Publish Snapshot GCP OIDC Operator #141
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Publish GCP OIDC Operator | |
run-name: ${{ format('Publish {0} GCP OIDC Operator', inputs.release_type) }} | |
on: | |
workflow_dispatch: | |
inputs: | |
release_type: | |
type: choice | |
description: The type of release | |
options: | |
- Snapshot | |
- Patch | |
- Minor | |
- Major | |
version_number_input: | |
description: If set, the version number will not be incremented and the given number will be used. | |
type: string | |
default: '' | |
vulnerability_severity: | |
description: The severity to fail the workflow if such vulnerability is detected. DO NOT override it unless a Jira ticket is raised. | |
type: choice | |
options: | |
- CRITICAL,HIGH | |
- CRITICAL,HIGH,MEDIUM | |
- CRITICAL (DO NOT use if JIRA ticket not raised) | |
workflow_call: | |
inputs: | |
release_type: | |
description: The type of version number to return. Must be one of [Snapshot, Patch, Minor or Major] | |
required: true | |
type: string | |
version_number_input: | |
description: If set, the version number will not be incremented and the given number will be used. | |
type: string | |
default: '' | |
vulnerability_severity: | |
description: The severity to fail the workflow if such vulnerability is detected. DO NOT override it unless a Jira ticket is raised. Must be one of ['CRITICAL', 'CRITICAL,HIGH' or 'CRITICAL,HIGH,MEDIUM'] (without space in between). | |
type: string | |
default: 'CRITICAL,HIGH' | |
outputs: | |
image_tag: | |
description: The tag used to describe the image in Docker | |
value: ${{ jobs.buildImage.outputs.image_tag }} | |
env: | |
REGISTRY: ghcr.io | |
GCP_REGISTRY: us-docker.pkg.dev | |
GCP_GAR_PROJECT: uid2-prod-project | |
MAVEN_PROFILE: gcp | |
ENCLAVE_PROTOCOL: gcp-oidc | |
IMAGE_NAME: ${{ github.repository }} | |
DOCKER_CONTEXT_PATH: scripts/gcp-oidc | |
ARTIFACTS_OUTPUT_DIR: ${{ github.workspace }}/deployment-artifacts | |
MANIFEST_OUTPUT_DIR: ${{ github.workspace }}/manifests | |
jobs: | |
buildImage: | |
name: Build Image | |
runs-on: ubuntu-latest | |
permissions: | |
contents: write | |
security-events: write | |
packages: write | |
id-token: write | |
pull-requests: write | |
outputs: | |
jar_version: ${{ steps.version.outputs.new_version }} | |
image_tag: ${{ steps.updatePom.outputs.image_tag }} | |
steps: | |
- name: Approve Major release | |
if: inputs.release_type == 'Major' | |
uses: trstringer/manual-approval@v1 | |
with: | |
secret: ${{ github.token }} | |
approvers: thomasm-ttd,atarassov-ttd,cody-constine-ttd | |
minimum-approvals: 1 | |
issue-title: Creating Major version of UID2-Operator | |
- name: Check branch and release type | |
id: checkRelease | |
uses: IABTechLab/uid2-shared-actions/actions/[email protected] | |
with: | |
release_type: ${{ inputs.release_type }} | |
- name: Show Context | |
run: | | |
printenv | |
echo "$GITHUB_CONTEXT" | |
shell: bash | |
env: | |
GITHUB_CONTEXT: ${{ toJson(github) }} | |
IS_RELEASE: ${{ steps.checkRelease.outputs.is_release }} | |
- name: Set up JDK | |
uses: actions/setup-java@v4 | |
with: | |
distribution: 'temurin' | |
java-version: '21' | |
- name: Checkout full history on Main | |
uses: actions/checkout@v4 | |
if: ${{ inputs.version_number_input == ''}} | |
with: | |
# git-restore-mtime requires full git history. The default fetch-depth value (1) creates a shallow checkout. | |
fetch-depth: 0 | |
- name: Checkout full history at tag v${{ inputs.version_number_input }} | |
uses: actions/checkout@v4 | |
if: ${{ inputs.version_number_input != ''}} | |
with: | |
ref: v${{ inputs.version_number_input }} | |
# git-restore-mtime requires full git history. The default fetch-depth value (1) creates a shallow checkout. | |
fetch-depth: 0 | |
- name: Restore timestamps | |
uses: thetradedesk/[email protected] | |
- name: Set version number | |
id: version | |
uses: IABTechLab/uid2-shared-actions/actions/version_number@v2 | |
with: | |
type: ${{ inputs.release_type }} | |
version_number: ${{ inputs.version_number_input }} | |
branch_name: ${{ github.ref }} | |
- name: Update pom.xml | |
id: updatePom | |
run: | | |
current_version=$(grep -o '<version>.*</version>' pom.xml | head -1 | sed 's/<version>\(.*\)<\/version>/\1/') | |
new_version=${{ steps.version.outputs.new_version }} | |
sed -i "0,/$current_version/s/$current_version/$new_version/" pom.xml | |
echo "Version number updated from $current_version to $new_version" | |
echo "image_tag=${{ steps.version.outputs.new_version }}-${{ env.ENCLAVE_PROTOCOL }}" >> $GITHUB_OUTPUT | |
- name: Package JAR | |
id: package | |
run: | | |
mvn -B package -P ${{ env.MAVEN_PROFILE }} | |
echo "jar_version=$(mvn help:evaluate -Dexpression=project.version | grep -e '^[1-9][^\[]')" >> $GITHUB_OUTPUT | |
echo "git_commit=$(git show --format="%h" --no-patch)" >> $GITHUB_OUTPUT | |
cp -r target ${{ env.DOCKER_CONTEXT_PATH }}/ | |
- name: Commit pom.xml and version.json | |
if: ${{ inputs.version_number_input == '' && steps.checkRelease.outputs.is_release != 'true' }} | |
uses: IABTechLab/uid2-shared-actions/actions/commit_pr_and_merge@v2 | |
with: | |
add: 'pom.xml version.json' | |
message: 'Released ${{ inputs.release_type }} version: ${{ steps.version.outputs.new_version }}' | |
- name: Commit pom.xml, version.json and set tag | |
if: ${{ inputs.version_number_input == '' && steps.checkRelease.outputs.is_release == 'true' }} | |
uses: IABTechLab/uid2-shared-actions/actions/commit_pr_and_merge@v2 | |
with: | |
add: 'pom.xml version.json' | |
message: 'Released ${{ inputs.release_type }} version: ${{ steps.version.outputs.new_version }}' | |
tag: v${{ steps.version.outputs.new_version }} | |
- name: Log in to the Docker container registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ${{ env.REGISTRY }} | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Authenticate with Google Cloud | |
id: gcp_auth | |
uses: google-github-actions/auth@v2 | |
with: | |
token_format: access_token | |
workload_identity_provider: ${{ vars.GCP_WORKLOAD_IDENTITY_PROVIDER_ID }} | |
service_account: ${{ vars.GCP_SERVICE_ACCOUNT }} | |
access_token_lifetime: 300s | |
- name: Log in to the GCP Registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ${{ env.GCP_REGISTRY }} | |
username: oauth2accesstoken | |
password: ${{ steps.gcp_auth.outputs.access_token }} | |
- name: Extract metadata (tags, labels) for Docker | |
id: meta | |
uses: docker/metadata-action@v5 | |
with: | |
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
tags: | | |
type=raw,value=${{ steps.updatePom.outputs.image_tag }} | |
- name: Extract metadata (tags, labels) for GCP image | |
id: meta-gcp | |
uses: docker/metadata-action@v5 | |
with: | |
images: ${{ env.GCP_REGISTRY }}/${{ env.GCP_GAR_PROJECT }}/${{ env.IMAGE_NAME }} | |
tags: | | |
type=raw,value=${{ steps.updatePom.outputs.image_tag }} | |
- name: Extract metadata (tags, labels) for all Docker images | |
id: meta-all | |
uses: docker/metadata-action@v5 | |
with: | |
images: | | |
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
${{ env.GCP_REGISTRY }}/${{ env.GCP_GAR_PROJECT }}/${{ env.IMAGE_NAME }} | |
tags: | | |
type=raw,value=${{ steps.version.outputs.new_version }}-${{ env.ENCLAVE_PROTOCOL }} | |
- name: Build and export to Docker | |
uses: docker/build-push-action@v5 | |
with: | |
context: ${{ env.DOCKER_CONTEXT_PATH }} | |
load: true | |
tags: ${{ steps.meta-all.outputs.tags }} | |
labels: ${{ steps.meta-all.outputs.labels }} | |
build-args: | | |
JAR_VERSION=${{ steps.version.outputs.new_version }} | |
IMAGE_VERSION=${{ steps.version.outputs.new_version }} | |
BUILD_TARGET=${{ env.ENCLAVE_PROTOCOL }} | |
- name: Generate Trivy vulnerability scan report | |
uses: aquasecurity/[email protected] | |
with: | |
image-ref: ${{ steps.meta.outputs.tags }} | |
format: 'sarif' | |
exit-code: '0' | |
ignore-unfixed: true | |
severity: 'CRITICAL,HIGH' | |
output: 'trivy-results.sarif' | |
hide-progress: true | |
- name: Upload Trivy scan report to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: 'trivy-results.sarif' | |
- name: Test with Trivy vulnerability scanner | |
uses: aquasecurity/[email protected] | |
with: | |
image-ref: ${{ steps.meta.outputs.tags }} | |
format: 'table' | |
exit-code: '1' | |
ignore-unfixed: true | |
severity: ${{ inputs.vulnerability_severity }} | |
hide-progress: true | |
- name: Push to Docker | |
id: push-to-docker | |
uses: docker/build-push-action@v5 | |
with: | |
context: ${{ env.DOCKER_CONTEXT_PATH }} | |
push: true | |
tags: ${{ steps.meta-all.outputs.tags }} | |
labels: ${{ steps.meta-all.outputs.labels }} | |
build-args: | | |
JAR_VERSION=${{ steps.version.outputs.new_version }} | |
IMAGE_VERSION=${{ steps.version.outputs.new_version }} | |
- name: Generate GCP deployment artifacts | |
env: | |
IMAGE: ${{ steps.meta-gcp.outputs.tags }} | |
IMAGE_DIGEST: ${{ steps.push-to-docker.outputs.digest }} | |
OUTPUT_DIR: ${{ env.ARTIFACTS_OUTPUT_DIR }} | |
MANIFEST_DIR: ${{ env.MANIFEST_OUTPUT_DIR}} | |
VERSION_NUMBER: ${{ steps.version.outputs.new_version }} | |
run: | | |
bash ./scripts/gcp-oidc/generate-deployment-artifacts.sh | |
- name: Upload deployment artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: gcp-oidc-deployment-files-${{ steps.version.outputs.new_version }} | |
path: ${{ env.ARTIFACTS_OUTPUT_DIR }} | |
if-no-files-found: error | |
- name: Upload manifest artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: gcp-oidc-enclave-ids-${{ steps.version.outputs.new_version }} | |
path: ${{ env.MANIFEST_OUTPUT_DIR }} | |
if-no-files-found: error | |
- name: Generate release archive | |
if: ${{ inputs.version_number_input == '' && steps.checkRelease.outputs.is_release == 'true' }} | |
run: | | |
zip -j ${{ env.ARTIFACTS_OUTPUT_DIR }}/gcp-oidc-deployment-files-${{ steps.version.outputs.new_version }}.zip ${{ env.ARTIFACTS_OUTPUT_DIR }}/* | |
- name: Build changelog | |
id: github_release | |
if: ${{ inputs.version_number_input == '' && steps.checkRelease.outputs.is_release == 'true' }} | |
uses: mikepenz/release-changelog-builder-action@v4 | |
with: | |
configurationJson: | | |
{ | |
"template": "#{{CHANGELOG}}\n## Installation\n```\ndocker pull ${{ steps.meta.outputs.tags }}\n```\n\n## Image reference to deploy: \n```\n${{ steps.updatePom.outputs.image_tag }}\n```\n\n## Changelog\n#{{UNCATEGORIZED}}", | |
"pr_template": " - #{{TITLE}} - ( PR: ##{{NUMBER}} )" | |
} | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Create release | |
if: ${{ inputs.version_number_input == '' && steps.checkRelease.outputs.is_release == 'true' }} | |
uses: softprops/action-gh-release@v2 | |
with: | |
name: ${{ steps.version.outputs.new_version }} | |
body: ${{ steps.github_release.outputs.changelog }} | |
draft: true | |
files: | | |
${{ env.ARTIFACTS_OUTPUT_DIR }}/gcp-oidc-deployment-files-${{ steps.version.outputs.new_version }}.zip | |
${{ env.MANIFEST_OUTPUT_DIR }}/gcp-oidc-enclave-id-${{ steps.version.outputs.new_version }}.txt | |
${{ env.MANIFEST_OUTPUT_DIR }}/gcp-oidc-enclave-id-debug-${{ steps.version.outputs.new_version }}.txt | |
e2e: | |
name: E2E | |
uses: ./.github/workflows/run-e2e-tests-on-operator.yaml | |
needs: buildImage | |
with: | |
operator_type: gcp | |
operator_image_version: ${{ needs.buildImage.outputs.image_tag }} | |
secrets: inherit |