
Release v5.5.21

Release v5.5.21 #1509

Workflow file for this run

# ~~ Generated by projen. To modify, edit .projenrc.ts and run "npx projen".
# Display name of the workflow; each run is titled after the pushed tag.
name: release
run-name: Release ${{ github.ref_name }}

# Triggered by tag pushes only. The filter is a glob, not a strict version
# match, so the tag text reaching the jobs is whatever the pusher chose as long
# as it fits this shape.
on:
  push:
    tags:
      - 'v*.*.*'
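# Release pipeline: build and sign the package, then publish it to GitHub
# Releases and to the npm registry.
#
# Hardening applied throughout this block:
#   * The tag name, job outputs and secret ARNs reach shell steps through
#     environment variables (GITHUB_REF_NAME or an explicit `env:` entry) rather
#     than `${{ ... }}` text substitution inside `run:`. Expression substitution
#     happens before the shell parses the script, so tag text would otherwise be
#     interpreted as shell syntax.
#   * Secrets Manager payloads are parsed with JSON.parse instead of being
#     evaluated as JavaScript source.
#
# NOTE(review): third-party actions are referenced by mutable tags (`@v4`).
# Pinning each `uses:` to a full commit SHA prevents a retagged action from
# running in jobs that hold signing and publishing credentials.
jobs:
  build:
    name: Build release package
    runs-on: ubuntu-latest
    # id-token: write is needed for the OIDC federation step below.
    # NOTE(review): the permission is job-wide, so the dependency install and
    # release scripts run in a job that can also obtain the signing role.
    # Consider moving "Federate to AWS" and "Sign Tarball" into a separate job
    # that only downloads the built artifact.
    permissions:
      id-token: write
      contents: read
    outputs:
      dist-tag: ${{ steps.publish-target.outputs.dist-tag }}
      latest: ${{ steps.publish-target.outputs.latest }}
      github-release: ${{ steps.publish-target.outputs.github-release }}
      prerelease: ${{ steps.publish-target.outputs.prerelease }}
    env:
      CI: "true"
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          ref: ${{ github.sha }}
          repository: ${{ github.repository }}
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          cache: yarn
          node-version: "18"
      - name: Install dependencies
        run: yarn install --frozen-lockfile
      - name: Prepare Release
        # GITHUB_REF_NAME is the runner-provided copy of github.ref_name.
        run: yarn release "${GITHUB_REF_NAME}"
      - name: Determine Target
        id: publish-target
        env:
          GITHUB_TOKEN: ${{ github.token }}
        run: yarn ts-node projenrc/publish-target.ts "${GITHUB_REF_NAME}"
      - name: Federate to AWS
        if: fromJSON(steps.publish-target.outputs.github-release)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: us-east-1
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          role-session-name: GHA-aws-jsii-rosetta@${{ github.ref_name }}
      - name: Sign Tarball
        if: fromJSON(steps.publish-target.outputs.github-release)
        env:
          OPEN_PGP_KEY_ARN: ${{ secrets.OPEN_PGP_KEY_ARN }}
        run: |-
          set -eo pipefail
          export GNUPGHOME=$(mktemp -d)
          # Shred the temporary keyring on every exit path; with `set -e` a
          # failed command would otherwise skip the cleanup.
          trap 'find "${GNUPGHOME}" -type f -exec shred --remove {} \;' EXIT
          echo "charset utf-8" > "${GNUPGHOME}/gpg.conf"
          echo "no-comments" >> "${GNUPGHOME}/gpg.conf"
          echo "no-emit-version" >> "${GNUPGHOME}/gpg.conf"
          echo "no-greeting" >> "${GNUPGHOME}/gpg.conf"
          secret=$(aws secretsmanager get-secret-value --secret-id="${OPEN_PGP_KEY_ARN}" --query=SecretString --output=text)
          # Treat the secret as data: hand it to node through the environment
          # and JSON.parse it, so it is neither evaluated as code nor placed on
          # the process command line. Assumes SecretString is strict JSON.
          privatekey=$(SECRET="${secret}" node -p 'JSON.parse(process.env.SECRET).PrivateKey')
          passphrase=$(SECRET="${secret}" node -p 'JSON.parse(process.env.SECRET).Passphrase')
          echo "::add-mask::${passphrase}"
          unset secret
          # printf with a quoted argument passes the passphrase unmodified (no
          # word splitting, globbing or echo option parsing).
          printf '%s\n' "${passphrase}" | gpg --batch --yes --import --armor --passphrase-fd=0 <(echo "${privatekey}")
          unset privatekey
          # NOTE(review): the --local-user value below was replaced by an
          # e-mail-obfuscation artefact when this page was captured; restore the
          # signing identity from the repository before using this file.
          for file in $(find dist -type f -not -iname "*.asc"); do
            printf '%s\n' "${passphrase}" | gpg --pinentry-mode=loopback --batch --yes --local-user="[email protected]" --detach-sign --armor --passphrase-fd=0 "${file}"
          done
          unset passphrase
      - name: Upload artifact
        # NOTE(review): the version after "@" was lost to the same obfuscation
        # artefact; restore it from the repository's copy of this workflow.
        uses: actions/[email protected]
        with:
          name: release-package
          path: ${{ github.workspace }}/dist
          overwrite: true
  release-to-github:
    name: Create GitHub Release
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write
    env:
      CI: "true"
    if: fromJSON(needs.build.outputs.github-release)
    steps:
      - name: Download artifact
        uses: actions/download-artifact@v4
        with:
          name: release-package
      - name: Verify if release exists
        id: release-exists
        env:
          GH_TOKEN: ${{ github.token }}
        run: |-
          if gh release view "${GITHUB_REF_NAME}" --repo=${{ github.repository }} &>/dev/null
          then
            echo "result=true" >> "$GITHUB_OUTPUT"
          else
            echo "result=false" >> "$GITHUB_OUTPUT"
          fi
      - name: Create PreRelease
        if: "!fromJSON(steps.release-exists.outputs.result) && fromJSON(needs.build.outputs.prerelease)"
        env:
          GH_TOKEN: ${{ github.token }}
          LATEST: ${{ needs.build.outputs.latest }}
        run: gh release create "${GITHUB_REF_NAME}" --repo=${{ github.repository }} --generate-notes --title="${GITHUB_REF_NAME}" --verify-tag --prerelease --latest="${LATEST}"
      - name: Create Release
        if: "!fromJSON(steps.release-exists.outputs.result) && !fromJSON(needs.build.outputs.prerelease)"
        env:
          GH_TOKEN: ${{ github.token }}
          LATEST: ${{ needs.build.outputs.latest }}
        run: gh release create "${GITHUB_REF_NAME}" --repo=${{ github.repository }} --generate-notes --title="${GITHUB_REF_NAME}" --verify-tag --latest="${LATEST}"
      - name: Attach assets
        env:
          GH_TOKEN: ${{ github.token }}
        # --clobber replaces same-named assets already attached to the release,
        # so re-running this job for an existing tag overwrites published files.
        run: gh release upload "${GITHUB_REF_NAME}" --repo=${{ github.repository }} --clobber ${{ github.workspace }}/**/*
  release-npm-package:
    name: Release to registry.npmjs.org
    needs: build
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    env:
      CI: "true"
    steps:
      - name: Download artifact
        uses: actions/download-artifact@v4
        with:
          name: release-package
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          always-auth: true
          node-version: "18"
          registry-url: https://registry.npmjs.org/
      - name: Federate to AWS
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: us-east-1
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          role-session-name: GHA-aws-jsii-rosetta@${{ github.ref_name }}
      - name: Set NODE_AUTH_TOKEN
        env:
          NPM_TOKEN_ARN: ${{ secrets.NPM_TOKEN_ARN }}
        run: |-
          secret=$(aws secretsmanager get-secret-value --secret-id="${NPM_TOKEN_ARN}" --query=SecretString --output=text)
          # Parse the secret as JSON data instead of evaluating it as code.
          # Assumes SecretString is strict JSON.
          token=$(SECRET="${secret}" node -p 'JSON.parse(process.env.SECRET).token')
          unset secret
          echo "::add-mask::${token}"
          # Writing to GITHUB_ENV exposes the token to every later step in this
          # job; only the two npm steps below follow.
          echo "NODE_AUTH_TOKEN=${token}" >> "$GITHUB_ENV"
          unset token
      - name: Publish
        env:
          DIST_TAG: ${{ needs.build.outputs.dist-tag }}
        run: npm publish ${{ github.workspace }}/js/jsii-*.tgz --access=public --tag="${DIST_TAG}"
      - name: Tag "latest"
        if: fromJSON(needs.build.outputs.latest)
        run: npm dist-tag add "jsii-rosetta@${GITHUB_REF_NAME}" latest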