diff --git a/.github/actions/codebuild-docker-run/action.yml b/.github/actions/codebuild-docker-run/action.yml
index 8cd1e547c8c..fa1b4ec8646 100644
--- a/.github/actions/codebuild-docker-run/action.yml
+++ b/.github/actions/codebuild-docker-run/action.yml
@@ -24,11 +24,11 @@ inputs:
 ipv6:
 description: 'Enables IPv6 networking in the container. Implies --privileged'
 required: false
- default: false
+ default: ''
 withCredentials:
 description: 'Whether to passthru the CodeBuild credentials'
 required: false
- default: false
+ default: ''
 user:
 description: 'Run the docker container as a non-root user'
 required: false
diff --git a/.github/actions/codebuild-docker-run/codebuild-docker-run.sh b/.github/actions/codebuild-docker-run/codebuild-docker-run.sh
index 398a593e48c..b481718c866 100755
--- a/.github/actions/codebuild-docker-run/codebuild-docker-run.sh
+++ b/.github/actions/codebuild-docker-run/codebuild-docker-run.sh
@@ -50,10 +50,10 @@ fi
 PASSTHRU_ENV_VARS=("GOPROXY" "AWS_DEFAULT_REGION" "AWS_REGION")
-if [[ "${INPUT_WITH_CREDENTIALS}" == true ]] &&
+if [[ "${INPUT_WITH_CREDENTIALS}" == "true" ]] &&
 [[ ! "${ENV_FLAGS}" =~ ECS_CONTAINER_METADATA_URI_V4 ]] &&
 [[ ! "${ENV_FLAGS}" =~ AWS_CONTAINER_CREDENTIALS_RELATIVE_URI ]]; then
- PASSTHRU_ENV_VARS+=(ECS_CONTAINER_METADATA_URI_V4 AWS_CONTAINER_CREDENTIALS_RELATIVE_URI)
+ PASSTHRU_ENV_VARS+=(ECS_CONTAINER_METADATA_URI_V4 AWS_CONTAINER_CREDENTIALS_RELATIVE_URI AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN)
 fi
 for ev in "${PASSTHRU_ENV_VARS[@]}"; do
diff --git a/.github/actions/configure-aws-credentials/action.yml b/.github/actions/configure-aws-credentials/action.yml
index cca5f4fae04..3ae4e56cae3 100644
--- a/.github/actions/configure-aws-credentials/action.yml
+++ b/.github/actions/configure-aws-credentials/action.yml
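Review bot: With `default: ''` the `withCredentials` and `ipv6` inputs become free-form strings, and the consuming script (second file in this commit) only matches the literal `"true"`, so values such as `True` or `yes` are silently treated as off; the `description` should say so, e.g. `description: 'Pass the CodeBuild credentials through to the container; set to the literal string true to enable'`. Whether `ipv6` is compared the same way cannot be confirmed from this diff, since its handling in the script is not shown.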
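Review bot: The quoting change `== "true"` on the `if` line is a no-op inside `[[ ]]` (an unquoted `true` with no glob characters matches the same literal), so the hunk's only behavioural change is that `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` are now forwarded into the container, and nothing in the script says so. A comment above the `if`, `# withCredentials=true forwards the assumed-role credentials (including the session token) into the container; anything the container runs can read them`, makes that trust boundary explicit for anyone wiring this action into a pull_request_target workflow. The forwarding is also skipped whenever `ENV_FLAGS` already names either container-metadata variable, so the static keys are never passed alongside a caller-supplied metadata URI; if that is intended, state it in the same comment. The `for` loop over `PASSTHRU_ENV_VARS` continues outside the hunk.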
@@ -20,8 +20,10 @@ runs:
 uses: aws-actions/configure-aws-credentials@v5
 with:
 role-to-assume: arn:aws:iam::${{ steps.env.outputs.aws_account_id }}:role/AwsLcGitHubActionsOidcRole
+ role-session-name: ${{ github.run_id }}-${{ github.run_attempt }}
 - name: Retrieve GitHub Actions Role Credentials
 uses: aws-actions/configure-aws-credentials@v5
 with:
 role-to-assume: arn:aws:iam::${{ steps.env.outputs.aws_account_id }}:role/${{ inputs.roleName }}
+ role-session-name: ${{ github.run_id }}-${{ github.run_attempt }}
 role-chaining: true
diff --git a/.github/workflows/android-omnibus.yml b/.github/workflows/android-omnibus.yml
new file mode 100644
index 00000000000..4faf7e4ca15
--- /dev/null
+++ b/.github/workflows/android-omnibus.yml
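Review bot: Both added `role-session-name` values are built only from `github.run_id` and `github.run_attempt`, which is the right choice because it is what makes the assumed-role ARN in CloudTrail traceable to one workflow run, but nothing records that intent; a comment above the first, `# run_id-run_attempt makes the assumed-role session in CloudTrail traceable to this exact run`, would. The second step assumes its role with `role-chaining: true`, and AWS caps role-chained sessions at one hour regardless of the role's configured maximum session duration; a caller whose job outlives that window will see expired credentials, which is worth stating in the `roleName` input description (outside this hunk).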
@@ -0,0 +1,60 @@
+name: android-omnibus
+on:
+ push:
+ branches: ["*"]
+ pull_request_target:
+ branches: ["*"]
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref_name }}
+ cancel-in-progress: true
+env:
+ GOPROXY: https://proxy.golang.org,direct
+permissions:
+ id-token: write
+ contents: read
+
+jobs:
+ device-farm:
+ name: android-${{ matrix.fips && 'fips-' || '' }}${{ matrix.release && 'release' || 'debug' }}-${{ matrix.shared && 'shared' || 'static' }}
+ runs-on:
+ - codebuild-aws-lc-ci-github-actions-${{ github.run_id }}-${{ github.run_attempt }}
+ image:linux-5.0
+ instance-size:medium
+ strategy:
+ matrix:
+ fips: [false, true]
+ release: [false, true]
+ shared: [false, true]
+ exclude:
+ - fips: true
+ release: false
+ steps:
+ - uses: actions/checkout@v5
+ with:
+ ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.ref || github.ref }}
+ - name: Query Environment
+ id: env
+ run: |
+ echo staging_url=${ECR_STAGING_REPO} >> "$GITHUB_OUTPUT"
+ - name: Retrieve Credentials
+ uses: ./.github/actions/configure-aws-credentials
+ with:
+ roleName: AwsLcGitHubActionDeviceFarmRole
+ - name: Login to Amazon ECR
+ id: login-ecr
+ uses: aws-actions/amazon-ecr-login@v2
+ - uses: ./.github/actions/codebuild-docker-run
+ name: Run Container
+ with:
+ image: ${{ steps.login-ecr.outputs.registry }}/aws-lc/android:latest
+ withCredentials: true
+ run: |
+ chmod +x ./tests/ci/android/AWSLCAndroidTestRunner/gradlew
+ cd ./tests/ci
+ python3 -m venv .env && . .env/bin/activate && pip install -r requirements.txt
+ ./kickoff_devicefarm_job.sh \
+ --test-name "AWS-LC Android GitHub Action ${{ github.run_id }}-${{ github.run_attempt }}" \
+ --fips ${{ matrix.fips }} \
+ --release ${{ matrix.release }} \
+ --shared ${{ matrix.shared }} \
+ --action start-job
diff --git a/.github/workflows/image-build-android.yml b/.github/workflows/image-build-android.yml
index 3ab9a07c498..937c1c44a61 100644
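Review bot: The checkout `ref:` uses `github.event.pull_request.head.ref`, a branch name, rather than the commit that triggered the run; on `pull_request_target` the branch can move between trigger and checkout, and for a pull request from a fork actions/checkout resolves that name against the base repository unless `repository:` is also set, so `ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}` pins what actually runs (the same expression appears in the image-build-android.yml checkout hunk). Because the PR's own `tests/ci` scripts and `requirements.txt` then execute inside a container started with `withCredentials: true`, the AwsLcGitHubActionDeviceFarmRole credentials are readable by unreviewed code; the role's inline policies bound the blast radius, but a gate such as a required label or a protected environment on the `device-farm` job would limit that exposure to approved PRs. Separately, `group: ${{ github.workflow }}-${{ github.ref_name }}` resolves to the base branch on `pull_request_target`, so with `cancel-in-progress: true` each new PR event against the same base cancels other PRs' in-flight runs; `group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref_name }}` keeps one group per PR.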
--- a/.github/workflows/image-build-android.yml
+++ b/.github/workflows/image-build-android.yml
@@ -23,6 +23,7 @@ concurrency:
 env:
 GOPROXY: https://proxy.golang.org,direct
 DOCKER_BUILD_RECORD_UPLOAD: false
+# Critical: Caution must be used when expanding permissions beyond these as we checkout untrusted pull request code
 permissions:
 id-token: write
 contents: read
@@ -37,6 +38,8 @@ jobs:
 android: ${{ steps.images.outputs.latest }}
 steps:
 - uses: actions/checkout@v5
+ with:
+ ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.ref || github.ref }}
 - name: Query Environment
 id: env
 run: |
@@ -70,7 +73,7 @@ jobs:
 ./.github/docker_images/scripts/verify-go-version.sh 1.25
 push:
- if: ${{ github.event_name != 'pull_request' }}
+ if: ${{ github.event_name != 'pull_request_target' }}
 runs-on: codebuild-aws-lc-ci-github-actions-${{ github.run_id }}-${{ github.run_attempt }}
 image:linux-5.0
diff --git a/tests/ci/cdk/cdk/aws_lc_github_oidc_stack.py b/tests/ci/cdk/cdk/aws_lc_github_oidc_stack.py
index d1504038b51..fda6e6fffa4 100644
--- a/tests/ci/cdk/cdk/aws_lc_github_oidc_stack.py
+++ b/tests/ci/cdk/cdk/aws_lc_github_oidc_stack.py
@@ -61,7 +61,7 @@ def __init__(
 self.minimal_oidc_role)
 self.device_farm_role = create_device_farm_role(
- self, "AwsLcGitHubActionDeviceFarmRole", env, self.minimal_oidc_role)
+ self, "AwsLcGitHubActionDeviceFarmRole", env, self.minimal_oidc_role, ecr_repos)
 self.device_farm_role.grant_assume_role(self.minimal_oidc_role)
 self.docker_image_build_role = create_docker_image_build_role(
@@ -72,7 +72,8 @@ def __init__(
 def create_device_farm_role(scope: Construct, id: str,
 env: typing.Union[Environment, typing.Dict[str, typing.Any]],
- principal: iam.IPrincipal) -> iam.Role:
+ principal: iam.IPrincipal,
+ repos: typing.List[ecr.IRepository]) -> iam.Role:
 device_farm_policy = iam.PolicyDocument.from_json(
 device_farm_access_policy_in_json(env)
 )
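Review bot: `create_device_farm_role` gains a `repos` parameter in the second Python hunk, but nothing says what the role is allowed to do with those repositories, and the call site passes `ecr_repos`, whose construction is outside this diff; a docstring line in the function (its body continues outside the hunk), `repos: ECR repositories the role may pull images from (read-only)`, would tell the next caller what to supply. The annotation `typing.List[ecr.IRepository]` also depends on an `ecr` import that is not visible here; confirm it is present in the module header.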
@@ -81,6 +82,44 @@ def create_device_farm_role(scope: Construct, id: str,
 assumed_by=iam.SessionTagsPrincipal(principal),
 inline_policies={
 "device_farm_policy": device_farm_policy,
+ "metrics_policy": iam.PolicyDocument(
+ statements=[
+ iam.PolicyStatement(
+ effect=iam.Effect.ALLOW,
+ actions=[
+ "cloudwatch:PutMetricData"
+ ],
+ resources=["*"],
+ conditions={
+ "StringEquals": {
+ "aws:RequestedRegion": [env.region],
+ "cloudwatch:namespace": [AWS_LC_METRIC_NS],
+ }
+ }
+ ),
+ ]
+ ),
+ "ecr": iam.PolicyDocument(
+ statements=[
+ iam.PolicyStatement(
+ effect=iam.Effect.ALLOW,
+ actions=[
+ "ecr:GetAuthorizationToken",
+ ],
+ resources=["*"],
+ ),
+ iam.PolicyStatement(
+ effect=iam.Effect.ALLOW,
+ actions=[
+ "ecr:BatchGetImage",
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:GetDownloadUrlForLayer",
+ ],
+ resources=[
+ x.repository_arn for x in repos],
+ ),
+ ],
+ ),
 })
 return device_farm_role
diff --git a/tests/ci/cdk/cdk/codebuild/github_ci_android_omnibus.yaml b/tests/ci/cdk/cdk/codebuild/github_ci_android_omnibus.yaml
index 6ad739371fc..198e9a25ffd 100644
--- a/tests/ci/cdk/cdk/codebuild/github_ci_android_omnibus.yaml
+++ b/tests/ci/cdk/cdk/codebuild/github_ci_android_omnibus.yaml
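Review bot: The new `metrics_policy` condition reads `env.region` with attribute access, but the function's `env` parameter is annotated `typing.Union[Environment, typing.Dict[str, typing.Any]]`, so a caller passing the dict form would raise AttributeError at synth; either resolve the region the way `device_farm_access_policy_in_json(env)` presumably does, or narrow the annotation to `Environment`. The second ECR statement builds `resources` from `repos`, and an empty list yields a statement with no resource, which CDK's statement validation rejects at synth as far as I can tell; a guard before the policy, `if not repos: raise ValueError("device farm role needs at least one ECR repository")`, makes that failure explicit. `resources=["*"]` on `ecr:GetAuthorizationToken` is correct because that action has no resource-level permissions, and that deserves a comment on the line, `# GetAuthorizationToken does not support resource-level permissions`; the same wildcard on `cloudwatch:PutMetricData` is acceptable only because the `cloudwatch:namespace` and `aws:RequestedRegion` conditions scope it, which a second comment should say. The `iam.Role(` call this hunk sits inside starts outside the hunk.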
@@ -6,46 +6,10 @@ version: 0.2
 # Doc for batch https://docs.aws.amazon.com/codebuild/latest/userguide/batch-build-buildspec.html#build-spec.batch.build-list
 batch:
 build-list:
- - identifier: ubuntu2404_android_nonfips_static_debug
- buildspec: ./tests/ci/codebuild/android/run_android_static_debug.yml
+ - identifier: migrated
+ buildspec: ./tests/ci/codebuild/common/no_op.yml
 env:
 type: LINUX_CONTAINER
- privileged-mode: true
- compute-type: BUILD_GENERAL1_MEDIUM
- # TODO(CryptoAlg-1276): replace |620771051181| and |us-west-2| with corresponding env variables.
- image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:ubuntu-24.04_android_latest
- - identifier: ubuntu2404_android_nonfips_static_release
- buildspec: ./tests/ci/codebuild/android/run_android_static_release.yml
- env:
- type: LINUX_CONTAINER
- privileged-mode: true
- compute-type: BUILD_GENERAL1_MEDIUM
- image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:ubuntu-24.04_android_latest
- - identifier: ubuntu2404_android_nonfips_shared_debug
- buildspec: ./tests/ci/codebuild/android/run_android_shared_debug.yml
- env:
- type: LINUX_CONTAINER
- privileged-mode: true
- compute-type: BUILD_GENERAL1_MEDIUM
- image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:ubuntu-24.04_android_latest
- - identifier: ubuntu2404_android_nonfips_shared_release
- buildspec: ./tests/ci/codebuild/android/run_android_shared_release.yml
- env:
- type: LINUX_CONTAINER
- privileged-mode: true
- compute-type: BUILD_GENERAL1_MEDIUM
- image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:ubuntu-24.04_android_latest
- - identifier: ubuntu2404_android_fips_shared_release
- buildspec: ./tests/ci/codebuild/android/run_android_fips_shared.yml
- env:
- type: LINUX_CONTAINER
- privileged-mode: true
- compute-type: BUILD_GENERAL1_MEDIUM
- image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:ubuntu-24.04_android_latest
- - identifier: ubuntu2404_android_fips_static_release
- buildspec: ./tests/ci/codebuild/android/run_android_fips_static.yml
- env:
- type: LINUX_CONTAINER
- privileged-mode: true
- compute-type: BUILD_GENERAL1_LARGE
- image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:ubuntu-24.04_android_latest
+ privileged-mode: false
+ compute-type: BUILD_GENERAL1_SMALL
+ image: aws/codebuild/standard:7.0
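Review bot: The retained `migrated` build-list entry gives no hint why a no-op buildspec is kept instead of removing the batch, so the next reader will have to reconstruct that from history; a comment above `- identifier: migrated`, such as `# Placeholder: the Android jobs now run from .github/workflows/android-omnibus.yml; kept so the batch project still has a valid build-list entry` (adjusted to the real reason if it differs), records it. The accompanying drop to `privileged-mode: false`, `BUILD_GENERAL1_SMALL` and the stock `aws/codebuild/standard:7.0` image is the right minimum for an entry that does nothing.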