chore: Migrate CodeBuild release to GHA (without publishing step) #15
| name: Release | |
| permissions: | |
| contents: read | |
| on: | |
| pull_request: | |
| workflow_dispatch: | |
| inputs: | |
| version_bump: | |
| required: false | |
| description: '[Optional] Override semantic versioning with explict version (allowed values: "patch", "minor", "major", or explicit version)' | |
| default: '' | |
| dist_tag: | |
| description: 'NPM distribution tag' | |
| required: false | |
| default: 'latest' | |
| branch: | |
| description: 'The branch to release from' | |
| required: false | |
| default: 'master' | |
| env: | |
| NODE_OPTIONS: "--max-old-space-size=4096" | |
| NPM_CONFIG_UNSAFE_PERM: true | |
| jobs: | |
| compliance: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| submodules: true | |
| - name: Setup Node.js 18 | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '18' | |
| cache: 'npm' | |
| - name: Install dependencies | |
| run: npm ci --unsafe-perm | |
| - name: Run compliance checks | |
| run: | | |
| npm run lint | |
| npm run test_conditions | |
| test: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| contents: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| node-version: ['18', '20', '22'] | |
| test-type: ['node', 'browser'] | |
| test-category: ['coverage', 'vectors'] | |
| name: test-${{ matrix.test-category }}-${{ matrix.test-type }}${{ matrix.node-version }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| submodules: true | |
| - name: Setup Node.js ${{ matrix.node-version }} | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: ${{ matrix.node-version }} | |
| cache: 'npm' | |
| - name: Configure AWS Credentials for Tests | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: us-west-2 | |
| role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2 | |
| role-session-name: JavaScriptTests | |
| - name: Install dependencies and build | |
| run: | | |
| npm ci --unsafe-perm | |
| npm run build | |
| - name: Run ${{ matrix.test-category }} tests (${{ matrix.test-type }}) | |
| run: | | |
| if [ "${{ matrix.test-category }}" = "coverage" ]; then | |
| npm run coverage-${{ matrix.test-type }} | |
| elif [ "${{ matrix.test-category }}" = "vectors" ]; then | |
| npm run verdaccio-publish | |
| npm run verdaccio-${{ matrix.test-type }}-decrypt | |
| npm run verdaccio-${{ matrix.test-type }}-encrypt | |
| else | |
| echo "Error: Unrecognized test category '${{ matrix.test-category }}'" | |
| exit 1 | |
| fi | |
| # Once all tests have passed, run semantic versioning | |
| version: | |
| runs-on: ubuntu-latest | |
| needs: [compliance, test] | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| submodules: true | |
| - name: Setup Node.js 16 | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '16' | |
| cache: 'npm' | |
| - name: Install dependencies | |
| run: npm ci --unsafe-perm | |
| - name: Configure git | |
| env: | |
| BRANCH: ${{ github.event.inputs.branch }} | |
| VERSION_BUMP: ${{ github.event.inputs.version_bump }} | |
| run: | | |
| git config --global user.name "aws-crypto-tools-ci-bot" | |
| git config --global user.email "[email protected]" | |
| git checkout ${{ github.head_ref }} # Use PR branch or current branch | |
| - name: Version packages (dry run - no push) | |
| run: | | |
| # For testing: no push to avoid modifying master branch | |
| npx lerna version --conventional-commits --no-push --yes ${VERSION_BUMP:+$VERSION_BUMP --force-publish} | |
| # TODO: uncomment line below and remove line above when adding publish step | |
| # npx lerna version --conventional-commits --git-remote origin --yes ${VERSION_BUMP:+$VERSION_BUMP --force-publish} | |
| git log -n 1 | |
| # Once semantic versioning has run and bumped versions, publish to npm | |
| # TODO: Publish step that doesn't use OTP but instead follows | |
| # https://docs.npmjs.com/trusted-publishers | |
| # Once publishing is complete, validate that the published packages are useable | |
| validate: | |
| runs-on: ubuntu-latest | |
| # TODO: Uncomment when adding publish step | |
| # needs: [publish] | |
| permissions: | |
| id-token: write | |
| contents: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| node-version: ['18', '20', '22'] | |
| test-type: ['node', 'browser'] | |
| name: validate-${{ matrix.test-type }}${{ matrix.node-version }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| submodules: true | |
| - name: Setup Node.js ${{ matrix.node-version }} | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: ${{ matrix.node-version }} | |
| cache: 'npm' | |
| - name: Configure AWS Credentials for Tests | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: us-west-2 | |
| role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2 | |
| role-session-name: JavaScriptTests | |
| - name: Install dependencies | |
| run: npm ci --unsafe-perm | |
| - name: Validate published packages - ${{ matrix.test-type }} | |
| # This will fail until the publish step is run for the first time. | |
| # A dependency change broke the browser tests. | |
| # Commit fb10180dfb451ff5359ebc703c58eaf5393971ac fixes this. | |
| # The first publish step for v4.2.2+ should make this pass. | |
| # TODO: Remove this comment block after first successful publish of v4.2.2+. | |
| run: | | |
| npm run verdaccio-${{ matrix.test-type }}-decrypt | |
| npm run verdaccio-${{ matrix.test-type }}-encrypt |
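Review bot: `git checkout ${{ github.head_ref }}` in the Configure git step of the `version` job interpolates a PR-author-controlled branch name directly into the shell, which GitHub's workflow-hardening guidance classes as untrusted input, and this workflow is triggered on `pull_request`; route it through the step's existing `env:` block as `HEAD_REF: ${{ github.head_ref }}` and run `git checkout "$HEAD_REF"`. That same `env:` block also sets `VERSION_BUMP`, but step-level `env` does not carry over to the following "Version packages" step, so the `${VERSION_BUMP:+$VERSION_BUMP --force-publish}` expansion in the lerna command is always empty; move `VERSION_BUMP` (and `BRANCH`) onto that step or to job-level `env:`. `BRANCH` is declared but never read, and on `workflow_dispatch` `github.head_ref` is empty, so the `branch` input has no effect and `git checkout` runs with no argument. Separately, the `test` and `validate` jobs request `id-token: write` and assume the IAM role on every `pull_request` run; whether that is acceptable depends on the role's trust policy, which is not visible here, but scoping the OIDC steps to same-repository PRs or to `workflow_dispatch` would narrow exposure. As this is a release workflow, consider pinning the third-party actions to full commit SHAs rather than the `@v4` tags.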