generated from amazon-archives/__template_MIT-0
-
Notifications
You must be signed in to change notification settings - Fork 100
333 lines (322 loc) · 12.2 KB
/
release.yml
File metadata and controls
333 lines (322 loc) · 12.2 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
# Release
#
# Description:
# Creates a release for the project
#
# 1. Runs a setup job to set needed variables (build_matrix & version)
# 2. Versions to the project and stores as an artifact
# 3. Run quality checks
# 4. Build
# 5. Publish to Maven Central
# 6. Create PR
# 7. Publish docs
#
# Inputs:
# - version (string): SemVer of the new release (X.Y.Z)
# - snapshot (bool): If it's a snapshot release, this skips versioning assets like docs
# - skip_checks (bool): Don't run quality checks if it's an emergency release
# - skip_publish (bool): Don't publish to maven central
# - continue_on_error (bool): Don't fail the workflow if a quality check fails
#
# Triggers:
# - workflow_dispatch
#
# Secrets:
# - RELEASE.GPG_SIGNING_KEY
# - RELEASE.OSSRH_JIRA_USERNAME
# - RELEASE.OSSRH_JIRA_PASSWORD
# - RELEASE.GPG_PASSPHRASE
# - DOCS.AWS_DOCS_ROLE_ARN
# - DOCS.AWS_DOCS_BUCKET
on:
workflow_dispatch:
inputs:
version:
type: string
description: Semver version to release
snapshot:
type: boolean
description: Create snapshot release
default: false
skip_checks:
type: boolean
description: Skip quality checks
default: false
skip_publish:
type: boolean
description: Skip publish to Maven Central
default: false
continue_on_error:
type: boolean
description: Continue to build if there's an error in quality checks
default: false
name: Release
run-name: Release – ${{ inputs.version }}
permissions: {}
env:
RELEASE_COMMIT: ${{ github.sha }}
RELEASE_TAG_VERSION: ${{ inputs.version }}
jobs:
setup:
runs-on: ubuntu-latest
outputs:
version: ${{ format('{0}{1}', steps.version_release.outputs.version, steps.version_snapshot.outputs.version) }}
build_matrix: ${{ format('{0}{1}', steps.build_matrix_v1.outputs.build_matrix, steps.build_matrix_v2.outputs.build_matrix) }}
steps:
- id: version_snapshot
if: ${{ inputs.snapshot }}
name: Version
run: |
echo version="$(grep -q "SNAPSHOT" <<< "${{ inputs.version }}" && echo "${{ inputs.version }}" || echo "${{ inputs.version }}-SNAPSHOT")" >> "$GITHUB_OUTPUT"
- id: version_release
if: ${{ !inputs.snapshot }}
name: Version
run: |
echo version="${{ inputs.version }}" >> "$GITHUB_OUTPUT"
- id: base
name: Base
run: |
echo build_version=$(test ${{ github.ref_name }} == "main" && echo "v2" || echo "v1") >> $GITHUB_OUTPUT
- id: build_matrix_v1
name: Build matrix (v1)
if: ${{ steps.base.outputs.build_version == 'v1' }}
run: |
echo build_matrix='["8", "11", "17", "21"]' >> "$GITHUB_OUTPUT"
- id: build_matrix_v2
name: Build matrix (v2)
if: ${{ steps.base.outputs.build_version == 'v2' }}
run: |
echo build_matrix='["11", "17", "21"]'>> "$GITHUB_OUTPUT"
version_seal:
runs-on: ubuntu-latest
needs:
- setup
permissions:
contents: read # checkout repository
outputs:
source_hash: ${{ steps.upload_source.outputs.artifact-digest }}
steps:
- id: checkout
name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- id: version
name: version
uses: ./.github/actions/version
with:
new_version: ${{ needs.setup.outputs.version }}
snapshot: ${{ inputs.snapshot}}
- id: upload_source
name: Upload artifacts
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
if-no-files-found: error
name: source
path: |
*
!.git/*
include-hidden-files: true
retention-days: 1
quality:
runs-on: aws-powertools_ubuntu-latest_8-core
needs:
- version_seal
if: ${{ inputs.skip_checks == false }}
permissions:
contents: read # checkout and run tests
steps:
- id: download_source
name: Download artifacts
uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v4.6.1
with:
name: source
- name: Setup Java
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654
with:
distribution: corretto
java-version: 21
cache: maven
# non-exhuastive, but gives a fair indication if the final build will succeed, tests will run when we build later
- name: Run unit tests
run: mvn -B test --file pom.xml
continue-on-error: ${{ inputs.continue_on_error }}
- name: Run Spotbugs
run: mvn -Pbuild-with-spotbugs -B install --file pom.xml -DskipTests -Dmaven.javadoc.skip=true -Dspotbugs.failOnError=true
continue-on-error: ${{ inputs.continue_on_error }}
- uses: pmd/pmd-github-action@d9c1f3c5940cbf5923f1354e83fa858b4496ebaa # v2.0.0
with:
rulesets: '.github/pmd-ruleset.xml'
token: ${{ secrets.GITHUB_TOKEN }}
uploadSarifReport: false
build:
runs-on: aws-powertools_ubuntu-latest_8-core
needs:
- setup
- quality
- version_seal
if: ${{ always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }}
permissions:
contents: read # download artifacts
strategy:
matrix:
java: ${{ fromJson(needs.setup.outputs.build_matrix) }}
steps:
- id: download_source
name: Download artifacts
uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v4.6.1
with:
name: source
- name: Setup Java
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654
with:
distribution: corretto
java-version: ${{ matrix.java }}
cache: maven
- id: build-maven
name: Build (Maven)
run: |
mvn -B install --file pom.xml
publish:
runs-on: aws-powertools_ubuntu-latest_8-core
if: ${{ github.repository == 'aws-powertools/powertools-lambda-java' && inputs.skip_publish == false && always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }}
needs:
- build
permissions:
contents: read # download artifacts
environment: Release
steps:
- id: download_source
name: Download artifacts
uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v4.6.1
with:
name: source
- name: Setup Java
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654
with:
distribution: corretto
java-version: 21
cache: maven
gpg-private-key: ${{ secrets.GPG_SIGNING_KEY }}
gpg-passphrase: GPG_PASSPHRASE
server-id: central
server-username: MAVEN_USERNAME
server-password: MAVEN_PASSWORD
- name: Publish package
run: mvn -Prelease clean deploy -DskipTests
env:
MAVEN_USERNAME: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
MAVEN_PASSWORD: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
create_pr:
runs-on: ubuntu-latest
if: ${{ inputs.snapshot == false && always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }}
needs:
- build
- publish
permissions:
contents: write # create tag and branch
pull-requests: write # create PR
steps:
- id: checkout
name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ env.RELEASE_COMMIT }}
- id: download_source
name: Download artifacts
uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v4.6.1
with:
name: source
- id: setup-git
name: Git client setup and refresh tip
run: |
git config user.name "Powertools for AWS Lambda (Java) Bot"
git config user.email "151832416+aws-powertools-bot@users.noreply.github.com"
git config pull.rebase true
git config remote.origin.url >&-
- id: tag
name: Create tag
run: |
git tag -a v${{ inputs.version }} -m "Release v${{ inputs.version }}"
git push origin v${{ inputs.version }}
- id: branch
name: Create branch and update change log
run: |
git checkout -b ci-${{ github.run_id }}
docker run -v "${PWD}":/workdir quay.io/git-chglog/git-chglog@sha256:c791b1e8264387690cce4ce32e18b4f59ca3ffd8d55cb4093dc6de74529493f4 > CHANGELOG.md
git commit -am "chore(ci): bump version to ${{ inputs.version }}"
git push origin ci-${{ github.run_id }}
- id: create_pr
name: Create PR
run: |
gh pr create \
--title "chore(ci): bump version to ${{ inputs.version }}" \
--body "This is an automated PR created from the following workflow: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
docs:
runs-on: ubuntu-latest
if: ${{ inputs.snapshot == false }}
needs:
- create_pr
permissions:
contents: read # checkout repository
id-token: write # OIDC for AWS credentials
environment: Docs
steps:
- id: checkout
name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
# Checkout PR branch to make sure we build the version-bumped docs
ref: ci-${{ github.run_id }}
- name: Build
run: |
mkdir -p dist
docker build -t squidfunk/mkdocs-material ./docs/
docker run --rm -t -v ${PWD}:/docs squidfunk/mkdocs-material build
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
with:
aws-region: us-east-1
role-to-assume: ${{ secrets.AWS_DOCS_ROLE_ARN }}
- name: Deploy Docs (Version)
env:
VERSION: ${{ inputs.version }}
ALIAS: 'latest'
run: |
aws s3 sync \
site/ \
s3://${{ secrets.AWS_DOCS_BUCKET }}/lambda-java/${{ env.VERSION }}/
- name: Deploy Docs (Alias)
env:
VERSION: ${{ inputs.version }}
ALIAS: 'latest'
run: |
aws s3 sync \
site/ \
s3://${{ secrets.AWS_DOCS_BUCKET }}/lambda-java/${{ env.ALIAS }}/
- name: Deploy Docs (Version JSON)
env:
VERSION: ${{ inputs.version }}
ALIAS: 'latest'
# We originally used "mike" from PyPi to manage versions for us, but since we moved to S3, we can't use it to manage versions any more.
# Instead, we're using some shell script that manages the versions.
#
# Operations:
# 1. Download the versions.json file from S3
# 2. Find any reference to the alias and delete it from the versions file
# 3. This is voodoo (don't use JQ):
# - we assign the input as $o and the new version/alias as $n,
# - we check if the version number exists in the file already (for republishing docs)
# - if it's an alias (stage/latest/*) or old version, we do nothing and output $o (original input)
# - if it's a new version number, we add it at position 0 in the array.
# 4. Once done, we'll upload it back to S3.
run: |
aws s3 cp \
s3://${{ secrets.AWS_DOCS_BUCKET }}/lambda-java/versions.json \
versions_old.json
jq 'del(.[].aliases[] | select(. == "${{ env.ALIAS }}"))' < versions_old.json > versions_proc.json
jq '. as $o | [{"title": "${{ env.VERSION }}", "version": "${{ env.VERSION }}", "aliases": ["${{ env.ALIAS }}"] }] as $n | $n | if .[0].title | test("[a-z]+") or any($o[].title == $n[0].title;.) then [($o | .[] | select(.title == $n[0].title).aliases += $n[0].aliases | . )] else $n + $o end' < versions_proc.json > versions.json
aws s3 cp \
versions.json \
s3://${{ secrets.AWS_DOCS_BUCKET }}/lambda-java/versions.json