BFD-2906: Automate Maven Release Process (#2061)

Co-authored-by: Brian Burton <[email protected]>
Co-authored-by: Michael J Burling <[email protected]>

.github/workflows/build-release.yml

@@ -0,0 +1,195 @@
+---
+name: "Build Release"
+on:
+  workflow_dispatch:
+    inputs:
+      releaseBranch:
+        description: "The branch on which a release is based"
+        required: false
+        default: master
+      releaseVersion:
+        description: "Version to be used as tag and release"
+        required: true
+        default: X.Y.Z
+      developmentVersion:
+        description: 'Post-release Development version. Should be "(releaseVersion + 1)-SNAPSHOT"'
+        required: true
+        default: X.Y.Z-SNAPSHOT
+      awsRegion:
+        description: "AWS Region to upload artifacts to"
+        required: true
+        default: us-east-1
+
+permissions:
+  id-token: write # This is required for requesting the AWS IAM OIDC JWT
+  contents: write # This is required for actions/checkout
+
+env:
+  # AWS Code Artifact Repository
+  CA_REPOSITORY: bfd-mgmt
+  CA_DOMAIN: bfd-mgmt
+  AWS_REGION: ${{ inputs.awsRegion }}
+
+jobs:
+  mvn-release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Validate Inputs
+        run: |
+          echo "Validating inputs to ensure they conform to expected formats..."
+          echo "${{ inputs.releaseVersion }}" | grep -P '^\d+\.\d+\.\d+$'
+          echo "${{ inputs.developmentVersion }}" | grep -P '^\d+\.\d+\.\d+-SNAPSHOT$'
+
+      - name: "Generate an App Token"
+        id: generate_token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.BFD_RELEASE_APP_ID }}
+          private-key: ${{ secrets.BFD_RELEASE_APP_KEY }}
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.GHA_AWS_IAM_ROLE_ARN }}
+          role-session-name: build-release
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Login to ECR
+        uses: aws-actions/amazon-ecr-login@v1
+        with:
+          mask-password: "true"
+
+      - name: Checkout
+        if: github.event_name == 'workflow_dispatch'
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          ref: ${{ inputs.releaseBranch }}
+          token: ${{ steps.generate_token.outputs.token }}
+
+      - name: Setup JDK
+        uses: actions/setup-java@v3
+        with:
+          java-version: "21"
+          distribution: corretto
+
+      - name: Configure the git user
+        run: |
+          git config --global user.email "[email protected]"
+          git config --global user.name "GitHub Actions"
+
+      - name: Generate maven toolchain config
+        run: |
+          cat << EOF > ~/.m2/toolchains.xml
+          <toolchains>
+            <toolchain>
+              <type>jdk</type>
+              <provides>
+                <version>21</version>
+                <vendor>OpenJDK</vendor>
+              </provides>
+              <configuration>
+                <jdkHome>$JAVA_HOME</jdkHome>
+              </configuration>
+            </toolchain>
+          </toolchains>
+          EOF
+
+      - name: Set Authorization Token
+        run: |
+          CODEARTIFACT_AUTH_TOKEN="$(aws codeartifact get-authorization-token --domain "$CA_DOMAIN" --domain-owner ${{ secrets.AWS_ACCOUNT_ID }} --query authorizationToken --output text --region us-east-1)"
+          echo "::add-mask::$CODEARTIFACT_AUTH_TOKEN"
+          echo CODEARTIFACT_AUTH_TOKEN=$CODEARTIFACT_AUTH_TOKEN >> $GITHUB_ENV
+
+      - name: Get Repository Endpoint
+        run: |
+          CA_REPOSITORY_ENDPOINT="$(aws codeartifact get-repository-endpoint --domain "$CA_DOMAIN" --repository "$CA_REPOSITORY" --format maven --query repositoryEndpoint --output text)"
+          echo "::add-mask::$CA_REPOSITORY_ENDPOINT"
+          echo CA_REPOSITORY_ENDPOINT=$CA_REPOSITORY_ENDPOINT >> $GITHUB_ENV
+
+      - name: Get ECR Registry Namespace
+        run: |
+          ECR_REPOSITORY_NAMESPACE="$(aws ecr describe-registry --region "$AWS_REGION" | jq -r '.registryId').dkr.ecr.${AWS_REGION}.amazonaws.com"
+          echo "::add-mask::$ECR_REPOSITORY_NAMESPACE"
+          echo ECR_REPOSITORY_NAMESPACE=$ECR_REPOSITORY_NAMESPACE >> $GITHUB_ENV
+
+      - name: Configure additional maven settings.xml
+        run: |-
+          cat <<"EOF" > ~/.m2/settings.xml
+          <settings xmlns="http://maven.apache.org/settings/1.0.0" xmlns:xsi="http://www.w3.org/2001/xmlschema-instance"
+          xsi:schemalocation="http://maven.apache.org/settings/1.0.0 https://maven.apache.org/xsd/settings-1.0.0.xsd">
+            <servers>
+              <server>
+                <username>aws</username>
+                <password>${env.CODEARTIFACT_AUTH_TOKEN}</password>
+                <id>${env.CA_DOMAIN}-${env.CA_REPOSITORY}</id>
+              </server>
+              <server>
+                <id>github</id>
+                <username>${env.GITHUB_ACTOR}</username>
+                <password>${env.GITHUB_TOKEN}</password>
+              </server>
+            </servers>
+          </settings>
+          EOF
+
+      - name: "Prepare and Perform Release"
+        if: github.event_name == 'workflow_dispatch'
+        run: |-
+          mvn --batch-mode --activate-profiles test-release \
+              -Dtag="$BFD_RELEASE" \
+              -DreleaseVersion="$BFD_RELEASE" \
+              -DdevelopmentVersion="$BFD_DEV_VERSION" \
+              release:prepare release:perform
+        working-directory: ./apps
+        env:
+          BFD_RELEASE: ${{ inputs.releaseVersion }}
+          BFD_DEV_VERSION: ${{ inputs.developmentVersion }}
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+
+      - name: "Perform Exceptional Rollback"
+        if: failure()
+        run: mvn release:rollback
+        working-directory: ./apps
+
+      - name: Pull Release Files
+        run: |
+          readarray -t assets < <(echo "$CA_DATA_DICTIONARY_ASSETS" | jq -r -c '.[]')
+          for asset in "${assets[@]}"
+          do
+            aws codeartifact get-package-version-asset \
+              --domain-owner ${{ secrets.AWS_ACCOUNT_ID }} \
+              --domain "$CA_DOMAIN" \
+              --repository "$CA_REPOSITORY" \
+              --asset "$asset" \
+              --package-version "${{ inputs.releaseVersion }}" \
+              --package "$CA_PACKAGE" \
+              --namespace "$CA_NAMESPACE" \
+              --format maven \
+              --region "$AWS_REGION" \
+              "${asset/$CA_PACKAGE-/}" 1>/dev/null
+          done
+        env:
+          CA_NAMESPACE: gov.cms.bfd
+          CA_PACKAGE: bfd-server-war
+          CA_DATA_DICTIONARY_ASSETS: |
+            [
+              "bfd-server-war-V1-data-dictionary-${{ inputs.releaseVersion }}.csv",
+              "bfd-server-war-V2-data-dictionary-${{ inputs.releaseVersion }}.csv",
+              "bfd-server-war-V1-data-dictionary-${{ inputs.releaseVersion }}.json",
+              "bfd-server-war-V2-data-dictionary-${{ inputs.releaseVersion }}.json",
+              "bfd-server-war-data-dictionary-${{ inputs.releaseVersion }}.xlsx"
+            ]
+
+      - name: Release
+        uses: softprops/action-gh-release@v1
+        with:
+          prerelease: true
+          generate_release_notes: true
+          fail_on_unmatched_files: true
+          tag_name: "${{ inputs.releaseVersion }}"
+          name: "v${{ inputs.releaseVersion }}"
+          files: |
+            *.csv
+            *.json
+            *.xlsx

.github/workflows/ci-java.yml

@@ -100,14 +100,6 @@ jobs:
           </toolchains>
           EOF
 
-      - name: 'Run Maven Build on FDA Drug Utility'
-        run: mvn --threads 1C --batch-mode -Dmaven.build.cache.enabled=false install
-        working-directory: ./apps/bfd-data-fda
-
-      - name: 'Run Maven Build on NPI Org Utility'
-        run: mvn --threads 1C --batch-mode -Dmaven.build.cache.enabled=false install
-        working-directory: ./apps/bfd-data-npi
-
       - name: 'Run Maven Build'
         run: mvn --threads 1C --quiet --batch-mode -Dmaven.build.cache.enabled=false verify
         working-directory: ./apps

apps/bfd-data-fda/pom.xml

@@ -13,7 +13,6 @@
     <groupId>gov.cms.bfd.data.fda.utility</groupId>
     <artifactId>bfd-data-fda</artifactId>
     <packaging>jar</packaging>
-    <version>1.0-SNAPSHOT</version>
 
     <description>
         FDA Drug code lookup jar

apps/bfd-data-fda/src/main/java/gov/cms/bfd/data/fda/lookup/FdaDrugCodeDisplayLookup.java

@@ -204,6 +204,7 @@ protected Map<String, String> getFdaProcessedData(
     }
     return ndcProcessedData;
   }
+
   /**
    * Returns a inputStream from file name passed in.
    *

apps/bfd-data-npi/pom.xml

@@ -12,7 +12,6 @@
     <groupId>gov.cms.bfd.data.npi</groupId>
     <artifactId>bfd-data-npi</artifactId>
     <packaging>jar</packaging>
-    <version>1.0-SNAPSHOT</version>
 
     <description>
         NPI Org code lookup jar

apps/bfd-data-npi/src/main/java/gov/cms/bfd/data/npi/utility/App.java

@@ -12,6 +12,7 @@
  */
 public final class App {
   private static final Logger LOGGER = LoggerFactory.getLogger(App.class);
+
   /**
    * The name of the classpath resource (for the project's main web application) for the NPI "Orgs"
    * TSV file.

apps/bfd-server/bfd-server-war/pom.xml

@@ -347,7 +347,7 @@
         <dependency>
             <groupId>gov.cms.bfd.data.fda.utility</groupId>
             <artifactId>bfd-data-fda</artifactId>
-            <version>${bfd.data.fda.version}</version>
+            <version>${project.version}</version>
         </dependency>
     </dependencies>
 

apps/bfd-server/pom.xml

@@ -77,7 +77,7 @@
             <dependency>
                 <groupId>gov.cms.bfd.data.fda.utility</groupId>
                 <artifactId>bfd-data-fda</artifactId>
-                <version>${bfd.data.fda.version}</version>
+                <version>${project.version}</version>
             </dependency>
         </dependencies>
     </dependencyManagement>
@@ -93,7 +93,7 @@
         <dependency>
             <groupId>gov.cms.bfd.data.npi</groupId>
             <artifactId>bfd-data-npi</artifactId>
-            <version>${bfd.data.npi.version}</version>
+            <version>${project.version}</version>
         </dependency>
     </dependencies>
 

apps/pom.xml

@@ -38,13 +38,15 @@
 
     <scm>
         <!-- URL format taken from http://www.sonatype.com/people/2009/09/maven-tips-and-tricks-using-github/ -->
-        <connection>scm:git:git@github.com:CMSgov/beneficiary-fhir-data.git</connection>
-        <developerConnection>scm:git:git@github.com:CMSgov/beneficiary-fhir-data.git</developerConnection>
+        <connection>scm:git:https://github.com/CMSgov/beneficiary-fhir-data.git</connection>
+        <developerConnection>scm:git:https://github.com/CMSgov/beneficiary-fhir-data.git</developerConnection>
         <url>https://github.com/CMSgov/beneficiary-fhir-data</url>
         <tag>HEAD</tag>
     </scm>
 
     <modules>
+        <module>bfd-data-npi</module>
+        <module>bfd-data-fda</module>
         <module>bfd-shared-utils</module>
         <module>bfd-shared-test-utils</module>
         <module>bfd-model</module>
@@ -68,8 +70,6 @@
             they are reproducible bit-by-bit no matter when/where they are generated.
             See https://maven.apache.org/guides/mini/guide-reproducible-builds.html -->
         <project.build.outputTimestamp>2022-01-01T00:00:00Z</project.build.outputTimestamp>
-        <bfd.data.fda.version>1.0-SNAPSHOT</bfd.data.fda.version>
-        <bfd.data.npi.version>1.0-SNAPSHOT</bfd.data.npi.version>
         <maven.jacoco.plugin.version>0.8.11</maven.jacoco.plugin.version>
         <!-- Disable jacoco until automated coverage generation is desired -->
         <maven.jacoco.skip>true</maven.jacoco.skip>

ops/terraform/env/mgmt/github-actions-iam.tf

@@ -49,7 +49,54 @@ resource "aws_iam_policy" "github_actions_s3its" {
   "Version": "2012-10-17"
 }
 POLICY
+}
 
+resource "aws_iam_policy" "github_actions_ecr" {
+  name = "bfd-${local.env}-ecr-rw"
+  path = "/"
+  policy = jsonencode(
+    {
+      Statement = [
+        {
+          Action = [
+            "ecr:GetAuthorizationToken",
+          ]
+          Effect   = "Allow"
+          Resource = "*"
+          Sid      = "GetAuthorizationToken"
+        },
+        {
+          Action = [
+            "ecr:BatchGetImage",
+            "ecr:BatchCheckLayerAvailability",
+            "ecr:CompleteLayerUpload",
+            "ecr:GetDownloadUrlForLayer",
+            "ecr:InitiateLayerUpload",
+            "ecr:PutImage",
+            "ecr:UploadLayerPart",
+          ]
+          Effect = "Allow"
+          Resource = [
+            "arn:aws:ecr:us-east-1:${local.account_id}:repository/bfd-db-migrator",
+            "arn:aws:ecr:us-east-1:${local.account_id}:repository/bfd-server",
+            "arn:aws:ecr:us-east-1:${local.account_id}:repository/bfd-pipeline-app",
+          ]
+          Sid = "AllowPushPull"
+        },
+        {
+          Sid    = "AllowDescribeRegistry",
+          Effect = "Allow",
+          Action = [
+            "ecr:DescribeRegistry"
+          ],
+          Resource = [
+            "*"
+          ]
+        }
+      ]
+      Version = "2012-10-17"
+    }
+  )
 }
 
 data "tls_certificate" "github_actions" {
@@ -68,8 +115,9 @@ resource "aws_iam_role" "github_actions" {
   description = "OIDC Assumable GitHub Actions Role"
 
   managed_policy_arns = [
-    aws_iam_policy.code_artifact_ro.arn,
-    aws_iam_policy.github_actions_s3its.arn
+    aws_iam_policy.code_artifact_rw.arn,
+    aws_iam_policy.github_actions_s3its.arn,
+    aws_iam_policy.github_actions_ecr.arn
   ]
 
   assume_role_policy = jsonencode(

ops/terraform/env/mgmt/iam.tf

@@ -136,7 +136,8 @@ resource "aws_iam_policy" "code_artifact_rw" {
         "codeartifact:ReadFromRepository",
         "codeartifact:TagResource",
         "codeartifact:UntagResource",
-        "codeartifact:UpdatePackageVersionsStatus"
+        "codeartifact:UpdatePackageVersionsStatus",
+        "codeartifact:GetAuthorizationToken"
       ],
       "Effect": "Allow",
       "Resource": [
@@ -147,18 +148,15 @@ resource "aws_iam_policy" "code_artifact_rw" {
       "Sid": "CodeArtifactReadWrite"
     },
     {
-      "Action": "codeartifact:GetAuthorizationToken",
+      "Action": "sts:GetServiceBearerToken",
       "Effect": "Allow",
-      "Resource": [
-        "${aws_codeartifact_domain.this.arn}"
-      ],
-      "Sid": "CodeArtifactAuthToken"
+      "Resource": "*",
+      "Sid": "TempCreds"
     }
   ],
   "Version": "2012-10-17"
 }
 POLICY
-
 }
 
 resource "aws_iam_policy" "code_artifact_ro" {