fix(ci): secret and OIDC inheritance in nested children workflow

rubenfonseca · heitorlessa · commit a996229cf0ce · 2022-10-20T22:12:25.000+02:00
diff --git a/.github/workflows/on_release_notes.yml b/.github/workflows/on_release_notes.yml
@@ -31,7 +31,7 @@ on:
   workflow_dispatch:
     inputs:
       version_to_publish:
-        description: "Version to be released in PyPi, Docs, and Lambda Layer, e.g. v1.26.4"
+        description: "Version to be released in PyPi, Docs, and Lambda Layer, e.g. v2.0.0, v2.0.0.a0 (pre-release)"
         default: v2.0.0
         required: true
       skip_pypi:
@@ -44,19 +44,24 @@ on:
         default: false
         type: boolean
         required: false
+      # Only use this until v1 is completely dropped, and for manual releases
+      skip_version_guard:
+        description: "Skips conditions to prevent v1 into v2 releases"
+        default: false
+        type: boolean
+        required: false
       pre_release:
-        description: "Publishes documentation using a pre-release tag. You are still responsible for passing a pre-release version tag to the workflow."
+        description: "Publishes documentation using a pre-release tag (v2.0.0.a0). You are still responsible for passing a pre-release version tag to the workflow."
         default: false
         type: boolean
         required: false
 
 jobs:
   release:
-    if: ${{ startsWith(github.ref, 'refs/tags/v2') }}
+    if: ${{ startsWith(github.ref, 'refs/tags/v2') || inputs.skip_version_guard }}
     environment: release
     runs-on: ubuntu-latest
     permissions:
-      id-token: write
       contents: read
     outputs:
       RELEASE_VERSION: ${{ steps.release_version.outputs.RELEASE_VERSION }}
@@ -102,56 +107,29 @@ jobs:
         env:
           PYPI_USERNAME: __token__
           PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
-      - name: aws credentials
-        uses: aws-actions/configure-aws-credentials@v1
-        with:
-          aws-region: eu-west-1
-          role-to-assume: ${{ secrets.AWS_SAR_ROLE_ARN }}
-      - name: publish lambda layer in SAR by triggering the internal codepipeline
-        run: |
-          aws ssm put-parameter --name "powertools-python-release-version" --value "$RELEASE_VERSION" --overwrite
-          aws codepipeline start-pipeline-execution --name ${{ secrets.AWS_SAR_PIPELINE_NAME }}
 
   changelog:
     needs: release
     permissions:
       contents: write
     uses: ./.github/workflows/reusable_publish_changelog.yml
 
-  # When doing a pre-release, we want to publish the docs as "alpha" instead of replacing the latest docs
-  prepare_docs_alias:
-    runs-on: ubuntu-latest
-    outputs:
-      DOCS_ALIAS: ${{ steps.set-alias.outputs.DOCS_ALIAS }}
-    steps:
-      - name: Set docs alias
-        id: set-alias
-        run: |
-          DOCS_ALIAS=latest
-          if [[ "${{ github.event.release.prerelease || inputs.pre_release }}" == true ]] ; then
-            DOCS_ALIAS=alpha
-          fi
-          echo DOCS_ALIAS="$DOCS_ALIAS" >> "$GITHUB_OUTPUT"
-
-  docs:
-    needs: [release, changelog, prepare_docs_alias]
+  # NOTE: Watch out for the depth limit of 4 nested workflow_calls.
+  # publish_layer -> publish_v2_layer -> reusable_deploy_v2_layer_stack -> reusable_update_v2_layer_arn_docs
+  publish_layer:
+    needs: release
+    secrets: inherit
     permissions:
+      id-token: write
       contents: write
       pages: write
-    uses: ./.github/workflows/reusable_publish_docs.yml
-    with:
-      version: ${{ needs.release.outputs.RELEASE_VERSION }}
-      alias: ${{ needs.prepare_docs_alias.outputs.DOCS_ALIAS }}
-      detached_mode: true
-
-  publish_layer:
-    needs: release
     uses: ./.github/workflows/publish_v2_layer.yml
     with:
       latest_published_version: ${{ needs.release.outputs.RELEASE_VERSION }}
+      pre_release: ${{ github.event.release.prerelease || inputs.pre_release }}
 
   post_release:
-    needs: release
+    needs: [release, publish_layer]
     permissions:
       contents: read
       issues: write
diff --git a/.github/workflows/publish_v2_layer.yml b/.github/workflows/publish_v2_layer.yml
@@ -2,29 +2,44 @@ name: Deploy v2 layer to all regions
 
 permissions:
   id-token: write
-  contents: read
+  contents: write
+  pages: write
 
 on:
   workflow_dispatch:
     inputs:
       latest_published_version:
-        description: "Latest PyPi published version to rebuild latest docs for, e.g. v2.0.0"
+        description: "Latest PyPi published version to rebuild latest docs for, e.g. 2.0.0, v2.0.0.a0 (pre-release)"
         required: true
+      pre_release:
+        description: "Publishes documentation using a pre-release tag (v2.0.0.a0)."
+        default: false
+        type: boolean
+        required: false
+      test_role:
+        type: string
+        description: "Test IAM Role ARN"
+        required: false
   workflow_call:
     inputs:
       latest_published_version:
         type: string
-        description: "Latest PyPi published version to rebuild latest docs for, e.g. v2.0.0"
+        description: "Latest PyPi published version to rebuild latest docs for, e.g. 2.0.0, v2.0.0.a0 (pre-release)"
         required: true
+      pre_release:
+        description: "Publishes documentation using a pre-release tag (v2.0.0.a0)."
+        default: false
+        type: boolean
+        required: false
 
 jobs:
   build-layer:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     defaults:
       run:
         working-directory: ./layer
-    outputs:
-      release-tag-version: ${{ steps.release-notes-tag.outputs.RELEASE_TAG_VERSION }}
     steps:
       - name: checkout
         uses: actions/checkout@v3
@@ -47,13 +62,6 @@ jobs:
         run: |
           poetry export --format requirements.txt --output requirements.txt
           pip install -r requirements.txt
-      - name: Set release notes tag
-        id: release-notes-tag
-        run: |
-          RELEASE_INPUT=${{ inputs.latest_published_version }}
-          LATEST_TAG=$(git describe --tag --abbrev=0)
-          RELEASE_TAG_VERSION=${RELEASE_INPUT:-$LATEST_TAG}
-          echo RELEASE_TAG_VERSION="${RELEASE_TAG_VERSION:1}" >> "$GITHUB_OUTPUT"
       - name: Set up QEMU
         uses: docker/setup-qemu-action@8b122486cedac8393e77aa9734c3528886e4a1a8 # v2.0.0
         # NOTE: we need QEMU to build Layer against a different architecture (e.g., ARM)
@@ -65,7 +73,7 @@ jobs:
           npm install -g aws-cdk@2.44.0
           cdk --version
       - name: CDK build
-        run: cdk synth --context version="${{ steps.release-notes-tag.outputs.RELEASE_TAG_VERSION }}" -o cdk.out
+        run: cdk synth --context version="${{ inputs.latest_published_version }}" -o cdk.out
       - name: zip output
         run: zip -r cdk.out.zip cdk.out
       - name: Archive CDK artifacts
@@ -102,7 +110,7 @@ jobs:
       stage: "BETA"
       artefact-name: "cdk-layer-artefact"
       environment: "layer-beta"
-      package-version: ${{ needs.build-layer.outputs.release-tag-version }}
+      package-version: ${{ inputs.latest_published_version }}
 
   deploy-sar-prod:
     needs: [build-layer, deploy-sar-beta]
@@ -112,4 +120,31 @@ jobs:
       stage: "PROD"
       artefact-name: "cdk-layer-artefact"
       environment: "layer-prod"
-      package-version: ${{ needs.build-layer.outputs.release-tag-version }}
+      package-version: ${{ inputs.latest_published_version }}
+
+  prepare_docs_alias:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    outputs:
+      DOCS_ALIAS: ${{ steps.set-alias.outputs.DOCS_ALIAS }}
+    steps:
+      - name: Set docs alias
+        id: set-alias
+        run: |
+          DOCS_ALIAS=latest
+          if [[ "${{ inputs.pre_release }}" == true ]] ; then
+            DOCS_ALIAS=alpha
+          fi
+          echo DOCS_ALIAS="$DOCS_ALIAS" >> "$GITHUB_OUTPUT"
+
+  release-docs:
+    needs: [deploy-prod, prepare_docs_alias]
+    permissions:
+      contents: write
+      pages: write
+    uses: ./.github/workflows/reusable_publish_docs.yml
+    with:
+      version: ${{ inputs.latest_published_version }}
+      alias: ${{ needs.prepare_docs_alias.outputs.DOCS_ALIAS }}
+      detached_mode: true
diff --git a/.github/workflows/reusable_deploy_v2_layer_stack.yml b/.github/workflows/reusable_deploy_v2_layer_stack.yml
@@ -1,12 +1,12 @@
 name: Deploy CDK Layer v2 stack
 
-permissions:
-  id-token: write
-  contents: read
-
 env:
   CDK_VERSION: 2.44.0
 
+permissions:
+  id-token: write
+  contents: write
+
 on:
   workflow_call:
     inputs:
@@ -68,7 +68,7 @@ jobs:
       - name: Install poetry
         run: pipx install poetry
       - name: aws credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838
         with:
           aws-region: ${{ matrix.region }}
           role-to-assume: ${{ secrets.AWS_LAYERS_ROLE_ARN }}
@@ -110,14 +110,14 @@ jobs:
       - name: CDK Deploy Canary
         run: cdk deploy --app cdk.out --context region=${{ matrix.region}} --parameters DeployStage="${{ inputs.stage }}" 'CanaryV2Stack' --require-approval never --verbose
       - name: Save Layer ARN artifact
-        uses: actions/upload-artifacts@v3
+        uses: actions/upload-artifact@v3
         with:
           name: cdk-layer-stack
           path: cdk-layer-stack*
 
   update_v2_layer_arn_docs:
-    permissions:
-      contents: write
+    needs: deploy-cdk-stack
+    if: ${{ inputs.stage == 'PROD' }}
     uses: ./.github/workflows/reusable_update_v2_layer_arn_docs.yml
     with:
       latest_published_version: ${{ inputs.latest_published_version }}
diff --git a/.github/workflows/reusable_deploy_v2_sar.yml b/.github/workflows/reusable_deploy_v2_sar.yml
@@ -50,12 +50,12 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v3
       - name: AWS credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838
         with:
           aws-region: ${{ env.AWS_REGION }}
           role-to-assume: ${{ secrets.AWS_LAYERS_ROLE_ARN }}
       - name: AWS credentials SAR role
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838
         id: aws-credentials-sar-role
         with:
           aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
@@ -83,18 +83,35 @@ jobs:
       - name: Adds arm64 suffix to SAR name
         if: ${{ matrix.architecture == 'arm64' }}
         run: echo SAR_NAME="${SAR_NAME}-arm64" >> "$GITHUB_ENV"
-      - name: Deploy SAR
+      - name: Normalize semantic version
+        id: semantic-version # v2.0.0.a0 -> v2.0.0-a0
+        env:
+          VERSION: ${{ inputs.package-version }}
+        run: |
+          VERSION="${VERSION/.a/-a}"
+          echo "VERSION=${VERSION}" >> "$GITHUB_OUTPUT"
+      - name: Prepare SAR App
+        env:
+          VERSION: ${{ steps.semantic-version.outputs.VERSION }}
         run: |
           # From the generated LayerStack cdk.out artifact, find the layer asset path for the correct architecture.
           # We'll use this as the source directory of our SAR. This way we are re-using the same layer asset for our SAR.
           asset=$(jq -jc '.Resources[] | select(.Properties.CompatibleArchitectures == ["${{ matrix.architecture }}"]) | .Metadata."aws:asset:path"' cdk.out/LayerV2Stack.template.json)
 
           # fill in the SAR SAM template
-          sed -e "s|<VERSION>|${{ inputs.package-version }}|g" -e "s/<SAR_APP_NAME>/${{ env.SAR_NAME }}/g" -e "s|<LAYER_CONTENT_PATH>|./cdk.out/$asset|g" layer/sar/template.txt > template.yml
+          sed \
+            -e "s|<VERSION>|${VERSION}|g" \
+            -e "s/<SAR_APP_NAME>/${{ env.SAR_NAME }}/g" \
+            -e "s|<LAYER_CONTENT_PATH>|./cdk.out/$asset|g" \
+            layer/sar/template.txt > template.yml
 
           # SAR needs a README and a LICENSE, so just copy the ones from the repo
           cp README.md LICENSE "./cdk.out/$asset/"
 
+          # Debug purposes
+          cat template.yml
+      - name: Deploy SAR
+        run: |
           # Package the SAR to our SAR S3 bucket, and publish it
           sam package --template-file template.yml --output-template-file packaged.yml --s3-bucket ${{ secrets.AWS_SAR_S3_BUCKET }}
           sam publish --template packaged.yml --region "$AWS_REGION"
@@ -116,11 +133,16 @@ jobs:
 
           echo "Creating canary stack"
           echo "Stack name: $TEST_STACK_NAME"
-          aws serverlessrepo create-cloud-formation-change-set --application-id arn:aws:serverlessrepo:${{ env.AWS_REGION }}:${{ steps.aws-credentials-sar-role.outputs.aws-account-id }}:applications/${{ env.SAR_NAME }} --stack-name "${TEST_STACK_NAME/serverlessrepo-/}" --capabilities CAPABILITY_NAMED_IAM
+          aws serverlessrepo create-cloud-formation-change-set \
+            --application-id arn:aws:serverlessrepo:${{ env.AWS_REGION }}:${{ steps.aws-credentials-sar-role.outputs.aws-account-id }}:applications/${{ env.SAR_NAME }} \
+            --stack-name "${TEST_STACK_NAME/serverlessrepo-/}" \
+            --capabilities CAPABILITY_NAMED_IAM
+
           CHANGE_SET_ID=$(aws cloudformation list-change-sets --stack-name "$TEST_STACK_NAME" --query 'Summaries[*].ChangeSetId' --output text)
           aws cloudformation wait change-set-create-complete --change-set-name "$CHANGE_SET_ID"
           aws cloudformation execute-change-set --change-set-name "$CHANGE_SET_ID"
           aws cloudformation wait stack-create-complete --stack-name "$TEST_STACK_NAME"
+
           echo "Waiting until stack deployment completes..."
 
           echo "Exit with error if stack is not in CREATE_COMPLETE"
@@ -136,4 +158,6 @@ jobs:
           # wait until SAR registers the app, otherwise it fails to make it public
           sleep 15
           echo "Make SAR app public"
-          aws serverlessrepo put-application-policy --application-id arn:aws:serverlessrepo:${{ env.AWS_REGION }}:${{ steps.aws-credentials-sar-role.outputs.aws-account-id }}:applications/${{ env.SAR_NAME }} --statements Principals='*',Actions=Deploy
+          aws serverlessrepo put-application-policy \
+            --application-id arn:aws:serverlessrepo:${{ env.AWS_REGION }}:${{ steps.aws-credentials-sar-role.outputs.aws-account-id }}:applications/${{ env.SAR_NAME }} \
+            --statements Principals='*',Actions=Deploy
diff --git a/.github/workflows/reusable_update_v2_layer_arn_docs.yml b/.github/workflows/reusable_update_v2_layer_arn_docs.yml
@@ -48,13 +48,3 @@ jobs:
           git commit -m "chore: update v2 layer ARN on documentation"
           git pull origin "${BRANCH}" # prevents concurrent branch update failing push
           git push origin HEAD:refs/heads/"${BRANCH}"
-
-  release-docs:
-    needs: publish_v2_layer_arn
-    permissions:
-      contents: write
-      pages: write
-    uses: ./.github/workflows/reusable_publish_docs.yml
-    with:
-      version: ${{ inputs.latest_published_version }}
-      alias: latest
diff --git a/CHANGELOG.md b/CHANGELOG.md
diff --git a/docs/index.md b/docs/index.md
