-
Notifications
You must be signed in to change notification settings - Fork 19
179 lines (157 loc) · 6.67 KB
/
Copy pathrust-start-release.yml
File metadata and controls
179 lines (157 loc) · 6.67 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
# This workflow regenerates `releases/rust/db_esdk/` for a new version of the
# aws-db-esdk crate by running DynamoDbEncryption/runtimes/rust/start_release.sh,
# committing the result on a release branch, and opening a PR back to main.
#
# `cargo publish` and `test_published.sh` live in rust-release.yml and
# should be dispatched on the resulting PR's branch before merging.
#
# This workflow only ever runs against the default branch (`main`); the
# version input must be in N.N.N form. The release branch is pushed and
# the release PR is opened as the Crypto Tools CI bot (via a PAT pulled
# from AWS Secrets Manager) so that the resulting PR's `pull_request`
# event triggers required-checks workflows on the release PR.
name: Rust Start Release
on:
workflow_dispatch:
inputs:
version:
description: "New aws-db-esdk version in N.N.N format (e.g. '1.2.5')."
required: true
type: string
permissions: {}
jobs:
start-release:
name: Run start_release.sh and open a release PR
# Disallow dispatching from anywhere but the default branch; the workflow
# checks out main below regardless of github.ref, but failing fast here
# avoids confusion.
if: github.ref == 'refs/heads/main'
runs-on: ubuntu-22.04
permissions:
id-token: write
contents: write
env:
RUST_MIN_STACK: 838860800
steps:
- name: Validate version input
shell: bash
env:
VERSION: ${{ github.event.inputs.version }}
run: |
set -euo pipefail
if ! [[ "${VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo "::error::Version '${VERSION}' must be in N.N.N format (e.g. '1.2.5')."
exit 1
fi
- name: Configure AWS Credentials for tests
uses: aws-actions/configure-aws-credentials@v6
with:
aws-region: us-west-2
role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-DDBEC-Dafny-Role-us-west-2
role-session-name: DDBEC-Rust-Start-Release
special-characters-workaround: "true"
- name: Support longpaths on Git checkout
run: |
git config --global core.longpaths true
- uses: actions/checkout@v6
with:
ref: main
fetch-depth: 0
- name: Init Submodules
shell: bash
run: |
git submodule update --init --recursive submodules/smithy-dafny
git submodule update --init --recursive submodules/MaterialProviders
- name: Setup Rust Toolchain for GitHub CI
uses: actions-rust-lang/setup-rust-toolchain@v1
with:
components: rustfmt, clippy
- name: Setup Dafny
uses: ./submodules/MaterialProviders/.github/actions/setup_dafny/
with:
dafny-version: 4.10.0
- name: Setup Java 17 for codegen
uses: actions/setup-java@v5
with:
distribution: "corretto"
java-version: "17"
- name: Install Smithy-Dafny codegen dependencies
uses: ./submodules/MaterialProviders/.github/actions/install_smithy_dafny_codegen_dependencies
with:
mpl-submodule-path: ./submodules/MaterialProviders/
- name: Configure Git
shell: bash
run: |
git config --global user.name "GitHub Actions"
git config --global user.email "actions@github.com"
- name: Create release branch
id: branch
shell: bash
env:
VERSION: ${{ github.event.inputs.version }}
run: |
set -euo pipefail
BRANCH="release/db_esdk/v${VERSION}"
git checkout -b "${BRANCH}"
echo "name=${BRANCH}" >> "$GITHUB_OUTPUT"
- name: Run start_release.sh
shell: bash
working-directory: DynamoDbEncryption/runtimes/rust
env:
VERSION: ${{ github.event.inputs.version }}
run: ./start_release.sh "${VERSION}"
- name: Commit regenerated releases/rust/db_esdk
shell: bash
env:
VERSION: ${{ github.event.inputs.version }}
run: |
set -euo pipefail
git add releases/rust/db_esdk DynamoDbEncryption/runtimes/rust/Cargo.toml
if git diff --cached --quiet; then
echo "::error::start_release.sh produced no changes; nothing to release."
exit 1
fi
git commit -m "chore(release): aws-db-esdk v${VERSION}"
# Switch from the testing role to the CI-bot-credential-access role so
# we can pull the CI bot's PAT and push/open the PR as the bot. This
# makes the resulting PR fire the repo's normal pull_request CI.
- name: Configure AWS Credentials for CI bot creds
uses: aws-actions/configure-aws-credentials@v6
with:
aws-region: us-west-2
role-to-assume: arn:aws:iam::587316601012:role/GitHub-CI-CI-Bot-Credential-Access-Role-us-west-2
role-session-name: CI_Bot_RustStartRelease
special-characters-workaround: "true"
- name: Get CI Bot Creds Secret
uses: aws-actions/aws-secretsmanager-get-secrets@v2
with:
secret-ids: Github/aws-crypto-tools-ci-bot
parse-json-secrets: true
- name: Push release branch and open release PR as CI bot
shell: bash
env:
BRANCH: ${{ steps.branch.outputs.name }}
VERSION: ${{ github.event.inputs.version }}
run: |
set -euo pipefail
# Authenticate gh as the CI bot. Following the pattern used by
# semantic_release.yml, write the token to a temp file and feed it
# to `gh auth login --with-token`.
echo '${{ env.GITHUB_AWS_CRYPTO_TOOLS_CI_BOT_ESDK_RELEASE_TOKEN }}' > token.txt
gh auth login --with-token < token.txt
rm token.txt
gh auth status
# Push using the bot PAT so the push event is attributed to the bot
# and required pull_request CI workflows fire on the resulting PR.
REMOTE="https://x-access-token:$(gh auth token)@github.com/${GITHUB_REPOSITORY}.git"
git push "${REMOTE}" "${BRANCH}"
gh pr create \
--base main \
--head "${BRANCH}" \
--title "chore(release): aws-db-esdk v${VERSION}" \
--body "Automated release PR generated by \`rust-start-release.yml\` for aws-db-esdk v${VERSION}.
Reviewer checklist:
- Update \`CHANGELOG.md\` in the root directory with the changes for this version.
- If this is a major version bump, update \`SUPPORT_POLICY.rst\` for Rust.
- After approval and BEFORE merging, dispatch the \`Rust Release\` workflow on this branch to publish to crates.io and run \`test_published.sh\`.
Do NOT merge this PR before publishing."