
Commit ba726b5

chore: Run CodeBuild CI from Github Actions (#1213)
1 parent 03bc7bd commit ba726b5


3 files changed

+203
-103
lines changed


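--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,112 @@
+name: AWS CodeBuild CI
+on:
+pull_request:
+push:
+schedule:
+- cron: "0 0 * * *" # Daily at 00:00 UTC (4 PM PDT)
+
+permissions:
+id-token: write
+contents: read
+
+jobs:
+staticAnalysis:
+name: Static Analysis
+runs-on: ubuntu-latest
+steps:
+- name: Configure AWS Credentials
+uses: aws-actions/configure-aws-credentials@v1
+with:
+role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }}
+aws-region: us-west-2
+role-duration-seconds: 3600
+- name: Run Static Analysis
+uses: aws-actions/aws-codebuild-run-build@v1
+timeout-minutes: 60
+with:
+project-name: AWS-ESDK-Java-CI
+buildspec-override: codebuild/ci/static-analysis.yml
+compute-type-override: BUILD_GENERAL1_MEDIUM
+image-override: aws/codebuild/amazonlinux2-x86_64-standard:3.0
+vectorTests:
+name: Vector Tests
+runs-on: ubuntu-latest
+strategy:
+fail-fast: true
+matrix:
+platform:
+- distribution: openjdk
+image: "aws/codebuild/standard:3.0"
+- distribution: corretto
+image: "aws/codebuild/amazonlinux2-x86_64-standard:3.0" # Corretto only runs on AL2
+version: [ 8, 11 ]
+steps:
+- name: Configure AWS Credentials
+uses: aws-actions/configure-aws-credentials@v1
+with:
+role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }}
+aws-region: us-west-2
+role-duration-seconds: 3600
+- name: Vector Tests ${{ matrix.platform.distribution }}${{ matrix.version }}
+uses: aws-actions/aws-codebuild-run-build@v1
+timeout-minutes: 60
+with:
+project-name: AWS-ESDK-Java-CI
+buildspec-override: codebuild/ci/vectors-ci.yml
+compute-type-override: BUILD_GENERAL1_LARGE
+image-override: ${{ matrix.platform.image }}
+env-vars-for-codebuild: JAVA_ENV_VERSION
+env:
+JAVA_ENV_VERSION: ${{ matrix.platform.distribution }}${{ matrix.version }}
+releaseCI:
+name: Release CI
+runs-on: ubuntu-latest
+steps:
+- name: Configure AWS Credentials
+uses: aws-actions/configure-aws-credentials@v1
+with:
+role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }}
+aws-region: us-west-2
+role-duration-seconds: 3600
+- name: Release CI
+uses: aws-actions/aws-codebuild-run-build@v1
+timeout-minutes: 60
+with:
+project-name: AWS-ESDK-Java-CI
+buildspec-override: codebuild/ci/release-ci.yml
+compute-type-override: BUILD_GENERAL1_LARGE
+image-override: aws/codebuild/standard:3.0
+validateCI:
+name: Validate CI
+runs-on: ubuntu-latest
+needs: releaseCI
+strategy:
+fail-fast: true
+matrix:
+platform:
+- distribution: openjdk
+image: "aws/codebuild/standard:3.0"
+- distribution: corretto
+image: "aws/codebuild/amazonlinux2-x86_64-standard:3.0" # Corretto only runs on AL2
+version: [ 8, 11 ]
+steps:
+- name: Configure AWS Credentials
+uses: aws-actions/configure-aws-credentials@v1
+with:
+role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }}
+aws-region: us-west-2
+role-duration-seconds: 3600
+- name: Validate CI ${{ matrix.platform.distribution }}${{ matrix.version }}
+uses: aws-actions/aws-codebuild-run-build@v1
+timeout-minutes: 60
+with:
+project-name: AWS-ESDK-Java-CI
+buildspec-override: codebuild/ci/validate-ci.yml
+compute-type-override: BUILD_GENERAL1_MEDIUM
+image-override: ${{ matrix.platform.image }}
+env-vars-for-codebuild: |
+JAVA_ENV_VERSION,
+JAVA_NUMERIC_VERSION
+env:
+JAVA_ENV_VERSION: ${{ matrix.platform.distribution }}${{ matrix.version }}
+JAVA_NUMERIC_VERSION: ${{ matrix.version }}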
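Review bot: Every job references the two third-party actions by the mutable `@v1` tag (`aws-actions/configure-aws-credentials@v1`, `aws-actions/aws-codebuild-run-build@v1`) while the workflow grants `id-token: write` and hands the OIDC-minted role credentials to exactly those actions, so a moved or hijacked tag would silently change the code that holds the CI role's credentials; pinning each `uses:` to a full commit SHA with the tag in a trailing comment, e.g. `uses: aws-actions/configure-aws-credentials@<commit-sha> # v1`, removes that dependency on tag immutability. The unfiltered `push:` trigger next to `pull_request:` means a push to a pull-request branch inside this repository starts all four CodeBuild jobs twice, once per event, which doubles the build cost; a `branches:` filter on `push:` would avoid the duplicate run. Pull requests opened from forks do not receive an OIDC token, so those runs will presumably stop at the Configure AWS Credentials step — worth confirming that is the intended behaviour rather than a broken check. The cron comment's timezone conversion is off: 00:00 UTC is 4 PM PST but 5 PM PDT, so `# Daily at 00:00 UTC (4 PM PST / 5 PM PDT)` would be accurate.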

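--- a/cfn/ci_cd.yml
+++ b/cfn/ci_cd.yml
@@ -44,16 +44,10 @@ Resources:
 BuildSpec: codebuild/ci/ci.yml
 GitCloneDepth: 1
 GitSubmodulesConfig:
-FetchSubmodules: false
+FetchSubmodules: true
 InsecureSsl: false
 ReportBuildStatus: false
 Type: GITHUB
-Triggers:
-BuildType: BUILD_BATCH
-Webhook: true
-FilterGroups:
-- - Type: EVENT
-Pattern: PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED, PULL_REQUEST_REOPENED
 Artifacts:
 Type: NO_ARTIFACTS
 Cache:
@@ -93,7 +87,9 @@ Resources:
 Source:
 Location: !Ref SourceLocation
 BuildSpec: codebuild/release/release.yml
-GitCloneDepth: 1
+## https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codebuild-project-source.html#cfn-codebuild-project-source-gitclonedepth
+## If this value is 0, greater than 25, or not provided then the full history is downloaded with each build project.
+GitCloneDepth: 0
 GitSubmodulesConfig:
 FetchSubmodules: false
 InsecureSsl: false
@@ -136,14 +132,15 @@ Resources:
 Path: /service-role/
 RoleName: !Sub "codebuild-${ProjectName}-service-role-ci"
 AssumeRolePolicyDocument: >-
-{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"codebuild.amazonaws.com"},"Action":"sts:AssumeRole"}]}
+{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"codebuild.amazonaws.com"},"Action":"sts:AssumeRole"},{"Effect":"Allow","Principal":{"Federated":"arn:aws:iam::587316601012:oidc-provider/token.actions.githubusercontent.com"},"Action":"sts:AssumeRoleWithWebIdentity","Condition":{"StringEquals":{"token.actions.githubusercontent.com:aud":"sts.amazonaws.com"},"StringLike":{"token.actions.githubusercontent.com:sub":"repo:aws/aws-encryption-sdk-java:*"}}}]}
 MaxSessionDuration: 3600
 ManagedPolicyArns:
 - !Ref CryptoToolsKMS
 - !Ref CodeBuildBatchPolicy
 - !Ref CodeBuildBasePolicy
 - !Ref SecretsManagerPolicyCI
 - !Ref ParameterStorePolicy
+- !Ref CodeBuildBasePolicyCI
 - "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess"
 - "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess"
 
@@ -158,6 +155,7 @@ Resources:
 ManagedPolicyArns:
 - !Ref CryptoToolsKMS
 - !Ref CodeBuildBatchPolicy
+- !Ref CodeBuildBatchPolicyRelease
 - !Ref CodeBuildBasePolicy
 - !Ref SecretsManagerPolicyRelease
 - !Ref ParameterStorePolicy
@@ -184,12 +182,37 @@ Resources:
 "Action": [
 "codebuild:StartBuild",
 "codebuild:StopBuild",
-"codebuild:RetryBuild"
+"codebuild:RetryBuild",
+"codebuild:BatchGetBuilds"
 ]
 }
 ]
 }
 
+CodeBuildBatchPolicyRelease:
+Type: "AWS::IAM::ManagedPolicy"
+Properties:
+ManagedPolicyName: !Sub >-
+CodeBuildBuildBatchPolicy-${ProjectName}-Release-${AWS::Region}-codebuild-${ProjectName}-release-service-role
+Path: /service-role/
+PolicyDocument: !Sub |
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Resource": [
+"arn:aws:codebuild:us-west-2:${AWS::AccountId}:project/AWS-ESDK-Java-Release"
+],
+"Action": [
+"codebuild:StartBuild",
+"codebuild:StopBuild",
+"codebuild:RetryBuild"
+]
+}
+]
+}
+
 CodeBuildBasePolicy:
 Type: "AWS::IAM::ManagedPolicy"
 Properties:
@@ -212,7 +235,8 @@ Resources:
 "Action": [
 "logs:CreateLogGroup",
 "logs:CreateLogStream",
-"logs:PutLogEvents"
+"logs:PutLogEvents",
+"logs:GetLogEvents"
 ]
 },
 {
@@ -244,6 +268,56 @@ Resources:
 ]
 }
 
+CodeBuildBasePolicyCI:
+Type: "AWS::IAM::ManagedPolicy"
+Properties:
+ManagedPolicyName: !Sub "CodeBuildBasePolicy-${ProjectName}-CI-${AWS::Region}"
+Path: /service-role/
+PolicyDocument: !Sub |
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Resource": [
+"arn:aws:logs:us-west-2:${AWS::AccountId}:log-group:/aws/codebuild/AWS-ESDK-Java-CI",
+"arn:aws:logs:us-west-2:${AWS::AccountId}:log-group:/aws/codebuild/AWS-ESDK-Java-CI:*"
+],
+"Action": [
+"logs:CreateLogGroup",
+"logs:CreateLogStream",
+"logs:PutLogEvents"
+]
+},
+{
+"Effect": "Allow",
+"Resource": [
+"arn:aws:s3:::codepipeline-us-west-2-*"
+],
+"Action": [
+"s3:PutObject",
+"s3:GetObject",
+"s3:GetObjectVersion",
+"s3:GetBucketAcl",
+"s3:GetBucketLocation"
+]
+},
+{
+"Effect": "Allow",
+"Action": [
+"codebuild:CreateReportGroup",
+"codebuild:CreateReport",
+"codebuild:UpdateReport",
+"codebuild:BatchPutTestCases",
+"codebuild:BatchPutCodeCoverages"
+],
+"Resource": [
+"arn:aws:codebuild:us-west-2:${AWS::AccountId}:report-group/AWS-ESDK-Java-CI-*"
+]
+}
+]
+}
+
 AccountIdParameter:
 Type: "AWS::SSM::Parameter"
 Properties:
@@ -264,7 +338,8 @@ Resources:
 {
 "Effect": "Allow",
 "Resource": [
-"arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-GC6h0A"
+"arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-CI-xjAvTM",
+"arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-CI-Credentials-eBrSNB"
 ],
 "Action": "secretsmanager:GetSecretValue"
 }
@@ -283,8 +358,10 @@ Resources:
 {
 "Effect": "Allow",
 "Resource": [
-"arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-GC6h0A",
-"arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Sonatype-Team-Account-0tWvZm"
+"arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-Release-haLIjZ",
+"arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-Release-Credentials-WgJanS",
+"arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Sonatype-Team-Account-0tWvZm",
+"arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Github/aws-crypto-tools-ci-bot-AGUB3U"
 ],
 "Action": "secretsmanager:GetSecretValue"
 }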
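Review bot: The federated principal added to the CI role's trust policy (hunk `@@ -136,14 +132,15 @@`) hard-codes the account id in `arn:aws:iam::587316601012:oidc-provider/token.actions.githubusercontent.com`, while every other ARN in this template derives it from `${AWS::AccountId}`; because `AssumeRolePolicyDocument` is a plain `>-` scalar, changing it to `AssumeRolePolicyDocument: !Sub >-` and writing `arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com` would keep the template account-agnostic (the JSON on that line contains no other `${` sequences for `!Sub` to resolve, as far as the hunk shows). The `StringLike` condition `repo:aws/aws-encryption-sdk-java:*` lets a workflow run from any branch, tag or pull_request of the repository assume a role that carries `SecretsManagerPolicyCI` (now covering the `Maven-GPG-Keys-CI-*` secrets) plus `AWSCodeArtifactAdminAccess`; the workflow in this commit does run on every push and pull request, so narrowing the `sub` pattern (e.g. to `ref:refs/heads/<branch>` for the release-signing jobs) would need a matching split of roles or triggers, but the breadth deserves a comment recording that it is deliberate. The template as shown does not declare the `AWS::IAM::OIDCProvider` resource this principal refers to, so presumably it is created out of band — a comment next to the trust policy saying where it lives would help the next maintainer. The enclosing role resource starts outside the hunk.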

codebuild/ci/ci.yml

-89
This file was deleted.
