aws · skmcgrail · Nov 14, 2025 · Nov 13, 2025 · Nov 13, 2025 · sgmenda-aws
@@ -0,0 +1,27 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+
+name: 'configure-aws-credentials'
+description: 'A helper for configure AWS credentials for AWS-LC GitHub actions'
+inputs:
+  roleName:
+    description: "The target IAM role to assume using the OIDC role credentials"
+    required: true
+    default: 'AwsLcGitHubActionStandardRole'
+runs:
+  using: 'composite'
+  steps:
+    - name: Query Environment
+      id: env
+      shell: bash
+      run: |
+        echo aws_account_id=${AWS_ACCOUNT_ID} >> "$GITHUB_OUTPUT"
+    - name: Retrieve OIDC Role Credentials
+      uses: aws-actions/configure-aws-credentials@v5
+      with:
+        role-to-assume: arn:aws:iam::${{ steps.env.outputs.aws_account_id }}:role/AwsLcGitHubActionsOidcRole
+    - name: Retrieve GitHub Actions Role Credentials
+      uses: aws-actions/configure-aws-credentials@v5
+      with:
+        role-to-assume: arn:aws:iam::${{ steps.env.outputs.aws_account_id }}:role/${{ inputs.roleName }}
+        role-chaining: true
@@ -0,0 +1,94 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+
+FROM public.ecr.aws/ubuntu/ubuntu:24.04 AS base
+
+SHELL ["/bin/bash", "-c"]
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+
+ENV ANDROID_SDK_URL=commandlinetools-linux-13114758_latest
+ENV ANDROID_HOME=/opt/sdk
+ENV ANDROID_SDK_ROOT=/opt/sdk
+ENV GRADLE_VERSION=gradle-7.6.4
+ENV GOROOT=/usr/local/go
+ENV PATH="$GOROOT/bin:/opt/sdk/cmdline-tools/latest/bin:$PATH"
+# ------------------------------------------------------
+# --- Android SDK
+
+RUN <<EOF
+set -ex
+apt-get update -y
+apt-get -y --no-install-recommends upgrade
+apt-get -y --no-install-recommends install \
+    git \
+    libunwind-dev \
+    openjdk-17-jdk \
+    perl \
+    python3.12 \
+    python3.12-venv \
+    python3-pip \
+    unzip \
+    wget
+EOF
+
+# Setup Android SDK
+RUN <<EOF
+# Set Java 17 as default
+export JAVA17_ALT=$(update-alternatives --list java | grep java-17 | head -1)
+update-alternatives --set java $JAVA17_ALT
+
+# Set Java 17 for SDK manager compatibility
+export JAVA_HOME=$(find /usr/lib/jvm -name "*java-17*" -type d | head -1)
+export PATH=$JAVA_HOME/bin:$PATH
+
+# install android-sdk from url source
+mkdir /opt/sdk
+mkdir /opt/sdk/cmdline-tools
+mkdir /opt/cmdline-tools-tmp
+cd /opt/cmdline-tools-tmp
+wget -q https://dl.google.com/android/repository/${ANDROID_SDK_URL}.zip
+unzip ${ANDROID_SDK_URL}.zip
+
+# move to its final location and export path
+mv ./cmdline-tools ${ANDROID_HOME}/cmdline-tools/latest
+cd $ANDROID_HOME/cmdline-tools/latest/bin
+./sdkmanager --update
+yes | ./sdkmanager --licenses
+
+# Preinstall AWSLCAndroidTestRunner android dependencies, so they don't need to be
+# rebuilt for each new gradle build run.
+./sdkmanager "ndk;28.2.13676358" \
+    "build-tools;33.0.3" \
+    "cmake;3.18.1" \
+    "platforms;android-30"
+
+cd /opt
+wget -q https://services.gradle.org/distributions/${GRADLE_VERSION}-all.zip
+rm -rf /opt/cmdline-tools-tmp
+rm -rf /tmp/*
+EOF
+
+# Preinstall gradle dependencies, so they don't need to be redownloaded in the CI.
+COPY . /tmp/triggerGradleDownloads/
+
+RUN <<EOF
+cd /tmp/triggerGradleDownloads
+echo "JAVA_HOME=$JAVA_HOME"
+java -version
+echo "PATH=$PATH"
+./gradlew --no-daemon --refresh-dependencies androidDependencies lint
+EOF
+
+# Install Go
+ENV GOENV_ROOT="/.goenv"
+ENV PATH="${GOENV_ROOT}/shims:${GOENV_ROOT}/bin:/go/bin:$PATH"
+
+COPY --from=scripts setup-go-compiler.sh /tmp
+RUN <<EOF
+setup_script="/tmp/setup-go-compiler.sh"
+${setup_script}
+EOF
+
+RUN rm -rf /tmp/*
@@ -0,0 +1,102 @@
+name: image-build-android
+on:
+  workflow_call:
+    inputs:
+      concurrency_prefix:
+        default: image-build-android
+        required: false
+        type: string
+  workflow_dispatch:
+  push:
+    branches: [main]
+    paths:
+      - .github/docker_images/aws-lc/android/Dockerfile
+      - .github/docker_images/scripts/**
+  pull_request_target:
+    branches: [main]
+    paths:
+      - .github/docker_images/aws-lc/android/Dockerfile
+      - .github/docker_images/scripts/**
+concurrency:
+  group: ${{ inputs.concurrency_prefix || github.workflow }}-${{ github.ref_name }}
+  cancel-in-progress: true
+env:
+  GOPROXY: https://proxy.golang.org,direct
+  DOCKER_BUILD_RECORD_UPLOAD: false
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  build:
+    runs-on:
+      codebuild-aws-lc-ci-github-actions-${{ github.run_id }}-${{ github.run_attempt }}
+      image:linux-5.0
+      instance-size:small
+    outputs:
+      android: ${{ steps.images.outputs.latest }}
+    steps:
+      - uses: actions/checkout@v5
+      - name: Query Environment
+        id: env
+        run: |
+          echo staging_url=${ECR_STAGING_REPO} >> "$GITHUB_OUTPUT"
+      - name: Retrieve Credentials
+        uses: ./.github/actions/configure-aws-credentials
+        with:
+          roleName: AwsLcGitHubActionDockerImageBuildRole
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+      - name: Generate Staging Image Names
+        id: images
+        run: |
+          echo latest=${{ steps.env.outputs.staging_url }}:$(uuidgen) >> "$GITHUB_OUTPUT"
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - uses: docker/build-push-action@v6
+        with:
+          file: ./.github/docker_images/aws-lc/android/Dockerfile
+          context: ./.github/docker_images/aws-lc/android
+          build-contexts: |
+            scripts=./.github/docker_images/scripts
+          tags: ${{ steps.images.outputs.latest }}
+          push: true
+      - uses: ./.github/actions/codebuild-docker-run
+        name: Validate Container
+        with:
+          image: ${{ steps.images.outputs.latest }}
+          run: |
+            ./.github/docker_images/scripts/verify-go-version.sh 1.25
+
+  push:
+    if: ${{ github.event_name != 'pull_request' }}
+    runs-on:
+      codebuild-aws-lc-ci-github-actions-${{ github.run_id }}-${{ github.run_attempt }}
+      image:linux-5.0
+      instance-size:small
+    needs:
+      - build
+    outputs:
+      android: ${{ steps.images.outputs.android }}
+    steps:
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+      - name: Get ECR Registry & Repository Details
+        id: ecr
+        run: |
+          echo registry_url=${ECR_REGISTRY_URL} >> "$GITHUB_OUTPUT"
+      - name: Generate Staging Image Names
+        id: images
+        run: |
+          echo latest=${{ steps.ecr.outputs.registry_url }}/aws-lc/android:latest >> "$GITHUB_OUTPUT"
+      - name: Pull Images From Staging
+        run: |
+          docker pull ${{ needs.build.outputs.android }}
+      - name: Tag Images
+        run: |
+          docker tag ${{ needs.build.outputs.android }} ${{ steps.images.outputs.latest }}
+      - name: Push Images
+        run: |
+          docker push ${{ steps.images.outputs.latest }}
@@ -49,3 +49,5 @@ jobs:
     uses: ./.github/workflows/image-build-windows.yml
   verification:
     uses: ./.github/workflows/image-build-formal-verification.yml
+  android:
+    uses: ./.github/workflows/image-build-android.yml