-
Notifications
You must be signed in to change notification settings - Fork 193
158 lines (148 loc) · 6.41 KB
/
ci-pr.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
# This workflow runs CI and the PR Bot on pull requests that are not from forked repositories.
name: CI
on:
pull_request:
# Allow one instance of this workflow per pull request, and cancel older runs when new changes are pushed
concurrency:
group: ci-yaml-${{ github.ref }}
cancel-in-progress: true
env:
ecr_repository: public.ecr.aws/w0m4q9l7/github-awslabs-smithy-rs-ci
jobs:
# This job will, if possible, save a docker login password to the job outputs. The token will
# be encrypted with the passphrase stored as a GitHub secret. The login password expires after 12h.
# The login password is encrypted with the repo secret DOCKER_LOGIN_TOKEN_PASSPHRASE
save-docker-login-token:
name: Save a docker login token
timeout-minutes: 10
if: ${{ github.event.pull_request.head.repo.full_name == 'smithy-lang/smithy-rs' }}
outputs:
docker-login-password: ${{ steps.set-token.outputs.docker-login-password }}
permissions:
id-token: write
contents: read
continue-on-error: true
runs-on: ubuntu-latest
steps:
- name: Attempt to load a docker login password
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.SMITHY_RS_PUBLIC_ECR_PUSH_ROLE_ARN }}
role-session-name: GitHubActions
aws-region: us-west-2
- name: Save the docker login password to the output
id: set-token
run: |
ENCRYPTED_PAYLOAD=$(
gpg --symmetric --batch --passphrase "${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}" --output - <(aws ecr-public get-login-password --region us-east-1) | base64 -w0
)
echo "docker-login-password=$ENCRYPTED_PAYLOAD" >> $GITHUB_OUTPUT
# This job detects if the PR made changes to build tools. If it did, then it builds a new
# build Docker image. Otherwise, it downloads a build image from Public ECR. In both cases,
# it uploads the image as a build artifact for other jobs to download and use.
acquire-base-image:
name: Acquire Base Image
timeout-minutes: 60
needs: save-docker-login-token
if: ${{ github.event.pull_request.head.repo.full_name == 'smithy-lang/smithy-rs' }}
runs-on: smithy_ubuntu-latest_8-core
env:
ENCRYPTED_DOCKER_PASSWORD: ${{ needs.save-docker-login-token.outputs.docker-login-password }}
DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}
permissions:
id-token: write
contents: read
steps:
- uses: actions/checkout@v4
with:
path: smithy-rs
- name: Acquire base image
id: acquire
env:
DOCKER_BUILDKIT: 1
run: ./smithy-rs/.github/scripts/acquire-build-image
- name: Acquire credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.SMITHY_RS_PUBLIC_ECR_PUSH_ROLE_ARN }}
role-session-name: GitHubActions
aws-region: us-west-2
- name: Upload image
run: |
IMAGE_TAG="$(./smithy-rs/.github/scripts/docker-image-hash)"
docker tag "smithy-rs-base-image:${IMAGE_TAG}" "${{ env.ecr_repository }}:${IMAGE_TAG}"
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws
docker push "${{ env.ecr_repository }}:${IMAGE_TAG}"
# Run shared CI after the Docker build image has either been rebuilt or found in ECR
ci:
needs:
- save-docker-login-token
- acquire-base-image
if: ${{ github.event.pull_request.head.repo.full_name == 'smithy-lang/smithy-rs' }}
uses: ./.github/workflows/ci.yml
with:
run_sdk_examples: true
secrets:
ENCRYPTED_DOCKER_PASSWORD: ${{ needs.save-docker-login-token.outputs.docker-login-password }}
DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}
CANARY_GITHUB_ACTIONS_ROLE_ARN: ${{ secrets.CANARY_GITHUB_ACTIONS_ROLE_ARN }}
CANARY_STACK_CDK_OUTPUTS_BUCKET_NAME: ${{ secrets.CANARY_STACK_CDK_OUTPUTS_BUCKET_NAME }}
# The PR bot requires a Docker build image, so make it depend on the `acquire-base-image` job.
pr_bot:
name: PR Bot
if: ${{ github.event.pull_request.head.repo.full_name == 'smithy-lang/smithy-rs' }}
needs: acquire-base-image
uses: ./.github/workflows/pull-request-bot.yml
with:
issue_number: ${{ github.event.number }}
base_revision: ${{ github.event.pull_request.base.sha }}
head_revision: ${{ github.event.pull_request.head.sha }}
secrets:
SMITHY_RS_PULL_REQUEST_CDN_S3_BUCKET_NAME: ${{ secrets.SMITHY_RS_PULL_REQUEST_CDN_S3_BUCKET_NAME }}
SMITHY_RS_PULL_REQUEST_CDN_ROLE_ARN: ${{ secrets.SMITHY_RS_PULL_REQUEST_CDN_ROLE_ARN }}
semver-checks:
name: Check PR semver compliance
runs-on: smithy_ubuntu-latest_8-core
timeout-minutes: 20
needs:
- save-docker-login-token
- acquire-base-image
# We need `always` here otherwise this job won't run if the previous job has been skipped
# See https://samanpavel.medium.com/github-actions-conditional-job-execution-e6aa363d2867
if: |
always() &&
!contains(needs.*.result, 'failure') &&
!contains(needs.*.result, 'cancelled')
steps:
- uses: actions/checkout@v4
with:
path: smithy-rs
ref: ${{ inputs.git_ref }}
- name: Get PR info
id: check-breaking-label
uses: actions/github-script@v7
with:
script: |
const response = await github.rest.pulls.get({
pull_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
});
const labels = response.data.labels.map(l => l.name);
const isBreaking = labels.includes("breaking-change");
const data = {
labels,
isBreaking
};
console.log("data:", data);
return data;
- name: Run semver check
uses: ./smithy-rs/.github/actions/docker-build
with:
action: check-semver
action-arguments: ${{ github.event.pull_request.base.sha }} ${{ fromJSON(steps.check-breaking-label.outputs.result).isBreaking }}
- name: Print help message
if: failure()
run: echo "::error::This pull request either contains breaking changes, or has cross-crate changes that may be backwards compatible, but that cargo-semver-checks cannot verify. Please scrutinize the change for backwards compatibility."