dataverse/.github/workflows/container_app_push.yml at develop · QualitativeDataRepository/dataverse · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
---
name: Application Container Image

on:
    # We are deliberately *not* running on push events here to avoid double runs.
    # Instead, push events will trigger from the base image and maven unit tests via workflow_call.
    workflow_call:
        inputs:
            base-image-ref:
                type: string
                description: "Reference of the base image to build on in full qualified form [<registry>/]<namespace>/<repo>:<tag>"
                required: false
                default: "gdcc/base:unstable"
    pull_request:
        branches:
            - develop
            - master
        paths:
            - 'src/main/docker/**'
            - 'modules/container-configbaker/**'
            - '.github/workflows/container_app_push.yml'

env:
    IMAGE_TAG: unstable
    REGISTRY: "" # Empty means default to Docker Hub
    PLATFORMS: "linux/amd64,linux/arm64"

jobs:
    build:
        name: "Build & Test"
        runs-on: ubuntu-latest
        permissions:
            contents: read
            packages: write
            pull-requests: write
        # Only run in upstream repo - avoid unnecessary runs in forks
        if: ${{ github.repository_owner == 'IQSS' }}

        steps:
            - name: Checkout and Setup Maven
              uses: IQSS/dataverse/.github/actions/setup-maven@develop
              with:
                pom-paths: |
                  pom.xml
                  modules/container-configbaker/pom.xml
                  modules/dataverse-parent/pom.xml

            # TODO: Add a filter step here, that avoids building the image if this is a PR and there are other files touched than declared above.
            #       Use https://github.com/dorny/paths-filter to solve this. This will ensure we do not run this twice if this workflow
            #       will be triggered by the other workflows already (base image or java changes)
            #       To become a part of #10618.

            - name: Build app and configbaker container image with local architecture and submodules (profile will skip tests)
              run: >
                  mvn -B -f modules/dataverse-parent
                  -P ct -pl edu.harvard.iq:dataverse -am
                  $( [[ -n "${{ inputs.base-image-ref }}" ]] && echo "-Dbase.image=${{ inputs.base-image-ref }}" )
                  install

            # TODO: add smoke / integration testing here (add "-Pct -DskipIntegrationTests=false")

    # Note: Accessing, pushing tags etc. to DockerHub or GHCR will only succeed in upstream because secrets.
    # We check for them here and subsequent jobs can rely on this to decide if they shall run.
    check-secrets:
        needs: build
        name: Check for Secrets Availability
        runs-on: ubuntu-latest
        outputs:
            available: ${{ steps.secret-check.outputs.available }}
        steps:
            - id: secret-check
              # perform secret check & put boolean result as an output
              shell: bash
              run: |
                  if [ "${{ secrets.DOCKERHUB_TOKEN }}" != '' ]; then
                      echo "available=true" >> $GITHUB_OUTPUT;
                  else
                      echo "available=false" >> $GITHUB_OUTPUT;
                  fi

    deploy:
        needs: check-secrets
        name: "Package & Publish"
        runs-on: ubuntu-latest
        # Only run this job if we have access to secrets. This is true for events like push/schedule which run in the
        # context of the main repo, but for PRs only true if coming from the main repo! Forks have no secret access.
        #
        # Note: The team's decision was to not auto-deploy an image on any git push where no PR exists (yet).
        #       Accordingly, only run for push events on the 'develop' branch.
        if: needs.check-secrets.outputs.available == 'true' &&
            ( github.event_name != 'push' || ( github.event_name == 'push' && github.ref_name == 'develop' ))
        steps:
            - name: Checkout and Setup Maven
              uses: IQSS/dataverse/.github/actions/setup-maven@develop
              with:
                pom-paths: |
                  pom.xml
                  modules/container-configbaker/pom.xml
                  modules/dataverse-parent/pom.xml

            # Depending on context, we push to different targets. Login accordingly.
            - if: github.event_name != 'pull_request'
              name: Log in to Docker Hub registry
              uses: docker/login-action@v3
              with:
                  username: ${{ secrets.DOCKERHUB_USERNAME }}
                  password: ${{ secrets.DOCKERHUB_TOKEN }}
            - if: ${{ github.event_name == 'pull_request' }}
              name: Login to Github Container Registry
              uses: docker/login-action@v3
              with:
                  registry: ghcr.io
                  username: ${{ secrets.GHCR_USERNAME }}
                  password: ${{ secrets.GHCR_TOKEN }}

            - name: Set up QEMU for multi-arch builds
              uses: docker/setup-qemu-action@v3

            - name: Add rolling image tag when pushing to develop
              if: ${{ github.event_name == 'push' && github.ref_name == 'develop' }}
              run: |
                  echo "ADDITIONAL_TAGS=-Ddocker.tags.upcoming=$( mvn initialize help:evaluate -Pct -Dexpression=app.image.tag -Dapp.image.tag='${app.image.version}-${base.image.flavor}' -q -DforceStdout )" | tee -a "$GITHUB_ENV"
            - name: Re-set image tag and container registry when on PR
              if: ${{ github.event_name == 'pull_request' }}
              run: |
                  echo "IMAGE_TAG=$(echo "$GITHUB_HEAD_REF" | tr '\\/_:&+,;#*' '-')" | tee -a "$GITHUB_ENV"
                  echo "REGISTRY='-Ddocker.registry=ghcr.io'" | tee -a "$GITHUB_ENV"

            # Necessary to split as otherwise the submodules are not available (deploy skips install)
            - name: Build app and configbaker container image with local architecture and submodules (profile will skip tests)
              run: >
                  mvn -B -f modules/dataverse-parent
                  -P ct -pl edu.harvard.iq:dataverse -am
                  $( [[ -n "${{ inputs.base-image-ref }}" ]] && echo "-Dbase.image=${{ inputs.base-image-ref }}" )
                  install
            - name: Deploy multi-arch application and configbaker container image
              run: >
                  mvn
                  -Dapp.image.tag=${{ env.IMAGE_TAG }} ${{ env.ADDITIONAL_TAGS }}
                  $( [[ -n "${{ inputs.base-image-ref }}" ]] && echo "-Dbase.image=${{ inputs.base-image-ref }}" )
                  ${{ env.REGISTRY }} -Ddocker.platforms=${{ env.PLATFORMS }}
                  -P ct deploy

            - uses: marocchino/sticky-pull-request-comment@v2
              if: ${{ github.event_name == 'pull_request' }}
              with:
                  header: registry-push
                  hide_and_recreate: true
                  hide_classify: "OUTDATED"
                  message: |
                      :package: Pushed preview images as
                      ```
                      ghcr.io/gdcc/dataverse:${{ env.IMAGE_TAG }}
                      ```
                      ```
                      ghcr.io/gdcc/configbaker:${{ env.IMAGE_TAG }}
                      ```
                      :ship: [See on GHCR](https://github.com/orgs/gdcc/packages/container). Use by referencing with full name as printed above, mind the registry name.