|
| 1 | +name: Pre-Release |
| 2 | + |
| 3 | +# PRE-RELEASE PROCESS |
| 4 | +# |
| 5 | +# === Automated activities === |
| 6 | +# |
| 7 | +# 1. [Seal] Bump to release version and export source code with integrity hash |
| 8 | +# 2. [Quality check] Restore sealed source code, run tests, linting, security and complexity base line |
| 9 | +# 3. [Build] Restore sealed source code, create and export hashed build artifact for PyPi release (wheel, tarball) |
| 10 | +# 4. [Provenance] Generates provenance for build, signs attestation with GitHub OIDC claims to confirm it came from this release pipeline, commit, org, repo, branch, hash, etc. |
| 11 | +# 5. [Release] Restore built artifact, and publish package to PyPi prod repository |
| 12 | +# 6. [PR to bump version] Restore sealed source code, and create a PR to update trunk with latest released project metadata |
| 13 | + |
| 14 | +# NOTE |
| 15 | +# |
| 16 | +# See MAINTAINERS.md "Releasing a new version" for release mechanisms |
| 17 | +# |
| 18 | +# Every job is isolated and starts a new fresh container. |
| 19 | + |
| 20 | +env: |
| 21 | + RELEASE_COMMIT: ${{ github.sha }} |
| 22 | + |
| 23 | +on: |
| 24 | + workflow_dispatch: |
| 25 | + inputs: |
| 26 | + skip_code_quality: |
| 27 | + description: "Skip tests, linting, and baseline. Only use if release fail for reasons beyond our control and you need a quick release." |
| 28 | + default: false |
| 29 | + type: boolean |
| 30 | + required: false |
| 31 | + skip_pypi: |
| 32 | + description: "Skip publishing to PyPi. Used for testing release steps." |
| 33 | + default: false |
| 34 | + type: boolean |
| 35 | + required: false |
| 36 | + schedule: |
| 37 | + # Note: run daily on weekdays at 8am UTC time |
| 38 | + - cron: "0 8 * * 1-5" |
| 39 | + |
| 40 | +permissions: |
| 41 | + contents: read |
| 42 | + |
| 43 | +jobs: |
| 44 | + |
| 45 | + # This job bumps the package version to the pre-release version |
| 46 | + # creates an integrity hash from the source code |
| 47 | + # uploads the artifact with the integrity hash as the key name |
| 48 | + # so subsequent jobs can restore from a trusted point in time to prevent tampering |
| 49 | + seal: |
| 50 | + # ignore forks |
| 51 | + if: github.repository == 'aws-powertools/powertools-lambda-python' |
| 52 | + |
| 53 | + runs-on: ubuntu-latest |
| 54 | + permissions: |
| 55 | + contents: read |
| 56 | + outputs: |
| 57 | + integrity_hash: ${{ steps.seal_source_code.outputs.integrity_hash }} |
| 58 | + artifact_name: ${{ steps.seal_source_code.outputs.artifact_name }} |
| 59 | + RELEASE_VERSION: ${{ steps.release_version.outputs.RELEASE_VERSION }} |
| 60 | + steps: |
| 61 | + # NOTE: Different from prod release, we need both poetry and source code available in earlier steps to bump and verify. |
| 62 | + |
| 63 | + # We use a pinned version of Poetry to be certain it won't modify source code before we create a hash |
| 64 | + - name: Install poetry |
| 65 | + run: | |
| 66 | + pipx install git+https://github.com/python-poetry/poetry@68b88e5390720a3dd84f02940ec5200bfce39ac6 # v1.5.0 |
| 67 | + pipx inject poetry git+https://github.com/monim67/poetry-bumpversion@315fe3324a699fa12ec20e202eb7375d4327d1c4 # v0.3.1 |
| 68 | +
|
| 69 | + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 |
| 70 | + with: |
| 71 | + ref: ${{ env.RELEASE_COMMIT }} |
| 72 | + |
| 73 | + - name: Bump and export release version |
| 74 | + id: release_version |
| 75 | + run: | |
| 76 | + RELEASE_VERSION="$(poetry version prerelease --short | head -n1 | tr -d '\n')" |
| 77 | +
|
| 78 | + echo "RELEASE_VERSION=${RELEASE_VERSION}" >> "$GITHUB_OUTPUT" |
| 79 | +
|
| 80 | + - name: Verifies pre-release version semantics |
| 81 | + # verify pre-release semantics before proceeding to avoid versioning pollution |
| 82 | + # e.g., 2.40.0a1 and 2.40.0b2 are valid while 2.40.0 is not |
| 83 | + # NOTE. we do it in a separate step to handle edge cases like |
| 84 | + # `poetry` CLI uses immutable install, versioning behaviour could change even in a minor version (we had breaking changes before) |
| 85 | + # a separate step allows us to pinpoint what happened (before/after) |
| 86 | + run: | |
| 87 | + if [[ ! "$RELEASE_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+[a-b].*$ ]]; then |
| 88 | + echo "Version $VERSION doesn't look like a pre-release version; aborting" |
| 89 | + exit 1 |
| 90 | + fi |
| 91 | + env: |
| 92 | + RELEASE_VERSION: ${{ steps.release_version.outputs.RELEASE_VERSION}} |
| 93 | + |
| 94 | + - name: Seal and upload |
| 95 | + id: seal_source_code |
| 96 | + uses: ./.github/actions/seal |
| 97 | + with: |
| 98 | + artifact_name_prefix: "source" |
| 99 | + |
| 100 | + # This job runs our automated test suite, complexity and security baselines |
| 101 | + # it ensures previously merged have been tested as part of the pull request process |
| 102 | + # |
| 103 | + # NOTE |
| 104 | + # |
| 105 | + # we don't upload the artifact after testing to prevent any tampering of our source code dependencies |
| 106 | + quality_check: |
| 107 | + needs: seal |
| 108 | + runs-on: ubuntu-latest |
| 109 | + permissions: |
| 110 | + contents: read |
| 111 | + steps: |
| 112 | + # NOTE: we need actions/checkout to configure git first (pre-commit hooks in make dev) |
| 113 | + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 |
| 114 | + with: |
| 115 | + ref: ${{ env.RELEASE_COMMIT }} |
| 116 | + |
| 117 | + - name: Restore sealed source code |
| 118 | + uses: ./.github/actions/seal-restore |
| 119 | + with: |
| 120 | + integrity_hash: ${{ needs.seal.outputs.integrity_hash }} |
| 121 | + artifact_name: ${{ needs.seal.outputs.artifact_name }} |
| 122 | + |
| 123 | + - name: Debug cache restore |
| 124 | + run: cat pyproject.toml |
| 125 | + |
| 126 | + - name: Install poetry |
| 127 | + run: pipx install git+https://github.com/python-poetry/poetry@68b88e5390720a3dd84f02940ec5200bfce39ac6 # v1.5.0 |
| 128 | + - name: Set up Python |
| 129 | + uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 |
| 130 | + with: |
| 131 | + python-version: "3.12" |
| 132 | + cache: "poetry" |
| 133 | + - name: Install dependencies |
| 134 | + run: make dev |
| 135 | + - name: Run all tests, linting and baselines |
| 136 | + run: make pr |
| 137 | + |
| 138 | + # This job creates a release artifact (tar.gz, wheel) |
| 139 | + # it checks out code from release commit for custom actions to work |
| 140 | + # then restores the sealed source code (overwrites any potential tampering) |
| 141 | + # it's done separately from release job to enforce least privilege. |
| 142 | + # We export just the final build artifact for release |
| 143 | + build: |
| 144 | + runs-on: ubuntu-latest |
| 145 | + needs: [quality_check, seal] |
| 146 | + permissions: |
| 147 | + contents: read |
| 148 | + outputs: |
| 149 | + integrity_hash: ${{ steps.seal_build.outputs.integrity_hash }} |
| 150 | + artifact_name: ${{ steps.seal_build.outputs.artifact_name }} |
| 151 | + attestation_hashes: ${{ steps.encoded_hash.outputs.attestation_hashes }} |
| 152 | + steps: |
| 153 | + # NOTE: we need actions/checkout to configure git first (pre-commit hooks in make dev) |
| 154 | + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 |
| 155 | + with: |
| 156 | + ref: ${{ env.RELEASE_COMMIT }} |
| 157 | + |
| 158 | + - name: Restore sealed source code |
| 159 | + uses: ./.github/actions/seal-restore |
| 160 | + with: |
| 161 | + integrity_hash: ${{ needs.seal.outputs.integrity_hash }} |
| 162 | + artifact_name: ${{ needs.seal.outputs.artifact_name }} |
| 163 | + |
| 164 | + - name: Install poetry |
| 165 | + run: pipx install git+https://github.com/python-poetry/poetry@68b88e5390720a3dd84f02940ec5200bfce39ac6 # v1.5.0 |
| 166 | + - name: Set up Python |
| 167 | + uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 |
| 168 | + with: |
| 169 | + python-version: "3.12" |
| 170 | + cache: "poetry" |
| 171 | + |
| 172 | + - name: Build python package and wheel |
| 173 | + run: poetry build |
| 174 | + |
| 175 | + - name: Seal and upload |
| 176 | + id: seal_build |
| 177 | + uses: ./.github/actions/seal |
| 178 | + with: |
| 179 | + artifact_name_prefix: "build" |
| 180 | + files: "dist/" |
| 181 | + |
| 182 | + # NOTE: SLSA retraces our build to its artifact to ensure it wasn't tampered |
| 183 | + # coupled with GitHub OIDC, SLSA can then confidently sign it came from this release pipeline+commit+branch+org+repo+actor+integrity hash |
| 184 | + - name: Create attestation encoded hash for provenance |
| 185 | + id: encoded_hash |
| 186 | + working-directory: dist |
| 187 | + run: echo "attestation_hashes=$(sha256sum ./* | base64 -w0)" >> "$GITHUB_OUTPUT" |
| 188 | + |
| 189 | + # This job creates a provenance file that describes how our release was built (all steps) |
| 190 | + # after it verifies our build is reproducible within the same pipeline |
| 191 | + # it confirms that its own software and the CI build haven't been tampered with (Trust but verify) |
| 192 | + # lastly, it creates and sign an attestation (multiple.intoto.jsonl) that confirms |
| 193 | + # this build artifact came from this GitHub org, branch, actor, commit ID, inputs that triggered this pipeline, and matches its integrity hash |
| 194 | + # NOTE: supply chain threats review (we protect against all of them now): https://slsa.dev/spec/v1.0/threats-overview |
| 195 | + provenance: |
| 196 | + needs: [seal, build] |
| 197 | + permissions: |
| 198 | + contents: write # nested job explicitly require despite upload assets being set to false |
| 199 | + actions: read # To read the workflow path. |
| 200 | + id-token: write # To sign the provenance. |
| 201 | + # NOTE: provenance fails if we use action pinning... it's a Github limitation |
| 202 | + # because SLSA needs to trace & attest it came from a given branch; pinning doesn't expose that information |
| 203 | + # https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#referencing-the-slsa-generator |
| 204 | + uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] |
| 205 | + with: |
| 206 | + base64-subjects: ${{ needs.build.outputs.attestation_hashes }} |
| 207 | + upload-assets: false # we upload its attestation in create_tag job, otherwise it creates a new release |
| 208 | + |
| 209 | + # This job uses release artifact to publish to PyPi |
| 210 | + # it exchanges JWT tokens with GitHub to obtain PyPi credentials |
| 211 | + # since it's already registered as a Trusted Publisher. |
| 212 | + # It uses the sealed build artifact (.whl, .tar.gz) to release it |
| 213 | + release: |
| 214 | + needs: [build, seal, provenance] |
| 215 | + environment: pre-release |
| 216 | + runs-on: ubuntu-latest |
| 217 | + permissions: |
| 218 | + id-token: write # OIDC for PyPi Trusted Publisher feature |
| 219 | + env: |
| 220 | + RELEASE_VERSION: ${{ needs.seal.outputs.RELEASE_VERSION }} |
| 221 | + steps: |
| 222 | + # NOTE: we need actions/checkout in order to use our local actions (e.g., ./.github/actions) |
| 223 | + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 |
| 224 | + with: |
| 225 | + ref: ${{ env.RELEASE_COMMIT }} |
| 226 | + |
| 227 | + - name: Restore sealed source code |
| 228 | + uses: ./.github/actions/seal-restore |
| 229 | + with: |
| 230 | + integrity_hash: ${{ needs.build.outputs.integrity_hash }} |
| 231 | + artifact_name: ${{ needs.build.outputs.artifact_name }} |
| 232 | + |
| 233 | + - name: Upload to PyPi prod |
| 234 | + if: ${{ !inputs.skip_pypi }} |
| 235 | + uses: pypa/gh-action-pypi-publish@0ab0b79471669eb3a4d647e625009c62f9f3b241 # v1.10.1 |
| 236 | + |
| 237 | + # Creates a PR with the latest version we've just released |
| 238 | + # since our trunk is protected against any direct pushes from automation |
| 239 | + bump_version: |
| 240 | + needs: [release, seal, provenance] |
| 241 | + permissions: |
| 242 | + contents: write # create-pr action creates a temporary branch |
| 243 | + pull-requests: write # create-pr action creates a PR using the temporary branch |
| 244 | + runs-on: ubuntu-latest |
| 245 | + steps: |
| 246 | + # NOTE: we need actions/checkout to authenticate and configure git first |
| 247 | + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 |
| 248 | + with: |
| 249 | + ref: ${{ env.RELEASE_COMMIT }} |
| 250 | + |
| 251 | + - name: Restore sealed source code |
| 252 | + uses: ./.github/actions/seal-restore |
| 253 | + with: |
| 254 | + integrity_hash: ${{ needs.seal.outputs.integrity_hash }} |
| 255 | + artifact_name: ${{ needs.seal.outputs.artifact_name }} |
| 256 | + |
| 257 | + - name: Download provenance |
| 258 | + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 |
| 259 | + with: |
| 260 | + name: ${{needs.provenance.outputs.provenance-name}} |
| 261 | + |
| 262 | + - name: Update provenance |
| 263 | + run: mkdir -p "${PROVENANCE_DIR}" && mv "${PROVENANCE_FILE}" "${PROVENANCE_DIR}/" |
| 264 | + env: |
| 265 | + PROVENANCE_FILE: ${{ needs.provenance.outputs.provenance-name }} |
| 266 | + PROVENANCE_DIR: provenance/${{ needs.seal.outputs.RELEASE_VERSION}} |
| 267 | + |
| 268 | + - name: Create PR |
| 269 | + id: create-pr |
| 270 | + uses: ./.github/actions/create-pr |
| 271 | + with: |
| 272 | + files: "pyproject.toml aws_lambda_powertools/shared/version.py provenance/" |
| 273 | + temp_branch_prefix: "ci-bump" |
| 274 | + pull_request_title: "chore(ci): new pre-release ${{ needs.seal.outputs.RELEASE_VERSION }}" |
| 275 | + github_token: ${{ secrets.GITHUB_TOKEN }} |
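Review bot: The abort message in the "Verifies pre-release version semantics" step references `$VERSION`, which is never set (the step's `env` exports `RELEASE_VERSION`), so a failing run prints an empty version; it should read `echo "Version $RELEASE_VERSION doesn't look like a pre-release version; aborting"`. The `skip_code_quality` dispatch input is declared but no job references it — `quality_check` always runs and `build` hard-depends on it — so either drop the input or document that it is intentionally inert; on a release pipeline an unwired quality-gate bypass is arguably the safer outcome, but the input description currently promises behaviour the workflow does not have. The `build` job restores a Poetry cache via `actions/setup-python` (`cache: "poetry"`) after restoring the sealed source; that cache is not covered by the seal's integrity hash, and since `poetry build` does not appear to need installed dependencies it looks removable — worth confirming and dropping so the build environment is limited to sealed inputs. The comment above the `provenance` job that the pipeline now protects against all of the SLSA threats overstates what signed build provenance gives you, since it does not by itself address the dependency-threat category in that document; I would soften it to `# NOTE: provenance addresses the source/build threats in the SLSA threat model; dependency threats need separate controls`. Finally, the regex `^[0-9]+\.[0-9]+\.[0-9]+[a-b].*$` accepts anything after the `a`/`b` marker and rejects `rc` pre-releases; if that is intended, a one-line comment saying so would prevent a later "fix" from loosening the gate.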