From d1475e53783291895cdc776daa5aa2c894c9ac70 Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Wed, 26 Apr 2023 07:29:21 +0900
Subject: [PATCH 1/4] Added CodeQL code
---
 .github/workflows/codeql.yml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 .github/workflows/codeql.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000000..840201b1c16
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,30 @@
+jobs:
+ analyze:
+ name: Analyze
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2
+ with:
+ languages: ${{ matrix.language }}
+ queries: security-and-quality
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v2
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v2
+ strategy:
+ fail-fast: false
+ matrix:
+ language:
+ - python
+name: CodeQL
+'on':
+ push:
+ branches:
+ - develop
From 1154c0b6c5ca926b7b870e48aa0252b5fe022f38 Mon Sep 17 00:00:00 2001
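Review bot: The `'on':` block at the end of the hunk triggers only on `push` to `develop`, so CodeQL results are produced after a change is already merged and never gate a pull request; add a `pull_request:` trigger for `develop` and a `schedule:` cron so the default branch is also re-scanned when the query packs are updated. The job-level `permissions:` (`actions: read`, `contents: read`, `security-events: write`) are the least privilege the analyze/upload step needs and should stay as written. The actions are referenced by floating tags (`actions/checkout@v3`, `github/codeql-action/init@v2`, `autobuild@v2`, `analyze@v2`), while the workflows removed in patch 2/4 pin third-party actions to full commit SHAs and that patch also deletes `secure_workflows.yml`, which by its name looks like the guard for that convention; with the guard gone, pinning these too (`uses: github/codeql-action/init@<commit-sha> # v2.x.y`, placeholder filled from the release) keeps the supply-chain posture the deleted files had. The key order (`jobs:` first, `name:` and `'on':` last, `'on'` quoted) reads as serialized output rather than hand-written YAML; putting `name:` and `on:` at the top matches the deleted `codeql-analysis.yml` and every other workflow in the repository and makes the file diffable against it.
```yaml
'on':
  # … unchanged: push trigger on develop …
  pull_request:
    branches:
      - develop
  schedule:
    - cron: "0 6 * * 1"  # example cadence: weekly re-scan of the default branch
```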
From: Arpit Jain Date: Wed, 26 Apr 2023 16:45:27 +0900 Subject: [PATCH 2/4] Added CodeQL code --- .github/workflows/auto-merge.yml | 39 ----- .github/workflows/build_changelog.yml | 9 - .github/workflows/codeql-analysis.yml | 39 ----- .github/workflows/dispatch_analytics.yml | 43 ----- .github/workflows/label_pr_on_title.yml | 38 ---- .github/workflows/on_closed_issues.yml | 18 -- .github/workflows/on_label_added.yml | 38 ---- .github/workflows/on_merged_pr.yml | 35 ---- .github/workflows/on_opened_pr.yml | 51 ------ .github/workflows/on_push_docs.yml | 35 ---- .github/workflows/publish_v2_layer.yml | 153 ---------------- .github/workflows/python_build.yml | 60 ------- .github/workflows/rebuild_latest_docs.yml | 31 ---- .github/workflows/record_pr.yml | 22 --- .github/workflows/release-drafter.yml | 15 -- .github/workflows/release.yml | 156 ----------------- .../reusable_deploy_v2_layer_stack.yml | 158 ----------------- .github/workflows/reusable_deploy_v2_sar.yml | 163 ------------------ .../workflows/reusable_export_pr_details.yml | 89 ---------- .../workflows/reusable_publish_changelog.yml | 40 ----- .github/workflows/reusable_publish_docs.yml | 83 --------- .../reusable_update_v2_layer_arn_docs.yml | 52 ------ .github/workflows/run-e2e-tests.yml | 62 ------- .github/workflows/secure_workflows.yml | 32 ---- 24 files changed, 1461 deletions(-) delete mode 100644 .github/workflows/auto-merge.yml delete mode 100644 .github/workflows/build_changelog.yml delete mode 100644 .github/workflows/codeql-analysis.yml delete mode 100644 .github/workflows/dispatch_analytics.yml delete mode 100644 .github/workflows/label_pr_on_title.yml delete mode 100644 .github/workflows/on_closed_issues.yml delete mode 100644 .github/workflows/on_label_added.yml delete mode 100644 .github/workflows/on_merged_pr.yml delete mode 100644 .github/workflows/on_opened_pr.yml delete mode 100644 .github/workflows/on_push_docs.yml delete mode 100644 .github/workflows/publish_v2_layer.yml delete mode 
100644 .github/workflows/python_build.yml delete mode 100644 .github/workflows/rebuild_latest_docs.yml delete mode 100644 .github/workflows/record_pr.yml delete mode 100644 .github/workflows/release-drafter.yml delete mode 100644 .github/workflows/release.yml delete mode 100644 .github/workflows/reusable_deploy_v2_layer_stack.yml delete mode 100644 .github/workflows/reusable_deploy_v2_sar.yml delete mode 100644 .github/workflows/reusable_export_pr_details.yml delete mode 100644 .github/workflows/reusable_publish_changelog.yml delete mode 100644 .github/workflows/reusable_publish_docs.yml delete mode 100644 .github/workflows/reusable_update_v2_layer_arn_docs.yml delete mode 100644 .github/workflows/run-e2e-tests.yml delete mode 100644 .github/workflows/secure_workflows.yml diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml deleted file mode 100644 index b2a3d23bd9b..00000000000 --- a/.github/workflows/auto-merge.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -name: auto-merge - -on: - pull_request: - types: [opened, edited, synchronize] - -permissions: - contents: write - -jobs: - dependabot: - runs-on: ubuntu-latest - if: ${{ github.actor == 'dependabot[bot]' }} - steps: - - name: Dependabot metadata - id: metadata - uses: dependabot/fetch-metadata@v1.4.0 - with: - github-token: "${{ secrets.GITHUB_TOKEN }}" - - name: Enable auto-merge for mypy-boto3 stubs Dependabot PRs - if: ${{ contains(steps.metadata.outputs.dependency-names, 'mypy-boto3') && steps.metadata.outputs.update-type != 'version-update:semver-major' }} - run: gh pr merge --auto --squash "$PR_URL" - env: - PR_URL: ${{github.event.pull_request.html_url}} - GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} - # Maintenance: Experiment with literal array (toJSON('["dep1", "dep2"]')) to ease extending it - - name: Enable auto-merge for CDK Construct Lambda Layer Dependabot PRs - if: ${{ contains(steps.metadata.outputs.dependency-names, 'cdk-lambda-powertools-python-layer') && steps.metadata.outputs.update-type != 'version-update:semver-major' }} - run: gh pr merge --auto --squash "$PR_URL" - env: - PR_URL: ${{github.event.pull_request.html_url}} - GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} - # Maintenance: Revisit if CDK Constructs make breaking changes like CDK v1 - - name: Enable auto-merge for CDK Lib Construct - if: ${{ contains(steps.metadata.outputs.dependency-names, 'aws-cdk-lib') && steps.metadata.outputs.update-type != 'version-update:semver-major' }} - run: gh pr merge --auto --squash "$PR_URL" - env: - PR_URL: ${{github.event.pull_request.html_url}} - GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} diff --git a/.github/workflows/build_changelog.yml b/.github/workflows/build_changelog.yml deleted file mode 100644 index 3cd6fffe855..00000000000 --- a/.github/workflows/build_changelog.yml +++ /dev/null 
@@ -1,9 +0,0 @@ -# Standalone workflow to update changelog if necessary -name: Build changelog - -on: - workflow_dispatch: - -jobs: - changelog: - uses: ./.github/workflows/reusable_publish_changelog.yml diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml deleted file mode 100644 index d70a5c024e7..00000000000 --- a/.github/workflows/codeql-analysis.yml +++ /dev/null @@ -1,39 +0,0 @@ -name: "CodeQL" - -on: - push: - paths: - - "aws_lambda_powertools/**" - branches: - - develop - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - - strategy: - fail-fast: false - matrix: - # Override automatic language detection by changing the below list - # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python'] - language: ["python"] - # Learn more... - # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection - - steps: - - name: Checkout repository - uses: actions/checkout@v3 - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 - with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - # queries: ./path/to/local/query, your-org/your-repo/queries@main - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 diff --git a/.github/workflows/dispatch_analytics.yml b/.github/workflows/dispatch_analytics.yml deleted file mode 100644 index 49a276f6f61..00000000000 --- a/.github/workflows/dispatch_analytics.yml +++ /dev/null 
@@ -1,43 +0,0 @@ -name: Dispatch analytics - -on: - workflow_dispatch: - - schedule: - - cron: '0 * * * *' - -permissions: - id-token: write - actions: read - checks: read - contents: read - deployments: read - issues: read - discussions: read - packages: read - pages: read - pull-requests: read - repository-projects: read - security-events: read - statuses: read - -jobs: - dispatch_token: - concurrency: - group: analytics - runs-on: ubuntu-latest - environment: analytics - steps: - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef - with: - aws-region: eu-central-1 - role-to-assume: ${{ secrets.AWS_ANALYTICS_ROLE_ARN }} - - - name: Invoke Lambda function - run: | - payload=$(echo -n '{"githubToken": "${{ secrets.GITHUB_TOKEN }}"}' | base64) - aws lambda invoke \ - --function-name ${{ secrets.AWS_ANALYTICS_DISPATCHER_ARN }} \ - --payload "$payload" response.json - cat response.json diff --git a/.github/workflows/label_pr_on_title.yml b/.github/workflows/label_pr_on_title.yml deleted file mode 100644 index 3815a49e9bd..00000000000 --- a/.github/workflows/label_pr_on_title.yml +++ /dev/null 
@@ -1,38 +0,0 @@ -name: Label PR based on title - -on: - workflow_run: - workflows: ["Record PR details"] - types: - - completed - -jobs: - get_pr_details: - # Guardrails to only ever run if PR recording workflow was indeed - # run in a PR event and ran successfully - if: ${{ github.event.workflow_run.conclusion == 'success' }} - uses: ./.github/workflows/reusable_export_pr_details.yml - with: - record_pr_workflow_id: ${{ github.event.workflow_run.id }} - workflow_origin: ${{ github.event.repository.full_name }} - secrets: - token: ${{ secrets.GITHUB_TOKEN }} - label_pr: - needs: get_pr_details - runs-on: ubuntu-latest - steps: - - name: Checkout repository - uses: actions/checkout@v3 - - name: "Label PR based on title" - uses: actions/github-script@v6 - env: - PR_NUMBER: ${{ needs.get_pr_details.outputs.prNumber }} - PR_TITLE: ${{ needs.get_pr_details.outputs.prTitle }} - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - # This safely runs in our base repo, not on fork - # thus allowing us to provide a write access token to label based on PR title - # and label PR based on semantic title accordingly - script: | - const script = require('.github/scripts/label_pr_based_on_title.js') - await script({github, context, core}) diff --git a/.github/workflows/on_closed_issues.yml b/.github/workflows/on_closed_issues.yml deleted file mode 100644 index ca815e4c07f..00000000000 --- a/.github/workflows/on_closed_issues.yml +++ /dev/null 
@@ -1,18 +0,0 @@ -name: Closed Issue Message -on: - issues: - types: [closed] -jobs: - auto_comment: - runs-on: ubuntu-latest - steps: - - uses: aws-actions/closed-issue-message@v1 - with: - repo-token: "${{ secrets.GITHUB_TOKEN }}" - message: | - ### ⚠️COMMENT VISIBILITY WARNING⚠️ - This issue is now closed. Please be mindful that future comments are hard for our team to see. - - If you need more assistance, please either tag a [team member](https://github.com/awslabs/aws-lambda-powertools-python/blob/develop/MAINTAINERS.md#current-maintainers) or open a new issue that references this one. - - If you wish to keep having a conversation with other community members under this issue feel free to do so. diff --git a/.github/workflows/on_label_added.yml b/.github/workflows/on_label_added.yml deleted file mode 100644 index e9180d8010a..00000000000 --- a/.github/workflows/on_label_added.yml +++ /dev/null 
@@ -1,38 +0,0 @@ -name: On Label added - -on: - workflow_run: - workflows: ["Record PR details"] - types: - - completed - -jobs: - get_pr_details: - if: ${{ github.event.workflow_run.conclusion == 'success' }} - uses: ./.github/workflows/reusable_export_pr_details.yml - with: - record_pr_workflow_id: ${{ github.event.workflow_run.id }} - workflow_origin: ${{ github.event.repository.full_name }} - secrets: - token: ${{ secrets.GITHUB_TOKEN }} - - split-large-pr: - needs: get_pr_details - runs-on: ubuntu-latest - permissions: - issues: write - pull-requests: write - steps: - - uses: actions/checkout@v3 - # Maintenance: Persist state per PR as an artifact to avoid spam on label add - - name: "Suggest split large Pull Request" - uses: actions/github-script@v6 - env: - PR_NUMBER: ${{ needs.get_pr_details.outputs.prNumber }} - PR_ACTION: ${{ needs.get_pr_details.outputs.prAction }} - PR_AUTHOR: ${{ needs.get_pr_details.outputs.prAuthor }} - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - const script = require('.github/scripts/comment_on_large_pr.js'); - await script({github, context, core}); diff --git a/.github/workflows/on_merged_pr.yml b/.github/workflows/on_merged_pr.yml deleted file mode 100644 index cd97e1c306e..00000000000 --- a/.github/workflows/on_merged_pr.yml +++ /dev/null 
@@ -1,35 +0,0 @@ -name: On PR merge - -on: - workflow_run: - workflows: ["Record PR details"] - types: - - completed - -jobs: - get_pr_details: - if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success' - uses: ./.github/workflows/reusable_export_pr_details.yml - with: - record_pr_workflow_id: ${{ github.event.workflow_run.id }} - workflow_origin: ${{ github.event.repository.full_name }} - secrets: - token: ${{ secrets.GITHUB_TOKEN }} - release_label_on_merge: - needs: get_pr_details - runs-on: ubuntu-latest - if: needs.get_pr_details.outputs.prIsMerged == 'true' - steps: - - uses: actions/checkout@v3 - - name: "Label PR related issue for release" - uses: actions/github-script@v6 - env: - PR_NUMBER: ${{ needs.get_pr_details.outputs.prNumber }} - PR_BODY: ${{ needs.get_pr_details.outputs.prBody }} - PR_IS_MERGED: ${{ needs.get_pr_details.outputs.prIsMerged }} - PR_AUTHOR: ${{ needs.get_pr_details.outputs.prAuthor }} - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - const script = require('.github/scripts/label_related_issue.js') - await script({github, context, core}) diff --git a/.github/workflows/on_opened_pr.yml b/.github/workflows/on_opened_pr.yml deleted file mode 100644 index 043ff9628cd..00000000000 --- a/.github/workflows/on_opened_pr.yml +++ /dev/null 
@@ -1,51 +0,0 @@ -name: On new PR - -on: - workflow_run: - workflows: ["Record PR details"] - types: - - completed - -jobs: - get_pr_details: - if: ${{ github.event.workflow_run.conclusion == 'success' }} - uses: ./.github/workflows/reusable_export_pr_details.yml - with: - record_pr_workflow_id: ${{ github.event.workflow_run.id }} - workflow_origin: ${{ github.event.repository.full_name }} - secrets: - token: ${{ secrets.GITHUB_TOKEN }} - check_related_issue: - needs: get_pr_details - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - name: "Ensure related issue is present" - uses: actions/github-script@v6 - env: - PR_BODY: ${{ needs.get_pr_details.outputs.prBody }} - PR_NUMBER: ${{ needs.get_pr_details.outputs.prNumber }} - PR_ACTION: ${{ needs.get_pr_details.outputs.prAction }} - PR_AUTHOR: ${{ needs.get_pr_details.outputs.prAuthor }} - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - const script = require('.github/scripts/label_missing_related_issue.js') - await script({github, context, core}) - check_acknowledge_section: - needs: get_pr_details - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - name: "Ensure acknowledgement section is present" - uses: actions/github-script@v6 - env: - PR_BODY: ${{ needs.get_pr_details.outputs.prBody }} - PR_NUMBER: ${{ needs.get_pr_details.outputs.prNumber }} - PR_ACTION: ${{ needs.get_pr_details.outputs.prAction }} - PR_AUTHOR: ${{ needs.get_pr_details.outputs.prAuthor }} - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - const script = require('.github/scripts/label_missing_acknowledgement_section.js') - await script({github, context, core}) diff --git a/.github/workflows/on_push_docs.yml b/.github/workflows/on_push_docs.yml deleted file mode 100644 index d46879ca6b1..00000000000 --- a/.github/workflows/on_push_docs.yml +++ /dev/null 
@@ -1,35 +0,0 @@ -name: Docs - -on: - push: - branches: - - develop - paths: - - "docs/**" - - "mkdocs.yml" - - "examples/**" - -jobs: - changelog: - permissions: - contents: write - uses: ./.github/workflows/reusable_publish_changelog.yml - - release-docs: - needs: changelog - permissions: - contents: write - pages: write - uses: ./.github/workflows/reusable_publish_docs.yml - with: - version: develop - alias: stage -# Maintenance: Only necessary in repo migration -# - name: Create redirect from old docs -# run: | -# git checkout gh-pages -# test -f 404.html && echo "Redirect already set" && exit 0 -# git checkout develop -- 404.html -# git add 404.html -# git commit -m "chore: set docs redirect" --no-verify -# git push origin gh-pages -f diff --git a/.github/workflows/publish_v2_layer.yml b/.github/workflows/publish_v2_layer.yml deleted file mode 100644 index 8d8a8c34aae..00000000000 --- a/.github/workflows/publish_v2_layer.yml +++ /dev/null 
@@ -1,153 +0,0 @@ -name: Deploy v2 layer to all regions - -permissions: - id-token: write - contents: write - pages: write - -on: - workflow_dispatch: - inputs: - latest_published_version: - description: "Latest PyPi published version to rebuild latest docs for, e.g. 2.0.0, 2.0.0a1 (pre-release)" - required: true - pre_release: - description: "Publishes documentation using a pre-release tag (2.0.0a1)." - default: false - type: boolean - required: false - workflow_call: - inputs: - latest_published_version: - type: string - description: "Latest PyPi published version to rebuild latest docs for, e.g. 2.0.0, 2.0.0a1 (pre-release)" - required: true - pre_release: - description: "Publishes documentation using a pre-release tag (2.0.0a1)." - default: false - type: boolean - required: false - -jobs: - build-layer: - permissions: - contents: read - runs-on: aws-lambda-powertools_ubuntu-latest_8-core - defaults: - run: - working-directory: ./layer - steps: - - name: checkout - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - name: Install poetry - run: pipx install poetry - - name: Setup Node.js - uses: actions/setup-node@v3 - with: - node-version: "16.12" - - name: Setup python - uses: actions/setup-python@v4 - with: - python-version: "3.10" - cache: "pip" - - name: Resolve and install project dependencies - # CDK spawns system python when compiling stack - # therefore it ignores both activated virtual env and cached interpreter by GH - run: | - poetry export --format requirements.txt --output requirements.txt - pip install -r requirements.txt - - name: Set up QEMU - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.0.0 - with: - platforms: arm64 - # NOTE: we need QEMU to build Layer against a different architecture (e.g., ARM) - - name: Set up Docker Buildx - id: builder - uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0 - with: - install: true - driver: docker - platforms: linux/amd64,linux/arm64 - - 
name: install cdk and deps - working-directory: ./ - run: | - npm install - npx cdk --version - - name: CDK build - run: npx cdk synth --verbose --context version="${{ inputs.latest_published_version }}" -o cdk.out - - name: zip output - run: zip -r cdk.out.zip cdk.out - - name: Archive CDK artifacts - uses: actions/upload-artifact@v3 - with: - name: cdk-layer-artefact - path: layer/cdk.out.zip - - beta: - needs: build-layer - uses: ./.github/workflows/reusable_deploy_v2_layer_stack.yml - secrets: inherit - with: - stage: "BETA" - artefact-name: "cdk-layer-artefact" - environment: "layer-beta" - latest_published_version: ${{ inputs.latest_published_version }} - - prod: - needs: beta - uses: ./.github/workflows/reusable_deploy_v2_layer_stack.yml - secrets: inherit - with: - stage: "PROD" - artefact-name: "cdk-layer-artefact" - environment: "layer-prod" - latest_published_version: ${{ inputs.latest_published_version }} - - sar-beta: - needs: build-layer - uses: ./.github/workflows/reusable_deploy_v2_sar.yml - secrets: inherit - with: - stage: "BETA" - artefact-name: "cdk-layer-artefact" - environment: "layer-beta" - package-version: ${{ inputs.latest_published_version }} - - sar-prod: - needs: [build-layer, sar-beta] - uses: ./.github/workflows/reusable_deploy_v2_sar.yml - secrets: inherit - with: - stage: "PROD" - artefact-name: "cdk-layer-artefact" - environment: "layer-prod" - package-version: ${{ inputs.latest_published_version }} - - prepare_docs_alias: - runs-on: ubuntu-latest - permissions: - contents: read - outputs: - DOCS_ALIAS: ${{ steps.set-alias.outputs.DOCS_ALIAS }} - steps: - - name: Set docs alias - id: set-alias - run: | - DOCS_ALIAS=latest - if [[ "${{ inputs.pre_release }}" == true ]] ; then - DOCS_ALIAS=alpha - fi - echo DOCS_ALIAS="$DOCS_ALIAS" >> "$GITHUB_OUTPUT" - - release-docs: - needs: [prod, prepare_docs_alias] - permissions: - contents: write - pages: write - uses: ./.github/workflows/reusable_publish_docs.yml - with: - version: ${{ 
inputs.latest_published_version }} - alias: ${{ needs.prepare_docs_alias.outputs.DOCS_ALIAS }} - detached_mode: true diff --git a/.github/workflows/python_build.yml b/.github/workflows/python_build.yml deleted file mode 100644 index 5daf9d5c2d3..00000000000 --- a/.github/workflows/python_build.yml +++ /dev/null @@ -1,60 +0,0 @@ -name: Code quality - -on: - pull_request: - paths: - - "aws_lambda_powertools/**" - - "tests/**" - - "pyproject.toml" - - "poetry.lock" - - "mypy.ini" - branches: - - develop - - v2 - push: - paths: - - "aws_lambda_powertools/**" - - "tests/**" - - "pyproject.toml" - - "poetry.lock" - - "mypy.ini" - branches: - - develop - - v2 - -jobs: - build: - runs-on: ubuntu-latest - strategy: - max-parallel: 4 - matrix: - python-version: ["3.7", "3.8", "3.9", "3.10"] - env: - PYTHON: "${{ matrix.python-version }}" - steps: - - uses: actions/checkout@v3 - - name: Install poetry - run: pipx install poetry - - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v4 - with: - python-version: ${{ matrix.python-version }} - cache: "poetry" - - name: Install dependencies - run: make dev - - name: Formatting and Linting - run: make lint - - name: Static type checking - run: make mypy - - name: Test with pytest - run: make test - - name: Security baseline - run: make security-baseline - - name: Complexity baseline - run: make complexity-baseline - - name: Upload coverage to Codecov - uses: codecov/codecov-action@894ff025c7b54547a9a2a1e9f228beae737ad3c2 # 3.1.3 - with: - file: ./coverage.xml - env_vars: PYTHON - name: aws-lambda-powertools-python-codecov diff --git a/.github/workflows/rebuild_latest_docs.yml b/.github/workflows/rebuild_latest_docs.yml deleted file mode 100644 index aa3b2216289..00000000000 --- a/.github/workflows/rebuild_latest_docs.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -name: Rebuild latest docs - -# -# === Documentation hotfix === -# -# 1. Trigger "Rebuild latest docs" workflow manually: https://docs.github.com/en/actions/managing-workflow-runs/manually-running-a-workflow -# 2. Use the latest version released under Releases e.g. 2.0.0 - -on: - workflow_dispatch: - inputs: - latest_published_version: - description: "Latest PyPi published version to rebuild latest docs for, e.g. 2.0.0" - default: "2.0.0" - required: true - -jobs: - changelog: - permissions: - contents: write - uses: ./.github/workflows/reusable_publish_changelog.yml - - release-docs: - needs: changelog - permissions: - contents: write - pages: write - uses: ./.github/workflows/reusable_publish_docs.yml - with: - version: ${{ inputs.latest_published_version }} - alias: latest diff --git a/.github/workflows/record_pr.yml b/.github/workflows/record_pr.yml deleted file mode 100644 index b1638ad8865..00000000000 --- a/.github/workflows/record_pr.yml +++ /dev/null @@ -1,22 +0,0 @@ -name: Record PR details - -on: - pull_request: - types: [opened, edited, closed, labeled] - -jobs: - record_pr: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v3 - - name: "Extract PR details" - uses: actions/github-script@v6 - with: - script: | - const script = require('.github/scripts/save_pr_details.js') - await script({github, context, core}) - - uses: actions/upload-artifact@v3 - with: - name: pr - path: pr.txt diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml deleted file mode 100644 index 2da4bd58b79..00000000000 --- a/.github/workflows/release-drafter.yml +++ /dev/null @@ -1,15 +0,0 @@ -name: Release Drafter - -on: - push: - branches: - - develop - workflow_dispatch: - -jobs: - update_release_draft: - runs-on: ubuntu-latest - steps: - - uses: release-drafter/release-drafter@569eb7ee3a85817ab916c8f8ff03a5bd96c9c83e # v5.20.1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml deleted file mode 100644 index a3f05dc15e0..00000000000 --- a/.github/workflows/release.yml +++ /dev/null 
@@ -1,156 +0,0 @@ -name: Release - -# RELEASE PROCESS -# -# === Automated activities === -# -# 1. Run tests, linting, security and complexity base line -# 2. Bump package version and generate latest Changelog -# 3. Publish package to PyPi test and prod repository -# 4. Kick off SAR App pipeline to publish latest version with minimal and extra dependencies -# 5. Builds and publish latest changelog from tip of the branch -# 6. Builds a new user guide and API docs with release version; update /latest pointing to newly released version -# 7. Close all issues labeled "pending-release" and notify customers about the release -# -# === Manual activities === -# -# 1. Edit the current draft release notes -# 2. If not already set, use `v` as a tag, e.g., v1.26.4, and select develop as target branch - -# See MAINTAINERS.md "Releasing a new version" for release mechanisms - -env: - BRANCH: develop - ORIGIN: awslabs/aws-lambda-powertools-python - -on: - workflow_dispatch: - inputs: - version_to_publish: - description: "Version to be released in PyPi, Docs, and Lambda Layer, e.g. v2.0.0, v2.0.0a0 (pre-release)" - default: v2.0.0 - required: true - skip_pypi: - description: "Skip publishing to PyPi as it can't publish more than once. Useful for semi-failed releases" - default: false - type: boolean - required: false - skip_code_quality: - description: "Skip tests, linting, and baseline. Only use if release fail for reasons beyond our control and you need a quick release." - default: false - type: boolean - required: false - pre_release: - description: "Publishes documentation using a pre-release tag (v2.0.0a0). You are still responsible for passing a pre-release version tag to the workflow." 
- default: false - type: boolean - required: false - -jobs: - release: - environment: release - runs-on: aws-lambda-powertools_ubuntu-latest_4-core - permissions: - contents: write - outputs: - RELEASE_VERSION: ${{ steps.release_version.outputs.RELEASE_VERSION }} - env: - RELEASE_TAG_VERSION: ${{ inputs.version_to_publish }} - steps: - - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - name: Install poetry - run: pipx install poetry - - name: Set up Python - uses: actions/setup-python@v4 - with: - python-version: "3.10" - cache: "poetry" - - name: Set release notes tag - id: release_version - # transform tag format `v> "$GITHUB_ENV" - echo "RELEASE_VERSION=${RELEASE_VERSION}" >> "$GITHUB_OUTPUT" - - name: Install dependencies - run: make dev - - name: Run all tests, linting and baselines - if: ${{ !inputs.skip_code_quality }} - run: make pr - - name: Git client setup and refresh tip - run: | - git config user.name "Release bot" - git config user.email "aws-devax-open-source@amazon.com" - git config pull.rebase true - git config remote.origin.url >&- || git remote add origin https://github.com/"${ORIGIN}" # Git Detached mode (release notes) doesn't have origin - git pull origin "${BRANCH}" - - name: Bump package version - id: versioning - run: poetry version "${RELEASE_VERSION}" - - name: Build python package and wheel - if: ${{ !inputs.skip_pypi }} - run: poetry build - # March 1st: PyPi test is under maintenance.... 
- # - name: Upload to PyPi test - # if: ${{ !inputs.skip_pypi }} - # run: make release-test - # env: - # PYPI_USERNAME: __token__ - # PYPI_TEST_TOKEN: ${{ secrets.PYPI_TEST_TOKEN }} - - name: Upload to PyPi prod - if: ${{ !inputs.skip_pypi }} - run: make release-prod - env: - PYPI_USERNAME: __token__ - PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }} - - name: Update version in trunk - if: steps.versioning.outcome == 'success' - run: | - HAS_CHANGE=$(git status --porcelain) - test -z "${HAS_CHANGE}" && echo "Nothing to update" && exit 0 - git add pyproject.toml - git commit -m "bump version to ${RELEASE_VERSION}" --no-verify - git pull origin "${BRANCH}" # prevents concurrent branch update failing push - git push origin HEAD:refs/heads/"${BRANCH}" - - changelog: - needs: release - permissions: - contents: write - uses: ./.github/workflows/reusable_publish_changelog.yml - - # NOTE: Watch out for the depth limit of 4 nested workflow_calls. - # publish_layer -> publish_v2_layer -> reusable_deploy_v2_layer_stack -> reusable_update_v2_layer_arn_docs - publish_layer: - needs: release - secrets: inherit - permissions: - id-token: write - contents: write - pages: write - uses: ./.github/workflows/publish_v2_layer.yml - with: - latest_published_version: ${{ needs.release.outputs.RELEASE_VERSION }} - pre_release: ${{ inputs.pre_release }} - - post_release: - needs: [release, publish_layer] - permissions: - contents: read - issues: write - discussions: write - pull-requests: write - runs-on: ubuntu-latest - env: - RELEASE_VERSION: ${{ needs.release.outputs.RELEASE_VERSION }} - steps: - - uses: actions/checkout@v3 - - name: Close issues related to this release - uses: actions/github-script@v6 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - const post_release = require('.github/scripts/post_release.js') - await post_release({github, context, core}) 
diff --git a/.github/workflows/reusable_deploy_v2_layer_stack.yml b/.github/workflows/reusable_deploy_v2_layer_stack.yml deleted file mode 100644 index 5af5d6385d0..00000000000 --- a/.github/workflows/reusable_deploy_v2_layer_stack.yml +++ /dev/null 
@@ -1,158 +0,0 @@ -name: Deploy CDK Layer v2 stack - -permissions: - id-token: write - contents: write - -on: - workflow_call: - inputs: - stage: - description: "Deployment stage (BETA, PROD)" - required: true - type: string - artefact-name: - description: "CDK Layer Artefact name to download" - required: true - type: string - environment: - description: "GitHub Environment to use for encrypted secrets" - required: true - type: string - latest_published_version: - description: "Latest version that is published" - required: true - type: string - -jobs: - deploy-cdk-stack: - runs-on: ubuntu-latest - environment: ${{ inputs.environment }} - defaults: - run: - working-directory: ./layer - strategy: - fail-fast: false - matrix: - # To get a list of current regions, use: - # aws ec2 describe-regions --all-regions --query "Regions[].RegionName" --output text | tr "\t" "\n" | sort - include: - - region: "af-south-1" - has_arm64_support: "true" - - region: "ap-east-1" - has_arm64_support: "true" - - region: "ap-northeast-1" - has_arm64_support: "true" - - region: "ap-northeast-2" - has_arm64_support: "true" - - region: "ap-northeast-3" - has_arm64_support: "true" - - region: "ap-south-1" - has_arm64_support: "true" - - region: "ap-south-2" - has_arm64_support: "false" - - region: "ap-southeast-1" - has_arm64_support: "true" - - region: "ap-southeast-2" - has_arm64_support: "true" - - region: "ap-southeast-3" - has_arm64_support: "true" - - region: "ap-southeast-4" - has_arm64_support: "false" - - region: "ca-central-1" - has_arm64_support: "true" - - region: "eu-central-1" - has_arm64_support: "true" - - region: "eu-central-2" - has_arm64_support: "false" - - region: "eu-north-1" - has_arm64_support: "true" - - region: "eu-south-1" - has_arm64_support: "true" - - region: "eu-south-2" - has_arm64_support: "false" - - region: "eu-west-1" - has_arm64_support: "true" - - region: "eu-west-2" - has_arm64_support: "true" - - region: "eu-west-3" - has_arm64_support: "true" - - 
region: "me-central-1" - has_arm64_support: "false" - - region: "me-south-1" - has_arm64_support: "true" - - region: "sa-east-1" - has_arm64_support: "true" - - region: "us-east-1" - has_arm64_support: "true" - - region: "us-east-2" - has_arm64_support: "true" - - region: "us-west-1" - has_arm64_support: "true" - - region: "us-west-2" - has_arm64_support: "true" - steps: - - name: checkout - uses: actions/checkout@v3 - - name: Install poetry - run: pipx install poetry - - name: aws credentials - uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef - with: - aws-region: ${{ matrix.region }} - role-to-assume: ${{ secrets.AWS_LAYERS_ROLE_ARN }} - - name: Setup Node.js - uses: actions/setup-node@v3 - with: - node-version: "16.12" - - name: Setup python - uses: actions/setup-python@v4 - with: - python-version: "3.10" - cache: "pip" - - name: Resolve and install project dependencies - # CDK spawns system python when compiling stack - # therefore it ignores both activated virtual env and cached interpreter by GH - run: | - poetry export --format requirements.txt --output requirements.txt - pip install -r requirements.txt - - name: install cdk and deps - working-directory: ./ - run: | - npm install - npx cdk --version - - name: install deps - run: poetry install - - name: Download artifact - uses: actions/download-artifact@v3 - with: - name: ${{ inputs.artefact-name }} - path: layer - - name: unzip artefact - run: unzip cdk.out.zip - - name: CDK Deploy Layer - run: npx cdk deploy --app cdk.out --context region=${{ matrix.region }} --parameters HasARM64Support=${{ matrix.has_arm64_support }} 'LayerV2Stack' --require-approval never --verbose --outputs-file cdk-outputs.json - - name: Store latest Layer ARN - if: ${{ inputs.stage == 'PROD' }} - run: | - mkdir cdk-layer-stack - jq -r -c '.LayerV2Stack.LatestLayerArn' cdk-outputs.json > cdk-layer-stack/${{ matrix.region }}-layer-version.txt - jq -r -c '.LayerV2Stack.LatestLayerArm64Arn' 
cdk-outputs.json >> cdk-layer-stack/${{ matrix.region }}-layer-version.txt - cat cdk-layer-stack/${{ matrix.region }}-layer-version.txt - - name: Save Layer ARN artifact - if: ${{ inputs.stage == 'PROD' }} - uses: actions/upload-artifact@v3 - with: - name: cdk-layer-stack - path: ./layer/cdk-layer-stack/* # NOTE: upload-artifact does not inherit working-directory setting. - if-no-files-found: error - retention-days: 1 - - name: CDK Deploy Canary - run: npx cdk deploy --app cdk.out --context region=${{ matrix.region }} --parameters DeployStage="${{ inputs.stage }}" --parameters HasARM64Support=${{ matrix.has_arm64_support }} 'CanaryV2Stack' --require-approval never --verbose - - update_v2_layer_arn_docs: - needs: deploy-cdk-stack - if: ${{ inputs.stage == 'PROD' }} - uses: ./.github/workflows/reusable_update_v2_layer_arn_docs.yml - with: - latest_published_version: ${{ inputs.latest_published_version }} diff --git a/.github/workflows/reusable_deploy_v2_sar.yml b/.github/workflows/reusable_deploy_v2_sar.yml deleted file mode 100644 index b9416c5f94d..00000000000 --- a/.github/workflows/reusable_deploy_v2_sar.yml +++ /dev/null 
@@ -1,163 +0,0 @@ -name: Deploy V2 SAR - -# SAR deployment process -# -# 1. This workflow starts after the layer artifact is produced on `publish_v2_layer` -# 2. We use the same layer artifact to ensure the SAR app is consistent with the published Lambda Layer -# 3. We publish the SAR for both x86_64 and arm64 (see `matrix` section) -# 4. We use `sam package` and `sam publish` to publish the SAR app -# 5. We remove the previous Canary stack (if present) and deploy a new one to test the SAR App. We retain the Canary in the account for debugging purposes -# 6. Finally the published SAR app is made public on the PROD environment - -permissions: - id-token: write - contents: read - -env: - NODE_VERSION: 16.12 - AWS_REGION: eu-west-1 - SAR_NAME: aws-lambda-powertools-python-layer - TEST_STACK_NAME: serverlessrepo-v2-powertools-layer-test-stack - -on: - workflow_call: - inputs: - stage: - description: "Deployment stage (BETA, PROD)" - required: true - type: string - artefact-name: - description: "CDK Layer Artefact name to download" - required: true - type: string - package-version: - description: "The version of the package to deploy" - required: true - type: string - environment: - description: "GitHub Environment to use for encrypted secrets" - required: true - type: string - -jobs: - deploy-sar-app: - runs-on: ubuntu-latest - environment: ${{ inputs.environment }} - strategy: - matrix: - architecture: ["x86_64", "arm64"] - steps: - - name: Checkout - uses: actions/checkout@v3 - - name: AWS credentials - uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef - with: - aws-region: ${{ env.AWS_REGION }} - role-to-assume: ${{ secrets.AWS_LAYERS_ROLE_ARN }} - - name: AWS credentials SAR role - uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef - id: aws-credentials-sar-role - with: - aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }} - aws-session-token: 
${{ env.AWS_SESSION_TOKEN }} - role-duration-seconds: 1200 - aws-region: ${{ env.AWS_REGION }} - role-to-assume: ${{ secrets.AWS_SAR_V2_ROLE_ARN }} - - name: Setup Node.js - uses: actions/setup-node@v3 - with: - node-version: ${{ env.NODE_VERSION }} - - name: Download artifact - uses: actions/download-artifact@v3 - with: - name: ${{ inputs.artefact-name }} - - name: Unzip artefact - run: unzip cdk.out.zip - - name: Configure SAR name - run: | - if [[ "${{ inputs.stage }}" == "BETA" ]]; then - SAR_NAME="test-${SAR_NAME}" - fi - echo SAR_NAME="${SAR_NAME}" >> "$GITHUB_ENV" - - name: Adds arm64 suffix to SAR name - if: ${{ matrix.architecture == 'arm64' }} - run: echo SAR_NAME="${SAR_NAME}-arm64" >> "$GITHUB_ENV" - - name: Normalize semantic version - id: semantic-version # v2.0.0a0 -> v2.0.0-a0 - env: - VERSION: ${{ inputs.package-version }} - run: | - VERSION="${VERSION/a/-a}" - echo "VERSION=${VERSION}" >> "$GITHUB_OUTPUT" - - name: Prepare SAR App - env: - VERSION: ${{ steps.semantic-version.outputs.VERSION }} - run: | - # From the generated LayerStack cdk.out artifact, find the layer asset path for the correct architecture. - # We'll use this as the source directory of our SAR. This way we are re-using the same layer asset for our SAR. 
- asset=$(jq -jc '.Resources[] | select(.Properties.CompatibleArchitectures == ["${{ matrix.architecture }}"]) | .Metadata."aws:asset:path"' cdk.out/LayerV2Stack.template.json) - - # fill in the SAR SAM template - sed \ - -e "s||${VERSION}|g" \ - -e "s//${{ env.SAR_NAME }}/g" \ - -e "s||./cdk.out/$asset|g" \ - layer/sar/template.txt > template.yml - - # SAR needs a README and a LICENSE, so just copy the ones from the repo - cp README.md LICENSE "./cdk.out/$asset/" - - # Debug purposes - cat template.yml - - name: Deploy SAR - run: | - # Package the SAR to our SAR S3 bucket, and publish it - sam package --template-file template.yml --output-template-file packaged.yml --s3-bucket ${{ secrets.AWS_SAR_S3_BUCKET }} - sam publish --template packaged.yml --region "$AWS_REGION" - - name: Deploy BETA canary - if: ${{ inputs.stage == 'BETA' }} - run: | - if [[ "${{ matrix.architecture }}" == "arm64" ]]; then - TEST_STACK_NAME="${TEST_STACK_NAME}-arm64" - fi - - echo "Check if stack does not exist" - stack_exists=$(aws cloudformation list-stacks --query "StackSummaries[?(StackName == '$TEST_STACK_NAME' && StackStatus == 'CREATE_COMPLETE')].{StackId:StackId, StackName:StackName, CreationTime:CreationTime, StackStatus:StackStatus}" --output text) - - if [[ -n "$stack_exists" ]] ; then - echo "Found test deployment stack, removing..." 
- aws cloudformation delete-stack --stack-name "$TEST_STACK_NAME" - aws cloudformation wait stack-delete-complete --stack-name "$TEST_STACK_NAME" - fi - - echo "Creating canary stack" - echo "Stack name: $TEST_STACK_NAME" - aws serverlessrepo create-cloud-formation-change-set \ - --application-id arn:aws:serverlessrepo:${{ env.AWS_REGION }}:${{ steps.aws-credentials-sar-role.outputs.aws-account-id }}:applications/${{ env.SAR_NAME }} \ - --stack-name "${TEST_STACK_NAME/serverlessrepo-/}" \ - --capabilities CAPABILITY_NAMED_IAM - - CHANGE_SET_ID=$(aws cloudformation list-change-sets --stack-name "$TEST_STACK_NAME" --query 'Summaries[*].ChangeSetId' --output text) - aws cloudformation wait change-set-create-complete --change-set-name "$CHANGE_SET_ID" - aws cloudformation execute-change-set --change-set-name "$CHANGE_SET_ID" - aws cloudformation wait stack-create-complete --stack-name "$TEST_STACK_NAME" - - echo "Waiting until stack deployment completes..." - - echo "Exit with error if stack is not in CREATE_COMPLETE" - stack_exists=$(aws cloudformation list-stacks --query "StackSummaries[?(StackName == '$TEST_STACK_NAME' && StackStatus == 'CREATE_COMPLETE')].{StackId:StackId, StackName:StackName, CreationTime:CreationTime, StackStatus:StackStatus}") - if [[ -z "$stack_exists" ]] ; then - echo "Could find successful deployment, exit error..." - exit 1 - fi - echo "Deployment successful" - - name: Publish SAR - if: ${{ inputs.stage == 'PROD' }} - run: | - # wait until SAR registers the app, otherwise it fails to make it public - sleep 15 - echo "Make SAR app public" - aws serverlessrepo put-application-policy \ - --application-id arn:aws:serverlessrepo:${{ env.AWS_REGION }}:${{ steps.aws-credentials-sar-role.outputs.aws-account-id }}:applications/${{ env.SAR_NAME }} \ - --statements Principals='*',Actions=Deploy 
diff --git a/.github/workflows/reusable_export_pr_details.yml b/.github/workflows/reusable_export_pr_details.yml deleted file mode 100644 index 2a1b45331d1..00000000000 --- a/.github/workflows/reusable_export_pr_details.yml +++ /dev/null 
@@ -1,89 +0,0 @@ -name: Export previously recorded PR - -on: - workflow_call: - inputs: - record_pr_workflow_id: - description: "Record PR workflow execution ID to download PR details" - required: true - type: number - workflow_origin: # see https://github.com/awslabs/aws-lambda-powertools-python/issues/1349 - description: "Repository full name for runner integrity" - required: true - type: string - secrets: - token: - description: "GitHub Actions temporary and scoped token" - required: true - # Map the workflow outputs to job outputs - outputs: - prNumber: - description: "PR Number" - value: ${{ jobs.export_pr_details.outputs.prNumber }} - prTitle: - description: "PR Title" - value: ${{ jobs.export_pr_details.outputs.prTitle }} - prBody: - description: "PR Body as string" - value: ${{ jobs.export_pr_details.outputs.prBody }} - prAuthor: - description: "PR author username" - value: ${{ jobs.export_pr_details.outputs.prAuthor }} - prAction: - description: "PR event action" - value: ${{ jobs.export_pr_details.outputs.prAction }} - prIsMerged: - description: "Whether PR is merged" - value: ${{ jobs.export_pr_details.outputs.prIsMerged }} - -jobs: - export_pr_details: - # see https://github.com/awslabs/aws-lambda-powertools-python/issues/1349 - if: inputs.workflow_origin == 'awslabs/aws-lambda-powertools-python' - runs-on: ubuntu-latest - env: - FILENAME: pr.txt - # Map the job outputs to step outputs - outputs: - prNumber: ${{ steps.prNumber.outputs.prNumber }} - prTitle: ${{ steps.prTitle.outputs.prTitle }} - prBody: ${{ steps.prBody.outputs.prBody }} - prAuthor: ${{ steps.prAuthor.outputs.prAuthor }} - prAction: ${{ steps.prAction.outputs.prAction }} - prIsMerged: ${{ steps.prIsMerged.outputs.prIsMerged }} - steps: - - name: Checkout repository # in case caller workflow doesn't checkout thus failing with file not found - uses: actions/checkout@v3 - - name: "Download previously saved PR" - uses: actions/github-script@v6 - env: - WORKFLOW_ID: ${{ 
inputs.record_pr_workflow_id }} - # For security, we only download artifacts tied to the successful PR recording workflow - with: - github-token: ${{ secrets.token }} - script: | - const script = require('.github/scripts/download_pr_artifact.js') - await script({github, context, core}) - # NodeJS standard library doesn't provide ZIP capabilities; use system `unzip` command instead - - name: "Unzip PR artifact" - run: unzip pr.zip - # NOTE: We need separate steps for each mapped output and respective IDs - # otherwise the parent caller won't see them regardless on how outputs are set. - - name: "Export Pull Request Number" - id: prNumber - run: echo "prNumber=$(jq -c '.number' ${FILENAME})" >> $GITHUB_OUTPUT - - name: "Export Pull Request Title" - id: prTitle - run: echo "prTitle=$(jq -c '.pull_request.title' ${FILENAME})" >> $GITHUB_OUTPUT - - name: "Export Pull Request Body" - id: prBody - run: echo "prBody=$(jq -c '.pull_request.body' ${FILENAME})" >> $GITHUB_OUTPUT - - name: "Export Pull Request Author" - id: prAuthor - run: echo "prAuthor=$(jq -c '.pull_request.user.login' ${FILENAME})" >> $GITHUB_OUTPUT - - name: "Export Pull Request Action" - id: prAction - run: echo "prAction=$(jq -c '.action' ${FILENAME})" >> $GITHUB_OUTPUT - - name: "Export Pull Request Merged status" - id: prIsMerged - run: echo "prIsMerged=$(jq -c '.pull_request.merged' ${FILENAME})" >> $GITHUB_OUTPUT diff --git a/.github/workflows/reusable_publish_changelog.yml b/.github/workflows/reusable_publish_changelog.yml deleted file mode 100644 index 30e49b98ae5..00000000000 --- a/.github/workflows/reusable_publish_changelog.yml +++ /dev/null 
@@ -1,40 +0,0 @@ -name: Build and publish latest changelog - -on: - workflow_call: - -permissions: - contents: write - -env: - BRANCH: develop - -jobs: - publish_changelog: - # Force Github action to run only a single job at a time (based on the group name) - # This is to prevent race-condition and inconsistencies with changelog push - concurrency: - group: changelog-build - runs-on: ubuntu-latest - steps: - - name: Checkout repository # reusable workflows start clean, so we need to checkout again - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - name: Git client setup and refresh tip - run: | - git config user.name "Release bot" - git config user.email "aws-devax-open-source@amazon.com" - git config pull.rebase true - git config remote.origin.url >&- || git remote add origin https://github.com/"${origin}" # Git Detached mode (release notes) doesn't have origin - git pull origin "${BRANCH}" - - name: "Generate latest changelog" - run: make changelog - - name: Update Changelog in trunk - run: | - HAS_CHANGE=$(git status --porcelain) - test -z "${HAS_CHANGE}" && echo "Nothing to update" && exit 0 - git add CHANGELOG.md - git commit -m "update changelog with latest changes" - git pull origin "${BRANCH}" # prevents concurrent branch update failing push - git push origin HEAD:refs/heads/"${BRANCH}" diff --git a/.github/workflows/reusable_publish_docs.yml b/.github/workflows/reusable_publish_docs.yml deleted file mode 100644 index 9be91b212bf..00000000000 --- a/.github/workflows/reusable_publish_docs.yml +++ /dev/null 
@@ -1,83 +0,0 @@ -name: Reusable publish documentation - -env: - BRANCH: develop - ORIGIN: awslabs/aws-lambda-powertools-python - -on: - workflow_call: - inputs: - version: - description: "Version to build and publish docs (1.28.0, develop)" - required: true - type: string - alias: - description: "Alias to associate version (latest, stage)" - required: true - type: string - detached_mode: - description: "Whether it's running in git detached mode to ensure git is sync'd" - required: false - default: false - type: boolean - -permissions: - contents: write - pages: write - -jobs: - publish_docs: - # Force Github action to run only a single job at a time (based on the group name) - # This is to prevent "race-condition" in publishing a new version of doc to `gh-pages` - concurrency: - group: on-docs-rebuild - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - name: Install poetry - run: pipx install poetry - - name: Set up Python - uses: actions/setup-python@v4 - with: - python-version: "3.10" - cache: "poetry" - - name: Install dependencies - run: make dev - - name: Git client setup - run: | - git config --global user.name Docs deploy - git config --global user.email aws-devax-open-source@amazon.com - - name: Git refresh tip (detached mode) - # Git Detached mode (release notes) doesn't have origin - if: ${{ inputs.detached_mode }} - run: | - git config pull.rebase true - git config remote.origin.url >&- || git remote add origin https://github.com/"$ORIGIN" - git pull origin "$BRANCH" - - name: Build docs website and API reference - env: - VERSION: ${{ inputs.version }} - ALIAS: ${{ inputs.alias }} - run: | - make release-docs VERSION="$VERSION" ALIAS="$ALIAS" - poetry run mike set-default --push latest - - - name: Release API docs - uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3.9.3 - env: - VERSION: ${{ inputs.version }} - with: - github_token: ${{ secrets.GITHUB_TOKEN }} - publish_dir: ./api - 
keep_files: true - destination_dir: ${{ env.VERSION }}/api - - name: Release API docs to latest - if: ${{ inputs.alias == 'latest' }} - uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3.9.3 - with: - github_token: ${{ secrets.GITHUB_TOKEN }} - publish_dir: ./api - keep_files: true - destination_dir: latest/api diff --git a/.github/workflows/reusable_update_v2_layer_arn_docs.yml b/.github/workflows/reusable_update_v2_layer_arn_docs.yml deleted file mode 100644 index 142d0a32e75..00000000000 --- a/.github/workflows/reusable_update_v2_layer_arn_docs.yml +++ /dev/null 
@@ -1,52 +0,0 @@ -name: Update V2 Layer ARN Docs - -on: - workflow_call: - inputs: - latest_published_version: - description: "Latest PyPi published version to rebuild latest docs for, e.g. v2.0.0" - type: string - required: true - -permissions: - contents: write - -env: - BRANCH: develop - -jobs: - publish_v2_layer_arn: - # Force Github action to run only a single job at a time (based on the group name) - # This is to prevent race-condition and inconsistencies with changelog push - concurrency: - group: changelog-build - runs-on: ubuntu-latest - steps: - - name: Checkout repository # reusable workflows start clean, so we need to checkout again - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - name: Git client setup and refresh tip - run: | - git config user.name "Release bot" - git config user.email "aws-devax-open-source@amazon.com" - git config pull.rebase true - git config remote.origin.url >&- || git remote add origin https://github.com/"${origin}" # Git Detached mode (release notes) doesn't have origin - git pull origin "${BRANCH}" - - name: Download CDK layer artifact - uses: actions/download-artifact@v3 - with: - name: cdk-layer-stack - path: cdk-layer-stack/ - - name: Replace layer versions in documentation - run: | - ls -la cdk-layer-stack/ - ./layer/scripts/update_layer_arn.sh cdk-layer-stack - - name: Update documentation in trunk - run: | - HAS_CHANGE=$(git status --porcelain) - test -z "${HAS_CHANGE}" && echo "Nothing to update" && exit 0 - git add docs/index.md examples - git commit -m "chore: update v2 layer ARN on documentation" - git pull origin "${BRANCH}" # prevents concurrent branch update failing push - git push origin HEAD:refs/heads/"${BRANCH}" diff --git a/.github/workflows/run-e2e-tests.yml b/.github/workflows/run-e2e-tests.yml deleted file mode 100644 index 2f7b2f494ea..00000000000 --- a/.github/workflows/run-e2e-tests.yml +++ /dev/null 
@@ -1,62 +0,0 @@ -name: Run end-to-end tests - -on: - workflow_dispatch: - - push: - branches: [develop, v2] - paths: - - "aws_lambda_powertools/**" - - "tests/e2e/**" - - "pyproject.toml" - - "poetry.lock" - - "mypy.ini" - - "parallel_run_e2e.py" - -# Maintenance: Add support for triggering on `run-e2e` label -# and enforce repo origin to prevent abuse - -env: - AWS_DEFAULT_REGION: us-east-1 - -concurrency: e2e - -jobs: - run: - runs-on: aws-lambda-powertools_ubuntu-latest_8-core - permissions: - id-token: write # needed to request JWT with GitHub's OIDC Token endpoint. docs: https://bit.ly/3MNgQO9 - contents: read - strategy: - fail-fast: false # needed so if a version fails, the others will still be able to complete and cleanup - matrix: - version: ["3.7", "3.8", "3.9", "3.10"] - if: ${{ github.actor != 'dependabot[bot]' }} - steps: - - name: "Checkout" - uses: actions/checkout@v3 - - name: Install poetry - run: pipx install poetry - - name: "Use Python" - uses: actions/setup-python@v4 - with: - python-version: ${{ matrix.version }} - architecture: "x64" - cache: "poetry" - - name: Setup Node.js - uses: actions/setup-node@v3 - with: - node-version: "16.12" - - name: Install CDK CLI - run: | - npm install - npx cdk --version - - name: Install dependencies - run: make dev - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef - with: - role-to-assume: ${{ secrets.AWS_TEST_ROLE_ARN }} - aws-region: ${{ env.AWS_DEFAULT_REGION }} - - name: Test - run: make e2e-test diff --git a/.github/workflows/secure_workflows.yml b/.github/workflows/secure_workflows.yml deleted file mode 100644 index b1b5cfc0c46..00000000000 --- a/.github/workflows/secure_workflows.yml +++ /dev/null 
@@ -1,32 +0,0 @@ -name: Lockdown untrusted workflows - -on: - push: - paths: - - ".github/workflows/**" - pull_request: - paths: - - ".github/workflows/**" - -jobs: - enforce_pinned_workflows: - name: Harden Security - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v3 - - name: Ensure 3rd party workflows have SHA pinned - uses: zgosalvez/github-actions-ensure-sha-pinned-actions@21991cec25093947ff3f62e4c223df0260c39944 # v2.1.2 - with: - # Trusted GitHub Actions and/or organizations - allowlist: | - aws-actions/ - actions/checkout - actions/github-script - actions/setup-node - actions/setup-python - actions/upload-artifact - actions/download-artifact - github/codeql-action/init - github/codeql-action/analyze - dependabot/fetch-metadata From 1d6ec0f8892c63b71a9b8273d32a68c9c9a36ef0 Mon Sep 17 00:00:00 2001 From: Arpit Jain <40381412+arpitjain799@users.noreply.github.com> Date: Fri, 28 Apr 2023 01:47:30 +0900 Subject: [PATCH 3/4] Delete .github/workflows/codeql.yml --- .github/workflows/codeql.yml | 30 ------------------------------ 1 file changed, 30 deletions(-) delete mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml deleted file mode 100644 index 840201b1c16..00000000000 --- a/.github/workflows/codeql.yml +++ /dev/null @@ -1,30 +0,0 @@ -jobs: - analyze: - name: Analyze - permissions: - actions: read - contents: read - security-events: write - runs-on: ubuntu-latest - steps: - - name: Checkout repository - uses: actions/checkout@v3 - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 - with: - languages: ${{ matrix.language }} - queries: security-and-quality - - name: Autobuild - uses: github/codeql-action/autobuild@v2 - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 - strategy: - fail-fast: false - matrix: - language: - - python -name: CodeQL -'on': - push: - branches: - - develop 
From fd9fed8803b32e3240bc7d4ff74c8432cd456b35 Mon Sep 17 00:00:00 2001
From: Arpit Jain <40381412+arpitjain799@users.noreply.github.com>
Date: Fri, 28 Apr 2023 01:47:30 +0900
Subject: [PATCH 4/4] Add new file
---
.github/workflows/codeql.yml | 37 ++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
create mode 100644 .github/workflows/codeql.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000000..94d110b3308
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,37 @@
+name: "CodeQL"
+on:
+ workflow_dispatch:
+ #push:
+ # branches: [master]
+ #pull_request:
+ # branches: [master]
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: ["python"]
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2
+ with:
+ languages: ${{ matrix.language }}
+ queries: security-and-quality
+
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v2
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v2
\ No newline at end of file
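Review bot: With `push:` and `pull_request:` commented out in the `on:` block, `workflow_dispatch` is the only trigger left, so this CodeQL job never runs on new commits or pull requests and its results gate nothing; the commented-out branch name `master` also does not match the `develop` branch that the other workflows in this series reference. Suggest replacing the commented block with `push: { branches: [develop] }` and `pull_request: { branches: [develop] }` plus a `schedule:` cron entry so scans run continuously rather than only by hand. The `actions/checkout@v3` and `github/codeql-action/*@v2` references are pinned to mutable tags rather than commit SHAs, which is what the SHA-pinning check in the `secure_workflows.yml` deleted earlier in this series used to enforce; note that `github/codeql-action/autobuild` was not on that check's allowlist, so it would presumably have failed there had the check remained. The file also ends without a trailing newline.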