test-and-build.yaml
---
# Workflow header: trigger, default token permissions and shared variables.
name: Build

# Default GITHUB_TOKEN scope for every job; jobs that need more declare
# their own `permissions` block.
permissions:
  contents: read

# Runs on every push to main and on manual dispatch.
on:
  push:
    branches:
      - main
  workflow_dispatch:

env:
  # Artifact Registry repository; the project id comes from a secret, so
  # GitHub masks it wherever this value is printed in logs.
  REGISTRY: europe-north1-docker.pkg.dev/${{ secrets.GAR_PROJECT_ID }}/microdata-docker
  IMAGE: job-executor
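# Pipeline: test -> build (push image) -> integration-test dispatch,
# revoke (cancel older waiting runs) -> deploy dispatch.
#
# NOTE(review): actions/checkout, actions/setup-python and
# actions/github-script are referenced by mutable tags (@v4, @v5, @v7),
# while every other action in this file is pinned to a full commit SHA.
# Pin these three the same way (`uses: owner/action@<full-commit-sha>  # vX`)
# so a moved tag cannot change what runs with this workflow's credentials.
jobs:
  test:
    name: Test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # No later step pushes or fetches, so do not leave the job token
          # in .git/config where dependency and test code could read it.
          persist-credentials: false
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.13"
      - name: Install the latest version of uv
        uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41  # v7.1.2
      - name: Sync dependencies
        # NOTE(review): if the repository commits a uv.lock, `uv sync --locked`
        # would fail the build instead of silently re-resolving - confirm.
        run: uv sync
      - name: Run tests
        run: uv run pytest

  build:
    runs-on: ubuntu-latest
    needs: test
    permissions:
      contents: read
      # Lets the auth step request an OIDC token for workload identity
      # federation; no long-lived Google credential is stored as a secret.
      id-token: write
    steps:
      - uses: actions/checkout@v4
        with:
          # The whole checkout is the Docker build context below; keeping
          # the token out of .git/config keeps it out of any copied layer.
          persist-credentials: false
      - name: Authenticate to Google Cloud
        id: auth
        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093  # v3
        with:
          workload_identity_provider: "projects/${{ secrets.GAR_PROJECT_NUMBER }}/locations/global/workloadIdentityPools/gh-actions/providers/gh-actions"
          service_account: "gh-actions-microdata@${{ secrets.GAR_PROJECT_ID }}.iam.gserviceaccount.com"
          # Exposes an access token as a step output; used as the registry
          # password in the login step.
          token_format: access_token
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435  # v3.11.1
      - name: Login to Artifact Registry
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef  # v3.6.0
        with:
          registry: ${{ env.REGISTRY }}
          username: "oauth2accesstoken"
          password: "${{ steps.auth.outputs.access_token }}"
      - name: Extract build metadata for Docker
        id: build_metadata
        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893  # v5.9.0
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE }}
          # One tag tied to the commit, plus the mutable `latest`.
          tags: |
            type=raw,value=main-{{sha}}
            type=raw,value=latest
      - name: Build and push docker image to Artifact Registry
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83  # v6.18.0
        with:
          context: .
          # NOTE(review): turns off the build provenance attestation; the
          # reason is not visible here - confirm this is deliberate.
          provenance: false
          file: Dockerfile
          push: true
          tags: ${{ steps.build_metadata.outputs.tags }}
          labels: ${{ steps.build_metadata.outputs.labels }}
          build-args: |
            COMMIT_ID=${{ github.sha }}

  integration-test:
    name: Run Integration test
    runs-on: ubuntu-latest
    needs: build
    # The only step authenticates with a PAT and requests no OIDC token,
    # so the job's own GITHUB_TOKEN needs no scopes at all.
    permissions: {}
    steps:
      - name: Call workflow
        uses: actions/github-script@v7
        env:
          INTEGRATION_TEST_REPO: ${{ secrets.INTEGRATION_TEST_REPO }}
          INTEGRATION_TEST_WORKFLOW: "${{ secrets.INTEGRATION_TEST_WORKFLOW }}.yaml"
        with:
          # NOTE(review): long-lived PAT; presumably it only needs to
          # dispatch workflows in the target repository - confirm its scope.
          github-token: ${{ secrets.INTEGRATION_TEST_PAT }}
          # Fire-and-forget: this job succeeds once the dispatch is
          # accepted, not when the remote integration tests pass.
          script: |
            await github.rest.actions.createWorkflowDispatch({
              owner: 'statisticsnorway',
              repo: process.env.INTEGRATION_TEST_REPO,
              workflow_id: process.env.INTEGRATION_TEST_WORKFLOW,
              ref: 'main'
            })

  revoke:
    runs-on: ubuntu-latest
    needs: build
    permissions:
      # Needed by `gh run cancel`.
      actions: write
    steps:
      # NOTE(review): presumably checked out only so `gh` can infer the
      # repository from the git remote; nothing below reads the sources.
      - uses: actions/checkout@v4
        with:
          # The steps below authenticate through GH_TOKEN, so the token does
          # not need to be written into .git/config as well.
          persist-credentials: false
      - name: Mark older approvals as unnecessary
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # Find previous workflow runs for the same workflow
          # (87753728 is a numeric workflow id; which file it maps to is not visible here).
          runs=$(gh run list --workflow=87753728 --json databaseId,status --jq '.[] | select(.status == "waiting") | .databaseId')
          # $runs is left unquoted on purpose: one id per whitespace-separated word.
          for run_id in $runs; do
            echo "Marking workflow run $run_id as outdated"
            gh run cancel "$run_id"
          done

  deploy:
    name: Deploy to production
    runs-on: ubuntu-latest
    # NOTE(review): integration-test is not listed here and only dispatches
    # a remote workflow, so test results do not gate this job; the `prod`
    # environment is the only gate visible - confirm it requires reviewers.
    needs: [build, revoke]
    environment: prod
    # The only step authenticates with a PAT and requests no OIDC token,
    # so the job's own GITHUB_TOKEN needs no scopes at all.
    permissions: {}
    steps:
      - name: Call workflow
        uses: actions/github-script@v7
        env:
          DEPLOY_REPO: ${{ secrets.DEPLOY_REPO }}
          DEPLOY_WORKFLOW: "${{ secrets.DEPLOY_WORKFLOW }}.yaml"
        with:
          # NOTE(review): long-lived PAT that can trigger a production
          # deployment; presumably it only needs to dispatch workflows in
          # the deploy repository - confirm its scope and rotation.
          github-token: ${{ secrets.DEPLOY_PAT }}
          # The dispatch passes no image tag or digest, so the target
          # workflow (not visible here) decides which image is deployed.
          script: |
            await github.rest.actions.createWorkflowDispatch({
              owner: 'statisticsnorway',
              repo: process.env.DEPLOY_REPO,
              workflow_id: process.env.DEPLOY_WORKFLOW,
              ref: 'master',
              inputs: {
                environment: "PROD",
                service: "job-executor"
              }
            })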