ci: harden CI/CD security #8
| name: E2E Tests | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| pr_number: | |
| description: 'PR number to test (checks out the PR merge ref)' | |
| required: false | |
| type: string | |
| aws_region: | |
| description: 'AWS region for deployment' | |
| default: 'us-east-1' | |
| concurrency: | |
| group: e2e-${{ inputs.pr_number || github.ref }} | |
| cancel-in-progress: false | |
| permissions: | |
| id-token: write # OIDC — lets GitHub assume an AWS IAM role via short-lived token (no stored keys) | |
| contents: read | |
| jobs: | |
| e2e: | |
| runs-on: ubuntu-latest | |
| environment: e2e-testing | |
| timeout-minutes: 30 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| cdk-source: [npm, main] | |
| steps: | |
| - name: Resolve checkout ref | |
| id: ref | |
| env: | |
| PR_NUMBER: ${{ inputs.pr_number }} | |
| run: | | |
| if [[ -n "$PR_NUMBER" ]]; then | |
| echo "ref=refs/pull/${PR_NUMBER}/merge" >> "$GITHUB_OUTPUT" | |
| echo "Checking out PR #${PR_NUMBER} merge ref" | |
| else | |
| echo "ref=${{ github.ref }}" >> "$GITHUB_OUTPUT" | |
| echo "Checking out ${{ github.ref }}" | |
| fi | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| with: | |
| ref: ${{ steps.ref.outputs.ref }} | |
| persist-credentials: false | |
| - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 | |
| with: | |
| node-version: '20.x' | |
| cache: 'npm' | |
| - name: Configure git | |
| run: | | |
| git config --global user.email "ci@amazon.com" | |
| git config --global user.name "CI" | |
| - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7 | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6 | |
| with: | |
| role-to-assume: ${{ secrets.E2E_AWS_ROLE_ARN }} | |
| aws-region: ${{ inputs.aws_region || 'us-east-1' }} | |
| - name: Get AWS Account ID | |
| id: aws | |
| run: echo "account_id=$(aws sts get-caller-identity --query Account --output text)" >> "$GITHUB_OUTPUT" | |
| - name: Get API keys from Secrets Manager | |
| uses: aws-actions/aws-secretsmanager-get-secrets@2cb1a461cbd4865ac4299648312e4704c646cd53 # v3 | |
| with: | |
| secret-ids: | | |
| E2E,${{ secrets.E2E_SECRET_ARN }} | |
| parse-json-secrets: true | |
| # Build @aws/agentcore-cdk from source for cross-package testing. | |
| # Requires secrets: CDK_REPO_NAME (org/repo), CDK_REPO_TOKEN (fine-grained PAT) | |
| - name: Build CDK package from main | |
| if: matrix.cdk-source == 'main' | |
| run: | | |
| git clone --depth 1 "https://x-access-token:${CDK_REPO_TOKEN}@github.com/${CDK_REPO}.git" /tmp/cdk-repo | |
| cd /tmp/cdk-repo | |
| npm ci | |
| npm run build | |
| TARBALL=$(npm pack --pack-destination "$RUNNER_TEMP" | tail -1) | |
| echo "CDK_TARBALL=$RUNNER_TEMP/$TARBALL" >> "$GITHUB_ENV" | |
| env: | |
| CDK_REPO_TOKEN: ${{ secrets.CDK_REPO_TOKEN }} | |
| CDK_REPO: ${{ secrets.CDK_REPO_NAME }} | |
| - run: npm ci | |
| - run: npm run build | |
| - name: Install CLI globally | |
| run: npm install -g "$(npm pack | tail -1)" | |
| - name: Run E2E tests (${{ matrix.cdk-source }}) | |
| env: | |
| AWS_ACCOUNT_ID: ${{ steps.aws.outputs.account_id }} | |
| AWS_REGION: ${{ inputs.aws_region || 'us-east-1' }} | |
| ANTHROPIC_API_KEY: ${{ env.E2E_ANTHROPIC_API_KEY }} | |
| OPENAI_API_KEY: ${{ env.E2E_OPENAI_API_KEY }} | |
| GEMINI_API_KEY: ${{ env.E2E_GEMINI_API_KEY }} | |
| CDK_TARBALL: ${{ env.CDK_TARBALL }} | |
| # Only run Bedrock tests on PRs to avoid creating ApiKeyCredentialProviders, | |
| # which have a 50-resource account limit and accumulate from interrupted runs. | |
| run: npx vitest run --project e2e strands-bedrock langgraph-bedrock |
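Review bot: The PR checkout's `npm ci` and `npm run build` (and, in the `main` matrix leg, the CDK repo's `npm ci`) execute with the OIDC AWS credentials and the `E2E_*` API keys already exported into the job environment by the two steps before them, so an install-time lifecycle script in `refs/pull/N/merge` — which may come from a fork — can read them before a single test runs. Move "Configure AWS credentials" and "Get API keys from Secrets Manager" to just before "Run E2E tests", and document the residual exposure on the `pr_number` input, e.g. `# Runs untrusted PR code with live AWS credentials: review the PR before dispatching; the e2e-testing environment should require reviewers.` The `git clone` with the PAT embedded in the URL also leaves the token in `/tmp/cdk-repo/.git/config`, readable by that repo's build scripts; checking the repo out with `actions/checkout` and `persist-credentials: false` avoids that, as below. If this workflow really runs only the Bedrock projects, the Anthropic/OpenAI/Gemini keys fetched from Secrets Manager look unused here and could be dropped from `secret-ids` until a provider test needs them — worth confirming against the vitest projects.
```yaml
      # … unchanged: checkout, setup-node, git config, setup-uv …
      - name: Check out CDK repo (main)
        if: matrix.cdk-source == 'main'
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          repository: ${{ secrets.CDK_REPO_NAME }}
          token: ${{ secrets.CDK_REPO_TOKEN }}
          path: cdk-repo
          persist-credentials: false
      - name: Build CDK package from main
        if: matrix.cdk-source == 'main'
        run: |
          cd cdk-repo
          # … unchanged: npm ci / npm run build / npm pack / CDK_TARBALL export …
      # … unchanged: npm ci, npm run build, install CLI …
      # "Configure AWS credentials" and "Get API keys from Secrets Manager" moved here,
      # immediately before "Run E2E tests", so install/build scripts never see them.
```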