chore: add ADC publishing workflow (#94)

The configuration lives in the 'releasing' environment, and the bucket
names are masked away from the logs.


---
By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache-2.0 license

Author: rix0rrr

.github/workflows/release.yml

@@ -5,6 +5,7 @@ import { BundleCli } from './projenrc/bundle';
 import { ESLINT_RULES } from './projenrc/eslint';
 import { JsiiBuild } from './projenrc/jsii';
 import { CodeCovWorkflow } from './projenrc/codecov';
+import { AdcPublishing } from './projenrc/adc-publishing';
 
 // 5.7 sometimes gives a weird error in `ts-jest` in `@aws-cdk/cli-lib-alpha`
 // https://github.com/microsoft/TypeScript/issues/60159
@@ -215,6 +216,8 @@ const repoProject = new yarn.Monorepo({
   },
 });
 
+new AdcPublishing(repoProject);
+
 // Eslint for projen config
 // @ts-ignore
 repoProject.eslint = new pj.javascript.Eslint(repoProject, {

.projen/tasks.json

@@ -0,0 +1,76 @@
+import { Monorepo } from "cdklabs-projen-project-types/lib/yarn";
+import { Component, github } from "projen";
+import { JobPermission } from "projen/lib/github/workflows-model";
+
+export class AdcPublishing extends Component {
+  constructor(private readonly project_: Monorepo) {
+    super(project_);
+
+    this.project.tasks.tryFind('build')?.exec('tsx projenrc/build-standalone-zip.task.ts');
+  }
+
+  public preSynthesize() {
+    const releaseWf = this.project_.github?.tryFindWorkflow('release');
+    if (!releaseWf) {
+      throw new Error('Could not find release workflow');
+    }
+
+    (releaseWf.getJob('release') as github.workflows.Job).steps.push({
+      name: 'standalone: Upload artifact',
+      if: '${{ steps.git_remote.outputs.latest_commit == github.sha }}',
+      uses: 'actions/[email protected]',
+      with: {
+        name: 'standalone_build-artifact',
+        path: 'dist/standalone',
+        overwrite: true
+      },
+    });
+
+    releaseWf.addJob('standalone_release_adc', {
+      name: 'standalone: publish to ADC',
+      environment: 'releasing',  // <-- this has the configuration
+      needs: ['release'],
+      runsOn: ['ubuntu-latest'],
+      permissions: {
+        contents: JobPermission.WRITE,
+      },
+      if: `\${{ needs.release.outputs.latest_commit == github.sha }}`,
+      steps: [
+        {
+          uses: 'actions/setup-node@v4',
+          with: {
+            'node-version': 'lts/*',
+          },
+        },
+        {
+          name: 'Download build artifacts',
+          uses: 'actions/download-artifact@v4',
+          with: {
+            name: 'standalone_build-artifact',
+            path: 'dist/standalone',
+          },
+        },
+        {
+          name: 'Authenticate Via OIDC Role',
+          id: 'creds',
+          uses: 'aws-actions/configure-aws-credentials@v4',
+          with: {
+            'aws-region': 'us-east-1',
+            'role-duration-seconds': 14400,
+            'role-to-assume': '${{ vars.AWS_ROLE_TO_ASSUME_FOR_ACCOUNT }}',
+            'role-session-name': 'releasing@aws-cdk-cli',
+            'output-credentials': true,
+          },
+        },
+        {
+          name: 'Publish artifacts',
+          env: {
+            PUBLISHING_ROLE_ARN: '${{ vars.PUBLISHING_ROLE_ARN }}',
+            TARGET_BUCKETS: '${{ vars.TARGET_BUCKETS }}',
+          },
+          run: 'npx tsx projenrc/publish-to-adc.task.ts',
+        },
+      ],
+    });
+  }
+}

.projenrc.ts

@@ -2,14 +2,12 @@ import * as cp from 'child_process';
 import { promises as fs } from 'fs';
 import * as os from 'os';
 import * as path from 'path';
-import * as util from 'util';
-import * as glob_ from 'glob';
-
-const glob = util.promisify(glob_.glob);
+import { glob } from 'glob';
 
 async function main() {
   const outdir = await fs.mkdtemp(path.join(os.tmpdir(), 'bundling'));
   try {
+
     const pkgs = ['aws-cdk'];
     // this is a build task, so we are safe either way
     // eslint-disable-next-line @cdklabs/promiseall-no-unbounded-parallelism

projenrc/adc-publishing.ts

@@ -2,6 +2,7 @@ import { createReadStream } from 'fs';
 import { S3 } from '@aws-sdk/client-s3';
 import { fromTemporaryCredentials, fromNodeProviderChain } from '@aws-sdk/credential-providers';
 import { Upload } from '@aws-sdk/lib-storage';
+import { glob } from 'glob';
 
 /**
  * Takes files from `dist/standalone` and moves them to specific ADC buckets
@@ -16,6 +17,10 @@ async function main() {
   if (!TARGET_BUCKETS) {
     throw new Error('Require $TARGET_BUCKETS');
   }
+  const buckets = TARGET_BUCKETS.split(/\s+|,+/).filter(x => x);
+
+  const root = 'dist/standalone';
+  const filesToPublish = ['aws-cdk-cli.zip'];
 
   const credentials = fromTemporaryCredentials({
     masterCredentials: fromNodeProviderChain(),
@@ -30,22 +35,24 @@ async function main() {
 
   const s3 = new S3({ region: 'us-east-1', credentials });
 
-  for (const bucket of TARGET_BUCKETS.split(' ')) {
+  for (const bucket of buckets) {
     // This value is secret-ish, mask it out
     // this is a cli
     // eslint-disable-next-line no-console
     console.log(`::add-mask::${bucket}`);
 
-    const upload = new Upload({
-      client: s3,
-      params: {
-        Bucket: bucket,
-        Key: 'aws-cdk-v2/aws-cdk-cli.zip',
-        Body: createReadStream('dist/standalone/aws-cdk-cli.zip'),
-        ChecksumAlgorithm: 'SHA256',
-      },
-    });
-    await upload.done();
+    for (const file of filesToPublish) {
+      const upload = new Upload({
+        client: s3,
+        params: {
+          Bucket: bucket,
+          Key: `aws-cdk-v2/${file}`,
+          Body: createReadStream(`${root}/${file}`),
+          ChecksumAlgorithm: 'SHA256',
+        },
+      });
+      await upload.done();
+    }
   }
 }