diff --git a/.github/workflows/make-release.yml b/.github/workflows/make-release.yml
index d23de1850c..3602d606d2 100644
--- a/.github/workflows/make-release.yml
+++ b/.github/workflows/make-release.yml
@@ -39,7 +39,6 @@ jobs:
 # Needed as recommended by npm docs on publishing with provenance https://docs.npmjs.com/generating-provenance-statements
 permissions:
 id-token: write
- contents: write
 environment: Release
 runs-on: ubuntu-latest
 outputs:
@@ -98,6 +97,7 @@ jobs:
 id-token: write
 contents: write
 pages: write
+ pull-requests: write
 uses: ./.github/workflows/publish_layer.yml
 with:
 latest_published_version: ${{ needs.publish-npm.outputs.RELEASE_VERSION }}
diff --git a/.github/workflows/make-version.yml b/.github/workflows/make-version.yml
index b51ff3980d..a13613712a 100644
--- a/.github/workflows/make-version.yml
+++ b/.github/workflows/make-version.yml
@@ -3,6 +3,9 @@ name: Make Version on: workflow_dispatch: { } +permissions: + contents: read + jobs: bump-version:
diff --git a/.github/workflows/publish_layer.yml b/.github/workflows/publish_layer.yml
index d567de0585..3f348cfc14 100644
--- a/.github/workflows/publish_layer.yml
+++ b/.github/workflows/publish_layer.yml
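Review bot: With `contents: write` removed, the publish-npm job's `permissions` block lists only `id-token: write`, and GitHub sets every scope not named in a job-level block to `none`, so the job's token now has no `contents` access at all rather than read access. If any step of this job (its steps are outside the hunk) checks out the repository or reads release metadata with GITHUB_TOKEN, add `contents: read` next to `id-token: write`; otherwise the reduction is the right least-privilege move and is worth recording in the existing comment, e.g. `# id-token only: OIDC for npm provenance; no repository access is needed to publish`.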
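Review bot: `pages: write` stays in the scopes handed to the publish_layer.yml call even though this same commit removes `release-docs` (the job in that workflow that called reusable_publish_docs.yml) from publish_layer.yml, so the scope may no longer have a consumer; if no remaining job in publish_layer.yml deploys to Pages, drop `pages: write` here so the reusable workflow is granted only `id-token`, `contents` and `pull-requests`. The added `pull-requests: write` is required, since the new update_layer_arn_docs job in publish_layer.yml opens a pull request with GITHUB_TOKEN and a called workflow cannot use a scope its caller does not pass. The enclosing job definition starts before the hunk.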
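Review bot: The new workflow-level `permissions: contents: read` is a sound default, but the bump-version job (its body is outside the hunk) presumably commits or pushes the version bump and will fail under a read-only token unless it declares its own job-level block such as `permissions:` / `  contents: write` (plus `pull-requests: write` if it opens a PR), since a job-level block is the only way to raise a scope above the workflow default. Confirm that block exists before merging.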
@@ -78,29 +78,36 @@ jobs: secrets: target-account-role: ${{ secrets.AWS_LAYERS_PROD_ROLE_ARN }} - prepare_docs_alias: + update_layer_arn_docs: + needs: [deploy-prod] + # Force Github action to run only a single job at a time (based on the group name) + # This is to prevent race-condition and inconsistencies with changelog push + concurrency: + group: changelog-build runs-on: ubuntu-latest permissions: - contents: read - outputs: - DOCS_ALIAS: ${{ steps.set-alias.outputs.DOCS_ALIAS }} + contents: write + pull-requests: write + id-token: none steps: - - name: Set docs alias - id: set-alias + - name: Checkout repository # reusable workflows start clean, so we need to checkout again + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + ref: ${{ github.sha }} + - name: Download CDK layer artifact + uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 + with: + name: cdk-layer-stack + path: cdk-layer-stack/ + - name: Replace layer versions in documentation run: | - DOCS_ALIAS=latest - if [[ "${{ inputs.pre_release }}" == true ]] ; then - DOCS_ALIAS=alpha - fi - echo DOCS_ALIAS="$DOCS_ALIAS" >> "$GITHUB_OUTPUT" - - release-docs: - needs: [ deploy-prod, prepare_docs_alias ] - permissions: - id-token: write - secrets: inherit - uses: ./.github/workflows/reusable_publish_docs.yml - with: - version: ${{ inputs.latest_published_version }} - alias: ${{ needs.prepare_docs_alias.outputs.DOCS_ALIAS }} - detached_mode: true + ls -la cdk-layer-stack/ + ./.github/scripts/update_layer_arn.sh cdk-layer-stack + - name: Create PR + id: create-pr + uses: ./.github/actions/create-pr + with: + files: 'docs/index.md' + temp_branch_prefix: 'ci-layer-docs' + pull_request_title: 'chore(ci): update layer ARN on documentation' + github_token: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file 
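Review bot: The `release-docs` job and its `prepare_docs_alias` helper (which chose the `alpha`/`latest` docs alias from `inputs.pre_release`) are removed from publish_layer.yml with no replacement visible in this diff, so unless docs publishing moved to another workflow in this commit, versioned docs stop being published on release; confirm where that call went. The new update_layer_arn_docs job opens its pull request with `secrets.GITHUB_TOKEN`, and pull requests created with that token do not trigger `pull_request` workflow runs, so the usual checks will not run on the docs PR unless it is updated from another source; if checks are wanted there, the `create-pr` action needs a different token. The comment copied onto the job still says the concurrency group prevents `inconsistencies with changelog push` although this job edits `docs/index.md`; reword it to `# Serialise jobs that push to the docs PR branch to avoid racing commits` or similar. The file now ends without a trailing newline (`\ No newline at end of file`); add one.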
diff --git a/.github/workflows/reusable_deploy_layer_stack.yml b/.github/workflows/reusable_deploy_layer_stack.yml
index 47d5d4bc61..ca120916e5 100644
--- a/.github/workflows/reusable_deploy_layer_stack.yml
+++ b/.github/workflows/reusable_deploy_layer_stack.yml
@@ -100,11 +100,3 @@ jobs:
 overwrite: true
 - name: CDK deploy canary
 run: npm run cdk -w layers -- deploy --app cdk.out --context region=${{ matrix.region }} 'CanaryStack' --require-approval never --verbose --outputs-file cdk-outputs.json
- update_layer_arn_docs:
- needs: deploy-cdk-stack
- permissions:
- contents: write
- if: ${{ inputs.stage == 'PROD' }}
- uses: ./.github/workflows/reusable_update_layer_arn_docs.yml
- with:
- latest_published_version: ${{ inputs.latest_published_version }}
diff --git a/.github/workflows/reusable_update_layer_arn_docs.yml b/.github/workflows/reusable_update_layer_arn_docs.yml
deleted file mode 100644
index 4d4cea1547..0000000000
--- a/.github/workflows/reusable_update_layer_arn_docs.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-name: Update Layer ARN Docs
-
-on:
- workflow_call:
- inputs:
- latest_published_version:
- description: "Latest NPM published version to rebuild latest docs for, e.g. 1.5.1"
- type: string
- required: true
-
-permissions:
- contents: read
-
-env:
- BRANCH: main
-
-jobs:
- publish_layer_arn:
- # Force Github action to run only a single job at a time (based on the group name)
- # This is to prevent race-condition and inconsistencies with changelog push
- concurrency:
- group: changelog-build
- runs-on: ubuntu-latest
- permissions:
- contents: write
- pull-requests: write
- id-token: none
- steps:
- - name: Checkout repository # reusable workflows start clean, so we need to checkout again
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- with:
- ref: ${{ github.sha }}
- - name: Download CDK layer artifact
- uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
- with:
- name: cdk-layer-stack
- path: cdk-layer-stack/
- - name: Replace layer versions in documentation
- run: |
- ls -la cdk-layer-stack/
- ./.github/scripts/update_layer_arn.sh cdk-layer-stack
- - name: Create PR
- id: create-pr
- uses: ./.github/actions/create-pr
- with:
- files: 'docs/index.md'
- temp_branch_prefix: 'ci-layer-docs'
- pull_request_title: 'chore(ci): update layer ARN on documentation'
- github_token: ${{ secrets.GITHUB_TOKEN }}
-
\ No newline at end of file