-
Notifications
You must be signed in to change notification settings - Fork 195
153 lines (143 loc) · 6.07 KB
/
ci-pr.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
# This workflow runs CI and the PR Bot on pull requests that are not from forked repositories.
name: CI
on:
pull_request:
# Allow one instance of this workflow per pull request, and cancel older runs when new changes are pushed
concurrency:
group: ci-yaml-${{ github.ref }}
cancel-in-progress: true
env:
ecr_repository: public.ecr.aws/w0m4q9l7/github-awslabs-smithy-rs-ci
jobs:
# This job will, if possible, save a docker login password to the job outputs. The token will
# be encrypted with the passphrase stored as a GitHub secret. The login password expires after 12h.
# The login password is encrypted with the repo secret DOCKER_LOGIN_TOKEN_PASSPHRASE
save-docker-login-token:
name: Save a docker login token
if: ${{ github.event.pull_request.head.repo.full_name == 'smithy-lang/smithy-rs' }}
outputs:
docker-login-password: ${{ steps.set-token.outputs.docker-login-password }}
permissions:
id-token: write
contents: read
continue-on-error: true
runs-on: ubuntu-latest
steps:
- name: Attempt to load a docker login password
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.SMITHY_RS_PUBLIC_ECR_PUSH_ROLE_ARN }}
role-session-name: GitHubActions
aws-region: us-west-2
- name: Save the docker login password to the output
id: set-token
run: |
ENCRYPTED_PAYLOAD=$(
gpg --symmetric --batch --passphrase "${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}" --output - <(aws ecr-public get-login-password --region us-east-1) | base64 -w0
)
echo "docker-login-password=$ENCRYPTED_PAYLOAD" >> $GITHUB_OUTPUT
# This job detects if the PR made changes to build tools. If it did, then it builds a new
# build Docker image. Otherwise, it downloads a build image from Public ECR. In both cases,
# it uploads the image as a build artifact for other jobs to download and use.
acquire-base-image:
name: Acquire Base Image
needs: save-docker-login-token
if: ${{ github.event.pull_request.head.repo.full_name == 'smithy-lang/smithy-rs' }}
runs-on: smithy_ubuntu-latest_8-core
env:
ENCRYPTED_DOCKER_PASSWORD: ${{ needs.save-docker-login-token.outputs.docker-login-password }}
DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}
permissions:
id-token: write
contents: read
steps:
- uses: actions/checkout@v4
with:
path: smithy-rs
- name: Acquire base image
id: acquire
env:
DOCKER_BUILDKIT: 1
run: ./smithy-rs/.github/scripts/acquire-build-image
- name: Acquire credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.SMITHY_RS_PUBLIC_ECR_PUSH_ROLE_ARN }}
role-session-name: GitHubActions
aws-region: us-west-2
- name: Upload image
run: |
IMAGE_TAG="$(./smithy-rs/.github/scripts/docker-image-hash)"
docker tag "smithy-rs-base-image:${IMAGE_TAG}" "${{ env.ecr_repository }}:${IMAGE_TAG}"
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws
docker push "${{ env.ecr_repository }}:${IMAGE_TAG}"
# Run shared CI after the Docker build image has either been rebuilt or found in ECR
ci:
needs:
- save-docker-login-token
- acquire-base-image
if: ${{ github.event.pull_request.head.repo.full_name == 'smithy-lang/smithy-rs' }}
uses: ./.github/workflows/ci.yml
with:
run_sdk_examples: true
secrets:
ENCRYPTED_DOCKER_PASSWORD: ${{ needs.save-docker-login-token.outputs.docker-login-password }}
DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}
# The PR bot requires a Docker build image, so make it depend on the `acquire-base-image` job.
pr_bot:
name: PR Bot
if: ${{ github.event.pull_request.head.repo.full_name == 'smithy-lang/smithy-rs' }}
needs: acquire-base-image
uses: ./.github/workflows/pull-request-bot.yml
with:
issue_number: ${{ github.event.number }}
base_revision: ${{ github.event.pull_request.base.sha }}
head_revision: ${{ github.event.pull_request.head.sha }}
secrets:
SMITHY_RS_PULL_REQUEST_CDN_S3_BUCKET_NAME: ${{ secrets.SMITHY_RS_PULL_REQUEST_CDN_S3_BUCKET_NAME }}
SMITHY_RS_PULL_REQUEST_CDN_ROLE_ARN: ${{ secrets.SMITHY_RS_PULL_REQUEST_CDN_ROLE_ARN }}
semver-checks:
name: check the semver status of this PR
runs-on: smithy_ubuntu-latest_8-core
needs:
- save-docker-login-token
- acquire-base-image
# We need `always` here otherwise this job won't run if the previous job has been skipped
# See https://samanpavel.medium.com/github-actions-conditional-job-execution-e6aa363d2867
if: |
always() &&
!contains(needs.*.result, 'failure') &&
!contains(needs.*.result, 'cancelled')
steps:
- uses: actions/checkout@v4
with:
path: smithy-rs
ref: ${{ inputs.git_ref }}
- name: Get PR info
id: check-breaking-label
uses: actions/github-script@v7
with:
script: |
const response = await github.rest.pulls.get({
pull_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
});
const labels = response.data.labels.map(l => l.name);
const isBreaking = labels.includes("breaking-change");
const data = {
labels,
isBreaking
};
console.log("data:", data);
return data;
- name: Run semver check
uses: ./smithy-rs/.github/actions/docker-build
with:
action: check-semver
action-arguments: ${{ github.event.pull_request.base.sha }} ${{ fromJSON(steps.check-breaking-label.outputs.result).isBreaking }}
- name: print help message
if: failure()
run: echo "::error::This pull request contains breaking changes. Please add the `breaking-changes` label and a changelog entry"