Loading .github/workflows/ci-merge-queue.ymldeleted 100644 → 0 +0 −103 Original line number Diff line number Diff line # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 # This workflow runs CI for the GitHub merge queue. name: Merge Queue CI on: merge_group: types: [checks_requested] # Allow one instance of this workflow per merge concurrency: group: ci-merge-queue-yml-${{ github.ref }} cancel-in-progress: true env: ecr_repository: public.ecr.aws/w0m4q9l7/github-awslabs-smithy-rs-ci permissions: actions: read contents: read id-token: write pull-requests: read jobs: # This job will, if possible, save a docker login password to the job outputs. The token will # be encrypted with the passphrase stored as a GitHub secret. The login password expires after 12h. # The login password is encrypted with the repo secret DOCKER_LOGIN_TOKEN_PASSPHRASE save-docker-login-token: name: Save a docker login token timeout-minutes: 10 outputs: docker-login-password: ${{ steps.set-token.outputs.docker-login-password }} permissions: id-token: write contents: read continue-on-error: true runs-on: ubuntu-latest steps: - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - name: Attempt to load a docker login password uses: aws-actions/configure-aws-credentials@v4 with: role-to-assume: ${{ secrets.SMITHY_RS_PUBLIC_ECR_PUSH_ROLE_ARN }} role-session-name: GitHubActions aws-region: us-west-2 - name: Save the docker login password to the output id: set-token run: | ENCRYPTED_PAYLOAD=$( gpg --symmetric --batch --passphrase "${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}" --output - <(aws ecr-public get-login-password --region us-east-1) | base64 -w0 ) echo "docker-login-password=$ENCRYPTED_PAYLOAD" >> $GITHUB_OUTPUT # This job detects if the PR made changes to build tools. If it did, then it builds a new # build Docker image. Otherwise, it downloads a build image from Public ECR. In both cases, # it uploads the image as a build artifact for other jobs to download and use. acquire-base-image: name: Acquire Base Image needs: save-docker-login-token runs-on: ubuntu-latest timeout-minutes: 60 env: ENCRYPTED_DOCKER_PASSWORD: ${{ needs.save-docker-login-token.outputs.docker-login-password }} DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }} permissions: id-token: write contents: read steps: - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - uses: actions/checkout@v4 with: path: smithy-rs - name: Acquire base image id: acquire env: DOCKER_BUILDKIT: 1 run: ./smithy-rs/.github/scripts/acquire-build-image - name: Acquire credentials uses: aws-actions/configure-aws-credentials@v4 with: role-to-assume: ${{ secrets.SMITHY_RS_PUBLIC_ECR_PUSH_ROLE_ARN }} role-session-name: GitHubActions aws-region: us-west-2 - name: Upload image run: | IMAGE_TAG="$(./smithy-rs/.github/scripts/docker-image-hash)" docker tag "smithy-rs-base-image:${IMAGE_TAG}" "${{ env.ecr_repository }}:${IMAGE_TAG}" aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws docker push "${{ env.ecr_repository }}:${IMAGE_TAG}" # Run shared CI after the Docker build image has either been rebuilt or found in ECR ci: needs: - save-docker-login-token - acquire-base-image if: ${{ github.event.pull_request.head.repo.full_name == 'smithy-lang/smithy-rs' || toJSON(github.event.merge_group) != '{}' }} uses: ./.github/workflows/ci.yml secrets: ENCRYPTED_DOCKER_PASSWORD: ${{ needs.save-docker-login-token.outputs.docker-login-password }} DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }} CANARY_GITHUB_ACTIONS_ROLE_ARN: ${{ secrets.CANARY_GITHUB_ACTIONS_ROLE_ARN }} CANARY_STACK_CDK_OUTPUTS_BUCKET_NAME: ${{ secrets.CANARY_STACK_CDK_OUTPUTS_BUCKET_NAME }} .github/workflows/ci.yml +1 −1 Original line number Diff line number Diff line Loading @@ -33,7 +33,7 @@ on: required: false env: rust_version: 1.81.0 rust_version: 1.82.0 rust_toolchain_components: clippy,rustfmt ENCRYPTED_DOCKER_PASSWORD: ${{ secrets.ENCRYPTED_DOCKER_PASSWORD }} DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }} Loading .github/workflows/claim-crate-names.yml +1 −1 Original line number Diff line number Diff line Loading @@ -10,7 +10,7 @@ concurrency: cancel-in-progress: true env: rust_version: 1.81.0 rust_version: 1.82.0 name: Claim unpublished crate names on crates.io run-name: ${{ github.workflow }} Loading .github/workflows/github-pages.yml +1 −1 Original line number Diff line number Diff line Loading @@ -8,7 +8,7 @@ on: name: Update GitHub Pages env: rust_version: 1.81.0 rust_version: 1.82.0 # Allow only one doc pages build to run at a time for the entire smithy-rs repo concurrency: Loading .github/workflows/pull-request-bot.yml +1 −1 Original line number Diff line number Diff line Loading @@ -30,7 +30,7 @@ env: apt_dependencies: libssl-dev gnuplot jq java_version: 17 rust_toolchain_components: clippy,rustfmt rust_nightly_version: nightly-2024-06-30 rust_nightly_version: nightly-2025-05-04 jobs: generate-diff: Loading Loading
.github/workflows/ci-merge-queue.ymldeleted 100644 → 0 +0 −103 Original line number Diff line number Diff line # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 # This workflow runs CI for the GitHub merge queue. name: Merge Queue CI on: merge_group: types: [checks_requested] # Allow one instance of this workflow per merge concurrency: group: ci-merge-queue-yml-${{ github.ref }} cancel-in-progress: true env: ecr_repository: public.ecr.aws/w0m4q9l7/github-awslabs-smithy-rs-ci permissions: actions: read contents: read id-token: write pull-requests: read jobs: # This job will, if possible, save a docker login password to the job outputs. The token will # be encrypted with the passphrase stored as a GitHub secret. The login password expires after 12h. # The login password is encrypted with the repo secret DOCKER_LOGIN_TOKEN_PASSPHRASE save-docker-login-token: name: Save a docker login token timeout-minutes: 10 outputs: docker-login-password: ${{ steps.set-token.outputs.docker-login-password }} permissions: id-token: write contents: read continue-on-error: true runs-on: ubuntu-latest steps: - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - name: Attempt to load a docker login password uses: aws-actions/configure-aws-credentials@v4 with: role-to-assume: ${{ secrets.SMITHY_RS_PUBLIC_ECR_PUSH_ROLE_ARN }} role-session-name: GitHubActions aws-region: us-west-2 - name: Save the docker login password to the output id: set-token run: | ENCRYPTED_PAYLOAD=$( gpg --symmetric --batch --passphrase "${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}" --output - <(aws ecr-public get-login-password --region us-east-1) | base64 -w0 ) echo "docker-login-password=$ENCRYPTED_PAYLOAD" >> $GITHUB_OUTPUT # This job detects if the PR made changes to build tools. If it did, then it builds a new # build Docker image. Otherwise, it downloads a build image from Public ECR. In both cases, # it uploads the image as a build artifact for other jobs to download and use. acquire-base-image: name: Acquire Base Image needs: save-docker-login-token runs-on: ubuntu-latest timeout-minutes: 60 env: ENCRYPTED_DOCKER_PASSWORD: ${{ needs.save-docker-login-token.outputs.docker-login-password }} DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }} permissions: id-token: write contents: read steps: - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - uses: actions/checkout@v4 with: path: smithy-rs - name: Acquire base image id: acquire env: DOCKER_BUILDKIT: 1 run: ./smithy-rs/.github/scripts/acquire-build-image - name: Acquire credentials uses: aws-actions/configure-aws-credentials@v4 with: role-to-assume: ${{ secrets.SMITHY_RS_PUBLIC_ECR_PUSH_ROLE_ARN }} role-session-name: GitHubActions aws-region: us-west-2 - name: Upload image run: | IMAGE_TAG="$(./smithy-rs/.github/scripts/docker-image-hash)" docker tag "smithy-rs-base-image:${IMAGE_TAG}" "${{ env.ecr_repository }}:${IMAGE_TAG}" aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws docker push "${{ env.ecr_repository }}:${IMAGE_TAG}" # Run shared CI after the Docker build image has either been rebuilt or found in ECR ci: needs: - save-docker-login-token - acquire-base-image if: ${{ github.event.pull_request.head.repo.full_name == 'smithy-lang/smithy-rs' || toJSON(github.event.merge_group) != '{}' }} uses: ./.github/workflows/ci.yml secrets: ENCRYPTED_DOCKER_PASSWORD: ${{ needs.save-docker-login-token.outputs.docker-login-password }} DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }} CANARY_GITHUB_ACTIONS_ROLE_ARN: ${{ secrets.CANARY_GITHUB_ACTIONS_ROLE_ARN }} CANARY_STACK_CDK_OUTPUTS_BUCKET_NAME: ${{ secrets.CANARY_STACK_CDK_OUTPUTS_BUCKET_NAME }}
.github/workflows/ci.yml +1 −1 Original line number Diff line number Diff line Loading @@ -33,7 +33,7 @@ on: required: false env: rust_version: 1.81.0 rust_version: 1.82.0 rust_toolchain_components: clippy,rustfmt ENCRYPTED_DOCKER_PASSWORD: ${{ secrets.ENCRYPTED_DOCKER_PASSWORD }} DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }} Loading
.github/workflows/claim-crate-names.yml +1 −1 Original line number Diff line number Diff line Loading @@ -10,7 +10,7 @@ concurrency: cancel-in-progress: true env: rust_version: 1.81.0 rust_version: 1.82.0 name: Claim unpublished crate names on crates.io run-name: ${{ github.workflow }} Loading
.github/workflows/github-pages.yml +1 −1 Original line number Diff line number Diff line Loading @@ -8,7 +8,7 @@ on: name: Update GitHub Pages env: rust_version: 1.81.0 rust_version: 1.82.0 # Allow only one doc pages build to run at a time for the entire smithy-rs repo concurrency: Loading
.github/workflows/pull-request-bot.yml +1 −1 Original line number Diff line number Diff line Loading @@ -30,7 +30,7 @@ env: apt_dependencies: libssl-dev gnuplot jq java_version: 17 rust_toolchain_components: clippy,rustfmt rust_nightly_version: nightly-2024-06-30 rust_nightly_version: nightly-2025-05-04 jobs: generate-diff: Loading
