ci: change to reusable workflows (#148)

Signed-off-by: Charles Moore <122481442+moorec-aws@users.noreply.github.com>
aws-deadline · Apr 30, 2024 · faf3bd6 · faf3bd6
1 parent 2de6f48
commit faf3bd6
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 277 deletions.
diff --git a/.github/workflows/code_quality.yml b/.github/workflows/code_quality.yml
@@ -10,8 +10,13 @@ on:
         type: string
 
 jobs:
-  TestPython:
-    name: Code Quality
-    uses: ./.github/workflows/reuse_python_build.yml
-    secrets: inherit
-
+  Test:
+    name: Python
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest]
+        python-version: ['3.9', '3.10', '3.11']
+    uses: aws-deadline/.github/.github/workflows/reusable_python_build.yml@mainline
+    with:
+      os: ${{ matrix.os }}
+      python-version: ${{ matrix.python-version }}
diff --git a/.github/workflows/release_bump.yml b/.github/workflows/release_bump.yml
@@ -22,71 +22,11 @@ jobs:
     uses: ./.github/workflows/code_quality.yml
     with:
       branch: mainline
-    secrets: inherit
 
   Bump:
+    name: Version Bump
     needs: UnitTests
-    runs-on: ubuntu-latest
-    environment: release
-    permissions:
-      contents: write
-      pull-requests: write
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          ref: mainline
-          fetch-depth: 0
-          token: ${{ secrets.CI_TOKEN }}
-
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: '3.9'
-
-      - name: ConfigureGit
-        run: |
-          git config --local user.email "129794699+client-software-ci@users.noreply.github.com"
-          git config --local user.name "client-software-ci"
-
-      - name: Bump
-        run: |
-          BUMP_ARGS=""
-          if [[ "${{ inputs.force_version_bump }}" != "" ]]; then
-            BUMP_ARGS="$BUMP_ARGS --${{ inputs.force_version_bump }}"
-          fi
-
-          # Backup actual changelog to preserve its contents
-          touch CHANGELOG.md
-          cp CHANGELOG.md CHANGELOG.bak.md
-
-          # Run semantic-release to generate new changelog
-          pip install --upgrade hatch
-          hatch env create release
-          hatch run release:deps
-          NEXT_SEMVER=$(hatch run release:bump $BUMP_ARGS)
-
-          # Grab the new version's changelog and prepend it to the original changelog contents
-          python .github/scripts/get_latest_changelog.py > NEW_LOG.md
-          cat NEW_LOG.md CHANGELOG.bak.md > CHANGELOG.md
-          rm NEW_LOG.md
-
-          git checkout -b bump/$NEXT_SEMVER
-          git add CHANGELOG.md
-          git commit -sm "chore(release): $NEXT_SEMVER"
-
-          echo "NEXT_SEMVER=$NEXT_SEMVER" >> $GITHUB_ENV
-          {
-            echo 'RELEASE_NOTES<<EOF'
-            python .github/scripts/get_latest_changelog.py
-            echo EOF
-          } >> $GITHUB_ENV
-
-      - name: PushPR
-        env:
-          GH_TOKEN: ${{ secrets.CI_TOKEN }}
-        run: |
-          git push -u origin bump/$NEXT_SEMVER
-
-          # Needs "Allow GitHub Actions to create and approve pull requests" under Settings > Actions
-          gh pr create --base mainline --title "chore(release): $NEXT_SEMVER" --body "$RELEASE_NOTES"
+    uses: aws-deadline/.github/.github/workflows/reusable_bump.yml@mainline
+    secrets: inherit
+    with:
+      force_version_bump: ${{ inputs.force_version_bump }}
diff --git a/.github/workflows/release_publish.yml b/.github/workflows/release_publish.yml
@@ -12,188 +12,36 @@ concurrency:
   group: release
 
 jobs:
-  VerifyCommit:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          ref: ${{ github.ref }}
-          fetch-depth: 0
-
-      - name: VerifyAuthor
-        run: |
-          EXPECTED_AUTHOR="129794699+client-software-ci@users.noreply.github.com"
-          AUTHOR=$(git show -s --format='%ae' HEAD)
-          if [[ $AUTHOR != $EXPECTED_AUTHOR ]]; then
-            echo "ERROR: Expected author email to be '$EXPECTED_AUTHOR', but got '$AUTHOR'. Aborting release."
-            exit 1
-          else
-            echo "Verified author email ($AUTHOR) is as expected ($EXPECTED_AUTHOR)"
-          fi
-
-  Release:
-    needs: VerifyCommit
-    runs-on: ubuntu-latest
-    environment: release
+  Publish:
+    name: Publish Release
     permissions:
       id-token: write
       contents: write
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          ref: release
-          fetch-depth: 0
-          token: ${{ secrets.CI_TOKEN }}
-
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: '3.9'
-
-      - name: ConfigureGit
-        run: |
-          git config --local user.email "129794699+client-software-ci@users.noreply.github.com"
-          git config --local user.name "client-software-ci"
-
-      - name: MergePushRelease
-        run: |
-          git merge --ff-only origin/mainline -v
-          git push origin release 
-
-      - name: PrepRelease
-        id: prep-release
-        run: |
-          COMMIT_TITLE=$(git show -s --format='%s' HEAD)
-          NEXT_SEMVER=$(python -c 'import sys, re; print(re.match(r"chore\(release\): ([0-9]+\.[0-9]+\.[0-9]+).*", sys.argv[1]).group(1))' "$COMMIT_TITLE")
-
-          # The format of the tag must match the pattern in pyproject.toml -> tool.semantic_release.tag_format
-          TAG="$NEXT_SEMVER"
-
-          git tag -a $TAG -m "Release $TAG"
-
-          echo "TAG=$TAG" >> $GITHUB_ENV
-          echo "NEXT_SEMVER=$NEXT_SEMVER" >> $GITHUB_ENV
-          {
-            echo 'RELEASE_NOTES<<EOF'
-            python .github/scripts/get_latest_changelog.py
-            echo EOF
-          } >> $GITHUB_ENV
-
-      # Tag must be made before building so the generated _version.py files have the correct version
-      - name: Build
-        run: |
-          pip install --upgrade hatch
-          hatch -v build
-
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          role-to-assume: ${{ secrets.AWS_PGP_KEY_SECRET_ROLE }}
-          aws-region: us-west-2
-          mask-aws-account-id: true
-
-      - name: Import PGP Key
-        run: |
-          export SECRET_STRING="$(aws secretsmanager get-secret-value --secret-id ${{ secrets.AWS_PGP_KEY_SECRET }} --query 'SecretString')"
-          printenv SECRET_STRING | jq -r '. | fromjson | .PrivateKey' | gpg --batch --pinentry-mode loopback --import --armor
-
-          PGP_KEY_PASSPHRASE=$(printenv SECRET_STRING | jq -r '. | fromjson | .Passphrase')
-          echo "::add-mask::$PGP_KEY_PASSPHRASE"
-          echo "PGP_KEY_PASSPHRASE=$PGP_KEY_PASSPHRASE" >> $GITHUB_ENV
-
-      - name: Sign
-        run: |
-          for file in dist/*; do
-            printenv PGP_KEY_PASSPHRASE | gpg --batch --pinentry-mode loopback --local-user "AWS Deadline Cloud" --passphrase-fd 0 --output $file.sig --detach-sign $file
-            echo "Created signature file for $file"
-          done
-
-      - name: PushRelease
-        env:
-          GH_TOKEN: ${{ secrets.CI_TOKEN }}
-        run: |
-          git push origin $TAG
-          gh release create $TAG dist/* --notes "$RELEASE_NOTES"
-
-  PublishToInternal:
-    needs: Release
-    runs-on: ubuntu-latest
-    environment: release
-    permissions:
-      id-token: write
-    steps:
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          role-to-assume: ${{ secrets.AWS_CODEBUILD_RELEASE_PUBLISH_ROLE }}
-          aws-region: us-west-2
-          mask-aws-account-id: true
-
-      - name: Run CodeBuild
-        uses: aws-actions/aws-codebuild-run-build@v1
-        with:
-          project-name: ${{ github.event.repository.name }}-release-Publish
-          hide-cloudwatch-logs: true
-
-  PublishToRepository:
-    needs: Release
+    uses: aws-deadline/.github/.github/workflows/reusable_publish.yml@mainline
+    secrets: inherit
+  # PyPI does not support reusable workflows yet
+  # # See https://github.com/pypi/warehouse/issues/11096
+  PublishToPyPI:
+    needs: Publish
     runs-on: ubuntu-latest
     environment: release
     permissions:
       id-token: write
-      contents: read
-    env:
-      CODEARTIFACT_REGION: "us-west-2"
-      CODEARTIFACT_DOMAIN: ${{ secrets.CODEARTIFACT_DOMAIN }}
-      CODEARTIFACT_ACCOUNT_ID: ${{ secrets.CODEARTIFACT_ACCOUNT_ID }}
-      CODEARTIFACT_REPOSITORY: ${{ secrets.CODEARTIFACT_REPOSITORY }}
-      CUSTOMER_DOMAIN: ${{ secrets.CUSTOMER_DOMAIN }}
-      CUSTOMER_REPOSITORY: ${{ secrets.CUSTOMER_REPOSITORY }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
         with:
           ref: release
           fetch-depth: 0
-
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          role-to-assume: ${{ secrets.AWS_CODEARTIFACT_ROLE }}
-          aws-region: us-west-2
-          mask-aws-account-id: true
-
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
           python-version: '3.9'
-
       - name: Install dependencies
         run: |
           pip install --upgrade hatch
-          pip install --upgrade twine
-
       - name: Build
         run: hatch -v build
-
-      - name: Publish to Repository
-        run: |
-          export TWINE_USERNAME=aws
-          export TWINE_PASSWORD=`aws codeartifact get-authorization-token --domain ${{ secrets.CODEARTIFACT_DOMAIN }} --domain-owner ${{ secrets.CODEARTIFACT_ACCOUNT_ID }} --query authorizationToken --output text`
-          export TWINE_REPOSITORY_URL=`aws codeartifact get-repository-endpoint --domain ${{ secrets.CODEARTIFACT_DOMAIN }} --domain-owner ${{ secrets.CODEARTIFACT_ACCOUNT_ID }} --repository ${{ secrets.CODEARTIFACT_REPOSITORY }} --format pypi --query repositoryEndpoint --output text`
-          twine upload dist/*
-
-      - name: Publish to Customer Repository
-        run: |
-          export TWINE_USERNAME=aws
-          export TWINE_PASSWORD=`aws codeartifact get-authorization-token --domain ${{ secrets.CUSTOMER_DOMAIN }} --domain-owner ${{ secrets.CODEARTIFACT_ACCOUNT_ID }} --query authorizationToken --output text`
-          export TWINE_REPOSITORY_URL=`aws codeartifact get-repository-endpoint --domain ${{ secrets.CUSTOMER_DOMAIN }} --domain-owner ${{ secrets.CODEARTIFACT_ACCOUNT_ID }} --repository ${{ secrets.CUSTOMER_REPOSITORY }} --format pypi --query repositoryEndpoint --output text`
-          twine upload dist/*
-
       # # See https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-pypi
       - name: Publish to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
diff --git a/.github/workflows/reuse_python_build.yml b/.github/workflows/reuse_python_build.yml