feat(release): adding automation to publish on SAR on new GH releases

lmammino · Oct 30, 2023 · 4a5343d · 4a5343d
1 parent 1b74d09
commit 4a5343d
Show file tree

Hide file tree

Showing 4 changed files with 158 additions and 0 deletions.
diff --git a/.github/aws/README.md b/.github/aws/README.md
@@ -0,0 +1,9 @@
+This folder contains the SAM template that is used to bootstrap the necessary infrastructure and integration between GitHub and AWS.
+
+This is intended to be a one off operation to he deployed manually. Once deployed, the GitHub repository will be able to perform certain operations against the given AWS account (e.g. publish files in a bucket or publish to the Serverless Application Repository).
+
+Deploy with:
+
+```bash
+sam deploy
+```
diff --git a/.github/aws/samconfig.toml b/.github/aws/samconfig.toml
@@ -0,0 +1,14 @@
+version = 0.1
+[default.deploy.parameters]
+stack_name = "lmammino-oidc-authorized-github-actions"
+resolve_s3 = true
+s3_prefix = "lmammino-oidc-authorized-github-actions"
+region = "eu-west-1"
+confirm_changeset = true
+capabilities = [
+  "CAPABILITY_AUTO_EXPAND",
+  "CAPABILITY_NAMED_IAM",
+  "CAPABILITY_IAM",
+]
+parameter_overrides = "GitHubThumbprint=\"1b511abead59c6ce207077c0bf0e0043b1382612\" GitHubRepoName=\"lmammino/oidc-authorizer\""
+image_repositories = []
diff --git a/.github/aws/template.yml b/.github/aws/template.yml
@@ -0,0 +1,76 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: "Provision the services required to setup the CI/CD using GitHub actions for lmammino/oidc-authorizer"
+
+Parameters:
+  GitHubThumbprint:
+    Type: String
+    Description: The thumbprint of the GitHub TLS certificate
+    Default: "1b511abead59c6ce207077c0bf0e0043b1382612" # Might need to be refreshed when the cert is rotated
+  GitHubRepoName:
+    Type: String
+    Description: The name of the repository
+    Default: "lmammino/oidc-authorizer"
+
+Resources:
+  SarArtifactsBucket:
+    Type: AWS::S3::Bucket
+
+  SarArtifactBucketPolicy:
+    Type: AWS::S3::BucketPolicy
+    Properties:
+      Bucket: !Ref SarArtifactsBucket
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: serverlessrepo.amazonaws.com
+            Action: s3:GetObject
+            Resource: !Sub arn:aws:s3:::${SarArtifactsBucket}/*
+            Condition:
+              StringEquals:
+                aws:SourceAccount: !Ref "AWS::AccountId"
+
+  GitHubOIDCProvider:
+    Type: AWS::IAM::OIDCProvider
+    Properties:
+      Url: "https://token.actions.githubusercontent.com"
+      ClientIdList:
+        - "sts.amazonaws.com"
+      ThumbprintList:
+        - !Ref GitHubThumbprint
+
+  GitHubIAMRole:
+    Type: AWS::IAM::Role
+    Properties:
+      Path: "/"
+      RoleName: GitHubActionLmamminoOidcProvider
+      AssumeRolePolicyDocument:
+        Statement:
+          - Effect: Allow
+            Action: sts:AssumeRoleWithWebIdentity
+            Principal:
+              Federated: !Ref GitHubOIDCProvider
+            Condition:
+              StringLike:
+                token.actions.githubusercontent.com:sub: !Sub repo:${GitHubRepoName}:*
+      MaxSessionDuration: 3600
+      Description: !Sub "Github Actions role for ${GitHubRepoName}"
+      Policies:
+        - PolicyName: "AllowWriteToSarArtifactsBucket"
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: Allow
+                Action:
+                  - "s3:PutObject*"
+                Resource:
+                  - !Sub "arn:aws:s3:::${SarArtifactsBucket}/*"
+
+Outputs:
+  SarArtifactsBucket:
+    Description: The name of the generated SAR artifacts bucket
+    Value: !Ref SarArtifactsBucket
+  GitHubIamRoleArn:
+    Description: The ARN of the role that needs to be assumed by GitHub
+    Value: !GetAtt GitHubIAMRole.Arn
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,59 @@
+name: Release
+
+on:
+  # TODO: add on release creation
+  workflow_dispatch: {}
+
+env:
+  AWS_REGION: eu-west-1
+  SAR_ARTIFACT_BUCKET: ${{ secrets.SAR_ARTIFACT_BUCKET }}
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v3
+
+      - uses: aws-actions/setup-sam@v2
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_REPO_ROLE_ARN }}
+          aws-region: eu-west-1
+
+      - name: Install rust
+        uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: stable
+
+      - name: Install zig
+        uses: goto-bus-stop/setup-zig@v2
+
+      - uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            ~/.cargo/bin
+            target
+          key: ${{ runner.os }}-release-${{ hashFiles('**/Cargo.lock') }}
+
+      - name: Install cargo lambda
+        run: |
+          if [ ! -f  ~/.cargo/bin/cargo-lambda ]
+          then
+            cargo install --locked cargo-lambda
+          else
+            echo "Cargo Lambda already installed"
+          fi
+
+      - name: Sam build
+        run: |
+          sam build
+          sam package --output-template-file .aws-sam/packaged.yml --s3-bucket ${{ secrets.SAR_ARTIFACT_BUCKET }}
+
+      - name: Sam publish
+        run: sam publish --template .aws-sam/packaged.yml --region eu-west-1