From 7051d9721cfb65c70906c30f7ddbb09a538790c9 Mon Sep 17 00:00:00 2001
From: Benjamin Farley
Date: Thu, 3 Jun 2021 13:15:41 -0600
Subject: [PATCH 1/6] chore: Release improvements

---
 codebuild/release/prod-release.yml | 47 ++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 codebuild/release/prod-release.yml

diff --git a/codebuild/release/prod-release.yml b/codebuild/release/prod-release.yml
new file mode 100644
index 000000000..b1a619aba
--- /dev/null
+++ b/codebuild/release/prod-release.yml
@@ -0,0 +1,47 @@
+version: 0.2
+
+env:
+  variables:
+    NODE_OPTIONS: "--max-old-space-size=4096"
+    BRANCH: "master" # TODO: maybe pass from CB invocation instead
+
+phases:
+  install:
+    commands:
+      - npm ci --unsafe-perm
+      # Install `otplib` to extract the OTP from the npm 2FA secret
+      - npm install otplib --no-save
+      - npm run build
+    runtime-versions:
+      nodejs: 10
+  pre_build:
+    commands:
+      - git config --global user.name "aws-crypto-tools-ci-bot"
+      - git config --global user.email "no-reply@noemail.local"
+      - git checkout $BRANCH
+  build:
+    commands:
+      # Pre-check, make sure everything is happy
+      - npm test
+      - npm run test_conditions
+      - npm run verdaccio
+      # Generate new version and CHANGELOG entry. Because we specify `--no-push` this
+      # does not yet push any changes to the remote
+      #- npx lerna version --conventional-commits --git-remote origin --yes --no-push
+      # Log the commit for posterity
+      - git log -n 1
+      # Publish to the local verdaccio server and run all tests
+      #- npm run verdaccio-publish
+      # TODO: actual publishing happens here
+      # Clear out the verdaccio cache so that we get the latest version
+      # of everything from public npm
+      #- rm -rf verdaccio/storage/
+      # Since the cache is empty, and we don't call `verdaccio-publish`
+      # this will run the integrations from the public code in npm
+      #- npx run-s verdaccio-publish-*
+
+
+batch:
+  fast-fail: true
+  build-graph:
+    - identifier: release_to_prod
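Review bot: The `otplib` that will later read the npm 2FA seed is fetched unpinned from the public registry at release time (`- npm install otplib --no-save` in the install phase), so whichever version is current that day runs with access to that secret, and its install scripts run with the `--unsafe-perm` root privileges granted to the preceding `npm ci`. Prefer making it a lockfile-pinned devDependency that the existing `npm ci` installs, or at least pin and skip scripts, `- npm install otplib@<pinned-version> --no-save --ignore-scripts` (placeholder version). The same consideration applies to `npx run-s` further down, which resolves `npm-run-all` from the registry if it is not already in `node_modules`; whether it is a declared devDependency cannot be told from this file.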
From adb0c20fcf8240ac8758caeb3a8ddc0773143a70 Mon Sep 17 00:00:00 2001
From: Benjamin Farley
Date: Thu, 3 Jun 2021 13:30:33 -0600
Subject: [PATCH 2/6] Uncomment some stuff

---
 codebuild/release/prod-release.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/codebuild/release/prod-release.yml b/codebuild/release/prod-release.yml
index b1a619aba..400e58ccd 100644
--- a/codebuild/release/prod-release.yml
+++ b/codebuild/release/prod-release.yml
@@ -31,14 +31,14 @@ phases:
       # Log the commit for posterity
       - git log -n 1
       # Publish to the local verdaccio server and run all tests
-      #- npm run verdaccio-publish
+      - npm run verdaccio-publish
       # TODO: actual publishing happens here
       # Clear out the verdaccio cache so that we get the latest version
       # of everything from public npm
-      #- rm -rf verdaccio/storage/
+      - rm -rf verdaccio/storage/
       # Since the cache is empty, and we don't call `verdaccio-publish`
       # this will run the integrations from the public code in npm
-      #- npx run-s verdaccio-publish-*
+      - npx run-s verdaccio-publish-*
 
 
 batch:

From 40b6e1e8fbebc48b0b38bffc4bb6bd8837693944 Mon Sep 17 00:00:00 2001
From: Benjamin Farley
Date: Thu, 3 Jun 2021 14:18:38 -0600
Subject: [PATCH 3/6] Add secrets

---
 codebuild/release/prod-release.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/codebuild/release/prod-release.yml b/codebuild/release/prod-release.yml
index 400e58ccd..ebcdc50aa 100644
--- a/codebuild/release/prod-release.yml
+++ b/codebuild/release/prod-release.yml
@@ -4,6 +4,10 @@ env:
   variables:
     NODE_OPTIONS: "--max-old-space-size=4096"
     BRANCH: "master" # TODO: maybe pass from CB invocation instead
+  secrets-manager:
+    OTP_SECRET_KEY: npm/aws-crypto-tools-ci-bot/2FA:OTP_SECRET_KEY
+    NPM_TOKEN: npm/aws-crypto-tools-ci-bot/2FA:NPM_TOKEN
+  git-credential-helper: yes
 
 phases:
   install:
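Review bot: The now-active `- npx run-s verdaccio-publish-*` hands an unquoted glob to the shell, so if the working directory ever contains a file matching `verdaccio-publish-*` the shell expands it to file names before `run-s` sees the pattern, and the wrong scripts (or none) run. Quoting keeps the pattern intact for `run-s`: `- npx run-s 'verdaccio-publish-*'`. The comment above it still reads "we don't call `verdaccio-publish`", which is accurate only because of the `rm -rf verdaccio/storage/` in between; a short note saying the cache wipe is what makes that true would save the next reader the double-take.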
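Review bot: `OTP_SECRET_KEY` and `NPM_TOKEN` are exported through `env.secrets-manager` for the entire build, so they sit in the environment of every command in every phase, including the npm lifecycle scripts that `npm ci --unsafe-perm` and the unpinned `npm install otplib` execute in the install phase (outside this hunk). The TOTP seed is a long-lived credential equivalent to the account's second factor, so consider resolving both values only in the build phase immediately before they are used (for example with the AWS CLI) and running the installs with `--ignore-scripts`, which keeps third-party install hooks out of reach of either secret. Separately, `git-credential-helper: yes` is the spelling CodeBuild documents, but a generic YAML 1.1 parser reads `yes` as a boolean and yamllint's truthy rule will flag it; a comment such as `# yes/no is the CodeBuild-documented form for this key` would pre-empt the question.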
@@ -27,7 +31,7 @@ phases:
       - npm run verdaccio
       # Generate new version and CHANGELOG entry. Because we specify `--no-push` this
       # does not yet push any changes to the remote
-      #- npx lerna version --conventional-commits --git-remote origin --yes --no-push
+      - npx lerna version --conventional-commits --git-remote origin --yes --no-push
       # Log the commit for posterity
       - git log -n 1
       # Publish to the local verdaccio server and run all tests

From 48206e4ea7c1f31ba2922adce040969194af900a Mon Sep 17 00:00:00 2001
From: Benjamin Farley
Date: Fri, 4 Jun 2021 09:30:07 -0600
Subject: [PATCH 4/6] Grab OTP

---
 codebuild/release/prod-release.yml | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/codebuild/release/prod-release.yml b/codebuild/release/prod-release.yml
index ebcdc50aa..eb297a09a 100644
--- a/codebuild/release/prod-release.yml
+++ b/codebuild/release/prod-release.yml
@@ -3,7 +3,7 @@ version: 0.2
 env:
   variables:
     NODE_OPTIONS: "--max-old-space-size=4096"
-    BRANCH: "master" # TODO: maybe pass from CB invocation instead
+    BRANCH: "master"
   secrets-manager:
     OTP_SECRET_KEY: npm/aws-crypto-tools-ci-bot/2FA:OTP_SECRET_KEY
     NPM_TOKEN: npm/aws-crypto-tools-ci-bot/2FA:NPM_TOKEN
@@ -36,7 +36,20 @@ phases:
       - git log -n 1
       # Publish to the local verdaccio server and run all tests
       - npm run verdaccio-publish
-      # TODO: actual publishing happens here
+      # Extract the otp using the secrets environment variables from above.
+      # This will wait for the next token. This is because npm uses
+      # TOTP and the tokens time out after 30 seconds. If the process just
+      # extracted the token then the lifetime for this token
+      # would be very random. This will maximize the amount of time
+      # available on the OTP to publish.
+      - >-
+        OTP=`node -e "
+        auth=require('otplib').authenticator;
+        setTimeout(() =>
+        console.log(auth.generate(process.env.OTP_SECRET_KEY)),
+        auth.timeRemaining() * 1000);
+        "`
+      # TODO: Actual publishing
       # Clear out the verdaccio cache so that we get the latest version
       # of everything from public npm
       - rm -rf verdaccio/storage/

From 79e13c5f0fa410ee4f00b34b764f465d04fe8595 Mon Sep 17 00:00:00 2001
From: Benjamin Farley
Date: Fri, 4 Jun 2021 10:09:16 -0600
Subject: [PATCH 5/6] Add publishing steps

---
 codebuild/release/prod-release.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/codebuild/release/prod-release.yml b/codebuild/release/prod-release.yml
index eb297a09a..2540ca075 100644
--- a/codebuild/release/prod-release.yml
+++ b/codebuild/release/prod-release.yml
@@ -49,7 +49,11 @@ phases:
         console.log(auth.generate(process.env.OTP_SECRET_KEY)),
         auth.timeRemaining() * 1000);
         "`
-      # TODO: Actual publishing
+      # Now we publish to npm.
+      # This is going to use the OTP generated above and the NPM_TOKEN
+      # environment variable. This will only publish things that are
+      # missing from npm. It is therefore safe to run repeatedly.
+      - npx lerna publish from-package --yes --otp $OTP
       # Clear out the verdaccio cache so that we get the latest version
       # of everything from public npm
       - rm -rf verdaccio/storage/
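Review bot: The folded scalar collapses the six body lines into one shell line that assigns `OTP`, and nothing checks what came back: if `OTP_SECRET_KEY` is empty or a future `otplib` changes `authenticator`, `$OTP` can end up empty and the problem only surfaces later at publish time with a less obvious registry error. A guard appended inside the same folded command, `&& [ -n "$OTP" ] || { echo 'OTP generation failed' >&2; exit 1; }`, keeps the failure next to its cause. Whether a variable assigned in one `commands` entry is visible in the next depends on how CodeBuild runs the entries; the buildspec relies on that for the later `--otp $OTP`, so a one-line comment stating the assumption (`# OTP must stay visible to the publish command below`) would help whoever reorders these steps.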
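Review bot: The new comment says the publish "is going to use ... the NPM_TOKEN environment variable", but npm does not read a variable of that name on its own and nothing in this buildspec writes it into an `.npmrc`; presumably a checked-in `.npmrc` references `${NPM_TOKEN}`, and the comment should name where that wiring lives so the dependency is not invisible. Passing the code as `--otp $OTP` also puts it on the process command line, where other processes on the host can read it and a verbose runner may echo it; it is a 30-second value so the exposure is small, but quote it, `--otp "$OTP"`, so an empty or unexpected value fails as a bad argument instead of reshaping the command line.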
@@ -58,6 +62,8 @@ phases:
       - npx run-s verdaccio-publish-*
 
 
+# Batching is technically unnecessary for now since we have just the one
+# buildspec, but leaving it in place makes it easier to extend later on
 batch:
   fast-fail: true
   build-graph:

From 53b58f13a2da52678e9ff8b55106a97fd97438eb Mon Sep 17 00:00:00 2001
From: Benjamin Farley
Date: Fri, 4 Jun 2021 11:41:58 -0600
Subject: [PATCH 6/6] Updates per offline discussion

---
 codebuild/release/prod-release.yml | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/codebuild/release/prod-release.yml b/codebuild/release/prod-release.yml
index 2540ca075..a6e209013 100644
--- a/codebuild/release/prod-release.yml
+++ b/codebuild/release/prod-release.yml
@@ -17,7 +17,7 @@ phases:
       - npm install otplib --no-save
       - npm run build
     runtime-versions:
-      nodejs: 10
+      nodejs: 14
   pre_build:
     commands:
       - git config --global user.name "aws-crypto-tools-ci-bot"
@@ -28,14 +28,12 @@ phases:
       # Pre-check, make sure everything is happy
       - npm test
       - npm run test_conditions
+      # Publish to a local verdaccio server and run all tests against it
       - npm run verdaccio
-      # Generate new version and CHANGELOG entry. Because we specify `--no-push` this
-      # does not yet push any changes to the remote
-      - npx lerna version --conventional-commits --git-remote origin --yes --no-push
+      # Generate new version and CHANGELOG entry and push it
+      - npx lerna version --conventional-commits --git-remote origin --yes
      # Log the commit for posterity
       - git log -n 1
-      # Publish to the local verdaccio server and run all tests
-      - npm run verdaccio-publish
       # Extract the otp using the secrets environment variables from above.
       # This will wait for the next token. This is because npm uses
       # TOTP and the tokens time out after 30 seconds. If the process just
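Review bot: With `--no-push` dropped, `lerna version` now pushes the version commit and tags to `$BRANCH` before `lerna publish` has run (that step is later in the file, outside this hunk), so an expired OTP or a registry failure leaves tags on master for versions that never reached npm. The `from-package` publish is re-runnable and covers that case, but the new one-line comment does not say so; I would extend it to `# Generate new version and CHANGELOG entry and push it. This pushes the tags before publishing; if publishing fails, re-running the build publishes whatever is still missing from npm.` The push also means the CodeBuild role's git credentials write directly to master, so any branch protection on that branch has to admit this bot identity; whether that is configured cannot be told from this file.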