Action Fail from Error
+      if: inputs.error-level == 'error' && join(steps.*.outputs.msg) != ''
+      shell: bash
+      run: exit 1

.github/workflows/cd.yml

@@ -45,9 +45,27 @@ jobs:
             echo "default=${{ inputs.root-sbd }}" >> $GITHUB_OUTPUT
           fi
 
+  verify-settings:
+    name: Verify Deployment Settings
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          repository: ACCESS-NRI/build-cd
+          ref: main
+
+      - uses: access-nri/build-cd/.github/actions/validate-deployment-settings@main
+        with:
+          settings-path: ./config/settings.json
+          # TODO: Turn this into a matrix job of targets
+          target: Gadi
+          error-level: error
+
   push-tag:
     name: Tag Deployment
     runs-on: ubuntu-latest
+    needs:
+      - verify-settings
     permissions:
       contents: write
     outputs:

.github/workflows/ci.yml

@@ -52,14 +52,19 @@ jobs:
     outputs:
       spack-packages-version: ${{ steps.spack-packages.outputs.version }}
       spack-config-version:  ${{ steps.spack-config.outputs.version }}
+      config-settings-failures: ${{ steps.settings.outputs.failures }}
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout ${{ github.repository }} Config
+        uses: actions/checkout@v4
+        with:
+          path: model
 
-      - uses: access-nri/schema/.github/actions/validate-with-schema@main
+      - name: Validate ${{ github.repository }} config/versions.json
+        uses: access-nri/schema/.github/actions/validate-with-schema@main
         with:
           schema-version: ${{ vars.CONFIG_VERSIONS_SCHEMA_VERSION }}
           schema-location: au.org.access-nri/model/deployment/config/versions
-          data-location: ./config/versions.json
+          data-location: ./model/config/versions.json
 
       - name: Validate spack-packages version
         id: spack-packages
@@ -73,13 +78,31 @@ jobs:
         with:
           repo-to-check: spack-config
 
+      - name: Checkout build-cd Config
+        uses: actions/checkout@v4
+        with:
+          repository: ACCESS-NRI/build-cd
+          ref: main
+          path: cd
+
+      - name: Validate build-cd config/settings.json
+        id: settings
+        uses: access-nri/build-cd/.github/actions/validate-deployment-settings@main
+        with:
+          settings-path: ./cd/config/settings.json
+          # TODO: Turn this into a matrix job of targets
+          target: Gadi
+
   check-spack-yaml:
     name: Check spack.yaml
     runs-on: ubuntu-latest
     needs:
       - defaults
     permissions:
       pull-requests: write
+    outputs:
+      release: ${{ steps.version.outputs.release }}
+      prerelease: ${{ steps.version.outputs.prerelease }}
     steps:
       - uses: actions/checkout@v4
         with:
@@ -93,7 +116,7 @@ jobs:
           data-location: ./spack.yaml
 
       - name: Check Model Version Modified
-        id: version
+        id: version-modified
         run: |
           git checkout ${{ github.base_ref }}
 
@@ -115,7 +138,7 @@ jobs:
           fi
 
       - name: Same Model Version Failure Notifier
-        if: failure() && steps.version.outcome == 'failure'
+        if: failure() && steps.version-modified.outcome == 'failure'
         uses: access-nri/actions/.github/actions/pr-comment@main
         with:
           comment: |
@@ -156,22 +179,6 @@ jobs:
             exit 1
           fi
 
-  version:
-    name: Get Version
-    needs:
-      - check-spack-yaml
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-    outputs:
-      release: ${{ steps.version.outputs.release }}
-      prerelease: ${{ steps.version.outputs.prerelease }}
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          ref: ${{ github.head_ref }}
-          fetch-depth: 0
-
       - name: Generate Versions
         id: version
         # This step generates the release and prerelease version numbers.
@@ -194,44 +201,45 @@ jobs:
     # For example, `access-om3-pr13-3` for the deployment of access-om3 based on the third commit on the PR#13.
     needs:
       - defaults  # so we can access `inputs.root-sbd` that could have defaulted to `inputs.model`
-      - version  # implies all the spack.yaml-related checks have passed, has appropriate version for the prerelease build
+      - check-spack-yaml  # implies all the spack.yaml-related checks have passed, has appropriate version for the prerelease build
       - check-config  # implies all the json-related checks have passed
     uses: access-nri/build-cd/.github/workflows/deploy-1-setup.yml@main
     with:
       type: prerelease
       ref: ${{ github.head_ref }}
-      version: ${{ needs.version.outputs.prerelease }}
+      version: ${{ needs.check-spack-yaml.outputs.prerelease }}
       root-sbd: ${{ needs.defaults.outputs.root-sbd }}
     secrets: inherit
 
   notifier:
     name: Notifier
     needs:
       - defaults  # so we can access `inputs.root-sbd` that could have defaulted to `inputs.model`
-      - version  # implies all the spack.yaml-related checks have passed, has appropriate version for the prerelease build
-      - check-config  # implies all the json-related checks have passed
+      - check-spack-yaml  # implies all the spack.yaml-related checks have passed, has appropriate version for the prerelease build
+      - check-config  # so we can access potential failures from config/settings.json validation
     runs-on: ubuntu-latest
     permissions:
       pull-requests: write
     steps:
       - uses: access-nri/actions/.github/actions/pr-comment@main
         with:
           comment: |
-            :rocket: Deploying ${{ inputs.model }} `${{ needs.version.outputs.release }}` as prerelease `${{ needs.version.outputs.prerelease }}`
+            :rocket: Deploying ${{ inputs.model }} `${{ needs.check-spack-yaml.outputs.release }}` as prerelease `${{ needs.check-spack-yaml.outputs.prerelease }}`
+            ${{ needs.check-config.outputs.config-settings-failures != '' && ':warning:There are issues with the `build-cd` deployment configuration. If this is unexpected, let @ACCESS-NRI/model-release know.' || '' }}
             <details>
             <summary>Details and usage instructions</summary>
 
             This `${{ inputs.model }}` model will be deployed as:
-            * `${{ needs.version.outputs.release }}` as a Release (when merged).
-            * `${{ needs.version.outputs.prerelease }}` as a Prerelease (during this PR).
+            * `${{ needs.check-spack-yaml.outputs.release }}` as a Release (when merged).
+            * `${{ needs.check-spack-yaml.outputs.prerelease }}` as a Prerelease (during this PR).
 
             This Prerelease is accessible on Gadi using:
             ```bash
             module use /g/data/vk83/prerelease/modules
-            module load ${{ needs.defaults.outputs.root-sbd }}/${{ needs.version.outputs.prerelease }}
+            module load ${{ needs.defaults.outputs.root-sbd }}/${{ needs.check-spack-yaml.outputs.prerelease }}
             ```
             where the binaries shall be on your `$PATH`.
-            This Prerelease is also accessible on Gadi via `/g/data/vk83/prerelease/apps/spack/0.22/spack` in the `${{ needs.defaults.outputs.root-sbd }}-${{ needs.version.outputs.prerelease }}` environment.
+            This Prerelease is also accessible on Gadi via `/g/data/vk83/prerelease/apps/spack/0.22/spack` in the `${{ needs.defaults.outputs.root-sbd }}-${{ needs.check-spack-yaml.outputs.prerelease }}` environment.
             </details>
             :hammer_and_wrench: Using: spack-packages `${{ needs.check-config.outputs.spack-packages-version}}`, spack-config `${{ needs.check-config.outputs.spack-config-version }}`
             <details>

.github/workflows/deploy-1-setup.yml

@@ -19,7 +19,8 @@ on:
         type: string
         required: true
         description: The root SBD that is being used as the modulefile name
-
+env:
+  CONFIG_SETTINGS_PATH: ./config/settings.json
 jobs:
   setup-spack-env:
     name: Setup Spack Environment
@@ -56,9 +57,11 @@ jobs:
         id: get-deployment-environment
         run: |
           if [[ "${{ inputs.type }}" == "release" ]]; then
-            echo "deployment-environments=$(jq --compact-output '.environments' ./config/deployment-environment.json)" >> $GITHUB_OUTPUT
+            # Convention is to just have the name by itself for release (eg. 'Gadi')
+            echo "deployment-environments=$(jq --compact-output '.deployment | keys' ${{ env.CONFIG_SETTINGS_PATH }})" >> $GITHUB_OUTPUT
           elif [[ "${{ inputs.type }}" == "prerelease" ]]; then
-            echo "deployment-environments=$(jq --compact-output '."prerelease-environments"' ./config/deployment-environment.json)" >> $GITHUB_OUTPUT
+            # Convention is to have the name + Prerelease (eg. 'Gadi Prerelease')
+            echo "deployment-environments=$(jq --compact-output '[.deployment | keys | "\(.[]) Prerelease"]' ${{ env.CONFIG_SETTINGS_PATH }})" >> $GITHUB_OUTPUT
           else
             echo "::error::The 'type' input was invalid. Check the inputs documentation."
             exit 1

.github/workflows/deploy-2-start.yml

@@ -240,7 +240,7 @@ jobs:
       - name: Setup Python
         uses: actions/setup-python@v5
         with:
-          python-version: "3.10"
+          python-version: ${{ vars.PYTHON_VERSION }}
           cache: pip
 
       - name: Install Build Metadata Script Requirements