From 129cbdf7f06664b87b9cb5480229bdea59d33e7d Mon Sep 17 00:00:00 2001
From: Alexander Schueren
Date: Fri, 9 Feb 2024 16:27:50 +0100
Subject: [PATCH 1/5] add contents read top level permission

---
 .github/workflows/make-version.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/make-version.yml b/.github/workflows/make-version.yml
index b51ff3980d..a13613712a 100644
--- a/.github/workflows/make-version.yml
+++ b/.github/workflows/make-version.yml
@@ -3,6 +3,9 @@ name: Make Version
 on:
 workflow_dispatch: { }
+permissions:
+ contents: read
+
 jobs:
 bump-version:

From 2284e0b76b147157b777029a7b85247074bed724 Mon Sep 17 00:00:00 2001
From: Alexander Schueren
Date: Fri, 9 Feb 2024 16:29:50 +0100
Subject: [PATCH 2/5] remove double doc update, we will update doc after layer ARN PR merge

---
 .github/workflows/publish_layer.yml | 29 +----------------------------
 1 file changed, 1 insertion(+), 28 deletions(-)

diff --git a/.github/workflows/publish_layer.yml b/.github/workflows/publish_layer.yml
index d567de0585..ceed605b16 100644
--- a/.github/workflows/publish_layer.yml
+++ b/.github/workflows/publish_layer.yml
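Review bot: A workflow-level `permissions: contents: read` turns every unlisted scope off for all jobs, so `bump-version` (which begins on the last line of this hunk and continues outside it) now receives a read-only `GITHUB_TOKEN` unless it declares its own job-level `permissions`; if it pushes the version bump or opens a PR it needs `contents: write` and/or `pull-requests: write` at job level, and this commit does not show that. A one-line comment above the block would save the next maintainer the surprise, e.g. `# Default token is read-only; jobs that push or open PRs must request write scopes themselves`. The narrowing itself is the right direction for a `workflow_dispatch` release helper.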
@@ -76,31 +76,4 @@ jobs:
 artifact-name: "cdk-layer-artifact"
 latest_published_version: ${{ inputs.latest_published_version }}
 secrets:
- target-account-role: ${{ secrets.AWS_LAYERS_PROD_ROLE_ARN }}
-
- prepare_docs_alias:
- runs-on: ubuntu-latest
- permissions:
- contents: read
- outputs:
- DOCS_ALIAS: ${{ steps.set-alias.outputs.DOCS_ALIAS }}
- steps:
- - name: Set docs alias
- id: set-alias
- run: |
- DOCS_ALIAS=latest
- if [[ "${{ inputs.pre_release }}" == true ]] ; then
- DOCS_ALIAS=alpha
- fi
- echo DOCS_ALIAS="$DOCS_ALIAS" >> "$GITHUB_OUTPUT"
-
- release-docs:
- needs: [ deploy-prod, prepare_docs_alias ]
- permissions:
- id-token: write
- secrets: inherit
- uses: ./.github/workflows/reusable_publish_docs.yml
- with:
- version: ${{ inputs.latest_published_version }}
- alias: ${{ needs.prepare_docs_alias.outputs.DOCS_ALIAS }}
- detached_mode: true
+ target-account-role: ${{ secrets.AWS_LAYERS_PROD_ROLE_ARN }}
\ No newline at end of file

From a050d6b7ab7a44994024dbdd4df55f2d5f4d3a3e Mon Sep 17 00:00:00 2001
From: Alexander Schueren
Date: Fri, 9 Feb 2024 16:33:53 +0100
Subject: [PATCH 3/5] pull up layer ARN docs update

---
 .github/workflows/publish_layer.yml | 36 ++++++++++++-
 .../workflows/reusable_deploy_layer_stack.yml | 8 ---
 .../reusable_update_layer_arn_docs.yml | 50 -------------------
 3 files changed, 35 insertions(+), 59 deletions(-)
 delete mode 100644 .github/workflows/reusable_update_layer_arn_docs.yml

diff --git a/.github/workflows/publish_layer.yml b/.github/workflows/publish_layer.yml
index ceed605b16..3f348cfc14 100644
--- a/.github/workflows/publish_layer.yml
+++ b/.github/workflows/publish_layer.yml
@@ -76,4 +76,38 @@ jobs:
 artifact-name: "cdk-layer-artifact"
 latest_published_version: ${{ inputs.latest_published_version }}
 secrets:
- target-account-role: ${{ secrets.AWS_LAYERS_PROD_ROLE_ARN }}
\ No newline at end of file
+ target-account-role: ${{ secrets.AWS_LAYERS_PROD_ROLE_ARN }}
+
+ update_layer_arn_docs:
+ needs: [deploy-prod]
+ # Force Github action to run only a single job at a time (based on the group name)
+ # This is to prevent race-condition and inconsistencies with changelog push
+ concurrency:
+ group: changelog-build
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
+ id-token: none
+ steps:
+ - name: Checkout repository # reusable workflows start clean, so we need to checkout again
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ ref: ${{ github.sha }}
+ - name: Download CDK layer artifact
+ uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
+ with:
+ name: cdk-layer-stack
+ path: cdk-layer-stack/
+ - name: Replace layer versions in documentation
+ run: |
+ ls -la cdk-layer-stack/
+ ./.github/scripts/update_layer_arn.sh cdk-layer-stack
+ - name: Create PR
+ id: create-pr
+ uses: ./.github/actions/create-pr
+ with:
+ files: 'docs/index.md'
+ temp_branch_prefix: 'ci-layer-docs'
+ pull_request_title: 'chore(ci): update layer ARN on documentation'
+ github_token: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file

diff --git a/.github/workflows/reusable_deploy_layer_stack.yml b/.github/workflows/reusable_deploy_layer_stack.yml
index 47d5d4bc61..ca120916e5 100644
--- a/.github/workflows/reusable_deploy_layer_stack.yml
+++ b/.github/workflows/reusable_deploy_layer_stack.yml
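Review bot: The `concurrency` comment (`inconsistencies with changelog push`) and the `changelog-build` group name were carried over verbatim from the deleted reusable workflow, so this job now serializes a docs-only PR against whatever else uses that group while the comment no longer explains why; either move it to a dedicated group such as `group: layer-arn-docs` or reword the comment to name the job it must not overlap with. The file is also left with `\ No newline at end of file` after `github_token: ${{ secrets.GITHUB_TOKEN }}`, the same state patch 2/5 introduced, so the next append will churn this line again; add the trailing newline. The scoping of the job itself is sound: `id-token: none` is explicit, the checkout is pinned to `${{ github.sha }}`, both third-party actions are SHA-pinned, and `contents: write` is confined to this one job. Because the job now lives in a called workflow, its `pull-requests: write` only takes effect if the caller grants that scope, which this patch does not do on its own.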
@@ -100,11 +100,3 @@ jobs:
 overwrite: true
 - name: CDK deploy canary
 run: npm run cdk -w layers -- deploy --app cdk.out --context region=${{ matrix.region }} 'CanaryStack' --require-approval never --verbose --outputs-file cdk-outputs.json
- update_layer_arn_docs:
- needs: deploy-cdk-stack
- permissions:
- contents: write
- if: ${{ inputs.stage == 'PROD' }}
- uses: ./.github/workflows/reusable_update_layer_arn_docs.yml
- with:
- latest_published_version: ${{ inputs.latest_published_version }}

diff --git a/.github/workflows/reusable_update_layer_arn_docs.yml b/.github/workflows/reusable_update_layer_arn_docs.yml
deleted file mode 100644
index 4d4cea1547..0000000000
--- a/.github/workflows/reusable_update_layer_arn_docs.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-name: Update Layer ARN Docs
-
-on:
- workflow_call:
- inputs:
- latest_published_version:
- description: "Latest NPM published version to rebuild latest docs for, e.g. 1.5.1"
- type: string
- required: true
-
-permissions:
- contents: read
-
-env:
- BRANCH: main
-
-jobs:
- publish_layer_arn:
- # Force Github action to run only a single job at a time (based on the group name)
- # This is to prevent race-condition and inconsistencies with changelog push
- concurrency:
- group: changelog-build
- runs-on: ubuntu-latest
- permissions:
- contents: write
- pull-requests: write
- id-token: none
- steps:
- - name: Checkout repository # reusable workflows start clean, so we need to checkout again
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- with:
- ref: ${{ github.sha }}
- - name: Download CDK layer artifact
- uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
- with:
- name: cdk-layer-stack
- path: cdk-layer-stack/
- - name: Replace layer versions in documentation
- run: |
- ls -la cdk-layer-stack/
- ./.github/scripts/update_layer_arn.sh cdk-layer-stack
- - name: Create PR
- id: create-pr
- uses: ./.github/actions/create-pr
- with:
- files: 'docs/index.md'
- temp_branch_prefix: 'ci-layer-docs'
- pull_request_title: 'chore(ci): update layer ARN on documentation'
- github_token: ${{ secrets.GITHUB_TOKEN }}
-
\ No newline at end of file

From 25f452cd61c708d1cc960e19eff7a6ab4ef6605b Mon Sep 17 00:00:00 2001
From: Alexander Schueren
Date: Fri, 9 Feb 2024 16:38:23 +0100
Subject: [PATCH 4/5] remove contents write for npm publish step

---
 .github/workflows/make-release.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/make-release.yml b/.github/workflows/make-release.yml
index d23de1850c..b3ab87e91b 100644
--- a/.github/workflows/make-release.yml
+++ b/.github/workflows/make-release.yml
@@ -39,7 +39,6 @@ jobs:
 # Needed as recommended by npm docs on publishing with provenance https://docs.npmjs.com/generating-provenance-statements
 permissions:
 id-token: write
- contents: write
 environment: Release
 runs-on: ubuntu-latest
 outputs:

From 4b37aac0ec8de9863b06e33af35fe322947c172d Mon Sep 17 00:00:00 2001
From: Alexander Schueren
Date: Fri, 9 Feb 2024 16:40:30 +0100
Subject: [PATCH 5/5] add pull-requests write permission from parnet call

---
 .github/workflows/make-release.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/make-release.yml b/.github/workflows/make-release.yml
index b3ab87e91b..3602d606d2 100644
--- a/.github/workflows/make-release.yml
+++ b/.github/workflows/make-release.yml
@@ -97,6 +97,7 @@ jobs:
 id-token: write
 contents: write
 pages: write
+ pull-requests: write
 uses: ./.github/workflows/publish_layer.yml
 with:
 latest_published_version: ${{ needs.publish-npm.outputs.RELEASE_VERSION }}
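Review bot: With `contents: write` removed, the job-level `permissions` block lists only `id-token: write`, and a job-level block replaces the workflow defaults for every scope it omits, so `GITHUB_TOKEN` in this job now has `contents: none`; a checkout step in this job (outside the hunk, so presumably present) keeps working only while the repository is public and would fail with a 403 on a private one. Make the read scope explicit rather than implied: `permissions:` / `  id-token: write` / `  contents: read`. The comment above the block, which justifies `id-token: write` for npm provenance, now describes the whole block accurately; the enclosing job continues outside the hunk.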
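Review bot: The grant block for the `publish_layer.yml` call now hands the called workflow four write scopes (`id-token`, `contents`, `pages`, `pull-requests`) with nothing recording which called job consumes which; a called workflow cannot escalate beyond this block, but every job in it inherits these as its ceiling, so the list tends only to grow. Add a short per-scope comment, e.g. `pull-requests: write # update_layer_arn_docs opens the layer-ARN docs PR`, so a future reviewer can tell when a scope has become unused and drop it. The enclosing job starts before this hunk.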