From 800eb44e309026869c3cb4b31984b2318ab64926 Mon Sep 17 00:00:00 2001
From: Jose Corella
Date: Wed, 2 Jul 2025 10:24:06 -0700
Subject: [PATCH 1/7] chore(CI): migrate CB CI jobs to GHA
---
cfn.yml | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 54 insertions(+)
create mode 100644 cfn.yml
diff --git a/cfn.yml b/cfn.yml
new file mode 100644
index 00000000..90889773
--- /dev/null
+++ b/cfn.yml
@@ -0,0 +1,54 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: "DDB Table and IAM Managed Policies/Role for AWS KMS Hierarchical Keyring Testing"
+
+Parameters:
+ ProjectName:
+ Type: String
+ Description: A prefix that will be applied to any names
+ Default: DDBEC-Python
+ GitHubRepo:
+ Type: String
+ Description: GitHub Repo that invokes CI
+ Default: aws/aws-dynamodb-encryption-python
+
+Resources:
+ GitHubCIRole:
+ Type: 'AWS::IAM::Role'
+ Properties:
+ RoleName: !Sub "GitHub-CI-${ProjectName}-Role-${AWS::Region}"
+ Description: "Access KMS Resources for CI from GitHub"
+ ManagedPolicyArns:
+ - "arn:aws:iam::370957321024:policy/KMS-Public-CMK-EncryptDecrypt-Key-Access"
+ AssumeRolePolicyDocument: !Sub |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": { "Federated": "arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com" },
+ "Action": "sts:AssumeRoleWithWebIdentity",
+ "Condition": {
+ "StringEquals": {
+ "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
+ },
+ "StringLike": {
+ "token.actions.githubusercontent.com:sub": "repo:${GitHubRepo}:*"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "*"
+ },
+ "Action": "sts:AssumeRole",
+ "Condition": {
+ "StringEquals": {
+ "aws:PrincipalArn": [
+ "arn:aws:iam::${AWS::AccountId}:role/ToolsDevelopment"
+ ]
+ }
+ }
+ }
+ ]
+ }
From c723507ca1f40d4cd4e5f3d8c249c4c939ad4f45 Mon Sep 17 00:00:00 2001
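Review bot: The OIDC trust condition `"token.actions.githubusercontent.com:sub": "repo:${GitHubRepo}:*"` accepts a token from any ref, tag or event in the repository, so a push to any branch by anyone with write access, or a `pull_request` run from a same-repository branch, can assume this role and use the KMS test keys. Restrict the subject to what the workflow actually needs, e.g. `"repo:${GitHubRepo}:ref:refs/heads/master"` (plus `"repo:${GitHubRepo}:pull_request"` only if PR runs must reach AWS), or bind the job to a GitHub environment and match `repo:${GitHubRepo}:environment:<name>`. The `"AWS": "*"` principal in the second statement is gated by `aws:PrincipalArn`, a known pattern for surviving role recreation, but it deserves a YAML comment above `AssumeRolePolicyDocument` saying the wildcard is intentional and why, since policy scanners will flag it. Separately, `ManagedPolicyArns` hardcodes account `370957321024` while the trust policy uses `${AWS::AccountId}`; if this template is only ever deployed into that account, say so in a comment, otherwise use `!Sub "arn:aws:iam::${AWS::AccountId}:policy/KMS-Public-CMK-EncryptDecrypt-Key-Access"`.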
From: Jose Corella
Date: Wed, 2 Jul 2025 15:15:24 -0700
Subject: [PATCH 2/7] more
---
.github/workflows/ci_integration.yml | 79 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 79 insertions(+)
create mode 100644 .github/workflows/ci_integration.yml
diff --git a/.github/workflows/ci_integration.yml b/.github/workflows/ci_integration.yml
new file mode 100644
index 00000000..6ee0fb00
--- /dev/null
+++ b/.github/workflows/ci_integration.yml
@@ -0,0 +1,79 @@
+# This workflow runs integration tests with AWS KMS keys
+name: integration-tests
+
+on:
+ push:
+ branches: [ master ]
+ pull_request:
+ branches: [ master ]
+ # Run once a day
+ schedule:
+ - cron: '0 0 * * *'
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ python-version: ['3.8', '3.9', '3.10', '3.11', '3.12']
+ include:
+ - python-version: '3.8'
+ toxenv: 'py38-integ-slow'
+ - python-version: '3.9'
+ toxenv: 'py39-integ-slow'
+ - python-version: '3.10'
+ toxenv: 'py310-integ-slow'
+ - python-version: '3.11'
+ toxenv: 'py311-integ-slow'
+ - python-version: '3.12'
+ toxenv: 'py312-integ-slow'
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Set up Python ${{ matrix.python-version }}
+ uses: actions/setup-python@v5
+ with:
+ python-version: ${{ matrix.python-version }}
+
+ - name: Install dependencies
+ run: |
+ python -m pip install --upgrade pip
+ pip install "tox < 4.0"
+
+ - name: Configure AWS Credentials for Tests
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-region: us-west-2
+ role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-DDBEC-Python-Role-us-west-2
+ role-session-name: DDBEC-Python-Tests
+
+ - name: Test with tox
+ env:
+ TOXENV: ${{ matrix.toxenv }}
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+ arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+ arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+ run: tox
+
+ coverage:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Set up Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: '3.x'
+
+ - name: Install dependencies
+ run: |
+ python -m pip install --upgrade pip
+ pip install "tox < 4.0"
+
+ - name: Run coverage
+ env:
+ TOXENV: coverage
+ run: tox
From 070b8a3329213cc22083ca9536ad43e8544d7f0c Mon Sep 17 00:00:00 2001
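Review bot: Every `uses:` here is pinned only to a mutable major tag (`actions/checkout@v4`, `actions/setup-python@v5`, `aws-actions/configure-aws-credentials@v4`), yet the `test` job goes on to mint AWS credentials for the KMS test keys; for a workflow that holds cloud credentials, pin each action to a full commit SHA with the tag in a trailing comment, e.g. `uses: aws-actions/configure-aws-credentials@<full-sha> # v4`, so a retargeted or compromised tag cannot run with those credentials. The `pull_request` trigger on `master` also means every push to a same-repository PR branch will request the role; if PR runs are not meant to exercise the keys, drop `pull_request` from this workflow and keep it for a credential-free unit-test workflow instead. The fixed `role-session-name: DDBEC-Python-Tests` makes all runs look alike in CloudTrail; `role-session-name: DDBEC-Python-${{ github.run_id }}` lets a suspicious KMS call be traced back to a specific run.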
From: Jose Corella Date: Wed, 2 Jul 2025 15:18:08 -0700 Subject: [PATCH 3/7] more --- .github/workflows/ci_integration.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci_integration.yml b/.github/workflows/ci_integration.yml index 6ee0fb00..88367e78 100644 --- a/.github/workflows/ci_integration.yml +++ b/.github/workflows/ci_integration.yml @@ -42,6 +42,12 @@ jobs: python -m pip install --upgrade pip pip install "tox < 4.0" + # Python no longer bundles setuptools starting in 3.12 + - name: Install python version specific dependencies + if: matrix.python-version == '3.12' + run: | + pip install setuptools + - name: Configure AWS Credentials for Tests uses: aws-actions/configure-aws-credentials@v4 with: @@ -71,7 +77,7 @@ jobs: - name: Install dependencies run: | python -m pip install --upgrade pip - pip install "tox < 4.0" + pip install "tox < 4.0" - name: Run coverage env: From 00851708e8b3a1c72473a350ab9deef0984bdd7a Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Wed, 2 Jul 2025 15:19:23 -0700 Subject: [PATCH 4/7] permissions --- .github/workflows/ci_integration.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/ci_integration.yml b/.github/workflows/ci_integration.yml index 88367e78..d2055184 100644 --- a/.github/workflows/ci_integration.yml +++ b/.github/workflows/ci_integration.yml @@ -28,6 +28,9 @@ jobs: toxenv: 'py311-integ-slow' - python-version: '3.12' toxenv: 'py312-integ-slow' + permissions: + id-token: write + contents: read steps: - uses: actions/checkout@v4 From afbb7b1176ee29188c3095e86ee12c4a8b5b21a5 Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Wed, 2 Jul 2025 15:20:18 -0700 Subject: [PATCH 5/7] setuptools --- .github/workflows/ci_integration.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci_integration.yml b/.github/workflows/ci_integration.yml index d2055184..231d8fbe 100644 --- a/.github/workflows/ci_integration.yml 
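Review bot: `permissions:` with `id-token: write` and `contents: read` is added only to the `test` job, so the `coverage` job later in the same file (outside this hunk) keeps the repository's default `GITHUB_TOKEN` scope. Declaring a workflow-level `permissions:` block with just `contents: read` beneath `name:` and leaving `id-token: write` on `test` alone gives every job the least-privilege baseline and keeps the OIDC grant where it is actually used. The collapsed patch has lost its indentation, so confirm that `permissions:` sits at the job level as a sibling of `strategy:` and `steps:` rather than under `strategy:`, where the workflow schema does not accept it. A one-line comment such as `# OIDC token needed to assume the CI role via configure-aws-credentials` above `id-token: write` would document why the extra scope exists.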
+++ b/.github/workflows/ci_integration.yml @@ -81,6 +81,7 @@ jobs: run: | python -m pip install --upgrade pip pip install "tox < 4.0" + pip install setuptools - name: Run coverage env: From 8bd317a4e24ed2bf1339a7174f4368c7cf8348bd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Corella?= <39066999+josecorella@users.noreply.github.com> Date: Wed, 2 Jul 2025 15:30:59 -0700 Subject: [PATCH 6/7] Update cfn.yml Co-authored-by: Lucas McDonald --- cfn.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cfn.yml b/cfn.yml index 90889773..306fbb63 100644 --- a/cfn.yml +++ b/cfn.yml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: "2010-09-09" -Description: "DDB Table and IAM Managed Policies/Role for AWS KMS Hierarchical Keyring Testing" +Description: "IAM Role for CI from Github" Parameters: ProjectName: From 3f69763f1789b2f014ba0f55c7fe6dd24d5dc5d3 Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Wed, 2 Jul 2025 16:31:41 -0700 Subject: [PATCH 7/7] move and rename --- cfn.yml => cfn/github_permissions.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename cfn.yml => cfn/github_permissions.yml (100%) diff --git a/cfn.yml b/cfn/github_permissions.yml similarity index 100% rename from cfn.yml rename to cfn/github_permissions.yml