name: Docker Build, Scan, Test

# Triggers: pushes to master, every pull request (the `labeled` type lets the
# `publish` / `publish-docker` label gate in the `setup` job start a fresh run),
# and published releases.
#
# NOTE(review): this is the `pull_request` event, not `pull_request_target`.
# Runs for pull requests from forks therefore do not receive repository secrets,
# and the publish gates below rely on exactly that (they test whether
# ACRYL_DOCKER_PASSWORD is non-empty). Do not switch the trigger to
# `pull_request_target` without reworking those gates.
on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - "**"
    types:
      - labeled
      - opened
      - synchronize
      - reopened
  release:
    types: [published]

concurrency:
  # Pull-request runs share one group per PR number, so a newer push to the same
  # PR cancels the older in-flight run. Pushes to master and releases have no PR
  # number and fall back to `github.run_id`, which is unique per run: those runs
  # are never cancelled, which keeps every master run around for reproducing
  # issues.
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
  cancel-in-progress: true

env:
  # Registry repositories that the *_build jobs tag and (when publishing is
  # enabled) push to.
  DATAHUB_GMS_IMAGE: "acryldata/datahub-gms"
  DATAHUB_FRONTEND_IMAGE: "acryldata/datahub-frontend-react"
  DATAHUB_MAE_CONSUMER_IMAGE: "acryldata/datahub-mae-consumer"
  DATAHUB_MCE_CONSUMER_IMAGE: "acryldata/datahub-mce-consumer"
  DATAHUB_KAFKA_SETUP_IMAGE: "acryldata/datahub-kafka-setup"
  DATAHUB_ELASTIC_SETUP_IMAGE: "acryldata/datahub-elasticsearch-setup"
  DATAHUB_MYSQL_SETUP_IMAGE: "acryldata/datahub-mysql-setup"
  DATAHUB_UPGRADE_IMAGE: "acryldata/datahub-upgrade"
  DATAHUB_INGESTION_BASE_IMAGE: "acryldata/datahub-ingestion-base"
  DATAHUB_INGESTION_IMAGE: "acryldata/datahub-ingestion"

  # Build cache backend; every "Set up Depot CLI" step is gated on this value.
  DOCKER_CACHE: "DEPOT"
  DEPOT_PROJECT_ID: "${{ vars.DEPOT_PROJECT_ID }}"
  # NOTE(review): a workflow-level env is exported to every step of every job,
  # including third-party actions that have nothing to do with Depot (artifact
  # download, Trivy, SARIF upload). Scoping DEPOT_TOKEN to the jobs or steps
  # that actually run the Depot CLI would shrink the blast radius of a
  # compromised or misbehaving action.
  DEPOT_TOKEN: "${{ secrets.DEPOT_TOKEN }}"

# Default GITHUB_TOKEN permissions for every job that does not declare its own
# `permissions:` block. The *_scan jobs declare their own (and do not include
# `id-token: write`).
# NOTE(review): `id-token: write` (OIDC token minting) is granted workflow-wide
# here; if only the Depot build steps need it, declaring it on those jobs
# instead would follow least privilege more closely.
permissions:
  contents: read
  id-token: write

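jobs:
  # NOTE(review): the third-party actions used throughout this workflow are
  # referenced by mutable tags (`@v3`, `@v1`, `@0.29.0`, `@v2.0.0`). Pinning each
  # `uses:` to a full-length commit SHA locks the supply chain against a tag
  # being moved onto different code.
  setup:
    runs-on: depot-ubuntu-24.04-small
    # Everything downstream keys off these outputs: image tags, the two publish
    # gates, and the per-area change flags from the ci-optimization action.
    outputs:
      tag: ${{ steps.tag.outputs.tag }}
      slim_tag: ${{ steps.tag.outputs.slim_tag }}
      full_tag: ${{ steps.tag.outputs.full_tag }}
      short_sha: ${{ steps.tag.outputs.short_sha }} # needed for auto-deploy
      unique_tag: ${{ steps.tag.outputs.unique_tag }}
      unique_slim_tag: ${{ steps.tag.outputs.unique_slim_tag }}
      unique_full_tag: ${{ steps.tag.outputs.unique_full_tag }}
      docker-login: ${{ steps.docker-login.outputs.docker-login }}
      publish: ${{ steps.publish.outputs.publish }}
      pr-publish: ${{ steps.pr-publish.outputs.publish }}
      python_release_version: ${{ steps.tag.outputs.python_release_version }}
      # On pull requests this is the PR head branch, i.e. a value chosen by the
      # PR author. Consumers should read it through an env var, never by
      # interpolating the expression into a `run:` body.
      branch_name: ${{ steps.tag.outputs.branch_name }}
      repository_name: ${{ steps.tag.outputs.repository_name }}
      frontend_change: ${{ steps.ci-optimize.outputs.frontend-change == 'true' }}
      ingestion_change: ${{ steps.ci-optimize.outputs.ingestion-change == 'true' }}
      ingestion_base_change: ${{ steps.ci-optimize.outputs.ingestion-base-change == 'true' }}
      backend_change: ${{ steps.ci-optimize.outputs.backend-change == 'true' }}
      frontend_only: ${{ steps.ci-optimize.outputs.frontend-only == 'true' }}
      ingestion_only: ${{ steps.ci-optimize.outputs.ingestion-only == 'true' }}
      backend_only: ${{ steps.ci-optimize.outputs.backend-only == 'true' }}
      kafka_setup_change: ${{ steps.ci-optimize.outputs.kafka-setup-change == 'true' }}
      mysql_setup_change: ${{ steps.ci-optimize.outputs.mysql-setup-change == 'true' }}
      postgres_setup_change: ${{ steps.ci-optimize.outputs.postgres-setup-change == 'true' }}
      elasticsearch_setup_change: ${{ steps.ci-optimize.outputs.elasticsearch-setup-change == 'true' }}
      smoke_test_change: ${{ steps.ci-optimize.outputs.smoke-test-change == 'true' }}
      integrations_service_change: "false"
      datahub_executor_change: "false"
    steps:
      - name: Check out the repo
        uses: acryldata/sane-checkout-action@v3

      # Tag helpers (SHORT_SHA, get_tag, get_unique_tag, ...) come from
      # .github/scripts/docker_helpers.sh; each value is written to
      # $GITHUB_OUTPUT.
      - name: Compute Tag
        id: tag
        run: |
          source .github/scripts/docker_helpers.sh
          echo "short_sha=${SHORT_SHA}" >> "$GITHUB_OUTPUT"
          echo "tag=$(get_tag)" >> "$GITHUB_OUTPUT"
          echo "slim_tag=$(get_tag_slim)" >> "$GITHUB_OUTPUT"
          echo "full_tag=$(get_tag_full)" >> "$GITHUB_OUTPUT"
          echo "unique_tag=$(get_unique_tag)" >> "$GITHUB_OUTPUT"
          echo "unique_slim_tag=$(get_unique_tag_slim)" >> "$GITHUB_OUTPUT"
          echo "unique_full_tag=$(get_unique_tag_full)" >> "$GITHUB_OUTPUT"
          echo "python_release_version=$(get_python_docker_release_v)" >> "$GITHUB_OUTPUT"
          echo "branch_name=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> "$GITHUB_OUTPUT"
          echo "repository_name=${GITHUB_REPOSITORY#*/}" >> "$GITHUB_OUTPUT"

      # The three gate steps below resolve their expression into a step env var
      # and read it from the shell environment, rather than interpolating the
      # expression into the script text. Same values as before; this is the
      # pattern GitHub recommends for `run:` steps so that expression output is
      # never parsed as shell code.
      - name: Check whether docker login is possible
        id: docker-login
        env:
          # Empty secret (for example a pull request from a fork) => false.
          ENABLE_DOCKER_LOGIN: ${{ secrets.ACRYL_DOCKER_PASSWORD != '' }}
        run: |
          echo "Enable Docker Login: ${ENABLE_DOCKER_LOGIN}"
          echo "docker-login=${ENABLE_DOCKER_LOGIN}" >> "$GITHUB_OUTPUT"

      - name: Check whether publishing enabled
        id: publish
        env:
          # Push and release runs that hold the registry secret publish; pull
          # requests never take this path (see pr-publish below).
          ENABLE_PUBLISH: >-
            ${{
              github.event_name != 'pull_request'
              && ( secrets.ACRYL_DOCKER_PASSWORD != '' )
            }}
        run: |
          echo "Enable publish: ${ENABLE_PUBLISH}"
          echo "publish=${ENABLE_PUBLISH}" >> "$GITHUB_OUTPUT"

      - name: Check whether PR publishing enabled
        id: pr-publish
        env:
          # A pull request publishes only when it carries the `publish` or
          # `publish-docker` label AND the run has the registry secret. Under the
          # `pull_request` trigger, secrets are not passed to runs for pull
          # requests from forks, so this stays false for fork PRs even when a
          # maintainer labels them.
          ENABLE_PUBLISH: >-
            ${{
              (github.event_name == 'pull_request' && (contains(github.event.pull_request.labels.*.name, 'publish') || contains(github.event.pull_request.labels.*.name, 'publish-docker')))
              && ( secrets.ACRYL_DOCKER_PASSWORD != '' )
            }}
        run: |
          echo "Enable PR publish: ${ENABLE_PUBLISH}"
          echo "publish=${ENABLE_PUBLISH}" >> "$GITHUB_OUTPUT"

      # Produces the *-change / *-only flags consumed by the `if:` guards below.
      - uses: ./.github/actions/ci-optimization
        id: ci-optimize
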
smoke_test_lint:
|
|
name: Lint on smoke tests
|
|
runs-on: depot-ubuntu-24.04
|
|
needs: setup
|
|
if: ${{ needs.setup.outputs.smoke_test_change }}" == 'true' }}
|
|
steps:
|
|
- name: Check out the repo
|
|
uses: acryldata/sane-checkout-action@v3
|
|
|
|
- uses: actions/setup-python@v5
|
|
with:
|
|
python-version: "3.10"
|
|
cache: "pip"
|
|
|
|
- uses: actions/cache@v4
|
|
with:
|
|
path: |
|
|
~/.cache/uv
|
|
key: ${{ runner.os }}-uv-${{ hashFiles('**/requirements.txt') }}
|
|
|
|
- uses: actions/cache@v4
|
|
with:
|
|
path: |
|
|
~/.cache/yarn
|
|
key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
|
|
|
|
- name: Run lint on smoke test
|
|
run: |
|
|
python ./.github/scripts/check_python_package.py
|
|
./gradlew :smoke-test:pythonLint
|
|
./gradlew :smoke-test:cypressLint
|
|
|
|
base_build:
|
|
name: Prepare all images
|
|
runs-on: depot-ubuntu-24.04-4
|
|
needs: setup
|
|
steps:
|
|
- name: Set up JDK 17
|
|
uses: actions/setup-java@v4
|
|
with:
|
|
distribution: "zulu"
|
|
java-version: 17
|
|
|
|
|
|
#- uses: gradle/actions/setup-gradle@v4
|
|
- uses: actions/cache@v4
|
|
with:
|
|
path: |
|
|
~/.cache/uv
|
|
key: ${{ runner.os }}-uv-${{ hashFiles('**/requirements.txt') }}
|
|
|
|
- uses: actions/cache@v4
|
|
with:
|
|
path: |
|
|
~/.cache/yarn
|
|
key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
|
|
|
|
- name: Set up Depot CLI
|
|
if: ${{ env.DOCKER_CACHE == 'DEPOT' }}
|
|
uses: depot/setup-action@v1
|
|
|
|
- name: Check out the repo
|
|
uses: acryldata/sane-checkout-action@v3
|
|
|
|
- uses: actions/setup-python@v5
|
|
with:
|
|
python-version: "3.10"
|
|
cache: "pip"
|
|
|
|
|
|
- name: Build all Docker Contexts
|
|
run: |
|
|
./gradlew :docker:PrepareAllQuickStartConsumers
|
|
|
|
|
|
- uses: actions/cache/save@v4
|
|
with:
|
|
path: ${{ github.workspace }}/build/dockerBuildContext/
|
|
key: ${{ runner.os }}-docker-${{ github.sha }}
|
|
|
|
|
|
gms_build:
|
|
name: Build and Push DataHub GMS Docker Image
|
|
runs-on: depot-ubuntu-24.04
|
|
needs: [setup, base_build]
|
|
if: ${{ needs.setup.outputs.backend_change == 'true' || needs.setup.outputs.publish == 'true' }}
|
|
steps:
|
|
- name: Check out the repo
|
|
uses: acryldata/sane-checkout-action@v3
|
|
|
|
- name: Set up Depot CLI
|
|
if: ${{ env.DOCKER_CACHE == 'DEPOT' }}
|
|
uses: depot/setup-action@v1
|
|
|
|
- uses: actions/cache/restore@v4
|
|
with:
|
|
path: ${{ github.workspace }}/build/dockerBuildContext/
|
|
key: ${{ runner.os }}-docker-${{ github.sha }}
|
|
|
|
- name: Build and push
|
|
uses: ./.github/actions/docker-custom-build-and-push
|
|
with:
|
|
images: |
|
|
${{ env.DATAHUB_GMS_IMAGE }}
|
|
image_tag: ${{ needs.setup.outputs.tag }}
|
|
username: ${{ secrets.ACRYL_DOCKER_USERNAME }}
|
|
password: ${{ secrets.ACRYL_DOCKER_PASSWORD }}
|
|
publish: ${{ needs.setup.outputs.publish == 'true' || needs.setup.outputs.pr-publish == 'true' }}
|
|
context: ./build/dockerBuildContext/metadata-service/war/docker
|
|
file: ./docker/datahub-gms/Dockerfile
|
|
platforms: linux/amd64,linux/arm64/v8
|
|
gms_scan:
|
|
permissions:
|
|
contents: read # for actions/checkout to fetch code
|
|
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
|
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
|
name: "[Monitoring] Scan GMS images for vulnerabilities"
|
|
runs-on: depot-ubuntu-24.04
|
|
needs: [setup, gms_build]
|
|
if: ${{ needs.setup.outputs.backend_change == 'true' || needs.setup.outputs.publish == 'true' }}
|
|
steps:
|
|
- name: Checkout # adding checkout step just to make trivy upload happy
|
|
uses: acryldata/sane-checkout-action@v3
|
|
- name: Download image
|
|
uses: ishworkh/container-image-artifact-download@v2.0.0
|
|
if: ${{ needs.setup.outputs.publish != 'true' && needs.setup.outputs.pr-publish != 'true' }}
|
|
with:
|
|
image: ${{ env.DATAHUB_GMS_IMAGE }}:${{ needs.setup.outputs.unique_tag }}
|
|
- name: Run Trivy vulnerability scanner
|
|
uses: aquasecurity/trivy-action@0.29.0
|
|
env:
|
|
TRIVY_OFFLINE_SCAN: true
|
|
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
|
|
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1
|
|
with:
|
|
image-ref: ${{ env.DATAHUB_GMS_IMAGE }}:${{ needs.setup.outputs.unique_tag }}
|
|
format: "template"
|
|
template: "@/contrib/sarif.tpl"
|
|
output: "trivy-results.sarif"
|
|
severity: "CRITICAL,HIGH"
|
|
ignore-unfixed: true
|
|
vuln-type: "os,library"
|
|
- name: Upload Trivy scan results to GitHub Security tab
|
|
uses: github/codeql-action/upload-sarif@v3
|
|
with:
|
|
sarif_file: "trivy-results.sarif"
|
|
|
|
mae_consumer_build:
|
|
name: Build and Push DataHub MAE Consumer Docker Image
|
|
runs-on: depot-ubuntu-24.04
|
|
needs: [setup, smoke_test_lint, base_build]
|
|
if: ${{ needs.setup.outputs.backend_change == 'true' || needs.setup.outputs.publish == 'true' }}
|
|
steps:
|
|
- name: Check out the repo
|
|
uses: acryldata/sane-checkout-action@v3
|
|
|
|
- name: Set up Depot CLI
|
|
if: ${{ env.DOCKER_CACHE == 'DEPOT' }}
|
|
uses: depot/setup-action@v1
|
|
|
|
- uses: actions/cache/restore@v4
|
|
with:
|
|
path: ${{ github.workspace }}/build/dockerBuildContext/
|
|
key: ${{ runner.os }}-docker-${{ github.sha }}
|
|
|
|
- name: Build and push
|
|
uses: ./.github/actions/docker-custom-build-and-push
|
|
with:
|
|
images: |
|
|
${{ env.DATAHUB_MAE_CONSUMER_IMAGE }}
|
|
image_tag: ${{ needs.setup.outputs.tag }}
|
|
username: ${{ secrets.ACRYL_DOCKER_USERNAME }}
|
|
password: ${{ secrets.ACRYL_DOCKER_PASSWORD }}
|
|
publish: ${{ needs.setup.outputs.publish == 'true' || needs.setup.outputs.pr-publish == 'true' }}
|
|
context: ./build/dockerBuildContext/metadata-jobs/mae-consumer-job/docker
|
|
file: ./docker/datahub-mae-consumer/Dockerfile
|
|
platforms: linux/amd64,linux/arm64/v8
|
|
mae_consumer_scan:
|
|
name: "[Monitoring] Scan MAE consumer images for vulnerabilities"
|
|
runs-on: depot-ubuntu-24.04
|
|
needs: [setup, smoke_test_lint,mae_consumer_build]
|
|
if: ${{ needs.setup.outputs.backend_change == 'true' || needs.setup.outputs.publish == 'true' }}
|
|
permissions:
|
|
contents: read # for actions/checkout to fetch code
|
|
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
|
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
|
steps:
|
|
- name: Checkout # adding checkout step just to make trivy upload happy
|
|
uses: acryldata/sane-checkout-action@v3
|
|
- name: Download image
|
|
uses: ishworkh/container-image-artifact-download@v2.0.0
|
|
if: ${{ needs.setup.outputs.publish != 'true' && needs.setup.outputs.pr-publish != 'true' }}
|
|
with:
|
|
image: ${{ env.DATAHUB_MAE_CONSUMER_IMAGE }}:${{ needs.setup.outputs.unique_tag }}
|
|
- name: Run Trivy vulnerability scanner
|
|
uses: aquasecurity/trivy-action@0.29.0
|
|
env:
|
|
TRIVY_OFFLINE_SCAN: true
|
|
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
|
|
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1
|
|
with:
|
|
image-ref: ${{ env.DATAHUB_MAE_CONSUMER_IMAGE }}:${{ needs.setup.outputs.unique_tag }}
|
|
format: "template"
|
|
template: "@/contrib/sarif.tpl"
|
|
output: "trivy-results.sarif"
|
|
severity: "CRITICAL,HIGH"
|
|
ignore-unfixed: true
|
|
vuln-type: "os,library"
|
|
- name: Upload Trivy scan results to GitHub Security tab
|
|
uses: github/codeql-action/upload-sarif@v3
|
|
with:
|
|
sarif_file: "trivy-results.sarif"
|
|
|
|
mce_consumer_build:
|
|
name: Build and Push DataHub MCE Consumer Docker Image
|
|
runs-on: depot-ubuntu-24.04
|
|
needs: [setup, base_build]
|
|
if: ${{ needs.setup.outputs.backend_change == 'true' || needs.setup.outputs.publish == 'true' }}
|
|
steps:
|
|
- name: Check out the repo
|
|
uses: acryldata/sane-checkout-action@v3
|
|
|
|
- name: Set up Depot CLI
|
|
if: ${{ env.DOCKER_CACHE == 'DEPOT' }}
|
|
uses: depot/setup-action@v1
|
|
|
|
- uses: actions/cache/restore@v4
|
|
with:
|
|
path: ${{ github.workspace }}/build/dockerBuildContext/
|
|
key: ${{ runner.os }}-docker-${{ github.sha }}
|
|
- name: Build and push
|
|
uses: ./.github/actions/docker-custom-build-and-push
|
|
with:
|
|
images: |
|
|
${{ env.DATAHUB_MCE_CONSUMER_IMAGE }}
|
|
image_tag: ${{ needs.setup.outputs.tag }}
|
|
username: ${{ secrets.ACRYL_DOCKER_USERNAME }}
|
|
password: ${{ secrets.ACRYL_DOCKER_PASSWORD }}
|
|
publish: ${{ needs.setup.outputs.publish == 'true' || needs.setup.outputs.pr-publish == 'true' }}
|
|
context: ./build/dockerBuildContext/metadata-jobs/mce-consumer-job/docker
|
|
file: ./docker/datahub-mce-consumer/Dockerfile
|
|
platforms: linux/amd64,linux/arm64/v8
|
|
mce_consumer_scan:
|
|
name: "[Monitoring] Scan MCE consumer images for vulnerabilities"
|
|
runs-on: depot-ubuntu-24.04
|
|
needs: [setup, smoke_test_lint,mce_consumer_build]
|
|
if: ${{ needs.setup.outputs.backend_change == 'true' || needs.setup.outputs.publish == 'true' }}
|
|
permissions:
|
|
contents: read # for actions/checkout to fetch code
|
|
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
|
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
|
steps:
|
|
- name: Checkout # adding checkout step just to make trivy upload happy
|
|
uses: acryldata/sane-checkout-action@v3
|
|
- name: Download image
|
|
uses: ishworkh/container-image-artifact-download@v2.0.0
|
|
if: ${{ needs.setup.outputs.publish != 'true' && needs.setup.outputs.pr-publish != 'true' }}
|
|
with:
|
|
image: ${{ env.DATAHUB_MCE_CONSUMER_IMAGE }}:${{ needs.setup.outputs.unique_tag }}
|
|
- name: Run Trivy vulnerability scanner
|
|
uses: aquasecurity/trivy-action@0.29.0
|
|
env:
|
|
TRIVY_OFFLINE_SCAN: true
|
|
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
|
|
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1
|
|
with:
|
|
image-ref: ${{ env.DATAHUB_MCE_CONSUMER_IMAGE }}:${{ needs.setup.outputs.unique_tag }}
|
|
format: "template"
|
|
template: "@/contrib/sarif.tpl"
|
|
output: "trivy-results.sarif"
|
|
severity: "CRITICAL,HIGH"
|
|
ignore-unfixed: true
|
|
vuln-type: "os,library"
|
|
- name: Upload Trivy scan results to GitHub Security tab
|
|
uses: github/codeql-action/upload-sarif@v3
|
|
with:
|
|
sarif_file: "trivy-results.sarif"
|
|
|
|
datahub_upgrade_build:
|
|
name: Build and Push DataHub Upgrade Docker Image
|
|
runs-on: depot-ubuntu-24.04
|
|
needs: [setup, base_build]
|
|
if: ${{ needs.setup.outputs.backend_change == 'true' || needs.setup.outputs.publish == 'true' }}
|
|
steps:
|
|
- name: Check out the repo
|
|
uses: acryldata/sane-checkout-action@v3
|
|
|
|
- name: Set up Depot CLI
|
|
if: ${{ env.DOCKER_CACHE == 'DEPOT' }}
|
|
uses: depot/setup-action@v1
|
|
|
|
- uses: actions/cache/restore@v4
|
|
with:
|
|
path: ${{ github.workspace }}/build/dockerBuildContext/
|
|
key: ${{ runner.os }}-docker-${{ github.sha }}
|
|
|
|
- name: Build and push
|
|
uses: ./.github/actions/docker-custom-build-and-push
|
|
with:
|
|
images: |
|
|
${{ env.DATAHUB_UPGRADE_IMAGE }}
|
|
image_tag: ${{ needs.setup.outputs.tag }}
|
|
username: ${{ secrets.ACRYL_DOCKER_USERNAME }}
|
|
password: ${{ secrets.ACRYL_DOCKER_PASSWORD }}
|
|
publish: ${{ needs.setup.outputs.publish == 'true' || needs.setup.outputs.pr-publish == 'true' }}
|
|
context: ./build/dockerBuildContext/datahub-upgrade/docker
|
|
file: ./docker/datahub-upgrade/Dockerfile
|
|
platforms: linux/amd64,linux/arm64/v8
|
|
datahub_upgrade_scan:
|
|
name: "[Monitoring] Scan DataHub Upgrade images for vulnerabilities"
|
|
runs-on: depot-ubuntu-24.04
|
|
needs: [setup, smoke_test_lint,datahub_upgrade_build]
|
|
if: ${{ needs.setup.outputs.backend_change == 'true' || needs.setup.outputs.publish == 'true' }}
|
|
permissions:
|
|
contents: read # for actions/checkout to fetch code
|
|
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
|
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
|
steps:
|
|
- name: Checkout # adding checkout step just to make trivy upload happy
|
|
uses: acryldata/sane-checkout-action@v3
|
|
- name: Download image
|
|
uses: ishworkh/container-image-artifact-download@v2.0.0
|
|
if: ${{ needs.setup.outputs.publish != 'true' && needs.setup.outputs.pr-publish != 'true' }}
|
|
with:
|
|
image: ${{ env.DATAHUB_UPGRADE_IMAGE }}:${{ needs.setup.outputs.unique_tag }}
|
|
- name: Run Trivy vulnerability scanner
|
|
uses: aquasecurity/trivy-action@0.29.0
|
|
env:
|
|
TRIVY_OFFLINE_SCAN: true
|
|
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
|
|
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1
|
|
with:
|
|
image-ref: ${{ env.DATAHUB_UPGRADE_IMAGE }}:${{ needs.setup.outputs.unique_tag }}
|
|
format: "template"
|
|
template: "@/contrib/sarif.tpl"
|
|
output: "trivy-results.sarif"
|
|
severity: "CRITICAL,HIGH"
|
|
ignore-unfixed: true
|
|
vuln-type: "os,library"
|
|
- name: Upload Trivy scan results to GitHub Security tab
|
|
uses: github/codeql-action/upload-sarif@v3
|
|
with:
|
|
sarif_file: "trivy-results.sarif"
|
|
|
|
frontend_build:
|
|
name: Build and Push DataHub Frontend Docker Image
|
|
runs-on: depot-ubuntu-24.04
|
|
needs: [setup, base_build]
|
|
if: ${{ needs.setup.outputs.frontend_change == 'true' || needs.setup.outputs.publish == 'true' || needs.setup.outputs.pr-publish == 'true'}}
|
|
steps:
|
|
- name: Check out the repo
|
|
uses: acryldata/sane-checkout-action@v3
|
|
|
|
- name: Set up Depot CLI
|
|
if: ${{ env.DOCKER_CACHE == 'DEPOT' }}
|
|
uses: depot/setup-action@v1
|
|
|
|
- uses: actions/cache/restore@v4
|
|
with:
|
|
path: ${{ github.workspace }}/build/dockerBuildContext/
|
|
key: ${{ runner.os }}-docker-${{ github.sha }}
|
|
|
|
- name: Build and push
|
|
uses: ./.github/actions/docker-custom-build-and-push
|
|
with:
|
|
images: |
|
|
${{ env.DATAHUB_FRONTEND_IMAGE }}
|
|
image_tag: ${{ needs.setup.outputs.tag }}
|
|
username: ${{ secrets.ACRYL_DOCKER_USERNAME }}
|
|
password: ${{ secrets.ACRYL_DOCKER_PASSWORD }}
|
|
publish: ${{ needs.setup.outputs.publish == 'true' || needs.setup.outputs.pr-publish == 'true' }}
|
|
context: ./build/dockerBuildContext/datahub-frontend/docker
|
|
file: ./docker/datahub-frontend/Dockerfile
|
|
platforms: linux/amd64,linux/arm64/v8
|
|
frontend_scan:
|
|
name: "[Monitoring] Scan Frontend images for vulnerabilities"
|
|
runs-on: depot-ubuntu-24.04
|
|
needs: [setup, smoke_test_lint,frontend_build]
|
|
if: ${{ needs.setup.outputs.frontend_change == 'true' || needs.setup.outputs.publish == 'true' }}
|
|
permissions:
|
|
contents: read # for actions/checkout to fetch code
|
|
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
|
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
|
steps:
|
|
- name: Checkout # adding checkout step just to make trivy upload happy
|
|
uses: actions/checkout@v4
|
|
- name: Download image
|
|
uses: ishworkh/container-image-artifact-download@v2.0.0
|
|
if: ${{ needs.setup.outputs.publish != 'true' && needs.setup.outputs.pr-publish != 'true' }}
|
|
with:
|
|
image: ${{ env.DATAHUB_FRONTEND_IMAGE }}:${{ needs.setup.outputs.unique_tag }}
|
|
- name: Run Trivy vulnerability scanner
|
|
uses: aquasecurity/trivy-action@0.29.0
|
|
env:
|
|
TRIVY_OFFLINE_SCAN: true
|
|
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
|
|
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1
|
|
with:
|
|
image-ref: ${{ env.DATAHUB_FRONTEND_IMAGE }}:${{ needs.setup.outputs.unique_tag }}
|
|
format: "template"
|
|
template: "@/contrib/sarif.tpl"
|
|
output: "trivy-results.sarif"
|
|
severity: "CRITICAL,HIGH"
|
|
ignore-unfixed: true
|
|
vuln-type: "os,library"
|
|
- name: Upload Trivy scan results to GitHub Security tab
|
|
uses: github/codeql-action/upload-sarif@v3
|
|
with:
|
|
sarif_file: "trivy-results.sarif"
|
|
|
|
kafka_setup_build:
|
|
name: Build and Push DataHub Kafka Setup Docker Image
|
|
runs-on: depot-ubuntu-24.04
|
|
needs: [setup, base_build]
|
|
if: ${{ needs.setup.outputs.kafka_setup_change == 'true' || (needs.setup.outputs.publish == 'true' || needs.setup.outputs.pr-publish == 'true') }}
|
|
steps:
|
|
- name: Check out the repo
|
|
uses: acryldata/sane-checkout-action@v3
|
|
|
|
- name: Set up Depot CLI
|
|
if: ${{ env.DOCKER_CACHE == 'DEPOT' }}
|
|
uses: depot/setup-action@v1
|
|
|
|
- uses: actions/cache/restore@v4
|
|
with:
|
|
path: ${{ github.workspace }}/build/dockerBuildContext/
|
|
key: ${{ runner.os }}-docker-${{ github.sha }}
|
|
|
|
- name: Build and push
|
|
uses: ./.github/actions/docker-custom-build-and-push
|
|
with:
|
|
images: |
|
|
${{ env.DATAHUB_KAFKA_SETUP_IMAGE }}
|
|
image_tag: ${{ needs.setup.outputs.tag }}
|
|
username: ${{ secrets.ACRYL_DOCKER_USERNAME }}
|
|
password: ${{ secrets.ACRYL_DOCKER_PASSWORD }}
|
|
publish: ${{ needs.setup.outputs.publish == 'true' || needs.setup.outputs.pr-publish == 'true' }}
|
|
context: ./build/dockerBuildContext/docker/kafka-setup/docker
|
|
file: ./docker/kafka-setup/Dockerfile
|
|
platforms: linux/amd64,linux/arm64/v8
|
|
kafka_setup_scan:
|
|
permissions:
|
|
contents: read # for actions/checkout to fetch code
|
|
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
|
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
|
name: "[Monitoring] Scan Kafka Setup images for vulnerabilities"
|
|
runs-on: depot-ubuntu-24.04
|
|
needs: [ setup, smoke_test_lint,kafka_setup_build]
|
|
if: ${{ needs.setup.outputs.kafka_setup_change == 'true' || (needs.setup.outputs.publish == 'true' || needs.setup.outputs.pr-publish == 'true') }}
|
|
steps:
|
|
- name: Checkout # adding checkout step just to make trivy upload happy
|
|
uses: acryldata/sane-checkout-action@v3
|
|
- name: Download image
|
|
uses: ishworkh/container-image-artifact-download@v2.0.0
|
|
if: ${{ needs.setup.outputs.publish != 'true' && needs.setup.outputs.pr-publish != 'true' }}
|
|
with:
|
|
image: ${{ env.DATAHUB_KAFKA_SETUP_IMAGE }}:${{ needs.setup.outputs.unique_tag }}
|
|
- name: Run Trivy vulnerability scanner
|
|
uses: aquasecurity/trivy-action@0.29.0
|
|
env:
|
|
TRIVY_OFFLINE_SCAN: true
|
|
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
|
|
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1
|
|
with:
|
|
image-ref: ${{ env.DATAHUB_KAFKA_SETUP_IMAGE }}:${{ needs.setup.outputs.unique_tag }}
|
|
format: "template"
|
|
template: "@/contrib/sarif.tpl"
|
|
output: "trivy-results.sarif"
|
|
severity: "CRITICAL,HIGH"
|
|
ignore-unfixed: true
|
|
vuln-type: "os,library"
|
|
- name: Upload Trivy scan results to GitHub Security tab
|
|
uses: github/codeql-action/upload-sarif@v3
|
|
with:
|
|
sarif_file: "trivy-results.sarif"
|
|
|
|
mysql_setup_build:
|
|
name: Build and Push DataHub MySQL Setup Docker Image
|
|
runs-on: depot-ubuntu-24.04
|
|
needs: [setup, base_build]
|
|
if: ${{ false || needs.setup.outputs.mysql_setup_change == 'true' || (needs.setup.outputs.publish == 'true' || needs.setup.outputs.pr-publish == 'true') }}
|
|
steps:
|
|
- name: Check out the repo
|
|
uses: acryldata/sane-checkout-action@v3
|
|
|
|
- name: Set up Depot CLI
|
|
if: ${{ env.DOCKER_CACHE == 'DEPOT' }}
|
|
uses: depot/setup-action@v1
|
|
|
|
- uses: actions/cache/restore@v4
|
|
with:
|
|
path: ${{ github.workspace }}/build/dockerBuildContext/
|
|
key: ${{ runner.os }}-docker-${{ github.sha }}
|
|
|
|
- name: Build and push
|
|
uses: ./.github/actions/docker-custom-build-and-push
|
|
with:
|
|
images: |
|
|
${{ env.DATAHUB_MYSQL_SETUP_IMAGE }}
|
|
image_tag: ${{ needs.setup.outputs.tag }}
|
|
username: ${{ secrets.ACRYL_DOCKER_USERNAME }}
|
|
password: ${{ secrets.ACRYL_DOCKER_PASSWORD }}
|
|
publish: ${{ needs.setup.outputs.publish == 'true' || needs.setup.outputs.pr-publish == 'true' }}
|
|
context: ./build/dockerBuildContext/docker/mysql-setup/docker
|
|
file: ./docker/mysql-setup/Dockerfile
|
|
platforms: linux/amd64,linux/arm64/v8
|
|
mysql_setup_scan:
|
|
permissions:
|
|
contents: read # for actions/checkout to fetch code
|
|
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
|
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
|
name: "[Monitoring] Scan MySQL Setup images for vulnerabilities"
|
|
runs-on: depot-ubuntu-24.04
|
|
needs: [ setup, smoke_test_lint,mysql_setup_build ]
|
|
if: ${{ needs.setup.outputs.mysql_setup_change == 'true' || (needs.setup.outputs.publish == 'true' || needs.setup.outputs.pr-publish == 'true') }}
|
|
steps:
|
|
- name: Checkout # adding checkout step just to make trivy upload happy
|
|
uses: acryldata/sane-checkout-action@v3
|
|
- name: Download image
|
|
uses: ishworkh/container-image-artifact-download@v2.0.0
|
|
if: ${{ needs.setup.outputs.publish != 'true' && needs.setup.outputs.pr-publish != 'true' }}
|
|
with:
|
|
image: ${{ env.DATAHUB_MYSQL_SETUP_IMAGE }}:${{ needs.setup.outputs.unique_tag }}
|
|
- name: Run Trivy vulnerability scanner
|
|
uses: aquasecurity/trivy-action@0.29.0
|
|
env:
|
|
TRIVY_OFFLINE_SCAN: true
|
|
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
|
|
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1
|
|
with:
|
|
image-ref: ${{ env.DATAHUB_MYSQL_SETUP_IMAGE }}:${{ needs.setup.outputs.unique_tag }}
|
|
format: "template"
|
|
template: "@/contrib/sarif.tpl"
|
|
output: "trivy-results.sarif"
|
|
severity: "CRITICAL,HIGH"
|
|
ignore-unfixed: true
|
|
vuln-type: "os,library"
|
|
- name: Upload Trivy scan results to GitHub Security tab
|
|
uses: github/codeql-action/upload-sarif@v3
|
|
with:
|
|
sarif_file: "trivy-results.sarif"
|
|
|
|
elasticsearch_setup_build:
|
|
name: Build and Push DataHub Elasticsearch Setup Docker Image
|
|
runs-on: depot-ubuntu-24.04
|
|
needs: [setup, base_build]
|
|
if: ${{ needs.setup.outputs.elasticsearch_setup_change == 'true' || (needs.setup.outputs.publish == 'true' || needs.setup.outputs.pr-publish == 'true' ) }}
|
|
steps:
|
|
- name: Check out the repo
|
|
uses: acryldata/sane-checkout-action@v3
|
|
|
|
- name: Set up Depot CLI
|
|
if: ${{ env.DOCKER_CACHE == 'DEPOT' }}
|
|
uses: depot/setup-action@v1
|
|
|
|
- uses: actions/cache/restore@v4
|
|
with:
|
|
path: ${{ github.workspace }}/build/dockerBuildContext/
|
|
key: ${{ runner.os }}-docker-${{ github.sha }}
|
|
|
|
- name: Build and push
|
|
uses: ./.github/actions/docker-custom-build-and-push
|
|
with:
|
|
images: |
|
|
${{ env.DATAHUB_ELASTIC_SETUP_IMAGE }}
|
|
image_tag: ${{ needs.setup.outputs.tag }}
|
|
username: ${{ secrets.ACRYL_DOCKER_USERNAME }}
|
|
password: ${{ secrets.ACRYL_DOCKER_PASSWORD }}
|
|
publish: ${{ needs.setup.outputs.publish == 'true' || needs.setup.outputs.pr-publish == 'true' }}
|
|
context: ./build/dockerBuildContext/docker/elasticsearch-setup/docker
|
|
file: ./docker/elasticsearch-setup/Dockerfile
|
|
platforms: linux/amd64,linux/arm64/v8
|
|
elasticsearch_setup_scan:
  # Monitoring-only vulnerability scan of the elasticsearch-setup image.
  # Findings are uploaded to the Security tab as SARIF; no exit-code is
  # configured for Trivy, so this job reports findings but never fails on them.
  name: "[Monitoring] Scan ElasticSearch setup images for vulnerabilities"
  runs-on: depot-ubuntu-24.04
  needs:
    - setup
    - elasticsearch_setup_build
  # Scan whenever the image was rebuilt for this change, or on any publish.
  if: ${{ needs.setup.outputs.elasticsearch_setup_change == 'true' || (needs.setup.outputs.publish == 'true' || needs.setup.outputs.pr-publish == 'true' ) }}
  permissions:
    contents: read  # actions/checkout needs to fetch code
    security-events: write  # github/codeql-action/upload-sarif writes the SARIF results
    actions: read  # only needed on a private repository, for upload-sarif to read the run status
  steps:
    # upload-sarif expects a checked-out repository to attach the results to.
    - name: Checkout
      uses: acryldata/sane-checkout-action@v3
    # Unpublished images only exist as a workflow artifact; published ones
    # are pulled from the registry by Trivy itself.
    - name: Download image
      if: ${{ needs.setup.outputs.publish != 'true' && needs.setup.outputs.pr-publish != 'true' }}
      uses: ishworkh/container-image-artifact-download@v2.0.0
      with:
        image: '${{ env.DATAHUB_ELASTIC_SETUP_IMAGE }}:${{ needs.setup.outputs.unique_tag }}'
    # NOTE(review): the third-party actions in this job are referenced by
    # mutable tags; pinning them to a commit SHA would harden the supply chain.
    - name: Run Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@0.29.0
      env:
        TRIVY_OFFLINE_SCAN: true
        # Two sources are listed for each vulnerability database.
        TRIVY_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2'
        TRIVY_JAVA_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1'
      with:
        image-ref: '${{ env.DATAHUB_ELASTIC_SETUP_IMAGE }}:${{ needs.setup.outputs.unique_tag }}'
        format: template
        template: '@/contrib/sarif.tpl'
        output: trivy-results.sarif
        severity: 'CRITICAL,HIGH'
        ignore-unfixed: true  # only report findings that already have a fix
        vuln-type: 'os,library'
    - name: Upload Trivy scan results to GitHub Security tab
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: trivy-results.sarif
datahub_ingestion_base_build:
  # Builds the datahub-ingestion-base image (Dockerfile target base-empty)
  # and exposes the tag that the Base-Slim / Base-Full jobs consume.
  name: Build and Push DataHub Ingestion (Base) Docker Image
  runs-on: depot-ubuntu-24.04
  outputs:
    # unique_tag when the base was rebuilt in this run, otherwise the literal
    # "head" (see the Compute ... Tag step below).
    tag: ${{ steps.tag.outputs.tag }}
  needs: setup
  if: ${{ needs.setup.outputs.ingestion_change == 'true' || needs.setup.outputs.publish == 'true' || needs.setup.outputs.pr-publish == 'true' }}
  steps:
    - name: Check out the repo
      uses: acryldata/sane-checkout-action@v3

    - name: Set up Depot CLI
      if: ${{ env.DOCKER_CACHE == 'DEPOT' }}
      uses: depot/setup-action@v1

    # Restores the docker build context keyed on the commit SHA; presumably
    # saved by an earlier job of this workflow -- verify if the build runs
    # without a context.
    - uses: actions/cache/restore@v4
      with:
        path: ${{ github.workspace }}/build/dockerBuildContext/
        key: ${{ runner.os }}-docker-${{ github.sha }}

    # Only rebuilt when the base image inputs changed; otherwise downstream
    # jobs reuse the already-published "head" base.
    - name: Build and push Base Image
      if: ${{ needs.setup.outputs.ingestion_base_change == 'true' }}
      uses: ./.github/actions/docker-custom-build-and-push
      with:
        target: base-empty
        images: |
          ${{ env.DATAHUB_INGESTION_BASE_IMAGE }}
        image_tag: ${{ needs.setup.outputs.tag }}
        username: ${{ secrets.ACRYL_DOCKER_USERNAME }}
        password: ${{ secrets.ACRYL_DOCKER_PASSWORD }}
        publish: ${{ needs.setup.outputs.publish == 'true' || needs.setup.outputs.pr-publish == 'true' }}
        context: .
        file: ./docker/datahub-ingestion-base/Dockerfile
        platforms: linux/amd64,linux/arm64/v8
        depot-project: ${{ vars.DEPOT_PROJECT_ID }}
    # Falls back to "head" when the base was not rebuilt, so consumers still
    # get a resolvable tag.
    - name: Compute DataHub Ingestion (Base) Tag
      id: tag
      run: echo "tag=${{ needs.setup.outputs.ingestion_base_change == 'true' && needs.setup.outputs.unique_tag || 'head' }}" >> "$GITHUB_OUTPUT"
datahub_ingestion_base_slim_build:
  # Builds the slim flavour of the ingestion base image (APP_ENV=slim) on top
  # of the base image produced by datahub_ingestion_base_build.
  name: Build and Push DataHub Ingestion (Base-Slim) Docker Image
  runs-on: depot-ubuntu-24.04
  outputs:
    # unique_slim_tag when rebuilt in this run, otherwise the literal
    # "head-slim" (see the Compute ... Tag step below).
    tag: ${{ steps.tag.outputs.tag }}
  needs: [setup, smoke_test_lint,datahub_ingestion_base_build]
  if: ${{ needs.setup.outputs.ingestion_change == 'true' || needs.setup.outputs.publish == 'true' || needs.setup.outputs.pr-publish == 'true' }}
  steps:
    # Best-effort cleanup of preinstalled runner content; every command is
    # allowed to fail.
    - name: Free up disk space
      run: |
        sudo apt-get remove 'dotnet-*' azure-cli || true
        sudo rm -rf /usr/local/lib/android/ || true
        sudo docker image prune -a -f || true
    - name: Check out the repo
      uses: acryldata/sane-checkout-action@v3
    # The base image is only an artifact (not in a registry) when this run
    # rebuilt it and did not publish it.
    - name: Download Base Image
      uses: ishworkh/container-image-artifact-download@v2.0.0
      if: ${{ needs.setup.outputs.publish != 'true' && needs.setup.outputs.pr-publish != 'true' && needs.setup.outputs.ingestion_base_change == 'true' }}
      with:
        image: ${{ env.DATAHUB_INGESTION_BASE_IMAGE }}:${{ needs.setup.outputs.ingestion_base_change == 'true' && needs.setup.outputs.unique_tag || 'head' }}
    # Login is only needed when the build has to pull the published "head"
    # base from the registry (base unchanged and nothing being published).
    - name: Login to DockerHub
      uses: docker/login-action@v3
      if: ${{ needs.setup.outputs.docker-login == 'true' && needs.setup.outputs.publish == 'false' && needs.setup.outputs.pr-publish == 'false' && needs.setup.outputs.ingestion_base_change == 'false' }}
      with:
        username: ${{ secrets.ACRYL_DOCKER_USERNAME }}
        password: ${{ secrets.ACRYL_DOCKER_PASSWORD }}
    - name: Build and push Base-Slim Image
      if: ${{ needs.setup.outputs.ingestion_base_change == 'true' }}
      uses: ./.github/actions/docker-custom-build-and-push
      with:
        images: |
          ${{ env.DATAHUB_INGESTION_BASE_IMAGE }}
        image_tag: ${{ needs.setup.outputs.slim_tag }}
        flavor: slim
        username: ${{ secrets.ACRYL_DOCKER_USERNAME }}
        password: ${{ secrets.ACRYL_DOCKER_PASSWORD }}
        # BASE_IMAGE mirrors the Download step's tag choice above.
        build-args: |
          APP_ENV=slim
          BASE_IMAGE=${{ env.DATAHUB_INGESTION_BASE_IMAGE }}:${{ needs.setup.outputs.ingestion_base_change == 'true' && needs.setup.outputs.unique_tag || 'head' }}
        publish: ${{ needs.setup.outputs.publish == 'true' || needs.setup.outputs.pr-publish == 'true' }}
        context: .
        file: ./docker/datahub-ingestion-base/Dockerfile
        platforms: linux/amd64,linux/arm64/v8
        depot-project: ${{ vars.DEPOT_PROJECT_ID }}
    - name: Compute DataHub Ingestion (Base-Slim) Tag
      id: tag
      run: echo "tag=${{ needs.setup.outputs.ingestion_base_change == 'true' && needs.setup.outputs.unique_slim_tag || 'head-slim' }}" >> "$GITHUB_OUTPUT"
datahub_ingestion_base_full_build:
  # Builds the full flavour of the ingestion base image (APP_ENV=full) on top
  # of the base image produced by datahub_ingestion_base_build.
  name: Build and Push DataHub Ingestion (Base-Full) Docker Image
  runs-on: depot-ubuntu-24.04
  outputs:
    # unique_full_tag when rebuilt in this run, otherwise the literal "head"
    # (see the Compute ... Tag step below).
    tag: ${{ steps.tag.outputs.tag }}
  needs: [setup, smoke_test_lint,datahub_ingestion_base_build]
  if: ${{ needs.setup.outputs.ingestion_change == 'true' || needs.setup.outputs.publish == 'true' || needs.setup.outputs.pr-publish == 'true' }}
  steps:
    - name: Check out the repo
      uses: acryldata/sane-checkout-action@v3
    # The base image is only an artifact (not in a registry) when this run
    # rebuilt it and did not publish it.
    - name: Download Base Image
      uses: ishworkh/container-image-artifact-download@v2.0.0
      if: ${{ needs.setup.outputs.publish != 'true' && needs.setup.outputs.pr-publish != 'true' && needs.setup.outputs.ingestion_base_change == 'true' }}
      with:
        image: ${{ env.DATAHUB_INGESTION_BASE_IMAGE }}:${{ needs.setup.outputs.ingestion_base_change == 'true' && needs.setup.outputs.unique_tag || 'head' }}
    # Login is only needed when the build has to pull the published "head"
    # base from the registry (base unchanged and nothing being published).
    - name: Login to DockerHub
      uses: docker/login-action@v3
      if: ${{ needs.setup.outputs.docker-login == 'true' && needs.setup.outputs.publish == 'false' && needs.setup.outputs.pr-publish == 'false' && needs.setup.outputs.ingestion_base_change == 'false' }}
      with:
        username: ${{ secrets.ACRYL_DOCKER_USERNAME }}
        password: ${{ secrets.ACRYL_DOCKER_PASSWORD }}
    # NOTE(review): unlike the Base and Base-Slim builds, this step passes no
    # depot-project input; confirm whether that is intentional.
    - name: Build and push (Base-Full) Image
      if: ${{ needs.setup.outputs.ingestion_base_change == 'true' }}
      uses: ./.github/actions/docker-custom-build-and-push
      with:
        images: |
          ${{ env.DATAHUB_INGESTION_BASE_IMAGE }}
        image_tag: ${{ needs.setup.outputs.full_tag }}
        username: ${{ secrets.ACRYL_DOCKER_USERNAME }}
        password: ${{ secrets.ACRYL_DOCKER_PASSWORD }}
        # BASE_IMAGE mirrors the Download step's tag choice above.
        build-args: |
          APP_ENV=full
          BASE_IMAGE=${{ env.DATAHUB_INGESTION_BASE_IMAGE }}:${{ needs.setup.outputs.ingestion_base_change == 'true' && needs.setup.outputs.unique_tag || 'head' }}
        publish: ${{ needs.setup.outputs.publish == 'true' || needs.setup.outputs.pr-publish == 'true' }}
        context: .
        file: ./docker/datahub-ingestion-base/Dockerfile
        platforms: linux/amd64,linux/arm64/v8
    - name: Compute DataHub Ingestion (Base-Full) Tag
      id: tag
      run: echo "tag=${{ needs.setup.outputs.ingestion_base_change == 'true' && needs.setup.outputs.unique_full_tag || 'head' }}" >> "$GITHUB_OUTPUT"
datahub_ingestion_slim_build:
  # Builds the slim datahub-ingestion image (APP_ENV=slim) after running the
  # Python codegen it depends on.
  name: Build and Push DataHub Ingestion Docker Images
  runs-on: depot-ubuntu-24.04
  outputs:
    # unique_slim_tag when rebuilt in this run, otherwise "head-slim".
    tag: ${{ steps.tag.outputs.tag }}
    # True when the scan job must fetch the image as an artifact because it
    # was built here but not pushed to a registry.
    needs_artifact_download: ${{ needs.setup.outputs.ingestion_change == 'true' && ( needs.setup.outputs.publish != 'true' && needs.setup.outputs.pr-publish != 'true') }}
  needs: [setup, smoke_test_lint]
  if: ${{ needs.setup.outputs.ingestion_change == 'true' || needs.setup.outputs.publish == 'true' || needs.setup.outputs.pr-publish == 'true' }}
  steps:
    - name: Check out the repo
      uses: acryldata/sane-checkout-action@v3
    - uses: actions/setup-python@v5
      with:
        python-version: "3.10"
        cache: "pip"
    - name: Set up JDK 17
      uses: actions/setup-java@v4
      with:
        distribution: "zulu"
        java-version: 17
    # The step-level condition repeats the job-level one and is therefore
    # always true here.
    - name: Build codegen
      if: ${{ needs.setup.outputs.ingestion_change == 'true' || needs.setup.outputs.publish == 'true' || needs.setup.outputs.pr-publish =='true' }}
      run: ./gradlew :metadata-ingestion:codegen
    - name: Login to DockerHub
      uses: docker/login-action@v3
      if: ${{ needs.setup.outputs.docker-login == 'true' && needs.setup.outputs.publish == 'false' && needs.setup.outputs.pr-publish == 'false' && needs.setup.outputs.ingestion_base_change == 'false' }}
      with:
        username: ${{ secrets.ACRYL_DOCKER_USERNAME }}
        password: ${{ secrets.ACRYL_DOCKER_PASSWORD }}
    - name: Build and push Slim Image
      if: ${{ needs.setup.outputs.ingestion_change == 'true' || needs.setup.outputs.publish == 'true' || needs.setup.outputs.pr-publish == 'true' }}
      uses: ./.github/actions/docker-custom-build-and-push
      with:
        images: |
          ${{ env.DATAHUB_INGESTION_IMAGE }}
        build-args: |
          RELEASE_VERSION=${{ needs.setup.outputs.python_release_version }}
          APP_ENV=slim
        image_tag: ${{ needs.setup.outputs.slim_tag }}
        flavor: slim
        username: ${{ secrets.ACRYL_DOCKER_USERNAME }}
        password: ${{ secrets.ACRYL_DOCKER_PASSWORD }}
        publish: ${{ needs.setup.outputs.publish == 'true' || needs.setup.outputs.pr-publish == 'true' }}
        context: .
        file: ./docker/datahub-ingestion/Dockerfile
        platforms: linux/amd64,linux/arm64/v8
        # Workaround 2025-01-25 - Depot publishing errors
        # NOTE(review): `cond && '' || X` can never yield '' in a GitHub
        # expression -- the empty string is falsy, so `||` falls through to X
        # on tags/releases as well, and the workaround is effectively a no-op.
        # If skipping Depot on releases is still wanted, a form such as
        # `!cond && vars.DEPOT_PROJECT_ID || ''` would express it (not tested
        # here); the Full build below uses the same expression.
        depot-project: ${{ (startsWith(github.ref, 'refs/tags/') || github.event_name == 'release') && '' || vars.DEPOT_PROJECT_ID }}
    - name: Compute Tag
      id: tag
      run: echo "tag=${{ needs.setup.outputs.ingestion_change == 'true' && needs.setup.outputs.unique_slim_tag || 'head-slim' }}" >> "$GITHUB_OUTPUT"
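datahub_ingestion_slim_scan:
  # Monitoring-only vulnerability scan of the slim ingestion image built by
  # datahub_ingestion_slim_build. Findings are uploaded to the Security tab
  # as SARIF; no exit-code is configured, so the job never fails on findings.
  permissions:
    contents: read # for actions/checkout to fetch code
    security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
    actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
  name: "[Monitoring] Scan Datahub Ingestion Slim images for vulnerabilities"
  runs-on: depot-ubuntu-24.04
  needs: [setup, smoke_test_lint,datahub_ingestion_slim_build]
  # Condition now matches the slim build job and the full-image scan: images
  # pushed by a pr-publish run are scanned too, instead of only publish runs.
  if: ${{ needs.setup.outputs.ingestion_change == 'true' || needs.setup.outputs.publish == 'true' || needs.setup.outputs.pr-publish == 'true' }}
  steps:
    - name: Checkout # adding checkout step just to make trivy upload happy
      uses: acryldata/sane-checkout-action@v3
    # Only needed when the image exists solely as a workflow artifact; a
    # pushed image is pulled from the registry by Trivy itself.
    - name: Download image Slim Image
      uses: ishworkh/container-image-artifact-download@v2.0.0
      if: ${{ needs.datahub_ingestion_slim_build.outputs.needs_artifact_download == 'true' }}
      with:
        image: ${{ env.DATAHUB_INGESTION_IMAGE }}:${{ needs.datahub_ingestion_slim_build.outputs.tag }}
    - name: Run Trivy vulnerability scanner Slim Image
      uses: aquasecurity/trivy-action@0.29.0
      env:
        TRIVY_OFFLINE_SCAN: true
        TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
        TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1
      with:
        image-ref: ${{ env.DATAHUB_INGESTION_IMAGE }}:${{ needs.datahub_ingestion_slim_build.outputs.tag }}
        format: "template"
        template: "@/contrib/sarif.tpl"
        output: "trivy-results.sarif"
        severity: "CRITICAL,HIGH"
        ignore-unfixed: true # only report findings that already have a fix
        vuln-type: "os,library"
        timeout: 15m
    - name: Upload Trivy scan results to GitHub Security tab
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: "trivy-results.sarif"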
datahub_ingestion_full_build:
  # Builds the full datahub-ingestion image after running the Python codegen
  # it depends on.
  name: Build and Push DataHub Ingestion (Full) Docker Images
  runs-on: depot-ubuntu-24.04
  outputs:
    # unique_tag when rebuilt in this run, otherwise "head".
    tag: ${{ steps.tag.outputs.tag }}
    # True when the scan job must fetch the image as an artifact because it
    # was built here but not pushed to a registry.
    needs_artifact_download: ${{ needs.setup.outputs.ingestion_change == 'true' && ( needs.setup.outputs.publish != 'true' && needs.setup.outputs.pr-publish != 'true' ) }}
  needs: [setup, smoke_test_lint]
  if: ${{ needs.setup.outputs.ingestion_change == 'true' || needs.setup.outputs.publish == 'true' || needs.setup.outputs.pr-publish == 'true' }}
  steps:
    - name: Check out the repo
      uses: acryldata/sane-checkout-action@v3
    - uses: actions/setup-python@v5
      with:
        python-version: "3.10"
        cache: "pip"
    - name: Set up JDK 17
      uses: actions/setup-java@v4
      with:
        distribution: "zulu"
        java-version: 17
    #- uses: gradle/actions/setup-gradle@v4
    # The step-level condition repeats the job-level one and is therefore
    # always true here.
    - name: Build codegen
      if: ${{ needs.setup.outputs.ingestion_change == 'true' || needs.setup.outputs.publish == 'true' || needs.setup.outputs.pr-publish == 'true' }}
      run: ./gradlew :metadata-ingestion:codegen
    - name: Login to DockerHub
      uses: docker/login-action@v3
      if: ${{ needs.setup.outputs.docker-login == 'true' && needs.setup.outputs.publish == 'false' && needs.setup.outputs.pr-publish == 'false' && needs.setup.outputs.ingestion_base_change == 'false' }}
      with:
        username: ${{ secrets.ACRYL_DOCKER_USERNAME }}
        password: ${{ secrets.ACRYL_DOCKER_PASSWORD }}
    - name: Build and push Full Image
      if: ${{ needs.setup.outputs.ingestion_change == 'true' || needs.setup.outputs.publish == 'true' || needs.setup.outputs.pr-publish == 'true' }}
      uses: ./.github/actions/docker-custom-build-and-push
      with:
        images: |
          ${{ env.DATAHUB_INGESTION_IMAGE }}
        build-args: |
          RELEASE_VERSION=${{ needs.setup.outputs.python_release_version }}
        image_tag: ${{ needs.setup.outputs.tag }}
        username: ${{ secrets.ACRYL_DOCKER_USERNAME }}
        password: ${{ secrets.ACRYL_DOCKER_PASSWORD }}
        publish: ${{ needs.setup.outputs.publish == 'true' || needs.setup.outputs.pr-publish == 'true' }}
        context: .
        file: ./docker/datahub-ingestion/Dockerfile
        platforms: linux/amd64,linux/arm64/v8
        # Workaround 2025-01-25 - Depot publishing errors
        # NOTE(review): `cond && '' || X` can never yield '' in a GitHub
        # expression -- the empty string is falsy, so `||` falls through to X
        # on tags/releases as well, and the workaround is effectively a no-op.
        # If skipping Depot on releases is still wanted, a form such as
        # `!cond && vars.DEPOT_PROJECT_ID || ''` would express it (not tested
        # here); the Slim build above uses the same expression.
        depot-project: ${{ (startsWith(github.ref, 'refs/tags/') || github.event_name == 'release') && '' || vars.DEPOT_PROJECT_ID }}
    - name: Compute Tag (Full)
      id: tag
      run: echo "tag=${{ needs.setup.outputs.ingestion_change == 'true' && needs.setup.outputs.unique_tag || 'head' }}" >> "$GITHUB_OUTPUT"
datahub_ingestion_full_scan:
  # Monitoring-only vulnerability scan of the full ingestion image built by
  # datahub_ingestion_full_build. Findings are uploaded to the Security tab
  # as SARIF; no exit-code is configured, so the job never fails on findings.
  name: "[Monitoring] Scan Datahub Ingestion images for vulnerabilities"
  runs-on: depot-ubuntu-24.04
  needs:
    - setup
    - smoke_test_lint
    - datahub_ingestion_full_build
  if: ${{ needs.setup.outputs.ingestion_change == 'true' || needs.setup.outputs.publish == 'true' || needs.setup.outputs.pr-publish == 'true' }}
  permissions:
    contents: read  # actions/checkout needs to fetch code
    security-events: write  # github/codeql-action/upload-sarif writes the SARIF results
    actions: read  # only needed on a private repository, for upload-sarif to read the run status
  steps:
    # upload-sarif expects a checked-out repository to attach the results to.
    - name: Checkout
      uses: acryldata/sane-checkout-action@v3
    # Only needed when the image exists solely as a workflow artifact; a
    # pushed image is pulled from the registry by Trivy itself.
    - name: Download image Full Image
      if: ${{ needs.datahub_ingestion_full_build.outputs.needs_artifact_download == 'true' }}
      uses: ishworkh/container-image-artifact-download@v2.0.0
      with:
        image: '${{ env.DATAHUB_INGESTION_IMAGE }}:${{ needs.datahub_ingestion_full_build.outputs.tag }}'
    # NOTE(review): the third-party actions in this job are referenced by
    # mutable tags; pinning them to a commit SHA would harden the supply chain.
    - name: Run Trivy vulnerability scanner Full Image
      uses: aquasecurity/trivy-action@0.29.0
      env:
        TRIVY_OFFLINE_SCAN: true
        # Two sources are listed for each vulnerability database.
        TRIVY_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2'
        TRIVY_JAVA_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1'
      with:
        image-ref: '${{ env.DATAHUB_INGESTION_IMAGE }}:${{ needs.datahub_ingestion_full_build.outputs.tag }}'
        format: template
        template: '@/contrib/sarif.tpl'
        output: trivy-results.sarif
        severity: 'CRITICAL,HIGH'
        ignore-unfixed: true  # only report findings that already have a fix
        vuln-type: 'os,library'
        timeout: 15m
    - name: Upload Trivy scan results to GitHub Security tab
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: trivy-results.sarif
smoke_test_matrix:
  # Computes the smoke-test job matrix: which test strategies run (pytests,
  # cypress, or both) and how many parallel batches each is split into.
  runs-on: depot-ubuntu-24.04-small
  needs: setup
  outputs:
    # JSON object of the form {"include":[...]}; the include list may be
    # empty when no strategy applies to this change.
    matrix: ${{ steps.set-matrix.outputs.matrix }}
    cypress_batch_count: ${{ steps.set-batch-count.outputs.cypress_batch_count }}
    python_batch_count: ${{ steps.set-batch-count.outputs.python_batch_count }}
  steps:
    - id: set-batch-count
      # Tests are split simply to ensure the configured number of batches for parallelization. This may need some
      # increase as new tests are added and the longer duration makes an additional parallel batch worthwhile.
      # python_batch_count is used to split pytests in the smoke-test (batches of actual test functions)
      # cypress_batch_count is used to split the collection of cypress test specs into batches.
      run: |
        echo "cypress_batch_count=11" >> "$GITHUB_OUTPUT"
        echo "python_batch_count=6" >> "$GITHUB_OUTPUT"

    - id: set-matrix
      # For m batches for python and n batches for cypress, we need a test matrix of python x m + cypress x n.
      # While the github action matrix generation can handle these two parts individually, there isn't a way to use the
      # two generated matrices for the same job. So, produce that matrix with scripting and use the include directive
      # to add it to the test matrix.
      #
      # Strategy selection: backend / smoke-test changes or a publish run get
      # both strategies; frontend-only gets cypress; ingestion-only gets
      # pytests; anything else yields an empty include list. Note that the
      # emitted value is always a JSON object, never the bare string "[]".
      run: |
        python_batch_count=${{ steps.set-batch-count.outputs.python_batch_count }}
        python_matrix=$(printf "{\"test_strategy\":\"pytests\",\"batch\":\"0\",\"batch_count\":\"$python_batch_count\"}"; for ((i=1;i<python_batch_count;i++)); do printf ",{\"test_strategy\":\"pytests\", \"batch_count\":\"$python_batch_count\",\"batch\":\"%d\"}" $i; done)

        cypress_batch_count=${{ steps.set-batch-count.outputs.cypress_batch_count }}
        cypress_matrix=$(printf "{\"test_strategy\":\"cypress\",\"batch\":\"0\",\"batch_count\":\"$cypress_batch_count\"}"; for ((i=1;i<cypress_batch_count;i++)); do printf ",{\"test_strategy\":\"cypress\", \"batch_count\":\"$cypress_batch_count\",\"batch\":\"%d\"}" $i; done)

        includes=''
        if [[ "${{ needs.setup.outputs.backend_change }}" == 'true' || "${{ needs.setup.outputs.smoke_test_change }}" == 'true' || "${{ needs.setup.outputs.publish }}" == 'true' ]]; then
          includes="$python_matrix,$cypress_matrix"
        elif [[ "${{ needs.setup.outputs.frontend_only }}" == 'true' ]]; then
          includes="$cypress_matrix"
        elif [[ "${{ needs.setup.outputs.ingestion_only }}" == 'true' ]]; then
          includes="$python_matrix"
        fi
        echo "matrix={\"include\":[$includes] }" >> "$GITHUB_OUTPUT"
smoke_test:
  # Brings up a quickstart deployment from the images built in this run and
  # executes one batch of the smoke tests (pytests or cypress) per matrix entry.
  name: Run Smoke Tests
  runs-on: depot-ubuntu-24.04-4
  needs:
    [
      setup,
      smoke_test_matrix,
      base_build,
      #datahub_ingestion_slim_build,
    ]
  strategy:
    fail-fast: false
    matrix: ${{ fromJson(needs.smoke_test_matrix.outputs.matrix) }}
  # NOTE(review): smoke_test_matrix emits {"include":[...] }, so the
  # comparison with the bare string '[]' can never be true and does not
  # prevent a run with an empty include list; confirm how GitHub handles that
  # case, or compare against the actual emitted shape.
  if: ${{ always() && !failure() && !cancelled() && needs.smoke_test_matrix.outputs.matrix != '[]' }}
  steps:
    # Disabled: not needed on depot runners.
    - name: Free up disk space
      if: false # dont need this on depot
      run: |
        sudo apt-get remove 'dotnet-*' azure-cli || true
        sudo rm -rf /usr/local/lib/android/ || true
        sudo docker image prune -a -f || true

    - uses: actions/cache@v4
      with:
        path: |
          ~/.cache/uv
        key: ${{ runner.os }}-uv-${{ hashFiles('**/requirements.txt') }}

    - uses: actions/cache@v4
      with:
        path: |
          ~/.npm
          ~/.cache/Cypress
          ~/.cache/yarn
        key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}

    - name: Check out the repo
      uses: acryldata/sane-checkout-action@v3

    - name: Set up Depot CLI
      if: ${{ env.DOCKER_CACHE == 'DEPOT' }}
      uses: depot/setup-action@v1

    # NOTE(review): env.DOCKER_PROJECT_ID is not defined anywhere in this
    # workflow -- the workflow-level env defines DEPOT_PROJECT_ID. An undefined
    # value compares equal to '' here, so this step appears never to run;
    # confirm which name was intended before relying on Depot for the
    # image builds below.
    - name: configure-docker
      if: ${{ env.DOCKER_CACHE == 'DEPOT' && env.DOCKER_PROJECT_ID != '' }}
      run: |
        depot configure-docker

    # Build context saved by an earlier job, keyed on the commit SHA.
    - uses: actions/cache/restore@v4
      with:
        path: ${{ github.workspace }}/build/dockerBuildContext/
        key: ${{ runner.os }}-docker-${{ github.sha }}

    - uses: actions/setup-python@v5
      with:
        python-version: "3.10"
        cache: "pip"

    #- uses: gradle/actions/setup-gradle@v4

    # - name: Login to DockerHub
    #   uses: docker/login-action@v3
    #   if: ${{ needs.setup.outputs.docker-login == 'true' }}
    #   with:
    #     username: ${{ secrets.ACRYL_DOCKER_USERNAME }}
    #     password: ${{ secrets.ACRYL_DOCKER_PASSWORD }}

    # The gradle image build and the dependency pulls run concurrently;
    # `wait` joins them before listing what is available.
    - name: build images
      run: |
        ./gradlew :docker:buildImagesFromCacheQuickstartDebugConsumers -PreleaseVersion=${{ needs.setup.outputs.unique_tag }} &
        docker pull confluentinc/cp-kafka:7.4.0 &
        docker pull mysql:8.2 &
        docker pull opensearchproject/opensearch:2.9.0 &
        docker pull ${{ env.DATAHUB_INGESTION_IMAGE }}:head &

        wait
        docker images

    - name: run quickstart
      env:
        DATAHUB_TELEMETRY_ENABLED: false
        DATAHUB_VERSION: ${{ needs.setup.outputs.unique_tag }}
        DATAHUB_ACTIONS_IMAGE: ${{ env.DATAHUB_INGESTION_IMAGE }}
        # NOTE(review): datahub_ingestion_slim_build is commented out of this
        # job's needs, so its outputs are empty and the fallback 'head-slim'
        # is always used -- the actions container therefore runs the
        # published image, not the one built in this run.
        ACTIONS_VERSION: ${{ needs.datahub_ingestion_slim_build.outputs.tag || 'head-slim' }}
        ACTIONS_EXTRA_PACKAGES: "acryl-datahub-actions[executor] acryl-datahub-actions"
        # NOTE(review): fetched at run time from the `main` branch of another
        # repository, so the test configuration is neither pinned nor
        # reproducible; a tagged ref or a vendored copy would be safer.
        ACTIONS_CONFIG: "https://raw.githubusercontent.com/acryldata/datahub-actions/main/docker/config/executor.yaml"
      run: |
        ./smoke-test/run-quickstart.sh

    - name: Disk Check
      run: df -h . && docker images

    # Test-only tweak of the local search cluster so low disk on the runner
    # does not block shard allocation.
    - name: Disable ES Disk Threshold
      run: |
        curl -XPUT "http://localhost:9200/_cluster/settings" \
          -H 'Content-Type: application/json' -d'{
            "persistent": {
              "cluster": {
                "routing": {
                  "allocation.disk.threshold_enabled": false
                }
              }
            }
          }'

    - name: Install dependencies
      run: ./metadata-ingestion/scripts/install_deps.sh

    - name: Build datahub cli
      run: |
        ./gradlew :metadata-ingestion:install

    # RUN_QUICKSTART is false because the stack was started above; the batch
    # variables select this matrix entry's slice of the tests.
    - name: Smoke test
      env:
        RUN_QUICKSTART: false
        DATAHUB_VERSION: ${{ needs.setup.outputs.unique_tag }}
        CYPRESS_RECORD_KEY: ${{ secrets.CYPRESS_RECORD_KEY }}
        CLEANUP_DATA: "false"
        TEST_STRATEGY: ${{ matrix.test_strategy }}
        BATCH_COUNT: ${{ matrix.batch_count }}
        BATCH_NUMBER: ${{ matrix.batch }}
      run: |
        echo "$DATAHUB_VERSION"
        ./gradlew --stop
        ./smoke-test/smoke.sh

    - name: Disk Check
      run: df -h . && docker images

    # Failure diagnostics: container logs are collected by the sourced script
    # and uploaded below, together with cypress screenshots.
    - name: store logs
      if: failure()
      run: |
        docker ps -a
        TEST_STRATEGY="-${{ matrix.test_strategy }}-${{ matrix.batch }}"
        source .github/scripts/docker_logs.sh
    - name: Upload logs
      uses: actions/upload-artifact@v4
      if: failure()
      with:
        name: docker-logs-${{ matrix.test_strategy }}-${{ matrix.batch }}
        path: "docker_logs/*.log"
        retention-days: 5
    - name: Upload screenshots
      uses: actions/upload-artifact@v4
      if: failure()
      with:
        name: cypress-snapshots-${{ matrix.test_strategy }}-${{ matrix.batch }}
        path: smoke-test/tests/cypress/cypress/screenshots/
    # Test reports are uploaded for every outcome.
    - uses: actions/upload-artifact@v4
      if: always()
      with:
        name: Test Results (smoke tests) ${{ matrix.test_strategy }} ${{ matrix.batch }}
        path: |
          **/build/reports/tests/test/**
          **/build/test-results/test/**
          **/junit.*.xml
          !**/binary/**
    - name: Upload test results to Codecov
      if: ${{ !cancelled() }}
      uses: codecov/test-results-action@v1
      with:
        token: ${{ secrets.CODECOV_TOKEN }}
deploy_datahub_head:
  # Notifies the HEAD environment's sync queue that a new commit of the
  # upstream repository passed the smoke tests.
  name: Deploy to Datahub HEAD
  runs-on: ubuntu-latest
  needs: [setup, smoke_test_lint,smoke_test]
  steps:
    # NOTE(review): `publish != 'false'` is also true when the setup output is
    # empty, unlike the `== 'true'` checks used elsewhere in this workflow;
    # confirm that setup always sets publish explicitly. The remaining
    # conditions restrict the deploy to the upstream repository.
    # NOTE(review): long-lived access keys are used although the workflow
    # grants id-token: write; an OIDC role-to-assume would avoid storing keys.
    - uses: aws-actions/configure-aws-credentials@v4
      if: ${{ needs.setup.outputs.publish != 'false' && github.repository_owner == 'datahub-project' && needs.setup.outputs.repository_name == 'datahub' }}
      with:
        aws-access-key-id: ${{ secrets.AWS_SQS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SQS_ACCESS_KEY }}
        aws-region: us-west-2
    # The message is assembled by string interpolation of setup outputs; it is
    # only well-formed JSON as long as none of those values contains a double
    # quote (branch names are the most likely to vary).
    - uses: isbang/sqs-action@v0.2.0
      if: ${{ needs.setup.outputs.publish != 'false' && github.repository_owner == 'datahub-project' && needs.setup.outputs.repository_name == 'datahub' }}
      with:
        sqs-url: ${{ secrets.DATAHUB_HEAD_SYNC_QUEUE }}
        message: '{ "command": "git-sync", "args" : {"repoName": "${{ needs.setup.outputs.repository_name }}", "repoOrg": "${{ github.repository_owner }}", "repoBranch": "${{ needs.setup.outputs.branch_name }}", "repoShaShort": "${{ needs.setup.outputs.short_sha }}" }}'