chore: record publishing timestamps in SSM (#104)

Write publishing timestamps to SSM so that we can more effectively alarm
on problems caused by releases.

---
By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache-2.0 license

---------

Signed-off-by: github-actions <github-actions@github.com>
Co-authored-by: github-actions <github-actions@github.com>

.projenrc.ts

@@ -7,6 +7,7 @@ import { BundleCli } from './projenrc/bundle';
 import { CodeCovWorkflow } from './projenrc/codecov';
 import { ESLINT_RULES } from './projenrc/eslint';
 import { JsiiBuild } from './projenrc/jsii';
+import { RecordPublishingTimestamp } from './projenrc/record-publishing-timestamp';
 
 // 5.7 sometimes gives a weird error in `ts-jest` in `@aws-cdk/cli-lib-alpha`
 // https://github.com/microsoft/TypeScript/issues/60159
@@ -224,6 +225,9 @@ const repoProject = new yarn.Monorepo({
   },
 });
 
+new AdcPublishing(repoProject);
+new RecordPublishingTimestamp(repoProject);
+
 // Eslint for projen config
 // @ts-ignore
 repoProject.eslint = new pj.javascript.Eslint(repoProject, {

projenrc/adc-publishing.ts

@@ -60,6 +60,7 @@ export class AdcPublishing extends Component {
             'role-to-assume': '${{ vars.AWS_ROLE_TO_ASSUME_FOR_ACCOUNT }}',
             'role-session-name': 'releasing@aws-cdk-cli',
             'output-credentials': true,
+            'mask-aws-account-id': true,
           },
         },
         {

projenrc/record-publishing-timestamp.ts

@@ -0,0 +1,68 @@
+import { Monorepo } from 'cdklabs-projen-project-types/lib/yarn';
+import { Component } from 'projen';
+import { JobPermission } from 'projen/lib/github/workflows-model';
+
+/**
+ * Record publishing timestamp to SSM
+ */
+export class RecordPublishingTimestamp extends Component {
+  constructor(private readonly project_: Monorepo) {
+    super(project_);
+  }
+
+  public preSynthesize() {
+    const ssmPrefix = '/published/cdk/cli';
+
+    const releaseWf = this.project_.github?.tryFindWorkflow('release');
+    if (!releaseWf) {
+      throw new Error('Could not find release workflow');
+    }
+
+    releaseWf.addJob('record_timestamp', {
+      name: 'aws-cdk: Record publishing timestamp',
+      environment: 'releasing', // <-- this has the configuration
+      needs: ['release'],
+      runsOn: ['ubuntu-latest'],
+      permissions: {
+        contents: JobPermission.WRITE,
+      },
+      if: '${{ needs.release.outputs.latest_commit == github.sha }}',
+      steps: [
+        {
+          name: 'Download build artifacts',
+          uses: 'actions/download-artifact@v4',
+          with: {
+            name: 'aws-cdk_build-artifact',
+            path: 'dist',
+          },
+        },
+        {
+          name: 'Read version from build artifacts',
+          id: 'aws-cdk-version',
+          run: 'echo "version=$(cat dist/version.txt)" >> $GITHUB_OUTPUT',
+        },
+        {
+          name: 'Authenticate Via OIDC Role',
+          id: 'creds',
+          uses: 'aws-actions/configure-aws-credentials@v4',
+          with: {
+            'aws-region': 'us-east-1',
+            'role-duration-seconds': 14400,
+            'role-to-assume': '${{ vars.AWS_ROLE_TO_ASSUME_FOR_ACCOUNT }}',
+            'role-session-name': 'releasing@aws-cdk-cli',
+            'output-credentials': true,
+            'mask-aws-account-id': true,
+          },
+        },
+        {
+          name: 'Publish artifacts',
+          run: [
+            `aws ssm put-parameter --name "${ssmPrefix}/version" --type "String" --value "\${{ steps.aws-cdk-version.outputs.version }}" --overwrite`,
+            `aws ssm put-parameter --name "${ssmPrefix}/timestamp" --type "String" --value "$(date +%s)" --overwrite`,
+          ].join('\n'),
+        },
+      ],
+    });
+  }
+}
+