From 6d6e6284d714993562d2f5f2be9b187c49d4aac8 Mon Sep 17 00:00:00 2001
From: Sean McGrail <mcgrails@amazon.com>
Date: Thu, 13 Nov 2025 19:58:22 +0000
Subject: [PATCH 1/2] Migrate Android build files to new docker image directory

---
 .../docker_images/aws-lc/android}/Dockerfile        |   0
 .../docker_images/aws-lc/android}/build.gradle      |   0
 .../docker_images/aws-lc/android}/gradle.properties |   0
 .../android}/gradle/wrapper/gradle-wrapper.jar      | Bin
 .../gradle/wrapper/gradle-wrapper.properties        |   0
 .../docker_images/aws-lc/android}/gradlew           |   0
 .../docker_images/aws-lc/android}/settings.gradle   |   0
 .../aws-lc/android}/src/main/AndroidManifest.xml    |   0
 8 files changed, 0 insertions(+), 0 deletions(-)
 rename {tests/ci/docker_images/linux-x86/ubuntu-24.04_android => .github/docker_images/aws-lc/android}/Dockerfile (100%)
 rename {tests/ci/docker_images/linux-x86/ubuntu-24.04_android => .github/docker_images/aws-lc/android}/build.gradle (100%)
 rename {tests/ci/docker_images/linux-x86/ubuntu-24.04_android => .github/docker_images/aws-lc/android}/gradle.properties (100%)
 rename {tests/ci/docker_images/linux-x86/ubuntu-24.04_android => .github/docker_images/aws-lc/android}/gradle/wrapper/gradle-wrapper.jar (100%)
 rename {tests/ci/docker_images/linux-x86/ubuntu-24.04_android => .github/docker_images/aws-lc/android}/gradle/wrapper/gradle-wrapper.properties (100%)
 rename {tests/ci/docker_images/linux-x86/ubuntu-24.04_android => .github/docker_images/aws-lc/android}/gradlew (100%)
 rename {tests/ci/docker_images/linux-x86/ubuntu-24.04_android => .github/docker_images/aws-lc/android}/settings.gradle (100%)
 rename {tests/ci/docker_images/linux-x86/ubuntu-24.04_android => .github/docker_images/aws-lc/android}/src/main/AndroidManifest.xml (100%)

diff --git a/tests/ci/docker_images/linux-x86/ubuntu-24.04_android/Dockerfile b/.github/docker_images/aws-lc/android/Dockerfile
similarity index 100%
rename from tests/ci/docker_images/linux-x86/ubuntu-24.04_android/Dockerfile
rename to .github/docker_images/aws-lc/android/Dockerfile
diff --git a/tests/ci/docker_images/linux-x86/ubuntu-24.04_android/build.gradle b/.github/docker_images/aws-lc/android/build.gradle
similarity index 100%
rename from tests/ci/docker_images/linux-x86/ubuntu-24.04_android/build.gradle
rename to .github/docker_images/aws-lc/android/build.gradle
diff --git a/tests/ci/docker_images/linux-x86/ubuntu-24.04_android/gradle.properties b/.github/docker_images/aws-lc/android/gradle.properties
similarity index 100%
rename from tests/ci/docker_images/linux-x86/ubuntu-24.04_android/gradle.properties
rename to .github/docker_images/aws-lc/android/gradle.properties
diff --git a/tests/ci/docker_images/linux-x86/ubuntu-24.04_android/gradle/wrapper/gradle-wrapper.jar b/.github/docker_images/aws-lc/android/gradle/wrapper/gradle-wrapper.jar
similarity index 100%
rename from tests/ci/docker_images/linux-x86/ubuntu-24.04_android/gradle/wrapper/gradle-wrapper.jar
rename to .github/docker_images/aws-lc/android/gradle/wrapper/gradle-wrapper.jar
diff --git a/tests/ci/docker_images/linux-x86/ubuntu-24.04_android/gradle/wrapper/gradle-wrapper.properties b/.github/docker_images/aws-lc/android/gradle/wrapper/gradle-wrapper.properties
similarity index 100%
rename from tests/ci/docker_images/linux-x86/ubuntu-24.04_android/gradle/wrapper/gradle-wrapper.properties
rename to .github/docker_images/aws-lc/android/gradle/wrapper/gradle-wrapper.properties
diff --git a/tests/ci/docker_images/linux-x86/ubuntu-24.04_android/gradlew b/.github/docker_images/aws-lc/android/gradlew
similarity index 100%
rename from tests/ci/docker_images/linux-x86/ubuntu-24.04_android/gradlew
rename to .github/docker_images/aws-lc/android/gradlew
diff --git a/tests/ci/docker_images/linux-x86/ubuntu-24.04_android/settings.gradle b/.github/docker_images/aws-lc/android/settings.gradle
similarity index 100%
rename from tests/ci/docker_images/linux-x86/ubuntu-24.04_android/settings.gradle
rename to .github/docker_images/aws-lc/android/settings.gradle
diff --git a/tests/ci/docker_images/linux-x86/ubuntu-24.04_android/src/main/AndroidManifest.xml b/.github/docker_images/aws-lc/android/src/main/AndroidManifest.xml
similarity index 100%
rename from tests/ci/docker_images/linux-x86/ubuntu-24.04_android/src/main/AndroidManifest.xml
rename to .github/docker_images/aws-lc/android/src/main/AndroidManifest.xml

From 5099f0b739421972de01094f08297701f205ea12 Mon Sep 17 00:00:00 2001
From: Sean McGrail <mcgrails@amazon.com>
Date: Thu, 13 Nov 2025 22:58:13 +0000
Subject: [PATCH 2/2] Add Android Workflow Build

---
 .../configure-aws-credentials/action.yml      |  27 +++++
 .../docker_images/aws-lc/android/Dockerfile   | 104 +++++++++++-------
 .github/workflows/image-build-android.yml     | 102 +++++++++++++++++
 .github/workflows/image-build.yml             |   2 +
 4 files changed, 195 insertions(+), 40 deletions(-)
 create mode 100644 .github/actions/configure-aws-credentials/action.yml
 create mode 100644 .github/workflows/image-build-android.yml

diff --git a/.github/actions/configure-aws-credentials/action.yml b/.github/actions/configure-aws-credentials/action.yml
new file mode 100644
index 00000000000..cca5f4fae04
--- /dev/null
+++ b/.github/actions/configure-aws-credentials/action.yml
@@ -0,0 +1,27 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+
+name: 'configure-aws-credentials'
+description: 'A helper for configure AWS credentials for AWS-LC GitHub actions'
+inputs:
+  roleName:
+    description: "The target IAM role to assume using the OIDC role credentials"
+    required: true
+    default: 'AwsLcGitHubActionStandardRole'
+runs:
+  using: 'composite'
+  steps:
+    - name: Query Environment
+      id: env
+      shell: bash
+      run: |
+        echo aws_account_id=${AWS_ACCOUNT_ID} >> "$GITHUB_OUTPUT"
+    - name: Retrieve OIDC Role Credentials
+      uses: aws-actions/configure-aws-credentials@v5
+      with:
+        role-to-assume: arn:aws:iam::${{ steps.env.outputs.aws_account_id }}:role/AwsLcGitHubActionsOidcRole
+    - name: Retrieve GitHub Actions Role Credentials
+      uses: aws-actions/configure-aws-credentials@v5
+      with:
+        role-to-assume: arn:aws:iam::${{ steps.env.outputs.aws_account_id }}:role/${{ inputs.roleName }}
+        role-chaining: true
diff --git a/.github/docker_images/aws-lc/android/Dockerfile b/.github/docker_images/aws-lc/android/Dockerfile
index dd64b609952..1c85cd77409 100644
--- a/.github/docker_images/aws-lc/android/Dockerfile
+++ b/.github/docker_images/aws-lc/android/Dockerfile
@@ -1,7 +1,7 @@
 # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0 OR ISC
 
-FROM ubuntu:24.04
+FROM public.ecr.aws/ubuntu/ubuntu:24.04 AS base
 
 SHELL ["/bin/bash", "-c"]
 
@@ -17,54 +17,78 @@ ENV PATH="$GOROOT/bin:/opt/sdk/cmdline-tools/latest/bin:$PATH"
 # ------------------------------------------------------
 # --- Android SDK
 
-RUN set -ex && \
-    apt-get update -y && \
-    apt-get -y --no-install-recommends upgrade && \
-    apt-get -y --no-install-recommends install \
+RUN <<EOF
+set -ex
+apt-get update -y
+apt-get -y --no-install-recommends upgrade
+apt-get -y --no-install-recommends install \
+    git \
+    libunwind-dev \
+    openjdk-17-jdk \
+    perl \
     python3.12 \
     python3.12-venv \
     python3-pip \
-    openjdk-17-jdk \
-    perl \
-    libunwind-dev \
-    wget \
-    unzip && \
+    unzip \
+    wget
+EOF
+
+# Setup Android SDK
+RUN <<EOF
 # Set Java 17 as default
-    export JAVA17_ALT=$(update-alternatives --list java | grep java-17 | head -1) && \
-    update-alternatives --set java $JAVA17_ALT && \
+export JAVA17_ALT=$(update-alternatives --list java | grep java-17 | head -1)
+update-alternatives --set java $JAVA17_ALT
+
 # Set Java 17 for SDK manager compatibility
-    export JAVA_HOME=$(find /usr/lib/jvm -name "*java-17*" -type d | head -1) && \
-    export PATH=$JAVA_HOME/bin:$PATH && \
+export JAVA_HOME=$(find /usr/lib/jvm -name "*java-17*" -type d | head -1)
+export PATH=$JAVA_HOME/bin:$PATH
+
 # install android-sdk from url source
-    mkdir /opt/sdk && \
-    mkdir /opt/sdk/cmdline-tools && \
-    mkdir /opt/cmdline-tools-tmp && \
-    cd /opt/cmdline-tools-tmp && \
-    wget -q https://dl.google.com/android/repository/${ANDROID_SDK_URL}.zip && \
-    unzip  ${ANDROID_SDK_URL}.zip && \
+mkdir /opt/sdk
+mkdir /opt/sdk/cmdline-tools
+mkdir /opt/cmdline-tools-tmp
+cd /opt/cmdline-tools-tmp
+wget -q https://dl.google.com/android/repository/${ANDROID_SDK_URL}.zip
+unzip ${ANDROID_SDK_URL}.zip
+
 # move to its final location and export path
-    mv ./cmdline-tools ${ANDROID_HOME}/cmdline-tools/latest && \
-    cd $ANDROID_HOME/cmdline-tools/latest/bin && \
-    ./sdkmanager --update && \
-    yes | ./sdkmanager --licenses && \
+mv ./cmdline-tools ${ANDROID_HOME}/cmdline-tools/latest
+cd $ANDROID_HOME/cmdline-tools/latest/bin
+./sdkmanager --update
+yes | ./sdkmanager --licenses
+
 # Preinstall AWSLCAndroidTestRunner android dependencies, so they don't need to be
 # rebuilt for each new gradle build run.
-    ./sdkmanager "ndk;28.2.13676358" \
+./sdkmanager "ndk;28.2.13676358" \
     "build-tools;33.0.3" \
     "cmake;3.18.1" \
-    "platforms;android-30" && \
-    cd /opt && \
-    wget -q https://services.gradle.org/distributions/${GRADLE_VERSION}-all.zip && \
-    rm -rf /opt/cmdline-tools-tmp && \
-    rm -rf /tmp/*
+    "platforms;android-30"
+
+cd /opt
+wget -q https://services.gradle.org/distributions/${GRADLE_VERSION}-all.zip
+rm -rf /opt/cmdline-tools-tmp
+rm -rf /tmp/*
+EOF
+
 # Preinstall gradle dependencies, so they don't need to be redownloaded in the CI.
-COPY linux-x86/ubuntu-24.04_android /tmp/triggerGradleDownloads/
-RUN  cd /tmp/triggerGradleDownloads && \
-     echo "JAVA_HOME=$JAVA_HOME" && \
-     java -version && \
-     echo "PATH=$PATH" && \
-     ./gradlew --no-daemon --refresh-dependencies androidDependencies lint && \
-     rm -rf /tmp/triggerGradleDownloads
-
-COPY dependencies/install_common_dependencies.sh /
-RUN set -ex && /install_common_dependencies.sh && rm install_common_dependencies.sh
+COPY . /tmp/triggerGradleDownloads/
+
+RUN <<EOF
+cd /tmp/triggerGradleDownloads
+echo "JAVA_HOME=$JAVA_HOME"
+java -version
+echo "PATH=$PATH"
+./gradlew --no-daemon --refresh-dependencies androidDependencies lint
+EOF
+
+# Install Go
+ENV GOENV_ROOT="/.goenv"
+ENV PATH="${GOENV_ROOT}/shims:${GOENV_ROOT}/bin:/go/bin:$PATH"
+
+COPY --from=scripts setup-go-compiler.sh /tmp
+RUN <<EOF
+setup_script="/tmp/setup-go-compiler.sh"
+${setup_script}
+EOF
+
+RUN rm -rf /tmp/*
diff --git a/.github/workflows/image-build-android.yml b/.github/workflows/image-build-android.yml
new file mode 100644
index 00000000000..3ab9a07c498
--- /dev/null
+++ b/.github/workflows/image-build-android.yml
@@ -0,0 +1,102 @@
+name: image-build-android
+on:
+  workflow_call:
+    inputs:
+      concurrency_prefix:
+        default: image-build-android
+        required: false
+        type: string
+  workflow_dispatch:
+  push:
+    branches: [main]
+    paths:
+      - .github/docker_images/aws-lc/android/Dockerfile
+      - .github/docker_images/scripts/**
+  pull_request_target:
+    branches: [main]
+    paths:
+      - .github/docker_images/aws-lc/android/Dockerfile
+      - .github/docker_images/scripts/**
+concurrency:
+  group: ${{ inputs.concurrency_prefix || github.workflow }}-${{ github.ref_name }}
+  cancel-in-progress: true
+env:
+  GOPROXY: https://proxy.golang.org,direct
+  DOCKER_BUILD_RECORD_UPLOAD: false
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  build:
+    runs-on:
+      codebuild-aws-lc-ci-github-actions-${{ github.run_id }}-${{ github.run_attempt }}
+      image:linux-5.0
+      instance-size:small
+    outputs:
+      android: ${{ steps.images.outputs.latest }}
+    steps:
+      - uses: actions/checkout@v5
+      - name: Query Environment
+        id: env
+        run: |
+          echo staging_url=${ECR_STAGING_REPO} >> "$GITHUB_OUTPUT"
+      - name: Retrieve Credentials
+        uses: ./.github/actions/configure-aws-credentials
+        with:
+          roleName: AwsLcGitHubActionDockerImageBuildRole
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+      - name: Generate Staging Image Names
+        id: images
+        run: |
+          echo latest=${{ steps.env.outputs.staging_url }}:$(uuidgen) >> "$GITHUB_OUTPUT"
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - uses: docker/build-push-action@v6
+        with:
+          file: ./.github/docker_images/aws-lc/android/Dockerfile
+          context: ./.github/docker_images/aws-lc/android
+          build-contexts: |
+            scripts=./.github/docker_images/scripts
+          tags: ${{ steps.images.outputs.latest }}
+          push: true
+      - uses: ./.github/actions/codebuild-docker-run
+        name: Validate Container
+        with:
+          image: ${{ steps.images.outputs.latest }}
+          run: |
+            ./.github/docker_images/scripts/verify-go-version.sh 1.25
+
+  push:
+    if: ${{ github.event_name != 'pull_request' }}
+    runs-on:
+      codebuild-aws-lc-ci-github-actions-${{ github.run_id }}-${{ github.run_attempt }}
+      image:linux-5.0
+      instance-size:small
+    needs:
+      - build
+    outputs:
+      android: ${{ steps.images.outputs.android }}
+    steps:
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+      - name: Get ECR Registry & Repository Details
+        id: ecr
+        run: |
+          echo registry_url=${ECR_REGISTRY_URL} >> "$GITHUB_OUTPUT"
+      - name: Generate Staging Image Names
+        id: images
+        run: |
+          echo latest=${{ steps.ecr.outputs.registry_url }}/aws-lc/android:latest >> "$GITHUB_OUTPUT"
+      - name: Pull Images From Staging
+        run: |
+          docker pull ${{ needs.build.outputs.android }}
+      - name: Tag Images
+        run: |
+          docker tag ${{ needs.build.outputs.android }} ${{ steps.images.outputs.latest }}
+      - name: Push Images
+        run: |
+          docker push ${{ steps.images.outputs.latest }}
diff --git a/.github/workflows/image-build.yml b/.github/workflows/image-build.yml
index 0f3f66565ae..830b3eef932 100644
--- a/.github/workflows/image-build.yml
+++ b/.github/workflows/image-build.yml
@@ -49,3 +49,5 @@ jobs:
     uses: ./.github/workflows/image-build-windows.yml
   verification:
     uses: ./.github/workflows/image-build-formal-verification.yml
+  android:
+    uses: ./.github/workflows/image-build-android.yml
\ No newline at end of file