name: Python Instrumentation PR Build

# Trigger: pull requests into main or a release branch. The label events are
# listed alongside the usual PR events, presumably so the label-driven
# CHANGELOG gate in static-code-checks re-runs when labels change.
on:
  pull_request:
    types: [opened, reopened, synchronize, labeled, unlabeled]
    branches:
      - main
      - "release/v*"

# Token scope inherited by every job in this workflow.
# NOTE(review): id-token: write is granted workflow-wide, yet no step visible
# in this file mints an OIDC token (artifacts_build is invoked with
# push_image: false). If a composite action needs it, scope the permission to
# that job only; if nothing needs it, drop it (least privilege).
permissions:
  id-token: write
  contents: read

# PR metadata exported to the shell environment of every step. Read these as
# $USER / $LABELS from the shell; expanding them with ${{ env.* }} inside a
# `run` script would splice PR-supplied text into the generated script.
# NOTE(review): USER shadows the runner's own $USER in every job; confirm no
# build script relies on the OS username, or rename this (e.g. PR_AUTHOR).
env:
  USER: ${{ github.event.pull_request.user.login }}
  LABELS: ${{ toJSON(github.event.pull_request.labels.*.name) }}

jobs:
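static-code-checks:
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #5.0.0
      with:
        # Full history so origin/<base branch> exists for the diffs below.
        fetch-depth: 0
    # This action wrapper by raven-actions provides cross-platform support and caching
    # Catches the same issues as GitHub's web editor: syntax errors, type mismatches,
    # undefined inputs/secrets, circular dependencies, and more
    # Note: actionlint cannot validate composite actions - see https://github.com/rhysd/actionlint/issues/350
    - name: Validate GitHub Actions workflows
      if: always()
      uses: raven-actions/actionlint@e01d1ea33dd6a5ed517d95b4c0c357560ac6f518 # v2.1.1
      with:
        files: .github/workflows/*.yml
        # Temporarily ignore specific shellcheck codes while we systematically fix them
        # SC2027: The surrounding quotes actually unquote this
        # SC2086: Double quote to prevent globbing and word splitting
        # SC2129: Consider using { cmd1; cmd2; } >> file instead of individual redirects
        # SC2162: read without -r will mangle backslashes
        # SC2206: Quote to prevent word splitting/globbing, or split robustly with mapfile or read -a
        flags: |
          -ignore SC2027
          -ignore SC2086
          -ignore SC2129
          -ignore SC2162
          -ignore SC2206
    - name: Check CHANGELOG
      if: always()
      # PR metadata is handed to the script through env and read as shell
      # variables. The previous `${{ env.USER }}` / `${{ env.LABELS }}` form
      # expanded PR-supplied text directly into the script body, which is the
      # injection pattern the "github.event" check below exists to prevent
      # (that check cannot see this indirection).
      env:
        PR_AUTHOR: ${{ github.event.pull_request.user.login }}
        PR_LABELS: ${{ toJSON(github.event.pull_request.labels.*.name) }}
      run: |
        # Bot-authored PRs are exempt from the CHANGELOG requirement.
        if [[ "$PR_AUTHOR" == "aws-application-signals-bot" ]]; then
          echo "Skipping check: PR from aws-application-signals-bot"
          exit 0
        fi
        if [[ "$PR_AUTHOR" == "dependabot[bot]" ]]; then
          echo "Skipping check: PR from dependabot"
          exit 0
        fi
        # Opt-out label. Matched case-insensitively so the "Skip Changelog"
        # label named in the failure message below is actually honored.
        if printf '%s' "$PR_LABELS" | jq -r '.[]' | grep -qi "skip changelog"; then
          echo "Skipping check: skip changelog label found"
          exit 0
        fi
        # GITHUB_BASE_REF is a runner-provided variable (not template expansion);
        # the branches filter above restricts it to main or release/v*.
        git fetch origin "$GITHUB_BASE_REF"
        if git diff --name-only "origin/$GITHUB_BASE_REF..HEAD" | grep -q "CHANGELOG.md"; then
          echo "CHANGELOG.md entry found - check passed"
          exit 0
        fi
        echo "It looks like you didn't add an entry to CHANGELOG.md. If this change affects the SDK behavior, please update CHANGELOG.md and link this PR in your entry. If this PR does not need a CHANGELOG entry, you can add the 'Skip Changelog' label to this PR."
        exit 1
    - name: Check for versioned GitHub actions
      if: always()
      run: |
        # Workflow/action files touched by this PR. `|| true` keeps a no-match
        # grep from aborting the script under bash -e.
        CHANGED_FILES=$(git diff --name-only "origin/$GITHUB_BASE_REF..HEAD" | grep -E "^\.github/(workflows|actions)/.*\.ya?ml$" || true)
        if [ -n "$CHANGED_FILES" ]; then
          # Flag tag-pinned actions, excluding comments and this validation script.
          # $CHANGED_FILES is intentionally unquoted: one path per word.
          # NOTE(review): only `@v...` refs are detected; a ref such as `@main`
          # or a bare `@1.2.3` tag passes this gate unpinned.
          VIOLATIONS=$(grep -Hn "uses:.*@v" $CHANGED_FILES | grep -v "grep.*uses:.*@v" | grep -v "#.*@v" || true)
          if [ -n "$VIOLATIONS" ]; then
            echo "Found versioned GitHub actions. Use commit SHAs instead:"
            echo "$VIOLATIONS"
            exit 1
          fi
        fi
        echo "No versioned actions found in changed files"
    - name: Check for github.event in run steps
      if: always()
      run: |
        # Workflow/action files touched by this PR.
        CHANGED_FILES=$(git diff --name-only "origin/$GITHUB_BASE_REF..HEAD" | grep -E "^\.github/(workflows|actions)/.*\.ya?ml$" || true)
        if [ -n "$CHANGED_FILES" ]; then
          VIOLATIONS=""
          for file in $CHANGED_FILES; do
            # Extract all 'run' step values excluding this validation step
            # (its own body mentions the forbidden pattern).
            RUN_STEPS=$(yq eval '.. | select(has("run") and has("name") and .name != "Check for github.event in run steps") | .run' "$file" 2>/dev/null || echo "")
            # Only literal github.event.* references inside `run` are caught;
            # the same data reaching a script via ${{ env.* }} or another
            # context is not. Pass PR data through a step-level env: and read
            # it as a shell variable, as the CHANGELOG step does.
            if echo "$RUN_STEPS" | grep -q "github\.event\."; then
              VIOLATIONS="$VIOLATIONS$file: Contains github.event.* in run step\n"
            fi
          done
          if [ -n "$VIOLATIONS" ]; then
            echo -e "Found github.event.* usage in run steps. This can lead to script injection vulnerabilities:"
            echo -e "$VIOLATIONS"
            exit 1
          fi
        fi
        echo "No github.event usage found in run steps"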
build:
  runs-on: ubuntu-latest
  strategy:
    # Run every Python version to completion even if one of them fails.
    fail-fast: false
    matrix:
      python-version:
        - "3.9"
        - "3.10"
        - "3.11"
        - "3.12"
        - "3.13"
        - "3.14"
  steps:
    - name: Checkout Repo @ SHA - ${{ github.sha }}
      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #5.0.0
    # Local composite action: builds the wheel and a container image for this
    # Python version. The image is loaded locally and never pushed from a PR.
    - name: Build Wheel and Image Files
      uses: ./.github/actions/artifacts_build
      with:
        image_uri_with_tag: pr-build/${{ matrix.python-version }}
        push_image: false
        load_image: true
        python_version: ${{ matrix.python-version }}
        package_name: aws-opentelemetry-distro
        os: ubuntu-latest
        trivyignore-file: .github/trivy/pr-build.trivyignore.yaml
        platforms: linux/amd64
    # NOTE(review): pytest is installed unpinned here; consider pinning it to
    # match the rest of the workflow's pinning discipline.
    - name: Set up and run contract tests with pytest
      run: |
        bash scripts/set-up-contract-tests.sh
        pip install pytest
        pytest contract-tests/tests
build-lambda:
  runs-on: ubuntu-latest
  steps:
    - name: Checkout Repo @ SHA - ${{ github.sha }}
      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #5.0.0
    - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c #v6.0.0
      with:
        # Latest available Python 3; the layer build is not version-pinned here.
        python-version: "3.x"
    # Package the sample function, then build the layers and run their tox suite.
    - name: Build sample lambda function
      working-directory: lambda-layer/sample-apps
      run: ./package-lambda-function.sh
    - name: Build layers
      working-directory: lambda-layer/src
      run: |
        ./build-lambda-layer.sh
        pip install tox
        tox
lint:
  runs-on: ubuntu-latest
  strategy:
    # Run both tox environments to completion even if one of them fails.
    fail-fast: false
    matrix:
      tox-environment:
        - spellcheck
        - lint
  steps:
    - name: Checkout Repo @ SHA - ${{ github.sha }}
      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #5.0.0
    # Native dependency only the lint environment needs.
    - name: Install libsnappy-dev
      if: ${{ matrix.tox-environment == 'lint' }}
      run: sudo apt-get update && sudo apt-get install -y libsnappy-dev
    - name: Set up
      uses: ./.github/actions/set_up
      with:
        # Quoted so the version is never reinterpreted as a float.
        python_version: "3.11"
        package_name: aws-opentelemetry-distro
        os: ubuntu-latest
        run_unit_tests: false
    # matrix values are workflow-defined, so expanding one into `run` is safe.
    - name: Run ${{ matrix.tox-environment }} with tox
      run: tox -e ${{ matrix.tox-environment }}
spotless:
  runs-on: ubuntu-latest
  steps:
    - name: Checkout Repo @ SHA - ${{ github.sha }}
      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #5.0.0
    # Verifies the checked-in gradle-wrapper.jar against known-good checksums
    # before anything executes it.
    - name: Gradle validation
      uses: gradle/actions/wrapper-validation@ed408507eac070d1f99cc633dbcf757c94c7933a #4.4.3
    - name: Set up Java
      uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 #v5.0.0
      with:
        java-version: 17
        distribution: temurin
    - name: Setup Gradle
      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a #4.4.3
    # Formatting check only; the directory is selected with working-directory
    # (same as build-lambda) instead of a `cd` inside the script.
    - name: Build with Gradle
      working-directory: performance-tests
      run: ./gradlew spotlessCheck
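all-pr-checks-pass:
  runs-on: ubuntu-latest
  needs: [static-code-checks, lint, spotless, build, build-lambda]
  # Always run so the gate reports a result even when a needed job failed.
  if: always()
  steps:
    - name: Checkout to get workflow file
      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #5.0.0
    - name: Check all jobs succeeded and none missing
      # The needs context is passed through env rather than expanded with
      # ${{ }} inside the script, matching the no-template-in-run rule this
      # workflow enforces on itself in static-code-checks.
      env:
        NEEDS_JSON: ${{ toJSON(needs) }}
      run: |
        # Any result other than "success" (failure, cancelled, skipped) fails
        # the gate; the offending results are printed by grep.
        if printf '%s' "$NEEDS_JSON" | jq -r '.[] | .result' | grep -v success; then
          echo "Some jobs failed"
          exit 1
        fi
        # Every job declared in this workflow file, except this gate job.
        all_jobs=$(yq eval '.jobs | keys | .[]' .github/workflows/pr-build.yml | grep -v "all-pr-checks-pass" | sort)
        # Every job this gate actually waits on.
        needs_list=$(printf '%s' "$NEEDS_JSON" | jq -r 'keys[]' | sort)
        # Jobs present in the file but absent from needs (both inputs sorted for comm).
        missing_jobs=$(comm -23 <(echo "$all_jobs") <(echo "$needs_list"))
        if [ -n "$missing_jobs" ]; then
          echo "ERROR: Jobs missing from needs array in all-pr-checks-pass:"
          echo "$missing_jobs"
          echo "Please add these jobs to the needs array of all-pr-checks-pass"
          exit 1
        fi
        echo "All checks passed and no jobs missing from gate!"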