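# This workflow will build the software and documentation to ensure there are no errors, and also
# execute the tests. It also deploys a pre-release version of the library API to Maven Central (as
# long as the POM versions are correctly set to a SNAPSHOT version).
name: Pre-release

# This workflow only runs on release branches.
# `on` is a YAML 1.1 boolean-looking key; GitHub's loader handles it (suppress yamllint `truthy`).
on:
  push:
    branches:
      - "release/*"

jobs:
  # Works out which parts of the tree changed on the release branch so the downstream UI and server
  # test workflows only run when they are relevant.
  detect-changes:
    name: Detect changes
    runs-on: ubuntu-latest
    # Least privilege: this job only needs to read the repository in order to diff paths. Declared
    # explicitly so it does not inherit whatever the repository-wide default happens to be.
    permissions:
      contents: read
    outputs:
      ui: ${{ steps.filter.outputs.ui }}
      server: ${{ steps.filter.outputs.server }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # Full history is needed so the filter can diff against the base branch.
          fetch-depth: 0
      - name: Detect changed paths
        # NOTE(review): third-party action referenced by a mutable tag. Pinning to the full commit
        # SHA of the chosen release (look it up; none is recorded here) prevents the tag being
        # re-pointed to different code.
        uses: dorny/paths-filter@v3
        id: filter
        with:
          # Compare against the merge base to detect all changes on the release branch.
          base: main
          filters: |
            ui:
              - 'ui/**'
            server:
              - 'server/**'

  # Builds, scans and tests everything, then deploys the SNAPSHOT artifacts to Maven Central and
  # publishes the SQL on FHIR compliance report.
  pre-release:
    name: Pre-release to Maven Central
    environment: maven-central
    runs-on: ubuntu-latest
    needs: detect-changes
    # id-token: write is required for the OIDC exchange in "Configure AWS credentials" below.
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          submodules: recursive
      - name: Set up build environment
        uses: ./.github/actions/setup-build-tools
        with:
          java: "true"
          r: "true"
          r-pandoc: "true"
          python: "true"
          bun: "true"
          spark: "true"
          sonar-cache: "true"
      - name: Install GPG key
        env:
          GPG_KEY: ${{ secrets.GPG_KEY }}
        run: |
          echo "$GPG_KEY" | gpg --batch --import
          gpg --list-secret-keys --keyid-format LONG
      - name: Configure Maven settings
        # NOTE(review): third-party action referenced by a mutable tag; consider pinning to the
        # full commit SHA of v3.1.0 (look it up; none is recorded here).
        uses: s4u/maven-settings-action@v3.1.0
        with:
          # The action renders these values into settings.xml; secrets never appear in the log.
          servers: |
            [{
              "id": "central",
              "username": "${{ secrets.OSSRH_USERNAME }}",
              "password": "${{ secrets.OSSRH_PASSWORD }}"
            }]
      - name: Run security scan
        uses: ./.github/actions/trivy-scan
        with:
          skip-files: "examples/**/*,**/target/**/*,sql-on-fhir/**/*,licenses/**/*"
          skip-db-update: "true"
          skip-dirs: "server,ui,site,fhirpath-lab-api,benchmark,test-data,deployment"
      - name: Run deploy goal (pre-release)
        env:
          # Quoted so R receives the literal string "yes"; an unquoted `yes` may be read as a
          # YAML 1.1 boolean and reach the process as "true".
          R_KEEP_PKG_SOURCE: "yes"
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
        run: |
          mvn --batch-mode deploy \
            org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
            -Dsonar.projectKey=aehrc_pathling -Dsonar.organization=aehrc \
            -Dsonar.host.url=https://sonarcloud.io \
            -Dsonar.sarifReportPaths=trivy-results.sarif \
            -pl '!benchmark' -Pdocs,mavenPreRelease,check
        timeout-minutes: 60
      - name: Upload test artifacts
        # Runs even when the build fails so the failure is diagnosable.
        if: always()
        uses: ./.github/actions/upload-test-artifacts
        with:
          include-jars: "true"
          include-python: "true"
          include-r: "true"
          include-site: "true"
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::865780493209:role/PathlingBenchmarkUpload
          aws-region: ap-southeast-2
      - name: Upload SQL on FHIR test report to S3
        # The ref is read from the runner-provided GITHUB_REF variable (same value as
        # `github.ref`) instead of being expanded into the script text, so characters in a branch
        # name are never interpreted by the shell. The resulting S3 key is unchanged.
        run: |
          aws s3 cp fhirpath/target/fhir-view-compliance-test.json \
            "s3://pathling-benchmark/test-reports/${GITHUB_REF}/sof-test-results.json"

  test-ui:
    name: Test UI
    needs: [detect-changes, pre-release]
    if: needs.detect-changes.outputs.ui == 'true'
    uses: ./.github/workflows/ui-test.yml

  test-server:
    name: Test server
    needs: [detect-changes, pre-release]
    if: needs.detect-changes.outputs.server == 'true'
    uses: ./.github/workflows/server-test.yml
    # NOTE(review): `inherit` exposes every repository/environment secret to the called workflow;
    # if server-test.yml declares the secrets it needs, passing only those is tighter.
    secrets: inherit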