Build publish lambda layer #107
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Copyright (c) 2023 SolarWinds, LLC. | |
| # All rights reserved. | |
| name: Build publish lambda layer | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| solarwinds-source: | |
| required: true | |
| description: 'solarwinds_apm source for build layers, e.g. RubyGem, Local' | |
| type: choice | |
| default: 'RubyGem' | |
| options: | |
| - RubyGem | |
| - Local | |
| publish-dest: | |
| required: true | |
| description: 'Publish destination, one of: staging, production' | |
| type: choice | |
| default: 'staging' | |
| options: | |
| - staging | |
| - production | |
| ruby-version: | |
| description: 'Supported ruby version for lambda layer' | |
| default: '3.2 3.3 3.4' | |
| permissions: | |
| id-token: write # This is required for requesting the JWT | |
| contents: read # This is required for actions/checkout | |
| jobs: | |
| # build layer on arm64 and amd64, then upload to artifacts | |
| # act -j build_layer --container-architecture linux/arm64 | |
| build_layer: | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| arch: | |
| - x86_64 | |
| - arm64 | |
| runs-on: ${{ matrix.arch == 'arm64' && fromJSON('{"group":"apm-arm-runner"}') || 'ubuntu-latest' }} | |
| steps: | |
| - uses: actions/checkout@v5 | |
| - name: Build ruby lambda layer on ${{ matrix.arch }} | |
| run: | | |
| uname -a | |
| ./build.sh | |
| shell: bash | |
| working-directory: lambda/ | |
| env: | |
| GITHUB_RUBY_TOKEN: ${{ secrets.PACKAGE_GITHUB_TOKEN }} | |
| SOLARWINDS_SOURCE: ${{ github.event.inputs.solarwinds-source }} | |
| PUBLISH_DEST: ${{ github.event.inputs.publish-dest }} | |
| ALLOWED_RUBY_VERSION: ${{ github.event.inputs.ruby-version }} | |
| ARCHITECTURE: ${{ matrix.arch }} | |
| - name: Show directory contents | |
| run: | | |
| ls -al | |
| working-directory: lambda/ | |
| - name: Upload to artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ruby-layer-${{ matrix.arch }}.zip | |
| path: lambda/build/ruby-layer-${{ matrix.arch }}.zip | |
| # extract the built layer from artifacts, then scan it with reverselab | |
| reverselab_scan_layer: | |
| needs: | |
| - build_layer | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| arch: | |
| - x86_64 | |
| - arm64 | |
| runs-on: ubuntu-latest | |
| outputs: | |
| apm_ruby_version: ${{ steps.version.outputs.SOLARWINDS_APM_VERSION }} | |
| steps: | |
| - uses: actions/checkout@v5 | |
| - name: extract layer zip from artifacts | |
| uses: actions/download-artifact@v5 | |
| with: | |
| name: ruby-layer-${{ matrix.arch }}.zip | |
| path: lambda | |
| - name: extract current solarwinds_apm version | |
| id: version | |
| run: | | |
| if [ $SOLARWINDS_SOURCE = 'Local' ]; then \ | |
| APM_VERSION=$(ruby -r './lib/solarwinds_apm/version.rb' -e 'puts SolarWindsAPM::Version::STRING'); \ | |
| else \ | |
| apt-get update && apt-get install -y jq curl; \ | |
| APM_VERSION=$(curl -s https://rubygems.org/api/v1/gems/solarwinds_apm.json | jq -r .version); \ | |
| fi | |
| echo "SOLARWINDS_APM_VERSION=$APM_VERSION" >> $GITHUB_ENV | |
| echo "SOLARWINDS_APM_VERSION=$APM_VERSION" >> $GITHUB_OUTPUT | |
| env: | |
| SOLARWINDS_SOURCE: ${{ github.event.inputs.solarwinds-source }} | |
| - name: Scan build artifact on the Portal | |
| id: rl-scan | |
| env: | |
| RLPORTAL_ACCESS_TOKEN: ${{ secrets.REVERSE_LAB_TOKEN }} | |
| uses: reversinglabs/gh-action-rl-scanner-cloud-only@v1 | |
| with: | |
| artifact-to-scan: ./lambda/ruby-layer-${{ matrix.arch }}.zip | |
| rl-verbose: true | |
| rl-portal-server: solarwinds | |
| rl-portal-org: SolarWinds | |
| rl-portal-group: SaaS-Agents-SWO | |
| rl-package-url: solarwinds-apm-ruby/apm-ruby-lambda-layer-${{ matrix.arch }}@${{ env.SOLARWINDS_APM_VERSION }} | |
| - name: report the scan status | |
| if: success() || failure() | |
| run: | | |
| echo "The status is: '${{ steps.rl-scan.outputs.status }}'" | |
| echo "The description is: '${{ steps.rl-scan.outputs.description }}'" | |
| # extract the built layer from artifacts, then publish it based on region | |
| publish_layer: | |
| needs: | |
| - reverselab_scan_layer | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| aws_region: | |
| - ap-northeast-1 | |
| - ap-northeast-2 | |
| - ap-south-1 | |
| - ap-southeast-1 | |
| - ap-southeast-2 | |
| - ca-central-1 | |
| - eu-central-1 | |
| - eu-north-1 | |
| - eu-west-1 | |
| - eu-west-2 | |
| - eu-west-3 | |
| - sa-east-1 | |
| - us-east-1 | |
| - us-east-2 | |
| - us-west-1 | |
| - us-west-2 | |
| arch: | |
| - x86_64 | |
| - arm64 | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v5 | |
| - name: configure AWS ${{ inputs.publish-dest }} credential | |
| uses: aws-actions/configure-aws-credentials@v5 | |
| with: | |
| role-to-assume: ${{ inputs.publish-dest == 'production' && secrets.LAMBDA_PUBLISHER_ARN_PROD || inputs.publish-dest == 'staging' && secrets.LAMBDA_PUBLISHER_ARN_STAGING }} | |
| aws-region: ${{ matrix.aws_region }} | |
| - name: extract layer zip from artifacts | |
| uses: actions/download-artifact@v5 | |
| with: | |
| name: ruby-layer-${{ matrix.arch }}.zip | |
| path: lambda | |
| - name: format version for aws lambda and define lambda ruby version | |
| run: | | |
| APM_VERSION=$(echo "$APM_VERSION" | tr '.' '_') | |
| echo "SOLARWINDS_APM_VERSION=$APM_VERSION" >> $GITHUB_ENV | |
| echo "LAMBDA_RUBY_VERSION=$(echo $ALLOWED_RUBY_VERSION | sed 's/\([0-9]\+\.[0-9]\+\)/ruby\1/g')" >> $GITHUB_ENV | |
| env: | |
| APM_VERSION: ${{needs.reverselab_scan_layer.outputs.apm_ruby_version}} | |
| ALLOWED_RUBY_VERSION: ${{ github.event.inputs.ruby-version }} | |
| - name: publish lambda layer | |
| run: | | |
| cd lambda/ | |
| aws lambda publish-layer-version \ | |
| --layer-name solarwinds-apm-ruby-${{ matrix.arch }}-${{ env.SOLARWINDS_APM_VERSION }} \ | |
| --license-info "Apache 2.0" \ | |
| --compatible-architectures ${{ matrix.arch }} \ | |
| --compatible-runtimes ${{ env.LAMBDA_RUBY_VERSION }} \ | |
| --zip-file fileb://ruby-layer-${{ matrix.arch }}.zip \ | |
| --query 'LayerVersionArn' \ | |
| --output text | |
| - name: grant permissions to public for the published layer | |
| run: | | |
| layer_name=solarwinds-apm-ruby-${{ matrix.arch }}-${{ env.SOLARWINDS_APM_VERSION }} | |
| latest_version=$(aws lambda list-layer-versions --layer-name $layer_name | jq -r '.LayerVersions | max_by(.Version) | .Version') | |
| aws lambda add-layer-version-permission \ | |
| --layer-name $layer_name \ | |
| --statement-id apm-ruby-add-permission \ | |
| --action lambda:GetLayerVersion \ | |
| --principal '*' \ | |
| --version-number $latest_version \ | |
| --output text |