ci(CodeBuild): publish to NPM via CodeBuild

texastony · texastony · commit e8483152b89f · 2022-08-26T16:24:17.000-07:00
diff --git a/codebuild/release/prod-release.yml b/codebuild/release/prod-release.yml
@@ -0,0 +1,32 @@
+version: 0.2
+
+batch:
+  fast-fail: true 
+  build-graph:
+# CI
+    - identifier: nodejs10
+      buildspec: codebuild/nodejs10.yml
+      env:
+        compute-type: BUILD_GENERAL1_MEDIUM
+    - identifier: nodejs12
+      buildspec: codebuild/nodejs12.yml
+      env:
+        image: aws/codebuild/standard:5.0
+        compute-type: BUILD_GENERAL1_MEDIUM
+
+# Version the project and push git commits and tags
+    - identifier: version
+      depend-on:
+        - nodejs10
+        - nodejs12
+      buildspec: codebuild/release/version.yml
+      env:
+        image: aws/codebuild/standard:5.0
+
+# Publish the release to npm
+    - identifier: publish
+      depend-on:
+        - version
+      buildspec: codebuild/release/publish.yml
+      env:
+        image: aws/codebuild/standard:5.0
diff --git a/codebuild/release/publish.yml b/codebuild/release/publish.yml
@@ -0,0 +1,48 @@
+version: 0.2
+
+env:
+  variables:
+    NODE_OPTIONS: "--max-old-space-size=4096"
+    BRANCH: "mainline-1.x"
+  secrets-manager:
+     OTP_SECRET_KEY: npm/aws-crypto-tools-ci-bot/2FA:OTP_SECRET_KEY
+     NPM_TOKEN: npm/aws-crypto-tools-ci-bot/2FA:NPM_TOKEN
+
+phases:
+  install:
+    commands:
+      - npm ci --unsafe-perm
+      # Install `otplib` to extract the OTP from the npm 2FA secret
+      - npm install otplib --no-save
+      - npm run build
+    runtime-versions:
+      nodejs: 12
+  pre_build:
+    commands:
+      - git checkout $BRANCH
+  build:
+    commands:
+      # Extract the otp using the secrets environment variables from above.
+      # This will wait for the next token. This is because npm uses
+      # TOTP and the tokens time out after 30 seconds. If the process just
+      # extracted the token then the lifetime for this token
+      # would be very random. This will maximize the amount of time
+      # available on the OTP to publish.
+      - >-
+        OTP=`node -e "
+          auth=require('otplib').authenticator;
+          setTimeout(() =>
+            console.log(auth.generate(process.env.OTP_SECRET_KEY)),
+            auth.timeRemaining() * 1000);
+          "`
+      # npm will only expand env vars inside .npmrc
+      # NOTE the ' this is to keep the env var NPM_TOKEN from expanding!
+      - echo '//registry.npmjs.org/:_authToken=${NPM_TOKEN}' > .npmrc
+      # Now we publish to npm.
+      # This is going to use the OTP generated above and the NPM_TOKEN
+      # environment variable. This will only publish things that are
+      # missing from npm. It is therefore safe to run repeatedly.
+      - npx lerna publish from-package --yes --otp $OTP
+      # remove after publishing
+      - rm .npmrc
+
diff --git a/codebuild/release/version.yml b/codebuild/release/version.yml
@@ -0,0 +1,27 @@
+version: 0.2
+
+env:
+  variables:
+    NODE_OPTIONS: "--max-old-space-size=4096"
+    BRANCH: "mainline-1.x"
+    # An explicit version bump
+    VERSION_BUMP: ""
+  git-credential-helper: yes
+
+phases:
+  install:
+    commands:
+      - npm ci --unsafe-perm
+    runtime-versions:
+      nodejs: 12
+  pre_build:
+    commands:
+      - git config --global user.name "aws-crypto-tools-ci-bot"
+      - git config --global user.email "no-reply@noemail.local"
+      - git checkout $BRANCH
+  build:
+    commands:
+      # Generate new version and CHANGELOG entry and push it
+      - npx lerna version --conventional-commits --git-remote origin --yes ${VERSION_BUMP:+$VERSION_BUMP --force-publish}
+      # Log the commit for posterity
+      - git log -n 1
