forked from smithy-lang/smithy-rs
-
Notifications
You must be signed in to change notification settings - Fork 0
347 lines (326 loc) · 13.8 KB
/
release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
# This workflow performs a release of smithy-rs. It is manually
# kicked off via GitHub Actions workflow dispatch.
# Allow only one release to run at a time
concurrency:
group: release-smithy-rs-${{ inputs.dry_run }}
cancel-in-progress: true
env:
rust_version: 1.74.1
name: Release smithy-rs
run-name: ${{ inputs.dry_run && 'Dry run' || 'Prod run' }} - ${{ github.workflow }} ${{ inputs.stable_semantic_version }}/${{ inputs.unstable_semantic_version }} (${{ inputs.commit_sha }})
on:
workflow_dispatch:
inputs:
commit_sha:
description: |
Commit SHA: The SHA of the git commit that you want to release.
You must use the non-abbreviated SHA (e.g. b2318b0 won't work!).
required: true
type: string
stable_semantic_version:
description: |
Stable semantic version: The semver tag that you want to release for stable crates (e.g. 1.0.2)
required: true
type: string
unstable_semantic_version:
description: |
Unstable semantic version: The semver tag that you want to release for unstable crates (e.g. 0.52.1)
required: true
type: string
dry_run:
description: |
Dry run: When selected, it only produces release artifacts, but will not cut a release tag in GitHub or publish to crates.io
required: true
type: boolean
default: true
jobs:
check-actor-for-prod-run:
name: Check actor for prod run
if: inputs.dry_run == false
runs-on: ubuntu-latest
env:
ACTOR: ${{ github.actor }}
steps:
- name: Check actor for prod run
run: |
set -e
if [ "${ACTOR}" != "aws-sdk-rust-ci" ]; then
echo "Error: The current actor is '${ACTOR}' but only 'aws-sdk-rust-ci' is allowed to run a prod release workflow."
exit 1
fi
echo "The current actor is 'aws-sdk-rust-ci', continuing with the workflow."
# We'll need to build a base image to work against if:
# - a release was kicked off before the image build step triggered by a push to the release branch/main completed
# - a dry-run release was kicked off against a feature branch to test automation changes
# This job will be a no-op if an image had already been built.
acquire-base-image:
name: Acquire Base Image
needs:
- check-actor-for-prod-run
# We need `always` here otherwise this job won't run if the previous job has been skipped
# See https://samanpavel.medium.com/github-actions-conditional-job-execution-e6aa363d2867
if: |
always() &&
(needs.check-actor-for-prod-run.result == 'success' || needs.check-actor-for-prod-run.result == 'skipped')
runs-on: smithy_ubuntu-latest_16-core
steps:
- uses: actions/checkout@v4
with:
path: smithy-rs
ref: ${{ inputs.commit_sha }}
fetch-depth: 0
- name: Acquire base image
id: acquire
run: ./smithy-rs/.github/scripts/acquire-build-image
- name: Upload base image
uses: actions/upload-artifact@v4
with:
name: smithy-rs-base-image
path: smithy-rs-base-image
retention-days: 1
release-ci:
name: Prerelease checks
if: inputs.dry_run == false
needs:
- acquire-base-image
uses: ./.github/workflows/ci.yml
with:
run_sdk_examples: false
git_ref: ${{ inputs.commit_sha }}
check-semver-hazards:
name: Check for semver hazards
needs:
- acquire-base-image
# We need `always` here otherwise this job won't run if the previous job has been skipped
# See https://samanpavel.medium.com/github-actions-conditional-job-execution-e6aa363d2867
if: always()
runs-on: smithy_ubuntu-latest_8-core
steps:
- uses: actions/checkout@v4
with:
path: smithy-rs
ref: ${{ inputs.commit_sha }}
fetch-depth: 0
- uses: actions/checkout@v4
with:
repository: awslabs/aws-sdk-rust
path: aws-sdk-rust
fetch-depth: 0
- name: Run check-semver-hazards
uses: ./smithy-rs/.github/actions/docker-build
with:
action: check-semver-hazards
action-arguments: ${{ inputs.stable_semantic_version }} ${{ inputs.unstable_semantic_version }}
get-or-create-release-branch:
name: Get or create a release branch
needs:
- acquire-base-image
- check-semver-hazards
- release-ci
# We need `always` here otherwise this job won't run if the previous job has been skipped
# See https://samanpavel.medium.com/github-actions-conditional-job-execution-e6aa363d2867
if: |
always() &&
needs.acquire-base-image.result == 'success' &&
(needs.release-ci.result == 'success' || needs.release-ci.result == 'skipped')
runs-on: ubuntu-latest
outputs:
release_branch: ${{ steps.branch-push.outputs.release_branch }}
new_release_series: ${{ steps.branch-push.outputs.new_release_series }}
steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.commit_sha }}
token: ${{ secrets.RELEASE_AUTOMATION_BOT_PAT }}
fetch-depth: 0
- name: Get or create release branch
id: branch-push
shell: bash
env:
SEMANTIC_VERSION: ${{ inputs.stable_semantic_version }}
DRY_RUN: ${{ inputs.dry_run }}
run: |
set -e
./.github/scripts/get-or-create-release-branch.sh output
cat output > $GITHUB_OUTPUT
upgrade-gradle-properties:
name: Upgrade gradle.properties
needs:
- get-or-create-release-branch
# See https://github.com/actions/runner/issues/2205#issuecomment-1381988186 for an explanation as to why
# we need this here _even though_ the job we depend on is never skipped.
if: |
always() &&
!contains(needs.*.result, 'failure') &&
!contains(needs.*.result, 'cancelled')
runs-on: ubuntu-latest
outputs:
release_branch: ${{ needs.get-or-create-release-branch.outputs.release_branch }}
commit_sha: ${{ steps.gradle-push.outputs.commit_sha }}
steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.commit_sha }}
path: smithy-rs
fetch-depth: 0
token: ${{ secrets.RELEASE_AUTOMATION_BOT_PAT }}
- name: Upgrade gradle.properties
uses: ./smithy-rs/.github/actions/docker-build
with:
action: upgrade-gradle-properties
action-arguments: ${{ inputs.stable_semantic_version }} ${{ inputs.unstable_semantic_version }}
- name: Download all artifacts
uses: ./smithy-rs/.github/actions/download-all-artifacts
- name: Push gradle.properties changes
id: gradle-push
working-directory: upgrade-gradle-properties/smithy-rs
shell: bash
env:
SEMANTIC_VERSION: ${{ inputs.stable_semantic_version }}
RELEASE_COMMIT_SHA: ${{ inputs.commit_sha }}
RELEASE_BRANCH_NAME: ${{ needs.get-or-create-release-branch.outputs.release_branch }}
DRY_RUN: ${{ inputs.dry_run }}
run: |
set -x
# For debugging purposes
git status
if ! git diff-index --quiet HEAD; then
# gradle.properties was changed, we need to commit and push the diff
git -c 'user.name=AWS SDK Rust Bot' -c '[email protected]' commit gradle.properties --message "Upgrade the smithy-rs runtime crates version to ${SEMANTIC_VERSION}"
# This will fail if we tried to release from a non-HEAD commit on the release branch.
# The only scenario where we would try to release a non-HEAD commit from the release branch is
# to retry a release action execution that failed due to a transient issue.
# In that case, we expect the commit to be releasable as-is, i.e. the runtime crate version in gradle.properties
# should already be the expected one.
if [[ "${DRY_RUN}" == "true" ]]; then
# During dry-runs, "git push" without "--force" can fail if smithy-rs-release-x.y.z-preview is behind
# smithy-rs-release-x.y.z, but that does not matter much during dry-runs.
git push --force origin "HEAD:refs/heads/${RELEASE_BRANCH_NAME}"
else
git push origin "HEAD:refs/heads/${RELEASE_BRANCH_NAME}"
fi
echo "commit_sha=$(git rev-parse HEAD)" > $GITHUB_OUTPUT
else
echo "commit_sha=${RELEASE_COMMIT_SHA}" > $GITHUB_OUTPUT
fi
release:
name: Release
needs:
- upgrade-gradle-properties
# See https://github.com/actions/runner/issues/2205#issuecomment-1381988186 for an explanation as to why
# we need this here _even though_ the job we depend on is never skipped.
if: |
always() &&
!contains(needs.*.result, 'failure') &&
!contains(needs.*.result, 'cancelled')
runs-on: ubuntu-latest
steps:
- name: Install Rust
uses: dtolnay/rust-toolchain@master
with:
toolchain: ${{ env.rust_version }}
- name: Checkout smithy-rs
uses: actions/checkout@v4
with:
ref: ${{ needs.upgrade-gradle-properties.outputs.commit_sha }}
path: smithy-rs
token: ${{ secrets.RELEASE_AUTOMATION_BOT_PAT }}
- name: Generate release artifacts
uses: ./smithy-rs/.github/actions/docker-build
with:
action: generate-smithy-rs-release
- name: Download all artifacts
uses: ./smithy-rs/.github/actions/download-all-artifacts
- name: Push smithy-rs changes
shell: bash
working-directory: smithy-rs-release/smithy-rs
id: push-changelog
env:
RELEASE_BRANCH_NAME: ${{ needs.upgrade-gradle-properties.outputs.release_branch }}
DRY_RUN: ${{ inputs.dry_run }}
run: |
if ! git diff-index --quiet HEAD; then
echo "Pushing release commits..."
# This will fail if we tried to release from a non-HEAD commit on the release branch.
# The only scenario where we would try to release a non-HEAD commit from the release branch is
# to retry a release action execution that failed due to a transient issue.
# In that case, we expect the commit to be releasable as-is, i.e. the changelog should have already
# been processed.
git fetch --unshallow
if [[ "${DRY_RUN}" == "true" ]]; then
# During dry-runs, "git push" without "--force" can fail if smithy-rs-release-x.y.z-preview is behind
# smithy-rs-release-x.y.z, but that does not matter much during dry-runs.
git push --force origin "HEAD:refs/heads/${RELEASE_BRANCH_NAME}"
git push --dry-run origin "HEAD:refs/heads/${RELEASE_BRANCH_NAME}"
else
echo "attempting to push $(git rev-parse HEAD) to $RELEASE_BRANCH_NAME $(git rev-parse $RELEASE_BRANCH_NAME)"
git push origin "HEAD:refs/heads/${RELEASE_BRANCH_NAME}"
fi
fi
echo "commit_sha=$(git rev-parse HEAD)" > $GITHUB_OUTPUT
- name: Tag release
uses: actions/github-script@v7
with:
github-token: ${{ secrets.RELEASE_AUTOMATION_BOT_PAT }}
script: |
const createReleaseScript = require("./smithy-rs/.github/workflows/release-scripts/create-release.js");
await createReleaseScript({
github,
isDryRun: ${{ inputs.dry_run }},
releaseManifestPath: "smithy-rs-release/smithy-rs-release-manifest.json",
releaseCommitish: "${{ steps.push-changelog.outputs.commit_sha }}"
});
- name: Publish to crates.io
shell: bash
working-directory: smithy-rs-release/crates-to-publish
env:
CARGO_REGISTRY_TOKEN: ${{ secrets.RELEASE_AUTOMATION_BOT_CRATESIO_TOKEN }}
run: |
cargo install --path "$(realpath ../smithy-rs/tools/ci-build/publisher)"
# Verify the publisher tool installed successfully
publisher --version
if [[ "${{ inputs.dry_run }}" == "true" ]]; then
if [[ ! -f aws-smithy-types/Cargo.toml ]]; then
echo "Crates to publish not found!"
exit 1
fi
echo "Checking cargo auth token..."
# This version has already been yanked. This command succeeds if we have a token with permission to yank the crate.
cargo yank aws-sigv4 --version 0.55.0
else
publisher publish -y --location .
fi
trim-changelog-next-on-main:
name: Remove released entries from CHANGELOG.next.toml on the main branch
if: inputs.dry_run == false && needs.get-or-create-release-branch.outputs.new_release_series == true
needs:
- get-or-create-release-branch
- release
runs-on: ubuntu-latest
steps:
- name: Checkout smithy-rs
uses: actions/checkout@v4
with:
ref: ${{ inputs.commit_sha }}
path: smithy-rs
token: ${{ secrets.RELEASE_AUTOMATION_BOT_PAT }}
- name: Empty CHANGELOG.next.toml
uses: ./smithy-rs/.github/actions/docker-build
with:
action: generate-new-changelog-next-toml
- name: Download all artifacts
uses: ./smithy-rs/.github/actions/download-all-artifacts
- name: Push smithy-rs changes
working-directory: generate-new-changelog-next-toml/smithy-rs
shell: bash
run: |
set -eux
# This will fail if other commits have been pushed to `main` after `commit_sha`
# In particular, this will ALWAYS fail if you are creating a new release series from
# a commit that is not the current tip of `main`.
# We can build more refined automation to handle this case in the future - until then, it'll require
# a manual PR to edit the current CHANGELOG.next.toml file and remove the released entries.
git -c 'user.name=AWS SDK Rust Bot' -c '[email protected]' commit CHANGELOG.next.toml --message "Remove released entries from \`CHANGELOG.next.toml\`"
git push origin main