Replace credentials cache with identity cache #7276
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0

# Pull-request entry point: runs the shared CI workflow and the PR bot.
# Each job below is gated on the PR head living in the base repository, so
# pull requests from forks never reach the jobs that mint AWS credentials
# through OIDC or that receive repository secrets.
#
# NOTE(review): there is no workflow-level `permissions:` block, so jobs that
# do not declare their own run with the repository's default GITHUB_TOKEN
# scopes. A reusable workflow is capped by the calling job's permissions, so
# tightening this at the top level requires confirming the scopes that
# `ci.yml` and `pull-request-bot.yml` need.
name: CI

on:
  pull_request:

env:
  # Public ECR repository that holds the CI build image; pushed to via the OIDC role below.
  ecr_repository: public.ecr.aws/w0m4q9l7/github-awslabs-smithy-rs-ci

# At most one in-flight run per PR ref; a newer push cancels the older run.
concurrency:
  group: ci-yaml-${{ github.ref }}
  cancel-in-progress: true

jobs:
# This job will, if possible, save a docker login password to the job outputs. The token will | |
# be encrypted with the passphrase stored as a GitHub secret. The login password expires after 12h. | |
# The login password is encrypted with the repo secret DOCKER_LOGIN_TOKEN_PASSPHRASE | |
save-docker-login-token: | |
name: Save a docker login token | |
if: ${{ github.event.pull_request.head.repo.full_name == 'awslabs/smithy-rs' }} | |
outputs: | |
docker-login-password: ${{ steps.set-token.outputs.docker-login-password }} | |
permissions: | |
id-token: write | |
contents: read | |
continue-on-error: true | |
runs-on: ubuntu-latest | |
steps: | |
- name: Attempt to load a docker login password | |
uses: aws-actions/[email protected] | |
with: | |
role-to-assume: ${{ secrets.SMITHY_RS_PUBLIC_ECR_PUSH_ROLE_ARN }} | |
role-session-name: GitHubActions | |
aws-region: us-west-2 | |
- name: Save the docker login password to the output | |
id: set-token | |
run: | | |
ENCRYPTED_PAYLOAD=$( | |
gpg --symmetric --batch --passphrase "${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}" --output - <(aws ecr-public get-login-password --region us-east-1) | base64 -w0 | |
) | |
echo "docker-login-password=$ENCRYPTED_PAYLOAD" >> $GITHUB_OUTPUT | |
# This job detects if the PR made changes to build tools. If it did, then it builds a new | |
# build Docker image. Otherwise, it downloads a build image from Public ECR. In both cases, | |
# it uploads the image as a build artifact for other jobs to download and use. | |
acquire-base-image: | |
name: Acquire Base Image | |
needs: save-docker-login-token | |
if: ${{ github.event.pull_request.head.repo.full_name == 'awslabs/smithy-rs' }} | |
runs-on: smithy_ubuntu-latest_8-core | |
env: | |
ENCRYPTED_DOCKER_PASSWORD: ${{ needs.save-docker-login-token.outputs.docker-login-password }} | |
DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }} | |
permissions: | |
id-token: write | |
contents: read | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
path: smithy-rs | |
- name: Acquire base image | |
id: acquire | |
env: | |
DOCKER_BUILDKIT: 1 | |
run: ./smithy-rs/.github/scripts/acquire-build-image | |
- name: Acquire credentials | |
uses: aws-actions/[email protected] | |
with: | |
role-to-assume: ${{ secrets.SMITHY_RS_PUBLIC_ECR_PUSH_ROLE_ARN }} | |
role-session-name: GitHubActions | |
aws-region: us-west-2 | |
- name: Upload image | |
run: | | |
IMAGE_TAG="$(./smithy-rs/.github/scripts/docker-image-hash)" | |
docker tag "smithy-rs-base-image:${IMAGE_TAG}" "${{ env.ecr_repository }}:${IMAGE_TAG}" | |
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws | |
docker push "${{ env.ecr_repository }}:${IMAGE_TAG}" | |
# Run shared CI after the Docker build image has either been rebuilt or found in ECR | |
ci: | |
needs: | |
- save-docker-login-token | |
- acquire-base-image | |
if: ${{ github.event.pull_request.head.repo.full_name == 'awslabs/smithy-rs' }} | |
uses: ./.github/workflows/ci.yml | |
with: | |
run_sdk_examples: true | |
secrets: | |
ENCRYPTED_DOCKER_PASSWORD: ${{ needs.save-docker-login-token.outputs.docker-login-password }} | |
DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }} | |
# The PR bot requires a Docker build image, so make it depend on the `acquire-base-image` job. | |
pr_bot: | |
name: PR Bot | |
if: ${{ github.event.pull_request.head.repo.full_name == 'awslabs/smithy-rs' }} | |
needs: acquire-base-image | |
uses: ./.github/workflows/pull-request-bot.yml | |
with: | |
issue_number: ${{ github.event.number }} | |
base_revision: ${{ github.event.pull_request.base.sha }} | |
head_revision: ${{ github.event.pull_request.head.sha }} | |
secrets: | |
SMITHY_RS_PULL_REQUEST_CDN_S3_BUCKET_NAME: ${{ secrets.SMITHY_RS_PULL_REQUEST_CDN_S3_BUCKET_NAME }} | |
SMITHY_RS_PULL_REQUEST_CDN_ROLE_ARN: ${{ secrets.SMITHY_RS_PULL_REQUEST_CDN_ROLE_ARN }} | |
semver-checks: | |
name: check the semver status of this PR | |
runs-on: smithy_ubuntu-latest_8-core | |
needs: | |
- save-docker-login-token | |
- acquire-base-image | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
path: smithy-rs | |
ref: ${{ inputs.git_ref }} | |
- name: Get PR info | |
id: check-breaking-label | |
uses: actions/github-script@v6 | |
with: | |
script: | | |
const response = await github.rest.pulls.get({ | |
pull_number: context.issue.number, | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
}); | |
const labels = response.data.labels.map(l => l.name); | |
const isBreaking = labels.includes("breaking-change"); | |
const data = { | |
labels, | |
isBreaking | |
}; | |
console.log("data:", data); | |
return data; | |
- name: Run semver check | |
uses: ./smithy-rs/.github/actions/docker-build | |
with: | |
action: check-semver | |
action-arguments: ${{ github.event.pull_request.base.sha }} ${{ fromJSON(steps.check-breaking-label.outputs.result).isBreaking }} | |
- name: print help message | |
if: failure() | |
run: echo "::error::This pull request contains breaking changes. Please add the `breaking-changes` label and a changelog entry" |