Update certbot version; add GH actions build (#2)

* Update certbot version; add GH actions build
* python 3.13

Author: stevetaggart

.editorconfig

@@ -0,0 +1,14 @@
+root = true
+
+[*]
+charset = utf-8
+indent_size = 2
+indent_style = space
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.cs]
+indent_size = 4
+
+[*.{csv,editorconfig,cs,config,sql}]
+insert_final_newline = false

.github/workflows/build.yml

@@ -0,0 +1,138 @@
+name: Build Certbot Lambda Package
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+  workflow_dispatch:
+
+jobs:
+  setup-build-workflow:
+    runs-on: ubuntu-latest
+
+    outputs:
+      IS_PRERELEASE: ${{ steps.set-vars.outputs.IS_PRERELEASE }}
+      IS_MERGE_TO_MAIN: ${{ steps.set-vars.outputs.IS_MERGE_TO_MAIN }}
+      IS_MERGE_TO_DEVELOP: ${{ steps.set-vars.outputs.IS_MERGE_TO_DEVELOP }}
+      REF_TO_BUILD_AND_TAG: ${{ steps.set-vars.outputs.REF_TO_BUILD_AND_TAG }}
+      IS_DEPENDABOT_PR: ${{ steps.actor_check.outputs.IS_DEPENDABOT_PR }}
+
+    steps:
+      - name: Set default env variables
+        id: set-vars
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const targetRef = '${{ github.base_ref }}';
+            const sourceRef = '${{ github.head_ref }}';
+            const mergeRef = '${{ github.ref }}';
+
+            const prIsDraft = '${{ github.event.pull_request.draft }}' === 'true';
+            const prMergedToMain = mergeRef === 'refs/heads/master';
+
+            const isPreRelease = !prMergedToMain
+
+            // For a detailed explanation of why we use different refs for different scenarios
+            // see https://docs.github.com/en/rest/reference/pulls#get-a-pull-request
+            const refToBuildAndTag = isPreRelease ? sourceRef : mergeRef;
+
+            Object.entries({
+              IS_PRERELEASE: isPreRelease,
+              IS_MERGE_TO_MAIN: prMergedToMain,
+              REF_TO_BUILD_AND_TAG: refToBuildAndTag,
+            }).forEach(pair => {
+              core.setOutput(...pair);
+              console.info(...pair);
+            });
+
+      - name: Check if Dependabot PR
+        id: actor_check
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const actor = '${{ github.actor}}';
+            const knownDependabotNames = [
+              'dependabot[bot]',
+              'dependabot'
+            ];
+            const isDependabotPR = knownDependabotNames.includes(actor);
+            core.info(`Is Dependabot PR: ${isDependabotPR}`);
+            core.setOutput('IS_DEPENDABOT_PR', isDependabotPR);
+
+  get-version:
+    runs-on: ubuntu-latest
+    needs: setup-build-workflow
+
+    outputs:
+      NEXT_VERSION: ${{ steps.get-version.outputs.NEXT_VERSION }}
+      NEXT_VERSION_NO_PREFIX: ${{ steps.get-version.outputs.NEXT_VERSION_NO_PREFIX }}
+
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0 # Includes all history for all branches and tags
+
+      - id: get-version
+        uses: joemcbride/[email protected]
+        with:
+          calculate-prerelease-version: ${{ needs.setup-build-workflow.outputs.IS_PRERELEASE }}
+          branch-name: ${{ needs.setup-build-workflow.outputs.REF_TO_BUILD_AND_TAG }}
+          tag-prefix: certbot-
+          fallback-to-no-prefix-search: false
+          default-release-type: minor
+          create-ref: true
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - run: |
+          echo "The next version is ${{ env.NEXT_VERSION }}"
+          echo "The next version without the prefix is ${{ env.NEXT_VERSION_NO_PREFIX }}"
+            
+  build:
+    runs-on: ubuntu-latest
+    needs: get-version
+    permissions:
+      id-token: write
+      contents: read
+    env: 
+      CI: true
+      AWS_REGION: us-west-2
+      NEXT_VERSION: ${{ needs.get-version.outputs.NEXT_VERSION }}
+      NEXT_VERSION_NO_PREFIX: ${{ needs.get-version.outputs.NEXT_VERSION_NO_PREFIX }}
+      NEXT_BUILD_VERSION: ${{ needs.get-version.outputs.NEXT_BUILD_VERSION }}
+    
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v5
+      
+    - name: Set up Python
+      uses: actions/setup-python@v6
+      with:
+        python-version: '3.13'
+      
+    - name: Run package script
+      run: ./package.sh
+        
+    - name: Show package size
+      run: |
+        echo "Package size:"
+        du -h certbot/certbot-lambda.zip || echo "certbot-lambda.zip not found"
+      
+    - name: Upload build artifacts
+      uses: actions/upload-artifact@v4
+      with:
+        name: certbot-lambda-package
+        path: certbot/certbot-lambda.zip
+        retention-days: 30
+
+    - name: Configure AWS Credentials
+      uses: aws-actions/configure-aws-credentials@v5
+      with:
+        role-to-assume: arn:aws:iam::888985673581:role/GithubActions-DovetailSofware_Org-OIDC
+        role-session-name: GitHub_to_AWS_via_FederatedOIDC
+        aws-region: ${{ env.AWS_REGION }}
+
+    - name: Upload Certbot Lambda Assets to S3
+      working-directory: certbot
+      run: |
+        aws s3 cp . s3://jenkins-artifacts.us-west-2.dovetailnow.com/jobs/certbot-lambda/$NEXT_VERSION_NO_PREFIX --recursive --exclude "*" --include "*.zip"

package.sh

@@ -4,20 +4,32 @@ set -e
 
 readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 readonly CERTBOT_VERSION=$( awk -F= '$1 == "certbot"{ print $NF; }' "${SCRIPT_DIR}/requirements.txt" )
-readonly VENV="certbot/venv"
-readonly PYTHON="python3"
-readonly CERTBOT_ZIP_FILE="certbot.zip"
-readonly CERTBOT_SITE_PACKAGES=${VENV}/Lib/site-packages
+VENV="certbot/venv"
+readonly PYTHON="python"
+readonly CERTBOT_ZIP_FILE="certbot-lambda.zip"
+CERTBOT_SITE_PACKAGES=${VENV}/lib/site-packages
+
+readonly CI=$CI
 
 cd "${SCRIPT_DIR}"
 
-${PYTHON} -m venv "${VENV}"
-source "${VENV}/Scripts/activate"
+if [ "${CI}" = true ]; then
+    echo "Running in CI mode"
+    ${PYTHON} -m venv $VENV
+    VENV=$GITHUB_WORKSPACE/$VENV
+    source $VENV/bin/activate
+    CERTBOT_SITE_PACKAGES=${VENV}/lib/python3.13/site-packages
+else
+    echo "Running in local mode"
+    rm -rf ./certbot
+    ${PYTHON} -m venv "${VENV}"
+    source "${VENV}/Scripts/activate"
+fi
 
-pip3 install -r requirements.txt
+pip install -r requirements.txt
 
 pushd ${CERTBOT_SITE_PACKAGES}
-    zip -r -q ${SCRIPT_DIR}/certbot/${CERTBOT_ZIP_FILE} . -x "/*__pycache__/*"
+    7z a -tzip ${SCRIPT_DIR}/certbot/${CERTBOT_ZIP_FILE} . -xr!__pycache__
 popd
 
-zip -g "certbot/${CERTBOT_ZIP_FILE}" main.py
+7z a -tzip "certbot/${CERTBOT_ZIP_FILE}" main.py

requirements.txt

@@ -1,64 +1,4 @@
-acme==2.9.0
-apispec==6.3.0
-awscli==1.32.52
-awscli-local==0.22.0
-boto3==1.34.52
-botocore==1.34.52
-cachetools==5.0.0
-certbot==2.9.0
-certbot-dns-route53==2.9.0
-certbot-dns-tencentcloud==2.0.2
-certifi==2023.7.22
-cffi==1.15.1
-charset-normalizer==3.1.0
-click==8.1.3
-colorama==0.4.4
-ConfigArgParse==1.7
-configobj==5.0.8
-cryptography==42.0.5
-dill==0.3.6
-distro==1.9.0
-dnslib==0.9.23
-dnspython==2.3.0
-docutils==0.16
-ecdsa==0.18.0
-idna==3.4
-jmespath==1.0.1
-josepy==1.14.0
-lark==1.1.5
-localstack-client==2.5
-markdown-it-py==2.2.0
-mdurl==0.1.2
-packaging==23.1
-parsedatetime==2.6
-pbr==5.11.1
-pcore==0.2.1
-plux==1.5.0
-psh==0.2.12
-psutil==5.9.5
-psys==0.4.2
-pyaes==1.6.1
-pyasn1==0.5.0
-pycparser==2.21
-Pygments==2.15.1
-pyOpenSSL==24.0.0
-pyRFC3339==1.1
-python-dateutil==2.8.2
-python-dotenv==1.0.0
-python-hcl2==4.3.0
-python-jose==3.3.0
-pytz==2024.1
-pywin32==306
-PyYAML==6.0.1
-requests==2.31.0
-rich==13.3.4
-rsa==4.7.2
-s3transfer==0.10.0
-semver==3.0.0
-six==1.16.0
-stevedore==5.0.0
-tabulate==0.9.0
-tailer==0.4.1
-terraform-local==0.16.0
-urllib3==2.0.7
-windows-curses==2.3.2
+boto3==1.40.48
+certbot==5.1.0
+certbot-dns-route53==5.1.0
+cryptography==46.0.2