Add publication to release workflow

Mark R. Tuttle · Mark R. Tuttle · commit d7def9d35c64 · 2022-11-05T16:55:26.000-04:00
diff --git a/.github/cloudformation/README.md b/.github/cloudformation/README.md
@@ -0,0 +1,4 @@
+These are
+[AWS CloudFormation templates](https://aws.amazon.com/cloudformation/resources/templates/)
+for maintaining the Azure DevOps and Microsoft Marketplace credentials
+used to publish the CBMC Proof Debugger.
diff --git a/.github/cloudformation/azure.yaml b/.github/cloudformation/azure.yaml
@@ -0,0 +1,33 @@
+Description: >
+  Login credentials for the Azure DevOps account used to manage the
+  model-checking publisher in the Microsoft Marketplace.
+
+Resources:
+
+  AzureDevOpsUsername:
+    Type: AWS::SecretsManager::Secret
+    Properties:
+      Name: AzureDevOpsUsername
+      Description: >
+        Username for the Azure DevOps account used to manage the
+        model-checking publisher in the Microsoft Marketplace.
+
+  AzureDevOpsPassword:
+    Type: AWS::SecretsManager::Secret
+    Properties:
+      Name: AzureDevOpsPassword
+      Description: >
+        Password for the Azure DevOps account used to manage the
+        model-checking publisher in the Microsoft Marketplace.
+
+Outputs:
+
+  AzureDevOpsUsername:
+    Value: !Ref AzureDevOpsUsername
+    Export:
+      Name: AzureDevOpsUsername
+
+  AzureDevOpsPassword:
+    Value: !Ref AzureDevOpsPassword
+    Export:
+      Name: AzureDevOpsPassword
diff --git a/.github/cloudformation/oidc.yaml b/.github/cloudformation/oidc.yaml
@@ -0,0 +1,23 @@
+Description:
+  Register the GitHub identity provider with the AWS security token service.
+
+Resources:
+  GithubIdentityProvider:
+    Type: AWS::IAM::OIDCProvider
+    Properties:
+      Url:
+        # The GitHub identity provider supporting OIDC
+        https://token.actions.githubusercontent.com
+      ThumbprintList:
+        # The GitHub certification authority (the signature of its certificate)
+        - 6938fd4d98bab03faadb97b34396831e3780aea1
+      ClientIdList:
+        # The AWS security token service
+        - sts.amazonaws.com
+
+
+Outputs:
+  GithubIdentityProvider:
+    Value: !Ref GithubIdentityProvider
+    Export:
+      Name: GithubIdentityProvider
diff --git a/.github/cloudformation/token.yaml b/.github/cloudformation/token.yaml
@@ -0,0 +1,66 @@
+Description: >
+  The personal access token for the Azure DevOps account used to manage the
+  model-checking publisher in the Microsoft Marketplace.
+  Enable storage of the PAT in the AWS Secrets Manager and access to the PAT
+  from the GitHub workflows in model-checking/cbmc-proof-debugger.
+
+Parameters:
+  GithubRepoOrganization:
+    Type: String
+    Description: GitHub organization for the cbmc-proof-debugger
+    Default: model-checking
+  GithubRepoName:
+    Type: String
+    Description: GitHub repository for the cbmc-proof-debugger
+    Default: cbmc-proof-debugger
+
+Resources:
+
+  PublisherToken:
+    Type: AWS::SecretsManager::Secret
+    Properties:
+      Name: AzureDevOpsPAT
+      Description: >
+        The personal access token for the Azure DevOps account used to
+        manage the model-checking publisher in the Microsoft Marketplace.
+
+  PublisherTokenReader:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: PublisherTokenReader
+      Description: >
+        This role can retrieve the personal access token for the model
+        checking publisher in the Microsoft Marketplace.
+
+      AssumeRolePolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Principal:
+              Federated: !ImportValue GithubIdentityProvider
+            Action: sts:AssumeRoleWithWebIdentity
+            Condition:
+              StringEquals:
+                token.actions.githubusercontent.com:aud: sts.amazonaws.com
+              StringLike:
+                token.actions.githubusercontent.com:sub:
+                  !Sub repo:${GithubRepoOrganization}/${GithubRepoName}:*
+
+      Policies:
+        - PolicyName: PublisherTokenAccess
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: Allow
+                Action: secretsmanager:GetSecretValue
+                Resource: !Ref PublisherToken
+
+Outputs:
+  PublisherToken:
+    Value: !Ref PublisherToken
+    Export:
+      Name: PublisherToken
+  PublisherTokenReader:
+    Value: !GetAtt PublisherTokenReader.Arn
+    Export:
+      Name: PublisherTokenReader
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -1,41 +1,58 @@
 name: Release CBMC proof debugger
 
-# A new release is triggered by a new tag of the form debugger-VERSION.
+# A new tag of the form debugger-VERSION will trigger a new release,
+# upload the package to the release page, and publish the package
+# to the Microsoft Marketplace for Visual Studio Code extensions
+# using the Model Checking publisher.
 
-# GitHub has deprecated actions/create-release
-# https://github.com/actions/create-release
+# Code checkout notes:
+#   GitHub has deprecated actions/create-release
+#   https://github.com/actions/create-release
 #
-# GitHub recommends four actions including
-#   softprops/action-gh-release is highly rated but includes deprecated code
-#     https://github.com/softprops/action-gh-release
-#   ncipollo/release-action@v1
-#     https://github.com/ncipollo/release-action
+#   GitHub recommends four actions including
+#     softprops/action-gh-release is highly rated but includes deprecated code
+#       https://github.com/softprops/action-gh-release
+#     ncipollo/release-action@v1
+#       https://github.com/ncipollo/release-action
+
+# AWS credentials notes:
+#   GitHub has decprecated Node12 in favor of Node16
+#   We use the workaround recommended by the AWS credentials package, see
+#   https://github.com/aws-actions/configure-aws-credentials/issues/489
+#     #issuecomment-1278145876
 
 on:
   push:
     tags:
       - debugger-*
 
+env:
+  AWS_ROLE: arn:aws:iam::${{secrets.AWS_ACCOUNT}}:role/PublisherTokenReader
+  AWS_REGION: us-west-2
+  PAT_ID: AzureDevOpsPAT
+
 jobs:
   Release:
     name: Release proof debugger
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
     steps:
 
       - name: Checkout repository
         uses: actions/checkout@v3
 
-      - name: Get version numbers
+      - name: Validate release and tagged version numbers
+        # $GITHUB_REF is refs/tags/debugger-VERSION
         run: |
-          # The environment variable GITHUB_REF is refs/tags/debugger-*
-          echo "PACKAGE_VERSION=$(jq -r '.version' package.json)" >> $GITHUB_ENV
-          echo "TAG_VERSION=$(echo ${{ github.ref }} | cut -d "/" -f 3 | cut -d "-" -f 2)" >> $GITHUB_ENV
-      - name: Compare version numbers
-        run: |
-          if [[ ${{ env.PACKAGE_VERSION }} != ${{ env.TAG_VERSION }} ]]; then
-            echo "Package version ${{env.PACKAFGE_VERSION}} does not match tag version ${{env.TAG_VERSION}}"
+          REL=$(jq -r '.version' package.json)
+          TAG=$(echo $GITHUB_REF | cut -d "/" -f 3 | cut -d "-" -f 2)
+          if [[ $REL != $TAG ]]; then
+            echo Release version $REL does not match tagged version $TAG
             exit 1
           fi
+          echo "VERSION=$REL" >> $GITHUB_ENV
 
       - name: Create package
         run: make setup-ubuntu package
@@ -46,10 +63,21 @@ jobs:
           artifacts: "*.vsix"
           artifactContentType: application/zip
           body: |
-            This release is CBMC Proof Debugger version ${{ env.TAG_VERSION }}.  For the latest release, go to the [Marketplace](https://marketplace.visualstudio.com/vscode) for Visual Studio Code extensions.
+            This release is CBMC Proof Debugger version ${{ env.VERSION }}.  For the latest release, go to the [Marketplace](https://marketplace.visualstudio.com/vscode) for Visual Studio Code extensions.
 
-            To install this release, download the package `proof-debugger-${{ env.TAG_VERSION }}.vsix` below and install it with
+            To install this release, download the package `proof-debugger-${{ env.VERSION }}.vsix` below and install it with
 
             ```
-            code --install-extension proof-debugger-${{ env.TAG_VERSION }}.vsix
+            code --install-extension proof-debugger-${{ env.VERSION }}.vsix
             ```
+
+      - name: Authenticate GitHub workflow to AWS
+        uses: aws-actions/configure-aws-credentials@v1-node16
+        with:
+          role-to-assume: ${{ env.AWS_ROLE }}
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Publish release
+        run: |
+          VSCE_PAT=$(aws secretsmanager get-secret-value --secret-id $PAT_ID | jq -r '.SecretString')
+          make publish
