# Builds a release version of Pathling and deploys it to Maven Central and PyPI.
name: Release

# Triggered when a release is published; can also be started manually.
on:
  release:
    types:
      - published
  workflow_dispatch:

env:
  # Java 21 requires these add-exports and add-opens flags.
  MAVEN_OPTS: "--add-exports=java.base/sun.nio.ch=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED"

# Workflow-level GITHUB_TOKEN permissions. They are inherited by every job
# that does not declare its own `permissions` block, so any job that only
# needs to read the repository still receives a token with write access and
# the ability to request an OIDC token unless it narrows the scope itself.
permissions:
  id-token: write
  # Required to upload release assets.
  contents: write
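# NOTE(review): every action below is referenced by a mutable tag (for example
# `@v4` or `@0.32.0`). These jobs hold signing keys and publishing
# credentials, so consider pinning each `uses:` to a full commit SHA and
# keeping the tag in a trailing comment for readability.
jobs:
  # Builds, scans, signs and deploys the Maven artifacts, then publishes the
  # test report to S3 and attaches the built packages to the GitHub release.
  release-maven:
    name: Release to Maven Central
    environment: maven-central
    runs-on: ubuntu-latest
    # Declared per job so that the write scopes stay with the only job whose
    # steps use them.
    permissions:
      # Lets the AWS credentials step request an OIDC token for the role.
      id-token: write
      # Required to upload release assets.
      contents: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          submodules: recursive
      - name: Set up JDK
        uses: actions/setup-java@v4
        with:
          java-version: "21"
          distribution: zulu
      - name: Install Bun
        uses: oven-sh/setup-bun@v2
      - name: Install uv
        uses: astral-sh/setup-uv@v6
      - name: Set up R
        uses: r-lib/actions/setup-r@v2
        with:
          r-version: "4.1.3"
          use-public-rspm: true
      - name: Set up Pandoc
        uses: r-lib/actions/setup-pandoc@v2
      # NOTE(review): the caches restored below feed a build whose output is
      # signed and published. Confirm that only trusted workflows can write
      # these cache keys, or build releases without restored caches.
      - name: Cache local Maven repository
        uses: actions/cache@v4
        with:
          path: ~/.m2/repository
          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
          restore-keys: |-
            ${{ runner.os }}-maven-
      - name: Cache Python packages
        uses: actions/cache@v4
        with:
          path: /home/runner/.cache/pip
          key: ${{ runner.os }}-pip-${{ hashFiles('lib/python/requirements/dev.txt', 'lib/python/requirements/package.txt') }}
      - name: Cache R packages
        uses: actions/cache@v4
        with:
          path: ${{ runner.temp }}/Library
          key: r-packages-${{ runner.os }}-${{ hashFiles('lib/R/DESCRIPTION.src') }}
          restore-keys: r-packages-${{ runner.os }}-
      - name: Cache SonarQube packages
        uses: actions/cache@v4
        with:
          path: ~/.sonar/cache
          key: ${{ runner.os }}-sonar
          restore-keys: ${{ runner.os }}-sonar
      - name: Install TinyTeX and libcurl
        # These are required for building the R package documentation.
        # NOTE(review): the installer is fetched at build time and piped
        # straight into a shell, and `$HOME/bin` is then put on PATH for the
        # later steps that import the signing key and deploy. Prefer
        # downloading a fixed installer version and verifying it against a
        # recorded checksum before executing it.
        run: |
          wget -qO- "https://yihui.org/tinytex/install-bin-unix.sh" | sh
          echo "$HOME/bin" >> "$GITHUB_PATH"
          sudo apt-get install -y libcurl4-openssl-dev
      - name: Install GPG key
        env:
          GPG_KEY: ${{ secrets.GPG_KEY }}
        run: |
          echo "$GPG_KEY" | gpg --batch --import
          gpg --list-secret-keys --keyid-format LONG
      - name: Configure Maven settings
        uses: s4u/maven-settings-action@v3.1.0
        with:
          servers: |
            [{
              "id": "central",
              "username": "${{ secrets.OSSRH_USERNAME }}",
              "password": "${{ secrets.OSSRH_PASSWORD }}"
            }]
      # Release won't be possible if there are outstanding vulnerabilities of
      # medium severity or higher as reported by Trivy.
      - name: Run security scan
        uses: aquasecurity/trivy-action@0.32.0
        with:
          scan-type: repo
          severity: "MEDIUM,HIGH,CRITICAL"
          scan-ref: .
          format: sarif
          output: trivy-results.sarif
          # The action's default exit code is 0, which only writes the report
          # and never fails the step. A non-zero exit code is what actually
          # blocks the release when findings are present.
          exit-code: "1"
          # SARIF output reports every severity unless this is set, so the
          # `severity` filter above would otherwise not apply to the gate.
          limit-severities-for-sarif: true
          skip-files: examples/**/*,**/target/**/*,sql-on-fhir/sof-js/package-lock.json,licenses/**/*,site/package-lock.json
          # Upon release, the databases will be updated and scanned to make
          # sure nothing has crept in since the last daily update.
          cache: false
      - name: Run deploy goal
        env:
          # NOTE(review): no step in this job declares `id: python-install`,
          # so both expressions below evaluate to an empty string. Add the
          # missing step or drop these two variables.
          PYSPARK_PYTHON: ${{ steps.python-install.outputs.python-path }}
          PYSPARK_DRIVER_PYTHON: ${{ steps.python-install.outputs.python-path }}
          # Quoted so that no YAML loader reads it as a boolean.
          R_KEEP_PKG_SOURCE: "yes"
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
        run: |
          mvn --batch-mode deploy \
            org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
            -Dsonar.projectKey=aehrc_pathling -Dsonar.organization=aehrc \
            -Dsonar.host.url=https://sonarcloud.io \
            -Dsonar.sarifReportPaths=trivy-results.sarif \
            -pl '!benchmark' -Pdocs,mavenRelease,check
        timeout-minutes: 60
      - name: Save test reports
        uses: actions/upload-artifact@v4
        with:
          name: surefire-reports
          path: "**/surefire-reports/"
      - name: Save coverage reports
        uses: actions/upload-artifact@v4
        with:
          name: coverage-reports
          path: |
            **/jacoco.xml
            **/target/site/jacoco
            **/target/site/jacoco-aggregate
            lib/python/**/coverage.xml
      - name: Save built JARs
        uses: actions/upload-artifact@v4
        with:
          name: jars
          path: |
            utilities/target/utilities-*.jar
            encoders/target/encoders-*.jar
            terminology/target/terminology-*.jar
            fhirpath/target/fhirpath-*.jar
            library-api/target/library-api-*.jar
            library-runtime/target/library-runtime-*.jar
            lib/python/target/python-*.jar
            lib/R/target/r-*.jar
          if-no-files-found: error
      - name: Save Python wheel
        uses: actions/upload-artifact@v4
        with:
          name: python-wheel
          path: lib/python/target/py-dist/pathling-*.whl
      - name: Save R package
        uses: actions/upload-artifact@v4
        with:
          name: r-package
          path: lib/R/target/pathling_*.tar.gz
      - name: Save site
        uses: actions/upload-artifact@v4
        with:
          name: site
          path: site/target/site/
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::865780493209:role/PathlingBenchmarkUpload
          aws-region: ap-southeast-2
      - name: Extract major version
        id: extract-version
        env:
          # The ref name reaches the script as an environment variable, so the
          # shell treats it as data. Interpolating `${{ }}` into the script
          # text would let a crafted tag or branch name be parsed as shell
          # syntax.
          VERSION_TAG: ${{ github.ref_name }}
        run: |
          # Extract version from tag (e.g. v8.0.1 -> v8). A ref that does not
          # start with `v<digits>` passes through sed unchanged.
          MAJOR_VERSION=$(echo "$VERSION_TAG" | sed -E 's/^(v[0-9]+).*/\1/')
          echo "major_version=${MAJOR_VERSION}" >> "$GITHUB_OUTPUT"
          echo "Extracted major version: ${MAJOR_VERSION}"
      - name: Upload SQL on FHIR test report to S3
        env:
          # Derived from the ref name, so it is also passed as data rather
          # than spliced into the command line.
          MAJOR_VERSION: ${{ steps.extract-version.outputs.major_version }}
        run: |
          aws s3 cp fhirpath/target/fhir-view-compliance-test.json \
            "s3://pathling-benchmark/test-reports/${MAJOR_VERSION}/sof-test-results.json"
      - name: Upload release assets
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          RELEASE_TAG: ${{ github.ref_name }}
        run: |
          gh release upload "$RELEASE_TAG" \
            --clobber \
            library-runtime/target/library-runtime-*.jar \
            lib/python/target/py-dist/pathling-*.whl \
            lib/R/target/pathling_*.tar.gz

  # Rebuilds the Python library and publishes it to PyPI once the Maven
  # release has succeeded.
  release-pypi:
    name: Release to PyPI
    environment: pypi
    runs-on: ubuntu-latest
    needs: release-maven
    # None of the steps below uploads release assets or requests an OIDC
    # token, so this job only needs to read the repository.
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # This is required so that git-commit-id-plugin can find the latest
          # tag.
          fetch-depth: 0
          submodules: recursive
      - name: Set up JDK
        uses: actions/setup-java@v4
        with:
          java-version: "21"
          distribution: zulu
      - name: Install uv
        uses: astral-sh/setup-uv@v6
      - name: Set up R
        uses: r-lib/actions/setup-r@v2
        with:
          r-version: "4.1.3"
          use-public-rspm: true
      - name: Set up Pandoc
        uses: r-lib/actions/setup-pandoc@v2
      - name: Cache local Maven repository
        uses: actions/cache@v4
        with:
          path: ~/.m2/repository
          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
          restore-keys: |-
            ${{ runner.os }}-maven-
      - name: Cache Python packages
        uses: actions/cache@v4
        with:
          path: /home/runner/.cache/pip
          key: ${{ runner.os }}-pip-${{ hashFiles('lib/python/requirements/dev.txt', 'lib/python/requirements/package.txt') }}
      - name: Cache R packages
        uses: actions/cache@v4
        with:
          path: ${{ runner.temp }}/Library
          key: r-packages-${{ runner.os }}-${{ hashFiles('lib/R/DESCRIPTION.src') }}
          restore-keys: r-packages-${{ runner.os }}-
      - name: Install TinyTeX and libcurl
        # These are required for building the R package documentation.
        # NOTE(review): the installer is fetched at build time and piped
        # straight into a shell in a job that later receives the PyPI
        # credentials. Prefer a fixed installer version verified against a
        # recorded checksum.
        run: |
          wget -qO- "https://yihui.org/tinytex/install-bin-unix.sh" | sh
          echo "$HOME/bin" >> "$GITHUB_PATH"
          sudo apt-get install -y libcurl4-openssl-dev
      - name: Run deploy goal
        env:
          # NOTE(review): no step in this job declares `id: python-install`,
          # so both expressions below evaluate to an empty string.
          PYSPARK_PYTHON: ${{ steps.python-install.outputs.python-path }}
          PYSPARK_DRIVER_PYTHON: ${{ steps.python-install.outputs.python-path }}
          TWINE_USERNAME: ${{ secrets.TWINE_USERNAME }}
          TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }}
          # Quoted so that no YAML loader reads it as a boolean.
          R_KEEP_PKG_SOURCE: "yes"
        run: |
          mvn --batch-mode deploy \
            -pl lib/python -am \
            -DskipTests -PpythonRelease
        timeout-minutes: 30

  # Archives the released source code in the CSIRO Data Access Portal after
  # both package releases have succeeded.
  upload-to-dap:
    name: Upload source code to CSIRO DAP
    environment: csiro-dap
    runs-on: [self-hosted, Linux]
    needs: [release-maven, release-pypi]
    # This job runs on a self-hosted runner, so its token is kept read-only.
    # NOTE(review): presumably dap_upload.py only downloads the source from
    # GitHub; widen this if the script writes to the repository or release.
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Download source code and upload to CSIRO DAP
        run: python .github/scripts/dap_upload.py
        env:
          GITHUB_REPOSITORY: ${{ github.repository }}
          GITHUB_REF_NAME: ${{ github.ref_name }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          DAP_USERNAME: ${{ secrets.DAP_USERNAME }}
          DAP_PASSWORD: ${{ secrets.DAP_PASSWORD }}
          DAP_BASE_URL: https://data.csiro.au
          COLLECTION_PID: "csiro:49524"
        timeout-minutes: 20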