Build Release #171

Workflow file for this run

.github/workflows/build-release.yml at 69952fd

	---
	name: "Build Release"
	on:
	workflow_dispatch:
	inputs:
	releaseBranch:
	description: >-
	releaseBranch: Override the branch on which a release is based.
	Default to the selected reference in the `Use workflow from` drop-down when empty.
	required: false
	default: ""
	releaseVersion:
	description: >-
	releaseVersion: Override the release version. Default to promoting the current
	X.Y.Z-SNAPSHOT to X.Y.Z when empty.
	required: false
	default: ""
	developmentVersion:
	description: >-
	developmentVersion: Override the next development iteration version.
	Default to X.(Y+1).0-SNAPSHOT of the release version X.Y.Z when empty.
	required: false
	default: ""
	awsRegion:
	description: >-
	awsRegion: Override the AWS Region destination for uploaded artifacts.
	Default to `us-east-1`.
	default: us-east-1
	type: choice
	options:
	- us-east-1
	- us-west-2
	required: true
	forceRelease:
	description: >-
	forceRelease: Override creation of the GitHub Release object.
	Default to creating release objects when `releaseVersion` does not contain the hyphen
	character ('-'), indicating a pre-release.
	default: false
	required: false
	type: boolean

	permissions:
	id-token: write # This is required for requesting the AWS IAM OIDC JWT
	contents: write # This is required for actions/checkout

	env:
	# AWS Code Artifact Repository
	CA_REPOSITORY: bfd-mgmt
	CA_DOMAIN: bfd-mgmt
	AWS_REGION: ${{ inputs.awsRegion }}
	BFD_RELEASE_OVERRIDE: ${{ inputs.releaseVersion }}
	BFD_DEV_VERSION_OVERRIDE: ${{ inputs.developmentVersion }}

	defaults:
	run:
	shell: bash

	jobs:
	run-mvn-release:
	runs-on: ubuntu-latest
	outputs:
	BFD_RELEASE: ${{ steps.bfd-version-strings.outputs.BFD_RELEASE }}
	steps:
	- name: "Generate an App Token"
	id: generate_token
	uses: actions/create-github-app-token@v1
	with:
	app-id: ${{ secrets.BFD_RELEASE_APP_ID }}
	private-key: ${{ secrets.BFD_RELEASE_APP_KEY }}

	- name: Checkout
	if: github.event_name == 'workflow_dispatch'
	uses: actions/checkout@v4
	with:
	fetch-depth: 0
	ref: ${{ inputs.releaseBranch \|\| github.ref_name }}
	token: ${{ steps.generate_token.outputs.token }}

	- name: 'Install yq'
	run: \|
	sudo wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq
	sudo chmod +x /usr/bin/yq

	- name: Install gitleaks
	run: \|
	curl -s https://api.github.com/repos/gitleaks/gitleaks/releases/latest \
	\| grep "browser_download_url.*linux_x64.tar.gz" \
	\| cut -d : -f 2,3 \
	\| tr -d \" \
	\| wget -qi -
	sudo tar -xzf "$(find -iname 'gitleaks*.tar.gz')" -C /usr/bin gitleaks
	sudo chmod +x /usr/bin/gitleaks

	- name: Set and Validate Version Strings
	id: bfd-version-strings
	run: \|
	# Set default values for bfd-parent version based on existing version string in apps/pom.xml
	BFD_PARENT_POM_VERSION="$(yq --output-format=yaml .project.version apps/pom.xml)"

	## Use override OR promote default by removing '-SNAPSHOT' suffix
	BFD_RELEASE_DEFAULT="$(yq 'split("-") \| .[0]' <<< "$BFD_PARENT_POM_VERSION")"
	BFD_RELEASE="${BFD_RELEASE_OVERRIDE:-$BFD_RELEASE_DEFAULT}"

	## Use override OR increment default value Y in X.Y.Z formatted release version, attach '-SNAPSHOT' suffix
	BFD_DEV_VERSION_DEFAULT="$(yq 'split("-") \| .[0] \| split(".") \| map(. type = "!!int") \| [.[0], .[1]+1, .[2]] \| join(".")' <<< "$BFD_PARENT_POM_VERSION")-SNAPSHOT"
	BFD_DEV_VERSION="${BFD_DEV_VERSION_OVERRIDE:-$BFD_DEV_VERSION_DEFAULT}"

	# Validate and set BFD_RELASE and BFD_DEV_VERSION
	echo "$BFD_RELEASE" \| grep -P '^\d+\.\d+\.\d+$\|^\d+\.\d+\.\d+-[a-zA-Z0-9-]+$'
	echo BFD_RELEASE="${BFD_RELEASE}" >> "$GITHUB_ENV"
	echo BFD_RELEASE="${BFD_RELEASE}" >> "$GITHUB_OUTPUT"

	echo "$BFD_DEV_VERSION" \| grep -P '^\d+\.\d+\.\d+-SNAPSHOT$'
	echo BFD_DEV_VERSION="${BFD_DEV_VERSION_OVERRIDE:-$BFD_DEV_VERSION_DEFAULT}" >> "$GITHUB_ENV"

	- name: Configure AWS credentials
	uses: aws-actions/configure-aws-credentials@v4
	with:
	role-to-assume: ${{ secrets.GHA_AWS_IAM_ROLE_ARN }}
	role-session-name: run-mvn-release
	aws-region: ${{ inputs.awsRegion }}

	- name: Login to ECR
	uses: aws-actions/amazon-ecr-login@v2

	- name: Setup JDK
	uses: actions/setup-java@v4
	with:
	java-version: "21"
	distribution: corretto

	- name: Configure the git user
	run: \|
	git config --global user.email "[email protected]"
	git config --global user.name "GitHub Actions"

	- name: Set Authorization Token
	run: \|
	CODEARTIFACT_AUTH_TOKEN="$(aws codeartifact get-authorization-token --domain "$CA_DOMAIN" --domain-owner ${{ secrets.AWS_ACCOUNT_ID }} --query authorizationToken --output text --region "$AWS_REGION")"
	echo "::add-mask::$CODEARTIFACT_AUTH_TOKEN"
	echo CODEARTIFACT_AUTH_TOKEN=$CODEARTIFACT_AUTH_TOKEN >> $GITHUB_ENV

	- name: Get Repository Endpoint
	run: \|
	CA_REPOSITORY_ENDPOINT="$(aws codeartifact get-repository-endpoint --domain "$CA_DOMAIN" --repository "$CA_REPOSITORY" --format maven --query repositoryEndpoint --output text)"
	echo "::add-mask::$CA_REPOSITORY_ENDPOINT"
	echo CA_REPOSITORY_ENDPOINT=$CA_REPOSITORY_ENDPOINT >> $GITHUB_ENV

	- name: Get ECR Registry Namespace
	run: \|
	ECR_REPOSITORY_NAMESPACE="$(aws ecr describe-registry --region "$AWS_REGION" \| jq -r '.registryId').dkr.ecr.${AWS_REGION}.amazonaws.com"
	echo "::add-mask::$ECR_REPOSITORY_NAMESPACE"
	echo ECR_REPOSITORY_NAMESPACE=$ECR_REPOSITORY_NAMESPACE >> $GITHUB_ENV

	- name: Configure additional maven settings.xml
	run: \|-
	cat <<"EOF" > ~/.m2/settings.xml
	<settings xmlns="http://maven.apache.org/settings/1.0.0" xmlns:xsi="http://www.w3.org/2001/xmlschema-instance"
	xsi:schemalocation="http://maven.apache.org/settings/1.0.0 https://maven.apache.org/xsd/settings-1.0.0.xsd">
	<servers>
	<server>
	<username>aws</username>
	<password>${env.CODEARTIFACT_AUTH_TOKEN}</password>
	<id>${env.CA_DOMAIN}-${env.CA_REPOSITORY}</id>
	</server>
	<server>
	<id>github</id>
	<username>${env.GITHUB_ACTOR}</username>
	<password>${env.GITHUB_TOKEN}</password>
	</server>
	</servers>
	</settings>
	EOF

	- name: "Prepare and Perform Release"
	if: github.event_name == 'workflow_dispatch'
	run: \|-
	mvn --batch-mode --activate-profiles release \
	-Dtag="$BFD_RELEASE" \
	-DreleaseVersion="$BFD_RELEASE" \
	-DdevelopmentVersion="$BFD_DEV_VERSION" \
	release:prepare release:perform
	working-directory: ./apps
	env:
	GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}

	- name: "Perform Exceptional Rollback"
	if: failure()
	run: mvn release:rollback
	working-directory: ./apps

	build-docker-images:
	uses: ./.github/workflows/build-docker-images.yml
	needs: run-mvn-release
	permissions:
	contents: read
	id-token: write
	with:
	branch: ${{ inputs.releaseBranch \|\| github.ref_name }}
	versionTag: ${{ needs.run-mvn-release.outputs.BFD_RELEASE }}
	awsRegion: ${{ inputs.awsRegion }}
	secrets: inherit

	create-gh-release:
	if: ${{ !contains(needs.run-mvn-release.outputs.BFD_RELEASE, '-') \|\| inputs.forceRelease }}
	runs-on: ubuntu-latest
	needs: [run-mvn-release, build-docker-images]
	steps:
	- name: Configure AWS credentials
	uses: aws-actions/configure-aws-credentials@v4
	with:
	role-to-assume: ${{ secrets.GHA_AWS_IAM_ROLE_ARN }}
	role-session-name: create-gh-release
	aws-region: ${{ inputs.awsRegion }}

	- name: Pull Release Files
	run: \|
	readarray -t assets < <(echo "$CA_ASSETS" \| jq -r -c '.[]')
	for asset in "${assets[@]}"
	do
	aws codeartifact get-package-version-asset \
	--domain-owner ${{ secrets.AWS_ACCOUNT_ID }} \
	--domain "$CA_DOMAIN" \
	--repository "$CA_REPOSITORY" \
	--asset "$asset" \
	--package-version "$BFD_RELEASE" \
	--package "$CA_PACKAGE" \
	--namespace "$CA_NAMESPACE" \
	--format maven \
	--region "$AWS_REGION" \
	"${asset/$CA_PACKAGE-${BFD_RELEASE}-/}" 1>/dev/null
	done

	# rename data dictionary release assets to follow historical naming conventions
	for item in ./data-dictionary
	do
	filename=$(basename -- "$item")
	extension="${filename##*.}"
	filename="$(echo "${filename%.}" \| sed -E 's/^v([0-9]+.)$/V\1/')"

	mv "$item" "$filename-${BFD_RELEASE}.$extension"
	done

	mv ./openapi.yaml "openapi-${BFD_RELEASE}.yaml"

	env:
	BFD_RELEASE: ${{ needs.run-mvn-release.outputs.BFD_RELEASE }}
	CA_NAMESPACE: gov.cms.bfd
	CA_PACKAGE: bfd-server-war
	CA_ASSETS: \|
	[
	"bfd-server-war-${{ needs.run-mvn-release.outputs.BFD_RELEASE }}-v1-data-dictionary.csv",
	"bfd-server-war-${{ needs.run-mvn-release.outputs.BFD_RELEASE }}-v2-data-dictionary.csv",
	"bfd-server-war-${{ needs.run-mvn-release.outputs.BFD_RELEASE }}-v1-data-dictionary.json",
	"bfd-server-war-${{ needs.run-mvn-release.outputs.BFD_RELEASE }}-v2-data-dictionary.json",
	"bfd-server-war-${{ needs.run-mvn-release.outputs.BFD_RELEASE }}-data-dictionary.xlsx",
	"bfd-server-war-${{ needs.run-mvn-release.outputs.BFD_RELEASE }}-openapi.yaml"
	]

	- name: Release
	uses: ncipollo/release-action@v1
	with:
	# NOTE: Prevent automatic promotion of pre-release objects to latest
	makeLatest: "${{ !contains(needs.run-mvn-release.outputs.BFD_RELEASE, '-') }}"
	generateReleaseNotes: true
	artifactErrorsFailBuild: true
	tag: ${{ needs.run-mvn-release.outputs.BFD_RELEASE }}
	name: "v${{ needs.run-mvn-release.outputs.BFD_RELEASE }}"
	artifacts: ".csv,.json,.xlsx,.yaml"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Build Release #171

Workflow file

Build Release #171

Jobs

Run details

Workflow file for this run