generated from amazon-archives/__template_Apache-2.0
-
Notifications
You must be signed in to change notification settings - Fork 237
404 lines (390 loc) · 16.9 KB
/
ci.yml
File metadata and controls
404 lines (390 loc) · 16.9 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
# This is the shared CI workflow that is run by both `ci-pr.yml` and `ci-main.yml` depending
# on if a pull request is being checked, or if the `main` branch is being checked after merge.
name: Test
on:
workflow_call:
inputs:
run_canary:
description: Whether to run the canary or not.
required: false
default: true
type: boolean
git_ref:
description: |
The git reference that all checks should be run against. It can be a branch, a tag or a commit SHA.
If unspecified, it will default to the git reference or SHA that triggered the execution of this workflow.
required: false
type: string
default: ''
secrets:
# the docker login password for ECR (encrypted with the DOCKER_LOGIN_TOKEN_PASSPHRASE)
ENCRYPTED_DOCKER_PASSWORD:
required: false
DOCKER_LOGIN_TOKEN_PASSPHRASE:
required: false
CANARY_GITHUB_ACTIONS_ROLE_ARN:
required: false
CANARY_STACK_CDK_OUTPUTS_BUCKET_NAME:
required: false
env:
rust_version: 1.86.0
rust_toolchain_components: clippy,rustfmt
ENCRYPTED_DOCKER_PASSWORD: ${{ secrets.ENCRYPTED_DOCKER_PASSWORD }}
DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}
jobs:
# The `generate` job runs scripts that produce artifacts that are required by the `test` job,
# and also runs some checks/lints so that those are run sooner rather than later.
generate:
name: Generate
timeout-minutes: 30
runs-on: smithy_ubuntu-latest_8-core
# To avoid repeating setup boilerplate, we have the actual commands
# in a matrix strategy. These commands get run in the steps after all the setup.
strategy:
fail-fast: false
matrix:
# These correspond to scripts in tools/ci-scripts that will be run in the Docker build image
actions:
- action: generate-aws-sdk
- action: generate-aws-sdk-smoketest
- action: generate-smithy-rs-release
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- uses: actions/checkout@v4
with:
path: smithy-rs
ref: ${{ inputs.git_ref }}
# `generate-smithy-rs-release` requires access to previous tags to determine if a numerical suffix is needed
# to make the release tag unique
fetch-depth: 0
# The models from aws-sdk-rust are needed to generate the full SDK for CI
- uses: actions/checkout@v4
with:
repository: awslabs/aws-sdk-rust
path: aws-sdk-rust
- name: Run ${{ matrix.actions.action }}
uses: ./smithy-rs/.github/actions/docker-build
with:
action: ${{ matrix.actions.action }}
# Test the code generator and other parts (styles and lints) that don't require
# code to have already been generated in order to run.
test-codegen:
name: Test Codegen
runs-on: ${{ matrix.test.runner }}
timeout-minutes: 35
# To avoid repeating setup boilerplate, we have the actual test commands
# in a matrix strategy. These commands get run in the steps after all the setup.
strategy:
fail-fast: false
matrix:
# These correspond to scripts in tools/ci-scripts that will be run in the Docker build image
test:
- action: check-aws-sdk-adhoc-tests
runner: ubuntu-latest
- action: check-client-codegen-integration-tests
runner: smithy_ubuntu-latest_8-core
- action: check-client-codegen-unit-tests
runner: smithy_ubuntu-latest_8-core
- action: check-core-codegen-unit-tests
runner: smithy_ubuntu-latest_8-core
- action: check-rust-runtimes
runner: smithy_ubuntu-latest_8-core
fetch-depth: 0
- action: check-sdk-codegen-unit-tests
runner: smithy_ubuntu-latest_8-core
- action: check-fuzzgen
runner: ubuntu-latest
- action: check-server-codegen-integration-tests
runner: smithy_ubuntu-latest_8-core
- action: check-server-codegen-integration-tests-python
runner: ubuntu-latest
- action: check-server-codegen-unit-tests
runner: ubuntu-latest
- action: check-server-codegen-unit-tests-python
runner: ubuntu-latest
- action: check-serde-codegen-unit-tests
runner: ubuntu-latest
- action: check-server-e2e-test
runner: ubuntu-latest
- action: check-server-python-e2e-test
runner: ubuntu-latest
- action: check-style-and-lints
runner: ubuntu-latest
- action: check-book
runner: ubuntu-latest
- action: check-tools
runner: smithy_ubuntu-latest_8-core
- action: check-deterministic-codegen
runner: smithy_ubuntu-latest_8-core
- action: check-codegen-version
runner: ubuntu-latest
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- uses: actions/checkout@v4
with:
path: smithy-rs
ref: ${{ inputs.git_ref }}
# Defaults to 1 if not set
fetch-depth: ${{ matrix.test.fetch-depth }}
- name: Run ${{ matrix.test.action }}
uses: ./smithy-rs/.github/actions/docker-build
with:
action: ${{ matrix.test.action }}
# Separate from the main checks above because it uses aws-sdk-rust from GitHub
check-semver-hazards:
name: Check for semver hazards
runs-on: smithy_ubuntu-latest_8-core
timeout-minutes: 30
steps:
- uses: actions/checkout@v4
with:
path: smithy-rs
ref: ${{ inputs.git_ref }}
fetch-depth: 0
- uses: actions/checkout@v4
with:
repository: awslabs/aws-sdk-rust
path: aws-sdk-rust
fetch-depth: 0
- name: Run check-semver-hazards
uses: ./smithy-rs/.github/actions/docker-build
with:
action: check-semver-hazards
# Test all the things that require generated code. Note: the Rust runtimes require codegen
# to be checked since `aws-config` depends on the generated STS client.
test-sdk:
name: Test the SDK
needs: generate
runs-on: ${{ matrix.test.runner }}
timeout-minutes: 30
# To avoid repeating setup boilerplate, we have the actual test commands
# in a matrix strategy. These commands get run in the steps after all the setup.
strategy:
fail-fast: false
matrix:
# These correspond to scripts in tools/ci-scripts that will be run in the Docker build image
test:
- action: check-aws-config
runner: smithy_ubuntu-latest_8-core
- action: check-aws-sdk-canary
runner: ubuntu-latest
- action: check-aws-sdk-cargo-deny
runner: ubuntu-latest
- action: check-only-aws-sdk-services
runner: smithy_ubuntu-latest_8-core
- action: check-aws-sdk-smoketest-docs-clippy-udeps
runner: smithy_ubuntu-latest_8-core
- action: check-aws-sdk-smoketest-unit-tests
runner: smithy_ubuntu-latest_8-core
- action: check-aws-sdk-standalone-integration-tests
runner: ubuntu-latest
- action: check-aws-sdk-benchmarks
runner: ubuntu-latest
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- uses: actions/checkout@v4
with:
path: smithy-rs
ref: ${{ inputs.git_ref }}
- name: Run ${{ matrix.test.action }}
uses: ./smithy-rs/.github/actions/docker-build
with:
action: ${{ matrix.test.action }}
test-rust-windows:
name: Rust Tests on Windows
runs-on: windows-latest
timeout-minutes: 30
env:
# Disable incremental compilation to reduce disk space use
CARGO_INCREMENTAL: 0
RUSTDOCFLAGS: -D warnings
RUSTFLAGS: -D warnings
steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.git_ref }}
# Pinned to the commit hash of v2.7.3
- uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84
with:
shared-key: ${{ runner.os }}-${{ env.rust_version }}-${{ github.job }}
workspaces: |
.
tools
- uses: dtolnay/rust-toolchain@master
with:
toolchain: ${{ env.rust_version }}
components: ${{ env.rust_toolchain_components }}
# To fix OpenSSL not found on Windows: https://github.com/sfackler/rust-openssl/issues/1542
- run: echo "VCPKG_ROOT=$env:VCPKG_INSTALLATION_ROOT" | Out-File -FilePath $env:GITHUB_ENV -Append
- run: vcpkg install openssl:x64-windows-static-md
- name: Run tests
shell: bash
run: tools/ci-scripts/test-windows.sh
# We make sure that smithy-rs can be compiled on platforms that are not
# natively supported by GitHub actions. We run as many tests as we can on
# those platforms, but not all of them, because they require a more
# complicated setup involving architecture emulation.
test-exotic-platform-support:
name: Exotic platform support
runs-on: ubuntu-latest
timeout-minutes: 25
env:
CROSS_CONFIG: Cross.toml
strategy:
fail-fast: false
# We always exclude `aws-smithy-http-server-python`, `aws-smithy-http-server-typescript`, and `aws-smithy-experimental` since they are experimental.
# We exclude `aws-smithy-http-client` due to FIPS related feature flags and aws-lc-fips target support
matrix:
include:
- target: i686-unknown-linux-gnu
build_smithy_rs_features: --all-features
build_aws_exclude: ''
build_smithy_rs_exclude: --exclude aws-smithy-http-server-python --exclude aws-smithy-http-server-typescript --exclude aws-smithy-experimental --exclude aws-smithy-http-client
test_smithy_rs_features: --all-features
test_aws_exclude: ''
test_smithy_rs_exclude: --exclude aws-smithy-http-server-python --exclude aws-smithy-http-server-typescript --exclude aws-smithy-experimental --exclude aws-smithy-http-client
- target: powerpc-unknown-linux-gnu
build_smithy_rs_features: ''
build_aws_exclude: --exclude aws-inlineable
build_smithy_rs_exclude: --exclude aws-smithy-http-server-python --exclude aws-smithy-http-server-typescript --exclude aws-smithy-experimental --exclude aws-smithy-http-client
test_smithy_rs_features: ''
test_aws_exclude: --exclude aws-inlineable
test_smithy_rs_exclude: --exclude aws-smithy-http-server-python --exclude aws-smithy-http-server-typescript --exclude aws-smithy-experimental --exclude aws-smithy-http-client
- target: powerpc64-unknown-linux-gnu
build_smithy_rs_features: ''
build_aws_exclude: --exclude aws-inlineable
build_smithy_rs_exclude: --exclude aws-smithy-http-server-python --exclude aws-smithy-http-server-typescript --exclude aws-smithy-experimental --exclude aws-smithy-http-client
test_smithy_rs_features: ''
test_aws_exclude: --exclude aws-inlineable
test_smithy_rs_exclude: --exclude aws-smithy-http-server-python --exclude aws-smithy-http-server-typescript --exclude aws-smithy-experimental --exclude aws-smithy-http-client
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- name: Checkout
uses: actions/checkout@v4
with:
ref: ${{ inputs.git_ref }}
# Pinned to the commit hash of v2.7.3
- uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84
with:
shared-key: ${{ runner.os }}-${{ env.rust_version }}-${{ github.job }}-${{ matrix.target }}
workspaces: |
.
tools
- uses: dtolnay/rust-toolchain@master
with:
toolchain: ${{ env.rust_version }}
components: ${{ env.rust_toolchain_components }}
targets: ${{ matrix.target }}
- name: Sets OpenSSL env vars on i686
run: |
echo "OPENSSL_LIB_DIR=/usr/lib/i386-linux-gnu" >> $GITHUB_ENV
echo "OPENSSL_INCLUDE_DIR=/usr/include/i386-linux-gnu" >> $GITHUB_ENV
if: matrix.target == 'i686-unknown-linux-gnu'
- name: Sets OpenSSL env vars on ppc and ppc64
run: |
echo "OPENSSL_DIR=/openssl" >> $GITHUB_ENV
if: matrix.target != 'i686-unknown-linux-gnu'
- name: Configure cross
shell: bash
# configure and cross compile openssl locally on ppc and ppc64 to be able to run aws-smithy-client tests.
# since cross dropped support for openssl, we use the build script from version 0.16.
run: |
cargo install cross --locked --version 0.2.4
cat > Cross.toml << EOF
[target.i686-unknown-linux-gnu]
pre-build = ["dpkg --add-architecture i386", "apt-get update && apt-get install --assume-yes pkg-config:i386 libssl-dev:i386"]
[target.i686-unknown-linux-gnu.env]
passthrough = [
"OPENSSL_LIB_DIR",
"OPENSSL_INCLUDE_DIR",
]
[target.powerpc-unknown-linux-gnu]
pre-build = ["curl -L -s https://github.com/cross-rs/cross/raw/c183ee37a9dc6b0e6b6a6ac9c918173137bad4ef/docker/openssl.sh | sed 's/curl https/curl -L https/' > /tmp/openssl.sh && bash /tmp/openssl.sh linux-ppc powerpc-linux-gnu-"]
[target.powerpc-unknown-linux-gnu.env]
passthrough = ["OPENSSL_DIR"]
[target.powerpc64-unknown-linux-gnu]
pre-build = ["curl -L -s https://github.com/cross-rs/cross/raw/c183ee37a9dc6b0e6b6a6ac9c918173137bad4ef/docker/openssl.sh | sed 's/curl https/curl -L https/' > /tmp/openssl.sh && bash /tmp/openssl.sh linux-ppc64 powerpc64-linux-gnu-"]
[target.powerpc64-unknown-linux-gnu.env]
passthrough = ["OPENSSL_DIR"]
EOF
- name: Build Smithy-rs rust-runtime crates
shell: bash
run: cross build -vv --target ${{ matrix.target }} --manifest-path "rust-runtime/Cargo.toml" ${{ matrix.build_smithy_rs_exclude }} --workspace ${{ matrix.build_smithy_rs_features }}
- name: Build AWS rust-runtime crates
shell: bash
run: cross build -vv --target ${{ matrix.target }} --manifest-path "aws/rust-runtime/Cargo.toml" ${{ matrix.build_aws_exclude }} --workspace
- name: Test Smithy-rs rust-runtime crates
shell: bash
run: cross test --target ${{ matrix.target }} --manifest-path "rust-runtime/Cargo.toml" ${{ matrix.test_smithy_rs_exclude }} --workspace ${{ matrix.test_smithy_rs_features }}
- name: Test AWS rust-runtime crates
shell: bash
run: cross test --target ${{ matrix.target }} --manifest-path "aws/rust-runtime/Cargo.toml" ${{ matrix.test_aws_exclude }} --workspace
# Run the canary against generated SDKs
#
# In addition to Matrix Success, this job will also be required to pass for merge.
# CI execution from forked repositories will skip this job, and when it does
# this skipped job will report its status as "Success".
# https://docs.github.com/en/actions/using-jobs/using-conditions-to-control-job-execution#overview
canary:
name: Canary
if: ${{ inputs.run_canary }}
needs: generate
runs-on: smithy_ubuntu-latest_8-core
timeout-minutes: 30
permissions:
id-token: write
contents: read
actions: read
pull-requests: read
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- uses: actions/checkout@v4
with:
path: smithy-rs
ref: ${{ inputs.git_ref }}
- name: Configure credentials
id: creds
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: us-west-2
role-to-assume: ${{ secrets.CANARY_GITHUB_ACTIONS_ROLE_ARN }}
output-credentials: true
- name: Run canary
uses: ./smithy-rs/.github/actions/docker-build
with:
action: run-canary
action-arguments: ${{ secrets.CANARY_STACK_CDK_OUTPUTS_BUCKET_NAME }} ${{ steps.creds.outputs.aws-access-key-id }} ${{ steps.creds.outputs.aws-secret-access-key }} ${{ steps.creds.outputs.aws-session-token }}
# This is always a failing job since forked repositories do not have necessary repository secrets
# to run the PR bot workflow or the canary workflow
ask-maintainer-to-run-pr-bot-and-canary:
name: Ask maintainer to run the PR bot and canary workflows
if: ${{ !inputs.run_canary }}
runs-on: ubuntu-latest
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- run: |
echo "PR bot and canary cannot be invoked from a forked repository. Ask a maintainer to manually invoke them using your PR."
exit 1
# Pseudo-job that depends on matrix jobs so that we don't have to enter
# the myriad of test matrix combinations into GitHub's protected branch rules
require-all:
needs:
- generate
- test-codegen
- check-semver-hazards
- test-sdk
- test-rust-windows
- test-exotic-platform-support
# Run this job even if its dependency jobs fail
if: always()
runs-on: ubuntu-latest
name: Matrix Success
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- name: Verify jobs succeeded
# Pinned to commit hash of v1.2.2
uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe
with:
jobs: ${{ toJSON(needs) }}