Feature/dbt apply (#6)

jonhopper-dataengineers · web-flow · commit 15a73f1feab3 · 2025-01-24T09:59:59.000+13:00
- split out dbt compile and dbt seed into their own tasks
- updated python version to 3.12
- updated azure logins to use ODIC as an option for the authentication
- Upgrade upload-artifact action to version 4 in YAML files
diff --git a/setup/aws/action.yml b/setup/aws/action.yml
@@ -20,7 +20,7 @@ runs:
     - name: install Python
       uses: "actions/setup-python@v5"
       with:
-        python-version: '3.10'
+        python-version: '3.12'
 
     - name: setup environment
       shell: bash
diff --git a/setup/dbt/action.yml b/setup/dbt/action.yml
@@ -12,7 +12,7 @@ runs:
     - name: install Python
       uses: "actions/setup-python@v5"
       with:
-        python-version: '3.10'
+        python-version: '3.12'
 
     - name: install components
       shell: bash
diff --git a/setup/schemachange/action.yml b/setup/schemachange/action.yml
@@ -12,7 +12,7 @@ runs:
     - name: install Python
       uses: "actions/setup-python@v5"
       with:
-        python-version: 3.8
+        python-version: 3.12
 
     - name: install components
       shell: bash
diff --git a/tasks/database-permissions/action.yml b/tasks/database-permissions/action.yml
@@ -103,7 +103,7 @@ runs:
         $fileName = "./schemaresults.json"
 
         $schemaObjects = Get-Content -Raw -Path $fileName | ConvertFrom-Json
-        
+
         $schemaObjects |  ForEach-Object {
             $schema=  $_.SCHEMA_NAME.toLower()
             $statements.Add(-JOIN("GRANT OWNERSHIP ON SCHEMA ", $schema , " TO ROLE ",$new_role, " REVOKE CURRENT GRANTS;"))
@@ -136,7 +136,7 @@ runs:
         $fileName = "./maskingpolicies.json"
 
         $schemaObjects = Get-Content -Raw -Path $fileName | ConvertFrom-Json
-        
+
         $schemaObjects |  ForEach-Object {
             $schema=  $_.SCHEMA_NAME.toLower()
             $policy= $_.NAME.toLower()
@@ -152,7 +152,7 @@ runs:
 
 
     - name: Archive Permission Details
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: ${{ inputs.archive-outputs == 'true' }}
       with:
           name: permissions
diff --git a/tasks/dbt-apply/action.yml b/tasks/dbt-apply/action.yml
@@ -35,11 +35,19 @@ inputs:
     description: Additional flags to pass to the dbt command
     required: false
     default: ''
+  run_compile:
+    description: Run dbt compile
+    required: false
+    default: true
+  run_seed:
+    description: Run dbt seed
+    required: false
+    default: true
 
 runs:
   using: "composite"
   steps:
-    - name: Clean target
+    - name: Clean targets
       shell: pwsh
       run: |
          if(Test-Path -Path ".\target\partial_parse.msgpack") {
@@ -50,19 +58,11 @@ runs:
          }
       working-directory: ${{ inputs.working-directory }}
 
-    - name: Run DBT without Unit-tets
-      if: inputs.target  != 'unit-test'
+    - name: dbt Compile
+      if: ${{ inputs.run_compile == 'true' }}
       shell: pwsh
       run: |
-        dbt compile --profiles-dir=${{ inputs.profiles-directory }} --target=${{ inputs.target }} --exclude tag:unit_test
-        dbt seed --profiles-dir=${{ inputs.profiles-directory }} --target=${{ inputs.target }} --exclude path:seeds/unit_tests --full-refresh
-        if(Test-Path -Path ".\manifest.json" -PathType Leaf) {
-          echo " ==> Previous Manifest file found, running dbt run for release"
-          dbt run -s state:modified --defer --state . --profiles-dir=${{ inputs.profiles-directory }} --target=${{ inputs.target }} --exclude tag:unit_test ${{ inputs.additional_flag }}
-        } else {
-            echo " ==> No Previous Manifest file found, running dbt run fo release"
-            dbt run --profiles-dir=${{ inputs.profiles-directory }} --target=${{ inputs.target }} --exclude tag:unit_test ${{ inputs.additional_flag }}
-        }
+        dbt compile --profiles-dir=${{ inputs.profiles-directory }} --target=${{ inputs.target }}
       working-directory: ${{ inputs.working-directory }}
       env:
         snowflake-account: ${{ inputs.snowflake-account }}
@@ -73,20 +73,31 @@ runs:
         snowflake-authenticator-value: ${{ inputs.snowflake-authenticator-value }}
         snowflake-privatekey-passphrase: ${{ inputs.snowflake-privatekey-passphrase }}
 
-    - name: Run DBT with unit-tests
-      if: inputs.target  == 'unit-test'
+    - name: dbt Seed
+      if: ${{ inputs.run_seed == 'true' }}
       shell: pwsh
       run: |
-        dbt compile --profiles-dir=${{ inputs.profiles-directory }} --target=${{ inputs.target }} --exclude tag:unit_test
         dbt seed --profiles-dir=${{ inputs.profiles-directory }} --target=${{ inputs.target }} --full-refresh
+      working-directory: ${{ inputs.working-directory }}
+      env:
+        snowflake-account: ${{ inputs.snowflake-account }}
+        snowflake-username: ${{ inputs.snowflake-username }}
+        snowflake-role: ${{ inputs.snowflake-role }}
+        snowflake-warehouse: ${{ inputs.snowflake-warehouse }}
+        snowflake-target-database: ${{ inputs.snowflake-target-database }}
+        snowflake-authenticator-value: ${{ inputs.snowflake-authenticator-value }}
+        snowflake-privatekey-passphrase: ${{ inputs.snowflake-privatekey-passphrase }}
+
+    - name: dbt Run
+      shell: pwsh
+      run: |
         if(Test-Path -Path ".\manifest.json" -PathType Leaf) {
-          echo " ==> Previous Manifest file found, running dbt run for unit tests"
+          echo " ==> Previous Manifest file found, running dbt run for release"
           dbt run -s state:modified --defer --state . --profiles-dir=${{ inputs.profiles-directory }} --target=${{ inputs.target }} ${{ inputs.additional_flag }}
         } else {
-          echo " ==> No Previous Manifest file found, running dbt run for unit tests"
-          dbt run --profiles-dir=${{ inputs.profiles-directory }} --target=${{ inputs.target }} ${{ inputs.additional_flag }}
+            echo " ==> No Previous Manifest file found, running dbt run fo release"
+            dbt run --profiles-dir=${{ inputs.profiles-directory }} --target=${{ inputs.target }}  ${{ inputs.additional_flag }}
         }
-
       working-directory: ${{ inputs.working-directory }}
       env:
         snowflake-account: ${{ inputs.snowflake-account }}
@@ -95,4 +106,4 @@ runs:
         snowflake-warehouse: ${{ inputs.snowflake-warehouse }}
         snowflake-target-database: ${{ inputs.snowflake-target-database }}
         snowflake-authenticator-value: ${{ inputs.snowflake-authenticator-value }}
-        snowflake-privatekey-passphrase: ${{ inputs.snowflake-privatekey-passphrase }}
+        snowflake-privatekey-passphrase: ${{ inputs.snowflake-privatekey-passphrase }}
diff --git a/tasks/dbt-docs-generate/action.yml b/tasks/dbt-docs-generate/action.yml
@@ -54,7 +54,7 @@ runs:
         snowflake-privatekey-passphrase: ${{ inputs.snowflake-privatekey-passphrase }}
 
     - name: Archive Dbt Docs
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: ${{ inputs.archive-outputs == 'true' }}
       with:
           name: dbt-docs
diff --git a/tasks/dbt-docs-publish/action.yml b/tasks/dbt-docs-publish/action.yml
@@ -1,9 +1,9 @@
 name: Publish Dbt Docs to Azure Storage
 description: Publish the dbt docs to Azure Storage
 inputs:
-  azure_credentials:
-    description: The azure azure_credentials to be used 
-    required: true
+  use-azure-federated-login:
+    description: Specifies if the action should use Azure Federated Login or Azure Service Principal ClientID/ClientSecret
+    default: false
   target-directory:
     description: The directory where the DBT output is located
     required: true
@@ -28,7 +28,22 @@ inputs:
     description: The number of seconds to wait before removing the IP address from the firewall
     required: false
     default: 30
+  azure-credentials:
+    description: The Azure credentials to use for authentication
+    required: false
+  azure-client-id:
+    description: The Azure client ID to use for authentication
+    required: false
+  azure-tenant-id:
+    description: The Azure tenant ID to use for authentication
+    required: false
+  azure-subscription-id:
+    description: The Azure subscription ID to use for authentication
+    required: false
 
+permissions:
+  id-token: write
+  contents: read
 runs:
   using: "composite"
   steps:
@@ -51,9 +66,20 @@ runs:
           echo "CATALOG_FILE=$(echo ${{ env.BRANCH_NAME }}/catalog.json)" >> $GITHUB_ENV
 
       - name: Authenticate to Azure as a Service Principal
-        uses: azure/login@v1
+        uses: azure/login@v2
+        if: ${{ inputs.use-azure-federated-login == 'false' }}
+        with:
+          creds: ${{ inputs.azure-credentials }}
+
+      - name: Authenticate to Azure as a Service Principal (ODIC)
+        uses: azure/login@v2
+        if: ${{ inputs.use-azure-federated-login == 'true' }}
         with:
-          creds: ${{ inputs.azure_credentials }}
+          client-id: ${{ inputs.azure-client-id }}
+          tenant-id: ${{ inputs.azure-tenant-id }}
+          subscription-id: ${{ inputs.azure-subscription-id }}
+          enable-AzPSSession: true
+
 
       - name: Find and replace the placeholders
         shell: pwsh
@@ -67,7 +93,7 @@ runs:
 
 
       - name: Upload DBT Docs to subfolder
-        uses: azure/CLI@v1
+        uses: azure/CLI@v2
         if: inputs.branchBasedFolder == 'yes'
         with:
           inlineScript: |
@@ -83,7 +109,7 @@ runs:
               az storage blob upload --account-name ${{ inputs.storage-account }} --auth-mode login  -f '${{ inputs.working-directory }}/${{ inputs.target-directory }}/index.html' -c '${{inputs.container}}' -n '${{ env.BRANCH_NAME }}/index.html' --content-type 'text/html' --overwrite
 
       - name: Upload DBT Docs
-        uses: azure/CLI@v1
+        uses: azure/CLI@v2
         if: inputs.branchBasedFolder == 'no'
         with:
           inlineScript: |
@@ -98,7 +124,7 @@ runs:
               az storage blob upload --account-name ${{ inputs.storage-account }}  -f '${{ inputs.working-directory }}/${{ inputs.target-directory }}/index.html' -c '${{inputs.container}}' -n 'index.html' --content-type 'text/html' --overwrite
 
       - name: add the IP address of the agent to the allowed list
-        uses: azure/CLI@v1
+        uses: azure/CLI@v2
         if: always()
         with:
           inlineScript: |
diff --git a/tasks/dbt-manifest-clone/action.yml b/tasks/dbt-manifest-clone/action.yml
@@ -1,9 +1,9 @@
 name: Clone the Manifest for the cloned database
 description: Clones an existing dbt manifest.json for the database
 inputs:
-  azure_credentials:
-    description: The azure azure_credentials to be used 
-    required: true
+  use-azure-federated-login:
+    description: Specifies if the action should use Azure Federated Login or Azure Service Principal ClientID/ClientSecret
+    default: false
   resource-group:
     description: The resource group where the storage account is located
     required: true
@@ -16,17 +16,43 @@ inputs:
   snowflake-target-database:
     description: The name of the database to set the manifest for
     required: true
+  azure-credentials:
+    description: The Azure credentials to use for authentication
+    required: false
+  azure-client-id:
+    description: The Azure client ID to use for authentication
+    required: false
+  azure-tenant-id:
+    description: The Azure tenant ID to use for authentication
+    required: false
+  azure-subscription-id:
+    description: The Azure subscription ID to use for authentication
+    required: false
 
+permissions:
+  id-token: write
+  contents: read
 runs:
   using: "composite"
   steps:
       - name: Authenticate to Azure as a Service Principal
-        uses: azure/login@v1
+        uses: azure/login@v2
+        if: ${{ inputs.use-azure-federated-login == 'false' }}
+        with:
+          creds: ${{ inputs.azure-credentials }}
+
+      - name: Authenticate to Azure as a Service Principal (ODIC)
+        uses: azure/login@v2
+        if: ${{ inputs.use-azure-federated-login == 'true' }}
         with:
-          creds: ${{ inputs.azure_credentials }}           
+          client-id: ${{ inputs.azure-client-id }}
+          tenant-id: ${{ inputs.azure-tenant-id }}
+          subscription-id: ${{ inputs.azure-subscription-id }}
+          enable-AzPSSession: true
+
 
       - name: Clone Manifest file
-        uses: azure/CLI@v1
+        uses: azure/CLI@v2
         with:
           inlineScript: |
               if $(az storage blob exists --container-name 'manifests' --name ${{ inputs.snowflake-source-database }}_manifest.json --account-name ${{ inputs.storage-account }} --query exists --auth-mode login)
@@ -41,7 +67,7 @@ runs:
                   --source-blob '${{ inputs.snowflake-source-database }}_manifest.json' \
                   --auth-mode login  
               fi
-              
+
       # Azure logout
       - name: logout
         shell: bash
diff --git a/tasks/dbt-manifest-destroy/action.yml b/tasks/dbt-manifest-destroy/action.yml
@@ -1,9 +1,9 @@
 name: Removes the Manifest for the database
 description: Removes an existing dbt manifest.json from the storage account
 inputs:
-  azure_credentials:
-    description: The azure azure_credentials to be used 
-    required: true
+  use-azure-federated-login:
+    description: Specifies if the action should use Azure Federated Login or Azure Service Principal ClientID/ClientSecret
+    default: false
   resource-group:
     description: The resource group where the storage account is located
     required: true
@@ -13,17 +13,43 @@ inputs:
   snowflake-target-database:
     description: The name of the database to set the manifest for
     required: true
+  azure-credentials:
+    description: The Azure credentials to use for authentication
+    required: false
+  azure-client-id:
+    description: The Azure client ID to use for authentication
+    required: false
+  azure-tenant-id:
+    description: The Azure tenant ID to use for authentication
+    required: false
+  azure-subscription-id:
+    description: The Azure subscription ID to use for authentication
+    required: false
 
+permissions:
+  id-token: write
+  contents: read
 runs:
   using: "composite"
   steps:
       - name: Authenticate to Azure as a Service Principal
-        uses: azure/login@v1
+        uses: azure/login@v2
+        if: ${{ inputs.use-azure-federated-login == 'false' }}
+        with:
+          creds: ${{ inputs.azure-credentials }}
+
+      - name: Authenticate to Azure as a Service Principal (ODIC)
+        uses: azure/login@v2
+        if: ${{ inputs.use-azure-federated-login == 'true' }}
         with:
-          creds: ${{ inputs.azure_credentials }}           
+          client-id: ${{ inputs.azure-client-id }}
+          tenant-id: ${{ inputs.azure-tenant-id }}
+          subscription-id: ${{ inputs.azure-subscription-id }}
+          enable-AzPSSession: true
+
 
       - name: Clone Manifest file
-        uses: azure/CLI@v1
+        uses: azure/CLI@v2
         with:
           inlineScript: |
               if $(az storage blob exists --container-name 'manifests' --name ${{ inputs.snowflake-target-database }}_manifest.json --account-name ${{ inputs.storage-account }} --query exists --auth-mode login)
@@ -34,9 +60,9 @@ runs:
                   --container-name 'manifests' \
                   --name '${{ inputs.snowflake-target-database }}_manifest.json' \
                   --delete-snapshots include \
-                  --auth-mode login  
+                  --auth-mode login
               fi
-   
+
       # Azure logout
       - name: logout
         shell: bash
diff --git a/tasks/dbt-manifest-download/action.yml b/tasks/dbt-manifest-download/action.yml
diff --git a/tasks/dbt-manifest-upload/action.yml b/tasks/dbt-manifest-upload/action.yml
diff --git a/tasks/dbt-test/action.yml b/tasks/dbt-test/action.yml
