Install from code artifact (#12)

## Why is this change necessary?
Need a configuration option to be able to install from CodeArtifact


 ## How does this change address the issue?
Adds a step in CI to authenticate with the OIDC role. Creates scripts to
be able to authenticate locally. Updates pyproject.toml to specify
CodeArtifact


 ## What side effects does this change have?
None


 ## How is this change tested?
In downstream repos that use CodeArtifact and those that don't

For CI in this repo, it was deemed prohibitive to try and actively
install from CodeArtifact, so there's a script that updates any
instantiated templates pyproject.toml to point it back to PyPI

Author: ejfine

.copier-answers.yml

@@ -1,5 +1,5 @@
 # Changes here will be overwritten by Copier
-_commit: v0.0.6-6-g2b24a38
+_commit: v0.0.7-44-gea357db
 _src_path: gh:LabAutomationAndScreening/copier-base-template.git
 description: Copier template for creating Python libraries and executables
 python_ci_versions:

.devcontainer/create-aws-profile.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/usr/bin/env sh
 set -ex
 
 mkdir -p ~/.aws
@@ -10,10 +10,16 @@ else
 fi
 
 cat >> ~/.aws/config <<EOF
+
+
+
+
 [profile localstack]
 region=us-east-1
 output=json
 endpoint_url = $LOCALSTACK_ENDPOINT_URL
+
+
 EOF
 cat >> ~/.aws/credentials <<EOF
 [localstack]

.devcontainer/manual-setup-deps.sh

@@ -1,27 +1,48 @@
 #!/usr/bin/env sh
 # can pass in the full major.minor.patch version of python as an optional argument
 # can set `--skip-lock` as optional argument to just install dependencies without verifying lock file
+# can set `--optionally-lock` to check for a uv.lock file in the project directory and only respect the lock if it already exists (useful for initially instantiating the repository) (mutually exclusive with --skip-lock)
+
 set -ex
 
 # Ensure that uv won't use the default system Python
 python_version="3.12.7"
 
 # Parse arguments
 skip_lock=false
+optionally_lock=false
 while [ "$#" -gt 0 ]; do
     case $1 in
         --skip-lock) skip_lock=true ;;
+        --optionally-lock) optionally_lock=true ;;
         *) python_version="${1:-$python_version}" ;; # Take the first non-flag argument as the input
     esac
     shift
 done
 
+# Ensure that --skip-lock and --optionally-lock are mutually exclusive
+if [ "$skip_lock" = "true" ] && [ "$optionally_lock" = "true" ]; then
+    echo "Error: --skip-lock and --optionally-lock cannot be used together." >&2
+    exit 1
+fi
+
 export UV_PYTHON="$python_version"
 export UV_PYTHON_PREFERENCE=only-system
 
 SCRIPT_DIR="$(dirname "$0")"
 PROJECT_ROOT_DIR="$(realpath "$SCRIPT_DIR/..")"
 
+# If optionally_lock is set, decide whether to skip locking based on the presence of uv.lock
+if [ "$optionally_lock" = "true" ]; then
+    if [ ! -f "$PROJECT_ROOT_DIR/uv.lock" ]; then
+        skip_lock=true
+    else
+        skip_lock=false
+    fi
+fi
+
+
+
 # Ensure that the lock file is in a good state
 if [ "$skip_lock" = "false" ]; then
     uv lock --check --directory "$PROJECT_ROOT_DIR"

.devcontainer/on-create-command.sh

@@ -7,6 +7,6 @@ git config --global --add safe.directory /workspaces/copier-python-package-templ
 
 sh .devcontainer/on-create-command-boilerplate.sh
 
-sh .devcontainer/manual-setup-deps.sh
-
 pre-commit install --install-hooks
+
+sh .devcontainer/manual-setup-deps.sh --optionally-lock

.github/actions/install_deps_uv/action.yml

@@ -14,6 +14,19 @@ inputs:
     description: What's the relative path to the project?
     required: false
     default: ./
+  code-artifact-auth-role-name:
+    type: string
+    description: What's the role name to use for CodeArtifact authentication?
+    required: false
+    default: no-code-artifact
+  code-artifact-auth-role-account-id:
+    type: string
+    description: What's the AWS Account ID that the role is in?
+    required: false
+  code-artifact-auth-region:
+    type: string
+    description: What region should the role use?
+    required: false
 
 
 runs:
@@ -41,12 +54,22 @@ runs:
       run: .github/actions/install_deps_uv/install-ci-tooling.ps1 ${{ env.PYTHON_VERSION }}
       shell: pwsh
 
+    - name: OIDC Auth for CodeArtifact
+      if: ${{ inputs.code-artifact-auth-role-name != 'no-code-artifact' }}
+      uses: aws-actions/configure-aws-credentials@v4.0.2
+      with:
+        role-to-assume: arn:aws:iam::${{ inputs.code-artifact-auth-role-account-id }}:role/${{ inputs.code-artifact-auth-role-name }}
+        aws-region: ${{ inputs.code-artifact-auth-region }}
+
     - name: Install Dependencies (Linux)
       if: ${{ inputs.uv-sync && runner.os == 'Linux' }}
       run: |
         sh .devcontainer/manual-setup-deps.sh ${{ env.PYTHON_VERSION }}
       shell: bash
 
+
+
+
     - name: Install Dependencies (Windows)
       if: ${{ inputs.uv-sync && runner.os == 'Windows' }}
       run: .github/actions/install_deps_uv/manual-setup-deps.ps1 ${{ env.PYTHON_VERSION }}

.github/workflows/ci.yaml

@@ -77,6 +77,10 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4.2.2
 
+      - name: Move python script that replaces private package registry information to temp folder so it doesn't get deleted
+        run: |
+          mv .github/workflows/replace_private_package_registries.py $RUNNER_TEMP
+
       - name: Install python tooling
         uses: ./.github/actions/install_deps_uv
         with:
@@ -107,7 +111,12 @@ jobs:
 
 
       - name: install new dependencies
+        env:
+          CODEARTIFACT_AUTH_TOKEN: 'faketoken'
+          UV_NO_CACHE: 'true'
         run: |
+          # Remove any specification of a Python repository having a default other than PyPI...because in this CI pipeline we can only install from PyPI
+          python $RUNNER_TEMP/replace_private_package_registries.py
           sh .devcontainer/manual-setup-deps.sh ${{ matrix.python-version }} --skip-lock
           # Add everything to git so that pre-commit recognizes the files and runs on them
           git add .

.github/workflows/replace_private_package_registries.py

@@ -0,0 +1,57 @@
+"""Update any project files that point to a private package registry to use public ones.
+
+Since the CI pipelines for testing these copier templates don't have access to private registries, we can't test installing from them as part of CI.
+
+Seems minimal risk, since the only problem we'd be missing is if the pyproject.toml (or similar config files) had syntax errors that would have been
+caught by pre-commit.
+"""
+
+import re
+from pathlib import Path
+
+
+def process_file(file_path: Path):
+    # Read the entire file content
+    content = file_path.read_text()
+
+    # Regex to match a block starting with [[tool.uv.index]]
+    # until the next block header (a line starting with [[) or the end of the file.
+    pattern = re.compile(r"(\[\[tool\.uv\.index\]\].*?)(?=\n\[\[|$)", re.DOTALL)
+
+    # Find all uv.index blocks.
+    blocks = pattern.findall(content)
+
+    # Check if any block contains "default = true"
+    if not any("default = true" in block for block in blocks):
+        print(f"No changes in: {file_path}")
+        return
+
+    # If at least one block contains "default = true", remove all uv.index blocks.
+    new_content = pattern.sub("", content)
+
+    # Ensure file ends with a newline before appending the new block.
+    if not new_content.endswith("\n"):
+        new_content += "\n"
+
+    # Append the new block.
+    new_block = '[[tool.uv.index]]\nname = "pypi"\nurl = "https://pypi.org/simple/"\n'
+    new_content += new_block
+
+    # Write the updated content back to the file.
+    _ = file_path.write_text(new_content)
+    print(f"Updated file: {file_path}")
+
+
+def main():
+    base_dir = Path(".")
+    # Use rglob to find all pyproject.toml files recursively.
+    for file_path in base_dir.rglob("pyproject.toml"):
+        # Check if the file is at most two levels deep.
+        # The relative path's parts count should be <= 3 (e.g. "pyproject.toml" is 1 part,
+        # "subdir/pyproject.toml" is 2 parts, and "subdir/subsubdir/pyproject.toml" is 3 parts).
+        if len(file_path.relative_to(base_dir).parts) <= 3:
+            process_file(file_path)
+
+
+if __name__ == "__main__":
+    main()

copier.yml

@@ -26,6 +26,14 @@ python_version:
     help: What version of Python is used for development?
     default: "3.12.7"
 
+python_package_registry:
+    type: str
+    help: What registry should Python Packgaes be installed from?
+    choices:
+        - PyPI
+        - AWS CodeArtifact
+    default: PyPI
+
 python_ci_versions:
     type: str
     help: What versions should Python run CI on the instantiated template?
@@ -35,6 +43,31 @@ python_ci_versions:
       - "3.13.2"
 
 
+aws_identity_center_id:
+    type: str
+    help: What's the ID of your Organization's AWS Identity center, e.g. d-9145c20053?
+    when: "{{ python_package_registry == 'AWS CodeArtifact' }}"
+
+aws_org_home_region:
+    type: str
+    help: What is the home region of the AWS Organization (where all of the central infrastructure is deployed)?
+    default: us-east-1
+    when: "{{ python_package_registry == 'AWS CodeArtifact' }}"
+
+aws_central_infrastructure_account_id:
+    type: str
+    help: What's the ID of your Organization's AWS Account containing Central Infrastructure (e.g. CodeArtifact)?
+    when: "{{ python_package_registry == 'AWS CodeArtifact' }}"
+
+core_infra_base_access_profile_name:
+    type: str
+    help: What's the AWS Identity Center Profile name for base access to the Central Infrastructure account (i.e. to read from CodeArtifact)?
+    when: "{{ python_package_registry == 'AWS CodeArtifact' }}"
+    default: CoreInfraBaseAccess
+
+
+
+
 
 # Questions specific to this template
 

template/.devcontainer/code-artifact-auth.sh.jinja

@@ -0,0 +1,47 @@
+{% if python_package_registry is defined and python_package_registry == "AWS CodeArtifact" %}{% raw %}#!/usr/bin/env bash
+set -ex
+
+# If none of these are set we can't possibly continue and should fail so you can fix it
+if [ -z "$AWS_PROFILE" ] && [ -z "$AWS_ACCESS_KEY_ID" ] && [ -z "$CODEARTIFACT_AUTH_TOKEN" ]; then
+    echo "No AWS profile, access key, or auth token found, cannot proceed."
+    exit 1
+else
+    # Only regenerate the token if it doesn't exist or wasn't already set as an environmental variable (e.g. during CI or passed into a docker image build)
+    if [ -z "$CODEARTIFACT_AUTH_TOKEN" ]; then
+        echo "Fetching CodeArtifact token"
+        if [ -z "$CI" ]; then
+            PROFILE_ARGS="--profile={% endraw %}{{ core_infra_base_access_profile_name }}{% raw %}"
+        else
+            PROFILE_ARGS=""
+        fi
+
+        # Check if AWS credentials are valid by trying to retrieve the caller identity.
+        # If the ARN is not returned, assume credentials are expired or not set correctly.
+        caller_identity=$(aws sts get-caller-identity --region={% endraw %}{{ aws_org_home_region }}{% raw %} $PROFILE_ARGS --query Arn --output text 2>/dev/null || echo "")
+        if [ -z "$caller_identity" ]; then
+            if [ -n "$CI" ]; then
+                echo "Error: In CI environment, aws sso login should never be called...something is wrong with this script or your workflow...perhaps you did not OIDC Auth yet in CI?"
+                exit 1
+            fi
+            echo "SSO credentials not found or expired, logging in..."
+            aws sso login $PROFILE_ARGS
+        else
+            echo "Using existing AWS credentials: $caller_identity"
+        fi
+
+        set +x
+        export CODEARTIFACT_AUTH_TOKEN=$(aws codeartifact get-authorization-token \
+            --domain {% endraw %}{{ repo_org_name }}{% raw %} \
+            --domain-owner {% endraw %}{{ aws_central_infrastructure_account_id }}{% raw %} \
+            --region {% endraw %}{{ aws_org_home_region }}{% raw %} \
+            --query authorizationToken \
+            --output text $PROFILE_ARGS)
+        set -x
+    fi
+
+    set +x
+    export UV_INDEX_CODE_ARTIFACT_PRIMARY_PASSWORD="$CODEARTIFACT_AUTH_TOKEN"
+    export UV_INDEX_CODE_ARTIFACT_STAGING_PASSWORD="$CODEARTIFACT_AUTH_TOKEN"
+    set -x
+
+fi{% endraw %}{% else %}{% raw %}# Placeholder file not being used by these copier template answers{% endraw %}{% endif %}