Build publish lambda layer #57
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Copyright (c) 2023 SolarWinds, LLC. | |
# All rights reserved. | |
name: Build publish lambda layer | |
on: | |
workflow_dispatch: | |
inputs: | |
solarwinds-source: | |
required: true | |
description: 'solarwinds_apm source for build layers, e.g. RubyGem, Local' | |
type: choice | |
default: 'RubyGem' | |
options: | |
- RubyGem | |
- Local | |
publish-dest: | |
required: true | |
description: 'Publish destination, one of: staging, production' | |
type: choice | |
default: 'staging' | |
options: | |
- staging | |
- production | |
permissions: | |
id-token: write # This is required for requesting the JWT | |
contents: read # This is required for actions/checkout | |
jobs: | |
# build layer on arm64 and amd64, then upload to artifacts | |
# act -j build_layer --container-architecture linux/arm64 | |
build_layer: | |
strategy: | |
matrix: | |
arch: | |
- x86_64 | |
- arm64 | |
runs-on: ${{ matrix.arch == 'arm64' && fromJSON('{"group":"apm-arm-runner"}') || 'ubuntu-latest' }} | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Build ruby lambda layer | |
run: | | |
uname -a | |
./build.sh | |
shell: bash | |
working-directory: lambda/ | |
env: | |
GITHUB_RUBY_TOKEN: ${{ secrets.PACKAGE_GITHUB_TOKEN }} | |
MATRIX_ARCH: ${{ matrix.arch }} | |
SOLARWINDS_SOURCE: ${{ github.event.inputs.solarwinds-source }} | |
- name: Show directory contents | |
run: | | |
ls -al | |
working-directory: lambda/ | |
- name: Upload to artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: ruby-layer-${{ matrix.arch }}.zip | |
path: lambda/build/ruby-layer-${{ matrix.arch }}.zip | |
# extract the built layer from artifacts, then scan it with reverselab | |
reverselab_scan_layer: | |
needs: | |
- build_layer | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
arch: | |
- x86_64 | |
- arm64 | |
steps: | |
- uses: actions/checkout@v4 | |
- name: extract layer zip from artifacts | |
uses: actions/download-artifact@v4 | |
with: | |
name: ruby-layer-${{ matrix.arch }}.zip | |
path: lambda | |
- name: extract current solarwinds_apm version | |
run: | | |
APM_VERSION=$(grep "gem 'solarwinds_apm'" lambda/otel/layer/Gemfile | awk -F"'" '{print $4}') | |
echo "SOLARWINDS_APM_VERSION=$APM_VERSION" >> $GITHUB_ENV | |
- name: Scan build artifact on the Portal ${{ matrix.arch }} | |
id: rl-scan | |
env: | |
RLPORTAL_ACCESS_TOKEN: ${{ secrets.REVERSE_LAB_TOKEN }} | |
uses: reversinglabs/gh-action-rl-scanner-cloud-only@v1 | |
with: | |
artifact-to-scan: ./lambda/ruby-layer-${{ matrix.arch }}.zip | |
rl-verbose: true | |
rl-portal-server: solarwinds | |
rl-portal-org: SolarWinds | |
rl-portal-group: SaaS-Agents-SWO | |
rl-package-url: solarwinds-apm-ruby/apm-ruby-lambda-layer-${{ matrix.arch }}@${{ env.SOLARWINDS_APM_VERSION }} | |
- name: report the scan status | |
if: success() || failure() | |
run: | | |
echo "The status is: '${{ steps.rl-scan.outputs.status }}'" | |
echo "The description is: '${{ steps.rl-scan.outputs.description }}'" | |
# extract the built layer from artifacts, then publish it based on region | |
publish_layer: | |
needs: | |
- build_layer | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
aws_region: | |
- ap-northeast-1 | |
- ap-northeast-2 | |
- ap-south-1 | |
- ap-southeast-1 | |
- ap-southeast-2 | |
- ca-central-1 | |
- eu-central-1 | |
- eu-north-1 | |
- eu-west-1 | |
- eu-west-2 | |
- eu-west-3 | |
- sa-east-1 | |
- us-east-1 | |
- us-east-2 | |
- us-west-1 | |
- us-west-2 | |
arch: | |
- x86_64 | |
- arm64 | |
steps: | |
- uses: actions/checkout@v4 | |
- name: configure AWS ${{ inputs.publish-dest }} credential | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-to-assume: ${{ inputs.publish-dest == 'production' && secrets.LAMBDA_PUBLISHER_ARN_PROD || inputs.publish-dest == 'staging' && secrets.LAMBDA_PUBLISHER_ARN_STAGING }} | |
aws-region: ${{ matrix.aws_region }} | |
- name: extract layer zip from artifacts | |
uses: actions/download-artifact@v4 | |
with: | |
name: ruby-layer-${{ matrix.arch }}.zip | |
path: lambda | |
- name: extract current solarwinds_apm version | |
run: | | |
APM_VERSION=$(grep "gem 'solarwinds_apm'" lambda/otel/layer/Gemfile | awk -F"'" '{print $4}') | |
APM_VERSION="${APM_VERSION//./_}" | |
echo "SOLARWINDS_APM_VERSION=$APM_VERSION" >> $GITHUB_ENV | |
- name: publish lambda layer | |
run: | | |
cd lambda/ | |
aws lambda publish-layer-version \ | |
--layer-name solarwinds-apm-ruby-${{ matrix.arch }}-${{ env.SOLARWINDS_APM_VERSION }} \ | |
--license-info "Apache 2.0" \ | |
--compatible-architectures ${{ matrix.arch }} \ | |
--compatible-runtimes ruby3.2 ruby3.3 \ | |
--zip-file fileb://ruby-layer-${{ matrix.arch }}.zip \ | |
--query 'LayerVersionArn' \ | |
--compatible-architectures ${{ matrix.arch }} \ | |
--output text | |
- name: grant permissions to public for the published layer | |
run: | | |
layer_name=solarwinds-apm-ruby-${{ matrix.arch }}-${{ env.SOLARWINDS_APM_VERSION }} | |
latest_version=$(aws lambda list-layer-versions --layer-name $layer_name | jq -r '.LayerVersions | max_by(.Version) | .Version') | |
aws lambda add-layer-version-permission \ | |
--layer-name $layer_name \ | |
--statement-id apm-ruby-add-permission \ | |
--action lambda:GetLayerVersion \ | |
--principal '*' \ | |
--version-number $latest_version \ | |
--output text |