From d1fb6407df4d21fdd30eae6f5b85c75432ca5780 Mon Sep 17 00:00:00 2001 From: ADOT Patch workflow Date: Wed, 15 Oct 2025 12:16:58 -0700 Subject: [PATCH 01/11] use env vars in workflow --- .github/workflows/release-lambda.yml | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release-lambda.yml b/.github/workflows/release-lambda.yml index e887d1d1e..1706fbfc6 100644 --- a/.github/workflows/release-lambda.yml +++ b/.github/workflows/release-lambda.yml @@ -29,8 +29,10 @@ jobs: steps: - name: Set up regions matrix id: set-matrix + env: + AWS_REGIONS: ${{ github.event.inputs.aws_region }} run: | - IFS=',' read -ra REGIONS <<< "${{ github.event.inputs.aws_region }}" + IFS=',' read -ra REGIONS <<< "$AWS_REGIONS" MATRIX="[" for region in "${REGIONS[@]}"; do trimmed_region=$(echo "$region" | xargs) @@ -205,8 +207,11 @@ jobs: id: commit run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT - name: Create Release Notes + env: + VERSION: ${{ github.event.inputs.version }} + SHA_SHORT: ${{ steps.commit.outputs.sha_short }} run: | - echo "AWS OpenTelemetry Lambda Layer for Python version ${{ github.event.inputs.version }}-${{ steps.commit.outputs.sha_short }}" > release_notes.md + echo "AWS OpenTelemetry Lambda Layer for Python version ${VERSION}-${SHA_SHORT}" > release_notes.md echo "" >> release_notes.md echo "" >> release_notes.md echo "See new Lambda Layer ARNs:" >> release_notes.md 
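Review bot: The new `env:` mappings in the `Set up regions matrix` step (and in the `Create Release Notes` step of the second hunk) carry no comment saying why the inputs are now routed through environment variables instead of being expanded inline in `run:`, so the next edit is likely to reintroduce inline `${{ }}` expansion in a script. A one-line comment above each new `env:` block, such as `# pass inputs via env so the shell reads them as data rather than as template-expanded script text`, would keep the rationale next to the pattern. The `run:` block of the second hunk continues past the hunk's last line.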
@@ -218,12 +223,14 @@ jobs:
id: create_release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
+ VERSION: ${{ github.event.inputs.version }}
+ SHA_SHORT: ${{ steps.commit.outputs.sha_short }}
run: |
gh release create --target "$GITHUB_REF_NAME" \
- --title "Release lambda-v${{ github.event.inputs.version }}-${{ steps.commit.outputs.sha_short }}" \
+ --title "Release lambda-v${VERSION}-${SHA_SHORT}" \
--notes-file release_notes.md \
--draft \
- "lambda-v${{ github.event.inputs.version }}-${{ steps.commit.outputs.sha_short }}" \
+ "lambda-v${VERSION}-${SHA_SHORT}" \
layer_arns.tf layer.zip
echo Removing release_notes.md ...
rm -f release_notes.md
From 39b41d58899c0b227bbf0a97d3027ad3a540abfd Mon Sep 17 00:00:00 2001
From: ADOT Patch workflow
Date: Wed, 15 Oct 2025 12:25:14 -0700
Subject: [PATCH 02/11] comment out steps for testing
---
.github/workflows/release-lambda.yml | 171 ++++++++++++++-------------
1 file changed, 87 insertions(+), 84 deletions(-)
diff --git a/.github/workflows/release-lambda.yml b/.github/workflows/release-lambda.yml
index 1706fbfc6..0efb5d59d 100644
--- a/.github/workflows/release-lambda.yml
+++ b/.github/workflows/release-lambda.yml
@@ -10,6 +10,9 @@ on:
description: 'Deploy to aws regions'
required: true
default: 'us-east-1, us-east-2, us-west-1, us-west-2, ap-south-1, ap-northeast-3, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-northeast-1, ca-central-1, eu-central-1, eu-west-1, eu-west-2, eu-west-3, eu-north-1, sa-east-1, af-south-1, ap-east-1, ap-south-2, ap-southeast-3, ap-southeast-4, eu-central-2, eu-south-1, eu-south-2, il-central-1, me-central-1, me-south-1, ap-southeast-5, ap-southeast-7, mx-central-1, ca-west-1, cn-north-1, cn-northwest-1'
+ push:
+ branches:
+ zhaez/patch-1
env:
# Legacy list of commercial regions to deploy to. New regions should NOT be added here, and instead should be added to the `aws_region` default input to the workflow.
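Review bot: `VERSION` is used in the new `--title` and tag lines (`lambda-v${VERSION}-${SHA_SHORT}`) straight from the `version` workflow_dispatch input with no format check, so an empty or mistyped value creates a draft release tagged `lambda-v-<sha>` or with a malformed tag that has to be cleaned up by hand. A guard at the top of the `run:` script, `[[ "$VERSION" =~ ^[0-9]+(\.[0-9]+)+$ ]] || { echo "unexpected version: $VERSION" >&2; exit 1; }`, fails fast before `gh release create` runs; adjust the pattern if the version is not a dotted numeric string, which this hunk does not show.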
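Review bot: The `push:` trigger on `zhaez/patch-1` added in the `on:` hunk makes this release workflow, which creates GitHub releases and publishes Lambda layers, run on every push to a personal branch; it exists only for testing, and patch 06 removes it again together with the step commenting of patches 02–05, so these interim commits net to zero. Squashing patches 02–06 before merge would keep a push-triggered release workflow out of the history entirely. If the trigger is kept for any reason, `branches:` should at least be written as a list item, `branches: [zhaez/patch-1]`, to match the usual form.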
@@ -57,92 +60,92 @@ jobs: with: name: layer.zip path: lambda-layer/src/build/aws-opentelemetry-python-layer.zip - publish-prod: - runs-on: ubuntu-latest - needs: build-layer - strategy: - matrix: - aws_region: ${{ fromJson(needs.build-layer.outputs.aws_regions_json) }} - steps: - - name: role arn - env: - LEGACY_COMMERCIAL_REGIONS: ${{ env.LEGACY_COMMERCIAL_REGIONS }} - run: | - LEGACY_COMMERCIAL_REGIONS_ARRAY=(${LEGACY_COMMERCIAL_REGIONS//,/ }) - FOUND=false - for REGION in "${LEGACY_COMMERCIAL_REGIONS_ARRAY[@]}"; do - if [[ "$REGION" == "${{ matrix.aws_region }}" ]]; then - FOUND=true - break - fi - done - if [ "$FOUND" = true ]; then - echo "Found ${{ matrix.aws_region }} in LEGACY_COMMERCIAL_REGIONS" - SECRET_KEY="LAMBDA_LAYER_RELEASE" - else - echo "Not found ${{ matrix.aws_region }} in LEGACY_COMMERCIAL_REGIONS" - SECRET_KEY="${{ matrix.aws_region }}_LAMBDA_LAYER_RELEASE" - fi - SECRET_KEY=${SECRET_KEY//-/_} - echo "SECRET_KEY=${SECRET_KEY}" >> $GITHUB_ENV - - uses: aws-actions/configure-aws-credentials@v4.0.2 - with: - role-to-assume: ${{ secrets[env.SECRET_KEY] }} - role-duration-seconds: 1200 - aws-region: ${{ matrix.aws_region }} - - name: Get s3 bucket name for release - run: | - echo BUCKET_NAME=python-lambda-layer-${{ github.run_id }}-${{ matrix.aws_region }} | tee --append $GITHUB_ENV - - name: download layer.zip - uses: actions/download-artifact@v4 - with: - name: layer.zip - - name: publish - run: | - aws s3 mb s3://${{ env.BUCKET_NAME }} - aws s3 cp aws-opentelemetry-python-layer.zip s3://${{ env.BUCKET_NAME }} - layerARN=$( - aws lambda publish-layer-version \ - --layer-name ${{ env.LAYER_NAME }} \ - --content S3Bucket=${{ env.BUCKET_NAME }},S3Key=aws-opentelemetry-python-layer.zip \ - --compatible-runtimes python3.10 python3.11 python3.12 python3.13 \ - --compatible-architectures "arm64" "x86_64" \ - --license-info "Apache-2.0" \ - --description "AWS Distro of OpenTelemetry Lambda Layer for Python Runtime" \ - --query 'LayerVersionArn' \ - 
--output text - ) - echo $layerARN - echo "LAYER_ARN=${layerARN}" >> $GITHUB_ENV - mkdir ${{ env.LAYER_NAME }} - echo $layerARN > ${{ env.LAYER_NAME }}/${{ matrix.aws_region }} - cat ${{ env.LAYER_NAME }}/${{ matrix.aws_region }} - - name: public layer - run: | - layerVersion=$( - aws lambda list-layer-versions \ - --layer-name ${{ env.LAYER_NAME }} \ - --query 'max_by(LayerVersions, &Version).Version' - ) - aws lambda add-layer-version-permission \ - --layer-name ${{ env.LAYER_NAME }} \ - --version-number $layerVersion \ - --principal "*" \ - --statement-id publish \ - --action lambda:GetLayerVersion - - name: upload layer arn artifact - if: ${{ success() }} - uses: actions/upload-artifact@v4 - with: - name: ${{ env.LAYER_NAME }}-${{ matrix.aws_region }} - path: ${{ env.LAYER_NAME }}/${{ matrix.aws_region }} - - name: clean s3 - if: always() - run: | - aws s3 rb --force s3://${{ env.BUCKET_NAME }} + # publish-prod: + # runs-on: ubuntu-latest + # needs: build-layer + # strategy: + # matrix: + # aws_region: ${{ fromJson(needs.build-layer.outputs.aws_regions_json) }} + # steps: + # - name: role arn + # env: + # LEGACY_COMMERCIAL_REGIONS: ${{ env.LEGACY_COMMERCIAL_REGIONS }} + # run: | + # LEGACY_COMMERCIAL_REGIONS_ARRAY=(${LEGACY_COMMERCIAL_REGIONS//,/ }) + # FOUND=false + # for REGION in "${LEGACY_COMMERCIAL_REGIONS_ARRAY[@]}"; do + # if [[ "$REGION" == "${{ matrix.aws_region }}" ]]; then + # FOUND=true + # break + # fi + # done + # if [ "$FOUND" = true ]; then + # echo "Found ${{ matrix.aws_region }} in LEGACY_COMMERCIAL_REGIONS" + # SECRET_KEY="LAMBDA_LAYER_RELEASE" + # else + # echo "Not found ${{ matrix.aws_region }} in LEGACY_COMMERCIAL_REGIONS" + # SECRET_KEY="${{ matrix.aws_region }}_LAMBDA_LAYER_RELEASE" + # fi + # SECRET_KEY=${SECRET_KEY//-/_} + # echo "SECRET_KEY=${SECRET_KEY}" >> $GITHUB_ENV + # - uses: aws-actions/configure-aws-credentials@v4.0.2 + # with: + # role-to-assume: ${{ secrets[env.SECRET_KEY] }} + # role-duration-seconds: 1200 + # aws-region: 
${{ matrix.aws_region }} + # - name: Get s3 bucket name for release + # run: | + # echo BUCKET_NAME=python-lambda-layer-${{ github.run_id }}-${{ matrix.aws_region }} | tee --append $GITHUB_ENV + # - name: download layer.zip + # uses: actions/download-artifact@v4 + # with: + # name: layer.zip + # - name: publish + # run: | + # aws s3 mb s3://${{ env.BUCKET_NAME }} + # aws s3 cp aws-opentelemetry-python-layer.zip s3://${{ env.BUCKET_NAME }} + # layerARN=$( + # aws lambda publish-layer-version \ + # --layer-name ${{ env.LAYER_NAME }} \ + # --content S3Bucket=${{ env.BUCKET_NAME }},S3Key=aws-opentelemetry-python-layer.zip \ + # --compatible-runtimes python3.10 python3.11 python3.12 python3.13 \ + # --compatible-architectures "arm64" "x86_64" \ + # --license-info "Apache-2.0" \ + # --description "AWS Distro of OpenTelemetry Lambda Layer for Python Runtime" \ + # --query 'LayerVersionArn' \ + # --output text + # ) + # echo $layerARN + # echo "LAYER_ARN=${layerARN}" >> $GITHUB_ENV + # mkdir ${{ env.LAYER_NAME }} + # echo $layerARN > ${{ env.LAYER_NAME }}/${{ matrix.aws_region }} + # cat ${{ env.LAYER_NAME }}/${{ matrix.aws_region }} + # - name: public layer + # run: | + # layerVersion=$( + # aws lambda list-layer-versions \ + # --layer-name ${{ env.LAYER_NAME }} \ + # --query 'max_by(LayerVersions, &Version).Version' + # ) + # aws lambda add-layer-version-permission \ + # --layer-name ${{ env.LAYER_NAME }} \ + # --version-number $layerVersion \ + # --principal "*" \ + # --statement-id publish \ + # --action lambda:GetLayerVersion + # - name: upload layer arn artifact + # if: ${{ success() }} + # uses: actions/upload-artifact@v4 + # with: + # name: ${{ env.LAYER_NAME }}-${{ matrix.aws_region }} + # path: ${{ env.LAYER_NAME }}/${{ matrix.aws_region }} + # - name: clean s3 + # if: always() + # run: | + # aws s3 rb --force s3://${{ env.BUCKET_NAME }} generate-release-note: runs-on: ubuntu-latest - needs: publish-prod + needs: build-layer steps: - name: Checkout Repo @ SHA - 
${{ github.sha }} uses: actions/checkout@v4 From 39058e7746496612ae7a483dc1054d7d3a72a18e Mon Sep 17 00:00:00 2001 From: ADOT Patch workflow Date: Wed, 15 Oct 2025 12:28:20 -0700 Subject: [PATCH 03/11] comment step out --- .github/workflows/release-lambda.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/release-lambda.yml b/.github/workflows/release-lambda.yml index 0efb5d59d..8c835653a 100644 --- a/.github/workflows/release-lambda.yml +++ b/.github/workflows/release-lambda.yml @@ -156,13 +156,13 @@ jobs: pattern: ${{ env.LAYER_NAME }}-* path: ${{ env.LAYER_NAME }} merge-multiple: true - - name: show layerARNs - run: | - for file in ${{ env.LAYER_NAME }}/* - do - echo $file - cat $file - done + # - name: show layerARNs + # run: | + # for file in ${{ env.LAYER_NAME }}/* + # do + # echo $file + # cat $file + # done - name: generate layer-note working-directory: ${{ env.LAYER_NAME }} run: | From 29188cf85eebf7e2fd3fb9130c77784f84640096 Mon Sep 17 00:00:00 2001 From: ADOT Patch workflow Date: Wed, 15 Oct 2025 12:41:44 -0700 Subject: [PATCH 04/11] test fixes --- .github/workflows/release-lambda.yml | 87 ++++++++++++++-------------- 1 file changed, 43 insertions(+), 44 deletions(-) diff --git a/.github/workflows/release-lambda.yml b/.github/workflows/release-lambda.yml index 8c835653a..0eb907048 100644 --- a/.github/workflows/release-lambda.yml +++ b/.github/workflows/release-lambda.yml 
@@ -150,12 +150,12 @@ jobs: - name: Checkout Repo @ SHA - ${{ github.sha }} uses: actions/checkout@v4 - uses: hashicorp/setup-terraform@v2 - - name: download layerARNs - uses: actions/download-artifact@v4 - with: - pattern: ${{ env.LAYER_NAME }}-* - path: ${{ env.LAYER_NAME }} - merge-multiple: true + # - name: download layerARNs + # uses: actions/download-artifact@v4 + # with: + # pattern: ${{ env.LAYER_NAME }}-* + # path: ${{ env.LAYER_NAME }} + # merge-multiple: true # - name: show layerARNs # run: | # for file in ${{ env.LAYER_NAME }}/* 
@@ -163,42 +163,42 @@ jobs: # echo $file # cat $file # done - - name: generate layer-note - working-directory: ${{ env.LAYER_NAME }} - run: | - echo "| Region | Layer ARN |" >> ../layer-note - echo "| ---- | ---- |" >> ../layer-note - for file in * - do - read arn < $file - echo "| " $file " | " $arn " |" >> ../layer-note - done - cat ../layer-note - - name: generate tf layer - working-directory: ${{ env.LAYER_NAME }} - run: | - echo "locals {" >> ../layer_arns.tf - echo " sdk_layer_arns = {" >> ../layer_arns.tf - for file in * - do - read arn < $file - echo " \""$file"\" = \""$arn"\"" >> ../layer_arns.tf - done - cd .. - echo " }" >> layer_arns.tf - echo "}" >> layer_arns.tf - terraform fmt layer_arns.tf - cat layer_arns.tf - - name: generate layer ARN constants for CDK - working-directory: ${{ env.LAYER_NAME }} - run: | - echo "{" > ../layer_cdk - for file in *; do - read arn < "$file" - echo " \"$file\": \"$arn\"," >> ../layer_cdk - done - echo "}" >> ../layer_cdk - cat ../layer_cdk + # - name: generate layer-note + # working-directory: ${{ env.LAYER_NAME }} + # run: | + # echo "| Region | Layer ARN |" >> ../layer-note + # echo "| ---- | ---- |" >> ../layer-note + # for file in * + # do + # read arn < $file + # echo "| " $file " | " $arn " |" >> ../layer-note + # done + # cat ../layer-note + # - name: generate tf layer + # working-directory: ${{ env.LAYER_NAME }} + # run: | + # echo "locals {" >> ../layer_arns.tf + # echo " sdk_layer_arns = {" >> ../layer_arns.tf + # for file in * + # do + # read arn < $file + # echo " \""$file"\" = \""$arn"\"" >> ../layer_arns.tf + # done + # cd .. 
+ # echo " }" >> layer_arns.tf + # echo "}" >> layer_arns.tf + # terraform fmt layer_arns.tf + # cat layer_arns.tf + # - name: generate layer ARN constants for CDK + # working-directory: ${{ env.LAYER_NAME }} + # run: | + # echo "{" > ../layer_cdk + # for file in *; do + # read arn < "$file" + # echo " \"$file\": \"$arn\"," >> ../layer_cdk + # done + # echo "}" >> ../layer_cdk + # cat ../layer_cdk - name: download layer.zip uses: actions/download-artifact@v4 with: @@ -219,7 +219,6 @@ jobs: echo "" >> release_notes.md echo "See new Lambda Layer ARNs:" >> release_notes.md echo "" >> release_notes.md - cat layer-note >> release_notes.md echo "" >> release_notes.md echo "Notes:" >> release_notes.md - name: Create GH release @@ -234,7 +233,7 @@ jobs: --notes-file release_notes.md \ --draft \ "lambda-v${VERSION}-${SHA_SHORT}" \ - layer_arns.tf layer.zip + layer.zip echo Removing release_notes.md ... rm -f release_notes.md - name: Upload layer.zip and SHA-256 checksum to SDK Release Notes (tagged with latest) From 4981c95ce6ee92f212b5558239a0e6e80abdb218 Mon Sep 17 00:00:00 2001 From: ADOT Patch workflow Date: Wed, 15 Oct 2025 12:52:23 -0700 Subject: [PATCH 05/11] test fixes --- .github/workflows/release-lambda.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/release-lambda.yml b/.github/workflows/release-lambda.yml index 0eb907048..943dc444d 100644 --- a/.github/workflows/release-lambda.yml +++ b/.github/workflows/release-lambda.yml 
@@ -236,13 +236,13 @@ jobs:
layer.zip
echo Removing release_notes.md ...
rm -f release_notes.md
- - name: Upload layer.zip and SHA-256 checksum to SDK Release Notes (tagged with latest)
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: |
- LATEST_SDK_VERSION=$(gh release list --repo "aws-observability/aws-otel-python-instrumentation" --json tagName,isLatest -q 'map(select(.isLatest==true)) | .[0].tagName')
- # Generate SHA-256 checksum for layer.zip
- shasum -a 256 layer.zip > layer.zip.sha256
- # Upload layer.zip and its checksum to the latest SDK release note
- gh release upload "$LATEST_SDK_VERSION" layer.zip layer.zip.sha256 --repo "aws-observability/aws-otel-python-instrumentation" --clobber
- echo "✅ layer.zip successfully uploaded to $LATEST_SDK_VERSION in the upstream repo!"
+ # - name: Upload layer.zip and SHA-256 checksum to SDK Release Notes (tagged with latest)
+ # env:
+ # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # run: |
+ # LATEST_SDK_VERSION=$(gh release list --repo "aws-observability/aws-otel-python-instrumentation" --json tagName,isLatest -q 'map(select(.isLatest==true)) | .[0].tagName')
+ # # Generate SHA-256 checksum for layer.zip
+ # shasum -a 256 layer.zip > layer.zip.sha256
+ # # Upload layer.zip and its checksum to the latest SDK release note
+ # gh release upload "$LATEST_SDK_VERSION" layer.zip layer.zip.sha256 --repo "aws-observability/aws-otel-python-instrumentation" --clobber
+ # echo "✅ layer.zip successfully uploaded to $LATEST_SDK_VERSION in the upstream repo!"
From f7093048cd52e357e7fe05a917ac1e51dbd5e77e Mon Sep 17 00:00:00 2001
From: ADOT Patch workflow
Date: Wed, 15 Oct 2025 13:04:16 -0700
Subject: [PATCH 06/11] undo commented steps for testing
---
.github/workflows/release-lambda.yml | 292 +++++++++++++--------------
1 file changed, 145 insertions(+), 147 deletions(-)
diff --git a/.github/workflows/release-lambda.yml b/.github/workflows/release-lambda.yml
index 943dc444d..1706fbfc6 100644
--- a/.github/workflows/release-lambda.yml
+++ b/.github/workflows/release-lambda.yml
@@ -10,9 +10,6 @@ on:
description: 'Deploy to aws regions'
required: true
default: 'us-east-1, us-east-2, us-west-1, us-west-2, ap-south-1, ap-northeast-3, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-northeast-1, ca-central-1, eu-central-1, eu-west-1, eu-west-2, eu-west-3, eu-north-1, sa-east-1, af-south-1, ap-east-1, ap-south-2, ap-southeast-3, ap-southeast-4, eu-central-2, eu-south-1, eu-south-2, il-central-1, me-central-1, me-south-1, ap-southeast-5, ap-southeast-7, mx-central-1, ca-west-1, cn-north-1, cn-northwest-1'
- push:
- branches:
- zhaez/patch-1
env:
# Legacy list of commercial regions to deploy to. New regions should NOT be added here, and instead should be added to the `aws_region` default input to the workflow.
@@ -60,145 +57,145 @@ jobs: with: name: layer.zip path: lambda-layer/src/build/aws-opentelemetry-python-layer.zip - # publish-prod: - # runs-on: ubuntu-latest - # needs: build-layer - # strategy: - # matrix: - # aws_region: ${{ fromJson(needs.build-layer.outputs.aws_regions_json) }} - # steps: - # - name: role arn - # env: - # LEGACY_COMMERCIAL_REGIONS: ${{ env.LEGACY_COMMERCIAL_REGIONS }} - # run: | - # LEGACY_COMMERCIAL_REGIONS_ARRAY=(${LEGACY_COMMERCIAL_REGIONS//,/ }) - # FOUND=false - # for REGION in "${LEGACY_COMMERCIAL_REGIONS_ARRAY[@]}"; do - # if [[ "$REGION" == "${{ matrix.aws_region }}" ]]; then - # FOUND=true - # break - # fi - # done - # if [ "$FOUND" = true ]; then - # echo "Found ${{ matrix.aws_region }} in LEGACY_COMMERCIAL_REGIONS" - # SECRET_KEY="LAMBDA_LAYER_RELEASE" - # else - # echo "Not found ${{ matrix.aws_region }} in LEGACY_COMMERCIAL_REGIONS" - # SECRET_KEY="${{ matrix.aws_region }}_LAMBDA_LAYER_RELEASE" - # fi - # SECRET_KEY=${SECRET_KEY//-/_} - # echo "SECRET_KEY=${SECRET_KEY}" >> $GITHUB_ENV - # - uses: aws-actions/configure-aws-credentials@v4.0.2 - # with: - # role-to-assume: ${{ secrets[env.SECRET_KEY] }} - # role-duration-seconds: 1200 - # aws-region: ${{ matrix.aws_region }} - # - name: Get s3 bucket name for release - # run: | - # echo BUCKET_NAME=python-lambda-layer-${{ github.run_id }}-${{ matrix.aws_region }} | tee --append $GITHUB_ENV - # - name: download layer.zip - # uses: actions/download-artifact@v4 - # with: - # name: layer.zip - # - name: publish - # run: | - # aws s3 mb s3://${{ env.BUCKET_NAME }} - # aws s3 cp aws-opentelemetry-python-layer.zip s3://${{ env.BUCKET_NAME }} - # layerARN=$( - # aws lambda publish-layer-version \ - # --layer-name ${{ env.LAYER_NAME }} \ - # --content S3Bucket=${{ env.BUCKET_NAME }},S3Key=aws-opentelemetry-python-layer.zip \ - # --compatible-runtimes python3.10 python3.11 python3.12 python3.13 \ - # --compatible-architectures "arm64" "x86_64" \ - # --license-info "Apache-2.0" \ - # 
--description "AWS Distro of OpenTelemetry Lambda Layer for Python Runtime" \ - # --query 'LayerVersionArn' \ - # --output text - # ) - # echo $layerARN - # echo "LAYER_ARN=${layerARN}" >> $GITHUB_ENV - # mkdir ${{ env.LAYER_NAME }} - # echo $layerARN > ${{ env.LAYER_NAME }}/${{ matrix.aws_region }} - # cat ${{ env.LAYER_NAME }}/${{ matrix.aws_region }} - # - name: public layer - # run: | - # layerVersion=$( - # aws lambda list-layer-versions \ - # --layer-name ${{ env.LAYER_NAME }} \ - # --query 'max_by(LayerVersions, &Version).Version' - # ) - # aws lambda add-layer-version-permission \ - # --layer-name ${{ env.LAYER_NAME }} \ - # --version-number $layerVersion \ - # --principal "*" \ - # --statement-id publish \ - # --action lambda:GetLayerVersion - # - name: upload layer arn artifact - # if: ${{ success() }} - # uses: actions/upload-artifact@v4 - # with: - # name: ${{ env.LAYER_NAME }}-${{ matrix.aws_region }} - # path: ${{ env.LAYER_NAME }}/${{ matrix.aws_region }} - # - name: clean s3 - # if: always() - # run: | - # aws s3 rb --force s3://${{ env.BUCKET_NAME }} - generate-release-note: + publish-prod: runs-on: ubuntu-latest needs: build-layer + strategy: + matrix: + aws_region: ${{ fromJson(needs.build-layer.outputs.aws_regions_json) }} + steps: + - name: role arn + env: + LEGACY_COMMERCIAL_REGIONS: ${{ env.LEGACY_COMMERCIAL_REGIONS }} + run: | + LEGACY_COMMERCIAL_REGIONS_ARRAY=(${LEGACY_COMMERCIAL_REGIONS//,/ }) + FOUND=false + for REGION in "${LEGACY_COMMERCIAL_REGIONS_ARRAY[@]}"; do + if [[ "$REGION" == "${{ matrix.aws_region }}" ]]; then + FOUND=true + break + fi + done + if [ "$FOUND" = true ]; then + echo "Found ${{ matrix.aws_region }} in LEGACY_COMMERCIAL_REGIONS" + SECRET_KEY="LAMBDA_LAYER_RELEASE" + else + echo "Not found ${{ matrix.aws_region }} in LEGACY_COMMERCIAL_REGIONS" + SECRET_KEY="${{ matrix.aws_region }}_LAMBDA_LAYER_RELEASE" + fi + SECRET_KEY=${SECRET_KEY//-/_} + echo "SECRET_KEY=${SECRET_KEY}" >> $GITHUB_ENV + - uses: 
aws-actions/configure-aws-credentials@v4.0.2 + with: + role-to-assume: ${{ secrets[env.SECRET_KEY] }} + role-duration-seconds: 1200 + aws-region: ${{ matrix.aws_region }} + - name: Get s3 bucket name for release + run: | + echo BUCKET_NAME=python-lambda-layer-${{ github.run_id }}-${{ matrix.aws_region }} | tee --append $GITHUB_ENV + - name: download layer.zip + uses: actions/download-artifact@v4 + with: + name: layer.zip + - name: publish + run: | + aws s3 mb s3://${{ env.BUCKET_NAME }} + aws s3 cp aws-opentelemetry-python-layer.zip s3://${{ env.BUCKET_NAME }} + layerARN=$( + aws lambda publish-layer-version \ + --layer-name ${{ env.LAYER_NAME }} \ + --content S3Bucket=${{ env.BUCKET_NAME }},S3Key=aws-opentelemetry-python-layer.zip \ + --compatible-runtimes python3.10 python3.11 python3.12 python3.13 \ + --compatible-architectures "arm64" "x86_64" \ + --license-info "Apache-2.0" \ + --description "AWS Distro of OpenTelemetry Lambda Layer for Python Runtime" \ + --query 'LayerVersionArn' \ + --output text + ) + echo $layerARN + echo "LAYER_ARN=${layerARN}" >> $GITHUB_ENV + mkdir ${{ env.LAYER_NAME }} + echo $layerARN > ${{ env.LAYER_NAME }}/${{ matrix.aws_region }} + cat ${{ env.LAYER_NAME }}/${{ matrix.aws_region }} + - name: public layer + run: | + layerVersion=$( + aws lambda list-layer-versions \ + --layer-name ${{ env.LAYER_NAME }} \ + --query 'max_by(LayerVersions, &Version).Version' + ) + aws lambda add-layer-version-permission \ + --layer-name ${{ env.LAYER_NAME }} \ + --version-number $layerVersion \ + --principal "*" \ + --statement-id publish \ + --action lambda:GetLayerVersion + - name: upload layer arn artifact + if: ${{ success() }} + uses: actions/upload-artifact@v4 + with: + name: ${{ env.LAYER_NAME }}-${{ matrix.aws_region }} + path: ${{ env.LAYER_NAME }}/${{ matrix.aws_region }} + - name: clean s3 + if: always() + run: | + aws s3 rb --force s3://${{ env.BUCKET_NAME }} + generate-release-note: + runs-on: ubuntu-latest + needs: publish-prod steps: - 
name: Checkout Repo @ SHA - ${{ github.sha }} uses: actions/checkout@v4 - uses: hashicorp/setup-terraform@v2 - # - name: download layerARNs - # uses: actions/download-artifact@v4 - # with: - # pattern: ${{ env.LAYER_NAME }}-* - # path: ${{ env.LAYER_NAME }} - # merge-multiple: true - # - name: show layerARNs - # run: | - # for file in ${{ env.LAYER_NAME }}/* - # do - # echo $file - # cat $file - # done - # - name: generate layer-note - # working-directory: ${{ env.LAYER_NAME }} - # run: | - # echo "| Region | Layer ARN |" >> ../layer-note - # echo "| ---- | ---- |" >> ../layer-note - # for file in * - # do - # read arn < $file - # echo "| " $file " | " $arn " |" >> ../layer-note - # done - # cat ../layer-note - # - name: generate tf layer - # working-directory: ${{ env.LAYER_NAME }} - # run: | - # echo "locals {" >> ../layer_arns.tf - # echo " sdk_layer_arns = {" >> ../layer_arns.tf - # for file in * - # do - # read arn < $file - # echo " \""$file"\" = \""$arn"\"" >> ../layer_arns.tf - # done - # cd .. 
- # echo " }" >> layer_arns.tf - # echo "}" >> layer_arns.tf - # terraform fmt layer_arns.tf - # cat layer_arns.tf - # - name: generate layer ARN constants for CDK - # working-directory: ${{ env.LAYER_NAME }} - # run: | - # echo "{" > ../layer_cdk - # for file in *; do - # read arn < "$file" - # echo " \"$file\": \"$arn\"," >> ../layer_cdk - # done - # echo "}" >> ../layer_cdk - # cat ../layer_cdk + - name: download layerARNs + uses: actions/download-artifact@v4 + with: + pattern: ${{ env.LAYER_NAME }}-* + path: ${{ env.LAYER_NAME }} + merge-multiple: true + - name: show layerARNs + run: | + for file in ${{ env.LAYER_NAME }}/* + do + echo $file + cat $file + done + - name: generate layer-note + working-directory: ${{ env.LAYER_NAME }} + run: | + echo "| Region | Layer ARN |" >> ../layer-note + echo "| ---- | ---- |" >> ../layer-note + for file in * + do + read arn < $file + echo "| " $file " | " $arn " |" >> ../layer-note + done + cat ../layer-note + - name: generate tf layer + working-directory: ${{ env.LAYER_NAME }} + run: | + echo "locals {" >> ../layer_arns.tf + echo " sdk_layer_arns = {" >> ../layer_arns.tf + for file in * + do + read arn < $file + echo " \""$file"\" = \""$arn"\"" >> ../layer_arns.tf + done + cd .. + echo " }" >> layer_arns.tf + echo "}" >> layer_arns.tf + terraform fmt layer_arns.tf + cat layer_arns.tf + - name: generate layer ARN constants for CDK + working-directory: ${{ env.LAYER_NAME }} + run: | + echo "{" > ../layer_cdk + for file in *; do + read arn < "$file" + echo " \"$file\": \"$arn\"," >> ../layer_cdk + done + echo "}" >> ../layer_cdk + cat ../layer_cdk - name: download layer.zip uses: actions/download-artifact@v4 with: @@ -219,6 +216,7 @@ jobs: echo "" >> release_notes.md echo "See new Lambda Layer ARNs:" >> release_notes.md echo "" >> release_notes.md + cat layer-note >> release_notes.md echo "" >> release_notes.md echo "Notes:" >> release_notes.md - name: Create GH release 
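Review bot: The restored `publish-prod` job expands `${{ matrix.aws_region }}` directly inside `run:` scripts — `if [[ "$REGION" == "${{ matrix.aws_region }}" ]]`, `SECRET_KEY="${{ matrix.aws_region }}_LAMBDA_LAYER_RELEASE"`, the `echo BUCKET_NAME=...` line and the `mkdir`/`echo`/`cat` lines of the `publish` step — even though patch 01 moved the very input this matrix is built from (`aws_region`) into `env:` so that the shell no longer sees template-expanded text. Applying the same pattern here would make the series consistent: set `env: AWS_REGION: ${{ matrix.aws_region }}` once on the job and use `"$AWS_REGION"` in the scripts; `LAYER_NAME` and `BUCKET_NAME` are already plain environment variables at run time, so `$LAYER_NAME`/`$BUCKET_NAME` can replace the `${{ env.* }}` expansions inside `run:` as well (the `with:` and `if:` fields still need the expression form). This hunk only uncomments the job, so the pattern predates the series, but it is the code that ends up in the tree.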
@@ -233,16 +231,16 @@ jobs: --notes-file release_notes.md \ --draft \ "lambda-v${VERSION}-${SHA_SHORT}" \ - layer.zip + layer_arns.tf layer.zip echo Removing release_notes.md ... rm -f release_notes.md - # - name: Upload layer.zip and SHA-256 checksum to SDK Release Notes (tagged with latest) - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # run: | - # LATEST_SDK_VERSION=$(gh release list --repo "aws-observability/aws-otel-python-instrumentation" --json tagName,isLatest -q 'map(select(.isLatest==true)) | .[0].tagName') - # # Generate SHA-256 checksum for layer.zip - # shasum -a 256 layer.zip > layer.zip.sha256 - # # Upload layer.zip and its checksum to the latest SDK release note - # gh release upload "$LATEST_SDK_VERSION" layer.zip layer.zip.sha256 --repo "aws-observability/aws-otel-python-instrumentation" --clobber - # echo "✅ layer.zip successfully uploaded to $LATEST_SDK_VERSION in the upstream repo!" + - name: Upload layer.zip and SHA-256 checksum to SDK Release Notes (tagged with latest) + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + LATEST_SDK_VERSION=$(gh release list --repo "aws-observability/aws-otel-python-instrumentation" --json tagName,isLatest -q 'map(select(.isLatest==true)) | .[0].tagName') + # Generate SHA-256 checksum for layer.zip + shasum -a 256 layer.zip > layer.zip.sha256 + # Upload layer.zip and its checksum to the latest SDK release note + gh release upload "$LATEST_SDK_VERSION" layer.zip layer.zip.sha256 --repo "aws-observability/aws-otel-python-instrumentation" --clobber + echo "✅ layer.zip successfully uploaded to $LATEST_SDK_VERSION in the upstream repo!" From d7f000f1f7a506831648f285cce6426bd414f225 Mon Sep 17 00:00:00 2001 From: Eric Zhang Date: Wed, 22 Oct 2025 12:05:07 -0700 Subject: [PATCH 07/11] remove brackets --- .github/workflows/release-lambda.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
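Review bot: `LATEST_SDK_VERSION` is used by the restored `gh release upload` line without a guard; when `gh release list` returns no release flagged `isLatest`, the jq filter yields `null`, which `-r` prints as the literal string `null`, so the step would try to upload to a release called `null` and the success message would report that. Add `[ -n "$LATEST_SDK_VERSION" ] && [ "$LATEST_SDK_VERSION" != "null" ] || { echo "no latest SDK release found" >&2; exit 1; }` right after the assignment. Separately, `--clobber` silently replaces an asset already attached to a published release, and since `layer.zip.sha256` is generated in the same step from the same file it only guards against transfer corruption, not against the asset being swapped after publication; a comment stating that this overwrite is intentional would help, and a build-provenance attestation for `layer.zip` would give consumers something stronger than the co-published checksum.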
diff --git a/.github/workflows/release-lambda.yml b/.github/workflows/release-lambda.yml
index 1706fbfc6..e135f3b09 100644
--- a/.github/workflows/release-lambda.yml
+++ b/.github/workflows/release-lambda.yml
@@ -211,7 +211,7 @@ jobs:
VERSION: ${{ github.event.inputs.version }}
SHA_SHORT: ${{ steps.commit.outputs.sha_short }}
run: |
- echo "AWS OpenTelemetry Lambda Layer for Python version ${VERSION}-${SHA_SHORT}" > release_notes.md
+ echo "AWS OpenTelemetry Lambda Layer for Python version $VERSION-$SHA_SHORT" > release_notes.md
echo "" >> release_notes.md
echo "" >> release_notes.md
echo "See new Lambda Layer ARNs:" >> release_notes.md
@@ -227,10 +227,10 @@ jobs:
SHA_SHORT: ${{ steps.commit.outputs.sha_short }}
run: |
gh release create --target "$GITHUB_REF_NAME" \
- --title "Release lambda-v${VERSION}-${SHA_SHORT}" \
+ --title "Release lambda-v$VERSION-$SHA_SHORT" \
--notes-file release_notes.md \
--draft \
- "lambda-v${VERSION}-${SHA_SHORT}" \
+ "lambda-v$VERSION-$SHA_SHORT" \
layer_arns.tf layer.zip
echo Removing release_notes.md ...
rm -f release_notes.md
From 646e5ac45c3608d4c4eff0fc1f36417a9004f7c2 Mon Sep 17 00:00:00 2001
From: Thomas Pierce Date: Mon, 22 Sep 2025 17:18:32 -0700 Subject: [PATCH 08/11] feat: add self-validating workflow gate jobs (#477) Add gate jobs that fail if any workflow job fails OR if any job is missing from the gate's needs array. Prevents both job failures and configuration drift when adding new workflow jobs. Callout: I don't think it's possible to have one gate for both workflows, but it should not be the case that we add more over time. ### Testing: * Confirmed if even one subjob in a matrix fails, the job fails: [PASS](https://github.com/aws-observability/aws-otel-python-instrumentation/actions/runs/17930014615/job/50985189015?pr=477) * lint(lint) passes, but lint (spellcheck) fails, and all-pr-checks-pass fails. * Confirmed if a job is missing, the job fails: [PASS](https://github.com/aws-observability/aws-otel-python-instrumentation/actions/runs/17930365916/job/50986188220?pr=477) By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice. --- .github/workflows/codeql.yml | 35 ++++++++++++++++++++++++++++++++++ .github/workflows/pr-build.yml | 35 ++++++++++++++++++++++++++++++++++ 2 files changed, 70 insertions(+) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index dacf9c831..45a2648a0 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -95,3 +95,38 @@ jobs:
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"
+
+ all-codeql-checks-pass:
+ runs-on: ubuntu-latest
+ needs: [analyze]
+ if: always()
+ steps:
+ - name: Checkout to get workflow file
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #5.0.0
+
+ - name: Check all jobs succeeded and none missing
+ run: |
+ # Check if all needed jobs succeeded
+ results='${{ toJSON(needs) }}'
+ if echo "$results" | jq -r '.[] | .result' | grep -v success; then
+ echo "Some jobs failed"
+ exit 1
+ fi
+
+ # Extract all job names from workflow (excluding this gate job)
+ all_jobs=$(yq eval '.jobs | keys | .[]' .github/workflows/codeql.yml | grep -v "all-codeql-checks-pass" | sort)
+
+ # Extract job names from needs array
+ needed_jobs='${{ toJSON(needs) }}'
+ needs_list=$(echo "$needed_jobs" | jq -r 'keys[]' | sort)
+
+ # Check if any jobs are missing from needs
+ missing_jobs=$(comm -23 <(echo "$all_jobs") <(echo "$needs_list"))
+ if [ -n "$missing_jobs" ]; then
+ echo "ERROR: Jobs missing from needs array in all-codeql-checks-pass:"
+ echo "$missing_jobs"
+ echo "Please add these jobs to the needs array of all-codeql-checks-pass"
+ exit 1
+ fi
+
+ echo "All CodeQL checks passed and no jobs missing from gate!"
diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml
index fbd265f50..dfc6b9c85 100644
--- a/.github/workflows/pr-build.yml
+++ b/.github/workflows/pr-build.yml
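Review bot: `results='${{ toJSON(needs) }}'` and `needed_jobs='${{ toJSON(needs) }}'` in the new gate step splice the `needs` context into a single-quoted shell string at template-expansion time; that context carries each needed job's `outputs` as well as its `result`, so if any dependency ever exposes an output containing a `'`, the quoting breaks and the rest of the script is reinterpreted — whether `analyze` defines outputs today is not visible here. The pattern the series itself adopts in patch 01 applies: declare `env: NEEDS_JSON: ${{ toJSON(needs) }}` on the step, read `"$NEEDS_JSON"` in both places, and drop the second, duplicated expansion. The identical construct appears in the `pr-build.yml` hunk of this patch, where the five listed dependencies make the outputs question more likely to matter.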
@@ -100,3 +100,38 @@ jobs:
- name: Build with Gradle
run: cd performance-tests; ./gradlew spotlessCheck
+
+ all-pr-checks-pass:
+ runs-on: ubuntu-latest
+ needs: [static-code-checks, lint, spotless, build, build-lambda]
+ if: always()
+ steps:
+ - name: Checkout to get workflow file
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #5.0.0
+
+ - name: Check all jobs succeeded and none missing
+ run: |
+ # Check if all needed jobs succeeded
+ results='${{ toJSON(needs) }}'
+ if echo "$results" | jq -r '.[] | .result' | grep -v success; then
+ echo "Some jobs failed"
+ exit 1
+ fi
+
+ # Extract all job names from workflow (excluding this gate job)
+ all_jobs=$(yq eval '.jobs | keys | .[]' .github/workflows/pr-build.yml | grep -v "all-pr-checks-pass" | sort)
+
+ # Extract job names from needs array
+ needed_jobs='${{ toJSON(needs) }}'
+ needs_list=$(echo "$needed_jobs" | jq -r 'keys[]' | sort)
+
+ # Check if any jobs are missing from needs
+ missing_jobs=$(comm -23 <(echo "$all_jobs") <(echo "$needs_list"))
+ if [ -n "$missing_jobs" ]; then
+ echo "ERROR: Jobs missing from needs array in all-pr-checks-pass:"
+ echo "$missing_jobs"
+ echo "Please add these jobs to the needs array of all-pr-checks-pass"
+ exit 1
+ fi
+
+ echo "All checks passed and no jobs missing from gate!"
From 2de80d4db27c5f793384680b6c0dba82c869137f Mon Sep 17 00:00:00 2001
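Review bot: `needs: [static-code-checks, lint, spotless, build, build-lambda]` references `static-code-checks`, which as far as this series shows is only introduced into pr-build.yml by the next patch (PATCH 09 adds it against index dfc6b9c85, the state this hunk produces). GitHub refuses to load a workflow whose `needs` names an undefined job, so with the patches in this order pr-build.yml is invalid between PATCH 08 and PATCH 09; swapping the two patches, or listing only the jobs that exist here and adding `static-code-checks` in 09, keeps every intermediate commit runnable. The single-quoted `${{ toJSON(needs) }}` interpolations in the run script carry the same injection exposure as the codeql gate and should likewise be moved into an `env:` variable.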
From: Thomas Pierce Date: Mon, 22 Sep 2025 13:13:35 -0700 Subject: [PATCH 09/11] feat: prevent versioned 3P GitHub actions in PR builds (#475) Add validation step to require commit SHAs instead of version tags for third-party GitHub actions in workflow files. Also fix the one we missed: `aquasecurity/trivy-action` - depending on `master` is pretty unusual and not trivial to catch, ultimately the Repo config `Require actions to be pinned to a full-length commit SHA` will protect against this if we missed any others. * `Python Instrumentation PR Build / static-code-checks (pull_request)` passes * `Check CHANGELOG` fails, causing PR-build to fail, but `Check for versioned GitHub action` passes: https://github.com/aws-observability/aws-otel-python-instrumentation/actions/runs/17924516041/job/50967250100?pr=475 * Added various [`@v` in code](https://github.com/aws-observability/aws-otel-python-instrumentation/pull/475/commits/f2f05238fa228a26c211f5ffcba78725e92fe49d), only finds uncommented ones: https://github.com/aws-observability/aws-otel-python-instrumentation/actions/runs/17925754982/job/50971348934?pr=475 ``` Found versioned GitHub actions. Use commit SHAs instead: .github/actions/lambda_artifacts_build/action.yml:30: - uses: actions/checkout@v4 .github/actions/lambda_artifacts_build/action.yml:42: - uses: actions/checkout@v4 #v4 .github/workflows/daily-scan.yml:54: - uses: actions/checkout@v4 #v4 .github/workflows/daily-scan.yml:106: - uses: actions/checkout@v4 ``` By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice. --- .github/actions/image_scan/action.yml | 2 +- .github/workflows/pr-build.yml | 55 +++++++++++++++++++++++++++ 2 files changed, 56 insertions(+), 1 deletion(-) diff --git a/.github/actions/image_scan/action.yml b/.github/actions/image_scan/action.yml index 31d5a78fe..519f6a708 100644 --- a/.github/actions/image_scan/action.yml 
+++ b/.github/actions/image_scan/action.yml @@ -32,7 +32,7 @@ runs: run: docker logout public.ecr.aws - name: Run Trivy vulnerability scanner on image - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1 with: image-ref: ${{ inputs.image-ref }} severity: ${{ inputs.severity }} diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml index dfc6b9c85..681c0a1ce 100644 --- a/.github/workflows/pr-build.yml +++ b/.github/workflows/pr-build.yml 
@@ -10,6 +10,61 @@ permissions:
contents: read
jobs:
+ static-code-checks:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #5.0.0
+ with:
+ fetch-depth: 0
+
+ - name: Check CHANGELOG
+ if: always()
+ run: |
+ # Check if PR is from workflows bot or dependabot
+ if [[ "${{ github.event.pull_request.user.login }}" == "aws-application-signals-bot" ]]; then
+ echo "Skipping check: PR from aws-application-signals-bot"
+ exit 0
+ fi
+
+ if [[ "${{ github.event.pull_request.user.login }}" == "dependabot[bot]" ]]; then
+ echo "Skipping check: PR from dependabot"
+ exit 0
+ fi
+
+ # Check for skip changelog label
+ if echo '${{ toJSON(github.event.pull_request.labels.*.name) }}' | jq -r '.[]' | grep -q "skip changelog"; then
+ echo "Skipping check: skip changelog label found"
+ exit 0
+ fi
+
+ # Fetch base branch and check for CHANGELOG modifications
+ git fetch origin ${{ github.base_ref }}
+ if git diff --name-only origin/${{ github.base_ref }}..HEAD | grep -q "CHANGELOG.md"; then
+ echo "CHANGELOG.md entry found - check passed"
+ exit 0
+ fi
+
+ echo "It looks like you didn't add an entry to CHANGELOG.md. If this change affects the SDK behavior, please update CHANGELOG.md and link this PR in your entry. If this PR does not need a CHANGELOG entry, you can add the 'Skip Changelog' label to this PR."
+ exit 1
+
+ - name: Check for versioned GitHub actions
+ if: always()
+ run: |
+ # Get changed GitHub workflow/action files
+ CHANGED_FILES=$(git diff --name-only origin/${{ github.base_ref }}..HEAD | grep -E "^\.github/(workflows|actions)/.*\.ya?ml$" || true)
+
+ if [ -n "$CHANGED_FILES" ]; then
+ # Check for any versioned actions, excluding comments and this validation script
+ VIOLATIONS=$(grep -Hn "uses:.*@v" $CHANGED_FILES | grep -v "grep.*uses:.*@v" | grep -v "#.*@v" || true)
+ if [ -n "$VIOLATIONS" ]; then
+ echo "Found versioned GitHub actions. 
Use commit SHAs instead:" + echo "$VIOLATIONS" + exit 1 + fi + fi + + echo "No versioned actions found in changed files" + build: runs-on: ubuntu-latest strategy: From 696ed8a8c141ddf4078713184a7b7b0a06d9ccab Mon Sep 17 00:00:00 2001 From: Eric Zhang Date: Wed, 22 Oct 2025 13:21:35 -0700 Subject: [PATCH 10/11] Revert "feat: prevent versioned 3P GitHub actions in PR builds (#475)" This reverts commit 2de80d4db27c5f793384680b6c0dba82c869137f. --- .github/actions/image_scan/action.yml | 2 +- .github/workflows/pr-build.yml | 55 --------------------------- 2 files changed, 1 insertion(+), 56 deletions(-) diff --git a/.github/actions/image_scan/action.yml b/.github/actions/image_scan/action.yml index 519f6a708..31d5a78fe 100644 --- a/.github/actions/image_scan/action.yml +++ b/.github/actions/image_scan/action.yml @@ -32,7 +32,7 @@ runs: run: docker logout public.ecr.aws - name: Run Trivy vulnerability scanner on image - uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1 + uses: aquasecurity/trivy-action@master with: image-ref: ${{ inputs.image-ref }} severity: ${{ inputs.severity }} diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml index 681c0a1ce..dfc6b9c85 100644 --- a/.github/workflows/pr-build.yml +++ b/.github/workflows/pr-build.yml 
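Review bot: The pin check `grep -Hn "uses:.*@v" $CHANGED_FILES` only flags refs that begin with `v`, so `@master`, `@main`, bare numeric tags and abbreviated SHAs all pass — exactly the case the commit message says was hard to catch. Invert it into a positive requirement for a full 40-hex SHA, e.g. `VIOLATIONS=$(grep -HnE 'uses:\s*\S+@' $CHANGED_FILES | grep -vE 'uses:\s*(\./|docker://)' | grep -vE '@[0-9a-f]{40}\b' || true)`, which also makes the self-exclusion `grep -v "grep.*uses:.*@v"` unnecessary and stops `grep -v "#.*@v"` from hiding a real violation that happens to carry a trailing comment. Separately, `'${{ toJSON(github.event.pull_request.labels.*.name) }}'` and `${{ github.base_ref }}` are expanded directly into bash; label and branch names are collaborator-controlled and may contain quotes or `$(...)`, so expose them via `env:` (`PR_LABELS`, `BASE_REF`) and reference `"$PR_LABELS"` / `"$BASE_REF"` in the script. The `static-code-checks` job ends at the `build:` context line, so the hunk covers it completely.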
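Review bot: Reverting #475 wholesale also drops a hardening that was independent of the PR-build check: `uses: aquasecurity/trivy-action@master` is back to tracking a mutable branch of a third-party action that runs inside the calling job with its credentials, and a compromise or force-push of that branch would be picked up on the next scan. If the intent of the revert is only to remove the `static-code-checks` job, keep `uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1` out of the revert, or re-apply the pin in a follow-up commit.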
@@ -10,61 +10,6 @@ permissions:
contents: read
jobs:
- static-code-checks:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #5.0.0
- with:
- fetch-depth: 0
-
- - name: Check CHANGELOG
- if: always()
- run: |
- # Check if PR is from workflows bot or dependabot
- if [[ "${{ github.event.pull_request.user.login }}" == "aws-application-signals-bot" ]]; then
- echo "Skipping check: PR from aws-application-signals-bot"
- exit 0
- fi
-
- if [[ "${{ github.event.pull_request.user.login }}" == "dependabot[bot]" ]]; then
- echo "Skipping check: PR from dependabot"
- exit 0
- fi
-
- # Check for skip changelog label
- if echo '${{ toJSON(github.event.pull_request.labels.*.name) }}' | jq -r '.[]' | grep -q "skip changelog"; then
- echo "Skipping check: skip changelog label found"
- exit 0
- fi
-
- # Fetch base branch and check for CHANGELOG modifications
- git fetch origin ${{ github.base_ref }}
- if git diff --name-only origin/${{ github.base_ref }}..HEAD | grep -q "CHANGELOG.md"; then
- echo "CHANGELOG.md entry found - check passed"
- exit 0
- fi
-
- echo "It looks like you didn't add an entry to CHANGELOG.md. If this change affects the SDK behavior, please update CHANGELOG.md and link this PR in your entry. If this PR does not need a CHANGELOG entry, you can add the 'Skip Changelog' label to this PR."
- exit 1
-
- - name: Check for versioned GitHub actions
- if: always()
- run: |
- # Get changed GitHub workflow/action files
- CHANGED_FILES=$(git diff --name-only origin/${{ github.base_ref }}..HEAD | grep -E "^\.github/(workflows|actions)/.*\.ya?ml$" || true)
-
- if [ -n "$CHANGED_FILES" ]; then
- # Check for any versioned actions, excluding comments and this validation script
- VIOLATIONS=$(grep -Hn "uses:.*@v" $CHANGED_FILES | grep -v "grep.*uses:.*@v" | grep -v "#.*@v" || true)
- if [ -n "$VIOLATIONS" ]; then
- echo "Found versioned GitHub actions. 
Use commit SHAs instead:" - echo "$VIOLATIONS" - exit 1 - fi - fi - - echo "No versioned actions found in changed files" - build: runs-on: ubuntu-latest strategy: From 12cc6754e81cfd266969be74b66f5e68bba733c9 Mon Sep 17 00:00:00 2001 From: Eric Zhang Date: Wed, 22 Oct 2025 13:21:49 -0700 Subject: [PATCH 11/11] Revert "feat: add self-validating workflow gate jobs (#477)" This reverts commit 646e5ac45c3608d4c4eff0fc1f36417a9004f7c2. --- .github/workflows/codeql.yml | 35 ---------------------------------- .github/workflows/pr-build.yml | 35 ---------------------------------- 2 files changed, 70 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 45a2648a0..dacf9c831 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -95,38 +95,3 @@ jobs:
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"
-
- all-codeql-checks-pass:
- runs-on: ubuntu-latest
- needs: [analyze]
- if: always()
- steps:
- - name: Checkout to get workflow file
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #5.0.0
-
- - name: Check all jobs succeeded and none missing
- run: |
- # Check if all needed jobs succeeded
- results='${{ toJSON(needs) }}'
- if echo "$results" | jq -r '.[] | .result' | grep -v success; then
- echo "Some jobs failed"
- exit 1
- fi
-
- # Extract all job names from workflow (excluding this gate job)
- all_jobs=$(yq eval '.jobs | keys | .[]' .github/workflows/codeql.yml | grep -v "all-codeql-checks-pass" | sort)
-
- # Extract job names from needs array
- needed_jobs='${{ toJSON(needs) }}'
- needs_list=$(echo "$needed_jobs" | jq -r 'keys[]' | sort)
-
- # Check if any jobs are missing from needs
- missing_jobs=$(comm -23 <(echo "$all_jobs") <(echo "$needs_list"))
- if [ -n "$missing_jobs" ]; then
- echo "ERROR: Jobs missing from needs array in all-codeql-checks-pass:"
- echo "$missing_jobs"
- echo "Please add these jobs to the needs array of all-codeql-checks-pass"
- exit 1
- fi
-
- echo "All CodeQL checks passed and no jobs missing from gate!"
diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml
index dfc6b9c85..fbd265f50 100644
--- a/.github/workflows/pr-build.yml
+++ b/.github/workflows/pr-build.yml
@@ -100,38 +100,3 @@ jobs:
- name: Build with Gradle
run: cd performance-tests; ./gradlew spotlessCheck
-
- all-pr-checks-pass:
- runs-on: ubuntu-latest
- needs: [static-code-checks, lint, spotless, build, build-lambda]
- if: always()
- steps:
- - name: Checkout to get workflow file
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #5.0.0
-
- - name: Check all jobs succeeded and none missing
- run: |
- # Check if all needed jobs succeeded
- results='${{ toJSON(needs) }}'
- if echo "$results" | jq -r '.[] | .result' | grep -v success; then
- echo "Some jobs failed"
- exit 1
- fi
-
- # Extract all job names from workflow (excluding this gate job)
- all_jobs=$(yq eval '.jobs | keys | .[]' .github/workflows/pr-build.yml | grep -v "all-pr-checks-pass" | sort)
-
- # Extract job names from needs array
- needed_jobs='${{ toJSON(needs) }}'
- needs_list=$(echo "$needed_jobs" | jq -r 'keys[]' | sort)
-
- # Check if any jobs are missing from needs
- missing_jobs=$(comm -23 <(echo "$all_jobs") <(echo "$needs_list"))
- if [ -n "$missing_jobs" ]; then
- echo "ERROR: Jobs missing from needs array in all-pr-checks-pass:"
- echo "$missing_jobs"
- echo "Please add these jobs to the needs array of all-pr-checks-pass"
- exit 1
- fi
-
- echo "All checks passed and no jobs missing from gate!"