document workflows

Author: sthulb

.github/workflows/build-docs.yml

@@ -1,3 +1,17 @@
+# Build Docs
+#
+# Description:
+#   Builds the docs and stores them in S3 to be served by our docs platform
+#
+#   The workflow allows us to build to the main location (/lambda/java/) and to an alias
+#   (i.e. /lambda/java/preview/) if needed
+#
+# Triggers:
+#   - workflow_dispatch
+#
+# Inputs:
+#   alias – subdirectory to store the docs in for previews or in progress work
+
 on:
   workflow_dispatch:
     inputs:
@@ -9,16 +23,6 @@ on:
           versions of the documentation, such as beta versions or snapshots.
 
           https://docs.powertools.aws.dev/lambda/java/<alias>
-  workflow_call:
-    inputs:
-      alias:
-        type: string
-        required: false
-        description: |
-          Alias to deploy the documentation into, this is mostly for testing pre-release
-          versions of the documentation, such as beta versions or snapshots.
-
-          https://docs.powertools.aws.dev/lambda/java/<alias>
 
 name: Build Docs
 run-name: Build Docs - ${{ contains(github.head_ref, 'main') && 'main' || inputs.alias }}

.github/workflows/check-build.yml

@@ -1,3 +1,17 @@
+# Check Build
+#
+# Description:
+#   Runs the build for every java version we support
+#   
+# Triggers:
+#   - pull_request: when a PR is sent to us
+#   - push: when code is pushed to a specified branch
+#
+# Notes:
+#   The matrix build for this workflow is unusual, we need to make it dyanmic since 
+#   we need to change java versions we build for depending on the branch.
+
+
 on:
   workflow_dispatch:
   pull_request:
@@ -58,7 +72,7 @@ jobs:
       - id: base
         name: Base
         run: |
-          echo build_version=$(test ${{ github.base_ref }} == "v2" && echo "v2" || echo "v1") >> $GITHUB_OUTPUT
+          echo build_version=$(test ${{ github.ref }} == "v2" && echo "v2" || echo "v1") >> $GITHUB_OUTPUT
       - id: build_matrix_v1
         name: Build matrix (v1)
         if: ${{ steps.base.outputs.build_version == 'v1' }}

.github/workflows/check-e2e.yml

@@ -1,3 +1,14 @@
+# Run E2E tests for a branch
+#
+# Description: 
+#   Runs E2E tests for a specified branch
+#
+# Triggers:
+#   - push
+#
+# Secrets:
+#   - E2E.AWS_IAM_ROLE
+
 on:
   workflow_dispatch:
 

.github/workflows/check-pmd.yml

@@ -1,3 +1,14 @@
+# Runs PMD for a Pull Request
+#
+# Description:
+#   Runs PMD (pmd.github.io) for a pull request and daily. 
+#   This does not error on failure yet, our rules are too strong and would fail on every run
+# 
+# Triggers:
+#   - pull_request
+#   - workflow_dispatch
+#   - cron: every day at 12:00PM
+
 on:
   pull_request:
   workflow_dispatch:

.github/workflows/check-spotbugs.yml

@@ -1,3 +1,11 @@
+# Check for Spotbug errors
+#
+# Description:
+#   Runs Spotbugs for a pull request.
+#   This does not error on failure yet, our rules are too strong and would fail on every run
+# 
+# Triggers:
+#   - pull_request
 on:
   pull_request:
     branches:
@@ -34,19 +42,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9  # v3.5.3
-      - name: Setup java JDK 1.8
+      - name: Setup Java
         uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3.11.0
         with:
           distribution: 'corretto'
-          java-version: 8
-          # https://github.com/jwgmeligmeyling/spotbugs-github-action/issues/6
-          # https://github.blog/2020-08-03-github-actions-improvements-for-fork-and-pull-request-workflows/
-          # Avoid complexity of git action with publishing report. Just build with spotbugs profile.
-#      - name: Build with Maven for spotbugs check to gather reports
-#        run: mvn -Pbuild-with-spotbugs -B install --file pom.xml -DskipTests -Dmaven.javadoc.skip=true -Dspotbugs.failOnError=false
-#      - uses: jwgmeligmeyling/spotbugs-github-action@master
-#        with:
-#          path: '**/spotbugsXml.xml'
-#      # Can be simplified post this issue is fixed https://github.com/jwgmeligmeyling/spotbugs-github-action/issues/9
+          java-version: 21
       - name: Build with Maven for spotbugs check to mark build as fail if voilations found
         run: mvn -Pbuild-with-spotbugs -B install --file pom.xml -DskipTests -Dmaven.javadoc.skip=true -Dspotbugs.failOnError=true

.github/workflows/release-drafter.yml

@@ -1,3 +1,12 @@
+# Generates release notes
+#
+# Description:
+#   Generates release notes based on pull request history. This is based on the config
+#   stored in .github/release-drafter.yml
+#
+# Triggers:
+#   - push: main
+
 on:
   push:
     branches: [ main ]

.github/workflows/release.yml

@@ -1,3 +1,34 @@
+# Release
+#
+# Description:
+#   Creates a release for the project
+#
+#   1. Runs a setup job to set needed variables (build_matrix & version)
+#   2. Versions to the project and stores as an artifact
+#   3. Run quality checks
+#   4. Build
+#   5. Publish to Maven Central
+#   6. Create PR
+#   7. Publish docs
+#
+# Inputs:
+#   - version (string): SemVer of the new release (X.Y.Z)
+#   - snapshot (bool): If it's a snapshot release, this skips versioning assets like docs
+#   - skip_checks (bool): Don't run quality checks if it's an emergency release
+#   - skip_publish (bool): Don't publish to maven central
+#   - continue_on_error (bool): Don't fail the workflow if a quality check fails
+#
+# Triggers:
+#   - workflow_dispatch
+# 
+#  Secrets:
+#   - RELEASE.GPG_SIGNING_KEY
+#   - RELEASE.OSSRH_JIRA_USERNAME
+#   - RELEASE.OSSRH_JIRA_PASSWORD
+#   - RELEASE.GPG_PASSPHRASE
+#   - DOCS.AWS_DOCS_ROLE_ARN
+#   - DOCS.AWS_DOCS_BUCKET
+
 on:
   workflow_dispatch:
     inputs:
@@ -7,7 +38,7 @@ on:
       snapshot:
         type: boolean
         description: Create snapshot release
-        default: true
+        default: false
       skip_checks: 
         type: boolean
         description: Skip quality checks
@@ -168,6 +199,8 @@ jobs:
           distribution: corretto
           java-version: 21
           cache: maven
+          gpg-private-key: ${{ secrets.GPG_SIGNING_KEY }}
+          gpg-passphrase: GPG_PASSPHRASE
       - name: Publish package
         run: mvn -Prelease clean deploy -DskipTests
         env:

.github/workflows/security-branch-protections.yml

@@ -1,8 +1,23 @@
-# Modified copy of: https://github.com/github/docs/blob/main/.github/workflows/alert-changed-branch-protections.yml
+# Branch Protections
+#
+# Description:
+#   This workflow compares current security branch protections against those stored, 
+#   if there's any changes, it'll fail the job and alert using a Slack webhook
+#
+# Triggers:
+#   - pull_request
+#   - branch_protection_rule
+#   - cron: daily at 16:40
+#
+# Secrets:
+#   - SECURITY.BRANCH_PROTECTION_TOKEN
+#   - SECURITY.SLACK_WEBHOOK_URL
+#
+# Notes:
+#   Modified copy of: https://github.com/github/docs/blob/main/.github/workflows/alert-changed-branch-protections.yml
 
 on:
   branch_protection_rule:
-  workflow_dispatch:
   schedule:
     - cron: '20 16 * * *' # Run daily at 16:20 UTC
   pull_request:

.github/workflows/security-dependabot.yml

@@ -1,3 +1,12 @@
+# Auto merges dependabot PRs
+#
+# Description:
+#   Auto-merges dependabot PRs if all checks pass
+#   We verify all commits in the PR to ensure no one else has committed to the PR
+#
+# Triggers:
+#   - pull_request
+
 on: 
   pull_request:
     branches: [ dependabot/* ]

.github/workflows/security-dependencies-check.yml

@@ -1,3 +1,15 @@
+# Dependency checks
+#
+# Description:
+#   Verifies that dependencies are compatible with our project
+#   by checking licenses and their security posture
+#
+# Triggers:
+#   - pull_request
+#   - push
+#   - workflow_dispatch
+#   - cron: daily at 12:00PM
+
 on:
   pull_request: 
   workflow_dispatch:

.github/workflows/security-osv.yml

@@ -1,13 +1,26 @@
+# Runs OSV scan
+# 
+# Description:
+#   Checks dependencies already in the project for known issues
+#
+# Triggers:
+#   - pull_request 
+#   - workflow_dispatch
+#   - cron
+#   - push
+
 on:
   pull_request:
-    branches: [main]
-  merge_group:
-    branches: [main]
+    branches: 
+      - main
+      - v2
   workflow_dispatch: {}
   schedule:
     - cron: "30 12 * * 1"
   push:
-    branches: [main]
+    branches:
+      - main
+      - v2
 
 name: OpenSource Vulnerability Scanner
 run-name: OpenSource Vulnerability Scanner

.github/workflows/security-scorecard.yml

@@ -1,3 +1,17 @@
+# Runs OSSF
+#
+# Description:
+#   Runs OpenSSF Scorecard scan on the project
+#
+# Triggers:
+#   - branch_protection_rule
+#   - cron: 09:00AM  
+#   - push
+#   - workflow_dispatch
+#
+# Secrets:
+#   - Security.SCORECARD_TOKEN
+
 on:
   branch_protection_rule:
   schedule: