chore: validate release

imabhichow · imabhichow · commit 01a13f4c02bd · 2025-07-14T06:46:55.000-07:00
diff --git a/.github/workflows/ci_codebuild_batch.yml b/.github/workflows/ci_codebuild_batch.yml
@@ -1297,6 +1297,48 @@ jobs:
           project-name: python-esdk
           buildspec-override: codebuild/py312/decrypt_golden_manifest_with_masterkey.yml
           image-override: aws/codebuild/standard:7.0
+          
+  # Python Release Validation with test vectors
+  python_release_validation:
+    name: Python Release Validation with Test Vectors
+    runs-on: ubuntu-latest
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }}
+          aws-region: us-west-2
+          role-duration-seconds: 7200
+      - name: Run CodeBuild
+        uses: aws-actions/aws-codebuild-run-build@v1
+        timeout-minutes: 120
+        env:
+          VERSION: "4.0.2"
+        with:
+          project-name: python-esdk
+          buildspec-override: codebuild/release/validate_test_vectors.yml
+          image-override: aws/codebuild/standard:7.0
+          
+  # Python Release Validation with examples as alternate
+  python_release_examples_validation:
+    name: Python Release Validation with Examples
+    runs-on: ubuntu-latest
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }}
+          aws-region: us-west-2
+          role-duration-seconds: 7200
+      - name: Run CodeBuild
+        uses: aws-actions/aws-codebuild-run-build@v1
+        timeout-minutes: 120
+        env:
+          VERSION: "4.0.2"
+        with:
+          project-name: python-esdk
+          buildspec-override: codebuild/release/validate_released_with_examples.yml
+          image-override: aws/codebuild/standard:7.0
 
   # Code Coverage and Compliance jobs
   code_coverage:
diff --git a/codebuild/release/validate_released_with_examples.yml b/codebuild/release/validate_released_with_examples.yml
@@ -0,0 +1,117 @@
+version: 0.2
+
+env:
+  variables:
+    # VERSION should be passed in from the build environment
+    # Example: VERSION=4.02
+    REGION: "us-west-2"
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+      arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+      arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
+      arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >-
+      arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
+
+phases:
+  install:
+    runtime-versions:
+      python: 3.11
+    commands:
+      # Ensure VERSION is set
+      - |
+        if [ -z "$VERSION" ]; then
+          echo "ERROR: VERSION environment variable is not set"
+          echo "Please set VERSION to the released version to validate (e.g. VERSION=4.02)"
+          exit 1
+        fi
+      # Install the released package instead of the source
+      - echo "Installing aws-encryption-sdk version $VERSION"
+      - pip install "aws-encryption-sdk==$VERSION"
+      - pip install "tox < 4.0"
+  build:
+    commands:
+      # Create a simple tox.ini file for running examples with the installed package
+      - |
+        cat > release_validation_tox.ini << 'EOF'
+        [tox]
+        envlist = py311
+        skipsdist = True
+
+        [testenv]
+        passenv =
+            AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID
+            AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2
+            AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1
+            AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2
+            AWS_ACCESS_KEY_ID
+            AWS_SECRET_ACCESS_KEY
+            AWS_SESSION_TOKEN
+            AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
+            AWS_PROFILE
+        deps =
+            pytest
+            pytest-mock
+            mock
+            coverage
+            pyyaml
+            moto
+            boto3
+            cryptography
+        commands =
+            # Run non-MPL examples
+            pytest examples/test/legacy/ -m examples
+            # Run all other examples
+            pytest examples/test/ -m examples --ignore examples/test/legacy/
+        EOF
+
+      # Run the examples with NUM_RETRIES to handle transient failures
+      - NUM_RETRIES=3
+      - |
+        while [ $NUM_RETRIES -gt 0 ]
+        do
+          tox -c release_validation_tox.ini -e py311
+          if [ $? -eq 0 ]; then
+            break
+          fi
+          NUM_RETRIES=$((NUM_RETRIES-1))
+          if [ $NUM_RETRIES -eq 0 ]; then
+            echo "All validation attempts failed, stopping"
+            exit 1;
+          else
+            echo "Validation failed, retrying in 60 seconds; will retry $NUM_RETRIES more times" && sleep 60
+          fi
+        done
+
+      # Assume special role for MPL-specific tests
+      - echo "Running tests with special role for MPL features"
+      - TMP_ROLE=$(aws sts assume-role --role-arn "arn:aws:iam::370957321024:role/GitHub-CI-Public-ESDK-Python-Role-us-west-2" --role-session-name "CB-ValidateReleased")
+      - export TMP_ROLE
+      - export AWS_ACCESS_KEY_ID=$(echo "${TMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
+      - export AWS_SECRET_ACCESS_KEY=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
+      - export AWS_SESSION_TOKEN=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SessionToken')
+      - aws sts get-caller-identity
+      
+      # Also install MPL requirements
+      - pip install -r requirements_mpl.txt
+      
+      # Run MPL-specific examples
+      - NUM_RETRIES=3
+      - |
+        while [ $NUM_RETRIES -gt 0 ]
+        do
+          # Only run the MPL-specific tests that require special permissions
+          # These would normally be run with py311-mplexamples-mpl
+          python -m pytest examples/test/ -m examples --ignore examples/test/legacy/
+          if [ $? -eq 0 ]; then
+            break
+          fi
+          NUM_RETRIES=$((NUM_RETRIES-1))
+          if [ $NUM_RETRIES -eq 0 ]; then
+            echo "All MPL validation attempts failed, stopping"
+            exit 1;
+          else
+            echo "MPL validation failed, retrying in 60 seconds; will retry $NUM_RETRIES more times" && sleep 60
+          fi
+        done
diff --git a/codebuild/release/validate_test_vectors.yml b/codebuild/release/validate_test_vectors.yml
@@ -0,0 +1,60 @@
+version: 0.2
+
+# Validation script for aws-encryption-sdk using test vectors to verify cryptographic operations
+# and interoperability with the keyring model
+
+phases:
+  install:
+    commands:
+      - pip install "tox < 4.0" poetry
+      - pip install --upgrade pip
+    runtime-versions:
+      python: latest
+      dotnet: 6.0
+  pre_build:
+    commands:
+      # Setup environment
+      - aws configure set region us-west-2
+      - git clone https://github.com/aws/aws-encryption-sdk.git esdk-dafny
+      - cd esdk-dafny && git submodule update --init --recursive && cd ..
+      # Install packages and setup environments
+      - pip install aws-encryption-sdk==$VERSION
+      - pyenv install --skip-existing 3.11.0 && pyenv local 3.11.0
+      - make -C esdk-dafny/mpl/StandardLibrary setup_net
+      - pip install pytest boto3 attrs cryptography
+      # Update the aws-encryption-sdk version in TestVectors
+      - sed -i "s/aws-encryption-sdk = \">=4.0.1\"/aws-encryption-sdk = \"==$VERSION\"/" \
+        esdk-dafny/TestVectors/runtimes/python/pyproject.toml
+  build:
+    commands:
+      - NUM_RETRIES=3
+      - |
+        run_command() {
+          eval "$1"
+          return $?
+        }
+        
+        # Navigate to TestVectors directory
+        cd esdk-dafny/TestVectors || exit 1
+        
+        while [ $NUM_RETRIES -gt 0 ]
+        do
+          
+          # Build TestVectors implementation in Python
+          CORES=$(nproc || echo 4)
+          if ! run_command "make transpile_python CORES=$CORES"; then
+            NUM_RETRIES=$((NUM_RETRIES-1))
+            [ $NUM_RETRIES -gt 0 ] && sleep 60 && continue
+            exit 1
+          fi
+          
+          # Run all the test vector commands together
+          if ! run_command "make test_generate_vectors_python && make test_encrypt_vectors_python && make test_decrypt_encrypt_vectors_python"; then
+            NUM_RETRIES=$((NUM_RETRIES-1))
+            [ $NUM_RETRIES -gt 0 ] && sleep 60 && continue
+            exit 1
+          fi
+          
+          # Success
+          break
+        done
