From 3fe9230da4217e9eff86c61fec187488e93c276f Mon Sep 17 00:00:00 2001 From: Alexander Schueren Date: Tue, 6 Feb 2024 18:13:30 +0100 Subject: [PATCH 1/7] Update GitHub Actions workflows --- .github/workflows/make-release.yml | 29 ++++++++++++---- .github/workflows/publish_layer.yml | 2 +- .../reusable_update_layer_arn_docs.yml | 33 +++++++++---------- 3 files changed, 39 insertions(+), 25 deletions(-) diff --git a/.github/workflows/make-release.yml b/.github/workflows/make-release.yml index f75847da52..7b77cedebd 100644 --- a/.github/workflows/make-release.yml +++ b/.github/workflows/make-release.yml @@ -35,15 +35,9 @@ jobs: cache: "npm" - name: Setup auth tokens run: | - git config --global user.name 'github-actions[bot]' - git config --global user.email 'github-actions[bot]@users.noreply.github.com' - git remote set-url origin https://x-access-token:${{ secrets.GH_PUBLISH_TOKEN }}@github.com/$GITHUB_REPOSITORY npm set "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" - name: Setup dependencies uses: ./.github/actions/cached-node-modules - - name: Version - run: | - npx lerna version minor --force-publish --no-commit-hooks --yes - name: Publish to npm run: | NPM_CONFIG_PROVENANCE=true npx lerna publish from-git --yes 
@@ -52,7 +46,28 @@ jobs: run: | VERSION=$(cat lerna.json | jq .version -r) echo RELEASE_VERSION="$VERSION" >> "$GITHUB_OUTPUT" - + + create_tag: + needs: [publish-npm] + permissions: + contents: write + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + token: ${{ secrets.GH_PUBLISH_TOKEN }} + fetch-depth: 0 + - name: Git client setup + run: | + git config --global user.name 'aws-powertools-bot' + git config --global user.email '151832416+aws-powertools-bot@users.noreply.github.com' + git config remote.origin.url >&- + - name: Create git tag + run : | + git tag -a v${{ needs.publish-npm.outputs.RELEASE_VERSION }} -m "Release v${{ needs.publish-npm.outputs.RELEASE_VERSION }}" + git push origin v${{ needs.publish-npm.outputs.RELEASE_VERSION }} + # NOTE: Watch out for the depth limit of 4 nested workflow_calls. # publish_layer -> reusable_deploy_layer_stack -> reusable_update_layer_arn_docs publish_layer: diff --git a/.github/workflows/publish_layer.yml b/.github/workflows/publish_layer.yml index 7b178e9c1d..be6c34385e 100644 --- a/.github/workflows/publish_layer.yml +++ b/.github/workflows/publish_layer.yml @@ -1,7 +1,7 @@ name: Deploy layer to all regions permissions: - contents: write + contents: read on: # Manual trigger diff --git a/.github/workflows/reusable_update_layer_arn_docs.yml b/.github/workflows/reusable_update_layer_arn_docs.yml index 92ea1b6fb0..0c7729aee4 100644 --- a/.github/workflows/reusable_update_layer_arn_docs.yml +++ b/.github/workflows/reusable_update_layer_arn_docs.yml @@ -9,10 +9,11 @@ on: required: true permissions: - contents: write + contents: read env: BRANCH: main + RELEASE_COMMIT: ${{ github.sha }} jobs: publish_layer_arn: 
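Review bot: The `Create git tag` step in the new `create_tag` job expands `${{ needs.publish-npm.outputs.RELEASE_VERSION }}` straight into the shell script text, so whatever `jq .version -r` read out of lerna.json becomes part of the command line unquoted; route it through `env:` and quote it so the value is data rather than script. The key is also written `run :` with a space before the colon, which YAML tolerates but yamllint's `colons` rule rejects and which differs from every other step in the file. `git tag -a` fails once the tag exists, so if re-running a half-failed release is expected, guard with `git rev-parse -q --verify "refs/tags/v${RELEASE_VERSION}"` before tagging.
```yaml
      - name: Create git tag
        env:
          RELEASE_VERSION: ${{ needs.publish-npm.outputs.RELEASE_VERSION }}
        run: |
          git tag -a "v${RELEASE_VERSION}" -m "Release v${RELEASE_VERSION}"
          git push origin "v${RELEASE_VERSION}"
```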
@@ -21,18 +22,15 @@ jobs: concurrency: group: changelog-build runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write + id-token: none steps: - name: Checkout repository # reusable workflows start clean, so we need to checkout again uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: - fetch-depth: 0 - - name: Git client setup and refresh tip - run: | - git config user.name "Release bot[bot]" - git config user.email "aws-devax-open-source@amazon.com" - git config pull.rebase true - git config remote.origin.url >&- || git remote add origin https://github.com/"${origin}" # Git Detached mode (release notes) doesn't have origin - git pull origin "${BRANCH}" + ref: ${{ env.RELEASE_COMMIT }} - name: Download CDK layer artifact uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: @@ -42,11 +40,12 @@ jobs: run: | ls -la cdk-layer-stack/ ./.github/scripts/update_layer_arn.sh cdk-layer-stack - - name: Update documentation in trunk - run: | - HAS_CHANGE=$(git status --porcelain) - test -z "${HAS_CHANGE}" && echo "Nothing to update" && exit 0 - git add docs/index.md - git commit -m "chore: update layer ARN on documentation" - git pull origin "${BRANCH}" # prevents concurrent branch update failing push - git push origin HEAD:refs/heads/"${BRANCH}" + - name: Create PR + id: create-pr + uses: ./.github/actions/create-pr + with: + files: 'docs/index.md' + temp_branch_prefix: 'ci-layer-docs' + pull_request_title: 'chore(ci): update layer ARN on documentation' + github_token: ${{ secrets.GITHUB_TOKEN }} + \ No newline at end of file From 1fcf2ac42d0eb69d1d01feeb68cee5d3b8de8844 Mon Sep 17 00:00:00 2001 
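Review bot: The job-level `permissions` block added under `publish_layer_arn` asks for `contents: write` and `pull-requests: write`, but a reusable workflow can only receive what the calling job grants, and the caller `publish_layer.yml` is lowered to top-level `contents: read` in this same patch. Unless the calling job in `publish_layer.yml` (outside this hunk) declares those permissions itself, the checkout and the later PR step run with a read-only token and fail at push time. Make the coupling explicit on the block, e.g. `# the calling job in publish_layer.yml must grant contents/pull-requests write as well`. Note also that the replaced steps pulled the tip of `${BRANCH}` while the new checkout pins `ref: ${{ env.RELEASE_COMMIT }}`, so the docs change is now based on the release commit rather than current `main`; that is probably intended, but worth a one-line comment on `ref:`.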
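Review bot: The new `Create PR` step hands `secrets.GITHUB_TOKEN` to `./.github/actions/create-pr`, and pull requests opened with that token do not trigger further workflow runs, so required status checks on the generated PR will never start and a branch protection rule that requires them blocks the merge until someone pushes to the branch or closes and reopens it. Document this at the step, e.g. `# PRs opened with GITHUB_TOKEN do not trigger CI; re-run checks manually if branch protection requires them`, or supply a GitHub App token if automatic checks are needed. The hunk also ends with a `+` line containing only whitespace and `\ No newline at end of file`; drop that trailing line and end the file with a single newline so yamllint's `trailing-spaces` and `new-line-at-end-of-file` rules pass.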
From: Alexander Schueren Date: Wed, 7 Feb 2024 11:00:01 +0100 Subject: [PATCH 2/7] remove env, use git sha --- .github/workflows/make-release.yml | 7 ++----- .github/workflows/publish_layer.yml | 2 +- .github/workflows/reusable_update_layer_arn_docs.yml | 3 +-- 3 files changed, 4 insertions(+), 8 deletions(-) diff --git a/.github/workflows/make-release.yml b/.github/workflows/make-release.yml index 7b77cedebd..cfd91ed3a1 100644 --- a/.github/workflows/make-release.yml +++ b/.github/workflows/make-release.yml @@ -24,10 +24,7 @@ jobs: - name: Checkout code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: - # Here `token` is needed to avoid incurring in error GH006 Protected Branch Update Failed, - token: ${{ secrets.GH_PUBLISH_TOKEN }} - # While `fetch-depth` is used to allow the workflow to later commit & push the changes. - fetch-depth: 0 + ref: ${{ github.ref }} - name: Setup NodeJS uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1 with: @@ -57,7 +54,7 @@ jobs: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: token: ${{ secrets.GH_PUBLISH_TOKEN }} - fetch-depth: 0 + ref: ${{ github.ref }} - name: Git client setup run: | git config --global user.name 'aws-powertools-bot' diff --git a/.github/workflows/publish_layer.yml b/.github/workflows/publish_layer.yml index be6c34385e..5160f3e2f9 100644 --- a/.github/workflows/publish_layer.yml +++ b/.github/workflows/publish_layer.yml @@ -33,7 +33,7 @@ jobs: - name: checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: - fetch-depth: 0 + ref: ${{ github.ref }} - name: Setup Node.js uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1 with: diff --git a/.github/workflows/reusable_update_layer_arn_docs.yml b/.github/workflows/reusable_update_layer_arn_docs.yml index 0c7729aee4..4d4cea1547 100644 --- a/.github/workflows/reusable_update_layer_arn_docs.yml 
+++ b/.github/workflows/reusable_update_layer_arn_docs.yml @@ -13,7 +13,6 @@ permissions: env: BRANCH: main - RELEASE_COMMIT: ${{ github.sha }} jobs: publish_layer_arn: @@ -30,7 +29,7 @@ jobs: - name: Checkout repository # reusable workflows start clean, so we need to checkout again uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: - ref: ${{ env.RELEASE_COMMIT }} + ref: ${{ github.sha }} - name: Download CDK layer artifact uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: From 5ebc1754741e97f25532134911d7329385dad5c6 Mon Sep 17 00:00:00 2001 From: Alexander Schueren Date: Thu, 8 Feb 2024 10:39:38 +0100 Subject: [PATCH 3/7] Update GitHub Actions references to use github.sha --- .github/workflows/make-release.yml | 4 ++-- .github/workflows/make-version.yml | 5 +---- .github/workflows/publish_layer.yml | 2 +- 3 files changed, 4 insertions(+), 7 deletions(-) diff --git a/.github/workflows/make-release.yml b/.github/workflows/make-release.yml index cfd91ed3a1..2347a4ebe0 100644 --- a/.github/workflows/make-release.yml +++ b/.github/workflows/make-release.yml @@ -24,7 +24,7 @@ jobs: - name: Checkout code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: - ref: ${{ github.ref }} + ref: ${{ github.sha }} - name: Setup NodeJS uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1 with: @@ -54,7 +54,7 @@ jobs: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: token: ${{ secrets.GH_PUBLISH_TOKEN }} - ref: ${{ github.ref }} + ref: ${{ github.sha }} - name: Git client setup run: | git config --global user.name 'aws-powertools-bot' diff --git a/.github/workflows/make-version.yml b/.github/workflows/make-version.yml index 4f60ce52be..a300b2e7f2 100644 --- a/.github/workflows/make-version.yml +++ b/.github/workflows/make-version.yml 
@@ -4,9 +4,6 @@ on: workflow_dispatch: { } -env: - RELEASE_COMMIT: ${{ github.sha }} - jobs: bump-version: permissions: @@ -20,7 +17,7 @@ jobs: - name: Checkout code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: - ref: ${{ github.ref }} + ref: ${{ github.sha }} - name: Setup NodeJS uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1 with: diff --git a/.github/workflows/publish_layer.yml b/.github/workflows/publish_layer.yml index 5160f3e2f9..58e6969b39 100644 --- a/.github/workflows/publish_layer.yml +++ b/.github/workflows/publish_layer.yml @@ -33,7 +33,7 @@ jobs: - name: checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: - ref: ${{ github.ref }} + ref: ${{ github.sha }} - name: Setup Node.js uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1 with: From 70309186444796440de402e385250077b232855b Mon Sep 17 00:00:00 2001 From: Alexander Schueren Date: Thu, 8 Feb 2024 16:38:22 +0100 Subject: [PATCH 4/7] change publish from package using sha instead of tag --- .github/workflows/make-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/make-release.yml b/.github/workflows/make-release.yml index 2347a4ebe0..46da01d0e0 100644 --- a/.github/workflows/make-release.yml +++ b/.github/workflows/make-release.yml @@ -37,7 +37,7 @@ jobs: uses: ./.github/actions/cached-node-modules - name: Publish to npm run: | - NPM_CONFIG_PROVENANCE=true npx lerna publish from-git --yes + NPM_CONFIG_PROVENANCE=true npx lerna publish from-package --git-head ${{ github.sha }} --yes - name: Set release version id: set-release-version run: | From e092ad5f58870d9adc8ecfe98f013585c1fd9a29 Mon Sep 17 00:00:00 2001 From: Alexander Schueren Date: Fri, 9 Feb 2024 10:39:02 +0100 Subject: [PATCH 5/7] remove unnecessary token for checkout --- .github/workflows/make-release.yml | 1 - 1 file changed, 1 deletion(-) 
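Review bot: `lerna publish from-package` publishes only packages whose package.json version is absent from the registry and exits successfully when there is nothing to do, so a run started before the `make-version` PR is merged is a silent no-op at this step, yet `set-release-version` still emits the unchanged version and `create_tag` then tries to tag it and fails there, late and with a confusing error. Consider failing fast in this step when nothing was published, for instance by comparing `$(jq -r .version lerna.json)` against `npm view <one published package> version` before running lerna. Pairing `--git-head ${{ github.sha }}` with `from-package` is the right combination, and interpolating the sha here is safe since it is a fixed-format hex value; a short comment such as `# from-package ignores git tags; the tag is created in create_tag after publishing` would explain why `from-git` was dropped.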
diff --git a/.github/workflows/make-release.yml b/.github/workflows/make-release.yml index 46da01d0e0..9be044fea8 100644 --- a/.github/workflows/make-release.yml +++ b/.github/workflows/make-release.yml @@ -53,7 +53,6 @@ jobs: - name: Checkout code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: - token: ${{ secrets.GH_PUBLISH_TOKEN }} ref: ${{ github.sha }} - name: Git client setup run: | From b90beb45f0632aa996cbce87ca1ebb9d518379ec Mon Sep 17 00:00:00 2001 From: Alexander Schueren Date: Fri, 9 Feb 2024 11:05:02 +0100 Subject: [PATCH 6/7] add workflow docs and comments --- .github/workflows/make-release.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/.github/workflows/make-release.yml b/.github/workflows/make-release.yml index 9be044fea8..cf324dc4f7 100644 --- a/.github/workflows/make-release.yml +++ b/.github/workflows/make-release.yml @@ -1,4 +1,22 @@ name: Make Release + +# RELEASE PROCESS +# +# === Automated activities === +# 1. [Quality check] Run unit tests, linting +# 2. [Release] Publish to npm, all packages using the latest git commit sha, ensure provenance with NPM_CONFIG_PROVENANCE=true +# 3. [Create tag] Create a new git tag using released version +# 4. [Publish layer] build and package layer, kick off the workflow for beta and prod deployment +# 5. [Publish layer] update documentation with the latest layer ARN version +# 6. [Publish layer] Create PR to merge the updated documentation +# +# === Manual activities === +# 1. Kick off `make-version` workflow to bump and review the version changes and changelog for each package +# 2. Merge the PR created by `make-version` workflow +# 3. Kick off this opw workflow to make the release +# 4. Merge the PR created by the `publish_layer` workflow to update the documentation +# 5. Update draft release notes with the latest changes and publish the release on GitHub + on: workflow_dispatch: {} 
@@ -7,9 +25,15 @@ permissions: concurrency: group: on-release-publish + + jobs: run-unit-tests: uses: ./.github/workflows/reusable-run-linting-check-and-unit-tests.yml + # This job publishes the packages to npm. + # It uses the latest git commit sha as the version and ensures provenance with NPM_CONFIG_PROVENANCE flag. + # We don't bump the version because we do that in the `make-version` workflow. + # It also sets the RELEASE_VERSION output to be used by the next job to create a git tag. publish-npm: needs: run-unit-tests # Needed as recommended by npm docs on publishing with provenance https://docs.npmjs.com/generating-provenance-statements @@ -44,6 +68,7 @@ jobs: VERSION=$(cat lerna.json | jq .version -r) echo RELEASE_VERSION="$VERSION" >> "$GITHUB_OUTPUT" + # This job creates a new git tag using the released version (v1.18.1) create_tag: needs: [publish-npm] permissions: From a3772204b88dc0c4ca362531463db26c5896d813 Mon Sep 17 00:00:00 2001 From: Alexander Schueren Date: Fri, 9 Feb 2024 11:08:24 +0100 Subject: [PATCH 7/7] small wording changes --- .github/workflows/make-release.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/make-release.yml b/.github/workflows/make-release.yml index cf324dc4f7..17887cb088 100644 --- a/.github/workflows/make-release.yml +++ b/.github/workflows/make-release.yml 
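Review bot: The hunk inserts two consecutive blank lines between `group: on-release-publish` and `jobs:`, while the rest of the file separates stanzas with one; keep a single blank line so yamllint's `empty-lines` setting and the file's own layout agree. The comment added above `publish-npm` says the job "uses the latest git commit sha as the version", but the published version comes from package.json/lerna.json (bumped by `make-version`, and read back by `set-release-version` via `jq .version`), while the sha is only recorded as `gitHead` through `--git-head`; rephrase to `# It publishes the versions already bumped by make-version, recording the current commit sha as gitHead, and ensures provenance with NPM_CONFIG_PROVENANCE.` The `(v1.18.1)` in the `create_tag` comment reads as a fixed value rather than an example; `(e.g. v1.18.1)` avoids that.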
@@ -3,17 +3,17 @@ name: Make Release # RELEASE PROCESS # # === Automated activities === -# 1. [Quality check] Run unit tests, linting -# 2. [Release] Publish to npm, all packages using the latest git commit sha, ensure provenance with NPM_CONFIG_PROVENANCE=true -# 3. [Create tag] Create a new git tag using released version -# 4. [Publish layer] build and package layer, kick off the workflow for beta and prod deployment -# 5. [Publish layer] update documentation with the latest layer ARN version -# 6. [Publish layer] Create PR to merge the updated documentation +# 1. [Quality check] run unit tests, linting, examples, layer, doc snippets +# 2. [Release] publish all packages to npmjs.org using the latest git commit, ensure provenance with NPM_CONFIG_PROVENANCE=true +# 3. [Create tag] create a new git tag using released version, i.e. v1.13.1 +# 4. [Publish layer] build and package layer, kick off the workflow for beta and prod deployment, including canary tests +# 5. [Publish layer] update documentation with the latest layer ARN version of the prod deployment +# 6. [Publish layer] create PR to merge the updated documentation # # === Manual activities === # 1. Kick off `make-version` workflow to bump and review the version changes and changelog for each package # 2. Merge the PR created by `make-version` workflow -# 3. Kick off this opw workflow to make the release +# 3. Kick off this workflow to make the release # 4. Merge the PR created by the `publish_layer` workflow to update the documentation # 5. Update draft release notes with the latest changes and publish the release on GitHub