feat: Introduce provisioned roles in ACL #1467
| name: Trigger Private Janus build | |
| on: | |
| # When a PR is merged | |
| push: | |
| branches: ["main"] | |
| # When a PR is raised (for example, dependency updates from Dependabot or Scala Steward) | |
| pull_request: | |
| # When a workflow is manually triggered | |
| workflow_dispatch: | |
| jobs: | |
| # Compile and run tests | |
| build: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| checks: write # Required by dorny/test-reporter | |
| steps: | |
| - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 | |
| - name: Install Scala | |
| uses: guardian/setup-scala@v1 | |
| - name: Install Node | |
| uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 | |
| with: | |
| node-version-file: '.nvmrc' | |
| cache: 'npm' | |
| cache-dependency-path: 'frontend/package-lock.json' | |
| - name: Install Node dependencies | |
| run: npm ci | |
| working-directory: frontend | |
| - name: Check frontend linting | |
| run: npm run lint | |
| working-directory: frontend | |
| - name: Check formatting of frontend files | |
| run: npm run format:check | |
| working-directory: frontend | |
| - name: Build frontend app | |
| run: npm run build | |
| working-directory: frontend | |
| - run: > | |
| sbt | |
| compile | |
| Test/compile | |
| scalafmtCheckAll | |
| scalafmtSbtCheck | |
| test | |
| - name: Test Report for Janus-App | |
| uses: dorny/test-reporter@fe45e9537387dac839af0d33ba56eed8e24189e8 # v2.3.0 | |
| if: (success() || failure()) && !github.event.pull_request.head.repo.fork # run this step even if previous step failed | |
| with: | |
| name: Janus-App Tests | |
| path: logs/test-reports/TEST-*.xml | |
| reporter: java-junit | |
| only-summary: 'false' | |
| fail-on-error: 'true' | |
| # Trigger a workflow in the guardian/janus repository, if and only if: | |
| # - The Scala build is successful | |
| # - We're on the 'main' branch | |
| trigger-workflow: | |
| needs: build | |
| if: ${{ github.ref == 'refs/heads/main' }} | |
| runs-on: ubuntu-latest | |
| outputs: | |
| workflow_run_id: ${{ steps.fetch.outputs.result }} | |
| steps: | |
| - name: record start time | |
| run: echo START_TIME=$(date "+%Y-%m-%dT%H:%M:%S") >> $GITHUB_ENV | |
| - name: Exchange GitHub App for GitHub Token | |
| uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2.2.0 | |
| id: app-token | |
| with: | |
| # These values are for the GitHub App guardian-janus-ci | |
| # See https://github.com/organizations/guardian/settings/apps/guardian-janus-ci (only accessible by GitHub owners) | |
| app-id: ${{ secrets.GH_APP_ID }} | |
| private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} | |
| owner: guardian | |
| repositories: janus | |
| - name: Trigger workflow | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| with: | |
| github-token: ${{ steps.app-token.outputs.token }} # A GitHub app token generated by a previous step | |
| script: | | |
| await github.rest.actions.createWorkflowDispatch({ | |
| owner: 'guardian', | |
| repo: 'janus', | |
| workflow_id: 'build.yml', | |
| ref: 'main' | |
| }) | |
| - name: fetch workflow id | |
| id: fetch | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| env: | |
| MAX_RETRIES: 3 | |
| BASE_DELAY_MS: 5000 | |
| with: | |
| github-token: ${{ steps.app-token.outputs.token }} # A GitHub app token generated by a previous step | |
| result-encoding: string | |
| script: | | |
| const maxRetries = parseInt(process.env.MAX_RETRIES, 10); | |
| const baseDelayMs = parseInt(process.env.BASE_DELAY_MS, 10); | |
| const delay = ms => new Promise(resolve => setTimeout(resolve, ms)); | |
| async function fetchWorkflowId() { | |
| let lastError; | |
| for (let attempt = 1; attempt <= maxRetries; attempt++) { | |
| try { | |
| console.log(`Attempt ${attempt}/${maxRetries}`); | |
| const result = await github.rest.actions.listWorkflowRuns({ | |
| owner: 'guardian', | |
| repo: 'janus', | |
| workflow_id: 'build.yml', | |
| event: 'workflow_dispatch', | |
| created: '>=${{ env.START_TIME }}' | |
| }); | |
| console.log(result); | |
| if (!result.data.workflow_runs || result.data.workflow_runs.length === 0) { | |
| throw new Error('No janus build workflow run found yet.'); | |
| } | |
| return result.data.workflow_runs[0].id; | |
| } catch (error) { | |
| console.error(`Attempt ${attempt} failed:`, error.message); | |
| lastError = error; | |
| if (attempt < maxRetries) { | |
| const waitTime = baseDelayMs * Math.pow(2, attempt - 1); // Exponential backoff | |
| console.log(`Waiting ${waitTime}ms before next attempt...`); | |
| await delay(waitTime); | |
| } | |
| } | |
| } | |
| throw new Error(`All ${maxRetries} attempts failed. Last error: ${lastError.message}`); | |
| } | |
| return await fetchWorkflowId(); | |
| # wait 6 minutes for job to run | |
| # This is the observed upper limit for builds that invalidate the sbt cache | |
| - run: sleep 360 | |
| # Reflect the build status from the workflow in the guardian/janus repository here | |
| check-status: | |
| runs-on: ubuntu-latest | |
| needs: trigger-workflow | |
| if: ${{ github.ref == 'refs/heads/main' }} | |
| steps: | |
| - name: Exchange GitHub App for GitHub Token | |
| uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2.2.0 | |
| id: app-token | |
| with: | |
| # These values are for the GitHub App guardian-janus-ci | |
| # See https://github.com/organizations/guardian/settings/apps/guardian-janus-ci (only accessible by GitHub owners) | |
| app-id: ${{ secrets.GH_APP_ID }} | |
| private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} | |
| owner: guardian | |
| repositories: janus | |
| - name: fetch status | |
| id: status | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| with: | |
| github-token: ${{ steps.app-token.outputs.token }} # A GitHub app token generated by a previous step | |
| result-encoding: string | |
| script: | | |
| const result = await github.rest.actions.getWorkflowRun({ | |
| owner: 'guardian', | |
| repo: 'janus', | |
| run_id: '${{ needs.trigger-workflow.outputs.workflow_run_id }}' | |
| }); | |
| console.log(result); | |
| return result["data"]["conclusion"]; | |
| - name: Verify job completed successfully | |
| if: ${{ steps.status.outputs.result != 'success' }} | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| with: | |
| script: core.setFailed('Task started by trigger-workflow did not conclude successfully') |
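Review bot: The `fetch status` step reads `conclusion` once after the fixed `sleep 360`, but `getWorkflowRun` returns `conclusion: null` while a run is still `in_progress`, so a janus build that merely takes longer than six minutes is reported by the `Verify job completed successfully` step as a failure rather than as not-yet-finished; poll on `status === 'completed'` (reusing the retry shape of the `fetch workflow id` step) and only then read `conclusion`. The same step also splices `${{ needs.trigger-workflow.outputs.workflow_run_id }}` straight into the script body (and quotes it, so `run_id` is passed as a string), as `created:` does with `${{ env.START_TIME }}` in the earlier step; both values originate in this workflow rather than in a pull request, but passing them through `env` and reading `process.env`, as `MAX_RETRIES` already is, avoids the expression-in-script pattern. In `fetch workflow id`, `workflow_runs[0].id` is simply the newest dispatch created at or after `START_TIME`, which could belong to a different push to `main` if two land within the retry window — probably acceptable here, but worth a comment such as `# Assumes at most one dispatch of build.yml per ~15s window; concurrent pushes to main may be attributed to the wrong run`. The poll count and delay in the sketch below are illustrative placeholders.
```yaml
      - name: fetch status
        id: status
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          RUN_ID: ${{ needs.trigger-workflow.outputs.workflow_run_id }}
          MAX_POLLS: 10        # placeholder: tune to the observed build time
          POLL_DELAY_MS: 30000 # placeholder
        with:
          github-token: ${{ steps.app-token.outputs.token }} # A GitHub app token generated by a previous step
          result-encoding: string
          script: |
            const runId = Number(process.env.RUN_ID);
            const maxPolls = parseInt(process.env.MAX_POLLS, 10);
            const pollDelayMs = parseInt(process.env.POLL_DELAY_MS, 10);
            const delay = ms => new Promise(resolve => setTimeout(resolve, ms));
            for (let poll = 1; poll <= maxPolls; poll++) {
              const { data } = await github.rest.actions.getWorkflowRun({
                owner: 'guardian',
                repo: 'janus',
                run_id: runId
              });
              console.log(`Poll ${poll}/${maxPolls}: status=${data.status} conclusion=${data.conclusion}`);
              // conclusion is only meaningful once the run has finished
              if (data.status === 'completed') {
                return data.conclusion;
              }
              await delay(pollDelayMs);
            }
            // Any value other than 'success' fails the verify step below
            return 'timed_out';
      # … unchanged: Verify job completed successfully step …
```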