Unverified Commit 7ace5031 authored by ysaito1001's avatar ysaito1001 Committed by GitHub
Browse files

Remove merge queue (#4124) 

The merge queue was introduced when there were around 10 developers
working simultaneously in this repository. However, with the fewer
number of developers, the value of the queue has diminished. In some
cases, the wait time in the queue can delay the release of urgent fixes.

Note that we can re-enable the merge queue in the future if needed.

----

_By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice._
parent 855a457a

.github/workflows/ci-merge-queue.yml

deleted100644 → 0
+0 −103
Original line number Diff line number Diff line 
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.

# SPDX-License-Identifier: Apache-2.0



# This workflow runs CI for the GitHub merge queue.



name: Merge Queue CI

on:

  merge_group:

    types: [checks_requested]



# Allow one instance of this workflow per merge

concurrency:

  group: ci-merge-queue-yml-${{ github.ref }}

  cancel-in-progress: true



env:

  ecr_repository: public.ecr.aws/w0m4q9l7/github-awslabs-smithy-rs-ci



permissions:

  actions: read

  contents: read

  id-token: write

  pull-requests: read



jobs:

  # This job will, if possible, save a docker login password to the job outputs. The token will

  # be encrypted with the passphrase stored as a GitHub secret. The login password expires after 12h.

  # The login password is encrypted with the repo secret DOCKER_LOGIN_TOKEN_PASSPHRASE

  save-docker-login-token:

    name: Save a docker login token

    timeout-minutes: 10

    outputs:

      docker-login-password: ${{ steps.set-token.outputs.docker-login-password }}

    permissions:

      id-token: write

      contents: read

    continue-on-error: true

    runs-on: ubuntu-latest

    steps:

    - uses: GitHubSecurityLab/actions-permissions/monitor@v1

    - name: Attempt to load a docker login password

      uses: aws-actions/configure-aws-credentials@v4

      with:

        role-to-assume: ${{ secrets.SMITHY_RS_PUBLIC_ECR_PUSH_ROLE_ARN }}

        role-session-name: GitHubActions

        aws-region: us-west-2

    - name: Save the docker login password to the output

      id: set-token

      run: |

        ENCRYPTED_PAYLOAD=$(

          gpg --symmetric --batch --passphrase "${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}" --output - <(aws ecr-public get-login-password --region us-east-1) | base64 -w0

        )

        echo "docker-login-password=$ENCRYPTED_PAYLOAD" >> $GITHUB_OUTPUT



  # This job detects if the PR made changes to build tools. If it did, then it builds a new

  # build Docker image. Otherwise, it downloads a build image from Public ECR. In both cases,

  # it uploads the image as a build artifact for other jobs to download and use.

  acquire-base-image:

    name: Acquire Base Image

    needs: save-docker-login-token

    runs-on: ubuntu-latest

    timeout-minutes: 60

    env:

      ENCRYPTED_DOCKER_PASSWORD: ${{ needs.save-docker-login-token.outputs.docker-login-password }}

      DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}

    permissions:

      id-token: write

      contents: read

    steps:

    - uses: GitHubSecurityLab/actions-permissions/monitor@v1

    - uses: actions/checkout@v4

      with:

        path: smithy-rs

    - name: Acquire base image

      id: acquire

      env:

        DOCKER_BUILDKIT: 1

      run: ./smithy-rs/.github/scripts/acquire-build-image

    - name: Acquire credentials

      uses: aws-actions/configure-aws-credentials@v4

      with:

        role-to-assume: ${{ secrets.SMITHY_RS_PUBLIC_ECR_PUSH_ROLE_ARN }}

        role-session-name: GitHubActions

        aws-region: us-west-2

    - name: Upload image

      run: |

        IMAGE_TAG="$(./smithy-rs/.github/scripts/docker-image-hash)"

        docker tag "smithy-rs-base-image:${IMAGE_TAG}" "${{ env.ecr_repository }}:${IMAGE_TAG}"

        aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws

        docker push "${{ env.ecr_repository }}:${IMAGE_TAG}"



  # Run shared CI after the Docker build image has either been rebuilt or found in ECR

  ci:

    needs:

    - save-docker-login-token

    - acquire-base-image

    if: ${{ github.event.pull_request.head.repo.full_name == 'smithy-lang/smithy-rs' || toJSON(github.event.merge_group) != '{}' }}

    uses: ./.github/workflows/ci.yml

    secrets:

      ENCRYPTED_DOCKER_PASSWORD: ${{ needs.save-docker-login-token.outputs.docker-login-password }}

      DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}

      CANARY_GITHUB_ACTIONS_ROLE_ARN: ${{ secrets.CANARY_GITHUB_ACTIONS_ROLE_ARN }}

      CANARY_STACK_CDK_OUTPUTS_BUCKET_NAME: ${{ secrets.CANARY_STACK_CDK_OUTPUTS_BUCKET_NAME }}