Merge branch 'main' of github.com:awslabs/aws-crt-kotlin into kn-main

lauzadis · lauzadis · commit 8b95fc417967 · 2025-07-10T11:07:24.000-04:00
diff --git a/.changes/aa10152c-0040-46b3-8551-ed63aca0c6ee.json b/.changes/aa10152c-0040-46b3-8551-ed63aca0c6ee.json
@@ -0,0 +1,8 @@
+{
+    "id": "aa10152c-0040-46b3-8551-ed63aca0c6ee",
+    "type": "bugfix",
+    "description": "Enable building this project on JDK21 by setting -Xjdk-release flag",
+    "issues": [
+        "https://github.com/smithy-lang/smithy-kotlin/issues/1295"
+    ]
+}
diff --git a/.github/workflows/api-compat-verification.yml b/.github/workflows/api-compat-verification.yml
@@ -0,0 +1,34 @@
+name: API compatibility verification
+
+on:
+  pull_request:
+    types: [ opened, synchronize, reopened, labeled, unlabeled ]
+    branches:
+      - main
+      - '*-main'
+
+jobs:
+  api-compat-verification:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Check for API compatibility
+        if: ${{ !contains(github.event.pull_request.labels.*.name, 'acknowledge-api-break') }}
+        run: |
+          git fetch origin ${{ github.base_ref }} --depth 1 && \
+          git diff remotes/origin/${{ github.base_ref }} --numstat "*.api" | awk '
+            BEGIN { s = 0 }
+            
+            # git diff numstat shows lines deleted in field 2, hence sum up field 2 across all items 
+            { s += $2 }
+            
+            # exit with the number of lines deleted as the result code so that `if failure()` works below
+            END { exit s }
+          '
+      - name: Error message
+        if: ${{ failure() }}
+        run: |
+          echo "::error ::This change modifies the public API in a way that may be backwards-incompatible. Carefully review this pull request and either:"
+          echo "::error ::* Revert the changes which caused the API incompatibility –or–"
+          echo "::error ::* Add the 'acknowledge-api-break' label to this PR (in rare cases warranting an API breakage)"
+          exit 1
diff --git a/.github/workflows/artifact-size-metrics.yml b/.github/workflows/artifact-size-metrics.yml
@@ -25,6 +25,8 @@ jobs:
         with:
           role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }}
           aws-region: us-west-2
+      - name: Configure Gradle
+        uses: awslabs/aws-kotlin-repo-tools/.github/actions/configure-gradle@main
       - name: Generate Artifact Size Metrics
         run: ./gradlew artifactSizeMetrics
       - name: Save Artifact Size Metrics
@@ -42,60 +44,15 @@ jobs:
         with:
           role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }}
           aws-region: us-west-2
+      - name: Configure Gradle
+        uses: awslabs/aws-kotlin-repo-tools/.github/actions/configure-gradle@main
       - name: Generate Artifact Size Metrics
         run: ./gradlew -Paws.kotlin.native=false artifactSizeMetrics
       - name: Analyze Artifact Size Metrics
         run: ./gradlew analyzeArtifactSizeMetrics
-      - name: Show Results
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const getComments = 
-              `query { 
-                repository(owner:"${context.repo.owner}", name:"${context.repo.repo}"){
-                  pullRequest(number: ${context.issue.number}) {
-                    id
-                    comments(last:100) {
-                      nodes {
-                        id
-                        body
-                        author {
-                          login
-                        }
-                        isMinimized
-                      }
-                    }
-                  }
-                } 
-              }`
-            
-            const response = await github.graphql(getComments)
-            const comments = response.repository.pullRequest.comments.nodes
-
-            const mutations = comments
-              .filter(comment => comment.author.login == 'github-actions' && !comment.isMinimized && comment.body.startsWith('Affected Artifacts'))
-              .map(comment =>
-                github.graphql(
-                  `mutation {
-                    minimizeComment(input:{subjectId:"${comment.id}", classifier:OUTDATED}){
-                      clientMutationId
-                    }
-                  }`
-                )
-              )
-            await Promise.all(mutations)
 
-            const fs = require('node:fs')
-            const comment = fs.readFileSync('build/reports/metrics/artifact-analysis.md', 'utf8')
-
-            const writeComment = 
-              `mutation {
-                addComment(input:{body:"""${comment}""", subjectId:"${response.repository.pullRequest.id}"}){
-                  clientMutationId
-                }
-              }`
-            
-            await github.graphql(writeComment)
+      - name: Show Results
+        uses: awslabs/aws-kotlin-repo-tools/.github/actions/artifact-size-metrics/show-results@main
 
       - name: Evaluate
         if: ${{ !contains(github.event.pull_request.labels.*.name, 'acknowledge-artifact-size-increase') }}
diff --git a/.github/workflows/changelog-verification.yml b/.github/workflows/changelog-verification.yml
@@ -1,5 +1,8 @@
 name: Changelog verification
 
+permissions:
+  id-token: write
+
 on:
   pull_request:
     types: [ opened, synchronize, reopened, labeled, unlabeled ]
@@ -11,16 +14,11 @@ jobs:
   changelog-verification:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - name: Check for changelog entry
-        if: ${{ !contains(github.event.pull_request.labels.*.name, 'no-changelog') }}
-        run: |
-          git fetch origin ${{ github.base_ref }} --depth 1 && \
-          git diff remotes/origin/${{ github.base_ref }} --name-only | grep -P "\.changes/[0-9a-f-]+\.json"
-      - name: Error message
-        if: ${{ failure() }}
-        run: |
-          echo "::error ::No new/updated changelog entry found in /.changes directory. Please either:"
-          echo "::error ::* Add a changelog entry (see CONTRIBUTING.md for instructions) –or–"
-          echo "::error ::* Add the 'no-changelog' label to this PR (in rare cases not warranting a changelog entry)"
-          exit 1
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }}
+          aws-region: us-west-2
+
+      - name: Verify changelog
+        uses: awslabs/aws-kotlin-repo-tools/.github/actions/changelog-verification@main
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -28,6 +28,14 @@ jobs:
     steps:
       - name: Checkout sources
         uses: actions/checkout@v4
+
+      - name: Configure JDK
+        uses: actions/setup-java@v3
+        with:
+          distribution: 'corretto'
+          java-version: 17
+          cache: 'gradle'
+
       - name: Setup build environment
         uses: ./.github/actions/setup-build
       - name: Test with ${{ matrix.java-version }}
diff --git a/.github/workflows/kat-transform.yml b/.github/workflows/kat-transform.yml
@@ -45,6 +45,11 @@ jobs:
           java-version: 17
           cache: 'gradle'
 
+      - name: Configure Gradle
+        uses: awslabs/aws-kotlin-repo-tools/.github/actions/configure-gradle@main
+        with:
+          working-directory: ./aws-crt-kotlin
+
       - name: Build
         working-directory: ./aws-crt-kotlin
         shell: bash
diff --git a/.github/workflows/merge-main.yml b/.github/workflows/merge-main.yml
@@ -0,0 +1,15 @@
+name: Merge main
+on:
+  push:
+    branches: [ main ]
+  workflow_dispatch:
+
+jobs:
+  merge:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Merge main
+        uses: awslabs/aws-kotlin-repo-tools/.github/actions/merge-main@main
+        with:
+          ci-user-pat: ${{ secrets.CI_USER_PAT }}
+          exempt-branches: # Add any if required
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog
 
+## [0.9.2] - 06/18/2025
+
+### Fixes
+* Update the set of supported `TlsCipherPreference` values to reflect the latest capabilities/support from CRT
+
 ## [0.9.1] - 01/28/2025
 
 ### Fixes
diff --git a/aws-crt-kotlin/api/aws-crt-kotlin.api b/aws-crt-kotlin/api/aws-crt-kotlin.api
@@ -821,6 +821,8 @@ public final class aws/sdk/kotlin/crt/io/TlsCipherPreference : java/lang/Enum {
 	public static final field KMS_PQ_TLS_V1_0_2019_06 Laws/sdk/kotlin/crt/io/TlsCipherPreference;
 	public static final field KMS_PQ_TLS_V1_0_2020_02 Laws/sdk/kotlin/crt/io/TlsCipherPreference;
 	public static final field KMS_PQ_TLS_V1_0_2020_07 Laws/sdk/kotlin/crt/io/TlsCipherPreference;
+	public static final field PQ_DEFAULT Laws/sdk/kotlin/crt/io/TlsCipherPreference;
+	public static final field PQ_TLSV1_2_2024_10 Laws/sdk/kotlin/crt/io/TlsCipherPreference;
 	public static final field PQ_TLS_V1_0_2021_05 Laws/sdk/kotlin/crt/io/TlsCipherPreference;
 	public static final field SYSTEM_DEFAULT Laws/sdk/kotlin/crt/io/TlsCipherPreference;
 	public static fun getEntries ()Lkotlin/enums/EnumEntries;
diff --git a/aws-crt-kotlin/common/src/aws/sdk/kotlin/crt/io/TlsCipherPreference.kt b/aws-crt-kotlin/common/src/aws/sdk/kotlin/crt/io/TlsCipherPreference.kt
@@ -19,54 +19,53 @@ public enum class TlsCipherPreference(public val value: Int) {
     SYSTEM_DEFAULT(0),
 
     /**
-     * This cipher preference is no longer supported. Use PQ_TLS_V1_0_2021_05 instead.
+     * This cipher preference is no longer supported. Use PQ_TLSV1_2_2024_10 instead.
      */
-    @Deprecated("This cipher preference is no longer supported. Use PQ_TLS_V1_0_2021_05 instead.")
+    @Deprecated("This cipher preference is no longer supported. Use PQ_TLSV1_2_2024_10 instead.")
     KMS_PQ_TLS_V1_0_2019_06(1),
 
     /**
-     * This cipher preference is no longer supported. Use PQ_TLS_V1_0_2021_05 instead.
+     * This cipher preference is no longer supported. Use PQ_TLSV1_2_2024_10 instead.
      */
-    @Deprecated("This cipher preference is no longer supported. Use PQ_TLS_V1_0_2021_05 instead.")
+    @Deprecated("This cipher preference is no longer supported. Use PQ_TLSV1_2_2024_10 instead.")
     KMS_PQ_SIKE_TLS_V1_0_2019_11(2),
 
     /**
-     * This cipher preference is no longer supported. Use PQ_TLS_V1_0_2021_05 instead.
+     * This cipher preference is no longer supported. Use PQ_TLSV1_2_2024_10 instead.
      */
-    @Deprecated("This cipher preference is no longer supported. Use PQ_TLS_V1_0_2021_05 instead.")
+    @Deprecated("This cipher preference is no longer supported. Use PQ_TLSV1_2_2024_10 instead.")
     KMS_PQ_TLS_V1_0_2020_02(3),
 
     /**
-     * This cipher preference is no longer supported. Use PQ_TLS_V1_0_2021_05 instead.
+     * This cipher preference is no longer supported. Use PQ_TLSV1_2_2024_10 instead.
      */
-    @Deprecated("This cipher preference is no longer supported. Use PQ_TLS_V1_0_2021_05 instead.")
+    @Deprecated("This cipher preference is no longer supported. Use PQ_TLSV1_2_2024_10 instead.")
     KMS_PQ_SIKE_TLS_V1_0_2020_02(4),
 
     /**
-     * This cipher preference is no longer supported. Use PQ_TLS_V1_0_2021_05 instead.
+     * This cipher preference is no longer supported. Use PQ_TLSV1_2_2024_10 instead.
      */
-    @Deprecated("This cipher preference is no longer supported. Use PQ_TLS_V1_0_2021_05 instead.")
+    @Deprecated("This cipher preference is no longer supported. Use PQ_TLSV1_2_2024_10 instead.")
     KMS_PQ_TLS_V1_0_2020_07(5),
 
     /**
-     * This TlsCipherPreference supports TLS 1.0 through TLS 1.3, and contains Kyber Round 3 as its highest priority
-     * PQ algorithm. PQ algorithms in this preference list will be used in hybrid mode, and will be combined with a
-     * classical ECDHE key exchange.
-     *
-     * NIST has announced that Kyber will be first post-quantum key-agreement algorithm that it will standardize.
-     * However, the NIST standardization process might introduce minor changes that may cause the final Kyber standard
-     * to differ from the Kyber Round 3 implementation available in this preference list.
-     *
-     * Since this TlsCipherPreference contains algorithms that have not yet been officially standardized by NIST, this
-     * preference list, and any of the PQ algorithms in it, may stop being supported at any time.
-     *
-     * For more info see:
-     *   - https://tools.ietf.org/html/draft-campagna-tls-bike-sike-hybrid
-     *   - https://datatracker.ietf.org/doc/html/draft-ietf-tls-hybrid-design
-     *   - https://aws.amazon.com/blogs/security/how-to-tune-tls-for-hybrid-post-quantum-cryptography-with-kyber/
-     *   - https://nvlpubs.nist.gov/nistpubs/ir/2022/NIST.IR.8413.pdf
+     * This cipher preference is no longer supported. Use PQ_TLSV1_2_2024_10 instead.
      */
+    @Deprecated("This cipher preference is no longer supported. Use PQ_TLSV1_2_2024_10 instead.")
     PQ_TLS_V1_0_2021_05(6),
+
+    /**
+     * This TLS cipher preference list contains post-quantum key exchange algorithms that have been standardized by
+     * NIST. PQ algorithms in this preference list will be used in hybrid mode, and always combined with a classical
+     * ECDHE key exchange.
+     */
+    PQ_TLSV1_2_2024_10(7),
+
+    /**
+     * Recommended default policy with post-quantum algorithm support. This policy may change over time.
+     */
+    PQ_DEFAULT(8),
+
     ;
 
     /**
diff --git a/aws-crt-kotlin/jvm/src/aws/sdk/kotlin/crt/io/TlsContextJVM.kt b/aws-crt-kotlin/jvm/src/aws/sdk/kotlin/crt/io/TlsContextJVM.kt
@@ -36,6 +36,8 @@ private fun TlsCipherPreference.into(): TlsCipherPreferenceJni = when (this) {
     TlsCipherPreference.KMS_PQ_SIKE_TLS_V1_0_2020_02 -> TlsCipherPreferenceJni.TLS_CIPHER_PREF_KMS_PQ_SIKE_TLSv1_0_2020_02
     TlsCipherPreference.KMS_PQ_TLS_V1_0_2020_07 -> TlsCipherPreferenceJni.TLS_CIPHER_PREF_KMS_PQ_TLSv1_0_2020_07
     TlsCipherPreference.PQ_TLS_V1_0_2021_05 -> TlsCipherPreferenceJni.TLS_CIPHER_PREF_PQ_TLSv1_0_2021_05
+    TlsCipherPreference.PQ_TLSV1_2_2024_10 -> TlsCipherPreferenceJni.TLS_CIPHER_PREF_PQ_TLSv1_2_2023
+    TlsCipherPreference.PQ_DEFAULT -> TlsCipherPreferenceJni.TLS_CIPHER_PQ_DEFAULT
 }
 
 private fun TlsVersion.into(): TlsVersionJni = when (this) {
diff --git a/build.gradle.kts b/build.gradle.kts
@@ -47,6 +47,7 @@ subprojects {
     tasks.withType<org.jetbrains.kotlin.gradle.tasks.KotlinCompile> {
         compilerOptions {
             jvmTarget.set(JvmTarget.JVM_1_8)
+            freeCompilerArgs.add("-Xjdk-release=1.8")
             freeCompilerArgs.add("-Xexpect-actual-classes")
         }
     }
diff --git a/gradle.properties b/gradle.properties
@@ -7,7 +7,7 @@ kotlin.daemon.jvmargs=-Xmx6g -XX:+HeapDumpOnOutOfMemoryError
 org.gradle.jvmargs=-Xmx2G -XX:MaxMetaspaceSize=1G
 
 # aws-crt-kotlin
-sdkVersion=0.9.2-SNAPSHOT
+sdkVersion=0.9.3-SNAPSHOT
 
 # publishing
 publishGroupName=aws.sdk.kotlin.crt
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -4,7 +4,7 @@ kotlin-version = "2.1.0"
 aws-kotlin-repo-tools-version = "0.4.27-kn"
 
 # libs
-crt-java-version = "0.33.10"
+crt-java-version = "0.38.1"
 coroutines-version = "1.9.0"
 binary-compatibility-validator-version = "0.16.3"
 
diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.12.1-bin.zip
+distributionUrl=https://services.gradle.org/distributions/gradle-8.14.2-bin.zip
 networkTimeout=10000
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
