-
Notifications
You must be signed in to change notification settings - Fork 64
517 lines (514 loc) · 20.2 KB
/
health_checks.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
name: health_checks
on:
push:
branches:
- main
- hotfix
pull_request:
branches:
- main
- hotfix
- feature/**
schedule:
# Every day at At minute 0 past hour 0, 6, 12, and 18 UTC.
# This is to make sure that there is at least one workflow run every 24 hours
# taking into account that
# 1) scheduled runs may not fire at exact prescribed time;
# 2) transient failures may happen and auto recover;
- cron: '0 0,6,12,18 * * *'
workflow_dispatch:
jobs:
install:
strategy:
matrix:
# Windows install must happen on the same worker size as subsequent jobs.
# Larger workers use different drive (C: instead of D:) to check out project and NPM installation
# creates file system links that include drive letter.
# Changing between standard and custom workers requires full install cache invalidation
os: [ubuntu-latest, macos-14, windows-latest]
node: [18, 20]
runs-on: ${{ matrix.os }}
timeout-minutes: 10
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- uses: ./.github/actions/setup_node
with:
node-version: ${{ matrix.node }}
- uses: ./.github/actions/install_with_cache
with:
node-version: ${{ matrix.node }}
build:
strategy:
matrix:
node: [18, 20]
runs-on: ubuntu-latest
needs:
- install
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- uses: ./.github/actions/setup_node
with:
node-version: ${{ matrix.node }}
- uses: ./.github/actions/build_with_cache
with:
node-version: ${{ matrix.node }}
test_with_coverage:
needs:
- build
strategy:
matrix:
os: [ubuntu-latest, macos-14, windows-latest]
node: [18, 20]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- uses: ./.github/actions/setup_node
with:
node-version: ${{ matrix.node }}
- uses: ./.github/actions/restore_build_cache
with:
node-version: ${{ matrix.node }}
- run: npm run set-script-shell
- run: npm run test:coverage:threshold
test_scripts:
needs:
- build
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- uses: ./.github/actions/setup_node
- uses: ./.github/actions/restore_build_cache
- run: |
npm run set-script-shell
npm run test:scripts
test_with_baseline_dependencies:
needs:
- install
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- uses: ./.github/actions/setup_node
- uses: ./.github/actions/restore_install_cache
- name: Pin some dependencies to nearest patch and rebuild
run: |
npx tsx scripts/set_baseline_dependency_versions.ts
npm install
# print out diff for auditing or troubleshooting
git diff
npm run build
- name: Run unit and integration tests
run: |
npm run set-script-shell
npm run test
check_api_changes:
if: github.event_name == 'pull_request'
needs:
- build
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- name: Checkout pull request ref
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- uses: ./.github/actions/setup_node
- uses: ./.github/actions/restore_build_cache
- name: Publish packages locally
timeout-minutes: 2
run: |
npm run start:npm-proxy
# keep git diff with version increment to make sure test projects resolve right version
npm run publish:local -- --keepGitDiff
- name: Checkout base branch
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
with:
path: base-branch-content
ref: ${{ github.event.pull_request.base.sha }}
- name: Check API changes
run: |
mkdir api-validation-projects
npx tsx scripts/check_api_changes.ts base-branch-content api-validation-projects
do_include_e2e:
needs:
- install
runs-on: ubuntu-latest
permissions:
# This is required so that the step can read the labels on the pull request
pull-requests: read
env:
# The do_include_e2e script needs to query pull request labels
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
outputs:
run_e2e: ${{ steps.check.outputs.run_e2e }}
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- uses: ./.github/actions/setup_node
- uses: ./.github/actions/restore_install_cache
- name: Check if E2E tests should run
id: check
run: echo "run_e2e=$(npx tsx scripts/do_include_e2e.ts)" >> "$GITHUB_OUTPUT"
- run: echo run_e2e set to ${{ steps.check.outputs.run_e2e }}
e2e_iam_access_drift:
if: needs.do_include_e2e.outputs.run_e2e == 'true'
runs-on: ubuntu-latest
timeout-minutes: 25
needs:
- do_include_e2e
- build
permissions:
# these permissions are required for the configure-aws-credentials action to get a JWT from GitHub
id-token: write
contents: read
steps:
- name: Get baseline commit sha
id: get_baseline_commit_sha
env:
GH_TOKEN: ${{ github.token }}
run: |
if [[ ${{ github.event_name }} == 'push' ]]; then
# The SHA of the most recent commit on ref before the push.
baseline_commit_sha="${{ github.event.before }}"
elif [[ ${{ github.event_name }} == 'pull_request' ]]; then
# The SHA of the HEAD commit on base branch.
baseline_commit_sha="${{ github.event.pull_request.base.sha }}"
elif [[ ${{ github.event_name }} == 'schedule' ]] || [[ ${{ github.event_name }} == 'workflow_dispatch' ]]; then
# The SHA of the parent of HEAD commit on main branch.
# This assumes linear history of main branch, i.e. one parent.
# These events have only information about HEAD commit, hence the need for lookup.
baseline_commit_sha=$(gh api /repos/${{ github.repository }}/commits/${{ github.sha }} | jq -r '.parents[0].sha')
else
echo Unable to determine baseline commit sha;
exit 1;
fi
echo baseline commit sha is $baseline_commit_sha;
echo "baseline_commit_sha=$baseline_commit_sha" >> "$GITHUB_OUTPUT";
- name: Checkout baseline version
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
with:
ref: ${{ steps.get_baseline_commit_sha.outputs.baseline_commit_sha }}
- uses: ./.github/actions/setup_node
- uses: ./.github/actions/restore_build_cache
- name: Move baseline version
id: move_baseline_version
run: |
BASELINE_DIR=$(mktemp -d)
# Command below makes shell include .hidden files in file system commands (i.e. mv).
# This is to make sure that .git directory is moved with the repo content.
shopt -s dotglob
mv ./* $BASELINE_DIR
echo "baseline_dir=$BASELINE_DIR" >> "$GITHUB_OUTPUT";
- name: Checkout current version
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- uses: ./.github/actions/setup_node
- uses: ./.github/actions/restore_build_cache
- name: Configure test tooling credentials
uses: ./.github/actions/setup_profile
with:
role-to-assume: ${{ secrets.E2E_TOOLING_ROLE_ARN }}
aws-region: us-west-2
profile-name: e2e-tooling
- name: Configure test execution credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # version 4.0.2
with:
role-to-assume: ${{ secrets.E2E_RUNNER_ROLE_ARN }}
aws-region: us-west-2
- name: Run e2e iam access drift test
run: npm run test:dir packages/integration-tests/lib/test-e2e/iam_access_drift.test.js
env:
BASELINE_DIR: ${{ steps.move_baseline_version.outputs.baseline_dir }}
e2e_deployment:
if: needs.do_include_e2e.outputs.run_e2e == 'true'
strategy:
# will finish running other test matrices even if one fails
fail-fast: false
matrix:
os: [ubuntu-latest, macos-14-xlarge, windows-latest]
node-version: [18, 20]
# skip multiple node version test on other os
exclude:
- os: macos-14-xlarge
node-version: 20
- os: windows-latest
node-version: 20
runs-on: ${{ matrix.os }}
timeout-minutes: 25
needs:
- do_include_e2e
- build
permissions:
# these permissions are required for the configure-aws-credentials action to get a JWT from GitHub
id-token: write
contents: read
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- uses: ./.github/actions/setup_node
with:
node-version: ${{ matrix.node-version }}
- uses: ./.github/actions/restore_build_cache
- run: cd packages/cli && npm link
- name: Configure test tooling credentials
uses: ./.github/actions/setup_profile
with:
role-to-assume: ${{ secrets.E2E_TOOLING_ROLE_ARN }}
aws-region: us-west-2
profile-name: e2e-tooling
- name: Configure test execution credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # version 4.0.2
with:
role-to-assume: ${{ secrets.E2E_RUNNER_ROLE_ARN }}
aws-region: us-west-2
- name: Run e2e deployment tests
run: npm run test:dir packages/integration-tests/lib/test-e2e/deployment.test.js
e2e_create_amplify:
if: needs.do_include_e2e.outputs.run_e2e == 'true'
strategy:
# will finish running other test matrices even if one fails
fail-fast: false
matrix:
os: [ubuntu-latest, macos-14, windows-latest]
node-version: [18, 20]
# skip multiple node version test on other os
exclude:
- os: macos-14
node-version: 20
- os: windows-latest
node-version: 20
runs-on: ${{ matrix.os }}
timeout-minutes: ${{ matrix.os == 'windows-latest' && 35 || 25 }}
needs:
- do_include_e2e
- build
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- uses: ./.github/actions/setup_node
with:
node-version: ${{ matrix.node-version }}
- uses: ./.github/actions/restore_build_cache
- run: cd packages/cli && npm link
- name: Run e2e create-amplify tests
run: npm run test:dir packages/integration-tests/lib/test-e2e/create_amplify.test.js
e2e_package_manager:
if: needs.do_include_e2e.outputs.run_e2e == 'true'
strategy:
# will finish running other test matrices even if one fails
fail-fast: false
matrix:
os: [ubuntu-latest, macos-14, windows-latest]
pkg-manager: [npm, yarn-classic, yarn-modern, pnpm]
node-version: ['20']
env:
PACKAGE_MANAGER: ${{ matrix.pkg-manager }}
runs-on: ${{ matrix.os }}
timeout-minutes: 25
needs:
- build
- do_include_e2e
permissions:
# these permissions are required for the configure-aws-credentials action to get a JWT from GitHub
id-token: write
contents: read
steps:
- name: Checkout aws-amplify/amplify-cli repo
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Setup Node.js
uses: ./.github/actions/setup_node
with:
node-version: ${{ matrix.node-version }}
- name: Restore Build Cache
uses: ./.github/actions/restore_build_cache
- name: Configure test tooling credentials
uses: ./.github/actions/setup_profile
with:
role-to-assume: ${{ secrets.E2E_TOOLING_ROLE_ARN }}
aws-region: us-west-2
profile-name: e2e-tooling
- name: Configure test execution credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # version 4.0.2
with:
role-to-assume: ${{ secrets.E2E_RUNNER_ROLE_ARN }}
aws-region: us-west-2
- name: Run E2E flow tests with ${{ matrix.pkg-manager }}
shell: bash
run: |
PACKAGE_MANAGER=${{matrix.pkg-manager}} npm run test:dir packages/integration-tests/src/package_manager_sanity_checks.test.ts
lint:
runs-on: ubuntu-latest
needs:
- build
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- uses: ./.github/actions/setup_node
- uses: ./.github/actions/restore_build_cache
- run: npm run lint
check_dependencies:
runs-on: ubuntu-latest
needs:
- install
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- uses: ./.github/actions/setup_node
- uses: ./.github/actions/restore_install_cache
- run: npm run check:dependencies
check_tsconfig_refs:
runs-on: ubuntu-latest
needs:
- install
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- uses: ./.github/actions/setup_node
- uses: ./.github/actions/restore_install_cache
- run: npm run check:tsconfig-refs
check_api_extract:
runs-on: ubuntu-latest
needs:
- build
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- uses: ./.github/actions/setup_node
- uses: ./.github/actions/restore_build_cache
- run: npm run check:api
docs_build_and_publish:
runs-on: ubuntu-latest
needs:
- build
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- uses: ./.github/actions/setup_node
- uses: ./.github/actions/restore_build_cache
- run: npm run docs
- if: ${{ github.event_name == 'push' && github.ref_name == 'main' }}
uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # version 4.0.0
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: ./docs
publish_branch: docs
check_pr_size:
if: github.event_name == 'pull_request'
runs-on: ubuntu-latest
needs:
- install
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- uses: ./.github/actions/setup_node
- uses: ./.github/actions/restore_install_cache
- run: git fetch origin
- run: npm run diff:check "$BASE_SHA"
env:
BASE_SHA: ${{ github.event.pull_request.base.sha }}
check_pr_changesets:
if: github.event_name == 'pull_request' && github.event.pull_request.user.login != 'github-actions[bot]'
runs-on: ubuntu-latest
needs:
- install
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
with:
# fetch full history so that changeset can properly compute divergence point
fetch-depth: 0
- uses: ./.github/actions/setup_node
- uses: ./.github/actions/restore_install_cache
- name: Validate that PR has changeset
run: npx changeset status --since origin/"$BASE_REF"
env:
BASE_REF: ${{ github.event.pull_request.base.ref }}
- name: Validate changeset is not missing packages
run: npx tsx scripts/check_changeset_completeness.ts "$BASE_SHA"
env:
BASE_SHA: ${{ github.event.pull_request.base.sha }}
- name: Validate that changeset has necessary dependency updates
run: |
npx changeset version
npm update
npm run check:dependencies
check_package_versions:
if: github.event_name == 'pull_request'
runs-on: ubuntu-latest
needs:
- install
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- uses: ./.github/actions/setup_node
- uses: ./.github/actions/restore_install_cache
- run: npx changeset version
- run: npm run check:package-versions
update_package_versions:
if: ${{ github.event_name == 'push' && (github.ref_name == 'main' || github.ref_name == 'hotfix') }}
needs:
- install
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- uses: ./.github/actions/setup_node
- uses: ./.github/actions/restore_install_cache
- id: is_version_packages_commit
run: echo "is_version_packages_commit=$(npx tsx scripts/is_version_packages_commit.ts)" >> "$GITHUB_OUTPUT"
- name: Create or update Version Packages PR
# if this push is NOT merging a version packages PR, then we update/create the version packages PR
if: ${{ steps.is_version_packages_commit.outputs.is_version_packages_commit == 'false' }}
uses: changesets/action@aba318e9165b45b7948c60273e0b72fce0a64eb9 # version 1.4.7
with:
createGithubReleases: false
# this should never be called, but if something happens and it does get called, this ensures that a premature publish won't happen
publish: echo Cannot publish during update version step
env:
# we are also omitting the NPM_TOKEN here to eliminate the possibility of publishing to NPM during this step
# we still need the GITHUB_TOKEN so that the version packages PR can be updated
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
publish_package_versions:
if: ${{ github.event_name == 'push' && (github.ref_name == 'main' || github.ref_name == 'hotfix') }}
needs:
- test_with_coverage
- e2e_package_manager
- e2e_deployment
- e2e_create_amplify
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- uses: ./.github/actions/setup_node
- uses: ./.github/actions/restore_build_cache
- id: is_version_packages_commit
run: echo "is_version_packages_commit=$(npx tsx scripts/is_version_packages_commit.ts)" >> "$GITHUB_OUTPUT"
- name: Publish packages
# if this push is merging a version packages PR, then we publish the new versions
if: ${{ steps.is_version_packages_commit.outputs.is_version_packages_commit == 'true' }}
id: changeset_publish
uses: changesets/action@aba318e9165b45b7948c60273e0b72fce0a64eb9 # version 1.4.7
with:
publish: npm run publish
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
- name: Update hotfix branch
if: ${{ steps.changeset_publish.outputs.published == 'true' && github.ref_name == 'main' }}
run: git push origin main:hotfix --force
codeql:
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
with:
# Minimal depth 2 so we can checkout the commit before possible merge commit.
fetch-depth: 2
- name: Initialize CodeQL
uses: github/codeql-action/init@8fcfedf57053e09257688fce7a0beeb18b1b9ae3 # version 2.17.2
with:
languages: javascript
queries: +security-and-quality
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@8fcfedf57053e09257688fce7a0beeb18b1b9ae3 # version 2.17.2
with:
category: /language:javascript
dependency-review:
if: github.event_name == 'pull_request'
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout repository
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- name: Dependency Review
uses: actions/dependency-review-action@0c155c5e8556a497adf53f2c18edabf945ed8e70 # version 4.3.2
with:
config-file: ./.github/dependency_review_config.yml