e2e-tests.yml
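# E2E test workflow.
#
# Trust boundary: `pull_request_target` runs in the context of the base
# repository, so secrets and the OIDC token are available, while the `e2e` job
# checks out and executes the pull request's head commit (npm lifecycle
# scripts, build, tests). The `authorize` job and the `e2e-testing` environment
# are the only gates in this file between PR-supplied code and those
# credentials.
#
# Values that originate from the event, workflow inputs or the PR tree are
# passed to scripts through `env:` instead of `${{ }}` interpolation, so they
# reach the shell as data rather than as script text.
#
# NOTE(review): actions are referenced by mutable version tags. Consider
# pinning them (third-party ones first) to a full commit SHA.
name: E2E Tests

on:
  workflow_dispatch:
    inputs:
      aws_region:
        description: 'AWS region for deployment'
        default: 'us-east-1'
      cdk_branch:
        description: 'CDK repo branch to build from (default: main)'
        default: 'main'
  pull_request_target:
    branches: [main]

concurrency:
  # One group per PR (or per ref for manual runs); queued runs are not cancelled.
  group: e2e-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: false

permissions:
  id-token: write # OIDC — lets GitHub assume an AWS IAM role via short-lived token (no stored keys)
  contents: read

jobs:
  authorize:
    runs-on: ubuntu-latest
    if: github.event_name == 'workflow_dispatch' || github.event_name == 'pull_request_target'
    # The gate only compares strings; it needs neither repository access nor OIDC.
    permissions: {}
    outputs:
      is_authorized: ${{ steps.check.outputs.is_authorized }}
    steps:
      # Manual dispatch is always authorized; PR events are authorized only when
      # the triggering account is listed in the comma-separated AUTHORIZED_USERS
      # secret.
      # NOTE(review): github.actor is the account that triggered the event,
      # which is not necessarily the PR author
      # (github.event.pull_request.user.login). Confirm that an allow-listed
      # actor triggering a run on someone else's PR is intended, since the e2e
      # job then executes that PR's code with credentials.
      - name: Check authorization
        id: check
        env:
          EVENT_NAME: ${{ github.event_name }}
          ACTOR: ${{ github.actor }}
          AUTHORIZED_USERS: ${{ secrets.AUTHORIZED_USERS }}
        run: |
          if [[ "$EVENT_NAME" == "workflow_dispatch" ]]; then
            echo "✅ Manual workflow dispatch — authorized"
            echo "is_authorized=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          # Wrap both sides in commas so only whole user names match.
          if [[ ",$AUTHORIZED_USERS," == *",$ACTOR,"* ]]; then
            echo "✅ User $ACTOR is authorized"
            echo "is_authorized=true" >> "$GITHUB_OUTPUT"
          else
            echo "⏭️ User $ACTOR is not in AUTHORIZED_USERS — skipping E2E tests."
            echo "ℹ️ External contributors: ask a maintainer to run the E2E tests manually via workflow_dispatch."
            echo "is_authorized=false" >> "$GITHUB_OUTPUT"
          fi

  e2e:
    needs: authorize
    if: needs.authorize.outputs.is_authorized == 'true'
    runs-on: ubuntu-latest
    # Any protection rules on this environment (e.g. required reviewers) are
    # configured outside this file.
    environment: e2e-testing
    timeout-minutes: 30
    steps:
      # Checks out the PR head commit. On workflow_dispatch the expression is
      # empty and checkout falls back to the ref the run was dispatched on.
      # Everything executed from this tree below is PR-controlled code.
      - uses: actions/checkout@v6
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0
          # No later step uses git credentials against this repository, so do
          # not leave the workflow token configured in the checked-out tree.
          persist-credentials: false
      - uses: actions/setup-node@v6
        with:
          node-version: '20.x'
          cache: 'npm'
      - name: Configure git
        run: |
          git config --global user.email "ci@amazon.com"
          git config --global user.name "CI"
      - uses: astral-sh/setup-uv@v7
      # Exchanges the job's OIDC token for short-lived AWS credentials; they
      # are available to every step that follows, including PR code.
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v6
        with:
          role-to-assume: ${{ secrets.E2E_AWS_ROLE_ARN }}
          aws-region: ${{ inputs.aws_region || 'us-east-1' }}
      - name: Get AWS Account ID
        id: aws
        run: echo "account_id=$(aws sts get-caller-identity --query Account --output text)" >> "$GITHUB_OUTPUT"
      # The JSON secret is exposed under the E2E_ prefix; the test step reads
      # E2E_ANTHROPIC_API_KEY, E2E_OPENAI_API_KEY and E2E_GEMINI_API_KEY from it.
      - name: Get API keys from Secrets Manager
        uses: aws-actions/aws-secretsmanager-get-secrets@v2
        with:
          secret-ids: |
            E2E,${{ secrets.E2E_SECRET_ARN }}
          parse-json-secrets: true
      # NOTE(review): with only `owner` set the token is not narrowed to a
      # single repository; consider the action's `repositories` input so the
      # token covers just the CDK repo.
      - name: Generate GitHub App Token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ vars.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          owner: aws
      # Build @aws/agentcore-cdk from source for cross-package testing.
      # Requires secret: CDK_REPO_NAME (org/repo). Token is generated by the App above.
      - name: Build CDK package
        run: |
          echo "Building CDK from branch: $CDK_BRANCH"
          git clone --depth 1 --branch "$CDK_BRANCH" "https://x-access-token:${CDK_REPO_TOKEN}@github.com/${CDK_REPO}.git" /tmp/cdk-repo
          cd /tmp/cdk-repo
          # The clone URL embeds the App token and git stores it as the origin
          # remote. Rewrite the remote so the token is not left on disk for the
          # PR-controlled steps that run afterwards.
          git remote set-url origin "https://github.com/${CDK_REPO}.git"
          npm ci
          npm run build
          TARBALL=$(npm pack --pack-destination "$RUNNER_TEMP" | tail -1)
          echo "CDK_TARBALL=$RUNNER_TEMP/$TARBALL" >> "$GITHUB_ENV"
        env:
          CDK_BRANCH: ${{ inputs.cdk_branch || 'main' }}
          CDK_REPO_TOKEN: ${{ steps.app-token.outputs.token }}
          CDK_REPO: ${{ secrets.CDK_REPO_NAME }}
      # From here on the steps install, build and run the checked-out tree.
      - run: npm ci
      - run: npm run build
      - name: Install CLI globally
        run: npm install -g "$(npm pack | tail -1)"
      # Collects e2e test files touched since the PR base (HEAD~1 when there is
      # no PR), excluding the baseline test that always runs. The resulting
      # names come from the PR tree and must be treated as untrusted data.
      - name: Detect changed e2e test files
        id: changed
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha || 'HEAD~1' }}
        run: |
          CHANGED=$(git diff --name-only "$BASE_SHA"..HEAD -- 'e2e-tests/*.test.ts' \
            | grep -v '^e2e-tests/strands-bedrock\.test\.ts$' \
            | tr '\n' ' ')
          echo "extra_tests=$CHANGED" >> "$GITHUB_OUTPUT"
          echo "Changed e2e tests: ${CHANGED:-none}"
      - name: Run E2E tests
        env:
          AWS_ACCOUNT_ID: ${{ steps.aws.outputs.account_id }}
          AWS_REGION: ${{ inputs.aws_region || 'us-east-1' }}
          ANTHROPIC_API_KEY: ${{ env.E2E_ANTHROPIC_API_KEY }}
          OPENAI_API_KEY: ${{ env.E2E_OPENAI_API_KEY }}
          GEMINI_API_KEY: ${{ env.E2E_GEMINI_API_KEY }}
          CDK_TARBALL: ${{ env.CDK_TARBALL }}
          # PR-derived file names: handed over as data, never spliced into the script.
          EXTRA_TESTS: ${{ steps.changed.outputs.extra_tests }}
        # Always run strands-bedrock as baseline, plus any e2e test files changed in the PR
        run: |
          # Split the space-separated list into separate arguments without
          # letting the shell evaluate or glob-expand the names.
          read -r -a extra_tests <<< "$EXTRA_TESTS"
          npx vitest run --project e2e e2e-tests/strands-bedrock.test.ts "${extra_tests[@]}"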