Skip to content

Sync tools and sync workflows and create catalogue #497

Sync tools and sync workflows and create catalogue

Sync tools and sync workflows and create catalogue #497

name: Sync tools and sync workflows and create catalogue
on:
workflow_dispatch:
pull_request_review:
types:
- "submitted"
branches:
- main
paths:
# Workflow change
- "**/*.cwl"
# GH change
- ".github/workflows/sync-tools_and_sync-workflows.yml"
- ".github/scripts/run_sync-tools_and_sync-workflows.sh"
# Also for changes in the catalogue script
- ".github/create_catalogue.sh"
# Config files (say a merge conflict is resolved)
- "config/project.yaml"
- "config.tool.yaml"
- "config/workflow.yaml"
- "config/run.yaml"
jobs:
sync_tools_and_workflows_and_create_catalogue:
# First check
# 1a. It's a PR that's in an approved state
# AND
# 1b. It's not a PR to 'Add in images for release'
# 2. OR it's been run manually by using the workflow_dispatch command
if: |
(
(
github.event.review.state == 'approved' &&
github.event.pull_request.draft == false
) &&
! startsWith( github.event.pull_request.title, 'Add in images for release' )
) ||
github.event_name == 'workflow_dispatch'
name: sync-tools and sync-workflows and create-catalogue
concurrency: git_commits
runs-on: ubuntu-latest
defaults:
run:
shell: bash -l {0}
steps:
# # DEBUG
# - uses: hmarr/debug-action@v2
# Set to fail
- name: Update bash settings
id: update_bash_settings
run: |
set -euo pipefail
# Install jq (for querying branch name)
- name: Install Jq
id: install_jq
run: |
sudo apt-get update -y
sudo apt-get install jq -y
# Get branch name from event path
- name: Get Branch Name
id: get_branch_name
run: |
# Get reference
ref="$( \
jq --raw-output \
'
# Get head of the pull request
if .pull_request?.head?.ref? != null then
.pull_request.head.ref
# If not try the base reference
elif .pull_request?.base?.ref? != null then
.pull_request.base.ref
# Could this maybe not a PR?
# Try legacy
elif .ref? != null then
.ref
elif .base?.ref? != null then
.base.ref
else
null
end
' \
< "${GITHUB_EVENT_PATH}" \
)"
if [[ "${ref}" == "null" ]]; then
echo "Error! Could not get reference commit id"
cat "${GITHUB_EVENT_PATH}"
exit 1
fi
# Set output
echo "branch_name=${ref%refs/heads/}" >> "${GITHUB_OUTPUT}"
# Standard checkout step
- name: Checkout code
id: git_checkout
uses: actions/checkout@v3
with:
# Otherwise we're just in a detached head state
ref: ${{ steps.get_branch_name.outputs.branch_name }}
# Get git commit ID
- name: Get git commit ID
id: get_git_commit_id
run: echo "git_commit_id=$(git log --format="%H" -n1 | cut -c1-7)" >> "${GITHUB_OUTPUT}"
# Get development workflows access token
- name: get development workflows project id access token
id: get_development_workflows_project_id_access_token
run: |
development_workflows_project_id="0df0356d-3637-48a5-80d1-a924642a6556"
development_workflows_access_token="$( \
AWS_ACCESS_KEY_ID="${{ secrets.AWS_ACCESS_KEY_ID_DEV_ICA_SECRETS_WORKFLOW }}" \
AWS_SECRET_ACCESS_KEY="${{ secrets.AWS_SECRET_ACCESS_KEY_DEV_ICA_SECRETS_WORKFLOW }}" \
AWS_REGION="${{ secrets.AWS_REGION }}" \
aws secretsmanager get-secret-value \
--output json \
--secret-id IcaSecretsWorkflow | \
jq --raw-output \
--arg project_id "${development_workflows_project_id}" \
'
.SecretString |
fromjson |
.[$project_id]
' \
)"
echo "::add-mask::${development_workflows_access_token}"
echo "ica_access_token=${development_workflows_access_token}" >> "${GITHUB_OUTPUT}"
# Get collab illumina dev workflows access token
- name: get collab illumina dev workflows project id access token
id: get_collab_illumina_dev_workflows_project_id_access_token
run: |
collab_illumina_dev_workflows_project_id="dddd6c29-24d3-49f4-91c0-7e818b3c0a21"
collab_illumina_dev_access_token="$( \
AWS_ACCESS_KEY_ID="${{ secrets.AWS_ACCESS_KEY_ID_DEV_ICA_SECRETS_WORKFLOW }}" \
AWS_SECRET_ACCESS_KEY="${{ secrets.AWS_SECRET_ACCESS_KEY_DEV_ICA_SECRETS_WORKFLOW }}" \
AWS_REGION="${{ secrets.AWS_REGION }}" \
aws secretsmanager get-secret-value \
--output json \
--secret-id IcaSecretsWorkflow | \
jq --raw-output \
--arg project_id "${collab_illumina_dev_workflows_project_id}" \
'
.SecretString |
fromjson |
.[$project_id]
' \
)"
echo "::add-mask::${collab_illumina_dev_access_token}"
echo "ica_access_token=${collab_illumina_dev_access_token}" >> "${GITHUB_OUTPUT}"
# Get production workflows access token
- name: get production workflows project id access token
id: get_production_workflows_project_id_access_token
run: |
production_workflows_project_id="fdd48e11-cdcc-46a9-b5ac-dee3a4c5f19d"
production_workflows_access_token="$( \
AWS_ACCESS_KEY_ID="${{ secrets.AWS_ACCESS_KEY_ID_PROD_ICA_SECRETS_WORKFLOW }}" \
AWS_SECRET_ACCESS_KEY="${{ secrets.AWS_SECRET_ACCESS_KEY_PROD_ICA_SECRETS_WORKFLOW }}" \
AWS_REGION="${{ secrets.AWS_REGION }}" \
aws secretsmanager get-secret-value \
--output json \
--secret-id IcaSecretsWorkflow | \
jq --raw-output \
--arg project_id "${production_workflows_project_id}" \
'
.SecretString |
fromjson |
.[$project_id]
' \
)"
echo "::add-mask::${production_workflows_access_token}"
echo "ica_access_token=${production_workflows_access_token}" >> "${GITHUB_OUTPUT}"
# Create secrets json
- name: create secrets json
id: create_secrets_json
run: |
secrets_json="$( \
jq --null-input --raw-output \
--arg development_workflows_access_token "${{ steps.get_development_workflows_project_id_access_token.outputs.ica_access_token }}" \
--arg collab_illumina_dev_workflows_access_token "${{ steps.get_collab_illumina_dev_workflows_project_id_access_token.outputs.ica_access_token }}" \
--arg production_workflows_access_token "${{ steps.get_production_workflows_project_id_access_token.outputs.ica_access_token }}" \
'
{
"development_workflows": {
"ICA_ACCESS_TOKEN": $development_workflows_access_token
},
"collab_illumina_dev_workflows": {
"ICA_ACCESS_TOKEN": $collab_illumina_dev_workflows_access_token
},
"production_workflows": {
"ICA_ACCESS_TOKEN": $production_workflows_access_token
}
} |
@base64
' \
)"
echo "::add-mask::${secrets_json}"
echo "secrets_json=${secrets_json}" >> "${GITHUB_OUTPUT}"
# Sync tools and workflows
- name: sync-tools and sync-workflows
run: |
docker run \
--rm \
--user "$(id -u):$(id -g)" \
--volume "$PWD:$PWD" \
--workdir "$PWD" \
--env USER="$(id -u)" \
--env GIT_COMMIT_ID="${{ steps.get_git_commit_id.outputs.git_commit_id }}" \
--env SECRETS_JSON="${{ steps.create_secrets_json.outputs.secrets_json }}" \
--env ICA_BASE_URL="${{ secrets.ICA_BASE_URL }}" \
ghcr.io/umccr/cwl-ica-cli:latest \
bash ".github/scripts/run_sync-tools_and_sync-workflows.sh"
# Create Catalogue
- name: create catalogue
run: |
docker run \
--rm \
--user "$(id -u):$(id -g)" \
--volume "$PWD:$PWD" \
--workdir "$PWD" \
--env USER="$(id -nu)" \
--env GITHUB_SERVER_URL="${GITHUB_SERVER_URL}" \
--env GITHUB_REPOSITORY="${GITHUB_REPOSITORY}" \
ghcr.io/umccr/cwl-ica-cli:latest \
bash ".github/scripts/create_catalogue.sh"
# Commit config files
- id: commit_config_and_catalogue
name: Commit catalogue files
uses: EndBug/add-and-commit@v7.2.1
with:
add: "[ 'config/', 'cwl-ica-catalogue.md', '.github/catalogue/' ]"
default_author: github_actions
#author_name: "auto-catalogue-updater"
message: "Updating cwl ica config and catalogue files - (Autogenerated github actions commit)"
# Don't push, we push manually in the next step
push: false
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# Push config files
- name: Push code
id: git_push
if: ${{ steps.commit_config_and_catalogue.outputs.committed == 'true' }}
run: |
CURRENT_BRANCH="${{ steps.get_branch_name.outputs.branch_name }}"
# Pull first (might have had another action complete a commit)
git pull --rebase origin "${CURRENT_BRANCH}"
# Then push
# Pretend to push
git push origin "${CURRENT_BRANCH}"