Skip to content

[AN-225] Cromwell Google Batch API workspace setting (#3136) #2857

[AN-225] Cromwell Google Batch API workspace setting (#3136)

[AN-225] Cromwell Google Batch API workspace setting (#3136) #2857

name: Consumer contract tests
# The purpose of this workflow is to run a suite of Rawls contract tests against mock service provider(s) using Pact framework.
#
# More details about Contract Testing can be found in our handbook
#
# https://broadworkbench.atlassian.net/wiki/spaces/IRT/pages/2660368406/Getting+Started+with+Pact+Contract+Testing
#
# This workflow involves Rawls as a consumer, and ANY provider (e.g. BPM) Rawls consumes.
# Each party owns a set of tests (aka contract tests).
#
# Consumer contract tests (aka consumer tests) runs on a mock provider service and does not require a real provider service.
# Provider contract tests (aka provider verification tests) runs independently of any consumer.
#
# Specifically:
# Rawls runs consumer tests against mock BPM service. Upon success, publish consumer pacts to
# Pact Broker https://pact-broker.dsp-eng-tools.broadinstitute.org/.
#
# Pact Broker is the source of truth to forge contractual obligations between consumer and provider.
#
# This workflow meets the criteria of Pact Broker *Platinum* as described in https://docs.pact.io/pact_nirvana/step_6.
# The can-i-deploy job has been added to this workflow to support *Platinum* and gate the code for promotion to default branch.
#
# This is how it works.
#
# Consumer makes a change that results in a new pact published to Pact Broker.
# Pact Broker notifies provider(s) of the changed pact and trigger corresponding verification workflows.
# Provider downloads relevant versions of consumer pacts from Pact Broker and kicks off verification tests against the consumer pacts.
# Provider updates Pact Broker with verification status.
# Consumer kicks off can-i-deploy on process to determine if changes can be promoted and used for deployment.
#
# NOTE: The publish-contracts workflow will use the latest commit of the branch that triggers this workflow to publish the unique consumer contract version to Pact Broker.
on:
pull_request:
branches:
- develop
paths-ignore:
- 'README.md'
push:
branches:
- develop
paths-ignore:
- 'README.md'
merge_group:
branches:
- develop
env:
PUBLISH_CONTRACTS_RUN_NAME: 'publish-contracts-${{ github.event.repository.name }}-${{ github.run_id }}-${{ github.run_attempt }}'
CAN_I_DEPLOY_RUN_NAME: 'can-i-deploy-${{ github.event.repository.name }}-${{ github.run_id }}-${{ github.run_attempt }}'
jobs:
bump-check:
runs-on: ubuntu-latest
outputs:
is-bump: ${{ steps.skiptest.outputs.is-bump }}
steps:
- uses: actions/checkout@v4
- name: Skip version bump merges
id: skiptest
uses: ./.github/actions/bump-skip
with:
event-name: ${{ github.event_name }}
regulated-tag-job:
needs: [ bump-check ]
if: ${{ needs.bump-check.outputs.is-bump == 'no' }}
uses: ./.github/workflows/tag.yml
with:
# The 'ref' parameter ensures that the consumer version is postfixed with the HEAD commit of the PR branch,
# facilitating cross-referencing of a pact between Pact Broker and GitHub.
ref: ${{ github.head_ref || '' }}
# The 'dry-run' parameter prevents the new tag from being dispatched.
dry-run: true
release-branches: develop
secrets: inherit
init-github-context:
runs-on: ubuntu-latest
needs: [ bump-check ]
if: ${{ needs.bump-check.outputs.is-bump == 'no' }}
outputs:
repo-branch: ${{ steps.extract-branch.outputs.repo-branch }}
repo-version: ${{ steps.extract-branch.outputs.repo-version }}
fork: ${{ steps.extract-branch.outputs.fork }}
steps:
- uses: actions/checkout@v4
- name: Obtain branch properties
id: extract-branch
run: |
FORK=false
GITHUB_EVENT_NAME=${{ github.event_name }}
if [[ "$GITHUB_EVENT_NAME" == "push" ]]; then
GITHUB_REF=${{ github.ref }}
GITHUB_SHA=${{ github.sha }}
elif [[ "$GITHUB_EVENT_NAME" == "pull_request" ]]; then
FORK=${{ github.event.pull_request.head.repo.fork }}
GITHUB_REF=refs/heads/${{ github.head_ref }}
GITHUB_SHA=${{ github.event.pull_request.head.sha }}
elif [[ "$GITHUB_EVENT_NAME" == "merge_group" ]]; then
GITHUB_REF=refs/heads/${{ github.head_ref }}
else
echo "Failed to extract branch information"
exit 1
fi
echo "repo-branch=${GITHUB_REF/refs\/heads\//""}" >> $GITHUB_OUTPUT
echo "repo-version=${GITHUB_SHA}" >> $GITHUB_OUTPUT
echo "fork=${FORK}" >> $GITHUB_OUTPUT
- name: Is PR triggered by forked repo?
if: ${{ steps.extract-branch.outputs.fork == 'true' }}
run: |
echo "PR was triggered by forked repo"
- name: Echo repo and branch information
run: |
echo "repo-owner=${{ github.repository_owner }}"
echo "repo-name=${{ github.event.repository.name }}"
echo "repo-branch=${{ steps.extract-branch.outputs.repo-branch }}"
echo "repo-version=${{ steps.extract-branch.outputs.repo-version }}"
rawls-consumer-contract-tests:
runs-on: ubuntu-latest
needs: [ bump-check, init-github-context ]
if: ${{ needs.bump-check.outputs.is-bump == 'no' }}
outputs:
pact-b64: ${{ steps.encode-pact.outputs.pact-b64 }}
steps:
- uses: actions/checkout@v4
- name: Run consumer tests
run: |
docker run --rm -v $PWD:/working \
-v jar-cache:/root/.ivy \
-v jar-cache:/root/.ivy2 \
-w /working \
sbtscala/scala-sbt:eclipse-temurin-17.0.13_11_1.10.5_2.13.15 \
bash -c "git config --global --add safe.directory /working && sbt -J-Xmx2g -J-XX:+UseG1GC \"project pact4s\" clean \"testOnly org.broadinstitute.dsde.rawls.consumer.*\""
- name: Output consumer contract as non-breaking base64 string
id: encode-pact
run: |
cd pact4s
NON_BREAKING_B64=$(cat target/pacts/rawls-bpm.json | base64 -w 0)
echo "pact-b64=${NON_BREAKING_B64}" >> $GITHUB_OUTPUT
# Prevent untrusted sources from using PRs to publish contracts
# since access to secrets is not allowed.
publish-contracts:
runs-on: ubuntu-latest
if: ${{ (needs.init-github-context.outputs.fork == 'false') && (needs.bump-check.outputs.is-bump == 'no') }}
needs:
- bump-check
- regulated-tag-job
- init-github-context
- rawls-consumer-contract-tests
steps:
- name: Dispatch to terra-github-workflows
uses: broadinstitute/[email protected]
with:
run-name: "${{ env.PUBLISH_CONTRACTS_RUN_NAME }}"
workflow: .github/workflows/publish-contracts.yaml
repo: broadinstitute/terra-github-workflows
ref: refs/heads/main
token: ${{ secrets.BROADBOT_TOKEN }} # github token for access to kick off a job in the private repo
inputs: '{
"run-name": "${{ env.PUBLISH_CONTRACTS_RUN_NAME }}",
"pact-b64": "${{ needs.rawls-consumer-contract-tests.outputs.pact-b64 }}",
"repo-owner": "${{ github.repository_owner }}",
"repo-name": "${{ github.event.repository.name }}",
"repo-branch": "${{ needs.init-github-context.outputs.repo-branch }}",
"release-tag": "${{ needs.regulated-tag-job.outputs.app-version }}"
}'
can-i-deploy:
runs-on: ubuntu-latest
needs: [ bump-check, regulated-tag-job, init-github-context, publish-contracts ]
if: ${{ (needs.init-github-context.outputs.fork == 'false') && (needs.bump-check.outputs.is-bump == 'no') }}
steps:
- name: Dispatch to terra-github-workflows
uses: broadinstitute/[email protected]
with:
run-name: "${{ env.CAN_I_DEPLOY_RUN_NAME }}"
workflow: .github/workflows/can-i-deploy.yaml
repo: broadinstitute/terra-github-workflows
ref: refs/heads/main
token: ${{ secrets.BROADBOT_TOKEN }} # github token for access to kick off a job in the private repo
inputs: '{
"run-name": "${{ env.CAN_I_DEPLOY_RUN_NAME }}",
"pacticipant": "rawls",
"version": "${{ needs.regulated-tag-job.outputs.app-version }}"
}'