-
Notifications
You must be signed in to change notification settings - Fork 15
154 lines (153 loc) · 5.93 KB
/
release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
# ~~ Generated by projen. To modify, edit .projenrc.ts and run "npx projen".
name: release
run-name: Release ${{ github.ref_name }}
on:
push:
tags:
- v*.*.*
jobs:
build:
name: Build release package
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
outputs:
dist-tag: ${{ steps.publish-target.outputs.dist-tag }}
latest: ${{ steps.publish-target.outputs.latest }}
github-release: ${{ steps.publish-target.outputs.github-release }}
prerelease: ${{ steps.publish-target.outputs.prerelease }}
env:
CI: "true"
steps:
- name: Checkout
uses: actions/checkout@v3
with:
repository: ${{ github.repository }}
ref: ${{ github.ref }}
- name: Setup Node.js
uses: actions/setup-node@v4
with:
cache: yarn
node-version: "18"
- name: Install dependencies
run: yarn install --frozen-lockfile
- name: Prepare Release
run: yarn release ${{ github.ref_name }}
- name: Determine Target
id: publish-target
env:
GITHUB_TOKEN: ${{ github.token }}
run: yarn ts-node projenrc/publish-target.ts ${{ github.ref_name }}
- name: Federate to AWS
if: fromJSON(steps.publish-target.outputs.github-release)
uses: aws-actions/configure-aws-credentials@v1
with:
aws-region: us-east-1
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
role-session-name: GHA-aws-jsii-compiler@${{ github.ref_name }}
- name: Sign Tarball
if: fromJSON(steps.publish-target.outputs.github-release)
run: |-
set -eo pipefail
export GNUPGHOME=$(mktemp -d)
echo "charset utf-8" > ${GNUPGHOME}/gpg.conf
echo "no-comments" >> ${GNUPGHOME}/gpg.conf
echo "no-emit-version" >> ${GNUPGHOME}/gpg.conf
echo "no-greeting" >> ${GNUPGHOME}/gpg.conf
secret=$(aws secretsmanager get-secret-value --secret-id=${{ secrets.OPEN_PGP_KEY_ARN }} --query=SecretString --output=text)
privatekey=$(node -p "(${secret}).PrivateKey")
passphrase=$(node -p "(${secret}).Passphrase")
echo "::add-mask::${passphrase}"
unset secret
echo ${passphrase} | gpg --batch --yes --import --armor --passphrase-fd=0 <(echo "${privatekey}")
unset privatekey
for file in $(find dist -type f -not -iname "*.asc"); do
echo ${passphrase} | gpg --batch --yes --local-user="aws-jsii@amazon.com" --detach-sign --armor --pinentry-mode=loopback --passphrase-fd=0 ${file}
done
unset passphrase
find ${GNUPGHOME} -type f -exec shred --remove {} \;
- name: Upload artifact
uses: actions/upload-artifact@v4.3.6
with:
name: release-package
path: ${{ github.workspace }}/dist
overwrite: true
release-to-github:
name: Create GitHub Release
needs: build
runs-on: ubuntu-latest
permissions:
contents: write
env:
CI: "true"
if: fromJSON(needs.build.outputs.github-release)
steps:
- name: Download artifact
uses: actions/download-artifact@v4
with:
name: release-package
- name: Verify if release exists
id: release-exists
env:
GH_TOKEN: ${{ github.token }}
run: |-
if gh release view ${{ github.ref_name }} --repo=${{ github.repository }} &>/dev/null
then
echo "result=true" >> $GITHUB_OUTPUT
else
echo "result=false" >> $GITHUB_OUTPUT
fi
- name: Create PreRelease
if: "!fromJSON(steps.release-exists.outputs.result) && fromJSON(needs.build.outputs.prerelease)"
env:
GH_TOKEN: ${{ github.token }}
run: gh release create ${{ github.ref_name }} --repo=${{ github.repository }} --generate-notes --title=${{ github.ref_name }} --verify-tag --prerelease --latest=${{ needs.build.outputs.latest }}
- name: Create Release
if: "!fromJSON(steps.release-exists.outputs.result) && !fromJSON(needs.build.outputs.prerelease)"
env:
GH_TOKEN: ${{ github.token }}
run: gh release create ${{ github.ref_name }} --repo=${{ github.repository }} --generate-notes --title=${{ github.ref_name }} --verify-tag --latest=${{ needs.build.outputs.latest }}
- name: Attach assets
env:
GH_TOKEN: ${{ github.token }}
run: gh release upload ${{ github.ref_name }} --repo=${{ github.repository }} --clobber ${{ github.workspace }}/**/*
release-npm-package:
name: Release to registry.npmjs.org
needs: build
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
env:
CI: "true"
steps:
- name: Download artifact
uses: actions/download-artifact@v4
with:
name: release-package
- name: Setup Node.js
uses: actions/setup-node@v4
with:
always-auth: true
node-version: "18"
registry-url: https://registry.npmjs.org/
- name: Federate to AWS
uses: aws-actions/configure-aws-credentials@v1
with:
aws-region: us-east-1
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
role-session-name: GHA-aws-jsii-compiler@${{ github.ref_name }}
- name: Set NODE_AUTH_TOKEN
run: |-
secret=$(aws secretsmanager get-secret-value --secret-id=${{ secrets.NPM_TOKEN_ARN }} --query=SecretString --output=text)
token=$(node -p "(${secret}).token")
unset secret
echo "::add-mask::${token}"
echo "NODE_AUTH_TOKEN=${token}" >> $GITHUB_ENV
unset token
- name: Publish
run: npm publish ${{ github.workspace }}/js/jsii-*.tgz --access=public --tag=${{ needs.build.outputs.dist-tag }}
- name: Tag "latest"
if: fromJSON(needs.build.outputs.latest)
run: npm dist-tag add jsii@${{ github.ref_name }} latest