chore: Migrate CodeBuild release to GHA (without publishing step) (#1614)

lucasmcdonald3 · web-flow · commit 53f07cc81c13 · 2025-11-20T09:46:25.000-08:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,67 +1,21 @@
 # This workflow performs tests in JavaScript.
 name: ESDK JavaScript CI Tests 
+permissions:
+  contents: read
+  id-token: write
 
 on: [pull_request, workflow_call]
 
 jobs:
-  CI:
-    strategy:
-      matrix:
-          node: [18.x, 20.x, 22.x, latest]
-      fail-fast: false
-    runs-on: codebuild-AWS-ESDK-JS-Release-${{ github.run_id }}-${{ github.run_attempt }}-ubuntu-5.0-large
-    permissions:
-      id-token: write
-      contents: read
-    defaults:
-      run:
-        shell: bash
+  shared-ci:
+    uses: ./.github/workflows/shared-ci.yml
+  pr-ci-all-required:
+    if: always()
+    needs:
+      - shared-ci
+    runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v4
+      - name: Verify all required jobs passed
+        uses: re-actors/alls-green@release/v1
         with:
-          submodules: true 
-      - uses: actions/setup-node@v4
-        with:
-          node-version: ${{matrix.node}}
-      - name: Configure AWS Credentials for Tests
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          aws-region: us-west-2
-          role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2
-          role-session-name: JavaScriptTests 
-      - name: Test Coverage Node ${{matrix.node}}
-        env: 
-          NODE_OPTIONS: "--max-old-space-size=4096"
-        run: |
-          npm ci
-          npm run build
-          npm run coverage-node
-      - name: Test Coverage Browser ${{matrix.node}}
-        env: 
-          NODE_OPTIONS: "--max-old-space-size=4096"
-        run: |
-          npm run coverage-browser
-      - name: Test compliance
-        env: 
-          NODE_OPTIONS: "--max-old-space-size=4096"
-        run: |
-          npm run lint
-          npm run test_conditions
-      - name: Run Test Vectors Node ${{matrix.node}}
-        env:
-          NODE_OPTIONS: "--max-old-space-size=4096"
-          NPM_CONFIG_UNSAFE_PERM: true
-          PUBLISH_LOCAL: true
-        run: |
-          npm run verdaccio-publish
-          npm run verdaccio-node-decrypt
-          npm run verdaccio-node-encrypt
-      - name: Run Test Vectors Browser node ${{matrix.node}} 
-        env:
-          NODE_OPTIONS: "--max-old-space-size=4096"
-          NPM_CONFIG_UNSAFE_PERM: true
-          PUBLISH_LOCAL: true
-        run: |
-          npm run verdaccio-publish
-          npm run verdaccio-browser-decrypt
-          npm run verdaccio-browser-encrypt
+          jobs: ${{ toJSON(needs) }}
diff --git a/.github/workflows/prod-release.yml b/.github/workflows/prod-release.yml
@@ -0,0 +1,76 @@
+name: Release
+permissions:
+  contents: read
+  id-token: write
+
+on:
+  workflow_dispatch:
+    inputs:
+      version_bump:
+        required: false
+        description: '[Optional] Override semantic versioning with explict version (allowed values: "patch", "minor", "major", or explicit version)'
+        default: ''
+      dist_tag:
+        description: 'NPM distribution tag'
+        required: false
+        default: 'latest'
+      branch:
+        description: 'The branch to release from'
+        required: false
+        default: 'master'
+
+env:
+  NODE_OPTIONS: "--max-old-space-size=4096"
+  NPM_CONFIG_UNSAFE_PERM: true
+
+jobs:
+  pre-release-ci:
+    uses: ./.github/workflows/shared-ci.yml
+
+  # Once all tests have passed, run semantic versioning
+  version:
+    runs-on: ubuntu-latest
+    needs: [pre-release-ci]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          submodules: true
+
+      - name: Setup Node.js 16
+        uses: actions/setup-node@v4
+        with:
+          node-version: '16'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci --unsafe-perm
+
+      - name: Configure git
+        env:
+          BRANCH: ${{ github.event.inputs.branch }}
+          VERSION_BUMP: ${{ github.event.inputs.version_bump }}
+        run: |
+          git config --global user.name "aws-crypto-tools-ci-bot"
+          git config --global user.email "no-reply@noemail.local"
+          git checkout $BRANCH
+
+      - name: Version packages (dry run - no push)
+        run: |
+          # Generate new version and CHANGELOG entry and push it
+          npx lerna version --conventional-commits --git-remote origin --yes ${VERSION_BUMP:+$VERSION_BUMP --force-publish}
+          # Log the commit for posterity
+          git log -n 1
+
+  # Once semantic versioning has run and bumped versions, publish to npm
+  # TODO: Publish step that doesn't use OTP but instead follows
+  # https://docs.npmjs.com/trusted-publishers
+
+  # Once publishing is complete, validate that the published packages are useable
+  validate:
+    uses: ./.github/workflows/shared-ci.yml
+    # TODO: Uncomment when adding publish step
+    # needs: [publish]
+    with:
+      test-published-packages: true
diff --git a/.github/workflows/shared-ci.yml b/.github/workflows/shared-ci.yml
@@ -0,0 +1,79 @@
+name: Shared CI Tests
+
+on:
+  workflow_call:
+    inputs:
+      test-published-packages:
+        description: 'Test against published packages instead of checked out code'
+        required: false
+        type: boolean
+        default: false
+
+env:
+  NODE_OPTIONS: "--max-old-space-size=4096"
+  NPM_CONFIG_UNSAFE_PERM: true
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        node-version: ['18.x', '20.x', '22.x', 'latest']
+        test-type: ['node', 'browser']
+        # Determine test categories based on whether testing published packages or source code:
+        # - Testing published packages: only run vector tests (don't have build artifacts to test coverage or compliance)
+        # - Testing source code: run coverage, vector, and compliance tests
+        test-category: ${{ fromJSON(inputs['test-published-packages'] && '["vectors"]' || '["coverage", "vectors", "compliance"]') }}
+    name: test-${{ matrix.test-category }}-${{ matrix.test-type }}-${{ matrix.node-version }}
+    steps:
+      - name: Checkout code
+        # Always need repo for test scripts and configuration, even when testing published packages
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          submodules: true
+
+      - name: Setup Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node-version }}
+          cache: 'npm'
+
+      - name: Configure AWS Credentials for Tests
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: us-west-2
+          role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2
+          role-session-name: JavaScriptTests
+
+      - name: Install dependencies
+        run: npm ci --unsafe-perm
+
+      - name: Build (for source code testing)
+        if: ${{ !inputs.test-published-packages }}
+        run: npm run build
+
+      - name: Run coverage tests (${{ matrix.test-type }})
+        if: ${{ matrix.test-category == 'coverage' }}
+        run: npm run coverage-${{ matrix.test-type }}
+
+      - name: Publish locally for vector tests
+        if: ${{ matrix.test-category == 'vectors' && !inputs.test-published-packages }}
+        run: npm run verdaccio-publish
+
+      - name: Run vector tests (${{ matrix.test-type }})
+        if: ${{ matrix.test-category == 'vectors' }}
+        run: |
+          npm run verdaccio-${{ matrix.test-type }}-decrypt
+          npm run verdaccio-${{ matrix.test-type }}-encrypt
+
+      - name: Run compliance tests
+        # Don't run linting or check Duvet requirements for published packages
+        if: ${{ matrix.test-category == 'compliance'}}
+        run: |
+          npm run lint
+          npm run test_conditions
diff --git a/package.json b/package.json
@@ -26,7 +26,7 @@
     "build-browser": "tsc -b tsconfig.module.json",
     "build": "run-s build-*",
     "karma": "NODE_OPTIONS=--max-old-space-size=4096 karma start karma.conf.js",
-    "mocha": "mocha --exclude 'modules/*-+(browser|backend)/build/main/test/*.js'  modules/**/build/main/test/*test.js",
+    "mocha": "mocha --timeout 5000 --exclude 'modules/*-+(browser|backend)/build/main/test/*.js'  modules/**/build/main/test/*test.js",
     "coverage-browser": "npm run karma && nyc report -t .karma_output --check-coverage",
     "coverage-node": "nyc --instrument --all --check-coverage -n 'modules/**/build/main/src/*.js' -x 'modules/**/build/main/test/*.js' -x 'modules/*-+(browser|backend)/**/*.js' npm run mocha",
     "coverage-merge": "nyc merge .karma_output .nyc_output/browser.json",
