Release v5.4.35-dev.4 #1158
Workflow file for this run
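# ~~ Generated by projen. To modify, edit .projenrc.ts and run "npx projen".
#
# Release pipeline, triggered by pushing a tag that matches v*.*.*:
#   build               - builds the package, decides the publish target,
#                         optionally signs everything under dist/ and uploads
#                         it as the "release-package" artifact.
#   release-to-github   - creates the GitHub release if it does not exist yet
#                         and attaches the artifact files.
#   release-npm-package - publishes the tarball to registry.npmjs.org.
#
# NOTE(review): this file is generated, so the hardening below has to be
# mirrored in .projenrc.ts or the next "npx projen" run will overwrite it.
#
# NOTE(review): every action below is referenced by a version tag (for example
# aws-actions/configure-aws-credentials@v1). Tags are mutable; pinning each
# `uses:` to a full commit SHA removes the dependency on the tag not moving.
#
# Tag names, job outputs and secret ARNs are passed to shell steps through
# `env:` and expanded as quoted shell variables. Interpolating `${{ ... }}`
# directly into a `run:` script pastes the value into the script text before
# the shell parses it, so shell metacharacters in a tag name would be executed.
name: release
run-name: Release ${{ github.ref_name }}
on:
  push:
    tags:
      - v*.*.*
jobs:
  build:
    name: Build release package
    runs-on: ubuntu-latest
    permissions:
      # Presumably required for the OIDC federation in "Federate to AWS".
      # NOTE(review): permissions are job-scoped, so the dependency install
      # and build steps run with the same ability to request an OIDC token as
      # the signing step. Moving signing to its own job would narrow that.
      id-token: write
      contents: read
    outputs:
      dist-tag: ${{ steps.publish-target.outputs.dist-tag }}
      latest: ${{ steps.publish-target.outputs.latest }}
      github-release: ${{ steps.publish-target.outputs.github-release }}
      prerelease: ${{ steps.publish-target.outputs.prerelease }}
    env:
      CI: "true"
      REF_NAME: ${{ github.ref_name }}
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          repository: ${{ github.repository }}
          ref: ${{ github.ref }}
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          cache: yarn
          node-version: "18"
      - name: Install dependencies
        run: yarn install --frozen-lockfile
      - name: Prepare Release
        run: yarn release "${REF_NAME}"
      - name: Determine Target
        id: publish-target
        env:
          GITHUB_TOKEN: ${{ github.token }}
        run: yarn ts-node projenrc/publish-target.ts "${REF_NAME}"
      - name: Federate to AWS
        if: fromJSON(steps.publish-target.outputs.github-release)
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: us-east-1
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          role-session-name: GHA-aws-jsii-compiler@${{ github.ref_name }}
      - name: Sign Tarball
        if: fromJSON(steps.publish-target.outputs.github-release)
        env:
          OPEN_PGP_KEY_ARN: ${{ secrets.OPEN_PGP_KEY_ARN }}
        run: |-
          set -eo pipefail
          # Assign first, export second, so a failing mktemp is not hidden by
          # the exit status of `export`.
          GNUPGHOME=$(mktemp -d)
          export GNUPGHOME
          # Shred the keyring on every exit path; with `set -e` a failure
          # further down would otherwise skip the clean-up.
          trap 'find "${GNUPGHOME}" -type f -exec shred --remove {} \;' EXIT
          echo "charset utf-8" > "${GNUPGHOME}/gpg.conf"
          echo "no-comments" >> "${GNUPGHOME}/gpg.conf"
          echo "no-emit-version" >> "${GNUPGHOME}/gpg.conf"
          echo "no-greeting" >> "${GNUPGHOME}/gpg.conf"
          secret=$(aws secretsmanager get-secret-value --secret-id="${OPEN_PGP_KEY_ARN}" --query=SecretString --output=text)
          # NOTE(review): `node -p "(${secret})..."` evaluates the secret text
          # as JavaScript instead of parsing it as data. Whoever can write the
          # secret can therefore run code in this job. Parsing it as JSON
          # would avoid that; left unchanged because the secret's exact format
          # is not visible here.
          privatekey=$(node -p "(${secret}).PrivateKey")
          passphrase=$(node -p "(${secret}).Passphrase")
          # Only the passphrase is registered as a log mask; the private key
          # relies on never being echoed (do not enable `set -x` here).
          echo "::add-mask::${passphrase}"
          unset secret
          # printf with a quoted argument passes the passphrase through
          # unchanged; an unquoted `echo` would word-split and glob it.
          printf '%s\n' "${passphrase}" | gpg --batch --yes --import --armor --passphrase-fd=0 <(echo "${privatekey}")
          unset privatekey
          for file in $(find dist -type f -not -iname "*.asc"); do
            printf '%s\n' "${passphrase}" | gpg --batch --yes --local-user="aws-jsii@amazon.com" --detach-sign --armor --pinentry-mode=loopback --passphrase-fd=0 "${file}"
          done
          unset passphrase
      - name: Upload artifact
        uses: actions/upload-artifact@v4.3.6
        with:
          name: release-package
          path: ${{ github.workspace }}/dist
          overwrite: true
  release-to-github:
    name: Create GitHub Release
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write
    env:
      CI: "true"
      REF_NAME: ${{ github.ref_name }}
      REPOSITORY: ${{ github.repository }}
    if: fromJSON(needs.build.outputs.github-release)
    steps:
      - name: Download artifact
        uses: actions/download-artifact@v4
        with:
          name: release-package
      - name: Verify if release exists
        id: release-exists
        env:
          GH_TOKEN: ${{ github.token }}
        # NOTE(review): all output of `gh release view` is discarded, so an
        # authentication or network failure is reported as "release does not
        # exist" and the create step runs.
        run: |-
          if gh release view "${REF_NAME}" --repo="${REPOSITORY}" &>/dev/null
          then
            echo "result=true" >> "$GITHUB_OUTPUT"
          else
            echo "result=false" >> "$GITHUB_OUTPUT"
          fi
      - name: Create PreRelease
        if: "!fromJSON(steps.release-exists.outputs.result) && fromJSON(needs.build.outputs.prerelease)"
        env:
          GH_TOKEN: ${{ github.token }}
          LATEST: ${{ needs.build.outputs.latest }}
        run: gh release create "${REF_NAME}" --repo="${REPOSITORY}" --generate-notes --title="${REF_NAME}" --verify-tag --prerelease --latest="${LATEST}"
      - name: Create Release
        if: "!fromJSON(steps.release-exists.outputs.result) && !fromJSON(needs.build.outputs.prerelease)"
        env:
          GH_TOKEN: ${{ github.token }}
          LATEST: ${{ needs.build.outputs.latest }}
        run: gh release create "${REF_NAME}" --repo="${REPOSITORY}" --generate-notes --title="${REF_NAME}" --verify-tag --latest="${LATEST}"
      - name: Attach assets
        env:
          GH_TOKEN: ${{ github.token }}
        # The glob is deliberately left unquoted so the shell expands it.
        run: gh release upload "${REF_NAME}" --repo="${REPOSITORY}" --clobber "${GITHUB_WORKSPACE}"/**/*
  release-npm-package:
    name: Release to registry.npmjs.org
    needs: build
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    env:
      CI: "true"
      REF_NAME: ${{ github.ref_name }}
    steps:
      - name: Download artifact
        uses: actions/download-artifact@v4
        with:
          name: release-package
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          always-auth: true
          node-version: "18"
          registry-url: https://registry.npmjs.org/
      - name: Federate to AWS
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: us-east-1
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          role-session-name: GHA-aws-jsii-compiler@${{ github.ref_name }}
      - name: Set NODE_AUTH_TOKEN
        env:
          NPM_TOKEN_ARN: ${{ secrets.NPM_TOKEN_ARN }}
        # NOTE(review): as in the signing step, `node -p` evaluates the secret
        # text as JavaScript. The token is masked in logs and then written to
        # GITHUB_ENV, which exposes it to every later step in this job.
        run: |-
          secret=$(aws secretsmanager get-secret-value --secret-id="${NPM_TOKEN_ARN}" --query=SecretString --output=text)
          token=$(node -p "(${secret}).token")
          unset secret
          echo "::add-mask::${token}"
          echo "NODE_AUTH_TOKEN=${token}" >> "$GITHUB_ENV"
          unset token
      - name: Publish
        env:
          DIST_TAG: ${{ needs.build.outputs.dist-tag }}
        run: npm publish "${GITHUB_WORKSPACE}"/js/jsii-*.tgz --access=public --tag="${DIST_TAG}"
      - name: Tag "latest"
        if: fromJSON(needs.build.outputs.latest)
        run: npm dist-tag add "jsii@${REF_NAME}" latest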