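---
# GitHub Actions workflow: `build-and-test` runs on every push, pull request
# and manual dispatch; `deploy` re-builds from a trusted branch and publishes
# the scraped site via `sbt scrapeUpload` using short-lived AWS credentials
# obtained through OIDC (no long-lived AWS secrets are stored in the repo).
name: build-and-test

on:  # yamllint disable-line rule:truthy
  push:
  pull_request:
  workflow_dispatch:

# Workflow-wide default token scope. Both jobs below declare their own
# `permissions` block (which fully replaces this default), so current
# behaviour is unchanged; the default only guarantees that a job added later
# without a `permissions` block gets a read-only GITHUB_TOKEN instead of the
# repository-level default.
permissions:
  contents: read

jobs:
  build-and-test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # All third-party actions are pinned to a full commit SHA; the trailing
      # comment records the tag the SHA was taken from for readability.
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          lfs: true
      - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
        with:
          distribution: 'liberica'
          java-version: '25.0'
          java-package: jdk+fx
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          node-version: '18'
          cache: 'npm'
          cache-dependency-path: package-lock.json
      - uses: sbt/setup-sbt@2e222825582620cc38d2a54e674f3c01b7c14f5d # v1
      - name: Git Init
        run: git submodule update --init --recursive
      - name: Build and Test
        run: |
          sbt -v update compile
          sbt -v coffeelint test

  # The deploy job builds from source instead of reusing artifacts from build-and-test.
  # This prevents cache-poisoning attacks: a malicious PR could write arbitrary data
  # into the shared cache, which deploy would then push to S3/CloudFront.
  # Building from the trusted branch ref is slower but eliminates that vector.
  deploy:
    runs-on: ubuntu-latest
    needs: build-and-test
    permissions:
      # `id-token: write` is what lets configure-aws-credentials request an
      # OIDC token to assume AWS_ROLE_TO_ASSUME; nothing else is granted.
      id-token: write
      contents: read
    # Only long-lived branches deploy. On `pull_request` events github.ref is
    # the PR merge ref, so this condition never matches a PR run.
    if: ${{ github.ref == 'refs/heads/scrape-test' || github.ref == 'refs/heads/modelingcommons' || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/production' }}
    environment: Deployments
    env:
      AWS_REGION: 'us-east-1'
      AWS_ROLE_TO_ASSUME: 'arn:aws:iam::922513866616:role/Galapagos-AWS-Deploy'
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          lfs: true
          fetch-depth: 0
      - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
        with:
          distribution: 'liberica'
          java-version: '25.0'
          java-package: jdk+fx
      # NOTE(review): `cache: 'npm'` still restores node_modules inputs from the
      # Actions cache in this job. GitHub scopes cache reads so a run on a branch
      # only sees entries written on that branch or its base, which limits the
      # poisoning vector described above, but it is not "build everything from
      # source" in the strict sense — confirm this matches the intended threat
      # model, or drop `cache`/`cache-dependency-path` here.
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          node-version: '18'
          cache: 'npm'
          cache-dependency-path: package-lock.json
      - uses: sbt/setup-sbt@2e222825582620cc38d2a54e674f3c01b7c14f5d # v1
      - name: Git Init
        run: git submodule update --init --recursive
      - name: Build
        run: sbt -v update compile
      - name: Configure AWS Credentials
        id: creds
        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4
        with:
          aws-region: ${{ env.AWS_REGION }}
          role-to-assume: ${{ env.AWS_ROLE_TO_ASSUME }}
          role-session-name: 'GitHub-Actions-Galapagos-AWS-Deploy'
          # Exposes the temporary credentials as step outputs so the Upload
          # step below can pass them to sbt through its own env variables.
          output-credentials: true
      - name: Verify AWS Credentials
        run: |
          aws sts get-caller-identity
      - name: Scrape
        run: |
          sbt scrapePlay
          cp -Rv public/modelslib/ target/play-scrape/assets/
          cp -Rv public/nt-modelslib/ target/play-scrape/assets/
          cp -Rv public/versions/ target/play-scrape/
      - name: Upload
        env:
          CREDENTIALS_FROM_ENVIRONMENT: 'true'
          BUILD_SERVER: 'true'
          # Passed via env rather than interpolated into the script so the
          # branch name is never expanded inside the shell command line.
          BUILD_BRANCH: ${{ github.ref_name }}
          AWS_ACCESS_KEY_ID: ${{ steps.creds.outputs.aws-access-key-id }}
          AWS_SECRET_KEY: ${{ steps.creds.outputs.aws-secret-access-key }}
          AWS_SESSION_TOKEN: ${{ steps.creds.outputs.aws-session-token }}
        run: |
          sbt scrapeUpload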