Merge branch 'mainline' into fix-brittleness-messagebody

.github/workflows/library_dafny_verification.yml

@@ -21,7 +21,7 @@ jobs:
         library: [
           AwsEncryptionSDK
         ]
-        os: [ macos-latest ]
+        os: [ macos-12 ]
     runs-on: ${{ matrix.os }}
     env:
       DOTNET_CLI_TELEMETRY_OPTOUT: 1

.github/workflows/library_interop_tests.yml

@@ -27,7 +27,7 @@ jobs:
         os: [
           windows-latest,
           ubuntu-latest,
-          macos-latest,
+          macos-12,
         ]
     runs-on: ${{ matrix.os }}
     permissions:
@@ -117,7 +117,7 @@ jobs:
       matrix:
         os: [
           ubuntu-latest,
-          macos-latest,
+          macos-12,
         ]
     runs-on: ${{ matrix.os }}
     permissions:
@@ -213,7 +213,7 @@ jobs:
       matrix:
         os: [
           ubuntu-latest,
-          macos-latest,
+          macos-12,
         ]
     runs-on: ${{ matrix.os }}
     permissions:

.github/workflows/library_java_tests.yml

@@ -25,7 +25,7 @@ jobs:
           # TODO just test on mac for now
           #windows-latest,
           #ubuntu-latest,
-          macos-latest
+          macos-12
         ]
     runs-on: ${{ matrix.os }}
     permissions:

.github/workflows/library_net_tests.yml

@@ -33,7 +33,7 @@ jobs:
         os: [
           windows-latest,
           ubuntu-latest,
-          macos-latest,
+          macos-12,
         ]
     runs-on: ${{ matrix.os }}
     permissions:
@@ -246,4 +246,4 @@ jobs:
             ESDK_NET_V400_POLICY="forbid" \
             DAFNY_AWS_ESDK_TEST_VECTOR_MANIFEST_PATH="$NET_401_VECTORS/manifest.json" \
             dotnet test --framework net6.0 --logger "console;verbosity=quiet"
-          fi
+          fi

.github/workflows/nighly_dafny.yml

@@ -31,3 +31,46 @@ jobs:
     with:
       dafny: 'nightly-latest'
       regenerate-code: true
+
+  cut-issue-on-failure:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    needs:
+      [
+        dafny-nightly-verification,
+        dafny-nightly-net,
+      ]
+    if: ${{ always() && contains(needs.*.result, 'failure') }}
+    steps:
+      # We need access to the role that is able to get CI Bot Creds
+      - name: Configure AWS Credentials for Release
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          aws-region: us-west-2
+          role-to-assume: arn:aws:iam::587316601012:role/GitHub-CI-CI-Bot-Credential-Access-Role-us-west-2
+          role-session-name: Dafny_Issue_Blocker
+
+      # Use AWS Secrets Manger GHA to retrieve CI Bot Creds
+      - name: Get CI Bot Creds Secret
+        uses: aws-actions/aws-secretsmanager-get-secrets@v2
+        with:
+          secret-ids: Github/aws-crypto-tools-ci-bot
+          parse-json-secrets: true
+
+      - name: Create release blocker on dafny-lang/dafny
+        env:
+          GH_TOKEN: ${{ env.GITHUB_AWS_CRYPTO_TOOLS_CI_BOT_ESDK_RELEASE_TOKEN }}
+        run: |
+          id=$(gh search issues -R dafny-lang/dafny --match title "[PRERELEASE REGRESSION] Dafny prerelease regression from ${{ github.repository }}" --json number,state -q '[.[] | select( .state=="open" )][0].number')
+          if [ -n "$id" ]; then
+            gh issue comment -R dafny-lang/dafny $id \
+              -b "Another failure in ${{ github.workflow_ref }}. \
+                See ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+          else
+            gh issue create -R dafny-lang/dafny \
+              -t "[PRERELEASE REGRESSION] Dafny prerelease regression from ${{ github.repository }}" \
+              -b "Failure in ${{ github.workflow_ref }}. \
+                See ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+          fi

.github/workflows/sem_ver.yml

@@ -0,0 +1,53 @@
+# This workflow tests the installation of semantic release
+name: Semantic Release Test Installation
+
+on:
+  pull_request:
+
+jobs:
+  semantic-release:
+    runs-on: macos-12
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - name: Support longpaths on Git checkout
+        run: |
+          git config --global core.longpaths true
+      
+      - uses: actions/checkout@v3
+        with:
+          submodules: recursive
+      # We need access to the role that is able to get CI Bot Creds
+      - name: Configure AWS Credentials for Release
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          aws-region: us-west-2
+          role-to-assume: arn:aws:iam::587316601012:role/GitHub-CI-CI-Bot-Credential-Access-Role-us-west-2
+          role-session-name: CI_Bot_Release
+
+      - name: Upgrade Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 21
+
+      # Use AWS Secrets Manger GHA to retrieve CI Bot Creds
+      - name: Get CI Bot Creds Secret
+        uses: aws-actions/aws-secretsmanager-get-secrets@v2
+        with:
+          secret-ids: Github/aws-crypto-tools-ci-bot
+          parse-json-secrets: true
+
+      # Log in as the CI Bot
+      - name: Log in as CI Bot
+        run: |
+          echo ${{env.GITHUB_AWS_CRYPTO_TOOLS_CI_BOT_ESDK_RELEASE_TOKEN}} > token.txt
+          gh auth login --with-token < token.txt
+          rm token.txt
+          gh auth status
+
+      # Test to see if we can setup semantic release
+      - name: Test Semantic Release Installation
+        uses: actions/checkout@v4
+      - run: |
+          make setup_semantic_release

.github/workflows/semantic_release.yml

@@ -0,0 +1,77 @@
+# This workflow runs semantic release, bumps, generates changelog, and tags the project
+name: Semantic Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      dry-run:
+        description: "Is this a dry run to validate semantic-release behaves as expected? (y/n)"
+        required: true
+        type: string
+
+jobs:
+  semantic-release:
+    # there is no easy way in gha to check if the actor is part of the team, running semantic release is a more
+    # privileged operation, so we must make sure this list of users is a subset of the users labeled as maintainers of
+    # https://github.com/orgs/aws/teams/aws-crypto-tools
+    if: contains('["seebees","texastony","ShubhamChaturvedi7","lucasmcdonald3","josecorella","imabhichow","rishav-karanjit","antonf-amzn","justplaz","ajewellamz","RitvikKapila"]', github.actor)
+    runs-on: macos-12
+    permissions:
+      id-token: write
+      contents: write
+    steps:
+      - name: Support longpaths on Git checkout
+        run: |
+          git config --global core.longpaths true
+      - uses: actions/checkout@v3
+      # We only pull in the submodules we need to build the library
+      - run: git submodule update --init libraries
+
+      # We need access to the role that is able to get CI Bot Creds
+      - name: Configure AWS Credentials for Release
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          aws-region: us-west-2
+          role-to-assume: arn:aws:iam::587316601012:role/GitHub-CI-CI-Bot-Credential-Access-Role-us-west-2
+          role-session-name: CI_Bot_Release
+
+      - name: Upgrade Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 21
+
+      # Use AWS Secrets Manger GHA to retrieve CI Bot Creds
+      - name: Get CI Bot Creds Secret
+        uses: aws-actions/aws-secretsmanager-get-secrets@v2
+        with:
+          secret-ids: Github/aws-crypto-tools-ci-bot
+          parse-json-secrets: true
+
+      # Log in as the CI Bot
+      - name: Log in as CI Bot
+        run: |
+          echo ${{env.GITHUB_AWS_CRYPTO_TOOLS_CI_BOT_ESDK_RELEASE_TOKEN}} > token.txt
+          gh auth login --with-token < token.txt
+          rm token.txt
+          gh auth status
+
+      # Set up semantic release
+      - name: Setup Semantic Release
+        run: |
+          make setup_semantic_release
+
+      # Run semantic release in dry run mode if input matches
+      - name: Run Semantic Release in dry run mode
+        env:
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+        if: ${{inputs.dry-run == 'y'}}
+        run: |
+          make dry_run_semantic_release
+
+      # Run semantic release if input matches
+      - name: Run Semantic Release
+        env:
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+        if: ${{inputs.dry-run == 'n'}}
+        run: |
+          make run_semantic_release

.releaserc.cjs

@@ -0,0 +1,136 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+/*
+  First run `make setup_semantic_release` to install the required dependencies.
+
+  Using this config semantic-release will search for the latest tag
+  evaluate all commits after that tag
+  generate release notes and a version bump.
+  It will commit these changes, push these changes, and publish a new version tag.
+
+  This file requires a `--branches` option to function.
+  This is to facilitate point releases if needed.
+
+  `npx semantic-release --branches main`
+*/
+
+// This project has several runtimes
+// each one has files that need to be updated.
+// We model all the files and the runtimes here in this structure
+const Runtimes = {
+  net: {
+    "AwsEncryptionSDK/runtimes/net/ESDK.csproj": {
+      dependencies: [],
+      assemblyInfo: []
+    }
+  },
+};
+
+/**
+ * @type {import('semantic-release').GlobalConfig}
+ */
+module.exports = {
+  branches: ["mainline"],
+  repositoryUrl:
+    "[email protected]:aws/aws-encryption-sdk-dafny.git",
+  plugins: [
+    // Check the commits since the last release
+    ["@semantic-release/commit-analyzer",
+      {
+        "preset": "conventionalcommits",
+        "parserOpts": {
+          "noteKeywords": ["BREAKING CHANGE", "BREAKING CHANGES"]
+        },
+        "presetConfig": {
+          "types": [
+            {"type": "feat", "section": "Features"},
+            {"type": "fix", "section": "Fixes"},
+            {"type": "chore", "section": "Maintenance"},
+            {"type": "docs", "section": "Maintenance"},
+            {"type": "revert", "section": "Fixes"},
+            {"type": "style", "hidden": true},
+            {"type": "refactor", "hidden": true},
+            {"type": "perf", "hidden": true},
+            {"type": "test", "hidden": true}
+          ]
+        },
+        "releaseRules": [
+          {"type": "docs", "release": "patch"},
+          {"type": "revert", "release": "patch"},
+          {"type": "chore", "release": "patch"}
+        ]
+      },
+    ],
+    // Based on the commits generate release notes
+    ["@semantic-release/release-notes-generator",
+      {
+        "preset": "conventionalcommits",
+        "parserOpts": {
+          "noteKeywords": ["BREAKING CHANGE", "BREAKING CHANGES"]
+        },
+        "presetConfig": {
+            "types": [
+                {"type": "feat", "section": "Features"},
+                {"type": "fix", "section": "Fixes"},
+                {"type": "chore", "section": "Maintenance"},
+                {"type": "docs", "section": "Maintenance"},
+                {"type": "revert", "section": "Fixes"},
+                {"type": "style", "hidden": true},
+                {"type": "refactor", "hidden": true},
+                {"type": "perf", "hidden": true},
+                {"type": "test", "hidden": true}
+            ]
+        }
+      }
+    ],
+    // Update the change log with the generated release notes
+    [
+      "@semantic-release/changelog",
+      {
+        changelogFile: "CHANGELOG.md",
+        changelogTitle: "# Changelog",
+      },
+    ],
+
+    // Bump the various versions
+    [
+      "semantic-release-replace-plugin",
+      {
+        replacements: [
+          // Update the version for all DotNet projects
+          // Does not update the dependencies
+          {
+            files: Object.keys(Runtimes.net),
+            from: "<Version>.*</Version>",
+            to: "<Version>${nextRelease.version}</Version>",
+            results: Object.keys(Runtimes.net).map(CheckResults),
+            countMatches: true,
+          },
+        ],
+      },
+    ],
+    // Commit and push changes the changelog and versions bumps
+    [
+      "@semantic-release/git",
+      {
+        assets: [
+          "CHANGELOG.md",
+          ...Object.values(Runtimes).flatMap((r) => Object.keys(r)),
+          ...Object.values(Runtimes.net).flatMap((r) => r.assemblyInfo),
+        ],
+        message:
+          "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}",
+      },
+    ],
+  ],
+};
+
+function CheckResults(file) {
+  return {
+    file,
+    hasChanged: true,
+    numMatches: 1,
+    numReplacements: 1,
+  };
+}

AwsEncryptionSDK/codebuild/release/release-prod.yml

@@ -27,7 +27,7 @@ phases:
       - unzip -qq dafny.zip && rm dafny.zip
       - export PATH="$PWD/dafny:$PATH"
       # Switch back to the main directory
-      - cd private-aws-encryption-sdk-dafny-staging/AwsEncryptionSDK
+      - cd aws-encryption-sdk-dafny/AwsEncryptionSDK
   pre_build:
     commands:
       # UNIQUE_ID should be passed in as an environment variable. It is used to tie

AwsEncryptionSDK/codebuild/release/release-staging.yml

@@ -37,7 +37,7 @@ phases:
       - sudo apt update
       - sudo apt-get install mono-devel -y
       # Switch back to the main directory
-      - cd private-aws-encryption-sdk-dafny-staging/AwsEncryptionSDK
+      - cd aws-encryption-sdk-dafny/AwsEncryptionSDK
   pre_build:
     commands:
       # UNIQUE_ID should be passed in as an environment variable. It is used to tie