Skip to content

Sync tools and sync workflows and create catalogue #656

Sync tools and sync workflows and create catalogue

Sync tools and sync workflows and create catalogue #656

name: Sync tools and sync workflows and create catalogue
on:
workflow_dispatch:
pull_request_review:
types:
- "submitted"
branches:
- main
jobs:
setup:
# First check
# 1a. It's a PR that's in an approved state
# AND
# 1b. It's not a PR to 'Add in images for release'
# 2. OR it's been run manually by using the workflow_dispatch command
if: |
(
(
github.event.review.state == 'approved' &&
github.event.pull_request.draft == false
) &&
! startsWith( github.event.pull_request.title, '[GitHub Actions]' )
) ||
github.event_name == 'workflow_dispatch'
name: setup-sync-tools
concurrency: git_commits
runs-on: ubuntu-latest
defaults:
run:
shell: bash -l {0}
steps:
# # DEBUG
# - uses: hmarr/debug-action@v2
# Set to fail
- name: Update bash settings
id: update_bash_settings
run: |
set -euo pipefail
# Install jq (for querying branch name)
- name: Install Jq
id: install_jq
run: |
sudo apt-get update -y
sudo apt-get install jq -y
# Get branch name from event path
- name: Get Branch Name
id: get_branch_name
run: |
# Get reference
ref="$( \
jq --raw-output \
'
# Get head of the pull request
if .pull_request?.head?.ref? != null then
.pull_request.head.ref
# If not try the base reference
elif .pull_request?.base?.ref? != null then
.pull_request.base.ref
# Could this maybe not a PR?
# Try legacy
elif .ref? != null then
.ref
elif .base?.ref? != null then
.base.ref
else
null
end
' \
< "${GITHUB_EVENT_PATH}" \
)"
# Could not get reference commit id
if [[ "${ref}" == "null" ]]; then
echo "Error! Could not get reference commit id"
cat "${GITHUB_EVENT_PATH}"
exit 1
fi
# Set output
echo "branch_name=${ref%refs/heads/}" >> "${GITHUB_OUTPUT}"
# Standard checkout step
- name: Checkout code
id: git_checkout
uses: actions/checkout@v4
with:
# Otherwise we're just in a detached head state
ref: ${{ steps.get_branch_name.outputs.branch_name }}
# Get git commit ID
- name: Get git commit ID
id: get_git_commit_id
run: echo "git_commit_id=$(git log --format="%H" -n1 | cut -c1-7)" >> "${GITHUB_OUTPUT}"
# Get outputs
outputs:
git_commit_id: ${{ steps.get_git_commit_id.outputs.git_commit_id }}
branch_name: ${{ steps.get_branch_name.outputs.branch_name }}
# Get access tokens
get_umccr_development_workflows_ica_access_token:
name: Get ICA Access Token (umccr-development)
uses: ./.github/workflows/get_ica_access_token.yml
needs:
- setup
permissions:
id-token: write
contents: read
with:
project_id: "0df0356d-3637-48a5-80d1-a924642a6556" # development_workflows
role_to_assume_arn: arn:aws:iam::843407916570:role/ica-credentials-dev-stack-IcaSecretsicacredentialsd-9oauPhOTTfHb
secret_arn: arn:aws:secretsmanager:ap-southeast-2:843407916570:secret:IcaSecretsWorkflow-yUaicA
aws_region: ${{ vars.AWS_REGION }}
branch_name: ${{ needs.setup.outputs.branch_name }}
secrets:
symmetrical_encryption_key: ${{ secrets.SYMMETRICAL_ENCRYPTION_KEY }}
get_umccr_collab_illumina_dev_workflows_ica_access_token:
name: Get ICA Access Token (umccr-collab-illumina-dev)
uses: ./.github/workflows/get_ica_access_token.yml
needs:
- setup
permissions:
id-token: write
contents: read
with:
# Uses same secret as dev
project_id: "dddd6c29-24d3-49f4-91c0-7e818b3c0a21" # collab-illumina-dev_workflows
role_to_assume_arn: arn:aws:iam::843407916570:role/ica-credentials-dev-stack-IcaSecretsicacredentialsd-9oauPhOTTfHb
secret_arn: arn:aws:secretsmanager:ap-southeast-2:843407916570:secret:IcaSecretsWorkflow-yUaicA
aws_region: ${{ vars.AWS_REGION }}
branch_name: ${{ needs.setup.outputs.branch_name }}
secrets:
symmetrical_encryption_key: ${{ secrets.SYMMETRICAL_ENCRYPTION_KEY }}
get_umccr_production_workflows_ica_access_token:
name: Get ICA Access Token (umccr-production)
uses: ./.github/workflows/get_ica_access_token.yml
needs:
- setup
permissions:
id-token: write
contents: read
with:
project_id: "fdd48e11-cdcc-46a9-b5ac-dee3a4c5f19d" # production_workflows
role_to_assume_arn: arn:aws:iam::472057503814:role/ica-credentials-prod-stac-IcaSecretsicacredentialsp-pFZQUb2Bvys7
secret_arn: arn:aws:secretsmanager:ap-southeast-2:472057503814:secret:IcaSecretsWorkflow-zq2Abw
aws_region: ${{ vars.AWS_REGION }}
branch_name: ${{ needs.setup.outputs.branch_name }}
secrets:
symmetrical_encryption_key: ${{ secrets.SYMMETRICAL_ENCRYPTION_KEY }}
# Now sync
sync_tools_and_workflows_and_create_catalogue:
name: sync tools and workflows and create catalogue
concurrency: git_commits
runs-on: ubuntu-latest
defaults:
run:
shell: bash -l {0}
needs:
- setup
- get_umccr_development_workflows_ica_access_token
- get_umccr_collab_illumina_dev_workflows_ica_access_token
- get_umccr_production_workflows_ica_access_token
steps:
# Standard checkout step
- name: Checkout code
id: git_checkout
uses: actions/checkout@v4
with:
# For changed files we need to look back in time a little
fetch-depth: 0
# Otherwise we're just in a detached head state
ref: ${{ needs.setup.outputs.branch_name }}
# Add masks to encrypted tokens
- name: Add masks to encrypted tokens
run: |
echo "::add-mask::${{ needs.get_umccr_development_workflows_ica_access_token.outputs.ica_access_token_encrypted }}"
echo "::add-mask::${{ needs.get_umccr_collab_illumina_dev_workflows_ica_access_token.outputs.ica_access_token_encrypted }}"
echo "::add-mask::${{ needs.get_umccr_production_workflows_ica_access_token.outputs.ica_access_token_encrypted }}"
# Decrypt tokens
- id: decrypt_development_workflows_project_id_access_token
name: Decrypt Development Access Token
uses: ./.github/actions/decrypt_token
with:
encrypted_token: ${{ needs.get_umccr_development_workflows_ica_access_token.outputs.ica_access_token_encrypted }}
decryption_key: ${{ secrets.SYMMETRICAL_ENCRYPTION_KEY }}
- id: decrypt_collab_illumina_dev_workflows_project_id_access_token
name: Decrypt Collab Illumina Dev Access Token
uses: ./.github/actions/decrypt_token
with:
encrypted_token: ${{ needs.get_umccr_collab_illumina_dev_workflows_ica_access_token.outputs.ica_access_token_encrypted }}
decryption_key: ${{ secrets.SYMMETRICAL_ENCRYPTION_KEY }}
- id: decrypt_production_workflows_project_id_access_token
name: Decrypt Production Access Token
uses: ./.github/actions/decrypt_token
with:
encrypted_token: ${{ needs.get_umccr_production_workflows_ica_access_token.outputs.ica_access_token_encrypted }}
decryption_key: ${{ secrets.SYMMETRICAL_ENCRYPTION_KEY }}
# Check that the paths were interested in are actually of any significants
- id: check_file_changes
name: Check that this PR is relevant to workflows
uses: tj-actions/changed-files@v41
with:
files_yaml: |
workflows:
# Workflows, Expressions, CommandLineTools
- "**/*.cwl"
# Schemas
- "schemas/**/*.yaml"
# TypeScript Expressions
- "**/*.cwljs"
gh_actions:
- ".github/actions/get_ica_access_token/action.yml"
- ".github/workflows/sync-tools_and_sync-workflows.yml"
- ".github/scripts/run_sync-tools_and_sync-workflows.sh"
catalogs:
- ".github/create_catalogue.sh"
configurations:
# Config files (say a merge conflict is resolved)
- "config/project.yaml"
- "config/tool.yaml"
- "config/workflow.yaml"
- "config/run.yaml"
base_sha: ${{ github.event.pull_request.base.sha }}
# Create secrets json
- name: create secrets json
id: create_secrets_json
run: |
secrets_json="$( \
jq --null-input --raw-output \
--arg development_workflows_access_token "${{ steps.decrypt_development_workflows_project_id_access_token.outputs.decrypted_token }}" \
--arg collab_illumina_dev_workflows_access_token "${{ steps.decrypt_collab_illumina_dev_workflows_project_id_access_token.outputs.decrypted_token }}" \
--arg production_workflows_access_token "${{ steps.decrypt_production_workflows_project_id_access_token.outputs.decrypted_token }}" \
'
{
"development_workflows": {
"ICA_ACCESS_TOKEN": $development_workflows_access_token
},
"collab_illumina_dev_workflows": {
"ICA_ACCESS_TOKEN": $collab_illumina_dev_workflows_access_token
},
"production_workflows": {
"ICA_ACCESS_TOKEN": $production_workflows_access_token
}
} |
@base64
' \
)"
echo "::add-mask::${secrets_json}"
echo "secrets_json=${secrets_json}" >> "${GITHUB_OUTPUT}"
# Sync tools and workflows
- name: sync-tools and sync-workflows
if: |
steps.check_file_changes.outputs.workflows_any_changed == 'true' ||
steps.check_file_changes.outputs.configurations_any_changed == 'true' ||
github.event_name == 'workflow_dispatch'
run: |
docker run \
--rm \
--user "$(id -u):$(id -g)" \
--volume "$PWD:$PWD" \
--workdir "$PWD" \
--env USER="$(id -u)" \
--env GIT_COMMIT_ID="${{ needs.setup.outputs.git_commit_id }}" \
--env SECRETS_JSON="${{ steps.create_secrets_json.outputs.secrets_json }}" \
--env ICA_BASE_URL="${{ vars.ICA_BASE_URL }}" \
ghcr.io/umccr/cwl-ica-cli:latest \
bash ".github/scripts/run_sync-tools_and_sync-workflows.sh"
# Create Catalogue
- name: create catalogue
if: |
steps.check_file_changes.outputs.workflows_any_changed == 'true' ||
steps.check_file_changes.outputs.configurations_any_changed == 'true' ||
steps.check_file_changes.outputs.catalogs_any_changed == 'true' ||
github.event_name == 'workflow_dispatch'
run: |
docker run \
--rm \
--user "$(id -u):$(id -g)" \
--volume "$PWD:$PWD" \
--workdir "$PWD" \
--env USER="$(id -nu)" \
--env GITHUB_SERVER_URL="${GITHUB_SERVER_URL}" \
--env GITHUB_REPOSITORY="${GITHUB_REPOSITORY}" \
ghcr.io/umccr/cwl-ica-cli:latest \
bash ".github/scripts/create_catalogue.sh"
# Commit config files
- id: commit_and_push_config_and_catalogue
name: Commit catalogue files
uses: EndBug/[email protected]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
add: "[ 'config/', 'cwl-ica-catalogue.md', '.github/catalogue/' ]"
default_author: github_actions
message: "Updating cwl ica config and catalogue files - (Autogenerated github actions commit)"
push: true
pull: ${{ format('--rebase --autostash origin {0}', needs.setup.outputs.branch_name) }}