diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ba97c65aa..8d7d7fb42 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -167,6 +167,13 @@ jobs:
 name: standalone_build-artifact
 path: dist/standalone
 overwrite: true
+ - name: "standalone: Upload artifact"
+ if: ${{ steps.git_remote.outputs.latest_commit == github.sha }}
+ uses: actions/upload-artifact@v4.4.0
+ with:
+ name: standalone_build-artifact
+ path: dist/standalone
+ overwrite: true
 aws-cdk-cloud-assembly-schema_release_github:
 name: "@aws-cdk/cloud-assembly-schema: Publish to GitHub Releases"
 needs:
@@ -999,8 +1006,40 @@ jobs:
 role-to-assume: ${{ vars.AWS_ROLE_TO_ASSUME_FOR_ACCOUNT }}
 role-session-name: releasing@aws-cdk-cli
 output-credentials: true
+ mask-aws-account-id: true
 - name: Publish artifacts
 env:
 PUBLISHING_ROLE_ARN: ${{ vars.PUBLISHING_ROLE_ARN }}
 TARGET_BUCKETS: ${{ vars.TARGET_BUCKETS }}
 run: npx tsx projenrc/publish-to-adc.task.ts
+ record_timestamp:
+ name: "aws-cdk: Record publishing timestamp"
+ needs: release
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ environment: releasing
+ if: ${{ needs.release.outputs.latest_commit == github.sha }}
+ steps:
+ - name: Download build artifacts
+ uses: actions/download-artifact@v4
+ with:
+ name: aws-cdk_build-artifact
+ path: dist
+ - name: Read version from build artifacts
+ id: aws-cdk-version
+ run: echo "version=$(cat dist/version.txt)" >> $GITHUB_OUTPUT
+ - name: Authenticate Via OIDC Role
+ id: creds
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-region: us-east-1
+ role-duration-seconds: 14400
+ role-to-assume: ${{ vars.AWS_ROLE_TO_ASSUME_FOR_ACCOUNT }}
+ role-session-name: releasing@aws-cdk-cli
+ output-credentials: true
+ mask-aws-account-id: true
+ - name: Publish artifacts
+ run: |-
+ aws ssm put-parameter --name "/published/cdk/cli/version" --type "String" --value "${{ steps.aws-cdk-version.outputs.version }}" --overwrite
+ aws ssm put-parameter --name "/published/cdk/cli/timestamp" --type "String" --value "$(date +%s)" --overwrite
diff --git a/.projen/tasks.json b/.projen/tasks.json
index a892abc4a..cde31f1e1 100644
--- a/.projen/tasks.json
+++ b/.projen/tasks.json
@@ -9,6 +9,9 @@
 {
 "exec": "yarn workspaces run build"
 },
+ {
+ "exec": "tsx projenrc/build-standalone-zip.task.ts"
+ },
 {
 "spawn": "eslint"
 },
diff --git a/.projenrc.ts b/.projenrc.ts
index 74538dc45..04ee8a0fa 100644
--- a/.projenrc.ts
+++ b/.projenrc.ts
@@ -7,6 +7,7 @@ import { BundleCli } from './projenrc/bundle';
 import { CodeCovWorkflow } from './projenrc/codecov';
 import { ESLINT_RULES } from './projenrc/eslint';
 import { JsiiBuild } from './projenrc/jsii';
+import { RecordPublishingTimestamp } from './projenrc/record-publishing-timestamp';

 // 5.7 sometimes gives a weird error in `ts-jest` in `@aws-cdk/cli-lib-alpha`
 // https://github.com/microsoft/TypeScript/issues/60159
@@ -224,6 +225,9 @@ const repoProject = new yarn.Monorepo({
 },
 });

+new AdcPublishing(repoProject);
+new RecordPublishingTimestamp(repoProject);
+
 // Eslint for projen config
 // @ts-ignore
 repoProject.eslint = new pj.javascript.Eslint(repoProject, {
diff --git a/projenrc/adc-publishing.ts b/projenrc/adc-publishing.ts
index 62092ab4a..02a197a92 100644
--- a/projenrc/adc-publishing.ts
+++ b/projenrc/adc-publishing.ts
@@ -60,6 +60,7 @@ export class AdcPublishing extends Component {
 'role-to-assume': '${{ vars.AWS_ROLE_TO_ASSUME_FOR_ACCOUNT }}',
 'role-session-name': 'releasing@aws-cdk-cli',
 'output-credentials': true,
+ 'mask-aws-account-id': true,
 },
 },
 {
diff --git a/projenrc/record-publishing-timestamp.ts b/projenrc/record-publishing-timestamp.ts
new file mode 100644
index 000000000..3c92c1033
--- /dev/null
+++ b/projenrc/record-publishing-timestamp.ts
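Review bot: `AdcPublishing` may now be constructed twice: the second `.projenrc.ts` hunk adds `new AdcPublishing(repoProject);`, but the import hunk adds only `RecordPublishingTimestamp`, so the class was presumably already imported and possibly already instantiated elsewhere in the file. The synthesized `release.yml` in this commit gains a second `standalone: Upload artifact` step whose `name`, `path` and `overwrite` values match the `with:` values of the step directly above it, which is what a duplicate registration would produce. Please confirm the component is constructed exactly once and, if an earlier call still exists, remove one of them. The earlier part of `.projenrc.ts` is outside the hunk, so this cannot be confirmed from the lines shown.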
@@ -0,0 +1,68 @@
+import { Monorepo } from 'cdklabs-projen-project-types/lib/yarn';
+import { Component } from 'projen';
+import { JobPermission } from 'projen/lib/github/workflows-model';
+
+/**
+ * Record publishing timestamp to SSM
+ */
+export class RecordPublishingTimestamp extends Component {
+ constructor(private readonly project_: Monorepo) {
+ super(project_);
+ }
+
+ public preSynthesize() {
+ const ssmPrefix = '/published/cdk/cli';
+
+ const releaseWf = this.project_.github?.tryFindWorkflow('release');
+ if (!releaseWf) {
+ throw new Error('Could not find release workflow');
+ }
+
+ releaseWf.addJob('record_timestamp', {
+ name: 'aws-cdk: Record publishing timestamp',
+ environment: 'releasing', // <-- this has the configuration
+ needs: ['release'],
+ runsOn: ['ubuntu-latest'],
+ permissions: {
+ contents: JobPermission.WRITE,
+ },
+ if: '${{ needs.release.outputs.latest_commit == github.sha }}',
+ steps: [
+ {
+ name: 'Download build artifacts',
+ uses: 'actions/download-artifact@v4',
+ with: {
+ name: 'aws-cdk_build-artifact',
+ path: 'dist',
+ },
+ },
+ {
+ name: 'Read version from build artifacts',
+ id: 'aws-cdk-version',
+ run: 'echo "version=$(cat dist/version.txt)" >> $GITHUB_OUTPUT',
+ },
+ {
+ name: 'Authenticate Via OIDC Role',
+ id: 'creds',
+ uses: 'aws-actions/configure-aws-credentials@v4',
+ with: {
+ 'aws-region': 'us-east-1',
+ 'role-duration-seconds': 14400,
+ 'role-to-assume': '${{ vars.AWS_ROLE_TO_ASSUME_FOR_ACCOUNT }}',
+ 'role-session-name': 'releasing@aws-cdk-cli',
+ 'output-credentials': true,
+ 'mask-aws-account-id': true,
+ },
+ },
+ {
+ name: 'Publish artifacts',
+ run: [
+ `aws ssm put-parameter --name "${ssmPrefix}/version" --type "String" --value "\${{ steps.aws-cdk-version.outputs.version }}" --overwrite`,
+ `aws ssm put-parameter --name "${ssmPrefix}/timestamp" --type "String" --value "$(date +%s)" --overwrite`,
+ ].join('\n'),
+ },
+ ],
+ });
+ }
+}
+
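Review bot: The `record_timestamp` job's `permissions` block grants only `contents: JobPermission.WRITE`, yet its `Authenticate Via OIDC Role` step assumes a role with no static keys in view. GitHub issues an OIDC token only to jobs that hold `id-token: write`, and no visible step needs repository write access, so the grant looks both insufficient and broader than needed unless the `releasing` environment supplies credentials some other way. In the `Publish artifacts` step, `${{ steps.aws-cdk-version.outputs.version }}` is expanded into the script text before the shell runs, so the content of `dist/version.txt` is parsed as shell in a job that holds the assumed role. Passing the value through `env` and quoting `"$VERSION"` keeps it as data. Both actions are referenced by the mutable `@v4` tag, and pinning them to a full commit SHA is worth considering for a job with release credentials.

```typescript
      permissions: {
        idToken: JobPermission.WRITE, // needed for the OIDC role assumption below
      },
      // … unchanged: if condition, download, read-version and OIDC steps …
        {
          name: 'Publish artifacts',
          env: {
            // the runner places the value in the environment, not in the script text
            VERSION: '${{ steps.aws-cdk-version.outputs.version }}',
          },
          run: [
            `aws ssm put-parameter --name "${ssmPrefix}/version" --type "String" --value "$VERSION" --overwrite`,
            // … unchanged: timestamp put-parameter line …
          ].join('\n'),
        },
```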