diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 000000000..806891736
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,5 @@
+# Each line is a file pattern followed by one or more owners.
+# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+
+# Default code owner for everything is our aws-crypto-tools group
+* @aws/aws-crypto-tools
diff --git a/.github/workflows/daily_ci.yml b/.github/workflows/daily_ci.yml
new file mode 100644
index 000000000..ce920fa9f
--- /dev/null
+++ b/.github/workflows/daily_ci.yml
@@ -0,0 +1,24 @@
+# This workflow runs every weekday at 15:00 UTC (8AM PDT)
+name: Daily CI
+
+on:
+ schedule:
+ - cron: "00 15 * * 1-5"
+
+jobs:
+ daily-ci-verification:
+ # Don't run the cron builds on forks
+ if: github.event_name != 'schedule' || github.repository_owner == 'aws'
+ uses: ./.github/workflows/library_dafny_verification.yml
+ with:
+ dafny: '4.2.0'
+ # daily-ci-java:
+ # if: github.event_name != 'schedule' || github.repository_owner == 'aws'
+ # uses: ./.github/workflows/library_java_tests.yml
+ # with:
+ # dafny: '4.2.0'
+ daily-ci-net:
+ if: github.event_name != 'schedule' || github.repository_owner == 'aws'
+ uses: ./.github/workflows/library_net_tests.yml
+ with:
+ dafny: '4.2.0'
diff --git a/.github/workflows/library_dafny_verification.yml b/.github/workflows/library_dafny_verification.yml
index 33dc497c0..886e36b6e 100644
--- a/.github/workflows/library_dafny_verification.yml
+++ b/.github/workflows/library_dafny_verification.yml
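Review bot: A `CODEOWNERS` entry on its own does not block a merge; the `@aws/aws-crypto-tools` owner is only enforced if the protected-branch rule for the default branch has "Require review from Code Owners" enabled, which this change cannot show. Consider stating that in the file so the next reader does not assume the file alone gates changes: `# Only enforced when branch protection requires code-owner review.` The team must also have write access to the repository for the owner to be resolved.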
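Review bot: The caller declares no `permissions:` block, so the token handed to the called workflows carries the repository's default scopes, and a called workflow can only narrow that grant, never widen it. Pin it here to the minimum the verification and .NET jobs need, `permissions:` / `  contents: read` at the top level; the commented-out Java job would additionally need `id-token: write` from this caller when it is re-enabled, since `library_java_tests.yml` declares it at job level. The `github.event_name != 'schedule'` half of each `if:` is always false in a workflow whose only trigger is `schedule`, so the guard reduces to `github.repository_owner == 'aws'` and can be written that way.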
@@ -2,31 +2,15 @@ name: Library Dafny verification
 on:
- pull_request:
- push:
- branches:
- - public-v4
- workflow_dispatch:
- # Manual trigger for this workflow, either the normal version
- # or the nightly build that uses the latest Dafny prerelease
- # (accordingly to the "nightly" parameter).
+ workflow_call:
 inputs:
- nightly:
- description: 'Run the nightly build'
- required: false
- type: boolean
- schedule:
- # Nightly build against Dafny's nightly prereleases,
- # for early warning of verification issues or regressions.
- # Timing chosen to be adequately after Dafny's own nightly build,
- # but this might need to be tweaked:
- # https://github.com/dafny-lang/dafny/blob/master/.github/workflows/deep-tests.yml#L16
- - cron: "30 16 * * *"
+ dafny:
+ description: 'The Dafny version to run'
+ required: true
+ type: string
 jobs:
 verification:
- # Don't run the nightly build on forks
- if: github.event_name != 'schedule' || github.repository_owner == 'aws'
 strategy:
 matrix:
 library: [
@@ -34,26 +18,24 @@ jobs:
 ]
 os: [ macos-latest ]
 runs-on: ${{ matrix.os }}
- environment: "MPL_DAFNY"
 env:
 DOTNET_CLI_TELEMETRY_OPTOUT: 1
 DOTNET_NOLOGO: 1
 steps:
+ - name: Support longpaths
+ run: |
+ git config --global core.longpaths true
+
 - uses: actions/checkout@v2
 - name: Init Submodules
 run: |
 git submodule update --init libraries
 git submodule update --init --recursive mpl
- - name: Support longpaths
- run: |
- git config --global core.longpaths true
-
 - name: Setup Dafny
 uses: dafny-lang/setup-dafny-action@v1.6.1
 with:
- # A && B || C is the closest thing to an if .. then ... else ... or ?: expression the GitHub Actions syntax supports.
- dafny-version: ${{ (github.event_name == 'schedule' || inputs.nightly) && 'nightly-latest' || '4.2.0' }}
+ dafny-version: ${{ inputs.dafny }}
 - name: Verify ${{ matrix.library }} Dafny code
 shell: bash
diff --git a/.github/workflows/library_java_tests.yml b/.github/workflows/library_java_tests.yml
index bba8a6723..34e092a31 100644
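Review bot: Replacing `workflow_dispatch` with `workflow_call` removes the only manual trigger, so this workflow can no longer be started from the Actions UI to verify against an arbitrary Dafny version; if that ad hoc use is still wanted, keep both triggers sharing the same input, e.g. `workflow_dispatch:` / `  inputs:` / `    dafny: { description: 'The Dafny version to run', required: true, type: string }`. The removed job-level fork guard now lives in the scheduled callers, which is the right place for a `workflow_call` workflow since `github.event_name` inside it is the caller's event.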
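Review bot: This file keeps `actions/checkout@v2` while the Java workflow in the same change moves to `@v3`, and every action here is referenced by a mutable tag (`actions/checkout@v2`, `dafny-lang/setup-dafny-action@v1.6.1`). For a workflow whose result gates verification, pin each `uses:` to the full commit SHA with the tag kept in a trailing comment so dependency tooling can still track it, and align the checkout major version with the Java workflow. The new `dafny-version: ${{ inputs.dafny }}` passes a caller-supplied string straight to the action; that is fine for the in-repository callers added by this change, but it means the callers are now the only place where the Dafny version is pinned.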
--- a/.github/workflows/library_java_tests.yml
+++ b/.github/workflows/library_java_tests.yml
@@ -2,22 +2,15 @@ name: Library Java tests
 on:
- pull_request:
- push:
- branches:
- - public-v4
- schedule:
- # Nightly build against Dafny's nightly prereleases,
- # for early warning of verification issues or regressions.
- # Timing chosen to be adequately after Dafny's own nightly build,
- # but this might need to be tweaked:
- # https://github.com/dafny-lang/dafny/blob/master/.github/workflows/deep-tests.yml#L16
- - cron: "30 16 * * *"
+ workflow_call:
+ inputs:
+ dafny:
+ description: 'The Dafny version to run'
+ required: true
+ type: string
 jobs:
 testJava:
- # Don't run the nightly build on forks
- if: github.event_name != 'schedule' || github.repository_owner == 'aws'
 strategy:
 matrix:
 library: [
@@ -30,41 +23,31 @@ jobs:
 macos-latest
 ]
 runs-on: ${{ matrix.os }}
- environment: "MPL_DAFNY"
 permissions:
 id-token: write
 contents: read
 steps:
- - uses: actions/checkout@v2
+ - name: Support longpaths
+ run: |
+ git config --global core.longpaths true
+
+ - uses: actions/checkout@v3
 - name: Init Submodules
- env:
- # This secret is in the configured environment
- # Token created on # 09/26/2023
- # expires in ~30 days 10/26/2023
- MPL_PAT: ${{ secrets.MPL_DAFNY }}
 run: |
- AUTH="$(echo -n "pat:${MPL_PAT}" | base64 | tr -d '\n')"
- git config --global http.https://github.com/.extraheader "AUTHORIZATION: basic $AUTH"
- git config --global --add url.https://github.com/.insteadOf git@github.com:
 git submodule update --init libraries
 git submodule update --init --recursive mpl
- - name: Support longpaths
- run: |
- git config --global core.longpaths true
 - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@v2
 with:
 aws-region: us-west-2
- # TODO: This role was manually created.
- role-to-assume: arn:aws:iam::370957321024:role/ESDK-Dafny-Private-CA-Read
- role-session-name: JavaPrivateESDKDafnyTests
+ role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-Public-ESDK-Dafny-Role-us-west-2
+ role-session-name: JavaTests
 - name: Setup Dafny
 uses: dafny-lang/setup-dafny-action@v1.6.1
 with:
- # A && B || C is the closest thing to an if .. then ... else ... or ?: expression the GitHub Actions syntax supports.
- dafny-version: ${{ (github.event_name == 'schedule' || inputs.nightly) && 'nightly-latest' || '4.2.0' }}
+ dafny-version: ${{ inputs.dafny }}
 - name: Setup Java 8
 uses: actions/setup-java@v3
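Review bot: `permissions: id-token: write` now lives in a reusable workflow, where it is capped by whatever the calling workflow grants, and none of the callers added in this change declares `permissions:`, so the job's ability to mint an OIDC token depends on the repository default rather than on anything visible here. Dropping `environment: "MPL_DAFNY"` also changes the OIDC token's `sub` claim (it no longer carries `environment:MPL_DAFNY`), so the trust policy of the new `GitHub-CI-Public-ESDK-Dafny-Role-us-west-2` role presumably matches on repository and ref instead; worth confirming it is scoped to this repository and not a wildcard. A comment above `permissions:` would save the next maintainer a debugging session: `# id-token: write only takes effect if the caller grants it; fork PRs never receive an OIDC token.` Removing the PAT-based `http.extraheader` injection is a clear improvement; the remaining `uses:` refs (`checkout@v3`, `configure-aws-credentials@v2`, `setup-dafny-action@v1.6.1`) are mutable tags and should be SHA-pinned in a job that assumes an IAM role.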
@@ -80,19 +63,8 @@ jobs:
 CORES=$(node -e 'console.log(os.cpus().length)')
 make build_java CORES=$CORES
- # KMS and MPL tests need to use credentials which can call KMS
- - name: Configure AWS Credentials for Tests
- uses: aws-actions/configure-aws-credentials@v1
- if: matrix.library == 'ComAmazonawsKms' || matrix.library == 'AwsCryptographicMaterialProviders' || matrix.library == 'TestVectorsAwsCryptographicMaterialProviders'
- with:
- aws-region: us-west-2
- role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-ESDK-Dafny-Role-us-west-2
- role-session-name: JavaTests
 - name: Test ${{ matrix.library }}
 working-directory: ./${{ matrix.library }}
- # TODO: DDB currently has no tests
- if: matrix.library != 'ComAmazonawsDynamodb'
 run: |
 make test_java
diff --git a/.github/workflows/library_net_tests.yml b/.github/workflows/library_net_tests.yml
index 1d4a3876f..bc8ee9348 100644
--- a/.github/workflows/library_net_tests.yml
+++ b/.github/workflows/library_net_tests.yml
@@ -2,17 +2,12 @@ name: Library net tests
 on:
- pull_request:
- push:
- branches:
- - mainline
- schedule:
- # Nightly build against Dafny's nightly prereleases,
- # for early warning of verification issues or regressions.
- # Timing chosen to be adequately after Dafny's own nightly build,
- # but this might need to be tweaked:
- # https://github.com/dafny-lang/dafny/blob/master/.github/workflows/deep-tests.yml#L16
- - cron: "30 16 * * *"
+ workflow_call:
+ inputs:
+ dafny:
+ description: 'The Dafny version to run'
+ required: true
+ type: string
 env:
 # Used in examples
@@ -27,8 +22,6 @@ env:
 jobs:
 testDotNet:
- # Don't run the nightly build on forks
- if: github.event_name != 'schedule' || github.repository_owner == 'aws'
 strategy:
 matrix:
 os: [
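Review bot: Deleting the `if:`-gated credential step means every matrix library now runs `make test_java` holding the job-wide credentials obtained earlier in the job (that step is outside this hunk), where previously only the KMS, MPL and test-vector libraries were given a KMS-capable role. Unless the new public role is no broader than the removed `GitHub-CI-ESDK-Dafny-Role-us-west-2`, libraries that never needed AWS access now test with it; either keep a scoped credential step under the old `if:` or record in a comment that the role is restricted to the test resources. Dropping `if: matrix.library != 'ComAmazonawsDynamodb'` also makes `make test_java` run for DDB, which the removed TODO said has no tests, so confirm that target succeeds on an empty suite.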
@@ -69,8 +62,7 @@ jobs:
 - name: Setup Dafny
 uses: dafny-lang/setup-dafny-action@v1.6.1
 with:
- # A && B || C is the closest thing to an if .. then ... else ... or ?: expression the GitHub Actions syntax supports.
- dafny-version: ${{ (github.event_name == 'schedule' || inputs.nightly) && 'nightly-latest' || '4.2.0' }}
+ dafny-version: ${{ inputs.dafny }}
 - name: Download Dependencies
 working-directory: ./AwsEncryptionSDK
diff --git a/.github/workflows/nighly_dafny.yml b/.github/workflows/nighly_dafny.yml
new file mode 100644
index 000000000..4a2d64c4b
--- /dev/null
+++ b/.github/workflows/nighly_dafny.yml
@@ -0,0 +1,29 @@
+# This workflow invokes other workflows with the nightly Dafny build
+name: Dafny Nightly
+
+on:
+ schedule:
+ # Nightly build against Dafny's nightly prereleases,
+ # for early warning of verification issues or regressions.
+ # Timing chosen to be adequately after Dafny's own nightly build,
+ # but this might need to be tweaked:
+ # https://github.com/dafny-lang/dafny/blob/master/.github/workflows/deep-tests.yml#L16
+ - cron: "30 16 * * *"
+
+jobs:
+ dafny-nightly-verification:
+ # Don't run the cron builds on forks
+ if: github.event_name != 'schedule' || github.repository_owner == 'aws'
+ uses: ./.github/workflows/library_dafny_verification.yml
+ with:
+ dafny: 'nightly-latest'
+ # dafny-nightly-java:
+ # if: github.event_name != 'schedule' || github.repository_owner == 'aws'
+ # uses: ./.github/workflows/library_java_tests.yml
+ # with:
+ # dafny: 'nightly-latest'
+ dafny-nightly-net:
+ if: github.event_name != 'schedule' || github.repository_owner == 'aws'
+ uses: ./.github/workflows/library_net_tests.yml
+ with:
+ dafny: 'nightly-latest'
diff --git a/.github/workflows/pull.yml b/.github/workflows/pull.yml
new file mode 100644
index 000000000..1133bf1de
--- /dev/null
+++ b/.github/workflows/pull.yml
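Review bot: The new file is named `nighly_dafny.yml` (missing the `t`), which will be hard to find and does not match the `Dafny Nightly` name inside it; rename it to `nightly_dafny.yml`. As with the other callers in this change it declares no `permissions:`, so the called workflows receive the repository's default token scopes; add `permissions:` / `  contents: read` at the top level. The `github.event_name != 'schedule'` clause in each `if:` is always false here because `schedule` is the only trigger, so the guard can be reduced to `if: github.repository_owner == 'aws'`.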
@@ -0,0 +1,19 @@
+# This workflow runs for every pull request
+name: PR CI
+
+on:
+ pull_request:
+
+jobs:
+ pr-ci-verification:
+ uses: ./.github/workflows/library_dafny_verification.yml
+ with:
+ dafny: '4.2.0'
+ # pr-ci-java:
+ # uses: ./.github/workflows/library_java_tests.yml
+ # with:
+ # dafny: '4.2.0'
+ pr-ci-net:
+ uses: ./.github/workflows/library_net_tests.yml
+ with:
+ dafny: '4.2.0'
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
new file mode 100644
index 000000000..3261cb06c
--- /dev/null
+++ b/.github/workflows/push.yml
@@ -0,0 +1,21 @@
+# This workflow runs for every push to main
+name: Push CI
+
+on:
+ push:
+ branches:
+ - main
+
+jobs:
+ push-ci-verification:
+ uses: ./.github/workflows/library_dafny_verification.yml
+ with:
+ dafny: '4.2.0'
+ # push-ci-java:
+ # uses: ./.github/workflows/library_java_tests.yml
+ # with:
+ # dafny: '4.2.0'
+ push-ci-net:
+ uses: ./.github/workflows/library_net_tests.yml
+ with:
+ dafny: '4.2.0'
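Review bot: `pull.yml` runs for every pull request with no top-level `permissions:`, so same-repository PRs hand the called workflows the repository's default token scopes; add `permissions:` / `  contents: read` to make the grant explicit and minimal. When the commented-out Java job is re-enabled it will need `id-token: write` granted here, and pull requests from forks never receive an OIDC token, so that job would need a fork guard or a separate trigger rather than running on every `pull_request`.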
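Review bot: The push trigger is scoped to `main`, but the triggers this change removes pointed at `public-v4` (Dafny and Java workflows) and `mainline` (.NET), so confirm `main` is actually the branch that receives merges; otherwise push CI never runs. If more than one long-lived branch is active, list each under `branches:`. A top-level `permissions:` / `  contents: read` is also missing here, as in the other callers.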