README.md (18 additions & 20 deletions)
@@ -10,8 +10,6 @@ This is especially useful in microservices where the releases are _binary_ + _Ia
10
10
11
11
The action comes with an **ecosystem**:
12
12
- Terraform modules to provide AWS roles and policies to [read](https://registry.terraform.io/modules/agilecustoms/ci-builder/aws/latest) and [publish](https://registry.terraform.io/modules/agilecustoms/ci-publisher/aws/latest) artifacts
13
-
- (Fall 2025) Terraform module to create security-aware GitHub repo
14
-
- (Fall 2025) GitHub action to access terraform modules from corporate private GH repos
15
13
- GitHub actions to use in build workflows, e.g., [setup-maven-codeartifact](https://github.com/agilecustoms/setup-maven-codeartifact)
16
14
- documentation and examples for all supported [artifact types](./docs/artifact-types/index.md)
17
15
-[Authorization and Security](./docs/authorization.md) — how to make releases secure, including self-service (dev-releases)
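Review bot: dropping the two "(Fall 2025)" entries from the ecosystem list is the right call, since unreleased items do not belong in a list of what ships today; add a link to `docs/roadmap.md` at the end of the list so readers can still find them, because after this change they live only in the roadmap file edited in the same commit.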
@@ -31,13 +29,13 @@ The action comes with an **ecosystem**:
31
29
32
30
## Artifact types ⇔ features
33
31
34
-
| Artifact type | floating tags | idempotency | dev-release — auto cleanup |
_See the respective artifact type to learn about idempotency limitations ⚠️_
43
41
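Review bot: in this rendering the table header `| Artifact type | floating tags | idempotency | dev-release — auto cleanup |` shows only as a removed line with no replacement visible; confirm the header row (and the idempotency-limitations note under it) is intact in the result before merging.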
@@ -58,10 +56,10 @@ on:
58
56
jobs:
59
57
Release:
60
58
runs-on: ubuntu-latest
61
-
environment: release
59
+
environment: release# has secret GH_TOKEN - a PAT with permission to bypass branch protection rule
62
60
permissions:
63
-
contents: read
64
-
id-token: write
61
+
contents: read# to checkout code
62
+
id-token: write# to assume AWS role via OIDC
65
63
steps:
66
64
# (example) package AWS Lambda code as a zip archive in ./s3 directory
67
65
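Review bot: the three new inline comments are rendered with no space before `#` (`environment: release# has secret ...`, `contents: read# to checkout code`, `id-token: write# to assume AWS role via OIDC`); if the source file really has none, YAML treats `#` as part of the scalar and the environment name becomes `release# has secret ...` instead of `release`, so make sure each comment is separated from its value by at least one space. The comment on `environment: release` usefully flags that this environment holds a PAT that can bypass branch protection; it is worth adding that the environment's own rules (the `main` branch association from the Assume section) are what keep that PAT out of reach of other workflows.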
@@ -79,7 +77,7 @@ jobs:
79
77
Assume:
80
78
- you store artifacts in AWS account "Dist" and its number is stored in GH org variable `AWS_ACCOUNT_DIST`
81
79
- you have an S3 bucket `mycompany-dist` in `us-east-1` region
82
-
- there is a role `ci/publisher` with permissions to upload files in this S3 bucket
80
+
- there is a role `ci/publisher` with permissions to upload files in this S3 bucket and trust policy that allows to assume this role from GH action
83
81
- you have repo `mycompany/myapp`
84
82
- current release branch `main` has a protection rule so all changes must be done via PR
85
83
- you have a GH environment `release` associated with branch `main`
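Review bot: the added clause reads awkwardly ("trust policy that allows to assume this role from GH action"); suggest "and a trust policy that lets this repository's GitHub Actions workflows assume it". Because the example uses OIDC and a dedicated `release` environment, also say the trust policy should be limited to `mycompany/myapp` (ideally to that environment) rather than to any GitHub Actions caller, since the role can write to the `mycompany-dist` bucket.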
@@ -93,7 +91,7 @@ Scenario:
93
91
- build steps (omitted) produced a directory `./s3` with files (like a zip archive for AWS Lambda)
94
92
95
93
The action will:
96
-
- generate a new version `v1.3.0`
94
+
- generate a new version `v1.3.0` (minor bump based on commit message prefix `feat:`)
97
95
- upload files from `./s3` directory to S3 bucket `mycompany-dist` at path `/myapp/v1.3.0/`
98
96
- update `CHANGELOG.md` with release notes
99
97
- push tags `v1.3.0`, `v1.3`, `v1` and `latest` to the remote repository
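Review bot: the new parenthetical "minor bump based on commit message prefix `feat:`" should be tied to the scenario above it, e.g. "because the merged PR's commit message starts with `feat:`", so readers see which input drives the version, and it should mention that this mapping depends on the commit analyzer preset referenced in the `npm-extra-deps` input.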
@@ -111,7 +109,7 @@ _There are no required inputs. The action only controls that the combination of
111
109
| aws-codeartifact-maven | | If true, then publish maven artifacts to AWS CodeArtifact |
112
110
| aws-ecr | | If true, then push docker image to AWS ECR, [example](./docs/artifact-types/aws-ecr.md) |
113
111
| aws-region | | AWS region |
114
-
| aws-role | | AWS IAM role to assume to publish, e.g., `/ci/publisher` |
112
+
| aws-role | | AWS IAM role to assume to publish, e.g., `ci/publisher` |
115
113
| aws-s3-bucket | | AWS S3 bucket to upload artifacts to |
116
114
| aws-s3-dir | | Allows you to specify AWS S3 bucket directory to upload artifacts to. By default, just place in `bucket/{repo-name}/{version}/*` |
117
115
| changelog-file | CHANGELOG.md | Changelog file path. Pass an empty string to disable changelog generation |
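Review bot: removing the leading slash in `ci/publisher` makes the example consistent with the role name used in the Assume section; since the account number comes separately from `AWS_ACCOUNT_DIST`, the `aws-role` description should also state whether it accepts only the role name/path within that account or a full ARN.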
@@ -121,7 +119,7 @@ _There are no required inputs. The action only controls that the combination of
121
119
| floating-tags | true | When next version to be released is `1.2.4`, then also release `1.2`, `1` and `latest`. Not desired for public terraform modules |
122
120
| npm-extra-deps | | Additional npm dependencies needed to use non-default commit analyzer preset, e.g., `conventional-changelog-conventionalcommits@9.1.0`. Use white space or new line to specify multiple deps (extremely rare) |
123
121
| npm-visibility | public | Used together with env variable `NPM_TOKEN` to publish npm package. Specifies package visibility: public or private (not tested yet). [Example](./docs/artifact-types/npmjs.md) |
124
-
| node-version | 22 | Node.js version to publish npm packages. Default is 22 because it is the highest pre-cached in Ubuntu 24 |
122
+
| node-version | 22 | Node.js version to publish npm packages. Default is 22 because it is the highest pre-cached in Ubuntu 24 (latest at time of writing) |
125
123
| java-version | 21 | Java version to use with input `aws-codeartifact-maven`. [Example](./docs/artifact-types/aws-codeartifact-maven.md) |
126
124
| pre-publish-script | | Custom sh script that allows you to update version in arbitrary file(s), not only files governed by build tool (pom.xml, package.json, etc.). In this script you can use variable `$version`. See example in [npmjs](./docs/artifact-types/npmjs.md) |
127
125
| release-branches | (see description) | Semantic-release [branches](https://semantic-release.gitbook.io/semantic-release/usage/configuration#branches), mainly used to support [maintenance releases](./docs/features/maintenance-release.md) and [prereleases](./docs/features/prerelease.md) |
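Review bot: "(latest at time of writing)" is ambiguous about whether it refers to Node 22 or to Ubuntu 24; say which, e.g. "Ubuntu 24, the latest runner image at time of writing", and ideally give the date so the remark does not silently go stale.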
@@ -141,10 +139,10 @@ _There are no required inputs. The action only controls that the combination of
| GH_TOKEN | Takes GH PAT with permission to bypass the branch protection rule. Required if `release-gh: true` (default). See details in [Authorization and Security](./docs/authorization.md) |
147
-
| NPM_TOKEN | If specified, publish npm package in npmjs repo. See [details](./docs/artifact-types/npmjs.md) |
| GH_TOKEN | Takes GH PAT with permission to bypass the branch and tags protection rules. See details in [Authorization and Security](./docs/authorization.md) |
145
+
| NPM_TOKEN | If specified, publish npm package in npmjs repo. See [details](./docs/artifact-types/npmjs.md) |
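Review bot: the new GH_TOKEN description drops "Required if `release-gh: true` (default)"; unless that input was removed elsewhere in this change, keep the conditional so users know when the PAT is needed and that it can be omitted when GitHub release pushing is disabled. Adding "tags protection rules" is a good correction, since the action pushes the `v1.3.0`, `v1.3`, `v1` and `latest` tags.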
docs/roadmap.md (7 additions & 3 deletions)
@@ -1,14 +1,18 @@
1
1
# Roadmap
2
2
3
-
Below is the list of potential future features:
3
+
Fall 2025:
4
+
- Terraform module to create security-aware GitHub repo
5
+
- GitHub action to access terraform modules from corporate private GH repos
6
+
- setup-maven-codeartifact support Maven 4
7
+
- publish in Maven central
8
+
- publish Python packages (pip and Twine) in CodeArtifact
4
9
10
+
Potential future features (not prioritized):
5
11
- publish in AWS CodeArtifact. Every artifact type will require a corresponding GH action like [setup-maven-codeartifact](https://github.com/agilecustoms/setup-maven-codeartifact)
6
12
- npm (and Yarn) repository
7
-
- pip (and Twine) repository
8
13
- Gradle repository
9
14
- publish in non-AWS repositories
10
15
- private npmjs repository
11
-
- Maven central
12
16
- GitHub release
13
17
- ability to specify a list of files to include release
14
18
- integration between release and issues/PRs, ex: close issues fixed in a release, see [semantic-release/github](https://github.com/semantic-release/github)
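Review bot: "Terraform module to create security-aware GitHub repo" is vague; spell out what the module configures (for example the branch protection rule on the release branch and the `release` environment that the README example assumes) so the roadmap item is checkable. "Fall 2025:" and "Potential future features (not prioritized):" are plain lines in a file whose only heading is `# Roadmap`; making them `##` subheadings would match the README's section style.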