Build Release #162
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: "Build Release" | |
on: | |
workflow_dispatch: | |
inputs: | |
releaseBranch: | |
description: >- | |
releaseBranch: Override the branch on which a release is based. | |
Default to the selected reference in the `Use workflow from` drop-down when empty. | |
required: false | |
default: "" | |
releaseVersion: | |
description: >- | |
releaseVersion: Override the release version. Default to promoting the current | |
X.Y.Z-SNAPSHOT to X.Y.Z when empty. | |
required: false | |
default: "" | |
developmentVersion: | |
description: >- | |
developmentVersion: Override the next development iteration version. | |
Default to X.(Y+1).0-SNAPSHOT of the release version X.Y.Z when empty. | |
required: false | |
default: "" | |
awsRegion: | |
description: >- | |
awsRegion: Override the AWS Region destination for uploaded artifacts. | |
Default to `us-east-1`. | |
default: us-east-1 | |
type: choice | |
options: | |
- us-east-1 | |
- us-west-2 | |
required: true | |
forceRelease: | |
description: >- | |
forceRelease: Override creation of the GitHub Release object. | |
Default to creating release objects when `releaseVersion` does not contain the hyphen | |
character ('-'), indicating a pre-release. | |
default: false | |
required: false | |
type: boolean | |
permissions: | |
id-token: write # This is required for requesting the AWS IAM OIDC JWT | |
contents: write # This is required for actions/checkout | |
env: | |
# AWS Code Artifact Repository | |
CA_REPOSITORY: bfd-mgmt | |
CA_DOMAIN: bfd-mgmt | |
AWS_REGION: ${{ inputs.awsRegion }} | |
BFD_RELEASE_OVERRIDE: ${{ inputs.releaseVersion }} | |
BFD_DEV_VERSION_OVERRIDE: ${{ inputs.developmentVersion }} | |
defaults: | |
run: | |
shell: bash | |
jobs: | |
run-mvn-release: | |
runs-on: ubuntu-latest | |
outputs: | |
BFD_RELEASE: ${{ steps.bfd-version-strings.outputs.BFD_RELEASE }} | |
steps: | |
- name: "Generate an App Token" | |
id: generate_token | |
uses: actions/create-github-app-token@v1 | |
with: | |
app-id: ${{ secrets.BFD_RELEASE_APP_ID }} | |
private-key: ${{ secrets.BFD_RELEASE_APP_KEY }} | |
- name: Checkout | |
if: github.event_name == 'workflow_dispatch' | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
ref: ${{ inputs.releaseBranch || github.ref_name }} | |
token: ${{ steps.generate_token.outputs.token }} | |
- name: 'Install yq' | |
run: | | |
sudo wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq | |
sudo chmod +x /usr/bin/yq | |
- name: Install gitleaks | |
run: | | |
curl -s https://api.github.com/repos/gitleaks/gitleaks/releases/latest \ | |
| grep "browser_download_url.*linux_x64.tar.gz" \ | |
| cut -d : -f 2,3 \ | |
| tr -d \" \ | |
| wget -qi - | |
sudo tar -xzf "$(find -iname 'gitleaks*.tar.gz')" -C /usr/bin gitleaks | |
sudo chmod +x /usr/bin/gitleaks | |
- name: Set and Validate Version Strings | |
id: bfd-version-strings | |
run: | | |
# Set default values for bfd-parent version based on existing version string in apps/pom.xml | |
BFD_PARENT_POM_VERSION="$(yq --output-format=yaml .project.version apps/pom.xml)" | |
## Use override OR promote default by removing '-SNAPSHOT' suffix | |
BFD_RELEASE_DEFAULT="$(yq 'split("-") | .[0]' <<< "$BFD_PARENT_POM_VERSION")" | |
BFD_RELEASE="${BFD_RELEASE_OVERRIDE:-$BFD_RELEASE_DEFAULT}" | |
## Use override OR increment default value Y in X.Y.Z formatted release version, attach '-SNAPSHOT' suffix | |
BFD_DEV_VERSION_DEFAULT="$(yq 'split("-") | .[0] | split(".") | map(. type = "!!int") | [.[0], .[1]+1, .[2]] | join(".")' <<< "$BFD_PARENT_POM_VERSION")-SNAPSHOT" | |
BFD_DEV_VERSION="${BFD_DEV_VERSION_OVERRIDE:-$BFD_DEV_VERSION_DEFAULT}" | |
# Validate and set BFD_RELASE and BFD_DEV_VERSION | |
echo "$BFD_RELEASE" | grep -P '^\d+\.\d+\.\d+$|^\d+\.\d+\.\d+-[a-zA-Z0-9-]+$' | |
echo BFD_RELEASE="${BFD_RELEASE}" >> "$GITHUB_ENV" | |
echo BFD_RELEASE="${BFD_RELEASE}" >> "$GITHUB_OUTPUT" | |
echo "$BFD_DEV_VERSION" | grep -P '^\d+\.\d+\.\d+-SNAPSHOT$' | |
echo BFD_DEV_VERSION="${BFD_DEV_VERSION_OVERRIDE:-$BFD_DEV_VERSION_DEFAULT}" >> "$GITHUB_ENV" | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-to-assume: ${{ secrets.GHA_AWS_IAM_ROLE_ARN }} | |
role-session-name: run-mvn-release | |
aws-region: ${{ inputs.awsRegion }} | |
- name: Login to ECR | |
uses: aws-actions/amazon-ecr-login@v2 | |
- name: Setup JDK | |
uses: actions/setup-java@v4 | |
with: | |
java-version: "21" | |
distribution: corretto | |
- name: Configure the git user | |
run: | | |
git config --global user.email "[email protected]" | |
git config --global user.name "GitHub Actions" | |
- name: Set Authorization Token | |
run: | | |
CODEARTIFACT_AUTH_TOKEN="$(aws codeartifact get-authorization-token --domain "$CA_DOMAIN" --domain-owner ${{ secrets.AWS_ACCOUNT_ID }} --query authorizationToken --output text --region "$AWS_REGION")" | |
echo "::add-mask::$CODEARTIFACT_AUTH_TOKEN" | |
echo CODEARTIFACT_AUTH_TOKEN=$CODEARTIFACT_AUTH_TOKEN >> $GITHUB_ENV | |
- name: Get Repository Endpoint | |
run: | | |
CA_REPOSITORY_ENDPOINT="$(aws codeartifact get-repository-endpoint --domain "$CA_DOMAIN" --repository "$CA_REPOSITORY" --format maven --query repositoryEndpoint --output text)" | |
echo "::add-mask::$CA_REPOSITORY_ENDPOINT" | |
echo CA_REPOSITORY_ENDPOINT=$CA_REPOSITORY_ENDPOINT >> $GITHUB_ENV | |
- name: Get ECR Registry Namespace | |
run: | | |
ECR_REPOSITORY_NAMESPACE="$(aws ecr describe-registry --region "$AWS_REGION" | jq -r '.registryId').dkr.ecr.${AWS_REGION}.amazonaws.com" | |
echo "::add-mask::$ECR_REPOSITORY_NAMESPACE" | |
echo ECR_REPOSITORY_NAMESPACE=$ECR_REPOSITORY_NAMESPACE >> $GITHUB_ENV | |
- name: Configure additional maven settings.xml | |
run: |- | |
cat <<"EOF" > ~/.m2/settings.xml | |
<settings xmlns="http://maven.apache.org/settings/1.0.0" xmlns:xsi="http://www.w3.org/2001/xmlschema-instance" | |
xsi:schemalocation="http://maven.apache.org/settings/1.0.0 https://maven.apache.org/xsd/settings-1.0.0.xsd"> | |
<servers> | |
<server> | |
<username>aws</username> | |
<password>${env.CODEARTIFACT_AUTH_TOKEN}</password> | |
<id>${env.CA_DOMAIN}-${env.CA_REPOSITORY}</id> | |
</server> | |
<server> | |
<id>github</id> | |
<username>${env.GITHUB_ACTOR}</username> | |
<password>${env.GITHUB_TOKEN}</password> | |
</server> | |
</servers> | |
</settings> | |
EOF | |
- name: "Prepare and Perform Release" | |
if: github.event_name == 'workflow_dispatch' | |
run: |- | |
mvn --batch-mode --activate-profiles release \ | |
-Dtag="$BFD_RELEASE" \ | |
-DreleaseVersion="$BFD_RELEASE" \ | |
-DdevelopmentVersion="$BFD_DEV_VERSION" \ | |
release:prepare release:perform | |
working-directory: ./apps | |
env: | |
GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} | |
- name: "Perform Exceptional Rollback" | |
if: failure() | |
run: mvn release:rollback | |
working-directory: ./apps | |
build-docker-images: | |
uses: ./.github/workflows/build-docker-images.yml | |
needs: run-mvn-release | |
permissions: | |
contents: read | |
id-token: write | |
with: | |
branch: ${{ inputs.releaseBranch || github.ref_name }} | |
versionTag: ${{ needs.run-mvn-release.outputs.BFD_RELEASE }} | |
awsRegion: ${{ inputs.awsRegion }} | |
secrets: inherit | |
create-gh-release: | |
if: ${{ !contains(needs.run-mvn-release.outputs.BFD_RELEASE, '-') || inputs.forceRelease }} | |
runs-on: ubuntu-latest | |
needs: [run-mvn-release, build-docker-images] | |
steps: | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-to-assume: ${{ secrets.GHA_AWS_IAM_ROLE_ARN }} | |
role-session-name: create-gh-release | |
aws-region: ${{ inputs.awsRegion }} | |
- name: Pull Release Files | |
run: | | |
readarray -t assets < <(echo "$CA_ASSETS" | jq -r -c '.[]') | |
for asset in "${assets[@]}" | |
do | |
aws codeartifact get-package-version-asset \ | |
--domain-owner ${{ secrets.AWS_ACCOUNT_ID }} \ | |
--domain "$CA_DOMAIN" \ | |
--repository "$CA_REPOSITORY" \ | |
--asset "$asset" \ | |
--package-version "$BFD_RELEASE" \ | |
--package "$CA_PACKAGE" \ | |
--namespace "$CA_NAMESPACE" \ | |
--format maven \ | |
--region "$AWS_REGION" \ | |
"${asset/$CA_PACKAGE-${BFD_RELEASE}-/}" 1>/dev/null | |
done | |
# rename data dictionary release assets to follow historical naming conventions | |
for item in ./*data-dictionary* | |
do | |
filename=$(basename -- "$item") | |
extension="${filename##*.}" | |
filename="$(echo "${filename%.*}" | sed -E 's/^v([0-9]+.*)$/V\1/')" | |
mv "$item" "$filename-${BFD_RELEASE}.$extension" | |
done | |
mv ./openapi.yaml "openapi-${BFD_RELEASE}.yaml" | |
env: | |
BFD_RELEASE: ${{ needs.run-mvn-release.outputs.BFD_RELEASE }} | |
CA_NAMESPACE: gov.cms.bfd | |
CA_PACKAGE: bfd-server-war | |
CA_ASSETS: | | |
[ | |
"bfd-server-war-${{ needs.run-mvn-release.outputs.BFD_RELEASE }}-v1-data-dictionary.csv", | |
"bfd-server-war-${{ needs.run-mvn-release.outputs.BFD_RELEASE }}-v2-data-dictionary.csv", | |
"bfd-server-war-${{ needs.run-mvn-release.outputs.BFD_RELEASE }}-v1-data-dictionary.json", | |
"bfd-server-war-${{ needs.run-mvn-release.outputs.BFD_RELEASE }}-v2-data-dictionary.json", | |
"bfd-server-war-${{ needs.run-mvn-release.outputs.BFD_RELEASE }}-data-dictionary.xlsx", | |
"bfd-server-war-${{ needs.run-mvn-release.outputs.BFD_RELEASE }}-openapi.yaml" | |
] | |
- name: Release | |
uses: ncipollo/release-action@v1 | |
with: | |
# NOTE: Prevent automatic promotion of pre-release objects to latest | |
makeLatest: "${{ !contains(needs.run-mvn-release.outputs.BFD_RELEASE, '-') }}" | |
generateReleaseNotes: true | |
artifactErrorsFailBuild: true | |
tag: ${{ needs.run-mvn-release.outputs.BFD_RELEASE }} | |
name: "v${{ needs.run-mvn-release.outputs.BFD_RELEASE }}" | |
artifacts: "*.csv,*.json,*.xlsx,*.yaml" |