Add GitHub Actions workflows for hybrid npm/Maven/NuGet publishing (#1099)

chungjac · web-flow · commit e9b806c8bd6f · 2025-11-06T22:00:16.000-08:00
## Problem Relied on Github Actions to do the version increment, but actually any commits going into main but be done via PR, or have the appropriate permissions ``` remote: error: GH013: Repository rule violations found for refs/heads/main. remote: Review all repository rules at https://github.com/aws/aws-toolkit-common/rules?ref=refs%2Fheads%2Fmain remote: remote: - Changes must be made through a pull request. remote: remote: - 4 of 4 required status checks are expected. remote: To https://github.com/aws/aws-toolkit-common ! [remote rejected] main -> main (push declined due to repository rule violations) error: failed to push some refs to 'https://github.com/aws/aws-toolkit-common' Error: Process completed with exit code 1. ``` ## Solution Codepipelines has permission as it authenticates as `aws-toolkit-automation` user with write permissions to be able to push commits directly into `main` ### New Flow 1. When user merges PR to main, triggers Github Actions workflow which immediately triggers the CodePipeline 2. CodePipeline goes through stages 1. clone repo 2. aws-toolkit-automation commits version increment to main 3. build maven/nuget 4. publish maven/nuget 3. When aws-toolkit-automation commits version increment to main, Github Actions workflow will publish npm  ## License By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -1,21 +1,19 @@
-name: Publish packages
+name: Publish npm package
 
 on:
-  workflow_dispatch:
   push:
     branches: [main]
 
 permissions:
   id-token: write # Required for OIDC authentication with npm
-  contents: write # Required to push version commits
 
 jobs:
-  publish:
+  publish-npm:
+    # Only run if the commit is from aws-toolkit-automation (version increment)
+    if: github.event.head_commit.author.name == 'aws-toolkit-automation'
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Setup Node.js
         uses: actions/setup-node@v4
@@ -24,71 +22,12 @@ jobs:
           registry-url: 'https://registry.npmjs.org'
           scope: '@aws-toolkits'
 
-      - name: Validate release commits
-        run: |
-          VERSION=$(cat version)
-          echo "validating for package version: $VERSION"
-          
-          # Now we check if there are any "interesting" commits to create a release version. These are any
-          # commits that are neither 1. from dependabot or 2. a release commit.
-          AUTHOR_DEPENDABOT="dependabot[bot]"
-          AUTHOR_AUTOMATION="aws-toolkit-automation"
-          
-          SHOULD_RELEASE=false
-          for author in $(git log --pretty=%an)
-          do
-              if [ "$author" = $AUTHOR_DEPENDABOT ]; then
-                  # Ignore dependabot commits, keep searching.
-                  continue
-              elif [ "$author" != $AUTHOR_AUTOMATION ]; then
-                  # Found a commit to release since last release.
-                  SHOULD_RELEASE=true
-                  echo "found at least one commit to release, author: $author"
-              fi
-              
-              # If the commit wasn't from dependabot, then we have enough information.
-              break
-          done
-          
-          if [ $SHOULD_RELEASE != true ]; then
-              echo "no commits detected that are not from '$AUTHOR_DEPENDABOT' or '$AUTHOR_AUTOMATION'. skipping release."
-              exit 1
-          fi
-
-      - name: Increment version and commit
-        run: |
-          git config --global user.name "aws-toolkit-automation"
-          git config --global user.email "<>"
-          
-          # increase the version
-          cat version | (IFS="." ; read a b c && echo $a.$b.$((c + 1)) > version)
-          VERSION=$(cat version)
-          echo "version is now: $VERSION"
-          
-          git add version
-          git commit -m "Release version $VERSION"
-          git push origin main
-
-      - name: Build npm package
+      - name: Build and publish npm package
         run: |
           VERSION=$(cat version)
+          echo "Publishing npm package version: $VERSION"
           cd telemetry/vscode
           npm ci
           npm version "$VERSION"
           npm pack
-
-      - name: Publish to npm
-        run: |
-          cd telemetry/vscode
           npm publish $(ls -1 *.tgz) --access public
-
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          role-to-assume: arn:aws:iam::305657142372:role/GitHubActionsCodePipelineRole
-          role-session-name: github-actions-codepipeline
-          aws-region: us-west-2
-
-      - name: Trigger CodePipeline for Maven/NuGet
-        run: |
-          aws codepipeline start-pipeline-execution --name PackagePipeline
diff --git a/.github/workflows/trigger-codepipeline.yml b/.github/workflows/trigger-codepipeline.yml
@@ -0,0 +1,26 @@
+name: Trigger CodePipeline for Maven/NuGet
+
+on:
+  push:
+    branches: [main]
+
+permissions:
+  id-token: write # Required for OIDC authentication with AWS
+
+jobs:
+  trigger-pipeline:
+    # Only run if NOT from aws-toolkit-automation (avoid triggering on version commits)
+    if: github.event.head_commit.author.name != 'aws-toolkit-automation'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::305657142372:role/GitHubActionsCodePipelineRole
+          role-session-name: github-actions-codepipeline
+          aws-region: us-west-2
+
+      - name: Trigger CodePipeline for Maven/NuGet
+        run: |
+          echo "Triggering CodePipeline for user commit by ${{ github.event.head_commit.author.name }}"
+          aws codepipeline start-pipeline-execution --name PackagePipeline
