From 5cd26d9ce9a9dee8958df35a10ed72dd69e20230 Mon Sep 17 00:00:00 2001
From: Raphael Silva <rapphil@gmail.com>
Date: Wed, 17 Jul 2024 16:20:53 +0000
Subject: [PATCH] Add release workflow for this project

Signed-off-by: Raphael Silva <rapphil@gmail.com>
---
 .github/scripts/integ-tests.sh               |  25 +++++
 .github/workflows/CI.yaml                    |  83 +++++++++++++++
 .github/workflows/{CD.yaml => pr-build.yaml} |   2 +-
 .github/workflows/release.yaml               | 100 +++++++++++++++++++
 RELEASING.md                                 |   9 ++
 VERSION                                      |   1 +
 6 files changed, 219 insertions(+), 1 deletion(-)
 create mode 100755 .github/scripts/integ-tests.sh
 create mode 100644 .github/workflows/CI.yaml
 rename .github/workflows/{CD.yaml => pr-build.yaml} (96%)
 create mode 100644 .github/workflows/release.yaml
 create mode 100644 RELEASING.md
 create mode 100644 VERSION

diff --git a/.github/scripts/integ-tests.sh b/.github/scripts/integ-tests.sh
new file mode 100755
index 0000000..fc0529e
--- /dev/null
+++ b/.github/scripts/integ-tests.sh
@@ -0,0 +1,25 @@
+#!/bin/sh 
+
+IMAGE=$1
+CONTAINER_NAME="integ-test-$(date +%s)"
+
+docker run -dt -p 8080:8080 \
+  -e AWS_ACCESS_KEY_ID \
+  -e AWS_SECRET_ACCESS_KEY \
+  -e AWS_SESSION_TOKEN \
+  -e AWS_REGION=us-east-1 \
+  --name $CONTAINER_NAME \
+  $IMAGE
+
+curl -s -H 'host: s3.amazonaws.com' http://localhost:8080 | grep ListAllMyBucketsResult
+result=$?
+
+docker stop $CONTAINER_NAME
+docker rm $CONTAINER_NAME
+
+if [ "$result" == "1" ]; then
+  echo "Integration tests failed"
+  exit 1
+fi
+
+exit 0
diff --git a/.github/workflows/CI.yaml b/.github/workflows/CI.yaml
new file mode 100644
index 0000000..dc139c7
--- /dev/null
+++ b/.github/workflows/CI.yaml
@@ -0,0 +1,83 @@
+name: Continuous integration
+on:
+  push:
+    branches:
+      - main
+      - "release/v*"
+env:
+    AWS_STAGING_REGION: us-west-2
+    STAGING_ECR_REGISTRY: 611364707713.dkr.ecr.us-west-2.amazonaws.com
+    STAGING_ECR_REPOSITORY: aws-sigv4-proxy-staging
+
+jobs:
+  build:
+    name: Build and publish to staging
+    runs-on: ubuntu-latest
+    outputs:
+      commit-short-sha: ${{ steps.staging-info.outputs.commit-short-sha }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ~1.22.4
+
+      - name: Build
+        run: |
+          go build -v ./cmd/aws-sigv4-proxy
+
+      - name: Run tests
+        run: go test -v ./...
+
+      - name: Configure AWS Credentials for Private ECR
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN_STAGING }}
+          aws-region: ${{ env.AWS_STAGING_REGION }}
+
+      - name: Log in to AWS private ECR
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.STAGING_ECR_REGISTRY }}
+
+      - name: Get short sha
+        id: staging-info
+        run: |
+            shortSha=$(git rev-parse --short ${{ github.sha }})
+            echo "commit-short-sha=$shortSha" >> $GITHUB_OUTPUT
+
+      - name: Build and push image to staging
+        uses: docker/build-push-action@v5
+        with:
+          file: Dockerfile
+          context: .
+          push: true
+          tags: |
+            ${{ env.STAGING_ECR_REGISTRY }}/${{ env.STAGING_ECR_REPOSITORY }}:${{ steps.staging-info.outputs.commit-short-sha }}
+          platforms : linux/amd64, linux/arm64
+
+  integration-tests:
+    name: Run integration tests on image from staging
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Configure AWS Credentials for Private ECR
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN_INTEG_TESTS }}
+          aws-region: ${{ env.AWS_STAGING_REGION }}
+
+      - name: Run integration tests
+        run: ./github/scripts/integ-tests.sh ${{ env.STAGING_ECR_REGISTRY }}/${{ env.STAGING_ECR_REPOSITORY }}:${{ needs.build.outputs.commit-short-sha }}
diff --git a/.github/workflows/CD.yaml b/.github/workflows/pr-build.yaml
similarity index 96%
rename from .github/workflows/CD.yaml
rename to .github/workflows/pr-build.yaml
index 2b7cf5b..5ea5585 100644
--- a/.github/workflows/CD.yaml
+++ b/.github/workflows/pr-build.yaml
@@ -1,4 +1,4 @@
-name: CD
+name: Build
 
 on: [push, pull_request]
 
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
new file mode 100644
index 0000000..69db5d2
--- /dev/null
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,100 @@
+
+name: Release aws-sigv4-proxy
+
+on:
+  workflow_dispatch:
+    inputs:
+      dryrunMode:
+        description: 'Run workflow in dry-run mode (nothing will be published)'
+        required: true
+        default: 'true'
+        type: choice
+        options:
+        - 'true'
+        - 'false'
+
+env:
+  AWS_PUBLIC_ECR_REGION: us-east-1
+  AWS_PRIVATE_ECR_REGION: us-west-2
+  PUBLIC_REGISTRY: public.ecr.aws
+  STAGING_REGISTRY: 611364707713.dkr.ecr.us-west-2.amazonaws.com
+  RELEASE_IMAGE_NAME: aws-sigv4-proxy
+  STAGING_IMAGE_NAME: aws-sigv4-proxy-staging
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Get version and sha
+        id: release-info
+        run: |
+          echo "release-version=$(cat VERSION)" >> $GITHUB_OUTPUT
+          shortSha=$(git rev-parse --short ${{ github.sha }})
+          echo "commit-short-sha=$shortSha" >> $GITHUB_OUTPUT
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN_RELEASE }}
+          aws-region: ${{ env.AWS_PUBLIC_ECR_REGION }}
+
+      - name: Log in to AWS ECR
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.PUBLIC_REGISTRY }}
+
+      - name: Configure AWS Credentials for Private ECR
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN_RELEASE }}
+          aws-region: ${{ env.AWS_PRIVATE_ECR_REGION }}
+
+      - name: Log in to AWS private ECR
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.STAGING_REGISTRY }}
+
+      - name: Push image to public ecr - dryrun
+        if: ${{ inputs.dryrunMode == 'true' }}
+        run: |
+          docker buildx imagetools create \
+            --tag ${{ env.PUBLIC_REGISTRY }}/${{ env.RELEASE_IMAGE_NAME }}:latest \
+            --tag ${{ env.PUBLIC_REGISTRY }}/${{ env.RELEASE_IMAGE_NAME }}:${{ steps.release-info.outputs.release-version }} \
+            --tag ${{ env.PUBLIC_REGISTRY }}/${{ env.RELEASE_IMAGE_NAME }}:${{ steps.release-info.outputs.commit-short-sha }} \
+            ${{ env.STAGING_REGISTRY }}/${{ env.STAGING_IMAGE_NAME }}:${{ steps.release-info.outputs.commit-short-sha }}
+            --dry-run
+
+      - name: Create release - dryrun
+        if: ${{ inputs.dryrunMode == 'true' }}
+        run: |
+          echo gh release create --target "$GITHUB_REF_NAME" \
+             --title "Release v${{ steps.release-info.outputs.release-version }}" \
+             --draft \
+             "v${{ steps.release-info.outputs.release-version }}" \
+
+      - name: Push image to public ecr
+        if: ${{ inputs.dryrunMode == 'false' }}
+        run: |
+          docker buildx imagetools create \
+            --tag ${{ env.PUBLIC_REGISTRY }}/${{ env.RELEASE_IMAGE_NAME }}:latest \
+            --tag ${{ env.PUBLIC_REGISTRY }}/${{ env.RELEASE_IMAGE_NAME }}:${{ steps.release-info.outputs.release-version }} \
+            --tag ${{ env.PUBLIC_REGISTRY }}/${{ env.RELEASE_IMAGE_NAME }}:${{ steps.release-info.outputs.commit-short-sha }} \
+            ${{ env.STAGING_REGISTRY }}/${{ env.STAGING_IMAGE_NAME }}:${{ steps.release-info.outputs.commit-short-sha }}
+
+      - name: Create release
+        if: ${{ inputs.dryrunMode == 'false'}}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
+        run: |
+          gh release create --target "$GITHUB_REF_NAME" \
+             --title "Release v${{ steps.release-info.outputs.release-version }}" \
+             --draft \
+             "v${{ steps.release-info.outputs.release-version }}" \
diff --git a/RELEASING.md b/RELEASING.md
new file mode 100644
index 0000000..38f080a
--- /dev/null
+++ b/RELEASING.md
@@ -0,0 +1,9 @@
+# Instructions to release a new version
+
+To release a new version of the aws-sigv4-proxy, please follow these steps:
+
+1. Create a release branch for this minor version series, if one does not exist yet. The convention is to name this branch: `release/v<release series>` where release series has the format `<major version>.<minor version>.x`. Example of branch `release/v1.8.x`
+2. From the release branch, update the content of the `VERSION` file in the root of this repository. The convention is to ommit the patch version if that is in 0. Example of content: `1.8` or `1.8.1`. Merge the PR that updates the `VERSION` file. Confirm that the continuous integration workflow will succeed.
+3. Run the release workflow. Go to the GitHub UI in this repository and select `Actions`. Then select the `Release aws-sigv4-proxy` workflow. Select the release branch. You can optionally test with dry-run mode before releasing.
+4. After the release is completed. Update the release notes for this release.
+5. Merge the changes from the release branch into mainline.
diff --git a/VERSION b/VERSION
new file mode 100644
index 0000000..6259340
--- /dev/null
+++ b/VERSION
@@ -0,0 +1 @@
+1.8