From 12d72d94367132b0cf1170ac7a2e2a0868a0eca4 Mon Sep 17 00:00:00 2001 From: Matt Wise <768067+diranged@users.noreply.github.com> Date: Mon, 4 Sep 2023 11:50:55 -0700 Subject: [PATCH] fix: scope asset publishing scripts inside stage assembly directory (#1) Bringing in a copy of https://github.com/cdklabs/cdk-pipelines-github/pull/397 Co-authored-by: Nathan Cazell --- src/pipeline.ts | 4 +- test/__snapshots__/github.test.ts.snap | 149 ++++++++++++++++-- .../runner-provided.test.ts.snap | 2 +- test/__snapshots__/stage-options.test.ts.snap | 17 +- test/github.test.ts | 32 ++++ 5 files changed, 178 insertions(+), 26 deletions(-) diff --git a/src/pipeline.ts b/src/pipeline.ts index ab8138f1..44bee421 100644 --- a/src/pipeline.ts +++ b/src/pipeline.ts @@ -491,7 +491,7 @@ export class GitHubWorkflow extends PipelineBase { const installSuffix = this.cdkCliVersion ? `@${this.cdkCliVersion}` : ''; const cdkoutDir = options.assemblyDir; const jobId = node.uniqueId; - const assetId = assets[0].assetId; + const { assetId, assetManifestPath } = assets[0]; // check if asset is docker asset and if we have docker credentials const dockerLoginSteps: github.JobStep[] = []; @@ -511,7 +511,7 @@ export class GitHubWorkflow extends PipelineBase { this.assetHashMap[assetId] = jobId; fileContents.push(`echo '${ASSET_HASH_NAME}=${assetId}' >> $GITHUB_OUTPUT`); - const publishStepFile = path.join(cdkoutDir, `publish-${jobId}-step.sh`); + const publishStepFile = path.join(path.dirname(relativeToAssembly(assetManifestPath)), `publish-${jobId}-step.sh`); mkdirSync(path.dirname(publishStepFile), { recursive: true }); writeFileSync(publishStepFile, fileContents.join('\n'), { encoding: 'utf-8' }); diff --git a/test/__snapshots__/github.test.ts.snap b/test/__snapshots__/github.test.ts.snap index b4993a7c..0de4e7e0 100644 --- a/test/__snapshots__/github.test.ts.snap +++ b/test/__snapshots__/github.test.ts.snap @@ -58,7 +58,7 @@ jobs: registry: 000000000000.dkr.ecr.us-east-1.amazonaws.com - id: Publish name: Publish Assets-DockerAsset1 - run: /bin/bash ./cdk.out/publish-Assets-DockerAsset1-step.sh + run: /bin/bash ./cdk.out/assembly-StageA/publish-Assets-DockerAsset1-step.sh Assets-FileAsset1: name: Publish Assets Assets-FileAsset1 needs: @@ -84,7 +84,7 @@ jobs: aws-secret-access-key: \${{ secrets.AWS_SECRET_ACCESS_KEY }} - id: Publish name: Publish Assets-FileAsset1 - run: /bin/bash ./cdk.out/publish-Assets-FileAsset1-step.sh + run: /bin/bash ./cdk.out/assembly-StageA/publish-Assets-FileAsset1-step.sh Assets-FileAsset2: name: Publish Assets Assets-FileAsset2 needs: @@ -110,7 +110,7 @@ jobs: aws-secret-access-key: \${{ secrets.AWS_SECRET_ACCESS_KEY }} - id: Publish name: Publish Assets-FileAsset2 - run: /bin/bash ./cdk.out/publish-Assets-FileAsset2-step.sh + run: /bin/bash ./cdk.out/assembly-StageA/publish-Assets-FileAsset2-step.sh Assets-FileAsset3: name: Publish Assets Assets-FileAsset3 needs: @@ -136,7 +136,7 @@ jobs: aws-secret-access-key: \${{ secrets.AWS_SECRET_ACCESS_KEY }} - id: Publish name: Publish Assets-FileAsset3 - run: /bin/bash ./cdk.out/publish-Assets-FileAsset3-step.sh + run: /bin/bash ./cdk.out/assembly-StageA/publish-Assets-FileAsset3-step.sh Assets-FileAsset4: name: Publish Assets Assets-FileAsset4 needs: @@ -162,7 +162,7 @@ jobs: aws-secret-access-key: \${{ secrets.AWS_SECRET_ACCESS_KEY }} - id: Publish name: Publish Assets-FileAsset4 - run: /bin/bash ./cdk.out/publish-Assets-FileAsset4-step.sh + run: /bin/bash ./cdk.out/assembly-StageA/publish-Assets-FileAsset4-step.sh Assets-FileAsset5: name: Publish Assets Assets-FileAsset5 needs: @@ -188,7 +188,7 @@ jobs: aws-secret-access-key: \${{ secrets.AWS_SECRET_ACCESS_KEY }} - id: Publish name: Publish Assets-FileAsset5 - run: /bin/bash ./cdk.out/publish-Assets-FileAsset5-step.sh + run: /bin/bash ./cdk.out/assembly-StageB/publish-Assets-FileAsset5-step.sh Assets-FileAsset6: name: Publish Assets Assets-FileAsset6 needs: @@ -214,7 +214,7 @@ jobs: aws-secret-access-key: \${{ secrets.AWS_SECRET_ACCESS_KEY }} - id: Publish name: Publish Assets-FileAsset6 - run: /bin/bash ./cdk.out/publish-Assets-FileAsset6-step.sh + run: /bin/bash ./cdk.out/assembly-StageB/publish-Assets-FileAsset6-step.sh StageA-Pre: name: Pre permissions: @@ -374,6 +374,125 @@ jobs: " `; +exports[`pipeline publish asset scripts are in stage assembly directory 1`] = ` +"# AUTOMATICALLY GENERATED FILE, DO NOT EDIT MANUALLY. +# Generated by AWS CDK and [cdk-pipelines-github](https://github.com/cdklabs/cdk-pipelines-github) + +name: deploy +on: + push: + branches: + - main + workflow_dispatch: {} +jobs: + Build-Build: + name: Synthesize + permissions: + contents: read + id-token: none + runs-on: ubuntu-latest + needs: [] + env: {} + steps: + - name: Checkout + uses: actions/checkout@v3 + - name: Build + run: \\"\\" + - name: Upload cdk.out + uses: actions/upload-artifact@v3 + with: + name: cdk.out + path: cdk.out + Assets-FileAsset1: + name: Publish Assets Assets-FileAsset1 + needs: + - Build-Build + permissions: + contents: read + id-token: none + runs-on: ubuntu-latest + outputs: + asset-hash: \${{ steps.Publish.outputs.asset-hash }} + steps: + - name: Download cdk.out + uses: actions/download-artifact@v3 + with: + name: cdk.out + path: github.out + - name: Install + run: npm install --no-save cdk-assets + - name: Authenticate Via GitHub Secrets + uses: aws-actions/configure-aws-credentials@v1-node16 + with: + aws-region: ap-southeast-2 + role-duration-seconds: 1800 + role-skip-session-tagging: true + aws-access-key-id: \${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: \${{ secrets.AWS_SECRET_ACCESS_KEY }} + - id: Publish + name: Publish Assets-FileAsset1 + run: /bin/bash ./cdk.out/assembly-MyStage/publish-Assets-FileAsset1-step.sh + Assets-FileAsset2: + name: Publish Assets Assets-FileAsset2 + needs: + - Build-Build + permissions: + contents: read + id-token: none + runs-on: ubuntu-latest + outputs: + asset-hash: \${{ steps.Publish.outputs.asset-hash }} + steps: + - name: Download cdk.out + uses: actions/download-artifact@v3 + with: + name: cdk.out + path: github.out + - name: Install + run: npm install --no-save cdk-assets + - name: Authenticate Via GitHub Secrets + uses: aws-actions/configure-aws-credentials@v1-node16 + with: + aws-region: ap-southeast-2 + role-duration-seconds: 1800 + role-skip-session-tagging: true + aws-access-key-id: \${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: \${{ secrets.AWS_SECRET_ACCESS_KEY }} + - id: Publish + name: Publish Assets-FileAsset2 + run: /bin/bash ./cdk.out/assembly-MyStage/publish-Assets-FileAsset2-step.sh + MyStage-MyStack-Deploy: + name: Deploy MyStageMyStackD5720EA1 + permissions: + contents: read + id-token: none + needs: + - Build-Build + - Assets-FileAsset1 + - Assets-FileAsset2 + runs-on: ubuntu-latest + steps: + - name: Authenticate Via GitHub Secrets + uses: aws-actions/configure-aws-credentials@v1-node16 + with: + aws-region: us-east-1 + role-duration-seconds: 1800 + role-skip-session-tagging: true + aws-access-key-id: \${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: \${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::111111111111:role/cdk-hnb659fds-deploy-role-111111111111-us-east-1 + role-external-id: Pipeline + - id: Deploy + uses: aws-actions/aws-cloudformation-github-deploy@v1.2.0 + with: + name: MyStage-MyStack + template: https://cdk-hnb659fds-assets-111111111111-us-east-1.s3.us-east-1.amazonaws.com/\${{ + needs.Assets-FileAsset1.outputs.asset-hash }}.json + no-fail-on-empty-changeset: \\"1\\" + role-arn: arn:aws:iam::111111111111:role/cdk-hnb659fds-cfn-exec-role-111111111111-us-east-1 +" +`; + exports[`pipeline with GitHub hosted runner override 1`] = ` "# AUTOMATICALLY GENERATED FILE, DO NOT EDIT MANUALLY. # Generated by AWS CDK and [cdk-pipelines-github](https://github.com/cdklabs/cdk-pipelines-github) @@ -467,7 +586,7 @@ jobs: aws-secret-access-key: \${{ secrets.AWS_SECRET_ACCESS_KEY }} - id: Publish name: Publish Assets-FileAsset1 - run: /bin/bash ./cdk.out/publish-Assets-FileAsset1-step.sh + run: /bin/bash ./cdk.out/assembly-MyStack/publish-Assets-FileAsset1-step.sh Assets-FileAsset2: name: Publish Assets Assets-FileAsset2 if: github.repository == 'account/repo' @@ -497,7 +616,7 @@ jobs: aws-secret-access-key: \${{ secrets.AWS_SECRET_ACCESS_KEY }} - id: Publish name: Publish Assets-FileAsset2 - run: /bin/bash ./cdk.out/publish-Assets-FileAsset2-step.sh + run: /bin/bash ./cdk.out/assembly-MyStack/publish-Assets-FileAsset2-step.sh MyStack-MyStack-Deploy: name: Deploy MyStack098574E7 if: github.repository == 'account/repo' @@ -589,7 +708,7 @@ jobs: role-to-assume: arn:aws:iam::000000000000:role/GitHubActionRole - id: Publish name: Publish Assets-FileAsset1 - run: /bin/bash ./cdk.out/publish-Assets-FileAsset1-step.sh + run: /bin/bash ./cdk.out/assembly-MyStack/publish-Assets-FileAsset1-step.sh Assets-FileAsset2: name: Publish Assets Assets-FileAsset2 needs: @@ -617,7 +736,7 @@ jobs: role-to-assume: arn:aws:iam::000000000000:role/GitHubActionRole - id: Publish name: Publish Assets-FileAsset2 - run: /bin/bash ./cdk.out/publish-Assets-FileAsset2-step.sh + run: /bin/bash ./cdk.out/assembly-MyStack/publish-Assets-FileAsset2-step.sh MyStack-MyStack-Deploy: name: Deploy MyStack098574E7 permissions: @@ -749,7 +868,7 @@ jobs: aws-secret-access-key: \${{ secrets.AWS_SECRET_ACCESS_KEY }} - id: Publish name: Publish Assets-FileAsset1 - run: /bin/bash ./cdk.out/publish-Assets-FileAsset1-step.sh + run: /bin/bash ./cdk.out/assembly-MyStack/publish-Assets-FileAsset1-step.sh Assets-FileAsset2: name: Publish Assets Assets-FileAsset2 needs: @@ -778,7 +897,7 @@ jobs: aws-secret-access-key: \${{ secrets.AWS_SECRET_ACCESS_KEY }} - id: Publish name: Publish Assets-FileAsset2 - run: /bin/bash ./cdk.out/publish-Assets-FileAsset2-step.sh + run: /bin/bash ./cdk.out/assembly-MyStack/publish-Assets-FileAsset2-step.sh MyStack-MyStack-Deploy: name: Deploy MyStack098574E7 permissions: @@ -905,7 +1024,7 @@ jobs: aws-secret-access-key: \${{ secrets.AWS_SECRET_ACCESS_KEY }} - id: Publish name: Publish Assets-FileAsset1 - run: /bin/bash ./cdk.out/publish-Assets-FileAsset1-step.sh + run: /bin/bash ./cdk.out/assembly-MyStack/publish-Assets-FileAsset1-step.sh Assets-FileAsset2: name: Publish Assets Assets-FileAsset2 needs: @@ -934,7 +1053,7 @@ jobs: aws-secret-access-key: \${{ secrets.AWS_SECRET_ACCESS_KEY }} - id: Publish name: Publish Assets-FileAsset2 - run: /bin/bash ./cdk.out/publish-Assets-FileAsset2-step.sh + run: /bin/bash ./cdk.out/assembly-MyStack/publish-Assets-FileAsset2-step.sh MyStack-MyStack-Deploy: name: Deploy MyStack098574E7 permissions: diff --git a/test/__snapshots__/runner-provided.test.ts.snap b/test/__snapshots__/runner-provided.test.ts.snap index 3243469c..068dcc29 100644 --- a/test/__snapshots__/runner-provided.test.ts.snap +++ b/test/__snapshots__/runner-provided.test.ts.snap @@ -51,7 +51,7 @@ jobs: run: npm install --no-save cdk-assets - id: Publish name: Publish Assets-FileAsset1 - run: /bin/bash ./cdk.out/publish-Assets-FileAsset1-step.sh + run: /bin/bash ./cdk.out/assembly-MyStack/publish-Assets-FileAsset1-step.sh MyStack-MyStack-Deploy: name: Deploy MyStack098574E7 permissions: diff --git a/test/__snapshots__/stage-options.test.ts.snap b/test/__snapshots__/stage-options.test.ts.snap index 2fc440fd..0c2a3684 100644 --- a/test/__snapshots__/stage-options.test.ts.snap +++ b/test/__snapshots__/stage-options.test.ts.snap @@ -61,7 +61,8 @@ jobs: aws-secret-access-key: \${{ secrets.AWS_SECRET_ACCESS_KEY }} - id: Publish name: Publish Assets-FileAsset1 - run: /bin/bash ./cdk.out/publish-Assets-FileAsset1-step.sh + run: /bin/bash + ./cdk.out/assembly-MyPrePostStack/publish-Assets-FileAsset1-step.sh MyPrePostStack-PreDeployAction: name: PreDeployAction if: contains(fromJson('[\\"push\\", \\"pull_request\\"]'), github.event_name) @@ -187,7 +188,7 @@ jobs: aws-secret-access-key: \${{ secrets.AWS_SECRET_ACCESS_KEY }} - id: Publish name: Publish Assets-FileAsset1 - run: /bin/bash ./cdk.out/publish-Assets-FileAsset1-step.sh + run: /bin/bash ./cdk.out/assembly-MyStack/publish-Assets-FileAsset1-step.sh MyStack-MyStack-Deploy: name: Deploy MyStack098574E7 permissions: @@ -279,7 +280,7 @@ jobs: aws-secret-access-key: \${{ secrets.AWS_SECRET_ACCESS_KEY }} - id: Publish name: Publish Assets-FileAsset1 - run: /bin/bash ./cdk.out/publish-Assets-FileAsset1-step.sh + run: /bin/bash ./cdk.out/assembly-MyStack/publish-Assets-FileAsset1-step.sh MyStack-MyStack-Deploy: name: Deploy MyStack098574E7 permissions: @@ -371,7 +372,7 @@ jobs: aws-secret-access-key: \${{ secrets.AWS_SECRET_ACCESS_KEY }} - id: Publish name: Publish Assets-FileAsset1 - run: /bin/bash ./cdk.out/publish-Assets-FileAsset1-step.sh + run: /bin/bash ./cdk.out/assembly-MyStage1/publish-Assets-FileAsset1-step.sh MyStage1-MyStack-Deploy: name: Deploy MyStage1MyStack61AF4CC5 permissions: @@ -497,7 +498,7 @@ jobs: aws-secret-access-key: \${{ secrets.AWS_SECRET_ACCESS_KEY }} - id: Publish name: Publish Assets-FileAsset1 - run: /bin/bash ./cdk.out/publish-Assets-FileAsset1-step.sh + run: /bin/bash ./cdk.out/assembly-MyStageA/publish-Assets-FileAsset1-step.sh MyWave-PreWaveAction: name: PreWaveAction if: contains(github.event.issue.labels.*.name, 'deployToA') || @@ -656,7 +657,7 @@ jobs: aws-secret-access-key: \${{ secrets.AWS_SECRET_ACCESS_KEY }} - id: Publish name: Publish Assets-FileAsset1 - run: /bin/bash ./cdk.out/publish-Assets-FileAsset1-step.sh + run: /bin/bash ./cdk.out/assembly-MyStack/publish-Assets-FileAsset1-step.sh MyStack-MyStack-Deploy: name: Deploy MyStack098574E7 if: github.repository == 'github/repo' @@ -748,7 +749,7 @@ jobs: aws-secret-access-key: \${{ secrets.AWS_SECRET_ACCESS_KEY }} - id: Publish name: Publish Assets-FileAsset1 - run: /bin/bash ./cdk.out/publish-Assets-FileAsset1-step.sh + run: /bin/bash ./cdk.out/assembly-MyStageA/publish-Assets-FileAsset1-step.sh MyWave-MyStageA-MyStackA-Deploy: name: Deploy MyStageAMyStackA0F0BE321 if: success() && contains(github.event.issue.labels.*.name, 'deployToA') @@ -869,7 +870,7 @@ jobs: aws-secret-access-key: \${{ secrets.AWS_SECRET_ACCESS_KEY }} - id: Publish name: Publish Assets-FileAsset1 - run: /bin/bash ./cdk.out/publish-Assets-FileAsset1-step.sh + run: /bin/bash ./cdk.out/assembly-MyStageA/publish-Assets-FileAsset1-step.sh MyStageA-MyStackA-Deploy: name: Deploy MyStageAMyStackA0F0BE321 if: success() && contains(github.event.issue.labels.*.name, 'deployToA') diff --git a/test/github.test.ts b/test/github.test.ts index f76750ad..38516320 100644 --- a/test/github.test.ts +++ b/test/github.test.ts @@ -223,6 +223,38 @@ test('pipeline with publish asset region override', () => { }); }); +test('pipeline publish asset scripts are in stage assembly directory', () => { + withTemporaryDirectory((dir) => { + const pipeline = new GitHubWorkflow(app, 'Pipeline', { + workflowPath: `${dir}/.github/workflows/deploy.yml`, + synth: new ShellStep('Build', { + commands: [], + }), + publishAssetsAuthRegion: 'ap-southeast-2', + }); + + const stage = new Stage(app, 'MyStage', { + env: { account: '111111111111', region: 'us-east-1' }, + }); + + const stack = new Stack(stage, 'MyStack'); + + new lambda.Function(stack, 'Function', { + code: lambda.Code.fromAsset(fixtures), + handler: 'index.handler', + runtime: lambda.Runtime.NODEJS_14_X, + }); + + pipeline.addStage(stage); + + app.synth(); + + const file = readFileSync(pipeline.workflowPath, 'utf-8'); + expect(file).toContain('./cdk.out/assembly-MyStage/publish-Assets'); + expect(file).toMatchSnapshot(); + }); +}); + test('pipeline with job settings', () => { withTemporaryDirectory((dir) => { const pipeline = new GitHubWorkflow(app, 'Pipeline', {