From 88e345e85075fac5c9df2690f3dc23e16010e209 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Wed, 13 May 2026 15:01:51 -0700 Subject: [PATCH 1/8] ci: add Java 17 and 21 to CI matrix --- .github/workflows/ci.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4d25be2b..b2eeff89 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -39,7 +39,7 @@ jobs: # image: "aws/codebuild/amazonlinux-x86_64-standard:5.0" - distribution: corretto image: "aws/codebuild/amazonlinux-x86_64-standard:5.0" # Corretto only runs on AL2 - version: [ 8, 11 ] + version: [ 8, 11, 17, 21 ] steps: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v2 @@ -69,7 +69,7 @@ jobs: # image: "aws/codebuild/standard:3.0" - distribution: corretto image: "aws/codebuild/amazonlinux-x86_64-standard:5.0" # Corretto only runs on AL2 - version: [ 8, 11 ] + version: [ 8, 11, 17, 21 ] steps: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v2 @@ -99,7 +99,7 @@ jobs: # image: "aws/codebuild/standard:3.0" - distribution: corretto image: "aws/codebuild/amazonlinux-x86_64-standard:5.0" # Corretto only runs on AL2 - version: [ 8, 11 ] + version: [ 8, 11, 17, 21 ] steps: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v2 @@ -130,7 +130,7 @@ jobs: # image: "aws/codebuild/standard:3.0" - distribution: corretto image: "aws/codebuild/amazonlinux-x86_64-standard:5.0" # Corretto only runs on AL2 - version: [ 8, 11 ] + version: [ 8, 11, 17, 21 ] steps: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v2 
@@ -182,7 +182,7 @@ jobs: # image: "aws/codebuild/standard:3.0" - distribution: corretto image: "aws/codebuild/amazonlinux-x86_64-standard:5.0" # Corretto only runs on AL2 - version: [ 8, 11 ] + version: [ 8, 11, 17, 21 ] steps: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v2 From 526bc3cff7e8deba40c0a1822ae0e809d8b3e878 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Wed, 13 May 2026 22:15:01 +0000 Subject: [PATCH 2/8] =?UTF-8?q?fix:=20bump=20Node=2016=20=E2=86=92=2022=20?= =?UTF-8?q?in=20vectors-generator=20CI?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Node 16 is EOL. The latest @aws-crypto/integration-node pulls @smithy/core which requires crypto.getRandomValues() (Node 19+). Bump to Node 22 LTS. --- codebuild/ci/vectors-generator.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/codebuild/ci/vectors-generator.yml b/codebuild/ci/vectors-generator.yml index b3256fb7..1333753c 100644 --- a/codebuild/ci/vectors-generator.yml +++ b/codebuild/ci/vectors-generator.yml @@ -5,7 +5,7 @@ phases: runtime-versions: java: $JAVA_ENV_VERSION commands: - - n 16 + - n 22 # Install the Javascript ESDK run test vectors - npm install -g @aws-crypto/integration-node From d04b6bc826f90fd2bfff4d1de467e73e8490674b Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Thu, 14 May 2026 09:23:21 -0700 Subject: [PATCH 3/8] build: upgrade jacoco-maven-plugin to 0.8.12 for Java 17/21 support --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 7454e2d5..a7d53544 100644 --- a/pom.xml +++ b/pom.xml @@ -198,7 +198,7 @@ org.jacoco jacoco-maven-plugin - 0.8.8 + 0.8.12 From d65da56baed4e3cfdde4a4cef9df46114091aa77 Mon Sep 17 00:00:00 2001 
From: Lucas McDonald Date: Thu, 14 May 2026 11:23:53 -0700 Subject: [PATCH 4/8] ci: skip jacoco in validate step (external repo has old version) --- codebuild/ci/validate-ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/codebuild/ci/validate-ci.yml b/codebuild/ci/validate-ci.yml index dc01d96e..e9a51107 100644 --- a/codebuild/ci/validate-ci.yml +++ b/codebuild/ci/validate-ci.yml @@ -28,6 +28,7 @@ phases: mvn verify \ -Pcodeartifact \ -Dcheckstyle.skip \ + -Djacoco.skip=true \ -Desdk.version=$VERSION_HASH \ -Dmaven.compiler.target=$JAVA_NUMERIC_VERSION \ -Dmaven.compiler.source=$JAVA_NUMERIC_VERSION \ From 620afa88e705e6b1d631bcd4dbbb9b931007d81a Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Thu, 14 May 2026 11:40:19 -0700 Subject: [PATCH 5/8] ci: remove validateCI job (redundant with releaseCI, uses deprecated workshop) --- .github/workflows/ci.yml | 37 +----------------------------------- codebuild/ci/validate-ci.yml | 1 - 2 files changed, 1 insertion(+), 37 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b2eeff89..4f056559 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -170,39 +170,4 @@ jobs: env-vars-for-codebuild: GITHUB_EVENT_NAME env: GITHUB_EVENT_NAME: $GITHUB_EVENT_NAME - validateCI: - name: Validate CI - runs-on: ubuntu-latest - needs: releaseCI - strategy: - fail-fast: true - matrix: - platform: - # - distribution: openjdk - # image: "aws/codebuild/standard:3.0" - - distribution: corretto - image: "aws/codebuild/amazonlinux-x86_64-standard:5.0" # Corretto only runs on AL2 - version: [ 8, 11, 17, 21 ] - steps: - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v2 - with: - role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }} - aws-region: us-west-2 - role-duration-seconds: 3600 - - name: Validate CI ${{ matrix.platform.distribution }}${{ matrix.version }} - uses: aws-actions/aws-codebuild-run-build@v1 - timeout-minutes: 60 - with: - project-name: AWS-ESDK-Java-CI - buildspec-override: codebuild/ci/validate-ci.yml - compute-type-override: BUILD_GENERAL1_MEDIUM - image-override: ${{ matrix.platform.image }} - env-vars-for-codebuild: | - JAVA_ENV_VERSION, - JAVA_NUMERIC_VERSION, - GITHUB_EVENT_NAME - env: - JAVA_ENV_VERSION: ${{ matrix.platform.distribution }}${{ matrix.version }} - JAVA_NUMERIC_VERSION: ${{ matrix.version }} - GITHUB_EVENT_NAME: $GITHUB_EVENT_NAME + diff --git a/codebuild/ci/validate-ci.yml b/codebuild/ci/validate-ci.yml index e9a51107..dc01d96e 100644 --- a/codebuild/ci/validate-ci.yml +++ b/codebuild/ci/validate-ci.yml @@ -28,7 +28,6 @@ phases: mvn verify \ -Pcodeartifact \ -Dcheckstyle.skip \ - -Djacoco.skip=true \ -Desdk.version=$VERSION_HASH \ -Dmaven.compiler.target=$JAVA_NUMERIC_VERSION \ -Dmaven.compiler.source=$JAVA_NUMERIC_VERSION \ From 0167e3a5563a56ea8f3c20a442286ebecbb48b06 Mon Sep 17 00:00:00 2001 
From: Lucas McDonald Date: Thu, 14 May 2026 11:41:11 -0700 Subject: [PATCH 6/8] ci: remove validate-ci.yml buildspec (no longer used) --- codebuild/ci/validate-ci.yml | 38 ------------------------------------ 1 file changed, 38 deletions(-) delete mode 100644 codebuild/ci/validate-ci.yml diff --git a/codebuild/ci/validate-ci.yml b/codebuild/ci/validate-ci.yml deleted file mode 100644 index dc01d96e..00000000 --- a/codebuild/ci/validate-ci.yml +++ /dev/null @@ -1,38 +0,0 @@ -version: 0.2 - -env: - variables: - REGION: us-east-1 - DOMAIN: crypto-tools-internal - REPOSITORY: java-esdk-ci - parameter-store: - ACCOUNT: /CodeBuild/AccountId - -phases: - install: - commands: - - pip install awscli - runtime-versions: - java: $JAVA_ENV_VERSION - pre_build: - commands: - - VERSION_HASH="$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)-$CODEBUILD_RESOLVED_SOURCE_VERSION-$GITHUB_EVENT_NAME" - - export SETTINGS_FILE=$(pwd)/codebuild/ci/settings.xml - - git clone https://github.com/aws-samples/busy-engineers-document-bucket.git - - cd busy-engineers-document-bucket/exercises/java/encryption-context-complete - - export CODEARTIFACT_TOKEN=$(aws codeartifact get-authorization-token --domain $DOMAIN --domain-owner $ACCOUNT --query authorizationToken --output text --region ${REGION}) - - export CODEARTIFACT_REPO_URL=https://${DOMAIN}-${ACCOUNT}.d.codeartifact.${REGION}.amazonaws.com/maven/${REPOSITORY} - build: - commands: - - | - mvn verify \ - -Pcodeartifact \ - -Dcheckstyle.skip \ - -Desdk.version=$VERSION_HASH \ - -Dmaven.compiler.target=$JAVA_NUMERIC_VERSION \ - -Dmaven.compiler.source=$JAVA_NUMERIC_VERSION \ - -Dcodeartifact.token=$CODEARTIFACT_TOKEN \ - -Dcodeartifact.url=$CODEARTIFACT_REPO_URL \ - --no-transfer-progress \ - -T 4 \ - -s $SETTINGS_FILE From 93576df5b2501bd6bc2397576fd26eb0518c3232 Mon Sep 17 00:00:00 2001 
From: Lucas McDonald Date: Thu, 14 May 2026 13:10:03 -0700 Subject: [PATCH 7/8] ci: replace busy-engineers validate with in-repo consumer smoke test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The old validateCI job cloned aws-samples/busy-engineers-document-bucket (a deprecated workshop) and ran mvn verify on it. Its tests only exercised data model POJOs and never called AwsCrypto encrypt/decrypt. The only real value was confirming the published artifact is resolvable and compilable by a downstream consumer. This replaces it with a minimal in-repo consumer that pulls the artifact from CodeArtifact, compiles against the ESDK public API, and instantiates AwsCrypto — validating the same thing without depending on an external repo. See: https://github.com/aws-samples/busy-engineers-document-bucket/blob/master/exercises/java/encryption-context-complete/src/test --- .github/workflows/ci.yml | 34 ++++++++++++++++ codebuild/ci/validate-ci.yml | 35 +++++++++++++++++ codebuild/ci/validate-consumer/pom.xml | 39 +++++++++++++++++++ .../src/main/java/validate/EsdkSmokeTest.java | 24 ++++++++++++ 4 files changed, 132 insertions(+) create mode 100644 codebuild/ci/validate-ci.yml create mode 100644 codebuild/ci/validate-consumer/pom.xml create mode 100644 codebuild/ci/validate-consumer/src/main/java/validate/EsdkSmokeTest.java diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4f056559..45f779ea 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -171,3 +171,37 @@ jobs: env: GITHUB_EVENT_NAME: $GITHUB_EVENT_NAME + validateCI: + name: Validate CI + runs-on: ubuntu-latest + needs: releaseCI + strategy: + fail-fast: true + matrix: + platform: + - distribution: corretto + image: "aws/codebuild/amazonlinux-x86_64-standard:5.0" + version: [ 8, 11, 17, 21 ] + steps: + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v2 + with: + role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }} + aws-region: us-west-2 + role-duration-seconds: 3600 + - name: Validate CI ${{ matrix.platform.distribution }}${{ matrix.version }} + uses: aws-actions/aws-codebuild-run-build@v1 + timeout-minutes: 60 + with: + project-name: AWS-ESDK-Java-CI + buildspec-override: codebuild/ci/validate-ci.yml + compute-type-override: BUILD_GENERAL1_MEDIUM + image-override: ${{ matrix.platform.image }} + env-vars-for-codebuild: | + JAVA_ENV_VERSION, + JAVA_NUMERIC_VERSION, + GITHUB_EVENT_NAME + env: + JAVA_ENV_VERSION: ${{ matrix.platform.distribution }}${{ matrix.version }} + JAVA_NUMERIC_VERSION: ${{ matrix.version }} + GITHUB_EVENT_NAME: $GITHUB_EVENT_NAME diff --git a/codebuild/ci/validate-ci.yml b/codebuild/ci/validate-ci.yml new file mode 100644 index 00000000..cb9e8761 --- /dev/null +++ b/codebuild/ci/validate-ci.yml 
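Review bot: Both steps of the re-added `validateCI` job reference their actions by mutable tag (`aws-actions/configure-aws-credentials@v2`, `aws-actions/aws-codebuild-run-build@v1`), and the first of them assumes the role in `secrets.CI_AWS_ROLE_ARN`. A moved or compromised tag would therefore run with that role's credentials. Pin each action to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: aws-actions/configure-aws-credentials@<full-commit-sha> # v2`. The same applies to `actions/checkout@v4` and `actions/setup-java@v4` in the `validateConsumerCompiles` job added in PATCH 8/8.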
@@ -0,0 +1,35 @@ +version: 0.2 + +env: + variables: + REGION: us-east-1 + DOMAIN: crypto-tools-internal + REPOSITORY: java-esdk-ci + parameter-store: + ACCOUNT: /CodeBuild/AccountId + +phases: + install: + commands: + - pip install awscli + runtime-versions: + java: $JAVA_ENV_VERSION + pre_build: + commands: + - VERSION_HASH="$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)-$CODEBUILD_RESOLVED_SOURCE_VERSION-$GITHUB_EVENT_NAME" + - export SETTINGS_FILE=$(pwd)/codebuild/ci/settings.xml + - cd codebuild/ci/validate-consumer + - export CODEARTIFACT_TOKEN=$(aws codeartifact get-authorization-token --domain $DOMAIN --domain-owner $ACCOUNT --query authorizationToken --output text --region ${REGION}) + - export CODEARTIFACT_REPO_URL=https://${DOMAIN}-${ACCOUNT}.d.codeartifact.${REGION}.amazonaws.com/maven/${REPOSITORY} + build: + commands: + - | + mvn compile exec:java \ + -Dexec.mainClass="validate.EsdkSmokeTest" \ + -Pcodeartifact \ + -Desdk.version=$VERSION_HASH \ + -Djava.version=$JAVA_NUMERIC_VERSION \ + -Dcodeartifact.token=$CODEARTIFACT_TOKEN \ + -Dcodeartifact.url=$CODEARTIFACT_REPO_URL \ + --no-transfer-progress \ + -s $SETTINGS_FILE diff --git a/codebuild/ci/validate-consumer/pom.xml b/codebuild/ci/validate-consumer/pom.xml new file mode 100644 index 00000000..26494abf --- /dev/null +++ b/codebuild/ci/validate-consumer/pom.xml @@ -0,0 +1,39 @@ + + + 4.0.0 + + com.amazonaws.esdk + validate-consumer + 1.0-SNAPSHOT + Smoke test that the ESDK artifact is resolvable and compiles + + + UTF-8 + ${java.version} + ${java.version} + 8 + LATEST + + + + + com.amazonaws + aws-encryption-sdk-java + ${esdk.version} + + + + + + codeartifact + + + codeartifact + ${codeartifact.url} + + + + + diff --git a/codebuild/ci/validate-consumer/src/main/java/validate/EsdkSmokeTest.java b/codebuild/ci/validate-consumer/src/main/java/validate/EsdkSmokeTest.java new file mode 100644 index 00000000..b7ba6b31 --- /dev/null 
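Review bot: The build command in the new `validate-ci.yml` passes the CodeArtifact authorization token as `-Dcodeartifact.token=$CODEARTIFACT_TOKEN`, which puts a live credential on the `mvn` command line. There it is visible in the process list and can end up in Maven debug output. The token is already exported in `pre_build`, so the server entry in `codebuild/ci/settings.xml` (not shown here) could read `${env.CODEARTIFACT_TOKEN}` and the `-D` argument could be dropped. In `install`, `pip install awscli` is unpinned; `pip install awscli==<pinned-version>` would keep the tool that mints the token reproducible.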
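Review bot: The properties block of the new consumer `pom.xml` appears to default `esdk.version` to `LATEST`. Element names are stripped in this listing, so this is inferred from the values `8` and `LATEST` next to the `${java.version}` entries. With that default, a run that omits `-Desdk.version` would resolve whatever version is newest in the configured repositories instead of failing, which defeats the purpose of validating one specific artifact. Leaving the property undefined, so the build fails without it, would be safer. The pom also shows no `build` section, so `exec:java` in the buildspec resolves an unpinned `exec-maven-plugin`; declaring the plugin with a fixed `<version>` would make the smoke test reproducible.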
+++ b/codebuild/ci/validate-consumer/src/main/java/validate/EsdkSmokeTest.java @@ -0,0 +1,24 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package validate; + +import com.amazonaws.encryptionsdk.AwsCrypto; +import com.amazonaws.encryptionsdk.CommitmentPolicy; +import com.amazonaws.encryptionsdk.CryptoResult; +import com.amazonaws.encryptionsdk.MasterKeyProvider; +import com.amazonaws.encryptionsdk.jce.JceMasterKey; + +/** + * Smoke test that the published ESDK artifact is resolvable + * and that key public API classes are importable and usable. + */ +public class EsdkSmokeTest { + public static void main(String[] args) { + AwsCrypto crypto = AwsCrypto.builder() + .withCommitmentPolicy(CommitmentPolicy.RequireEncryptRequireDecrypt) + .build(); + System.out.println("ESDK artifact resolved and AwsCrypto instantiated successfully."); + System.out.println("AwsCrypto version info: " + crypto.toString()); + } +} From 26001b169077128b6df0f12451595f99f59f0188 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Thu, 14 May 2026 13:32:37 -0700 Subject: [PATCH 8/8] ci: add GitHub Actions job to test validate-consumer compiles --- .github/workflows/ci.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 45f779ea..9ad9207e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
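Review bot: `main` in `EsdkSmokeTest` stops at `AwsCrypto.builder()...build()`, so the smoke test never encrypts or decrypts anything, which is the gap the commit message criticises in the old workshop tests. `CryptoResult`, `MasterKeyProvider` and `JceMasterKey` are imported but only checked for existence at compile time. A local round trip with an ephemeral `JceMasterKey` needs no AWS credentials and would catch an artifact that resolves but fails at runtime, for example through a missing transitive dependency. The `"AwsCrypto version info: "` line is also misleading unless `AwsCrypto` overrides `toString()`, which is not visible here. A sketch of the round trip, written with fully qualified JDK names, follows.

```java
  public static void main(String[] args) {
    // … unchanged: AwsCrypto.builder() … .build() …

    // Ephemeral AES-256 key: generated per run, never stored, no KMS call needed.
    byte[] rawKey = new byte[32];
    new java.security.SecureRandom().nextBytes(rawKey);
    JceMasterKey key = JceMasterKey.getInstance(
        new javax.crypto.spec.SecretKeySpec(rawKey, "AES"),
        "smoke-test", "ephemeral-key", "AES/GCM/NoPadding");

    byte[] plaintext = "smoke".getBytes(java.nio.charset.StandardCharsets.UTF_8);
    byte[] ciphertext = crypto.encryptData(key, plaintext).getResult();
    byte[] roundTrip = crypto.decryptData(key, ciphertext).getResult();
    if (!java.util.Arrays.equals(plaintext, roundTrip)) {
      throw new IllegalStateException("ESDK round trip mismatch");
    }
    // … unchanged: System.out.println(...) lines …
```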
@@ -149,6 +149,27 @@ jobs: env-vars-for-codebuild: JAVA_ENV_VERSION env: JAVA_ENV_VERSION: ${{ matrix.platform.distribution }}${{ matrix.version }} + validateConsumerCompiles: + name: Validate Consumer Smoke Test + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + java-version: [ 8, 11, 17, 21 ] + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-java@v4 + with: + distribution: corretto + java-version: ${{ matrix.java-version }} + - name: Compile and run smoke test against Maven Central + working-directory: codebuild/ci/validate-consumer + run: | + mvn compile exec:java \ + -Dexec.mainClass="validate.EsdkSmokeTest" \ + -Desdk.version=3.0.1 \ + -Djava.version=${{ matrix.java-version }} \ + --no-transfer-progress releaseCI: name: Release CI runs-on: ubuntu-latest
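Review bot: `-Desdk.version=3.0.1` hard-codes a released version, so `validateConsumerCompiles` exercises the consumer pom and `EsdkSmokeTest` against Maven Central rather than the code in the commit under test. It will not notice an API break until the literal is bumped by hand. A comment on the step, e.g. `# checks the consumer project itself; the artifact built from this commit is covered by validateCI`, would prevent it being read as release validation. The job needs no secrets, so a job-level `permissions:` with `contents: read` and `persist-credentials: false` on `actions/checkout` would keep its token minimal. The `permissions:` block is only needed if the workflow does not already set one at top level, which is outside this hunk.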