ensure that al2 image is actually al2 (#313)

Author: DmitriyMusatkin

.github/docker-images/al2-x64/Dockerfile

@@ -1,4 +1,4 @@
-FROM amazonlinux:latest
+FROM amazonlinux:2
 
 
 ###############################################################################
@@ -14,14 +14,11 @@ RUN yum -y update \
     python3-devel \
     python3-pip \
     make \
-    cmake3 \
     gcc \
     gcc-c++ \
     which \
     && yum clean all \
-    && rm -rf /var/cache/yum \
-    && cmake --version \
-    && ctest --version
+    && rm -rf /var/cache/yum
 
 ###############################################################################
 # Python/AWS CLI
@@ -37,6 +34,7 @@ WORKDIR /tmp
 RUN curl -sSL https://d19elf31gohf1l.cloudfront.net/_binaries/cmake/cmake-3.13-manylinux1-x64.tar.gz -o cmake.tar.gz \
     && tar xvzf cmake.tar.gz -C /usr/local \
     && cmake --version \
+    && ctest --version \
     && rm -f /tmp/cmake.tar.gz
 
 ###############################################################################

.github/docker-images/al2023-x64/Dockerfile

@@ -0,0 +1,45 @@
+FROM amazonlinux:2023
+
+
+###############################################################################
+# Install prereqs
+###############################################################################
+RUN yum -y update \
+    && yum -y install \
+    tar \
+    git \
+    sudo \
+    # Python
+    python3 \
+    python3-devel \
+    python3-pip \
+    make \
+    gcc \
+    gcc-c++ \
+    which \
+    && yum clean all \
+    && rm -rf /var/cache/yum
+
+###############################################################################
+# Python/AWS CLI
+###############################################################################
+RUN python3 -m pip install setuptools virtualenv \
+    && python3 -m pip install --upgrade awscli \
+    && aws --version
+
+###############################################################################
+# Install pre-built CMake
+###############################################################################
+WORKDIR /tmp
+RUN curl -sSL https://d19elf31gohf1l.cloudfront.net/_binaries/cmake/cmake-3.13-manylinux1-x64.tar.gz -o cmake.tar.gz \
+    && tar xvzf cmake.tar.gz -C /usr/local \
+    && cmake --version \
+    && ctest --version \
+    && rm -f /tmp/cmake.tar.gz
+
+###############################################################################
+# Install entrypoint
+###############################################################################
+ADD entrypoint.sh /usr/local/bin/builder
+RUN chmod a+x /usr/local/bin/builder
+ENTRYPOINT ["/usr/local/bin/builder"]

.github/workflows/create-channel.yml

@@ -16,17 +16,24 @@ on:
 
 env:
   AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }}
-  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-  AWS_REGION: 'us-east-1'
+  CRT_CI_ROLE: ${{ secrets.CRT_CI_ROLE_ARN }}
+  AWS_DEFAULT_REGION: us-east-1
+
+permissions:
+  id-token: write # This is required for requesting the JWT
 
 # nothing
 jobs:
   package:
     name: Package builder app
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
 
     steps:
+    - uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: ${{ env.CRT_CI_ROLE }}
+        aws-region: ${{ env.AWS_DEFAULT_REGION }}
+
     - name: Checkout Source
       uses: actions/checkout@v4
 
@@ -54,7 +61,7 @@ jobs:
 
   standard-images:
     name: ${{ matrix.variant.name }}
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     strategy:
       fail-fast: false
       matrix:
@@ -68,6 +75,7 @@ jobs:
         - name: musllinux-1-1-x64
         - name: al2012-x64
         - name: al2-x64
+        - name: al2023-x64
         - name: ubuntu-18-x64
         - name: ubuntu-20-x64
         - name: ubuntu-20-aarch64  
@@ -89,6 +97,11 @@ jobs:
         - name: openwrt-x64-openjdk8
 
     steps:
+    - uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: ${{ env.CRT_CI_ROLE }}
+        aws-region: ${{ env.AWS_DEFAULT_REGION }}
+
     - name: Checkout Sources
       uses: actions/checkout@v4
 
@@ -109,8 +122,9 @@ jobs:
       uses: whoan/docker-build-with-cache-action@v8
       with:
         registry: ${{ secrets.AWS_ECR_REPO }}
-        username: ${{ secrets.AWS_ACCESS_KEY_ID }}
-        password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        username: ${{ steps.creds.outputs.aws-access-key-id }}
+        password: ${{ steps.creds.outputs.aws-secret-access-key }}
+        session: ${{ steps.creds.outputs.aws-session-token }}
         image_name: aws-crt-${{ matrix.variant.name }}
         image_tag: ${{ steps.tag.outputs.release_tag }}
         context: .github/docker-images/${{ matrix.variant.name }}

.github/workflows/create-release.yml

@@ -6,19 +6,30 @@ on:
     types: [published]
   workflow_dispatch:
 
-
 env:
   AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }}
-  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-  AWS_REGION: 'us-east-1'
+  CRT_CI_ROLE: ${{ secrets.CRT_CI_ROLE_ARN }}
+  AWS_DEFAULT_REGION: us-east-1
+
+permissions:
+  id-token: write # This is required for requesting the JWT
 
 jobs:
   package:
     name: Package builder app
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
 
     steps:
+    - uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: ${{ env.CRT_CI_ROLE }}
+        aws-region: ${{ env.AWS_DEFAULT_REGION }}
+
+    - uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: ${{ env.CRT_CI_ROLE }}
+        aws-region: ${{ env.AWS_DEFAULT_REGION }}
+
     - name: Checkout Source
       uses: actions/checkout@v4
 
@@ -48,7 +59,7 @@ jobs:
 
   export-linux-images:
     name: Release aws-crt-${{ matrix.variant }}
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     strategy:
       fail-fast: false
       matrix:
@@ -62,6 +73,7 @@ jobs:
         - name: musllinux-1-1-x64
         - name: al2012-x64
         - name: al2-x64
+        - name: al2023-x64
         - name: ubuntu-18-x64
         - name: ubuntu-20-x64
         - name: ubuntu-20-aarch64  
@@ -83,6 +95,11 @@ jobs:
         - name: openwrt-x64-openjdk8
 
     steps:
+    - uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: ${{ env.CRT_CI_ROLE }}
+        aws-region: ${{ env.AWS_DEFAULT_REGION }}
+
     - name: Checkout Sources
       uses: actions/checkout@v4
 
@@ -100,8 +117,9 @@ jobs:
       uses: whoan/docker-build-with-cache-action@v8
       with:
         registry: ${{ secrets.AWS_ECR_REPO }}
-        username: ${{ secrets.AWS_ACCESS_KEY_ID }}
-        password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        username: ${{ steps.creds.outputs.aws-access-key-id }}
+        password: ${{ steps.creds.outputs.aws-secret-access-key }}
+        session: ${{ steps.creds.outputs.aws-session-token }}
         image_name: aws-crt-${{ matrix.variant.name }}
         image_tag: ${{ steps.tag.outputs.release_tag }}
         context: .github/docker-images/${{ matrix.variant.name }}
@@ -134,9 +152,14 @@ jobs:
 
   upload-ci-script:
     name: Upload container ci script
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-2024
 
     steps:
+    - uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: ${{ env.CRT_CI_ROLE }}
+        aws-region: ${{ env.AWS_DEFAULT_REGION }}
+
     - name: Checkout Source
       uses: actions/checkout@v4
 

.github/workflows/lint.yml

@@ -7,7 +7,7 @@ on:
 
 jobs:
   autopep8:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
 
     steps:
     - name: Checkout Source

.github/workflows/sanity-test.yml

@@ -12,14 +12,16 @@ on:
 
 env:
   AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }}
-  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-  AWS_REGION: 'us-east-1'
+  CRT_CI_ROLE: ${{ secrets.CRT_CI_ROLE_ARN }}
+  AWS_DEFAULT_REGION: us-east-1
+
+permissions:
+  id-token: write # This is required for requesting the JWT
 
 jobs:
   cleanup:
     name: Clean up previous branch jobs
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
     - name: Clean up previous branch jobs
       uses: rokroskar/workflow-run-cleanup-action@master
@@ -28,7 +30,7 @@ jobs:
 
   unit_test:
     name: Unit Tests
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
     - name: Checkout Source
       uses: actions/checkout@v4
@@ -38,9 +40,14 @@ jobs:
 
   package:
     name: Package builder app
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
 
     steps:
+    - uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: ${{ env.CRT_CI_ROLE }}
+        aws-region: ${{ env.AWS_DEFAULT_REGION }}
+
     - name: Checkout Source
       uses: actions/checkout@v4
 
@@ -78,7 +85,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        host: [ubuntu-22.04, macos-12, macos-13, macos-14, windows-2022]
+        host: [ubuntu-22.04, macos-13, macos-14, windows-2022]
     needs: package
     runs-on: ${{ matrix.host }}
     steps:
@@ -137,7 +144,7 @@ jobs:
 
   # Make sure cross compiling works
   cross_compile:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     needs: [package]
     strategy:
       matrix:
@@ -204,6 +211,10 @@ jobs:
         compiler: [gcc-8, clang-9]
         std: [c++11, c++14, c++17, c++2a]
     steps:
+    - uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: ${{ env.CRT_CI_ROLE }}
+        aws-region: ${{ env.AWS_DEFAULT_REGION }}
     - name: Checkout Source
       uses: actions/checkout@v4
 
@@ -227,7 +238,7 @@ jobs:
           - aws-iot-device-sdk-python-v2
 
     needs: package
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
     - name: Install builder
       uses: actions/download-artifact@v4
@@ -254,6 +265,11 @@ jobs:
     needs: package
     runs-on: ubuntu-20.04
     steps:
+    - uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: ${{ env.CRT_CI_ROLE }}
+        aws-region: ${{ env.AWS_DEFAULT_REGION }}
+
     - name: Checkout Source
       uses: actions/checkout@v4
 
@@ -281,8 +297,13 @@ jobs:
         - musllinux-1-1-x64
 
     needs: package
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
+    - uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: ${{ env.CRT_CI_ROLE }}
+        aws-region: ${{ env.AWS_DEFAULT_REGION }}
+
     - name: Checkout Source
       uses: actions/checkout@v4
 
@@ -314,8 +335,13 @@ jobs:
           - swift-5-al2-x64
 
     needs: package
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
+    - uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: ${{ env.CRT_CI_ROLE }}
+        aws-region: ${{ env.AWS_DEFAULT_REGION }}
+
     - name: Checkout Source
       uses: actions/checkout@v4
 
@@ -334,7 +360,7 @@ jobs:
 
   sanity-tests-passed:
     name: All Sanity Tests passed
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     needs:
     - unit_test
     - sanity_test

builder/core/host.py

@@ -70,7 +70,11 @@ def current_host():
     def _discover_host():
         platform = current_os()
         if platform == 'linux':
-            if _file_contains('/etc/system-release', 'Amazon Linux release 2'):
+            # Note: that AL2 and AL2023 have the same substring. Check for AL2023 explicitly.
+            # And also check that AL2 has "2 (", which is common to all base distributions of AL2
+            if _file_contains('/etc/system-release', 'Amazon Linux release 2023'):
+                return 'al2023'
+            if _file_contains('/etc/system-release', 'Amazon Linux release 2 ('):
                 return 'al2'
             if _file_contains('/etc/system-release', 'Bare Metal') or _file_contains('/etc/system-release', 'Amazon Linux AMI'):
                 return 'al2012'