From 35d7e2146746d8203f26e5add73be9589c35cef8 Mon Sep 17 00:00:00 2001 From: Shubham Chaturvedi Date: Wed, 4 Mar 2026 14:53:45 -0800 Subject: [PATCH 1/9] Allow GHA to git push --- .github/workflows/prod-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/prod-release.yml b/.github/workflows/prod-release.yml index a27b3799b..353e64622 100644 --- a/.github/workflows/prod-release.yml +++ b/.github/workflows/prod-release.yml @@ -1,6 +1,6 @@ name: Release permissions: - contents: read + contents: write id-token: write on: From 567a57eff801f3f03ac4ea420960b4c56917735c Mon Sep 17 00:00:00 2001 From: Shubham Chaturvedi Date: Wed, 4 Mar 2026 14:58:28 -0800 Subject: [PATCH 2/9] fix(CI): Empty commit From da296ca86bb039d618b9b4510d8c2af3e8bfe728 Mon Sep 17 00:00:00 2001 From: Shubham Chaturvedi Date: Wed, 4 Mar 2026 16:29:24 -0800 Subject: [PATCH 3/9] fix(ci): release bot credentials --- .github/workflows/prod-release.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/.github/workflows/prod-release.yml b/.github/workflows/prod-release.yml index 353e64622..104b1e503 100644 --- a/.github/workflows/prod-release.yml +++ b/.github/workflows/prod-release.yml 
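Review bot: Raising `contents` to `write` in the workflow-level `permissions` block hands the GITHUB_TOKEN push rights in every job of this workflow, while only the step that runs `lerna version` (the `version` job, seen in later patches) has to push; the `pre-release-ci`, `publish` and `validate` jobs would also run with a token that can write to the repository. Keep the workflow default at `contents: read` and grant the write scope only where it is consumed, with a job-level `permissions:` block on the pushing job: `permissions:` / `  contents: write` / `  id-token: write`. The `on:` trigger is cut off at the end of this hunk, so who can dispatch this workflow is not visible here.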
@@ -47,6 +47,28 @@ jobs: - name: Install dependencies run: npm ci --unsafe-perm + - name: Configure AWS Credentials for Release + uses: aws-actions/configure-aws-credentials@v5 + with: + aws-region: us-west-2 + role-to-assume: arn:aws:iam::587316601012:role/GitHub-CI-CI-Bot-Credential-Access-Role-us-west-2 + role-session-name: CI_Bot_Release + + # Use AWS Secrets Manager GHA to retrieve CI Bot Creds + - name: Get CI Bot Creds Secret + uses: aws-actions/aws-secretsmanager-get-secrets@v2 + with: + secret-ids: Github/aws-crypto-tools-ci-bot + parse-json-secrets: true + + # Log in as the CI Bot + - name: Log in as CI Bot + run: | + echo ${{ env.GITHUB_AWS_CRYPTO_TOOLS_CI_BOT_ESDK_RELEASE_TOKEN }} > token.txt + gh auth login --with-token < token.txt + rm token.txt + gh auth status + - name: Configure git env: BRANCH: ${{ github.event.inputs.branch }} From f60f673a99c9dfd9508d17a5d1a67665b10ea3cd Mon Sep 17 00:00:00 2001 From: Shubham Chaturvedi Date: Wed, 4 Mar 2026 17:31:47 -0800 Subject: [PATCH 4/9] fix(ci): git auth --- .github/workflows/prod-release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/prod-release.yml b/.github/workflows/prod-release.yml index 104b1e503..3bdb26af0 100644 --- a/.github/workflows/prod-release.yml +++ b/.github/workflows/prod-release.yml @@ -68,6 +68,7 @@ jobs: gh auth login --with-token < token.txt rm token.txt gh auth status + gh auth setup-git - name: Configure git env: From f10fb3acc811e9edbe2f455d9e0ca4c37313e39c Mon Sep 17 00:00:00 2001 From: Shubham Chaturvedi Date: Thu, 5 Mar 2026 11:39:38 -0800 Subject: [PATCH 5/9] fix(ci-debug): log auth username --- .github/workflows/prod-release.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/.github/workflows/prod-release.yml b/.github/workflows/prod-release.yml index 3bdb26af0..379740a68 100644 --- a/.github/workflows/prod-release.yml +++ b/.github/workflows/prod-release.yml 
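Review bot: The `Log in as CI Bot` step expands the bot token with `${{ env.… }}` straight into the shell script and writes it to `token.txt` in the workspace; if `gh auth login` fails the step stops before `rm token.txt`, so the token stays on disk for later steps, and interpolating secrets into `run:` text is the pattern GitHub advises against. Pass the value through the step environment and pipe it without touching the filesystem: add `env:` / `  CI_BOT_TOKEN: ${{ env.GITHUB_AWS_CRYPTO_TOOLS_CI_BOT_ESDK_RELEASE_TOKEN }}` to the step and replace the three `echo`/`login`/`rm` lines with `printf '%s' "$CI_BOT_TOKEN" | gh auth login --with-token`. Do not name that variable `GH_TOKEN`, since `gh auth login` refuses to store credentials while `GH_TOKEN` is set. Whether the secrets-manager action registers the parsed values as log masks is worth confirming, as `gh auth status` and later debugging output would otherwise be the first place the token shows up.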
@@ -79,6 +79,20 @@ jobs: git config --global user.email "no-reply@noemail.local" git checkout $BRANCH + - name: Verify git auth identity + run: | + echo "=== gh auth status ===" + gh auth status + echo "" + echo "=== Git credential helper config ===" + git config --global --get-regexp credential + echo "" + echo "=== Git remote URL ===" + git remote -v + echo "" + echo "=== Authenticated GitHub user ===" + gh api user --jq '.login' + - name: Version packages (dry run - no push) run: | # Generate new version and CHANGELOG entry and push it From 1d544b4407fff167c37ad173b4619c564874c0d2 Mon Sep 17 00:00:00 2001 From: Shubham Chaturvedi Date: Thu, 5 Mar 2026 14:26:23 -0800 Subject: [PATCH 6/9] fix(ci): git release auth --- .github/workflows/prod-release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/prod-release.yml b/.github/workflows/prod-release.yml index 379740a68..131370f3c 100644 --- a/.github/workflows/prod-release.yml +++ b/.github/workflows/prod-release.yml @@ -37,6 +37,7 @@ jobs: with: fetch-depth: 0 submodules: true + persist-credentials: false - name: Setup Node.js 16 uses: actions/setup-node@v4 From f8a307b6f46b782b4cacb68ce1505956cc590175 Mon Sep 17 00:00:00 2001 From: Shubham Chaturvedi Date: Thu, 5 Mar 2026 16:03:11 -0800 Subject: [PATCH 7/9] fix(ci): force pull in publish step --- .github/workflows/prod-release.yml | 18 +++--------------- 1 file changed, 3 insertions(+), 15 deletions(-) diff --git a/.github/workflows/prod-release.yml b/.github/workflows/prod-release.yml index 131370f3c..211a882f1 100644 --- a/.github/workflows/prod-release.yml +++ b/.github/workflows/prod-release.yml 
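Review bot: With `persist-credentials: false` on this checkout, the push from the `version` job goes out through the bot token that `gh auth setup-git` installed as git's credential helper, so the GITHUB_TOKEN no longer needs `contents: write` for that push and the workflow-level grant added in the first patch can presumably be taken back to `read` (that block is outside this hunk). If something else in the job still relies on GITHUB_TOKEN write access — for example `lerna version` creating GitHub releases, which is not visible from here — it would fail on the first run rather than silently, so this is cheap to verify. Note that `submodules: true` still fetches submodules with the workflow token during checkout; only git calls after this step lose it.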
@@ -80,21 +80,7 @@ jobs: git config --global user.email "no-reply@noemail.local" git checkout $BRANCH - - name: Verify git auth identity - run: | - echo "=== gh auth status ===" - gh auth status - echo "" - echo "=== Git credential helper config ===" - git config --global --get-regexp credential - echo "" - echo "=== Git remote URL ===" - git remote -v - echo "" - echo "=== Authenticated GitHub user ===" - gh api user --jq '.login' - - - name: Version packages (dry run - no push) + - name: Version packages run: | # Generate new version and CHANGELOG entry and push it npx lerna version --conventional-commits --git-remote origin --yes ${VERSION_BUMP:+$VERSION_BUMP --force-publish} @@ -106,6 +92,8 @@ jobs: needs: [pre-release-ci, version] steps: - uses: actions/checkout@v4 + with: + ref: ${{ github.event.inputs.branch }} - uses: actions/setup-node@v4 with: From b1a770a922a69c6569fe714fed4480f8ee60d593 Mon Sep 17 00:00:00 2001 From: Shubham Chaturvedi Date: Thu, 5 Mar 2026 16:59:02 -0800 Subject: [PATCH 8/9] fix(ci): npm token for publish --- .github/workflows/prod-release.yml | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/.github/workflows/prod-release.yml b/.github/workflows/prod-release.yml index 211a882f1..74fc5bc88 100644 --- a/.github/workflows/prod-release.yml +++ b/.github/workflows/prod-release.yml 
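Review bot: Checking out `ref: ${{ github.event.inputs.branch }}` in the `publish` job resolves the branch head at the moment that job starts, not the commit the `version` job pushed, so anything pushed to the branch between the two jobs is published under the freshly created version and tags. Have the `version` job export the commit it produced — `echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"` from a step with an `id`, surfaced through the job's `outputs:` — and check out `ref: ${{ needs.version.outputs.sha }}` here, which pins the published tree to what was versioned. The remaining steps of both jobs are outside this hunk.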
@@ -100,12 +100,39 @@ jobs: node-version: '20' registry-url: 'https://registry.npmjs.org' + - name: Configure AWS Credentials for Publish + uses: aws-actions/configure-aws-credentials@v5 + with: + aws-region: us-west-2 + role-to-assume: arn:aws:iam::587316601012:role/GitHub-CI-CI-Bot-Credential-Access-Role-us-west-2 + role-session-name: CI_Bot_Publish + + - name: Get NPM Token + uses: aws-actions/aws-secretsmanager-get-secrets@v2 + with: + secret-ids: npm/aws-crypto-tools-ci-bot/2FA + parse-json-secrets: true + # Ensure npm 11.5.1 or later is installed - name: Update npm run: npm install -g npm@latest - run: npm ci --unsafe-perm - run: npm run build --if-present - - run: npx lerna publish from-package --yes --dist-tag ${{ github.event.inputs.dist_tag }} + + # Generate OTP from the 2FA secret key, waiting for next TOTP window to maximize validity + - name: Generate OTP and publish + run: | + npm install otplib --no-save + OTP=$(node -e " + const auth = require('otplib').authenticator; + setTimeout(() => + console.log(auth.generate(process.env.OTP_SECRET_KEY)), + auth.timeRemaining() * 1000); + ") + npx lerna publish from-package --yes --otp $OTP --dist-tag ${{ github.event.inputs.dist_tag }} + env: + NODE_AUTH_TOKEN: ${{ env.NPM_AWS_CRYPTO_TOOLS_CI_BOT_2FA_NPM_TOKEN }} + OTP_SECRET_KEY: ${{ env.NPM_AWS_CRYPTO_TOOLS_CI_BOT_2FA_OTP_SECRET_KEY }} # Once publishing is complete, validate that the published packages are useable validate: From 4c09ded581174fa4fff6075ae941cd5b6fd1f836 Mon Sep 17 00:00:00 2001 From: Shubham Chaturvedi Date: Fri, 6 Mar 2026 09:46:22 -0800 Subject: [PATCH 9/9] fix(ci): npm otp fix for publish --- .github/workflows/prod-release.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/.github/workflows/prod-release.yml b/.github/workflows/prod-release.yml index 74fc5bc88..9b513bc0e 100644 --- a/.github/workflows/prod-release.yml +++ b/.github/workflows/prod-release.yml 
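Review bot: `${{ github.event.inputs.dist_tag }}` is expanded into the shell line that runs `lerna publish`, in a step whose environment holds `NODE_AUTH_TOKEN` and `OTP_SECRET_KEY`, and `$OTP` is unquoted; a dispatch input is free text as far as the shell is concerned, so it should reach the command only as a variable. Add `DIST_TAG: ${{ github.event.inputs.dist_tag }}` to the step `env:` and run `npx lerna publish from-package --yes --otp "$OTP" --dist-tag "$DIST_TAG"`. Separately, keeping the TOTP seed in Secrets Manager next to the npm token turns npm 2FA into a second static secret held by the same role; an npm automation/granular token that does not prompt for OTP, or registry trusted publishing via the `id-token: write` this workflow already has, would avoid holding the seed at all — the registry-side setup is not visible here, so this is a design question rather than a defect in the hunk.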
@@ -122,12 +122,13 @@ jobs: # Generate OTP from the 2FA secret key, waiting for next TOTP window to maximize validity - name: Generate OTP and publish run: | - npm install otplib --no-save + npm install otplib@12 --no-save OTP=$(node -e " - const auth = require('otplib').authenticator; - setTimeout(() => - console.log(auth.generate(process.env.OTP_SECRET_KEY)), - auth.timeRemaining() * 1000); + const { authenticator } = require('otplib'); + const remaining = authenticator.timeRemaining(); + setTimeout(() => { + console.log(authenticator.generate(process.env.OTP_SECRET_KEY)); + }, remaining * 1000); ") npx lerna publish from-package --yes --otp $OTP --dist-tag ${{ github.event.inputs.dist_tag }} env:
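Review bot: `npm install otplib@12 --no-save` still resolves to whatever 12.x release and dependency tree the registry serves at publish time, and it runs inside the step whose `env:` carries `NODE_AUTH_TOKEN` and `OTP_SECRET_KEY`, so any install script in that tree executes with the publish token and the TOTP seed in its environment. Pin an exact version and install it in its own step, before the secrets are exposed, with `--ignore-scripts` — `- name: Install OTP helper` / `  run: npm install --no-save --ignore-scripts otplib@<exact 12.x version>` — or add otplib to devDependencies so the earlier `npm ci` resolves it from the lockfile with its integrity hash. Either way the publish step keeps only the `node -e` call and the `lerna publish` line.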