Skip to content

[CORE-69]: Bump com.nimbusds:nimbus-jose-jwt from 9.48 to 10.0.1 #1302

[CORE-69]: Bump com.nimbusds:nimbus-jose-jwt from 9.48 to 10.0.1

[CORE-69]: Bump com.nimbusds:nimbus-jose-jwt from 9.48 to 10.0.1 #1302

name: Verify consumer pacts
# The purpose of this workflow is to verify ANY consumer contract(s) dependent on BPM provider using Pact framework.
#
# This workflow is triggered when
#
# 1. Consumer makes a change that results in a new pact published to Pact Broker (will verify ONLY the changed pact and publish the verification results back to the broker)
# 2. Provider makes a change (runs verification tests against ALL DEPLOYED consumer pact versions and publishes corresponding verification results)
#
#
# The workflow requires Pact broker credentials
# - PACT_BROKER_USERNAME - the Pact Broker username
# - PACT_BROKER_PASSWORD - the Pact Broker password
on:
pull_request:
branches: [ main ]
paths-ignore: [ '**.md' ]
push:
branches: [ main ]
paths-ignore: [ '**.md' ]
merge_group:
branches: [ main ]
paths-ignore: [ '**.md' ]
workflow_dispatch:
inputs:
pb-event-type:
description: 'the Pact Broker event type that triggers this workflow'
required: true
type: string
consumer-name:
description: 'the consumer name'
required: true
type: string
provider-version-number:
description: 'the provider version number for the verification result'
required: true
type: string
consumer-version-branch:
description: 'the name of the branch for most recent consumer version associated with the pact content'
required: true
type: string
# Optional / Deprecated Inputs
consumer-labels:
description: 'the list of labels for the consumer associated with the pact content, separated by ", "'
required: false
type: string
provider-labels:
description: 'the list of labels for the provider associated with the pact content, separated by ", "'
required: false
type: string
pact-url:
description: 'Optional. Verify contracts at a specific url. https://docs.pact.io/implementation_guides/javascript/docs/provider'
required: false
type: string
consumer-version-number:
description: 'DEPRECATED'
required: false
type: string
consumer-version-tags:
description: 'DEPRECATED'
required: false
type: string
provider-version-branch:
description: 'DEPRECATED'
required: false
type: string
env:
CAN_I_DEPLOY_RUN_NAME: 'can-i-deploy-${{ github.event.repository.name }}-${{ github.run_id }}-${{ github.run_attempt }}'
RELEASE_BRANCH: 'main'
PACTS_ARTIFACT: bpm-pacts-${{ github.event.repository.name }}-${{ github.run_id }}
PACTS_OUTPUT_DIR: service/build/pacts
jobs:
#################################################
# VERSIONING, BRANCH MANAGEMENT, INIT AND SETUP #
#################################################
bump-check:
runs-on: ubuntu-latest
outputs:
is-bump: ${{ steps.skiptest.outputs.is-bump }}
steps:
- uses: actions/checkout@v3
- name: Skip version bump merges
id: skiptest
uses: ./.github/actions/bump-skip
with:
event-name: ${{ github.event_name }}
init-github-context:
runs-on: ubuntu-latest
needs: [ bump-check ]
if: ${{ needs.bump-check.outputs.is-bump == 'no' }}
outputs:
repo-branch: ${{ steps.extract-branch.outputs.repo-branch }}
verify-provider-side-contracts-only: ${{ steps.set-environment.outputs.verify-provider-side-contracts-only }}
# gha branch - usaully main.
# PR will call pr version of GHA
# workflowdispatch can call branch versions of GHA.
# code checkout branch/gitref for bpm as a consumer
# code checkout branch/gitref for bpm as a provider
steps:
- id: extract-branch
run: |
GITHUB_EVENT_NAME=${{ github.event_name }}
if [[ "$GITHUB_EVENT_NAME" == "push" ]]; then
GITHUB_REF=${{ github.ref }}
GITHUB_SHA=${{ github.sha }}
elif [[ "$GITHUB_EVENT_NAME" == "pull_request" ]]; then
GITHUB_REF=refs/heads/${{ github.head_ref }}
GITHUB_SHA=${{ github.event.pull_request.head.sha }}
elif [[ "$GITHUB_EVENT_NAME" == "merge_group" ]]; then
GITHUB_REF=refs/heads/${{ github.head_ref }} # Merge Queue support
elif [[ "$GITHUB_EVENT_NAME" == "workflow_dispatch" ]]; then
GITHUB_REF=${{ github.ref }} # The Git Ref that this workflow runs on
else
echo "Failed to extract branch information"
exit 1
fi
echo "repo-branch=${GITHUB_REF/refs\/heads\//""}" >> $GITHUB_OUTPUT
echo "repo-version=${GITHUB_SHA}" >> $GITHUB_OUTPUT
- uses: actions/checkout@v4
with:
ref: ${{ steps.extract-branch.outputs.repo-branch }}
- name: set various output settings
id: set-environment
run: |
echo "verify-provider-side-contracts-only=${{ inputs.pb-event-type != '' }}" >> $GITHUB_OUTPUT
- name: Echo repo and branch information
run: |
echo "repo-owner=${{ github.repository_owner }}"
echo "repo-name=${{ github.event.repository.name }}"
echo "repo-branch=${{ steps.extract-branch.outputs.repo-branch }}"
echo "repo-version=${{ steps.extract-branch.outputs.repo-version }}"
# We only need a new version tag when this workflow is triggered by opening, updating a PR or PR merge.
# When triggered by a Pact Broker webhook, the provider version (GIT hash or release tag)
# is already included in the payload, then a new version tag wouldn't be needed.
#
regulated-tag-job:
needs: [ init-github-context ]
if: ${{ needs.bump-check.outputs.is-bump == 'no' }}
uses: ./.github/workflows/tag.yml
with:
# The 'ref' parameter ensures that the provider version is postfixed with the HEAD commit of the PR branch,
# facilitating cross-referencing of a pact between Pact Broker and GitHub.
ref: ${{ needs.init-github-context.outputs.repo-branch || '' }}
# The 'dry-run' parameter prevents the new tag from being dispatched.
dry-run: true
release-branches: main
secrets: inherit
#################################
# CONSUMER CONTRACT PUBLISHING #
#################################
run-consumer-contract-tests:
runs-on: ubuntu-latest
needs: [ bump-check, init-github-context ]
if: ${{ needs.init-github-context.outputs.verify-provider-side-contracts-only == 'false' }}
outputs:
pact-paths: ${{ steps.locate-pacts.outputs.pact-paths }}
steps:
- uses: actions/checkout@v3
- name: Set up JDK
uses: actions/setup-java@v2
with:
java-version: '17'
distribution: 'temurin'
- name: Run consumer tests
run: ./gradlew pactTests
- name: Locate pact files
id: locate-pacts
run: |
pactPaths=$(find "$PACTS_OUTPUT_DIR" -type f -name "*.json" | jq -cnR "[inputs]")
echo "pact-paths=$pactPaths" >> $GITHUB_OUTPUT
- name: Upload pact files to artifact
id: upload-pacts
uses: actions/upload-artifact@v4
with:
name: ${{ env.PACTS_ARTIFACT }}
path: ${{ env.PACTS_OUTPUT_DIR }}
retention-days: 1
publish-contracts:
runs-on: ubuntu-latest
needs: [ bump-check, init-github-context, run-consumer-contract-tests, regulated-tag-job ]
strategy:
matrix:
pact_path: ${{ fromJson(needs.run-consumer-contract-tests.outputs.pact-paths) }}
if: ${{ needs.bump-check.outputs.is-bump == 'no' }}
steps:
- name: Download pact files from artifact
id: download-pacts
uses: actions/download-artifact@v4
with:
name: ${{ env.PACTS_ARTIFACT }}
path: ${{ env.PACTS_OUTPUT_DIR }}
- name: Encode pact as non-breaking base64 string
id: encode-pact
run: |
nonBreakingB64=$(cat "${{ matrix.pact_path }}" | base64 -w 0)
echo "pact-b64=${nonBreakingB64}" >> $GITHUB_OUTPUT
- name: Publish contracts
id: publish-contracts
uses: broadinstitute/dsp-reusable-workflows/.github/actions/run-publish-contracts@main
with:
PACT_B64: ${{ steps.encode-pact.outputs.pact-b64 }}
REPO_OWNER: ${{ github.repository_owner }}
REPO_NAME: ${{ github.event.repository.name }}
REPO_BRANCH: ${{ needs.init-github-context.outputs.repo-branch }}
BROADBOT_TOKEN: ${{ secrets.BROADBOT_TOKEN }}
PACT_BROKER_USERNAME: ${{ secrets.PACT_BROKER_USERNAME }}
PACT_BROKER_PASSWORD: ${{ secrets.PACT_BROKER_PASSWORD }}
RELEASE_TAG: ${{ needs.regulated-tag-job.outputs.new-tag }}
###############################
# PROVIDER VERIFICATION STEPS #
###############################
verify-consumer-pact:
needs: [ bump-check, regulated-tag-job, init-github-context ]
if: ${{ needs.bump-check.outputs.is-bump == 'no' }}
runs-on: ubuntu-latest
permissions:
contents: 'read'
id-token: 'write'
env:
CURRENT_BRANCH: "${{ needs.init-github-context.outputs.repo-branch }}" # This only gets used for non-webhooks calls
outputs:
provider-version: ${{ steps.render-provider-version.outputs.provider-version }}
steps:
# For PR flow, this will checkout current PR code
# For Webhook, this will checkout `main` which will need to be re-checked out later to the correct provider versions.
- name: Checkout current code
uses: actions/checkout@v4
with:
fetch-depth: 0
# Only runs for webhook calls
- name: Capture webhook event payload as envvars
if: ${{ inputs.pb-event-type != '' }}
run: |
# Save webhook event parameters as envvars
echo "CONSUMER_BRANCH=${{ inputs.consumer-version-branch }}" >> $GITHUB_ENV
echo "CONSUMER_NAME=${{ inputs.consumer-name }}" >> $GITHUB_ENV
# Check out the correct version of the provider to test against for webhook flows
echo "git checkout tags/${{ inputs.provider-version-number }}"
git checkout tags/${{ inputs.provider-version-number }}
# Debug Outputs
echo "pb-event-type=${{ inputs.pb-event-type }}"
echo "consumer-name=${{ inputs.consumer-name }}"
# The consumer-version-branch and consumer-version-number identify the most recent
# consumer branch and version associated with the pact content.
echo "consumer-version-branch/consumer-version-number=${{ inputs.consumer-version-branch }}/${{ inputs.consumer-version-number }}"
# The provider-version-number represents the provider version number in the webhook event payload.
# This corresponds to the GitHub release tag recorded by Sherlock for the corresponding
# deployment environment (dev, staging, and prod).
echo "provider-version-branch/provider-version-number=${{ inputs.provider-version-branch }}/${{ inputs.provider-version-number }}"
# The pact-url is included here in case future pact4s client supports it.
echo "pact-url=${{ inputs.pact-url }}"
# if pb-event-type is null, then do this
# basically, PR flow.
- name: Set PROVIDER_VERSION envvar
id: render-provider-version
run: |
# The PROVIDER_VERSION envvar is used to identify the provider version
# for publishing the results of provider verification.
if [[ -z "${{ inputs.pb-event-type }}" ]]; then
PROVIDER_VERSION=${{ needs.regulated-tag-job.outputs.new-tag }}
else
PROVIDER_VERSION=${{ inputs.provider-version-number }}
fi
# set env for future steps
echo "PROVIDER_VERSION=${PROVIDER_VERSION}"
echo "PROVIDER_VERSION=${PROVIDER_VERSION}" >> $GITHUB_ENV
# set output for can-i-deploy
echo "provider-version=${PROVIDER_VERSION}"
echo "provider-version=${PROVIDER_VERSION}" >> $GITHUB_OUTPUT
# Output current branch and other debug info
- name: Current Branch Debug Outputs
run: |
echo "This workflow has been triggered by '${{ github.event_name }}' event."
# Echo the HEAD commit of the provider branch that has been switched to.
echo "git rev-parse HEAD $(git rev-parse HEAD)"
echo "git rev-parse --abbrev-ref HEAD: $(git rev-parse --abbrev-ref HEAD)"
echo "current github ref: ${GITHUB_REF#refs/heads/}"
# Break out this into it's own job as this is the actual run
- name: Set up JDK 17
uses: actions/setup-java@v2
with:
java-version: '17'
distribution: 'temurin'
- name: Gradle cache
uses: actions/cache@v2
with:
path: |
~/.gradle/caches
~/.gradle/wrapper
key: v1-${{ runner.os }}-gradle-${{ github.ref }}-${{ github.sha }}
restore-keys: v1-${{ runner.os }}-gradle-${{ github.ref }}
- name: Verify consumer pacts and publish verification status to Pact Broker
id: verification-test
# The PACT_... envvars are being consumed by build.gradle to configure the
# following System properties (https://docs.pact.io/implementation_guides/jvm/docs/system-properties)
# pact.provider.{branch, version}
# pactbroker.{host, scheme}
# pactbroker.auth.{username, password}
# If no CONSUMER_BRANCH given, will just verify all deployed consumer versions.
env:
PACT_BROKER_URL: pact-broker.dsp-eng-tools.broadinstitute.org
PACT_PROVIDER_VERSION: ${{ env.PROVIDER_VERSION }}
PACT_BROKER_USERNAME: ${{ secrets.PACT_BROKER_USERNAME }}
PACT_BROKER_PASSWORD: ${{ secrets.PACT_BROKER_PASSWORD }}
run: |
# debug outputs
# see readme for info: https://github.com/pact-foundation/pact-jvm/tree/master/provider/junit5
echo "env.CONSUMER_BRANCH=${{ env.CONSUMER_BRANCH }} # This reflects the consumer branch to test against, should only exist on webhook calls."
echo "env.PROVIDER_VERSION=${{ env.PROVIDER_VERSION }} # Pact Version to advertise back to the broker for test results"
echo "env.CONSUMER_NAME=${{ env.CONSUMER_NAME }} # Pact uses this to find the correct consumer to test against"
# actual run
./gradlew --build-cache verifyPacts
################
# CAN-I-DEPLOY #
################
can-i-deploy:
uses: broadinstitute/dsp-reusable-workflows/.github/workflows/can-i-deploy.yaml@main
if: ${{
needs.init-github-context.outputs.verify-provider-side-contracts-only == 'false' &&
needs.bump-check.outputs.is-bump == 'no'
}}
needs: [ verify-consumer-pact, bump-check, init-github-context, publish-contracts, regulated-tag-job ]
secrets:
PACT_BROKER_USERNAME: ${{ secrets.PACT_BROKER_USERNAME }}
PACT_BROKER_PASSWORD: ${{ secrets.PACT_BROKER_PASSWORD }}
with:
pacticipant: "bpm"
version: "${{ needs.verify-consumer-pact.outputs.provider-version }}"