feat!: Release Amazon S3 Encryption Client for Python

.duvet/.gitignore

@@ -0,0 +1,3 @@
+reports/
+requirements/
+specification/

.duvet/config.toml

@@ -0,0 +1,43 @@
+'$schema' = "https://awslabs.github.io/duvet/config/v0.4.0.json"
+
+[[source]]
+pattern = "src/**/*.py"
+type = "implementation"
+comment-style = { meta = "##=", content = "##%" }
+[[source]]
+pattern = "test/**/*.py"
+type = "test"
+comment-style = { meta = "##=", content = "##%" }
+[[source]]
+pattern = "compliance_exceptions/**/*.md"
+type = "exception"
+comment-style = { meta = "##=", content = "##%" }
+
+# Include required specifications here
+[[specification]]
+source = "specification/s3-encryption/materials/keyrings.md"
+[[specification]]
+source = "specification/s3-encryption/materials/s3-keyring.md"
+[[specification]]
+source = "specification/s3-encryption/materials/s3-kms-keyring.md"
+[[specification]]
+source = "specification/s3-encryption/client.md"
+[[specification]]
+source = "specification/s3-encryption/decryption.md"
+[[specification]]
+source = "specification/s3-encryption/encryption.md"
+[[specification]]
+source = "specification/s3-encryption/key-commitment.md"
+[[specification]]
+source = "specification/s3-encryption/key-derivation.md"
+[[specification]]
+source = "specification/s3-encryption/data-format/content-metadata.md"
+[[specification]]
+source = "specification/s3-encryption/data-format/metadata-strategy.md"
+
+[report.html]
+enabled = true
+
+# Enable snapshots to prevent requirement coverage regressions
+[report.snapshot]
+enabled = false

.github/workflows/all-ci.yml

@@ -0,0 +1,66 @@
+name: All CI
+
+on:
+  push:
+    branches: [ main, staging ]
+  pull_request:
+  workflow_dispatch:
+    inputs:
+      python-version:
+        description: 'Python version to use'
+        default: '3.11'
+        required: false
+        type: string
+
+jobs:
+  python-lint:
+    name: Lint
+    uses: ./.github/workflows/lint.yml
+
+  run-test-server:
+    permissions:
+      id-token: write
+      contents: read
+    name: Run TestServer Tests
+    uses: ./.github/workflows/test-server.yml
+    with:
+      python-version: ${{ inputs.python-version || '3.11' }}
+    secrets: inherit
+
+  python-integ:
+    permissions:
+      id-token: write
+      contents: read
+    name: Python Integration Tests
+    uses: ./.github/workflows/python-integ.yml
+    with:
+      python-version: ${{ inputs.python-version || '3.11' }}
+    secrets: inherit
+
+  python-perf:
+    permissions:
+      id-token: write
+      contents: read
+    name: Python Performance Tests
+    uses: ./.github/workflows/python-perf.yml
+    with:
+      python-version: ${{ inputs.python-version || '3.11' }}
+    secrets: inherit
+
+  run-duvet:
+    permissions:
+      id-token: write
+      contents: read
+      pages: write
+    name: Run Duvet
+    uses: ./.github/workflows/duvet.yml
+    secrets: inherit
+
+  run-duvet-test-server:
+    permissions:
+      id-token: write
+      contents: read
+      pages: write
+    name: Run Duvet
+    uses: ./.github/workflows/duvet-test-server.yml
+    secrets: inherit

.github/workflows/daily_ci.yml

@@ -0,0 +1,50 @@
+name: Daily CI
+
+on:
+  schedule:
+    # 5 AM PST = 1 PM UTC, Monday–Friday
+    - cron: "0 13 * * 1-5"
+  workflow_dispatch:
+    inputs:
+      python-version:
+        description: 'Python version to use'
+        default: '3.11'
+        required: false
+        type: string
+
+jobs:
+  run-test-server:
+    permissions:
+      id-token: write
+      contents: read
+    name: Run TestServer Tests
+    uses: ./.github/workflows/test-server.yml
+    with:
+      python-version: ${{ inputs.python-version || '3.11' }}
+    secrets: inherit
+
+  python-integ:
+    permissions:
+      id-token: write
+      contents: read
+    name: Python Integration Tests
+    uses: ./.github/workflows/python-integ.yml
+    with:
+      python-version: ${{ inputs.python-version || '3.11' }}
+    secrets: inherit
+
+  notify:
+    needs:
+      [
+        run-test-server,
+        python-integ
+      ]
+    permissions:
+      id-token: write
+      contents: read
+    if: ${{ failure() }}
+    uses: aws/aws-cryptographic-material-providers-library/.github/workflows/slack-notification.yml@main
+    with:
+      message: "Daily CI failed on `${{ github.repository }}`. View run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+    secrets:
+      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_CI }}

.github/workflows/duvet-test-server.yml

@@ -0,0 +1,121 @@
+name: Generate Duvet Report for TestServer
+
+on:
+  workflow_call:
+    # Optional inputs that can be provided when calling this workflow
+
+jobs:
+  duvet:
+    runs-on: macos-latest
+    permissions:
+      id-token: write
+      contents: read
+      pages: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      # There are a lot of submodules here
+      # This initializes the checkouts in parallel (--jobs)
+      # rather than in series the way actions/checkout@v6 does it.
+
+      - name: Get CPU count
+        id: cpu-count
+        run: echo "count=$(node -p 'require("os").cpus().length')" >> $GITHUB_OUTPUT
+
+      - name: Setup git submodules with PAT
+        run: |
+          git config --global url."https://github.com/".insteadOf "git@github.com:"
+          git config --global credential.helper store
+          echo "https://x-token-auth:${{ secrets.PAT_FOR_SPEC }}@github.com" > ~/.git-credentials
+
+      - name: Optimize git for performance
+        run: |
+          git config --global fetch.parallel ${{ steps.cpu-count.outputs.count }}
+          git config --global submodule.fetchJobs ${{ steps.cpu-count.outputs.count }}
+          git config --global remote.origin.tagOpt --no-tags
+
+      - name: Checkout submodules with --jobs
+        run: |
+          git submodule update --init --depth 1 --single-branch --jobs ${{ steps.cpu-count.outputs.count }} test-server/
+
+
+      - name: Checkout CPP code cpp-v3
+        uses: actions/checkout@v6
+        with:
+          submodules: recursive
+          repository: aws/aws-sdk-cpp
+          ref: main
+          path: test-server/cpp-v3-server/aws-sdk-cpp/
+
+      - name: Setup Rust toolchain
+        uses: actions-rust-lang/setup-rust-toolchain@v1
+        with:
+          toolchain: stable
+
+      - name: Build and install duvet
+        run: |
+          cargo install duvet --locked
+
+      - name: Run duvet
+        if: always()
+        run: cd test-server && make duvet
+
+      - name: Upload duvet reports
+        if: always()
+        uses: actions/upload-artifact@v7
+        with:
+          name: test-server-reports
+          include-hidden-files: true
+          path: test-server/*-server/.duvet/reports/report.html
+
+      - name: Generate compliance dashboard
+        if: always()
+        run: |
+          cd test-server/spec-compliance-dashboard
+          python generate_compliance_dashboard.py
+
+      - name: Create dashboard redirect index.html
+        if: always()
+        run: |
+          cat > test-server/index.html << 'EOF'
+          <!DOCTYPE html>
+          <html lang="en">
+          <head>
+              <meta charset="UTF-8">
+              <meta http-equiv="refresh" content="0; url=spec-compliance-dashboard/compliance_homepage.html">
+              <title>Redirecting to Compliance Dashboard...</title>
+          </head>
+          <body>
+              <p>Redirecting to <a href="spec-compliance-dashboard/compliance_homepage.html">Compliance Dashboard</a>...</p>
+          </body>
+          </html>
+          EOF
+
+      - name: Upload compliance dashboard
+        if: always()
+        uses: actions/upload-artifact@v7
+        with:
+          name: compliance-dashboard
+          include-hidden-files: true
+          path: |
+            test-server/spec-compliance-dashboard/compliance_homepage.html
+            test-server/*/compliance_summary_report.html
+            test-server/*/.duvet/reports/report.html
+            test-server/spec-compliance-dashboard/templates/*
+            test-server/index.html
+
+      - name: Setup Pages
+        if: always() && (github.ref == 'refs/heads/staging' || github.ref == 'refs/heads/fireegg-test-servers') && github.event_name == 'push'
+        uses: actions/configure-pages@v5
+
+      - name: Upload Pages artifact
+        if: always() && (github.ref == 'refs/heads/staging' || github.ref == 'refs/heads/fireegg-test-servers') && github.event_name == 'push'
+        uses: actions/upload-pages-artifact@v3
+        with:
+          path: test-server/
+
+      - name: Deploy to GitHub Pages
+        if: always() && (github.ref == 'refs/heads/staging' || github.ref == 'refs/heads/fireegg-test-servers') && github.event_name == 'push'
+        uses: actions/deploy-pages@v4

.github/workflows/duvet.yml

@@ -0,0 +1,40 @@
+name: duvet on the local S3EC-Python
+
+on:
+  workflow_call:
+    # Optional inputs that can be provided when calling this workflow
+
+jobs:
+  test:
+    runs-on: ubuntu-slim
+    permissions:
+      id-token: write
+      contents: read
+      pages: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Checkout specific specification
+        run: git submodule update --init --recursive specification
+
+      - name: Setup Rust toolchain
+        uses: actions-rust-lang/setup-rust-toolchain@v1
+        with:
+          toolchain: stable
+
+      - name: Install duvet
+        run: |
+          cargo install duvet --locked
+
+      - name: Run duvet
+        run: make duvet
+
+      - name: Upload duvet reports
+        uses: actions/upload-artifact@v7
+        with:
+          name: reports
+          include-hidden-files: true
+          path: .duvet/reports/report.html
+

.github/workflows/lint.yml

@@ -0,0 +1,29 @@
+name: Lint
+
+on:
+  push:
+    branches: [ main ]
+  workflow_call:
+  workflow_dispatch:
+
+jobs:
+  lint:
+    runs-on: macos-15
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: '3.11'
+
+      - name: Install Uv
+        run: pip install uv
+
+      - name: Install dependencies and run linting
+        run: |
+          make install
+          make format-check
+          make lint