release.yml
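# This workflow builds a release version of Pathling and deploys it to Maven Central and PyPI.
#
# NOTE(review): third-party actions below are referenced by mutable version tags; pinning each
# to a full commit SHA is recommended so a moved tag cannot change what runs on the release path.
name: Release

# This workflow is only run when a release is published.
on:
  release:
    types: [published]
  workflow_dispatch:

jobs:
  release-maven:
    # Only run for main library releases (v*.*.*), not server or helm releases.
    if: github.event_name == 'workflow_dispatch' || (startsWith(github.ref_name, 'v') && !contains(github.ref_name, '/'))
    name: Release to Maven Central
    environment: maven-central
    runs-on: ubuntu-latest
    permissions:
      id-token: write # Required for AWS OIDC authentication.
      contents: write # Required to upload release assets.
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # Full history (including tags) so the build can resolve the release tag.
          fetch-depth: 0
          submodules: recursive

      - name: Set up build environment
        uses: ./.github/actions/setup-build-tools
        with:
          java: "true"
          r: "true"
          r-pandoc: "true"
          python: "true"
          bun: "true"
          spark: "true"
          sonar-cache: "true"

      - name: Install GPG key
        env:
          GPG_KEY: ${{ secrets.GPG_KEY }}
        run: |
          echo "$GPG_KEY" | gpg --batch --import
          gpg --list-secret-keys --keyid-format LONG

      - name: Configure Maven settings
        uses: s4u/maven-settings-action@v3.1.0
        with:
          servers: |
            [{
              "id": "central",
              "username": "${{ secrets.OSSRH_USERNAME }}",
              "password": "${{ secrets.OSSRH_PASSWORD }}"
            }]

      # Release won't be possible if there are outstanding vulnerabilities of medium severity or
      # higher as reported by Trivy.
      - name: Run security scan
        uses: ./.github/actions/trivy-scan
        with:
          skip-files: "examples/**/*,**/target/**/*,sql-on-fhir/**/*,licenses/**/*"
          skip-dirs: "server,ui,site,fhirpath-lab-api,benchmark,test-data,deployment"

      - name: Run deploy goal
        env:
          # Quoted so R receives the literal string "yes" rather than a YAML boolean.
          R_KEEP_PKG_SOURCE: "yes"
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
        run: |
          mvn --batch-mode deploy \
            org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
            -Dsonar.projectKey=aehrc_pathling -Dsonar.organization=aehrc \
            -Dsonar.host.url=https://sonarcloud.io \
            -Dsonar.sarifReportPaths=trivy-results.sarif \
            -pl '!benchmark' -Pdocs,mavenRelease,check
        timeout-minutes: 60

      - name: Upload test artifacts
        if: always()
        uses: ./.github/actions/upload-test-artifacts
        with:
          include-jars: "true"
          include-python: "true"
          include-r: "true"
          include-site: "true"

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::865780493209:role/PathlingBenchmarkUpload
          aws-region: ap-southeast-2

      - name: Extract major version
        id: extract-version
        env:
          # Passed through the environment instead of being interpolated into the script body,
          # so the ref name is never evaluated as shell syntax.
          VERSION_TAG: ${{ github.ref_name }}
        run: |
          # Extract version from tag (e.g. v8.0.1 -> v8).
          # On workflow_dispatch the ref is a branch name, which this pattern will not match.
          MAJOR_VERSION=$(echo "$VERSION_TAG" | sed -E 's/^(v[0-9]+).*/\1/')
          echo "major_version=${MAJOR_VERSION}" >> "$GITHUB_OUTPUT"
          echo "Extracted major version: ${MAJOR_VERSION}"

      - name: Upload SQL on FHIR test report to S3
        env:
          MAJOR_VERSION: ${{ steps.extract-version.outputs.major_version }}
        run: >-
          aws s3 cp fhirpath/target/fhir-view-compliance-test.json
          "s3://pathling-benchmark/test-reports/${MAJOR_VERSION}/sof-test-results.json"

      - name: Upload release assets
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Same environment-variable pass-through as above for the release tag.
          RELEASE_TAG: ${{ github.ref_name }}
        run: |
          gh release upload "$RELEASE_TAG" \
            --clobber \
            library-runtime/target/library-runtime-*.jar \
            lib/python/target/py-dist/pathling-*.whl \
            lib/R/target/pathling_*.tar.gz

  release-pypi:
    name: Release to PyPI
    environment: pypi
    runs-on: ubuntu-latest
    needs: release-maven
    permissions:
      # No step in this job uses GITHUB_TOKEN directly; read access covers the checkout.
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # This is required so that git-commit-id-plugin can find the latest tag.
          fetch-depth: 0
          submodules: recursive

      - name: Set up build environment
        uses: ./.github/actions/setup-build-tools
        with:
          java: "true"
          r: "true"
          r-pandoc: "true"
          python: "true"
          spark: "true"

      - name: Run deploy goal
        env:
          TWINE_USERNAME: ${{ secrets.TWINE_USERNAME }}
          TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }}
          # Quoted so R receives the literal string "yes" rather than a YAML boolean.
          R_KEEP_PKG_SOURCE: "yes"
        run: |
          mvn --batch-mode deploy \
            -pl lib/python -am \
            -DskipTests -PpythonRelease
        timeout-minutes: 30

  upload-to-dap:
    name: Upload source code to CSIRO DAP
    environment: csiro-dap
    runs-on: [self-hosted, Linux]
    needs: [release-maven, release-pypi]
    permissions:
      # GITHUB_TOKEN is handed to dap_upload.py to download the source; read suffices for that.
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Download source code and upload to CSIRO DAP
        run: python .github/scripts/dap_upload.py
        env:
          GITHUB_REPOSITORY: ${{ github.repository }}
          GITHUB_REF_NAME: ${{ github.ref_name }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          DAP_USERNAME: ${{ secrets.DAP_USERNAME }}
          DAP_PASSWORD: ${{ secrets.DAP_PASSWORD }}
          DAP_BASE_URL: https://data.csiro.au
          COLLECTION_PID: csiro:49524
        timeout-minutes: 20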