chore: automated release pipeline (#4)

Use release please Release-As: 0.1.0
garden-io · Apr 12, 2023 · 50df0b1 · 50df0b1
1 parent d75d126
commit 50df0b1
Show file tree

Hide file tree

Showing 10 changed files with 720 additions and 53 deletions.
diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
@@ -0,0 +1,38 @@
+name: GitHub Action Lint
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+env:
+  ACTIONLINT_VERSION: "1.6.17"
+  ACTIONLINT_SHA256: "a4641cd9b81e06070936fa017feb1f4f69cec0ceed41f00072e94910beb6bdd7"
+
+jobs:
+  actionlint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@03bee3930647ebbf994244c21ddbc0d4933aab4f # 2.3.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            objects.githubusercontent.com:443
+      - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # 3.0.2
+      - name: Download actionlint
+        run: |
+          curl -s -L -o actionlint.tar.gz "https://github.com/rhysd/actionlint/releases/download/v${ACTIONLINT_VERSION}/actionlint_${ACTIONLINT_VERSION}_linux_amd64.tar.gz"
+          if ! sha256sum actionlint.tar.gz | grep "${ACTIONLINT_SHA256}"; then
+            echo "Checksum verification failed. Please make sure that nobody tampered with the releases of github.com/rhysd/actionlint"
+            echo "Actual checksum: "
+            sha256sum actionlint.tar.gz
+            exit 1
+          fi
+          tar -ztvf actionlint.tar.gz
+          tar xvzf actionlint.tar.gz actionlint
+        shell: bash
+      - name: Check workflow files
+        run: ./actionlint -color
+        shell: bash
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -0,0 +1,118 @@
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+name: release-please
+jobs:
+  release-please:
+    permissions:
+      contents: write # google-github-actions/release-please-action
+      pull-requests: write # google-github-actions/release-please-action
+      actions: write # actions/upload-artifact
+    runs-on: ubuntu-latest
+    outputs:
+      release_created: ${{ steps.release.outputs.release_created }}
+      release_version: "${{ steps.release.outputs.major }}.${{ steps.release.outputs.minor }}.${{ steps.release.outputs.patch }}"
+    steps:
+      - uses: google-github-actions/release-please-action@c078ea33917ab8cfa5300e48f4b7e6b16606aede # v3.7.8
+        id: release
+        with:
+          release-type: node
+          package-name: garden-dev-cluster
+          extra-files: |
+            README.md
+
+      - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
+        if: ${{ steps.release.outputs.release_created }}
+
+      - uses: actions/setup-node@7c12f8017d5436eb855f1ed4399f037a36fbd9e8 # v2.5.2
+        with:
+          node-version: 18
+        if: ${{ steps.release.outputs.release_created }}
+
+      - name: Setup Cloud Formation Formatter
+        if: ${{ steps.release.outputs.release_created }}
+        run: |
+          gh release download --repo aws-cloudformation/rain --pattern "*_linux-amd64.zip" --output "rain.zip"
+          unzip -j "rain.zip" "*/rain"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run cdk synth
+        if: ${{ steps.release.outputs.release_created }}
+        run: |
+          npm install
+          npm run synth
+          ./rain fmt cdk.out/garden-dev-cluster.template.json > garden-dev-cluster.template.yaml
+          cat garden-dev-cluster.template.yaml
+        env:
+          CDK_RELEASE_VERSION:  "${{ steps.release.outputs.major }}.${{ steps.release.outputs.minor }}.${{ steps.release.outputs.patch }}"
+
+      - name: Archive release assets
+        if: ${{ steps.release.outputs.release_created }}
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        with:
+          name: release-assets
+          path: |
+            cdk.out
+            garden-dev-cluster.template.yaml
+
+  upload-assets:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read # actions/checkout
+      id-token: write # aws-actions/configure-aws-credentials
+      actions: read # actions/download-artifact
+    strategy:
+      matrix:
+        region: [
+          "ap-northeast-1",
+          "ap-northeast-2",
+          "ap-south-1",
+          "ap-southeast-1",
+          "ap-southeast-2",
+          "ca-central-1",
+          "eu-central-1",
+          "eu-north-1",
+          "eu-west-1",
+          "eu-west-2",
+          "eu-west-3",
+          "sa-east-1",
+          "us-east-1",
+          "us-east-2",
+          "us-west-2"
+        ]
+    needs:
+      - release-please
+    if: ${{ needs.release-please.outputs.release_created }}
+    steps:
+      - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
+        # these if statements ensure that a publication only occurs when
+        # a new release is created:
+
+      - uses: actions/setup-node@7c12f8017d5436eb855f1ed4399f037a36fbd9e8 # v2.5.2
+        with:
+          node-version: 18
+
+      - name: Download a single artifact
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        with:
+          name: release-assets
+
+      - name: configure aws credentials
+        uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # 2.0.0
+        with:
+          role-to-assume: ${secrets.AWS_ROLE}
+          role-session-name: github-action-dev-cluster-cdk-release
+          aws-region: ${{ matrix.region }}
+
+      - run: npm install
+      - run: npm run upload-assets
+        env:
+          AWS_REGION: ${{ matrix.region }}
+
+      - run: s3cmd cp garden-dev-cluster.template.yaml s3://garden-cfn-public-releases/dev-cluster/${{ needs.release-please.outputs.release_version }}/garden-dev-cluster.template.yaml