PYTHON-4417 Continue Release Workflow (#79)

mongodb · May 10, 2024 · 28b1394 · 28b1394
1 parent 89d7b91
commit 28b1394
Show file tree

Hide file tree

Showing 6 changed files with 110 additions and 32 deletions.
diff --git a/.github/actions/bump/action.yml b/.github/actions/bump/action.yml
@@ -3,24 +3,34 @@ description: "Bump Version and Create Tag"
 inputs:
   version:
     description: "The next version to set"
+    required: true
   post_version:
     description: "The post version to set"
+    required: true
   app_id:
     description: "The app id of the bot"
-  private_key:
+    required: true
+  app_private_key:
     description: "The private key of the bot"
+    required: true
   garasign_username:
     description: "The garasign username"
+    required: true
   garasign_password:
     description: "The garasign password"
+    required: true
   artifactory_username:
     description: "The artifactory username"
+    required: true
   artifactory_password:
     description: "The artifactory password"
+    required: true
   gpg_key_id:
     description: "The gpg key id"
+    required: true
   dry_run:
     description: "Whether this is a dry run"
+    required: true
 
 runs:
   using: composite
@@ -31,10 +41,6 @@ runs:
       app-id: ${{ inputs.app_id }}
       private-key: ${{ inputs.app_private_key }}
 
-  - uses: actions/checkout@v4
-    with:
-      token: ${{ steps.app-token.outputs.token }}
-
   - uses: actions/setup-python@v4
     with:
       python-version: '3.11'
@@ -50,44 +56,44 @@ runs:
     shell: bash
     run: |
       export CURRENT_VERSION=$(python setup.py --version)
-      export NEW_VERSION=${{inputs.version}}
+      export NEW_VERSION=${{ inputs.version }}
       sed -i "s/version = \"${CURRENT_VERSION}\"/version = \"${NEW_VERSION}\"/" pyproject.toml
       git add .
 
   - name: Commit the new version
     uses: mongodb-labs/drivers-github-tools/garasign/git-sign@main
     with:
-      command: git commit -a -m "BUMP ${{ inputs.version }}" -s --gpg-sign=${{ inputs.gpg_key_id }}
+      command: git commit -a -m \"BUMP ${{ inputs.version }}\" -s --gpg-sign=${{ inputs.gpg_key_id }}
       garasign_username: ${{ inputs.garasign_username }}
       garasign_password: ${{ inputs.garasign_password }}
-      artifactory_username: ${{ inputs.art_user }}
-      artifactory_password: ${{ inputs.art_password }}
+      artifactory_username: ${{ inputs.artifactory_username }}
+      artifactory_password: ${{ inputs.artifactory_password }}
 
   - name: Tag the new version
     uses: mongodb-labs/drivers-github-tools/garasign/git-sign@main
     with:
-      command: git tag -a "${{ inputs.version }}" -m "BUMP ${{ inputs.version }}" -s --local-user=${{ inputs.gpg_key_id }}
+      command: git tag -a \"${{ inputs.version }}\" -m \"BUMP ${{ inputs.version }}\" -s --local-user=${{ inputs.gpg_key_id }}
       garasign_username: ${{ inputs.garasign_username }}
       garasign_password: ${{ inputs.garasign_password }}
-      artifactory_username: ${{ inputs.artifactory_user }}
+      artifactory_username: ${{ inputs.artifactory_username }}
       artifactory_password: ${{ inputs.artifactory_password }}
       skip_setup: true
 
   - name: Set up the post version
     shell: bash
     run: |
       export CURRENT_VERSION=${{ inputs.version }}
-      export NEW_VERSION=${{ inputs.post_verion }}
+      export NEW_VERSION=${{ inputs.post_version }}
       sed -i "s/version = \"${CURRENT_VERSION}\"/version = \"${NEW_VERSION}\"/" pyproject.toml
       git add .
 
   - name: Commit the post version
     uses: mongodb-labs/drivers-github-tools/garasign/git-sign@main
     with:
-      command: git commit -a -m "BUMP ${{ inputs.post_verion }}" -s --gpg-sign=${{ inputs.gpg_key_id }}"
+      command: git commit -a -m \"BUMP ${{ inputs.post_version }}\" -s --gpg-sign=${{ inputs.gpg_key_id }}
       garasign_username: ${{ inputs.garasign_username }}
       garasign_password: ${{ inputs.garasign_password }}
-      artifactory_username: ${{ inputs.artifactory_user }}
+      artifactory_username: ${{ inputs.artifactory_username }}
       artifactory_password: ${{ inputs.artifactory_password }}
       skip_setup: true
 
@@ -108,6 +114,7 @@ runs:
         exit 1
       fi
       if [ ${{ inputs.dry_run }} != "true" ]; then
+        git remote set-url origin https://${{ steps.app-token.outputs.token }}@github.com/${{ github.repository }}.git
         git push origin --tags
         git push origin
       fi
diff --git a/.github/actions/publish/action.yml b/.github/actions/publish/action.yml
@@ -2,53 +2,90 @@
 name: Publish
 description: "Asset Publish Action"
 inputs:
+  version:
+    description: "The published version"
+    required: true
   garasign_username:
     description: "The garasign username"
+    required: true
   garasign_password:
     description: "The garasign password"
+    required: true
   artifactory_username:
     description: "The artifactory username"
+    required: true
   artifactory_password:
     description: "The artifactory password"
+    required: true
+  aws_role_arn:
+    description: "The aws role arn to assume"
+    required: true
+  aws_bucket_name:
+    description: "The aws s3 bucket name"
+    required: true
+  aws_region:
+    description: "The aws region for the s3 bucket"
+    required: true
   token:
     description: "The GitHub access token"
+    required: true
   dry_run:
     description: "Whether this is a dry run"
+    required: true
 
 runs:
   using: composite
   steps:
-    - uses: actions/checkout@v4
     - name: Download all the dists
       uses: actions/download-artifact@v3
       with:
         name: all-dist-${{ github.run_id }}
         path: dist/
-    - name: Get the list of dist files to sign
-      shell: bash
-      run: |
-        export dist_files=$(ls dist/*)
-        echo "DIST_FILES=\"${dist_files}\"" >> $GITHUB_ENV
-    - uses: mongodb-labs/drivers-github-tools/garasign/ggp-sign@main
+    - uses: mongodb-labs/drivers-github-tools/garasign/gpg-sign@main
       with:
         garasign_username: ${{ inputs.garasign_username }}
         garasign_password: ${{ inputs.garasign_password }}
-        artifactory_username: ${{ inputs.artifactory_user }}
+        artifactory_username: ${{ inputs.artifactory_username }}
         artifactory_password: ${{ inputs.artifactory_password }}
-        filenames: ${{ env.DIST_FILES }}
+        filenames: dist/*
     - name: Move the signature files to a separate directory
       shell: bash
       run: |
+          set -eux
           mkdir signatures
           mv dist/*.sig signatures
+    - uses: mongodb-labs/drivers-github-tools/papertrail@main
+      with:
+          product_name: winkerberos
+          release_version: ${{ inputs.version }}
+          filenames: dist/*
+          token: ${{ inputs.token }}
+    - name: Show files
+      shell: bash
+      run: |
+        ls -ltr signatures/*
+        cat papertrail.txt
+    - name: configure aws credentials
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: ${{ inputs.aws_role_arn }}
+        role-session-name: s3uploadsession
+        aws-region: ${{ inputs.aws_region }}
+    - name: Upload signatures to s3
+      shell: bash
+      if: inputs.dry_run == 'false'
+      run: |
+        aws s3 cp ./signatures s3://${{ inputs.aws_bucket_name }}/winkerberos/${{ inputs.version }}/signatures --recursive
     - name: Create a draft release with release files
       shell: bash
       if: inputs.dry_run == 'false'
       env:
         GH_TOKEN: ${{ inputs.token }}
       run: |
+        echo "$GITHUB_RUN_ID" > release_run_id.txt
         gh release create ${{ github.ref_name }} --draft --verify-tag --title ${{ github.ref_name }} --notes ""
         gh release upload ${{ github.ref_name }} signatures/*.sig
+        gh release upload ${{ inputs.version }} release_run_id.txt
     # https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#publishing-the-distribution-to-pypi
     - name: Publish distribution 📦 to PyPI
       if: inputs.dry_run == 'false'

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -1,5 +1,8 @@
 name: Build
-on: [push, pull_request]
+on:
+  push:
+    branches: [master]
+  pull_request:
 
 concurrency:
   group: build-${{ github.ref }}

diff --git a/.github/workflows/dist.yml b/.github/workflows/dist.yml
@@ -2,7 +2,7 @@ name: Dist
 
 on:
   push:
-    branches: [main]
+    branches: [master]
   workflow_dispatch:
   workflow_call:
   pull_request:

diff --git a/.github/workflows/post-release.yml b/.github/workflows/post-release.yml
@@ -0,0 +1,24 @@
+name: Upload Logs
+
+on:
+  release:
+    types: [published]
+
+permissions:
+  contents: write
+
+jobs:
+  upload-logs:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+    - name: Download the metadata and upload the logs
+      env:
+        GH_TOKEN: ${{ github.token }}
+      run: |
+        set -ex
+        gh release download ${{ github.ref_name }}
+        run_id=$(cat release_run_id.txt)
+        gh run view --log $run_id > release_logs.txt
+        gh release upload ${{ github.ref_name }} release_logs.txt
diff --git a/.github/workflows/release-python.yml b/.github/workflows/release-python.yml
@@ -4,24 +4,26 @@ on:
   workflow_dispatch:
     inputs:
       version:
-        description: "The next version to set"
+        description: "The new version to set"
       post_version:
-        description: "The post version to set"
+        description: "The post (dev) version to set"
       dry_run:
-        description: "Whether this is a dry run"
-        default: "false"
+        description: "Dry Run?"
+        default: false
+        type: boolean
 
 jobs:
   bump-and-tag:
     environment: release
-    runs-on: windows-2019
+    runs-on: ubuntu-latest
     steps:
+      - uses: actions/checkout@v4
       - uses: ./.github/actions/bump
         with:
           version: ${{ inputs.version }}
           post_version: ${{ inputs.post_version }}
           app_id: ${{ vars.APP_ID }}
-          private_key: ${{ secrets.APP_PRIVATE_KEY }}
+          app_private_key: ${{ secrets.APP_PRIVATE_KEY }}
           garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }}
           garasign_password: ${{ secrets.GRS_CONFIG_USER1_PASSWORD }}
           artifactory_username: ${{ secrets.ARTIFACTORY_USER }}
@@ -31,7 +33,7 @@ jobs:
 
   build_dist:
     needs: [bump-and-tag]
-    uses: ./.github/dist.yml
+    uses: ./.github/workflows/dist.yml
 
   publish:
     needs: [build_dist]
@@ -41,11 +43,16 @@ jobs:
       id-token: write
       contents: write
     steps:
+      - uses: actions/checkout@v4
       - uses: ./.github/actions/publish
         with:
+          version: ${{ inputs.version }}
           garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }}
           garasign_password: ${{ secrets.GRS_CONFIG_USER1_PASSWORD }}
           artifactory_username: ${{ secrets.ARTIFACTORY_USER }}
           artifactory_password: ${{ secrets.ARTIFACTORY_PASSWORD }}
+          aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
+          aws_bucket_name: ${{ secrets.AWS_BUCKET }}
+          aws_region: ${{ vars.AWS_REGION_NAME }}
           token: ${{ github.token }}
           dry_run: ${{ inputs.dry_run }}