Merge pull request #1593 from NASA-AMMOS/release/v3-1-0 #1297

Workflow file for this run

.github/workflows/publish.yml at 7cffc9f

	name: Publish

	on:
	push:
	branches:
	- develop
	- dev-[0-9]+.[0-9]+.[0-9]+
	tags:
	- v*
	pull_request:
	types:
	# publish images for PRs labeled "publish" whenever changed/labeled
	[opened, reopened, synchronize, labeled]
	workflow_dispatch:

	env:
	REGISTRY: ghcr.io
	OWNER: nasa-ammos
	IS_RELEASE: ${{ startsWith(github.ref, 'refs/tags/v') }}
	SHOULD_PUBLISH_IMAGES: ${{ (github.event_name != 'pull_request') \|\| contains(github.event.pull_request.labels.*.name, 'publish') }}
	SHOULD_PUBLISH_DEPLOYMENT: ${{ (github.event_name != 'pull_request') }}

	jobs:
	init:
	runs-on: ubuntu-latest
	permissions:
	contents: read
	outputs:
	# set these as outputs to make available later, since `env` context isn't available in `jobs.if`
	SHOULD_PUBLISH_IMAGES: ${{ env.SHOULD_PUBLISH_IMAGES }}
	SHOULD_PUBLISH_DEPLOYMENT: ${{ env.SHOULD_PUBLISH_DEPLOYMENT }}
	steps:
	- uses: actions/checkout@v4

	- uses: gradle/wrapper-validation-action@v2

	- uses: gradle/actions/setup-gradle@v3
	with:
	generate-job-summary: false

	- name: Gradle Version
	run: ./gradlew --version

	containers:
	runs-on: ubuntu-latest
	needs: init
	if: needs.init.outputs.SHOULD_PUBLISH_IMAGES == 'true'
	permissions:
	contents: read
	packages: write
	strategy:
	matrix:
	components:
	- image: aerie-merlin
	context: merlin-server
	file: merlin-server/Dockerfile
	- image: aerie-merlin-worker
	context: merlin-worker
	file: merlin-worker/Dockerfile
	- image: aerie-scheduler
	context: scheduler-server
	file: scheduler-server/Dockerfile
	- image: aerie-scheduler-worker
	context: scheduler-worker
	file: scheduler-worker/Dockerfile
	- image: aerie-sequencing
	context: sequencing-server
	file: sequencing-server/Dockerfile
	- image: aerie-hasura
	context: .
	file: docker/Dockerfile.hasura
	- image: aerie-postgres
	context: .
	file: docker/Dockerfile.postgres
	name: ${{ matrix.components.image }}
	steps:
	- name: Log SHOULD_PUBLISH_IMAGES
	run: echo ${{ needs.init.outputs.SHOULD_PUBLISH_IMAGES }}

	- uses: actions/checkout@v4

	- uses: actions/setup-java@v4
	with:
	distribution: "temurin"
	java-version: "21"

	- name: Init Gradle cache
	uses: gradle/actions/setup-gradle@v3
	with:
	generate-job-summary: false

	- name: Set up QEMU
	uses: docker/setup-qemu-action@v3
	with:
	platforms: linux/amd64,linux/arm64

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3

	- name: Login to ${{ env.REGISTRY }}
	uses: docker/login-action@v3
	with:
	registry: ${{ env.REGISTRY }}
	username: ${{ github.actor }}
	password: ${{ github.token }}

	- name: Extract metadata (tags, labels) for ${{ matrix.components.image }}
	id: metadata-step
	uses: docker/metadata-action@v5
	with:
	images: ${{ env.REGISTRY }}/${{ env.OWNER }}/${{ matrix.components.image }}

	- name: Assemble ${{ matrix.components.context }}
	env:
	component: ${{ matrix.components.context }}
	run: \|
	set -x
	# aerie-hasura and aerie-postgres don't need compiled java
	if [[ "$component" != "." ]]; then
	./gradlew ":$component:assemble" --no-daemon --parallel
	fi

	- name: Build and push ${{ matrix.components.image }}
	uses: docker/build-push-action@v5
	with:
	context: ${{ matrix.components.context }}
	file: ${{ matrix.components.file }}
	platforms: linux/amd64,linux/arm64
	push: true
	tags: ${{ steps.metadata-step.outputs.tags }}
	labels: ${{ steps.metadata-step.outputs.labels }}

	scan:
	runs-on: ubuntu-latest
	needs: containers
	if: needs.init.outputs.SHOULD_PUBLISH_IMAGES == 'true'
	strategy:
	matrix:
	image:
	- aerie-merlin
	- aerie-merlin-worker
	- aerie-scheduler
	- aerie-scheduler-worker
	- aerie-sequencing
	- aerie-hasura
	- aerie-postgres
	fail-fast: false
	name: scan ${{ matrix.image }}
	steps:
	- uses: actions/checkout@v4

	- name: Scan ${{ matrix.image }} for vulnerabilities
	uses: aquasecurity/[email protected]
	with:
	image-ref: ${{ env.REGISTRY }}/${{ env.OWNER }}/${{ matrix.image }}:develop
	ignore-unfixed: true
	exit-code: "1"
	severity: "CRITICAL"
	format: "template"
	template: "@/contrib/html.tpl"
	scanners: "vuln"
	output: "${{ matrix.image }}-results.html"
	trivyignores: .github/config/.trivyignore

	- name: Upload ${{ matrix.image }} scan results
	if: always()
	uses: actions/upload-artifact@v4
	with:
	name: Vuln Scan Results - ${{ matrix.image }}
	path: "${{ matrix.image }}-results.html"

	publish:
	name: gradle publish
	runs-on: ubuntu-latest
	needs: init
	if: needs.init.outputs.SHOULD_PUBLISH_DEPLOYMENT == 'true'
	permissions:
	contents: read
	packages: write
	steps:
	- uses: actions/checkout@v4

	- name: Gradle Cache
	uses: gradle/actions/setup-gradle@v3
	with:
	generate-job-summary: false

	- name: Publish Package
	run: ./gradlew publish -Pversion.isRelease=$IS_RELEASE --parallel
	env:
	GITHUB_TOKEN: ${{ github.token }}

	- name: Create deployment archive
	run: ./gradlew archiveDeployment

	- name: Publish deployment
	uses: actions/upload-artifact@v4
	with:
	name: Deployment
	path: deployment.tar

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Merge pull request #1593 from NASA-AMMOS/release/v3-1-0 #1297

Workflow file

Merge pull request #1593 from NASA-AMMOS/release/v3-1-0 #1297

Jobs

Run details

Workflow file for this run