
Commit 6616425

Merge branch 'develop' into fix/appsync-async-resolver
2 parents 97f7191 + 0f545c6 commit 6616425


85 files changed

+1667
-627
lines changed


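--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -28,7 +28,7 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL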

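--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -17,6 +17,6 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: 'Checkout Repository'
-uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: 'Dependency Review'
-uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
+uses: actions/dependency-review-action@a6993e2c61fd5dc440b409aa1d6904921c5e1894 # v4.3.5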

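--- a/.github/workflows/label_pr_on_title.yml
+++ b/.github/workflows/label_pr_on_title.yml
@@ -50,7 +50,7 @@ jobs:
 pull-requests: write # label respective PR
 steps:
 - name: Checkout repository
-uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: "Label PR based on title"
 uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
 env: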

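--- a/.github/workflows/layer_govcloud.yml
+++ b/.github/workflows/layer_govcloud.yml
@@ -0,0 +1,217 @@
+# GovCloud Layer Publish
+# ---
+# This workflow publishes a specific layer version in an AWS account based on the environment input.
+#
+# Using a matrix, we pull each architecture and python version of the layer and store them as artifacts
+# we upload them to each of the GovCloud AWS accounts.
+#
+# A number of safety checks are performed to ensure safety.
+
+on:
+workflow_dispatch:
+inputs:
+environment:
+description: Deployment environment
+type: choice
+options:
+- Gamma
+- Prod
+required: true
+version:
+description: Layer version to duplicate
+type: string
+required: true
+workflow_call:
+inputs:
+environment:
+description: Deployment environment
+type: string
+required: true
+version:
+description: Layer version to duplicate
+type: string
+required: true
+
+name: Layer Deployment (GovCloud)
+run-name: Layer Deployment (GovCloud) - ${{ inputs.environment }}
+
+jobs:
+download:
+runs-on: ubuntu-latest
+permissions:
+id-token: write
+contents: read
+strategy:
+matrix:
+layer:
+- AWSLambdaPowertoolsPythonV3-python38
+- AWSLambdaPowertoolsPythonV3-python39
+- AWSLambdaPowertoolsPythonV3-python310
+- AWSLambdaPowertoolsPythonV3-python311
+- AWSLambdaPowertoolsPythonV3-python312
+arch:
+- arm64
+- x86_64
+environment: Prod (Readonly)
+steps:
+- name: Configure AWS Credentials
+uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+with:
+role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
+aws-region: us-east-1
+mask-aws-account-id: true
+- name: Grab Zip
+run: |
+aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:017000801446:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ inputs.version }} --query 'Content.Location' | xargs curl -L -o ${{ matrix.layer }}_${{ matrix.arch }}.zip
+aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:017000801446:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ inputs.version }} > ${{ matrix.layer }}_${{ matrix.arch }}.json
+- name: Store Zip
+uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+with:
+name: ${{ matrix.layer }}_${{ matrix.arch }}.zip
+path: ${{ matrix.layer }}_${{ matrix.arch }}.zip
+retention-days: 1
+if-no-files-found: error
+- name: Store Metadata
+uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+with:
+name: ${{ matrix.layer }}_${{ matrix.arch }}.json
+path: ${{ matrix.layer }}_${{ matrix.arch }}.json
+retention-days: 1
+if-no-files-found: error
+
+copy_east:
+name: Copy (East)
+needs: download
+runs-on: ubuntu-latest
+permissions:
+id-token: write
+contents: read
+strategy:
+matrix:
+layer:
+- AWSLambdaPowertoolsPythonV3-python38
+- AWSLambdaPowertoolsPythonV3-python39
+- AWSLambdaPowertoolsPythonV3-python310
+- AWSLambdaPowertoolsPythonV3-python311
+- AWSLambdaPowertoolsPythonV3-python312
+arch:
+- arm64
+- x86_64
+environment: GovCloud ${{ inputs.environment }} (East)
+steps:
+- name: Download Zip
+uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+with:
+name: ${{ matrix.layer }}_${{ matrix.arch }}.zip
+- name: Download Metadata
+uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+with:
+name: ${{ matrix.layer }}_${{ matrix.arch }}.json
+- name: Verify Layer Signature
+run: |
+SHA=$(jq -r '.Content.CodeSha256' '${{ matrix.layer }}_${{ matrix.arch }}.json')
+test "$(openssl dgst -sha256 -binary ${{ matrix.layer }}_${{ matrix.arch }}.zip | openssl enc -base64)" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1
+- name: Configure AWS Credentials
+uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+with:
+role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
+aws-region: us-gov-east-1
+mask-aws-account-id: true
+- name: Create Layer
+id: create-layer
+run: |
+LAYER_VERSION=$(aws --region us-gov-east-1 lambda publish-layer-version \
+--layer-name ${{ matrix.layer }}-${{ matrix.arch }} \
+--zip-file fileb://./${{ matrix.layer }}_${{ matrix.arch }}.zip \
+--compatible-runtimes "$(jq -r '.CompatibleRuntimes[0]' '${{ matrix.layer }}_${{ matrix.arch }}.json')" \
+--compatible-architectures "$(jq -r '.CompatibleArchitectures[0]' '${{ matrix.layer }}_${{ matrix.arch }}.json')" \
+--license-info "MIT-0" \
+--description "$(jq -r '.Description' '${{ matrix.layer }}_${{ matrix.arch }}.json')" \
+--query 'Version' \
+--output text)
+
+echo "LAYER_VERSION=$LAYER_VERSION" >> "$GITHUB_OUTPUT"
+
+aws --region us-gov-east-1 lambda add-layer-version-permission \
+--layer-name '${{ matrix.layer }}-${{ matrix.arch }}' \
+--statement-id 'PublicLayer' \
+--action lambda:GetLayerVersion \
+--principal '*' \
+--version-number "$LAYER_VERSION"
+- name: Verify Layer
+env:
+LAYER_VERSION: ${{ steps.create-layer.outputs.LAYER_VERSION }}
+run: |
+REMOTE_SHA=$(aws --region us-gov-east-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-east-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ env.LAYER_VERSION }}' --query 'Content.CodeSha256' --output text)
+SHA=$(jq -r '.Content.CodeSha256' '${{ matrix.layer }}_${{ matrix.arch }}.json')
+test "$REMOTE_SHA" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1
+aws --region us-gov-east-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-east-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ env.LAYER_VERSION }}' --output table
+
+copy_west:
+name: Copy (West)
+needs: download
+runs-on: ubuntu-latest
+permissions:
+id-token: write
+contents: read
+strategy:
+matrix:
+layer:
+- AWSLambdaPowertoolsPythonV3-python38
+- AWSLambdaPowertoolsPythonV3-python39
+- AWSLambdaPowertoolsPythonV3-python310
+- AWSLambdaPowertoolsPythonV3-python311
+- AWSLambdaPowertoolsPythonV3-python312
+arch:
+- arm64
+- x86_64
+environment:
+name: GovCloud ${{ inputs.environment }} (West)
+steps:
+- name: Download Zip
+uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+with:
+name: ${{ matrix.layer }}_${{ matrix.arch }}.zip
+- name: Download Metadata
+uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+with:
+name: ${{ matrix.layer }}_${{ matrix.arch }}.json
+- name: Verify Layer Signature
+run: |
+SHA=$(jq -r '.Content.CodeSha256' '${{ matrix.layer }}_${{ matrix.arch }}.json')
+test "$(openssl dgst -sha256 -binary ${{ matrix.layer }}_${{ matrix.arch }}.zip | openssl enc -base64)" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1
+- name: Configure AWS Credentials
+uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+with:
+role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
+aws-region: us-gov-west-1
+mask-aws-account-id: true
+- name: Create Layer
+id: create-layer
+run: |
+LAYER_VERSION=$(aws --region us-gov-west-1 lambda publish-layer-version \
+--layer-name ${{ matrix.layer }}-${{ matrix.arch }} \
+--zip-file fileb://./${{ matrix.layer }}_${{ matrix.arch }}.zip \
+--compatible-runtimes "$(jq -r '.CompatibleRuntimes[0]' '${{ matrix.layer }}_${{ matrix.arch }}.json')" \
+--compatible-architectures "$(jq -r '.CompatibleArchitectures[0]' '${{ matrix.layer }}_${{ matrix.arch }}.json')" \
+--license-info "MIT-0" \
+--description "$(jq -r '.Description' '${{ matrix.layer }}_${{ matrix.arch }}.json')" \
+--query 'Version' \
+--output text)
+
+echo "LAYER_VERSION=$LAYER_VERSION" >> "$GITHUB_OUTPUT"
+
+aws --region us-gov-west-1 lambda add-layer-version-permission \
+--layer-name '${{ matrix.layer }}-${{ matrix.arch }}' \
+--statement-id 'PublicLayer' \
+--action lambda:GetLayerVersion \
+--principal '*' \
+--version-number "$LAYER_VERSION"
+- name: Verify Layer
+env:
+LAYER_VERSION: ${{ steps.create-layer.outputs.LAYER_VERSION }}
+run: |
+REMOTE_SHA=$(aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ env.LAYER_VERSION }}' --query 'Content.CodeSha256' --output text)
+SHA=$(jq -r '.Content.CodeSha256' '${{ matrix.layer }}_${{ matrix.arch }}.json')
+test "$REMOTE_SHA" == "$SHA" && echo "SHA OK: ${SHA}" || exit 1
+aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ env.LAYER_VERSION }}' --output table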
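Review bot: The `Grab Zip` step of the `download` job expands `${{ inputs.version }}` directly into the `run:` script, so whatever text a dispatcher or calling workflow supplies becomes part of the shell command line in a job that has already assumed a role under the `Prod (Readonly)` environment. Pass the value through the step's `env:` and use `"$VERSION"` in the ARN, after rejecting anything that is not a plain integer, as in the fence below. The same interpolation appears in the three `get-layer-version-by-arn` steps of the verification workflow further down this page; the single quotes there do not prevent it, because the expression is substituted before bash parses the line. Separately, `Create Layer` grants `--principal '*'` before `Verify Layer` has compared the published `CodeSha256`; moving `add-layer-version-permission` after that comparison would keep a mismatching version from being made public.

```yaml
      - name: Grab Zip
        env:
          VERSION: ${{ inputs.version }}
        run: |
          [[ "$VERSION" =~ ^[0-9]+$ ]] || { echo "version must be numeric" >&2; exit 1; }
          aws --region us-east-1 lambda get-layer-version-by-arn --arn "arn:aws:lambda:us-east-1:017000801446:layer:${{ matrix.layer }}-${{ matrix.arch }}:${VERSION}" --query 'Content.Location' | xargs curl -L -o ${{ matrix.layer }}_${{ matrix.arch }}.zip
          aws --region us-east-1 lambda get-layer-version-by-arn --arn "arn:aws:lambda:us-east-1:017000801446:layer:${{ matrix.layer }}-${{ matrix.arch }}:${VERSION}" > ${{ matrix.layer }}_${{ matrix.arch }}.json
      # … unchanged: Store Zip / Store Metadata steps …
```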
Lines changed: 111 additions & 0 deletions
@@ -0,0 +1,111 @@
1+
# GovCloud Layer Verification
2+
# ---
3+
# This workflow queries the GovCloud layer info in production only
4+
5+
on:
6+
workflow_dispatch:
7+
inputs:
8+
version:
9+
description: Layer version to verify information
10+
type: string
11+
required: true
12+
workflow_call:
13+
inputs:
14+
version:
15+
description: Layer version to verify information
16+
type: string
17+
required: true
18+
19+
name: Layer Verification (GovCloud)
20+
run-name: Layer Verification (GovCloud)
21+
22+
jobs:
23+
commercial:
24+
runs-on: ubuntu-latest
25+
permissions:
26+
id-token: write
27+
contents: read
28+
strategy:
29+
matrix:
30+
layer:
31+
- AWSLambdaPowertoolsPythonV3-python38
32+
- AWSLambdaPowertoolsPythonV3-python39
33+
- AWSLambdaPowertoolsPythonV3-python310
34+
- AWSLambdaPowertoolsPythonV3-python311
35+
- AWSLambdaPowertoolsPythonV3-python312
36+
arch:
37+
- arm64
38+
- x86_64
39+
environment: Prod (Readonly)
40+
steps:
41+
- name: Configure AWS Credentials
42+
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
43+
with:
44+
role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
45+
aws-region: us-east-1
46+
mask-aws-account-id: true
47+
- name: Output ${{ matrix.layer }}-${{ matrix.arch }}
48+
run: |
49+
aws --region us-east-1 lambda get-layer-version-by-arn --arn 'arn:aws:lambda:us-east-1:017000801446:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ inputs.version }}' | jq -r '{"Layer Version Arn": .LayerVersionArn, "Version": .Version, "Description": .Description, "Compatible Runtimes": .CompatibleRuntimes[0], "Compatible Architectures": .CompatibleArchitectures[0], "SHA": .Content.CodeSha256} | keys[] as $k | [$k, .[$k]] | @tsv' | column -t -s $'\t'
50+
51+
gov_east:
52+
name: Verify (East)
53+
needs: commercial
54+
runs-on: ubuntu-latest
55+
permissions:
56+
id-token: write
57+
contents: read
58+
strategy:
59+
matrix:
60+
layer:
61+
- AWSLambdaPowertoolsPythonV3-python38
62+
- AWSLambdaPowertoolsPythonV3-python39
63+
- AWSLambdaPowertoolsPythonV3-python310
64+
- AWSLambdaPowertoolsPythonV3-python311
65+
- AWSLambdaPowertoolsPythonV3-python312
66+
arch:
67+
- arm64
68+
- x86_64
69+
environment: GovCloud Prod (East)
70+
steps:
71+
- name: Configure AWS Credentials
72+
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
73+
with:
74+
role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
75+
aws-region: us-gov-east-1
76+
mask-aws-account-id: true
77+
- name: Verify Layer ${{ matrix.layer }}-${{ matrix.arch }}
78+
id: verify-layer
79+
run: |
80+
aws --region us-gov-east-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-east-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ inputs.version }}' | jq -r '{"Layer Version Arn": .LayerVersionArn, "Version": .Version, "Description": .Description, "Compatible Runtimes": .CompatibleRuntimes[0], "Compatible Architectures": .CompatibleArchitectures[0], "SHA": .Content.CodeSha256} | keys[] as $k | [$k, .[$k]] | @tsv' | column -t -s $'\t'
81+
82+
gov_west:
83+
name: Verify (West)
84+
needs: commercial
85+
runs-on: ubuntu-latest
86+
permissions:
87+
id-token: write
88+
contents: read
89+
strategy:
90+
matrix:
91+
layer:
92+
- AWSLambdaPowertoolsPythonV3-python38
93+
- AWSLambdaPowertoolsPythonV3-python39
94+
- AWSLambdaPowertoolsPythonV3-python310
95+
- AWSLambdaPowertoolsPythonV3-python311
96+
- AWSLambdaPowertoolsPythonV3-python312
97+
arch:
98+
- arm64
99+
- x86_64
100+
environment: GovCloud Prod (West)
101+
steps:
102+
- name: Configure AWS Credentials
103+
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
104+
with:
105+
role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
106+
aws-region: us-gov-east-1
107+
mask-aws-account-id: true
108+
- name: Verify Layer ${{ matrix.layer }}-${{ matrix.arch }}
109+
id: verify-layer
110+
run: |
111+
aws --region us-gov-west-1 lambda get-layer-version-by-arn --arn 'arn:aws-us-gov:lambda:us-gov-west-1:${{ secrets.AWS_ACCOUNT_ID }}:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ inputs.version }}' | jq -r '{"Layer Version Arn": .LayerVersionArn, "Version": .Version, "Description": .Description, "Compatible Runtimes": .CompatibleRuntimes[0], "Compatible Architectures": .CompatibleArchitectures[0], "SHA": .Content.CodeSha256} | keys[] as $k | [$k, .[$k]] | @tsv' | column -t -s $'\t'
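Review bot: In `gov_west`, `Configure AWS Credentials` sets `aws-region: us-gov-east-1` although the job's environment is `GovCloud Prod (West)` and the query that follows passes `--region us-gov-west-1`; this looks like a copy from `gov_east` and should read `aws-region: us-gov-west-1`. The explicit `--region` flag means the lookup itself targets the West region, but the role is presumably assumed through the East endpoint, which is not what the West environment suggests. The header comment could also state that this workflow only prints each layer's `CodeSha256` and does not compare the GovCloud values with the commercial one, so a mismatch is caught only if someone reads the three tables side by side.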

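--- a/.github/workflows/layer_rename.yml
+++ b/.github/workflows/layer_rename.yml
@@ -66,14 +66,14 @@ jobs:
 aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:017000801446:layer:${{ matrix.layer }}-x86:${{ inputs.version }} --query 'Content.Location' | xargs curl -L -o ${{ matrix.layer }}_x86_64.zip
 aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:017000801446:layer:${{ matrix.layer }}-x86:${{ inputs.version }} > ${{ matrix.layer }}_x86_64.json
 - name: Store Zip
-uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: ${{ matrix.layer }}_x86_64.zip
 path: ${{ matrix.layer }}_x86_64.zip
 retention-days: 1
 if-no-files-found: error
 - name: Store Metadata
-uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: ${{ matrix.layer }}_x86_64.json
 path: ${{ matrix.layer }}_x86_64.json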

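--- a/.github/workflows/on_label_added.yml
+++ b/.github/workflows/on_label_added.yml
@@ -47,7 +47,7 @@ jobs:
 permissions:
 pull-requests: write # comment on PR
 steps:
-- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 # Maintenance: Persist state per PR as an artifact to avoid spam on label add
 - name: "Suggest split large Pull Request"
 uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1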

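--- a/.github/workflows/on_merged_pr.yml
+++ b/.github/workflows/on_merged_pr.yml
@@ -49,7 +49,7 @@ jobs:
 issues: write # label issue with pending-release
 if: needs.get_pr_details.outputs.prIsMerged == 'true'
 steps:
-- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: "Label PR related issue for release"
 uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
 env: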
