Skip to content

catch errors during secret refreshes #7720

catch errors during secret refreshes

catch errors during secret refreshes #7720

Workflow file for this run

name: health_checks
on:
push:
branches:
- main
- hotfix
pull_request:
branches:
- main
- hotfix
- feature/**
schedule:
# Every day at minute 0 past hour 0, 6, 12, and 18 UTC.
# This is to make sure that there is at least one workflow run every 24 hours
# taking into account that
# 1) scheduled runs may not fire at exact prescribed time;
# 2) transient failures may happen and auto recover;
- cron: '0 0,6,12,18 * * *'
workflow_dispatch:
inputs:
desired-cdk-version:
description: 'AWS CDK version (exact or tag). Defaults to package-locked version.'
required: false
type: string
include-package-manager-e2e-tests:
description: 'Include package manager e2e tests?'
required: false
type: boolean
default: true
include-create-amplify-e2e-tests:
description: 'Include create-amplify e2e tests?'
required: false
type: boolean
default: true
include-macos:
description: 'Include MacOS?'
required: false
type: boolean
default: true
include-windows:
description: 'Include Windows?'
required: false
type: boolean
default: true
node:
description: 'Node versions list (as JSON array).'
required: false
type: string
default: '["18", "20", "22"]'
workflow_call:
inputs:
desired-cdk-version:
description: 'AWS CDK version (exact or tag). Defaults to package-locked version.'
required: false
type: string
include-package-manager-e2e-tests:
description: 'Include package manager e2e tests?'
required: false
type: boolean
default: true
include-create-amplify-e2e-tests:
description: 'Include create-amplify e2e tests?'
required: false
type: boolean
default: true
include-macos:
description: 'Include MacOS?'
required: false
type: boolean
default: true
include-windows:
description: 'Include Windows?'
required: false
type: boolean
default: true
node:
description: 'Node versions list (as JSON array).'
required: false
type: string
default: '["18", "20", "22"]'
env:
# Health checks can run on un-released code. Often work in progress.
# Disable data from there.
AMPLIFY_DISABLE_TELEMETRY: true
jobs:
# This workflow may be called by variety of events.
# This steps resolves and applies appropriate defaults depending on the trigger.
resolve_inputs:
runs-on: ubuntu-latest
outputs:
cdk_version: ${{ steps.resolve_inputs.outputs.cdk_version }}
os: ${{ steps.resolve_inputs.outputs.os }}
os_for_e2e: ${{ steps.resolve_inputs.outputs.os_for_e2e }}
node: ${{ steps.resolve_inputs.outputs.node }}
steps:
- name: Resolve Inputs
id: resolve_inputs
# This is intentionally in pure bash to make this job independent of repo checkout and fast.
run: |
if [ -z "${{ inputs.desired-cdk-version }}" ]; then
echo "cdk_version=FROM_PACKAGE_LOCK" >> "$GITHUB_OUTPUT"
else
echo "cdk_version=$(npm view aws-cdk@${{ inputs.desired-cdk-version }} version)" >> "$GITHUB_OUTPUT"
fi
# Build JSON array in readable way in bash...
os='["ubuntu-latest"'
os_for_e2e='["ubuntu-latest"'
if [ "${{ inputs.include-macos }}" != "false" ]; then
os+=', "macos-14"'
os_for_e2e+=', "macos-14-xlarge"'
fi
if [ "${{ inputs.include-windows }}" != "false" ]; then
os+=', "windows-latest"'
os_for_e2e+=', "windows-latest"'
fi
os+=']'
os_for_e2e+=']'
echo "os=$os" >> "$GITHUB_OUTPUT"
echo "os_for_e2e=$os_for_e2e" >> "$GITHUB_OUTPUT"
if [ -z "${{ inputs.node }}" ]; then
echo 'node=["18", "20", "22"]' >> "$GITHUB_OUTPUT"
else
echo 'node=${{ inputs.node }}' >> "$GITHUB_OUTPUT"
fi
- run: echo cdk_version set to ${{ steps.resolve_inputs.outputs.cdk_version }}
- run: echo os set to ${{ steps.resolve_inputs.outputs.os }}
- run: echo os_for_e2e set to ${{ steps.resolve_inputs.outputs.os_for_e2e }}
- run: echo node set to ${{ steps.resolve_inputs.outputs.node }}
install:
strategy:
matrix:
# Windows install must happen on the same worker size as subsequent jobs.
# Larger workers use different drive (C: instead of D:) to check out project and NPM installation
# creates file system links that include drive letter.
# Changing between standard and custom workers requires full install cache invalidation
os: ${{ fromJSON(needs.resolve_inputs.outputs.os) }}
node: ${{ fromJSON(needs.resolve_inputs.outputs.node) }}
# Always include Node 18 and Ubuntu. Non-testing jobs depend on it.
include:
- os: ubuntu-latest
node: 18
runs-on: ${{ matrix.os }}
needs:
- resolve_inputs
timeout-minutes: 10
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- uses: ./.github/actions/setup_node
with:
node-version: ${{ matrix.node }}
- uses: ./.github/actions/install_with_cache
with:
node-version: ${{ matrix.node }}
cdk-version: ${{ needs.resolve_inputs.outputs.cdk_version }}
build:
strategy:
matrix:
node: ${{ fromJSON(needs.resolve_inputs.outputs.node) }}
# Always include Node 18. Non-testing jobs depend on it.
include:
- node: 18
runs-on: ubuntu-latest
needs:
- install
- resolve_inputs
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- uses: ./.github/actions/setup_node
with:
node-version: ${{ matrix.node }}
- uses: ./.github/actions/build_with_cache
with:
node-version: ${{ matrix.node }}
cdk-version: ${{ needs.resolve_inputs.outputs.cdk_version }}
test_with_coverage:
needs:
- build
- resolve_inputs
strategy:
matrix:
os: ${{ fromJSON(needs.resolve_inputs.outputs.os) }}
node: ${{ fromJSON(needs.resolve_inputs.outputs.node) }}
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- uses: ./.github/actions/setup_node
with:
node-version: ${{ matrix.node }}
- uses: ./.github/actions/restore_build_cache
with:
node-version: ${{ matrix.node }}
cdk-version: ${{ needs.resolve_inputs.outputs.cdk_version }}
- run: npm run set-script-shell
- run: npm run test:coverage:threshold
test_scripts:
needs:
- build
- resolve_inputs
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- uses: ./.github/actions/setup_node
with:
node-version: 18
- uses: ./.github/actions/restore_build_cache
with:
node-version: 18
cdk-version: ${{ needs.resolve_inputs.outputs.cdk_version }}
- run: |
npm run set-script-shell
npm run test:scripts
test_with_baseline_dependencies:
needs:
- install
- resolve_inputs
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- uses: ./.github/actions/setup_node
with:
node-version: 18
- uses: ./.github/actions/restore_install_cache
with:
node-version: 18
cdk-version: ${{ needs.resolve_inputs.outputs.cdk_version }}
- name: Pin some dependencies to nearest patch and rebuild
run: |
npx tsx scripts/set_baseline_dependency_versions.ts
npm install
# print out diff for auditing or troubleshooting
git diff
npm run build
- name: Run unit and integration tests
run: |
npm run set-script-shell
npm run test
check_api_changes:
if: github.event_name == 'pull_request'
needs:
- build
- resolve_inputs
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- name: Checkout pull request ref
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- uses: ./.github/actions/setup_node
with:
node-version: 18
- uses: ./.github/actions/restore_build_cache
with:
node-version: 18
cdk-version: ${{ needs.resolve_inputs.outputs.cdk_version }}
- name: Publish packages locally
timeout-minutes: 2
run: |
npm run start:npm-proxy
# keep git diff with version increment to make sure test projects resolve right version
npm run publish:local -- --keepGitDiff
- name: Checkout base branch
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
with:
path: base-branch-content
ref: ${{ github.event.pull_request.base.sha }}
- name: Check API changes
run: |
mkdir api-validation-projects
npx tsx scripts/check_api_changes.ts base-branch-content api-validation-projects
handle_dependabot_version_update:
if: github.event_name == 'pull_request' && github.event.pull_request.user.login == 'dependabot[bot]'
runs-on: ubuntu-latest
needs:
- install
- resolve_inputs
permissions:
# This is required so that this job can add the 'run-e2e' label and push to the pull request
pull-requests: write
contents: write
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
with:
fetch-depth: 0
- uses: ./.github/actions/setup_node
with:
node-version: 18
- uses: ./.github/actions/restore_install_cache
with:
node-version: 18
cdk-version: ${{ needs.resolve_inputs.outputs.cdk_version }}
- name: Handle Dependabot version update pull request
run: npx tsx scripts/dependabot_handle_version_update.ts "$BASE_SHA"
env:
BASE_SHA: ${{ github.event.pull_request.base.sha }}
# The dependabot_handler_version_update script needs to add the 'run-e2e' pull request label
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
do_include_e2e:
needs:
- install
- resolve_inputs
runs-on: ubuntu-latest
permissions:
# This is required so that the step can read the labels on the pull request
pull-requests: read
env:
# The do_include_e2e script needs to query pull request labels
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
outputs:
run_e2e: ${{ steps.check.outputs.run_e2e }}
include_package_manager_e2e: ${{ steps.check_package_manager.outputs.include_package_manager_e2e }}
include_create_amplify_e2e: ${{ steps.check_create_amplify.outputs.include_create_amplify_e2e }}
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- uses: ./.github/actions/setup_node
with:
node-version: 18
- uses: ./.github/actions/restore_install_cache
with:
node-version: 18
cdk-version: ${{ needs.resolve_inputs.outputs.cdk_version }}
- name: Check if any E2E tests should run
id: check
run: echo "run_e2e=$(npx tsx scripts/do_include_e2e.ts)" >> "$GITHUB_OUTPUT"
- run: echo run_e2e set to ${{ steps.check.outputs.run_e2e }}
- name: Check if Package Manager E2E tests should be included
id: check_package_manager
run: |
if [ -z "${{ inputs.include-package-manager-e2e-tests }}" ]; then
echo "include_package_manager_e2e=true" >> "$GITHUB_OUTPUT"
else
echo "include_package_manager_e2e=${{ inputs.include-package-manager-e2e-tests }}" >> "$GITHUB_OUTPUT"
fi
- run: echo include_package_manager_e2e set to ${{ steps.check_package_manager.outputs.include_package_manager_e2e }}
- name: Check if Create Amplify E2E tests should be included
id: check_create_amplify
run: |
if [ -z "${{ inputs.include-create-amplify-e2e-tests }}" ]; then
echo "include_create_amplify_e2e=true" >> "$GITHUB_OUTPUT"
else
echo "include_create_amplify_e2e=${{ inputs.include-create-amplify-e2e-tests }}" >> "$GITHUB_OUTPUT"
fi
- run: echo include_create_amplify_e2e set to ${{ steps.check_create_amplify.outputs.include_create_amplify_e2e }}
e2e_iam_access_drift:
if: needs.do_include_e2e.outputs.run_e2e == 'true'
runs-on: ubuntu-latest
timeout-minutes: 25
needs:
- do_include_e2e
- build
- resolve_inputs
permissions:
# these permissions are required for the configure-aws-credentials action to get a JWT from GitHub
id-token: write
contents: read
steps:
# This checkout is needed for the setup_baseline_version action to run `checkout` inside
# See /~https://github.com/actions/checkout/issues/692
- name: Checkout version for baseline
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- name: Setup baseline version
uses: ./.github/actions/setup_baseline_version
id: setup_baseline_version
with:
node_version: 18
- name: Checkout current version
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- name: Run e2e iam access drift test
uses: ./.github/actions/run_with_e2e_account
with:
e2e_test_accounts: ${{ vars.E2E_TEST_ACCOUNTS }}
node_version: 18
cdk-version: ${{ needs.resolve_inputs.outputs.cdk_version }}
run: npm run test:dir packages/integration-tests/lib/test-e2e/iam_access_drift.test.js
env:
BASELINE_DIR: ${{ steps.setup_baseline_version.outputs.baseline_dir }}
e2e_amplify_outputs_backwards_compatibility:
if: needs.do_include_e2e.outputs.run_e2e == 'true'
runs-on: ubuntu-latest
timeout-minutes: 25
needs:
- do_include_e2e
- build
- resolve_inputs
permissions:
# these permissions are required for the configure-aws-credentials action to get a JWT from GitHub
id-token: write
contents: read
steps:
# This checkout is needed for the setup_baseline_version action to run `checkout` inside
# See /~https://github.com/actions/checkout/issues/692
- name: Checkout version for baseline
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- name: Setup baseline version
uses: ./.github/actions/setup_baseline_version
id: setup_baseline_version
with:
node_version: 18
- name: Checkout current version
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- name: Run e2e amplify outputs backwards compatibility test
uses: ./.github/actions/run_with_e2e_account
with:
e2e_test_accounts: ${{ vars.E2E_TEST_ACCOUNTS }}
node_version: 18
cdk-version: ${{ needs.resolve_inputs.outputs.cdk_version }}
run: npm run test:dir packages/integration-tests/lib/test-e2e/amplify_outputs_backwards_compatibility.test.js
env:
BASELINE_DIR: ${{ steps.setup_baseline_version.outputs.baseline_dir }}
e2e_generate_deployment_tests_matrix:
if: needs.do_include_e2e.outputs.run_e2e == 'true'
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.generateMatrix.outputs.matrix }}
timeout-minutes: 5
needs:
- do_include_e2e
- build
- resolve_inputs
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- uses: ./.github/actions/restore_build_cache
with:
node-version: 18
cdk-version: ${{ needs.resolve_inputs.outputs.cdk_version }}
- run: echo "$(npx tsx scripts/generate_sparse_test_matrix.ts 'packages/integration-tests/lib/test-e2e/deployment/*.deployment.test.js' '${{ needs.resolve_inputs.outputs.node }}' '${{ needs.resolve_inputs.outputs.os_for_e2e }}')"
- id: generateMatrix
run: echo "matrix=$(npx tsx scripts/generate_sparse_test_matrix.ts 'packages/integration-tests/lib/test-e2e/deployment/*.deployment.test.js' '${{ needs.resolve_inputs.outputs.node }}' '${{ needs.resolve_inputs.outputs.os_for_e2e }}')" >> "$GITHUB_OUTPUT"
e2e_deployment:
if: needs.do_include_e2e.outputs.run_e2e == 'true'
strategy:
# will finish running other test matrices even if one fails
fail-fast: false
matrix: ${{ fromJson(needs.e2e_generate_deployment_tests_matrix.outputs.matrix) }}
runs-on: ${{ matrix.os }}
name: e2e_deployment ${{ matrix.displayNames }} ${{ matrix.node-version }} ${{ matrix.os }}
timeout-minutes: ${{ matrix.os == 'windows-latest' && 35 || 25 }}
needs:
- do_include_e2e
- build
- e2e_generate_deployment_tests_matrix
- resolve_inputs
permissions:
# these permissions are required for the configure-aws-credentials action to get a JWT from GitHub
id-token: write
contents: read
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- name: Run e2e deployment tests
uses: ./.github/actions/run_with_e2e_account
with:
e2e_test_accounts: ${{ vars.E2E_TEST_ACCOUNTS }}
node_version: ${{ matrix.node-version }}
cdk-version: ${{ needs.resolve_inputs.outputs.cdk_version }}
link_cli: true
run: |
npm run test:dir ${{ matrix.testPaths }}
e2e_generate_sandbox_tests_matrix:
if: needs.do_include_e2e.outputs.run_e2e == 'true'
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.generateMatrix.outputs.matrix }}
timeout-minutes: 5
needs:
- do_include_e2e
- build
- resolve_inputs
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- uses: ./.github/actions/restore_build_cache
with:
node-version: 18
cdk-version: ${{ needs.resolve_inputs.outputs.cdk_version }}
- run: echo "$(npx tsx scripts/generate_sparse_test_matrix.ts 'packages/integration-tests/lib/test-e2e/sandbox/*.sandbox.test.js' '${{ needs.resolve_inputs.outputs.node }}' '${{ needs.resolve_inputs.outputs.os_for_e2e }}')"
- id: generateMatrix
run: echo "matrix=$(npx tsx scripts/generate_sparse_test_matrix.ts 'packages/integration-tests/lib/test-e2e/sandbox/*.sandbox.test.js' '${{ needs.resolve_inputs.outputs.node }}' '${{ needs.resolve_inputs.outputs.os_for_e2e }}')" >> "$GITHUB_OUTPUT"
e2e_sandbox:
if: needs.do_include_e2e.outputs.run_e2e == 'true'
strategy:
# will finish running other test matrices even if one fails
fail-fast: false
matrix: ${{ fromJson(needs.e2e_generate_sandbox_tests_matrix.outputs.matrix) }}
runs-on: ${{ matrix.os }}
name: e2e_sandbox ${{ matrix.displayNames }} ${{ matrix.node-version }} ${{ matrix.os }}
timeout-minutes: ${{ matrix.os == 'windows-latest' && 35 || 25 }}
needs:
- do_include_e2e
- build
- e2e_generate_sandbox_tests_matrix
- resolve_inputs
permissions:
# these permissions are required for the configure-aws-credentials action to get a JWT from GitHub
id-token: write
contents: read
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- name: Run e2e sandbox tests
uses: ./.github/actions/run_with_e2e_account
with:
e2e_test_accounts: ${{ vars.E2E_TEST_ACCOUNTS }}
node_version: ${{ matrix.node-version }}
cdk-version: ${{ needs.resolve_inputs.outputs.cdk_version }}
link_cli: true
run: npm run test:dir ${{ matrix.testPaths }}
e2e_backend_output:
if: needs.do_include_e2e.outputs.run_e2e == 'true'
runs-on: ubuntu-latest
timeout-minutes: 25
needs:
- do_include_e2e
- build
- resolve_inputs
permissions:
# these permissions are required for the configure-aws-credentials action to get a JWT from GitHub
id-token: write
contents: read
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- name: Run e2e backend output tests
uses: ./.github/actions/run_with_e2e_account
with:
e2e_test_accounts: ${{ vars.E2E_TEST_ACCOUNTS }}
node_version: 18
cdk-version: ${{ needs.resolve_inputs.outputs.cdk_version }}
link_cli: true
run: npm run test:dir packages/integration-tests/lib/test-e2e/backend_output.test.js
e2e_create_amplify:
if: needs.do_include_e2e.outputs.run_e2e == 'true' && needs.do_include_e2e.outputs.include_create_amplify_e2e == 'true'
strategy:
# will finish running other test matrices even if one fails
fail-fast: false
matrix:
os: ${{ fromJSON(needs.resolve_inputs.outputs.os) }}
node-version: ${{ fromJSON(needs.resolve_inputs.outputs.node) }}
# skip multiple node version test on other os
exclude:
- os: macos-14
node-version: 20
- os: windows-latest
node-version: 20
- os: macos-14
node-version: 22
- os: windows-latest
node-version: 22
runs-on: ${{ matrix.os }}
timeout-minutes: ${{ matrix.os == 'windows-latest' && 35 || 25 }}
needs:
- do_include_e2e
- build
- resolve_inputs
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- uses: ./.github/actions/setup_node
with:
node-version: ${{ matrix.node-version }}
- uses: ./.github/actions/restore_build_cache
with:
node-version: ${{ matrix.node-version }}
cdk-version: ${{ needs.resolve_inputs.outputs.cdk_version }}
- run: cd packages/cli && npm link
- name: Run e2e create-amplify tests
run: npm run test:dir packages/integration-tests/lib/test-e2e/create_amplify.test.js
e2e_package_manager:
if: needs.do_include_e2e.outputs.run_e2e == 'true' && needs.do_include_e2e.outputs.include_package_manager_e2e == 'true'
strategy:
# will finish running other test matrices even if one fails
fail-fast: false
matrix:
os: ${{ fromJSON(needs.resolve_inputs.outputs.os) }}
pkg-manager: [npm, yarn-classic, yarn-modern, pnpm]
node-version: ['22']
env:
PACKAGE_MANAGER: ${{ matrix.pkg-manager }}
runs-on: ${{ matrix.os }}
timeout-minutes: 25
needs:
- build
- do_include_e2e
- resolve_inputs
permissions:
# these permissions are required for the configure-aws-credentials action to get a JWT from GitHub
id-token: write
contents: read
steps:
- name: Checkout aws-amplify/amplify-backend repo
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Run E2E flow tests with ${{ matrix.pkg-manager }}
uses: ./.github/actions/run_with_e2e_account
with:
e2e_test_accounts: ${{ vars.E2E_TEST_ACCOUNTS }}
node_version: ${{ matrix.node-version }}
cdk-version: ${{ needs.resolve_inputs.outputs.cdk_version }}
shell: bash
run: |
PACKAGE_MANAGER=${{matrix.pkg-manager}} npm run test:dir packages/integration-tests/src/package_manager_sanity_checks.test.ts
lint:
runs-on: ubuntu-latest
needs:
- build
- resolve_inputs
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- uses: ./.github/actions/setup_node
with:
node-version: 18
- uses: ./.github/actions/restore_build_cache
with:
node-version: 18
cdk-version: ${{ needs.resolve_inputs.outputs.cdk_version }}
- run: npm run lint
check_dependencies:
runs-on: ubuntu-latest
needs:
- install
- resolve_inputs
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- uses: ./.github/actions/setup_node
with:
node-version: 18
- uses: ./.github/actions/restore_install_cache
with:
node-version: 18
cdk-version: ${{ needs.resolve_inputs.outputs.cdk_version }}
- run: npm run check:dependencies
check_tsconfig_refs:
runs-on: ubuntu-latest
needs:
- install
- resolve_inputs
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- uses: ./.github/actions/setup_node
with:
node-version: 18
- uses: ./.github/actions/restore_install_cache
with:
node-version: 18
cdk-version: ${{ needs.resolve_inputs.outputs.cdk_version }}
- run: npm run check:tsconfig-refs
check_api_extract:
runs-on: ubuntu-latest
needs:
- build
- resolve_inputs
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- uses: ./.github/actions/setup_node
with:
node-version: 18
- uses: ./.github/actions/restore_build_cache
with:
node-version: 18
cdk-version: ${{ needs.resolve_inputs.outputs.cdk_version }}
- run: npm run check:api
docs_build_and_publish:
runs-on: ubuntu-latest
needs:
- build
- resolve_inputs
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- uses: ./.github/actions/setup_node
with:
node-version: 18
- uses: ./.github/actions/restore_build_cache
with:
node-version: 18
cdk-version: ${{ needs.resolve_inputs.outputs.cdk_version }}
- run: npm run docs
- if: ${{ github.event_name == 'push' && github.ref_name == 'main' }}
uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # version 4.0.0
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: ./docs
publish_branch: docs
check_pr_size:
if: github.event_name == 'pull_request'
runs-on: ubuntu-latest
needs:
- install
- resolve_inputs
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- uses: ./.github/actions/setup_node
with:
node-version: 18
- uses: ./.github/actions/restore_install_cache
with:
node-version: 18
cdk-version: ${{ needs.resolve_inputs.outputs.cdk_version }}
- run: git fetch origin
- run: npm run diff:check "$BASE_SHA"
env:
BASE_SHA: ${{ github.event.pull_request.base.sha }}
check_pr_changesets:
if: github.event_name == 'pull_request' && github.event.pull_request.user.login != 'github-actions[bot]'
runs-on: ubuntu-latest
needs:
- install
- resolve_inputs
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
with:
# fetch full history so that changeset can properly compute divergence point
fetch-depth: 0
- uses: ./.github/actions/setup_node
with:
node-version: 18
- uses: ./.github/actions/restore_install_cache
with:
node-version: 18
cdk-version: ${{ needs.resolve_inputs.outputs.cdk_version }}
- name: Validate that PR has changeset
run: npx changeset status --since origin/"$BASE_REF"
env:
BASE_REF: ${{ github.event.pull_request.base.ref }}
- name: Validate changeset is not missing packages
run: npx tsx scripts/check_changeset_completeness.ts "$BASE_SHA"
env:
BASE_SHA: ${{ github.event.pull_request.base.sha }}
- name: Validate that changeset has necessary dependency updates
run: |
npx changeset version
npm update
npm run check:dependencies
check_package_versions:
if: github.event_name == 'pull_request'
runs-on: ubuntu-latest
timeout-minutes: 10
needs:
- install
- resolve_inputs
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- uses: ./.github/actions/setup_node
with:
node-version: 18
- uses: ./.github/actions/restore_install_cache
with:
node-version: 18
cdk-version: ${{ needs.resolve_inputs.outputs.cdk_version }}
- run: npx changeset version
- run: npm run check:package-versions
update_package_versions:
if: ${{ github.event_name == 'push' && (github.ref_name == 'main' || github.ref_name == 'hotfix') }}
needs:
- install
- resolve_inputs
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- uses: ./.github/actions/setup_node
with:
node-version: 18
- uses: ./.github/actions/restore_install_cache
with:
node-version: 18
cdk-version: ${{ needs.resolve_inputs.outputs.cdk_version }}
- id: is_version_packages_commit
run: echo "is_version_packages_commit=$(npx tsx scripts/is_version_packages_commit.ts)" >> "$GITHUB_OUTPUT"
- name: Create or update Version Packages PR
# if this push is NOT merging a version packages PR, then we update/create the version packages PR
if: ${{ steps.is_version_packages_commit.outputs.is_version_packages_commit == 'false' }}
uses: changesets/action@aba318e9165b45b7948c60273e0b72fce0a64eb9 # version 1.4.7
with:
createGithubReleases: false
# this should never be called, but if something happens and it does get called, this ensures that a premature publish won't happen
publish: echo Cannot publish during update version step
env:
# we are also omitting the NPM_TOKEN here to eliminate the possibility of publishing to NPM during this step
# we still need the GITHUB_TOKEN so that the version packages PR can be updated
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
publish_package_versions:
if: ${{ github.event_name == 'push' && (github.ref_name == 'main' || github.ref_name == 'hotfix') }}
needs:
- test_with_coverage
- e2e_package_manager
- e2e_deployment
- e2e_sandbox
- e2e_create_amplify
- resolve_inputs
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- uses: ./.github/actions/setup_node
with:
node-version: 18
- uses: ./.github/actions/restore_build_cache
with:
node-version: 18
cdk-version: ${{ needs.resolve_inputs.outputs.cdk_version }}
- id: is_version_packages_commit
run: echo "is_version_packages_commit=$(npx tsx scripts/is_version_packages_commit.ts)" >> "$GITHUB_OUTPUT"
- name: Publish packages
# if this push is merging a version packages PR, then we publish the new versions
if: ${{ steps.is_version_packages_commit.outputs.is_version_packages_commit == 'true' }}
id: changeset_publish
uses: changesets/action@aba318e9165b45b7948c60273e0b72fce0a64eb9 # version 1.4.7
with:
publish: npm run publish
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
- name: Update hotfix branch
if: ${{ steps.changeset_publish.outputs.published == 'true' && github.ref_name == 'main' }}
run: git push origin main:hotfix --force
codeql:
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
with:
# Minimal depth 2 so we can checkout the commit before possible merge commit.
fetch-depth: 2
- name: Initialize CodeQL
uses: github/codeql-action/init@8fcfedf57053e09257688fce7a0beeb18b1b9ae3 # version 2.17.2
with:
languages: javascript
queries: +security-and-quality
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@8fcfedf57053e09257688fce7a0beeb18b1b9ae3 # version 2.17.2
with:
category: /language:javascript
dependency-review:
if: github.event_name == 'pull_request'
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout repository
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
- name: Dependency Review
uses: actions/dependency-review-action@0c155c5e8556a497adf53f2c18edabf945ed8e70 # version 4.3.2
with:
config-file: ./.github/dependency_review_config.yml