-
Notifications
You must be signed in to change notification settings - Fork 1
110 lines (106 loc) · 5.11 KB
/
build-and-test.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
# This workflow will build a Java project with Gradle
# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-gradle
name: Java CI with Gradle
on:
workflow_dispatch: {}
push:
branches: [ master ]
paths-ignore: [ '**.md' ]
pull_request:
# Branch settings require status checks before merging, so don't add paths-ignore.
branches: [ master ]
env:
VAULT_ADDR: https://clotho.broadinstitute.org:8200
VAULT_SERVICE_ACCOUNT_ADMIN_PATH: secret/dsde/terra/crl-test/default/service-account-admin.json
VAULT_SERVICE_ACCOUNT_USER_PATH: secret/dsde/terra/crl-test/default/service-account-user.json
VAULT_AZURE_MANAGED_APP_CLIENT_PATH: secret/dsde/terra/azure/common/managed-app-publisher
# Where to store the retrieved service accounts credentials for Google integration tests.
SERVICE_ACCOUNT_ADMIN_FILE: src/testFixtures/resources/integration_service_account_admin.json
SERVICE_ACCOUNT_USER_FILE: src/testFixtures/resources/integration_service_account_user.json
SERVICE_ACCOUNT_JANITOR_CLIENT_FILE: src/testFixtures/resources/integration_service_account_janitor_client.json
AZURE_MANAGED_APP_FILE: src/testFixtures/resources/integration_azure_managed_app_client.json
AZURE_CREDENTIALS_FILE: src/testFixtures/resources/integration_azure_env.properties
jobs:
build-and-test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Pull Vault image
run: docker pull vault:1.1.0
# Currently, there's no way to add capabilities to Docker actions on Git, and Vault needs IPC_LOCK to run.
- name: Get Vault token
id: vault-token-step
run: |
VAULT_TOKEN=$(docker run --rm --cap-add IPC_LOCK \
-e "VAULT_ADDR=${VAULT_ADDR}" \
vault:1.1.0 \
vault write -field token \
auth/approle/login role_id=${{ secrets.VAULT_APPROLE_ROLE_ID }} \
secret_id=${{ secrets.VAULT_APPROLE_SECRET_ID }})
echo ::add-mask::$VAULT_TOKEN
echo vault-token=$VAULT_TOKEN >> $GITHUB_OUTPUT
- name: Get service account credentials from Vault
id: vault-secret-step
run: |
docker run --rm --cap-add IPC_LOCK \
-e "VAULT_TOKEN=${{ steps.vault-token-step.outputs.vault-token }}" \
-e "VAULT_ADDR=${VAULT_ADDR}" \
vault:1.1.0 \
vault read -format json $VAULT_SERVICE_ACCOUNT_ADMIN_PATH \
| jq .data > $SERVICE_ACCOUNT_ADMIN_FILE &&#
docker run --rm --cap-add IPC_LOCK \
-e "VAULT_TOKEN=${{ steps.vault-token-step.outputs.vault-token }}" \
-e "VAULT_ADDR=${VAULT_ADDR}" \
vault:1.1.0 \
vault read -format json $VAULT_SERVICE_ACCOUNT_USER_PATH \
| jq .data > $SERVICE_ACCOUNT_USER_FILE &&#
docker run --rm --cap-add IPC_LOCK \
-e "VAULT_TOKEN=${{ steps.vault-token-step.outputs.vault-token }}" \
-e "VAULT_ADDR=${VAULT_ADDR}" \
vault:1.1.0 \
vault read -format json $VAULT_AZURE_MANAGED_APP_CLIENT_PATH \
| jq .data > $AZURE_MANAGED_APP_FILE
- name: Write Janitor Client SA file
run: |
JANITOR_SA_B64=${{ secrets.CRL_JANITOR_CLIENT_SA_B64 }}
echo ::add-mask::$JANITOR_SA_B64
echo $JANITOR_SA_B64 | base64 --decode > ${SERVICE_ACCOUNT_JANITOR_CLIENT_FILE}
- name: Write Azure properties file
run: |
AZURE_MANAGED_APP_CLIENT_ID=$(jq -r '."client-id"' ${AZURE_MANAGED_APP_FILE})
AZURE_MANAGED_APP_CLIENT_SECRET=$(jq -r '."client-secret"' ${AZURE_MANAGED_APP_FILE})
AZURE_MANAGED_APP_TENANT_ID=$(jq -r '."tenant-id"' ${AZURE_MANAGED_APP_FILE})
cat > ${AZURE_CREDENTIALS_FILE} <<EOF
integration.azure.admin.clientId=${AZURE_MANAGED_APP_CLIENT_ID}
integration.azure.admin.clientSecret=${AZURE_MANAGED_APP_CLIENT_SECRET}
integration.azure.admin.tenantId=${AZURE_MANAGED_APP_TENANT_ID}
EOF
- name: Set up JDK 17
uses: actions/setup-java@v3
with:
distribution: 'temurin'
java-version: 17
# See https://github.com/actions/cache/blob/main/examples.md#java---gradle
- name: Cache Gradle packages
uses: actions/cache@v3
with:
path: |
~/.gradle/caches
~/.gradle/wrapper
key: v1-${{ runner.os }}-gradle-${{ hashfiles('**/gradle-wrapper.properties') }}-${{ hashFiles('**/*.gradle') }}
restore-keys: v1-${{ runner.os }}-gradle-${{ hashfiles('**/gradle-wrapper.properties') }}
- name: Grant execute permission for gradlew
run: chmod +x gradlew
- name: Build, assemble and test
run: ./gradlew build -x minniekenny --scan # skip minniekenny
# TODO(CA-814): Determine how to run tests based on modified packages.
- name: Integration test
id: integration-test
run: ./gradlew integrationTest --scan
- name: Upload test reports
if: always()
uses: actions/upload-artifact@v3
with:
name: Test Reports
path: |
**/build/reports/tests