# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
# This workflow runs CI for the GitHub merge queue.
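name: Merge Queue CI

# Runs only for merge-queue check requests; no pull_request trigger is defined here.
on:
  merge_group:
    types: [checks_requested]

# Allow one instance of this workflow per merge
concurrency:
  group: ci-merge-queue-yml-${{ github.ref }}
  cancel-in-progress: true

# Workflow-level env is exported to every step, so run scripts can read it as
# a normal shell variable ($ecr_repository).
env:
  ecr_repository: public.ecr.aws/w0m4q9l7/github-awslabs-smithy-rs-ci

jobs:
  # This job will, if possible, save a docker login password to the job outputs. The token will
  # be encrypted with the passphrase stored as a GitHub secret. The login password expires after 12h.
  # The login password is encrypted with the repo secret DOCKER_LOGIN_TOKEN_PASSPHRASE
  #
  # NOTE(review): the assumed role is named ..._PUBLIC_ECR_PUSH_ROLE_ARN, so the login
  # password handed to downstream jobs presumably carries push rights. If consumers only
  # pull, a pull-only role would be the least-privilege choice; confirm against ci.yml.
  save-docker-login-token:
    name: Save a docker login token
    outputs:
      docker-login-password: ${{ steps.set-token.outputs.docker-login-password }}
    permissions:
      # id-token: write lets the job request an OIDC token for the role assumption below.
      id-token: write
      contents: read
    # Best effort: a failure here must not fail the workflow run.
    continue-on-error: true
    runs-on: ubuntu-latest
    steps:
      - name: Attempt to load a docker login password
        # The action reference was garbled by e-mail obfuscation on the page this listing
        # was taken from ("aws-actions/[email protected]"). The action name is reconstructed
        # from the aws-actions/ prefix and the inputs below; PLACEHOLDER_REF stands for the
        # lost version. Restore it from the repository, preferably as a full commit SHA.
        uses: aws-actions/configure-aws-credentials@PLACEHOLDER_REF
        with:
          role-to-assume: ${{ secrets.SMITHY_RS_PUBLIC_ECR_PUSH_ROLE_ARN }}
          role-session-name: GitHubActions
          aws-region: us-west-2
      - name: Save the docker login password to the output
        id: set-token
        env:
          # Pass the secret through the environment instead of expanding
          # ${{ secrets.* }} inside the script text, where quotes or `$` in the
          # value would be re-interpreted by the shell.
          DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}
        run: |
          # --passphrase still puts the passphrase on gpg's command line, where other
          # processes on the runner can read it; --passphrase-fd would avoid that.
          ENCRYPTED_PAYLOAD=$(
            gpg --symmetric --batch --passphrase "$DOCKER_LOGIN_TOKEN_PASSPHRASE" --output - <(aws ecr-public get-login-password --region us-east-1) | base64 -w0
          )
          echo "docker-login-password=$ENCRYPTED_PAYLOAD" >> "$GITHUB_OUTPUT"

  # This job detects if the PR made changes to build tools. If it did, then it builds a new
  # build Docker image. Otherwise, it downloads a build image from Public ECR. In both cases,
  # it uploads the image as a build artifact for other jobs to download and use.
  #
  # NOTE(review): this job runs scripts from the checked-out tree and can also request an
  # OIDC token for the ECR push role. That is only as safe as the review gate in front of
  # the merge queue; confirm the role's trust policy is limited to this repository and ref.
  acquire-base-image:
    name: Acquire Base Image
    needs: save-docker-login-token
    runs-on: ubuntu-latest
    # Job-level env is visible to every step below, third-party actions included.
    # NOTE(review): if only the acquire-build-image script reads these two values,
    # move them to that step's env; the consumer is not visible from this file.
    env:
      ENCRYPTED_DOCKER_PASSWORD: ${{ needs.save-docker-login-token.outputs.docker-login-password }}
      DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}
    permissions:
      id-token: write
      contents: read
    steps:
      # A tag such as v3 can be moved by the action's publisher; pinning to a full
      # commit SHA fixes the exact code that runs in a job holding these secrets.
      - uses: actions/checkout@v3
        with:
          path: smithy-rs
      - name: Acquire base image
        id: acquire
        env:
          DOCKER_BUILDKIT: "1"
        run: ./smithy-rs/.github/scripts/acquire-build-image
      - name: Acquire credentials
        # Same garbled reference as in save-docker-login-token; PLACEHOLDER_REF stands
        # for the version lost on the source page.
        uses: aws-actions/configure-aws-credentials@PLACEHOLDER_REF
        with:
          role-to-assume: ${{ secrets.SMITHY_RS_PUBLIC_ECR_PUSH_ROLE_ARN }}
          role-session-name: GitHubActions
          aws-region: us-west-2
      - name: Upload image
        run: |
          IMAGE_TAG="$(./smithy-rs/.github/scripts/docker-image-hash)"
          # Read the repository from the exported workflow env rather than expanding
          # an expression into the script text.
          docker tag "smithy-rs-base-image:${IMAGE_TAG}" "${ecr_repository}:${IMAGE_TAG}"
          # --password-stdin keeps the login password off docker's command line.
          aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws
          docker push "${ecr_repository}:${IMAGE_TAG}"

  # Run shared CI after the Docker build image has either been rebuilt or found in ECR
  ci:
    needs:
      - save-docker-login-token
      - acquire-base-image
    # This workflow is triggered only by merge_group, so the pull_request clause has no
    # context to match and the merge_group clause decides.
    # NOTE(review): confirm what toJSON() yields for an absent property; if it is 'null'
    # rather than '{}', the second clause is always true and this guard filters nothing.
    if: ${{ github.event.pull_request.head.repo.full_name == 'awslabs/smithy-rs' || toJSON(github.event.merge_group) != '{}' }}
    uses: ./.github/workflows/ci.yml
    with:
      run_sdk_examples: true
    # Only the two named secrets are forwarded to the reusable workflow.
    secrets:
      ENCRYPTED_DOCKER_PASSWORD: ${{ needs.save-docker-login-token.outputs.docker-login-password }}
      DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}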