ci: read CocoaPods trunk token from AWS secret (#2921)

Di Wu · web-flow · commit dc0d7db9e5f1 · 2023-05-24T17:17:18.000-07:00
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -4,13 +4,15 @@ version: 2.1
 
 orbs:
   aws-cli: circleci/aws-cli@3.1.4
+
   # Using inline orb for now
   getting-started-smoke-test:
     orbs:
       macos: circleci/macos@2
       node: circleci/node@5.0.2
       ruby: circleci/ruby@1.6.0
       aws-cli: circleci/aws-cli@3.1.1
+
     commands:
       send-metric-on-fail:
         description: Send failure datapoint to cloudwatch
@@ -321,6 +323,10 @@ jobs:
       - *restore_repo
       - restore_gems
       - check_bundle
+      - aws-cli/setup:
+          role-arn: $AWS_OIDC_ROLE_ARN
+          role-session-name: "${CIRCLE_WORKFLOW_JOB_ID}.release"
+          session-duration: '900'
       - run:
           name: Release pods
           command: bundle exec fastlane << parameters.lane >>
@@ -471,6 +477,7 @@ workflows:
       - deploy:
           name: deploy stable
           lane: release
+          context: amplify-swift-aws-oidc
           <<: *deploy_requires
           filters:
             branches:
@@ -496,4 +503,4 @@ workflows:
             - cloudwatch-monitoring
           xcode-version: "12.5.1"
           simulator-os-version: "14.5"
-          simulator-device: "iPhone 12"
+          simulator-device: "iPhone 12"
diff --git a/fastlane/Fastfile b/fastlane/Fastfile
@@ -1,3 +1,4 @@
+require 'json'
 require_relative './amplify_pods.rb'
 
 opt_out_usage
@@ -6,15 +7,15 @@ default_platform(:ios)
 PLIST_KEY = "CFBundleShortVersionString"
 
 platform :ios do
-  before_all do 
-    # Perform a fetch before inferring the next version 
+  before_all do
+    # Perform a fetch before inferring the next version
     # to reduce race conditions with simultaneous pipelines attempting to create the same tag
     sh('git', 'fetch', '--tags', '-f')
     sh('git', 'fetch')
     sh('git', 'status')
   end
   desc "Create a pre-release version by pushing a tag to GitHub, and pushing pods to CocoaPods"
-  lane :unstable do 
+  lane :unstable do
     next_version = calculate_next_canary_version
     if next_version >= '2.0.0'
       UI.message("Received version: #{next_version}, exiting lane because version is larger than 2.0.0")
@@ -32,8 +33,17 @@ platform :ios do
     release_pods()
   end
 
-  desc "Create a release version by building and committing a changelog, pushing a tag to GitHub, and pushing pods to CocoaPods"  
+  desc "Create a release version by building and committing a changelog, pushing a tag to GitHub, and pushing pods to CocoaPods"
   lane :release do
+    # Define `COCOAPODS_TRUNK_TOKEN` env var for trunk authentication
+    # https://github.com/CocoaPods/cocoapods-trunk/commit/9e6ec1c1faf96fa837dc2ed70b5f54006b181ed6
+    secret = sh(
+        command: 'aws secretsmanager get-secret-value --secret-id ${COCOAPODS_SECRET_ARN}',
+        log: false
+    )
+
+    ENV['COCOAPODS_TRUNK_TOKEN'] = JSON.parse(secret)["SecretString"]
+
     next_version, commits = calculate_next_release_version(version_limit:'v2.0.0')
     if next_version >= '2.0.0'
       UI.message("Received version: #{next_version}, exiting lane because version is larger than 2.0.0")
@@ -46,7 +56,7 @@ platform :ios do
 
     changelog = build_changelog(version: next_version, commits: commits)
 
-    # Commit and push 
+    # Commit and push
     release_commit(version: next_version)
 
     # Create tag and push to origin
@@ -80,7 +90,7 @@ platform :ios do
       set_key_value(file: "build-support/dependencies.rb", key: "AMPLIFY_VERSION", value: version)
     end
   end
-  
+
   desc "Commit and push"
   private_lane :release_commit do |options|
     next_version = options[:version]
@@ -94,7 +104,7 @@ platform :ios do
     # push to origin
     sh('git', 'push', 'origin', 'release-v1')
   end
-  
+
   desc "Tag in git and push to GitHub"
   private_lane :add_tag do |options|
     next_version = options[:version]
@@ -136,7 +146,7 @@ platform :ios do
     changelog = options[:changelog]
     tag = "#{version}"
     plugin_root = File.expand_path("#{ENV['CIRCLE_WORKING_DIRECTORY']}/AmplifyPlugins")
-  
+
     sh('bundle', 'exec', 'swift', 'package', 'update')
 
     sh('bundle', 'exec', 'pod', 'repo', 'update')
