Skip to content

Merge pull request #603 from umccr/enhancement/add-ora-to-dragen-tran… #224

Merge pull request #603 from umccr/enhancement/add-ora-to-dragen-tran…

Merge pull request #603 from umccr/enhancement/add-ora-to-dragen-tran… #224

name: Create Workflow Release Asset
on:
push:
tags:
# Matches dragen-pon-qc/3.9.3
# Matches tso500-ctdna-with-post-processing-pipeline/1.1.0--1.0.0
# Matches dragen-somatic-pipeline/4.0.3-rc
# ** required since our tags have '/' in them -- https://stackoverflow.com/a/61892639/6946787
# Single quotes required since * is a special character in yaml
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet
- '**'
jobs:
# Workflow split due to https://github.com/actions/runner/issues/662
# This way we do a 'precheck', update a few vars and most importantly make sure that the tag is legix
release_asset_precheck:
name: release asset precheck
runs-on: ubuntu-latest
defaults:
run:
shell: bash -l {0}
steps:
# Checkout code
- name: Checkout code
id: git_checkout
uses: actions/checkout@v4
# Set to fail
- name: Update bash settings
id: update_bash_settings
run: |
set -euo pipefail
# Install jq (for querying branch name)
- name: Install Jq
id: install_jq
run: |
sudo apt-get update -y
sudo apt-get install jq -y
# Get tag
- name: Set output
id: get_tag
run: echo "tag=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
# Ensure tag matches regex
- name: action regex match
id: tag_regex_match
uses: kaisugi/action-regex-match@v1.0.1
with:
text: ${{ steps.get_tag.outputs.tag }}
regex: '^[A-Za-z0-9-_]+/[0-9]+\.[0-9]+\.[0-9]+(?:--\S+)?(-rc)?$'
# Get email and username
- name: Get User Configurations
id: get_user_configurations
run: |
echo "user_name=${{ github.actor }}" >> "${GITHUB_OUTPUT}"
echo "user_email=${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com" >> "${GITHUB_OUTPUT}"
# Has regex match
- name: has regex match
id: has_regex_match
run: |
create_release="false"
is_prerelease="false"
if [[ -n "${{ steps.tag_regex_match.outputs.match }}" ]]; then
create_release="true"
fi
if [[ -n "${{ steps.tag_regex_match.outputs.group1 }}" ]]; then
is_prerelease="true"
fi
echo "create_release=${create_release}" >> "${GITHUB_OUTPUT}"
echo "is_prerelease=${is_prerelease}" >> "${GITHUB_OUTPUT}"
# Get date
- name: get date
id: get_date
run: |
echo "date_str=$(date +%Y%m%d%H%M%S)" >> "${GITHUB_OUTPUT}"
# Get workflow path
- name: get workflow path
id: get_workflow_path
run: |
# Get tag without release candidate
tag="${{ steps.get_tag.outputs.tag }}"
tag="${tag//-rc}"
# Check workflow directory exists
if [[ ! -d "workflows/$tag" ]]; then
echo "Could not find directory workflows/$tag"
exit 1
fi
workflow_path="$( \
find "workflows/$tag" \
-mindepth 1 \
-maxdepth 1 \
-type f \
-name "*.cwl"
)"
echo "workflow_path=${workflow_path}" >> "${GITHUB_OUTPUT}"
# Set git tag env var
- name: set git tag
id: set_git_tag
run: |
echo "git_tag=${{ steps.get_tag.outputs.tag }},${{ steps.get_tag.outputs.tag }}__${{ steps.get_date.outputs.date_str }}" >> "${GITHUB_OUTPUT}"
# Set up complete
# Set outputs
outputs:
original_tag: ${{ steps.get_tag.outputs.tag }}
git_tag: ${{ steps.set_git_tag.outputs.git_tag }}
user_name: ${{ steps.get_user_configurations.outputs.user_name }}
user_email: ${{ steps.get_user_configurations.outputs.user_email }}
workflow_path: ${{ steps.get_workflow_path.outputs.workflow_path }}
create_release: ${{ steps.has_regex_match.outputs.create_release }}
is_prerelease: ${{ steps.has_regex_match.outputs.is_prerelease }}
get_umccr_prod_icav2_access_token:
# Note this currently gets the access token for the 'trial' project
name: Get ICAv2 Access Token (umccr-prod)
uses: ./.github/workflows/get_tenant_icav2_access_token.yml
with:
role_to_assume_arn: arn:aws:iam::472057503814:role/gh-service-icav2-pipeline-user-prod
secret_arn: arn:aws:secretsmanager:ap-southeast-2:472057503814:secret:ICAv2JWTKey-umccr-prod-service-pipelines-WoiHJv
secrets:
symmetrical_encryption_key: ${{ secrets.SYMMETRICAL_ENCRYPTION_KEY }}
create_release_asset:
name: create release asset
runs-on: ubuntu-latest
defaults:
run:
shell: bash -l {0}
needs:
- release_asset_precheck
- get_umccr_prod_icav2_access_token
steps:
# Checkout code
- name: Checkout code
id: git_checkout
uses: actions/checkout@v4
# Decrypt tokens
- id: decrypt_umccr_prod_icav2_access_token
name: Decrypt Access Token
uses: ./.github/actions/decrypt_token
with:
encrypted_token: ${{ needs.get_umccr_prod_icav2_access_token.outputs.icav2_access_token_encrypted }}
decryption_key: ${{ secrets.SYMMETRICAL_ENCRYPTION_KEY }}
# Create release asset
- name: create release asset
id: create_release_asset
if: needs.release_asset_precheck.outputs.create_release == 'true'
run: |
docker run \
--rm \
--volume "$PWD:$PWD" \
--workdir "$PWD" \
--env CWL_ICA_REPO_PATH="${PWD}" \
--env GITHUB_SERVER_URL="${GITHUB_SERVER_URL}" \
--env GITHUB_REPOSITORY="${GITHUB_REPOSITORY}" \
--env GITHUB_TAG="${{ needs.release_asset_precheck.outputs.git_tag }}" \
--env GITHUB_TOKEN="${{ secrets.GITHUB_TOKEN }}" \
--env _GIT_AUTHOR_NAME="${{ needs.release_asset_precheck.outputs.user_name }}" \
--env _GIT_AUTHOR_EMAIL="${{ needs.release_asset_precheck.outputs.user_email }}" \
--env ICAV2_ACCESS_TOKEN_UMCCR_PROD="${{ steps.decrypt_umccr_prod_icav2_access_token.outputs.decrypted_token }}" \
ghcr.io/umccr/cwl-ica-cli:latest \
bash ".github/scripts/create_workflow_release_asset.sh" \
--workflow-path "${{ needs.release_asset_precheck.outputs.workflow_path }}" \
--is-prerelease "${{ needs.release_asset_precheck.outputs.is_prerelease }}"