Skip to content

Commit

Permalink
ci: add reusable workflows
Browse files Browse the repository at this point in the history
Signed-off-by: Charles Moore <[email protected]>
  • Loading branch information
moorec-aws committed Apr 22, 2024
1 parent 30e6386 commit c3d6079
Show file tree
Hide file tree
Showing 4 changed files with 22 additions and 228 deletions.
15 changes: 10 additions & 5 deletions .github/workflows/code_quality.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,8 +10,13 @@ on:
type: string

jobs:
TestPython:
name: Code Quality
uses: ./.github/workflows/reuse_python_build.yml
secrets: inherit

Test:
name: Python
strategy:
matrix:
os: [ubuntu-latest, windows-latest, macos-latest]
python-version: ['3.9', '3.10', '3.11']
uses: OpenJobDescription/.github/.github/workflows/reusable_python_build.yml@mainline
with:
os: ${{ matrix.os }}
python-version: ${{ matrix.python-version }}
70 changes: 5 additions & 65 deletions .github/workflows/release_bump.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,71 +22,11 @@ jobs:
uses: ./.github/workflows/code_quality.yml
with:
branch: mainline
secrets: inherit

Bump:
name: Version Bump
needs: UnitTests
runs-on: ubuntu-latest
environment: release
permissions:
contents: write
pull-requests: write
steps:
- name: Checkout
uses: actions/checkout@v4
with:
ref: mainline
fetch-depth: 0
token: ${{ secrets.CI_TOKEN }}

- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.9'

- name: ConfigureGit
run: |
git config --local user.email "[email protected]"
git config --local user.name "client-software-ci"
- name: Bump
run: |
BUMP_ARGS=""
if [[ "${{ inputs.force_version_bump }}" != "" ]]; then
BUMP_ARGS="$BUMP_ARGS --${{ inputs.force_version_bump }}"
fi
# Backup actual changelog to preserve its contents
touch CHANGELOG.md
cp CHANGELOG.md CHANGELOG.bak.md
# Run semantic-release to generate new changelog
pip install --upgrade hatch
hatch env create release
hatch run release:deps
NEXT_SEMVER=$(hatch run release:bump $BUMP_ARGS)
# Grab the new version's changelog and prepend it to the original changelog contents
python .github/scripts/get_latest_changelog.py > NEW_LOG.md
cat NEW_LOG.md CHANGELOG.bak.md > CHANGELOG.md
rm NEW_LOG.md
git checkout -b bump/$NEXT_SEMVER
git add CHANGELOG.md
git commit -sm "chore(release): $NEXT_SEMVER"
echo "NEXT_SEMVER=$NEXT_SEMVER" >> $GITHUB_ENV
{
echo 'RELEASE_NOTES<<EOF'
python .github/scripts/get_latest_changelog.py
echo EOF
} >> $GITHUB_ENV
- name: PushPR
env:
GH_TOKEN: ${{ secrets.CI_TOKEN }}
run: |
git push -u origin bump/$NEXT_SEMVER
# Needs "Allow GitHub Actions to create and approve pull requests" under Settings > Actions
gh pr create --base mainline --title "chore(release): $NEXT_SEMVER" --body "$RELEASE_NOTES"
uses: OpenJobDescription/.github/.github/workflows/reusable_bump.yml@mainline
secrets: inherit
with:
force_version_bump: ${{ inputs.force_version_bump }}
118 changes: 7 additions & 111 deletions .github/workflows/release_publish.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,120 +12,12 @@ concurrency:
group: release

jobs:
VerifyCommit:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@v4
with:
ref: ${{ github.ref }}
fetch-depth: 0

- name: VerifyAuthor
run: |
EXPECTED_AUTHOR="[email protected]"
AUTHOR=$(git show -s --format='%ae' HEAD)
if [[ $AUTHOR != $EXPECTED_AUTHOR ]]; then
echo "ERROR: Expected author email to be '$EXPECTED_AUTHOR', but got '$AUTHOR'. Aborting release."
exit 1
else
echo "Verified author email ($AUTHOR) is as expected ($EXPECTED_AUTHOR)"
fi
Release:
needs: VerifyCommit
runs-on: ubuntu-latest
environment: release
permissions:
id-token: write
contents: write
steps:
- name: Checkout
uses: actions/checkout@v4
with:
ref: release
fetch-depth: 0
token: ${{ secrets.CI_TOKEN }}

- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.9'

- name: ConfigureGit
run: |
git config --local user.email "[email protected]"
git config --local user.name "client-software-ci"
- name: MergePushRelease
run: |
git merge --ff-only origin/mainline -v
git push origin release
- name: PrepRelease
id: prep-release
run: |
COMMIT_TITLE=$(git show -s --format='%s' HEAD)
NEXT_SEMVER=$(python -c 'import sys, re; print(re.match(r"chore\(release\): ([0-9]+\.[0-9]+\.[0-9]+).*", sys.argv[1]).group(1))' "$COMMIT_TITLE")
# The format of the tag must match the pattern in pyproject.toml -> tool.semantic_release.tag_format
TAG="$NEXT_SEMVER"
git tag -a $TAG -m "Release $TAG"
echo "TAG=$TAG" >> $GITHUB_ENV
echo "NEXT_SEMVER=$NEXT_SEMVER" >> $GITHUB_ENV
{
echo 'RELEASE_NOTES<<EOF'
python .github/scripts/get_latest_changelog.py
echo EOF
} >> $GITHUB_ENV
# Tag must be made before building so the generated _version.py files have the correct version
- name: Build
run: |
pip install --upgrade hatch
hatch build
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.AWS_PGP_KEY_SECRET_ROLE }}
aws-region: us-west-2
mask-aws-account-id: true

- name: Import PGP Key
run: |
export SECRET_STRING="$(aws secretsmanager get-secret-value --secret-id ${{ secrets.AWS_PGP_KEY_SECRET }} --query 'SecretString')"
printenv SECRET_STRING | jq -r '. | fromjson | .PrivateKey' | gpg --batch --pinentry-mode loopback --import --armor
PGP_KEY_PASSPHRASE=$(printenv SECRET_STRING | jq -r '. | fromjson | .Passphrase')
echo "::add-mask::$PGP_KEY_PASSPHRASE"
echo "PGP_KEY_PASSPHRASE=$PGP_KEY_PASSPHRASE" >> $GITHUB_ENV
- name: Sign
run: |
for file in dist/*; do
printenv PGP_KEY_PASSPHRASE | gpg --batch --pinentry-mode loopback --local-user "Open Job Description" --passphrase-fd 0 --output $file.sig --detach-sign $file
echo "Created signature file for $file"
done
- name: PushRelease
env:
GH_TOKEN: ${{ secrets.CI_TOKEN }}
run: |
git push origin $TAG
gh release create $TAG dist/* --notes "$RELEASE_NOTES"
PublishToRepository:
needs: Release
runs-on: ubuntu-latest
environment: release
Publish:
name: Publish Release
permissions:
id-token: write
contents: read
<<<<<<< Updated upstream
env:
CODEARTIFACT_REGION: "us-west-2"
CODEARTIFACT_DOMAIN: ${{ secrets.CODEARTIFACT_DOMAIN }}
Expand Down Expand Up @@ -197,3 +89,7 @@ jobs:
with:
project-name: ${{ github.event.repository.name }}-release-Publish
hide-cloudwatch-logs: true
=======
uses: OpenJobDescription/.github/.github/workflows/reusable_publish.yml@mainline
secrets: inherit
>>>>>>> Stashed changes
47 changes: 0 additions & 47 deletions .github/workflows/reuse_python_build.yml

This file was deleted.

0 comments on commit c3d6079

Please sign in to comment.