Skip to content

chore: Migrate CodeBuild release to GHA (without publishing step) #1614

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 25 commits into
base: master
Choose a base branch
from
Open

chore: Migrate CodeBuild release to GHA (without publishing step) #1614

Changes from 7 commits
Commits
Show all changes
25 commits
Select commit Hold shift + click to select a range
72227f1
m
Oct 29, 2025
02c7123
m
Oct 29, 2025
7ca039a
m
Oct 29, 2025
365996b
m
Oct 29, 2025
df6b270
m
Oct 29, 2025
e6c405e
m
Oct 29, 2025
5b998e3
m
Oct 29, 2025
60f39e3
m
Oct 29, 2025
baf3332
m
Oct 29, 2025
628f323
m
Oct 29, 2025
d4c6696
m
Oct 29, 2025
39efcd5
m
Oct 29, 2025
b8599e5
m
Oct 29, 2025
fd51dd2
m
Oct 29, 2025
9ac58d2
m
Nov 3, 2025
8e7815a
m
Nov 3, 2025
7c0f63c
m
Nov 3, 2025
998c005
m
Nov 3, 2025
cdd94f2
m
Nov 3, 2025
c003499
m
Nov 11, 2025
7d2ba4e
Potential fix for code scanning alert no. 20: Workflow does not conta…
lucasmcdonald3 Nov 12, 2025
eee7525
Potential fix for code scanning alert no. 21: Workflow does not conta…
lucasmcdonald3 Nov 12, 2025
e435e39
m
Nov 12, 2025
9b96e91
m
Nov 12, 2025
41af56a
m
Nov 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
230 changes: 230 additions & 0 deletions .github/workflows/prod-release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,230 @@
name: Release

on:
# TODO: remove pull_request once tested in PR
pull_request:
workflow_dispatch:
inputs:
version_bump:
required: false
description: '[Optional] Override semantic versioning with explict version (allowed values: "patch", "minor", "major", or explicit version)'
default: ''
dist_tag:
description: 'NPM distribution tag'
required: false
default: 'latest'
branch:
description: 'The branch to release from'
required: false
default: 'master'

env:
NODE_OPTIONS: "--max-old-space-size=4096"
NPM_CONFIG_UNSAFE_PERM: true

jobs:
compliance:
Copy link
Contributor

@seebees seebees Oct 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do these need to come first? Can we break this up maybe? To have the publishing things come first?

Copy link
Contributor Author

@lucasmcdonald3 lucasmcdonald3 Nov 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need some validations to come first:

  1. Pre-publish validation that the head of main is healthy
  2. Publish
  3. Post-publish validation on the published artifact

runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
submodules: true

- name: Setup Node.js 18
uses: actions/setup-node@v4
with:
node-version: '18'
cache: 'npm'

- name: Install dependencies
run: npm ci --unsafe-perm

- name: Run compliance checks
run: |
npm run lint
npm run test_conditions

test-nodejs20:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
submodules: true

- name: Setup Node.js 20
uses: actions/setup-node@v4
with:
node-version: '20'
cache: 'npm'

- name: Configure AWS Credentials for Tests
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: us-west-2
role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2
role-session-name: JavaScriptTests

- name: Install dependencies and build
run: |
npm ci --unsafe-perm
npm run build

- name: Run Node.js tests
run: npm run coverage-node

test-browser18:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
submodules: true

- name: Setup Node.js 18
uses: actions/setup-node@v4
with:
node-version: '18'
cache: 'npm'

- name: Configure AWS Credentials for Tests
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: us-west-2
role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2
role-session-name: JavaScriptTests

- name: Install dependencies and build
run: |
npm ci --unsafe-perm
npm run build

- name: Run browser tests
run: npm run coverage-browser

test-vectors-nodejs20:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
submodules: true

- name: Setup Node.js 20
uses: actions/setup-node@v4
with:
node-version: '20'
cache: 'npm'

- name: Configure AWS Credentials for Tests
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: us-west-2
role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2
role-session-name: JavaScriptTests

- name: Install dependencies and build
run: |
npm ci --unsafe-perm
npm run build

- name: Run integration tests with local publish
env:
PUBLISH_LOCAL: "true"
run: |
npm run verdaccio-publish
npm run verdaccio-node-decrypt
npm run verdaccio-node-encrypt

test-vectors-browser18:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
submodules: true

- name: Setup Node.js 18
uses: actions/setup-node@v4
with:
node-version: '18'
cache: 'npm'

- name: Configure AWS Credentials for Tests
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: us-west-2
role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2
role-session-name: JavaScriptTests

- name: Install dependencies and build
run: |
npm ci --unsafe-perm
npm run build

- name: Run integration tests with local publish
env:
PUBLISH_LOCAL: "true"
run: |
npm run verdaccio-publish
npm run verdaccio-browser-decrypt
npm run verdaccio-browser-encrypt

# Once all tests have passed, run semantic versioning
version:
runs-on: ubuntu-latest
needs: [compliance, test-nodejs20, test-browser18, test-vectors-nodejs20, test-vectors-browser18]
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
submodules: true

- name: Setup Node.js 16
Copy link
Contributor

@seebees seebees Oct 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why 16?

Copy link
Contributor Author

@lucasmcdonald3 lucasmcdonald3 Nov 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's what the CodeBuild uses today

uses: actions/setup-node@v4
with:
node-version: '16'
cache: 'npm'

- name: Install dependencies
run: npm ci --unsafe-perm

- name: Configure git
env:
BRANCH: ${{ github.event.inputs.branch }}
VERSION_BUMP: ${{ github.event.inputs.version_bump }}
run: |
git config --global user.name "aws-crypto-tools-ci-bot"
git config --global user.email "[email protected]"
git checkout $BRANCH

- name: Version packages
run: |
npx lerna version --conventional-commits --git-remote origin --yes ${VERSION_BUMP:+$VERSION_BUMP --force-publish}
git log -n 1

# Once semantic versioning has run and bumped versions, publish to npm
# TODO: Publish step that doesn't use OTP but instead follows
# https://docs.npmjs.com/trusted-publishers

# Once publishing is complete, validate that the published packages are useable
# TODO: Publish step based on CodeBuild jobs
Loading