From 72227f1bb37acc003c283b8c73f71eb2de46fc7d Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Wed, 29 Oct 2025 13:20:04 -0700 Subject: [PATCH 01/31] m --- .github/workflows/prod-release.yml | 178 +++++++++++++++++++++++++++++ 1 file changed, 178 insertions(+) create mode 100644 .github/workflows/prod-release.yml diff --git a/.github/workflows/prod-release.yml b/.github/workflows/prod-release.yml new file mode 100644 index 00000000..7826fb11 --- /dev/null +++ b/.github/workflows/prod-release.yml 
@@ -0,0 +1,178 @@
+name: Release
+
+on:
+ # TODO: remove pull_request once tested in PR
+ pull_request:
+ workflow_dispatch:
+ inputs:
+ version_bump:
+ required: false
+ description: '[Optional] Override semantic versioning with explict version (allowed values: "patch", "minor", "major", or explicit version)'
+ default: ''
+ dist_tag:
+ description: 'NPM distribution tag'
+ required: false
+ default: 'latest'
+ branch:
+ description: 'The branch to release from'
+ required: false
+ default: 'master'
+
+env:
+ NODE_OPTIONS: "--max-old-space-size=4096"
+ NPM_CONFIG_UNSAFE_PERM: true
+
+jobs:
+ compliance:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Setup Node.js 18
+ uses: actions/setup-node@v4
+ with:
+ node-version: '18'
+ cache: 'npm'
+
+ - name: Install dependencies
+ run: npm ci --unsafe-perm
+
+ - name: Run compliance checks
+ run: |
+ npm run lint
+ npm run test_conditions
+
+ test-nodejs20:
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ contents: read
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Setup Node.js 20
+ uses: actions/setup-node@v4
+ with:
+ node-version: '20'
+ cache: 'npm'
+
+ - name: Install dependencies and build
+ run: |
+ npm ci --unsafe-perm
+ npm run build
+
+ - name: Run Node.js tests
+ run: npm run coverage-node
+
+ test-browser18:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Setup Node.js 18
+ uses: actions/setup-node@v4
+ with:
+ node-version: '18'
+ cache: 'npm'
+
+ - name: Install dependencies and build
+ run: |
+ npm ci --unsafe-perm
+ npm run build
+
+ - name: Run browser tests
+ run: npm run coverage-browser
+
+ test-vectors-nodejs20:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Setup Node.js 20
+ uses: actions/setup-node@v4
+ with:
+ node-version: '20'
+ cache: 'npm'
+
+ - name: Install dependencies and build
+ run: |
+ npm ci --unsafe-perm
+ npm run build
+
+ - name: Run integration tests with local publish
+ env:
+ PUBLISH_LOCAL: "true"
+ run: |
+ npm run verdaccio-publish
+ npm run verdaccio-node-decrypt
+ npm run verdaccio-node-encrypt
+
+ test-vectors-browser18:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Setup Node.js 18
+ uses: actions/setup-node@v4
+ with:
+ node-version: '18'
+ cache: 'npm'
+
+ - name: Install dependencies and build
+ run: |
+ npm ci --unsafe-perm
+ npm run build
+
+ - name: Run integration tests with local publish
+ env:
+ PUBLISH_LOCAL: "true"
+ run: |
+ npm run verdaccio-publish
+ npm run verdaccio-browser-decrypt
+ npm run verdaccio-browser-encrypt
+
+ # Once all tests have passed, run semantic versioning
+ version:
+ runs-on: ubuntu-latest
+ needs: [compliance, test-nodejs20, test-browser18, test-vectors-nodejs20, test-vectors-browser18]
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Setup Node.js 16
+ uses: actions/setup-node@v4
+ with:
+ node-version: '16'
+ cache: 'npm'
+
+ - name: Install dependencies
+ run: npm ci --unsafe-perm
+
+ - name: Configure git
+ env:
+ BRANCH: ${{ github.event.inputs.branch }}
+ VERSION_BUMP: ${{ github.event.inputs.version_bump }}
+ run: |
+ git config --global user.name "aws-crypto-tools-ci-bot"
+ git config --global user.email "no-reply@noemail.local"
+ git checkout $BRANCH
+
+ - name: Version packages
+ run: |
+ npx lerna version --conventional-commits --git-remote origin --yes ${VERSION_BUMP:+$VERSION_BUMP --force-publish}
+ git log -n 1
+
+ # Once semantic versioning has run and bumped versions, publish to npm
+ # TODO: Publish step that doesn't use OTP but instead follows
+ # https://docs.npmjs.com/trusted-publishers
+
+ # Once publishing is complete, validate that the published packages are useable
+ # TODO: Publish step based on CodeBuild jobs
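Review bot: `VERSION_BUMP` is declared in the `env:` of the `Configure git` step but only read in the following `Version packages` step, and step-level `env` does not carry over to the next step, so `${VERSION_BUMP:+$VERSION_BUMP --force-publish}` always expands to nothing and the `version_bump` input is silently ignored. Move the mapping onto the step that uses it — `- name: Version packages` / `env:` / `VERSION_BUMP: ${{ github.event.inputs.version_bump }}` — or declare it in the job-level `env`; the same scoping problem survives in the later hunks that rewrite this step (patch 13 and patch 19). Passing the inputs through `env` rather than inlining `${{ }}` into `run:` is the right pattern for these user-supplied values and is worth keeping everywhere. Minor: the `version_bump` description misspells `explicit` as `explict`.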
From 02c712363e7debd00e73a79b26f048623202f08b Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Wed, 29 Oct 2025 13:20:35 -0700 Subject: [PATCH 02/31] m --- .github/workflows/prod-release.yml | 64 +++++++++++++++--------------- 1 file changed, 32 insertions(+), 32 deletions(-) diff --git a/.github/workflows/prod-release.yml b/.github/workflows/prod-release.yml index 7826fb11..6bf3cd2e 100644 --- a/.github/workflows/prod-release.yml +++ b/.github/workflows/prod-release.yml 
@@ -137,38 +137,38 @@ jobs: npm run verdaccio-browser-encrypt # Once all tests have passed, run semantic versioning - version: - runs-on: ubuntu-latest - needs: [compliance, test-nodejs20, test-browser18, test-vectors-nodejs20, test-vectors-browser18] - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - fetch-depth: 0 - token: ${{ secrets.GITHUB_TOKEN }} - - - name: Setup Node.js 16 - uses: actions/setup-node@v4 - with: - node-version: '16' - cache: 'npm' - - - name: Install dependencies - run: npm ci --unsafe-perm - - - name: Configure git - env: - BRANCH: ${{ github.event.inputs.branch }} - VERSION_BUMP: ${{ github.event.inputs.version_bump }} - run: | - git config --global user.name "aws-crypto-tools-ci-bot" - git config --global user.email "no-reply@noemail.local" - git checkout $BRANCH - - - name: Version packages - run: | - npx lerna version --conventional-commits --git-remote origin --yes ${VERSION_BUMP:+$VERSION_BUMP --force-publish} - git log -n 1 + # version: + # runs-on: ubuntu-latest + # needs: [compliance, test-nodejs20, test-browser18, test-vectors-nodejs20, test-vectors-browser18] + # steps: + # - name: Checkout code + # uses: actions/checkout@v4 + # with: + # fetch-depth: 0 + # token: ${{ secrets.GITHUB_TOKEN }} + + # - name: Setup Node.js 16 + # uses: actions/setup-node@v4 + # with: + # node-version: '16' + # cache: 'npm' + + # - name: Install dependencies + # run: npm ci --unsafe-perm + + # - name: Configure git + # env: + # BRANCH: ${{ github.event.inputs.branch }} + # VERSION_BUMP: ${{ github.event.inputs.version_bump }} + # run: | + # git config --global user.name "aws-crypto-tools-ci-bot" + # git config --global user.email "no-reply@noemail.local" + # git checkout $BRANCH + + # - name: Version packages + # run: | + # npx lerna version --conventional-commits --git-remote origin --yes ${VERSION_BUMP:+$VERSION_BUMP --force-publish} + # git log -n 1 # Once semantic versioning has run and bumped versions, publish to npm # TODO: 
Publish step that doesn't use OTP but instead follows From 7ca039a110a12e12206429e3e4aff788bb6df971 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Wed, 29 Oct 2025 13:35:45 -0700 Subject: [PATCH 03/31] m --- .github/workflows/prod-release.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/workflows/prod-release.yml b/.github/workflows/prod-release.yml index 6bf3cd2e..f0cbf77f 100644 --- a/.github/workflows/prod-release.yml +++ b/.github/workflows/prod-release.yml @@ -28,6 +28,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 + with: + fetch-depth: 0 - name: Setup Node.js 18 uses: actions/setup-node@v4 @@ -51,6 +53,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 + with: + fetch-depth: 0 - name: Setup Node.js 20 uses: actions/setup-node@v4 @@ -71,6 +75,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 + with: + fetch-depth: 0 - name: Setup Node.js 18 uses: actions/setup-node@v4 @@ -91,6 +97,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 + with: + fetch-depth: 0 - name: Setup Node.js 20 uses: actions/setup-node@v4 @@ -116,6 +124,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 + with: + fetch-depth: 0 - name: Setup Node.js 18 uses: actions/setup-node@v4 From 365996b11d6238745b240f76eb6c7a6d7be23ab6 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Wed, 29 Oct 2025 13:38:00 -0700 Subject: [PATCH 04/31] m --- .github/workflows/prod-release.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/prod-release.yml b/.github/workflows/prod-release.yml index f0cbf77f..b779df60 100644 --- a/.github/workflows/prod-release.yml +++ b/.github/workflows/prod-release.yml @@ -30,6 +30,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + submodules: true - name: Setup Node.js 18 uses: actions/setup-node@v4 
@@ -55,6 +56,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + submodules: true - name: Setup Node.js 20 uses: actions/setup-node@v4 @@ -77,6 +79,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + submodules: true - name: Setup Node.js 18 uses: actions/setup-node@v4 @@ -99,6 +102,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + submodules: true - name: Setup Node.js 20 uses: actions/setup-node@v4 @@ -126,6 +130,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + submodules: true - name: Setup Node.js 18 uses: actions/setup-node@v4 From df6b270a48c061e529b70200b5a1be8294f9c377 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Wed, 29 Oct 2025 13:43:25 -0700 Subject: [PATCH 05/31] m --- .github/workflows/prod-release.yml | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/.github/workflows/prod-release.yml b/.github/workflows/prod-release.yml index b779df60..c643bfb2 100644 --- a/.github/workflows/prod-release.yml +++ b/.github/workflows/prod-release.yml @@ -64,6 +64,13 @@ jobs: node-version: '20' cache: 'npm' + - name: Configure AWS Credentials for Tests + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: us-west-2 + role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2 + role-session-name: JavaScriptTests + - name: Install dependencies and build run: | npm ci --unsafe-perm @@ -87,6 +94,13 @@ jobs: node-version: '18' cache: 'npm' + - name: Configure AWS Credentials for Tests + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: us-west-2 + role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2 + role-session-name: JavaScriptTests + - name: Install dependencies and build run: | npm ci --unsafe-perm 
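Review bot: The `Configure AWS Credentials for Tests` step added here and repeated in the next three hunks of this patch assumes the same role with the fixed `role-session-name: JavaScriptTests`, so CloudTrail cannot distinguish which job or run performed a given API call; deriving the name from the run, e.g. `role-session-name: ${{ github.job }}-${{ github.run_id }}`, keeps sessions attributable without changing the role. Because the workflow still carries the `pull_request` trigger at this point, the role's trust policy needs to pin the OIDC `sub` claim to this repository and the refs that are meant to assume it, not just the audience — the trust policy is not visible from here, so confirm. A one-line comment on the step naming which test scripts actually need AWS access would also help, since every matrix leg now assumes the role.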
@@ -110,6 +124,13 @@ jobs: node-version: '20' cache: 'npm' + - name: Configure AWS Credentials for Tests + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: us-west-2 + role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2 + role-session-name: JavaScriptTests + - name: Install dependencies and build run: | npm ci --unsafe-perm @@ -138,6 +159,13 @@ jobs: node-version: '18' cache: 'npm' + - name: Configure AWS Credentials for Tests + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: us-west-2 + role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2 + role-session-name: JavaScriptTests + - name: Install dependencies and build run: | npm ci --unsafe-perm From e6c405e8953583d741b926b798695a075e9e4d0b Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Wed, 29 Oct 2025 13:44:52 -0700 Subject: [PATCH 06/31] m --- .github/workflows/prod-release.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/workflows/prod-release.yml b/.github/workflows/prod-release.yml index c643bfb2..fc89db47 100644 --- a/.github/workflows/prod-release.yml +++ b/.github/workflows/prod-release.yml @@ -81,6 +81,9 @@ jobs: test-browser18: runs-on: ubuntu-latest + permissions: + id-token: write + contents: read steps: - name: Checkout code uses: actions/checkout@v4 @@ -111,6 +114,9 @@ jobs: test-vectors-nodejs20: runs-on: ubuntu-latest + permissions: + id-token: write + contents: read steps: - name: Checkout code uses: actions/checkout@v4 @@ -146,6 +152,9 @@ jobs: test-vectors-browser18: runs-on: ubuntu-latest + permissions: + id-token: write + contents: read steps: - name: Checkout code uses: actions/checkout@v4 From 5b998e3413895ab443e40a85e1d5594c88688098 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Wed, 29 Oct 2025 13:52:18 -0700 Subject: [PATCH 07/31] m --- .github/workflows/prod-release.yml | 64 +++++++++++++++--------------- 1 file changed, 32 insertions(+), 32 deletions(-) 
diff --git a/.github/workflows/prod-release.yml b/.github/workflows/prod-release.yml index fc89db47..3d3c826c 100644 --- a/.github/workflows/prod-release.yml +++ b/.github/workflows/prod-release.yml 
@@ -189,38 +189,38 @@ jobs: npm run verdaccio-browser-encrypt # Once all tests have passed, run semantic versioning - # version: - # runs-on: ubuntu-latest - # needs: [compliance, test-nodejs20, test-browser18, test-vectors-nodejs20, test-vectors-browser18] - # steps: - # - name: Checkout code - # uses: actions/checkout@v4 - # with: - # fetch-depth: 0 - # token: ${{ secrets.GITHUB_TOKEN }} - - # - name: Setup Node.js 16 - # uses: actions/setup-node@v4 - # with: - # node-version: '16' - # cache: 'npm' - - # - name: Install dependencies - # run: npm ci --unsafe-perm - - # - name: Configure git - # env: - # BRANCH: ${{ github.event.inputs.branch }} - # VERSION_BUMP: ${{ github.event.inputs.version_bump }} - # run: | - # git config --global user.name "aws-crypto-tools-ci-bot" - # git config --global user.email "no-reply@noemail.local" - # git checkout $BRANCH - - # - name: Version packages - # run: | - # npx lerna version --conventional-commits --git-remote origin --yes ${VERSION_BUMP:+$VERSION_BUMP --force-publish} - # git log -n 1 + version: + runs-on: ubuntu-latest + needs: [compliance, test-nodejs20, test-browser18, test-vectors-nodejs20, test-vectors-browser18] + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + fetch-depth: 0 + submodules: true + + - name: Setup Node.js 16 + uses: actions/setup-node@v4 + with: + node-version: '16' + cache: 'npm' + + - name: Install dependencies + run: npm ci --unsafe-perm + + - name: Configure git + env: + BRANCH: ${{ github.event.inputs.branch }} + VERSION_BUMP: ${{ github.event.inputs.version_bump }} + run: | + git config --global user.name "aws-crypto-tools-ci-bot" + git config --global user.email "no-reply@noemail.local" + git checkout $BRANCH + + - name: Version packages + run: | + npx lerna version --conventional-commits --git-remote origin --yes ${VERSION_BUMP:+$VERSION_BUMP --force-publish} + git log -n 1 # Once semantic versioning has run and bumped versions, publish to npm # TODO: Publish step that 
doesn't use OTP but instead follows From 60f39e3af9605d8a10e5d6f0d7b0b1484b70a428 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Wed, 29 Oct 2025 14:25:16 -0700 Subject: [PATCH 08/31] m --- .github/workflows/prod-release.yml | 78 ++++++++++++++++++++++++++++-- 1 file changed, 74 insertions(+), 4 deletions(-) diff --git a/.github/workflows/prod-release.yml b/.github/workflows/prod-release.yml index 3d3c826c..c839278d 100644 --- a/.github/workflows/prod-release.yml +++ b/.github/workflows/prod-release.yml @@ -215,11 +215,15 @@ jobs: run: | git config --global user.name "aws-crypto-tools-ci-bot" git config --global user.email "no-reply@noemail.local" - git checkout $BRANCH + # TODO: Uncomment when adding publish step + # git checkout $BRANCH # Commented out to test on current branch - - name: Version packages + - name: Version packages (dry run - no push) run: | - npx lerna version --conventional-commits --git-remote origin --yes ${VERSION_BUMP:+$VERSION_BUMP --force-publish} + # For testing: no push to avoid modifying master branch + npx lerna version --conventional-commits --no-push --yes ${VERSION_BUMP:+$VERSION_BUMP --force-publish} + # TODO: uncomment line below and remove line above when adding publish step + # npx lerna version --conventional-commits --git-remote origin --yes ${VERSION_BUMP:+$VERSION_BUMP --force-publish} git log -n 1 # Once semantic versioning has run and bumped versions, publish to npm 
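Review bot: The restored `version` job pushes the lerna commit and tag to `origin` using the credential persisted by `actions/checkout`, but declares no `permissions:` block, so it inherits whatever the repository's default token scope is while every test job explicitly limits itself to `contents: read`; declare `permissions:` / `contents: write` on this job so the single write scope in the workflow is visible and keeps working if a top-level read-only default is added later. The job also runs on `node-version: '16'` while the test jobs it `needs` run on 18 and 20, so the `npm ci` that produces the release commit resolves under a Node version that no test leg exercises.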
@@ -227,4 +231,70 @@ jobs: # https://docs.npmjs.com/trusted-publishers # Once publishing is complete, validate that the published packages are useable - # TODO: Publish step based on CodeBuild jobs + validate-nodejs: + runs-on: ubuntu-latest + # TODO: Uncomment when adding publish step + # needs: [publish] + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + fetch-depth: 0 + submodules: true + + - name: Setup Node.js 20 + uses: actions/setup-node@v4 + with: + node-version: '20' + cache: 'npm' + + - name: Configure AWS Credentials for Tests + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: us-west-2 + role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2 + role-session-name: JavaScriptTests + + - name: Install dependencies + run: npm ci --unsafe-perm + + - name: Validate published packages - Node.js + env: + PUBLISH_LOCAL: "false" + run: | + npm run verdaccio-node-decrypt + npm run verdaccio-node-encrypt + + validate-browser: + runs-on: ubuntu-latest + # TODO: Uncomment when adding publish step + # needs: [publish] + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + fetch-depth: 0 + submodules: true + + - name: Setup Node.js 18 + uses: actions/setup-node@v4 + with: + node-version: '18' + cache: 'npm' + + - name: Configure AWS Credentials for Tests + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: us-west-2 + role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2 + role-session-name: JavaScriptTests + + - name: Install dependencies + run: npm ci --unsafe-perm + + - name: Validate published packages - Browser + env: + PUBLISH_LOCAL: "false" + run: | + npm run verdaccio-browser-decrypt + npm run verdaccio-browser-encrypt From baf3332fa5dc6fd868ff8457bef65441aec49405 Mon Sep 17 00:00:00 2001 
From: Lucas McDonald Date: Wed, 29 Oct 2025 14:26:52 -0700 Subject: [PATCH 09/31] m --- .github/workflows/prod-release.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/prod-release.yml b/.github/workflows/prod-release.yml index c839278d..5e175b1b 100644 --- a/.github/workflows/prod-release.yml +++ b/.github/workflows/prod-release.yml @@ -235,6 +235,9 @@ jobs: runs-on: ubuntu-latest # TODO: Uncomment when adding publish step # needs: [publish] + permissions: + id-token: write + contents: read steps: - name: Checkout code uses: actions/checkout@v4 @@ -269,6 +272,9 @@ jobs: runs-on: ubuntu-latest # TODO: Uncomment when adding publish step # needs: [publish] + permissions: + id-token: write + contents: read steps: - name: Checkout code uses: actions/checkout@v4 From 628f323b65ac1fc2810996a501240d13e251f657 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Wed, 29 Oct 2025 14:39:48 -0700 Subject: [PATCH 10/31] m --- .github/workflows/prod-release.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/prod-release.yml b/.github/workflows/prod-release.yml index 5e175b1b..614ae408 100644 --- a/.github/workflows/prod-release.yml +++ b/.github/workflows/prod-release.yml @@ -301,6 +301,11 @@ jobs: - name: Validate published packages - Browser env: PUBLISH_LOCAL: "false" + # This will fail until the publish step is run for the first time. + # A dependency change broke the browser tests. + # Commit fb10180dfb451ff5359ebc703c58eaf5393971ac fixes this. + # The first publish step for v4.2.2+ should make this pass. + # TODO: Remove this comment block after first successful publish of v4.2.2+. run: | npm run verdaccio-browser-decrypt npm run verdaccio-browser-encrypt From d4c66964768d10366a03fe6c5d28b73855991f46 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Wed, 29 Oct 2025 15:05:03 -0700 Subject: [PATCH 11/31] m --- .github/workflows/prod-release.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/prod-release.yml b/.github/workflows/prod-release.yml index 614ae408..ff0fde9f 100644 --- a/.github/workflows/prod-release.yml +++ b/.github/workflows/prod-release.yml @@ -1,4 +1,6 @@ name: Release +permissions: + contents: read on: # TODO: remove pull_request once tested in PR @@ -215,8 +217,7 @@ jobs: run: | git config --global user.name "aws-crypto-tools-ci-bot" git config --global user.email "no-reply@noemail.local" - # TODO: Uncomment when adding publish step - # git checkout $BRANCH # Commented out to test on current branch + git checkout ${{ github.head_ref }} # Use PR branch or current branch - name: Version packages (dry run - no push) run: | From 39efcd545e9cfbce531018a60e16a9e733a165ff Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Wed, 29 Oct 2025 16:24:24 -0700 Subject: [PATCH 12/31] m --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 71169e92..d90e57b0 100644 --- a/package.json +++ b/package.json @@ -26,7 +26,7 @@ "build-browser": "tsc -b tsconfig.module.json", "build": "run-s build-*", "karma": "NODE_OPTIONS=--max-old-space-size=4096 karma start karma.conf.js", - "mocha": "mocha --exclude 'modules/*-+(browser|backend)/build/main/test/*.js' modules/**/build/main/test/*test.js", + "mocha": "mocha --timeout 5000 --exclude 'modules/*-+(browser|backend)/build/main/test/*.js' modules/**/build/main/test/*test.js", "coverage-browser": "npm run karma && nyc report -t .karma_output --check-coverage", "coverage-node": "nyc --instrument --all --check-coverage -n 'modules/**/build/main/src/*.js' -x 'modules/**/build/main/test/*.js' -x 'modules/*-+(browser|backend)/**/*.js' npm run mocha", "coverage-merge": "nyc merge .karma_output .nyc_output/browser.json", From b8599e589c95853faa08a655d544fb2acb8f2f29 Mon Sep 17 00:00:00 2001 
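Review bot: `git checkout ${{ github.head_ref }} # Use PR branch or current branch` interpolates the PR head branch name straight into the shell script; while the `pull_request` trigger is present (its TODO is still in the context lines above), that value is chosen by whoever opens the PR and is one of the contexts GitHub documents as a script-injection vector, and this job already uses the safe pattern for `BRANCH`. Pass it through the step env instead — `env:` / `HEAD_REF: ${{ github.head_ref }}` — and run `git checkout "$HEAD_REF"`. The same inline expression is reintroduced in patch 15's `@@ -211,13 +123,14 @@` hunk and should be fixed the same way there.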
From: Lucas McDonald Date: Wed, 29 Oct 2025 16:36:23 -0700 Subject: [PATCH 13/31] m --- .github/workflows/prod-release.yml | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/.github/workflows/prod-release.yml b/.github/workflows/prod-release.yml index ff0fde9f..fd890f09 100644 --- a/.github/workflows/prod-release.yml +++ b/.github/workflows/prod-release.yml @@ -3,8 +3,6 @@ permissions: contents: read on: - # TODO: remove pull_request once tested in PR - pull_request: workflow_dispatch: inputs: version_bump: @@ -217,14 +215,13 @@ jobs: run: | git config --global user.name "aws-crypto-tools-ci-bot" git config --global user.email "no-reply@noemail.local" - git checkout ${{ github.head_ref }} # Use PR branch or current branch + git checkout $BRANCH - name: Version packages (dry run - no push) run: | - # For testing: no push to avoid modifying master branch - npx lerna version --conventional-commits --no-push --yes ${VERSION_BUMP:+$VERSION_BUMP --force-publish} - # TODO: uncomment line below and remove line above when adding publish step - # npx lerna version --conventional-commits --git-remote origin --yes ${VERSION_BUMP:+$VERSION_BUMP --force-publish} + # Generate new version and CHANGELOG entry and push it + npx lerna version --conventional-commits --git-remote origin --yes ${VERSION_BUMP:+$VERSION_BUMP --force-publish} + # Log the commit for posterity git log -n 1 # Once semantic versioning has run and bumped versions, publish to npm From fd51dd2b1085a906a137224ce2bc457c2229f841 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Wed, 29 Oct 2025 16:44:21 -0700 Subject: [PATCH 14/31] m --- .github/workflows/prod-release.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/.github/workflows/prod-release.yml b/.github/workflows/prod-release.yml index fd890f09..694dc55b 100644 --- a/.github/workflows/prod-release.yml +++ b/.github/workflows/prod-release.yml 
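Review bot: The step is still named `Version packages (dry run - no push)` while its command is now `lerna version ... --git-remote origin --yes`, which commits, tags and pushes, so the name in the run log says the opposite of what the step does; rename it, e.g. `- name: Version packages (commit, tag and push)`. `git checkout $BRANCH` correctly reads the env-passed input, but `VERSION_BUMP` is still declared only on the `Configure git` step and is empty when `${VERSION_BUMP:+...}` is expanded here, so the override input has no effect. The stale step name comes back unchanged in patch 19's `@@ -124,14 +123,13 @@` hunk.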
@@ -143,8 +143,6 @@ jobs: npm run build - name: Run integration tests with local publish - env: - PUBLISH_LOCAL: "true" run: | npm run verdaccio-publish npm run verdaccio-node-decrypt @@ -181,8 +179,6 @@ jobs: npm run build - name: Run integration tests with local publish - env: - PUBLISH_LOCAL: "true" run: | npm run verdaccio-publish npm run verdaccio-browser-decrypt @@ -260,8 +256,6 @@ jobs: run: npm ci --unsafe-perm - name: Validate published packages - Node.js - env: - PUBLISH_LOCAL: "false" run: | npm run verdaccio-node-decrypt npm run verdaccio-node-encrypt @@ -297,8 +291,6 @@ jobs: run: npm ci --unsafe-perm - name: Validate published packages - Browser - env: - PUBLISH_LOCAL: "false" # This will fail until the publish step is run for the first time. # A dependency change broke the browser tests. # Commit fb10180dfb451ff5359ebc703c58eaf5393971ac fixes this. From 9ac58d2b0ad2a4d46452f943340d8b38230717d8 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Mon, 3 Nov 2025 11:14:48 -0800 Subject: [PATCH 15/31] m --- .github/workflows/prod-release.yml | 193 ++++++----------------------- 1 file changed, 38 insertions(+), 155 deletions(-) diff --git a/.github/workflows/prod-release.yml b/.github/workflows/prod-release.yml index 694dc55b..c520b499 100644 --- a/.github/workflows/prod-release.yml +++ b/.github/workflows/prod-release.yml @@ -3,6 +3,7 @@ permissions: contents: read on: + pull_request: workflow_dispatch: inputs: version_bump: @@ -46,11 +47,17 @@ jobs: npm run lint npm run test_conditions - test-nodejs20: + test: runs-on: ubuntu-latest permissions: id-token: write contents: read + strategy: + matrix: + node-version: ['18', '20'] + test-type: ['node', 'browser'] + test-category: ['coverage', 'vectors'] + name: test-${{ matrix.test-category }}-${{ matrix.test-type }}${{ matrix.node-version }} steps: - name: Checkout code uses: actions/checkout@v4 
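Review bot: Removing `PUBLISH_LOCAL` from all four steps leaves the `test-vectors-*` and `validate-*` steps running the same `verdaccio-*-decrypt` / `verdaccio-*-encrypt` scripts, distinguished only by whether `npm run verdaccio-publish` ran first; if those scripts used the variable to choose between the local verdaccio registry and the public one, the validate jobs now resolve packages from whatever the scripts default to — the scripts are not visible here, so confirm the default. A one-line comment on the `Validate published packages` steps stating which registry they are expected to install from, e.g. `# Installs the already-published packages from the public registry, not verdaccio`, would make the intended difference explicit.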
@@ -58,10 +65,10 @@ jobs: fetch-depth: 0 submodules: true - - name: Setup Node.js 20 + - name: Setup Node.js ${{ matrix.node-version }} uses: actions/setup-node@v4 with: - node-version: '20' + node-version: ${{ matrix.node-version }} cache: 'npm' - name: Configure AWS Credentials for Tests 
@@ -76,118 +83,23 @@ jobs: npm ci --unsafe-perm npm run build - - name: Run Node.js tests - run: npm run coverage-node - - test-browser18: - runs-on: ubuntu-latest - permissions: - id-token: write - contents: read - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - fetch-depth: 0 - submodules: true - - - name: Setup Node.js 18 - uses: actions/setup-node@v4 - with: - node-version: '18' - cache: 'npm' - - - name: Configure AWS Credentials for Tests - uses: aws-actions/configure-aws-credentials@v4 - with: - aws-region: us-west-2 - role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2 - role-session-name: JavaScriptTests - - - name: Install dependencies and build - run: | - npm ci --unsafe-perm - npm run build - - - name: Run browser tests - run: npm run coverage-browser - - test-vectors-nodejs20: - runs-on: ubuntu-latest - permissions: - id-token: write - contents: read - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - fetch-depth: 0 - submodules: true - - - name: Setup Node.js 20 - uses: actions/setup-node@v4 - with: - node-version: '20' - cache: 'npm' - - - name: Configure AWS Credentials for Tests - uses: aws-actions/configure-aws-credentials@v4 - with: - aws-region: us-west-2 - role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2 - role-session-name: JavaScriptTests - - - name: Install dependencies and build - run: | - npm ci --unsafe-perm - npm run build - - - name: Run integration tests with local publish - run: | - npm run verdaccio-publish - npm run verdaccio-node-decrypt - npm run verdaccio-node-encrypt - - test-vectors-browser18: - runs-on: ubuntu-latest - permissions: - id-token: write - contents: read - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - fetch-depth: 0 - submodules: true - - - name: Setup Node.js 18 - uses: actions/setup-node@v4 - with: - node-version: '18' - cache: 'npm' - - - name: Configure AWS Credentials for Tests - uses: 
aws-actions/configure-aws-credentials@v4 - with: - aws-region: us-west-2 - role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2 - role-session-name: JavaScriptTests - - - name: Install dependencies and build + - name: Run ${{ matrix.test-category }} tests (${{ matrix.test-type }}) run: | - npm ci --unsafe-perm - npm run build - - - name: Run integration tests with local publish - run: | - npm run verdaccio-publish - npm run verdaccio-browser-decrypt - npm run verdaccio-browser-encrypt + if [ "${{ matrix.test-category }}" = "coverage" ]; then + npm run coverage-${{ matrix.test-type }} + elif [ "${{ matrix.test-category }}" = "vectors" ]; then + npm run verdaccio-publish + npm run verdaccio-${{ matrix.test-type }}-decrypt + npm run verdaccio-${{ matrix.test-type }}-encrypt + else + echo "Error: Unrecognized test category '${{ matrix.test-category }}'" + exit 1 + fi # Once all tests have passed, run semantic versioning version: runs-on: ubuntu-latest - needs: [compliance, test-nodejs20, test-browser18, test-vectors-nodejs20, test-vectors-browser18] + needs: [compliance, test] steps: - name: Checkout code uses: actions/checkout@v4 
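Review bot: The new `run:` script branches on `${{ matrix.test-category }}` and `${{ matrix.test-type }}` expanded directly into the shell, whereas the rest of this workflow passes values through step `env`; the matrix values are fixed in the file so this is not an injection risk, but the mixed style makes the rendered script harder to read, and the `else` branch can never fire for the values the matrix defines. Passing both through `env` and switching on them with `case` keeps the same commands and error message while matching the `BRANCH` / `VERSION_BUMP` convention. The `test` job header starts in the previous hunk.
```yaml
      - name: Run ${{ matrix.test-category }} tests (${{ matrix.test-type }})
        env:
          TEST_CATEGORY: ${{ matrix.test-category }}
          TEST_TYPE: ${{ matrix.test-type }}
        run: |
          case "$TEST_CATEGORY" in
            coverage)
              npm run "coverage-$TEST_TYPE"
              ;;
            vectors)
              npm run verdaccio-publish
              npm run "verdaccio-$TEST_TYPE-decrypt"
              npm run "verdaccio-$TEST_TYPE-encrypt"
              ;;
            *)
              echo "Error: Unrecognized test category '$TEST_CATEGORY'"
              exit 1
              ;;
          esac
```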
@@ -211,13 +123,14 @@ jobs: run: | git config --global user.name "aws-crypto-tools-ci-bot" git config --global user.email "no-reply@noemail.local" - git checkout $BRANCH + git checkout ${{ github.head_ref }} # Use PR branch or current branch - name: Version packages (dry run - no push) run: | - # Generate new version and CHANGELOG entry and push it - npx lerna version --conventional-commits --git-remote origin --yes ${VERSION_BUMP:+$VERSION_BUMP --force-publish} - # Log the commit for posterity + # For testing: no push to avoid modifying master branch + npx lerna version --conventional-commits --no-push --yes ${VERSION_BUMP:+$VERSION_BUMP --force-publish} + # TODO: uncomment line below and remove line above when adding publish step + # npx lerna version --conventional-commits --git-remote origin --yes ${VERSION_BUMP:+$VERSION_BUMP --force-publish} git log -n 1 # Once semantic versioning has run and bumped versions, publish to npm 
@@ -225,48 +138,18 @@ jobs: # https://docs.npmjs.com/trusted-publishers # Once publishing is complete, validate that the published packages are useable - validate-nodejs: - runs-on: ubuntu-latest - # TODO: Uncomment when adding publish step - # needs: [publish] - permissions: - id-token: write - contents: read - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - fetch-depth: 0 - submodules: true - - - name: Setup Node.js 20 - uses: actions/setup-node@v4 - with: - node-version: '20' - cache: 'npm' - - - name: Configure AWS Credentials for Tests - uses: aws-actions/configure-aws-credentials@v4 - with: - aws-region: us-west-2 - role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2 - role-session-name: JavaScriptTests - - - name: Install dependencies - run: npm ci --unsafe-perm - - - name: Validate published packages - Node.js - run: | - npm run verdaccio-node-decrypt - npm run verdaccio-node-encrypt - - validate-browser: + validate: runs-on: ubuntu-latest # TODO: Uncomment when adding publish step # needs: [publish] permissions: id-token: write contents: read + strategy: + matrix: + node-version: ['18', '20'] + test-type: ['node', 'browser'] + name: validate-${{ matrix.test-type }}${{ matrix.node-version }} steps: - name: Checkout code uses: actions/checkout@v4 @@ -274,10 +157,10 @@ jobs: fetch-depth: 0 submodules: true - - name: Setup Node.js 18 + - name: Setup Node.js ${{ matrix.node-version }} uses: actions/setup-node@v4 with: - node-version: '18' + node-version: ${{ matrix.node-version }} cache: 'npm' - name: Configure AWS Credentials for Tests 
@@ -290,12 +173,12 @@ jobs: - name: Install dependencies run: npm ci --unsafe-perm - - name: Validate published packages - Browser + - name: Validate published packages - ${{ matrix.test-type }} # This will fail until the publish step is run for the first time. # A dependency change broke the browser tests. # Commit fb10180dfb451ff5359ebc703c58eaf5393971ac fixes this. # The first publish step for v4.2.2+ should make this pass. # TODO: Remove this comment block after first successful publish of v4.2.2+. run: | - npm run verdaccio-browser-decrypt - npm run verdaccio-browser-encrypt + npm run verdaccio-${{ matrix.test-type }}-decrypt + npm run verdaccio-${{ matrix.test-type }}-encrypt From 8e7815affee1b96b9663d0d420b6d2f7b720e1cd Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Mon, 3 Nov 2025 11:15:24 -0800 Subject: [PATCH 16/31] m --- .github/workflows/prod-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/prod-release.yml b/.github/workflows/prod-release.yml index c520b499..0f38a8dd 100644 --- a/.github/workflows/prod-release.yml +++ b/.github/workflows/prod-release.yml @@ -147,7 +147,7 @@ jobs: contents: read strategy: matrix: - node-version: ['18', '20'] + node-version: ['18', '20', '22'] test-type: ['node', 'browser'] name: validate-${{ matrix.test-type }}${{ matrix.node-version }} steps: From 7c0f63c03731892abdeaaca7ea3f829e754d4554 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Mon, 3 Nov 2025 11:15:52 -0800 Subject: [PATCH 17/31] m --- .github/workflows/prod-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/prod-release.yml b/.github/workflows/prod-release.yml index 0f38a8dd..977c960c 100644 --- a/.github/workflows/prod-release.yml +++ b/.github/workflows/prod-release.yml 
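Review bot: The comment block beginning `# This will fail until the publish step is run for the first time.` now sits on a step that runs for both the `node` and `browser` legs of the new matrix, but its explanation (`A dependency change broke the browser tests`) applies to the browser leg only, so readers of a failing or passing `validate-node*` run get the wrong expectation. Reword it to scope the claim, e.g. `# The browser leg will fail until the first publish of v4.2.2+ ...`, or move the explanation next to a condition on `matrix.test-type == 'browser'` — I cannot confirm from here that the node leg passes, so keep the TODO. The `validate` job header is in the previous hunk.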
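Review bot: Adding `'22'` to the `validate` matrix here, and to the `test` matrix in the next patch's `@@ -54,7 +54,7 @@` hunk, means packages are tested and validated on Node 18, 20 and 22, while the `version` job that produces the release commit (visible in earlier hunks) still runs `setup-node` with `node-version: '16'`, a runtime past its end of life that no matrix leg exercises. Align the `version` job to one of the matrix versions, or add a comment on it explaining why it must stay on 16. Both matrix hunks are otherwise one-value changes.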
@@ -54,7 +54,7 @@ jobs: contents: read strategy: matrix: - node-version: ['18', '20'] + node-version: ['18', '20', '22'] test-type: ['node', 'browser'] test-category: ['coverage', 'vectors'] name: test-${{ matrix.test-category }}-${{ matrix.test-type }}${{ matrix.node-version }} From 998c005a8594e87c9f33d7decf8e685f68ba20ff Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Mon, 3 Nov 2025 11:22:06 -0800 Subject: [PATCH 18/31] m --- .github/workflows/prod-release.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/prod-release.yml b/.github/workflows/prod-release.yml index 977c960c..9d7c9c5f 100644 --- a/.github/workflows/prod-release.yml +++ b/.github/workflows/prod-release.yml @@ -53,6 +53,7 @@ jobs: id-token: write contents: read strategy: + fail-fast: false matrix: node-version: ['18', '20', '22'] test-type: ['node', 'browser'] @@ -146,6 +147,7 @@ jobs: id-token: write contents: read strategy: + fail-fast: false matrix: node-version: ['18', '20', '22'] test-type: ['node', 'browser'] From cdd94f2fe834483f2785aa8bbcacc565a3608023 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Mon, 3 Nov 2025 12:08:07 -0800 Subject: [PATCH 19/31] m --- .github/workflows/prod-release.yml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/.github/workflows/prod-release.yml b/.github/workflows/prod-release.yml index 9d7c9c5f..1cf60d4f 100644 --- a/.github/workflows/prod-release.yml +++ b/.github/workflows/prod-release.yml @@ -3,7 +3,6 @@ permissions: contents: read on: - pull_request: workflow_dispatch: inputs: version_bump: 
@@ -124,14 +123,13 @@ jobs: run: | git config --global user.name "aws-crypto-tools-ci-bot" git config --global user.email "no-reply@noemail.local" - git checkout ${{ github.head_ref }} # Use PR branch or current branch + git checkout $BRANCH - name: Version packages (dry run - no push) run: | - # For testing: no push to avoid modifying master branch - npx lerna version --conventional-commits --no-push --yes ${VERSION_BUMP:+$VERSION_BUMP --force-publish} - # TODO: uncomment line below and remove line above when adding publish step - # npx lerna version --conventional-commits --git-remote origin --yes ${VERSION_BUMP:+$VERSION_BUMP --force-publish} + # Generate new version and CHANGELOG entry and push it + npx lerna version --conventional-commits --git-remote origin --yes ${VERSION_BUMP:+$VERSION_BUMP --force-publish} + # Log the commit for posterity git log -n 1 # Once semantic versioning has run and bumped versions, publish to npm From c0034993ff898c5de0193b9452a9661687728dcf Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Tue, 11 Nov 2025 15:56:23 -0800 Subject: [PATCH 20/31] m --- .github/workflows/ci.yml | 63 +-------------- .github/workflows/prod-release.yml | 121 ++--------------------------- .github/workflows/shared-ci.yml | 103 ++++++++++++++++++++++++ 3 files changed, 111 insertions(+), 176 deletions(-) create mode 100644 .github/workflows/shared-ci.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7105e122..ffa690e3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
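Review bot: `npx lerna version --conventional-commits --git-remote origin --yes` now pushes the version commit and tags to `origin`, but the workflow-level `permissions` block (context in this patch's first hunk) is `contents: read` and the `version` job declares no job-level permissions in any hunk shown, so the push would be rejected with the default `GITHUB_TOKEN` unless a write-capable token is configured outside this view. If the default token is the intended one, grant the write scope on the `version` job only — `version:` / `permissions:` / `contents: write` — rather than widening the workflow-level block that every test job inherits. `$BRANCH` is presumably exported from the `branch` dispatch input via `env:` above this hunk; that is the right way to pass it into a script and deserves a one-line comment saying so. The `version` job's `steps` begin before this hunk, and patch 30/31 near the end of this series re-applies the same lines with the same gap.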
@@ -4,64 +4,5 @@ name: ESDK JavaScript CI Tests on: [pull_request, workflow_call] jobs: - CI: - strategy: - matrix: - node: [18.x, 20.x, 22.x, latest] - fail-fast: false - runs-on: codebuild-AWS-ESDK-JS-Release-${{ github.run_id }}-${{ github.run_attempt }}-ubuntu-5.0-large - permissions: - id-token: write - contents: read - defaults: - run: - shell: bash - steps: - - uses: actions/checkout@v4 - with: - submodules: true - - uses: actions/setup-node@v4 - with: - node-version: ${{matrix.node}} - - name: Configure AWS Credentials for Tests - uses: aws-actions/configure-aws-credentials@v4 - with: - aws-region: us-west-2 - role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2 - role-session-name: JavaScriptTests - - name: Test Coverage Node ${{matrix.node}} - env: - NODE_OPTIONS: "--max-old-space-size=4096" - run: | - npm ci - npm run build - npm run coverage-node - - name: Test Coverage Browser ${{matrix.node}} - env: - NODE_OPTIONS: "--max-old-space-size=4096" - run: | - npm run coverage-browser - - name: Test compliance - env: - NODE_OPTIONS: "--max-old-space-size=4096" - run: | - npm run lint - npm run test_conditions - - name: Run Test Vectors Node ${{matrix.node}} - env: - NODE_OPTIONS: "--max-old-space-size=4096" - NPM_CONFIG_UNSAFE_PERM: true - PUBLISH_LOCAL: true - run: | - npm run verdaccio-publish - npm run verdaccio-node-decrypt - npm run verdaccio-node-encrypt - - name: Run Test Vectors Browser node ${{matrix.node}} - env: - NODE_OPTIONS: "--max-old-space-size=4096" - NPM_CONFIG_UNSAFE_PERM: true - PUBLISH_LOCAL: true - run: | - npm run verdaccio-publish - npm run verdaccio-browser-decrypt - npm run verdaccio-browser-encrypt + shared-ci: + uses: ./.github/workflows/shared-ci.yml diff --git a/.github/workflows/prod-release.yml b/.github/workflows/prod-release.yml index 1cf60d4f..4cc24ba5 100644 --- a/.github/workflows/prod-release.yml +++ b/.github/workflows/prod-release.yml 
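Review bot: The deleted `CI` job set `PUBLISH_LOCAL: true` on both verdaccio steps and ran on the `codebuild-AWS-ESDK-JS-Release-…` runner, while the reusable workflow introduced in this same patch (shared-ci.yml, further down the page) runs on `ubuntu-latest` and has no `PUBLISH_LOCAL` anywhere visible. If the verdaccio scripts branch on that variable, the vector tests now behave differently than before this refactor; either add `PUBLISH_LOCAL: true` to the shared workflow's `env:` block or leave a comment on the `shared-ci` job explaining why it is no longer needed. The replacement `shared-ci` job also carries no `permissions:`, whereas the deleted job had `id-token: write` and `contents: read`; a `uses:` job only passes on what the caller grants, so the credential step inside the reusable workflow cannot obtain an OIDC token until that is added (later patches in this series add it, at workflow level).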
@@ -23,83 +23,13 @@ env: NPM_CONFIG_UNSAFE_PERM: true jobs: - compliance: - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - fetch-depth: 0 - submodules: true - - - name: Setup Node.js 18 - uses: actions/setup-node@v4 - with: - node-version: '18' - cache: 'npm' - - - name: Install dependencies - run: npm ci --unsafe-perm - - - name: Run compliance checks - run: | - npm run lint - npm run test_conditions - - test: - runs-on: ubuntu-latest - permissions: - id-token: write - contents: read - strategy: - fail-fast: false - matrix: - node-version: ['18', '20', '22'] - test-type: ['node', 'browser'] - test-category: ['coverage', 'vectors'] - name: test-${{ matrix.test-category }}-${{ matrix.test-type }}${{ matrix.node-version }} - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - fetch-depth: 0 - submodules: true - - - name: Setup Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v4 - with: - node-version: ${{ matrix.node-version }} - cache: 'npm' - - - name: Configure AWS Credentials for Tests - uses: aws-actions/configure-aws-credentials@v4 - with: - aws-region: us-west-2 - role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2 - role-session-name: JavaScriptTests - - - name: Install dependencies and build - run: | - npm ci --unsafe-perm - npm run build - - - name: Run ${{ matrix.test-category }} tests (${{ matrix.test-type }}) - run: | - if [ "${{ matrix.test-category }}" = "coverage" ]; then - npm run coverage-${{ matrix.test-type }} - elif [ "${{ matrix.test-category }}" = "vectors" ]; then - npm run verdaccio-publish - npm run verdaccio-${{ matrix.test-type }}-decrypt - npm run verdaccio-${{ matrix.test-type }}-encrypt - else - echo "Error: Unrecognized test category '${{ matrix.test-category }}'" - exit 1 - fi + pre-release-ci: + uses: ./.github/workflows/shared-ci.yml # Once all tests have passed, run semantic versioning version: runs-on: ubuntu-latest - needs: 
[compliance, test] + needs: [pre-release-ci] steps: - name: Checkout code uses: actions/checkout@v4 @@ -138,47 +68,8 @@ jobs: # Once publishing is complete, validate that the published packages are useable validate: - runs-on: ubuntu-latest + uses: ./.github/workflows/shared-ci.yml # TODO: Uncomment when adding publish step # needs: [publish] - permissions: - id-token: write - contents: read - strategy: - fail-fast: false - matrix: - node-version: ['18', '20', '22'] - test-type: ['node', 'browser'] - name: validate-${{ matrix.test-type }}${{ matrix.node-version }} - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - fetch-depth: 0 - submodules: true - - - name: Setup Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v4 - with: - node-version: ${{ matrix.node-version }} - cache: 'npm' - - - name: Configure AWS Credentials for Tests - uses: aws-actions/configure-aws-credentials@v4 - with: - aws-region: us-west-2 - role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2 - role-session-name: JavaScriptTests - - - name: Install dependencies - run: npm ci --unsafe-perm - - - name: Validate published packages - ${{ matrix.test-type }} - # This will fail until the publish step is run for the first time. - # A dependency change broke the browser tests. - # Commit fb10180dfb451ff5359ebc703c58eaf5393971ac fixes this. - # The first publish step for v4.2.2+ should make this pass. - # TODO: Remove this comment block after first successful publish of v4.2.2+. - run: | - npm run verdaccio-${{ matrix.test-type }}-decrypt - npm run verdaccio-${{ matrix.test-type }}-encrypt + with: + test-published-packages: true diff --git a/.github/workflows/shared-ci.yml b/.github/workflows/shared-ci.yml new file mode 100644 index 00000000..23403557 --- /dev/null +++ b/.github/workflows/shared-ci.yml 
@@ -0,0 +1,103 @@ +name: Shared CI Tests + +on: + workflow_call: + inputs: + test-published-packages: + description: 'Test against published packages instead of checked out code' + required: false + type: boolean + default: false + +env: + NODE_OPTIONS: "--max-old-space-size=4096" + NPM_CONFIG_UNSAFE_PERM: true + +jobs: + compliance: + # Don't lint or check Duvet annotations on already-published code + if: ${{ !inputs.test-published-packages }} + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + fetch-depth: 0 + submodules: true + + - name: Setup Node.js 18 + uses: actions/setup-node@v4 + with: + node-version: '18' + cache: 'npm' + + - name: Install dependencies + run: npm ci --unsafe-perm + + - name: Run compliance checks + run: | + npm run lint + npm run test_conditions + + test: + runs-on: ubuntu-latest + permissions: + id-token: write + contents: read + strategy: + fail-fast: false + matrix: + node-version: ['18', '20', '22'] + test-type: ['node', 'browser'] + test-category: ['coverage', 'vectors'] + name: test-${{ matrix.test-category }}-${{ matrix.test-type }}${{ matrix.node-version }} + steps: + - name: Checkout code + # Always need repo for test scripts and configuration, even when testing published packages + uses: actions/checkout@v4 + with: + fetch-depth: 0 + submodules: true + + - name: Setup Node.js ${{ matrix.node-version }} + uses: actions/setup-node@v4 + with: + node-version: ${{ matrix.node-version }} + cache: 'npm' + + - name: Configure AWS Credentials for Tests + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: us-west-2 + role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2 + role-session-name: JavaScriptTests + + - name: Install dependencies + run: npm ci --unsafe-perm + + - name: Build (for source code testing) + if: ${{ !inputs.test-published-packages }} + run: npm run build + + - name: Run ${{ matrix.test-category }} tests (${{ matrix.test-type }}) + 
run: | + # Skip coverage tests when testing published packages + if [ "${{ inputs.test-published-packages }}" = "true" ] && [ "${{ matrix.test-category }}" = "coverage" ]; then + echo "Skipping coverage tests for published packages validation" + exit 0 + fi + + # Run the appropriate test + if [ "${{ matrix.test-category }}" = "coverage" ]; then + npm run coverage-${{ matrix.test-type }} + elif [ "${{ matrix.test-category }}" = "vectors" ]; then + # Only publish locally when testing source code + if [ "${{ inputs.test-published-packages }}" != "true" ]; then + npm run verdaccio-publish + fi + npm run verdaccio-${{ matrix.test-type }}-decrypt + npm run verdaccio-${{ matrix.test-type }}-encrypt + else + echo "Error: Unrecognized test category '${{ matrix.test-category }}'" + exit 1 + fi From 7d2ba4ee3d407f75893eb1adbc2383f400260b41 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Tue, 11 Nov 2025 16:01:12 -0800 Subject: [PATCH 21/31] Potential fix for code scanning alert no. 20: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ffa690e3..0944227c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,5 +1,7 @@ # This workflow performs tests in JavaScript. name: ESDK JavaScript CI Tests +permissions: + contents: read on: [pull_request, workflow_call] From eee75255ede016d43299788f5288b70fb09f4c12 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Tue, 11 Nov 2025 16:01:21 -0800 Subject: [PATCH 22/31] Potential fix for code scanning alert no. 21: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/shared-ci.yml | 2 ++ 1 file changed, 2 insertions(+) 
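Review bot: Every action in the new workflow (`actions/checkout@v4`, `actions/setup-node@v4`, `aws-actions/configure-aws-credentials@v4`) is pinned to a mutable major tag, and this is the workflow that assumes an IAM role via OIDC and is wired into the release pipeline in the same patch; for a publishing path, pin each `uses:` to a full commit SHA with the tag in a trailing comment, `uses: actions/checkout@<commit-sha> # v4`, so a re-tagged upstream cannot run new code under that role. The `Configure AWS Credentials for Tests` step also runs unconditionally for all 12 matrix entries, including the `coverage` ones; if only the vector tests need AWS, gate it with `if: ${{ matrix.test-category == 'vectors' }}` so lint and coverage runs never hold cloud credentials (the deleted ci.yml configured credentials before coverage too, so confirm before narrowing). Finally, `npm ci --unsafe-perm` and `NPM_CONFIG_UNSAFE_PERM: true` are, to my knowledge, ignored by npm 7 and later, which ships with every Node version in this matrix, so they can be dropped rather than advertising an elevated install.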
diff --git a/.github/workflows/shared-ci.yml b/.github/workflows/shared-ci.yml index 23403557..25aba095 100644 --- a/.github/workflows/shared-ci.yml +++ b/.github/workflows/shared-ci.yml @@ -18,6 +18,8 @@ jobs: # Don't lint or check Duvet annotations on already-published code if: ${{ !inputs.test-published-packages }} runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout code uses: actions/checkout@v4 From e435e39c92fce565677ba5069a77b67585ca0b0e Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Tue, 11 Nov 2025 16:05:17 -0800 Subject: [PATCH 23/31] m --- .github/workflows/ci.yml | 1 + .github/workflows/prod-release.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0944227c..7d035593 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -2,6 +2,7 @@ name: ESDK JavaScript CI Tests permissions: contents: read + id-token: write on: [pull_request, workflow_call] diff --git a/.github/workflows/prod-release.yml b/.github/workflows/prod-release.yml index 4cc24ba5..1e568174 100644 --- a/.github/workflows/prod-release.yml +++ b/.github/workflows/prod-release.yml @@ -1,6 +1,7 @@ name: Release permissions: contents: read + id-token: write on: workflow_dispatch: From 9b96e915a859960d584afea3da359d149497ebff Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Tue, 11 Nov 2025 16:10:22 -0800 Subject: [PATCH 24/31] m --- .github/workflows/shared-ci.yml | 35 ++++++++++++--------------------- 1 file changed, 13 insertions(+), 22 deletions(-) diff --git a/.github/workflows/shared-ci.yml b/.github/workflows/shared-ci.yml index 25aba095..d18eb353 100644 --- a/.github/workflows/shared-ci.yml +++ b/.github/workflows/shared-ci.yml 
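Review bot: `id-token: write` is granted at workflow level in both ci.yml and prod-release.yml in the last patch on this line, so every job in each workflow — including `version`, which pushes commits and tags, and the `pull_request`-triggered jobs in ci.yml — can mint OIDC tokens, not just the `shared-ci` / `pre-release-ci` / `validate` jobs that actually call the reusable workflow. A `uses:` job accepts its own `permissions:` block, so the grant can live there: `shared-ci:` / `uses: ./.github/workflows/shared-ci.yml` / `permissions:` / `id-token: write` / `contents: read`, leaving the workflow-level block at `contents: read` as the two code-scanning fixes just before this intended. The same applies to the prod-release.yml hunk of that patch.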
@@ -49,7 +49,7 @@ jobs: strategy: fail-fast: false matrix: - node-version: ['18', '20', '22'] + node-version: ['18', '20', '22', 'latest'] test-type: ['node', 'browser'] test-category: ['coverage', 'vectors'] name: test-${{ matrix.test-category }}-${{ matrix.test-type }}${{ matrix.node-version }} @@ -81,25 +81,16 @@ jobs: if: ${{ !inputs.test-published-packages }} run: npm run build - - name: Run ${{ matrix.test-category }} tests (${{ matrix.test-type }}) - run: | - # Skip coverage tests when testing published packages - if [ "${{ inputs.test-published-packages }}" = "true" ] && [ "${{ matrix.test-category }}" = "coverage" ]; then - echo "Skipping coverage tests for published packages validation" - exit 0 - fi + - name: Run coverage tests (${{ matrix.test-type }}) + if: ${{ matrix.test-category == 'coverage' }} + run: npm run coverage-${{ matrix.test-type }} + + - name: Publish locally for vector tests + if: ${{ matrix.test-category == 'vectors' && !inputs.test-published-packages }} + run: npm run verdaccio-publish - # Run the appropriate test - if [ "${{ matrix.test-category }}" = "coverage" ]; then - npm run coverage-${{ matrix.test-type }} - elif [ "${{ matrix.test-category }}" = "vectors" ]; then - # Only publish locally when testing source code - if [ "${{ inputs.test-published-packages }}" != "true" ]; then - npm run verdaccio-publish - fi - npm run verdaccio-${{ matrix.test-type }}-decrypt - npm run verdaccio-${{ matrix.test-type }}-encrypt - else - echo "Error: Unrecognized test category '${{ matrix.test-category }}'" - exit 1 - fi + - name: Run vector tests (${{ matrix.test-type }}) + if: ${{ matrix.test-category == 'vectors' }} + run: | + npm run verdaccio-${{ matrix.test-type }}-decrypt + npm run verdaccio-${{ matrix.test-type }}-encrypt From 41af56a19d9390d0a8c6218661e0dc6a57d64f75 Mon Sep 17 00:00:00 2001 
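Review bot: The rewritten step split loses the published-packages skip in the second hunk: `Run coverage tests` is gated only on `matrix.test-category == 'coverage'`, while the `Build (for source code testing)` step just above is skipped when `inputs.test-published-packages` is true, so the `validate` caller in prod-release.yml will now run `npm run coverage-*` against a tree that was never built. The deleted shell block exited early in exactly that combination; restore it with `if: ${{ matrix.test-category == 'coverage' && !inputs.test-published-packages }}`. Separately, adding `'latest'` to `node-version` in the first hunk makes the release gate depend on whichever Node release exists on the day it runs; reasonable for a canary, but worth an inline comment such as `# 'latest' is intentionally unpinned; expect occasional breakage from new Node releases`.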
From: Lucas McDonald Date: Tue, 11 Nov 2025 16:36:03 -0800 Subject: [PATCH 25/31] m --- .github/workflows/shared-ci.yml | 38 ++++++++------------------------- 1 file changed, 9 insertions(+), 29 deletions(-) diff --git a/.github/workflows/shared-ci.yml b/.github/workflows/shared-ci.yml index d18eb353..2942920f 100644 --- a/.github/workflows/shared-ci.yml +++ b/.github/workflows/shared-ci.yml @@ -14,33 +14,6 @@ env: NPM_CONFIG_UNSAFE_PERM: true jobs: - compliance: - # Don't lint or check Duvet annotations on already-published code - if: ${{ !inputs.test-published-packages }} - runs-on: ubuntu-latest - permissions: - contents: read - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - fetch-depth: 0 - submodules: true - - - name: Setup Node.js 18 - uses: actions/setup-node@v4 - with: - node-version: '18' - cache: 'npm' - - - name: Install dependencies - run: npm ci --unsafe-perm - - - name: Run compliance checks - run: | - npm run lint - npm run test_conditions - test: runs-on: ubuntu-latest permissions: @@ -49,9 +22,9 @@ jobs: strategy: fail-fast: false matrix: - node-version: ['18', '20', '22', 'latest'] + node-version: ['18.x', '20.x', '22.x', 'latest'] test-type: ['node', 'browser'] - test-category: ['coverage', 'vectors'] + test-category: ['coverage', 'vectors', 'compliance'] name: test-${{ matrix.test-category }}-${{ matrix.test-type }}${{ matrix.node-version }} steps: - name: Checkout code @@ -94,3 +67,10 @@ jobs: run: | npm run verdaccio-${{ matrix.test-type }}-decrypt npm run verdaccio-${{ matrix.test-type }}-encrypt + + - name: Run compliance tests + # Don't run linting or check Duvet requirements for published packages + if: ${{ matrix.test-category == 'compliance' && !inputs.test-published-packages }} + run: | + npm run lint + npm run test_conditions From 8b30dcdcddd8bb17153e9fa537d55370e9c63ca2 Mon Sep 17 00:00:00 2001 
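Review bot: Folding `compliance` into the matrix as a third `test-category` runs `npm run lint` and `npm run test_conditions` once per `test-type` × `node-version`, i.e. eight identical compliance runs per workflow, and each of them passes through the job's unconditional `Configure AWS Credentials for Tests` step (created earlier in this series, not in these hunks), so a lint run now assumes an IAM role it has no use for. Either keep compliance as its own job without the credential step, or add a matrix `exclude:` entry — `exclude:` / `- test-category: compliance` / `test-type: browser` — and gate the credential step on `matrix.test-category != 'compliance'`. The `if:` on the new step is correct as written, but note that the matrix still schedules, and then skips, the compliance entries when `test-published-packages` is true.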
From: Lucas McDonald Date: Mon, 17 Nov 2025 15:58:22 -0800 Subject: [PATCH 26/31] test on pr --- .github/workflows/prod-release.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/prod-release.yml b/.github/workflows/prod-release.yml index 1e568174..b4f751c6 100644 --- a/.github/workflows/prod-release.yml +++ b/.github/workflows/prod-release.yml @@ -4,6 +4,7 @@ permissions: id-token: write on: + pull_request: workflow_dispatch: inputs: version_bump: @@ -54,13 +55,14 @@ jobs: run: | git config --global user.name "aws-crypto-tools-ci-bot" git config --global user.email "no-reply@noemail.local" - git checkout $BRANCH + git checkout ${{ github.head_ref }} # Use PR branch or current branch - name: Version packages (dry run - no push) run: | - # Generate new version and CHANGELOG entry and push it - npx lerna version --conventional-commits --git-remote origin --yes ${VERSION_BUMP:+$VERSION_BUMP --force-publish} - # Log the commit for posterity + # For testing: no push to avoid modifying master branch + npx lerna version --conventional-commits --no-push --yes ${VERSION_BUMP:+$VERSION_BUMP --force-publish} + # TODO: uncomment line below and remove line above when adding publish step + # npx lerna version --conventional-commits --git-remote origin --yes ${VERSION_BUMP:+$VERSION_BUMP --force-publish} git log -n 1 # Once semantic versioning has run and bumped versions, publish to npm From c64bc61ff362a7b7f65de2bd961c7f9140f076ff Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Mon, 17 Nov 2025 16:13:51 -0800 Subject: [PATCH 27/31] m --- .github/workflows/shared-ci.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/shared-ci.yml b/.github/workflows/shared-ci.yml index 2942920f..a4f897dd 100644 --- a/.github/workflows/shared-ci.yml +++ b/.github/workflows/shared-ci.yml 
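Review bot: `git checkout ${{ github.head_ref }}` in the second hunk interpolates the PR head branch name straight into the shell script while the first hunk re-enables the `pull_request` trigger; the branch name is chosen by whoever opens the PR and the expression is expanded before bash parses the line, which is the standard expression-injection pattern. Even for a temporary test, pass it through the environment — `env:` / `HEAD_REF: ${{ github.head_ref }}` on the step and `git checkout "$HEAD_REF"` in the script — which also matches the `$BRANCH` form this line replaces. The step's `run:` block begins before the hunk. Since prod-release.yml grants `id-token: write` at workflow level, same-repository PR runs would inherit that while `pull_request:` is in place, so the commit message's "test on pr" intent deserves a `# TODO: remove before release` comment next to the trigger.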
@@ -24,8 +24,11 @@ jobs: matrix: node-version: ['18.x', '20.x', '22.x', 'latest'] test-type: ['node', 'browser'] - test-category: ['coverage', 'vectors', 'compliance'] - name: test-${{ matrix.test-category }}-${{ matrix.test-type }}${{ matrix.node-version }} + # Determine test categories based on whether testing published packages or source code: + # - Testing published packages: only run vector tests + # - Testing source code: run coverage, vector, and compliance tests + test-category: ${{ fromJSON(inputs.test-published-packages == 'true' && '["vectors"]' || '["coverage", "vectors", "compliance"]') }} + name: test-${{ matrix.test-category }}-${{ matrix.test-type }}-${{ matrix.node-version }} steps: - name: Checkout code # Always need repo for test scripts and configuration, even when testing published packages @@ -70,7 +73,7 @@ jobs: - name: Run compliance tests # Don't run linting or check Duvet requirements for published packages - if: ${{ matrix.test-category == 'compliance' && !inputs.test-published-packages }} + if: ${{ matrix.test-category == 'compliance'}} run: | npm run lint npm run test_conditions From e4430a4d5f0c688b0ea713525540e9eed7f57055 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Mon, 17 Nov 2025 16:16:42 -0800 Subject: [PATCH 28/31] m --- .github/workflows/shared-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/shared-ci.yml b/.github/workflows/shared-ci.yml index a4f897dd..e31ab47b 100644 --- a/.github/workflows/shared-ci.yml +++ b/.github/workflows/shared-ci.yml 
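Review bot: `inputs.test-published-packages == 'true'` compares a `type: boolean` input with a string; GitHub's expression comparison coerces mismatched types to numbers (`true` → 1, `'true'` → NaN, and NaN never compares equal), so the condition is always false and the full `["coverage", "vectors", "compliance"]` list is selected even for published-package validation. Use the boolean directly: `fromJSON(inputs['test-published-packages'] && '["vectors"]' || '["coverage", "vectors", "compliance"]')`. Because the second hunk removes the `!inputs.test-published-packages` guard from the compliance step's `if:`, that step now depends entirely on this matrix expression; keep the guard until the expression is fixed, and add a comment on the step such as `# compliance only appears in the matrix for source-code runs; see test-category above` so the coupling is explicit.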
@@ -27,7 +27,7 @@ jobs: # Determine test categories based on whether testing published packages or source code: # - Testing published packages: only run vector tests # - Testing source code: run coverage, vector, and compliance tests - test-category: ${{ fromJSON(inputs.test-published-packages == 'true' && '["vectors"]' || '["coverage", "vectors", "compliance"]') }} + test-category: ${{ fromJSON(inputs['test-published-packages'] && '["vectors"]' || '["coverage", "vectors", "compliance"]') }} name: test-${{ matrix.test-category }}-${{ matrix.test-type }}-${{ matrix.node-version }} steps: - name: Checkout code From 2862f82503c9294b4855e4860073e6f8933de5fc Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Mon, 17 Nov 2025 16:17:54 -0800 Subject: [PATCH 29/31] m --- .github/workflows/shared-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/shared-ci.yml b/.github/workflows/shared-ci.yml index e31ab47b..74ef2c06 100644 --- a/.github/workflows/shared-ci.yml +++ b/.github/workflows/shared-ci.yml @@ -25,7 +25,7 @@ jobs: node-version: ['18.x', '20.x', '22.x', 'latest'] test-type: ['node', 'browser'] # Determine test categories based on whether testing published packages or source code: - # - Testing published packages: only run vector tests + # - Testing published packages: only run vector tests (don't have build artifacts to test coverage or compliance) # - Testing source code: run coverage, vector, and compliance tests test-category: ${{ fromJSON(inputs['test-published-packages'] && '["vectors"]' || '["coverage", "vectors", "compliance"]') }} name: test-${{ matrix.test-category }}-${{ matrix.test-type }}-${{ matrix.node-version }} From cc90be57d470f7716179288d569c20d64dcb1fe7 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Mon, 17 Nov 2025 16:21:33 -0800 Subject: [PATCH 30/31] m --- .github/workflows/prod-release.yml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) 
diff --git a/.github/workflows/prod-release.yml b/.github/workflows/prod-release.yml index b4f751c6..1e568174 100644 --- a/.github/workflows/prod-release.yml +++ b/.github/workflows/prod-release.yml @@ -4,7 +4,6 @@ permissions: id-token: write on: - pull_request: workflow_dispatch: inputs: version_bump: @@ -55,14 +54,13 @@ jobs: run: | git config --global user.name "aws-crypto-tools-ci-bot" git config --global user.email "no-reply@noemail.local" - git checkout ${{ github.head_ref }} # Use PR branch or current branch + git checkout $BRANCH - name: Version packages (dry run - no push) run: | - # For testing: no push to avoid modifying master branch - npx lerna version --conventional-commits --no-push --yes ${VERSION_BUMP:+$VERSION_BUMP --force-publish} - # TODO: uncomment line below and remove line above when adding publish step - # npx lerna version --conventional-commits --git-remote origin --yes ${VERSION_BUMP:+$VERSION_BUMP --force-publish} + # Generate new version and CHANGELOG entry and push it + npx lerna version --conventional-commits --git-remote origin --yes ${VERSION_BUMP:+$VERSION_BUMP --force-publish} + # Log the commit for posterity git log -n 1 # Once semantic versioning has run and bumped versions, publish to npm From 96f321d38da511c1c5aa297c3a6dab1bf5b28c00 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Tue, 18 Nov 2025 13:07:55 -0800 Subject: [PATCH 31/31] m --- .github/workflows/ci.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7d035593..e299c734 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -9,3 +9,13 @@ on: [pull_request, workflow_call] jobs: shared-ci: uses: ./.github/workflows/shared-ci.yml + pr-ci-all-required: + if: always() + needs: + - shared-ci + runs-on: ubuntu-22.04 + steps: + - name: Verify all required jobs passed + uses: re-actors/alls-green@release/v1 + with: + jobs: ${{ toJSON(needs) }}
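Review bot: `re-actors/alls-green@release/v1` in the last hunk is a third-party action pinned to a moving branch, and `pr-ci-all-required` (`if: always()` plus `needs: [shared-ci]`) is evidently meant to be the single required status check for PRs, so whoever controls that branch controls whether a failing CI run is reported as green; pin it to a full commit SHA, `uses: re-actors/alls-green@<commit-sha> # release/v1`, or replace it with an inline check. The inline form is small because the job already receives the `needs` context: a step with `if: ${{ needs.shared-ci.result != 'success' }}` / `run: exit 1` fails the gate on any non-success result, including skipped and cancelled. `runs-on: ubuntu-22.04` also differs from the `ubuntu-latest` used everywhere else in this series; either is fine, but a pinned image deserves a one-line comment saying why.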