Skip to content

Commit

Permalink
ci: add reusable workflows
Browse files Browse the repository at this point in the history 
Signed-off-by: Charles Moore <[email protected]>
  • Loading branch information
@moorec-aws
moorec-aws committed Apr 22, 2024
1 parent 7988c35 commit c556e61
Show file tree
Hide file tree
Showing 5 changed files with 25 additions and 325 deletions.
15 changes: 10 additions & 5 deletions .github/workflows/code_quality.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,8 +10,13 @@ on:
type: string

jobs:
TestPython:
name: Code Quality
uses: ./.github/workflows/reuse_python_build.yml
secrets: inherit

Test:
name: Python
strategy:
matrix:
os: [ubuntu-latest, windows-latest, macos-latest]
python-version: ['3.8', '3.9', '3.10', '3.11']
uses: aws-deadline/.github/.github/workflows/reusable_python_build.yml@mainline
with:
os: ${{ matrix.os }}
python-version: ${{ matrix.python-version }}
27 changes: 6 additions & 21 deletions .github/workflows/mainline_integration_test.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,27 +6,12 @@ on:
jobs:
MainlineIntegrationTest:
name: Integration Test
runs-on: ubuntu-latest
environment: mainline
permissions:
id-token: write
contents: read
steps:
- uses: actions/checkout@v4
with:
ref: mainline
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.AWS_CODEBUILD_MAINLINE_INTEG_ROLE }}
aws-region: us-west-2
mask-aws-account-id: true
- name: Run CodeBuild
uses: aws-actions/aws-codebuild-run-build@v1
with:
project-name: deadline-cloud-mainline-IntegTest
hide-cloudwatch-logs: true
env-vars-for-codebuild: |
TEST_TYPE
env:
TEST_TYPE: WHEEL
uses: aws-deadline/.github/.github/workflows/reusable_integration_test.yml@mainline
secrets: inherit
with:
repository: ${{ github.event.repository.name }}
branch: mainline
environment: mainline
70 changes: 5 additions & 65 deletions .github/workflows/release_bump.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,71 +22,11 @@ jobs:
uses: ./.github/workflows/code_quality.yml
with:
branch: mainline
secrets: inherit

Bump:
name: Version Bump
needs: UnitTests
runs-on: ubuntu-latest
environment: release
permissions:
contents: write
pull-requests: write
steps:
- name: Checkout
uses: actions/checkout@v4
with:
ref: mainline
fetch-depth: 0
token: ${{ secrets.CI_TOKEN }}

- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.9'

- name: ConfigureGit
run: |
git config --local user.email "[email protected]"
git config --local user.name "client-software-ci"
- name: Bump
run: |
BUMP_ARGS=""
if [[ "${{ inputs.force_version_bump }}" != "" ]]; then
BUMP_ARGS="$BUMP_ARGS --${{ inputs.force_version_bump }}"
fi
# Backup actual changelog to preserve its contents
touch CHANGELOG.md
cp CHANGELOG.md CHANGELOG.bak.md
# Run semantic-release to generate new changelog
pip install --upgrade hatch
hatch env create release
hatch run release:deps
NEXT_SEMVER=$(hatch run release:bump $BUMP_ARGS)
# Grab the new version's changelog and prepend it to the original changelog contents
python .github/scripts/get_latest_changelog.py > NEW_LOG.md
cat NEW_LOG.md CHANGELOG.bak.md > CHANGELOG.md
rm NEW_LOG.md
git checkout -b bump/$NEXT_SEMVER
git add CHANGELOG.md
git commit -sm "chore(release): $NEXT_SEMVER"
echo "NEXT_SEMVER=$NEXT_SEMVER" >> $GITHUB_ENV
{
echo 'RELEASE_NOTES<<EOF'
python .github/scripts/get_latest_changelog.py
echo EOF
} >> $GITHUB_ENV
- name: PushPR
env:
GH_TOKEN: ${{ secrets.CI_TOKEN }}
run: |
git push -u origin bump/$NEXT_SEMVER
# Needs "Allow GitHub Actions to create and approve pull requests" under Settings > Actions
gh pr create --base mainline --title "chore(release): $NEXT_SEMVER" --body "$RELEASE_NOTES"
uses: aws-deadline/.github/.github/workflows/reusable_bump.yml@mainline
secrets: inherit
with:
force_version_bump: ${{ inputs.force_version_bump }}
187 changes: 4 additions & 183 deletions .github/workflows/release_publish.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,189 +12,10 @@ concurrency:
group: release

jobs:
VerifyCommit:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@v4
with:
ref: ${{ github.ref }}
fetch-depth: 0

- name: VerifyAuthor
run: |
EXPECTED_AUTHOR="[email protected]"
AUTHOR=$(git show -s --format='%ae' HEAD)
if [[ $AUTHOR != $EXPECTED_AUTHOR ]]; then
echo "ERROR: Expected author email to be '$EXPECTED_AUTHOR', but got '$AUTHOR'. Aborting release."
exit 1
else
echo "Verified author email ($AUTHOR) is as expected ($EXPECTED_AUTHOR)"
fi
Release:
needs: VerifyCommit
runs-on: ubuntu-latest
environment: release
permissions:
id-token: write
contents: write
steps:
- name: Checkout
uses: actions/checkout@v4
with:
ref: release
fetch-depth: 0
token: ${{ secrets.CI_TOKEN }}

- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.9'

- name: ConfigureGit
run: |
git config --local user.email "[email protected]"
git config --local user.name "client-software-ci"
- name: MergePushRelease
run: |
git merge --ff-only origin/mainline -v
git push origin release
- name: PrepRelease
id: prep-release
run: |
COMMIT_TITLE=$(git show -s --format='%s' HEAD)
NEXT_SEMVER=$(python -c 'import sys, re; print(re.match(r"chore\(release\): ([0-9]+\.[0-9]+\.[0-9]+).*", sys.argv[1]).group(1))' "$COMMIT_TITLE")
# The format of the tag must match the pattern in pyproject.toml -> tool.semantic_release.tag_format
TAG="$NEXT_SEMVER"
git tag -a $TAG -m "Release $TAG"
echo "TAG=$TAG" >> $GITHUB_ENV
echo "NEXT_SEMVER=$NEXT_SEMVER" >> $GITHUB_ENV
{
echo 'RELEASE_NOTES<<EOF'
python .github/scripts/get_latest_changelog.py
echo EOF
} >> $GITHUB_ENV
# Tag must be made before building so the generated _version.py files have the correct version
- name: Build
run: |
pip install --upgrade hatch
hatch -v build
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.AWS_PGP_KEY_SECRET_ROLE }}
aws-region: us-west-2
mask-aws-account-id: true

- name: Import PGP Key
run: |
export SECRET_STRING="$(aws secretsmanager get-secret-value --secret-id ${{ secrets.AWS_PGP_KEY_SECRET }} --query 'SecretString')"
printenv SECRET_STRING | jq -r '. | fromjson | .PrivateKey' | gpg --batch --pinentry-mode loopback --import --armor
PGP_KEY_PASSPHRASE=$(printenv SECRET_STRING | jq -r '. | fromjson | .Passphrase')
echo "::add-mask::$PGP_KEY_PASSPHRASE"
echo "PGP_KEY_PASSPHRASE=$PGP_KEY_PASSPHRASE" >> $GITHUB_ENV
- name: Sign
run: |
for file in dist/*; do
printenv PGP_KEY_PASSPHRASE | gpg --batch --pinentry-mode loopback --local-user "AWS Deadline Cloud" --passphrase-fd 0 --output $file.sig --detach-sign $file
echo "Created signature file for $file"
done
- name: PushRelease
env:
GH_TOKEN: ${{ secrets.CI_TOKEN }}
run: |
git push origin $TAG
gh release create $TAG dist/* --notes "$RELEASE_NOTES"
PublishToInternal:
needs: Release
runs-on: ubuntu-latest
environment: release
permissions:
id-token: write
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.AWS_CODEBUILD_RELEASE_PUBLISH_ROLE }}
aws-region: us-west-2
mask-aws-account-id: true

- name: Run CodeBuild
uses: aws-actions/aws-codebuild-run-build@v1
with:
project-name: ${{ github.event.repository.name }}-release-Publish
hide-cloudwatch-logs: true

PublishToRepository:
needs: Release
runs-on: ubuntu-latest
environment: release
Publish:
name: Publish Release
permissions:
id-token: write
contents: read
env:
CODEARTIFACT_REGION: "us-west-2"
CODEARTIFACT_DOMAIN: ${{ secrets.CODEARTIFACT_DOMAIN }}
CODEARTIFACT_ACCOUNT_ID: ${{ secrets.CODEARTIFACT_ACCOUNT_ID }}
CODEARTIFACT_REPOSITORY: ${{ secrets.CODEARTIFACT_REPOSITORY }}
CUSTOMER_DOMAIN: ${{ secrets.CUSTOMER_DOMAIN }}
CUSTOMER_REPOSITORY: ${{ secrets.CUSTOMER_REPOSITORY }}
steps:
- name: Checkout
uses: actions/checkout@v4
with:
ref: release
fetch-depth: 0

- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.AWS_CODEARTIFACT_ROLE }}
aws-region: us-west-2
mask-aws-account-id: true

- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.9'

- name: Install dependencies
run: |
pip install --upgrade hatch
pip install --upgrade twine
- name: Build
run: hatch -v build

- name: Publish to Repository
run: |
export TWINE_USERNAME=aws
export TWINE_PASSWORD=`aws codeartifact get-authorization-token --domain ${{ secrets.CODEARTIFACT_DOMAIN }} --domain-owner ${{ secrets.CODEARTIFACT_ACCOUNT_ID }} --query authorizationToken --output text`
export TWINE_REPOSITORY_URL=`aws codeartifact get-repository-endpoint --domain ${{ secrets.CODEARTIFACT_DOMAIN }} --domain-owner ${{ secrets.CODEARTIFACT_ACCOUNT_ID }} --repository ${{ secrets.CODEARTIFACT_REPOSITORY }} --format pypi --query repositoryEndpoint --output text`
twine upload dist/*
- name: Publish to Customer Repository
run: |
export TWINE_USERNAME=aws
export TWINE_PASSWORD=`aws codeartifact get-authorization-token --domain ${{ secrets.CUSTOMER_DOMAIN }} --domain-owner ${{ secrets.CODEARTIFACT_ACCOUNT_ID }} --query authorizationToken --output text`
export TWINE_REPOSITORY_URL=`aws codeartifact get-repository-endpoint --domain ${{ secrets.CUSTOMER_DOMAIN }} --domain-owner ${{ secrets.CODEARTIFACT_ACCOUNT_ID }} --repository ${{ secrets.CUSTOMER_REPOSITORY }} --format pypi --query repositoryEndpoint --output text`
twine upload dist/*
# # See https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-pypi
- name: Publish to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
uses: aws-deadline/.github/.github/workflows/reusable_publish.yml@mainline
secrets: inherit
51 changes: 0 additions & 51 deletions .github/workflows/reuse_python_build.yml
View file

This file was deleted.

0 comments on commit c556e61

Please sign in to comment.