-
Notifications
You must be signed in to change notification settings - Fork 407
317 lines (288 loc) · 11.1 KB
/
publish_v2_layer.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
name: Deploy v2 layer to all regions
# PROCESS
#
# 1. Compile Layer using cdk-aws-lambda-powertools-layer CDK construct for x86_64 and ARM (uses custom runner as it's CPU heavy)
# 2. Kick off pipeline for beta, prod, and canary releases
# 3. Create PR to update trunk so staged docs also point to the latest Layer ARN, when merged
# 4. Builds and publishes docs with latest Layer ARN using given version (generally coming from release)
# USAGE
#
# NOTE: meant to be used with ./.github/workflows/release.yml
#
# publish_layer:
# needs: [seal, release, create_tag]
# secrets: inherit
# permissions:
# id-token: write
# contents: write
# pages: write
# pull-requests: write
# uses: ./.github/workflows/publish_v2_layer.yml
# with:
# latest_published_version: ${{ needs.seal.outputs.RELEASE_VERSION }}
# pre_release: ${{ inputs.pre_release }}
# source_code_artifact_name: ${{ needs.seal.outputs.artifact_name }}
# source_code_integrity_hash: ${{ needs.seal.outputs.integrity_hash }}
on:
workflow_dispatch:
inputs:
latest_published_version:
description: "Latest PyPi published version to rebuild latest docs for, e.g. 2.0.0, 2.0.0a1 (pre-release)"
required: true
source_code_artifact_name:
description: "Artifact name to restore sealed source code"
type: string
required: true
source_code_integrity_hash:
description: "Sealed source code integrity hash"
type: string
required: true
pre_release:
description: "Publishes documentation using a pre-release tag (2.0.0a1)."
default: false
type: boolean
required: false
workflow_call:
inputs:
latest_published_version:
type: string
description: "Latest PyPi published version to rebuild latest docs for, e.g. 2.0.0, 2.0.0a1 (pre-release)"
required: true
pre_release:
description: "Publishes documentation using a pre-release tag (2.0.0a1)."
default: false
type: boolean
required: false
source_code_artifact_name:
description: "Artifact name to restore sealed source code"
type: string
required: true
source_code_integrity_hash:
description: "Sealed source code integrity hash"
type: string
required: true
permissions:
contents: read
env:
RELEASE_COMMIT: ${{ github.sha }}
jobs:
build-layer:
permissions:
# lower privilege propagated from parent workflow (release.yml)
contents: read
id-token: write
pages: none
pull-requests: none
runs-on: aws-powertools_ubuntu-latest_8-core
defaults:
run:
working-directory: ./layer
steps:
- name: checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ env.RELEASE_COMMIT }}
- name: Restore sealed source code
uses: ./.github/actions/seal-restore
with:
integrity_hash: ${{ inputs.source_code_integrity_hash }}
artifact_name: ${{ inputs.source_code_artifact_name }}
- name: Install poetry
run: pipx install git+https://github.com/python-poetry/poetry@bd500dd3bdfaec3de6894144c9cedb3a9358be84 # v2.0.1
- name: Setup Node.js
uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
with:
node-version: "16.12"
- name: Setup python
uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
with:
python-version: "3.12"
cache: "pip"
- name: Resolve and install project dependencies
# CDK spawns system python when compiling stack
# therefore it ignores both activated virtual env and cached interpreter by GH
run: |
poetry export --format requirements.txt --output requirements.txt
pip install --require-hashes -r requirements.txt
- name: Set up QEMU
uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v2.0.0
with:
platforms: arm64
# NOTE: we need QEMU to build Layer against a different architecture (e.g., ARM)
- name: Set up Docker Buildx
id: builder
uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
with:
install: true
driver: docker
platforms: linux/amd64,linux/arm64
- name: Install CDK
working-directory: ./
run: |
npm ci
npx cdk --version
# Baking time for PyPi eventual consistency; 60s seemed more than enough
# https://github.com/aws-powertools/powertools-lambda-python/issues/2491
- name: Baking time (PyPi)
run: sleep 60
- name: CDK build
run: npx cdk synth --verbose --context version="${{ inputs.latest_published_version }}" -o cdk.out
- name: zip output
run: zip -r cdk.out.zip cdk.out
- name: Archive CDK artifacts
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: cdk-layer-artefact
path: layer/cdk.out.zip
beta:
needs: build-layer
# lower privilege propagated from parent workflow (release.yml)
permissions:
id-token: write
contents: read
pages: write # docs will be updated with latest Layer ARNs
pull-requests: write # creation-action will create a PR with Layer ARN updates
uses: ./.github/workflows/reusable_deploy_v2_layer_stack.yml
secrets: inherit
with:
stage: "BETA"
artefact-name: "cdk-layer-artefact"
environment: "layer-beta"
latest_published_version: ${{ inputs.latest_published_version }}
source_code_artifact_name: ${{ inputs.source_code_artifact_name }}
source_code_integrity_hash: ${{ inputs.source_code_integrity_hash }}
prod:
needs: beta
# lower privilege propagated from parent workflow (release.yml)
permissions:
id-token: write
contents: read
pages: write # docs will be updated with latest Layer ARNs
pull-requests: write # creation-action will create a PR with Layer ARN updates
uses: ./.github/workflows/reusable_deploy_v2_layer_stack.yml
secrets: inherit
with:
stage: "PROD"
artefact-name: "cdk-layer-artefact"
environment: "layer-prod"
latest_published_version: ${{ inputs.latest_published_version }}
source_code_artifact_name: ${{ inputs.source_code_artifact_name }}
source_code_integrity_hash: ${{ inputs.source_code_integrity_hash }}
sar-beta:
needs: beta # canaries run on Layer Beta env
permissions:
# lower privilege propagated from parent workflow (release.yml)
id-token: write
contents: read
pull-requests: none
pages: none
uses: ./.github/workflows/reusable_deploy_v2_sar.yml
secrets: inherit
with:
stage: "BETA"
artefact-name: "cdk-layer-artefact"
environment: "layer-beta"
package-version: ${{ inputs.latest_published_version }}
source_code_artifact_name: ${{ inputs.source_code_artifact_name }}
source_code_integrity_hash: ${{ inputs.source_code_integrity_hash }}
sar-prod:
needs: sar-beta
permissions:
# lower privilege propagated from parent workflow (release.yml)
id-token: write
contents: read
pull-requests: none
pages: none
uses: ./.github/workflows/reusable_deploy_v2_sar.yml
secrets: inherit
with:
stage: "PROD"
artefact-name: "cdk-layer-artefact"
environment: "layer-prod"
package-version: ${{ inputs.latest_published_version }}
source_code_artifact_name: ${{ inputs.source_code_artifact_name }}
source_code_integrity_hash: ${{ inputs.source_code_integrity_hash }}
# Updating the documentation with the latest Layer ARNs is a two-phase process
#
# 1. Update layer ARNs with latest deployed locally and create a PR with these changes
# 2. Pull from temporary branch with these changes and update the docs we're releasing
#
# This keeps our permissions tight and we don't run into a conflict,
# where a new release creates a new doc (2.16.0) while layers are still pointing to 2.15
# because the PR has to be merged while release process is running
update_v2_layer_arn_docs:
needs: prod
outputs:
temp_branch: ${{ steps.create-pr.outputs.temp_branch }}
runs-on: ubuntu-latest
permissions:
# lower privilege propagated from parent workflow (release.yml)
contents: write
pull-requests: write
id-token: none
pages: none
steps:
- name: Checkout repository # reusable workflows start clean, so we need to checkout again
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ env.RELEASE_COMMIT }}
- name: Restore sealed source code
uses: ./.github/actions/seal-restore
with:
integrity_hash: ${{ inputs.source_code_integrity_hash }}
artifact_name: ${{ inputs.source_code_artifact_name }}
- name: Download CDK layer artifacts
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
path: cdk-layer-stack
pattern: cdk-layer-stack-* # merge all Layer artifacts created per region earlier (reusable_deploy_v2_layer_stack.yml; step "Save Layer ARN artifact")
merge-multiple: true
- name: Replace layer versions in documentation
run: |
ls -la cdk-layer-stack/
./layer/scripts/update_layer_arn.sh cdk-layer-stack
# NOTE: It felt unnecessary creating yet another PR to update changelog w/ latest tag
# since this is the only step in the release where we update docs from a temp branch
- name: Update changelog with latest tag
run: make changelog
- name: Create PR
id: create-pr
uses: ./.github/actions/create-pr
with:
files: "docs/index.md examples CHANGELOG.md"
temp_branch_prefix: "ci-layer-docs"
pull_request_title: "chore(ci): layer docs update"
github_token: ${{ secrets.GITHUB_TOKEN }}
prepare_docs_alias:
runs-on: ubuntu-latest
permissions:
# lower privilege propagated from parent workflow (release.yml)
contents: read
pages: none
id-token: none
pull-requests: none
outputs:
DOCS_ALIAS: ${{ steps.set-alias.outputs.DOCS_ALIAS }}
steps:
- name: Set docs alias
id: set-alias
run: |
DOCS_ALIAS=latest
if [[ "${{ inputs.pre_release }}" == true ]] ; then
DOCS_ALIAS=alpha
fi
echo DOCS_ALIAS="$DOCS_ALIAS" >> "$GITHUB_OUTPUT"
release_docs:
needs: [update_v2_layer_arn_docs, prepare_docs_alias]
permissions:
# lower privilege propagated from parent workflow (release.yml)
contents: write
pages: write
pull-requests: none
id-token: write
secrets: inherit
uses: ./.github/workflows/reusable_publish_docs.yml
with:
version: ${{ inputs.latest_published_version }}
alias: ${{ needs.prepare_docs_alias.outputs.DOCS_ALIAS }}
git_ref: ${{ needs.update_v2_layer_arn_docs.outputs.temp_branch }}