Add configure-aws-credentials composite workflow with release support#4386
🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
```yaml
uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
with:
  aws-region: us-east-2
  role-to-assume: arn:aws:iam::692859939525:role/therock-ci
```
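Review bot: this still hardcodes `role/therock-ci` next to a bucket that `_retrieve_bucket_info()` picks from `RELEASE_TYPE`, so the role and the bucket can drift apart; since the PR adds the composite action for exactly that lookup, consider switching this caller to it too (as a follow-up if it is out of scope here). Keeping the action pinned to the full commit SHA with the `# v6.0.0` comment is the right call; carry that over when migrating.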
We could also update
TheRock/.github/workflows/release_portable_linux_packages.yml (lines 274 to 279 in aee2385)
but that workflow uses more than just the therock-{release_type}-artifacts bucket, it also uses
For multi-arch release workflows, I plan on having the existing build workflows upload artifacts, logs, etc. to therock-{release_type}-artifacts and then have new workflow code copy from those buckets to e.g. therock-{release_type}-tarball
By the way, I decided to NOT update
TheRock/.github/workflows/manifest-diff.yml (lines 66 to 71 in aee2385)
Updating release_portable_linux_packages.yml should be fine as the role allows to access the other buckets as well. Can be in a follow up however.
```python
self.assertEqual(config.name, "therock-ci-artifacts")



def _write_event(self, event: dict) -> str:
    f = tempfile.NamedTemporaryFile(mode="w", suffix=".json", delete=False)
```
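Review bot: `_write_event` opens the file with `delete=False`, but the visible lines never close the handle before the path is returned; on Windows the code under test then hits the same PermissionError on `open(event_path)` as it would with `delete=True`, so write the payload inside `with f:` (or call `f.close()`) before `return f.name`, and keep the caller's `finally: os.unlink(...)` so a failing assertion does not leave the file behind.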
From my agent's review:
The event-payload fork detection tests use tempfile and finally: os.unlink(...) - fine, but could use tempfile.NamedTemporaryFile(delete=True) with a context manager instead of manual cleanup.
tempfile.NamedTemporaryFile(delete=True) won't work on Windows, as the file can't be reopened for read by another command while already opened by the context manager:

```
>       with open(event_path) as f:
             ^^^^^^^^^^^^^^^^
E   PermissionError: [Errno 13] Permission denied: 'C:\\Users\\NOD-SH~1\\AppData\\Local\\Temp\\tmpjr8p04dq.json'
```

We could use tempfile.TemporaryDirectory() though:

```python
import json
import tempfile
from pathlib import Path

# The directory (and the file inside it) is removed when the block exits,
# and the file is closed after write_text(), so a reader can reopen it on Windows.
with tempfile.TemporaryDirectory() as tmpdir:
    event_path = Path(tmpdir) / "event.json"
    event_path.write_text(
        json.dumps({"pull_request": {"head": {"repo": {"fork": True}}}})
    )
```

How about we keep the NamedTemporaryFile and manual unlink() but add more comments? That matches recently added test code in https://github.com/ROCm/TheRock/blob/main/build_tools/github_actions/tests/configure_multi_arch_ci_test.py more closely too.
Oh we can also keep as is for consistency :)
```python
iam_namespace: str | None = field(default="arn:aws:iam::692859939525:role")
"""Namespace for write_access_iam_role (e.g. 'arn:aws:iam::692859939525:role')"""
```
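Review bot: `iam_namespace` is annotated `str | None` yet defaults to a non-None string, and nothing in the visible lines gives `None` a meaning; narrow it to `str` unless `None` is meant to signal "no IAM role". The docstring also repeats the default literal, so a change to one silently desyncs the other; either edit both together or drop the example from the docstring.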
arn:aws:iam actually is the prefix, partition, service, which will always be the same here. 692859939525 is the account ID. We could also just store that one. And should role be deduced from iam_role?
NamedTemporaryFile(delete=True) holds an exclusive lock on Windows, preventing the code under test from opening the file. Use delete=False with try/finally cleanup, matching the pattern in configure_multi_arch_ci_test.py.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…#4386)

## Motivation

For multi-arch release workflows (#3334), I want to reuse the existing workflows like `.github/workflows/multi_arch_build_portable_linux_artifacts.yml` but have them upload to `therock-dev-artifacts`, `therock-nightly-artifacts`, etc. instead of `therock-ci-artifacts`. The `_retrieve_bucket_info()` function in `build_tools/_therock_utils/workflow_outputs.py` already selects the right bucket based on the `RELEASE_TYPE` environment variable, but this also requires switching the role from

```diff
-role-to-assume: arn:aws:iam::692859939525:role/therock-ci
+role-to-assume: arn:aws:iam::692859939525:role/therock-dev
```

I decided to take the chance to translate our [s3_buckets.md](https://github.com/ROCm/TheRock/blob/main/docs/development/s3_buckets.md) into a s3_buckets.py file with two users:

* The existing `_retrieve_bucket_info()` function in `build_tools/_therock_utils/workflow_outputs.py`
* A new `build_tools/github_actions/write_artifacts_bucket_info.py` script used by a `.github/actions/configure_aws_artifacts_credentials/action.yml` composite workflow that handles looking up the role and calling `aws-actions/configure-aws-credentials` (with `special-characters-workaround` set on Windows)

## Technical Details

This is in contrast to what was recently done for native linux packages (which we can migrate in a follow-up):

https://github.com/ROCm/TheRock/blob/aee23850c29ad0f47e9f5a1ba494af54b25e23cf/.github/workflows/multi_arch_build_native_linux_packages.yml#L100-L131
https://github.com/ROCm/TheRock/blob/aee23850c29ad0f47e9f5a1ba494af54b25e23cf/.github/workflows/multi_arch_build_native_linux_packages.yml#L169-L173

We could put similar code directly in the composite workflow instead of adding the python scripts, but this is significantly easier to test and then match the behavior between different workflows and scripts that want to interface with the buckets.

## Test Plan

* Unit tests
* CI on this PR (which should authenticate with `therock-ci` and upload to `therock-ci-artifacts`)
* Watch CI on PRs from forks (which should skip authentication and upload to `therock-ci-artifacts-external` as before)

## Test Result

Composite action worked: https://github.com/ROCm/TheRock/actions/runs/24109830592/job/70341723332?pr=4386#step:15:1

## Submission Checklist

- [x] Look over the contributing guidelines at https://github.com/ROCm/ROCm/blob/develop/CONTRIBUTING.md#pull-requests.

---------

Co-authored-by: Claude <noreply@anthropic.com>