ci: improve release robustness (#275)
This commit reorders operations in order to reduce the scope for error
in case of a CI failure.

We run the release job concurrently for each region. If any job fails,
all other jobs are interrupted. This opened the possibility for the root
`packaged.yaml` template to be uploaded, but with incorrect ACLs.

We should always copy the template with the ACL directive. This
eliminates the possibility of the object existing with the incorrect
permissions. Furthermore, we should only upload the template once all
objects it refers to are also publicly readable. That way we ensure that
if the template is accessible, it is also installable.

In debugging this issue I also uncovered we were building things twice:
once for the version (e.g. `1.2.0`), and again for the tag (e.g.
`beta`). There is no reason to rebuild things a second time, all we need
is to ensure the `packaged.yaml` is placed in the correct destination.
This has the advantage of reducing build time, avoiding build
discrepancies, and ensuring the `version` embedded in the binary always
refers to a concrete version rather than tag. As a result of
"symlinking" the file, we no longer need to protect against a folder
ballooning in size over successive builds. `latest/` and `beta/` should
now only contain one file.
jta authored May 24, 2024
1 parent e446533 commit 332c3e3
Showing 2 changed files with 10 additions and 27 deletions.
17 changes: 2 additions & 15 deletions .github/workflows/release.yaml
Expand Up @@ -144,26 +144,13 @@ jobs:
- name: AWS Info
run: aws sts get-caller-identity

- name: aws sam release (versioned)
- name: aws sam release
run: make release-all
env:
TAG: fromJSON('{"workflow_dispatch": "latest", "push": "beta"}')[github.event_name]
VERSION: ${{ needs.github-release.outputs.VERSION }}
AWS_REGION: ${{ matrix.region }}

- name: aws sam release (beta)
if: github.event_name == 'push'
run: make release-all
env:
VERSION: beta
AWS_REGION: ${{ matrix.region }}

- name: aws sam release (stable)
if: github.event_name == 'workflow_dispatch'
run: make release-all
env:
VERSION: latest
AWS_REGION: ${{ matrix.region }}

- name: delete pre-releases
uses: dev-drprasad/delete-older-releases@v0.3.4
with:
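
Review bot: The `TAG:` value in the `aws sam release` step is not wrapped in `${{ }}`, unlike `VERSION` on the line below it. Workflow `env:` values are plain strings unless wrapped, so `make release-all` would receive the literal text starting `fromJSON(` as TAG rather than `latest` or `beta`. Suggest `TAG: ${{ fromJSON('{"workflow_dispatch": "latest", "push": "beta"}')[github.event_name] }}`. A short comment that any other event name yields an empty TAG, and that the Makefile treats empty as "no tag copy", would also make the coupling between the two files explicit.
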
20 changes: 8 additions & 12 deletions Makefile
Expand Up @@ -139,18 +139,14 @@ ifeq ($(S3_BUCKET_PREFIX),)
$(error S3_BUCKET_PREFIX is empty. Cannot proceed with release.)
endif
$(MAKE) sam-package
@echo "Copying packaged.yaml to S3"
aws s3 cp $(SAM_BUILD_DIR)/$(APP)/$(AWS_REGION)/packaged.yaml s3://$(S3_BUCKET_PREFIX)-$(AWS_REGION)/apps/$(APP)/$(VERSION)/
@echo "Fetching objects with prefix: apps/$(APP)/$(VERSION)/ and filtering by last modified date"
# calculate a week ago in platform agnostic manner
@current_date_seconds=`date -u +"%s"`; \
one_week_ago_seconds=$$((current_date_seconds - 7 * 24 * 3600)); \
week_ago=`date -u -r "$$one_week_ago_seconds" +"%Y-%m-%d%H:%M:%SZ"`; \
objects=`aws s3api list-objects --bucket $(S3_BUCKET_PREFIX)-$(AWS_REGION) --prefix apps/$(APP)/$(VERSION)/ --query "Contents[?LastModified>='$$week_ago'].[Key]" --output text`; \
for object in $$objects; do \
echo "Setting ACL for object: $$object"; \
aws s3api put-object-acl --bucket $(S3_BUCKET_PREFIX)-$(AWS_REGION) --key $$object --acl public-read; \
done
@echo "Resetting assets to be public readable"
aws s3 cp --acl public-read --recursive s3://$(S3_BUCKET_PREFIX)-$(AWS_REGION)/apps/$(APP)/$(VERSION)/ s3://$(S3_BUCKET_PREFIX)-$(AWS_REGION)/apps/$(APP)/$(VERSION)/
@echo "Copying stack definition"
aws s3 cp --acl public-read $(SAM_BUILD_DIR)/$(APP)/$(AWS_REGION)/packaged.yaml s3://$(S3_BUCKET_PREFIX)-$(AWS_REGION)/apps/$(APP)/$(VERSION)/
ifeq ($(TAG),)
else
aws s3 cp --acl public-read $(SAM_BUILD_DIR)/$(APP)/$(AWS_REGION)/packaged.yaml s3://$(S3_BUCKET_PREFIX)-$(AWS_REGION)/apps/$(APP)/$(TAG)/
endif

## sam-package-all-regions: Packages and uploads all SAM applications to S3 across multiple regions
sam-package-all-regions:
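
Review bot: The `ifeq ($(TAG),)` block with an empty branch followed by `else` reads as inverted; `ifneq ($(TAG),)` around the tag copy, closed by `endif`, states the condition directly. Because `$(TAG)` is interpolated unquoted into the destination key `apps/$(APP)/$(TAG)/`, consider rejecting any value that is not a plain path segment, so a malformed TAG fails the build instead of publishing `packaged.yaml` with `--acl public-read` under an unexpected key. A one-line comment above the recursive in-place `aws s3 cp --acl public-read --recursive` would also help, saying that it has to run before the template copy so the template never becomes readable ahead of the objects it refers to.
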