diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index 55303b9..eeb328a 100644 --- a/.github/workflows/python.yml +++ b/.github/workflows/python.yml @@ -8,23 +8,228 @@ on: push: branches: [main, master, preprod, prod] pull_request: - types: [opened, synchronize, reopened] + types: [opened, synchronize, reopened, closed] name: Python jobs: flake8: name: Flake8 - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 timeout-minutes: 5 + if: github.event_name != 'pull_request' || github.event.action != 'closed' steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 + - uses: actions/setup-python@v5 + with: + python-version: 3.9 - name: Flake8 uses: docker://public.ecr.aws/u9q7y3l4/github-actions-flake8 black: name: Black - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 timeout-minutes: 5 + if: github.event_name != 'pull_request' || github.event.action != 'closed' steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 + - uses: actions/setup-python@v5 + with: + python-version: 3.9 - name: Black uses: docker://public.ecr.aws/u9q7y3l4/github-actions-black + test: + name: Test + runs-on: ubuntu-22.04 + timeout-minutes: 5 + if: github.event_name != 'pull_request' || github.event.action != 'closed' + permissions: + id-token: write + contents: read + steps: + - run: | + git config --global credential.helper 'cache --timeout=315360000' + (echo protocol=https; echo host=github.com; echo username=${{ secrets.MS_READ_PACKAGES_GITHUB_PAT }}; echo password=) | git credential approve + (echo protocol=https; echo host=github.com; echo username=${{ secrets.MS_READ_PACKAGES_GITHUB_PAT }}; echo password=) | base64 + git clone https://github.com/mobsuccess-devops/mobsuccess-python + name: GitHub Credentials + - uses: actions/checkout@v4 + - uses: actions/setup-python@v5 + with: + python-version: 3.9 + - name: Install dependencies + run: sudo apt-get install libffi7 + - uses: actions/cache@v4 + with: + path: | + ~/.mobsuccessvenv + venv + key: ${{ runner.os }}-venv-${{ hashFiles('requirements*.txt') }} + restore-keys: | + ${{ runner.os }}-venv- + - name: Configure AWS Credentials (eu-central-1) + uses: aws-actions/configure-aws-credentials@v1 + with: + role-to-assume: arn:aws:iam::983851922138:role/GHA,CodeArtifact + aws-region: eu-central-1 + role-duration-seconds: 900 + - name: Login CodeArtifact + run: aws codeartifact login --tool pip --domain mobsuccess --domain-owner 983851922138 --repository python + - run: make test + pyright: + name: Pyright + runs-on: ubuntu-22.04 + timeout-minutes: 10 + if: github.event_name != 'pull_request' || github.event.action != 'closed' + permissions: + id-token: write + contents: read + steps: + - run: | + git config --global credential.helper 'cache --timeout=315360000' + (echo protocol=https; echo host=github.com; echo username=${{ secrets.MS_READ_PACKAGES_GITHUB_PAT }}; echo password=) | git credential approve + (echo protocol=https; echo host=github.com; echo username=${{ secrets.MS_READ_PACKAGES_GITHUB_PAT }}; echo password=) | base64 + git clone https://github.com/mobsuccess-devops/mobsuccess-python + name: GitHub Credentials + - uses: actions/checkout@v4 + - uses: actions/setup-python@v5 + with: + python-version: 3.9 + - name: Install dependencies + run: sudo apt-get install libffi7 + - uses: actions/cache@v4 + with: + path: | + ~/.mobsuccessvenv + venv + key: ${{ runner.os }}-venv-${{ hashFiles('requirements*.txt') }} + restore-keys: | + ${{ runner.os }}-venv- + - name: Configure AWS Credentials (eu-central-1) + uses: aws-actions/configure-aws-credentials@v1 + with: + role-to-assume: arn:aws:iam::983851922138:role/GHA,CodeArtifact + aws-region: eu-central-1 + role-duration-seconds: 900 + - name: Login CodeArtifact + run: aws codeartifact login --tool pip --domain mobsuccess --domain-owner 983851922138 --repository python + - run: make pyright + check_stubs: + name: Check Stubs + runs-on: ubuntu-22.04 + timeout-minutes: 5 + if: github.event_name != 'pull_request' || github.event.action != 'closed' + steps: + - uses: actions/checkout@v4 + - run: | + if [ -n "$(find . -name '*.pyi')" ]; then + echo "This repository must not contain *.pyi files" + exit 1 + fi + prepare-publish: + name: Prepare Publish + runs-on: ubuntu-22.04 + timeout-minutes: 1 + if: github.event_name != 'pull_request' || github.event.action != 'closed' + outputs: + version-postfix: ${{ steps.prepare.outputs.version-postfix }} + role: ${{ steps.prepare.outputs.role }} + aws-account-id: ${{ steps.prepare.outputs.aws-account-id }} + permissions: + id-token: write + contents: read + steps: + - name: Prepare + id: prepare + run: | + role=arn:aws:iam::983851922138:role/GHA,$(basename $GITHUB_REPOSITORY) + aws_account_id=983851922138 + case ${{github.ref}} in + refs/heads/master) + echo "version-postfix: " + echo "::set-output name=version-postfix::" + ;; + *) + pr_number=${{github.event.number}} + if [ -z "$pr_number" ]; then + pr_number=${{github.event.issue.number}} + fi + echo "version-postfix: .dev$pr_number" + echo "::set-output name=version-postfix::.dev$pr_number" + ;; + esac + echo role: $role + echo "::set-output name=role::$role" + echo "::set-output name=aws-account-id::$aws_account_id" + publish: + runs-on: ubuntu-22.04 + needs: [prepare-publish] + name: Publish + timeout-minutes: 5 + if: github.event_name != 'pull_request' || github.event.action != 'closed' + permissions: + id-token: write + contents: read + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-python@v5 + with: + python-version: 3.9 + - name: Install dependencies + run: sudo apt-get install libffi7 + - run: | + python3 -m venv venv + source venv/bin/activate + - uses: actions/cache@v4 + with: + path: | + ${{ env.pythonLocation }} + venv + key: ${{ env.pythonLocation }}-${{ hashFiles('requirements*.txt') }} + - name: Configure AWS Credentials (eu-central-1) + uses: aws-actions/configure-aws-credentials@v1 + with: + role-to-assume: arn:aws:iam::983851922138:role/GHA,CodeArtifact + aws-region: eu-central-1 + role-duration-seconds: 900 + - name: Login CodeArtifact + run: aws codeartifact login --tool pip --domain mobsuccess --domain-owner 983851922138 --repository python + - run: source venv/bin/activate && for r in requirements*.txt; do pip install -r $r; done + - uses: aws-actions/setup-sam@v1 + - uses: aws-actions/configure-aws-credentials@v1 + name: Configure AWS Credentials (eu-central-1) + with: + role-to-assume: ${{needs.prepare-publish.outputs.role}} + aws-region: eu-central-1 + role-duration-seconds: 900 + - name: Build and publish + run: | + export TWINE_USERNAME=aws + export TWINE_PASSWORD=`aws codeartifact get-authorization-token --domain mobsuccess --domain-owner ${{ needs.prepare-publish.outputs.aws-account-id }} --query authorizationToken --output text` + export TWINE_REPOSITORY_URL=`aws codeartifact get-repository-endpoint --domain mobsuccess --domain-owner ${{ needs.prepare-publish.outputs.aws-account-id }} --repository python --format pypi --query repositoryEndpoint --output text` + export PYTHON_PACKAGE_VERSION_POSTFIX=.$GITHUB_RUN_ID${{needs.prepare-publish.outputs.version-postfix}} + echo PYTHON_PACKAGE_VERSION_POSTFIX=$PYTHON_PACKAGE_VERSION_POSTFIX + if [ -e Makefile ] && grep -q ^stubs: Makefile; then source venv/bin/activate && make stubs; fi + source venv/bin/activate && python setup.py sdist bdist_wheel + package_name=$(grep ^Name: *.egg-info/PKG-INFO | sed -e 's/^.*: //') + package_version=$(grep ^Version: *.egg-info/PKG-INFO | sed -e 's/^.*: //') + aws codeartifact delete-package-versions --domain mobsuccess --repo python --format pypi --package "$package_name" --versions "$package_version" || true + source venv/bin/activate && twine upload --verbose dist/* + notify: + needs: + [ + flake8, + black, + test, + pyright, + check_stubs, + publish, + ] + if: failure() + runs-on: ubuntu-22.04 + steps: + - name: Notify + uses: mobsuccess-devops/github-actions-notify@master + with: + notify-type: "workflow-failure" + slack-token: ${{ secrets.SLACK_TOKEN_MSBOT }} + slack-channel: ${{ vars.SLACK_CHANNEL_NOTIFY_WORKFLOW_FAIL }} + platform-pat: ${{ secrets.MS_PLATFORM_LIST_USERS_PAT }} # DO NOT EDIT: END