Merge branch 'main' into add-RUSTFLAG-aws_sdk_unstable

smithy-lang · May 2, 2024 · 992b1b2 · 992b1b2
2 parents 13ad9cc + 6aec38f
commit 992b1b2
Show file tree

Hide file tree

Showing 251 changed files with 17,556 additions and 10,632 deletions.
diff --git a/.github/workflows/backport-pull-request.yml b/.github/workflows/backport-pull-request.yml
@@ -0,0 +1,55 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+name: Open a backport PR to merge the release branch into main
+
+on:
+  # automatically called by release.yml
+  workflow_dispatch:
+  # can also be manually triggered when a patch fix is merged into the release branch and needs to be back-ported
+  workflow_call:
+    secrets:
+      RELEASE_AUTOMATION_BOT_PAT:
+        required: true
+
+env:
+  release_branch: smithy-rs-release-1.x.y
+
+jobs:
+  create-backport-pull-request:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+      with:
+        token: ${{ secrets.RELEASE_AUTOMATION_BOT_PAT }}
+
+    - name: Prepare backport branch
+      id: backport-branch
+      run: |
+        # This step assumes the merge runs cleanly without conflicts, which should be the case when
+        # this workflow is called by the release workflow right after a release tag has been created.
+        git config --local user.name "AWS SDK Rust Bot"
+        git config --local user.email "aws-sdk-rust-primary@amazon.com"
+
+        git fetch
+        git checkout origin/main
+        backport_branch="merge-${{ env.release_branch }}-to-main-$(date +%s)"
+        git checkout -b "${backport_branch}"
+
+        git merge "origin/${{ env.release_branch }}" -m 'Merge remote-tracking branch "origin/${{ env.release_branch }}" into "merge-${{ env.release_branch }}-to-main"'
+        git push origin HEAD
+
+        echo "branch_name=${backport_branch}" > $GITHUB_OUTPUT
+
+    - name: Create pull request
+      env:
+        GITHUB_TOKEN: ${{ secrets.RELEASE_AUTOMATION_BOT_PAT }}
+      run: |
+        gh pr create \
+          --title "Merge ${{ env.release_branch }} into main" \
+          --body "Merge it with \`gh pr merge --admin --merge\` or manually merge it with the merge commit (not squash merge)." \
+          --base main \
+          --head ${{ steps.backport-branch.outputs.branch_name }} \
+          --label "needs-sdk-review" \
+          --draft
diff --git a/.github/workflows/canary.yml b/.github/workflows/canary.yml
diff --git a/.github/workflows/ci-main.yml b/.github/workflows/ci-main.yml
@@ -23,6 +23,7 @@ jobs:
   acquire-base-image:
     runs-on: smithy_ubuntu-latest_8-core
     name: Acquire Base Image
+    timeout-minutes: 60
     outputs:
       docker-login-password: ${{ steps.set-token.outputs.docker-login-password }}
     permissions:
@@ -68,3 +69,5 @@ jobs:
     secrets:
       ENCRYPTED_DOCKER_PASSWORD: ${{ needs.acquire-base-image.outputs.docker-login-password }}
       DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}
+      CANARY_GITHUB_ACTIONS_ROLE_ARN: ${{ secrets.CANARY_GITHUB_ACTIONS_ROLE_ARN }}
+      CANARY_STACK_CDK_OUTPUTS_BUCKET_NAME: ${{ secrets.CANARY_STACK_CDK_OUTPUTS_BUCKET_NAME }}
diff --git a/.github/workflows/ci-merge-queue.yml b/.github/workflows/ci-merge-queue.yml
@@ -22,6 +22,7 @@ jobs:
   # The login password is encrypted with the repo secret DOCKER_LOGIN_TOKEN_PASSPHRASE
   save-docker-login-token:
     name: Save a docker login token
+    timeout-minutes: 10
     outputs:
       docker-login-password: ${{ steps.set-token.outputs.docker-login-password }}
     permissions:
@@ -51,6 +52,7 @@ jobs:
     name: Acquire Base Image
     needs: save-docker-login-token
     runs-on: ubuntu-latest
+    timeout-minutes: 60
     env:
       ENCRYPTED_DOCKER_PASSWORD: ${{ needs.save-docker-login-token.outputs.docker-login-password }}
       DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}
@@ -91,3 +93,5 @@ jobs:
     secrets:
       ENCRYPTED_DOCKER_PASSWORD: ${{ needs.save-docker-login-token.outputs.docker-login-password }}
       DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}
+      CANARY_GITHUB_ACTIONS_ROLE_ARN: ${{ secrets.CANARY_GITHUB_ACTIONS_ROLE_ARN }}
+      CANARY_STACK_CDK_OUTPUTS_BUCKET_NAME: ${{ secrets.CANARY_STACK_CDK_OUTPUTS_BUCKET_NAME }}
diff --git a/.github/workflows/ci-pr-forks.yml b/.github/workflows/ci-pr-forks.yml
@@ -20,6 +20,7 @@ jobs:
     name: Acquire Base Image
     if: ${{ github.event.pull_request.head.repo.full_name != 'smithy-lang/smithy-rs' }}
     runs-on: ubuntu-latest
+    timeout-minutes: 60
     steps:
     - uses: actions/checkout@v4
       with:
@@ -42,4 +43,5 @@ jobs:
     if: ${{ github.event.pull_request.head.repo.full_name != 'smithy-lang/smithy-rs' }}
     uses: ./.github/workflows/ci.yml
     with:
+      run_canary: false
       run_sdk_examples: true
diff --git a/.github/workflows/ci-pr.yml b/.github/workflows/ci-pr.yml
@@ -21,6 +21,7 @@ jobs:
   # The login password is encrypted with the repo secret DOCKER_LOGIN_TOKEN_PASSPHRASE
   save-docker-login-token:
     name: Save a docker login token
+    timeout-minutes: 10
     if: ${{ github.event.pull_request.head.repo.full_name == 'smithy-lang/smithy-rs' }}
     outputs:
       docker-login-password: ${{ steps.set-token.outputs.docker-login-password }}
@@ -50,6 +51,7 @@ jobs:
   # it uploads the image as a build artifact for other jobs to download and use.
   acquire-base-image:
     name: Acquire Base Image
+    timeout-minutes: 60
     needs: save-docker-login-token
     if: ${{ github.event.pull_request.head.repo.full_name == 'smithy-lang/smithy-rs' }}
     runs-on: smithy_ubuntu-latest_8-core
@@ -93,6 +95,8 @@ jobs:
     secrets:
       ENCRYPTED_DOCKER_PASSWORD: ${{ needs.save-docker-login-token.outputs.docker-login-password }}
       DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}
+      CANARY_GITHUB_ACTIONS_ROLE_ARN: ${{ secrets.CANARY_GITHUB_ACTIONS_ROLE_ARN }}
+      CANARY_STACK_CDK_OUTPUTS_BUCKET_NAME: ${{ secrets.CANARY_STACK_CDK_OUTPUTS_BUCKET_NAME }}
 
   # The PR bot requires a Docker build image, so make it depend on the `acquire-base-image` job.
   pr_bot:
@@ -109,8 +113,9 @@ jobs:
       SMITHY_RS_PULL_REQUEST_CDN_ROLE_ARN: ${{ secrets.SMITHY_RS_PULL_REQUEST_CDN_ROLE_ARN }}
 
   semver-checks:
-    name: check the semver status of this PR
+    name: Check PR semver compliance
     runs-on: smithy_ubuntu-latest_8-core
+    timeout-minutes: 20
     needs:
     - save-docker-login-token
     - acquire-base-image
@@ -148,6 +153,6 @@ jobs:
       with:
         action: check-semver
         action-arguments: ${{ github.event.pull_request.base.sha }} ${{ fromJSON(steps.check-breaking-label.outputs.result).isBreaking }}
-    - name: print help message
+    - name: Print help message
       if: failure()
-      run: echo "::error::This pull request contains breaking changes. Please add the `breaking-changes` label and a changelog entry"
+      run: echo "::error::This pull request either contains breaking changes, or has cross-crate changes that may be backwards compatible, but that cargo-semver-checks cannot verify. Please scrutinize the change for backwards compatibility."
diff --git a/.github/workflows/ci-tls.yml b/.github/workflows/ci-tls.yml
@@ -11,6 +11,7 @@ env:
 
 name: Verify client TLS configuration
 on:
+  workflow_dispatch:
   pull_request:
   push:
     branches: [main]
@@ -19,13 +20,19 @@ jobs:
   verify-tls-config:
     name: Verify TLS configuration
     runs-on: ubuntu-latest
+    timeout-minutes: 20
     steps:
     - name: Install packages
       shell: bash
       run: |
         sudo apt-get update
-        sudo apt-get -y install gcc make python3-pip nginx git ruby openjdk-17-jre pkg-config libssl-dev faketime
+        sudo apt-get -y install gcc make python3-pip nginx git ruby pkg-config libssl-dev faketime
         pip3 install certbuilder crlbuilder
+    - name: Configure JDK
+      uses: actions/setup-java@v4
+      with:
+        distribution: corretto
+        java-version: 17
     - name: Stop nginx
       run: sudo systemctl stop nginx
     - name: Checkout smithy-rs

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -9,6 +9,11 @@ name: Test
 on:
   workflow_call:
     inputs:
+      run_canary:
+        description: Whether to run the canary or not.
+        required: false
+        default: true
+        type: boolean
       run_sdk_examples:
         description: Whether to run the SDK example checks or not.
         required: false
@@ -27,9 +32,13 @@ on:
         required: false
       DOCKER_LOGIN_TOKEN_PASSPHRASE:
         required: false
+      CANARY_GITHUB_ACTIONS_ROLE_ARN:
+        required: false
+      CANARY_STACK_CDK_OUTPUTS_BUCKET_NAME:
+        required: false
 
 env:
-  rust_version: 1.74.1
+  rust_version: 1.75.0
   rust_toolchain_components: clippy,rustfmt
   ENCRYPTED_DOCKER_PASSWORD: ${{ secrets.ENCRYPTED_DOCKER_PASSWORD }}
   DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}
@@ -39,6 +48,7 @@ jobs:
   # and also runs some checks/lints so that those are run sooner rather than later.
   generate:
     name: Generate
+    timeout-minutes: 25
     runs-on: smithy_ubuntu-latest_8-core
     # To avoid repeating setup boilerplate, we have the actual commands
     # in a matrix strategy. These commands get run in the steps after all the setup.
@@ -75,6 +85,7 @@ jobs:
   test-codegen:
     name: Test Codegen
     runs-on: ${{ matrix.test.runner }}
+    timeout-minutes: 30
     # To avoid repeating setup boilerplate, we have the actual test commands
     # in a matrix strategy. These commands get run in the steps after all the setup.
     strategy:
@@ -131,6 +142,7 @@ jobs:
   check-semver-hazards:
     name: Check for semver hazards
     runs-on: smithy_ubuntu-latest_8-core
+    timeout-minutes: 20
     steps:
     - uses: actions/checkout@v4
       with:
@@ -153,6 +165,7 @@ jobs:
     name: Test the SDK
     needs: generate
     runs-on: ${{ matrix.test.runner }}
+    timeout-minutes: 20
     # To avoid repeating setup boilerplate, we have the actual test commands
     # in a matrix strategy. These commands get run in the steps after all the setup.
     strategy:
@@ -226,6 +239,7 @@ jobs:
   test-rust-windows:
     name: Rust Tests on Windows
     runs-on: windows-latest
+    timeout-minutes: 20
     env:
       # Disable incremental compilation to reduce disk space use
       CARGO_INCREMENTAL: 0
@@ -260,6 +274,7 @@ jobs:
   test-exotic-platform-support:
     name: Exotic platform support
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     strategy:
       fail-fast: false
       matrix:
@@ -352,12 +367,57 @@ jobs:
       shell: bash
       run: cross test --target ${{ matrix.target }} --manifest-path "aws/rust-runtime/Cargo.toml" ${{ matrix.test_aws_exclude }} --workspace
 
+  # Run the canary against generated SDKs
+  #
+  # In addition to Matrix Success, this job will also be required to pass for merge.
+  # CI execution from forked repositories will skip this job, and when it does
+  # this skipped job will report its status as "Success".
+  # https://docs.github.com/en/actions/using-jobs/using-conditions-to-control-job-execution#overview
+  canary:
+    name: Canary
+    if: ${{ inputs.run_canary }}
+    needs: generate
+    runs-on: smithy_ubuntu-latest_8-core
+    timeout-minutes: 20
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        path: smithy-rs
+        ref: ${{ inputs.git_ref }}
+    - name: Configure credentials
+      id: creds
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        aws-region: us-west-2
+        role-to-assume: ${{ secrets.CANARY_GITHUB_ACTIONS_ROLE_ARN }}
+        output-credentials: true
+    - name: Run canary
+      uses: ./smithy-rs/.github/actions/docker-build
+      with:
+        action: run-canary
+        action-arguments: ${{ secrets.CANARY_STACK_CDK_OUTPUTS_BUCKET_NAME }} ${{ steps.creds.outputs.aws-access-key-id }} ${{ steps.creds.outputs.aws-secret-access-key }} ${{ steps.creds.outputs.aws-session-token }}
+
+  # This is always a failing job since forked repositories do not have necessary repository secrets
+  # to run the PR bot workflow or the canary workflow
+  ask-maintainer-to-run-pr-bot-and-canary:
+    name: Ask maintainer to run the PR bot and canary workflows
+    if: ${{ !inputs.run_canary }}
+    runs-on: ubuntu-latest
+    steps:
+    - run: |
+        echo "PR bot and canary cannot be invoked from a forked repository. Ask a maintainer to manually invoke them using your PR."
+        exit 1
+
   # This job is split out from the rest since it is not required to pass for merge
   check-sdk-examples:
     name: Check SDK Examples
     if: ${{ inputs.run_sdk_examples }}
     needs: generate
     runs-on: ubuntu-latest
+    timeout-minutes: 20
     steps:
     - uses: actions/checkout@v4
       with:

diff --git a/.github/workflows/claim-crate-names.yml b/.github/workflows/claim-crate-names.yml
@@ -10,7 +10,7 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  rust_version: 1.74.1
+  rust_version: 1.75.0
 
 name: Claim unpublished crate names on crates.io
 run-name: ${{ github.workflow }}

diff --git a/.github/workflows/credentials-verification.yml b/.github/workflows/credentials-verification.yml
@@ -9,6 +9,7 @@ jobs:
   # Verifies the token used by the bot to publish crates to crates.io
   verify-crates-io-token:
     name: Verify Crates.io Token
+    if: github.repository == 'smithy-lang/smithy-rs'
     runs-on: ubuntu-latest
     steps:
     - name: Checkout smithy-rs
@@ -34,6 +35,7 @@ jobs:
   # Verifies the token used to perform actions on the repository on behalf of the bot user
   verify-personal-access-token:
     name: Verify Personal Access Token
+    if: github.repository == 'smithy-lang/smithy-rs'
     runs-on: ubuntu-latest
     steps:
     - name: Checkout smithy-rs

diff --git a/.github/workflows/dry-run-release-scheduled.yml b/.github/workflows/dry-run-release-scheduled.yml
@@ -0,0 +1,26 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# This workflow performs a scheduled dry-run for smithy-rs release.
+# When run, it only produces release artifacts, but will not cut a release tag in GitHub or publish to crates.io.
+
+name: Scheduled smithy-rs dry-run release
+run-name: ${{ github.workflow }}
+on:
+  schedule:
+    # Runs 00:00 UTC every day
+  - cron: 0 0 * * *
+
+jobs:
+  smithy-rs-scheduled-dry-run-release:
+    name: Scheduled dry-run release
+    uses: ./.github/workflows/release.yml
+    with:
+      commit_sha: main
+      dry_run: true
+      skip_ci: true
+    secrets:
+      RELEASE_AUTOMATION_BOT_PAT: ${{ secrets.RELEASE_AUTOMATION_BOT_PAT }}
+      RELEASE_AUTOMATION_BOT_CRATESIO_TOKEN: ${{ secrets.RELEASE_AUTOMATION_BOT_CRATESIO_TOKEN }}
+      CANARY_GITHUB_ACTIONS_ROLE_ARN: ${{ secrets.CANARY_GITHUB_ACTIONS_ROLE_ARN }}
+      CANARY_STACK_CDK_OUTPUTS_BUCKET_NAME: ${{ secrets.CANARY_STACK_CDK_OUTPUTS_BUCKET_NAME }}