ci: add Rust release workflows for aws-esdk #916
Open
lucasmcdonald3 wants to merge 6 commits into
Publishes the aws-esdk crate to crates.io via GitHub Actions using a crates.io API token issued under the Crypto Tools CI bot account (stored as the CARGO_REGISTRY_TOKEN repo secret, gated by the crates-io-publish environment). Manual workflow_dispatch only. Version is taken from Cargo.toml; the optional input acts as a typo safeguard. Towards: P432256706
- Rewrite rust-release.yml to match the DBESDK design (Cargo.toml is the source of truth, optional input is a typo safeguard, jq for metadata, post-publish test_published.sh with crates.io propagation poll).
- Add rust-start-release.yml that runs AwsEncryptionSDK/runtimes/rust/start_release.sh on a CI runner and opens a release PR back to mainline.
Mirror the corresponding fix on aws-database-encryption-sdk-dynamodb: hard-fail dispatch on non-mainline, check out mainline explicitly, and push/open the release PR using the Crypto Tools CI bot's PAT (pulled via the existing GitHub-CI-CI-Bot-Credential-Access-Role) so the PR fires required-checks workflows. Drop the 'or after merging' option from the generated PR body.
Pull request overview
Adds two GitHub Actions workflows to move the aws-esdk Rust release process off developer laptops: one regenerates releases/rust/esdk/ and opens a release PR as the CI bot, and the other publishes to crates.io and runs the post-publish smoke test from the release PR's branch.
Changes:
- New `rust-start-release.yml`: validates a N.N.N version, sets up Dafny/Java/Rust, runs `start_release.sh`, commits the regenerated release dir, and opens a PR as the CI bot using a PAT pulled from AWS Secrets Manager.
- New `rust-release.yml`: gated on the `crates-io-publish` environment, optionally validates the input version against `Cargo.toml`, dry-runs and runs `cargo publish`, polls crates.io for availability, and runs `test_published.sh`.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| `.github/workflows/rust-start-release.yml` | New workflow that regenerates releases/rust/esdk/ on a release branch and opens the release PR as the CI bot. |
| `.github/workflows/rust-release.yml` | New workflow that publishes aws-esdk to crates.io and runs the post-publish smoke test against the new version. |
Comment on lines +163 to +174
| gh pr create \ | ||
| --base mainline \ | ||
| --head "${BRANCH}" \ | ||
| --title "chore(release): aws-esdk v${VERSION}" \ | ||
| --body "Automated release PR generated by \`rust-start-release.yml\` for aws-esdk v${VERSION}. | ||
|
|
||
| Reviewer checklist: | ||
| - Update \`CHANGELOG.md\` inside AwsEncryptionSDK/runtimes/rust/ with the changes for this version. | ||
| - If this is a major version bump, update \`SUPPORT_POLICY.rst\` for Rust. | ||
| - After approval and BEFORE merging, dispatch the \`Rust Release\` workflow on this branch to publish to crates.io and run \`test_published.sh\`. | ||
|
|
||
| Do NOT merge this PR before publishing." |
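Review bot: the checklist line "After approval and BEFORE merging, dispatch the `Rust Release` workflow on this branch" has the crate published from the unmerged release branch, and nothing in this body pins which commit that is. The first checklist item asks for `CHANGELOG.md` edits on the same branch, so a commit pushed after the dispatch would leave mainline differing from the published crate. Consider adding a checklist line that no commits land on the branch after publishing, and having the release workflow comment the published commit SHA on the PR.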
Comment on lines +31 to +39
| jobs: | ||
| publish: | ||
| name: Publish aws-esdk to crates.io | ||
| runs-on: ubuntu-22.04 | ||
| environment: crates-io-publish | ||
| permissions: | ||
| id-token: write | ||
| contents: read | ||
| steps: |
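Review bot: `id-token: write` under `permissions:` is granted to the whole `publish` job, so every step in it can request an OIDC token, while the publish step shown elsewhere in this PR authenticates with the `CARGO_REGISTRY_TOKEN` secret. If the OIDC token is only needed by the post-publish test, move that test into a second job that carries `id-token: write` and leave this job with `contents: read` only.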
Comment on lines +63 to +75
| - name: Verify input version matches Cargo.toml (if provided) | ||
| if: ${{ github.event.inputs.version != '' }} | ||
| shell: bash | ||
| env: | ||
| INPUT_VERSION: ${{ github.event.inputs.version }} | ||
| CARGO_VERSION: ${{ steps.cargo.outputs.version }} | ||
| run: | | ||
| set -euo pipefail | ||
| if [ "${INPUT_VERSION}" != "${CARGO_VERSION}" ]; then | ||
| echo "::error::Input version '${INPUT_VERSION}' does not match Cargo.toml version '${CARGO_VERSION}'." | ||
| exit 1 | ||
| fi | ||
| echo "Input version matches Cargo.toml: ${CARGO_VERSION}" |
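Review bot: the `if: ${{ github.event.inputs.version != '' }}` condition skips this step when the input is left blank, so a dispatch without a version publishes whatever `Cargo.toml` holds with no cross-check. Passing both values through `env:` instead of interpolating them into the script is the right call. For a check that always runs, also compare `CARGO_VERSION` with the version in the dispatching branch name (the start-release workflow creates `release/esdk/v${VERSION}`) and fail on a mismatch.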
| run: | | ||
| set -euo pipefail | ||
| BRANCH="release/esdk/v${VERSION}" | ||
| git checkout -b "${BRANCH}" |
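Review bot: `git checkout -b "${BRANCH}"` only creates the branch locally, and these lines do not check whether `release/esdk/v${VERSION}` already exists on the remote from an earlier run for the same version. Consider failing early when `git ls-remote --exit-code --heads origin "${BRANCH}"` succeeds, so a re-dispatch cannot collide with an existing release branch. `VERSION` also ends up in a ref name here, so this step depends on the version format validation having run first.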
Comment on lines +77 to +87
| - name: Cargo publish (dry run) | ||
| shell: bash | ||
| working-directory: releases/rust/esdk | ||
| run: cargo publish --dry-run | ||
|
|
||
| - name: Cargo publish | ||
| shell: bash | ||
| working-directory: releases/rust/esdk | ||
| env: | ||
| CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }} | ||
| run: cargo publish |
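Review bot: in the `Cargo publish` step, `cargo publish` repeats the packaging and verification build that the dry run just did, this time with `CARGO_REGISTRY_TOKEN` in the step environment, so dependency build scripts execute while the token is set. Since the dry-run step has already verified the package, consider `cargo publish --no-verify` for the real publish, and `--locked` on both steps if a `Cargo.lock` is committed under `releases/rust/esdk`, so both steps resolve the same dependency versions. Keeping the token scoped to this one step's `env:` is good.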
| type: string | ||
|
|
||
| permissions: {} | ||
|
|
Issue #, if available:
Description of changes:
Adds two GHA workflows that move RELEASE off developer laptops: `rust-start-release.yml` regenerates `releases/rust/esdk/` and opens the release PR, and `rust-release.yml` publishes `aws-esdk` to crates.io and runs `test_published.sh` on the release PR's branch.
Squash/merge commit message, if applicable:
ci: add Rust release workflows for aws-esdk
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.