Merge pull request #43 from AllenCell/feature/codeartifact-migration

CodeArtifact migration

Author: griffinfujioka

.github/workflows/test-and-check.yml

@@ -66,12 +66,38 @@ jobs:
     needs: [test]
     runs-on: [self-hosted, build]
 
+    permissions:
+      id-token: write        # Needed for OIDC
+      contents: read         # Needed to check out code
+
+    env:
+      AWS_REGION: ${{ vars.AWS_DEFAULT_REGION }}
+      AWS_ACCOUNT_ID: ${{ vars.AWS_SOFTWARE_ACCOUNT_ID }}
+      ENVIRONMENT: production
+
     steps:
     - uses: actions/checkout@v4
     - name: Set up Python
       uses: actions/setup-python@v4
       with:
         python-version: "3.9"
+
+    
+    - name: Configure AWS credentials via OIDC
+      uses: aws-actions/configure-aws-credentials@v2
+      with:
+        role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/github_camera_alignment_core
+        aws-region: ${{ env.AWS_REGION }}
+
+    - name: Get CodeArtifact auth token
+      id: codeartifact
+      run: |
+        export CODEARTIFACT_AUTH_TOKEN=$(aws codeartifact get-authorization-token \
+          --domain ${{ env.ENVIRONMENT}} \
+          --domain-owner ${{ env.AWS_ACCOUNT_ID }} \
+          --query authorizationToken --output text)
+        echo "CODEARTIFACT_AUTH_TOKEN=$CODEARTIFACT_AUTH_TOKEN" >> $GITHUB_ENV
+    
     - name: Install Dependencies
       run: |
         python -m pip install --upgrade pip
@@ -81,7 +107,7 @@ jobs:
         make build
     - name: Publish to internal package index
       env:
-        TWINE_USERNAME: ${{ secrets.ARTIFACTORY_USER }}
-        TWINE_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }}
+        TWINE_USERNAME: aws
+        TWINE_PASSWORD: ${{ env.CODEARTIFACT_AUTH_TOKEN }}
         TWINE_NON_INTERACTIVE: true
-      run: twine upload --verbose --repository-url='https://artifactory.corp.alleninstitute.org/artifactory/api/pypi/pypi-release-local' dist/*
+      run: twine upload --verbose --repository-url='https://${{ env.ENVIRONMENT}}-${{ env.AWS_ACCOUNT_ID }}.d.codeartifact.us-west-2.amazonaws.com/pypi/pypi-release-local/' dist/*

README.md

@@ -10,9 +10,7 @@ Core algorithms for aligning two-camera microscopy imagery
 
 `pip install camera_alignment_core==1.0.6`<br>
 
-This library is published to a private PyPI server ("Artifactory") accessible within the Allen Institute network or over VPN. This has downstream effects for how this library is installed into other Python packages.
-
-Having trouble installing? Start here: http://confluence.corp.alleninstitute.org/display/SF/Using+Artifactory#UsingArtifactory-Python.
+This library is published to a private PyPI server on AWS CodeArtifact accessible within the Allen Institute network or over VPN. This has downstream effects for how this library is installed into other Python packages.
 
 
 ## Documentation
@@ -134,9 +132,9 @@ see `Makefile` for others or to inspect the underlying scripts run as part of th
     Releasing fixes requires more than merging to main.
     1. everything in step 2 above: (eg, make lint type-check fmt import-sort )
     2. make doc:  (to confirm the docs build)
-    3. make publish: to publish to artifactory.  Requires a ~/.pypirc file with an entry like:
+    3. make publish: to publish to CodeArtifact.  Requires a ~/.pypirc file with an entry like:
         [release-local]
-        repository = https://artifactory.corp.alleninstitute.org/artifactory/api/pypi/pypi-release-local
+        repository = https://production-239877123246.d.codeartifact.us-west-2.amazonaws.com/pypi/pypi-release-local/
     4. Update the example-venv lockfile to use the new release.
         1. [Install uv](https://docs.astral.sh/uv/getting-started/installation/)
         2. `cd example-venv && uv lock && uv sync`