Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .github/workflows/build-artifacts.yml
Original file line number Diff line number Diff line change
Expand Up @@ -103,6 +103,7 @@ jobs:
java-distribution: ${{ matrix.java-distribution || needs.get-configs.outputs.java-distribution }}
kotlin-version: ${{ needs.get-configs.outputs.kotlin-version }}
ktlint-version: ${{ needs.get-configs.outputs.ktlint-version }}
gradle-version: ${{ needs.get-configs.outputs.gradle-version }}

- name: Log tool versions
uses: ./.github/actions/print-build-versions
Expand Down
6 changes: 6 additions & 0 deletions .github/workflows/configs.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,9 @@ on:
kotlin-version:
description: "Kotlin compiler (kotlinc) version"
value: ${{ jobs.get-configs.outputs.kotlin-version }}
dokka-version:
description: "Dokka version for the JVM binding Javadoc jar"
value: ${{ jobs.get-configs.outputs.dokka-version }}
ktlint-version:
description: "ktlint version"
value: ${{ jobs.get-configs.outputs.ktlint-version }}
Expand Down Expand Up @@ -66,6 +69,7 @@ jobs:
JAVA_VERSION: '21'
JAVA_DISTRIBUTION: 'corretto'
KOTLIN_VERSION: '2.4.0'
DOKKA_VERSION: '1.9.20' # keep in sync with bindings-jvm/build.gradle.kts
KTLINT_VERSION: '1.8.0'
GRADLE_VERSION: '8.14'
JNA_VERSION: '5.19.1' # keep in sync with bindings-jvm/build.sh
Expand All @@ -83,6 +87,7 @@ jobs:
java-version: ${{ env.JAVA_VERSION }}
java-distribution: ${{ env.JAVA_DISTRIBUTION }}
kotlin-version: ${{ env.KOTLIN_VERSION }}
dokka-version: ${{ env.DOKKA_VERSION }}
ktlint-version: ${{ env.KTLINT_VERSION }}
gradle-version: ${{ env.GRADLE_VERSION }}
jna-version: ${{ env.JNA_VERSION }}
Expand All @@ -102,6 +107,7 @@ jobs:
echo "java-version = ${{ env.JAVA_VERSION }}"
echo "java-distribution = ${{ env.JAVA_DISTRIBUTION }}"
echo "kotlin-version = ${{ env.KOTLIN_VERSION }}"
echo "dokka-version = ${{ env.DOKKA_VERSION }}"
echo "ktlint-version = ${{ env.KTLINT_VERSION }}"
echo "gradle-version = ${{ env.GRADLE_VERSION }}"
echo "jna-version = ${{ env.JNA_VERSION }}"
Expand Down
115 changes: 115 additions & 0 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -196,6 +196,26 @@
printf '%s\n' "$fingerprint" > release/signing-key.pem.sha256
echo "public key SHA-256: $fingerprint"

- name: Configure AWS credentials for Maven signing key
if: ${{ !contains(inputs.tag, '-beta') }}
uses: aws-actions/configure-aws-credentials@v6.2.0

Check warning

Code scanning / CodeQL

Unpinned tag for a non-immutable Action in workflow or composite action Medium

Unpinned 3rd party Action 'Release' step
Uses Step
uses 'aws-actions/configure-aws-credentials' with ref 'v6.2.0', not a pinned commit hash
with:
role-to-assume: ${{ secrets.MAVEN_SIGNING_ROLE_ARN }}
aws-region: ${{ secrets.AWS_REGION }}

- name: Add Maven PGP public key to release assets
if: ${{ !contains(inputs.tag, '-beta') }}
env:
MAVEN_GPG_SECRET_ID: ${{ secrets.MAVEN_GPG_SECRET_ID }}
run: |
set -euo pipefail
secret_json="$(aws secretsmanager get-secret-value \
--secret-id "$MAVEN_GPG_SECRET_ID" --query SecretString --output text)"
key="release/cloudformation-validate-maven-signing-key.asc"
printf '%s' "$secret_json" | jq -r '.publicKey' > "$key"
printf '%s' "$secret_json" | jq -r '.fingerprint' > "$key.fingerprint"
echo "Maven PGP public key fingerprint: $(cat "$key.fingerprint")"

- name: Create GitHub Release
uses: softprops/action-gh-release@v3
with:
Expand All @@ -205,6 +225,101 @@
files: release/*
fail_on_unmatched_files: true

publish-maven:
needs: [ get-configs, version-and-tag, release ]
if: ${{ !contains(inputs.tag, '-beta') }}
runs-on: ubuntu-latest
environment: release-maven
permissions:
contents: read
id-token: write
env:
WORKING_DIR: ${{ needs.get-configs.outputs.working-dir }}
steps:
- uses: actions/checkout@v6
with:
ref: ${{ inputs.tag }}

- name: Setup JVM toolchain
uses: ./.github/actions/setup-jvm-toolchain
with:
java-version: ${{ needs.get-configs.outputs.java-version }}
java-distribution: ${{ needs.get-configs.outputs.java-distribution }}
kotlin-version: ${{ needs.get-configs.outputs.kotlin-version }}
ktlint-version: ${{ needs.get-configs.outputs.ktlint-version }}
gradle-version: ${{ needs.get-configs.outputs.gradle-version }}

- name: Verify committed jar is present and multi-platform
working-directory: ${{ env.WORKING_DIR }}/bindings-jvm
run: |
set -euo pipefail
jar="generated/cloudformation-validate.jar"
if [ ! -f "$jar" ]; then
echo "::error::Missing $jar. Run the Build Artifacts workflow and merge its PR first."
exit 1
fi
for prefix in linux-x86-64 darwin-aarch64 win32-x86-64; do
if ! unzip -Z1 "$jar" | grep -q "^$prefix/"; then
echo "::error::native library for $prefix missing from committed jar; the all-platform merge did not run"
exit 1
fi
done
echo "Committed jar carries all three platform natives."

- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v6.2.0

Check warning

Code scanning / CodeQL

Unpinned tag for a non-immutable Action in workflow or composite action Medium

Unpinned 3rd party Action 'Release' step
Uses Step
uses 'aws-actions/configure-aws-credentials' with ref 'v6.2.0', not a pinned commit hash
with:
role-to-assume: ${{ secrets.MAVEN_SIGNING_ROLE_ARN }}
aws-region: ${{ secrets.AWS_REGION }}

- name: Fetch PGP signing key
id: signing-secrets
env:
MAVEN_GPG_SECRET_ID: ${{ secrets.MAVEN_GPG_SECRET_ID }}
run: |
set -euo pipefail

secret_json="$(aws secretsmanager get-secret-value \
--secret-id "$MAVEN_GPG_SECRET_ID" --query SecretString --output text)"
{
echo "signing_key<<__EOF_KEY__"
printf '%s' "$secret_json" | jq -r '.privateKey'
echo "__EOF_KEY__"
echo "signing_password<<__EOF_PASS__"
printf '%s' "$secret_json" | jq -r '.passphrase'
echo "__EOF_PASS__"
} >> "$GITHUB_OUTPUT"

- name: Build signed Central Portal bundle
working-directory: ${{ env.WORKING_DIR }}/bindings-jvm
env:
ORG_GRADLE_PROJECT_signingKey: ${{ steps.signing-secrets.outputs.signing_key }}
ORG_GRADLE_PROJECT_signingPassword: ${{ steps.signing-secrets.outputs.signing_password }}
run: |
set -euo pipefail
gradle --no-daemon --console=plain centralBundle
ls -lh build/central/

- name: Verify every artifact is signed
working-directory: ${{ env.WORKING_DIR }}/bindings-jvm
run: |
set -euo pipefail
bundle="$(ls build/central/*-bundle.zip)"
tmp="$(mktemp -d)"
unzip -qo "$bundle" -d "$tmp"
base="$tmp/software/amazon/cloudformation/cloudformation-validate/${{ inputs.tag }}"
missing=0
for suffix in .jar -sources.jar -javadoc.jar .pom; do
f="cloudformation-validate-${{ inputs.tag }}${suffix}"
for companion in asc md5 sha1; do
if [ ! -f "$base/$f.$companion" ]; then
echo "::error::missing $f.$companion in bundle"
missing=1
fi
done
done
[ "$missing" -eq 0 ] && echo "All artifacts carry .asc/.md5/.sha1." || exit 1

publish-npm:
needs: [ get-configs, version-and-tag, release ]
runs-on: ubuntu-latest
Expand Down
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -121,7 +121,7 @@ engine.free();
### JVM (Kotlin)

```kotlin
import com.amazonaws.cloudformation.validation.*
import software.amazon.cloudformation.validate.*
import java.io.File

val engine = RegoEngine()
Expand Down
4 changes: 2 additions & 2 deletions src/bindings-jvm/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ JVM bindings for [`cloudformation-validate`](https://github.com/aws-cloudformati
via [UniFFI](https://mozilla.github.io/uniffi-rs/). Compiles the full validation pipeline into a native shared library
with auto-generated Kotlin bindings, packaged as a JAR with bundled natives.

All types live in `com.amazonaws.cloudformation.validation`.
All types live in `software.amazon.cloudformation.validate`.

For a complete, runnable example, see
[examples](https://github.com/aws-cloudformation/cloudformation-validate/tree/main/src/bindings-jvm/examples).
Expand All @@ -15,7 +15,7 @@ For a complete, runnable example, see
diagnostics for the same template and config.

```kotlin
import com.amazonaws.cloudformation.validation.*
import software.amazon.cloudformation.validate.*
import java.io.File

val engine = RegoEngine()
Expand Down
2 changes: 1 addition & 1 deletion src/bindings-jvm/bench/settings.gradle.kts
Original file line number Diff line number Diff line change
@@ -1 +1 @@
rootProject.name = "bindings-jvm-bench"
rootProject.name = "cloudformation-validate-bench"
24 changes: 12 additions & 12 deletions src/bindings-jvm/bench/src/main/kotlin/Benchmark.kt
Original file line number Diff line number Diff line change
@@ -1,15 +1,15 @@
import com.amazonaws.cloudformation.validation.JvmCelEngine
import com.amazonaws.cloudformation.validation.JvmRegoEngine
import com.amazonaws.cloudformation.validation.JvmSemanticModel
import com.amazonaws.cloudformation.validation.SchemaValidator
import com.amazonaws.cloudformation.validation.ValidateConfig
import com.amazonaws.cloudformation.validation.diagnostics.DetailedReport
import com.amazonaws.cloudformation.validation.engine.EngineConfig
import com.amazonaws.cloudformation.validation.gson.buildBindingsGson
import com.amazonaws.cloudformation.validation.rules.RuleFilterConfig
import com.amazonaws.cloudformation.validation.rules.Severity
import com.amazonaws.cloudformation.validation.templatemodel.PseudoParameterOverrides
import com.amazonaws.cloudformation.validation.version
import software.amazon.cloudformation.validate.JvmCelEngine
import software.amazon.cloudformation.validate.JvmRegoEngine
import software.amazon.cloudformation.validate.JvmSemanticModel
import software.amazon.cloudformation.validate.SchemaValidator
import software.amazon.cloudformation.validate.ValidateConfig
import software.amazon.cloudformation.validate.diagnostics.DetailedReport
import software.amazon.cloudformation.validate.engine.EngineConfig
import software.amazon.cloudformation.validate.gson.buildBindingsGson
import software.amazon.cloudformation.validate.rules.RuleFilterConfig
import software.amazon.cloudformation.validate.rules.Severity
import software.amazon.cloudformation.validate.templatemodel.PseudoParameterOverrides
import software.amazon.cloudformation.validate.version
import com.google.gson.JsonArray
import com.google.gson.JsonObject
import java.io.File
Expand Down
Loading
Loading