aws · josecorella · Jul 10, 2024 · Jul 9, 2024 · Jul 9, 2024 · Jul 9, 2024
@@ -0,0 +1,68 @@
+# This workflow checks if specfic files were modified,
+# if they were they require more than one approval from CODEOWNERS
+name: Check Release Files
+
+on:
+  pull_request:
+
+jobs:
+  require-approvals:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    env:
+      # unfortunately we can't check if the approver is part of the CODEOWNERS. This is a subset of aws/aws-crypto-tools-team
+      # to add more allowlisted approvers just modify this env variable
+      maintainers: seebees, texastony, ShubhamChaturvedi7, lucasmcdonald3, josecorella, imabhichow, rishav-karanjit, antonf-amzn, justplaz, ajewellamz
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Get Files changed
+        id: file-changes
+        shell: bash
+        run:
+          #  *release.yml files are responsible for releasing builds
+          # we require multiple approvers if any of those files change
+          # when adding any release file, it must be appended with *release
+          # we also want to check if there are changes to this file
+          echo "FILES=$(git diff --name-only origin/main origin/${GITHUB_HEAD_REF} .github/workflows/*release.yml .github/workflows/check-files.yml | tr '\n' ' ')" >> "$GITHUB_OUTPUT"
+
+      - name: Check if FILES is not empty
+        id: comment
+        env:
+          PR_NUMBER: ${{ github.event.number }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          FILES: ${{ steps.file-changes.outputs.FILES }}
+        if: ${{env.FILES != ''}}
+        run: |
+          COMMENT="Detected changes to the release files or to the check-files action"
+          COMMENT_URL="https://api.github.com/repos/${{ github.repository }}/issues/${PR_NUMBER}/comments"
+          curl -s -H "Authorization: token ${GITHUB_TOKEN}" -X POST $COMMENT_URL -d "{\"body\":\"$COMMENT\"}"
+
+      - name: Check Approvers
+        id: approvers
+        if: steps.comment.outcome == 'success'
+        # if this step fails we want to continue to post a message on the PR.
+        continue-on-error: true
+        # we are using this action because it does the heavy lifting for us, it uses the github_token enabled
+        # for github actions, this is ok because tokens are created for every workflow run and they expire at the end
+        # of the job
+        uses: peternied/[email protected]
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          min-required: 2
+          required-approvers-list: ${{env.maintainers}}
+
+      - name: Post Approvers Result
+        if: steps.approvers.outcome == 'failure'
+        env:
+          PR_NUMBER: ${{ github.event.number }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          COMMENT="Changes to the release files or the check-files action requires 2 approvals from CODEOWNERS"
+          COMMENT_URL="https://api.github.com/repos/${{ github.repository }}/issues/${PR_NUMBER}/comments"
+          curl -s -H "Authorization: token ${GITHUB_TOKEN}" -X POST $COMMENT_URL -d "{\"body\":\"$COMMENT\"}"
+          exit 1
@@ -1,10 +1,12 @@
 # This workflow regenerates code using smithy-dafny and checks that the output matches what's checked in.
 name: Library Code Generation
 on:
-  pull_request:
-  push:
-    branches:
-      - main
+  workflow_call:
+    inputs:
+      dafny:
+        description: "The dafny version to run"
+        required: true
+        type: string
 
 jobs:
   code-generation:
@@ -38,7 +40,7 @@ jobs:
       - name: Setup Dafny
         uses: dafny-lang/[email protected]
         with:
-          dafny-version: 4.2.0
+          dafny-version: ${{ inputs.dafny }}
 
       - name: Setup .NET Core SDK ${{ matrix.dotnet-version }}
         uses: actions/setup-dotnet@v4

@@ -2,31 +2,20 @@
 name: Java Examples
 
 on:
-  pull_request:
-  push:
-    branches:
-      - main
-  workflow_dispatch:
-    # Manual trigger for this workflow, either the normal version
-    # or the nightly build that uses the latest Dafny prerelease
-    # (accordingly to the "nightly" parameter).
+  workflow_call:
     inputs:
-      nightly:
-        description: "Run the nightly build"
+      dafny:
+        description: "The Dafny version to run"
+        required: true
+        type: string
+      regenerate-code:
+        description: "Regenerate code using smithy-dafny"
         required: false
+        default: false
         type: boolean
-  schedule:
-    # Nightly build against Dafny's nightly prereleases,
-    # for early warning of verification issues or regressions.
-    # Timing chosen to be adequately after Dafny's own nightly build,
-    # but this might need to be tweaked:
-    # https://github.com/dafny-lang/dafny/blob/master/.github/workflows/deep-tests.yml#L16
-    - cron: "30 16 * * *"
 
 jobs:
   testJava:
-    # Don't run the nightly build on forks
-    if: github.event_name != 'schedule' || github.repository_owner == 'aws'
     strategy:
       max-parallel: 1
       matrix:
@@ -57,11 +46,10 @@ jobs:
       - name: Setup Dafny
         uses: dafny-lang/[email protected]
         with:
-          # A && B || C is the closest thing to an if .. then ... else ... or ?: expression the GitHub Actions syntax supports.
-          dafny-version: ${{ (github.event_name == 'schedule' || inputs.nightly) && 'nightly-latest' || '4.2.0' }}
+          dafny-version: ${{ inputs.dafny }}
 
       - name: Regenerate code using smithy-dafny if necessary
-        if: ${{ github.event_name == 'schedule' || inputs.nightly }}
+        if: ${{ inputs.regenerate-code }}
         uses: ./.github/actions/polymorph_codegen
         with:
           dafny: ${{ env.DAFNY_VERSION }}

@@ -2,10 +2,17 @@
 name: dotnet examples
 
 on:
-  pull_request:
-  push:
-    branches:
-      - main
+  workflow_call:
+    inputs:
+      dafny:
+        description: "The Dafny version to run"
+        required: true
+        type: string
+      regenerate-code:
+        description: "Regenerate code using smithy-dafny"
+        required: false
+        default: false
+        type: boolean
 
 jobs:
   dotNetExamples:
@@ -36,7 +43,16 @@ jobs:
       - name: Setup Dafny
         uses: dafny-lang/[email protected]
         with:
-          dafny-version: ${{ '4.2.0' }}
+          dafny-version: ${{ inputs.dafny }}
+
+      - name: Regenerate code using smithy-dafny if necessary
+        if: ${{ inputs.regenerate-code }}
+        uses: ./.github/actions/polymorph_codegen
+        with:
+          dafny: ${{ env.DAFNY_VERSION }}
+          library: DynamoDbEncryption
+          diff-generated-code: false
+          update-and-regenerate-mpl: true
 
       - name: Download Dependencies
         working-directory: ./${{ matrix.library }}

@@ -2,31 +2,20 @@
 name: Library Java tests
 
 on:
-  pull_request:
-  push:
-    branches:
-      - main
-  workflow_dispatch:
-    # Manual trigger for this workflow, either the normal version
-    # or the nightly build that uses the latest Dafny prerelease
-    # (accordingly to the "nightly" parameter).
+  workflow_call:
     inputs:
-      nightly:
-        description: "Run the nightly build"
+      dafny:
+        description: "The Dafny version to run"
+        required: true
+        type: string
+      regenerate-code:
+        description: "Regenerate code using smithy-dafny"
         required: false
+        default: false
         type: boolean
-  schedule:
-    # Nightly build against Dafny's nightly prereleases,
-    # for early warning of verification issues or regressions.
-    # Timing chosen to be adequately after Dafny's own nightly build,
-    # but this might need to be tweaked:
-    # https://github.com/dafny-lang/dafny/blob/master/.github/workflows/deep-tests.yml#L16
-    - cron: "30 16 * * *"
 
 jobs:
   testJava:
-    # Don't run the nightly build on forks
-    if: github.event_name != 'schedule' || github.repository_owner == 'aws'
     strategy:
       matrix:
         library: [DynamoDbEncryption]
@@ -51,11 +40,10 @@ jobs:
       - name: Setup Dafny
         uses: dafny-lang/[email protected]
         with:
-          # A && B || C is the closest thing to an if .. then ... else ... or ?: expression the GitHub Actions syntax supports.
-          dafny-version: ${{ (github.event_name == 'schedule' || inputs.nightly) && 'nightly-latest' || '4.2.0' }}
+          dafny-version: ${{ inputs.dafny }}
 
       - name: Regenerate code using smithy-dafny if necessary
-        if: ${{ github.event_name == 'schedule' || inputs.nightly }}
+        if: ${{ inputs.regenerate-code }}
         uses: ./.github/actions/polymorph_codegen
         with:
           dafny: ${{ env.DAFNY_VERSION }}

@@ -2,32 +2,20 @@
 name: test dotnet
 
 on:
-  pull_request:
-  push:
-    branches:
-      - main
-  workflow_dispatch:
-    # Manual trigger for this workflow, either the normal version
-    # or the nightly build that uses the latest Dafny prerelease
-    # (accordingly to the "nightly" parameter).
+  workflow_call:
     inputs:
-      nightly:
-        description: "Run the nightly build"
+      dafny:
+        description: "The Dafny version to run"
+        required: true
+        type: string
+      regenerate-code:
+        description: "Regenerate code using smithy-dafny"
         required: false
+        default: false
         type: boolean
-  schedule:
-    # Nightly build against Dafny's nightly prereleases,
-    # for early warning of verification issues or regressions.
-    # Timing chosen to be adequately after Dafny's own nightly build,
-    # but this might need to be tweaked:
-    # https://github.com/dafny-lang/dafny/blob/master/.github/workflows/deep-tests.yml#L16
-    - cron: "30 16 * * *"
 
 jobs:
   testDotNet:
-    # Don't run the nightly build on forks
-    # Disabled until we reintroduce DynamoDbEncryption, since a matrix vector cannot be empty
-    if: (github.event_name != 'schedule' || github.repository_owner == 'aws')
     strategy:
       matrix:
         library: [DynamoDbEncryption]
@@ -56,11 +44,10 @@ jobs:
       - name: Setup Dafny
         uses: dafny-lang/[email protected]
         with:
-          # A && B || C is the closest thing to an if .. then ... else ... or ?: expression the GitHub Actions syntax supports.
-          dafny-version: ${{ (github.event_name == 'schedule' || inputs.nightly) && 'nightly-latest' || '4.2.0' }}
+          dafny-version: ${{ inputs.dafny }}
 
       - name: Regenerate code using smithy-dafny if necessary
-        if: ${{ github.event_name == 'schedule' || inputs.nightly }}
+        if: ${{ inputs.regenerate-code }}
         uses: ./.github/actions/polymorph_codegen
         with:
           dafny: ${{ env.DAFNY_VERSION }}

@@ -2,15 +2,23 @@
 name: Library Java Test Vectors
 
 on:
-  pull_request:
-  push:
-    branches:
-      - main
+  workflow_call:
+    inputs:
+      dafny:
+        description: "The Dafny version to run"
+        required: true
+        type: string
+      regenerate-code:
+        description: "Regenerate code using smithy-dafny"
+        required: false
+        default: false
+        type: boolean
 
 jobs:
   testJava:
     strategy:
       matrix:
+        library: [TestVectors]
         java-version: [8, 11, 16, 17]
         os: [
             # Run on ubuntu image that comes pre-configured with docker
@@ -41,7 +49,16 @@ jobs:
       - name: Setup Dafny
         uses: dafny-lang/[email protected]
         with:
-          dafny-version: "4.2.0"
+          dafny-version: ${{ inputs.dafny }}
+
+      - name: Regenerate code using smithy-dafny if necessary
+        if: ${{ inputs.regenerate-code }}
+        uses: ./.github/actions/polymorph_codegen
+        with:
+          dafny: ${{ env.DAFNY_VERSION }}
+          library: ${{ matrix.library }}
+          diff-generated-code: false
+          update-and-regenerate-mpl: true
 
       - name: Setup Java ${{ matrix.java-version }}
         uses: actions/setup-java@v4
@@ -51,13 +68,13 @@ jobs:
 
       - name: Build TestVectors implementation
         shell: bash
-        working-directory: ./TestVectors
+        working-directory: ${{matrix.library}}
         run: |
           # This works because `node` is installed by default on GHA runners
           CORES=$(node -e 'console.log(os.cpus().length)')
           make build_java CORES=$CORES
 
       - name: Test TestVectors
-        working-directory: ./TestVectors
+        working-directory: ${{matrix.library}}
         run: |
           make test_java