Skip to content

DO NOT MERGE: Flex Checksums #9848

DO NOT MERGE: Flex Checksums

DO NOT MERGE: Flex Checksums #9848

Workflow file for this run

# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
# This workflow runs CI and the PR Bot on pull requests that are not from forked repositories.
name: CI
on:
pull_request:
# Allow one instance of this workflow per pull request, and cancel older runs when new changes are pushed
concurrency:
group: ci-yaml-${{ github.ref }}
cancel-in-progress: true
env:
ecr_repository: public.ecr.aws/w0m4q9l7/github-awslabs-smithy-rs-ci
jobs:
# This job will, if possible, save a docker login password to the job outputs. The token will
# be encrypted with the passphrase stored as a GitHub secret. The login password expires after 12h.
# The login password is encrypted with the repo secret DOCKER_LOGIN_TOKEN_PASSPHRASE
save-docker-login-token:
name: Save a docker login token
timeout-minutes: 10
if: ${{ github.event.pull_request.head.repo.full_name == 'smithy-lang/smithy-rs' }}
outputs:
docker-login-password: ${{ steps.set-token.outputs.docker-login-password }}
permissions:
id-token: write
contents: read
continue-on-error: true
runs-on: ubuntu-latest
steps:
- name: Attempt to load a docker login password
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.SMITHY_RS_PUBLIC_ECR_PUSH_ROLE_ARN }}
role-session-name: GitHubActions
aws-region: us-west-2
- name: Save the docker login password to the output
id: set-token
run: |
ENCRYPTED_PAYLOAD=$(
gpg --symmetric --batch --passphrase "${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}" --output - <(aws ecr-public get-login-password --region us-east-1) | base64 -w0
)
echo "docker-login-password=$ENCRYPTED_PAYLOAD" >> $GITHUB_OUTPUT
# This job detects if the PR made changes to build tools. If it did, then it builds a new
# build Docker image. Otherwise, it downloads a build image from Public ECR. In both cases,
# it uploads the image as a build artifact for other jobs to download and use.
acquire-base-image:
name: Acquire Base Image
timeout-minutes: 60
needs: save-docker-login-token
if: ${{ github.event.pull_request.head.repo.full_name == 'smithy-lang/smithy-rs' }}
runs-on: smithy_ubuntu-latest_8-core
env:
ENCRYPTED_DOCKER_PASSWORD: ${{ needs.save-docker-login-token.outputs.docker-login-password }}
DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}
permissions:
id-token: write
contents: read
steps:
- uses: actions/checkout@v4
with:
path: smithy-rs
- name: Acquire base image
id: acquire
env:
DOCKER_BUILDKIT: 1
run: ./smithy-rs/.github/scripts/acquire-build-image
- name: Acquire credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.SMITHY_RS_PUBLIC_ECR_PUSH_ROLE_ARN }}
role-session-name: GitHubActions
aws-region: us-west-2
- name: Upload image
run: |
IMAGE_TAG="$(./smithy-rs/.github/scripts/docker-image-hash)"
docker tag "smithy-rs-base-image:${IMAGE_TAG}" "${{ env.ecr_repository }}:${IMAGE_TAG}"
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws
docker push "${{ env.ecr_repository }}:${IMAGE_TAG}"
# Run shared CI after the Docker build image has either been rebuilt or found in ECR
ci:
needs:
- save-docker-login-token
- acquire-base-image
if: ${{ github.event.pull_request.head.repo.full_name == 'smithy-lang/smithy-rs' }}
uses: ./.github/workflows/ci.yml
with:
run_sdk_examples: true
secrets:
ENCRYPTED_DOCKER_PASSWORD: ${{ needs.save-docker-login-token.outputs.docker-login-password }}
DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}
CANARY_GITHUB_ACTIONS_ROLE_ARN: ${{ secrets.CANARY_GITHUB_ACTIONS_ROLE_ARN }}
CANARY_STACK_CDK_OUTPUTS_BUCKET_NAME: ${{ secrets.CANARY_STACK_CDK_OUTPUTS_BUCKET_NAME }}
# The PR bot requires a Docker build image, so make it depend on the `acquire-base-image` job.
pr_bot:
name: PR Bot
if: ${{ github.event.pull_request.head.repo.full_name == 'smithy-lang/smithy-rs' }}
needs: acquire-base-image
uses: ./.github/workflows/pull-request-bot.yml
with:
issue_number: ${{ github.event.number }}
base_revision: ${{ github.event.pull_request.base.sha }}
head_revision: ${{ github.event.pull_request.head.sha }}
secrets:
SMITHY_RS_PULL_REQUEST_CDN_S3_BUCKET_NAME: ${{ secrets.SMITHY_RS_PULL_REQUEST_CDN_S3_BUCKET_NAME }}
SMITHY_RS_PULL_REQUEST_CDN_ROLE_ARN: ${{ secrets.SMITHY_RS_PULL_REQUEST_CDN_ROLE_ARN }}
semver-checks:
name: Check PR semver compliance
runs-on: smithy_ubuntu-latest_8-core
timeout-minutes: 20
needs:
- save-docker-login-token
- acquire-base-image
# We need `always` here otherwise this job won't run if the previous job has been skipped
# See https://samanpavel.medium.com/github-actions-conditional-job-execution-e6aa363d2867
if: |
always() &&
!contains(needs.*.result, 'failure') &&
!contains(needs.*.result, 'cancelled')
steps:
- uses: actions/checkout@v4
with:
path: smithy-rs
ref: ${{ inputs.git_ref }}
- name: Get PR info
id: check-breaking-label
uses: actions/github-script@v7
with:
script: |
const response = await github.rest.pulls.get({
pull_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
});
const labels = response.data.labels.map(l => l.name);
const isBreaking = labels.includes("breaking-change");
const data = {
labels,
isBreaking
};
console.log("data:", data);
return data;
- name: Run semver check
uses: ./smithy-rs/.github/actions/docker-build
with:
action: check-semver
action-arguments: ${{ github.event.pull_request.base.sha }} ${{ fromJSON(steps.check-breaking-label.outputs.result).isBreaking }}
- name: Print help message
if: failure()
run: echo "::error::This pull request either contains breaking changes, or has cross-crate changes that may be backwards compatible, but that cargo-semver-checks cannot verify. Please scrutinize the change for backwards compatibility."