Skip to content

Build Release

Build Release #161

Workflow file for this run

---
name: "Build Release"
on:
workflow_dispatch:
inputs:
releaseBranch:
description: >-
releaseBranch: Override the branch on which a release is based.
Default to the selected reference in the `Use workflow from` drop-down when empty.
required: false
default: ""
releaseVersion:
description: >-
releaseVersion: Override the release version. Default to promoting the current
X.Y.Z-SNAPSHOT to X.Y.Z when empty.
required: false
default: ""
developmentVersion:
description: >-
developmentVersion: Override the next development iteration version.
Default to X.(Y+1).0-SNAPSHOT of the release version X.Y.Z when empty.
required: false
default: ""
awsRegion:
description: >-
awsRegion: Override the AWS Region destination for uploaded artifacts.
Default to `us-east-1`.
default: us-east-1
type: choice
options:
- us-east-1
- us-west-2
required: true
forceRelease:
description: >-
forceRelease: Override creation of the GitHub Release object.
Default to creating release objects when `releaseVersion` does not contain the hyphen
character ('-'), indicating a pre-release.
default: false
required: false
type: boolean
permissions:
id-token: write # This is required for requesting the AWS IAM OIDC JWT
contents: write # This is required for actions/checkout
env:
# AWS Code Artifact Repository
CA_REPOSITORY: bfd-mgmt
CA_DOMAIN: bfd-mgmt
AWS_REGION: ${{ inputs.awsRegion }}
BFD_RELEASE_OVERRIDE: ${{ inputs.releaseVersion }}
BFD_DEV_VERSION_OVERRIDE: ${{ inputs.developmentVersion }}
defaults:
run:
shell: bash
jobs:
run-mvn-release:
runs-on: ubuntu-latest
outputs:
BFD_RELEASE: ${{ steps.bfd-version-strings.outputs.BFD_RELEASE }}
steps:
- name: "Generate an App Token"
id: generate_token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ secrets.BFD_RELEASE_APP_ID }}
private-key: ${{ secrets.BFD_RELEASE_APP_KEY }}
- name: Checkout
if: github.event_name == 'workflow_dispatch'
uses: actions/checkout@v4
with:
fetch-depth: 0
ref: ${{ inputs.releaseBranch || github.ref_name }}
token: ${{ steps.generate_token.outputs.token }}
- name: 'Install yq'
run: |
sudo wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq
sudo chmod +x /usr/bin/yq
- name: Install gitleaks
run: |
curl -s https://api.github.com/repos/gitleaks/gitleaks/releases/latest \
| grep "browser_download_url.*linux_x64.tar.gz" \
| cut -d : -f 2,3 \
| tr -d \" \
| wget -qi -
sudo tar -xzf "$(find -iname 'gitleaks*.tar.gz')" -C /usr/bin gitleaks
sudo chmod +x /usr/bin/gitleaks
- name: Set and Validate Version Strings
id: bfd-version-strings
run: |
# Set default values for bfd-parent version based on existing version string in apps/pom.xml
BFD_PARENT_POM_VERSION="$(yq --output-format=yaml .project.version apps/pom.xml)"
## Use override OR promote default by removing '-SNAPSHOT' suffix
BFD_RELEASE_DEFAULT="$(yq 'split("-") | .[0]' <<< "$BFD_PARENT_POM_VERSION")"
BFD_RELEASE="${BFD_RELEASE_OVERRIDE:-$BFD_RELEASE_DEFAULT}"
## Use override OR increment default value Y in X.Y.Z formatted release version, attach '-SNAPSHOT' suffix
BFD_DEV_VERSION_DEFAULT="$(yq 'split("-") | .[0] | split(".") | map(. type = "!!int") | [.[0], .[1]+1, .[2]] | join(".")' <<< "$BFD_PARENT_POM_VERSION")-SNAPSHOT"
BFD_DEV_VERSION="${BFD_DEV_VERSION_OVERRIDE:-$BFD_DEV_VERSION_DEFAULT}"
# Validate and set BFD_RELASE and BFD_DEV_VERSION
echo "$BFD_RELEASE" | grep -P '^\d+\.\d+\.\d+$|^\d+\.\d+\.\d+-[a-zA-Z0-9-]+$'
echo BFD_RELEASE="${BFD_RELEASE}" >> "$GITHUB_ENV"
echo BFD_RELEASE="${BFD_RELEASE}" >> "$GITHUB_OUTPUT"
echo "$BFD_DEV_VERSION" | grep -P '^\d+\.\d+\.\d+-SNAPSHOT$'
echo BFD_DEV_VERSION="${BFD_DEV_VERSION_OVERRIDE:-$BFD_DEV_VERSION_DEFAULT}" >> "$GITHUB_ENV"
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.GHA_AWS_IAM_ROLE_ARN }}
role-session-name: run-mvn-release
aws-region: ${{ inputs.awsRegion }}
- name: Login to ECR
uses: aws-actions/amazon-ecr-login@v2
- name: Setup JDK
uses: actions/setup-java@v4
with:
java-version: "21"
distribution: corretto
- name: Configure the git user
run: |
git config --global user.email "[email protected]"
git config --global user.name "GitHub Actions"
- name: Set Authorization Token
run: |
CODEARTIFACT_AUTH_TOKEN="$(aws codeartifact get-authorization-token --domain "$CA_DOMAIN" --domain-owner ${{ secrets.AWS_ACCOUNT_ID }} --query authorizationToken --output text --region "$AWS_REGION")"
echo "::add-mask::$CODEARTIFACT_AUTH_TOKEN"
echo CODEARTIFACT_AUTH_TOKEN=$CODEARTIFACT_AUTH_TOKEN >> $GITHUB_ENV
- name: Get Repository Endpoint
run: |
CA_REPOSITORY_ENDPOINT="$(aws codeartifact get-repository-endpoint --domain "$CA_DOMAIN" --repository "$CA_REPOSITORY" --format maven --query repositoryEndpoint --output text)"
echo "::add-mask::$CA_REPOSITORY_ENDPOINT"
echo CA_REPOSITORY_ENDPOINT=$CA_REPOSITORY_ENDPOINT >> $GITHUB_ENV
- name: Get ECR Registry Namespace
run: |
ECR_REPOSITORY_NAMESPACE="$(aws ecr describe-registry --region "$AWS_REGION" | jq -r '.registryId').dkr.ecr.${AWS_REGION}.amazonaws.com"
echo "::add-mask::$ECR_REPOSITORY_NAMESPACE"
echo ECR_REPOSITORY_NAMESPACE=$ECR_REPOSITORY_NAMESPACE >> $GITHUB_ENV
- name: Configure additional maven settings.xml
run: |-
cat <<"EOF" > ~/.m2/settings.xml
<settings xmlns="http://maven.apache.org/settings/1.0.0" xmlns:xsi="http://www.w3.org/2001/xmlschema-instance"
xsi:schemalocation="http://maven.apache.org/settings/1.0.0 https://maven.apache.org/xsd/settings-1.0.0.xsd">
<servers>
<server>
<username>aws</username>
<password>${env.CODEARTIFACT_AUTH_TOKEN}</password>
<id>${env.CA_DOMAIN}-${env.CA_REPOSITORY}</id>
</server>
<server>
<id>github</id>
<username>${env.GITHUB_ACTOR}</username>
<password>${env.GITHUB_TOKEN}</password>
</server>
</servers>
</settings>
EOF
- name: "Prepare and Perform Release"
if: github.event_name == 'workflow_dispatch'
run: |-
mvn --batch-mode --activate-profiles release \
-Dtag="$BFD_RELEASE" \
-DreleaseVersion="$BFD_RELEASE" \
-DdevelopmentVersion="$BFD_DEV_VERSION" \
release:prepare release:perform
working-directory: ./apps
env:
GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
- name: "Perform Exceptional Rollback"
if: failure()
run: mvn release:rollback
working-directory: ./apps
build-docker-images:
uses: ./.github/workflows/build-docker-images.yml
needs: run-mvn-release
permissions:
contents: read
id-token: write
with:
branch: ${{ inputs.releaseBranch || github.ref_name }}
versionTag: ${{ needs.run-mvn-release.outputs.BFD_RELEASE }}
awsRegion: ${{ inputs.awsRegion }}
secrets: inherit
create-gh-release:
if: ${{ !contains(needs.run-mvn-release.outputs.BFD_RELEASE, '-') || inputs.forceRelease }}
runs-on: ubuntu-latest
needs: [run-mvn-release, build-docker-images]
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.GHA_AWS_IAM_ROLE_ARN }}
role-session-name: create-gh-release
aws-region: ${{ inputs.awsRegion }}
- name: Pull Release Files
run: |
readarray -t assets < <(echo "$CA_ASSETS" | jq -r -c '.[]')
for asset in "${assets[@]}"
do
aws codeartifact get-package-version-asset \
--domain-owner ${{ secrets.AWS_ACCOUNT_ID }} \
--domain "$CA_DOMAIN" \
--repository "$CA_REPOSITORY" \
--asset "$asset" \
--package-version "$BFD_RELEASE" \
--package "$CA_PACKAGE" \
--namespace "$CA_NAMESPACE" \
--format maven \
--region "$AWS_REGION" \
"${asset/$CA_PACKAGE-${BFD_RELEASE}-/}" 1>/dev/null
done
# rename data dictionary release assets to follow historical naming conventions
for item in ./*data-dictionary*
do
filename=$(basename -- "$item")
extension="${filename##*.}"
filename="$(echo "${filename%.*}" | sed -E 's/^v([0-9]+.*)$/V\1/')"
mv "$item" "$filename-${BFD_RELEASE}.$extension"
done
mv ./openapi.yaml "openapi-${BFD_RELEASE}.yaml"
env:
BFD_RELEASE: ${{ needs.run-mvn-release.outputs.BFD_RELEASE }}
CA_NAMESPACE: gov.cms.bfd
CA_PACKAGE: bfd-server-war
CA_ASSETS: |
[
"bfd-server-war-${{ needs.run-mvn-release.outputs.BFD_RELEASE }}-v1-data-dictionary.csv",
"bfd-server-war-${{ needs.run-mvn-release.outputs.BFD_RELEASE }}-v2-data-dictionary.csv",
"bfd-server-war-${{ needs.run-mvn-release.outputs.BFD_RELEASE }}-v1-data-dictionary.json",
"bfd-server-war-${{ needs.run-mvn-release.outputs.BFD_RELEASE }}-v2-data-dictionary.json",
"bfd-server-war-${{ needs.run-mvn-release.outputs.BFD_RELEASE }}-data-dictionary.xlsx",
"bfd-server-war-${{ needs.run-mvn-release.outputs.BFD_RELEASE }}-openapi.yaml"
]
- name: Release
uses: ncipollo/release-action@v1
with:
# NOTE: Prevent automatic promotion of pre-release objects to latest
makeLatest: "${{ !contains(needs.run-mvn-release.outputs.BFD_RELEASE, '-') }}"
generateReleaseNotes: true
artifactErrorsFailBuild: true
tag: ${{ needs.run-mvn-release.outputs.BFD_RELEASE }}
name: "v${{ needs.run-mvn-release.outputs.BFD_RELEASE }}"
artifacts: "*.csv,*.json,*.xlsx,*.yaml"