wip - refactor entire workflow to work around GH secrets uselessness

Author: vcschapp

.github/workflows/publish-python-packages.yaml

@@ -6,6 +6,33 @@ on:
     paths:
       - '**/pyproject.toml'
       - 'packages/**/__about__.py'
+    inputs:
+      aws_account_id:
+        description: The AWS account ID that owns the CodeArtifact domain
+        type: string
+        required: false
+        default: 505071440022
+      aws_region:
+        description: The AWS region where the CodeArtifact repository is hosted
+        type: string
+        required: false
+        default: us-west-2
+      aws_iam_role_name:
+        description: The name of the IAM role to assume for accessing CodeArtifact
+        type: string
+        required: false
+        default: GithubActions_Schema_CodeArtifact_Publish
+      domain:
+        description: The CodeArtifact domain name
+        type: string
+        required: false
+        default: overture-pypi
+      repository:
+        description: The CodeArtifact repository name
+        type: string
+        required: false
+        default: overture
+
 
 permissions:
   id-token: write
@@ -19,11 +46,6 @@ jobs:
       before_commit: ${{ github.event.before }}
       after_commit: ${{ github.event.after }}
 
-  get-index-url:
-    uses: ./.github/workflows/reusable-get-code-artifact-index-url.yaml
-    with:
-      role_name: GithubActions_Schema_CodeArtifact_Publish
-
   publish:
     needs: [check, get-index-url]
     if: github.event.repository.full_name == github.repository && needs.check.outputs.num_changed_packages > 0
@@ -43,8 +65,18 @@ jobs:
       - name: Sync code to make packages visible to Python
         run: uv sync --all-packages
 
+      - name: Get CodeArtifact index URL
+        id: get-code-artifact-index-url
+        run: |
+          echo 'index_url=<<EOF' >> $GITHUB_OUTPUT
+          ./.github/workflows/scripts/get-code-artifact-index-url.sh \
+            "${{ inputs.aws_account_id }}" "${{ inputs.aws_region }}" \
+            "${{ inputs.domain }}" "${{ inputs.repository }}" >> $GITHUB_OUTPUT
+          echo EOF >> $GITHUB_OUTPUT
+
       - name: Publish package ${{ matrix.package }} version ${{ matrix.after }} to PyPI
         run: |
+          echo TODO: TEMP: VERIFY: "${{ steps.get-code-artifact-index-url.index_url }}" TODO DELETE THIS DO NOT MERGE
           package="${{ matrix.package }}"
           before="${{ matrix.before }}"
           after="${{ matrix.after }}"
@@ -60,5 +92,4 @@ jobs:
             echo "    Source tarball file [$tarball] not found. Aborting!"
             exit 1
           fi
-          printf "TODO: DELETE THIS temporary %s\n" "${{ needs.get-index-url.secrets.index_url }}"
-          uv publish "$wheel" "$tarball" --publish-url "${{ needs.get-index-url.secrets.index_url }}"
+          uv publish "$wheel" "$tarball" --publish-url "${{ steps.get-code-artifact-index-url.index_url }}"

.github/workflows/reusable-check-python-package-versions.yaml

@@ -15,6 +15,31 @@ on:
             PR or the latest commit in a push.
         type: string
         required: true
+      aws_account_id:
+        description: The AWS account ID that owns the CodeArtifact domain
+        type: string
+        required: false
+        default: 505071440022
+      aws_region:
+        description: The AWS region where the CodeArtifact repository is hosted
+        type: string
+        required: false
+        default: us-west-2
+      aws_iam_role_name:
+        description: The name of the IAM role to assume for accessing CodeArtifact
+        type: string
+        required: false
+        default: GithubActions_Schema_CodeArtifact_ReadOnly
+      domain:
+        description: The CodeArtifact domain name
+        type: string
+        required: false
+        default: overture-pypi
+      repository:
+        description: The CodeArtifact repository name
+        type: string
+        required: false
+        default: overture
     outputs:
       changed_packages:
         description: >-
@@ -27,9 +52,6 @@ on:
 
 
 jobs:
-  get-index-url:
-    uses: ./.github/workflows/reusable-get-code-artifact-index-url.yaml
-
   check-python-package-versions:
     needs: get-index-url
     runs-on: ubuntu-latest
@@ -90,13 +112,30 @@ jobs:
           echo EOF >> $GITHUB_OUTPUT
           printf 'num_changed_packages=%s\n' "$(jq -c '. | length' /tmp/package-version-diff.json)" >> $GITHUB_OUTPUT
 
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ inputs.aws_region }}
+          role-to-assume: arn:aws:iam::${{ inputs.aws_account_id }}:role/${{ inputs.aws_iam_role_name }}
+          role-session-name: GitHubActions_${{github.job}}_${{github.run_id}}
+
+      - name: Get CodeArtifact index URL
+        id: get-code-artifact-index-url
+        run: |
+          echo 'index_url=<<EOF' >> $GITHUB_OUTPUT
+          ./.github/workflows/scripts/get-code-artifact-index-url.sh \
+            "${{ inputs.aws_account_id }}" "${{ inputs.aws_region }}" \
+            "${{ inputs.domain }}" "${{ inputs.repository }}" >> $GITHUB_OUTPUT
+          echo EOF >> $GITHUB_OUTPUT
+
       - name: Fail if any of the new versions already exist in the repo
         run: |
+          echo TODO: TEMP: VERIFY: "${{ steps.get-code-artifact-index-url.index_url }}" TODO DELETE THIS DO NOT MERGE
           jq -c '.[]' /tmp/package-version-diff.json | while read -r entry; do
             package=$(echo "$entry" | jq -r '.package')
             after=$(echo "$entry" | jq -r '.after')
             exit_code=0
-            output=$(uv run pip download "${package}==${after}" --index-url "${{ needs.get-index-url.secrets.index_url }}simple/" --no-deps -d /tmp --quiet 2>&1) || exit_code=$?
+            output=$(uv run pip download "${package}==${after}" --index-url "${{ steps.get-code-artifact-index-url.index_url }}simple/" --no-deps -d /tmp --quiet 2>&1) || exit_code=$?
             if [[ $exit_code -eq 0 || (
               "${output,,}" != *"could not find a version"* &&
               "${output,,}" != *"no matching distributions"*

.github/workflows/reusable-get-code-artifact-index-url.yaml

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+if [ $# -ne 4 ]; then
+  >&2 echo "Usage: $0 <aws_account_id> <aws_region> <domain> <repository>"
+  exit 1
+fi
+
+readonly aws_account_id="$1"
+readonly aws_region="$2"
+readonly domain="$3"
+readonly repository="$4"
+
+# Use the `aws-actions/configure-aws-credentials` GitHub action before calling this script to
+# ensure the necessary AWS credentials, for an appropriate role, are available in the environment.
+
+auth_token=$( \
+    aws codeartifact get-authorization-token \
+        --region "$aws_region" \
+        --domain "$domain" \
+        --domain-owner "$aws_account_id" \
+        --query authorizationToken \
+        --output text)
+
+printf "https://aws:%s@%s-%s.d.codeartifact.%s.amazonaws.com/\n" \
+    "$auth_token" "$domain"  "$aws_account_id" "$aws_region"

.github/workflows/scripts/get-code-artifact-index-url.sh

@@ -1,3 +1,3 @@
 __version__ = "0.1.0"
 
-# TEMPORARY COMMENT updated, again, and again, and again, and again
+# TEMPORARY COMMENT updated, again, and again, and again, and again, and again