galaxyproject/galaxy-k8s-boot (opens in new tab)
7 workflows
Triggers
issue_comment
Jobs
| Job | Runs on | Steps | Actions used |
|---|---|---|---|
| approve | ubuntu-latest | 4 | actions/github-script@v7 actions/create-github-app-token@v1 actions/github-script@v7 |
Raw YAML
name: Auto Approve
on:
issue_comment:
types: [created]
permissions:
contents: read
pull-requests: write
issues: write
jobs:
approve:
# Only run on PR comments (not issue comments) with /approve command
# Use startsWith to handle trailing whitespace from GitHub's comment body
if: github.event.issue.pull_request && startsWith(github.event.comment.body, '/approve')
runs-on: ubuntu-latest
steps:
- name: Check user permissions
id: check-permission
uses: actions/github-script@v7
with:
script: |
const { data: permission } = await github.rest.repos.getCollaboratorPermissionLevel({
owner: context.repo.owner,
repo: context.repo.repo,
username: context.payload.comment.user.login
});
const allowed = ['admin', 'write'].includes(permission.permission);
console.log(`User ${context.payload.comment.user.login} has permission: ${permission.permission}`);
console.log(`Allowed to approve: ${allowed}`);
if (!allowed) {
// Add thumbs down reaction
await github.rest.reactions.createForIssueComment({
owner: context.repo.owner,
repo: context.repo.repo,
comment_id: context.payload.comment.id,
content: '-1'
});
// Add comment explaining the denial
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.payload.issue.number,
body: `@${context.payload.comment.user.login} You do not have permission to approve pull requests. Only users with write access or higher can use the \`/approve\` command.`
});
core.setFailed(`User ${context.payload.comment.user.login} does not have write access to this repository`);
}
core.setOutput('allowed', allowed);
return allowed;
- name: Generate GitHub App token
id: app-token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ secrets.RELEASE_APP_ID }}
private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
- name: Approve PR
uses: actions/github-script@v7
with:
github-token: ${{ steps.app-token.outputs.token }}
script: |
const prNumber = context.payload.issue.number;
// Submit approval review
await github.rest.pulls.createReview({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: prNumber,
event: 'APPROVE',
body: `Approved by @${context.payload.comment.user.login} via \`/approve\` command.`
});
console.log(`PR #${prNumber} approved`);
// Add a reaction to the comment to confirm
await github.rest.reactions.createForIssueComment({
owner: context.repo.owner,
repo: context.repo.repo,
comment_id: context.payload.comment.id,
content: '+1'
});
- name: Enable auto-merge
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
PR_NUMBER=${{ github.event.issue.number }}
echo "Enabling auto-merge for PR #${PR_NUMBER}..."
gh pr merge "${PR_NUMBER}" --auto --merge --repo "${{ github.repository }}" || echo "Auto-merge may already be enabled or not available"Last fetched:
Enable Auto-Merge on Approval
.github/workflows/enable-auto-merge.yaml (opens in new tab)
Triggers
pull_request_review
Jobs
| Job | Runs on | Steps | Actions used |
|---|---|---|---|
| enable-auto-merge | ubuntu-latest | 2 | actions/create-github-app-token@v1 |
Raw YAML
name: Enable Auto-Merge on Approval
on:
pull_request_review:
types: [submitted]
permissions:
contents: read
pull-requests: write
jobs:
enable-auto-merge:
# Only run when PR is approved and targeting master
if: github.event.review.state == 'approved' && github.event.pull_request.base.ref == 'master'
runs-on: ubuntu-latest
steps:
- name: Generate GitHub App token
id: app-token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ secrets.RELEASE_APP_ID }}
private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
- name: Enable auto-merge
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
PR_NUMBER=${{ github.event.pull_request.number }}
echo "PR #${PR_NUMBER} approved by ${{ github.event.review.user.login }}"
echo "Enabling auto-merge..."
gh pr merge "${PR_NUMBER}" --auto --merge --repo "${{ github.repository }}" || echo "Auto-merge may already be enabled or not available"Last fetched:
PR Validation
.github/workflows/pr-validation.yaml (opens in new tab)
Triggers
pull_request
Jobs
| Job | Runs on | Steps | Actions used |
|---|---|---|---|
| validate-release-pr | ubuntu-latest | 2 | mheap/github-action-required-labels@v5 |
Raw YAML
name: PR Validation
on:
pull_request:
branches: [master]
permissions:
contents: read
pull-requests: read
jobs:
validate-release-pr:
runs-on: ubuntu-latest
steps:
- name: Check source branch
if: github.head_ref != 'dev'
run: |
echo "::error::Release PRs must come from the 'dev' branch"
exit 1
- name: Check for version label
uses: mheap/github-action-required-labels@v5
with:
mode: exactly
count: 1
labels: "major, minor, patch"
message: "PR must have exactly one label: major, minor, or patch"Last fetched:
Triggers
pull_request workflow_dispatch
Jobs
| Job | Runs on | Steps | Actions used |
|---|---|---|---|
| smoke-test | unknown | 0 | |
| prepare | ubuntu-latest | 3 | actions/checkout@v4 |
| approve-release | ubuntu-latest | 1 | |
| release | ubuntu-latest | 6 | actions/create-github-app-token@v1 actions/checkout@v4 |
| notify | ubuntu-latest | 1 | slackapi/slack-github-action@v1.26.0 |
Raw YAML
name: Release
on:
pull_request:
types: [closed]
branches: [master]
workflow_dispatch:
inputs:
version-bump:
description: 'Version bump type'
required: true
type: choice
options:
- major
- minor
- patch
concurrency:
group: release-${{ github.ref }}
cancel-in-progress: false
permissions:
contents: write
pull-requests: read
actions: read
jobs:
# Job 1: Run smoke tests
smoke-test:
if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch'
uses: ./.github/workflows/test.yaml
# Job 2: Prepare release (calculate version, etc.)
prepare:
needs: smoke-test
runs-on: ubuntu-latest
outputs:
new_version: ${{ steps.bump.outputs.new_version }}
bump_type: ${{ steps.determine.outputs.bump_type }}
steps:
- uses: actions/checkout@v4
- name: Determine bump type
id: determine
run: |
if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
echo "bump_type=${{ inputs.version-bump }}" >> $GITHUB_OUTPUT
else
LABELS='${{ toJson(github.event.pull_request.labels.*.name) }}'
if echo "$LABELS" | grep -q '"major"'; then
echo "bump_type=major" >> $GITHUB_OUTPUT
elif echo "$LABELS" | grep -q '"minor"'; then
echo "bump_type=minor" >> $GITHUB_OUTPUT
else
echo "bump_type=patch" >> $GITHUB_OUTPUT
fi
fi
- name: Calculate new version
id: bump
run: |
CURRENT=$(cat VERSION)
IFS='.' read -r major minor patch <<< "$CURRENT"
case "${{ steps.determine.outputs.bump_type }}" in
major) NEW_VERSION="$((major + 1)).0.0" ;;
minor) NEW_VERSION="${major}.$((minor + 1)).0" ;;
patch) NEW_VERSION="${major}.${minor}.$((patch + 1))" ;;
esac
echo "new_version=$NEW_VERSION" >> $GITHUB_OUTPUT
echo "Bumping $CURRENT -> $NEW_VERSION"
# Job 3: Manual approval gate
approve-release:
needs: prepare
runs-on: ubuntu-latest
environment: release
steps:
- name: Approval gate
run: |
echo "Release v${{ needs.prepare.outputs.new_version }} approved"
echo "Proceeding with release..."
# Job 4: Execute release
release:
needs: [prepare, approve-release]
runs-on: ubuntu-latest
env:
NEW_VERSION: ${{ needs.prepare.outputs.new_version }}
steps:
# Generate token from GitHub App (bypasses branch protection rulesets)
- name: Generate GitHub App token
id: app-token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ secrets.RELEASE_APP_ID }}
private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
- uses: actions/checkout@v4
with:
token: ${{ steps.app-token.outputs.token }}
fetch-depth: 0
ref: master # Explicitly checkout master to get merge commit
- name: Configure git
run: |
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
- name: Update VERSION file
run: |
set -e
echo "Updating VERSION file to $NEW_VERSION"
# Ensure we have latest (including merge commit)
git pull origin master || { echo "Failed to pull latest master"; exit 1; }
# Backup before modification
cp VERSION VERSION.bak
# Update version
echo "$NEW_VERSION" > VERSION
# Verify the change worked
NEW_VER_CHECK=$(cat VERSION)
if [ "$NEW_VER_CHECK" != "$NEW_VERSION" ]; then
echo "Version update failed. Expected: $NEW_VERSION, Got: $NEW_VER_CHECK"
exit 1
fi
echo "Version successfully updated to $NEW_VERSION"
# Commit and push changes
git add VERSION
git commit -m "chore(release): bump version to $NEW_VERSION"
git push origin master || { echo "Failed to push version update"; exit 1; }
- name: Create tag and release
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
git tag -a "v${NEW_VERSION}" -m "Release v${NEW_VERSION}"
git push origin "v${NEW_VERSION}"
gh release create "v${NEW_VERSION}" \
--title "Galaxy K8s Boot v${NEW_VERSION}" \
--generate-notes \
--latest
- name: Merge master to dev
run: |
set -e
echo "Merging master back to dev after release v${NEW_VERSION}"
# Check if dev branch exists
if git ls-remote --heads origin dev | grep -q dev; then
git checkout dev || { echo "Failed to checkout dev branch"; exit 1; }
git pull origin dev || { echo "Failed to pull latest dev"; exit 1; }
# Attempt merge
if ! git merge master -m "Merge master back to dev after release v${NEW_VERSION}"; then
echo "Merge conflict detected. Manual resolution required."
git merge --abort
echo "::warning::Merge conflicts detected when merging master to dev. Please resolve manually."
exit 1
fi
git push origin dev || { echo "Failed to push merge to dev"; exit 1; }
echo "Successfully merged master to dev"
else
echo "Dev branch does not exist yet. Skipping merge back to dev."
fi
# Job 5: Send notifications
notify:
needs: [prepare, release]
runs-on: ubuntu-latest
if: always()
steps:
- name: Slack notification
uses: slackapi/slack-github-action@v1.26.0
with:
payload: |
{
"text": "Galaxy K8s Boot Release",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "*Galaxy K8s Boot v${{ needs.prepare.outputs.new_version }}* has been released!\n<${{ github.server_url }}/${{ github.repository }}/releases/tag/v${{ needs.prepare.outputs.new_version }}|View Release>"
}
}
]
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOKLast fetched:
Test Galaxy Deployment on GCE
.github/workflows/test-galaxy-gce.yml (opens in new tab)
Triggers
workflow_dispatch
Jobs
| Job | Runs on | Steps | Actions used |
|---|---|---|---|
| Deploy and Test Galaxy | ubuntu-latest | 12 | actions/checkout@v4 google-github-actions/auth@v2 google-github-actions/setup-gcloud@v2 |
Raw YAML
name: Test Galaxy Deployment on GCE
on:
workflow_dispatch:
inputs:
galaxy-chart-version:
description: 'Galaxy Helm chart version'
default: '6.7.0'
required: true
git-repo:
description: 'Git repository URL for galaxy-k8s-boot'
default: 'https://github.com/galaxyproject/galaxy-k8s-boot.git'
required: true
git-branch:
description: 'Git branch to deploy'
default: 'master'
required: true
instance-name:
description: 'Name for the test VM instance'
default: 'galaxy-test-ci'
required: true
gcp-project:
description: 'GCP project ID'
default: 'anvil-and-terra-development'
required: true
gcp-zone:
description: 'GCP zone'
default: 'us-east4-c'
required: true
env:
INSTANCE_NAME: ${{ inputs.instance-name }}
GCP_PROJECT: ${{ inputs.gcp-project }}
GCP_ZONE: ${{ inputs.gcp-zone }}
jobs:
test-galaxy:
name: Deploy and Test Galaxy
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write # Required for Workload Identity
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Authenticate to Google Cloud
uses: google-github-actions/auth@v2
with:
workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
- name: Set up Cloud SDK
uses: google-github-actions/setup-gcloud@v2
- name: Generate SSH key for VM
id: ssh-key
run: |
ssh-keygen -t rsa -b 4096 -f ~/.ssh/galaxy-ci-key -N "" -C "github-actions"
echo "public-key=$(cat ~/.ssh/galaxy-ci-key.pub)" >> $GITHUB_OUTPUT
echo "private-key-path=$HOME/.ssh/galaxy-ci-key" >> $GITHUB_OUTPUT
- name: Launch Galaxy VM
id: launch-vm
run: |
bin/launch_vm.sh \
--project "${{ env.GCP_PROJECT }}" \
--zone "${{ env.GCP_ZONE }}" \
--ephemeral-only \
--galaxy-chart-version "${{ inputs.galaxy-chart-version }}" \
--git-repo "${{ inputs.git-repo }}" \
--git-branch "${{ inputs.git-branch }}" \
-k "${{ steps.ssh-key.outputs.public-key }}" \
-f values/values.yml \
"${{ env.INSTANCE_NAME }}"
- name: Get VM IP address
id: vm-ip
run: |
sleep 10 # Give VM time to fully initialize
VM_IP=$(gcloud compute instances describe "${{ env.INSTANCE_NAME }}" \
--project="${{ env.GCP_PROJECT }}" \
--zone="${{ env.GCP_ZONE }}" \
--format='get(networkInterfaces[0].accessConfigs[0].natIP)')
echo "ip=${VM_IP}" >> $GITHUB_OUTPUT
echo "Galaxy VM IP: ${VM_IP}"
- name: Wait for cloud-init to complete
run: |
echo "Waiting for cloud-init to complete on ${{ steps.vm-ip.outputs.ip }}..."
for i in {1..60}; do
if gcloud compute ssh "${{ env.INSTANCE_NAME }}" \
--project="${{ env.GCP_PROJECT }}" \
--zone="${{ env.GCP_ZONE }}" \
--ssh-key-file="${{ steps.ssh-key.outputs.private-key-path }}" \
--command="cloud-init status --wait" 2>/dev/null; then
echo "Cloud-init completed successfully"
break
fi
echo "Attempt $i/60: Cloud-init still running or SSH not ready..."
sleep 30
done
- name: Copy kubeconfig from VM
run: |
mkdir -p ~/.kube
gcloud compute scp \
--project="${{ env.GCP_PROJECT }}" \
--zone="${{ env.GCP_ZONE }}" \
--ssh-key-file="${{ steps.ssh-key.outputs.private-key-path }}" \
"ubuntu@${{ env.INSTANCE_NAME }}:/home/ubuntu/.kube/config" \
~/.kube/config
# Update kubeconfig to use external IP
sed -i "s|https://0.0.0.0:6443|https://${{ steps.vm-ip.outputs.ip }}:6443|" ~/.kube/config
- name: Wait for Galaxy deployments to rollout
run: |
echo "Waiting for Galaxy deployments to complete (timeout: 15 minutes)..."
# Get all deployments in the galaxy namespace
DEPLOYMENTS=$(kubectl get deployments -n galaxy -o jsonpath='{.items[*].metadata.name}')
if [ -z "$DEPLOYMENTS" ]; then
echo "No deployments found in galaxy namespace"
exit 1
fi
echo "Found deployments: $DEPLOYMENTS"
# Wait for each deployment to rollout
for deployment in $DEPLOYMENTS; do
echo "Waiting for deployment: $deployment"
kubectl rollout status deployment/$deployment -n galaxy --timeout=15m
done
echo "All deployments rolled out successfully"
- name: Test Galaxy API endpoint
id: test-api
run: |
GALAXY_URL="http://${{ steps.vm-ip.outputs.ip }}/api/version"
echo "Testing Galaxy API at: $GALAXY_URL"
# Wait for Galaxy to be responsive (max 5 minutes)
for i in {1..30}; do
if response=$(curl -s -f "$GALAXY_URL"); then
echo "Galaxy API is responsive"
echo "$response" | jq .
# Validate that response is valid JSON
if echo "$response" | jq -e . >/dev/null 2>&1; then
echo "Response is valid JSON ✓"
echo "version-info=$response" >> $GITHUB_OUTPUT
exit 0
else
echo "Response is not valid JSON"
exit 1
fi
fi
echo "Attempt $i/30: Galaxy not ready yet..."
sleep 10
done
echo "Galaxy API did not become responsive in time"
exit 1
- name: Cleanup - Delete VM
if: always()
run: |
echo "Cleaning up: Deleting VM ${{ env.INSTANCE_NAME }}"
gcloud compute instances delete "${{ env.INSTANCE_NAME }}" \
--project="${{ env.GCP_PROJECT }}" \
--zone="${{ env.GCP_ZONE }}" \
--quiet || echo "Failed to delete VM (may not exist)"
- name: Display test results
if: always()
run: |
echo "=== Test Results ==="
echo "Instance: ${{ env.INSTANCE_NAME }}"
echo "IP: ${{ steps.vm-ip.outputs.ip }}"
echo "Galaxy Chart Version: ${{ inputs.galaxy-chart-version }}"
echo "Git Repo: ${{ inputs.git-repo }}"
echo "Git Branch: ${{ inputs.git-branch }}"
if [ -n "${{ steps.test-api.outputs.version-info }}" ]; then
echo "Galaxy Version Info:"
echo "${{ steps.test-api.outputs.version-info }}"
fi
Last fetched:
Ansible Linting and Validation
.github/workflows/test.yaml (opens in new tab)
Triggers
push pull_request workflow_dispatch workflow_call
Jobs
| Job | Runs on | Steps | Actions used |
|---|---|---|---|
| linting | ubuntu-latest | 6 | actions/checkout@v5 actions/setup-python@v4 |
| test | ubuntu-latest | 7 | actions/checkout@v5 actions/setup-python@v4 |
Raw YAML
name: Ansible Linting and Validation
on:
push:
branches: [master, dev]
pull_request: {}
workflow_dispatch: {}
workflow_call: {} # Allow calling from release workflow
permissions:
contents: read
pull-requests: read
jobs:
linting:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v5
with:
persist-credentials: false
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: '3.11'
- name: Install Ansible and lint tools
run: |
pip install -r requirements.txt
pip install ansible-lint yamllint
- name: Install Ansible Galaxy requirements
run: |
if [ -f requirements.yml ]; then
ansible-galaxy install -r requirements.yml
fi
- name: Run yamllint
run: |
yamllint -d "{extends: default, rules: {line-length: {max: 120}}}" .
- name: Run ansible-lint
run: |
ansible-lint playbook.yml
test:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v5
with:
persist-credentials: false
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: '3.11'
- name: Install dependencies
run: |
pip install -r requirements.txt
- name: Install Ansible Galaxy requirements
run: |
if [ -f requirements.yml ]; then
ansible-galaxy install -r requirements.yml
fi
- name: Validate Ansible inventory
run: |
ansible-inventory --list > /dev/null
- name: Ansible syntax check
run: |
ansible-playbook --syntax-check playbook.yml
- name: Check for common issues
run: |
# Check for undefined variables in templates
echo "Checking for undefined variables in templates..."
if find templates/ -name "*.j2" -type f 2>/dev/null; then
echo "Template files found, manual review recommended"
fi
# Check inventory files exist
if [ -d inventories/ ]; then
echo "Inventory directory found"
ls -la inventories/
fi
echo "Basic validation completed successfully"Last fetched:
Update Galaxy Chart Version
.github/workflows/update-galaxy-chart.yaml (opens in new tab)
Triggers
repository_dispatch
Jobs
| Job | Runs on | Steps | Actions used |
|---|---|---|---|
| update-chart-version | ubuntu-latest | 4 | actions/checkout@v4 peter-evans/create-pull-request@v5 |
Raw YAML
name: Update Galaxy Chart Version
on:
repository_dispatch:
types: [update-galaxy-chart]
permissions:
contents: write
pull-requests: write
jobs:
update-chart-version:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Extract version from payload
id: extract-version
run: |
VERSION="${{ github.event.client_payload.version }}"
echo "new_version=${VERSION}" >> $GITHUB_OUTPUT
echo "New Galaxy chart version: ${VERSION}"
- name: Update galaxy chart version in defaults
run: |
NEW_VERSION="${{ steps.extract-version.outputs.new_version }}"
DEFAULTS_FILE="roles/galaxy_k8s_deployment/defaults/main.yml"
echo "Updating galaxy_chart_version to ${NEW_VERSION}"
# Backup the file
cp "${DEFAULTS_FILE}" "${DEFAULTS_FILE}.bak"
# Update the galaxy_chart_version line
sed -i "s/^galaxy_chart_version: .*/galaxy_chart_version: \"${NEW_VERSION}\"/" "${DEFAULTS_FILE}"
# Verify the change was made
NEW_VERSION_CHECK=$(grep '^galaxy_chart_version:' "${DEFAULTS_FILE}" | sed 's/galaxy_chart_version: "//' | sed 's/"//')
if [ "${NEW_VERSION_CHECK}" != "${NEW_VERSION}" ]; then
echo "Version update failed. Expected: ${NEW_VERSION}, Got: ${NEW_VERSION_CHECK}"
exit 1
fi
echo "Successfully updated galaxy_chart_version to ${NEW_VERSION}"
# Show the diff
echo "Changes made:"
diff "${DEFAULTS_FILE}.bak" "${DEFAULTS_FILE}" || true
- name: Create Pull Request
uses: peter-evans/create-pull-request@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
commit-message: "chore: update galaxy chart to v${{ steps.extract-version.outputs.new_version }}"
title: "Update Galaxy Chart to v${{ steps.extract-version.outputs.new_version }}"
body: |
## 🚀 Automated Galaxy Chart Update
This PR automatically updates the Galaxy Helm chart dependency to the newly released version.
**New Version:** `v${{ steps.extract-version.outputs.new_version }}`
**Release:** https://github.com/galaxyproject/galaxy-helm/releases/tag/v${{ steps.extract-version.outputs.new_version }}
### Changes:
- Updated `galaxy_chart_version` in `roles/galaxy_k8s_deployment/defaults/main.yml`
### Testing:
- [ ] Verify chart version is correct in defaults file
- [ ] Test deployment in staging environment
- [ ] Confirm Galaxy functionality works with new chart version
### Files Changed:
- `roles/galaxy_k8s_deployment/defaults/main.yml`
---
*This PR was created automatically by the galaxy-helm release process.*
branch: update-galaxy-chart-${{ steps.extract-version.outputs.new_version }}
base: master
labels: |
automated
dependencies
galaxy
delete-branch: trueLast fetched: