udondan/iam-floyd

View on GitHub
.github/workflows/test-and-publish.yml

Summary

Maintainability
Test Coverage
---
name: Test / Publish / Release

concurrency:
  group: test-${{ github.head_ref }}
  cancel-in-progress: true

on:
  push:
    branches:
      - main
    paths:
      - VERSION
  pull_request:
    branches:
      - main
  workflow_dispatch:

jobs:
  finalize:
    name: Finalize
    runs-on: ubuntu-latest
    steps:
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: 3.9

      - name: Checkout code
        uses: actions/checkout@v4
        with:
          persist-credentials: false
          fetch-depth: 0

      - name: Get the version
        id: get_version
        run: echo "VERSION=$(cat VERSION)" >> $GITHUB_OUTPUT

      - name: Update version references
        run: make update-version-refs

      - name: Ensure CHANGELOG exists for version
        run: |
          if [ ! -f CHANGELOG/v${{ steps.get_version.outputs.VERSION }}.md ]; then
            echo "CHANGELOG/v${{ steps.get_version.outputs.VERSION }}.md does not exist"
            exit 1
          fi

      - name: Check for changes
        id: changes
        run: |
          set -xuo pipefail # we intentionally do not use -e here, as rc=1 means we have changes
          git diff
          echo "CHANGED=$(git ls-files -m | wc -l | xargs)" >> $GITHUB_OUTPUT

      - name: Commit changes
        run: |
          git config --local user.email "action@github.com"
          git config --local user.name "GitHub Action"
          git diff --exit-code || git commit -m "Finalize v${{ steps.get_version.outputs.VERSION }}" -a
        if: steps.changes.outputs.CHANGED > 0

      - name: Push changes
        uses: ad-m/github-push-action@master
        with:
          github_token: ${{ secrets.OVERRIDE_TOKEN }}
          branch: ${{ github.head_ref }}
        if: steps.changes.outputs.CHANGED > 0

      - name: Get current SHA
        run: git rev-parse HEAD > /tmp/sha

      - name: Store SHA as artifacts
        uses: actions/upload-artifact@v4
        with:
          name: ${{ github.run_id }}
          path: /tmp/sha

  test-iam-floyd:
    name: Test iam-floyd
    needs: finalize
    runs-on: ubuntu-latest
    steps:
      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 20.x

      - name: Fetch latest SHA
        uses: actions/download-artifact@v4
        with:
          name: ${{ github.run_id }}
          path: /tmp/sha

      - name: Store latest SHA as output
        id: get_sha
        run: echo "SHA=$(cat /tmp/sha/sha)" >> $GITHUB_OUTPUT

      - name: Checkout code
        uses: actions/checkout@v4
        with:
          persist-credentials: false
          fetch-depth: 0
          ref: ${{ steps.get_sha.outputs.SHA }}

      - name: Test npm package
        run: make install test-typescript
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

      - name: Update package version
        run: |
          npm version "$(cat VERSION)" --allow-same-version --no-git-tag-version
          grep version package.json

      - name: Dry run npm publish
        run: make publish

  test-cdk-iam-floyd:
    name: Test cdk-iam-floyd
    needs: finalize
    runs-on: ubuntu-latest
    steps:
      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 20.x

      - name: Fetch latest SHA
        uses: actions/download-artifact@v4
        with:
          name: ${{ github.run_id }}
          path: /tmp/sha

      - name: Store latest SHA as output
        id: get_sha
        run: echo "SHA=$(cat /tmp/sha/sha)" >> $GITHUB_OUTPUT

      - name: Checkout code
        uses: actions/checkout@v4
        with:
          persist-credentials: false
          fetch-depth: 0
          ref: ${{ steps.get_sha.outputs.SHA }}

      - name: Build CDK variant
        run: |
          make install
          make cdk
          cat package.json

      - name: Test npm package
        run: |
          make package
          make test-typescript-cdk
          make cdk-test
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

      - name: Update package version
        run: |
          npm version "$(cat VERSION)" --allow-same-version --no-git-tag-version
          grep version package.json

      - name: Dry run npm publish
        run: make publish

  release:
    name: Release
    if: |
      github.ref == 'refs/heads/main' && (
        github.event_name == 'push' ||
        github.event_name == 'workflow_dispatch'
      )
    needs:
      - test-iam-floyd
      - test-cdk-iam-floyd
    runs-on: ubuntu-latest
    steps:
      - name: Fetch latest SHA
        uses: actions/download-artifact@v4
        with:
          name: ${{ github.run_id }}
          path: /tmp/sha

      - name: Store latest SHA as output
        id: get_sha
        run: echo "SHA=$(cat /tmp/sha/sha)" >> $GITHUB_OUTPUT

      - name: Checkout code
        uses: actions/checkout@v4
        with:
          persist-credentials: false
          fetch-depth: 0
          ref: ${{ steps.get_sha.outputs.SHA }}

      - name: Get the version
        id: get_version
        run: echo "VERSION=$(cat VERSION)" >> $GITHUB_OUTPUT

      - name: Create tag
        run: |
          git config --local user.email "${{ secrets.RELEASE_MAIL }}"
          git config --local user.name "udondan"
          git tag -a "v${{ steps.get_version.outputs.VERSION }}" -m "Creates tag v${{ steps.get_version.outputs.VERSION }}"
          git push "https://udondan:${{ secrets.OVERRIDE_TOKEN }}@github.com/${{ github.repository }}.git" --tags
          touch CHANGELOG/v${{ steps.get_version.outputs.VERSION }}.md

      - name: Create release
        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.OVERRIDE_TOKEN }}
        with:
          tag_name: v${{ steps.get_version.outputs.VERSION }}
          release_name: v${{ steps.get_version.outputs.VERSION }}
          body_path: CHANGELOG/v${{ steps.get_version.outputs.VERSION }}.md

  publish-iam-floyd:
    name: Publish iam-floyd
    if: |
      github.ref == 'refs/heads/main' && (
        github.event_name == 'push' ||
        github.event_name == 'workflow_dispatch'
      )
    needs: release
    runs-on: ubuntu-latest
    steps:
      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 20.x
          registry-url: https://registry.npmjs.org

      - name: Fetch latest SHA
        uses: actions/download-artifact@v4
        with:
          name: ${{ github.run_id }}
          path: /tmp/sha

      - name: Store latest SHA as output
        id: get_sha
        run: echo "SHA=$(cat /tmp/sha/sha)" >> $GITHUB_OUTPUT

      - name: Checkout code
        uses: actions/checkout@v4
        with:
          persist-credentials: false
          fetch-depth: 0
          ref: ${{ steps.get_sha.outputs.SHA }}

      - name: Update package version
        run: |
          npm version "$(cat VERSION)" --allow-same-version --no-git-tag-version
          grep version package.json

      - name: Publish to npm
        run: make install build publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

  publish-cdk-iam-floyd:
    name: Publish cdk-iam-floyd
    if: |
      github.ref == 'refs/heads/main' && (
        github.event_name == 'push' ||
        github.event_name == 'workflow_dispatch'
      )
    needs: release
    runs-on: ubuntu-latest
    steps:
      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 20.x
          registry-url: https://registry.npmjs.org

      - name: Fetch latest SHA
        uses: actions/download-artifact@v4
        with:
          name: ${{ github.run_id }}
          path: /tmp/sha

      - name: Store latest SHA as output
        id: get_sha
        run: echo "SHA=$(cat /tmp/sha/sha)" >> $GITHUB_OUTPUT

      - name: Checkout code
        uses: actions/checkout@v4
        with:
          persist-credentials: false
          fetch-depth: 0
          ref: ${{ steps.get_sha.outputs.SHA }}

      - name: Update package version
        run: |
          npm version "$(cat VERSION)" --allow-same-version --no-git-tag-version
          grep version package.json

      - name: Build CDK variant
        run: |
          make install
          make cdk
          cat package.json

      - name: Publish to npm
        run: make build publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

  success:
    name: Test succeeded
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    needs:
      - test-iam-floyd
      - test-cdk-iam-floyd
    steps:
      - name: Report success
        run: echo 'Success'