From 533c6273e1a86df1d8efcc79147ffd0014037ea9 Mon Sep 17 00:00:00 2001 From: heitorlessa Date: Wed, 3 May 2023 11:33:33 +0200 Subject: [PATCH 1/7] chore(ci): use new pypi trusted publisher --- .github/workflows/release.yml | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a3f05dc15e0..bb59c833784 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -52,6 +52,7 @@ jobs: runs-on: aws-lambda-powertools_ubuntu-latest_4-core permissions: contents: write + id-token: write # OIDC for PyPi Trusted Publisher feature outputs: RELEASE_VERSION: ${{ steps.release_version.outputs.RELEASE_VERSION }} env: @@ -95,16 +96,13 @@ jobs: # March 1st: PyPi test is under maintenance.... # - name: Upload to PyPi test # if: ${{ !inputs.skip_pypi }} - # run: make release-test - # env: - # PYPI_USERNAME: __token__ - # PYPI_TEST_TOKEN: ${{ secrets.PYPI_TEST_TOKEN }} + # uses: pypa/gh-action-pypi-publish@0bf742be3ebe032c25dd15117957dc15d0cfc38d # v1.8.5 + # with: + # repository-url: https://test.pypi.org/legacy/ + - name: Upload to PyPi prod if: ${{ !inputs.skip_pypi }} - run: make release-prod - env: - PYPI_USERNAME: __token__ - PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }} + uses: pypa/gh-action-pypi-publish@0bf742be3ebe032c25dd15117957dc15d0cfc38d # v1.8.5 - name: Update version in trunk if: steps.versioning.outcome == 'success' run: | From 5c0a8123e32803b48a1826ede00412055cf2acf2 Mon Sep 17 00:00:00 2001 From: heitorlessa Date: Wed, 3 May 2023 11:54:47 +0200 Subject: [PATCH 2/7] chore(ci): split build and release jobs to tigthen permissions --- .github/workflows/release.yml | 58 +++++++++++++++++++++++++---------- 1 file changed, 42 insertions(+), 16 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index bb59c833784..f1417620481 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
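Review bot: The `Upload to PyPi prod` step now publishes through `pypa/gh-action-pypi-publish` and the removed lines were the only references to `secrets.PYPI_TOKEN` (and, in the commented test block, `PYPI_TEST_TOKEN`), but nothing in the series retires those long-lived API tokens; once this lands they should be revoked on PyPI and deleted from the repository secrets so an unused credential is not left valid. A comment on the step such as `# Publishes via OIDC trusted publisher; no PyPI API token is configured for this repository` would record that the secrets are intentionally gone. The commented-out test upload keeps its `if:` and `with:` inside comments, so no change is needed there. The enclosing `release` job starts before this hunk.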
@@ -47,12 +47,11 @@ on: required: false jobs: - release: + build: environment: release runs-on: aws-lambda-powertools_ubuntu-latest_4-core permissions: contents: write - id-token: write # OIDC for PyPi Trusted Publisher feature outputs: RELEASE_VERSION: ${{ steps.release_version.outputs.RELEASE_VERSION }} env: @@ -91,18 +90,15 @@ jobs: id: versioning run: poetry version "${RELEASE_VERSION}" - name: Build python package and wheel - if: ${{ !inputs.skip_pypi }} run: poetry build - # March 1st: PyPi test is under maintenance.... - # - name: Upload to PyPi test - # if: ${{ !inputs.skip_pypi }} - # uses: pypa/gh-action-pypi-publish@0bf742be3ebe032c25dd15117957dc15d0cfc38d # v1.8.5 - # with: - # repository-url: https://test.pypi.org/legacy/ - - name: Upload to PyPi prod - if: ${{ !inputs.skip_pypi }} - uses: pypa/gh-action-pypi-publish@0bf742be3ebe032c25dd15117957dc15d0cfc38d # v1.8.5 + - name: Cache release artifact + id: cache-release-build + uses: actions/cache/save@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 + with: + path: dist/ + key: ${{ runner.os}}-${{ env.RELEASE_VERSION }}-${{ hashFiles('**/poetry.lock')}} + - name: Update version in trunk if: steps.versioning.outcome == 'success' run: | 
@@ -113,6 +109,36 @@ jobs: git pull origin "${BRANCH}" # prevents concurrent branch update failing push git push origin HEAD:refs/heads/"${BRANCH}" + release: + needs: build + environment: release + runs-on: aws-lambda-powertools_ubuntu-latest_4-core + permissions: + id-token: write # OIDC for PyPi Trusted Publisher feature + env: + RELEASE_VERSION: ${{ needs.build.outputs.RELEASE_VERSION }} + steps: + - uses: actions/checkout@v3 + - name: Restore release artifact from cache + id: restore-release-build + uses: actions/cache/restore@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 + with: + path: dist/ + key: ${{ runner.os}}-${{ env.RELEASE_VERSION }}-${{ hashFiles('**/poetry.lock')}} + + - name: Upload to PyPi prod + if: ${{ !inputs.skip_pypi }} + uses: pypa/gh-action-pypi-publish@0bf742be3ebe032c25dd15117957dc15d0cfc38d # v1.8.5 + with: + repository-url: https://test.pypi.org/legacy/ + + # March 1st: PyPi test is under maintenance.... + # - name: Upload to PyPi test + # if: ${{ !inputs.skip_pypi }} + # uses: pypa/gh-action-pypi-publish@0bf742be3ebe032c25dd15117957dc15d0cfc38d # v1.8.5 + # with: + # repository-url: https://test.pypi.org/legacy/ + changelog: needs: release permissions: @@ -122,7 +148,7 @@ jobs: # NOTE: Watch out for the depth limit of 4 nested workflow_calls. # publish_layer -> publish_v2_layer -> reusable_deploy_v2_layer_stack -> reusable_update_v2_layer_arn_docs publish_layer: - needs: release + needs: [build, release] secrets: inherit permissions: id-token: write @@ -130,11 +156,11 @@ jobs: pages: write uses: ./.github/workflows/publish_v2_layer.yml with: - latest_published_version: ${{ needs.release.outputs.RELEASE_VERSION }} + latest_published_version: ${{ needs.build.outputs.RELEASE_VERSION }} pre_release: ${{ inputs.pre_release }} post_release: - needs: [release, publish_layer] + needs: [build, release, publish_layer] permissions: contents: read issues: write 
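Review bot: The new `Upload to PyPi prod` step in the `release` job carries `with: repository-url: https://test.pypi.org/legacy/`, so a production run would upload the release to TestPyPI rather than pypi.org; that `with` block belongs only to the commented-out test step, and the prod step should end at `uses: pypa/gh-action-pypi-publish@0bf742be3ebe032c25dd15117957dc15d0cfc38d # v1.8.5`. The `Restore release artifact from cache` step does not fail on a miss, so an evicted or never-written entry leaves `dist/` empty and the publish step fails late with a less obvious error; `fail-on-cache-miss: true` under its `with:` makes the dependency on the build job explicit. `actions/checkout@v3` is the only action in this job pinned to a mutable tag while the others are pinned to a commit SHA, and with `permissions:` listing only `id-token: write` the checkout will probably also need `contents: read`, if a checkout is needed at all for a job that only publishes `dist/`. The `needs:` updates in the two smaller hunks on this line look consistent with the job split.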
@@ -142,7 +168,7 @@ jobs: pull-requests: write runs-on: ubuntu-latest env: - RELEASE_VERSION: ${{ needs.release.outputs.RELEASE_VERSION }} + RELEASE_VERSION: ${{ needs.build.outputs.RELEASE_VERSION }} steps: - uses: actions/checkout@v3 - name: Close issues related to this release From f39a4fa10d4fcbb5ea44310a5c6e9d7839a6d5fd Mon Sep 17 00:00:00 2001 From: heitorlessa Date: Wed, 3 May 2023 12:15:04 +0200 Subject: [PATCH 3/7] docs(ci): update release process notes --- .github/workflows/release.yml | 13 +++++++------ MAINTAINERS.md | 2 +- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f1417620481..21a066768d0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -5,17 +5,18 @@ name: Release # === Automated activities === # # 1. Run tests, linting, security and complexity base line -# 2. Bump package version and generate latest Changelog -# 3. Publish package to PyPi test and prod repository -# 4. Kick off SAR App pipeline to publish latest version with minimal and extra dependencies -# 5. Builds and publish latest changelog from tip of the branch +# 2. Bump package version, build release artifact, and generate latest Changelog +# 3. Publish package to PyPi prod repository using cached artifact +# 4. Kick off Layers pipeline to compile and publish latest version +# 5. Updates documentation to use the latest Layer ARN for all commercial regions # 6. Builds a new user guide and API docs with release version; update /latest pointing to newly released version # 7. Close all issues labeled "pending-release" and notify customers about the release # # === Manual activities === # -# 1. Edit the current draft release notes -# 2. If not already set, use `v` as a tag, e.g., v1.26.4, and select develop as target branch +# 1. Kick off this workflow with the intended version +# 2. Update draft release notes after this workflow completes +# 3. If not already set, use `v` as a tag, e.g., v1.26.4, and select develop as target branch # See MAINTAINERS.md "Releasing a new version" for release mechanisms diff --git a/MAINTAINERS.md b/MAINTAINERS.md index a82c160a58d..3525147f68f 100644 --- a/MAINTAINERS.md +++ b/MAINTAINERS.md @@ -191,7 +191,7 @@ Reword through rebase and push with `--force-with-lease` once you're confident. **Looks good, what's next?** -The only step is to draft and publish a good release notes, everything else is automated. +Kickoff the `Release` workflow with the intended version. Once complete, update the draft release notes within the `` section summarizing why customers should care about this release. #### Drafting release notes From dac9eba244e1e7cda3631825853c037d3f0534e0 Mon Sep 17 00:00:00 2001 
From: heitorlessa Date: Wed, 3 May 2023 12:18:45 +0200 Subject: [PATCH 4/7] docs(ci): add note on cache key strategy --- .github/workflows/release.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 21a066768d0..b0e5dcd5c80 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -98,6 +98,12 @@ jobs: uses: actions/cache/save@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 with: path: dist/ + # NOTE: cache key uses a hash of (Runner OS + Version to be released + Deps) + # since a new release might not change a dependency but version + # otherwise we might accidentally reuse a previously cached artifact for a newer release + # the reason we don't add pyproject.toml here is to avoid racing conditions + # where git checkout might happen too fast and doesn't pick up the latest + # and also future-proof for when we switch to protected branch and update via PR key: ${{ runner.os}}-${{ env.RELEASE_VERSION }}-${{ hashFiles('**/poetry.lock')}} - name: Update version in trunk From 53774dd235b08180ddf4cb2a88a4d83db2ef1fcc Mon Sep 17 00:00:00 2001 From: Heitor Lessa Date: Wed, 3 May 2023 13:24:50 +0200 Subject: [PATCH 5/7] chore: add space before closing expression Co-authored-by: Ruben Fonseca Signed-off-by: Heitor Lessa --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b0e5dcd5c80..d0188885a98 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -131,7 +131,7 @@ jobs: uses: actions/cache/restore@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 with: path: dist/ - key: ${{ runner.os}}-${{ env.RELEASE_VERSION }}-${{ hashFiles('**/poetry.lock')}} + key: ${{ runner.os }}-${{ env.RELEASE_VERSION }}-${{ hashFiles('**/poetry.lock') }} - name: Upload to PyPi prod if: ${{ !inputs.skip_pypi }} 
From de0dc25e5bab04e26160a45fc57fe10c20f6ff27 Mon Sep 17 00:00:00 2001 From: Heitor Lessa Date: Wed, 3 May 2023 13:25:01 +0200 Subject: [PATCH 6/7] chore: add space before closing expression Co-authored-by: Ruben Fonseca Signed-off-by: Heitor Lessa --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d0188885a98..ea64597e59f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -104,7 +104,7 @@ jobs: # the reason we don't add pyproject.toml here is to avoid racing conditions # where git checkout might happen too fast and doesn't pick up the latest # and also future-proof for when we switch to protected branch and update via PR - key: ${{ runner.os}}-${{ env.RELEASE_VERSION }}-${{ hashFiles('**/poetry.lock')}} + key: ${{ runner.os }}-${{ env.RELEASE_VERSION }}-${{ hashFiles('**/poetry.lock') }} - name: Update version in trunk if: steps.versioning.outcome == 'success' From 8480561b6e6717104beb07d9482e32d1d44db7aa Mon Sep 17 00:00:00 2001 From: Heitor Lessa Date: Wed, 3 May 2023 13:25:42 +0200 Subject: [PATCH 7/7] chore: capitalize sentence and add version Co-authored-by: Ruben Fonseca Signed-off-by: Heitor Lessa --- .github/workflows/release.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ea64597e59f..26b43725469 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -100,9 +100,9 @@ jobs: path: dist/ # NOTE: cache key uses a hash of (Runner OS + Version to be released + Deps) # since a new release might not change a dependency but version - # otherwise we might accidentally reuse a previously cached artifact for a newer release - # the reason we don't add pyproject.toml here is to avoid racing conditions - # where git checkout might happen too fast and doesn't pick up the latest + # otherwise we might accidentally reuse a previously cached artifact for a newer release. + # The reason we don't add pyproject.toml here is to avoid racing conditions + # where git checkout might happen too fast and doesn't pick up the latest version # and also future-proof for when we switch to protected branch and update via PR key: ${{ runner.os }}-${{ env.RELEASE_VERSION }}-${{ hashFiles('**/poetry.lock') }}