.github/workflows/release.yml

# ~~ Generated by projen. To modify, edit .projenrc.ts and run "npx projen".

name: release
run-name: Release ${{ github.ref_name }}
on:
  push:
    tags:
      - v*.*.*
jobs:
  build:
    name: Build release package
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    outputs:
      dist-tag: ${{ steps.publish-target.outputs.dist-tag }}
      latest: ${{ steps.publish-target.outputs.latest }}
      github-release: ${{ steps.publish-target.outputs.github-release }}
      prerelease: ${{ steps.publish-target.outputs.prerelease }}
    env:
      CI: "true"
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          repository: ${{ github.repository }}
          ref: ${{ github.ref }}
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          cache: yarn
          node-version: "18"
      - name: Install dependencies
        run: yarn install --frozen-lockfile
      - name: Prepare Release
        run: yarn release ${{ github.ref_name }}
      - name: Determine Target
        id: publish-target
        env:
          GITHUB_TOKEN: ${{ github.token }}
        run: yarn ts-node projenrc/publish-target.ts ${{ github.ref_name }}
      - name: Federate to AWS
        if: fromJSON(steps.publish-target.outputs.github-release)
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: us-east-1
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          role-session-name: GHA-aws-jsii-compiler@${{ github.ref_name }}
      - name: Sign Tarball
        if: fromJSON(steps.publish-target.outputs.github-release)
        run: |-
          set -eo pipefail
          export GNUPGHOME=$(mktemp -d)
          echo "charset utf-8"   >  ${GNUPGHOME}/gpg.conf
          echo "no-comments"     >> ${GNUPGHOME}/gpg.conf
          echo "no-emit-version" >> ${GNUPGHOME}/gpg.conf
          echo "no-greeting"     >> ${GNUPGHOME}/gpg.conf
          secret=$(aws secretsmanager get-secret-value --secret-id=${{ secrets.OPEN_PGP_KEY_ARN }} --query=SecretString --output=text)
          privatekey=$(node -p "(${secret}).PrivateKey")
          passphrase=$(node -p "(${secret}).Passphrase")
          echo "::add-mask::${passphrase}"
          unset secret
          echo ${passphrase} | gpg --batch --yes --import --armor --passphrase-fd=0 <(echo "${privatekey}")
          unset privatekey
          for file in $(find dist -type f -not -iname "*.asc"); do
            echo ${passphrase} | gpg --batch --yes --local-user="aws-jsii@amazon.com" --detach-sign --armor --pinentry-mode=loopback --passphrase-fd=0 ${file}
          done
          unset passphrase
          find ${GNUPGHOME} -type f -exec shred --remove {} \;
      - name: Upload artifact
        uses: actions/upload-artifact@v4.3.6
        with:
          name: release-package
          path: ${{ github.workspace }}/dist
          overwrite: true
  release-to-github:
    name: Create GitHub Release
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write
    env:
      CI: "true"
    if: fromJSON(needs.build.outputs.github-release)
    steps:
      - name: Download artifact
        uses: actions/download-artifact@v4
        with:
          name: release-package
      - name: Verify if release exists
        id: release-exists
        env:
          GH_TOKEN: ${{ github.token }}
        run: |-
          if gh release view ${{ github.ref_name }} --repo=${{ github.repository }} &>/dev/null
          then
          echo "result=true" >> $GITHUB_OUTPUT
          else
          echo "result=false" >> $GITHUB_OUTPUT
          fi
      - name: Create PreRelease
        if: "!fromJSON(steps.release-exists.outputs.result) && fromJSON(needs.build.outputs.prerelease)"
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh release create ${{ github.ref_name }} --repo=${{ github.repository }} --generate-notes --title=${{ github.ref_name }} --verify-tag --prerelease --latest=${{ needs.build.outputs.latest }}
      - name: Create Release
        if: "!fromJSON(steps.release-exists.outputs.result) && !fromJSON(needs.build.outputs.prerelease)"
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh release create ${{ github.ref_name }} --repo=${{ github.repository }} --generate-notes --title=${{ github.ref_name }} --verify-tag --latest=${{ needs.build.outputs.latest }}
      - name: Attach assets
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh release upload ${{ github.ref_name }} --repo=${{ github.repository }} --clobber ${{ github.workspace }}/**/*
  release-npm-package:
    name: Release to registry.npmjs.org
    needs: build
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    env:
      CI: "true"
    steps:
      - name: Download artifact
        uses: actions/download-artifact@v4
        with:
          name: release-package
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          always-auth: true
          node-version: "18"
          registry-url: https://registry.npmjs.org/
      - name: Federate to AWS
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: us-east-1
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          role-session-name: GHA-aws-jsii-compiler@${{ github.ref_name }}
      - name: Set NODE_AUTH_TOKEN
        run: |-
          secret=$(aws secretsmanager get-secret-value --secret-id=${{ secrets.NPM_TOKEN_ARN }} --query=SecretString --output=text)
          token=$(node -p "(${secret}).token")
          unset secret
          echo "::add-mask::${token}"
          echo "NODE_AUTH_TOKEN=${token}" >> $GITHUB_ENV
          unset token
      - name: Publish
        run: npm publish ${{ github.workspace }}/js/jsii-*.tgz --access=public --tag=${{ needs.build.outputs.dist-tag }}
      - name: Tag "latest"
        if: fromJSON(needs.build.outputs.latest)
        run: npm dist-tag add jsii@${{ github.ref_name }} latest