Skip to content

Merge pull request #1074 from dbsystel/fix/1073-iam-policy #1161

Merge pull request #1074 from dbsystel/fix/1073-iam-policy

Merge pull request #1074 from dbsystel/fix/1073-iam-policy #1161

Workflow file for this run

# ~~ Generated by projen. To modify, edit .projenrc.js and run "npx projen".
name: release
on:
push:
branches:
- main
workflow_dispatch: {}
concurrency:
group: ${{ github.workflow }}
cancel-in-progress: false
jobs:
release:
needs: zipper
runs-on: ubuntu-latest
permissions:
contents: write
outputs:
latest_commit: ${{ steps.git_remote.outputs.latest_commit }}
tag_exists: ${{ steps.check_tag_exists.outputs.exists }}
env:
CI: "true"
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Download zipper artifacts
uses: actions/download-artifact@v4
with:
name: zipper
path: assets
- name: Set git identity
run: |-
git config user.name "github-actions"
git config user.email "[email protected]"
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: lts/*
- name: Install dependencies
run: yarn install --check-files --frozen-lockfile
- name: Upload coverage to Codecov
uses: codecov/codecov-action@v4
with:
flags: cdk
directory: coverage
- name: release
run: npx projen release
- name: Check if version has already been tagged
id: check_tag_exists
run: |-
TAG=$(cat dist/releasetag.txt)
([ ! -z "$TAG" ] && git ls-remote -q --exit-code --tags origin $TAG && (echo "exists=true" >> $GITHUB_OUTPUT)) || (echo "exists=false" >> $GITHUB_OUTPUT)
cat $GITHUB_OUTPUT
- name: Check for new commits
id: git_remote
run: |-
echo "latest_commit=$(git ls-remote origin -h ${{ github.ref }} | cut -f1)" >> $GITHUB_OUTPUT
cat $GITHUB_OUTPUT
- name: Backup artifact permissions
if: ${{ steps.git_remote.outputs.latest_commit == github.sha }}
run: cd dist && getfacl -R . > permissions-backup.acl
continue-on-error: true
- name: Upload artifact
if: ${{ steps.git_remote.outputs.latest_commit == github.sha }}
uses: actions/[email protected]
with:
name: build-artifact
path: dist
overwrite: true
container:
image: jsii/superchain:1-buster-slim-node16
gobuild:
name: gobuild
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- name: "Temporary workaround Checkout Issue #760 "
run: git config --global --add safe.directory /__w/cdk-sops-secrets/cdk-sops-secrets
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Fetch all tags
run: git fetch --force --tags
- name: Test
run: scripts/lambda-test.sh
- name: Upload coverage to Codecov
uses: codecov/codecov-action@v4
env:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
with:
files: ./coverage/coverage.out
flags: go-lambda
- name: Build
run: scripts/lambda-build.sh
- name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: gobuild
path: lambda/bootstrap
container:
image: golang:1.23-bullseye
zipper:
name: zipper
needs: gobuild
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- name: Prepare
run: apk add zip git
- name: Temporary workaround
run: git config --global --add safe.directory /__w/cdk-sops-secrets/cdk-sops-secrets
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Download gobuild artifacts
uses: actions/download-artifact@v4
with:
name: gobuild
path: lambda
- name: Zip
run: scripts/lambda-zip.sh
- name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: zipper
path: assets/cdk-sops-lambda.zip
container:
image: alpine:latest
release_github:
name: Publish to GitHub Releases
needs:
- release
- release_npm
- release_maven
- release_pypi
- release_nuget
runs-on: ubuntu-latest
permissions:
contents: write
if: needs.release.outputs.tag_exists != 'true' && needs.release.outputs.latest_commit == github.sha
steps:
- uses: actions/setup-node@v4
with:
node-version: lts/*
- name: Download build artifacts
uses: actions/download-artifact@v4
with:
name: build-artifact
path: dist
- name: Restore build artifact permissions
run: cd dist && setfacl --restore=permissions-backup.acl
continue-on-error: true
- name: Release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_REPOSITORY: ${{ github.repository }}
GITHUB_REF: ${{ github.sha }}
run: errout=$(mktemp); gh release create $(cat dist/releasetag.txt) -R $GITHUB_REPOSITORY -F dist/changelog.md -t $(cat dist/releasetag.txt) --target $GITHUB_REF 2> $errout && true; exitcode=$?; if [ $exitcode -ne 0 ] && ! grep -q "Release.tag_name already exists" $errout; then cat $errout; exit $exitcode; fi
release_npm:
name: Publish to npm
needs: release
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
if: needs.release.outputs.tag_exists != 'true' && needs.release.outputs.latest_commit == github.sha
steps:
- uses: actions/setup-node@v4
with:
node-version: lts/*
- name: Download build artifacts
uses: actions/download-artifact@v4
with:
name: build-artifact
path: dist
- name: Restore build artifact permissions
run: cd dist && setfacl --restore=permissions-backup.acl
continue-on-error: true
- name: Checkout
uses: actions/checkout@v4
with:
path: .repo
- name: Install Dependencies
run: cd .repo && yarn install --check-files --frozen-lockfile
- name: Extract build artifact
run: tar --strip-components=1 -xzvf dist/js/*.tgz -C .repo
- name: Move build artifact out of the way
run: mv dist dist.old
- name: Create js artifact
run: cd .repo && npx projen package:js
- name: Collect js artifact
run: mv .repo/dist dist
- name: Release
env:
NPM_DIST_TAG: latest
NPM_REGISTRY: registry.npmjs.org
NPM_CONFIG_PROVENANCE: "true"
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
run: npx -p publib@latest publib-npm
release_maven:
name: Publish to Maven Central
needs: release
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
if: needs.release.outputs.tag_exists != 'true' && needs.release.outputs.latest_commit == github.sha
steps:
- uses: actions/setup-java@v4
with:
distribution: corretto
java-version: "11"
- uses: actions/setup-node@v4
with:
node-version: lts/*
- name: Download build artifacts
uses: actions/download-artifact@v4
with:
name: build-artifact
path: dist
- name: Restore build artifact permissions
run: cd dist && setfacl --restore=permissions-backup.acl
continue-on-error: true
- name: Checkout
uses: actions/checkout@v4
with:
path: .repo
- name: Install Dependencies
run: cd .repo && yarn install --check-files --frozen-lockfile
- name: Extract build artifact
run: tar --strip-components=1 -xzvf dist/js/*.tgz -C .repo
- name: Move build artifact out of the way
run: mv dist dist.old
- name: Create java artifact
run: cd .repo && npx projen package:java
- name: Collect java artifact
run: mv .repo/dist dist
- name: Release
env:
MAVEN_SERVER_ID: github
MAVEN_REPOSITORY_URL: https://maven.pkg.github.com/dbsystel/cdk-sops-secrets
MAVEN_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
MAVEN_USERNAME: ${{ github.actor }}
run: npx -p publib@latest publib-maven
release_pypi:
name: Publish to PyPI
needs: release
runs-on: ubuntu-latest
permissions:
contents: read
if: needs.release.outputs.tag_exists != 'true' && needs.release.outputs.latest_commit == github.sha
steps:
- uses: actions/setup-node@v4
with:
node-version: lts/*
- uses: actions/setup-python@v5
with:
python-version: 3.x
- name: Download build artifacts
uses: actions/download-artifact@v4
with:
name: build-artifact
path: dist
- name: Restore build artifact permissions
run: cd dist && setfacl --restore=permissions-backup.acl
continue-on-error: true
- name: Checkout
uses: actions/checkout@v4
with:
path: .repo
- name: Install Dependencies
run: cd .repo && yarn install --check-files --frozen-lockfile
- name: Extract build artifact
run: tar --strip-components=1 -xzvf dist/js/*.tgz -C .repo
- name: Move build artifact out of the way
run: mv dist dist.old
- name: Create python artifact
run: cd .repo && npx projen package:python
- name: Collect python artifact
run: mv .repo/dist dist
- name: Release
env:
TWINE_USERNAME: ${{ secrets.TWINE_USERNAME }}
TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }}
run: npx -p publib@latest publib-pypi
release_nuget:
name: Publish to NuGet Gallery
needs: release
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
if: needs.release.outputs.tag_exists != 'true' && needs.release.outputs.latest_commit == github.sha
steps:
- uses: actions/setup-node@v4
with:
node-version: lts/*
- uses: actions/setup-dotnet@v4
with:
dotnet-version: 6.x
- name: Download build artifacts
uses: actions/download-artifact@v4
with:
name: build-artifact
path: dist
- name: Restore build artifact permissions
run: cd dist && setfacl --restore=permissions-backup.acl
continue-on-error: true
- name: Checkout
uses: actions/checkout@v4
with:
path: .repo
- name: Install Dependencies
run: cd .repo && yarn install --check-files --frozen-lockfile
- name: Extract build artifact
run: tar --strip-components=1 -xzvf dist/js/*.tgz -C .repo
- name: Move build artifact out of the way
run: mv dist dist.old
- name: Create dotnet artifact
run: cd .repo && npx projen package:dotnet
- name: Collect dotnet artifact
run: mv .repo/dist dist
- name: Release
env:
NUGET_API_KEY: ${{ secrets.GITHUB_TOKEN }}
NUGET_SERVER: https://nuget.pkg.github.com/dbsystel/index.json
run: npx -p publib@latest publib-nuget