agentcore-cli/.github/workflows/e2e-tests.yml at main · CopilotKit/agentcore-cli · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
name: E2E Tests
on:
  workflow_dispatch:
    inputs:
      pr_number:
        description: 'PR number to test (checks out the PR merge ref)'
        required: false
        type: string
      aws_region:
        description: 'AWS region for deployment'
        default: 'us-east-1'
        type: string

concurrency:
  group: e2e-${{ inputs.pr_number || github.ref }}
  cancel-in-progress: false

permissions:
  id-token: write # OIDC — lets GitHub assume an AWS IAM role via short-lived token (no stored keys)
  contents: read

jobs:
  e2e:
    runs-on: ubuntu-latest
    environment: e2e-testing
    timeout-minutes: 30
    env:
      # Single source for the AWS region default. This workflow is
      # dispatch-only, so the input always applies; the fallback guards the
      # case where the optional `aws_region` input is left blank on dispatch.
      AWS_REGION: ${{ inputs.aws_region || 'us-east-1' }}
    strategy:
      fail-fast: false
      matrix:
        cdk-source: [npm, main]
    steps:
      - name: Resolve checkout ref
        id: ref
        env:
          PR_NUMBER: ${{ inputs.pr_number }}
          GH_REF: ${{ github.ref }}
        run: |
          if [[ -n "$PR_NUMBER" ]]; then
            echo "ref=refs/pull/${PR_NUMBER}/merge" >> "$GITHUB_OUTPUT"
            echo "Checking out PR #${PR_NUMBER} merge ref"
          else
            echo "ref=${GH_REF}" >> "$GITHUB_OUTPUT"
            echo "Checking out ${GH_REF}"
          fi
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          ref: ${{ steps.ref.outputs.ref }}
          persist-credentials: false
      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version: '20.x'
          cache: 'npm'
      - name: Configure git
        run: |
          git config --global user.email "ci@amazon.com"
          git config --global user.name "CI"
      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1
        with:
          role-to-assume: ${{ secrets.E2E_AWS_ROLE_ARN }}
          aws-region: ${{ env.AWS_REGION }}
      - name: Get AWS Account ID
        id: aws
        run: echo "account_id=$(aws sts get-caller-identity --query Account --output text)" >> "$GITHUB_OUTPUT"
      - name: Get API keys from Secrets Manager
        uses: aws-actions/aws-secretsmanager-get-secrets@2cb1a461cbd4865ac4299648312e4704c646cd53 # v3
        with:
          secret-ids: |
            E2E,${{ secrets.E2E_SECRET_ARN }}
          parse-json-secrets: true

      # Build @aws/agentcore-cdk from source for cross-package testing.
      # Requires secrets: CDK_REPO_NAME (org/repo), CDK_REPO_TOKEN (fine-grained PAT)
      - name: Build CDK package from main
        if: matrix.cdk-source == 'main'
        run: |
          set -euo pipefail
          [ -n "${CDK_REPO_TOKEN:-}" ] && [ -n "${CDK_REPO:-}" ] || { echo "::error::Required secrets CDK_REPO_NAME and CDK_REPO_TOKEN are not configured"; exit 1; }
          git clone --depth 1 --branch main "https://x-access-token:${CDK_REPO_TOKEN}@github.com/${CDK_REPO}.git" /tmp/cdk-repo
          cd /tmp/cdk-repo
          npm ci
          npm run build
          TARBALL="$(npm pack --json --pack-destination "$RUNNER_TEMP" | jq -r '.[0].filename')"
          [ -n "$TARBALL" ] && [ "$TARBALL" != "null" ] || { echo "::error::npm pack produced no tarball"; exit 1; }
          CDK_TARBALL="$RUNNER_TEMP/$TARBALL"
          # Fail loud: a missing tarball would silently fall back to the published
          # CDK in installCdkTarball(), defeating the `main` matrix leg.
          [ -f "$CDK_TARBALL" ] || { echo "::error::CDK tarball not found at '$CDK_TARBALL'"; exit 1; }
          echo "CDK_TARBALL=$CDK_TARBALL" >> "$GITHUB_ENV"
        env:
          CDK_REPO_TOKEN: ${{ secrets.CDK_REPO_TOKEN }}
          CDK_REPO: ${{ secrets.CDK_REPO_NAME }}

      - run: npm ci
      - run: npm run build
      - name: Install CLI globally
        run: |
          set -euo pipefail
          TARBALL="$(npm pack --json | jq -r '.[0].filename')"
          [ -n "$TARBALL" ] && [ "$TARBALL" != "null" ] || { echo "::error::npm pack produced no tarball"; exit 1; }
          npm install -g "./$TARBALL"
      - name: Run E2E tests (${{ matrix.cdk-source }})
        env:
          AWS_ACCOUNT_ID: ${{ steps.aws.outputs.account_id }}
          ANTHROPIC_API_KEY: ${{ env.E2E_ANTHROPIC_API_KEY }}
          OPENAI_API_KEY: ${{ env.E2E_OPENAI_API_KEY }}
          GEMINI_API_KEY: ${{ env.E2E_GEMINI_API_KEY }}
          CDK_TARBALL: ${{ env.CDK_TARBALL }}
        # This manual/dispatch workflow runs the lighter Bedrock-related e2e subset
        # to keep the per-PR run fast, rather than the full suite (which runs in
        # e2e-tests-full.yml). The args below are vitest substring path filters, so
        # this matches every test file whose path contains `strands-bedrock` or
        # `langgraph-bedrock` (e.g. strands-bedrock, strands-bedrock-memory,
        # container-strands-bedrock, langgraph-bedrock), not just two suites.
        run: npx vitest run --project e2e strands-bedrock langgraph-bedrock