release-runtime.yml
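# Manually dispatched release workflow. For every selected runtime/architecture
# pair it builds the runtime package, audits it, uploads it to S3 and publishes
# it as a Lambda layer (optionally making the layer public).
name: release-runtime

on:
  workflow_dispatch:
    inputs:
      runtime:
        description: "Runtime id to publish, or 'all'"
        required: true
        default: "all"
      arch:
        description: "Architecture to publish: x86_64, arm64, or 'all'"
        required: true
        default: "all"
      publicize:
        description: "Grant public layer permissions after publish"
        required: true
        default: false
        type: boolean

# Workflow-wide default is read-only. Only the publish job, which assumes the
# AWS release role, is granted id-token: write (see its job-level permissions).
permissions:
  contents: read

jobs:
  # Turns the dispatch inputs into the runtime x arch matrix consumed by publish.
  prepare-matrix:
    runs-on: ubuntu-latest
    outputs:
      matrix: ${{ steps.matrix.outputs.matrix }}
    steps:
      # NOTE(review): every action in this workflow is referenced by a mutable
      # major tag. For a job chain that ends in a release role, pinning each
      # `uses:` to a full commit SHA removes the tag-retargeting risk.
      - uses: actions/checkout@v6
        with:
          # Nothing in this job performs further git operations, so the token
          # does not need to stay on disk.
          persist-credentials: false
      - uses: actions/setup-python@v6
        with:
          python-version: "3.11"
      - id: matrix
        # Inputs reach the script through the environment, not through
        # expression interpolation into the script text, and the heredoc is
        # quoted ('PY') so the shell does not expand anything inside it.
        env:
          INPUT_RUNTIME: ${{ github.event.inputs.runtime }}
          INPUT_ARCH: ${{ github.event.inputs.arch }}
        run: |
          python3 - <<'PY'
          import json
          import os
          import subprocess
          import sys
          from pathlib import Path

          root = Path.cwd()

          # The set of valid runtime ids comes from the repository's own manifest tool.
          runtimes = json.loads(
              subprocess.check_output(
                  [sys.executable, "tools/runtime_lib/runtime_manifest.py", "list", "--json"],
                  cwd=root,
                  text=True,
              )
          )

          # Allowlist check: a specific runtime must be one the manifest reports.
          selected = os.environ["INPUT_RUNTIME"].strip()
          if selected and selected != "all":
              if selected not in runtimes:
                  raise SystemExit(f"Unknown runtime '{selected}'. Available: {', '.join(runtimes)}")
              runtimes = [selected]

          # Allowlist check: a specific architecture must be one of the two known values.
          all_archs = ["x86_64", "arm64"]
          selected_arch = os.environ.get("INPUT_ARCH", "all").strip()
          if selected_arch and selected_arch != "all":
              if selected_arch not in all_archs:
                  raise SystemExit(f"Unknown arch '{selected_arch}'. Available: {', '.join(all_archs)}")
              archs = [selected_arch]
          else:
              archs = all_archs

          # Each architecture builds on a runner of the matching CPU type.
          arch_runners = {
              "x86_64": "ubuntu-latest",
              "arm64": "ubuntu-24.04-arm",
          }

          # json.dumps without indent yields a single line, which is what the
          # name=value form of GITHUB_OUTPUT requires.
          matrix = json.dumps({
              "include": [
                  {
                      "runtime": runtime,
                      "arch": arch,
                      "runner": arch_runners.get(arch, "ubuntu-latest"),
                  }
                  for runtime in runtimes
                  for arch in archs
              ]
          })

          # Append rather than overwrite: GITHUB_OUTPUT is a file-command file
          # that the runner expects steps to add lines to.
          output_path = Path(os.environ["GITHUB_OUTPUT"])
          with output_path.open("a", encoding="utf-8") as handle:
              handle.write(f"matrix={matrix}\n")
          PY

  # Builds, audits, uploads and publishes one runtime/arch pair per matrix entry.
  publish:
    needs: prepare-matrix
    runs-on: ${{ matrix.runner }}
    # id-token: write lets this job request the OIDC token that
    # configure-aws-credentials exchanges for the release role.
    # NOTE(review): the role's trust policy should restrict the OIDC subject to
    # this repository (ideally to a protected branch or environment) - confirm.
    permissions:
      contents: read
      id-token: write
    strategy:
      fail-fast: false
      matrix: ${{ fromJson(needs.prepare-matrix.outputs.matrix) }}
    env:
      SAM_CLI_TELEMETRY: "0"
      # NOTE(review): presumably "0" makes audit failures fatal rather than
      # best-effort - confirm against the build tooling.
      BUILD_BEST_EFFORT_AUDIT: "0"
      # Matrix values are handed to shell steps as environment variables so no
      # step splices ${{ }} output into script text. They are already validated
      # in prepare-matrix; this keeps the shell safe even if that check changes.
      MATRIX_RUNTIME: ${{ matrix.runtime }}
      MATRIX_ARCH: ${{ matrix.arch }}
    steps:
      # NOTE(review): consider persist-credentials: false here as well, provided
      # the make targets below need no authenticated git access - confirm.
      - uses: actions/checkout@v6
      - uses: actions/setup-python@v6
        with:
          python-version: "3.11"
      - name: Prepare cache directories
        run: |
          echo "DOWNLOAD_CACHE_DIR=${RUNNER_TEMP}/lambda-runtime-monorepo/cache/downloads" >> "$GITHUB_ENV"
          mkdir -p "${RUNNER_TEMP}/lambda-runtime-monorepo/cache/downloads"
      # NOTE(review): restored files come from the Actions cache, not from the
      # origin. Presumably the build re-verifies them against
      # runtimes/<id>/checksums - confirm, because a release job should not
      # trust cache contents on their own.
      - name: Cache runtime downloads
        uses: actions/cache@v5
        with:
          path: ${{ env.DOWNLOAD_CACHE_DIR }}
          key: downloads-${{ runner.os }}-${{ matrix.runtime }}-${{ matrix.arch }}-${{ hashFiles(format('runtimes/{0}/runtime.json', matrix.runtime), format('runtimes/{0}/checksums/**', matrix.runtime)) }}
      # NOTE(review): the installer is fetched from the moving `main` branch and
      # piped straight into sh, and the binary it places in /usr/local/bin is on
      # PATH for the later steps that hold the release credentials. Pin the
      # installer to a reviewed tag or commit and verify the downloaded release
      # against a checksum recorded in this repository.
      - name: Install Grype
        run: curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
      # NOTE(review): the release role is assumed before build and audit, so
      # both run with publish-capable credentials in their environment. If they
      # need no AWS access, moving this step to just before the upload narrows
      # the exposure - confirm.
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v6
        with:
          role-to-assume: ${{ secrets.AWS_RELEASE_ROLE_ARN }}
          aws-region: us-east-1
      - name: Build runtime package
        run: make build RUNTIME="${MATRIX_RUNTIME}" ARCH="${MATRIX_ARCH}"
      - name: Audit runtime package
        run: bash tools/bin/audit-runtime "${MATRIX_RUNTIME}" "${MATRIX_ARCH}"
      - name: Upload runtime artifact to S3
        run: make upload RUNTIME="${MATRIX_RUNTIME}" ARCH="${MATRIX_ARCH}"
      # Exactly one of the next two steps runs. github.event.inputs carries the
      # boolean input as a string, hence the comparison with 'true'.
      - name: Publish Lambda layer
        if: ${{ github.event.inputs.publicize != 'true' }}
        run: make publish RUNTIME="${MATRIX_RUNTIME}" ARCH="${MATRIX_ARCH}"
      # Runs only when the dispatcher set `publicize`; per the input description
      # this grants public layer permissions.
      - name: Publish and publicize Lambda layer
        if: ${{ github.event.inputs.publicize == 'true' }}
        run: make publicize RUNTIME="${MATRIX_RUNTIME}" ARCH="${MATRIX_ARCH}"
      - name: Summarize latest layer arns
        run: |
          {
            echo "### ${MATRIX_RUNTIME} (${MATRIX_ARCH})"
            bash tools/bin/latest-runtime "${MATRIX_RUNTIME}" "${MATRIX_ARCH}"
            echo
          } >> "$GITHUB_STEP_SUMMARY"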