ci: add Rust release workflows for aws-db-esdk #2280
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,117 @@ | ||
| # This workflow publishes the aws-db-esdk crate to crates.io and runs | ||
| # the post-publish smoke test against the published version | ||
| # (`cargo publish` and `./test_published.sh N.N.N`). | ||
| # | ||
| # Regenerating `releases/rust/db_esdk/` and opening a release PR is | ||
| # automated by the `Rust Start Release` workflow (rust-start-release.yml) | ||
| # and should be run before this workflow. | ||
| # | ||
| # This workflow should be dispatched on the release PR's branch | ||
| # (head ref) BEFORE the PR is merged, so a failed publish or failed | ||
| # smoke test leaves the unmerged PR for cleanup. | ||
| # | ||
| # Authenticates to crates.io with a long-lived API token issued under the | ||
| # Crypto Tools CI bot account, stored in the CARGO_REGISTRY_TOKEN repo | ||
| # secret and gated by the `crates-io-publish` GitHub environment. | ||
| name: Rust Release | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| inputs: | ||
| version: | ||
| description: "Optional. If provided, must match releases/rust/db_esdk/Cargo.toml version exactly (N.N.N format, e.g. '1.2.5'). Used as a typo safeguard; if omitted, the version in Cargo.toml is published as-is." | ||
| required: false | ||
| type: string | ||
|
|
||
| permissions: {} | ||
|
|
||
| jobs: | ||
| publish: | ||
| name: Publish aws-db-esdk to crates.io | ||
| runs-on: ubuntu-22.04 | ||
| environment: crates-io-publish | ||
| permissions: | ||
| id-token: write | ||
| contents: read | ||
| steps: | ||
| - name: Support longpaths on Git checkout | ||
| run: | | ||
| git config --global core.longpaths true | ||
|
|
||
| - uses: actions/checkout@v6 | ||
|
|
||
| - name: Setup Rust Toolchain for GitHub CI | ||
| uses: actions-rust-lang/setup-rust-toolchain@v1 | ||
| with: | ||
| components: rustfmt, clippy | ||
|
|
||
| - name: Read crate version from Cargo.toml | ||
| id: cargo | ||
| shell: bash | ||
| working-directory: releases/rust/db_esdk | ||
| run: | | ||
| set -euo pipefail | ||
| CRATE_VERSION="$(cargo metadata --no-deps --format-version=1 | jq -r '.packages[0].version')" | ||
| CRATE_NAME="$(cargo metadata --no-deps --format-version=1 | jq -r '.packages[0].name')" | ||
| echo "version=${CRATE_VERSION}" >> "$GITHUB_OUTPUT" | ||
| echo "name=${CRATE_NAME}" >> "$GITHUB_OUTPUT" | ||
| echo "Will publish ${CRATE_NAME} v${CRATE_VERSION}" | ||
|
|
||
| - name: Verify input version matches Cargo.toml (if provided) | ||
| if: ${{ github.event.inputs.version != '' }} | ||
| shell: bash | ||
| env: | ||
| INPUT_VERSION: ${{ github.event.inputs.version }} | ||
| CARGO_VERSION: ${{ steps.cargo.outputs.version }} | ||
| run: | | ||
| set -euo pipefail | ||
| if [ "${INPUT_VERSION}" != "${CARGO_VERSION}" ]; then | ||
| echo "::error::Input version '${INPUT_VERSION}' does not match Cargo.toml version '${CARGO_VERSION}'." | ||
| exit 1 | ||
| fi | ||
| echo "Input version matches Cargo.toml: ${CARGO_VERSION}" | ||
|
|
||
| - name: Cargo publish (dry run) | ||
| shell: bash | ||
| working-directory: releases/rust/db_esdk | ||
| run: cargo publish --dry-run | ||
|
|
||
| - name: Cargo publish | ||
| shell: bash | ||
| working-directory: releases/rust/db_esdk | ||
| env: | ||
| CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }} | ||
| run: cargo publish | ||
|
|
||
| - name: Configure AWS Credentials for test_published.sh | ||
| uses: aws-actions/configure-aws-credentials@v6 | ||
| with: | ||
| aws-region: us-west-2 | ||
| role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-DDBEC-Dafny-Role-us-west-2 | ||
| role-session-name: DDBEC-Rust-Release-TestPublished | ||
| special-characters-workaround: "true" | ||
|
|
||
| - name: Wait for new version to be available on crates.io | ||
| shell: bash | ||
| env: | ||
| CRATE_NAME: ${{ steps.cargo.outputs.name }} | ||
| CRATE_VERSION: ${{ steps.cargo.outputs.version }} | ||
| run: | | ||
| set -euo pipefail | ||
| # crates.io can take a few seconds to surface a freshly-published | ||
| # version via the sparse index. Poll for up to 5 minutes. | ||
| for i in $(seq 1 60); do | ||
| if curl -fsSL "https://crates.io/api/v1/crates/${CRATE_NAME}/${CRATE_VERSION}" >/dev/null 2>&1; then | ||
| echo "${CRATE_NAME} v${CRATE_VERSION} is available on crates.io" | ||
| exit 0 | ||
| fi | ||
| echo "Attempt ${i}: ${CRATE_NAME} v${CRATE_VERSION} not yet available; sleeping 5s" | ||
| sleep 5 | ||
| done | ||
| echo "::error::${CRATE_NAME} v${CRATE_VERSION} did not appear on crates.io within 5 minutes" | ||
| exit 1 | ||
|
|
||
| - name: Test the published crate | ||
| shell: bash | ||
| working-directory: DynamoDbEncryption/runtimes/rust | ||
| run: ./test_published.sh "${{ steps.cargo.outputs.version }}" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,155 @@ | ||
| # This workflow regenerates `releases/rust/db_esdk/` for a new version | ||
| # of the aws-db-esdk crate by running | ||
| # DynamoDbEncryption/runtimes/rust/start_release.sh, committing the | ||
| # result on a release branch, and opening a PR back to main. | ||
| # | ||
| # `cargo publish` and `test_published.sh` live in rust-release.yml and | ||
| # should be dispatched on the resulting PR's branch before merging. | ||
| # | ||
| # This workflow does NOT need any crates.io credentials; it only writes | ||
| # to the repo (via secrets.GITHUB_TOKEN) and assumes AWS via OIDC for | ||
| # the tests that start_release.sh runs. | ||
| name: Rust Start Release | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| inputs: | ||
| version: | ||
| description: "New aws-db-esdk version in N.N.N format (e.g. '1.2.5')." | ||
| required: true | ||
| type: string | ||
|
|
||
| permissions: {} | ||
|
|
||
| jobs: | ||
| start-release: | ||
| name: Run start_release.sh and open a release PR | ||
| runs-on: ubuntu-22.04 | ||
| permissions: | ||
| id-token: write | ||
| contents: write | ||
| pull-requests: write | ||
| env: | ||
| RUST_MIN_STACK: 838860800 | ||
| steps: | ||
| - name: Validate version input | ||
| shell: bash | ||
| env: | ||
| VERSION: ${{ github.event.inputs.version }} | ||
| run: | | ||
| set -euo pipefail | ||
| if ! [[ "${VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then | ||
| echo "::error::Version '${VERSION}' must be in N.N.N format (e.g. '1.2.5')." | ||
| exit 1 | ||
| fi | ||
|
|
||
| - name: Configure AWS Credentials | ||
| uses: aws-actions/configure-aws-credentials@v6 | ||
| with: | ||
| aws-region: us-west-2 | ||
| role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-DDBEC-Dafny-Role-us-west-2 | ||
| role-session-name: DDBEC-Rust-Start-Release | ||
| special-characters-workaround: "true" | ||
|
|
||
| - name: Support longpaths on Git checkout | ||
| run: | | ||
| git config --global core.longpaths true | ||
|
|
||
| - uses: actions/checkout@v6 | ||
| with: | ||
| fetch-depth: 0 | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: Init Submodules | ||
| shell: bash | ||
| run: | | ||
| git submodule update --init --recursive submodules/smithy-dafny | ||
| git submodule update --init --recursive submodules/MaterialProviders | ||
|
|
||
| - name: Setup Rust Toolchain for GitHub CI | ||
| uses: actions-rust-lang/setup-rust-toolchain@v1 | ||
| with: | ||
| components: rustfmt, clippy | ||
|
|
||
| - name: Setup Dafny | ||
| uses: ./submodules/MaterialProviders/.github/actions/setup_dafny/ | ||
| with: | ||
| dafny-version: 4.10.0 | ||
|
|
||
| - name: Setup Java 17 for codegen | ||
| uses: actions/setup-java@v5 | ||
| with: | ||
| distribution: "corretto" | ||
| java-version: "17" | ||
|
|
||
| - name: Install Smithy-Dafny codegen dependencies | ||
| uses: ./submodules/MaterialProviders/.github/actions/install_smithy_dafny_codegen_dependencies | ||
| with: | ||
| mpl-submodule-path: ./submodules/MaterialProviders/ | ||
|
|
||
| - name: Configure Git | ||
| shell: bash | ||
| run: | | ||
| git config --global user.name "GitHub Actions" | ||
| git config --global user.email "actions@github.com" | ||
|
|
||
| - name: Create release branch | ||
| id: branch | ||
| shell: bash | ||
| env: | ||
| VERSION: ${{ github.event.inputs.version }} | ||
| run: | | ||
| set -euo pipefail | ||
| BRANCH="release/db_esdk/v${VERSION}" | ||
| git checkout -b "${BRANCH}" | ||
| echo "name=${BRANCH}" >> "$GITHUB_OUTPUT" | ||
|
|
||
| - name: Run start_release.sh | ||
| shell: bash | ||
| working-directory: DynamoDbEncryption/runtimes/rust | ||
| env: | ||
| VERSION: ${{ github.event.inputs.version }} | ||
| run: ./start_release.sh "${VERSION}" | ||
|
|
||
| - name: Commit regenerated releases/rust/db_esdk | ||
| shell: bash | ||
| env: | ||
| VERSION: ${{ github.event.inputs.version }} | ||
| run: | | ||
| set -euo pipefail | ||
| # Submodule dirs and other transient state must not be committed. | ||
| git add releases/rust/db_esdk DynamoDbEncryption/runtimes/rust/Cargo.toml | ||
| if git diff --cached --quiet; then | ||
| echo "::error::start_release.sh produced no changes; nothing to release." | ||
| exit 1 | ||
| fi | ||
| git commit -m "chore(release): aws-db-esdk v${VERSION}" | ||
|
|
||
| - name: Push release branch | ||
| shell: bash | ||
| env: | ||
| BRANCH: ${{ steps.branch.outputs.name }} | ||
| run: | | ||
| set -euo pipefail | ||
| git push origin "${BRANCH}" | ||
|
|
||
| - name: Open release PR | ||
| shell: bash | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
|
lucasmcdonald3 marked this conversation as resolved.
Outdated
|
||
| BRANCH: ${{ steps.branch.outputs.name }} | ||
| VERSION: ${{ github.event.inputs.version }} | ||
| run: | | ||
| set -euo pipefail | ||
| gh pr create \ | ||
|
Member
There was a problem hiding this comment. Just mentioning. Someone may have to push a empty commit to this branch for the CI in PR to run and I am fine with that. GitHub does not allow CI to run in bot created PR |
||
| --base main \ | ||
| --head "${BRANCH}" \ | ||
| --title "chore(release): aws-db-esdk v${VERSION}" \ | ||
| --body "Automated release PR generated by \`rust-start-release.yml\` for aws-db-esdk v${VERSION}. | ||
|
|
||
| Reviewer checklist: | ||
| - Update \`CHANGELOG.md\` in the root directory with the changes for this version. | ||
| - If this is a major version bump, update \`SUPPORT_POLICY.rst\` for Rust. | ||
| - After approval, dispatch the \`Rust Release\` workflow on this branch (or after merging) to publish to crates.io and run \`test_published.sh\`. | ||
|
lucasmcdonald3 marked this conversation as resolved.
Outdated
|
||
|
|
||
| Do NOT merge this PR before publishing." | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.