Compile dbt documentation in Github actions (#3814)

* Extract environment variables from terraform workflow yml

* Split dbt related github workflow items

* Upload dbt artifacts and documentation to GCS

* Allow staging github actions service account to run bigquery jobs

* Correctly interpolate runner operating system in cache key

* Compile staging against staging

* Use google credentials output for keyfile

* Do not use service account to build dbt

* Add permission to service account to create BigQuery job on cal-itp-data-infra-staging to fix error when compiling dbt

* Apply custom roles to service account

* Add permissions for staging to read production resources

* Allow staging service account to act like a production analyst

* Allow github service account to read filtered data and bigquery metadata

* Store CI artifacts on github

* Remove old Composer environment references

Signed-off-by: Erika Pacheco <[email protected]>
Co-authored-by: Doc Ritezel <[email protected]>

Author: erikamov

.github/workflows/build-warehouse-image.yml

@@ -1,9 +1,9 @@
-name: Test, visualize, and build dbt project
+name: Build dbt image
 
 on:
   push:
     branches:
-      - 'main'
+      - main
     paths:
       - '.github/workflows/build-warehouse-image.yml'
       - 'warehouse/**'
@@ -16,77 +16,57 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
 
+env:
+  PYTHON_VERSION: '3.11'
+  POETRY_VERSION: '2.0.1'
+
 jobs:
-  check:
-    name: check python
+  lint:
     runs-on: ubuntu-latest
     steps:
-      - run: sudo apt-get install -y libgraphviz-dev graphviz-dev
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
-        with:
-          python-version: '3.11'
-      - run: curl -sSL https://install.python-poetry.org | POETRY_VERSION=2.0.1 python -
-      - run: cd warehouse && poetry install && poetry run mypy scripts
+      - name: Checkout
+        uses: actions/checkout@v4
 
-  compile:
-    name: check dbt
-    runs-on: ubuntu-latest
-    steps:
-      - run: sudo apt-get install -y libgraphviz-dev graphviz graphviz-dev
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
-        with:
-          python-version: '3.11'
-      - run: curl -sSL https://install.python-poetry.org | POETRY_VERSION=2.0.1 python -
-      - uses: 'google-github-actions/auth@v2'
-        with:
-          credentials_json: '${{ secrets.GCP_SA_KEY }}'
-      - uses: google-github-actions/setup-gcloud@v2
-      - name: Compile dbt project
-        working-directory: warehouse
-        run: |
-          poetry install
-          poetry run dbt deps
-          poetry run dbt compile --target prod --full-refresh
-          poetry run dbt docs generate --target prod --no-compile
-      - uses: 'google-github-actions/upload-cloud-storage@v1'
+      - name: Setup Graphviz
+        uses: ts-graphviz/setup-graphviz@v2
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
         with:
-          path: './warehouse/logs/'
-          destination: 'calitp-ci-artifacts/${{github.workflow}}/run_id=${{github.run_id}}/job=${{github.job}}/logs/'
-      - uses: 'google-github-actions/upload-cloud-storage@v1'
+          python-version: ${{ env.PYTHON_VERSION }}
+
+      - name: Cache poetry
+        uses: actions/cache@v3
         with:
-          path: './warehouse/target/'
-          glob: '*.json'
-          destination: 'calitp-ci-artifacts/${{github.workflow}}/run_id=${{github.run_id}}/job=${{github.job}}/target/'
-      # Only do visualization if we actually changed models and we are merging against main
-      - uses: tj-actions/changed-files@v41
-        if: ${{ github.event_name == 'pull_request' }}
-        id: changed-files-warehouse
+          path: ~/.cache/pypoetry
+          key: poetry-cache-${{ runner.os }}-python-${{ env.PYTHON_VERSION }}-poetry-${{ env.POETRY_VERSION }}
+
+      - name: Setup Poetry
+        uses: abatilo/actions-poetry@v3
         with:
-          files: 'warehouse/models/**/*.sql'
-      # install a specific version of node before cml https://github.com/iterative/cml/issues/1377
-      - uses: actions/setup-node@v1
+          poetry-version: ${{ env.POETRY_VERSION }}
+
+      - name: Cache python packages
+        uses: actions/cache@v3
         with:
-          node-version: '16'
-      - uses: iterative/setup-cml@v1
-        if: steps.changed-files-warehouse.outputs.any_changed == 'true'
-      - name: Create GitHub comment
-        if: steps.changed-files-warehouse.outputs.any_changed == 'true'
-        env:
-          REPO_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          cd warehouse
-          gsutil cp -r gs://calitp-dbt-artifacts/latest/ .
-          poetry run python scripts/visualize.py ci-report
-          cml comment update target/report.md
+          path: ~/.local
+          key: python-cache-${{ runner.os }}-python-${{ env.PYTHON_VERSION }}-lock-${{ hashFiles('poetry.lock') }}-${{ hashFiles('.github/workflows/*.yml') }}
+
+      - name: Install dependencies
+        working-directory: warehouse
+        run: poetry install
+
+      - name: Run mypy
+        working-directory: warehouse
+        run: poetry run mypy scripts
 
-  build_push:
-    name: package warehouse image
+  docker:
     runs-on: ubuntu-latest
-    needs: [check]
+    needs: [lint]
     steps:
-      - uses: actions/checkout@v3
+      - name: Checkout
+        uses: actions/checkout@v4
+
       - uses: tj-actions/changed-files@v41
         with:
           files: |

.github/workflows/deploy-airflow-requirements.yml

@@ -0,0 +1,44 @@
+name: Deploy Airflow Requirements
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - airflow/requirements.txt
+
+env:
+  SERVICE_ACCOUNT: github-actions-services-accoun@cal-itp-data-infra.iam.gserviceaccount.com
+  WORKLOAD_IDENTITY_PROVIDER: projects/1005246706141/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider
+  PROJECT_ID: cal-itp-data-infra
+  COMPOSER_ENVIRONMENT: calitp-airflow2-prod-composer2-20250402
+  COMPOSER_REGION: us-west2
+
+jobs:
+  sync:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Authenticate Google Service Account
+        uses: google-github-actions/auth@v2
+        with:
+          project_id: ${{ env.PROJECT_ID }}
+          workload_identity_provider: ${{ env.WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ env.SERVICE_ACCOUNT }}
+
+      - name: Setup GCloud utilities
+        uses: google-github-actions/setup-gcloud@v2
+
+      - name: Update Composer Dependencies
+        run: |
+          gcloud composer environments update ${{ env.COMPOSER_ENVIRONMENT }} \
+          --update-pypi-packages-from-file airflow/requirements.txt \
+          --location ${{ env.COMPOSER_REGION }} \
+          --project ${{ env.PROJECT_ID }}

.github/workflows/deploy-airflow.yml

@@ -8,35 +8,35 @@ on:
       - .github/workflows/deploy-airflow.yml
       - 'airflow/**'
 
+env:
+  SERVICE_ACCOUNT: github-actions-services-accoun@cal-itp-data-infra.iam.gserviceaccount.com
+  WORKLOAD_IDENTITY_PROVIDER: projects/1005246706141/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider
+  PROJECT_ID: cal-itp-data-infra
+  AIRFLOW_BUCKET: us-west2-calitp-airflow2-pr-f6bb9855-bucket
+
 jobs:
-  deploy:
+  build:
     runs-on: ubuntu-latest
-    steps:
-      - name: Check out repo
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
 
-      - uses: 'google-github-actions/auth@v2'
-        with:
-          credentials_json: '${{ secrets.GCP_SA_KEY }}'
+    permissions:
+      contents: read
+      id-token: write
 
-      - uses: google-github-actions/setup-gcloud@v2
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
 
-      # Only update requirements if they have changed; Composer throws an error if there are no changes to apply
-      - uses: tj-actions/changed-files@v41
-        if: ${{ github.ref == 'refs/heads/main' }}
-        id: changed-requirements
+      - name: Authenticate Google Service Account
+        uses: google-github-actions/auth@v2
         with:
-          files: 'airflow/requirements.txt'
+          project_id: ${{ env.PROJECT_ID }}
+          workload_identity_provider: ${{ env.WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ env.SERVICE_ACCOUNT }}
 
-      - name: Deploy Airflow dependencies to Composer
-        if: steps.changed-requirements.outputs.any_changed == 'true'
-        run: gcloud composer environments update calitp-airflow2-prod-composer2-20250402 --update-pypi-packages-from-file airflow/requirements.txt --location us-west2 --project cal-itp-data-infra
+      - name: Setup GCloud utilities
+        uses: google-github-actions/setup-gcloud@v2
 
       - name: Push Airflow code to Composer
         run: |
-          gsutil -m rsync -d -c -r airflow/dags gs://$AIRFLOW_BUCKET/dags
-          gsutil -m rsync -d -c -r airflow/plugins gs://$AIRFLOW_BUCKET/plugins
-        env:
-          AIRFLOW_BUCKET: "us-west2-calitp-airflow2-pr-f6bb9855-bucket"
+          gsutil -m rsync -d -c -r airflow/dags gs://${{ env.AIRFLOW_BUCKET }}/dags
+          gsutil -m rsync -d -c -r airflow/plugins gs://${{ env.AIRFLOW_BUCKET }}/plugins