Merged
72 changes: 13 additions & 59 deletions .github/workflows/ci.yml
@@ -1,67 +1,21 @@
# This workflow performs tests in JavaScript.
name: ESDK JavaScript CI Tests
permissions:
contents: read
id-token: write

on: [pull_request, workflow_call]

jobs:
CI:
strategy:
matrix:
node: [18.x, 20.x, 22.x, latest]
fail-fast: false
runs-on: codebuild-AWS-ESDK-JS-Release-${{ github.run_id }}-${{ github.run_attempt }}-ubuntu-5.0-large
permissions:
id-token: write
contents: read
defaults:
run:
shell: bash
shared-ci:
uses: ./.github/workflows/shared-ci.yml
pr-ci-all-required:
if: always()
needs:
- shared-ci
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
- name: Verify all required jobs passed
uses: re-actors/alls-green@release/v1
with:
submodules: true
- uses: actions/setup-node@v4
with:
node-version: ${{matrix.node}}
- name: Configure AWS Credentials for Tests
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: us-west-2
role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2
role-session-name: JavaScriptTests
- name: Test Coverage Node ${{matrix.node}}
env:
NODE_OPTIONS: "--max-old-space-size=4096"
run: |
npm ci
npm run build
npm run coverage-node
- name: Test Coverage Browser ${{matrix.node}}
env:
NODE_OPTIONS: "--max-old-space-size=4096"
run: |
npm run coverage-browser
- name: Test compliance
env:
NODE_OPTIONS: "--max-old-space-size=4096"
run: |
npm run lint
npm run test_conditions
- name: Run Test Vectors Node ${{matrix.node}}
env:
NODE_OPTIONS: "--max-old-space-size=4096"
NPM_CONFIG_UNSAFE_PERM: true
PUBLISH_LOCAL: true
run: |
npm run verdaccio-publish
npm run verdaccio-node-decrypt
npm run verdaccio-node-encrypt
- name: Run Test Vectors Browser node ${{matrix.node}}
env:
NODE_OPTIONS: "--max-old-space-size=4096"
NPM_CONFIG_UNSAFE_PERM: true
PUBLISH_LOCAL: true
run: |
npm run verdaccio-publish
npm run verdaccio-browser-decrypt
npm run verdaccio-browser-encrypt
jobs: ${{ toJSON(needs) }}
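Review bot: `re-actors/alls-green@release/v1` in the `pr-ci-all-required` job is a third-party action referenced by a branch name, so whatever that branch points to at run time executes inside this workflow. The job declares no `permissions:` of its own, so, if the top-level `permissions:` block is on the new side of this change, it runs with `id-token: write` although it only evaluates `needs`. Pin the action to a full commit SHA (`uses: re-actors/alls-green@<full-commit-sha>  # release/v1`) and add `permissions: {}` to that job. The +/- markers are lost on this page, so which lines belong to the 21-line new file is inferred rather than shown.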
76 changes: 76 additions & 0 deletions .github/workflows/prod-release.yml
@@ -0,0 +1,76 @@
name: Release
permissions:
contents: read
id-token: write

on:
workflow_dispatch:
inputs:
version_bump:
required: false
description: '[Optional] Override semantic versioning with explict version (allowed values: "patch", "minor", "major", or explicit version)'
default: ''
dist_tag:
description: 'NPM distribution tag'
required: false
default: 'latest'
branch:
description: 'The branch to release from'
required: false
default: 'master'

env:
NODE_OPTIONS: "--max-old-space-size=4096"
NPM_CONFIG_UNSAFE_PERM: true

jobs:
pre-release-ci:
uses: ./.github/workflows/shared-ci.yml

# Once all tests have passed, run semantic versioning
version:
runs-on: ubuntu-latest
needs: [pre-release-ci]
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
submodules: true

- name: Setup Node.js 16
Contributor


Why 16?

Contributor Author


That's what the CodeBuild uses today

uses: actions/setup-node@v4
with:
node-version: '16'
cache: 'npm'

- name: Install dependencies
run: npm ci --unsafe-perm

- name: Configure git
env:
BRANCH: ${{ github.event.inputs.branch }}
VERSION_BUMP: ${{ github.event.inputs.version_bump }}
run: |
git config --global user.name "aws-crypto-tools-ci-bot"
git config --global user.email "no-reply@noemail.local"
git checkout $BRANCH

- name: Version packages (dry run - no push)
run: |
# Generate new version and CHANGELOG entry and push it
npx lerna version --conventional-commits --git-remote origin --yes ${VERSION_BUMP:+$VERSION_BUMP --force-publish}
# Log the commit for posterity
git log -n 1

# Once semantic versioning has run and bumped versions, publish to npm
# TODO: Publish step that doesn't use OTP but instead follows
# https://docs.npmjs.com/trusted-publishers

# Once publishing is complete, validate that the published packages are useable
validate:
uses: ./.github/workflows/shared-ci.yml
# TODO: Uncomment when adding publish step
# needs: [publish]
with:
test-published-packages: true
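Review bot: `VERSION_BUMP` is defined only in the `env:` of the "Configure git" step, and step-level `env` does not carry over to later steps, so in "Version packages" the expansion `${VERSION_BUMP:+$VERSION_BUMP --force-publish}` is always empty and the `version_bump` input is silently ignored. Move `VERSION_BUMP: ${{ github.event.inputs.version_bump }}` into an `env:` block on the "Version packages" step. That step is also named "dry run - no push" while `lerna version` is called without `--no-push` and its own comment says "push it"; with `contents: read` the push would presumably be rejected and fail the step, so the command should state the intent explicitly. In "Configure git", quote the input-derived variable, `git checkout "$BRANCH"`, so the shell does not word-split or glob-expand the branch value.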
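--- a/.github/workflows/shared-ci.yml
+++ b/.github/workflows/shared-ci.yml
@@ -0,0 +1,79 @@
+name: Shared CI Tests
+
+on:
+workflow_call:
+inputs:
+test-published-packages:
+description: 'Test against published packages instead of checked out code'
+required: false
+type: boolean
+default: false
+
+env:
+NODE_OPTIONS: "--max-old-space-size=4096"
+NPM_CONFIG_UNSAFE_PERM: true
+
+jobs:
+test:
+runs-on: ubuntu-latest
+permissions:
+id-token: write
+contents: read
+strategy:
+fail-fast: false
+matrix:
+node-version: ['18.x', '20.x', '22.x', 'latest']
+test-type: ['node', 'browser']
+# Determine test categories based on whether testing published packages or source code:
+# - Testing published packages: only run vector tests (don't have build artifacts to test coverage or compliance)
+# - Testing source code: run coverage, vector, and compliance tests
+test-category: ${{ fromJSON(inputs['test-published-packages'] && '["vectors"]' || '["coverage", "vectors", "compliance"]') }}
+name: test-${{ matrix.test-category }}-${{ matrix.test-type }}-${{ matrix.node-version }}
+steps:
+- name: Checkout code
+# Always need repo for test scripts and configuration, even when testing published packages
+uses: actions/checkout@v4
+with:
+fetch-depth: 0
+submodules: true
+
+- name: Setup Node.js ${{ matrix.node-version }}
+uses: actions/setup-node@v4
+with:
+node-version: ${{ matrix.node-version }}
+cache: 'npm'
+
+- name: Configure AWS Credentials for Tests
+uses: aws-actions/configure-aws-credentials@v4
+with:
+aws-region: us-west-2
+role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2
+role-session-name: JavaScriptTests
+
+- name: Install dependencies
+run: npm ci --unsafe-perm
+
+- name: Build (for source code testing)
+if: ${{ !inputs.test-published-packages }}
+run: npm run build
+
+- name: Run coverage tests (${{ matrix.test-type }})
+if: ${{ matrix.test-category == 'coverage' }}
+run: npm run coverage-${{ matrix.test-type }}
+
+- name: Publish locally for vector tests
+if: ${{ matrix.test-category == 'vectors' && !inputs.test-published-packages }}
+run: npm run verdaccio-publish
+
+- name: Run vector tests (${{ matrix.test-type }})
+if: ${{ matrix.test-category == 'vectors' }}
+run: |
+npm run verdaccio-${{ matrix.test-type }}-decrypt
+npm run verdaccio-${{ matrix.test-type }}-encrypt
+
+- name: Run compliance tests
+# Don't run linting or check Duvet requirements for published packages
+if: ${{ matrix.test-category == 'compliance'}}
+run: |
+npm run lint
+npm run test_conditions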
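Review bot: "Configure AWS Credentials for Tests" runs before `npm ci --unsafe-perm` and `npm run build`, so dependency install scripts and build scripts in every matrix cell execute with the assumed role's credentials exported in the environment, including the `compliance` cells that only run `npm run lint` and `npm run test_conditions`. Move the credentials step to just before the first step that actually calls AWS, and, if lint and `test_conditions` make no AWS calls (not visible here), add `if: ${{ matrix.test-category != 'compliance' }}` to it. This matters more when `test-published-packages` is true, because per the input's description the code under test then comes from published packages rather than the checkout. Pinning `aws-actions/configure-aws-credentials` to a full commit SHA instead of `@v4` would also fix which code handles the OIDC token.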
2 changes: 1 addition & 1 deletion package.json
Expand Up @@ -26,7 +26,7 @@
"build-browser": "tsc -b tsconfig.module.json",
"build": "run-s build-*",
"karma": "NODE_OPTIONS=--max-old-space-size=4096 karma start karma.conf.js",
"mocha": "mocha --exclude 'modules/*-+(browser|backend)/build/main/test/*.js' modules/**/build/main/test/*test.js",
"mocha": "mocha --timeout 5000 --exclude 'modules/*-+(browser|backend)/build/main/test/*.js' modules/**/build/main/test/*test.js",
"coverage-browser": "npm run karma && nyc report -t .karma_output --check-coverage",
"coverage-node": "nyc --instrument --all --check-coverage -n 'modules/**/build/main/src/*.js' -x 'modules/**/build/main/test/*.js' -x 'modules/*-+(browser|backend)/**/*.js' npm run mocha",
"coverage-merge": "nyc merge .karma_output .nyc_output/browser.json",