
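# health_checks: install/build/test/lint/e2e gates for pushes and pull requests,
# plus the version-bump and publish automation that runs on main and hotfix.
name: health_checks
on:
  push:
    branches:
      - main
      - hotfix
  pull_request:
    branches:
      - main
      - hotfix
      - feature/**
  schedule:
    # Every day at minute 0 past hour 0, 6, 12, and 18 UTC.
    # This is to make sure that there is at least one workflow run every 24 hours
    # taking into account that
    # 1) scheduled runs may not fire at exact prescribed time;
    # 2) transient failures may happen and auto recover;
    - cron: '0 0,6,12,18 * * *'
  workflow_dispatch:
# NOTE(review): no workflow-level `permissions:` is declared, so every job without
# its own `permissions:` block runs with the repository's default GITHUB_TOKEN scope.
# The jobs that push (docs_build_and_publish, update_package_versions,
# publish_package_versions) appear to rely on that default being writable; a
# read-only workflow default with explicit per-job grants is the least-privilege
# shape, once the scopes those actions need have been confirmed.
jobs:
  install:
    strategy:
      matrix:
        # Windows install must happen on the same worker size as subsequent jobs.
        # Larger workers use different drive (C: instead of D:) to check out project and NPM installation
        # creates file system links that include drive letter.
        # Changing between standard and custom workers requires full install cache invalidation
        os: [ubuntu-latest, macos-14, windows-latest]
        node: [18, 20]
    runs-on: ${{ matrix.os }}
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
      - uses: ./.github/actions/setup_node
        with:
          node-version: ${{ matrix.node }}
      - uses: ./.github/actions/install_with_cache
        with:
          node-version: ${{ matrix.node }}
  build:
    strategy:
      matrix:
        node: [18, 20]
    runs-on: ubuntu-latest
    needs:
      - install
    steps:
      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
      - uses: ./.github/actions/setup_node
        with:
          node-version: ${{ matrix.node }}
      - uses: ./.github/actions/build_with_cache
        with:
          node-version: ${{ matrix.node }}
  test_with_coverage:
    needs:
      - build
    strategy:
      matrix:
        os: [ubuntu-latest, macos-14, windows-latest]
        node: [18, 20]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
      - uses: ./.github/actions/setup_node
        with:
          node-version: ${{ matrix.node }}
      - uses: ./.github/actions/restore_build_cache
        with:
          node-version: ${{ matrix.node }}
      - run: npm run set-script-shell
      - run: npm run test:coverage:threshold
  test_scripts:
    needs:
      - build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
      - uses: ./.github/actions/setup_node
      - uses: ./.github/actions/restore_build_cache
      - run: |
          npm run set-script-shell
          npm run test:scripts
  test_with_baseline_dependencies:
    needs:
      - install
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
      - uses: ./.github/actions/setup_node
      - uses: ./.github/actions/restore_install_cache
      - name: Pin some dependencies to nearest patch and rebuild
        run: |
          npx tsx scripts/set_baseline_dependency_versions.ts
          npm install
          # print out diff for auditing or troubleshooting
          git diff
          npm run build
      - name: Run unit and integration tests
        run: |
          npm run set-script-shell
          npm run test
  check_api_changes:
    if: github.event_name == 'pull_request'
    needs:
      - build
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - name: Checkout pull request ref
        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
      - uses: ./.github/actions/setup_node
      - uses: ./.github/actions/restore_build_cache
      - name: Publish packages locally
        timeout-minutes: 2
        run: |
          npm run start:npm-proxy
          # keep git diff with version increment to make sure test projects resolve right version
          npm run publish:local -- --keepGitDiff
      - name: Checkout base branch
        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
        with:
          path: base-branch-content
          ref: ${{ github.event.pull_request.base.sha }}
      - name: Check API changes
        run: |
          mkdir api-validation-projects
          npx tsx scripts/check_api_changes.ts base-branch-content api-validation-projects
  do_include_e2e:
    needs:
      - install
    runs-on: ubuntu-latest
    permissions:
      # This is required so that the step can read the labels on the pull request
      pull-requests: read
    outputs:
      run_e2e: ${{ steps.check.outputs.run_e2e }}
    steps:
      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
      - uses: ./.github/actions/setup_node
      - uses: ./.github/actions/restore_install_cache
      - name: Check if E2E tests should run
        id: check
        env:
          # The do_include_e2e script needs to query pull request labels.
          # The token is scoped to this step only; no other step in this job uses it.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: echo "run_e2e=$(npx tsx scripts/do_include_e2e.ts)" >> "$GITHUB_OUTPUT"
      - run: echo run_e2e set to ${{ steps.check.outputs.run_e2e }}
  e2e_iam_access_drift:
    if: needs.do_include_e2e.outputs.run_e2e == 'true'
    runs-on: ubuntu-latest
    timeout-minutes: 25
    needs:
      - do_include_e2e
      - build
    permissions:
      # these permissions are required for the configure-aws-credentials action to get a JWT from GitHub
      id-token: write
      contents: read
    steps:
      - name: Get baseline commit sha
        id: get_baseline_commit_sha
        env:
          GH_TOKEN: ${{ github.token }}
          # Context values are handed to the script through env rather than
          # interpolated into the script body, so the shell only ever sees
          # ordinary variables.
          EVENT_NAME: ${{ github.event_name }}
          EVENT_BEFORE_SHA: ${{ github.event.before }}
          PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          REPOSITORY: ${{ github.repository }}
          HEAD_SHA: ${{ github.sha }}
        run: |
          # Without pipefail a failed `gh api` call is masked by a successful `jq`.
          set -o pipefail
          if [[ "$EVENT_NAME" == 'push' ]]; then
            # The SHA of the most recent commit on ref before the push.
            baseline_commit_sha="$EVENT_BEFORE_SHA"
          elif [[ "$EVENT_NAME" == 'pull_request' ]]; then
            # The SHA of the HEAD commit on base branch.
            baseline_commit_sha="$PR_BASE_SHA"
          elif [[ "$EVENT_NAME" == 'schedule' ]] || [[ "$EVENT_NAME" == 'workflow_dispatch' ]]; then
            # The SHA of the parent of HEAD commit on main branch.
            # This assumes linear history of main branch, i.e. one parent.
            # These events have only information about HEAD commit, hence the need for lookup.
            baseline_commit_sha=$(gh api "/repos/${REPOSITORY}/commits/${HEAD_SHA}" | jq -r '.parents[0].sha')
          else
            echo Unable to determine baseline commit sha;
            exit 1;
          fi
          # `jq -r` prints "null" when the field is missing. An empty or "null" ref
          # would most likely make the checkout below fall back to the triggering
          # commit and silently compare the current version against itself.
          if [[ -z "$baseline_commit_sha" || "$baseline_commit_sha" == 'null' ]]; then
            echo "Baseline commit sha could not be resolved for event ${EVENT_NAME}";
            exit 1;
          fi
          echo baseline commit sha is $baseline_commit_sha;
          echo "baseline_commit_sha=$baseline_commit_sha" >> "$GITHUB_OUTPUT";
      - name: Checkout baseline version
        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
        with:
          ref: ${{ steps.get_baseline_commit_sha.outputs.baseline_commit_sha }}
      - uses: ./.github/actions/setup_node
      - name: Install and build baseline version
        run: |
          npm ci
          npm run build
      - name: Move baseline version
        id: move_baseline_version
        run: |
          BASELINE_DIR=$(mktemp -d)
          # Command below makes shell include .hidden files in file system commands (i.e. mv).
          # This is to make sure that .git directory is moved with the repo content.
          shopt -s dotglob
          mv ./* "$BASELINE_DIR"
          echo "baseline_dir=$BASELINE_DIR" >> "$GITHUB_OUTPUT";
      - name: Checkout current version
        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
      - uses: ./.github/actions/setup_node
      - uses: ./.github/actions/restore_build_cache
      - name: Configure test tooling credentials
        uses: ./.github/actions/setup_profile
        with:
          role-to-assume: ${{ secrets.E2E_TOOLING_ROLE_ARN }}
          aws-region: us-west-2
          profile-name: e2e-tooling
      - name: Configure test execution credentials
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # version 4.0.2
        with:
          role-to-assume: ${{ secrets.E2E_RUNNER_ROLE_ARN }}
          aws-region: us-west-2
      - name: Run e2e iam access drift test
        run: npm run test:dir packages/integration-tests/lib/test-e2e/iam_access_drift.test.js
        env:
          BASELINE_DIR: ${{ steps.move_baseline_version.outputs.baseline_dir }}
  e2e_deployment:
    if: needs.do_include_e2e.outputs.run_e2e == 'true'
    strategy:
      # will finish running other test matrices even if one fails
      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-14-xlarge, windows-latest]
        node-version: [18, 20]
        # skip multiple node version test on other os
        exclude:
          - os: macos-14-xlarge
            node-version: 20
          - os: windows-latest
            node-version: 20
    runs-on: ${{ matrix.os }}
    timeout-minutes: 25
    needs:
      - do_include_e2e
      - build
    permissions:
      # these permissions are required for the configure-aws-credentials action to get a JWT from GitHub
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
      - uses: ./.github/actions/setup_node
        with:
          node-version: ${{ matrix.node-version }}
      - uses: ./.github/actions/restore_build_cache
      - run: cd packages/cli && npm link
      - name: Configure test tooling credentials
        uses: ./.github/actions/setup_profile
        with:
          role-to-assume: ${{ secrets.E2E_TOOLING_ROLE_ARN }}
          aws-region: us-west-2
          profile-name: e2e-tooling
      - name: Configure test execution credentials
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # version 4.0.2
        with:
          role-to-assume: ${{ secrets.E2E_RUNNER_ROLE_ARN }}
          aws-region: us-west-2
      - name: Run e2e deployment tests
        run: npm run test:dir packages/integration-tests/lib/test-e2e/deployment.test.js
  e2e_backend_output:
    if: needs.do_include_e2e.outputs.run_e2e == 'true'
    strategy:
      # will finish running other test matrices even if one fails
      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-14-xlarge, windows-latest]
        node-version: [18, 20]
        # skip multiple node version test on other os
        exclude:
          - os: macos-14-xlarge
            node-version: 20
          - os: windows-latest
            node-version: 20
    runs-on: ${{ matrix.os }}
    timeout-minutes: 25
    needs:
      - do_include_e2e
      - build
    permissions:
      # these permissions are required for the configure-aws-credentials action to get a JWT from GitHub
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
      - uses: ./.github/actions/setup_node
        with:
          node-version: ${{ matrix.node-version }}
      - uses: ./.github/actions/restore_build_cache
      - run: cd packages/cli && npm link
      - name: Configure test tooling credentials
        uses: ./.github/actions/setup_profile
        with:
          role-to-assume: ${{ secrets.E2E_TOOLING_ROLE_ARN }}
          aws-region: us-west-2
          profile-name: e2e-tooling
      - name: Configure test execution credentials
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # version 4.0.2
        with:
          role-to-assume: ${{ secrets.E2E_RUNNER_ROLE_ARN }}
          aws-region: us-west-2
      - name: Run e2e backend output tests
        run: npm run test:dir packages/integration-tests/lib/test-e2e/backend_output.test.js
  e2e_create_amplify:
    if: needs.do_include_e2e.outputs.run_e2e == 'true'
    strategy:
      # will finish running other test matrices even if one fails
      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-14, windows-latest]
        node-version: [18, 20]
        # skip multiple node version test on other os
        exclude:
          - os: macos-14
            node-version: 20
          - os: windows-latest
            node-version: 20
    runs-on: ${{ matrix.os }}
    timeout-minutes: ${{ matrix.os == 'windows-latest' && 35 || 25 }}
    needs:
      - do_include_e2e
      - build
    steps:
      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
      - uses: ./.github/actions/setup_node
        with:
          node-version: ${{ matrix.node-version }}
      - uses: ./.github/actions/restore_build_cache
      - run: cd packages/cli && npm link
      - name: Run e2e create-amplify tests
        run: npm run test:dir packages/integration-tests/lib/test-e2e/create_amplify.test.js
  e2e_package_manager:
    if: needs.do_include_e2e.outputs.run_e2e == 'true'
    strategy:
      # will finish running other test matrices even if one fails
      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-14, windows-latest]
        pkg-manager: [npm, yarn-classic, yarn-modern, pnpm]
        node-version: ['20']
    env:
      # Read by the package manager sanity checks; set once here for every step.
      PACKAGE_MANAGER: ${{ matrix.pkg-manager }}
    runs-on: ${{ matrix.os }}
    timeout-minutes: 25
    needs:
      - build
      - do_include_e2e
    permissions:
      # these permissions are required for the configure-aws-credentials action to get a JWT from GitHub
      id-token: write
      contents: read
    steps:
      - name: Checkout repository
        # Same pinned checkout revision as every other job in this workflow.
        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
      - name: Setup Node.js
        uses: ./.github/actions/setup_node
        with:
          node-version: ${{ matrix.node-version }}
      - name: Restore Build Cache
        uses: ./.github/actions/restore_build_cache
      - name: Configure test tooling credentials
        uses: ./.github/actions/setup_profile
        with:
          role-to-assume: ${{ secrets.E2E_TOOLING_ROLE_ARN }}
          aws-region: us-west-2
          profile-name: e2e-tooling
      - name: Configure test execution credentials
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # version 4.0.2
        with:
          role-to-assume: ${{ secrets.E2E_RUNNER_ROLE_ARN }}
          aws-region: us-west-2
      - name: Run E2E flow tests with ${{ matrix.pkg-manager }}
        # bash explicitly, so the step behaves the same on the Windows matrix entry.
        shell: bash
        run: npm run test:dir packages/integration-tests/src/package_manager_sanity_checks.test.ts
  lint:
    runs-on: ubuntu-latest
    needs:
      - build
    steps:
      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
      - uses: ./.github/actions/setup_node
      - uses: ./.github/actions/restore_build_cache
      - run: npm run lint
  check_dependencies:
    runs-on: ubuntu-latest
    needs:
      - install
    steps:
      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
      - uses: ./.github/actions/setup_node
      - uses: ./.github/actions/restore_install_cache
      - run: npm run check:dependencies
  check_tsconfig_refs:
    runs-on: ubuntu-latest
    needs:
      - install
    steps:
      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
      - uses: ./.github/actions/setup_node
      - uses: ./.github/actions/restore_install_cache
      - run: npm run check:tsconfig-refs
  check_api_extract:
    runs-on: ubuntu-latest
    needs:
      - build
    steps:
      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
      - uses: ./.github/actions/setup_node
      - uses: ./.github/actions/restore_build_cache
      - run: npm run check:api
  docs_build_and_publish:
    runs-on: ubuntu-latest
    needs:
      - build
    steps:
      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
      - uses: ./.github/actions/setup_node
      - uses: ./.github/actions/restore_build_cache
      - run: npm run docs
      # Publishing happens only on pushes to main; every other run just builds the docs.
      # NOTE(review): the publish step pushes to the docs branch with GITHUB_TOKEN and
      # this job declares no `permissions:`, so it depends on the repository default
      # token scope being writable.
      - if: ${{ github.event_name == 'push' && github.ref_name == 'main' }}
        uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # version 4.0.0
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          publish_dir: ./docs
          publish_branch: docs
  check_pr_size:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    needs:
      - install
    steps:
      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
      - uses: ./.github/actions/setup_node
      - uses: ./.github/actions/restore_install_cache
      - run: git fetch origin
      - run: npm run diff:check ${{ github.event.pull_request.base.sha }}
  check_pr_changesets:
    if: github.event_name == 'pull_request' && github.event.pull_request.user.login != 'github-actions[bot]'
    runs-on: ubuntu-latest
    needs:
      - install
    steps:
      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
        with:
          # fetch full history so that changeset can properly compute divergence point
          fetch-depth: 0
      - uses: ./.github/actions/setup_node
      - uses: ./.github/actions/restore_install_cache
      - name: Validate that PR has changeset
        run: npx changeset status --since origin/${{ github.event.pull_request.base.ref }}
      - name: Validate changeset is not missing packages
        run: npx tsx scripts/check_changeset_completeness.ts ${{ github.event.pull_request.base.sha }}
      - name: Validate that changeset has necessary dependency updates
        run: |
          npx changeset version
          npm update
          npm run check:dependencies
  check_package_versions:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    needs:
      - install
    steps:
      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
      - uses: ./.github/actions/setup_node
      - uses: ./.github/actions/restore_install_cache
      - run: npx changeset version
      - run: npm run check:package-versions
  update_package_versions:
    if: ${{ github.event_name == 'push' && (github.ref_name == 'main' || github.ref_name == 'hotfix') }}
    needs:
      - install
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
      - uses: ./.github/actions/setup_node
      - uses: ./.github/actions/restore_install_cache
      - id: is_version_packages_commit
        run: echo "is_version_packages_commit=$(npx tsx scripts/is_version_packages_commit.ts)" >> "$GITHUB_OUTPUT"
      - name: Create or update Version Packages PR
        # if this push is NOT merging a version packages PR, then we update/create the version packages PR
        if: ${{ steps.is_version_packages_commit.outputs.is_version_packages_commit == 'false' }}
        uses: changesets/action@aba318e9165b45b7948c60273e0b72fce0a64eb9 # version 1.4.7
        with:
          createGithubReleases: false
          # this should never be called, but if something happens and it does get called, this ensures that a premature publish won't happen
          publish: echo Cannot publish during update version step
        env:
          # we are also omitting the NPM_TOKEN here to eliminate the possibility of publishing to NPM during this step
          # we still need the GITHUB_TOKEN so that the version packages PR can be updated
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  publish_package_versions:
    if: ${{ github.event_name == 'push' && (github.ref_name == 'main' || github.ref_name == 'hotfix') }}
    # NOTE(review): publishing is gated on the jobs listed here; e2e_backend_output and
    # e2e_iam_access_drift are not among them, so a failure in either does not block a
    # release. Confirm that is intentional.
    needs:
      - test_with_coverage
      - e2e_package_manager
      - e2e_deployment
      - e2e_create_amplify
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
      - uses: ./.github/actions/setup_node
      - uses: ./.github/actions/restore_build_cache
      - id: is_version_packages_commit
        run: echo "is_version_packages_commit=$(npx tsx scripts/is_version_packages_commit.ts)" >> "$GITHUB_OUTPUT"
      - name: Publish packages
        # if this push is merging a version packages PR, then we publish the new versions
        if: ${{ steps.is_version_packages_commit.outputs.is_version_packages_commit == 'true' }}
        id: changeset_publish
        uses: changesets/action@aba318e9165b45b7948c60273e0b72fce0a64eb9 # version 1.4.7
        with:
          publish: npm run publish
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
      - name: Update hotfix branch
        # After a successful publish from main, fast-forward hotfix to main so hotfixes
        # branch off the released state. Only runs when something was actually published.
        if: ${{ steps.changeset_publish.outputs.published == 'true' && github.ref_name == 'main' }}
        run: git push origin main:hotfix --force
  codeql:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
        with:
          # Minimal depth 2 so we can checkout the commit before possible merge commit.
          fetch-depth: 2
      - name: Initialize CodeQL
        uses: github/codeql-action/init@8fcfedf57053e09257688fce7a0beeb18b1b9ae3 # version 2.17.2
        with:
          languages: javascript
          queries: +security-and-quality
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@8fcfedf57053e09257688fce7a0beeb18b1b9ae3 # version 2.17.2
        with:
          category: /language:javascript
  dependency-review:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
      - name: Dependency Review
        uses: actions/dependency-review-action@0c155c5e8556a497adf53f2c18edabf945ed8e70 # version 4.3.2
        with:
          config-file: ./.github/dependency_review_config.yml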