aws-observability · pxaws · Aug 20, 2024 · Aug 19, 2024 · Aug 19, 2024 · Aug 19, 2024
@@ -0,0 +1,106 @@
+name: Build and Push aws-distro-opentelemetry-node-autoinstrumentation
+description: |
+  This action assumes that the repo was checked out. Builds and pushes/loads tarball and image files. Also performs scan
+  of the resultant image.
+
+inputs:
+  aws-region:
+    required: false
+    description: "AWS Region, required only if push_image is true"
+  image_uri_with_tag:
+    required: true
+    description: "Image URI with Tag"
+  image_registry:
+    required: false
+    description: "Image Registry, required only if push_image is true"
+  snapshot-ecr-role:
+    required: false
+    description: "IAM Role used for pushing to snapshot ecr, required only if push_image is true"
+  push_image:
+    required: true
+    description: "Whether push image to ECR"
+  load_image:
+    required: true
+    description: "Whether load the image for the following use, only load in PR build"
+  node_version:
+    required: true
+    description: "The node version used in actions"
+  package_name:
+    required: true
+    description: "The package name"
+  os:
+    required: true
+    description: "The os"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Action verification
+      if: ${{ (inputs.load_image == false || inputs.load_image == 'false') && (inputs.push_image == false || inputs.push_image == 'false') }}
+      shell: bash
+      run: |
+        echo "At least one of push_image or load_image must be true" 
+        exit 1
+
+    - name: Set up
+      uses: ./.github/actions/set_up
+      with:
+        node_version: ${{ inputs.node_version }}
+        package_name: ${{ inputs.package_name }}
+        os: ${{ inputs.os }}
+        run_unit_tests: true
+
+    - name: Configure AWS Credentials
+      if: ${{ inputs.push_image == true || inputs.push_image == 'true' }}
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: ${{ inputs.snapshot-ecr-role }}
+        aws-region: ${{ inputs.aws-region }}
+
+    - name: Install Dependencies, Compile, and Build Tarball
+      id: staging_tarball_build
+      shell: bash
+      run: |
+        npm install
+        npm run compile
+        cd aws-distro-opentelemetry-node-autoinstrumentation
+        npm pack
+
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v3
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Login to private AWS ECR
+      if: ${{ inputs.push_image == true || inputs.push_image == 'true' }}
+      uses: docker/login-action@v3
+      with:
+        registry: ${{ inputs.image_registry }}
+      env:
+        AWS_REGION: ${{ inputs.aws-region }}
+
+    # Per https://docs.aws.amazon.com/AmazonECR/latest/public/docker-pull-ecr-image.html, it is possible to
+    # make unauthorized calls to get public ECR images (needed to build the ADOT Node docker image), but
+    # it can fail if you previously authenticated to a public repo. Adding this step to log out, so we
+    # ensure we can make unauthenticated call. This is important for making the pr_build workflow run on
+    # PRs created from forked repos.
+    - name: Logout of public AWS ECR
+      shell: bash
+      run: docker logout public.ecr.aws
+
+    - name: Build and push image according to input
+      uses: docker/build-push-action@v5
+      with:
+        push: ${{ inputs.push_image }}
+        context: .
+        file: ./Dockerfile
+        platforms: linux/amd64
+        tags: ${{ inputs.image_uri_with_tag }}
+        load: ${{ inputs.load_image }}
+
+    - name: Perform image scan
+      uses: ./.github/actions/image_scan
+      with:
+        image-ref: ${{ inputs.image_uri_with_tag }}
+        severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
@@ -0,0 +1,33 @@
+## Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+## SPDX-License-Identifier: Apache-2.0
+name: image-scan
+description: |
+  This action performs a scan of a provided (local or public ECR remote) image, using Trivy.
+
+inputs:
+  image-ref:
+    required: true
+    description: "Reference for the image to be scanned"
+  severity:
+    required: true
+    description: "List of severities that will cause a failure"
+
+runs:
+  using: "composite"
+  steps:
+
+  # Per https://docs.aws.amazon.com/AmazonECR/latest/public/docker-pull-ecr-image.html, it is possible to
+  # make unauthorized calls to get public ECR images (needed to build the ADOT JavaScript docker image), but
+  # it can fail if you previously authenticated to a public repo. Adding this step to log out, so we
+  # ensure we can make unauthenticated call. This is important for making the pr_build workflow run on
+  # PRs created from forked repos.
+  - name: Logout of public AWS ECR
+    shell: bash
+    run: docker logout public.ecr.aws
+
+  - name: Run Trivy vulnerability scanner on image
+    uses: aquasecurity/trivy-action@master
+    with:
+      image-ref: ${{ inputs.image-ref }}
+      severity: ${{ inputs.severity }}
+      exit-code: '1'
@@ -0,0 +1,45 @@
+name: Set up
+description: |
+  This action assumes that the repo was checked out. Installs node, then runs the unit tests.
+
+inputs:
+  node_version:
+    required: true
+    description: "The node version used in actions"
+  package_name:
+    required: true
+    description: "The package name"
+  os:
+    required: true
+    description: "The os"
+  run_unit_tests:
+    required: true
+    description: "true/false flag indicating if we should run unit tests/benchmarks"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Set up node
+      uses: actions/setup-node@v4
+      with:
+        node-version: ${{ inputs.node_version }}
+
+    - name: Install dependencies and compile to build directory
+      shell: bash
+      run: |
+        npm install
+        npm run compile
+
+    - name: Cache NPM environment
+      # Preserves .tox directory between runs for faster installs
+      uses: actions/cache@v1
+      with:
+        path: |
+          .tox
+          ~/.cache/pip
+        key: v7-build-tox-cache-${{ inputs.node_version }}-${{ inputs.package_name }}-${{ inputs.os }}-${{ hashFiles('aws-distro-opentelemetry-node-autoinstrumentation/package.json', 'package-lock.json') }}
+
+    - name: Run unit tests/benchmarks
+      if: ${{ inputs.run_unit_tests == 'true' }}
+      shell: bash
+      run: npm run test
@@ -0,0 +1,81 @@
+# This workflow builds the aws-opentelemetry-js-distro JavaScript files, uploads to staging S3 bucket, and builds the project docker image that is pushed to a staging ECR repository
+name: NodeJS Instrumentation Main Build
+on:
+  push:
+    branches:
+      - main
+      - "release/v*"
+      - e2e-parallel
+
+env:
+  AWS_DEFAULT_REGION: us-east-1
+  STAGING_ECR_REGISTRY: 637423224110.dkr.ecr.us-east-1.amazonaws.com
+  # Another team is testing the `adot-autoinstrumentation-node-staging` image
+  # Temporarily use a testing image repo until that other team is done
+  STAGING_ECR_REPOSITORY: aws-observability/adot-autoinstrumentation-node-testing
+  STAGING_S3_BUCKET: ${{ secrets.STAGING_BUCKET_NAME }}
+
+concurrency:
+  group: node-instrumentation-main-build
+  cancel-in-progress: false
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    outputs:
+      aws_default_region: ${{ steps.node_output.outputs.awsDefaultRegion}}
+      node_image_tag: ${{ steps.node_output.outputs.node_image_tag}}
+      staging_image: ${{ steps.node_output.outputs.stagingImage}}
+      staging_registry: ${{ steps.node_output.outputs.stagingRegistry}}
+      staging_repository: ${{ steps.node_output.outputs.stagingRepository}}
+      staging_tarball_file: ${{ steps.staging_tarball_output.outputs.STAGING_TARBALL}}
+    steps:
+      - name: Checkout Contrib Repo @ SHA - ${{ github.sha }}
+        uses: actions/checkout@v4
+
+      - name: Get Node Distro Output
+        id: node_output
+        run: |
+          pkg_version=$(jq -r '.version' ./package.json)
+          echo "ADOT_NODE_VERSION=$pkg_version" >> $GITHUB_OUTPUT
+          shortsha="$(git rev-parse --short HEAD)"
+          echo "SHORT_SHA=$shortsha" >> $GITHUB_ENV
+          node_distro_tag=$pkg_version-$shortsha
+          echo "awsDefaultRegion=${{ env.AWS_DEFAULT_REGION }}" >> $GITHUB_OUTPUT
+          echo "node_image_tag=$node_distro_tag" >> $GITHUB_OUTPUT
+          echo "stagingRegistry=${{ env.STAGING_ECR_REGISTRY }}" >> $GITHUB_OUTPUT
+          echo "stagingRepository=${{ env.STAGING_ECR_REPOSITORY }}" >> $GITHUB_OUTPUT
+          echo "stagingImage=${{ env.STAGING_ECR_REGISTRY }}/${{ env.STAGING_ECR_REPOSITORY }}:$node_distro_tag" >> $GITHUB_OUTPUT
+
+      - name: Build and Push Tarball and Image Files
+        uses: ./.github/actions/artifacts_build
+        with:
+          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+          image_uri_with_tag: ${{ steps.node_output.outputs.stagingImage }}
+          image_registry: ${{ env.STAGING_ECR_REGISTRY }}
+          snapshot-ecr-role: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
+          push_image: true
+          load_image: false
+          node_version: "20"
+          package_name: aws-distro-opentelemetry-node-autoinstrumentation
+          os: ubuntu-latest
+
+      - name: Output Tarball File Name
+        id: staging_tarball_output
+        run: |
+          staging_tarball="aws-aws-distro-opentelemetry-node-autoinstrumentation-${{ steps.node_output.outputs.ADOT_NODE_VERSION }}.tgz"
+          echo "STAGING_TARBALL=$staging_tarball" >> $GITHUB_OUTPUT
+
+      - name: Upload Tarball to S3
+        run: |
+          aws s3 cp aws-distro-opentelemetry-node-autoinstrumentation/${{ steps.staging_tarball_output.outputs.STAGING_TARBALL }} s3://${{ env.STAGING_S3_BUCKET }}
+
+      - name: Upload Tarball to GitHub Actions
+        uses: actions/upload-artifact@v3
+        with:
+          name: ${{ steps.staging_tarball_output.outputs.STAGING_TARBALL}}
+          path: aws-distro-opentelemetry-node-autoinstrumentation/${{ steps.staging_tarball_output.outputs.STAGING_TARBALL}}
@@ -48,5 +48,5 @@ node --require '@aws/aws-distro-opentelemetry-node-autoinstrumentation/register'
 ```shell
 curl http://localhost:8080/rolldice
 curl http://localhost:8080/http
-curl http://localhost:8080/aws-sdk
+curl http://localhost:8080/aws-sdk-s3
 ```