diff --git a/.github/workflows/ci_static-analysis.yaml b/.github/workflows/ci_static-analysis.yaml
index 55f3b02..f0784a7 100644
--- a/.github/workflows/ci_static-analysis.yaml
+++ b/.github/workflows/ci_static-analysis.yaml
@@ -3,6 +3,7 @@ name: static analysis
on: pull_request: + branches: [ master ] push: # Run once a day schedule:
diff --git a/.github/workflows/ci_tests.yaml b/.github/workflows/ci_tests.yaml
index 5bad6c4..8849d77 100644
--- a/.github/workflows/ci_tests.yaml
+++ b/.github/workflows/ci_tests.yaml
@@ -22,7 +22,7 @@ jobs:
# x86 builds are only meaningful for Windows - os: windows-latest architecture: x86 - - os: macos-12 + - os: macos-13 architecture: x64 python: - 3.8
diff --git a/.github/workflows/python-examples.yml b/.github/workflows/python-examples.yml
new file mode 100644
index 0000000..11ef847
--- /dev/null
+++ b/.github/workflows/python-examples.yml
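Review bot: The new `branches: [ master ]` filter is attached only to `pull_request`, while the `push:` trigger right after it keeps no branch filter, so every push to any branch still runs static analysis but a PR opened against a non-master branch no longer does. If the goal is to line this workflow up with the master-only triggers of the new python-examples/python-integration workflows, `push:` needs the same `branches: [ master ]` entry; if the asymmetry is deliberate, a one-line comment such as `# PRs are analysed only when targeting master; pushes run on every branch` would save the next reader the question. The `on:` block continues past the end of the visible hunk, and one of its context lines appears to have been lost in extraction (the header counts seven new lines, six are visible).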
@@ -0,0 +1,66 @@
+name: Python Examples Tests
+
+on:
+ push:
+ branches: [ master ]
+ pull_request:
+ branches: [ master ]
+
+jobs:
+ examples:
+ runs-on: ubuntu-22.04
+ strategy:
+ fail-fast: false
+ matrix:
+ python-version: ['3.8', '3.9', '3.10', '3.11', '3.12']
+ include:
+ - python-version: '3.8'
+ tox-env: 'py38-examples'
+ - python-version: '3.9'
+ tox-env: 'py39-examples'
+ - python-version: '3.10'
+ tox-env: 'py310-examples'
+ - python-version: '3.11'
+ tox-env: 'py311-examples'
+ - python-version: '3.12'
+ tox-env: 'py312-examples'
+ permissions:
+ id-token: write
+ contents: read
+ env:
+ TOXENV: ${{ matrix.tox-env }}
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+ arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+ arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
+ arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
+
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Configure AWS Credentials for Tests
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-region: us-west-2
+ role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-ESDK-CLI-Role-us-west-2
+ role-session-name: CLITests
+
+ - name: Set up Python ${{ matrix.python-version }}
+ uses: actions/setup-python@v4
+ with:
+ python-version: ${{ matrix.python-version }}
+
+ - name: Install dependencies
+ run: |
+ python -m pip install --upgrade pip
+ pip install "tox < 4.0"
+
+ # Python no longer bundles setuptools starting in 3.12
+ - name: Install python version specific dependencies
+ if: matrix.python-version == '3.12'
+ run: |
+ pip install -r dev_requirements/ci-requirements.txt
+
+ - name: Run examples tests with tox
+ run: tox
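Review bot: The `Configure AWS Credentials for Tests` step will fail on pull requests coming from forks, because to my knowledge GitHub does not issue an OIDC token for `pull_request` runs whose head is a fork even when the job asks for `id-token: write`, so every fork PR reports a failed job before a single test runs; python-integration.yml has the same trigger/permission combination and the same problem. Gating the job on the event, e.g. `if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository`, skips it cleanly for forks while keeping it for same-repo PRs and pushes to master; failing that, the limitation should be recorded in a comment above `permissions:`. Separately, `actions/checkout@v3`, `actions/setup-python@v4` and `aws-actions/configure-aws-credentials@v4` are referenced by mutable major tags; for a job that obtains live AWS credentials, pinning each to a full commit SHA (with the tag kept in a trailing comment) removes the dependency on an upstream tag not being moved.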
diff --git a/.github/workflows/python-integration.yml b/.github/workflows/python-integration.yml
new file mode 100644
index 0000000..1c6a56a
--- /dev/null
+++ b/.github/workflows/python-integration.yml
@@ -0,0 +1,64 @@
+name: Python Integration Tests
+
+on:
+ push:
+ branches: [ master ]
+ pull_request:
+ branches: [ master ]
+
+jobs:
+ integration:
+ runs-on: ubuntu-22.04
+ strategy:
+ fail-fast: false
+ matrix:
+ python-version: ['3.8', '3.9', '3.10', '3.11', '3.12']
+ include:
+ - python-version: '3.8'
+ tox-env: 'py38-integ'
+ - python-version: '3.9'
+ tox-env: 'py39-integ'
+ - python-version: '3.10'
+ tox-env: 'py310-integ'
+ - python-version: '3.11'
+ tox-env: 'py311-integ'
+ - python-version: '3.12'
+ tox-env: 'py312-integ'
+ permissions:
+ id-token: write
+ contents: read
+ env:
+ TOXENV: ${{ matrix.tox-env }}
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+ arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
+ arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
+
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Configure AWS Credentials for Tests
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-region: us-west-2
+ role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-ESDK-CLI-Role-us-west-2
+ role-session-name: CLITests
+
+ - name: Set up Python ${{ matrix.python-version }}
+ uses: actions/setup-python@v4
+ with:
+ python-version: ${{ matrix.python-version }}
+
+ - name: Install dependencies
+ run: |
+ python -m pip install --upgrade pip
+ pip install "tox < 4.0"
+
+ # Python no longer bundles setuptools starting in 3.12
+ - name: Install python version specific dependencies
+ if: matrix.python-version == '3.12'
+ run: |
+ pip install -r dev_requirements/ci-requirements.txt
+
+ - name: Run integration tests with tox
+ run: tox
diff --git a/cfn.yml b/cfn.yml
new file mode 100644
index 0000000..c7728ef
--- /dev/null
+++ b/cfn.yml
@@ -0,0 +1,54 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: "DDB Table and IAM Managed Policies/Role for AWS KMS Hierarchical Keyring Testing"
+
+Parameters:
+ ProjectName:
+ Type: String
+ Description: A prefix that will be applied to any names
+ Default: ESDK-CLI
+ GitHubRepo:
+ Type: String
+ Description: GitHub Repo that invokes CI
+ Default: aws/aws-encryption-sdk-cli
+
+Resources:
+ GitHubCIRole:
+ Type: 'AWS::IAM::Role'
+ Properties:
+ RoleName: !Sub "GitHub-CI-${ProjectName}-Role-${AWS::Region}"
+ Description: "Access KMS Resources for CI from GitHub"
+ ManagedPolicyArns:
+ - "arn:aws:iam::370957321024:policy/KMS-Public-CMK-EncryptDecrypt-Key-Access"
+ AssumeRolePolicyDocument: !Sub |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": { "Federated": "arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com" },
+ "Action": "sts:AssumeRoleWithWebIdentity",
+ "Condition": {
+ "StringEquals": {
+ "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
+ },
+ "StringLike": {
+ "token.actions.githubusercontent.com:sub": "repo:${GitHubRepo}:*"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "*"
+ },
+ "Action": "sts:AssumeRole",
+ "Condition": {
+ "StringEquals": {
+ "aws:PrincipalArn": [
+ "arn:aws:iam::${AWS::AccountId}:role/ToolsDevelopment"
+ ]
+ }
+ }
+ }
+ ]
+ }
\ No newline at end of file
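Review bot: The trust policy's `StringLike` condition `"token.actions.githubusercontent.com:sub": "repo:${GitHubRepo}:*"` lets any workflow run in the repository — any branch, tag or environment, not only the push-to-master and `pull_request` events the two new workflows use — assume a role that carries a KMS key-access policy. Narrowing it to the subjects those workflows actually present, `"token.actions.githubusercontent.com:sub": ["repo:${GitHubRepo}:ref:refs/heads/master", "repo:${GitHubRepo}:pull_request"]`, keeps the grant aligned with the triggers and can be extended when new triggers are added. Two smaller points: the `Description` says "DDB Table and IAM Managed Policies/Role for AWS KMS Hierarchical Keyring Testing" but the template declares a single IAM role, and the `ManagedPolicyArns` entry hard-codes account 370957321024 while every other ARN uses `${AWS::AccountId}`, so if the policy is meant to live in the deploying account `!Sub "arn:aws:iam::${AWS::AccountId}:policy/KMS-Public-CMK-EncryptDecrypt-Key-Access"` would follow the template's own convention. The file is also missing its trailing newline.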