From 74a0e45562174fc8bfbc9741c273d38abafe23e4 Mon Sep 17 00:00:00 2001
From: Lucas McDonald
Date: Tue, 22 Nov 2022 16:14:49 -0800
Subject: [PATCH 1/8] chore: Migrate CI to start from GHA
---
 .github/workflows/ci.yml | 115 +++++++++++++++++++++++++++++++++++++++
 cfn/ci_cd.yml | 15 ++---
 2 files changed, 121 insertions(+), 9 deletions(-)
 create mode 100644 .github/workflows/ci.yml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 000000000..7d23a1e19
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,115 @@
+name: AWS CodeBuild CI
+on:
+ pull_request:
+ push:
+ schedule:
+ - cron: "0 0 * * *" # Daily at 00:00 UTC (4 PM PDT)
+
+env:
+ PROJECT_NAME: AWS-ESDK-Java-CI
+
+permissions:
+ id-token: write
+
+jobs:
+ staticAnalysis:
+ name: Static Analysis
+ runs-on: ubuntu-latest
+ steps:
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }}
+ aws-region: us-west-2
+ role-duration-seconds: 3600
+ - name: Run Static Analysis
+ uses: aws-actions/aws-codebuild-run-build@v1
+ timeout-minutes: 60
+ with:
+ project-name: $PROJECT_NAME
+ buildspec-override: codebuild/ci/static-analysis.yml
+ compute-type-override: BUILD_GENERAL1_MEDIUM
+ image-override: aws/codebuild/amazonlinux2-x86_64-standard:3.0
+ vectorTests:
+ name: Vector Tests
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ distribution: [ openjdk, corretto ]
+ version: [ 8, 11 ]
+ image: [ "aws/codebuild/standard:3.0", "aws/codebuild/amazonlinux2-x86_64-standard:3.0" ]
+ exclude:
+ - distribution: corretto
+ image: aws/codebuild/standard:3.0 # Corretto only runs on AL2
+ - distribution: openjdk
+ image: aws/codebuild/amazonlinux2-x86_64-standard:3.0
+ steps:
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }}
+ aws-region: us-west-2
+ role-duration-seconds: 3600
+ - name: Vector Tests ${{ matrix.distribution }}${{ matrix.version }}
+ uses: aws-actions/aws-codebuild-run-build@v1
+ timeout-minutes: 60
+ with:
+ project-name: $PROJECT_NAME
+ buildspec-override: codebuild/ci/vectors-ci.yml
+ compute-type-override: BUILD_GENERAL1_LARGE
+ image-override: ${{ matrix.image }}
+ env-vars-for-codebuild: JAVA_ENV_VERSION
+ env:
+ JAVA_ENV_VERSION: ${{ matrix.distribution }}${{ matrix.version }}
+ releaseCI:
+ name: Release CI
+ runs-on: ubuntu-latest
+ steps:
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }}
+ aws-region: us-west-2
+ role-duration-seconds: 3600
+ - name: Release CI
+ uses: aws-actions/aws-codebuild-run-build@v1
+ timeout-minutes: 60
+ with:
+ project-name: $PROJECT_NAME
+ buildspec-override: codebuild/ci/release-ci.yml
+ compute-type-override: BUILD_GENERAL1_LARGE
+ image-override: aws/codebuild/standard:3.0
+ validateCI:
+ name: Validate CI
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ distribution: [ openjdk, corretto ]
+ version: [ 8, 11 ]
+ image: [ "aws/codebuild/standard:3.0", "aws/codebuild/amazonlinux2-x86_64-standard:3.0" ]
+ exclude:
+ - distribution: corretto
+ image: aws/codebuild/standard:3.0 # Corretto only runs on AL2
+ - distribution: openjdk
+ image: aws/codebuild/amazonlinux2-x86_64-standard:3.0
+ steps:
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }}
+ aws-region: us-west-2
+ role-duration-seconds: 3600
+ - name: Validate CI ${{ matrix.distribution }}${{ matrix.version }}
+ uses: aws-actions/aws-codebuild-run-build@v1
+ timeout-minutes: 60
+ with:
+ project-name: $PROJECT_NAME
+ buildspec-override: codebuild/ci/vectors-ci.yml
+ compute-type-override: BUILD_GENERAL1_MEDIUM
+ image-override: ${{ matrix.image }}
+ env-vars-for-codebuild: |
+ JAVA_ENV_VERSION,
+ JAVA_NUMERIC_VERSION
+ env:
+ JAVA_ENV_VERSION: ${{ matrix.distribution }}${{ matrix.version }}
+ JAVA_NUMERIC_VERSION: ${{ matrix.version }}
diff --git a/cfn/ci_cd.yml b/cfn/ci_cd.yml
index c49c2de33..e75659f0f 100644
--- a/cfn/ci_cd.yml
+++ b/cfn/ci_cd.yml
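Review bot: Both third-party actions are pinned to a floating major tag (`uses: aws-actions/configure-aws-credentials@v1`, `uses: aws-actions/aws-codebuild-run-build@v1`) in a workflow that hands them an OIDC token exchanged for an AWS role, so a moved or compromised tag would run with those credentials; pin each to a full commit SHA and keep the human-readable version in a trailing comment, e.g. `uses: aws-actions/configure-aws-credentials@<full-commit-sha> # vX.Y.Z`. The workflow also triggers on `pull_request`, but as far as I know GitHub does not issue an OIDC token to runs for pull requests from forks, so on a fork PR every job would fail at the credentials step rather than run the build — if fork PRs are expected, either gate the jobs with `if: github.event.pull_request.head.repo.full_name == github.repository` or record the intended behaviour in a comment next to `permissions:`. Minor: the cron comment `# Daily at 00:00 UTC (4 PM PDT)` is off by an hour; 00:00 UTC is 17:00 PDT (16:00 PST).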
@@ -44,16 +44,10 @@ Resources:
 BuildSpec: codebuild/ci/ci.yml
 GitCloneDepth: 1
 GitSubmodulesConfig:
- FetchSubmodules: false
+ FetchSubmodules: true
 InsecureSsl: false
 ReportBuildStatus: false
 Type: GITHUB
- Triggers:
- BuildType: BUILD_BATCH
- Webhook: true
- FilterGroups:
- - - Type: EVENT
- Pattern: PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED, PULL_REQUEST_REOPENED
 Artifacts:
 Type: NO_ARTIFACTS
 Cache:
@@ -137,6 +131,7 @@ Resources:
 RoleName: !Sub "codebuild-${ProjectName}-service-role-ci"
 AssumeRolePolicyDocument: >-
 {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"codebuild.amazonaws.com"},"Action":"sts:AssumeRole"}]}
+ {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"codebuild.amazonaws.com"},"Action":"sts:AssumeRole"},{"Effect":"Allow","Principal":{"Federated":"arn:aws:iam::587316601012:oidc-provider/token.actions.githubusercontent.com"},"Action":"sts:AssumeRoleWithWebIdentity","Condition":{"StringEquals":{"token.actions.githubusercontent.com:aud":"sts.amazonaws.com"},"StringLike":{"token.actions.githubusercontent.com:sub":"repo:aws/aws-encryption-sdk-java:*"}}}]}
 MaxSessionDuration: 3600
 ManagedPolicyArns:
 - !Ref CryptoToolsKMS
@@ -184,7 +179,8 @@ Resources:
 "Action": [
 "codebuild:StartBuild",
 "codebuild:StopBuild",
- "codebuild:RetryBuild"
+ "codebuild:RetryBuild",
+ "codebuild:BatchGetBuilds"
 ]
 }
 ]
@@ -212,7 +208,8 @@ Resources:
 "Action": [
 "logs:CreateLogGroup",
 "logs:CreateLogStream",
- "logs:PutLogEvents"
+ "logs:PutLogEvents",
+ "logs:GetLogEvents"
 ]
 },
 {
From a6a807796ed7485390a5b063666410b780706db3 Mon Sep 17 00:00:00 2001
From: Lucas McDonald
Date: Tue, 22 Nov 2022 16:16:07 -0800
Subject: [PATCH 2/8] chore: Migrate CI to start from GHA
---
 .github/workflows/ci.yml | 2 +-
 codebuild/ci/ci.yml | 89 ----------------------------------------
 2 files changed, 1 insertion(+), 90 deletions(-)
 delete mode 100644 codebuild/ci/ci.yml
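Review bot: The GitHub OIDC principal is being trusted by the CodeBuild service role itself (`RoleName: !Sub "codebuild-${ProjectName}-service-role-ci"`, whose `ManagedPolicyArns` begin with `CryptoToolsKMS` and, per later hunks in this series, also include `SecretsManagerPolicyCI` and `AWSCodeArtifactAdminAccess`), so a workflow run that assumes it can call KMS, read the CI secrets and administer CodeArtifact directly instead of merely starting a build. A dedicated role for GitHub whose only grants are `codebuild:StartBuild`/`StopBuild`/`RetryBuild`/`BatchGetBuilds` on the CI project and `logs:GetLogEvents` on its log group would keep the service role's permissions reachable only through a CodeBuild build — which is all the `BatchGetBuilds` and `GetLogEvents` additions in the other two hunks are needed for. The `StringLike` condition `"repo:aws/aws-encryption-sdk-java:*"` matches every branch, tag, pull request and environment of the repository, so narrowing it to the claims that need it (for example `repo:aws/aws-encryption-sdk-java:ref:refs/heads/<default-branch>` plus `repo:aws/aws-encryption-sdk-java:pull_request`) limits which runs can reach the role; the `aud` check against `sts.amazonaws.com` is the right one. The provider ARN hard-codes account `587316601012` while the rest of the template uses `${AWS::AccountId}`; switching the property to `!Sub >-` would let it use the pseudo-parameter too, and the template does not visibly create the `AWS::IAM::OIDCProvider` it references, so that dependency should at least be documented.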
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7d23a1e19..39b95d57d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -104,7 +104,7 @@ jobs:
 timeout-minutes: 60
 with:
 project-name: $PROJECT_NAME
- buildspec-override: codebuild/ci/vectors-ci.yml
+ buildspec-override: codebuild/ci/validate-ci.yml
 compute-type-override: BUILD_GENERAL1_MEDIUM
 image-override: ${{ matrix.image }}
 env-vars-for-codebuild: |
diff --git a/codebuild/ci/ci.yml b/codebuild/ci/ci.yml
deleted file mode 100644
index 7c64ccf1d..000000000
--- a/codebuild/ci/ci.yml
+++ /dev/null
@@ -1,89 +0,0 @@
-version: 0.2
-
-# TODO: Replace/Augment build-graph with build-matrix
-# Note: It's possible that 9 builds will be running concurrently with the current arrangement
-
-batch:
- fast-fail: false
- build-graph:
- - identifier: static_analysis
- buildspec: codebuild/ci/static-analysis.yml
- env:
- compute-type: BUILD_GENERAL1_MEDIUM
- image: aws/codebuild/amazonlinux2-x86_64-standard:3.0
- ######### Start Vector tests #########
- - identifier: vectors_ci_openjdk8
- buildspec: codebuild/ci/vectors-ci.yml
- env:
- compute-type: BUILD_GENERAL1_LARGE
- variables:
- JAVA_ENV_VERSION: openjdk8
- image: aws/codebuild/standard:3.0
- - identifier: vectors_ci_openjdk11
- buildspec: codebuild/ci/vectors-ci.yml
- env:
- compute-type: BUILD_GENERAL1_LARGE
- variables:
- JAVA_ENV_VERSION: openjdk11
- image: aws/codebuild/standard:3.0
- - identifier: vectors_ci_corretto8
- buildspec: codebuild/ci/vectors-ci.yml
- env:
- compute-type: BUILD_GENERAL1_LARGE
- variables:
- JAVA_ENV_VERSION: corretto8
- image: aws/codebuild/amazonlinux2-x86_64-standard:3.0
- - identifier: vectors_ci_corretto11
- buildspec: codebuild/ci/vectors-ci.yml
- env:
- compute-type: BUILD_GENERAL1_LARGE
- variables:
- JAVA_ENV_VERSION: corretto11
- image: aws/codebuild/amazonlinux2-x86_64-standard:3.0
- ######### End Vector tests #########
- - identifier: release_ci
- buildspec: codebuild/ci/release-ci.yml
- env:
- compute-type: BUILD_GENERAL1_LARGE
- image: aws/codebuild/standard:3.0
- ######### Start JAR Smoke tests #########
- - identifier: validate_ci_openjdk8
- depend-on:
- - release_ci
- buildspec: codebuild/ci/validate-ci.yml
- env:
- variables:
- JAVA_ENV_VERSION: openjdk8
- JAVA_NUMERIC_VERSION: 8
- image: aws/codebuild/standard:3.0
- - identifier: validate_ci_openjdk11
- depend-on:
- - release_ci
- buildspec: codebuild/ci/validate-ci.yml
- env:
- compute-type: BUILD_GENERAL1_MEDIUM
- variables:
- JAVA_ENV_VERSION: openjdk11
- JAVA_NUMERIC_VERSION: 11
- image: aws/codebuild/standard:3.0
- - identifier: validate_ci_corretto8
- depend-on:
- - release_ci
- buildspec: codebuild/ci/validate-ci.yml
- env:
- compute-type: BUILD_GENERAL1_MEDIUM
- variables:
- JAVA_ENV_VERSION: corretto8
- JAVA_NUMERIC_VERSION: 8
- image: aws/codebuild/amazonlinux2-x86_64-standard:3.0
- - identifier: validate_ci_corretto11
- depend-on:
- - release_ci
- buildspec: codebuild/ci/validate-ci.yml
- env:
- compute-type: BUILD_GENERAL1_MEDIUM
- variables:
- JAVA_ENV_VERSION: corretto11
- JAVA_NUMERIC_VERSION: 11
- image: aws/codebuild/amazonlinux2-x86_64-standard:3.0
- ######### End JAR Smoke tests #########
From f9cfe1cd42dc1f0bf0bc4440a945049df12bee6f Mon Sep 17 00:00:00 2001
From: Lucas McDonald
Date: Wed, 23 Nov 2022 10:41:48 -0800
Subject: [PATCH 3/8] Update ci.yml
---
 .github/workflows/ci.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 39b95d57d..753517042 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -82,6 +82,7 @@ jobs:
 validateCI:
 name: Validate CI
 runs-on: ubuntu-latest
+ needs: releaseCI
 strategy:
 matrix:
 distribution: [ openjdk, corretto ]
From dc99beaa9372ea182058f6c288820742d5b2ee61 Mon Sep 17 00:00:00 2001
From: Lucas McDonald
Date: Wed, 23 Nov 2022 12:06:24 -0800
Subject: [PATCH 4/8] Update ci.yml
---
 .github/workflows/ci.yml | 38 ++++++++++++++++++--------------------
 1 file changed, 18 insertions(+), 20 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 753517042..64fb50cd4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -34,15 +34,14 @@ jobs:
 name: Vector Tests
 runs-on: ubuntu-latest
 strategy:
+ fail-fast: true
 matrix:
- distribution: [ openjdk, corretto ]
- version: [ 8, 11 ]
- image: [ "aws/codebuild/standard:3.0", "aws/codebuild/amazonlinux2-x86_64-standard:3.0" ]
- exclude:
- - distribution: corretto
- image: aws/codebuild/standard:3.0 # Corretto only runs on AL2
+ platform:
 - distribution: openjdk
- image: aws/codebuild/amazonlinux2-x86_64-standard:3.0
+ image: "aws/codebuild/standard:3.0"
+ - distribution: corretto
+ image: "aws/codebuild/amazonlinux2-x86_64-standard:3.0" # Corretto only runs on AL2
+ version: [ 8, 11 ]
 steps:
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@v1
@@ -50,17 +49,17 @@ jobs:
 role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }}
 aws-region: us-west-2
 role-duration-seconds: 3600
- - name: Vector Tests ${{ matrix.distribution }}${{ matrix.version }}
+ - name: Vector Tests ${{ matrix.platform.distribution }}${{ matrix.version }}
 uses: aws-actions/aws-codebuild-run-build@v1
 timeout-minutes: 60
 with:
 project-name: $PROJECT_NAME
 buildspec-override: codebuild/ci/vectors-ci.yml
 compute-type-override: BUILD_GENERAL1_LARGE
- image-override: ${{ matrix.image }}
+ image-override: ${{ matrix.platform.image }}
 env-vars-for-codebuild: JAVA_ENV_VERSION
 env:
- JAVA_ENV_VERSION: ${{ matrix.distribution }}${{ matrix.version }}
+ JAVA_ENV_VERSION: ${{ matrix.platform.distribution }}${{ matrix.version }}
 releaseCI:
 name: Release CI
 runs-on: ubuntu-latest
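Review bot: `fail-fast: true` is already GitHub's default for a matrix, so the added line only documents intent; the consequence worth documenting is what happens to the remote build when a sibling entry fails and this job is cancelled — the GitHub job ends, but the CodeBuild build started by `aws-codebuild-run-build` keeps running unless the action stops it on cancellation. The CI role is granted `codebuild:StopBuild` in cfn/ci_cd.yml, which suggests that is expected, but it is worth confirming that the action version in use actually issues StopBuild on cancel and, if it does not, adding `# a cancelled entry leaves its CodeBuild build running to completion` above `fail-fast` so nobody is surprised by the compute bill or by a late build overwriting report groups.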
@@ -84,15 +83,14 @@ jobs:
 runs-on: ubuntu-latest
 needs: releaseCI
 strategy:
+ fail-fast: true
 matrix:
- distribution: [ openjdk, corretto ]
- version: [ 8, 11 ]
- image: [ "aws/codebuild/standard:3.0", "aws/codebuild/amazonlinux2-x86_64-standard:3.0" ]
- exclude:
- - distribution: corretto
- image: aws/codebuild/standard:3.0 # Corretto only runs on AL2
+ platform:
 - distribution: openjdk
- image: aws/codebuild/amazonlinux2-x86_64-standard:3.0
+ image: "aws/codebuild/standard:3.0"
+ - distribution: corretto
+ image: "aws/codebuild/amazonlinux2-x86_64-standard:3.0" # Corretto only runs on AL2
+ version: [ 8, 11 ]
 steps:
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@v1
@@ -100,17 +98,17 @@ jobs:
 role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }}
 aws-region: us-west-2
 role-duration-seconds: 3600
- - name: Validate CI ${{ matrix.distribution }}${{ matrix.version }}
+ - name: Validate CI ${{ matrix.platform.distribution }}${{ matrix.version }}
 uses: aws-actions/aws-codebuild-run-build@v1
 timeout-minutes: 60
 with:
 project-name: $PROJECT_NAME
 buildspec-override: codebuild/ci/validate-ci.yml
 compute-type-override: BUILD_GENERAL1_MEDIUM
- image-override: ${{ matrix.image }}
+ image-override: ${{ matrix.platform.image }}
 env-vars-for-codebuild: |
 JAVA_ENV_VERSION,
 JAVA_NUMERIC_VERSION
 env:
- JAVA_ENV_VERSION: ${{ matrix.distribution }}${{ matrix.version }}
+ JAVA_ENV_VERSION: ${{ matrix.platform.distribution }}${{ matrix.version }}
 JAVA_NUMERIC_VERSION: ${{ matrix.version }}
From 9170a800123ff4b4ab0887fa365563d6fa9c5b35 Mon Sep 17 00:00:00 2001
From: Lucas McDonald
Date: Wed, 23 Nov 2022 12:20:30 -0800
Subject: [PATCH 5/8] Update ci.yml
---
 .github/workflows/ci.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 64fb50cd4..bd9b4b499 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
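Review bot: This `platform` matrix is now a byte-for-byte copy of the one in `vectorTests` (same two entries, same `version: [ 8, 11 ]`), so the two jobs will drift the first time a JDK or image is added to only one of them. GitHub's workflow parser has historically rejected YAML anchors, so the usual remedies are a reusable workflow taking distribution/version as inputs or a single job with both buildspecs as steps; at minimum a comment on each matrix, `# keep in sync with vectorTests.strategy.matrix`, makes the coupling visible to the next editor.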
@@ -6,7 +6,7 @@ on:
 - cron: "0 0 * * *" # Daily at 00:00 UTC (4 PM PDT)
 env:
- PROJECT_NAME: AWS-ESDK-Java-CI
+ CODEBUILD_PROJECT_NAME: AWS-ESDK-Java-CI
 permissions:
 id-token: write
@@ -26,7 +26,7 @@ jobs:
 uses: aws-actions/aws-codebuild-run-build@v1
 timeout-minutes: 60
 with:
- project-name: $PROJECT_NAME
+ project-name: $CODEBUILD_PROJECT_NAME
 buildspec-override: codebuild/ci/static-analysis.yml
 compute-type-override: BUILD_GENERAL1_MEDIUM
 image-override: aws/codebuild/amazonlinux2-x86_64-standard:3.0
@@ -53,7 +53,7 @@ jobs:
 uses: aws-actions/aws-codebuild-run-build@v1
 timeout-minutes: 60
 with:
- project-name: $PROJECT_NAME
+ project-name: $CODEBUILD_PROJECT_NAME
 buildspec-override: codebuild/ci/vectors-ci.yml
 compute-type-override: BUILD_GENERAL1_LARGE
 image-override: ${{ matrix.platform.image }}
@@ -74,7 +74,7 @@ jobs:
 uses: aws-actions/aws-codebuild-run-build@v1
 timeout-minutes: 60
 with:
- project-name: $PROJECT_NAME
+ project-name: $CODEBUILD_PROJECT_NAME
 buildspec-override: codebuild/ci/release-ci.yml
 compute-type-override: BUILD_GENERAL1_LARGE
 image-override: aws/codebuild/standard:3.0
@@ -102,7 +102,7 @@ jobs:
 uses: aws-actions/aws-codebuild-run-build@v1
 timeout-minutes: 60
 with:
- project-name: $PROJECT_NAME
+ project-name: $CODEBUILD_PROJECT_NAME
 buildspec-override: codebuild/ci/validate-ci.yml
 compute-type-override: BUILD_GENERAL1_MEDIUM
 image-override: ${{ matrix.platform.image }}
From 9b8b8a290182eea88c49ebf5f7a22297bb9df188 Mon Sep 17 00:00:00 2001
From: Lucas McDonald
Date: Wed, 23 Nov 2022 15:12:41 -0800
Subject: [PATCH 6/8] Update ci_cd.yml
---
 cfn/ci_cd.yml | 90 ++++++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 85 insertions(+), 5 deletions(-)
diff --git a/cfn/ci_cd.yml b/cfn/ci_cd.yml
index e75659f0f..73331d03b 100644
--- a/cfn/ci_cd.yml
+++ b/cfn/ci_cd.yml
@@ -87,7 +87,9 @@ Resources:
 Source:
 Location: !Ref SourceLocation
 BuildSpec: codebuild/release/release.yml
- GitCloneDepth: 1
+ ## https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codebuild-project-source.html#cfn-codebuild-project-source-gitclonedepth
+ ## If this value is 0, greater than 25, or not provided then the full history is downloaded with each build project.
+ GitCloneDepth: 0
 GitSubmodulesConfig:
 FetchSubmodules: false
 InsecureSsl: false
@@ -130,7 +132,6 @@ Resources:
 Path: /service-role/
 RoleName: !Sub "codebuild-${ProjectName}-service-role-ci"
 AssumeRolePolicyDocument: >-
- {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"codebuild.amazonaws.com"},"Action":"sts:AssumeRole"}]}
 {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"codebuild.amazonaws.com"},"Action":"sts:AssumeRole"},{"Effect":"Allow","Principal":{"Federated":"arn:aws:iam::587316601012:oidc-provider/token.actions.githubusercontent.com"},"Action":"sts:AssumeRoleWithWebIdentity","Condition":{"StringEquals":{"token.actions.githubusercontent.com:aud":"sts.amazonaws.com"},"StringLike":{"token.actions.githubusercontent.com:sub":"repo:aws/aws-encryption-sdk-java:*"}}}]}
 MaxSessionDuration: 3600
 ManagedPolicyArns:
@@ -139,6 +140,7 @@ Resources:
 - !Ref CodeBuildBasePolicy
 - !Ref SecretsManagerPolicyCI
 - !Ref ParameterStorePolicy
+ - !Ref CodeBuildBasePolicyCI
 - "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess"
 - "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess"
@@ -153,6 +155,7 @@ Resources:
 ManagedPolicyArns:
 - !Ref CryptoToolsKMS
 - !Ref CodeBuildBatchPolicy
+ - !Ref CodeBuildBatchPolicyRelease
 - !Ref CodeBuildBasePolicy
 - !Ref SecretsManagerPolicyRelease
 - !Ref ParameterStorePolicy
@@ -186,6 +189,30 @@ Resources:
 ]
 }
+ CodeBuildBatchPolicyRelease:
+ Type: "AWS::IAM::ManagedPolicy"
+ Properties:
+ ManagedPolicyName: !Sub >-
+ CodeBuildBuildBatchPolicy-${ProjectName}-Release-${AWS::Region}-codebuild-${ProjectName}-release-service-role
+ Path: /service-role/
+ PolicyDocument: !Sub |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws:codebuild:us-west-2:${AWS::AccountId}:project/AWS-ESDK-Java-Release"
+ ],
+ "Action": [
+ "codebuild:StartBuild",
+ "codebuild:StopBuild",
+ "codebuild:RetryBuild"
+ ]
+ }
+ ]
+ }
+
 CodeBuildBasePolicy:
 Type: "AWS::IAM::ManagedPolicy"
 Properties:
@@ -241,6 +268,56 @@ Resources:
 ]
 }
+ CodeBuildBasePolicyCI:
+ Type: "AWS::IAM::ManagedPolicy"
+ Properties:
+ ManagedPolicyName: !Sub "CodeBuildBasePolicy-${ProjectName}-CI-${AWS::Region}"
+ Path: /service-role/
+ PolicyDocument: !Sub |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws:logs:us-west-2:${AWS::AccountId}:log-group:/aws/codebuild/AWS-ESDK-Java-CI",
+ "arn:aws:logs:us-west-2:${AWS::AccountId}:log-group:/aws/codebuild/AWS-ESDK-Java-CI:*"
+ ],
+ "Action": [
+ "logs:CreateLogGroup",
+ "logs:CreateLogStream",
+ "logs:PutLogEvents"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws:s3:::codepipeline-us-west-2-*"
+ ],
+ "Action": [
+ "s3:PutObject",
+ "s3:GetObject",
+ "s3:GetObjectVersion",
+ "s3:GetBucketAcl",
+ "s3:GetBucketLocation"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "codebuild:CreateReportGroup",
+ "codebuild:CreateReport",
+ "codebuild:UpdateReport",
+ "codebuild:BatchPutTestCases",
+ "codebuild:BatchPutCodeCoverages"
+ ],
+ "Resource": [
+ "arn:aws:codebuild:us-west-2:${AWS::AccountId}:report-group/AWS-ESDK-Java-CI-*"
+ ]
+ }
+ ]
+ }
+
 AccountIdParameter:
 Type: "AWS::SSM::Parameter"
 Properties:
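Review bot: `CodeBuildBasePolicyCI` grants `s3:PutObject`/`s3:GetObject` on `arn:aws:s3:::codepipeline-us-west-2-*`, yet the CI project is declared with `Artifacts: Type: NO_ARTIFACTS` and is now started from GitHub rather than CodePipeline, so that statement looks like copied CodeBuild boilerplate with no consumer; dropping it keeps a role that GitHub runs can assume directly from being able to write into every CodePipeline bucket in the account. Every resource ARN in both new policies hard-codes `us-west-2` while their names use `${AWS::Region}` — use the pseudo-parameter in the ARNs as well (`arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/AWS-ESDK-Java-CI`) so a deployment in another region does not silently grant nothing. The logs statement also appears to overlap with the grant the existing `CodeBuildBasePolicy` already holds (its resource list is not visible here), so it would be worth a comment saying which policy is meant to own CloudWatch access, or removing one of the two.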
@@ -261,7 +338,8 @@ Resources:
 {
 "Effect": "Allow",
 "Resource": [
- "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-GC6h0A"
+ "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-CI-xjAvTM",
+ "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-CI-Credentials-eBrSNB"
 ],
 "Action": "secretsmanager:GetSecretValue"
 }
@@ -280,8 +358,10 @@ Resources:
 {
 "Effect": "Allow",
 "Resource": [
- "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-GC6h0A",
- "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Sonatype-Team-Account-0tWvZm"
+ "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-Release-haLIjZ",
+ "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-Release-Credentials-WgJanS",
+ "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Sonatype-Team-Account-0tWvZm",
+ "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Github/aws-crypto-tools-ci-bot-AGUB3U"
 ],
 "Action": "secretsmanager:GetSecretValue"
 }
From 707a59ca116c481bd993b9ef78fd9f24ea51607e Mon Sep 17 00:00:00 2001
From: Lucas McDonald
Date: Wed, 23 Nov 2022 15:17:02 -0800
Subject: [PATCH 7/8] chore: Fix CI script
---
 .github/workflows/ci.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index bd9b4b499..dd0df040d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -10,6 +10,7 @@ env:
 permissions:
 id-token: write
+ contents: read
 jobs:
 staticAnalysis:
From e40179452b104e8b461c56c952c752f651ebead9 Mon Sep 17 00:00:00 2001
From: Lucas McDonald
Date: Wed, 23 Nov 2022 15:25:50 -0800
Subject: [PATCH 8/8] chore: Fix CI script
---
 .github/workflows/ci.yml | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index dd0df040d..43112040b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
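Review bot: Separating the CI and release GPG material into distinct secrets is the right move, but `Maven-GPG-Keys-CI-xjAvTM` and `Maven-GPG-Keys-CI-Credentials-eBrSNB` remain readable by the CI service role, which is the role the GitHub OIDC trust in this same template lets any workflow run in the repository assume; the CI key should therefore be treated as semi-public, and a comment such as `# CI-only signing key; never used for published artifacts` would make that threat model explicit (if it is not a throwaway key, the split buys nothing and the release key should be rotated). The ARNs also embed the Secrets Manager random suffix, so they break whenever a secret is recreated; the documented way to scope by name without that fragility is a trailing wildcard, e.g. `secret:Maven-GPG-Keys-CI-*`, which still excludes the `Release` secrets.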
@@ -5,9 +5,6 @@ on:
 schedule:
 - cron: "0 0 * * *" # Daily at 00:00 UTC (4 PM PDT)
-env:
- CODEBUILD_PROJECT_NAME: AWS-ESDK-Java-CI
-
 permissions:
 id-token: write
 contents: read
@@ -27,7 +24,7 @@ jobs:
 uses: aws-actions/aws-codebuild-run-build@v1
 timeout-minutes: 60
 with:
- project-name: $CODEBUILD_PROJECT_NAME
+ project-name: AWS-ESDK-Java-CI
 buildspec-override: codebuild/ci/static-analysis.yml
 compute-type-override: BUILD_GENERAL1_MEDIUM
 image-override: aws/codebuild/amazonlinux2-x86_64-standard:3.0
@@ -54,7 +51,7 @@ jobs:
 uses: aws-actions/aws-codebuild-run-build@v1
 timeout-minutes: 60
 with:
- project-name: $CODEBUILD_PROJECT_NAME
+ project-name: AWS-ESDK-Java-CI
 buildspec-override: codebuild/ci/vectors-ci.yml
 compute-type-override: BUILD_GENERAL1_LARGE
 image-override: ${{ matrix.platform.image }}
@@ -75,7 +72,7 @@ jobs:
 uses: aws-actions/aws-codebuild-run-build@v1
 timeout-minutes: 60
 with:
- project-name: $CODEBUILD_PROJECT_NAME
+ project-name: AWS-ESDK-Java-CI
 buildspec-override: codebuild/ci/release-ci.yml
 compute-type-override: BUILD_GENERAL1_LARGE
 image-override: aws/codebuild/standard:3.0
@@ -103,7 +100,7 @@ jobs:
 uses: aws-actions/aws-codebuild-run-build@v1
 timeout-minutes: 60
 with:
- project-name: $CODEBUILD_PROJECT_NAME
+ project-name: AWS-ESDK-Java-CI
 buildspec-override: codebuild/ci/validate-ci.yml
 compute-type-override: BUILD_GENERAL1_MEDIUM
 image-override: ${{ matrix.platform.image }}
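Review bot: The reason `$CODEBUILD_PROJECT_NAME` never resolved is that `with:` inputs are not shell-expanded — the action received the literal string — so the fix did not have to be four copies of `project-name: AWS-ESDK-Java-CI`; the workflow-level `env` could have stayed and been referenced with expression syntax, `project-name: ${{ env.CODEBUILD_PROJECT_NAME }}`, which GitHub does expand in `with:`. Whichever form is kept, the value must match the project name that cfn/ci_cd.yml bakes into its policy ARNs and log-group names, so a one-line comment at the first use, `# must match the CI project created by cfn/ci_cd.yml`, records the coupling that the deleted env block used to hint at.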