Sync tools and sync workflows and create catalogue #484
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Sync tools and sync workflows and create catalogue | |
| on: | |
| workflow_dispatch: | |
| pull_request_review: | |
| types: | |
| - "submitted" | |
| branches: | |
| - main | |
| paths: | |
| # Workflow change | |
| - "**/*.cwl" | |
| # GH change | |
| - ".github/workflows/sync-tools_and_sync-workflows.yml" | |
| - ".github/scripts/run_sync-tools_and_sync-workflows.sh" | |
| # Also for changes in the catalogue script | |
| - ".github/create_catalogue.sh" | |
| # Config files (say a merge conflict is resolved) | |
| - "config/project.yaml" | |
| - "config.tool.yaml" | |
| - "config/workflow.yaml" | |
| - "config/run.yaml" | |
| jobs: | |
| sync_tools_and_workflows_and_create_catalogue: | |
| # First check | |
| # 1a. It's a PR that's in an approved state | |
| # AND | |
| # 1b. It's not a PR to 'Add in images for release' | |
| # 2. OR it's been run manually by using the workflow_dispatch command | |
| if: | | |
| ( | |
| ( | |
| github.event.review.state == 'approved' && | |
| github.event.pull_request.draft == false | |
| ) && | |
| ! startsWith( github.event.pull_request.title, 'Add in images for release' ) | |
| ) || | |
| github.event_name == 'workflow_dispatch' | |
| name: sync-tools and sync-workflows and create-catalogue | |
| concurrency: git_commits | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| shell: bash -l {0} | |
| steps: | |
| # # DEBUG | |
| # - uses: hmarr/debug-action@v2 | |
| # Set to fail | |
| - name: Update bash settings | |
| id: update_bash_settings | |
| run: | | |
| set -euo pipefail | |
| # Install jq (for querying branch name) | |
| - name: Install Jq | |
| id: install_jq | |
| run: | | |
| sudo apt-get update -y | |
| sudo apt-get install jq -y | |
| # Get branch name from event path | |
| - name: Get Branch Name | |
| id: get_branch_name | |
| run: | | |
| # Get reference | |
| ref="$( \ | |
| jq --raw-output \ | |
| ' | |
| # Get head of the pull request | |
| if .pull_request?.head?.ref? != null then | |
| .pull_request.head.ref | |
| # If not try the base reference | |
| elif .pull_request?.base?.ref? != null then | |
| .pull_request.base.ref | |
| # Could this maybe not a PR? | |
| # Try legacy | |
| elif .ref? != null then | |
| .ref | |
| elif .base?.ref? != null then | |
| .base.ref | |
| else | |
| null | |
| end | |
| ' \ | |
| < "${GITHUB_EVENT_PATH}" \ | |
| )" | |
| if [[ "${ref}" == "null" ]]; then | |
| echo "Error! Could not get reference commit id" | |
| cat "${GITHUB_EVENT_PATH}" | |
| exit 1 | |
| fi | |
| # Set output | |
| echo "branch_name=${ref%refs/heads/}" >> "${GITHUB_OUTPUT}" | |
| # Standard checkout step | |
| - name: Checkout code | |
| id: git_checkout | |
| uses: actions/checkout@v3 | |
| with: | |
| # Otherwise we're just in a detached head state | |
| ref: ${{ steps.get_branch_name.outputs.branch_name }} | |
| # Get git commit ID | |
| - name: Get git commit ID | |
| id: get_git_commit_id | |
| run: echo "git_commit_id=$(git log --format="%H" -n1 | cut -c1-7)" >> "${GITHUB_OUTPUT}" | |
| # Get development workflows access token | |
| - name: get development workflows project id access token | |
| id: get_development_workflows_project_id_access_token | |
| run: | | |
| development_workflows_project_id="0df0356d-3637-48a5-80d1-a924642a6556" | |
| development_workflows_access_token="$( \ | |
| AWS_ACCESS_KEY_ID="${{ secrets.AWS_ACCESS_KEY_ID_DEV_ICA_SECRETS_WORKFLOW }}" \ | |
| AWS_SECRET_ACCESS_KEY="${{ secrets.AWS_SECRET_ACCESS_KEY_DEV_ICA_SECRETS_WORKFLOW }}" \ | |
| AWS_REGION="${{ secrets.AWS_REGION }}" \ | |
| aws secretsmanager get-secret-value \ | |
| --output json \ | |
| --secret-id IcaSecretsWorkflow | \ | |
| jq --raw-output \ | |
| --arg project_id "${development_workflows_project_id}" \ | |
| ' | |
| .SecretString | | |
| fromjson | | |
| .[$project_id] | |
| ' \ | |
| )" | |
| echo "::add-mask::${development_workflows_access_token}" | |
| echo "ica_access_token=${development_workflows_access_token}" >> "${GITHUB_OUTPUT}" | |
| # Get collab illumina dev workflows access token | |
| - name: get collab illumina dev workflows project id access token | |
| id: get_collab_illumina_dev_workflows_project_id_access_token | |
| run: | | |
| collab_illumina_dev_workflows_project_id="dddd6c29-24d3-49f4-91c0-7e818b3c0a21" | |
| collab_illumina_dev_access_token="$( \ | |
| AWS_ACCESS_KEY_ID="${{ secrets.AWS_ACCESS_KEY_ID_DEV_ICA_SECRETS_WORKFLOW }}" \ | |
| AWS_SECRET_ACCESS_KEY="${{ secrets.AWS_SECRET_ACCESS_KEY_DEV_ICA_SECRETS_WORKFLOW }}" \ | |
| AWS_REGION="${{ secrets.AWS_REGION }}" \ | |
| aws secretsmanager get-secret-value \ | |
| --output json \ | |
| --secret-id IcaSecretsWorkflow | \ | |
| jq --raw-output \ | |
| --arg project_id "${collab_illumina_dev_workflows_project_id}" \ | |
| ' | |
| .SecretString | | |
| fromjson | | |
| .[$project_id] | |
| ' \ | |
| )" | |
| echo "::add-mask::${collab_illumina_dev_access_token}" | |
| echo "ica_access_token=${collab_illumina_dev_access_token}" >> "${GITHUB_OUTPUT}" | |
| # Get production workflows access token | |
| - name: get production workflows project id access token | |
| id: get_production_workflows_project_id_access_token | |
| run: | | |
| production_workflows_project_id="fdd48e11-cdcc-46a9-b5ac-dee3a4c5f19d" | |
| production_workflows_access_token="$( \ | |
| AWS_ACCESS_KEY_ID="${{ secrets.AWS_ACCESS_KEY_ID_PROD_ICA_SECRETS_WORKFLOW }}" \ | |
| AWS_SECRET_ACCESS_KEY="${{ secrets.AWS_SECRET_ACCESS_KEY_PROD_ICA_SECRETS_WORKFLOW }}" \ | |
| AWS_REGION="${{ secrets.AWS_REGION }}" \ | |
| aws secretsmanager get-secret-value \ | |
| --output json \ | |
| --secret-id IcaSecretsWorkflow | \ | |
| jq --raw-output \ | |
| --arg project_id "${production_workflows_project_id}" \ | |
| ' | |
| .SecretString | | |
| fromjson | | |
| .[$project_id] | |
| ' \ | |
| )" | |
| echo "::add-mask::${production_workflows_access_token}" | |
| echo "ica_access_token=${production_workflows_access_token}" >> "${GITHUB_OUTPUT}" | |
| # Create secrets json | |
| - name: create secrets json | |
| id: create_secrets_json | |
| run: | | |
| secrets_json="$( \ | |
| jq --null-input --raw-output \ | |
| --arg development_workflows_access_token "${{ steps.get_development_workflows_project_id_access_token.outputs.ica_access_token }}" \ | |
| --arg collab_illumina_dev_workflows_access_token "${{ steps.get_collab_illumina_dev_workflows_project_id_access_token.outputs.ica_access_token }}" \ | |
| --arg production_workflows_access_token "${{ steps.get_production_workflows_project_id_access_token.outputs.ica_access_token }}" \ | |
| ' | |
| { | |
| "development_workflows": { | |
| "ICA_ACCESS_TOKEN": $development_workflows_access_token | |
| }, | |
| "collab_illumina_dev_workflows": { | |
| "ICA_ACCESS_TOKEN": $collab_illumina_dev_workflows_access_token | |
| }, | |
| "production_workflows": { | |
| "ICA_ACCESS_TOKEN": $production_workflows_access_token | |
| } | |
| } | | |
| @base64 | |
| ' \ | |
| )" | |
| echo "::add-mask::${secrets_json}" | |
| echo "secrets_json=${secrets_json}" >> "${GITHUB_OUTPUT}" | |
| # Sync tools and workflows | |
| - name: sync-tools and sync-workflows | |
| run: | | |
| docker run \ | |
| --rm \ | |
| --user "$(id -u):$(id -g)" \ | |
| --volume "$PWD:$PWD" \ | |
| --workdir "$PWD" \ | |
| --env USER="$(id -u)" \ | |
| --env GIT_COMMIT_ID="${{ steps.get_git_commit_id.outputs.git_commit_id }}" \ | |
| --env SECRETS_JSON="${{ steps.create_secrets_json.outputs.secrets_json }}" \ | |
| --env ICA_BASE_URL="${{ secrets.ICA_BASE_URL }}" \ | |
| ghcr.io/umccr/cwl-ica-cli:latest \ | |
| bash ".github/scripts/run_sync-tools_and_sync-workflows.sh" | |
| # Create Catalogue | |
| - name: create catalogue | |
| run: | | |
| docker run \ | |
| --rm \ | |
| --user "$(id -u):$(id -g)" \ | |
| --volume "$PWD:$PWD" \ | |
| --workdir "$PWD" \ | |
| --env USER="$(id -nu)" \ | |
| --env GITHUB_SERVER_URL="${GITHUB_SERVER_URL}" \ | |
| --env GITHUB_REPOSITORY="${GITHUB_REPOSITORY}" \ | |
| ghcr.io/umccr/cwl-ica-cli:latest \ | |
| bash ".github/scripts/create_catalogue.sh" | |
| # Commit config files | |
| - id: commit_config_and_catalogue | |
| name: Commit catalogue files | |
| uses: EndBug/add-and-commit@v7.2.1 | |
| with: | |
| add: "[ 'config/', 'cwl-ica-catalogue.md', '.github/catalogue/' ]" | |
| default_author: github_actions | |
| #author_name: "auto-catalogue-updater" | |
| message: "Updating cwl ica config and catalogue files - (Autogenerated github actions commit)" | |
| # Don't push, we push manually in the next step | |
| push: false | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| # Push config files | |
| - name: Push code | |
| id: git_push | |
| if: ${{ steps.commit_config_and_catalogue.outputs.committed == 'true' }} | |
| run: | | |
| CURRENT_BRANCH="${{ steps.get_branch_name.outputs.branch_name }}" | |
| # Pull first (might have had another action complete a commit) | |
| git pull --rebase origin "${CURRENT_BRANCH}" | |
| # Then push | |
| # Pretend to push | |
| git push origin "${CURRENT_BRANCH}" | |