Add automated releasing, reset version to v0.1.0 (#40)

Author: gl-johnson

.codeclimate.yml

@@ -42,6 +42,12 @@ plugins:
   # Markdown
   markdownlint:
     enabled: true
+    checks:
+      # Disable checks that conflict with our preferred changelog format
+      MD022:
+        enabled: false
+      MD032:
+        enabled: false
     issue_override:
       severity: info # Should be redundant as CC says markdownlint defaults to
                      # info already, but including it here to remind us it's so

CHANGELOG.md

@@ -6,10 +6,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
-## [8.0.0] - 2022-09-08
+## [0.1.0] - 2023-02-14
 
 ### Added
-
 - Add support for Role Memberships endpoint
   [conjur-api-python#30](https://github.com/cyberark/conjur-api-python/pull/33)
 - Add support for Check Privilege endpoint
@@ -36,14 +35,12 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
   [conjur-api-python#19](https://github.com/cyberark/conjur-api-python/pull/19)
 
 ### Changed
-
 - Include system truststore certs even if cert_file config is present
   [conjur-api-python#37](https://github.com/cyberark/conjur-api-python/pull/37)
 - Abstract authentication flow into new `AuthenticationStrategyInterface`
   [conjur-api-python#20](https://github.com/cyberark/conjur-api-python/pull/20)
 - Store API key in `CreditentialsData` object
   [conjur-api-python#23](https://github.com/cyberark/conjur-api-python/pull/23)
 
-
-[Unreleased]: https://github.com/cyberark/conjur-api-python/compare/v8.0.0...HEAD
-[8.0.0]: https://github.com/cyberark/conjur-api-python/releases/tag/v8.0.0
+[Unreleased]: https://github.com/cyberark/conjur-api-python/compare/v0.1.0...HEAD
+[0.1.0]: https://github.com/cyberark/conjur-api-python/releases/tag/v0.1.0

CONTRIBUTING.md

@@ -111,24 +111,40 @@ The connection parameters to Conjur are:
 
 ## Releases
 
-This section describes the requirements for releasing a Conjur python SDK.
-
-### Checklist
-
-1. Create a release branch from main
-2. Verify that all changes related to the version are applied to `README`,`CHANGELOG` and `NOTICES` files
-3. Verify that Jenkins Pipeline is green
-4. Bump the version in `conjur_api.__init__.py` file
-5. Merge the branch into main
-6. Create and push a tag using the following naming convention: v<version_number>, for example `v8.1.0`
-7. Follow the Jenkins Pipeline and verify that it's green and that `Publish to PyPI` step ended successfully
-8. Log into https://pypi.org and verify that the package uploaded successfully
-9. Import the package locally by running `pip install conjur-api==<version_number>`, for example 
-   `pip install conjur-api==8.1.0`
-10. Create a release page from the tag.
-    [Click here for assistance](https://docs.github.com/en/repositories/releasing-projects-on-github/managing-releases-in-a-repository)
-11. On the releases page, write all the changes affecting this version (This can be taken from the changelog)
-12. Update all stakeholders that the release was completed successfully
+Releases should be created by maintainers only. To create and promote a release, follow the instructions in this section.
+
+### Update the changelog and notices
+
+**NOTE:** If the Changelog and NOTICES.txt are already up-to-date, skip this
+step and promote the desired release build from the main branch.
+
+1. Create a new branch for the version bump.
+1. Based on the changelog content, determine the new version number and update.
+1. Review the git log and ensure the [changelog](CHANGELOG.md) contains all
+   relevant recent changes with references to GitHub issues or PRs, if possible.
+1. Review the changes since the last tag, and if the dependencies have changed
+   revise the [NOTICES](NOTICES.txt) to correctly capture the included
+   dependencies and their licenses / copyrights.
+1. Commit these changes - `Bump version to x.y.z` is an acceptable commit
+   message - and open a PR for review.
+
+### Release and Promote
+
+1. Merging into the main branch will automatically trigger a release build.
+   If successful, this release can be promoted at a later time.
+1. Jenkins build parameters can be utilized to promote a successful release
+   or manually trigger aditional releases as needed.
+1. Reference the [internal automated release doc](https://github.com/conjurinc/docs/blob/master/reference/infrastructure/automated_releases.md#release-and-promotion-process)
+for releasing and promoting.
+
+### Manual Verification
+
+1. Log into [PyPI](https://pypi.org)and verify that the package uploaded successfully
+1. Import the package locally by running `pip install conjur-api==<version_number>`,
+for example `pip install conjur-api==0.0.5`
+1. Verify git release page from the tag.
+[Click here for assistance](https://docs.github.com/en/repositories/releasing-projects-on-github/managing-releases-in-a-repository)
+
 
 ## Contributing workflow
 

Jenkinsfile

@@ -1,5 +1,27 @@
 #!/usr/bin/env groovy
 
+// Automated release, promotion and dependencies
+properties([
+  // Include the automated release parameters for the build
+  release.addParams(),
+  // Dependencies of the project that should trigger builds
+  // dependencies([ ])
+])
+
+// Performs release promotion.  No other stages will be run
+if (params.MODE == "PROMOTE") {
+  release.promote(params.VERSION_TO_PROMOTE) { sourceVersion, targetVersion, assetDirectory ->
+    // Any assets from sourceVersion Github release are available in assetDirectory
+    // Any version number updates from sourceVersion to targetVersion occur here
+    // Any publishing of targetVersion artifacts occur here
+    // Anything added to assetDirectory will be attached to the Github Release
+
+    // Publish target version.
+    sh "summon -e production ./ci/publish/publish_package ${targetVersion}"
+  }
+  return
+}
+
 pipeline {
   agent { label 'executor-v2' }
 
@@ -8,13 +30,48 @@ pipeline {
     buildDiscarder(logRotator(numToKeepStr: '30'))
   }
 
+  environment {
+    // Sets the MODE to the specified or autocalculated value as appropriate
+    MODE = release.canonicalizeMode()
+  }
+
   triggers {
     cron(getDailyCronString())
   }
+
   stages {
-      stage('Linting') {
+    // Aborts any builds triggered by another project that wouldn't include any changes
+    stage ("Skip build if triggering job didn't create a release") {
+      when {
+        expression {
+          MODE == "SKIP"
+        }
+      }
+      steps {
+        script {
+          currentBuild.result = 'ABORTED'
+          error("Aborting build because this build was triggered from upstream, but no release was built")
+        }
+      }
+    }
+
+    stage('Validate') {
+      parallel {
+        stage('Changelog') {
+          steps { sh './ci/test/parse-changelog.sh' }
+        }
+        stage('Linting') {
         steps { sh './ci/test/test_linting.sh' }
+        }
       }
+    }
+
+    // Generates a VERSION file based on the current build number and latest version in CHANGELOG.md
+    stage('Validate changelog and set version') {
+      steps {
+        updateVersion("CHANGELOG.md", "${BUILD_NUMBER}")
+      }
+    }
 
     stage('Unit tests') {
       steps {
@@ -55,27 +112,25 @@ pipeline {
       }
     }
 
-    stage('Publish to PyPI') {
-      steps {
-        echo 'Check if publish is required'
-        sh 'summon -e production ./ci/publish/run_is_publish_required'
-
-        echo 'Publish to PyPi'
-        sh 'summon -e production ./ci/publish/publish_package'
-      }
+    stage('Release') {
       when {
-        tag "v*"
+        expression {
+          MODE == "RELEASE"
+        }
+      }
+
+      steps {
+        release { billOfMaterialsDirectory, assetDirectory, toolsDirectory ->
+          // Publish release artifacts to all the appropriate locations
+          // Copy any artifacts to assetDirectory to attach them to the Github release
+        }
       }
     }
   }
+
   post {
     always {
       cleanupAndNotify(currentBuild.currentResult)
     }
-    unsuccessful {
-      script {
-          cleanupAndNotify(currentBuild.currentResult, notify_team_teams = 'Secrets Manager HQ')
-      }
-    }
   }
 }

ci/publish/Dockerfile.publish

@@ -1,4 +1,4 @@
-FROM ubuntu:20.04
+FROM ubuntu:23.04
 ENV INSTALL_DIR=/opt/conjur-api-python3
 ENV DEBIAN_FRONTEND noninteractive
 RUN apt-get update && \

ci/publish/build_publish_container

@@ -1,37 +1,71 @@
 #!/bin/bash -e
 
-CURRENT_DIR=$(pwd)
+main() {
+TWINE_REPOSITORY_URL="https://upload.pypi.org/legacy/"
+replace_version="$1"
 
-REQUIRED_VARS=( "TWINE_REPOSITORY_URL"
-                "TWINE_USERNAME"
-                "TWINE_PASSWORD" )
+check_required_vars
+update_version
+build_publish_container
+publish_to_pypi
+}
 
-# Sanity check
-for required_var in "${REQUIRED_VARS[@]}"; do
-  if [[ "${!required_var}" == "" ]]; then
-    echo "ERROR: '$required_var' not set!"
+check_required_vars() {
+  REQUIRED_VARS=( "TWINE_USERNAME"
+                  "TWINE_PASSWORD" )
+
+  for required_var in "${REQUIRED_VARS[@]}"; do
+    if [[ "${!required_var}" == "" ]]; then
+      echo "ERROR: '$required_var' not set! Ensure you are running this script with Summon."
+      exit 1
+    fi
+  done
+}
+
+update_version() {
+  if [ -z "$replace_version" ]; then
+    echo "No version argument supplied"
     exit 1
+  else
+    echo "Updating module to version $replace_version"
+    local path="./conjur_api/__init__.py"
+    local sed_expr="s/__version__ =.+/__version__ = \"$replace_version\"/"
+
+    if [[ "$OSTYPE" == "darwin"* ]]; then
+      sed -E -i "" -e "$sed_expr" "$path"
+    else
+      sed -E -i -e "$sed_expr" "$path"
+    fi
   fi
-done
-
-echo "Publishing to PyPI..."
-rm -rf $CURRENT_DIR/dist/
-docker run --rm \
-           -t \
-           -e TWINE_REPOSITORY_URL \
-           -e TWINE_USERNAME \
-           -e TWINE_PASSWORD \
-           -v "$(pwd):/opt/conjur-api-python3" \
-           conjur-api-python3-publish bash -exc "
-               echo 'Installing new versions of pip and wheel...'
-               /usr/bin/env pip3 install --upgrade pip wheel
-
-               echo 'Building distributable package...'
-               /usr/bin/env python3 -m build
-
-               echo 'Testing artifacts in dist/*'
-               /usr/bin/env twine check dist/*
-
-               echo 'Publishing package to \$TWINE_REPOSITORY_URL using account '\$TWINE_USERNAME'...'
-               /usr/bin/env twine upload --repository $TWINE_REPOSITORY_URL dist/*
-           "
+}
+
+build_publish_container() {
+  docker build -f ./ci/publish/Dockerfile.publish \
+             -t conjur-api-python3-publish \
+             .
+}
+
+publish_to_pypi() {
+  echo "Publishing to PyPI..."
+  rm -rf ./dist/
+  docker run --rm \
+            -t \
+            -e TWINE_REPOSITORY_URL \
+            -e TWINE_USERNAME \
+            -e TWINE_PASSWORD \
+            conjur-api-python3-publish bash -exc "
+                echo 'Installing new versions of pip and wheel...'
+                /usr/bin/env pip3 install --upgrade pip wheel
+
+                echo 'Building distributable package...'
+                /usr/bin/env python3 -m build
+
+                echo 'Testing artifacts in dist/*'
+                /usr/bin/env twine check dist/*
+
+                echo 'Publishing package to '\$TWINE_REPOSITORY_URL' using account '\$TWINE_USERNAME'...'
+                /usr/bin/env twine upload --skip-existing --repository-url $TWINE_REPOSITORY_URL dist/*
+            "
+}
+
+main "$@"