Unverified Commit da741dca authored by ysaito1001's avatar ysaito1001 Committed by GitHub

Add workflows to manually/weekly update the runtime lockfiles and the SDK lockfile (#3844)

## Motivation and Context
This PR introduces GitHub workflows to automate the process of running
`cargo update` on lockfiles and creating PRs in this repository.
- Scheduled workflow: This workflow runs weekly to ensure dependencies
are updated to the latest semver-compliant versions.
- Manual workflow: This workflow provides the same functionality but can
be triggered on-demand. It includes an option to force updates on [known
broken
dependencies](https://github.com/smithy-lang/smithy-rs/blob/6b42eb5ca00a2dc9c46562452e495a2ec2e43d0f/aws/sdk/build.gradle.kts#L503-L504).

## Testing
- Did NOT run a scheduled workflow, assuming that's a thin wrapper
around what has been verified. We can afford a "see what happens and fix
if necessary" approach once this PR is merged into main.
- Manually triggered a workflow, successfully opening PRs with updated
lockfiles ([ex1](https://github.com/smithy-lang/smithy-rs/pull/3842),
[ex2](https://github.com/smithy-lang/smithy-rs/pull/3843)).
- Manually triggered a workflow, forcing updates on broken dependencies
(didn't open a PR to avoid noise, but confirmed `minicbor` was [updated
to
0.24.4](https://github.com/smithy-lang/smithy-rs/blob/088cbe9f52695be0b24f4d0941667cf29631e785/rust-runtime/Cargo.lock#L2245-L2246)).

----

_By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice._
parent 6ec8db17
+34 −0
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0

name: Update lockfiles manually
run-name: ${{ github.workflow }} (${{ inputs.base_branch }})
on:
  workflow_dispatch:
    inputs:
      base_branch:
        description: The name of the branch on which to run `cargo update` for lockfiles
        required: true
        type: string
      force_update_on_broken_dependencies:
        description: When true, it forces `cargo update` to update broken dependencies to the latest semver-compatible versions, without downgrading them to the last known working versions
        required: true
        type: boolean
        default: false

concurrency:
  group: ${{ github.workflow }}-${{ inputs.base_branch }}
  cancel-in-progress: true

jobs:
  cargo-update-runtime-lockfiles-and-sdk-lockfile:
    name: Run cargo update on the runtime lockfiles and the SDK lockfile
    if: ${{ github.event_name == 'workflow_dispatch' }}
    uses: ./.github/workflows/pull-request-updating-lockfiles.yml
    with:
      base_branch: ${{ inputs.base_branch }}
      force_update_on_broken_dependencies: ${{ inputs.force_update_on_broken_dependencies }}
    secrets:
      DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}
      SMITHY_RS_PUBLIC_ECR_PUSH_ROLE_ARN: ${{ secrets.SMITHY_RS_PUBLIC_ECR_PUSH_ROLE_ARN }}
      RELEASE_AUTOMATION_BOT_PAT: ${{ secrets.RELEASE_AUTOMATION_BOT_PAT }}
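Review bot: The calling job `cargo-update-runtime-lockfiles-and-sdk-lockfile` has no `permissions:` block, so the reusable workflow starts from whatever default `GITHUB_TOKEN` scope the repository is configured with; the scheduled caller added in this commit has the same gap. The called workflow's first two jobs narrow the token themselves, but its `create-pull-request-for-updating-lockfiles` job declares nothing and already authenticates with `RELEASE_AUTOMATION_BOT_PAT`, so it appears not to need the workflow token for writes. Consider stating the ceiling on the caller, e.g. a job-level `permissions:` with `id-token: write` and `contents: read`, after confirming the local `docker-build` action needs nothing more.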
+121 −0
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0

# This is a shared workflow used by both `update-lockfiles.yml` and `manual-update-lockfiles.yml`.

name: Pull Request for Updating Lockfiles
on:
  workflow_call:
    inputs:
      base_branch:
        description: The name of the branch on which to run `cargo update` for lockfiles
        required: true
        type: string
      force_update_on_broken_dependencies:
        description: When true, it forces `cargo update` to update broken dependencies to the latest semver-compatible versions, without downgrading them to the last known working versions
        required: true
        type: boolean
    secrets:
      DOCKER_LOGIN_TOKEN_PASSPHRASE:
        required: true
      SMITHY_RS_PUBLIC_ECR_PUSH_ROLE_ARN:
        required: true
      RELEASE_AUTOMATION_BOT_PAT:
        required: true

env:
  ecr_repository: public.ecr.aws/w0m4q9l7/github-awslabs-smithy-rs-ci

jobs:
  save-docker-login-token:
    name: Save a docker login token
    timeout-minutes: 10
    outputs:
      docker-login-password: ${{ steps.set-token.outputs.docker-login-password }}
    permissions:
      id-token: write
      contents: read
    continue-on-error: true
    runs-on: ubuntu-latest
    steps:
    - name: Attempt to load a docker login password
      uses: aws-actions/configure-aws-credentials@v4
      with:
        role-to-assume: ${{ secrets.SMITHY_RS_PUBLIC_ECR_PUSH_ROLE_ARN }}
        role-session-name: GitHubActions
        aws-region: us-west-2
    - name: Save the docker login password to the output
      id: set-token
      run: |
        ENCRYPTED_PAYLOAD=$(
          gpg --symmetric --batch --passphrase "${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}" --output - <(aws ecr-public get-login-password --region us-east-1) | base64 -w0
        )
        echo "docker-login-password=$ENCRYPTED_PAYLOAD" >> $GITHUB_OUTPUT

  acquire-base-image:
    name: Acquire Base Image
    needs: save-docker-login-token
    runs-on: ubuntu-latest
    timeout-minutes: 60
    env:
      ENCRYPTED_DOCKER_PASSWORD: ${{ needs.save-docker-login-token.outputs.docker-login-password }}
      DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}
    permissions:
      id-token: write
      contents: read
    steps:
    - uses: actions/checkout@v4
      with:
        path: smithy-rs
    - name: Acquire base image
      id: acquire
      env:
        DOCKER_BUILDKIT: 1
      run: ./smithy-rs/.github/scripts/acquire-build-image
    - name: Acquire credentials
      uses: aws-actions/configure-aws-credentials@v4
      with:
        role-to-assume: ${{ secrets.SMITHY_RS_PUBLIC_ECR_PUSH_ROLE_ARN }}
        role-session-name: GitHubActions
        aws-region: us-west-2
    - name: Upload image
      run: |
        IMAGE_TAG="$(./smithy-rs/.github/scripts/docker-image-hash)"
        docker tag "smithy-rs-base-image:${IMAGE_TAG}" "${{ env.ecr_repository }}:${IMAGE_TAG}"
        aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws
        docker push "${{ env.ecr_repository }}:${IMAGE_TAG}"

  create-pull-request-for-updating-lockfiles:
    name: Create a Pull Request for updating lockfiles
    needs:
    - acquire-base-image
    runs-on: ubuntu-latest
    steps:
    - name: Checkout smithy-rs
      uses: actions/checkout@v4
      with:
        path: smithy-rs
        token: ${{ secrets.RELEASE_AUTOMATION_BOT_PAT }}
    - name: Create branch name for updating lockfiles
      id: branch-name-for-updating-lockfiles
      shell: bash
      run: |
        branch_name="update-all-lockfiles-$(date +%s)"
        echo "branch_name=${branch_name}" > $GITHUB_OUTPUT
    - name: Cargo update all lockfiles
      uses: ./smithy-rs/.github/actions/docker-build
      with:
        action: cargo-update-lockfiles
        action-arguments: ${{ inputs.base_branch }} ${{ steps.branch-name-for-updating-lockfiles.outputs.branch_name }} ${{ inputs.force_update_on_broken_dependencies }}
    - name: Create pull request
      working-directory: smithy-rs
      shell: bash
      env:
        GITHUB_TOKEN: ${{ secrets.RELEASE_AUTOMATION_BOT_PAT }}
      run: |
        gh pr create \
          --title 'Run `cargo update` on the runtime lockfiles and the SDK lockfile' \
          --body 'If CI fails, commit the necessary fixes to this PR until all checks pass. If required, update entries in [crateNameToLastKnownWorkingVersions](https://github.com/smithy-lang/smithy-rs/blob/6b42eb5ca00a2dc9c46562452e495a2ec2e43d0f/aws/sdk/build.gradle.kts#L503-L504).' \
          --base ${{ inputs.base_branch }} \
          --head ${{ steps.branch-name-for-updating-lockfiles.outputs.branch_name }} \
          --label "needs-sdk-review"
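Review bot: `${{ inputs.base_branch }}` is expanded into the script text of the `Create pull request` step (`--base ${{ inputs.base_branch }}`) before bash parses it, and that step's environment holds `RELEASE_AUTOMATION_BOT_PAT`, so a value containing shell metacharacters would be interpreted by the shell rather than passed as one argument. Bind it through the environment instead: add `BASE_BRANCH: ${{ inputs.base_branch }}` under that step's `env:` and use `--base "$BASE_BRANCH"`. The same value also reaches `action-arguments` of the `Cargo update all lockfiles` step unquoted, so checking it once against an allowed branch-name pattern at the start of the job would cover both uses. The same expansion pattern puts `secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE` into the gpg command in `save-docker-login-token`; exposing it as a step `env:` entry, as `acquire-base-image` already does, keeps it out of the rendered script.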
+23 −0
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0

name: Update lockfiles scheduled
run-name: ${{ github.workflow }}
on:
  schedule:
    # Runs 22:00 UTC every Tuesday
  - cron: 0 22 * * 2

jobs:
  cargo-update-runtime-lockfiles-and-sdk-lockfile:
    name: Run cargo update on the runtime lockfiles and the SDK lockfile
    # Don't run on forked repositories
    if: github.repository == 'smithy-lang/smithy-rs'
    uses: ./.github/workflows/pull-request-updating-lockfiles.yml
    with:
      base_branch: main
      force_update_on_broken_dependencies: false
    secrets:
      DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}
      SMITHY_RS_PUBLIC_ECR_PUSH_ROLE_ARN: ${{ secrets.SMITHY_RS_PUBLIC_ECR_PUSH_ROLE_ARN }}
      RELEASE_AUTOMATION_BOT_PAT: ${{ secrets.RELEASE_AUTOMATION_BOT_PAT }}
+3 −1
@@ -523,8 +523,10 @@ val downgradeAwsSdkLockfile = registerDowngradeFor(outputDir.asFile, "AwsSdk")
fun Project.registerCargoUpdateFor(
    dir: File,
    name: String,
    dependsOn: List<String> = emptyList(),
): TaskProvider<Exec> {
    return tasks.register<Exec>("cargoUpdate${name}Lockfile") {
        dependsOn(dependsOn)
        workingDir(dir)
        environment("RUSTFLAGS", "--cfg aws_sdk_unstable")
        commandLine("cargo", "update")
@@ -532,7 +534,7 @@ fun Project.registerCargoUpdateFor(
    }
}

val cargoUpdateAwsConfigLockfile = registerCargoUpdateFor(awsConfigPath, "AwsConfig")
val cargoUpdateAwsConfigLockfile = registerCargoUpdateFor(awsConfigPath, "AwsConfig", listOf("assemble"))
val cargoUpdateAwsRuntimeLockfile = registerCargoUpdateFor(awsRustRuntimePath, "AwsRustRuntime")
val cargoUpdateSmithyRuntimeLockfile = registerCargoUpdateFor(rustRuntimePath, "RustRuntime")
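Review bot: The new parameter `dependsOn` has the same name as the task method it is passed to, so `dependsOn(dependsOn)` inside the `tasks.register<Exec>` block reads like a self-call and relies on name resolution to pick the method over the parameter. Renaming the parameter, e.g. `dependsOnTasks: List<String> = emptyList()` with `dependsOn(dependsOnTasks)`, removes the ambiguity. A one-line comment on the `cargoUpdateAwsConfigLockfile` declaration saying why only that lockfile must wait for `assemble` would help, since the reason is not visible in this diff. Part of the function body lies between the two hunks and is not shown.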

+1 −1
@@ -892,7 +892,7 @@ dependencies = [

[[package]]
name = "runtime-versioner"
version = "0.1.0"
version = "0.1.1"
dependencies = [
 "anyhow",
 "camino",