Merge branch 'main' into robin-aws/fix-nightly-build-2024-10-28

Author: robin-aws

.github/dependabot.yml

@@ -20,3 +20,7 @@ updates:
     directory: ".github/workflows"
     schedule:
       interval: "daily"
+  - package-ecosystem: "cargo"
+    directory: "DynamoDbEncryption/runtimes/rust"
+    schedule:
+      interval: "daily"

.github/workflows/check-files.yml

@@ -7,14 +7,14 @@ on:
 
 jobs:
   require-approvals:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     permissions:
       issues: write
       pull-requests: write
     env:
       # unfortunately we can't check if the approver is part of the CODEOWNERS. This is a subset of aws/aws-crypto-tools-team
       # to add more allowlisted approvers just modify this env variable
-      maintainers: seebees, texastony, ShubhamChaturvedi7, lucasmcdonald3, josecorella, imabhichow, rishav-karanjit, antonf-amzn, justplaz, ajewellamz
+      maintainers: seebees, texastony, ShubhamChaturvedi7, lucasmcdonald3, josecorella, imabhichow, rishav-karanjit, antonf-amzn, kessplas, ajewellamz, RitvikKapila
     steps:
       - uses: actions/checkout@v3
         with:

.github/workflows/check_only_key_word.yml

@@ -8,7 +8,7 @@ on:
 
 jobs:
   grep-only-verification-keyword:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     permissions:
       issues: write
       pull-requests: write

.github/workflows/ci_codegen.yml

@@ -17,7 +17,7 @@ jobs:
         # Note dotnet is only used for formatting generated code
         # in this workflow
         dotnet-version: ["6.0.x"]
-        os: [ubuntu-latest]
+        os: [ubuntu-22.04]
     runs-on: ${{ matrix.os }}
     defaults:
       run:
@@ -39,7 +39,7 @@ jobs:
       # and to translate version strings such as "nightly-latest"
       # to an actual DAFNY_VERSION.
       - name: Setup Dafny
-        uses: dafny-lang/[email protected]
+        uses: ./submodules/MaterialProviders/.github/actions/setup_dafny/
         with:
           dafny-version: ${{ inputs.dafny }}
 
@@ -51,6 +51,15 @@ jobs:
       - name: Create temporary global.json
         run: echo '{"sdk":{"rollForward":"latestFeature","version":"6.0.0"}}' > ./global.json
 
+      - name: Setup Java 17 for codegen
+        uses: actions/setup-java@v4
+        with:
+          distribution: "corretto"
+          java-version: "17"
+
+      - name: Install Smithy-Dafny codegen dependencies
+        uses: ./.github/actions/install_smithy_dafny_codegen_dependencies
+
       - uses: ./.github/actions/polymorph_codegen
         with:
           dafny: ${{ inputs.dafny }}

.github/workflows/ci_duvet.yml

@@ -11,7 +11,7 @@ on:
 
 jobs:
   duvet:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v3
 

.github/workflows/ci_examples_java.yml

@@ -29,7 +29,7 @@ jobs:
       max-parallel: 1
       matrix:
         java-version: [8, 11, 16, 17]
-        os: [macos-12]
+        os: [macos-13]
     runs-on: ${{ matrix.os }}
     permissions:
       id-token: write
@@ -53,7 +53,7 @@ jobs:
           java-version: ${{ matrix.java-version }}
 
       - name: Setup Dafny
-        uses: dafny-lang/[email protected]
+        uses: ./submodules/MaterialProviders/.github/actions/setup_dafny/
         with:
           dafny-version: ${{ inputs.dafny }}
 
@@ -71,6 +71,10 @@ jobs:
         run: |
           sed "s/mplDependencyJavaVersion=.*/mplDependencyJavaVersion=${{inputs.mpl-version}}/g" project.properties > project.properties2; mv project.properties2 project.properties
 
+      - name: Install Smithy-Dafny codegen dependencies
+        if: ${{ inputs.regenerate-code }}
+        uses: ./.github/actions/install_smithy_dafny_codegen_dependencies
+
       - name: Regenerate code using smithy-dafny if necessary
         if: ${{ inputs.regenerate-code }}
         uses: ./.github/actions/polymorph_codegen

.github/workflows/ci_examples_net.yml

@@ -27,7 +27,7 @@ jobs:
       matrix:
         library: [DynamoDbEncryption]
         dotnet-version: ["6.0.x"]
-        os: [macos-12]
+        os: [macos-13]
     runs-on: ${{ matrix.os }}
     permissions:
       id-token: write
@@ -46,7 +46,7 @@ jobs:
           dotnet-version: ${{ matrix.dotnet-version }}
 
       - name: Setup Dafny
-        uses: dafny-lang/[email protected]
+        uses: ./submodules/MaterialProviders/.github/actions/setup_dafny/
         with:
           dafny-version: ${{ inputs.dafny }}
 
@@ -59,6 +59,10 @@ jobs:
           git submodule update --init --recursive
           git rev-parse HEAD
 
+      - name: Install Smithy-Dafny codegen dependencies
+        if: ${{ inputs.regenerate-code }}
+        uses: ./.github/actions/install_smithy_dafny_codegen_dependencies
+
       - name: Regenerate code using smithy-dafny if necessary
         if: ${{ inputs.regenerate-code }}
         uses: ./.github/actions/polymorph_codegen

.github/workflows/ci_static_analysis.yml

@@ -9,7 +9,7 @@ on:
 
 jobs:
   not-grep:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v2
       - name: not-grep

.github/workflows/ci_test_java.yml

@@ -29,7 +29,7 @@ jobs:
       matrix:
         library: [DynamoDbEncryption]
         java-version: [8, 11, 16, 17]
-        os: [macos-12]
+        os: [macos-13]
     runs-on: ${{ matrix.os }}
     permissions:
       id-token: write
@@ -47,7 +47,7 @@ jobs:
           submodules: recursive
 
       - name: Setup Dafny
-        uses: dafny-lang/[email protected]
+        uses: ./submodules/MaterialProviders/.github/actions/setup_dafny/
         with:
           dafny-version: ${{ inputs.dafny }}
 
@@ -65,6 +65,10 @@ jobs:
         run: |
           sed "s/mplDependencyJavaVersion=.*/mplDependencyJavaVersion=${{inputs.mpl-version}}/g" project.properties > project.properties2; mv project.properties2 project.properties
 
+      - name: Install Smithy-Dafny codegen dependencies
+        if: ${{ inputs.regenerate-code }}
+        uses: ./.github/actions/install_smithy_dafny_codegen_dependencies
+
       - name: Regenerate code using smithy-dafny if necessary
         if: ${{ inputs.regenerate-code }}
         uses: ./.github/actions/polymorph_codegen

.github/workflows/ci_test_latest_released_mpl_java.yml

@@ -0,0 +1,130 @@
+# This workflow is for testing that the latest released version
+# of the MPL is compatible with the current DB-ESDK Head
+name: Test Latest Released MPL Java with DB-ESDK HEAD
+
+on:
+  schedule:
+    - cron: "00 16 * * 1-5"
+  workflow_dispatch: # allows triggering this manually through the Actions UI
+    inputs:
+      run_test_vectors:
+        description: "Run Test Vectors?"
+        required: false
+        default: true
+        type: boolean
+
+jobs:
+  getVersion:
+    # Don't run the cron builds on forks
+    if: github.event_name != 'schedule' || github.repository_owner == 'aws'
+    uses: ./.github/workflows/dafny_version.yml
+  getVerifyVersion:
+    if: github.event_name != 'schedule' || github.repository_owner == 'aws'
+    uses: ./.github/workflows/dafny_verify_version.yml
+  getMplDependencyJavaVersion:
+    if: github.event_name != 'schedule' || github.repository_owner == 'aws'
+    uses: ./.github/workflows/mpl_dependency_java_version.yml
+  testJava:
+    needs: [getVersion, getMplDependencyJavaVersion]
+    strategy:
+      max-parallel: 1
+      matrix:
+        java-version: [17]
+        os: [ubuntu-22.04]
+    runs-on: ${{ matrix.os }}
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: us-west-2
+          role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-DDBEC-Dafny-Role-us-west-2
+          role-session-name: DDBEC-Dafny-Java-Tests
+
+      - uses: actions/checkout@v3
+        with:
+          submodules: recursive
+
+      - name: Setup Java ${{ matrix.java-version }}
+        uses: actions/setup-java@v4
+        with:
+          distribution: "corretto"
+          java-version: ${{ matrix.java-version }}
+
+      - name: Setup Dafny
+        uses: ./submodules/MaterialProviders/.github/actions/setup_dafny/
+        with:
+          dafny-version: ${{ needs.getVersion.outputs.version }}
+
+      - name: Install Smithy-Dafny codegen dependencies
+        if: ${{ inputs.regenerate-code }}
+        uses: ./.github/actions/install_smithy_dafny_codegen_dependencies
+
+      - name: Regenerate code using smithy-dafny if necessary
+        if: ${{ inputs.regenerate-code }}
+        uses: ./.github/actions/polymorph_codegen
+        with:
+          dafny: ${{ env.DAFNY_VERSION }}
+          library: DynamoDbEncryption
+          diff-generated-code: false
+          update-and-regenerate-mpl: true
+
+      # The following two steps: "Build and deploy to maven local" and "Run Extensive Tests"
+      # mimic the tests in ./codebuild/staging/release-staging.yml
+      - name: Build and deploy to maven local
+        shell: bash
+        working-directory: ./DynamoDbEncryption
+        run: |
+          # Run transpile by itself. We don't want to locally build the MPL because
+          # we want to verify that the version pulled down from maven works correctly
+          make transpile_implementation_java
+          make transpile_test_java
+          make mvn_local_deploy
+          make test_java
+
+      - name: Run Extensive Tests
+        working-directory: ./DynamoDbEncryption
+        run: |
+          gradle -p runtimes/java clean
+          gradle -p runtimes/java test
+
+      # This makes sure that we are using the correct MPL version to test the DB-ESDK.
+      # If this contains a SNAPSHOT version, this will fail because'
+      # we are NOT building the MPL recursively but pulling from Maven.
+      - name: Update project.properties to use the correct MPL version (from project.properties in DB-ESDK)
+        working-directory: ./submodules/MaterialProviders/
+        run: |
+          sed "s/mplVersion=.*/mplVersion=${{needs.getMplDependencyJavaVersion.outputs.version}}/g" project.properties > project.properties2; mv project.properties2 project.properties
+
+      # The following three steps: "Transpile MPL Test Vectors without recursively building the MPL",
+      # "Run Test Vectors", and "Test Examples" mimic the tests in ./codebuild/staging/validate-staging.yml
+      - name: Transpile MPL Test Vectors without recursively building the MPL
+        working-directory: ./submodules/MaterialProviders/TestVectorsAwsCryptographicMaterialProviders
+        run: |
+          # Run transpile by itself. We don't want to locally build the MPL because
+          # we want to verify that the version pulled down from maven works correctly
+          make transpile_implementation_java
+          make transpile_test_java
+          make mvn_local_deploy
+
+      - name: Run Test Vectors
+        if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && ${{inputs.run_test_vectors}})
+        working-directory: ./TestVectors
+        run: |
+          # Spin up ddb local
+          docker run --name dynamodb -d -p 8000:8000 amazon/dynamodb-local -jar DynamoDBLocal.jar -port 8000 -inMemory -cors *
+          # Run transpile by itself so we don't locally build the MPL.
+          make transpile_implementation_java
+          make transpile_test_java
+          gradle -p runtimes/java runTests
+
+      - name: Test Examples
+        working-directory: ./Examples
+        run: |
+          # Run Simple Examples
+          gradle -p runtimes/java/DynamoDbEncryption test
+          # Run Migration Examples
+          gradle -p runtimes/java/Migration/PlaintextToAWSDBE test
+          gradle -p runtimes/java/Migration/DDBECToAWSDBE test