-
Notifications
You must be signed in to change notification settings - Fork 4
318 lines (314 loc) · 12.4 KB
/
push-tests.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
name: Push Tests
on:
push:
branches:
- trunk
pull_request:
branches: "**"
env:
# Force using BuildKit instead of normal Docker, required so that metadata
# is written/read to allow us to use layers of previous builds as cache.
DOCKER_BUILDKIT: 1
COMPOSE_DOCKER_CLI_BUILD: 1
DOCKER_REPO: ${{ secrets.ECR_REPO }}/
# https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
permissions:
id-token: write
contents: read
jobs:
wdl-lint:
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v2
- name: run wdl check
run: |
pip3 install miniwdl==1.1.4
sudo apt-get install -y shellcheck
make wdl-lint
tf-lint:
runs-on: ubuntu-20.04
steps:
- uses: terraform-linters/setup-tflint@v1
name: Setup TFLint
with:
tflint_version: v0.28.1
- uses: hashicorp/setup-terraform@v1
with:
terraform_version: 0.13.5
- uses: actions/checkout@v2
- name: run tflint
run: |
make tf-lint
ts-lint:
runs-on: ubuntu-20.04
steps:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
aws-region: us-west-2
role-session-name: LintAndBuild
role-duration-seconds: 900
- name: Login to ECR
uses: docker/login-action@v1
with:
registry: ${{ secrets.ECR_REPO }}
- uses: actions/checkout@v2
- name: Lint ts
run: |
# Build frontend image
make gha-setup
docker buildx build --cache-from=type=registry,ref=${{ secrets.ECR_REPO }}/genepi-frontend:branch-trunk -t ${{ secrets.ECR_REPO }}/genepi-frontend:latest src/frontend
make frontend-check-style
ts-test:
runs-on: ubuntu-20.04
steps:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v2
with:
role-session-name: TestAndBuild
aws-region: us-west-2
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
role-duration-seconds: 900
- name: Login to ECR
uses: docker/login-action@v1
with:
registry: ${{ secrets.ECR_REPO }}
- uses: actions/checkout@v2
- name: Test ts
run: |
# Build frontend
make gha-setup
docker buildx build --cache-from=type=registry,ref=${{ secrets.ECR_REPO }}/genepi-frontend:branch-trunk -t ${{ secrets.ECR_REPO }}/genepi-frontend:latest src/frontend
make frontend-tests
ts-test-build:
runs-on: ubuntu-20.04
steps:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v2
with:
role-session-name: TestAndBuild
aws-region: us-west-2
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
role-duration-seconds: 900
- name: Login to ECR
uses: docker/login-action@v1
with:
registry: ${{ secrets.ECR_REPO }}
- uses: actions/checkout@v2
- name: Test ts build
run: |
make gha-setup
mkdir src/frontend/build
chmod -R a+w src/frontend/build
# Build frontend
docker buildx build --cache-from=type=registry,ref=${{ secrets.ECR_REPO }}/genepi-frontend:branch-trunk -t ${{ secrets.ECR_REPO }}/genepi-frontend:latest src/frontend
make frontend-test-build
py-lint:
runs-on: ubuntu-20.04
steps:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v2
with:
role-session-name: PyLintAndBuild
aws-region: us-west-2
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
role-duration-seconds: 900
- name: Login to ECR
uses: docker/login-action@v1
with:
registry: ${{ secrets.ECR_REPO }}
- uses: actions/checkout@v2
- name: Lint Python
run: |
# Build backend
make gha-setup
docker buildx build --cache-from=type=registry,ref=${{ secrets.ECR_REPO }}/genepi-backend:branch-trunk -t ${{ secrets.ECR_REPO }}/genepi-backend:latest src/backend
make backend-check-style
# run Playwright E2E tests
# e2e-test:
# runs-on: ubuntu-20.04
# steps:
# - name: Configure AWS prod Credentials
# uses: aws-actions/configure-aws-credentials@v1
# with:
# aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
# aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
# aws-region: us-west-2
# role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
# role-duration-seconds: 900
# - name: Login to ECR
# uses: docker/login-action@v1
# with:
# registry: ${{ secrets.ECR_REPO }}
# - uses: actions/checkout@v2
# - name: Install happy
# uses: chanzuckerberg/github-actions/.github/actions/install-happy@install-happy-v1.4.0
# with:
# happy_version: "0.41.3"
# install_globally: "true"
# - name: Playwright tests
# run: |
# make gha-setup
# # Build backend image
# docker buildx build --cache-from=type=registry,ref=${{ secrets.ECR_REPO }}/genepi-backend:branch-trunk -t ${{ secrets.ECR_REPO }}/genepi-backend:latest src/backend
# # Build frontend
# docker buildx build --cache-from=type=registry,ref=${{ secrets.ECR_REPO }}/genepi-frontend:branch-trunk -t ${{ secrets.ECR_REPO }}/genepi-frontend:latest src/frontend
# mkdir -p src/frontend/build
# chmod a+rwx src/frontend/build # TODO temp hack - need a better plan for the build dir.
# make local-init
# echo "Init complete - testing web service"
# docker-compose exec -T frontend wget -qO- -T 10 --timeout 20 --tries 60 frontend.genepinet.localdev:8000/
# docker-compose exec -T oidc
# echo "Webserver up, running tests!"
# docker-compose logs -f frontend &
# export S3_PREFIX=${{ secrets.CI_SCREENSHOT_PREFIX }}/${{ github.run_id }}/
# make frontend-e2e-ci
py-test:
runs-on: ubuntu-20.04
steps:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
role-session-name: PyTestAndBuild
aws-region: us-west-2
role-duration-seconds: 900
- name: Login to ECR
uses: docker/login-action@v1
with:
registry: ${{ secrets.ECR_REPO }}
- uses: actions/checkout@v2
- name: Install happy
uses: chanzuckerberg/github-actions/.github/actions/install-happy@install-happy-v1.4.0
with:
happy_version: "0.41.3"
install_globally: "true"
- name: Test Python
run: |
make gha-setup
# Build backend image
docker buildx build --cache-from=type=registry,ref=${{ secrets.ECR_REPO }}/genepi-backend:branch-trunk -t ${{ secrets.ECR_REPO }}/genepi-backend:latest src/backend
make local-init LOCALDEV_PROFILE=backend
make backend-test
gisaid-test:
runs-on: ubuntu-20.04
steps:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
role-session-name: TestGisaidWorkflow
aws-region: us-west-2
role-duration-seconds: 900
- name: Login to ECR
uses: docker/login-action@v1
with:
registry: ${{ secrets.ECR_REPO }}
- uses: actions/checkout@v2
- name: Install happy
uses: chanzuckerberg/github-actions/.github/actions/install-happy@405f86e7f30b41403677c5df2d8d3339afa3c6d7
with:
happy_version: "0.41.3"
install_globally: "true"
- name: Test Gisaid workflow
run: |
make gha-setup
# Build gisaid image
# docker buildx build --cache-from=type=registry,ref=${{ secrets.ECR_REPO }}/genepi-backend:branch-trunk -t ${{ secrets.ECR_REPO }}/genepi-gisaid:latest -f src/backend/Dockerfile.gisaid src/backend
make local-init LOCALDEV_PROFILE=gisaid
python3 -m pip install miniwdl
make pipeline-test-gisaid
make pipeline-test-genbank-mpx
build-push-images:
if: github.ref == 'refs/heads/trunk'
runs-on: ubuntu-20.04
needs:
- tf-lint
- ts-lint
- ts-test
- ts-test-build
- py-lint
- py-test
strategy:
matrix:
image:
- dockerfile: src/backend/Dockerfile.gisaid
context: ./src/backend/
name: genepi-gisaid
- dockerfile: src/backend/Dockerfile.nextstrain
context: ./src/backend/
name: genepi-nextstrain
- dockerfile: src/backend/Dockerfile.pangolin
context: ./src/backend/
name: genepi-pangolin
- dockerfile: src/backend/Dockerfile.lineage_qc
context: ./src/backend/
name: genepi-lineage-qc
- dockerfile: src/backend/Dockerfile
context: ./src/backend/
name: genepi-backend
- dockerfile: src/frontend/Dockerfile
context: ./src/frontend/
name: genepi-frontend
steps:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
role-session-name: BuildAndImageCheck
aws-region: us-west-2
role-duration-seconds: 900
- name: Login to ECR
uses: docker/login-action@v1
with:
registry: ${{ secrets.ECR_REPO }}
- uses: actions/checkout@v2
- run: docker buildx build --build-arg HAPPY_COMMIT=${GITHUB_SHA} --build-arg HAPPY_BRANCH=${GITHUB_REF} --cache-from=type=registry,ref=${{ secrets.ECR_REPO }}/${{ matrix.image.name }}:branch-trunk --cache-to=type=inline,mode=max -t ${{ secrets.ECR_REPO }}/${{ matrix.image.name }}:sha-${GITHUB_SHA:0:8} -f ${{ matrix.image.dockerfile }} --push ${{ matrix.image.context }}
- run: make imagecheck-${{ matrix.image.name }} IMAGE=${{ secrets.ECR_REPO }}/${{ matrix.image.name }}:sha-${GITHUB_SHA:0:8}
update-stage:
needs:
- build-push-images
runs-on: ubuntu-20.04
if: github.ref == 'refs/heads/trunk'
steps:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
role-session-name: UpdateStage
aws-region: us-west-2
role-duration-seconds: 900
- name: Login to ECR
uses: docker/login-action@v1
with:
registry: ${{ secrets.ECR_REPO }}
- uses: actions/checkout@v2
- name: Determine source and destination tags
run: |
echo "SOURCE_TAG=sha-${GITHUB_SHA:0:8}" >> $GITHUB_ENV
echo "DEST_TAG=branch-$(echo ${GITHUB_REF#refs/heads/} | sed 's/[\+\/]/-/g')" >> $GITHUB_ENV
- name: Docker re-tag
uses: chanzuckerberg/github-actions/.github/actions/retag-happy@retag-happy-v1.1.0
with:
source-tag: ${{ env.SOURCE_TAG }}
dest-tag: ${{ env.DEST_TAG }}
happy_version: "0.41.3"
- name: Generate payload
run: |
echo "payload={\"tag\":\"sha-${GITHUB_SHA:0:8}\"}" >> $GITHUB_ENV
- uses: avakar/create-deployment@v1.0.2
with:
auto_merge: false
environment: staging
payload: ${{ env.payload }}
required_contexts: "" # Temporary hack to avoid checking Github Status for the commit
# TODO: Avoid circular dependency on the deploy step; this step hasn't finished yet so
# it's not considered ready for deploy normally by required_contexts, but we need to
# deploy for this to be considered ready.
# Unfortunately there is no blocklist for required_contexts, only an allowlist, so
# we'd have to enumerate every other Github PR status here, which can be constantly changing.
# For now, we just ignore required_contexts to deploy on every success.
# See https://github.community/t/can-i-avoid-creating-a-check-run-from-a-job-needed-for-deployments-api/16426
env:
GITHUB_TOKEN: ${{ secrets.CZIBUILDBOT_GITHUB_TOKEN }}