Back patch PyPI, ECR image and Lambda layer signature to 0.14.x (#592)

*Description of changes:*
The CR includes 3 changes:
* back patch signing public ECR
image(aws-observability/aws-otel-java-instrumentation#1288)
* back patch signing PyPI attestation error
(#585)
* fix signing lambda layer issue that the unsigned s3 file is not
overwrite to be the signed.

By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice.

Author: wangzlei

.github/workflows/release-build.yml

@@ -162,19 +162,19 @@ jobs:
           path: dist-pypi
 
       # The step below publishes to testpypi in order to catch any issues 
-      # - name: Publish to TestPyPI
-      #   uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e
-      #   with:
-      #     repository-url: https://test.pypi.org/legacy/
-      #     skip-existing: true
-      #     verbose: true
-      #     packages-dir: dist-pypi
+      - name: Publish to TestPyPI
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e
+        with:
+          attestations: false
+          repository-url: https://test.pypi.org/legacy/
+          skip-existing: true
+          verbose: true
+          packages-dir: dist-pypi
 
       # Publish to prod PyPI
       - name: Publish to PyPI
         uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e
         with:
-          attestations: false
           skip-existing: true
           verbose: true
           packages-dir: dist-pypi
@@ -249,20 +249,32 @@ jobs:
           aws s3 cp aws-opentelemetry-python-layer.zip s3://${{ env.BUCKET_NAME }}
           
           # Sign the layer
+          echo "Checking for signing profile..."
           PROFILE=$(aws signer list-signing-profiles --query "profiles[?profileName=='ADOTLambdaLayerSigningProfile'].arn" --output text 2>/dev/null)
-          [ -z "$PROFILE" ] && exit 0
+          [ -z "$PROFILE" ] && echo "No signing profile found, skipping" && exit 0
           
+          echo "Starting signing job..."
           JOB_ID=$(aws signer start-signing-job \
             --source "s3={bucketName=${{ env.BUCKET_NAME }},key=aws-opentelemetry-python-layer.zip,version=null}" \
             --destination "s3={bucketName=${{ env.BUCKET_NAME }},prefix=signed-}" \
             --profile-name ADOTLambdaLayerSigningProfile \
             --query 'jobId' --output text 2>/dev/null) || exit 0
-          [ -z "$JOB_ID" ] && exit 0
+          [ -z "$JOB_ID" ] && echo "No job ID returned" && exit 0
+          echo "Job ID: $JOB_ID"
           
+          echo "Waiting for signing job to complete..."
           aws signer wait successful-signing-job --job-id "$JOB_ID" || exit 0
+          echo "Signing completed"
           
+          echo "Moving signed layer..."
           SIGNED=$(aws signer describe-signing-job --job-id "$JOB_ID" --query 'signedObject.s3.key' --output text 2>/dev/null)
-          [ -n "$SIGNED" ] && aws s3 mv "s3://${{ env.BUCKET_NAME }}/$SIGNED" "s3://${{ env.BUCKET_NAME }}/aws-opentelemetry-python-layer.zip"
+          echo "SIGNED value: '$SIGNED'"
+          if [ -n "$SIGNED" ]; then
+            aws s3 mv "s3://${{ env.BUCKET_NAME }}/$SIGNED" "s3://${{ env.BUCKET_NAME }}/aws-opentelemetry-python-layer.zip --clobber"
+            echo "Signed layer moved successfully"
+          else
+            echo "No SIGNED value returned, skipping move"
+          fi
       
       - name: Publish Layer Version
         run: |
@@ -474,3 +486,53 @@ jobs:
              ${{ env.WHEEL_ARTIFACT_NAME }}.sha256 \
              layer.zip \
              layer.zip.sha256
+
+  sign-public-ecr-image:
+    runs-on: ubuntu-latest
+    needs: publish-sdk
+    steps:
+      - name: Configure AWS Credentials for public ECR
+        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #v5.0.0
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN_ECR_RELEASE }}
+          aws-region: ${{ env.AWS_PUBLIC_ECR_REGION }}
+
+      # Install notation CLI with AWS Signer plugin
+      - name: Install notation CLI with AWS Signer plugin
+        run: |
+          curl -Lo aws-signer-notation-cli_amd64.deb https://d2hvyiie56hcat.cloudfront.net/linux/amd64/installer/deb/latest/aws-signer-notation-cli_amd64.deb
+          sudo dpkg -i aws-signer-notation-cli_amd64.deb
+          notation version
+          notation plugin ls
+
+      # Query ECR signing profile ARN
+      - name: Query ECR Signing Profile ARN
+        id: ecr-signing-profile
+        run: |
+          PROFILE_ARN=$(aws signer list-signing-profiles --region ${{ env.AWS_PUBLIC_ECR_REGION }} --query "profiles[?profileName=='ADOTECRSigningProfile'].arn" --output text 2>/dev/null)
+          if [ -n "$PROFILE_ARN" ]; then
+            echo "profile_arn=$PROFILE_ARN" >> $GITHUB_OUTPUT
+            echo "Found ECR signing profile: $PROFILE_ARN"
+          else
+            echo "ECR signing profile 'ADOTECRSigningProfile' not found"
+            exit 0
+          fi
+
+      # Login to Public ECR
+      - name: Log in to AWS public ECR
+        if: steps.ecr-signing-profile.outputs.profile_arn != ''
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 #v3.5.0
+        with:
+          registry: public.ecr.aws
+
+      # Sign Public ECR Image
+      - name: Sign Public ECR Image
+        if: steps.ecr-signing-profile.outputs.profile_arn != ''
+        run: |
+          # Sign the released public ECR image
+          notation sign ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }} \
+            --plugin com.amazonaws.signer.notation.plugin \
+            --id ${{ steps.ecr-signing-profile.outputs.profile_arn }}
+          echo "Successfully signed public ECR image"
+          echo "Image: ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }}"
+          echo "Profile ARN: ${{ steps.ecr-signing-profile.outputs.profile_arn }}"