update sphinx and github actions #401
Workflow file for this run
# Main build pipeline: verifies the software and publishes it.
# NOTE(review): this workflow declares no `permissions:` key, so the
# GITHUB_TOKEN scope is whatever the repository/organisation default is.
# The jobs below push commits and tags, deploy gh-pages, create a release
# and push to ghcr.io - confirm the default and consider declaring the
# needed scopes explicitly.
name: Build

# Events that start the workflow
on:
  # Pushes to the long-lived, release and feature branches
  push:
    branches:
      - develop
      - 'release/**'
      - main
      - 'feature/**'
  # Manual runs from the Actions tab (these can target any branch)
  workflow_dispatch:

# Values shared by every step
env:
  POETRY_VERSION: '2.1.3'
  PYTHON_VERSION: '3.10'
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}
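jobs:
  # Single job: install, verify, version, publish and deploy the software.
  # Which publish/deploy steps run is decided by the branch (see the `if:`
  # conditions) and by the `venue` value set in "Bump version and set venue".
  build:
    name: Build, Test, Verify, Publish
    # The type of runner that the job will run on
    runs-on: ubuntu-latest
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}
      - name: Install Poetry
        uses: abatilo/actions-poetry@v4
        with:
          poetry-version: ${{ env.POETRY_VERSION }}
      # Reads the package name and version from pyproject.toml via Poetry.
      - name: Get version
        id: get-version
        run: |
          echo "current_version=$(poetry version | awk '{print $2}')" >> "$GITHUB_OUTPUT"
          echo "pyproject_name=$(poetry version | awk '{print $1}')" >> "$GITHUB_ENV"
      # Derives the new version and the deployment venue from the branch name.
      # Exports `venue` and `software_version` through GITHUB_ENV, so later
      # steps can read them as ordinary shell variables.
      - name: Bump version and set venue
        id: bump-version
        env:
          # Passed through the environment instead of being expanded into the
          # script text, so the value is never parsed as shell code.
          CURRENT_VERSION: ${{ steps.get-version.outputs.current_version }}
        run: |
          ref="${GITHUB_REF#refs/heads/}"
          current_version="$CURRENT_VERSION"
          if [[ "$ref" == feature/* ]]; then
            new_ver="${current_version}+$(git rev-parse --short "${GITHUB_SHA}")"
            poetry version "$new_ver"
            echo "venue=sit" >> "$GITHUB_ENV"
          elif [[ "$ref" == "develop" ]]; then
            poetry version prerelease
            echo "venue=sit" >> "$GITHUB_ENV"
          elif [[ "$ref" == release/* ]]; then
            if [[ "$current_version" == *rc* ]]; then
              poetry version prerelease
            else
              poetry version "${ref#release/}rc1"
            fi
            echo "venue=uat" >> "$GITHUB_ENV"
          elif [[ "$ref" == "main" ]]; then
            # Exact match: a manually dispatched run on a branch that merely
            # starts with "main" must not be given the ops venue, which
            # selects the OPS AWS credentials and the `ops` image tag below.
            # Remove rc* from the end of the version string
            release_ver="${current_version%%rc*}"
            poetry version "$release_ver"
            echo "venue=ops" >> "$GITHUB_ENV"
          fi
          echo "software_version=$(poetry version | awk '{print $2}')" >> "$GITHUB_ENV"
      - name: Install concise
        run: poetry install
      - name: Lint
        run: |
          poetry run pylint podaac
          poetry run flake8 podaac
      - name: Test and coverage
        run: |
          poetry run pytest --junitxml=build/reports/pytest.xml --cov=podaac/ --cov-report=xml:build/reports/coverage.xml -m "not aws and not integration" tests/
      - name: SonarCloud Scan
        uses: sonarsource/sonarqube-scan-action@v4
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          args: >
            -Dsonar.organization=${{ github.repository_owner }}
            -Dsonar.projectKey=${{ github.repository_owner }}_concise
            -Dsonar.python.coverage.reportPaths=build/reports/coverage.xml
            -Dsonar.sources=podaac/
            -Dsonar.tests=tests/
            -Dsonar.projectName=podaac-concise
            -Dsonar.projectVersion=${{ env.software_version }}
            -Dsonar.python.version=${{ env.PYTHON_VERSION }}
      # Fails the job when Snyk reports issues at or above the threshold.
      # NOTE(review): `@master` is a mutable ref and this step receives
      # SNYK_TOKEN; pin the action to a reviewed full commit SHA.
      - name: Run Snyk as a blocking step
        uses: snyk/actions/python-3.10@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: test
          args: >
            --org=${{ secrets.SNYK_ORG_ID }}
            --project-name=${{ github.repository }}
            --severity-threshold=high
            --fail-on=all
      # Records a dependency snapshot in Snyk for ongoing monitoring.
      # NOTE(review): same mutable `@master` ref as the step above.
      - name: Run Snyk on Python
        uses: snyk/actions/python-3.10@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: monitor
          args: >
            --org=${{ secrets.SNYK_ORG_ID }}
            --project-name=${{ github.repository }}
      # Commits the bumped pyproject.toml and pushes an annotated tag.
      # `software_version` is read from the shell environment rather than
      # expanded into the script by the workflow template engine.
      - name: Commit version bump and push tag
        if: |
          github.ref == 'refs/heads/develop' ||
          github.ref == 'refs/heads/main' ||
          startsWith(github.ref, 'refs/heads/release')
        run: |
          git config --global user.name "${GITHUB_ACTOR}"
          git config --global user.email "${GITHUB_ACTOR}@users.noreply.github.com"
          git commit -am "/version ${software_version}"
          git push
          git tag -a "${software_version}" -m "Version ${software_version}"
          git push origin "${software_version}"
      # NOTE(review): both AWS steps use long-lived access keys stored as
      # secrets. The action also supports assuming a role through OIDC
      # (`role-to-assume`, needs `id-token: write`), which removes the
      # static keys - consider migrating.
      - name: Configure AWS credentials for UAT
        if: env.venue == 'uat'
        uses: aws-actions/configure-aws-credentials@v3
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CUMULUS_UAT }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CUMULUS_UAT }}
          aws-region: us-west-2
      - name: Configure AWS credentials for OPS
        if: env.venue == 'ops'
        uses: aws-actions/configure-aws-credentials@v3
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CUMULUS_OPS }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CUMULUS_OPS }}
          aws-region: us-west-2
      # Invokes the venue's token-dispenser Lambda and exposes the token as
      # the masked step output `result`.
      - name: Get Lauchpad Token
        id: lambda
        if: |
          github.ref == 'refs/heads/main' ||
          startsWith(github.ref, 'refs/heads/release')
        run: |
          OUTPUT_FILE=result.json
          PAYLOAD=$(echo '{"client_id": "L2SSpyGithubAction", "minimum_alive_secs": 300}' | base64)
          aws lambda invoke \
            --function-name "${venue}-launchpad_token_dispenser" \
            --payload "$PAYLOAD" \
            "$OUTPUT_FILE" > /dev/null 2>&1
          RESULT=$(jq -r '.sm_token' < "$OUTPUT_FILE")
          # The response file holds the token in clear text inside the
          # workspace, which later serves as the Docker build context
          # (`context: .`); delete it as soon as the value has been read.
          rm -f "$OUTPUT_FILE"
          # jq prints the string "null" when the key is missing; stop here
          # instead of masking and publishing a non-token.
          if [[ -z "$RESULT" || "$RESULT" == "null" ]]; then
            echo "::error::Launchpad token dispenser returned no sm_token"
            exit 1
          fi
          echo "::add-mask::$RESULT"
          echo "result=$RESULT" >> "$GITHUB_OUTPUT"
      # NOTE(review): `@develop` is a branch ref and this step receives the
      # Launchpad token; pin the action to a reviewed full commit SHA.
      - name: Publish UMM-S with new version
        uses: podaac/cmr-umm-updater@develop
        if: |
          github.ref == 'refs/heads/main' ||
          startsWith(github.ref, 'refs/heads/release')
        with:
          umm-json: 'cmr/concise_cmr_umm_s.json'
          provider: 'POCLOUD'
          env: ${{ env.venue }}
          version: ${{ env.software_version }}
          timeout: 60
          disable_removal: 'true'
          umm_type: 'umm-s'
          use_associations: 'false'
          umm_version: '1.5.2'
        env:
          LAUNCHPAD_TOKEN_SIT: ${{ steps.lambda.outputs.result }}
          LAUNCHPAD_TOKEN_UAT: ${{ steps.lambda.outputs.result }}
          LAUNCHPAD_TOKEN_OPS: ${{ steps.lambda.outputs.result }}
      - name: Build Docs
        if: |
          github.ref == 'refs/heads/main'
        run: |
          poetry run sphinx-build -b html ./docs docs/_build/
      # Publishes the docs twice: under a per-version folder and at the root.
      - name: Prepare combined folder for deploy
        if: |
          github.ref == 'refs/heads/main'
        run: |
          mkdir -p "deploy_dir/${software_version}"
          cp -r docs/_build/* "deploy_dir/${software_version}/"
          cp -r docs/_build/* deploy_dir/
      - name: Deploy combined docs
        if: github.ref == 'refs/heads/main'
        uses: JamesIves/github-pages-deploy-action@v4
        with:
          branch: gh-pages
          folder: deploy_dir
          clean: false
      - name: Build Python Artifact
        run: |
          poetry build
      - uses: actions/upload-artifact@v4
        with:
          name: python-artifact
          path: dist/*
      - name: Publish to test.pypi.org
        if: |
          github.ref == 'refs/heads/develop' ||
          startsWith(github.ref, 'refs/heads/release')
        env:
          POETRY_PYPI_TOKEN_TESTPYPI: ${{secrets.POETRY_PYPI_TOKEN_TESTPYPI}}
        run: |
          poetry config repositories.testpypi https://test.pypi.org/legacy/
          poetry publish -r testpypi
      - name: Publish to pypi.org
        if: ${{ github.ref == 'refs/heads/main' }}
        env:
          POETRY_PYPI_TOKEN_PYPI: ${{secrets.POETRY_PYPI_TOKEN_PYPI}}
        run: |
          poetry publish
      - name: Log in to the Container registry
        if: ${{ !startsWith(github.ref, 'refs/heads/feature') }}
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Extract metadata (tags, labels) for Docker
        if: ${{ !startsWith(github.ref, 'refs/heads/feature') }}
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
            type=raw,pattern={{version}},value=${{ env.software_version }}
            type=raw,value=${{ env.venue }}
      # Blocks until the just-published package version can be installed.
      # The requirement string is quoted so the shell does not treat
      # `[harmony]` as a glob pattern.
      - name: Wait for package
        if: ${{ !startsWith(github.ref, 'refs/heads/feature') }}
        run: |
          pip install tenacity
          "${GITHUB_WORKSPACE}/.github/workflows/wait-for-pypi.py" "${pyproject_name}[harmony]==${software_version}"
      - name: Build and push Docker image
        if: ${{ !startsWith(github.ref, 'refs/heads/feature') }}
        id: docker-push
        uses: docker/build-push-action@v5
        with:
          context: .
          file: docker/Dockerfile
          build-args: |
            SOURCE=${{env.pyproject_name}}[harmony]==${{ env.software_version }}
          push: true
          pull: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
      - name: Run Snyk on Docker Image
        if: ${{ !startsWith(github.ref, 'refs/heads/feature') }}
        # Snyk can be used to break the build when it detects vulnerabilities.
        # In this case we want to upload the issues to GitHub Code Scanning
        # NOTE(review): no upload step is present in this workflow, and the
        # scan runs after the image has already been pushed; with
        # continue-on-error the findings are report-only.
        # NOTE(review): `@master` is a mutable ref and this step receives
        # SNYK_TOKEN; pin the action to a reviewed full commit SHA.
        continue-on-error: true
        uses: snyk/actions/docker@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          # Step outputs are strings, so `outputs.tags[0]` does not select the
          # first tag; the action's `json` output carries the tags as a list.
          image: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
          args: >
            --severity-threshold=high
      - name: Deploy Harmony
        env:
          ENV: ${{ env.venue }}
          CMR_USER: ${{ secrets.CMR_USER }}
          CMR_PASS: ${{ secrets.CMR_PASS }}
        if: |
          github.ref == 'refs/heads/main' ||
          startsWith(github.ref, 'refs/heads/release')
        working-directory: deployment
        run: |
          poetry run python harmony_deploy.py --tag "${software_version}"
      - name: Create Release
        id: create_release
        if: |
          github.ref == 'refs/heads/main'
        uses: softprops/action-gh-release@v2
        with:
          # Tag pushed earlier in this job by "Commit version bump and push tag"
          tag_name: ${{ env.software_version }}
          name: Release v${{ env.software_version }}
          draft: false
          generate_release_notes: true
          token: ${{ secrets.GITHUB_TOKEN }}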