Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix CI for forks by moving merge queue runs into a separate workflow #2359

Merged
merged 1 commit into from
Feb 13, 2023
Merged

Fix CI for forks by moving merge queue runs into a separate workflow #2359

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
93 changes: 93 additions & 0 deletions .github/workflows/ci-merge-queue.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,93 @@
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0

# This workflow runs CI for the GitHub merge queue.

name: Merge Queue CI
on:
merge_group:
types: [checks_requested]

# Allow one instance of this workflow per merge
concurrency:
group: ci-merge-queue-yml-${{ github.ref }}
cancel-in-progress: true

env:
ecr_repository: public.ecr.aws/w0m4q9l7/github-awslabs-smithy-rs-ci

jobs:
# This job will, if possible, save a docker login password to the job outputs. The token will
# be encrypted with the passphrase stored as a GitHub secret. The login password expires after 12h.
# The login password is encrypted with the repo secret DOCKER_LOGIN_TOKEN_PASSPHRASE
save-docker-login-token:
name: Save a docker login token
outputs:
docker-login-password: ${{ steps.set-token.outputs.docker-login-password }}
permissions:
id-token: write
contents: read
continue-on-error: true
runs-on: ubuntu-latest
steps:
- name: Attempt to load a docker login password
uses: aws-actions/configure-aws-credentials@v1-node16
with:
role-to-assume: ${{ secrets.SMITHY_RS_PUBLIC_ECR_PUSH_ROLE_ARN }}
role-session-name: GitHubActions
aws-region: us-west-2
- name: Save the docker login password to the output
id: set-token
run: |
ENCRYPTED_PAYLOAD=$(
gpg --symmetric --batch --passphrase "${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}" --output - <(aws ecr-public get-login-password --region us-east-1) | base64 -w0
)
echo "docker-login-password=$ENCRYPTED_PAYLOAD" >> $GITHUB_OUTPUT

# This job detects if the PR made changes to build tools. If it did, then it builds a new
# build Docker image. Otherwise, it downloads a build image from Public ECR. In both cases,
# it uploads the image as a build artifact for other jobs to download and use.
acquire-base-image:
name: Acquire Base Image
needs: save-docker-login-token
runs-on: ubuntu-latest
env:
ENCRYPTED_DOCKER_PASSWORD: ${{ needs.save-docker-login-token.outputs.docker-login-password }}
DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}
permissions:
id-token: write
contents: read
steps:
- uses: actions/checkout@v3
with:
path: smithy-rs
- name: Acquire base image
id: acquire
env:
DOCKER_BUILDKIT: 1
run: ./smithy-rs/.github/scripts/acquire-build-image
- name: Acquire credentials
uses: aws-actions/configure-aws-credentials@v1-node16
with:
role-to-assume: ${{ secrets.SMITHY_RS_PUBLIC_ECR_PUSH_ROLE_ARN }}
role-session-name: GitHubActions
aws-region: us-west-2
- name: Upload image
run: |
IMAGE_TAG="$(./smithy-rs/.github/scripts/docker-image-hash)"
docker tag "smithy-rs-base-image:${IMAGE_TAG}" "${{ env.ecr_repository }}:${IMAGE_TAG}"
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws
docker push "${{ env.ecr_repository }}:${IMAGE_TAG}"

# Run shared CI after the Docker build image has either been rebuilt or found in ECR
ci:
needs:
- save-docker-login-token
- acquire-base-image
if: ${{ github.event.pull_request.head.repo.full_name == 'awslabs/smithy-rs' || toJSON(github.event.merge_group) != '{}' }}
uses: ./.github/workflows/ci.yml
with:
run_sdk_examples: true
secrets:
ENCRYPTED_DOCKER_PASSWORD: ${{ needs.save-docker-login-token.outputs.docker-login-password }}
DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}
8 changes: 3 additions & 5 deletions .github/workflows/ci-pr.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,6 @@
name: CI
on:
pull_request:
merge_group:
types: [checks_requested]

# Allow one instance of this workflow per pull request, and cancel older runs when new changes are pushed
concurrency:
Expand All @@ -23,7 +21,7 @@ jobs:
# The login password is encrypted with the repo secret DOCKER_LOGIN_TOKEN_PASSPHRASE
save-docker-login-token:
name: Save a docker login token
if: ${{ github.event.pull_request.head.repo.full_name == 'awslabs/smithy-rs' || toJSON(github.event.merge_group) != '{}' }}
if: ${{ github.event.pull_request.head.repo.full_name == 'awslabs/smithy-rs' }}
outputs:
docker-login-password: ${{ steps.set-token.outputs.docker-login-password }}
permissions:
Expand Down Expand Up @@ -53,7 +51,7 @@ jobs:
acquire-base-image:
name: Acquire Base Image
needs: save-docker-login-token
if: ${{ github.event.pull_request.head.repo.full_name == 'awslabs/smithy-rs' || toJSON(github.event.merge_group) != '{}' }}
if: ${{ github.event.pull_request.head.repo.full_name == 'awslabs/smithy-rs' }}
runs-on: ubuntu-latest
env:
ENCRYPTED_DOCKER_PASSWORD: ${{ needs.save-docker-login-token.outputs.docker-login-password }}
Expand Down Expand Up @@ -88,7 +86,7 @@ jobs:
needs:
- save-docker-login-token
- acquire-base-image
if: ${{ github.event.pull_request.head.repo.full_name == 'awslabs/smithy-rs' || toJSON(github.event.merge_group) != '{}' }}
if: ${{ github.event.pull_request.head.repo.full_name == 'awslabs/smithy-rs' }}
uses: ./.github/workflows/ci.yml
with:
run_sdk_examples: true
Expand Down