From faf3bd6e930ba247d3d047936881074dfb06eb75 Mon Sep 17 00:00:00 2001
From: Charles Moore <122481442+moorec-aws@users.noreply.github.com>
Date: Tue, 30 Apr 2024 09:03:47 -0500
Subject: [PATCH] ci: change to reusable workflows (#148)

Signed-off-by: Charles Moore <122481442+moorec-aws@users.noreply.github.com>
---
 .github/workflows/code_quality.yml | 15 +-
 .github/workflows/release_bump.yml | 70 +--------
 .github/workflows/release_publish.yml | 168 ++---------------------
 .github/workflows/reuse_python_build.yml | 47 -------
 4 files changed, 23 insertions(+), 277 deletions(-)
 delete mode 100644 .github/workflows/reuse_python_build.yml

diff --git a/.github/workflows/code_quality.yml b/.github/workflows/code_quality.yml
index 6b4b777..50fe8a3 100644
--- a/.github/workflows/code_quality.yml
+++ b/.github/workflows/code_quality.yml
@@ -10,8 +10,13 @@ on:
 type: string
 jobs:
- TestPython:
- name: Code Quality
- uses: ./.github/workflows/reuse_python_build.yml
- secrets: inherit
-
+ Test:
+ name: Python
+ strategy:
+ matrix:
+ os: [ubuntu-latest, macos-latest]
+ python-version: ['3.9', '3.10', '3.11']
+ uses: aws-deadline/.github/.github/workflows/reusable_python_build.yml@mainline
+ with:
+ os: ${{ matrix.os }}
+ python-version: ${{ matrix.python-version }}
\ No newline at end of file
diff --git a/.github/workflows/release_bump.yml b/.github/workflows/release_bump.yml
index f36f728..7b14815 100644
--- a/.github/workflows/release_bump.yml
+++ b/.github/workflows/release_bump.yml
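Review bot: The new `uses:` line references the org-level workflow by the mutable `@mainline` ref, so any later change to `reusable_python_build.yml` in `aws-deadline/.github` takes effect in this repository's CI without a review here; pinning it, e.g. `uses: aws-deadline/.github/.github/workflows/reusable_python_build.yml@<pinned-commit-sha> # <tag>`, makes the job reproducible and turns upstream updates into visible diffs. The same `@mainline` reference appears in the release_bump.yml and release_publish.yml hunks, where the callee also receives `secrets: inherit`, so the pin matters more there. Separately, the `branch` input this workflow declares (the `type: string` context at the top of the hunk) is not forwarded in `with:`, while release_bump.yml still calls this workflow with `branch: mainline`; either pass it through if the reusable workflow accepts a ref input, or drop the input so callers stop relying on it. The file also ends without a trailing newline (`\ No newline at end of file`).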
@@ -22,71 +22,11 @@ jobs: uses: ./.github/workflows/code_quality.yml with: branch: mainline - secrets: inherit Bump: + name: Version Bump needs: UnitTests - runs-on: ubuntu-latest - environment: release - permissions: - contents: write - pull-requests: write - steps: - - name: Checkout - uses: actions/checkout@v4 - with: - ref: mainline - fetch-depth: 0 - token: ${{ secrets.CI_TOKEN }} - - - name: Set up Python - uses: actions/setup-python@v5 - with: - python-version: '3.9' - - - name: ConfigureGit - run: | - git config --local user.email "129794699+client-software-ci@users.noreply.github.com" - git config --local user.name "client-software-ci" - - - name: Bump - run: | - BUMP_ARGS="" - if [[ "${{ inputs.force_version_bump }}" != "" ]]; then - BUMP_ARGS="$BUMP_ARGS --${{ inputs.force_version_bump }}" - fi - - # Backup actual changelog to preserve its contents - touch CHANGELOG.md - cp CHANGELOG.md CHANGELOG.bak.md - - # Run semantic-release to generate new changelog - pip install --upgrade hatch - hatch env create release - hatch run release:deps - NEXT_SEMVER=$(hatch run release:bump $BUMP_ARGS) - - # Grab the new version's changelog and prepend it to the original changelog contents - python .github/scripts/get_latest_changelog.py > NEW_LOG.md - cat NEW_LOG.md CHANGELOG.bak.md > CHANGELOG.md - rm NEW_LOG.md - - git checkout -b bump/$NEXT_SEMVER - git add CHANGELOG.md - git commit -sm "chore(release): $NEXT_SEMVER" - - echo "NEXT_SEMVER=$NEXT_SEMVER" >> $GITHUB_ENV - { - echo 'RELEASE_NOTES<> $GITHUB_ENV - - - name: PushPR - env: - GH_TOKEN: ${{ secrets.CI_TOKEN }} - run: | - git push -u origin bump/$NEXT_SEMVER - - # Needs "Allow GitHub Actions to create and approve pull requests" under Settings > Actions - gh pr create --base mainline --title "chore(release): $NEXT_SEMVER" --body "$RELEASE_NOTES" + uses: aws-deadline/.github/.github/workflows/reusable_bump.yml@mainline + secrets: inherit + with: + force_version_bump: ${{ inputs.force_version_bump }} \ No newline 
at end of file
diff --git a/.github/workflows/release_publish.yml b/.github/workflows/release_publish.yml
index 992d5db..b956377 100644
--- a/.github/workflows/release_publish.yml
+++ b/.github/workflows/release_publish.yml
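Review bot: `secrets: inherit` on the new `Bump` job forwards every secret this workflow can see, including the `CI_TOKEN` the removed steps used for checkout and `gh pr create`, to a workflow in another repository resolved at the mutable `@mainline` ref; if `reusable_bump.yml` declares the secrets it needs, pass them explicitly, e.g. `secrets:` followed by `CI_TOKEN: ${{ secrets.CI_TOKEN }}`, so the grant is minimal and visible in this file. The removed inline job also scoped itself with `permissions: contents: write` / `pull-requests: write` and `environment: release`; a job that calls a reusable workflow cannot set `environment`, and the new job sets no `permissions`, so it is worth confirming the callee's jobs carry both, otherwise the token it receives follows this workflow's defaults. The removed shell interpolated `${{ inputs.force_version_bump }}` directly into `BUMP_ARGS`; if the callee does the same, it should validate the value against the allowed bump levels rather than splice it into the command line. Like code_quality.yml, the file now ends without a trailing newline.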
@@ -12,188 +12,36 @@ concurrency: group: release jobs: - VerifyCommit: - runs-on: ubuntu-latest - permissions: - contents: read - steps: - - name: Checkout - uses: actions/checkout@v4 - with: - ref: ${{ github.ref }} - fetch-depth: 0 - - - name: VerifyAuthor - run: | - EXPECTED_AUTHOR="129794699+client-software-ci@users.noreply.github.com" - AUTHOR=$(git show -s --format='%ae' HEAD) - if [[ $AUTHOR != $EXPECTED_AUTHOR ]]; then - echo "ERROR: Expected author email to be '$EXPECTED_AUTHOR', but got '$AUTHOR'. Aborting release." - exit 1 - else - echo "Verified author email ($AUTHOR) is as expected ($EXPECTED_AUTHOR)" - fi - - Release: - needs: VerifyCommit - runs-on: ubuntu-latest - environment: release + Publish: + name: Publish Release permissions: id-token: write contents: write - steps: - - name: Checkout - uses: actions/checkout@v4 - with: - ref: release - fetch-depth: 0 - token: ${{ secrets.CI_TOKEN }} - - - name: Set up Python - uses: actions/setup-python@v5 - with: - python-version: '3.9' - - - name: ConfigureGit - run: | - git config --local user.email "129794699+client-software-ci@users.noreply.github.com" - git config --local user.name "client-software-ci" - - - name: MergePushRelease - run: | - git merge --ff-only origin/mainline -v - git push origin release - - - name: PrepRelease - id: prep-release - run: | - COMMIT_TITLE=$(git show -s --format='%s' HEAD) - NEXT_SEMVER=$(python -c 'import sys, re; print(re.match(r"chore\(release\): ([0-9]+\.[0-9]+\.[0-9]+).*", sys.argv[1]).group(1))' "$COMMIT_TITLE") - - # The format of the tag must match the pattern in pyproject.toml -> tool.semantic_release.tag_format - TAG="$NEXT_SEMVER" - - git tag -a $TAG -m "Release $TAG" - - echo "TAG=$TAG" >> $GITHUB_ENV - echo "NEXT_SEMVER=$NEXT_SEMVER" >> $GITHUB_ENV - { - echo 'RELEASE_NOTES<> $GITHUB_ENV - - # Tag must be made before building so the generated _version.py files have the correct version - - name: Build - run: | - pip install --upgrade hatch - hatch -v build - 
- - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{ secrets.AWS_PGP_KEY_SECRET_ROLE }} - aws-region: us-west-2 - mask-aws-account-id: true - - - name: Import PGP Key - run: | - export SECRET_STRING="$(aws secretsmanager get-secret-value --secret-id ${{ secrets.AWS_PGP_KEY_SECRET }} --query 'SecretString')" - printenv SECRET_STRING | jq -r '. | fromjson | .PrivateKey' | gpg --batch --pinentry-mode loopback --import --armor - - PGP_KEY_PASSPHRASE=$(printenv SECRET_STRING | jq -r '. | fromjson | .Passphrase') - echo "::add-mask::$PGP_KEY_PASSPHRASE" - echo "PGP_KEY_PASSPHRASE=$PGP_KEY_PASSPHRASE" >> $GITHUB_ENV - - - name: Sign - run: | - for file in dist/*; do - printenv PGP_KEY_PASSPHRASE | gpg --batch --pinentry-mode loopback --local-user "AWS Deadline Cloud" --passphrase-fd 0 --output $file.sig --detach-sign $file - echo "Created signature file for $file" - done - - - name: PushRelease - env: - GH_TOKEN: ${{ secrets.CI_TOKEN }} - run: | - git push origin $TAG - gh release create $TAG dist/* --notes "$RELEASE_NOTES" - - PublishToInternal: - needs: Release - runs-on: ubuntu-latest - environment: release - permissions: - id-token: write - steps: - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{ secrets.AWS_CODEBUILD_RELEASE_PUBLISH_ROLE }} - aws-region: us-west-2 - mask-aws-account-id: true - - - name: Run CodeBuild - uses: aws-actions/aws-codebuild-run-build@v1 - with: - project-name: ${{ github.event.repository.name }}-release-Publish - hide-cloudwatch-logs: true - - PublishToRepository: - needs: Release + uses: aws-deadline/.github/.github/workflows/reusable_publish.yml@mainline + secrets: inherit + # PyPI does not support reusable workflows yet + # # See https://github.com/pypi/warehouse/issues/11096 + PublishToPyPI: + needs: Publish runs-on: ubuntu-latest environment: release permissions: id-token: write - contents: read - env: - 
CODEARTIFACT_REGION: "us-west-2" - CODEARTIFACT_DOMAIN: ${{ secrets.CODEARTIFACT_DOMAIN }} - CODEARTIFACT_ACCOUNT_ID: ${{ secrets.CODEARTIFACT_ACCOUNT_ID }} - CODEARTIFACT_REPOSITORY: ${{ secrets.CODEARTIFACT_REPOSITORY }} - CUSTOMER_DOMAIN: ${{ secrets.CUSTOMER_DOMAIN }} - CUSTOMER_REPOSITORY: ${{ secrets.CUSTOMER_REPOSITORY }} steps: - name: Checkout uses: actions/checkout@v4 with: ref: release fetch-depth: 0 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{ secrets.AWS_CODEARTIFACT_ROLE }} - aws-region: us-west-2 - mask-aws-account-id: true - - name: Set up Python uses: actions/setup-python@v5 with: python-version: '3.9' - - name: Install dependencies run: | pip install --upgrade hatch - pip install --upgrade twine - - name: Build run: hatch -v build - - - name: Publish to Repository - run: | - export TWINE_USERNAME=aws - export TWINE_PASSWORD=`aws codeartifact get-authorization-token --domain ${{ secrets.CODEARTIFACT_DOMAIN }} --domain-owner ${{ secrets.CODEARTIFACT_ACCOUNT_ID }} --query authorizationToken --output text` - export TWINE_REPOSITORY_URL=`aws codeartifact get-repository-endpoint --domain ${{ secrets.CODEARTIFACT_DOMAIN }} --domain-owner ${{ secrets.CODEARTIFACT_ACCOUNT_ID }} --repository ${{ secrets.CODEARTIFACT_REPOSITORY }} --format pypi --query repositoryEndpoint --output text` - twine upload dist/* - - - name: Publish to Customer Repository - run: | - export TWINE_USERNAME=aws - export TWINE_PASSWORD=`aws codeartifact get-authorization-token --domain ${{ secrets.CUSTOMER_DOMAIN }} --domain-owner ${{ secrets.CODEARTIFACT_ACCOUNT_ID }} --query authorizationToken --output text` - export TWINE_REPOSITORY_URL=`aws codeartifact get-repository-endpoint --domain ${{ secrets.CUSTOMER_DOMAIN }} --domain-owner ${{ secrets.CODEARTIFACT_ACCOUNT_ID }} --repository ${{ secrets.CUSTOMER_REPOSITORY }} --format pypi --query repositoryEndpoint --output text` - twine upload dist/* - # # See 
https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-pypi
 - name: Publish to PyPI
 uses: pypa/gh-action-pypi-publish@release/v1
diff --git a/.github/workflows/reuse_python_build.yml b/.github/workflows/reuse_python_build.yml
deleted file mode 100644
index 668da9f..0000000
--- a/.github/workflows/reuse_python_build.yml
+++ /dev/null
@@ -1,47 +0,0 @@
-name: Python Build
-
-on:
- workflow_call:
- inputs:
- branch:
- required: false
- type: string
-
-jobs:
- Python:
- runs-on: ubuntu-latest
- permissions:
- id-token: write
- contents: read
- strategy:
- matrix:
- python-version: ['3.9', '3.10', '3.11']
- env:
- PYTHON: ${{ matrix.python-version }}
- steps:
- - uses: actions/checkout@v4
- if: ${{ !inputs.branch }}
-
- - uses: actions/checkout@v4
- if: ${{ inputs.branch }}
- with:
- ref: ${{ inputs.branch }}
- fetch-depth: 0
-
- - name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v5
- with:
- python-version: ${{ matrix.python-version }}
-
- - name: Install Hatch
- run: |
- pip install --upgrade hatch
-
- - name: Run Linting
- run: hatch -v run lint
-
- - name: Run Build
- run: hatch -v build
-
- - name: Run Tests
- run: hatch run test
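Review bot: The new `PublishToPyPI` job checks out `ref: release` and runs `hatch -v build` again, so what `pypa/gh-action-pypi-publish` uploads is a fresh build rather than the `dist/*` files the removed `Sign` step detach-signed and attached to the GitHub release; unless `reusable_publish.yml` now does the signing and exposes those artifacts, the PyPI distribution and the signed release asset can differ. If the callee publishes its `dist/` with `actions/upload-artifact`, fetching it here with `actions/download-artifact` instead of rebuilding keeps the two releases byte-identical and removes a build step from a job that holds `id-token: write`. The `VerifyCommit` author check and the `environment: release` gate of the removed `Release` job are no longer visible in this file, and `PublishToPyPI` only `needs: Publish`; please confirm the callee still enforces both before it tags and pushes, since that is the step that turns a branch head into a public release. The `Publish` job grants `contents: write`, `id-token: write` and `secrets: inherit` to the `@mainline` reference raised at the code_quality.yml hunk, which is the strongest reason to pin that ref. The `# # See https://github.com/pypi/warehouse/issues/11096` line appears to carry a doubled `#`; if that is what is in the file, `# See https://github.com/pypi/warehouse/issues/11096` reads cleaner.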