chore: validate release

imabhichow · imabhichow · commit 1092a1f5d60a · 2025-07-14T10:04:21.000-07:00
diff --git a/.github/workflows/ci_codebuild_batch.yml b/.github/workflows/ci_codebuild_batch.yml
@@ -1297,6 +1297,45 @@ jobs:
           project-name: python-esdk
           buildspec-override: codebuild/py312/decrypt_golden_manifest_with_masterkey.yml
           image-override: aws/codebuild/standard:7.0
+          
+  # Python Release Validation with test vectors
+  python_release_validation:
+    name: Python Release Validation with Test Vectors
+    runs-on: ubuntu-latest
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }}
+          aws-region: us-west-2
+          role-duration-seconds: 7200
+      - name: Run CodeBuild
+        uses: aws-actions/aws-codebuild-run-build@v1
+        timeout-minutes: 120
+        with:
+          project-name: python-esdk
+          buildspec-override: codebuild/release/validate_test_vectors.yml
+          image-override: aws/codebuild/standard:7.0
+
+
+  # Python Release Validation with examples as alternate
+  python_release_examples_validation:
+    name: Python Release Validation with Examples
+    runs-on: ubuntu-latest
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }}
+          aws-region: us-west-2
+          role-duration-seconds: 7200
+      - name: Run CodeBuild
+        uses: aws-actions/aws-codebuild-run-build@v1
+        timeout-minutes: 120
+        with:
+          project-name: python-esdk
+          buildspec-override: codebuild/release/validate_released_with_examples.yml
+          image-override: aws/codebuild/standard:7.0
 
   # Code Coverage and Compliance jobs
   code_coverage:
diff --git a/codebuild/release/validate_released_with_examples.yml b/codebuild/release/validate_released_with_examples.yml
@@ -0,0 +1,142 @@
+version: 0.2
+
+env:
+  variables:
+    # Default VERSION if not provided externally
+    VERSION: 4.0.2
+    REGION: "us-west-2"
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+      arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+      arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
+      arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >-
+      arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
+
+phases:
+  install:
+    runtime-versions:
+      python: 3.11
+    commands:
+      - pip install "aws-encryption-sdk[MPL]==$VERSION"
+      - pip install "tox < 4.0"
+  build:
+    commands:
+      # Create a simple tox.ini file for running examples with the installed package
+      - |
+        cat > release_validation_tox.ini << EOF
+        [tox]
+        envlist = py311
+        skipsdist = True
+
+        [testenv]
+        passenv =
+            AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID
+            AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2
+            AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1
+            AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2
+            AWS_ACCESS_KEY_ID
+            AWS_SECRET_ACCESS_KEY
+            AWS_SESSION_TOKEN
+            AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
+            AWS_PROFILE
+        deps =
+            pytest
+            pytest-mock
+            mock
+            coverage
+            pyyaml
+            moto
+            boto3
+            cryptography
+            aws-encryption-sdk[MPL]==$VERSION
+        commands =
+            # Run non-MPL examples
+            pytest examples/test/legacy/ -m examples
+            # Run all other examples
+            pytest examples/test/ -m examples --ignore examples/test/legacy/
+        EOF
+
+      # Run the examples with NUM_RETRIES to handle transient failures
+      - NUM_RETRIES=3
+      - |
+        while [ $NUM_RETRIES -gt 0 ]
+        do
+          tox -c release_validation_tox.ini -e py311
+          if [ $? -eq 0 ]; then
+            break
+          fi
+          NUM_RETRIES=$((NUM_RETRIES-1))
+          if [ $NUM_RETRIES -eq 0 ]; then
+            echo "All validation attempts failed, stopping"
+            exit 1;
+          else
+            echo "Validation failed, retrying in 60 seconds; will retry $NUM_RETRIES more times" && sleep 60
+          fi
+        done
+
+      # Assume special role for MPL-specific tests
+      - echo "Running tests with special role for MPL features"
+      - TMP_ROLE=$(aws sts assume-role --role-arn "arn:aws:iam::370957321024:role/GitHub-CI-Public-ESDK-Python-Role-us-west-2" --role-session-name "CB-ValidateReleased")
+      - export TMP_ROLE
+      - export AWS_ACCESS_KEY_ID=$(echo "${TMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
+      - export AWS_SECRET_ACCESS_KEY=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
+      - export AWS_SESSION_TOKEN=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SessionToken')
+      - aws sts get-caller-identity
+      
+      # Also install MPL requirements
+      - pip install -r requirements_mpl.txt
+      
+      # Run MPL-specific examples
+      - NUM_RETRIES=3
+      - |
+        while [ $NUM_RETRIES -gt 0 ]
+        do
+          # Create a fresh tox.ini for MPL tests with correct dependencies
+          echo "Creating MPL tox.ini with VERSION=$VERSION"
+          cat > mpl_validation_tox.ini << EOF
+          [tox]
+          envlist = py311
+          skipsdist = True
+
+          [testenv]
+          passenv =
+              AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID
+              AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2
+              AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1
+              AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2
+              AWS_ACCESS_KEY_ID
+              AWS_SECRET_ACCESS_KEY
+              AWS_SESSION_TOKEN
+              AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
+              AWS_PROFILE
+          deps =
+              pytest
+              pytest-mock
+              mock
+              coverage
+              pyyaml
+              moto
+              boto3
+              cryptography
+              aws-encryption-sdk[MPL]==$VERSION
+              -r requirements_mpl.txt
+          commands =
+              # Only run the MPL-specific tests
+              pytest examples/test/ -m examples --ignore examples/test/legacy/
+          EOF
+          
+          # Run the MPL-specific tests
+          tox -c mpl_validation_tox.ini -e py311
+          if [ $? -eq 0 ]; then
+            break
+          fi
+          NUM_RETRIES=$((NUM_RETRIES-1))
+          if [ $NUM_RETRIES -eq 0 ]; then
+            echo "All MPL validation attempts failed, stopping"
+            exit 1;
+          else
+            echo "MPL validation failed, retrying in 60 seconds; will retry $NUM_RETRIES more times" && sleep 60
+          fi
+        done
diff --git a/codebuild/release/validate_test_vectors.yml b/codebuild/release/validate_test_vectors.yml
@@ -0,0 +1,65 @@
+version: 0.2
+
+env:
+  variables:
+    # Default VERSION if not provided externally
+    VERSION: 4.0.2
+
+phases:
+  install:
+    commands:
+      - cd ..
+      - pip install "tox < 4.0" poetry
+      - pip install --upgrade pip
+      # Get Dafny
+      - curl https://github.com/dafny-lang/dafny/releases/download/v4.9.0/dafny-4.9.0-x64-ubuntu-20.04.zip  -L -o dafny.zip
+      - unzip -qq dafny.zip && rm dafny.zip
+      - export PATH="$PWD/dafny:$PATH"
+      - cd  aws-encryption-sdk-python/
+    runtime-versions:
+      python: latest
+      dotnet: 6.0
+  pre_build:
+    commands:
+      # Setup environment
+      - aws configure set region us-west-2
+      - git clone https://github.com/aws/aws-encryption-sdk.git
+      - cd aws-encryption-sdk && git submodule update --init --recursive && cd ..
+      # Install packages and setup environments
+      - pip install "aws-encryption-sdk[MPL]==$VERSION"
+      - pyenv install --skip-existing 3.11.0 && pyenv local 3.11.0
+      - make -C aws-encryption-sdk/mpl/StandardLibrary setup_net
+      - pip install pytest boto3 attrs cryptography
+  build:
+    commands:
+      - NUM_RETRIES=3
+      - |
+        run_command() {
+          eval "$1"
+          return $?
+        }
+        
+        # Navigate to TestVectors directory
+        cd aws-encryption-sdk/TestVectors || exit 1
+        
+        while [ $NUM_RETRIES -gt 0 ]
+        do
+          
+          # Build TestVectors implementation in Python
+          CORES=$(nproc || echo 4)
+          if ! run_command "make transpile_python CORES=$CORES"; then
+            NUM_RETRIES=$((NUM_RETRIES-1))
+            [ $NUM_RETRIES -gt 0 ] && sleep 60 && continue
+            exit 1
+          fi
+          
+          # Run all the test vector commands together
+          if ! run_command "make test_generate_vectors_python && make test_encrypt_vectors_python && make test_decrypt_encrypt_vectors_python"; then
+            NUM_RETRIES=$((NUM_RETRIES-1))
+            [ $NUM_RETRIES -gt 0 ] && sleep 60 && continue
+            exit 1
+          fi
+          
+          # Success
+          break
+        done
