From d9a210b5203e59b6070501a57852ce679d666976 Mon Sep 17 00:00:00 2001
From: Kendra Neil <53584728+TheRealAmazonKendra@users.noreply.github.com>
Date: Thu, 29 Aug 2024 13:33:12 -0700
Subject: [PATCH] chore: setup releases for v3 release candidates

---
 .github/workflows/release-v2-main.yml | 35 +++++++++++++++++++++++++--
 .github/workflows/release.yml         | 35 +++++++++++++++++++++++++--
 .gitignore                            |  1 +
 .projen/tasks.json                    | 17 +++++++++++++
 .projenrc.ts                          | 29 ++++++++++++++++++++--
 README.md                             | 17 ++++++++++++-
 package.json                          |  1 +
 7 files changed, 128 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/release-v2-main.yml b/.github/workflows/release-v2-main.yml
index d5214a2..f043770 100644
--- a/.github/workflows/release-v2-main.yml
+++ b/.github/workflows/release-v2-main.yml
@@ -27,6 +27,8 @@ jobs:
           git config user.email "github-actions@github.com"
       - name: Install dependencies
         run: yarn install --check-files --frozen-lockfile
+      - name: Shrinkwrap
+        run: npx projen shrinkwrap
       - name: release:v2-main
         run: npx projen release:v2-main
       - name: Check if version has already been tagged
@@ -53,7 +55,9 @@ jobs:
           overwrite: true
   release_github:
     name: Publish to GitHub Releases
-    needs: release
+    needs:
+      - release
+      - release_npm
     runs-on: ubuntu-latest
     permissions:
       contents: write
@@ -75,4 +79,31 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GITHUB_REPOSITORY: ${{ github.repository }}
           GITHUB_REF: ${{ github.sha }}
-        run: 'echo "DRY RUN: errout=$(mktemp); gh release create $(cat dist/releasetag.txt) -R $GITHUB_REPOSITORY -F dist/changelog.md -t $(cat dist/releasetag.txt) --target $GITHUB_REF 2> $errout && true; exitcode=$?; if [ $exitcode -ne 0 ] && ! grep -q "Release.tag_name already exists" $errout; then cat $errout; exit $exitcode; fi"'
+        run: errout=$(mktemp); gh release create $(cat dist/releasetag.txt) -R $GITHUB_REPOSITORY -F dist/changelog.md -t $(cat dist/releasetag.txt) --target $GITHUB_REF 2> $errout && true; exitcode=$?; if [ $exitcode -ne 0 ] && ! grep -q "Release.tag_name already exists" $errout; then cat $errout; exit $exitcode; fi
+  release_npm:
+    name: Publish to npm
+    needs: release
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    if: needs.release.outputs.tag_exists != 'true' && needs.release.outputs.latest_commit == github.sha
+    steps:
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 18.x
+      - name: Download build artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: build-artifact
+          path: dist
+      - name: Restore build artifact permissions
+        run: cd dist && setfacl --restore=permissions-backup.acl
+        continue-on-error: true
+      - name: Release
+        env:
+          NPM_DIST_TAG: latest
+          NPM_REGISTRY: registry.npmjs.org
+          NPM_CONFIG_PROVENANCE: "true"
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: npx -p publib@latest publib-npm
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3c5a0a6..6f47d80 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -27,6 +27,8 @@ jobs:
           git config user.email "github-actions@github.com"
       - name: Install dependencies
         run: yarn install --check-files --frozen-lockfile
+      - name: Shrinkwrap
+        run: npx projen shrinkwrap
       - name: release
         run: npx projen release
       - name: Check if version has already been tagged
@@ -53,7 +55,9 @@ jobs:
           overwrite: true
   release_github:
     name: Publish to GitHub Releases
-    needs: release
+    needs:
+      - release
+      - release_npm
     runs-on: ubuntu-latest
     permissions:
       contents: write
@@ -75,4 +79,31 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GITHUB_REPOSITORY: ${{ github.repository }}
           GITHUB_REF: ${{ github.sha }}
-        run: 'echo "DRY RUN: errout=$(mktemp); gh release create $(cat dist/releasetag.txt) -R $GITHUB_REPOSITORY -F dist/changelog.md -t $(cat dist/releasetag.txt) --target $GITHUB_REF -p 2> $errout && true; exitcode=$?; if [ $exitcode -ne 0 ] && ! grep -q "Release.tag_name already exists" $errout; then cat $errout; exit $exitcode; fi"'
+        run: errout=$(mktemp); gh release create $(cat dist/releasetag.txt) -R $GITHUB_REPOSITORY -F dist/changelog.md -t $(cat dist/releasetag.txt) --target $GITHUB_REF -p 2> $errout && true; exitcode=$?; if [ $exitcode -ne 0 ] && ! grep -q "Release.tag_name already exists" $errout; then cat $errout; exit $exitcode; fi
+  release_npm:
+    name: Publish to npm
+    needs: release
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    if: needs.release.outputs.tag_exists != 'true' && needs.release.outputs.latest_commit == github.sha
+    steps:
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 18.x
+      - name: Download build artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: build-artifact
+          path: dist
+      - name: Restore build artifact permissions
+        run: cd dist && setfacl --restore=permissions-backup.acl
+        continue-on-error: true
+      - name: Release
+        env:
+          NPM_DIST_TAG: v3-latest
+          NPM_REGISTRY: registry.npmjs.org
+          NPM_CONFIG_PROVENANCE: "true"
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: npx -p publib@latest publib-npm
diff --git a/.gitignore b/.gitignore
index c0fb610..928da59 100644
--- a/.gitignore
+++ b/.gitignore
@@ -34,6 +34,7 @@ jspm_packages/
 **/*.d.ts
 **/*.js
 **/.DS_Store
+npm-shrinkwrap.json
 /test-reports/
 junit.xml
 !/jest.config.json
diff --git a/.projen/tasks.json b/.projen/tasks.json
index 3d9ae12..228f63e 100644
--- a/.projen/tasks.json
+++ b/.projen/tasks.json
@@ -207,6 +207,23 @@
         }
       ]
     },
+    "shrinkwrap": {
+      "name": "shrinkwrap",
+      "steps": [
+        {
+          "spawn": "bump"
+        },
+        {
+          "exec": "npm shrinkwrap"
+        },
+        {
+          "spawn": "unbump"
+        },
+        {
+          "exec": "git checkout HEAD -- yarn.lock"
+        }
+      ]
+    },
     "test": {
       "name": "test",
       "description": "Run tests",
diff --git a/.projenrc.ts b/.projenrc.ts
index 195403a..7ee3532 100644
--- a/.projenrc.ts
+++ b/.projenrc.ts
@@ -2,15 +2,17 @@ import { typescript } from 'projen';
 const project = new typescript.TypeScriptProject({
   name: 'cdk-assets',
   projenrcTs: true,
-  publishDryRun: true,
   defaultReleaseBranch: 'main',
   majorVersion: 3,
   prerelease: 'rc',
   releaseBranches: {
     'v2-main': {
       majorVersion: 2,
+      npmDistTag: 'latest',
     },
   },
+  releaseToNpm: true,
+  npmDistTag: 'v3-latest',
   autoApproveUpgrades: true,
   autoApproveOptions: {
     allowedUsernames: ['aws-cdk-automation'],
@@ -92,7 +94,13 @@ const project = new typescript.TypeScriptProject({
     include: ['bin/**/*.ts'],
   },
   srcdir: 'lib',
-  gitignore: ['**/*.d.ts', '**/*.js', '**/.DS_Store'],
+  gitignore: ['**/*.d.ts', '**/*.js', '**/.DS_Store', 'npm-shrinkwrap.json'],
+  releaseWorkflowSetupSteps: [
+    {
+      name: 'Shrinkwrap',
+      run: 'npx projen shrinkwrap',
+    },
+  ],
 });
 
 project.addPackageIgnore('*.ts');
@@ -105,4 +113,21 @@ project.eslint?.addRules({
   ],
 });
 
+project.addTask('shrinkwrap', {
+  steps: [
+    {
+      spawn: 'bump',
+    },
+    {
+      exec: 'npm shrinkwrap',
+    },
+    {
+      spawn: 'unbump',
+    },
+    {
+      exec: 'git checkout HEAD -- yarn.lock',
+    },
+  ],
+});
+
 project.synth();
diff --git a/README.md b/README.md
index f418995..e291d2f 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,19 @@
 # cdk-assets
 
+<!--BEGIN STABILITY BANNER-->
+
+---
+
+> V3 of cdk-assets is still under active development and is subject to non-backward compatible changes while
+> being released with the `rc` suffix. 
+> 
+> These changes are not subject to the [Semantic Versioning](https://semver.org/) model and breaking changes 
+> will be announced in the release notes.
+
+---
+
+<!--END STABILITY BANNER-->
+
 A tool for publishing CDK assets to AWS environments.
 
 ## Overview
@@ -39,7 +53,8 @@ asset, or the name of the local Docker image.
 
 The `cdk-asset` tool can be used programmatically and via the CLI. Use
 programmatic access if you need more control over authentication than the
-default [`aws-sdk`](https://github.com/aws/aws-sdk-js) implementation allows.
+default [AWS SDK for JavaScript v3](https://github.com/aws/aws-sdk-js-v3) 
+implementation allows.
 
 Command-line use looks like this:
 
diff --git a/package.json b/package.json
index 8070aaf..f770766 100644
--- a/package.json
+++ b/package.json
@@ -23,6 +23,7 @@
     "pre-compile": "npx projen pre-compile",
     "release": "npx projen release",
     "release:v2-main": "npx projen release:v2-main",
+    "shrinkwrap": "npx projen shrinkwrap",
     "test": "npx projen test",
     "test:watch": "npx projen test:watch",
     "unbump": "npx projen unbump",