create-release.yaml
# Release workflow. It only runs when started by hand (workflow_dispatch);
# there is no push, pull_request or schedule trigger.
name: Create and Publish Release

on:
  workflow_dispatch:
    inputs:
      # Which part of the version to increment. A closed list, so the
      # dispatch form offers only these three values.
      bump_type:
        description: "Version bump type"
        required: true
        default: "patch"
        type: choice
        options:
          - patch
          - minor
          - major
      # Branch that is checked out, pushed to and tagged. Also a closed list.
      branch:
        description: "Branch to release from"
        required: true
        default: "main"
        type: choice
        options:
          - main
          - dev
      # Free-form text supplied by whoever dispatches the run. Unlike the two
      # choice inputs above it is unconstrained, so every step that consumes
      # it must handle it as untrusted data, never as script text.
      additional_notes:
        description: "Additional release notes (OPTIONAL)"
        required: false
        type: string
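jobs:
  # Single job: validate secrets, lint, bump the version, push the bump commit
  # and publish a GitHub release for the selected branch.
  #
  # Hardening applied in this job:
  #   * Inputs, step outputs and secrets reach shell steps through `env:`
  #     instead of being expanded with ${{ }} inside the script. ${{ }} is
  #     substituted into the script text before bash parses it, so a value
  #     containing quotes or command substitutions would become shell code.
  #   * The release description is written to $GITHUB_OUTPUT with a random
  #     heredoc delimiter, so a newline in the free-form notes cannot define
  #     additional step outputs.
  #   * File redirections quote "$GITHUB_OUTPUT".
  #
  # NOTE(review): every `uses:` below references a mutable tag (@v4, @v5, @v2,
  # @v1). Pinning each action to a full commit SHA prevents a retagged or
  # compromised upstream from running in a job that holds AWS credentials and
  # a write-scoped token.
  create-release:
    name: Create and Publish Release
    runs-on: ubuntu-latest
    permissions:
      # Needed to push the bump commit and to create the tag and release.
      contents: write
      # NOTE(review): no step visible in this workflow calls the Actions API;
      # confirm this scope is required and drop it if not.
      actions: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.inputs.branch }}
          token: ${{ secrets.GITHUB_TOKEN }}

      # Validate secrets
      - name: Preflight Check for Secrets
        env:
          REPO_NAME: ${{ github.event.repository.name }}
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_REGION_NAME: ${{ secrets.AWS_REGION_NAME }}
        run: |
          echo "Validating GitHub Actions secrets in repo=${REPO_NAME}"
          MISSING_SECRETS=()
          # Check each secret by name; only presence is reported, the values
          # are never printed.
          for secret_name in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_REGION_NAME; do
            if [[ -z "${!secret_name}" ]]; then
              echo "❌ ${secret_name} is missing"
              MISSING_SECRETS+=("${secret_name}")
            else
              echo "✅ ${secret_name} found"
            fi
          done
          # Secret validation check
          if [ ${#MISSING_SECRETS[@]} -ne 0 ]; then
            echo "One or more required secrets are missing: ${MISSING_SECRETS[*]}. Please set them before running the workflow."
            exit 1
          else
            echo "✅ All required secrets are set. Proceeding..."
          fi

      # Setup tools
      - name: Install uv
        uses: astral-sh/setup-uv@v5

      # Quality checks
      - name: Run linting with ruff
        run: uv tool run ruff check

      # NOTE(review): this exports long-lived access keys to the environment of
      # every later step, including pre-commit hooks and `uv sync`, which run
      # repository and third-party code. The only AWS call visible in this
      # workflow is `sts get-caller-identity`. Consider GitHub OIDC
      # (`role-to-assume` plus `id-token: write`) for short-lived credentials,
      # and configure them only around the steps that need them.
      # NOTE(review): the preflight step requires AWS_REGION_NAME, but the
      # region here is hard-coded; confirm which one is intended.
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-2

      # NOTE(review): `account_id` is not read by any later step in this file.
      - name: Get AWS Account ID
        id: aws-account
        run: |
          ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
          echo "account_id=${ACCOUNT_ID}" >> "$GITHUB_OUTPUT"

      # NOTE(review): no visible step installs pre-commit; confirm it is
      # available on the runner image.
      - name: Run pre-commit
        run: pre-commit run --all-files

      # Version handling
      - name: Get current version
        id: current-version
        run: |
          CURRENT_VERSION=$(uv version)
          echo "current_version=$CURRENT_VERSION" >> "$GITHUB_OUTPUT"

      - name: Bump version
        id: bump-version
        env:
          BUMP_TYPE: ${{ github.event.inputs.bump_type }}
        run: |
          # Re-check the value in the script so the step does not rely solely
          # on the dispatch form's option list.
          case "$BUMP_TYPE" in
            patch|minor|major) ;;
            *)
              echo "Unsupported bump type: ${BUMP_TYPE}" >&2
              exit 1
              ;;
          esac
          BUMPED_VERSION=$(uv version --bump "$BUMP_TYPE" | awk -F '=> ' '{print $2}')
          # The pipeline's exit status is awk's, so a failed or reformatted
          # `uv version` would otherwise yield an empty version and a bare
          # "v" tag further down.
          if [[ -z "$BUMPED_VERSION" ]]; then
            echo "Could not determine the bumped version from uv output" >&2
            exit 1
          fi
          echo "new_version=$BUMPED_VERSION" >> "$GITHUB_OUTPUT"
          # Sync the lock file
          uv sync

      # Commit and push changes
      - name: Set git config
        run: |
          git config user.name "GitHub Actions"
          git config user.email "actions@github.com"

      - name: Commit bumped version
        env:
          NEW_VERSION: ${{ steps.bump-version.outputs.new_version }}
          BRANCH_NAME: ${{ github.event.inputs.branch }}
        run: |
          git add pyproject.toml uv.lock
          git commit -m "Bump version to ${NEW_VERSION} [skip ci]"
          git push origin "$BRANCH_NAME"

      # Create release
      - name: Generate release description
        id: release-desc
        env:
          BRANCH_NAME: ${{ github.event.inputs.branch }}
          NEW_VERSION: ${{ steps.bump-version.outputs.new_version }}
          # Free-form dispatch input: only ever handled as data.
          ADDITIONAL_NOTES: ${{ github.event.inputs.additional_notes }}
        run: |
          if [[ -n "$ADDITIONAL_NOTES" ]]; then
            FORMATTED_NOTES=" Additional Notes: $ADDITIONAL_NOTES"
          else
            FORMATTED_NOTES=""
          fi
          if [[ "$BRANCH_NAME" == "dev" ]]; then
            RELEASE_TITLE="Development Release v$NEW_VERSION"
            RELEASE_DESC="Development stage release. Only for development purposes.$FORMATTED_NOTES"
          else
            RELEASE_TITLE="Release v$NEW_VERSION"
            RELEASE_DESC="Production release.$FORMATTED_NOTES"
          fi
          # Random delimiter: the notes cannot contain it, so they cannot end
          # the heredoc early and append their own name=value lines.
          OUTPUT_DELIMITER="ghadelim_$(openssl rand -hex 16)"
          {
            printf 'RELEASE_TITLE=%s\n' "$RELEASE_TITLE"
            printf 'RELEASE_DESC<<%s\n' "$OUTPUT_DELIMITER"
            printf '%s\n' "$RELEASE_DESC"
            printf '%s\n' "$OUTPUT_DELIMITER"
          } >> "$GITHUB_OUTPUT"

      - name: Create GitHub Release
        uses: softprops/action-gh-release@v1
        with:
          tag_name: v${{ steps.bump-version.outputs.new_version }}
          name: ${{ steps.release-desc.outputs.RELEASE_TITLE }}
          body: ${{ steps.release-desc.outputs.RELEASE_DESC }}
          draft: false
          prerelease: ${{ github.event.inputs.branch == 'dev' }}
          generate_release_notes: true
          token: ${{ secrets.GITHUB_TOKEN }}
          target_commitish: ${{ github.event.inputs.branch }}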