
Commit 4082205

committed
Merge branch 'main' into aea-5986-add-pypi-publish-to-tag-release-devcontainer-workflow
2 parents 03dbb89 + 6713f00 commit 4082205

10 files changed

Lines changed: 1804 additions & 161 deletions


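--- a/.gitallowed
+++ b/.gitallowed
@@ -8,3 +8,5 @@ token = os\.environ\.get\(\"GH_TOKEN\"\)
 poetry\.lock
 \-Dsonar\.token=\"\$SONAR_TOKEN\"
 token: "\${{ steps\.generate-token\.outputs\.token }}"
+id-token: 'write'
+id-token: "write"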

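--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -14,7 +14,7 @@ jobs:
 secrets:
 AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }}
 AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }}
-
+
 pr_title_format_check:
 uses: ./.github/workflows/pr_title_check.yml
 
@@ -30,14 +30,14 @@ jobs:
 pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
 secrets:
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-
+
 tag_release:
 needs: get_config_values
 uses: ./.github/workflows/tag-release-devcontainer.yml
 permissions:
-contents: read
 packages: read
-attestations: read
+id-token: write
+contents: write
 with:
 dry_run: true
 pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}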
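Review bot: The `tag_release` caller in the second hunk widens the dry run from `contents: read` / `attestations: read` to `id-token: write` and `contents: write`, so every step of a job that runs with `dry_run: true` can now mint OIDC tokens and push to the repository, even though this caller never passes `update_jira` (it defaults to `false` in the reusable workflow) and the only thing preventing an AWS role assumption on a PR is the step-level `if:` in the called job. If this workflow is triggered by `pull_request` from forks, as the filename suggests, the read-only token GitHub issues there cannot satisfy a nested job requesting write scopes and the job will fail outright. Prefer keeping `permissions: contents: read` and `packages: read` here and letting the reusable job inherit the caller's permissions, or, if the dry run genuinely needs write scopes, add a comment above `permissions:` stating which step needs `contents: write` and why a dry run needs `id-token: write`.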

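--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -20,6 +20,9 @@ jobs:
 tag_release:
 needs: [quality_checks, get_config_values]
 uses: ./.github/workflows/tag-release-devcontainer.yml
+permissions:
+id-token: write
+contents: write
 with:
 dry_run: false
 pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}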
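Review bot: `id-token: write` is granted to `tag_release` but nothing in this hunk passes `update_jira: true` or the `EXECUTE_JIRA_LAMBDA_ROLE` secret, so the OIDC scope is available to the whole release job without any visible step using it (the job's `secrets:` block, if it has one, is outside the hunk). Grant it together with the Jira inputs it exists for, e.g. `with: update_jira: true` plus `secrets: EXECUTE_JIRA_LAMBDA_ROLE: ${{ secrets.EXECUTE_JIRA_LAMBDA_ROLE }}`, or leave it out until the release actually updates Jira, so that a compromised dependency in the release job cannot exchange the job token for cloud credentials. `contents: write` is presumably required for the non-dry-run tag push and is not the concern here.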

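--- a/.github/workflows/tag-release-devcontainer.yml
+++ b/.github/workflows/tag-release-devcontainer.yml
@@ -29,6 +29,16 @@ on:
 required: false
 type: string
 default: "main"
+update_jira:
+description: "Whether to update Jira issues during semantic-release"
+required: false
+type: boolean
+default: false
+jira_release_prefix:
+description: "Release prefix sent to Jira release tagging"
+required: false
+type: string
+default: ""
 extra_artifact_name:
 description: "An extra artifact to include in the release"
 required: false
@@ -63,12 +73,17 @@ on:
 NPM_TOKEN:
 required: false
 description: "NPM token to publish packages"
-
+EXECUTE_JIRA_LAMBDA_ROLE:
+required: false
+description: "ARN of the role to assume when executing the Jira update lambda"
 PYPI_TOKEN:
 required: false
 description: "PyPI token to publish packages"
 jobs:
 tag_release:
+permissions:
+id-token: "write"
+contents: "write"
 runs-on: ubuntu-22.04
 container:
 image: ${{ inputs.pinned_image }}
@@ -84,6 +99,16 @@ jobs:
 - name: copy .tool-versions
 run: |
 cp /home/vscode/.tool-versions "$HOME/.tool-versions"
+
+- name: connect to dev account to run release notes lambda
+uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8
+if: ${{ inputs.update_jira }}
+with:
+aws-region: eu-west-2
+role-to-assume: ${{ secrets.EXECUTE_JIRA_LAMBDA_ROLE }}
+role-session-name: execute-jira-lambda-session
+unset-current-credentials: true
+
 - name: Clone calling repo
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
@@ -101,6 +126,7 @@ jobs:
 package-lock.json
 release.config.cjs
 releaseNotesTemplates/commit.hbs
+packages/
 - name: Install semantic release dependencies globally
 run: |
 cd common_workflow_config
@@ -113,7 +139,9 @@ jobs:
 cp release.config.cjs ../
 mkdir -p ../releaseNotesTemplates
 cp releaseNotesTemplates/commit.hbs ../releaseNotesTemplates/
+cp -r packages/semantic_release_jira ../packages/
 echo "Current dir is ${PWD}"
+echo "NODE_PATH=$(npm root --quiet -g)" >> "$GITHUB_ENV"
 - name: Setup Git branch for semantic-release
 run: |
 # When running from a PR, GitHub checks out a merge commit
@@ -200,6 +228,8 @@ jobs:
 NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 MAIN_BRANCH: ${{ inputs.main_branch }}
 EXTRA_ASSET: ${{ inputs.extra_artifact_name }}
+UPDATE_JIRA: ${{ inputs.update_jira }}
+JIRA_RELEASE_PREFIX: ${{ inputs.jira_release_prefix }}
 PYPI_PUBLISH: ${{ inputs.pypi_publish }}
 PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
 
@@ -212,6 +242,8 @@ jobs:
 TAG_FORMAT: ${{ inputs.tag_format }}
 MAIN_BRANCH: ${{ inputs.main_branch }}
 EXTRA_ASSET: ${{ inputs.extra_artifact_name }}
+UPDATE_JIRA: ${{ inputs.update_jira }}
+JIRA_RELEASE_PREFIX: ${{ inputs.jira_release_prefix }}
 PYPI_PUBLISH: ${{ inputs.pypi_publish }}
 PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
 run: |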
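Review bot: In the `@@ -84,6 +99,16 @@` hunk the `configure-aws-credentials` step runs before `Clone calling repo` and before the global npm install of the semantic-release dependencies, so whenever `update_jira` is true the assumed role's credentials are exported into the job environment while third-party packages (and their install scripts) are fetched and while the calling repository's `release.config.cjs` and the copied `packages/semantic_release_jira` are put in place; anything executing in that window can read the `AWS_*` variables. Move the step to immediately before the semantic-release step that actually calls the lambda (that step is outside this hunk) so the credential lifetime covers only the invocation that needs it, and consider a short `role-duration-seconds` to bound it further. Separately, the job-level `permissions: id-token: "write"` added in the `@@ -63,12 +73,17 @@` hunk forces every caller, including dry runs that never set `update_jira`, to grant OIDC token minting; dropping that block and letting the job inherit the caller's permissions keeps the scope where it is decided, and a missing grant will surface as a clear failure on the credentials step only when `update_jira` is enabled.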

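--- a/.trivyignore.yaml
+++ b/.trivyignore.yaml
@@ -31,3 +31,6 @@ vulnerabilities:
 - id: CVE-2026-2229
 statement: undici vulnerability accepted as risk
 expired_at: 2026-06-01
+- id: CVE-2026-33036
+statement: fast-xml-parser vulnerability accepted as risk
+expired_at: 2026-06-01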
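Review bot: The new suppression for CVE-2026-33036 records the decision but not the reason — `statement: fast-xml-parser vulnerability accepted as risk` does not say which dependency pulls the package in, whether the affected parsing path is reachable from this workflow, or whether an upstream fix is awaited, so nobody re-reading this file in June can tell whether the acceptance still holds. Put the rationale in the statement, e.g. `statement: "fast-xml-parser vulnerability accepted as risk: <transitive dependency> only parses trusted <source>; no fixed version available yet"`, and reference the ticket that owns the `expired_at` review so the date is re-evaluated rather than silently extended. The existing undici entry above has the same gap and would benefit from the same treatment.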
