diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7105e122..7d035593 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,67 +1,11 @@
 # This workflow performs tests in JavaScript.
 name: ESDK JavaScript CI Tests
+permissions:
+ contents: read
+ id-token: write
 on: [pull_request, workflow_call]
 jobs:
- CI:
- strategy:
- matrix:
- node: [18.x, 20.x, 22.x, latest]
- fail-fast: false
- runs-on: codebuild-AWS-ESDK-JS-Release-${{ github.run_id }}-${{ github.run_attempt }}-ubuntu-5.0-large
- permissions:
- id-token: write
- contents: read
- defaults:
- run:
- shell: bash
- steps:
- - uses: actions/checkout@v4
- with:
- submodules: true
- - uses: actions/setup-node@v4
- with:
- node-version: ${{matrix.node}}
- - name: Configure AWS Credentials for Tests
- uses: aws-actions/configure-aws-credentials@v4
- with:
- aws-region: us-west-2
- role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2
- role-session-name: JavaScriptTests
- - name: Test Coverage Node ${{matrix.node}}
- env:
- NODE_OPTIONS: "--max-old-space-size=4096"
- run: |
- npm ci
- npm run build
- npm run coverage-node
- - name: Test Coverage Browser ${{matrix.node}}
- env:
- NODE_OPTIONS: "--max-old-space-size=4096"
- run: |
- npm run coverage-browser
- - name: Test compliance
- env:
- NODE_OPTIONS: "--max-old-space-size=4096"
- run: |
- npm run lint
- npm run test_conditions
- - name: Run Test Vectors Node ${{matrix.node}}
- env:
- NODE_OPTIONS: "--max-old-space-size=4096"
- NPM_CONFIG_UNSAFE_PERM: true
- PUBLISH_LOCAL: true
- run: |
- npm run verdaccio-publish
- npm run verdaccio-node-decrypt
- npm run verdaccio-node-encrypt
- - name: Run Test Vectors Browser node ${{matrix.node}}
- env:
- NODE_OPTIONS: "--max-old-space-size=4096"
- NPM_CONFIG_UNSAFE_PERM: true
- PUBLISH_LOCAL: true
- run: |
- npm run verdaccio-publish
- npm run verdaccio-browser-decrypt
- npm run verdaccio-browser-encrypt
+ shared-ci:
+ uses: ./.github/workflows/shared-ci.yml
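Review bot: The file comment `# This workflow performs tests in JavaScript.` is now stale, because the only remaining job delegates to shared-ci.yml; I would replace it with `# Thin wrapper: pull_request and workflow_call runs delegate to shared-ci.yml so one test definition is shared with prod-release.yml.` The new workflow-level `permissions` block is what allows the reusable workflow's job-level `id-token: write` to take effect for the OIDC role assumption in shared-ci.yml, so a line above it such as `# id-token: write is required so shared-ci.yml can assume the AWS test role via OIDC` would stop a future reader from trimming it down to `contents: read`. The `workflow_call` trigger on ci.yml itself is kept even though the workflow is now only a wrapper; if nothing still calls ci.yml, dropping it removes a second entry point into the same test job.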
diff --git a/.github/workflows/prod-release.yml b/.github/workflows/prod-release.yml
new file mode 100644
index 00000000..1e568174
--- /dev/null
+++ b/.github/workflows/prod-release.yml
@@ -0,0 +1,76 @@
+name: Release
+permissions:
+ contents: read
+ id-token: write
+
+on:
+ workflow_dispatch:
+ inputs:
+ version_bump:
+ required: false
+ description: '[Optional] Override semantic versioning with explict version (allowed values: "patch", "minor", "major", or explicit version)'
+ default: ''
+ dist_tag:
+ description: 'NPM distribution tag'
+ required: false
+ default: 'latest'
+ branch:
+ description: 'The branch to release from'
+ required: false
+ default: 'master'
+
+env:
+ NODE_OPTIONS: "--max-old-space-size=4096"
+ NPM_CONFIG_UNSAFE_PERM: true
+
+jobs:
+ pre-release-ci:
+ uses: ./.github/workflows/shared-ci.yml
+
+ # Once all tests have passed, run semantic versioning
+ version:
+ runs-on: ubuntu-latest
+ needs: [pre-release-ci]
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ submodules: true
+
+ - name: Setup Node.js 16
+ uses: actions/setup-node@v4
+ with:
+ node-version: '16'
+ cache: 'npm'
+
+ - name: Install dependencies
+ run: npm ci --unsafe-perm
+
+ - name: Configure git
+ env:
+ BRANCH: ${{ github.event.inputs.branch }}
+ VERSION_BUMP: ${{ github.event.inputs.version_bump }}
+ run: |
+ git config --global user.name "aws-crypto-tools-ci-bot"
+ git config --global user.email "no-reply@noemail.local"
+ git checkout $BRANCH
+
+ - name: Version packages (dry run - no push)
+ run: |
+ # Generate new version and CHANGELOG entry and push it
+ npx lerna version --conventional-commits --git-remote origin --yes ${VERSION_BUMP:+$VERSION_BUMP --force-publish}
+ # Log the commit for posterity
+ git log -n 1
+
+ # Once semantic versioning has run and bumped versions, publish to npm
+ # TODO: Publish step that doesn't use OTP but instead follows
+ # https://docs.npmjs.com/trusted-publishers
+
+ # Once publishing is complete, validate that the published packages are useable
+ validate:
+ uses: ./.github/workflows/shared-ci.yml
+ # TODO: Uncomment when adding publish step
+ # needs: [publish]
+ with:
+ test-published-packages: true
diff --git a/.github/workflows/shared-ci.yml b/.github/workflows/shared-ci.yml
new file mode 100644
index 00000000..2942920f
--- /dev/null
+++ b/.github/workflows/shared-ci.yml
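Review bot: `VERSION_BUMP` is defined only in the `env:` of the `Configure git` step, so in the following `Version packages` step `${VERSION_BUMP:+$VERSION_BUMP --force-publish}` always expands to nothing and the `version_bump` input is silently ignored; move `VERSION_BUMP: ${{ github.event.inputs.version_bump }}` into an `env:` on the `Version packages` step (or up to the job-level `env:`). While there, quote the user-supplied branch in the shell, `git checkout "$BRANCH"`, since it comes straight from a workflow_dispatch input. The step name says `dry run - no push` while its comment says the command pushes, and the workflow grants only `contents: read`; if a push is intended the `version` job needs `contents: write`, otherwise add `--no-push` to the `lerna version` call so name, comment and permissions agree. Also, with `needs: [publish]` commented out the `validate` job starts immediately alongside `pre-release-ci` and tests "published" packages before any versioning has run; until the publish job exists, `needs: [version]` preserves the intended ordering.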
@@ -0,0 +1,76 @@
+name: Shared CI Tests
+
+on:
+ workflow_call:
+ inputs:
+ test-published-packages:
+ description: 'Test against published packages instead of checked out code'
+ required: false
+ type: boolean
+ default: false
+
+env:
+ NODE_OPTIONS: "--max-old-space-size=4096"
+ NPM_CONFIG_UNSAFE_PERM: true
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ contents: read
+ strategy:
+ fail-fast: false
+ matrix:
+ node-version: ['18.x', '20.x', '22.x', 'latest']
+ test-type: ['node', 'browser']
+ test-category: ['coverage', 'vectors', 'compliance']
+ name: test-${{ matrix.test-category }}-${{ matrix.test-type }}${{ matrix.node-version }}
+ steps:
+ - name: Checkout code
+ # Always need repo for test scripts and configuration, even when testing published packages
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ submodules: true
+
+ - name: Setup Node.js ${{ matrix.node-version }}
+ uses: actions/setup-node@v4
+ with:
+ node-version: ${{ matrix.node-version }}
+ cache: 'npm'
+
+ - name: Configure AWS Credentials for Tests
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-region: us-west-2
+ role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2
+ role-session-name: JavaScriptTests
+
+ - name: Install dependencies
+ run: npm ci --unsafe-perm
+
+ - name: Build (for source code testing)
+ if: ${{ !inputs.test-published-packages }}
+ run: npm run build
+
+ - name: Run coverage tests (${{ matrix.test-type }})
+ if: ${{ matrix.test-category == 'coverage' }}
+ run: npm run coverage-${{ matrix.test-type }}
+
+ - name: Publish locally for vector tests
+ if: ${{ matrix.test-category == 'vectors' && !inputs.test-published-packages }}
+ run: npm run verdaccio-publish
+
+ - name: Run vector tests (${{ matrix.test-type }})
+ if: ${{ matrix.test-category == 'vectors' }}
+ run: |
+ npm run verdaccio-${{ matrix.test-type }}-decrypt
+ npm run verdaccio-${{ matrix.test-type }}-encrypt
+
+ - name: Run compliance tests
+ # Don't run linting or check Duvet requirements for published packages
+ if: ${{ matrix.test-category == 'compliance' && !inputs.test-published-packages }}
+ run: |
+ npm run lint
+ npm run test_conditions
diff --git a/package.json b/package.json
index 71169e92..d90e57b0 100644
--- a/package.json
+++ b/package.json
@@ -26,7 +26,7 @@
 "build-browser": "tsc -b tsconfig.module.json",
 "build": "run-s build-*",
 "karma": "NODE_OPTIONS=--max-old-space-size=4096 karma start karma.conf.js",
- "mocha": "mocha --exclude 'modules/*-+(browser|backend)/build/main/test/*.js' modules/**/build/main/test/*test.js",
+ "mocha": "mocha --timeout 5000 --exclude 'modules/*-+(browser|backend)/build/main/test/*.js' modules/**/build/main/test/*test.js",
 "coverage-browser": "npm run karma && nyc report -t .karma_output --check-coverage",
 "coverage-node": "nyc --instrument --all --check-coverage -n 'modules/**/build/main/src/*.js' -x 'modules/**/build/main/test/*.js' -x 'modules/*-+(browser|backend)/**/*.js' npm run mocha",
 "coverage-merge": "nyc merge .karma_output .nyc_output/browser.json",
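Review bot: The `Run compliance tests` step never reads `matrix.test-type`, so the `compliance` category runs the identical `npm run lint` / `npm run test_conditions` pair twice per Node version (once under `node`, once under `browser`); adding `exclude:` under `matrix:` with `- test-category: compliance` and `test-type: browser` drops the duplicate jobs. The `Configure AWS Credentials for Tests` step runs for every matrix cell, including the lint-only compliance jobs, so each of the 24 jobs mints an OIDC token and assumes `GitHub-CI-MPL-Dafny-Role-us-west-2`; if only the coverage and vector tests talk to AWS, gating that step with `if: ${{ matrix.test-category != 'compliance' }}` keeps the role assumption to the jobs that need it. When `test-published-packages` is true the build step is skipped but `coverage-*` still runs, and the `mocha` script in package.json globs `modules/**/build/main/test/*test.js`; unless `npm ci` triggers a build, those files will not exist, so that combination looks untested and deserves either a comment or an `if` on the coverage step. Minor: the job `name:` has no separator between test-type and node-version (`test-coverage-node18.x`); `-${{ matrix.node-version }}` reads better in the checks list.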