Release v5.7.3-dev.1 #1472
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# ~~ Generated by projen. To modify, edit .projenrc.ts and run "npx projen". | |
name: release | |
run-name: Release ${{ github.ref_name }} | |
on: | |
push: | |
tags: | |
- v*.*.* | |
jobs: | |
build: | |
name: Build release package | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: write | |
contents: read | |
outputs: | |
dist-tag: ${{ steps.publish-target.outputs.dist-tag }} | |
latest: ${{ steps.publish-target.outputs.latest }} | |
github-release: ${{ steps.publish-target.outputs.github-release }} | |
prerelease: ${{ steps.publish-target.outputs.prerelease }} | |
env: | |
CI: "true" | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.sha }} | |
repository: ${{ github.repository }} | |
- name: Setup Node.js | |
uses: actions/setup-node@v4 | |
with: | |
cache: yarn | |
node-version: "18" | |
- name: Install dependencies | |
run: yarn install --frozen-lockfile | |
- name: Prepare Release | |
run: yarn release ${{ github.ref_name }} | |
- name: Determine Target | |
id: publish-target | |
env: | |
GITHUB_TOKEN: ${{ github.token }} | |
run: yarn ts-node projenrc/publish-target.ts ${{ github.ref_name }} | |
- name: Federate to AWS | |
if: fromJSON(steps.publish-target.outputs.github-release) | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-region: us-east-1 | |
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} | |
role-session-name: GHA-aws-jsii-rosetta@${{ github.ref_name }} | |
- name: Sign Tarball | |
if: fromJSON(steps.publish-target.outputs.github-release) | |
run: |- | |
set -eo pipefail | |
export GNUPGHOME=$(mktemp -d) | |
echo "charset utf-8" > ${GNUPGHOME}/gpg.conf | |
echo "no-comments" >> ${GNUPGHOME}/gpg.conf | |
echo "no-emit-version" >> ${GNUPGHOME}/gpg.conf | |
echo "no-greeting" >> ${GNUPGHOME}/gpg.conf | |
secret=$(aws secretsmanager get-secret-value --secret-id=${{ secrets.OPEN_PGP_KEY_ARN }} --query=SecretString --output=text) | |
privatekey=$(node -p "(${secret}).PrivateKey") | |
passphrase=$(node -p "(${secret}).Passphrase") | |
echo "::add-mask::${passphrase}" | |
unset secret | |
echo ${passphrase} | gpg --batch --yes --import --armor --passphrase-fd=0 <(echo "${privatekey}") | |
unset privatekey | |
for file in $(find dist -type f -not -iname "*.asc"); do | |
echo ${passphrase} | gpg --pinentry-mode=loopback --batch --yes --local-user="[email protected]" --detach-sign --armor --passphrase-fd=0 ${file} | |
done | |
unset passphrase | |
find ${GNUPGHOME} -type f -exec shred --remove {} \; | |
- name: Upload artifact | |
uses: actions/[email protected] | |
with: | |
name: release-package | |
path: ${{ github.workspace }}/dist | |
overwrite: true | |
release-to-github: | |
name: Create GitHub Release | |
needs: build | |
runs-on: ubuntu-latest | |
permissions: | |
contents: write | |
env: | |
CI: "true" | |
if: fromJSON(needs.build.outputs.github-release) | |
steps: | |
- name: Download artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: release-package | |
- name: Verify if release exists | |
id: release-exists | |
env: | |
GH_TOKEN: ${{ github.token }} | |
run: |- | |
if gh release view ${{ github.ref_name }} --repo=${{ github.repository }} &>/dev/null | |
then | |
echo "result=true" >> $GITHUB_OUTPUT | |
else | |
echo "result=false" >> $GITHUB_OUTPUT | |
fi | |
- name: Create PreRelease | |
if: "!fromJSON(steps.release-exists.outputs.result) && fromJSON(needs.build.outputs.prerelease)" | |
env: | |
GH_TOKEN: ${{ github.token }} | |
run: gh release create ${{ github.ref_name }} --repo=${{ github.repository }} --generate-notes --title=${{ github.ref_name }} --verify-tag --prerelease --latest=${{ needs.build.outputs.latest }} | |
- name: Create Release | |
if: "!fromJSON(steps.release-exists.outputs.result) && !fromJSON(needs.build.outputs.prerelease)" | |
env: | |
GH_TOKEN: ${{ github.token }} | |
run: gh release create ${{ github.ref_name }} --repo=${{ github.repository }} --generate-notes --title=${{ github.ref_name }} --verify-tag --latest=${{ needs.build.outputs.latest }} | |
- name: Attach assets | |
env: | |
GH_TOKEN: ${{ github.token }} | |
run: gh release upload ${{ github.ref_name }} --repo=${{ github.repository }} --clobber ${{ github.workspace }}/**/* | |
release-npm-package: | |
name: Release to registry.npmjs.org | |
needs: build | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: write | |
contents: read | |
env: | |
CI: "true" | |
steps: | |
- name: Download artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: release-package | |
- name: Setup Node.js | |
uses: actions/setup-node@v4 | |
with: | |
always-auth: true | |
node-version: "18" | |
registry-url: https://registry.npmjs.org/ | |
- name: Federate to AWS | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-region: us-east-1 | |
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} | |
role-session-name: GHA-aws-jsii-rosetta@${{ github.ref_name }} | |
- name: Set NODE_AUTH_TOKEN | |
run: |- | |
secret=$(aws secretsmanager get-secret-value --secret-id=${{ secrets.NPM_TOKEN_ARN }} --query=SecretString --output=text) | |
token=$(node -p "(${secret}).token") | |
unset secret | |
echo "::add-mask::${token}" | |
echo "NODE_AUTH_TOKEN=${token}" >> $GITHUB_ENV | |
unset token | |
- name: Publish | |
run: npm publish ${{ github.workspace }}/js/jsii-*.tgz --access=public --tag=${{ needs.build.outputs.dist-tag }} | |
- name: Tag "latest" | |
if: fromJSON(needs.build.outputs.latest) | |
run: npm dist-tag add jsii-rosetta@${{ github.ref_name }} latest |