forked from aws-powertools/powertools-lambda-python
-
Notifications
You must be signed in to change notification settings - Fork 0
258 lines (243 loc) · 8.86 KB
/
publish_v2_layer.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
name: Deploy v2 layer to all regions
# PROCESS
#
# 1. Compile Layer using cdk-aws-lambda-powertools-layer CDK construct for x86 and ARM (uses custom runner as it's CPU heavy)
# 2. Kick off pipeline for beta, prod, and canary releases
# 3. Create PR to update trunk so staged docs also point to the latest Layer ARN, when merged
# 4. Builds and publishes docs with latest Layer ARN using given version (generally coming from release)
# USAGE
#
# NOTE: meant to be used with ./.github/workflows/release.yml
#
# publish_layer:
# needs: [seal, release, create_tag]
# secrets: inherit
# permissions:
# id-token: write
# contents: write
# pages: write
# pull-requests: write
# uses: ./.github/workflows/publish_v2_layer.yml
# with:
# latest_published_version: ${{ needs.seal.outputs.RELEASE_VERSION }}
# pre_release: ${{ inputs.pre_release }}
on:
workflow_dispatch:
inputs:
latest_published_version:
description: "Latest PyPi published version to rebuild latest docs for, e.g. 2.0.0, 2.0.0a1 (pre-release)"
required: true
pre_release:
description: "Publishes documentation using a pre-release tag (2.0.0a1)."
default: false
type: boolean
required: false
workflow_call:
inputs:
latest_published_version:
type: string
description: "Latest PyPi published version to rebuild latest docs for, e.g. 2.0.0, 2.0.0a1 (pre-release)"
required: true
pre_release:
description: "Publishes documentation using a pre-release tag (2.0.0a1)."
default: false
type: boolean
required: false
jobs:
build-layer:
permissions:
# lower privilege propagated from parent workflow (release.yml)
contents: read
id-token: write
pages: none
pull-requests: none
runs-on: aws-lambda-powertools_ubuntu-latest_8-core
defaults:
run:
working-directory: ./layer
steps:
- name: checkout
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
fetch-depth: 0
- name: Install poetry
run: pipx install poetry
- name: Setup Node.js
uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
with:
node-version: "16.12"
- name: Setup python
uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1
with:
python-version: "3.10"
cache: "pip"
- name: Resolve and install project dependencies
# CDK spawns system python when compiling stack
# therefore it ignores both activated virtual env and cached interpreter by GH
run: |
poetry export --format requirements.txt --output requirements.txt
pip install -r requirements.txt
- name: Set up QEMU
uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.0.0
with:
platforms: arm64
# NOTE: we need QEMU to build Layer against a different architecture (e.g., ARM)
- name: Set up Docker Buildx
id: builder
uses: docker/setup-buildx-action@ecf95283f03858871ff00b787d79c419715afc34 # v2.7.0
with:
install: true
driver: docker
platforms: linux/amd64,linux/arm64
- name: install cdk and deps
working-directory: ./
run: |
npm install
npx cdk --version
- name: CDK build
run: npx cdk synth --verbose --context version="${{ inputs.latest_published_version }}" -o cdk.out
- name: zip output
run: zip -r cdk.out.zip cdk.out
- name: Archive CDK artifacts
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: cdk-layer-artefact
path: layer/cdk.out.zip
beta:
needs: build-layer
# lower privilege propagated from parent workflow (release.yml)
permissions:
id-token: write
contents: read
pages: write # docs will be updated with latest Layer ARNs
pull-requests: write # creation-action will create a PR with Layer ARN updates
uses: ./.github/workflows/reusable_deploy_v2_layer_stack.yml
secrets: inherit
with:
stage: "BETA"
artefact-name: "cdk-layer-artefact"
environment: "layer-beta"
latest_published_version: ${{ inputs.latest_published_version }}
prod:
needs: beta
# lower privilege propagated from parent workflow (release.yml)
permissions:
id-token: write
contents: read
pages: write # docs will be updated with latest Layer ARNs
pull-requests: write # creation-action will create a PR with Layer ARN updates
uses: ./.github/workflows/reusable_deploy_v2_layer_stack.yml
secrets: inherit
with:
stage: "PROD"
artefact-name: "cdk-layer-artefact"
environment: "layer-prod"
latest_published_version: ${{ inputs.latest_published_version }}
sar-beta:
needs: beta # canaries run on Layer Beta env
permissions:
# lower privilege propagated from parent workflow (release.yml)
id-token: write
contents: read
pull-requests: none
pages: none
uses: ./.github/workflows/reusable_deploy_v2_sar.yml
secrets: inherit
with:
stage: "BETA"
artefact-name: "cdk-layer-artefact"
environment: "layer-beta"
package-version: ${{ inputs.latest_published_version }}
sar-prod:
needs: sar-beta
permissions:
# lower privilege propagated from parent workflow (release.yml)
id-token: write
contents: read
pull-requests: none
pages: none
uses: ./.github/workflows/reusable_deploy_v2_sar.yml
secrets: inherit
with:
stage: "PROD"
artefact-name: "cdk-layer-artefact"
environment: "layer-prod"
package-version: ${{ inputs.latest_published_version }}
# Updating the documentation with the latest Layer ARNs is a two-phase process
#
# 1. Update layer ARNs with latest deployed locally and create a PR with these changes
# 2. Pull from temporary branch with these changes and update the docs we're releasing
#
# This keeps our permissions tight and we don't run into a conflict,
# where a new release creates a new doc (2.16.0) while layers are still pointing to 2.15
# because the PR has to be merged while release process is running
update_v2_layer_arn_docs:
needs: prod
outputs:
temp_branch: ${{ steps.create-pr.outputs.temp_branch }}
runs-on: ubuntu-latest
permissions:
# lower privilege propagated from parent workflow (release.yml)
contents: write
pull-requests: write
id-token: none
pages: none
steps:
- name: Checkout repository # reusable workflows start clean, so we need to checkout again
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
fetch-depth: 0
- name: Download CDK layer artifact
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: cdk-layer-stack
path: cdk-layer-stack/
- name: Replace layer versions in documentation
run: |
ls -la cdk-layer-stack/
./layer/scripts/update_layer_arn.sh cdk-layer-stack
# NOTE: It felt unnecessary creating yet another PR to update changelog w/ latest tag
# since this is the only step in the release where we update docs from a temp branch
- name: Update changelog with latest tag
run: make changelog
- name: Create PR
id: create-pr
uses: ./.github/actions/create-pr
with:
files: "docs/index.md examples CHANGELOG.md"
temp_branch_prefix: "ci-layer-docs"
pull_request_title: "chore(ci): layer docs update"
github_token: ${{ secrets.GITHUB_TOKEN }}
prepare_docs_alias:
runs-on: ubuntu-latest
permissions:
# lower privilege propagated from parent workflow (release.yml)
contents: read
pages: none
id-token: none
pull-requests: none
outputs:
DOCS_ALIAS: ${{ steps.set-alias.outputs.DOCS_ALIAS }}
steps:
- name: Set docs alias
id: set-alias
run: |
DOCS_ALIAS=latest
if [[ "${{ inputs.pre_release }}" == true ]] ; then
DOCS_ALIAS=alpha
fi
echo DOCS_ALIAS="$DOCS_ALIAS" >> "$GITHUB_OUTPUT"
release_docs:
needs: [update_v2_layer_arn_docs, prepare_docs_alias]
permissions:
# lower privilege propagated from parent workflow (release.yml)
contents: write
pages: write
pull-requests: none
id-token: write
secrets: inherit
uses: ./.github/workflows/reusable_publish_docs.yml
with:
version: ${{ inputs.latest_published_version }}
alias: ${{ needs.prepare_docs_alias.outputs.DOCS_ALIAS }}
git_ref: ${{ needs.update_v2_layer_arn_docs.outputs.temp_branch }}