Run canary as part of CI (#3525)

## Motivation and Context
CI now runs
[canary](https://github.com/smithy-lang/smithy-rs/tree/main/tools/ci-cdk/canary-lambda/src/latest)
on pull requests.

## Description
Historically, canary has been running only during releases and daily in
the
[aws-sdk-rust](https://github.com/awslabs/aws-sdk-rust/actions/workflows/canary.yaml)
repository. This presents a problem of action at a distance where a
potential bug that may hurt canary won't immediately be caught when a PR
is merged to `main` in `smithy-rs` (such as code under code under
`#[cfg(debug_assertions)]` was not used during canary's lambda execution
and the definition of an item only used under that resulted in unused
warning). This PR will address that problem.

PRs from forked repositories cannot run the `Canary` job (it will be
skipped). A maintainer can run it on their behalf within
`smithy-lang:smithy-rs` using a newly added [manual
workflow](https://github.com/smithy-lang/smithy-rs/pull/3525/files#diff-1b1b5b27850107cb97519c98de99d35a49b90277ccb52201b842e9b81feb5d47).

After we merge this to main, we will update the branch protection so
that the `Canary` job is required for merge, in addition to ` Matrix
Success ` (this will not affect PRs from forked repositories since the
`Canary` job will be skipped a skipped job will [report its status as
Success](https://docs.github.com/en/actions/using-jobs/using-conditions-to-control-job-execution),
but a manual canary run should pass).

## Testing
- Verified a PR in `smithy-lang:smithy-rs` ran the canary
([passed](https://github.com/smithy-lang/smithy-rs/actions/runs/8473703578/job/23219021189?pr=3525)).
- Verified a PR in a `smithy-rs` fork cannot run the canary and
[indicated that a maintainer needs to run it
manually](https://github.com/smithy-lang/smithy-rs/actions/runs/8473799146/job/23218944122?pr=3528)
- Verified a maintainer can manually invoke the canary using a PR from a
fork
([passed](https://github.com/smithy-lang/smithy-rs/actions/runs/8474050953))
- Verified internal release pipeline passed with [the changes to
canary-runner](https://github.com/smithy-lang/smithy-rs/pull/3525/files#diff-cc953ba68fec8cf937e1aa70181a901150fc5f1a74bf6ca1075d522c63d1eb6f)

----

_By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice._

Author: ysaito1001

.github/workflows/canary.yml

@@ -68,3 +68,5 @@ jobs:
     secrets:
       ENCRYPTED_DOCKER_PASSWORD: ${{ needs.acquire-base-image.outputs.docker-login-password }}
       DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}
+      CANARY_GITHUB_ACTIONS_ROLE_ARN: ${{ secrets.CANARY_GITHUB_ACTIONS_ROLE_ARN }}
+      CANARY_STACK_CDK_OUTPUTS_BUCKET_NAME: ${{ secrets.CANARY_STACK_CDK_OUTPUTS_BUCKET_NAME }}

.github/workflows/ci-main.yml

@@ -91,3 +91,5 @@ jobs:
     secrets:
       ENCRYPTED_DOCKER_PASSWORD: ${{ needs.save-docker-login-token.outputs.docker-login-password }}
       DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}
+      CANARY_GITHUB_ACTIONS_ROLE_ARN: ${{ secrets.CANARY_GITHUB_ACTIONS_ROLE_ARN }}
+      CANARY_STACK_CDK_OUTPUTS_BUCKET_NAME: ${{ secrets.CANARY_STACK_CDK_OUTPUTS_BUCKET_NAME }}

.github/workflows/ci-merge-queue.yml

@@ -42,4 +42,5 @@ jobs:
     if: ${{ github.event.pull_request.head.repo.full_name != 'smithy-lang/smithy-rs' }}
     uses: ./.github/workflows/ci.yml
     with:
+      run_canary: false
       run_sdk_examples: true

.github/workflows/ci-pr-forks.yml

@@ -93,6 +93,8 @@ jobs:
     secrets:
       ENCRYPTED_DOCKER_PASSWORD: ${{ needs.save-docker-login-token.outputs.docker-login-password }}
       DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}
+      CANARY_GITHUB_ACTIONS_ROLE_ARN: ${{ secrets.CANARY_GITHUB_ACTIONS_ROLE_ARN }}
+      CANARY_STACK_CDK_OUTPUTS_BUCKET_NAME: ${{ secrets.CANARY_STACK_CDK_OUTPUTS_BUCKET_NAME }}
 
   # The PR bot requires a Docker build image, so make it depend on the `acquire-base-image` job.
   pr_bot:

.github/workflows/ci-pr.yml

@@ -9,6 +9,11 @@ name: Test
 on:
   workflow_call:
     inputs:
+      run_canary:
+        description: Whether to run the canary or not.
+        required: false
+        default: true
+        type: boolean
       run_sdk_examples:
         description: Whether to run the SDK example checks or not.
         required: false
@@ -27,6 +32,10 @@ on:
         required: false
       DOCKER_LOGIN_TOKEN_PASSPHRASE:
         required: false
+      CANARY_GITHUB_ACTIONS_ROLE_ARN:
+        required: false
+      CANARY_STACK_CDK_OUTPUTS_BUCKET_NAME:
+        required: false
 
 env:
   rust_version: 1.74.1
@@ -315,6 +324,49 @@ jobs:
       shell: bash
       run: cross test --target ${{ matrix.target }} --manifest-path "aws/rust-runtime/Cargo.toml" ${{ matrix.test_aws_exclude }} --workspace
 
+  # Run the canary against generated SDKs
+  #
+  # In addition to Matrix Success, this job will also be required to pass for merge.
+  # CI execution from forked repositories will skip this job, and when it does
+  # this skipped job will report its status as "Success".
+  # https://docs.github.com/en/actions/using-jobs/using-conditions-to-control-job-execution#overview
+  canary:
+    name: Canary
+    if: ${{ inputs.run_canary }}
+    needs: generate
+    runs-on: smithy_ubuntu-latest_8-core
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        path: smithy-rs
+        ref: ${{ inputs.git_ref }}
+    - name: Configure credentials
+      id: creds
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        aws-region: us-west-2
+        role-to-assume: ${{ secrets.CANARY_GITHUB_ACTIONS_ROLE_ARN }}
+        output-credentials: true
+    - name: Run canary
+      uses: ./smithy-rs/.github/actions/docker-build
+      with:
+        action: run-canary
+        action-arguments: ${{ secrets.CANARY_STACK_CDK_OUTPUTS_BUCKET_NAME }} ${{ steps.creds.outputs.aws-access-key-id }} ${{ steps.creds.outputs.aws-secret-access-key }} ${{ steps.creds.outputs.aws-session-token }}
+
+  # This is always a failing job since forked repositories do not have necessary repository secrets
+  # to run the PR bot workflow or the canary workflow
+  ask-maintainer-to-run-pr-bot-and-canary:
+    name: Ask maintainer to run the PR bot and canary workflows
+    if: ${{ !inputs.run_canary }}
+    runs-on: ubuntu-latest
+    steps:
+    - run: |
+        echo "PR bot and canary cannot be invoked from a forked repository. Ask a maintainer to manually invoke them using your PR."
+        exit 1
+
   # This job is split out from the rest since it is not required to pass for merge
   check-sdk-examples:
     name: Check SDK Examples

.github/workflows/ci.yml

@@ -8,11 +8,98 @@ on:
         description: The PR number to invoke the canary for.
         required: true
         type: string
+run-name: ${{ github.workflow }} for Pull Request ${{ inputs.pull_request_number }}
+
+# Allow one instance of this workflow per pull request, and cancel older runs when new changes are pushed
+concurrency:
+  group: manual-canary-${{ inputs.pull_request_number }}
+  cancel-in-progress: true
 
 jobs:
+  get-pr-info:
+    name: Get PR info
+    runs-on: ubuntu-latest
+    steps:
+    - name: Get PR info
+      id: get-pr-info
+      uses: actions/github-script@v7
+      with:
+        script: |
+          const response = await github.rest.pulls.get({
+            pull_number: ${{ inputs.pull_request_number }},
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+          });
+          const data = {
+            commit_sha: response.data.head.sha,
+          };
+          console.log("data:", data);
+          return data;
+    outputs:
+      pull_data: ${{ steps.get-pr-info.outputs.result }}
+
+  acquire-base-image:
+    name: Acquire Base Image
+    needs:
+    - get-pr-info
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        path: smithy-rs
+            # The ref used needs to match the HEAD revision of the PR being diffed, or else
+          # the `docker-build` action won't find the built Docker image.
+        ref: ${{ fromJSON(needs.get-pr-info.outputs.pull_data).commit_sha }}
+        fetch-depth: 0
+    - name: Acquire base image
+      id: acquire
+      run: ./smithy-rs/.github/scripts/acquire-build-image
+    - name: Upload base image
+      uses: actions/upload-artifact@v4
+      with:
+        name: smithy-rs-base-image
+        path: smithy-rs-base-image
+        retention-days: 1
+
+  generate:
+    name: Generate
+    needs:
+    - acquire-base-image
+    - get-pr-info
+    runs-on: smithy_ubuntu-latest_8-core
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        path: smithy-rs
+        ref: ${{ fromJSON(needs.get-pr-info.outputs.pull_data).commit_sha }}
+    - name: Generate a subset of SDKs for the canary
+      uses: ./smithy-rs/.github/actions/docker-build
+      with:
+        action: generate-aws-sdk-for-canary
+
   canary:
     name: Canary
-    runs-on: ubuntu-latest
+    needs:
+    - generate
+    - get-pr-info
+    runs-on: smithy_ubuntu-latest_8-core
+    permissions:
+      id-token: write
+      contents: read
     steps:
-    - name: Invoke canary
-      run: echo "Hello World"
+    - uses: actions/checkout@v4
+      with:
+        path: smithy-rs
+        ref: ${{ fromJSON(needs.get-pr-info.outputs.pull_data).commit_sha }}
+    - name: Configure credentials
+      id: creds
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        aws-region: us-west-2
+        role-to-assume: ${{ secrets.CANARY_GITHUB_ACTIONS_ROLE_ARN }}
+        output-credentials: true
+    - name: Run canary
+      uses: ./smithy-rs/.github/actions/docker-build
+      with:
+        action: run-canary
+        action-arguments: ${{ secrets.CANARY_STACK_CDK_OUTPUTS_BUCKET_NAME }} ${{ steps.creds.outputs.aws-access-key-id }} ${{ steps.creds.outputs.aws-secret-access-key }} ${{ steps.creds.outputs.aws-session-token }}

.github/workflows/manual-canary.yml

@@ -167,12 +167,14 @@ RUN set -eux; \
         python3-pip \
         shadow-utils \
         cmake \
-        tar; \
+        tar \
+        unzip; \
     yum clean all; \
     rm -rf /var/cache/yum; \
     groupadd build; \
     useradd -m -g build build; \
     chmod 775 /home/build;
+RUN set -eux; cd /tmp; curl 'https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip' -o awscliv2.zip && unzip awscliv2.zip && ./aws/install
 COPY --chown=build:build --from=local_tools /opt/cargo /opt/cargo
 COPY --chown=build:build --from=cargo_deny /opt/cargo/bin/cargo-deny /opt/cargo/bin/cargo-deny
 COPY --chown=build:build --from=cargo_udeps /opt/cargo/bin/cargo-udeps /opt/cargo/bin/cargo-udeps

tools/ci-build/Dockerfile

@@ -153,15 +153,42 @@ impl Options {
                 lambda_execution_role_arn: String,
             }
             #[derive(Deserialize)]
-            struct Outer {
+            enum Outer {
                 #[serde(rename = "aws-sdk-rust-canary-stack")]
-                inner: Inner,
+                AwsSdkRust {
+                    #[serde(flatten)]
+                    aws_sdk_rust_canary_stack: Inner,
+                },
+                #[serde(rename = "smithy-rs-canary-stack")]
+                SmithyRs {
+                    #[serde(flatten)]
+                    smithy_rs_canary_stack: Inner,
+                },
+            }
+            impl Outer {
+                fn into_inner(self) -> Inner {
+                    match self {
+                        Outer::AwsSdkRust {
+                            aws_sdk_rust_canary_stack,
+                        } => aws_sdk_rust_canary_stack,
+                        Outer::SmithyRs {
+                            smithy_rs_canary_stack,
+                        } => smithy_rs_canary_stack,
+                    }
+                }
             }
 
             let value: Outer = serde_json::from_reader(
                 std::fs::File::open(cdk_output).context("open cdk output")?,
             )
             .context("read cdk output")?;
+            let Inner {
+                lambda_code_s3_bucket_name,
+                lambda_test_s3_bucket_name,
+                lambda_test_s3_mrap_bucket_arn,
+                lambda_test_s3_express_bucket_name,
+                lambda_execution_role_arn,
+            } = value.into_inner();
             Ok(Options {
                 rust_version: run_opt.rust_version,
                 sdk_release_tag: run_opt.sdk_release_tag,
@@ -171,11 +198,11 @@ impl Options {
                 lambda_function_memory_size_in_mb: run_opt
                     .lambda_function_memory_size_in_mb
                     .unwrap_or(DEFAULT_LAMBDA_FUNCTION_MEMORY_SIZE_IN_MB),
-                lambda_code_s3_bucket_name: value.inner.lambda_code_s3_bucket_name,
-                lambda_test_s3_bucket_name: value.inner.lambda_test_s3_bucket_name,
-                lambda_test_s3_mrap_bucket_arn: value.inner.lambda_test_s3_mrap_bucket_arn,
-                lambda_test_s3_express_bucket_name: value.inner.lambda_test_s3_express_bucket_name,
-                lambda_execution_role_arn: value.inner.lambda_execution_role_arn,
+                lambda_code_s3_bucket_name,
+                lambda_test_s3_bucket_name,
+                lambda_test_s3_mrap_bucket_arn,
+                lambda_test_s3_express_bucket_name,
+                lambda_execution_role_arn,
             })
         } else {
             Ok(Options {

tools/ci-cdk/canary-runner/src/run.rs

@@ -0,0 +1,14 @@
+#!/bin/bash
+#
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+
+set -eux
+
+cd smithy-rs
+
+# Generate only SDKs used by canary (see BASE_MANIFEST in build_bundle.rs of canary-runner)
+./gradlew -Paws.services=+ec2,+s3,+sso,+ssooidc,+sts,+transcribestreaming :aws:sdk:assemble
+
+mv aws/sdk/build/aws-sdk ../artifacts/