Skip to content

Fix: CDS-1756 reduce custom-resource function permissions scope (#124) #191

Fix: CDS-1756 reduce custom-resource function permissions scope (#124)

Fix: CDS-1756 reduce custom-resource function permissions scope (#124) #191

Workflow file for this run

name: Publish
on:
push:
paths:
- 'template.yaml'
workflow_dispatch:
env:
AWS_DEFAULT_REGION: eu-central-1
AWS_SERVERLESS_BUCKET: coralogix-serverless-repo
AWS_S3_PREFIX: coralogix-aws-shipper
REPO_BUCKET_PREFIX: coralogix-serverless-repo
jobs:
check_version:
if: ${{ github.event_name != 'workflow_dispatch' && github.ref == 'refs/heads/master' }}
runs-on: ubuntu-latest
outputs:
template_updated: ${{ env.updated }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 2 # Fetches the last two commits for comparison
- name: install yq
run: sudo snap install yq
- name: check if specific value has changed
id: check_change
run: |
set -xv
# Extract the value from the current commit
current=$(yq '.Metadata."AWS::ServerlessRepo::Application".SemanticVersion' template.yaml)
echo "current_version=$current" >> $GITHUB_ENV
# Extract the value from the previous commit
git checkout HEAD^ template.yaml
previous=$(yq '.Metadata."AWS::ServerlessRepo::Application".SemanticVersion' template.yaml)
# Compare the two values
echo "updated=false" >> $GITHUB_ENV
[ "$current" != "$previous" ] && echo "updated=true" >> $GITHUB_ENV
lastcommit=$(git log -1 --pretty=%B)
[[ $lastcommit =~ .*skip-version-check.* ]] && echo "updated=true" >> $GITHUB_ENV
set +xv
- name: create tag
if: env.updated == 'true'
uses: actions/github-script@v7
with:
script: |
github.rest.git.createRef({
owner: context.repo.owner,
repo: context.repo.repo,
ref: 'refs/tags/${{ env.current_version }}',
sha: context.sha
})
validate:
name: validate
runs-on: ubuntu-latest
steps:
- name: checkout
uses: actions/checkout@v4
- uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.AWS_DEFAULT_REGION }}
- uses: aws-actions/setup-sam@v2
with:
use-installer: true
- name: sam validate
working-directory: ./
run: sam validate
build:
name: build
needs: validate
if: ${{ github.event_name == 'workflow_dispatch' || success() }}
runs-on: ubuntu-latest
strategy:
matrix:
target:
- arm64
- x86-64
steps:
- name: checkout
uses: actions/checkout@v4
- uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.AWS_DEFAULT_REGION }}
- uses: actions/setup-python@v5
with:
python-version: '3.12'
cache: 'pip' # caching pip dependencies
- run: pip3 install cargo-lambda
- uses: aws-actions/setup-sam@v2
with:
use-installer: true
- name: start ssh agent for rust private dependencies
uses: webfactory/[email protected]
with:
ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
- name: install protobuf compiler
run: |
sudo apt-get update
sudo apt-get install -y protobuf-compiler
- name: install yq
run: sudo snap install yq
- name: get_version
id: get_version
run: |
set -xv
# Extract the value from the current commit
current=$(yq '.Metadata."AWS::ServerlessRepo::Application".SemanticVersion' template.yaml)
echo "current_version=$current" >> $GITHUB_ENV
- name: sam build
env:
RUST_ARCH: ${{ matrix.target }}
run: sam build
- name: package
run: |
sam package \
--s3-bucket ${{ env.AWS_SERVERLESS_BUCKET }} \
--s3-prefix '${{ env.AWS_S3_PREFIX }}/${{ matrix.target }}' \
--output-template-file packaged.yaml
- name: s3upload-x86-64-build
if: ${{ matrix.target == 'x86-64' }}
run: |
aws s3 cp \
$(yq -r '.Resources | to_entries | .[] | select(.key == "LambdaLayer" or .key == "LambdaFunction") | .value.Properties | to_entries | .[] | select(.key == "ContentUri" or .key == "CodeUri") | .value' packaged.yaml) \
s3://${{ env.AWS_SERVERLESS_BUCKET }}-${{ env.AWS_DEFAULT_REGION }}/coralogix-aws-shipper-${{ matrix.target }}.zip
- name: s3upload-${{ matrix.target }}-build-versioned
run: |
aws s3 cp \
$(yq -r '.Resources | to_entries | .[] | select(.key == "LambdaLayer" or .key == "LambdaFunction") | .value.Properties | to_entries | .[] | select(.key == "ContentUri" or .key == "CodeUri") | .value' packaged.yaml) \
s3://${{ env.AWS_SERVERLESS_BUCKET }}-${{ env.AWS_DEFAULT_REGION }}/coralogix-aws-shipper-${{ matrix.target }}-${{ env.current_version }}.zip
- name: store-arm64-package
uses: actions/upload-artifact@v4
# only store the arm64 package as this is the
# only one that will be published to SAR
if: ${{ matrix.target == 'arm64' }}
with:
name: packaged.yaml
path: packaged.yaml
publish:
name: publish
needs: [check_version , build]
if: ${{ github.event_name == 'workflow_dispatch' || (success() && needs.check_version.outputs.template_updated == 'true' && github.ref == 'refs/heads/master') }}
runs-on: ubuntu-latest
env:
AWS_SERVERLESS_BUCKET: coralogix-serverless-repo
steps:
- uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.AWS_DEFAULT_REGION }}
- name: download
uses: actions/download-artifact@v4
with:
name: packaged.yaml
- name: publish
run: sam publish --template packaged.yaml
- name: store
run: |
aws s3 cp \
$(yq -r '.Resources | to_entries | .[] | select(.key == "LambdaLayer" or .key == "LambdaFunction") | .value.Properties | to_entries | .[] | select(.key == "ContentUri" or .key == "CodeUri") | .value' packaged.yaml) \
s3://${{ env.AWS_SERVERLESS_BUCKET }}-${{ env.AWS_DEFAULT_REGION }}/coralogix-aws-shipper.zip
# upload custom resource
aws s3 cp \
$(yq -r '.Resources | to_entries | .[] | select(.key == "CustomResourceFunction") | .value.Properties | .CodeUri' packaged.yaml) \
s3://${{ env.AWS_SERVERLESS_BUCKET }}-${{ env.AWS_DEFAULT_REGION }}/coralogix-aws-shipper-custom-resource.zip