More robust sample testing ruby (#103)

environment security and more robust testing

Author: skyero-aws

.github/dependabot.yml

@@ -10,4 +10,4 @@ updates:
     directory: "/"
     open-pull-requests-limit: 2
     schedule:
-      interval: "daily"
+      interval: "weekly"

.github/scripts/clean_up_stream_table.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+aws kinesis delete-stream --stream-name $STREAM_NAME || true
+
+## Reset the values of checkpoint, leaseCounter, ownerSwitchesSinceCheckpoint, and leaseOwner in DynamoDB table
+echo "Resetting DDB table"
+aws dynamodb update-item \
+  --table-name $APP_NAME \
+  --key '{"leaseKey": {"S": "shardId-000000000000"}}' \
+  --update-expression "SET checkpoint = :checkpoint, leaseCounter = :counter, ownerSwitchesSinceCheckpoint = :switches, leaseOwner = :owner" \
+  --expression-attribute-values '{
+    ":checkpoint": {"S": "TRIM_HORIZON"},
+    ":counter": {"N": "0"},
+    ":switches": {"N": "0"},
+    ":owner": {"S": "AVAILABLE"}
+  }' \
+  --return-values NONE
+
+# Delete all tables
+#for i in {1..5}; do
+#  aws dynamodb delete-table --table-name $APP_NAME && break ||
+#  echo "Retrying DynamoDB Table deletion in 10s" && sleep 10
+#done
+#for SUFFIX in "-CoordinatorState" "-WorkerMetricStats" "-LeaseManagement"; do
+#  if aws dynamodb describe-table --table-name $APP_NAME$SUFFIX &>/dev/null; then
+#    echo "Deleting table $APP_NAME$SUFFIX"
+#    aws dynamodb delete-table --table-name $APP_NAME$SUFFIX || true
+#  fi
+#done

.github/scripts/create_stream.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+set -e
+
+for i in {1..10}; do
+  if aws kinesis create-stream --stream-name $STREAM_NAME --shard-count 1; then
+    break
+  else
+    echo "Stream creation failed, attempt $i/10. Waiting $((i * 3)) seconds..."
+    sleep $((i * 3))
+  fi
+done
+aws kinesis wait stream-exists --stream-name $STREAM_NAME

.github/scripts/manipulate_properties.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+set -e
+
+# Manipulate sample.properties file that the KCL application pulls properties from (ex: streamName, applicationName)
+# Depending on the OS, different properties need to be changed
+if [[ "$RUNNER_OS" == "macOS" ]]; then
+  sed -i "" "s/kclrbsample/$STREAM_NAME/g" samples/sample.properties
+  sed -i "" "s/RubyKCLSample/$APP_NAME/g" samples/sample.properties
+  sed -i "" 's/us-east-5/us-east-1/g' samples/sample.properties
+  grep -v "idleTimeBetweenReadsInMillis" samples/sample.properties > samples/temp.properties
+  echo "idleTimeBetweenReadsInMillis = 250" >> samples/temp.properties
+  mv samples/temp.properties samples/sample.properties
+elif [[ "$RUNNER_OS" == "Linux" ]]; then
+  sed -i "s/kclrbsample/$STREAM_NAME/g" samples/sample.properties
+  sed -i "s/RubyKCLSample/$APP_NAME/g" samples/sample.properties
+  sed -i 's/us-east-5/us-east-1/g' samples/sample.properties
+  sed -i "/idleTimeBetweenReadsInMillis/c\idleTimeBetweenReadsInMillis = 250" samples/sample.properties
+elif [[ "$RUNNER_OS" == "Windows" ]]; then
+  sed -i "s/kclrbsample/$STREAM_NAME/g" samples/sample.properties
+  sed -i "s/RubyKCLSample/$APP_NAME/g" samples/sample.properties
+  sed -i 's/us-east-5/us-east-1/g' samples/sample.properties
+  sed -i "/idleTimeBetweenReadsInMillis/c\idleTimeBetweenReadsInMillis = 250" samples/sample.properties
+
+  echo '@echo off' > samples/run_script.bat
+  echo 'ruby %~dp0\sample_kcl.rb %*' >> samples/run_script.bat
+  sed -i 's/executableName = sample_kcl.rb/executableName = run_script.bat/' samples/sample.properties
+else
+  echo "Unknown OS: $RUNNER_OS"
+  exit 1
+fi
+
+cat samples/sample.properties

.github/scripts/put_words_to_stream.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+set -e
+
+cd samples
+ruby sample_kcl_producer.rb -t 10 -d 1 --stream $STREAM_NAME
+
+# Get records from stream to verify they exist before continuing
+SHARD_ITERATOR=$(aws kinesis get-shard-iterator --stream-name $STREAM_NAME --shard-id shardId-000000000000 --shard-iterator-type TRIM_HORIZON --query 'ShardIterator' --output text)
+INITIAL_RECORDS=$(aws kinesis get-records --shard-iterator $SHARD_ITERATOR)
+RECORD_COUNT_BEFORE=$(echo $INITIAL_RECORDS | jq '.Records | length')
+
+if [ "$RECORD_COUNT_BEFORE" -eq 0 ]; then
+  echo "No records found in stream. Test cannot proceed."
+  exit 1
+fi
+echo "Found $RECORD_COUNT_BEFORE records in stream before KCL start"

.github/scripts/start_kcl.sh

@@ -0,0 +1,41 @@
+#!/bin/bash
+set -e
+set -o pipefail
+
+chmod +x samples/sample_kcl.rb
+
+# Reset the values of checkpoint, leaseCounter, ownerSwitchesSinceCheckpoint, and leaseOwner in DynamoDB table
+echo "Resetting checkpoint for shardId-000000000000"
+aws dynamodb update-item \
+  --table-name $APP_NAME \
+  --key '{"leaseKey": {"S": "shardId-000000000000"}}' \
+  --update-expression "SET checkpoint = :checkpoint, leaseCounter = :counter, ownerSwitchesSinceCheckpoint = :switches, leaseOwner = :owner" \
+  --expression-attribute-values '{
+    ":checkpoint": {"S": "TRIM_HORIZON"},
+    ":counter": {"N": "0"},
+    ":switches": {"N": "0"},
+    ":owner": {"S": "AVAILABLE"}
+  }' \
+  --return-values NONE 2>/dev/null || echo "DynamoDB table not found or update failed - KCL will create it"
+
+# Get records from stream to verify they exist before continuing
+SHARD_ITERATOR=$(aws kinesis get-shard-iterator --stream-name $STREAM_NAME --shard-id shardId-000000000000 --shard-iterator-type TRIM_HORIZON --query 'ShardIterator' --output text)
+INITIAL_RECORDS=$(aws kinesis get-records --shard-iterator $SHARD_ITERATOR)
+RECORD_COUNT_BEFORE=$(echo $INITIAL_RECORDS | jq '.Records | length')
+
+echo "Found $RECORD_COUNT_BEFORE records in stream before KCL start"
+
+if [[ "$RUNNER_OS" == "macOS" ]]; then
+  brew install coreutils
+  (cd samples && gtimeout 300 rake run properties_file=sample.properties 2>&1 | tee ../kcl_output.log) || [ $? -eq 124 ]
+elif [[ "$RUNNER_OS" == "Linux" ]]; then
+  (cd samples && timeout 300 rake run properties_file=sample.properties 2>&1 | tee ../kcl_output.log) || [ $? -eq 124 ]
+elif [[ "$RUNNER_OS" == "Windows" ]]; then
+  (cd samples && timeout 300 rake run properties_file=sample.properties 2>&1 | tee ../kcl_output.log) || [ $? -eq 124 ]
+else
+  echo "Unknown OS: $RUNNER_OS"
+  exit 1
+fi
+
+echo "---------ERROR LOGS HERE-------"
+grep -i error kcl_output.log || echo "No errors found in logs"

.github/scripts/verify_kcl.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+set -e
+
+LEASE_EXISTS=$(aws dynamodb scan --table-name $APP_NAME --select "COUNT" --query "Count" --output text || echo "0")
+CHECKPOINT_EXISTS=$(aws dynamodb scan --table-name $APP_NAME --select "COUNT" --filter-expression "attribute_exists(checkpoint) AND checkpoint <> :trim_horizon" --expression-attribute-values '{":trim_horizon": {"S": "TRIM_HORIZON"}}' --query "Count" --output text || echo "0")
+
+echo "Found $LEASE_EXISTS leases and $CHECKPOINT_EXISTS non-TRIM-HORIZON checkpoint in DynamoDB"
+
+echo "Printing checkpoint values"
+aws dynamodb scan --table-name $APP_NAME --projection-expression "leaseKey,checkpoint" --output json
+
+if [ "$LEASE_EXISTS" -gt 0 ] && [ "$CHECKPOINT_EXISTS" -gt 0 ]; then
+  echo "Test passed: Found both leases and non-TRIM_HORIZON checkpoints in DDB (KCL is fully functional)"
+  exit 0
+else
+  echo "Test failed: KCL not fully functional"
+  echo "Lease(s) found: $LEASE_EXISTS"
+  echo "non-TRIM_HORIZON checkpoint(s) found: $CHECKPOINT_EXISTS"
+  exit 1
+fi

.github/workflows/ruby.yml

@@ -5,42 +5,76 @@
 # This workflow will download a prebuilt Ruby version, install dependencies and run tests with Rake
 # For more information see: https://github.com/marketplace/actions/setup-ruby-jruby-and-truffleruby
 
-name: Sample Run and Dependabot Auto-merge
+name: Sample Run Tests and Dependabot
 on:
   push:
     branches: [ master ]
+  pull_request_target:
+    branches: [ master ]
+    types: [opened, synchronize, reopened, unlabeled]
 
-permissions:
-  id-token: write
-  contents: write
-  pull-requests: write
-  statuses: write
+concurrency:
+  group: ruby.yml
+  cancel-in-progress: false
 
 jobs:
+  # Evaluates if the sample tests should run. If the workflow is triggered by a push OR
+  # is triggered by a pull request without the 'skip-sample-tests' label, the sample tests should run.
+  # Otherwise, the sample tests will be skipped
+  check-if-should-run:
+    runs-on: ubuntu-latest
+    if: ${{ github.event_name == 'push' || (github.event_name == 'pull_request_target' && !contains(github.event.pull_request.labels.*.name, 'skip-sample-tests')) }}
+    outputs:
+      should_run: 'true'
+      is_fork: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.fork }}
+    steps:
+      - run: echo "Evaluating workflow conditions"
+
+  # Workflow will pause and wait here if it is triggered by a fork PR. The workflow will continue to wait until
+  # an approved member of the environment 'manual_approval' allows the workflow to run
+  wait-for-approval:
+    needs: [ check-if-should-run ]
+    if: ${{ needs.check-if-should-run.outputs.is_fork == 'true' }}
+    runs-on: ubuntu-latest
+    environment: manual-approval
+    steps:
+      - run: echo "Fork PR approved by a team member."
+
+  # Sample run tests of the KCL
+  # Runs only if (check-if-should-run allows AND (the PR is not from a fork OR it has been approved to run))
   sample-run:
-    timeout-minutes: 8
+    needs: [ check-if-should-run, wait-for-approval ]
+    permissions:
+      id-token: write
+    if: ${{ always() && needs.check-if-should-run.outputs.should_run == 'true' && (needs.check-if-should-run.outputs.is_fork != 'true' || needs.wait-for-approval.result == 'success') }}
+    timeout-minutes: 20
     runs-on: ${{ matrix.os }}
     defaults:
       run:
         shell: bash
 
+    # Initialize matrix based on PR labels (more-tests label runs more tests)
     strategy:
       fail-fast: false
       matrix:
-        ruby-version: [ '3.0', '3.4' ]
-        jdk-version: [ "8", "11",  "17", "21", "24" ]
+        ruby-version: ${{ github.event_name == 'pull_request_target' && contains(github.event.pull_request.labels.*.name, 'more-tests') && fromJSON('["3.0", "3.4"]') || fromJSON('["3.0"]') }}
+        jdk-version: ${{ github.event_name == 'pull_request_target' && contains(github.event.pull_request.labels.*.name, 'more-tests') && fromJSON('["8", "11", "17", "21", "24"]') || fromJSON('["8", "11"]') }}
         os: [ ubuntu-latest, macOS-latest, windows-latest ]
 
     steps:
-      - name: Checkout working directory
+      # For pull_request_target, checkout PR head instead of merge commit
+      - name: Checkout
         uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.ref }}
 
+      # Configure AWS Credentials. Role session name is unique to avoid OIDC errors when running multiple tests concurrently
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-region: us-east-1
-          role-to-assume: arn:aws:iam::751999266872:role/GitHubRuby
-          role-session-name: myGitHubActionsRuby
+          role-to-assume: ${{ secrets.AWS_ARN_GHA }}
+          role-session-name: GHA-${{ github.run_id }}-${{ matrix.ruby-version }}-${{ matrix.jdk-version }}-${{ matrix.os }}
 
       - name: Set up JDK ${{ matrix.jdk-version }}
         uses: actions/setup-java@v4
@@ -53,44 +87,82 @@ jobs:
         with:
           ruby-version: ${{ matrix.ruby-version }}
 
-      - name: Install Bundler and run tests
+      - name: Install dependencies and run tests
         run: |
-          gem install bundler
+          gem install bundler aws-sdk-kinesis aws-kclrb
+          if [ "${{ matrix.os }}" != "windows-latest" ]; then gem install rake; fi
           bundle install
           bundle update --bundler
           bundle exec rspec
 
-      - name: Install Rake (ubuntu and macOS)
-        if: ${{ matrix.os != 'windows-latest' }}
+      # Create unique identifiers for the stream name and application name
+      - name: Set up unique identifiers
         run: |
-          gem install rake
+          STREAM_NAME="kclrbsample-${{ matrix.os }}-rb${{ matrix.ruby-version }}-jdk${{ matrix.jdk-version }}"
+          APP_NAME="RubyKCLSample-${{ matrix.os }}-rb${{ matrix.ruby-version }}-jdk${{ matrix.jdk-version }}"
+          echo "STREAM_NAME=$STREAM_NAME" >> $GITHUB_ENV
+          echo "APP_NAME=$APP_NAME" >> $GITHUB_ENV
 
-      - name: Install Kinesis SDK
+      # Manipulate sample.properties file to use unique stream name, application name, and OS specific program changes
+      - name: Manipulate sample.properties file
         run: |
-          gem install aws-sdk-kinesis
-
-      - name: Running KCL producer
+          chmod +x .github/scripts/manipulate_properties.sh
+          .github/scripts/manipulate_properties.sh
+        env:
+          RUNNER_OS: ${{ matrix.os }}
+          STREAM_NAME: ${{ env.STREAM_NAME }}
+          APP_NAME: ${{ env.APP_NAME }}
+
+      # Create kinesis stream with unique name and wait for it to exist
+      - name: Create and wait Kinesis stream
         run: |
-          cd samples
-          rake "run_producer[10]"
+          chmod +x .github/scripts/create_stream.sh
+          .github/scripts/create_stream.sh
+        env:
+          STREAM_NAME: ${{ env.STREAM_NAME }}
 
-      - name: Running KCL consumer (windows or ubuntu)
-        if: ${{ matrix.os != 'macOS-latest'}}
+      # Put words to sample stream with unique name based on run ID
+      - name: Put words to sample stream
         run: |
-          cd samples
-          timeout 45 rake run properties_file=sample.properties || status="$?"; if (( status == 124 )); then exit 0; else exit 1; fi; exit "$status"
+          chmod +x .github/scripts/put_words_to_stream.sh
+          .github/scripts/put_words_to_stream.sh
+        env:
+          STREAM_NAME: ${{ env.STREAM_NAME }}
 
-      - name: Running KCL consumer (macOS)
-        if: ${{ matrix.os == 'macOS-latest'}}
+      # Run sample KCL application
+      - name: Start KCL application
+        run: |
+          chmod +x .github/scripts/start_kcl.sh
+          .github/scripts/start_kcl.sh
+        env:
+          RUNNER_OS: ${{ matrix.os }}
+          STREAM_NAME: ${{ env.STREAM_NAME }}
+
+      # Check and verify results of KCL test
+      - name: Verify KCL Functionality
         run: |
-          brew install coreutils
-          cd samples
-          gtimeout 45 rake run properties_file=sample.properties || status="$?"; if (( status == 124 )); then exit 0; else exit 1; fi; exit "$status"
+          chmod +x .github/scripts/verify_kcl.sh
+          .github/scripts/verify_kcl.sh
+        env:
+          APP_NAME: ${{ env.APP_NAME }}
+
+      # Clean up all existing Streams and DDB tables
+      - name: Clean up Kinesis Stream and DynamoDB table
+        if: always()
+        run: |
+          chmod +x .github/scripts/clean_up_stream_table.sh
+          .github/scripts/clean_up_stream_table.sh
+        env:
+          STREAM_NAME: ${{ env.STREAM_NAME }}
+          APP_NAME: ${{ env.APP_NAME }}
 
   auto-merge-dependabot:
     needs: [sample-run]
     runs-on: ubuntu-latest
     if: github.actor == 'dependabot[bot]' && github.event.pull_request.user.login == 'dependabot[bot]'
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - name: Fetch Dependabot metadata
         id: metadata
@@ -99,12 +171,12 @@ jobs:
           alert-lookup: true
           github-token: "${{ secrets.GITHUB_TOKEN }}"
 
-#      - name: Approve PR
-#        if: steps.metadata.outputs.update-type != 'version-update:semver-major'
-#        run: gh pr review --approve "$PR_URL"
-#        env:
-#          PR_URL: ${{github.event.pull_request.html_url}}
-#          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
+      - name: Approve PR
+        if: steps.metadata.outputs.update-type != 'version-update:semver-major'
+        run: gh pr review --approve "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
 
 #      - name: Enable auto-merge for Dependabot PRs
 #        if: steps.metadata.outputs.update-type != 'version-update:semver-major'