galaxyproject/galaxy-helm (opens in new tab)
5 workflows
Triggers
issue_comment
Jobs
| Job | Runs on | Steps | Actions used |
|---|---|---|---|
| approve | ubuntu-latest | 4 | actions/github-script@v7 actions/create-github-app-token@v1 actions/github-script@v7 |
Raw YAML
name: Auto Approve
on:
issue_comment:
types: [created]
permissions:
contents: read
pull-requests: write
issues: write
jobs:
approve:
# Only run on PR comments (not issue comments) with /approve command
# Use startsWith to handle trailing whitespace from GitHub's comment body
if: github.event.issue.pull_request && startsWith(github.event.comment.body, '/approve')
runs-on: ubuntu-latest
steps:
- name: Check user permissions
id: check-permission
uses: actions/github-script@v7
with:
script: |
const { data: permission } = await github.rest.repos.getCollaboratorPermissionLevel({
owner: context.repo.owner,
repo: context.repo.repo,
username: context.payload.comment.user.login
});
const allowed = ['admin', 'write'].includes(permission.permission);
console.log(`User ${context.payload.comment.user.login} has permission: ${permission.permission}`);
console.log(`Allowed to approve: ${allowed}`);
if (!allowed) {
// Add thumbs down reaction
await github.rest.reactions.createForIssueComment({
owner: context.repo.owner,
repo: context.repo.repo,
comment_id: context.payload.comment.id,
content: '-1'
});
// Add comment explaining the denial
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.payload.issue.number,
body: `@${context.payload.comment.user.login} You do not have permission to approve pull requests. Only users with write access or higher can use the \`/approve\` command.`
});
core.setFailed(`User ${context.payload.comment.user.login} does not have write access to this repository`);
}
core.setOutput('allowed', allowed);
return allowed;
- name: Generate GitHub App token
id: app-token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ secrets.HELM_UPDATER_APP_ID }}
private-key: ${{ secrets.HELM_UPDATER_PKEY }}
- name: Approve PR
uses: actions/github-script@v7
with:
github-token: ${{ steps.app-token.outputs.token }}
script: |
const prNumber = context.payload.issue.number;
// Submit approval review
await github.rest.pulls.createReview({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: prNumber,
event: 'APPROVE',
body: `Approved by @${context.payload.comment.user.login} via \`/approve\` command.`
});
console.log(`PR #${prNumber} approved`);
// Add a reaction to the comment to confirm
await github.rest.reactions.createForIssueComment({
owner: context.repo.owner,
repo: context.repo.repo,
comment_id: context.payload.comment.id,
content: '+1'
});
- name: Enable auto-merge
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
PR_NUMBER=${{ github.event.issue.number }}
echo "Enabling auto-merge for PR #${PR_NUMBER}..."
gh pr merge "${PR_NUMBER}" --auto --merge --repo "${{ github.repository }}" || echo "Auto-merge may already be enabled or not available"Last fetched:
Enable Auto-Merge on Approval
.github/workflows/enable-auto-merge.yaml (opens in new tab)
Triggers
pull_request_review
Jobs
| Job | Runs on | Steps | Actions used |
|---|---|---|---|
| enable-auto-merge | ubuntu-latest | 2 | actions/create-github-app-token@v1 |
Raw YAML
name: Enable Auto-Merge on Approval
on:
pull_request_review:
types: [submitted]
permissions:
contents: read
pull-requests: write
jobs:
enable-auto-merge:
# Only run when PR is approved and targeting master
if: github.event.review.state == 'approved' && github.event.pull_request.base.ref == 'master'
runs-on: ubuntu-latest
steps:
- name: Generate GitHub App token
id: app-token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ secrets.HELM_UPDATER_APP_ID }}
private-key: ${{ secrets.HELM_UPDATER_PKEY }}
- name: Enable auto-merge
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
PR_NUMBER=${{ github.event.pull_request.number }}
echo "PR #${PR_NUMBER} approved by ${{ github.event.review.user.login }}"
echo "Enabling auto-merge..."
gh pr merge "${PR_NUMBER}" --auto --merge --repo "${{ github.repository }}" || echo "Auto-merge may already be enabled or not available"Last fetched:
PR Validation
.github/workflows/pr-validation.yaml (opens in new tab)
Triggers
pull_request
Jobs
| Job | Runs on | Steps | Actions used |
|---|---|---|---|
| validate-release-pr | ubuntu-latest | 2 | mheap/github-action-required-labels@v5 |
Raw YAML
name: PR Validation
on:
pull_request:
branches: [master]
permissions:
contents: read
pull-requests: read
jobs:
validate-release-pr:
runs-on: ubuntu-latest
steps:
- name: Check source branch
if: github.head_ref != 'dev'
run: |
echo "::error::Release PRs must come from the 'dev' branch"
exit 1
- name: Check for version label
uses: mheap/github-action-required-labels@v5
with:
mode: exactly
count: 1
labels: "major, minor, patch"
message: "PR must have exactly one label: major, minor, or patch"Last fetched:
Triggers
pull_request workflow_dispatch
Jobs
| Job | Runs on | Steps | Actions used |
|---|---|---|---|
| smoke-test | unknown | 0 | |
| prepare | ubuntu-latest | 3 | actions/checkout@v4 |
| approve-release | ubuntu-latest | 1 | |
| release | ubuntu-latest | 9 | actions/create-github-app-token@v1 actions/checkout@v4 |
| trigger-downstream | ubuntu-latest | 2 | actions/create-github-app-token@v1 peter-evans/repository-dispatch@v3 |
| notify | ubuntu-latest | 1 | slackapi/slack-github-action@v1.26.0 |
Raw YAML
name: Release
on:
pull_request:
types: [closed]
branches: [master]
workflow_dispatch:
inputs:
version-bump:
description: 'Version bump type'
required: true
type: choice
options:
- major
- minor
- patch
concurrency:
group: release-${{ github.ref }}
cancel-in-progress: false
permissions:
contents: write
pull-requests: read
actions: read
jobs:
# Job 1: Run smoke tests
smoke-test:
if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch'
uses: ./.github/workflows/test.yaml
# Job 2: Prepare release (calculate version, etc.)
prepare:
needs: smoke-test
runs-on: ubuntu-latest
outputs:
new_version: ${{ steps.bump.outputs.new_version }}
bump_type: ${{ steps.determine.outputs.bump_type }}
steps:
- uses: actions/checkout@v4
- name: Determine bump type
id: determine
run: |
if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
echo "bump_type=${{ inputs.version-bump }}" >> $GITHUB_OUTPUT
else
LABELS='${{ toJson(github.event.pull_request.labels.*.name) }}'
if echo "$LABELS" | grep -q '"major"'; then
echo "bump_type=major" >> $GITHUB_OUTPUT
elif echo "$LABELS" | grep -q '"minor"'; then
echo "bump_type=minor" >> $GITHUB_OUTPUT
else
echo "bump_type=patch" >> $GITHUB_OUTPUT
fi
fi
- name: Calculate new version
id: bump
run: |
CURRENT=$(grep '^version:' galaxy/Chart.yaml | awk '{print $2}')
IFS='.' read -r major minor patch <<< "$CURRENT"
case "${{ steps.determine.outputs.bump_type }}" in
major) NEW_VERSION="$((major + 1)).0.0" ;;
minor) NEW_VERSION="${major}.$((minor + 1)).0" ;;
patch) NEW_VERSION="${major}.${minor}.$((patch + 1))" ;;
esac
echo "new_version=$NEW_VERSION" >> $GITHUB_OUTPUT
echo "Bumping $CURRENT -> $NEW_VERSION"
# Job 3: Manual approval gate
approve-release:
needs: prepare
runs-on: ubuntu-latest
environment: release
steps:
- name: Approval gate
run: |
echo "Release v${{ needs.prepare.outputs.new_version }} approved"
echo "Proceeding with release..."
# Job 4: Execute release
release:
needs: [prepare, approve-release]
runs-on: ubuntu-latest
env:
NEW_VERSION: ${{ needs.prepare.outputs.new_version }}
steps:
# Generate token from GitHub App (bypasses branch protection rulesets)
- name: Generate GitHub App token
id: app-token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ secrets.HELM_UPDATER_APP_ID }}
private-key: ${{ secrets.HELM_UPDATER_PKEY }}
repositories: galaxy-helm,helm-charts,galaxy-k8s-boot
- uses: actions/checkout@v4
with:
token: ${{ steps.app-token.outputs.token }}
fetch-depth: 0
ref: master # Explicitly checkout master to get merge commit
- name: Configure git
run: |
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
- name: Update Chart.yaml version
run: |
set -e
echo "Updating Chart.yaml version to $NEW_VERSION"
# Ensure we have latest (including merge commit)
git pull origin master || { echo "Failed to pull latest master"; exit 1; }
# Backup before modification
cp galaxy/Chart.yaml galaxy/Chart.yaml.bak
# Update version with validation
sed -i "s/^version:.*/version: $NEW_VERSION/" galaxy/Chart.yaml
# Verify the change worked
NEW_VER_CHECK=$(grep '^version:' galaxy/Chart.yaml | awk '{print $2}' | tr -d '"')
if [ "$NEW_VER_CHECK" != "$NEW_VERSION" ]; then
echo "Version update failed. Expected: $NEW_VERSION, Got: $NEW_VER_CHECK"
exit 1
fi
echo "Version successfully updated to $NEW_VERSION"
# Commit and push changes
git add galaxy/Chart.yaml
git commit -m "chore(release): bump version to $NEW_VERSION"
git push origin master || { echo "Failed to push version update"; exit 1; }
- name: Install Helm
id: install-helm
run: |
if ! command -v helm &> /dev/null; then
curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
fi
helm version
- name: Package Helm chart
run: |
helm package galaxy/
mv galaxy-${NEW_VERSION}.tgz /tmp/
- name: Push to CloudVE/helm-charts
env:
APP_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
git clone https://x-access-token:${APP_TOKEN}@github.com/CloudVE/helm-charts.git /tmp/helm-charts
cp /tmp/galaxy-${NEW_VERSION}.tgz /tmp/helm-charts/
cd /tmp/helm-charts
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
helm repo index . --merge index.yaml
git add .
git commit -m "Add galaxy-${NEW_VERSION}"
git push
- name: Create tag and release
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
git tag -a "v${NEW_VERSION}" -m "Release v${NEW_VERSION}"
git push origin "v${NEW_VERSION}"
gh release create "v${NEW_VERSION}" \
--title "release_${NEW_VERSION}" \
--generate-notes \
--latest
- name: Merge master to dev
run: |
set -e
echo "Merging master back to dev after release v${NEW_VERSION}"
# Check if dev branch exists
if git ls-remote --heads origin dev | grep -q dev; then
git checkout dev || { echo "Failed to checkout dev branch"; exit 1; }
git pull origin dev || { echo "Failed to pull latest dev"; exit 1; }
# Attempt merge
if ! git merge master -m "Merge master back to dev after release v${NEW_VERSION}"; then
echo "Merge conflict detected. Manual resolution required."
git merge --abort
echo "::warning::Merge conflicts detected when merging master to dev. Please resolve manually."
exit 1
fi
git push origin dev || { echo "Failed to push merge to dev"; exit 1; }
echo "Successfully merged master to dev"
else
echo "Dev branch does not exist yet. Skipping merge back to dev."
fi
# Job 5: Trigger downstream updates
trigger-downstream:
needs: [prepare, release]
runs-on: ubuntu-latest
steps:
- name: Generate GitHub App token
id: app-token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ secrets.HELM_UPDATER_APP_ID }}
private-key: ${{ secrets.HELM_UPDATER_PKEY }}
repositories: galaxy-k8s-boot
- name: Trigger galaxy-k8s-boot update
uses: peter-evans/repository-dispatch@v3
with:
token: ${{ steps.app-token.outputs.token }}
repository: galaxyproject/galaxy-k8s-boot
event-type: update-galaxy-chart
client-payload: '{"version": "${{ needs.prepare.outputs.new_version }}"}'
# Job 6: Send notifications
notify:
needs: [prepare, release]
runs-on: ubuntu-latest
if: always()
steps:
- name: Slack notification
uses: slackapi/slack-github-action@v1.26.0
with:
payload: |
{
"text": "Galaxy Helm Chart Release",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "*Galaxy Helm Chart v${{ needs.prepare.outputs.new_version }}* has been released!\n<${{ github.server_url }}/${{ github.repository }}/releases/tag/v${{ needs.prepare.outputs.new_version }}|View Release>"
}
}
]
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.K8S_SLACK_WEBHOOK_URL }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOKLast fetched:
Linting and deployment test on K3S
.github/workflows/test.yaml (opens in new tab)
Triggers
push pull_request workflow_dispatch workflow_call
Jobs
| Job | Runs on | Steps | Actions used |
|---|---|---|---|
| linting | ubuntu-latest | 4 | actions/checkout@v5 |
| test | ubuntu-latest | 11 | actions/checkout@v5 jupyterhub/action-k3s-helm@v4 |
Raw YAML
name: Linting and deployment test on K3S
on:
push:
branches: [master, dev]
pull_request: {}
workflow_dispatch: {}
workflow_call: {} # Allow calling from release workflow
permissions:
contents: read
pull-requests: read
jobs:
linting:
runs-on: ubuntu-latest
steps:
- name: Install Kubectl
run: curl -LO "https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl" && chmod +x ./kubectl && sudo mv ./kubectl /usr/local/bin/kubectl && kubectl version || true
- name: Install Helm
id: install-helm
run: |
if ! command -v helm &> /dev/null; then
curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
fi
helm version
- uses: actions/checkout@v5
with:
persist-credentials: false
- name: Helm linting for galaxy
run: helm lint galaxy/
test:
runs-on: ubuntu-latest
steps:
- name: Install Helm
id: install-helm
run: |
if ! command -v helm &> /dev/null; then
curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
fi
helm version
- uses: actions/checkout@v5
with:
persist-credentials: false
- name: Start k8s locally
uses: jupyterhub/action-k3s-helm@v4
with:
k3s-version: v1.34.7+k3s1 # releases: https://github.com/k3s-io/k3s/tags
metrics-enabled: false
traefik-enabled: false
- name: Verify function of k8s, kubectl, and helm
run: |
echo "kubeconfig: $KUBECONFIG"
kubectl version
kubectl get pods --all-namespaces
helm version
helm list
- name: Helm repo add galaxy
run: helm repo add galaxy https://github.com/CloudVE/helm-charts/raw/master
- name: Helm install galaxy-helm-deps
run: time bash -c 'helm install --create-namespace --wait -n "galaxy-deps" "galaxy-deps" galaxy/galaxy-deps --set cvmfs.cvmfscsi.cache.alien.enabled=false --wait --timeout=1200s'
- name: Helm install Galaxy
run: time bash -c 'helm install --create-namespace -n galaxy galaxy ./galaxy --set persistence.accessMode="ReadWriteOnce" --set resources.requests.memory=0Mi,resources.requests.cpu=0m --wait --timeout=1200s'
- name: Get events
run: kubectl get events -n galaxy; kubectl get events -n csi-drivers;
if: always()
- name: Get pods, pvc, and pv
run: kubectl get pods -n galaxy; kubectl get pvc -n galaxy; kubectl get pv -n galaxy
if: always()
- name: Print handler logs
run: |
echo "=== Collecting Galaxy handler logs ==="
for handler in web job workflow; do
echo "--- ${handler} handler logs ---"
POD_NAME=$(kubectl get pods -n galaxy -l "app.kubernetes.io/component=galaxy-${handler}-handler" -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || echo "")
if [[ -n "$POD_NAME" ]]; then
echo "Pod: $POD_NAME"
kubectl logs -n galaxy "$POD_NAME" --tail=100 || echo "Failed to get logs for $POD_NAME"
else
# Fallback to old method if label selector doesn't work
POD_NAME=$(kubectl get pods -n galaxy -o name | grep "galaxy-${handler}" | head -1 | cut -d/ -f2 2>/dev/null || echo "")
if [[ -n "$POD_NAME" ]]; then
echo "Pod (fallback): $POD_NAME"
kubectl logs -n galaxy "$POD_NAME" --tail=100 || echo "Failed to get logs for $POD_NAME"
else
echo "No ${handler} handler pod found"
fi
fi
echo ""
done
if: always()
- name: Check appVersion
if: always()
run: |
kubectl get svc -n galaxy
kubectl describe svc -n galaxy galaxy-nginx
appVersion=$(cat galaxy/Chart.yaml | grep ^appVersion: | awk '{print $2}' | tr -d '"')
address=$(kubectl get svc -n galaxy galaxy-nginx -o jsonpath="http://{.spec.clusterIP}:{.spec.ports[0].port}/galaxy/api/version")
echo "Address is $address"
apiVersion=$(curl $address | jq -r '"\(.version_major).\(.version_minor)"')
echo "appVersion: $appVersion"
echo "apiVersion: $apiVersion"
if [ "$appVersion" != "$apiVersion" ]; then
exit 1
fi
Last fetched: