Final pipelines

Author: leandrodamascena

.github/workflows/publish_v3_layer.yml

@@ -76,7 +76,7 @@ env:
 jobs:
   build-layer:
     permissions:
-      # lower privilege propagated from parent workflow (release.yml)
+      # lower privilege propagated from parent workflow (release-v3.yml)
       contents: read
       id-token: write
       pages: none
@@ -85,7 +85,7 @@ jobs:
     strategy:
       max-parallel: 5
       matrix:
-        python-version: ["3.8","3.9"]
+        python-version: ["3.8","3.9","3.10","3.11","3.12"]
     defaults:
       run:
         working-directory: ./layer_v3
@@ -156,7 +156,7 @@ jobs:
 
   beta:
     needs: build-layer
-    # lower privilege propagated from parent workflow (release.yml)
+    # lower privilege propagated from parent workflow (release-v3.yml)
     permissions:
       id-token: write
       contents: read
@@ -170,40 +170,40 @@ jobs:
       source_code_artifact_name: ${{ inputs.source_code_artifact_name }}
       source_code_integrity_hash: ${{ inputs.source_code_integrity_hash }}
 
-  # UNCOMMENT prod JOB
-  #prod:
-  #  needs: beta
-    # lower privilege propagated from parent workflow (release.yml)
-  #  permissions:
-  #    id-token: write
-  #    contents: read
-  #    pages: write             # docs will be updated with latest Layer ARNs
-  #    pull-requests: write     # creation-action will create a PR with Layer ARN updates
-  #  uses: ./.github/workflows/reusable_deploy_v3_layer_stack.yml
-  #  secrets: inherit
-  #  with:
-  #    stage: "PROD"
-  #    environment: "layer-prod"
-  #    source_code_artifact_name: ${{ inputs.source_code_artifact_name }}
-  #    source_code_integrity_hash: ${{ inputs.source_code_integrity_hash }}
-
-  sar-beta:
-    needs: beta  # canaries run on Layer Beta env
+  prod:
+    needs: beta
+    # lower privilege propagated from parent workflow (release-v3.yml)
     permissions:
-      # lower privilege propagated from parent workflow (release.yml)
       id-token: write
       contents: read
-      pull-requests: none
-      pages: none
-    uses: ./.github/workflows/reusable_deploy_v3_sar.yml
+      pages: write             # docs will be updated with latest Layer ARNs
+      pull-requests: write     # creation-action will create a PR with Layer ARN updates
+    uses: ./.github/workflows/reusable_deploy_v3_layer_stack.yml
     secrets: inherit
     with:
-      stage: "BETA"
-      environment: "layer-beta"
-      package-version: ${{ inputs.latest_published_version }}
+      stage: "PROD"
+      environment: "layer-prod"
       source_code_artifact_name: ${{ inputs.source_code_artifact_name }}
       source_code_integrity_hash: ${{ inputs.source_code_integrity_hash }}
 
+  # UNCOMMENT sar-beta JOB
+  #sar-beta:
+  #  needs: beta  # canaries run on Layer Beta env
+  #  permissions:
+      # lower privilege propagated from parent workflow (release.yml)
+  #    id-token: write
+  #    contents: read
+  #    pull-requests: none
+  #    pages: none
+  #  uses: ./.github/workflows/reusable_deploy_v3_sar.yml
+  #  secrets: inherit
+  #  with:
+  #    stage: "BETA"
+  #    environment: "layer-beta"
+  #    package-version: ${{ inputs.latest_published_version }}
+  #    source_code_artifact_name: ${{ inputs.source_code_artifact_name }}
+  #    source_code_integrity_hash: ${{ inputs.source_code_integrity_hash }}
+
   # UNCOMMENT sar-prod JOB
   #sar-prod:
   #  needs: sar-beta
@@ -232,30 +232,30 @@ jobs:
   # where a new release creates a new doc (2.16.0) while layers are still pointing to 2.15
   # because the PR has to be merged while release process is running
 
-  # UNCOMMENT update_v3_layer_arn_docs JOB
-  #update_v3_layer_arn_docs:
-  #  needs: prod
-  #  outputs:
-  #    temp_branch: ${{ steps.create-pr.outputs.temp_branch }}
-  #  runs-on: ubuntu-latest
-  #  permissions:
+  update_v3_layer_arn_docs:
+    needs: prod
+    outputs:
+      temp_branch: ${{ steps.create-pr.outputs.temp_branch }}
+    runs-on: ubuntu-latest
+    permissions:
       # lower privilege propagated from parent workflow (release.yml)
-  #    contents: write
-  #    pull-requests: write
-  #    id-token: none
-  #    pages: none
-  #  steps:
-  #    - name: Checkout repository # reusable workflows start clean, so we need to checkout again
-  #      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29  # v4.1.6
-  #      with:
-  #        ref: ${{ env.RELEASE_COMMIT }}
+      contents: write
+      pull-requests: write
+      id-token: none
+      pages: none
+    steps:
+      - name: Checkout repository # reusable workflows start clean, so we need to checkout again
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29  # v4.1.6
+        with:
+          ref: ${{ env.RELEASE_COMMIT }}
 
-  #    - name: Restore sealed source code
-  #      uses: ./.github/actions/seal-restore
-  #      with:
-  #        integrity_hash: ${{ inputs.source_code_integrity_hash }}
-  #        artifact_name: ${{ inputs.source_code_artifact_name }}
+      - name: Restore sealed source code
+        uses: ./.github/actions/seal-restore
+        with:
+          integrity_hash: ${{ inputs.source_code_integrity_hash }}
+          artifact_name: ${{ inputs.source_code_artifact_name }}
 
+  # UNCOMMENT THIS
   #    - name: Download CDK layer artifacts
   #      uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
   #      with:
@@ -265,53 +265,51 @@ jobs:
   #    - name: Replace layer versions in documentation
   #      run: |
   #        ls -la cdk-layer-stack/
-  #        ./layer/scripts/update_layer_arn.sh cdk-layer-stack
+  #        ./layer_v3/scripts/update_layer_arn.sh cdk-layer-stack
       # NOTE: It felt unnecessary creating yet another PR to update changelog w/ latest tag
       # since this is the only step in the release where we update docs from a temp branch
-  #    - name: Update changelog with latest tag
-  #      run: make changelog
-  #    - name: Create PR
-  #      id: create-pr
-  #      uses: ./.github/actions/create-pr
-  #      with:
-  #        files: "docs/index.md examples CHANGELOG.md"
-  #        temp_branch_prefix: "ci-layer-docs"
-  #        pull_request_title: "chore(ci): layer docs update"
-  #        github_token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Update changelog with latest tag
+        run: make changelog
+      - name: Create PR
+        id: create-pr
+        uses: ./.github/actions/create-pr
+        with:
+          files: "docs/index.md examples CHANGELOG.md"
+          temp_branch_prefix: "ci-layer-docs"
+          pull_request_title: "chore(ci): layer docs update"
+          github_token: ${{ secrets.GITHUB_TOKEN }}
 
-  # UNCOMMENT prepare_docs_alias JOB
-  #prepare_docs_alias:
-  #  runs-on: ubuntu-latest
-  #  permissions:
-  #    # lower privilege propagated from parent workflow (release.yml)
-  #    contents: read
-  #    pages: none
-  #    id-token: none
-  #    pull-requests: none
-  #  outputs:
-  #    DOCS_ALIAS: ${{ steps.set-alias.outputs.DOCS_ALIAS }}
-  #  steps:
-  #    - name: Set docs alias
-  #      id: set-alias
-  #      run: |
-  #        DOCS_ALIAS=latest
-  #        if [[ "${{ inputs.pre_release }}" == true ]] ; then
-  #          DOCS_ALIAS=alpha
-  #        fi
-  #        echo DOCS_ALIAS="$DOCS_ALIAS" >> "$GITHUB_OUTPUT"
+  prepare_docs_alias:
+    runs-on: ubuntu-latest
+    permissions:
+      # lower privilege propagated from parent workflow (release.yml)
+      contents: read
+      pages: none
+      id-token: none
+      pull-requests: none
+    outputs:
+      DOCS_ALIAS: ${{ steps.set-alias.outputs.DOCS_ALIAS }}
+    steps:
+      - name: Set docs alias
+        id: set-alias
+        run: |
+          DOCS_ALIAS=latest
+          if [[ "${{ inputs.pre_release }}" == true ]] ; then
+            DOCS_ALIAS=alpha
+          fi
+          echo DOCS_ALIAS="$DOCS_ALIAS" >> "$GITHUB_OUTPUT"
 
-  # UNCOMMENT release_docs JOB
-  #release_docs:
-  #  needs: [update_v3_layer_arn_docs, prepare_docs_alias]
-  #  permissions:
-  #    # lower privilege propagated from parent workflow (release.yml)
-  #    contents: write
-  #    pages: write
-  #    pull-requests: none
-  #    id-token: write
-  #  secrets: inherit
-  #  uses: ./.github/workflows/reusable_publish_docs.yml
-  #  with:
-  #    version: ${{ inputs.latest_published_version }}
-  #    alias: ${{ needs.prepare_docs_alias.outputs.DOCS_ALIAS }}
-  #    git_ref: ${{ needs.update_v3_layer_arn_docs.outputs.temp_branch }}
+  release_docs:
+    needs: [update_v3_layer_arn_docs, prepare_docs_alias]
+    permissions:
+      # lower privilege propagated from parent workflow (release.yml)
+      contents: write
+      pages: write
+      pull-requests: none
+      id-token: write
+    secrets: inherit
+    uses: ./.github/workflows/reusable_publish_docs.yml
+    with:
+      version: ${{ inputs.latest_published_version }}
+      alias: ${{ needs.prepare_docs_alias.outputs.DOCS_ALIAS }}
+      git_ref: ${{ needs.update_v3_layer_arn_docs.outputs.temp_branch }}