Skip to content

Build publish lambda layer #60

Build publish lambda layer

Build publish lambda layer #60

# Copyright (c) 2023 SolarWinds, LLC.
# All rights reserved.
name: Build publish lambda layer
on:
workflow_dispatch:
inputs:
solarwinds-source:
required: true
description: 'solarwinds_apm source for build layers, e.g. RubyGem, Local'
type: choice
default: 'RubyGem'
options:
- RubyGem
- Local
publish-dest:
required: true
description: 'Publish destination, one of: staging, production'
type: choice
default: 'staging'
options:
- staging
- production
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
jobs:
# build layer on arm64 and amd64, then upload to artifacts
# act -j build_layer --container-architecture linux/arm64
build_layer:
strategy:
matrix:
arch:
- x86_64
- arm64
runs-on: ${{ matrix.arch == 'arm64' && fromJSON('{"group":"apm-arm-runner"}') || 'ubuntu-latest' }}
steps:
- uses: actions/checkout@v4
- name: Build ruby lambda layer
run: |
uname -a
./build.sh
shell: bash
working-directory: lambda/
env:
GITHUB_RUBY_TOKEN: ${{ secrets.PACKAGE_GITHUB_TOKEN }}
MATRIX_ARCH: ${{ matrix.arch }}
SOLARWINDS_SOURCE: ${{ github.event.inputs.solarwinds-source }}
- name: Show directory contents
run: |
ls -al
working-directory: lambda/
- name: Upload to artifact
uses: actions/upload-artifact@v4
with:
name: ruby-layer-${{ matrix.arch }}.zip
path: lambda/build/ruby-layer-${{ matrix.arch }}.zip
# extract the built layer from artifacts, then scan it with reverselab
reverselab_scan_layer:
needs:
- build_layer
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
arch:
- x86_64
- arm64
steps:
- uses: actions/checkout@v4
- name: extract layer zip from artifacts
uses: actions/download-artifact@v4
with:
name: ruby-layer-${{ matrix.arch }}.zip
path: lambda
- name: extract current solarwinds_apm version
run: |
APM_VERSION=$(grep "gem 'solarwinds_apm'" lambda/otel/layer/Gemfile | awk -F"'" '{print $4}')
echo "SOLARWINDS_APM_VERSION=$APM_VERSION" >> $GITHUB_ENV
- name: Scan build artifact on the Portal ${{ matrix.arch }}
id: rl-scan
env:
RLPORTAL_ACCESS_TOKEN: ${{ secrets.REVERSE_LAB_TOKEN }}
uses: reversinglabs/gh-action-rl-scanner-cloud-only@v1
with:
artifact-to-scan: ./lambda/ruby-layer-${{ matrix.arch }}.zip
rl-verbose: true
rl-portal-server: solarwinds
rl-portal-org: SolarWinds
rl-portal-group: SaaS-Agents-SWO
rl-package-url: solarwinds-apm-ruby/apm-ruby-lambda-layer-${{ matrix.arch }}@${{ env.SOLARWINDS_APM_VERSION }}
- name: report the scan status
if: success() || failure()
run: |
echo "The status is: '${{ steps.rl-scan.outputs.status }}'"
echo "The description is: '${{ steps.rl-scan.outputs.description }}'"
# extract the built layer from artifacts, then publish it based on region
publish_layer:
needs:
- build_layer
runs-on: ubuntu-latest
strategy:
matrix:
aws_region:
- ap-northeast-1
- ap-northeast-2
- ap-south-1
- ap-southeast-1
- ap-southeast-2
- ca-central-1
- eu-central-1
- eu-north-1
- eu-west-1
- eu-west-2
- eu-west-3
- sa-east-1
- us-east-1
- us-east-2
- us-west-1
- us-west-2
arch:
- x86_64
- arm64
steps:
- uses: actions/checkout@v4
- name: configure AWS ${{ inputs.publish-dest }} credential
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ inputs.publish-dest == 'production' && secrets.LAMBDA_PUBLISHER_ARN_PROD || inputs.publish-dest == 'staging' && secrets.LAMBDA_PUBLISHER_ARN_STAGING }}
aws-region: ${{ matrix.aws_region }}
- name: extract layer zip from artifacts
uses: actions/download-artifact@v4
with:
name: ruby-layer-${{ matrix.arch }}.zip
path: lambda
- name: extract current solarwinds_apm version
run: |
APM_VERSION=$(grep "gem 'solarwinds_apm'" lambda/otel/layer/Gemfile | awk -F"'" '{print $4}')
APM_VERSION="${APM_VERSION//./_}"
echo "SOLARWINDS_APM_VERSION=$APM_VERSION" >> $GITHUB_ENV
- name: publish lambda layer
run: |
cd lambda/
aws lambda publish-layer-version \
--layer-name solarwinds-apm-ruby-${{ matrix.arch }}-${{ env.SOLARWINDS_APM_VERSION }} \
--license-info "Apache 2.0" \
--compatible-architectures ${{ matrix.arch }} \
--compatible-runtimes ruby3.2 ruby3.3 \
--zip-file fileb://ruby-layer-${{ matrix.arch }}.zip \
--query 'LayerVersionArn' \
--compatible-architectures ${{ matrix.arch }} \
--output text
- name: grant permissions to public for the published layer
run: |
layer_name=solarwinds-apm-ruby-${{ matrix.arch }}-${{ env.SOLARWINDS_APM_VERSION }}
latest_version=$(aws lambda list-layer-versions --layer-name $layer_name | jq -r '.LayerVersions | max_by(.Version) | .Version')
aws lambda add-layer-version-permission \
--layer-name $layer_name \
--statement-id apm-ruby-add-permission \
--action lambda:GetLayerVersion \
--principal '*' \
--version-number $latest_version \
--output text