[DUOS-1740][risk=no] Updates for OWASP warnings (#883) #837
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Tag, Build and Push Image | |
| on: | |
| push: | |
| branches: | |
| - develop | |
| pull_request: | |
| branches: | |
| - develop | |
| env: | |
| REGISTRY_HOST: gcr.io | |
| GOOGLE_PROJECT: broad-dsp-gcr-public | |
| SERVICE_NAME: ${{ github.event.repository.name }} | |
| jobs: | |
| tag-build-push: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| sherlock-version: ${{ steps.short-sha.outputs.sha }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Get Short Sha | |
| id: short-sha | |
| run: echo "sha=$(git rev-parse --short=12 HEAD)" >> $GITHUB_OUTPUT | |
| - name: 'Set up Cloud SDK' | |
| uses: 'google-github-actions/setup-gcloud@v1' | |
| - name: Construct tags | |
| id: construct-tags | |
| run: | | |
| SHA_TAG="${REGISTRY_HOST}/${GOOGLE_PROJECT}/${SERVICE_NAME}:${{ steps.short-sha.outputs.sha }}" | |
| ENVIRONMENT_TAG="" | |
| if ${{ github.event_name == 'pull_request'}}; then | |
| ENVIRONMENT_TAG="${REGISTRY_HOST}/${GOOGLE_PROJECT}/${SERVICE_NAME}:pr-${{ steps.short-sha.outputs.sha }}" | |
| elif ${{github.event_name == 'push' }}; then | |
| ENVIRONMENT_TAG="${REGISTRY_HOST}/${GOOGLE_PROJECT}/${SERVICE_NAME}:dev" | |
| fi | |
| echo "sha-tag=$SHA_TAG" >> $GITHUB_OUTPUT | |
| echo "environment-tag=$ENVIRONMENT_TAG" >> $GITHUB_OUTPUT | |
| - name: Build Image | |
| run: | | |
| docker build \ | |
| -t ${{ steps.construct-tags.outputs.sha-tag }} \ | |
| -t ${{ steps.construct-tags.outputs.environment-tag }} \ | |
| . | |
| - name: Log Github Actor | |
| run: echo "${{ github.actor }}" | |
| - name: Auth to GCR | |
| if: github.actor != 'dependabot[bot]' | |
| uses: 'google-github-actions/auth@v1' | |
| with: | |
| credentials_json: ${{ secrets.GCR_PUBLISH_KEY_B64 }} | |
| - name: Auth Docker for GCR | |
| if: github.actor != 'dependabot[bot]' | |
| run: gcloud auth configure-docker --quiet | |
| - name: Push Image to GCR | |
| if: github.actor != 'dependabot[bot]' | |
| run: | | |
| docker push ${{ steps.construct-tags.outputs.sha-tag }} | |
| docker push ${{ steps.construct-tags.outputs.environment-tag }} | |
| - name: Notify Slack | |
| # only notify for develop branch build | |
| if: github.event_name == 'push' | |
| uses: broadinstitute/[email protected] | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| status: ${{ job.status }} | |
| channel: "#duos-notifications" | |
| fields: repo,commit,author,action,eventName,ref,workflow,job,took | |
| report-to-sherlock: | |
| uses: broadinstitute/sherlock/.github/workflows/client-report-app-version.yaml@main | |
| needs: [ tag-build-push ] | |
| with: | |
| new-version: ${{ needs.tag-build-push.outputs.sherlock-version }} | |
| chart-name: 'ontology' | |
| permissions: | |
| contents: 'read' | |
| id-token: 'write' | |
| set-version-in-dev: | |
| if: github.event_name == 'push' | |
| uses: broadinstitute/sherlock/.github/workflows/client-set-environment-app-version.yaml@main | |
| needs: [ tag-build-push, report-to-sherlock ] | |
| with: | |
| new-version: ${{ needs.tag-build-push.outputs.sherlock-version }} | |
| chart-name: 'ontology' | |
| environment-name: 'dev' | |
| secrets: | |
| sync-git-token: ${{ secrets.BROADBOT_TOKEN }} | |
| permissions: | |
| id-token: 'write' |