-
Notifications
You must be signed in to change notification settings - Fork 0
327 lines (284 loc) · 11.9 KB
/
release-lambda.yml
File metadata and controls
327 lines (284 loc) · 11.9 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
name: Release Lambda Extension
on:
push:
tags:
- "v[0-9]+.[0-9]+.[0-9]+"
workflow_dispatch:
inputs:
version:
description: "Version number (e.g., 100). If not provided, auto-increments from latest."
required: false
type: string
regions:
description: "Comma-separated AWS regions to publish to (e.g., 'us-east-1,us-west-2')"
required: false
default: "us-east-1"
type: string
architectures:
description: "Architectures to build and publish"
required: false
default: "amd64,arm64"
type: choice
options:
- "amd64"
- "arm64"
- "amd64,arm64"
dry_run:
description: "Dry run - build but don't publish to AWS"
required: false
default: false
type: boolean
permissions:
id-token: write
contents: read
jobs:
prepare:
name: Prepare release
runs-on: ubuntu-24.04
outputs:
version: ${{ steps.version.outputs.version }}
regions_json: ${{ steps.vars.outputs.regions_json }}
build_matrix: ${{ steps.matrix.outputs.build_matrix }}
publish_matrix: ${{ steps.matrix.outputs.publish_matrix }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Determine version
id: version
run: |
if [ -n "${{ inputs.version }}" ]; then
# Strip 'v' prefix if present and extract number
VERSION=$(echo "${{ inputs.version }}" | sed 's/^v//')
echo "version=$VERSION" >> $GITHUB_OUTPUT
elif [[ "${{ github.ref }}" =~ ^refs/tags/v([0-9]+\.[0-9]+\.[0-9]+)$ ]]; then
# Convert semver to layer version number (e.g., 1.2.3 -> 10203)
SEMVER="${BASH_REMATCH[1]}"
MAJOR=$(echo "$SEMVER" | cut -d. -f1)
MINOR=$(echo "$SEMVER" | cut -d. -f2)
PATCH=$(echo "$SEMVER" | cut -d. -f3)
VERSION=$((MAJOR * 10000 + MINOR * 100 + PATCH))
echo "version=$VERSION" >> $GITHUB_OUTPUT
echo "Converted $SEMVER to layer version $VERSION"
else
# Auto-increment will happen at publish time per-region
echo "version=auto" >> $GITHUB_OUTPUT
fi
- name: Set variables
id: vars
run: |
# Convert regions to JSON array (compact, single line)
REGIONS="${{ inputs.regions || 'us-east-1' }}"
REGIONS_JSON=$(echo "$REGIONS" | jq -c -R 'split(",") | map(gsub("^\\s+|\\s+$";""))')
echo "regions_json=$REGIONS_JSON" >> $GITHUB_OUTPUT
echo "Regions: $REGIONS_JSON"
- name: Build matrices
id: matrix
run: |
ARCHS="${{ inputs.architectures || 'amd64,arm64' }}"
REGIONS="${{ inputs.regions || 'us-east-1' }}"
# Build matrix for build job with platform-specific runners
BUILD_MATRIX='{"include":['
FIRST=true
for arch in ${ARCHS//,/ }; do
if [ "$FIRST" = true ]; then
FIRST=false
else
BUILD_MATRIX="$BUILD_MATRIX,"
fi
if [ "$arch" = "amd64" ]; then
BUILD_MATRIX="$BUILD_MATRIX{\"arch\":\"amd64\",\"runner\":\"ubuntu-24.04\",\"platform\":\"linux/amd64\",\"zig_target\":\"x86_64\"}"
else
BUILD_MATRIX="$BUILD_MATRIX{\"arch\":\"arm64\",\"runner\":\"ubuntu-24.04-arm\",\"platform\":\"linux/arm64\",\"zig_target\":\"aarch64\"}"
fi
done
BUILD_MATRIX="$BUILD_MATRIX]}"
echo "build_matrix=$BUILD_MATRIX" >> $GITHUB_OUTPUT
echo "Build matrix: $BUILD_MATRIX"
# Publish matrix: arch x region combinations
PUBLISH_MATRIX='{"include":['
FIRST=true
for region in ${REGIONS//,/ }; do
region=$(echo "$region" | xargs) # trim whitespace
for arch in ${ARCHS//,/ }; do
if [ "$FIRST" = true ]; then
FIRST=false
else
PUBLISH_MATRIX="$PUBLISH_MATRIX,"
fi
PUBLISH_MATRIX="$PUBLISH_MATRIX{\"arch\":\"$arch\",\"region\":\"$region\"}"
done
done
PUBLISH_MATRIX="$PUBLISH_MATRIX]}"
echo "publish_matrix=$PUBLISH_MATRIX" >> $GITHUB_OUTPUT
echo "Publish matrix: $PUBLISH_MATRIX"
build:
name: Build ${{ matrix.arch }}
runs-on: ${{ matrix.runner }}
needs: prepare
timeout-minutes: 30
strategy:
fail-fast: false
matrix: ${{ fromJson(needs.prepare.outputs.build_matrix) }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
- name: Build Lambda extension
run: |
mkdir -p .layers
docker buildx build \
--progress plain \
--platform ${{ matrix.platform }} \
-f lambda/Dockerfile \
--build-arg VERSION=${{ github.ref_name }} \
--build-arg COMMIT=${{ github.sha }} \
--output type=local,dest=.layers/layer-${{ matrix.arch }} \
.
echo "Built extension:"
ls -la .layers/layer-${{ matrix.arch }}/extensions/
- name: Create Lambda layer zip
run: |
cd .layers/layer-${{ matrix.arch }}
# Create the zip with extensions directory
zip -r ../tero-edge-extension-${{ matrix.arch }}.zip extensions bin lib
cd ..
echo "Layer zip created:"
ls -lh *.zip
- name: Upload layer artifact
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
with:
name: tero-edge-extension-${{ matrix.arch }}
path: .layers/tero-edge-extension-${{ matrix.arch }}.zip
retention-days: 30
publish:
name: Publish ${{ matrix.arch }} to ${{ matrix.region }}
runs-on: ubuntu-24.04
needs: [prepare, build]
if: ${{ inputs.dry_run != true }}
strategy:
fail-fast: false
max-parallel: 5
matrix: ${{ fromJson(needs.prepare.outputs.publish_matrix) }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6
with:
role-to-assume: ${{ secrets.AWS_LAMBDA_LAYER_ROLE_ARN }}
aws-region: ${{ matrix.region }}
- name: Set variables
id: vars
run: |
if [ "${{ matrix.arch }}" == "amd64" ]; then
ARCH_SUFFIX=""
COMPATIBLE_ARCH="x86_64"
else
ARCH_SUFFIX="-ARM"
COMPATIBLE_ARCH="arm64"
fi
# Add -dev suffix for workflow_dispatch (manual) runs
if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
DEV_SUFFIX="-dev"
else
DEV_SUFFIX=""
fi
# Layer name: Tero-Edge-Extension[-ARM][-dev]
LAYER_NAME="Tero-Edge-Extension${ARCH_SUFFIX}${DEV_SUFFIX}"
echo "layer_name=$LAYER_NAME" >> $GITHUB_OUTPUT
echo "compatible_arch=$COMPATIBLE_ARCH" >> $GITHUB_OUTPUT
- name: Download layer artifact
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
with:
name: tero-edge-extension-${{ matrix.arch }}
path: .layers
- name: Publish Lambda layer
id: publish
run: |
aws sts get-caller-identity
LAYER_NAME="${{ steps.vars.outputs.layer_name }}"
LAYER_FILE=".layers/tero-edge-extension-${{ matrix.arch }}.zip"
COMPATIBLE_ARCH="${{ steps.vars.outputs.compatible_arch }}"
echo "Publishing $LAYER_NAME to ${{ matrix.region }}..."
# Publish a single new version (AWS auto-increments)
PUBLISHED_VERSION=$(aws lambda publish-layer-version \
--layer-name "$LAYER_NAME" \
--description "Tero Edge Lambda Extension - Datadog telemetry proxy with policy-based filtering" \
--compatible-architectures "$COMPATIBLE_ARCH" \
--zip-file "fileb://${LAYER_FILE}" \
--query 'Version' \
--output text)
echo "Published version $PUBLISHED_VERSION"
# Make the layer version public
aws lambda add-layer-version-permission \
--layer-name "$LAYER_NAME" \
--version-number "$PUBLISHED_VERSION" \
--statement-id public-access \
--action lambda:GetLayerVersion \
--principal "*"
echo "Made version $PUBLISHED_VERSION public"
echo "published_version=$PUBLISHED_VERSION" >> $GITHUB_OUTPUT
# Output the layer ARN for reference
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
LAYER_ARN="arn:aws:lambda:${{ matrix.region }}:${ACCOUNT_ID}:layer:${LAYER_NAME}:${PUBLISHED_VERSION}"
echo "Layer ARN: $LAYER_ARN"
echo "layer_arn=$LAYER_ARN" >> $GITHUB_OUTPUT
- name: Summary
run: |
echo "### Published Layer" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "- **Layer Name:** ${{ steps.vars.outputs.layer_name }}" >> $GITHUB_STEP_SUMMARY
echo "- **Version:** ${{ steps.publish.outputs.published_version }}" >> $GITHUB_STEP_SUMMARY
echo "- **Region:** ${{ matrix.region }}" >> $GITHUB_STEP_SUMMARY
echo "- **Architecture:** ${{ steps.vars.outputs.compatible_arch }}" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "**Layer ARN:**" >> $GITHUB_STEP_SUMMARY
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
echo "${{ steps.publish.outputs.layer_arn }}" >> $GITHUB_STEP_SUMMARY
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
upload-template:
name: Upload CloudFormation template
runs-on: ubuntu-24.04
needs: [prepare]
if: ${{ inputs.dry_run != true }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6
with:
role-to-assume: ${{ secrets.AWS_LAMBDA_LAYER_ROLE_ARN }}
aws-region: us-east-1
- name: Upload template to S3
run: |
aws s3 cp lambda/template.yaml s3://tero-public/lambda/template.yaml \
--content-type "application/x-yaml"
echo "### Uploaded CloudFormation Template" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "**URL:** https://tero-public.s3.amazonaws.com/lambda/template.yaml" >> $GITHUB_STEP_SUMMARY
release-summary:
name: Release Summary
runs-on: ubuntu-24.04
needs: [prepare, build, publish, upload-template]
if: always()
steps:
- name: Download all artifacts
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
with:
path: artifacts
- name: Generate summary
run: |
echo "## Tero Edge Lambda Extension Release Summary" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "### Build Artifacts" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "| Artifact | Size |" >> $GITHUB_STEP_SUMMARY
echo "|----------|------|" >> $GITHUB_STEP_SUMMARY
find artifacts -name "*.zip" -type f | while read f; do
NAME=$(basename "$f")
SIZE=$(du -h "$f" | cut -f1)
echo "| $NAME | $SIZE |" >> $GITHUB_STEP_SUMMARY
done
echo "" >> $GITHUB_STEP_SUMMARY
if [ "${{ inputs.dry_run }}" = "true" ]; then
echo "### Dry Run Mode" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "Layers were built but not published to AWS." >> $GITHUB_STEP_SUMMARY
fi