Release: chore(release): 0.5.2 (#88) Signed-off-by: client-software-ci <[email protected]> #4
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "Release: Publish" | |
run-name: "Release: ${{ github.event.head_commit.message }}" | |
on: | |
push: | |
branches: | |
- mainline | |
paths: | |
- CHANGELOG.md | |
concurrency: | |
group: release | |
jobs: | |
VerifyCommit: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.ref }} | |
fetch-depth: 0 | |
- name: VerifyAuthor | |
run: | | |
EXPECTED_AUTHOR="[email protected]" | |
AUTHOR=$(git show -s --format='%ae' HEAD) | |
if [[ $AUTHOR != $EXPECTED_AUTHOR ]]; then | |
echo "ERROR: Expected author email to be '$EXPECTED_AUTHOR', but got '$AUTHOR'. Aborting release." | |
exit 1 | |
else | |
echo "Verified author email ($AUTHOR) is as expected ($EXPECTED_AUTHOR)" | |
fi | |
Release: | |
needs: VerifyCommit | |
runs-on: ubuntu-latest | |
environment: release | |
permissions: | |
id-token: write | |
contents: write | |
env: | |
CODEARTIFACT_REGION: "us-west-2" | |
CODEARTIFACT_DOMAIN: ${{ secrets.CODEARTIFACT_DOMAIN }} | |
CODEARTIFACT_ACCOUNT_ID: ${{ secrets.CODEARTIFACT_ACCOUNT_ID }} | |
CODEARTIFACT_REPOSITORY: ${{ secrets.CODEARTIFACT_REPOSITORY }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
ref: release | |
fetch-depth: 0 | |
token: ${{ secrets.CI_TOKEN }} | |
- name: Set up Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: '3.9' | |
- name: ConfigureGit | |
run: | | |
git config --local user.email "[email protected]" | |
git config --local user.name "client-software-ci" | |
- name: MergePushRelease | |
run: | | |
git merge --ff-only origin/mainline -v | |
git push origin release | |
- name: PrepRelease | |
id: prep-release | |
run: | | |
COMMIT_TITLE=$(git show -s --format='%s' HEAD) | |
NEXT_SEMVER=$(python -c 'import sys, re; print(re.match(r"chore\(release\): ([0-9]+\.[0-9]+\.[0-9]+).*", sys.argv[1]).group(1))' "$COMMIT_TITLE") | |
# The format of the tag must match the pattern in pyproject.toml -> tool.semantic_release.tag_format | |
TAG="$NEXT_SEMVER" | |
git tag -a $TAG -m "Release $TAG" | |
echo "TAG=$TAG" >> $GITHUB_ENV | |
echo "NEXT_SEMVER=$NEXT_SEMVER" >> $GITHUB_ENV | |
{ | |
echo 'RELEASE_NOTES<<EOF' | |
python .github/scripts/get_latest_changelog.py | |
echo EOF | |
} >> $GITHUB_ENV | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-to-assume: ${{ secrets.AWS_CODEARTIFACT_ROLE }} | |
aws-region: us-west-2 | |
mask-aws-account-id: true | |
# Tag must be made before building so the generated _version.py files have the correct version | |
- name: Build | |
run: | | |
export CODEARTIFACT_AUTH_TOKEN=$(aws codeartifact get-authorization-token --domain ${{ secrets.CODEARTIFACT_DOMAIN }} --domain-owner ${{ secrets.CODEARTIFACT_ACCOUNT_ID }} --query authorizationToken --output text --region us-west-2) | |
pip install --upgrade hatch | |
hatch build | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-to-assume: ${{ secrets.AWS_PGP_KEY_SECRET_ROLE }} | |
aws-region: us-west-2 | |
mask-aws-account-id: true | |
- name: Import PGP Key | |
run: | | |
export SECRET_STRING="$(aws secretsmanager get-secret-value --secret-id ${{ secrets.AWS_PGP_KEY_SECRET }} --query 'SecretString')" | |
printenv SECRET_STRING | jq -r '. | fromjson | .PrivateKey' | gpg --batch --pinentry-mode loopback --import --armor | |
PGP_KEY_PASSPHRASE=$(printenv SECRET_STRING | jq -r '. | fromjson | .Passphrase') | |
echo "::add-mask::$PGP_KEY_PASSPHRASE" | |
echo "PGP_KEY_PASSPHRASE=$PGP_KEY_PASSPHRASE" >> $GITHUB_ENV | |
- name: Sign | |
run: | | |
for file in dist/*; do | |
printenv PGP_KEY_PASSPHRASE | gpg --batch --pinentry-mode loopback --local-user "Open Job Description" --passphrase-fd 0 --output $file.sig --detach-sign $file | |
echo "Created signature file for $file" | |
done | |
- name: PushRelease | |
env: | |
GH_TOKEN: ${{ secrets.CI_TOKEN }} | |
run: | | |
git push origin $TAG | |
gh release create $TAG dist/* --notes "$RELEASE_NOTES" | |
PublishToRepository: | |
needs: Release | |
runs-on: ubuntu-latest | |
environment: release | |
permissions: | |
id-token: write | |
contents: read | |
env: | |
CODEARTIFACT_REGION: "us-west-2" | |
CODEARTIFACT_DOMAIN: ${{ secrets.CODEARTIFACT_DOMAIN }} | |
CODEARTIFACT_ACCOUNT_ID: ${{ secrets.CODEARTIFACT_ACCOUNT_ID }} | |
CODEARTIFACT_REPOSITORY: ${{ secrets.CODEARTIFACT_REPOSITORY }} | |
CUSTOMER_DOMAIN: ${{ secrets.CUSTOMER_DOMAIN }} | |
CUSTOMER_REPOSITORY: ${{ secrets.CUSTOMER_REPOSITORY }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
ref: release | |
fetch-depth: 0 | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-to-assume: ${{ secrets.AWS_CODEARTIFACT_ROLE }} | |
aws-region: us-west-2 | |
mask-aws-account-id: true | |
- name: Set up Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: '3.9' | |
- name: Install dependencies | |
run: | | |
CODEARTIFACT_AUTH_TOKEN=$(aws codeartifact get-authorization-token --domain ${{ secrets.CODEARTIFACT_DOMAIN }} --domain-owner ${{ secrets.CODEARTIFACT_ACCOUNT_ID }} --query authorizationToken --output text --region us-west-2) | |
echo "::add-mask::$CODEARTIFACT_AUTH_TOKEN" | |
echo CODEARTIFACT_AUTH_TOKEN=$CODEARTIFACT_AUTH_TOKEN >> $GITHUB_ENV | |
pip install --upgrade hatch | |
pip install --upgrade twine | |
- name: Build | |
run: hatch build | |
- name: Publish to Repository | |
run: | | |
export TWINE_USERNAME=aws | |
export TWINE_PASSWORD=`aws codeartifact get-authorization-token --domain ${{ secrets.CODEARTIFACT_DOMAIN }} --domain-owner ${{ secrets.CODEARTIFACT_ACCOUNT_ID }} --query authorizationToken --output text` | |
export TWINE_REPOSITORY_URL=`aws codeartifact get-repository-endpoint --domain ${{ secrets.CODEARTIFACT_DOMAIN }} --domain-owner ${{ secrets.CODEARTIFACT_ACCOUNT_ID }} --repository ${{ secrets.CODEARTIFACT_REPOSITORY }} --format pypi --query repositoryEndpoint --output text` | |
twine upload dist/* | |
- name: Publish to Customer Repository | |
run: | | |
export TWINE_USERNAME=aws | |
export TWINE_PASSWORD=`aws codeartifact get-authorization-token --domain ${{ secrets.CUSTOMER_DOMAIN }} --domain-owner ${{ secrets.CODEARTIFACT_ACCOUNT_ID }} --query authorizationToken --output text` | |
export TWINE_REPOSITORY_URL=`aws codeartifact get-repository-endpoint --domain ${{ secrets.CUSTOMER_DOMAIN }} --domain-owner ${{ secrets.CODEARTIFACT_ACCOUNT_ID }} --repository ${{ secrets.CUSTOMER_REPOSITORY }} --format pypi --query repositoryEndpoint --output text` | |
twine upload dist/* | |
# TODO: Uncomment this block to publish to PyPI once this package is public | |
# # See https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-pypi | |
# - name: Publish to PyPI | |
# uses: pypa/gh-action-pypi-publish@release/v1 | |
PublishToInternal: | |
needs: Release | |
runs-on: ubuntu-latest | |
environment: release | |
permissions: | |
id-token: write | |
steps: | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-to-assume: ${{ secrets.AWS_CODEBUILD_RELEASE_PUBLISH_ROLE }} | |
aws-region: us-west-2 | |
mask-aws-account-id: true | |
- name: Run CodeBuild | |
uses: aws-actions/aws-codebuild-run-build@v1 | |
with: | |
project-name: ${{ github.event.repository.name }}-Publish | |
hide-cloudwatch-logs: true |