Merge branch 'main' into integ-logging

aws · Oct 21, 2024 · 54ff65d · 54ff65d
2 parents 31e9bfb + 9cd117f
commit 54ff65d
Show file tree

Hide file tree

Showing 173 changed files with 4,373 additions and 1,580 deletions.
diff --git a/.github/workflows/bench.yml b/.github/workflows/bench.yml
@@ -10,6 +10,9 @@ on:
 jobs:
   bench:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read  # This is required for actions/checkout
+      id-token: write # This is required for requesting the JWT
     steps:
       - uses: actions/checkout@v3
 
@@ -34,10 +37,10 @@ jobs:
         run: cargo criterion --message-format json > criterion_output.log
 
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v4.0.1
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+          role-session-name: s2ntlsghabenchsession
           aws-region: us-west-2
 
       - name: Emit CloudWatch metrics

diff --git a/.github/workflows/ci_compliance.yml b/.github/workflows/ci_compliance.yml
@@ -9,6 +9,10 @@ on:
     types: [checks_requested]
     branches: [main]
 
+permissions:
+  contents: read  # This is required for actions/checkout
+  id-token: write # This is required for requesting the JWT/OIDC
+
 jobs:
   duvet:
     runs-on: ubuntu-latest
@@ -28,8 +32,8 @@ jobs:
         with:
           s2n-quic-dir: ./s2n-quic
           report-script: compliance/generate_report.sh
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+          role-session-name: S2ntlsGHAS3Session
           aws-s3-bucket-name: s2n-tls-ci-artifacts
           aws-s3-region: us-west-2
           cdn: https://d3fqnyekunr9xg.cloudfront.net

diff --git a/.github/workflows/ci_rust.yml b/.github/workflows/ci_rust.yml
@@ -44,15 +44,19 @@ jobs:
       - name: Generate
         run: ${{env.ROOT_PATH}}/generate.sh
 
-      - name: Tests
+      # Ensure that all tests pass with the default feature set
+      - name: Default Tests
+        working-directory: ${{env.ROOT_PATH}}
+        run: cargo test
+
+      - name: "Feature Tests: Fingerprint, kTLS, QUIC, and PQ"
         working-directory: ${{env.ROOT_PATH}}
         # Test all features except for FIPS, which is tested separately.
         run: cargo test --features unstable-fingerprint,unstable-ktls,quic,pq
 
-      # Ensure that all tests pass with the default feature set
-      - name: Default Tests
+      - name: "Feature Test: Renegotiate"
         working-directory: ${{env.ROOT_PATH}}
-        run: cargo test
+        run: cargo test --features unstable-renegotiate
 
       - name: Test external build
         # if this test is failing, make sure that api headers are appropriately
@@ -254,6 +258,7 @@ jobs:
       - name: Run cargo clippy
         run: |
           cargo clippy --manifest-path ${{env.ROOT_PATH}}/Cargo.toml --all-targets -- -D warnings
+          cargo clippy --manifest-path ${{env.ROOT_PATH}}/Cargo.toml --all-targets --all-features -- -D warnings
 
   msrv:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/gha_failure_monitor.yml b/.github/workflows/gha_failure_monitor.yml
diff --git a/.github/workflows/private_fork_pr_codebuild.yml b/.github/workflows/private_fork_pr_codebuild.yml
diff --git a/.github/workflows/usage_guide.yml b/.github/workflows/usage_guide.yml
@@ -18,6 +18,7 @@ env:
 permissions:
   contents: write
   statuses: write
+  id-token: write # This is required for requesting the JWT/OIDC
 
 jobs:
   build-deploy:
@@ -39,22 +40,22 @@ jobs:
         run: |
           cd docs/usage-guide
           mdbook build
-      
+
       - name: Deploy documentation to gh-pages
         uses: JamesIves/github-pages-deploy-action@v4.5.0
         if: github.event_name == 'push'
         with:
           target-folder: usage-guide
           folder: docs/usage-guide/book
-  
+
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v4.0.1
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: us-west-1
-      
+          role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+          role-session-name: s2ntlsghauseageguidesession
+          aws-region: us-west-2
+
       - name: Upload to S3
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
         id: s3
@@ -63,8 +64,8 @@ jobs:
           aws s3 sync docs/usage-guide/book "s3://s2n-tls-ci-artifacts/$TARGET" --acl private --follow-symlinks
           URL="$CDN/$TARGET/index.html"
           echo "URL=$URL" >> $GITHUB_OUTPUT
-      
-      - name: Output mdbook url 
+
+      - name: Output mdbook url
         uses: ouzi-dev/commit-status-updater@v2.0.1
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
         with: