Merge branch 'develop' into fix/batch-sqs-handler-delete-message-batch-needs-batched

Author: Michal Ploski

.github/boring-cyborg.yml

@@ -1,10 +1,5 @@
 ##### Labeler ##########################################################################################################
 labelPRBasedOnFilePath:
-  area/utilities:
-    - aws_lambda_powertools/utilities/*
-    - aws_lambda_powertools/utilities/**/*
-    - aws_lambda_powertools/middleware_factory/*
-    - aws_lambda_powertools/middleware_factory/**/*
   area/logger:
     - aws_lambda_powertools/logging/*
     - aws_lambda_powertools/logging/**/*
@@ -42,6 +37,13 @@ labelPRBasedOnFilePath:
   area/feature_flags:
     - aws_lambda_powertools/feature_flags/*
     - aws_lambda_powertools/feature_flags/**/*
+  area/jmespath_util:
+    - aws_lambda_powertools/utilities/jmespath_utils/*
+  area/utilities:
+    - aws_lambda_powertools/utilities/*
+    - aws_lambda_powertools/utilities/**/*
+    - aws_lambda_powertools/middleware_factory/*
+    - aws_lambda_powertools/middleware_factory/**/*
 
   documentation:
     - docs/*

.github/mergify.yml

@@ -1,28 +1,29 @@
+queue_rules:
+  - name: default
+    conditions:
+      # Conditions to get out of the queue (= merged)
+      - check-success=Semantic Pull Request
+      - "#approved-reviews-by>=1"
+      - -title~=(WIP|wip)
+      - -label~="do-not-merge"
+      - "#changes-requested-reviews-by=0"
+
 pull_request_rules:
   - name: automatic merge for Dependabot pull requests
     conditions:
       - author~=^dependabot(|-preview)\[bot\]$
-#       - check-success=build  # matrix jobs aren't working in mergify
-      - -label~="do-not-merge"
-      - "#approved-reviews-by>=1"  # until we exclude major versions in dependabot
     actions:
-      merge:
-        strict: false
+      queue:
+        name: default
         method: squash
         commit_message: title+body
 
   - name: Automatic merge ⬇️ on approval ✔
     conditions:
       - base!=master
-      - "#approved-reviews-by>=1"
-      - "#changes-requested-reviews-by=0"
-      - -title~=(WIP|wip)
-#       - check-success=build  # matrix jobs aren't working in mergify
-      - check-success=Semantic Pull Request
-      - body~=(?m)^\[X\] Meet tenets criteria
+      - "#approved-reviews-by>=2"
     actions:
-      merge:
-        strict: smart
+      queue:
+        name: default
         method: squash
-        strict_method: merge
         commit_message: title+body

.github/workflows/codeql-analysis.yml

@@ -3,10 +3,6 @@ name: "CodeQL"
 on:
   push:
     branches: [develop]
-  pull_request:
-    branches: [develop]
-  schedule:
-    - cron: '0 21 * * 0'
 
 jobs:
   analyze:

.github/workflows/label_pr_on_title.yml

@@ -0,0 +1,87 @@
+name: Label PR based on title
+
+on:
+  workflow_run:
+    workflows: ["Record PR number"]
+    types:
+      - completed
+
+jobs:
+  upload:
+    runs-on: ubuntu-latest
+    # Guardrails to only ever run if PR recording workflow was indeed
+    # run in a PR event and ran successfully
+    if: >
+      ${{ github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'success' }}
+    steps:
+      - name: 'Download artifact'
+        uses: actions/github-script@v5
+        # For security, we only download artifacts tied to the successful PR recording workflow
+        with:
+          script: |
+            const fs = require('fs');
+
+            const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: ${{github.event.workflow_run.id }},
+            });
+
+            const matchArtifact = artifacts.data.artifacts.filter(artifact => artifact.name == "pr")[0];
+
+            const artifact = await github.rest.actions.downloadArtifact({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: matchArtifact.id,
+               archive_format: 'zip',
+            });
+
+            fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(artifact.data));
+      # NodeJS standard library doesn't provide ZIP capabilities; use system `unzip` command instead
+      - run: unzip pr.zip
+
+      - name: 'Label PR based on title'
+        uses: actions/github-script@v5
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          # This safely runs in our base repo, not on fork
+          # thus allowing us to provide a write access token to label based on PR title
+          # and label PR based on semantic title accordingly
+          script: |
+            const fs = require('fs');
+            const pr_number = Number(fs.readFileSync('./number'));
+            const pr_title = fs.readFileSync('./title', 'utf-8').trim();
+
+            const FEAT_REGEX = /feat(\((.+)\))?(\:.+)/
+            const BUG_REGEX = /(fix|bug)(\((.+)\))?(\:.+)/
+            const DOCS_REGEX = /(docs|doc)(\((.+)\))?(\:.+)/
+            const CHORE_REGEX = /(chore)(\((.+)\))?(\:.+)/
+            const DEPRECATED_REGEX = /(deprecated)(\((.+)\))?(\:.+)/
+            const REFACTOR_REGEX = /(refactor)(\((.+)\))?(\:.+)/
+
+            const labels = {
+                "feature": FEAT_REGEX,
+                "bug": BUG_REGEX,
+                "documentation": DOCS_REGEX,
+                "internal": CHORE_REGEX,
+                "enhancement": REFACTOR_REGEX,
+                "deprecated": DEPRECATED_REGEX,
+            }
+
+            for (const label in labels) {
+                const matcher = new RegExp(labels[label])
+                const isMatch = matcher.exec(pr_title)
+                if (isMatch != null) {
+                    console.info(`Auto-labeling PR ${pr_number} with ${label}`)
+
+                    await github.rest.issues.addLabels({
+                      issue_number: pr_number,
+                      owner: context.repo.owner,
+                      repo: context.repo.repo,
+                      labels: [label]
+                    })
+
+                    break
+                }
+            }

.github/workflows/post_release.js

@@ -0,0 +1,112 @@
+const STAGED_LABEL = "status/staged-next-release";
+
+/**
+ * Fetch issues using GitHub REST API
+ *
+ * @param {object} gh_client - Pre-authenticated REST client (Octokit)
+ * @param {string} org - GitHub Organization
+ * @param {string} repository - GitHub repository
+ * @param {string} state - GitHub issue state (open, closed)
+ * @param {string} label - Comma-separated issue labels to fetch
+ * @return {Object[]} issues - Array of issues matching params
+ * @see {@link https://octokit.github.io/rest.js/v18#usage|Octokit client}
+ */
+const fetchIssues = async ({
+	gh_client,
+	org,
+	repository,
+	state = "open",
+	label = STAGED_LABEL,
+}) => {
+
+	try {
+		const { data: issues } = await gh_client.rest.issues.listForRepo({
+			owner: org,
+			repo: repository,
+			state: state,
+			labels: label,
+		});
+
+		return issues;
+
+	} catch (error) {
+		console.error(error);
+		throw new Error("Failed to fetch issues")
+	}
+
+};
+
+/**
+ * Notify new release and close staged GitHub issue
+ *
+ * @param {object} gh_client - Pre-authenticated REST client (Octokit)
+ * @param {string} owner - GitHub Organization
+ * @param {string} repository - GitHub repository
+ * @param {string} release_version - GitHub Release version
+ * @see {@link https://octokit.github.io/rest.js/v18#usage|Octokit client}
+ */
+const notifyRelease = async ({
+	gh_client,
+	owner,
+	repository,
+	release_version,
+}) => {
+	const release_url = `https://github.com/${owner}/${repository}/releases/tag/v${release_version}`;
+
+	const issues = await fetchIssues({
+		gh_client: gh_client,
+		org: owner,
+		repository: repository,
+	});
+
+	issues.forEach(async (issue) => {
+		console.info(`Updating issue number ${issue.number}`);
+
+		const comment = `This is now released under [${release_version}](${release_url}) version!`;
+		try {
+			await gh_client.rest.issues.createComment({
+				owner: owner,
+				repo: repository,
+				body: comment,
+				issue_number: issue.number,
+			});
+		} catch (error) {
+			console.error(error);
+			throw new Error(`Failed to update issue ${issue.number} about ${release_version} release`)
+		}
+
+
+		// Close issue and remove staged label; keep existing ones
+		const labels = issue.labels
+			.filter((label) => label.name != STAGED_LABEL)
+			.map((label) => label.name);
+
+		try {
+			await gh_client.rest.issues.update({
+				repo: repository,
+				owner: owner,
+				issue_number: issue.number,
+				state: "closed",
+				labels: labels,
+			});
+		} catch (error) {
+			console.error(error);
+			throw new Error("Failed to close issue")
+		}
+
+		console.info(`Issue number ${issue.number} closed and updated`);
+	});
+};
+
+// context: https://github.com/actions/toolkit/blob/main/packages/github/src/context.ts
+module.exports = async ({ github, context }) => {
+	const { RELEASE_TAG_VERSION } = process.env;
+	console.log(`Running post-release script for ${RELEASE_TAG_VERSION} version`);
+
+	await notifyRelease({
+		gh_client: github,
+		owner: context.repo.owner,
+		repository: context.repo.repo,
+		release_version: RELEASE_TAG_VERSION,
+	});
+};

.github/workflows/publish.yml

@@ -22,6 +22,7 @@ name: Publish to PyPi
 # 8. Builds a fresh version of docs including Changelog updates
 # 9. Push latest release source code to master using release title as the commit message
 # 10. Builds latest documentation for new release, and update latest alias pointing to the new release tag
+# 11. Close and notify all issues labeled "status/staged-next-release" about the release details
 
 #
 # === Fallback mechanism due to external failures ===
@@ -33,23 +34,12 @@ name: Publish to PyPi
 #
 # === Documentation hotfix ===
 #
-# 1. Trigger "Publish to PyPi" workflow manually: https://docs.github.com/en/actions/managing-workflow-runs/manually-running-a-workflow
-# 2. Use the latest version released under Releases e.g. v1.21.1
-# 3. Set `Build and publish docs only` field to `true`
+# Look for rebuild latest docs workflow
 
 
 on:
   release:
     types: [published]
-  workflow_dispatch:
-    inputs:
-      publish_version:
-        description: 'Version to publish, e.g. v1.13.0'
-        required: true
-      publish_docs_only:
-        description: 'Build and publish docs only'
-        required: false
-        default: 'false'
 
 jobs:
   release:
@@ -59,46 +49,39 @@ jobs:
       with:
         fetch-depth: 0
     - name: Set up Python
-      uses: actions/setup-python@v2.2.2
+      uses: actions/setup-python@v2.3.1
       with:
         python-version: "3.8"
     - name: Set release notes tag
       run: |
         RELEASE_TAG_VERSION=${{ github.event.release.tag_name }}
-        # Replace publishing version if the workflow was triggered manually
-        test -n ${RELEASE_TAG_VERSION} && RELEASE_TAG_VERSION=${{ github.event.inputs.publish_version }}
         echo "RELEASE_TAG_VERSION=${RELEASE_TAG_VERSION:1}" >> $GITHUB_ENV
     - name: Ensure new version is also set in pyproject and CHANGELOG
-      if: ${{ github.event.inputs.publish_docs_only == false }}
       run: |
         grep --regexp "${RELEASE_TAG_VERSION}" CHANGELOG.md
         grep --regexp "version \= \"${RELEASE_TAG_VERSION}\"" pyproject.toml
     - name: Install dependencies
       run: make dev
     - name: Run all tests, linting and baselines
-      if: ${{ github.event.inputs.publish_docs_only == false }}
       run: make pr
     - name: Build python package and wheel
-      if: ${{ github.event.inputs.publish_docs_only == false }}
       run: poetry build
     - name: Upload to PyPi test
-      if: ${{ github.event.inputs.publish_docs_only == false }}
       run: make release-test
       env:
         PYPI_USERNAME: __token__
         PYPI_TEST_TOKEN: ${{ secrets.PYPI_TEST_TOKEN }}
     - name: Upload to PyPi prod
-      if: ${{ github.event.inputs.publish_docs_only == false }}
       run: make release-prod
       env:
         PYPI_USERNAME: __token__
         PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
     - name: publish lambda layer in SAR by triggering the internal codepipeline
-      if: ${{ github.event.inputs.publish_docs_only == false }}
       run: |
         aws ssm put-parameter --name "powertools-python-release-version" --value $RELEASE_TAG_VERSION --overwrite
         aws codepipeline start-pipeline-execution --name ${{ secrets.CODEPIPELINE_NAME }}
       env:
+        # Maintenance: Migrate to new OAuth mechanism
         AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
         AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
         AWS_DEFAULT_REGION: eu-west-1
@@ -125,11 +108,16 @@ jobs:
         publish_dir: ./api
         keep_files: true
         destination_dir: latest/api
+    - name: Close issues related to this release
+      uses: actions/github-script@v5
+      with:
+        script: |
+          const post_release = require('.github/workflows/post_release.js')
+          await post_release({github, context, core})
 
   sync_master:
     needs: release
     runs-on: ubuntu-latest
-    if: ${{ github.event.inputs.publish_docs_only == false }}
     steps:
     - uses: actions/checkout@v2
     - name: Sync master from detached head

.github/workflows/python_build.yml

@@ -23,13 +23,15 @@ jobs:
     steps:
       - uses: actions/checkout@v1
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v2.2.2
+        uses: actions/setup-python@v2.3.1
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install dependencies
         run: make dev
       - name: Formatting and Linting
         run: make lint
+      - name: Static type checking
+        run: make mypy
       - name: Test with pytest
         run: make test
       - name: Security baseline