chore: validate release

imabhichow · imabhichow · commit 73ca27de2fbc · 2025-07-14T15:02:57.000-07:00
diff --git a/.github/workflows/ci_codebuild_batch.yml b/.github/workflows/ci_codebuild_batch.yml
@@ -1297,6 +1297,45 @@ jobs:
           project-name: python-esdk
           buildspec-override: codebuild/py312/decrypt_golden_manifest_with_masterkey.yml
           image-override: aws/codebuild/standard:7.0
+          
+  # Python Release Validation with test vectors
+  python_release_validation:
+    name: Python Release Validation with Test Vectors
+    runs-on: ubuntu-latest
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }}
+          aws-region: us-west-2
+          role-duration-seconds: 7200
+      - name: Run CodeBuild
+        uses: aws-actions/aws-codebuild-run-build@v1
+        timeout-minutes: 120
+        with:
+          project-name: python-esdk
+          buildspec-override: codebuild/release/validate_test_vectors.yml
+          image-override: aws/codebuild/standard:7.0
+
+
+  # Python Release Validation with examples as alternate
+  python_release_examples_validation:
+    name: Python Release Validation with Examples
+    runs-on: ubuntu-latest
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }}
+          aws-region: us-west-2
+          role-duration-seconds: 7200
+      - name: Run CodeBuild
+        uses: aws-actions/aws-codebuild-run-build@v1
+        timeout-minutes: 120
+        with:
+          project-name: python-esdk
+          buildspec-override: codebuild/release/validate_released_with_examples.yml
+          image-override: aws/codebuild/standard:7.0
 
   # Code Coverage and Compliance jobs
   code_coverage:
diff --git a/codebuild/release/validate_released_with_examples.yml b/codebuild/release/validate_released_with_examples.yml
@@ -0,0 +1,80 @@
+version: 0.2
+
+env:
+  variables:
+    # Default VERSION if not provided externally
+    VERSION: 4.0.2
+    REGION: "us-west-2"
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+      arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+      arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
+      arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >-
+      arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
+
+phases:
+  install:
+    runtime-versions:
+      python: 3.11
+    commands:
+      - pip install "tox < 4.0"
+      - pip install --upgrade pip
+      - echo "Installing aws-encryption-sdk version $VERSION"
+      - pip install "aws-encryption-sdk[MPL]==$VERSION"
+  build:
+    commands:
+      # Verify installation
+      - python -c "import aws_encryption_sdk; print(f'Using aws-encryption-sdk version: {aws_encryption_sdk.__version__}')"
+      
+      # Set initial retry count
+      - NUM_RETRIES=3
+      
+      # Run non-MPL-specific tests with the MPL installed
+      - |
+        echo "Running standard examples"
+        while [ $NUM_RETRIES -gt 0 ]
+        do
+          tox -e validate-pypi-release -- $VERSION
+          if [ $? -eq 0 ]; then
+            echo "Standard examples successful"
+            break
+          fi
+          NUM_RETRIES=$((NUM_RETRIES-1))
+          if [ $NUM_RETRIES -eq 0 ]; then
+            echo "All standard example attempts failed, stopping"
+            exit 1
+          else
+            echo "Standard examples failed, retrying in 60 seconds; will retry $NUM_RETRIES more times" && sleep 60
+          fi
+        done
+      
+      # Assume special role for MPL-specific tests
+      - echo "Running tests with special role for MPL features"
+      - TMP_ROLE=$(aws sts assume-role --role-arn "arn:aws:iam::370957321024:role/GitHub-CI-Public-ESDK-Python-Role-us-west-2" --role-session-name "CB-ValidateReleased")
+      - export TMP_ROLE
+      - export AWS_ACCESS_KEY_ID=$(echo "${TMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
+      - export AWS_SECRET_ACCESS_KEY=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
+      - export AWS_SESSION_TOKEN=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SessionToken')
+      - aws sts get-caller-identity
+      
+      # Run MPL examples with a fresh retry count
+      - NUM_RETRIES=3
+      - |
+        echo "Running MPL examples"
+        while [ $NUM_RETRIES -gt 0 ]
+        do
+          tox -e validate-pypi-release-mpl -- $VERSION
+          if [ $? -eq 0 ]; then
+            echo "MPL examples successful"
+            break
+          fi
+          NUM_RETRIES=$((NUM_RETRIES-1))
+          if [ $NUM_RETRIES -eq 0 ]; then
+            echo "All MPL example attempts failed, stopping"
+            exit 1
+          else
+            echo "MPL examples failed, retrying in 60 seconds; will retry $NUM_RETRIES more times" && sleep 60
+          fi
+        done
diff --git a/codebuild/release/validate_test_vectors.yml b/codebuild/release/validate_test_vectors.yml
@@ -0,0 +1,65 @@
+version: 0.2
+
+env:
+  variables:
+    # Default VERSION if not provided externally
+    VERSION: 4.0.2
+
+phases:
+  install:
+    commands:
+      - cd ..
+      - pip install "tox < 4.0" poetry
+      - pip install --upgrade pip
+      # Get Dafny
+      - curl https://github.com/dafny-lang/dafny/releases/download/v4.9.0/dafny-4.9.0-x64-ubuntu-20.04.zip  -L -o dafny.zip
+      - unzip -qq dafny.zip && rm dafny.zip
+      - export PATH="$PWD/dafny:$PATH"
+      - cd  aws-encryption-sdk-python/
+    runtime-versions:
+      python: latest
+      dotnet: 6.0
+  pre_build:
+    commands:
+      # Setup environment
+      - aws configure set region us-west-2
+      - git clone https://github.com/aws/aws-encryption-sdk.git
+      - cd aws-encryption-sdk && git submodule update --init --recursive && cd ..
+      # Install packages and setup environments
+      - pip install "aws-encryption-sdk[MPL]==$VERSION"
+      - pyenv install --skip-existing 3.11.0 && pyenv local 3.11.0
+      - make -C aws-encryption-sdk/mpl/StandardLibrary setup_net
+      - pip install pytest boto3 attrs cryptography
+  build:
+    commands:
+      - NUM_RETRIES=3
+      - |
+        run_command() {
+          eval "$1"
+          return $?
+        }
+        
+        # Navigate to TestVectors directory
+        cd aws-encryption-sdk/TestVectors || exit 1
+        
+        while [ $NUM_RETRIES -gt 0 ]
+        do
+          
+          # Build TestVectors implementation in Python
+          CORES=$(nproc || echo 4)
+          if ! run_command "make transpile_python CORES=$CORES"; then
+            NUM_RETRIES=$((NUM_RETRIES-1))
+            [ $NUM_RETRIES -gt 0 ] && sleep 60 && continue
+            exit 1
+          fi
+          
+          # Run all the test vector commands together
+          if ! run_command "make test_generate_vectors_python && make test_encrypt_vectors_python && make test_decrypt_encrypt_vectors_python"; then
+            NUM_RETRIES=$((NUM_RETRIES-1))
+            [ $NUM_RETRIES -gt 0 ] && sleep 60 && continue
+            exit 1
+          fi
+          
+          # Success
+          break
+        done
