chore(layers): add release pipeline in GitHub Actions #1278
…ertools-python into chore/layer-release
quick initial review on the Workflow with some tips
quick typos and branding
some comments and suggestions on the canary
This is so so so exciting. I can't believe we're finally at the stage we will have Layers with Extras, ARM, all commercial regions, except the special ones (yet), and more importantly tightly integrated with the release process now. Can't thank you enough!
Co-authored-by: Heitor Lessa <[email protected]>
Co-authored-by: Heitor Lessa <[email protected]>
…ertools-python into chore/layer-release
I have configured the GitHub OIDC connection to AWS accounts and added the secrets used for layer deployments.
looks awesome! loved how reusable workflow turned out, so clean! Made some questions as I think you accidentally left a workflow dependency which might fail in the first run.
The only thing missing is the ability to add custom builds for when we introduce additional layers like Extra deps, and when we optimize boto size after our E2E are done -- we can do that later as part of introducing them.
two final comments: workflow naming, and address a potential security vulnerability when downloading cdk.out
I can't believe it's finally here for the next release ;) In a separate PR, we should include a new section in the MAINTAINERS playbook to explain a bit more on Lambda Layers - how to check it worked, areas in the docs to update (until we have automation), etc.
* develop:
  fix: unzip the right artifact name
  fix: path to artefact
  fix: add entire ARN role instead of account and role name
  fix: no need to cache npm since we only install cdk cli and don't have .lock files
  fix: typo in input for layer workflow
  chore(layers): add release pipeline in GitHub Actions (aws-powertools#1278)
* chore: add layer project
* reduce to 1 region for dev
* chore: shorter name for the workflow
* fix ignore markdown lint for now
* fix: more f strings
* ignore mdlint
* add reusable workflow for both beta and prod
* Update layer/layer/canary/app.py
  Co-authored-by: Heitor Lessa <[email protected]>
* Update layer/layer/canary/app.py
  Co-authored-by: Heitor Lessa <[email protected]>
* readme review
* rephrase canary stack ssm parameter usage
* add default RELEASE_TAG_VERSION assignment based on the input (release or manual trigger)
* add reference to layer docs
* wording
* move version tracking arn to canary stack
* remove outdated npm caching, add release tag resolution for manual workflow trigger
* review: fix layer name and remove dependencies from reusable workflow
* remove debug statement, add default working dir
* pin versions and hashes for requirements with pip-compile
* rename reusable workflow
* pass artefact name to the reusable workflow to prevent potential future conflicts
Co-authored-by: Heitor Lessa <[email protected]>
Issue number: #1183
Summary
We have been using an internal pipeline to release public layers with powertools. Because of the initial design we could not ship public layers to all commercial regions. This PR introduces a CDK project and GitHub action workflow and we will integrate it into the release process in this repository. The goal is to deploy public layers after a release and update the documentation with the latest ARNs automatically.
Changes
The CDK project has two stacks, LayerStack and CanaryStack. We use CDK custom resource capability to run a canary function after the layer deployment so we can verify that the layer works. We also need to track layer ARNs, powertools and the available region, so we can put this information into our documentation. To achieve that, there is a dedicated version tracking application. After a successful deployment the canary function sends an event with all the details. This application is maintained separately. The only information we need is the event bus ARN to send the data.
To deploy into an AWS account we assume a role by using GitHub OIDC configuration. We store the target account and the role name as secrets (though the target account will be public after the public layer is released). The OIDC configuration for target accounts will be provided, no additional work is required in this project.
Open tasks
After merge
Checklist
If your change doesn't seem to apply, please leave them unchecked.
Acknowledgment
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
Disclaimer: We value your time and bandwidth. As such, any pull requests created on non-triaged issues might not be successful.
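The PR description above says the workflow assumes an AWS role through GitHub OIDC. As an added example (not code from this PR or the project), the following checks the trust policy of such a role for a missing audience pin and for `sub` conditions that are not scoped to the deploying repository. The repository name, account id, environment name and function names are assumptions made for illustration, and the sample policies are constructed.

```python
PROVIDER = "token.actions.githubusercontent.com"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_values(stmt, key):
    """Collect (operator, value) pairs for one condition key (keys are case-insensitive)."""
    pairs = []
    for operator, block in stmt.get("Condition", {}).items():
        for cond_key, values in block.items():
            if cond_key.lower() == key.lower():
                pairs += [(operator, v) for v in _as_list(values)]
    return pairs

def audit_trust_policy(policy, repo):
    """Return findings for Allow statements that trust the GitHub OIDC provider."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal")
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        trusted = any(str(a).endswith("oidc-provider/" + PROVIDER) for a in federated)
        if stmt.get("Effect") != "Allow" or not trusted:
            continue
        if ("StringEquals", "sts.amazonaws.com") not in _condition_values(stmt, PROVIDER + ":aud"):
            findings.append(f"statement {idx}: audience not pinned to sts.amazonaws.com")
        subs = _condition_values(stmt, PROVIDER + ":sub")
        if not subs:
            findings.append(f"statement {idx}: no sub condition, any repository is accepted")
        for operator, value in subs:
            if operator not in ("StringEquals", "StringLike"):
                findings.append(f"statement {idx}: review operator {operator} by hand")
            elif not value.startswith(f"repo:{repo}:"):
                findings.append(f"statement {idx}: sub '{value}' is not scoped to {repo}")
            elif value.split(":", 2)[2] == "*":
                findings.append(f"statement {idx}: sub '{value}' accepts every ref and event")
    return findings

def sample_policy(condition):  # constructed trust policy, placeholder account id
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": f"arn:aws:iam::111111111111:oidc-provider/{PROVIDER}"},
        "Condition": condition}]}
WEAK = sample_policy({"StringLike": {PROVIDER + ":sub": "repo:example-org/*"}})
SCOPED = sample_policy({"StringEquals": {
    PROVIDER + ":aud": "sts.amazonaws.com",
    PROVIDER + ":sub": "repo:example-org/example-repo:environment:layer-prod"}})
if __name__ == "__main__":
    for name, policy in (("WEAK", WEAK), ("SCOPED", SCOPED)):
        print(name, audit_trust_policy(policy, "example-org/example-repo") or "ok")
```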