4 changes: 2 additions & 2 deletions .github/actions/codebuild-docker-run/action.yml
Expand Up @@ -24,11 +24,11 @@ inputs:
ipv6:
description: 'Enables IPv6 networking in the container. Implies --privileged'
required: false
default: false
default: ''
withCredentials:
description: 'Whether to passthru the CodeBuild credentials'
required: false
default: false
default: ''
user:
description: 'Run the docker container as a non-root user'
required: false
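Review bot: The `withCredentials` and `ipv6` descriptions do not say which value enables the behaviour now that the default changed from `false` to `''`; the action's run script compares the input against the literal string `"true"`, so the description should state it, e.g. `description: 'Whether to passthru the CodeBuild credentials; set to the string "true" to enable'`. Composite-action inputs are always strings, so the previous `default: false` was already the string `false`; the empty default makes an unset input distinguishable from an explicit `false`, which is worth a one-line comment above these inputs so the next editor does not revert it. The `inputs:` block continues above and below the hunk.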
Expand Up @@ -50,10 +50,10 @@ fi

PASSTHRU_ENV_VARS=("GOPROXY" "AWS_DEFAULT_REGION" "AWS_REGION")

if [[ "${INPUT_WITH_CREDENTIALS}" == true ]] &&
if [[ "${INPUT_WITH_CREDENTIALS}" == "true" ]] &&
[[ ! "${ENV_FLAGS}" =~ ECS_CONTAINER_METADATA_URI_V4 ]] &&
[[ ! "${ENV_FLAGS}" =~ AWS_CONTAINER_CREDENTIALS_RELATIVE_URI ]]; then
PASSTHRU_ENV_VARS+=(ECS_CONTAINER_METADATA_URI_V4 AWS_CONTAINER_CREDENTIALS_RELATIVE_URI)
PASSTHRU_ENV_VARS+=(ECS_CONTAINER_METADATA_URI_V4 AWS_CONTAINER_CREDENTIALS_RELATIVE_URI AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN)
fi

for ev in "${PASSTHRU_ENV_VARS[@]}"; do
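Review bot: The static credential variables `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` are now forwarded into the container whenever `INPUT_WITH_CREDENTIALS` is `"true"` and the ECS credential-endpoint variables are absent, but nothing records why the endpoint variables alone stopped being sufficient; a comment such as `# After role chaining, configure-aws-credentials exports static session keys and the container cannot reach the CodeBuild credential endpoint, so forward them explicitly` would make the intent auditable (that reason is inferred from the companion configure-aws-credentials change and should be confirmed). Forwarding keys widens what any code executed in the container can do with the runner's assumed role, so callers should leave `withCredentials` unset for jobs that do not need AWS access. The file header for this section is not shown on the page, and the `for ev in "${PASSTHRU_ENV_VARS[@]}"` loop that consumes the list continues outside the hunk, so whether unset variables are skipped cannot be checked here.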
2 changes: 2 additions & 0 deletions .github/actions/configure-aws-credentials/action.yml
Expand Up @@ -20,8 +20,10 @@ runs:
uses: aws-actions/configure-aws-credentials@v5
with:
role-to-assume: arn:aws:iam::${{ steps.env.outputs.aws_account_id }}:role/AwsLcGitHubActionsOidcRole
role-session-name: ${{ github.run_id }}-${{ github.run_attempt }}
- name: Retrieve GitHub Actions Role Credentials
uses: aws-actions/configure-aws-credentials@v5
with:
role-to-assume: arn:aws:iam::${{ steps.env.outputs.aws_account_id }}:role/${{ inputs.roleName }}
role-session-name: ${{ github.run_id }}-${{ github.run_attempt }}
role-chaining: true
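Review bot: The second `configure-aws-credentials` step uses `role-chaining: true`, and STS caps a chained role session at one hour regardless of any `role-duration-seconds`, so a device-farm job that outlives the hour will lose credentials mid-run; a comment recording the constraint, e.g. `# role chaining limits this session to 1h; re-run this action for longer jobs`, belongs above the step. Both hops use the identical `role-session-name`, which is legitimate but makes the two sessions harder to tell apart in CloudTrail; appending the hop's role, e.g. `role-session-name: ${{ github.run_id }}-${{ github.run_attempt }}-${{ inputs.roleName }}`, is a low-cost improvement (keep the 64-character session-name limit in mind). The `runs:` steps list starts above the hunk.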
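--- a/.github/workflows/android-omnibus.yml
+++ b/.github/workflows/android-omnibus.yml
@@ -0,0 +1,60 @@
+name: android-omnibus
+on:
+push:
+branches: ["*"]
+pull_request_target:
+branches: ["*"]
+concurrency:
+group: ${{ github.workflow }}-${{ github.ref_name }}
+cancel-in-progress: true
+env:
+GOPROXY: https://proxy.golang.org,direct
+permissions:
+id-token: write
+contents: read
+
+jobs:
+device-farm:
+name: android-${{ matrix.fips && 'fips-' || '' }}${{ matrix.release && 'release' || 'debug' }}-${{ matrix.shared && 'shared' || 'static' }}
+runs-on:
+- codebuild-aws-lc-ci-github-actions-${{ github.run_id }}-${{ github.run_attempt }}
+image:linux-5.0
+instance-size:medium
+strategy:
+matrix:
+fips: [false, true]
+release: [false, true]
+shared: [false, true]
+exclude:
+- fips: true
+release: false
+steps:
+- uses: actions/checkout@v5
+with:
+ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.ref || github.ref }}
+- name: Query Environment
+id: env
+run: |
+echo staging_url=${ECR_STAGING_REPO} >> "$GITHUB_OUTPUT"
+- name: Retrieve Credentials
+uses: ./.github/actions/configure-aws-credentials
+with:
+roleName: AwsLcGitHubActionDeviceFarmRole
+- name: Login to Amazon ECR
+id: login-ecr
+uses: aws-actions/amazon-ecr-login@v2
+- uses: ./.github/actions/codebuild-docker-run
+name: Run Container
+with:
+image: ${{ steps.login-ecr.outputs.registry }}/aws-lc/android:latest
+withCredentials: true
+run: |
+chmod +x ./tests/ci/android/AWSLCAndroidTestRunner/gradlew
+cd ./tests/ci
+python3 -m venv .env && . .env/bin/activate && pip install -r requirements.txt
+./kickoff_devicefarm_job.sh \
+--test-name "AWS-LC Android GitHub Action ${{ github.run_id }}-${{ github.run_attempt }}" \
+--fips ${{ matrix.fips }} \
+--release ${{ matrix.release }} \
+--shared ${{ matrix.shared }} \
+--action start-job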
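Review bot: This workflow runs on `pull_request_target`, checks out `github.event.pull_request.head.ref`, and then executes `pip install -r requirements.txt` and `./kickoff_devicefarm_job.sh` from that checkout inside a container that receives the runner's AWS credentials (`withCredentials: true`) under `id-token: write`; it should carry the same warning that `image-build-android.yml` gained in this PR, `# Critical: Caution must be used when expanding permissions beyond these as we checkout untrusted pull request code`, directly above `permissions:`. Because `ref:` is a bare branch name, `actions/checkout` presumably resolves it in the base repository so fork branches are not reachable here, but that is a property of the checkout action rather than of this file and is worth confirming and recording in the same comment; the identical checkout pattern appears in `image-build-android.yml` and the note applies there too. The `staging_url` output written by the Query Environment step is not referenced anywhere in the workflow, so the step can be dropped or its output used. With both `push` and `pull_request_target` on `branches: ["*"]`, a pull request from a same-repository branch likely runs the whole matrix twice, and the two runs land in different concurrency groups because `github.ref_name` differs between the events.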
5 changes: 4 additions & 1 deletion .github/workflows/image-build-android.yml
Expand Up @@ -23,6 +23,7 @@ concurrency:
env:
GOPROXY: https://proxy.golang.org,direct
DOCKER_BUILD_RECORD_UPLOAD: false
# Critical: Caution must be used when expanding permissions beyond these as we checkout untrusted pull request code
permissions:
id-token: write
contents: read
Expand All @@ -37,6 +38,8 @@ jobs:
android: ${{ steps.images.outputs.latest }}
steps:
- uses: actions/checkout@v5
with:
ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.ref || github.ref }}
- name: Query Environment
id: env
run: |
Expand Down Expand Up @@ -70,7 +73,7 @@ jobs:
./.github/docker_images/scripts/verify-go-version.sh 1.25

push:
if: ${{ github.event_name != 'pull_request' }}
if: ${{ github.event_name != 'pull_request_target' }}
runs-on:
codebuild-aws-lc-ci-github-actions-${{ github.run_id }}-${{ github.run_attempt }}
image:linux-5.0
43 changes: 41 additions & 2 deletions tests/ci/cdk/cdk/aws_lc_github_oidc_stack.py
Expand Up @@ -61,7 +61,7 @@ def __init__(
self.minimal_oidc_role)

self.device_farm_role = create_device_farm_role(
self, "AwsLcGitHubActionDeviceFarmRole", env, self.minimal_oidc_role)
self, "AwsLcGitHubActionDeviceFarmRole", env, self.minimal_oidc_role, ecr_repos)
self.device_farm_role.grant_assume_role(self.minimal_oidc_role)

self.docker_image_build_role = create_docker_image_build_role(
Expand All @@ -72,7 +72,8 @@ def __init__(

def create_device_farm_role(scope: Construct, id: str,
env: typing.Union[Environment, typing.Dict[str, typing.Any]],
principal: iam.IPrincipal) -> iam.Role:
principal: iam.IPrincipal,
repos: typing.List[ecr.IRepository]) -> iam.Role:
device_farm_policy = iam.PolicyDocument.from_json(
device_farm_access_policy_in_json(env)
)
Expand All @@ -81,6 +82,44 @@ def create_device_farm_role(scope: Construct, id: str,
assumed_by=iam.SessionTagsPrincipal(principal),
inline_policies={
"device_farm_policy": device_farm_policy,
"metrics_policy": iam.PolicyDocument(
statements=[
iam.PolicyStatement(
effect=iam.Effect.ALLOW,
actions=[
"cloudwatch:PutMetricData"
],
resources=["*"],
conditions={
"StringEquals": {
"aws:RequestedRegion": [env.region],
"cloudwatch:namespace": [AWS_LC_METRIC_NS],
}
}
),
]
),
"ecr": iam.PolicyDocument(
statements=[
iam.PolicyStatement(
effect=iam.Effect.ALLOW,
actions=[
"ecr:GetAuthorizationToken",
],
resources=["*"],
),
iam.PolicyStatement(
effect=iam.Effect.ALLOW,
actions=[
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
],
resources=[
x.repository_arn for x in repos],
),
],
),
})

return device_farm_role
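Review bot: The new metrics statement reads `env.region`, but `env` is annotated `typing.Union[Environment, typing.Dict[str, typing.Any]]`, so the dict form would raise `AttributeError` here; either narrow the annotation to `Environment` if callers only pass that, or resolve the region the same way `device_farm_access_policy_in_json(env)` does (its body is not visible in the hunk, so confirm which it is). The new inline-policy key `"ecr"` breaks the `_policy` suffix convention of its siblings `device_farm_policy` and `metrics_policy`; `"ecr_policy"` keeps the dict uniform. `create_device_farm_role` has no docstring; a short one stating that it builds the role assumed via session tags from `principal`, and that `repos` are the ECR repositories the role may pull images from (`ecr:GetAuthorizationToken` must stay on `*` because it is not resource-scoped), would help the next reader. `ecr` and `AWS_LC_METRIC_NS` must be imported or defined elsewhere in the module, which cannot be verified from this section, and the function's definition is split across the hunks.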
46 changes: 5 additions & 41 deletions tests/ci/cdk/cdk/codebuild/github_ci_android_omnibus.yaml
Expand Up @@ -6,46 +6,10 @@ version: 0.2
# Doc for batch https://docs.aws.amazon.com/codebuild/latest/userguide/batch-build-buildspec.html#build-spec.batch.build-list
batch:
build-list:
- identifier: ubuntu2404_android_nonfips_static_debug
buildspec: ./tests/ci/codebuild/android/run_android_static_debug.yml
- identifier: migrated
buildspec: ./tests/ci/codebuild/common/no_op.yml
env:
type: LINUX_CONTAINER
privileged-mode: true
compute-type: BUILD_GENERAL1_MEDIUM
# TODO(CryptoAlg-1276): replace |620771051181| and |us-west-2| with corresponding env variables.
image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:ubuntu-24.04_android_latest
- identifier: ubuntu2404_android_nonfips_static_release
buildspec: ./tests/ci/codebuild/android/run_android_static_release.yml
env:
type: LINUX_CONTAINER
privileged-mode: true
compute-type: BUILD_GENERAL1_MEDIUM
image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:ubuntu-24.04_android_latest
- identifier: ubuntu2404_android_nonfips_shared_debug
buildspec: ./tests/ci/codebuild/android/run_android_shared_debug.yml
env:
type: LINUX_CONTAINER
privileged-mode: true
compute-type: BUILD_GENERAL1_MEDIUM
image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:ubuntu-24.04_android_latest
- identifier: ubuntu2404_android_nonfips_shared_release
buildspec: ./tests/ci/codebuild/android/run_android_shared_release.yml
env:
type: LINUX_CONTAINER
privileged-mode: true
compute-type: BUILD_GENERAL1_MEDIUM
image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:ubuntu-24.04_android_latest
- identifier: ubuntu2404_android_fips_shared_release
buildspec: ./tests/ci/codebuild/android/run_android_fips_shared.yml
env:
type: LINUX_CONTAINER
privileged-mode: true
compute-type: BUILD_GENERAL1_MEDIUM
image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:ubuntu-24.04_android_latest
- identifier: ubuntu2404_android_fips_static_release
buildspec: ./tests/ci/codebuild/android/run_android_fips_static.yml
env:
type: LINUX_CONTAINER
privileged-mode: true
compute-type: BUILD_GENERAL1_LARGE
image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:ubuntu-24.04_android_latest
privileged-mode: false
compute-type: BUILD_GENERAL1_SMALL
image: aws/codebuild/standard:7.0
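Review bot: The new `migrated` entry leaves no pointer to where the Android builds went; a comment above it such as `# Android CI moved to GitHub Actions (.github/workflows/android-omnibus.yml); this no-op keeps the batch build list non-empty` would save the next reader a search through history. Lowering `privileged-mode` to `false` and the compute type to `BUILD_GENERAL1_SMALL` matches a no-op build and is the right minimisation for the remaining project.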