Merge pull request #191 from Asana/fix-github-actions-workflow

Fix github action publish workflow
Asana · Mar 14, 2024 · 0040753 · 0040753
2 parents 232a3dc + 6d791b0
commit 0040753
Showing 1 changed file with 82 additions and 35 deletions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -6,62 +6,101 @@ on:
       version:
         required: true
 
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
+  id-token: write
+
+env:
+  GENERATOR_VERSION: 3.0.54
+  GENERATOR_NAME: swagger-codegen-cli.jar
+  JAR_ASANA: codegen/swagger/target/AsanaClientCodegen-swagger-codegen-1.0.0.jar
+  ACTUAL_LANG: com.asana.codegen.PythonClientCodegenGenerator
+  NAME: asana
+
 jobs:
   generate-python-library:
-    name: Generate python client library
+    name: Generate Python client library
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-java@v3
+      - name: Authenticate to AWS
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: us-east-1
+          role-to-assume: arn:aws:iam::403483446840:role/autogen_role_beta_github_actions_release_asana_client_libraries
+      - name: Get GitHub app token
+        uses: asana/get-github-app-token@v1
+        id: get-token
+        with:
+          github-app-name: asana-publish-client-libraries
+      - name: Checkout repo files and set the git token
+        uses: actions/checkout@v4
+        with:
+          token: ${{ steps.get-token.outputs.app-token }}
+      - uses: actions/setup-java@v4
         with:
           distribution: "temurin"
           java-version: "17"
-      - name: Setup environment variables
-        run: |
-          echo "generator_version=3.0.46" >> "$GITHUB_ENV"
-          echo "generator_name=swagger-codegen-cli.jar" >> "$GITHUB_ENV"
-          echo "jar_asana=codegen/swagger/target/AsanaClientCodegen-swagger-codegen-1.0.0.jar" >> "$GITHUB_ENV"
-          echo "actual_lang=com.asana.codegen.PythonClientCodegenGenerator" >> "$GITHUB_ENV"
-          echo "name=asana" >> "$GITHUB_ENV"
       - name: Download generator
         run: |
-          wget -q -O $generator_name https://repo1.maven.org/maven2/io/swagger/codegen/v3/swagger-codegen-cli/${{ env.generator_version }}/swagger-codegen-cli-${{ env.generator_version }}.jar
+          wget -q -O $GENERATOR_NAME https://repo1.maven.org/maven2/io/swagger/codegen/v3/swagger-codegen-cli/${{ env.GENERATOR_VERSION }}/swagger-codegen-cli-${{ env.GENERATOR_VERSION }}.jar
       - name: Build custom code
         run: |
           pushd codegen/swagger >/dev/null
           mvn package
           popd >/dev/null
       - name: Generate library
         run: >-
-          java -cp "${{ env.jar_asana }}:${{ env.generator_name }}"
+          java -cp "${{ env.JAR_ASANA }}:${{ env.GENERATOR_NAME }}"
           io.swagger.codegen.v3.cli.SwaggerCodegen
           generate
           --input-spec https://raw.githubusercontent.com/Asana/openapi/master/defs/asana_sdk_oas.yaml
           --template-dir "codegen/templates"
-          --lang "${{ env.actual_lang }}"
-          -DpackageName=${{ env.name }}
-          --additional-properties "packageVersion=${{ inputs.version }},projectName=${{ env.name }},packageName=${{ env.name }}"
+          --lang "${{ env.ACTUAL_LANG }}"
+          -DpackageName=${{ env.NAME }}
+          --additional-properties "packageVersion=${{ inputs.version }},projectName=${{ env.NAME }},packageName=${{ env.NAME }}"
       - name: Clean up generator
-        run: rm -rf codegen/swagger/target ${{ env.generator_name }} 
+        run: rm -rf codegen/swagger/target ${{ env.GENERATOR_NAME }}
       - name: Push changes to master branch
-        uses: EndBug/add-and-commit@v9
-        with:
-          message: 'Updated Python SDK: v${{ inputs.version }}'
-          committer_name: GitHub Actions
-          committer_email: [email protected]
-          tag: 'v${{ inputs.version }} --force'
-          tag_push: '--force'
-  build-n-publish-to-pypi:
+        run: |
+          git config user.name asana-publish-client-libraries[bot]
+          git config user.email 159857493+asana-publish-client-libraries[bot]@users.noreply.github.com
+          git add .
+          git commit -m 'Updated Python SDK: v${{ inputs.version }}'
+          git push origin master
+          git pull
+          git tag 'v${{ inputs.version }}' --force
+          git push origin --tags --force
+  publish-to-pypi:
     needs: generate-python-library
     name: Build and publish Python 🐍 distributions 📦 to TestPyPI and PyPI
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - name: Authenticate to AWS
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: us-east-1
+          role-to-assume: arn:aws:iam::403483446840:role/autogen_role_beta_github_actions_release_asana_client_libraries
+      - name: Load secrets
+        uses: aws-actions/aws-secretsmanager-get-secrets@v1
+        with:
+          secret-ids: |
+            PYPI_API,prod/github_actions_release_asana_client_libraries/pypi_api_token
+            TEST_PYPI_API,prod/github_actions_release_asana_client_libraries/test_pypi_api_token
+          # pypi_api_token secret is stored as {token:"***..."}.
+          # GitHub Actions environment variable name is PYPI_API so to access "token" from the json we can use PYPI_API_TOKEN
+          # test_pypi_api_token secret is stored as {token:"***..."}.
+          # GitHub Actions environment variable name is TEST_PYPI_API so to access "token" from the json we can use TEST_PYPI_API_TOKEN
+          parse-json-secrets: true
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
           ref: master
       - name: Set up Python 3.7
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: 3.7
       - name: Install pypa/build
@@ -81,24 +120,32 @@ jobs:
       - name: Publish distribution 📦 to Test PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
-          password: ${{ secrets.TEST_PYPI_API_TOKEN }}
+          password: ${{ env.TEST_PYPI_API_TOKEN }}
           repository-url: https://test.pypi.org/legacy/
       - name: Publish distribution 📦 to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
-          password: ${{ secrets.PYPI_API_TOKEN }}
-  publish-to-github:
-    needs: build-n-publish-to-pypi
+          password: ${{ env.PYPI_API_TOKEN }}
+  publish-to-github-releases:
+    needs: publish-to-pypi
     name: Publish to GitHub Releases
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - name: Authenticate to AWS
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: us-east-1
+          role-to-assume: arn:aws:iam::403483446840:role/autogen_role_beta_github_actions_release_asana_client_libraries
+      - name: Get GitHub app token
+        uses: asana/get-github-app-token@v1
+        id: get-token
+        with:
+          github-app-name: asana-publish-client-libraries
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
           ref: master
       - name: Publish to GitHub Releases
-        uses: softprops/action-gh-release@v1
+        run: gh release create v${{ inputs.version }}
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          tag_name: v${{ inputs.version }}
+          GH_TOKEN: ${{ steps.get-token.outputs.app-token }}