Merge branch 'main' into chore/idclaim-sub-default

Author: gpanshu

.github/workflows/closed_issue_message.yml

@@ -8,7 +8,7 @@ jobs:
     auto_comment:
         runs-on: ubuntu-latest
         steps:
-        - uses: aws-actions/closed-issue-message@v1
+        - uses: aws-actions/closed-issue-message@36b7048ea77bb834d16e7a7c5b5471ac767a4ca1 # v1
           with:
             # These inputs are both required
             repo-token: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/codecov_code_coverage.yml

@@ -8,11 +8,11 @@ on:
   push:
     branches:
       - 'main'
-      - 'dev-preview'
+      - 'v1'
   pull_request:
     branches:
       - 'main'
-      - 'dev-preview'
+      - 'v1'
 
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
@@ -24,10 +24,10 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
       # Execute unit tests
       - name: Setup Java
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@cd89f46ac9d01407894225f350157564c9c7cee2 # v3
         with:
           java-version: '11'
           distribution: 'corretto'
@@ -45,4 +45,4 @@ jobs:
         uses: codecov/codecov-action@v3
         with:
           name: report
-          files: code-coverage/*.xml
+          files: code-coverage/*.xml

.github/workflows/gradle.yml

@@ -15,9 +15,9 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
     - name: Set up JDK 11
-      uses: actions/setup-java@v1
+      uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1
       with:
         java-version: 11
     - name: Grant execute permission for gradlew

.github/workflows/maven_release_publisher.yml

@@ -11,12 +11,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1
         with:
           role-to-assume: ${{ secrets.AMPLIFY_ANDROID_RELEASE_PUBLISHER_ROLE }}
           aws-region: us-east-1
       - name: Start Integration Test
-        uses: aws-actions/aws-codebuild-run-build@v1
+        uses: aws-actions/aws-codebuild-run-build@f202c327329cbbebd13f986f74af162a8539b5fd # v1
         with:
           project-name: AmplifyAndroid-IntegrationTest
           env-vars-for-codebuild: |
@@ -26,11 +26,11 @@ jobs:
           ORG_GRADLE_PROJECT_useAwsSdkReleaseBuild: true
           NUMBER_OF_DEVICES_TO_TEST: 3
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1
         with:
           role-to-assume: ${{ secrets.AMPLIFY_ANDROID_RELEASE_PUBLISHER_ROLE }}
           aws-region: us-east-1
       - name: Start Maven Release Build
-        uses: aws-actions/aws-codebuild-run-build@v1
+        uses: aws-actions/aws-codebuild-run-build@f202c327329cbbebd13f986f74af162a8539b5fd # v1
         with:
           project-name: AmplifyAndroid-ReleasePublisher

.github/workflows/notify_comments.yml

@@ -24,5 +24,6 @@ jobs:
         env:
           WEBHOOK_URL: ${{ secrets.SLACK_COMMENT_WEBHOOK_URL }}
           BODY: ${{ toJson(github.event.comment.body) }}
+          COMMENT_URL: ${{github.event.comment.html_url}}
         shell: bash
-        run: echo $BODY | xargs -I {} curl -s POST "$WEBHOOK_URL" -H "Content-Type:application/json" --data '{"issue":"${{github.event.comment.html_url}}", "body":"{}"}'
+        run: echo $BODY | xargs -I {} curl -s POST "$WEBHOOK_URL" -H "Content-Type:application/json" --data '{"body":"{}", "issue":"'$COMMENT_URL'"}'

.github/workflows/notify_release.yml

@@ -21,6 +21,9 @@ jobs:
       - name: Run webhook curl command
         env:
           WEBHOOK_URL: ${{ secrets.SLACK_RELEASE_WEBHOOK_URL }}
+          VERSION: ${{github.event.release.html_url}}
+          REPO_URL: ${{github.event.repository.html_url}}
+          ACTION_NAME: ${{github.event.action}}
         shell: bash
-        run: curl -s POST "$WEBHOOK_URL" -H "Content-Type:application/json" --data '{"action":"${{github.event.action}}", "repo":"${{github.event.repository.html_url}}", "version":"${{github.event.release.html_url}}"}'
+        run: echo $VERSION | xargs -I {} curl -s POST "$WEBHOOK_URL" -H "Content-Type:application/json" --data '{"action":"'$ACTION_NAME'", "repo":"'$REPO_URL'", "version":"{}"}'
 

.github/workflows/publish_rollback.yml

@@ -0,0 +1,20 @@
+name: Publish Rollback Artifacts
+
+on:
+  workflow_dispatch:
+
+jobs:
+  publish_rollback:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 #2.2.0
+        with:
+          role-to-assume: ${{ secrets.AMPLIFY_ANDROID_RELEASE_PUBLISHER_ROLE }}
+          aws-region: us-east-1
+      - name: Start Maven Release Build
+        uses: aws-actions/aws-codebuild-run-build@d5a04846cedab61a0b7c897af0548af0d8fb14fb #1.0.12
+        with:
+          project-name: AmplifyAndroid-ReleasePublisher-V2

.github/workflows/release_pr.yml

@@ -9,7 +9,7 @@ on:
 env:
   GIT_USER_NAME: amplify-android-dev+ghops
   GIT_USER_EMAIL: [email protected]
-  BASE_BRANCH: ${{ github.event.ref }}
+  BASE_BRANCH: ${{ github.ref_name }}
 jobs:
   create_pr_for_next_release:
     runs-on: ubuntu-latest
@@ -19,7 +19,7 @@ jobs:
         sudo add-apt-repository -y ppa:git-core/ppa
         sudo apt-get update
         sudo apt-get install git -y
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
       with:
         ref: ${{ env.BASE_BRANCH }}
         fetch-depth: 0

.github/workflows/release_pr_approval_count.yml

@@ -14,7 +14,7 @@ jobs:
             &&  startsWith(github.event.pull_request.title, 'release:')
         }}
     steps:
-      - uses: actions/github-script@v3
+      - uses: actions/github-script@ffc2c79a5b2490bd33e0a41c1de74b877714d736 # v3
         id: get_approval_count
         with:
           github-token: ${{secrets.GITHUB_TOKEN}}

.github/workflows/rollback_release.yml

@@ -0,0 +1,65 @@
+name: Rollback Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      branch_from:
+        description: 'The known good version to re-release (e.g. 2.9.1)'
+        required: true
+      deprecated_version:
+        description: 'The version you are rolling back (e.g. 2.9.2)'
+        required: true
+      new_version:
+        description: 'The new version number (e.g. 2.9.3)'
+
+
+
+jobs:
+  rollback-release:
+    runs-on: ubuntu-latest
+    env:
+      AWS_REGION: "us-east-1"
+      BRANCH_FROM: ${{ inputs.branch_from }}
+      DEPRECATED_VERSION: ${{ inputs.deprecated_version }}
+      NEW_VERSION: ${{ inputs.new_version }}
+      CI_COMMIT_MESSAGE: Re-release v${{ inputs.branch_from }} as v${{ inputs.new_version }}
+      ROLLBACK_BRANCH: rollback_${{ inputs.deprecated_version }}
+      NEW_TAG: release_v${{ inputs.new_version }}
+    permissions:
+      id-token: write
+      contents: write
+      actions: write
+    steps:
+      - name: Checkout Source Code
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        with:
+          ref: ${{ format('release_v{0}', env.BRANCH_FROM) }}
+          token: ${{ secrets.GH_WORKFLOW_TOKEN }}
+      - name: Create Rollback Branch
+        run: git checkout -b ${{ env.ROLLBACK_BRANCH }}
+      - name: Update Version
+        run: |
+          git config --global user.email 41898282+github-actions[bot]@users.noreply.github.com
+          git config --global user.name github-actions[bot]
+          sed -i 's/POM_VERSION=${{ env.BRANCH_FROM }}/POM_VERSION=${{ env.NEW_VERSION }}/g' gradle.properties
+          echo -e '## [Release ${{ env.NEW_VERSION }}](https://github.com/${{ github.repository }}/releases/tag/${{ env.NEW_TAG }})\n\nThis is a re-release of version ${{ env.BRANCH_FROM }}. Use this instead of version ${{ env.DEPRECATED_VERSION }}.\n' | cat - CHANGELOG.md > temp && mv temp CHANGELOG.md
+          git add gradle.properties
+          git add CHANGELOG.md
+          git commit -m "${{ env.CI_COMMIT_MESSAGE }}"
+      - name: Tag Version
+        run: git tag "${{ env.NEW_TAG }}"
+      - name: Push Changes
+        run: git push --atomic origin ${{ env.ROLLBACK_BRANCH }} ${{ env.NEW_TAG }}
+      - name: Run Publish
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
+        with:
+          # The aws-codebuild-run-build action automatically passes the source version that the workflow
+          # is run on to Codebuild, and there is no override option. In order to run the Codebuild
+          # release with our newly-created tag version we dispatch another workflow on that tag.
+          script: |
+            github.rest.actions.createWorkflowDispatch({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              workflow_id: 'rollback_publish.yml',
+              ref: "${{ env.NEW_TAG }}",
+            })

.github/workflows/stale.yml

@@ -8,7 +8,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/stale@v4
+    - uses: actions/stale@a20b814fb01b71def3bd6f56e7494d667ddf28da # v4
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         operations-per-run: 200
@@ -21,4 +21,4 @@ jobs:
         # PRs wont go stale
         days-before-pr-stale: -1
         # Issues with any of these labels are checked.
-        any-of-labels: "pending-response, closing soon"
+        any-of-labels: "pending-response, closing soon"