.github/workflows/release_build.yml

name: Release Build
on:
  workflow_dispatch:
    inputs:
      version:
        description: The version to tag the release with, e.g., 1.2.0
        required: true

env:
  AWS_DEFAULT_REGION: us-east-1
  AWS_PUBLIC_ECR_REGION: us-east-1
  AWS_PRIVATE_ECR_REGION: us-west-2
  RELEASE_PUBLIC_REPOSITORY: public.ecr.aws/aws-observability/adot-autoinstrumentation-python
  RELEASE_PRIVATE_REPOSITORY: 020628701572.dkr.ecr.us-west-2.amazonaws.com/adot-autoinstrumentation-python
  RELEASE_PRIVATE_REGISTRY: 020628701572.dkr.ecr.us-west-2.amazonaws.com
  PACKAGE_NAME: aws-opentelemetry-distro

permissions:
  id-token: write
  contents: write

jobs:
  build:
    environment: Release
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repo @ SHA - ${{ github.sha }}
        uses: actions/checkout@v4

      - name: Build Wheel and Image Files
        uses: ./.github/actions/artifacts_build
        with:
          image_uri_with_tag: "adot-autoinstrumentation-python:test"
          push_image: false
          load_image: true
          python_version: "3.10"
          package_name: aws-opentelemetry-distro
          os: ubuntu-latest

      # TODO: Add some sort of smoke/integration testing before we go
      # release the artifacts. adot java for reference:
      # https://github.com/aws-observability/aws-otel-java-instrumentation/tree/93870a550ac30988fbdd5d3bf1e8f9f1b37916f5/smoke-tests

      - name: Configure AWS credentials for PyPI secrets
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN_SECRETS_MANAGER }}
          aws-region: ${{ env.AWS_DEFAULT_REGION }}
      
      - name: Get PyPI secrets
        uses: aws-actions/aws-secretsmanager-get-secrets@v1
        id: pypi_secrets
        with:
          secret-ids: |
            PROD_PYPI_TOKEN,${{ secrets.PYPI_PROD_TOKEN_SECRET_ARN }}
            TEST_PYPI_TOKEN,${{ secrets.PYPI_TEST_TOKEN_SECRET_ARN }}
          parse-json-secrets: true

      - name: Configure AWS credentials for private ECR
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN_ECR_RELEASE }}
          aws-region: ${{ env.AWS_PRIVATE_ECR_REGION }}

      - name: Log in to AWS private ECR
        uses: docker/login-action@v3
        with:
          registry: ${{ env.RELEASE_PRIVATE_REGISTRY }}

      - name: Configure AWS credentials for public ECR
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN_ECR_RELEASE }}
          aws-region: ${{ env.AWS_PUBLIC_ECR_REGION }}

      - name: Log in to AWS public ECR
        uses: docker/login-action@v3
        with:
          registry: public.ecr.aws

      # The step below publishes to testpypi in order to catch any issues
      # with the package configuration that would cause a failure to upload to pypi.
      - name: Install twine
        run: pip install twine
      
      - name: Publish to TestPyPI
        env:
          TWINE_USERNAME: '__token__'
          TWINE_PASSWORD: ${{ env.TEST_PYPI_TOKEN_API_TOKEN }}
        run: |
          twine upload --repository testpypi --skip-existing --verbose dist/aws_opentelemetry_distro-${{ github.event.inputs.version }}-py3-none-any.whl

      # Publish to prod PyPI
      - name: Publish to PyPI
        env:
          TWINE_USERNAME: '__token__'
          TWINE_PASSWORD: ${{ env.PROD_PYPI_TOKEN_API_TOKEN }}
        run: |
          twine upload --skip-existing --verbose dist/aws_opentelemetry_distro-${{ github.event.inputs.version }}-py3-none-any.whl

      # Publish to public ECR
      - name: Build and push public ECR image
        uses: docker/build-push-action@v5
        with:
          push: true
          context: .
          file: ./Dockerfile
          platforms: linux/amd64,linux/arm64
          tags: |
            ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }}

      # Publish to private ECR
      - name: Build and push private ECR image
        uses: docker/build-push-action@v5
        with:
          push: true
          context: .
          file: ./Dockerfile
          platforms: linux/amd64,linux/arm64
          tags: |
            ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}

      # Publish to GitHub releases
      - name: Create GH release
        id: create_release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
        run: |
          gh release create --target "$GITHUB_REF_NAME" \
             --title "Release v${{ github.event.inputs.version }}" \
             --draft \
             "v${{ github.event.inputs.version }}" \
             dist/aws_opentelemetry_distro-${{ github.event.inputs.version }}-py3-none-any.whl