aws · lucasmcdonald3 · Oct 29, 2025 · Oct 29, 2025 · Oct 29, 2025 · Oct 29, 2025
@@ -4,64 +4,5 @@
 on: [pull_request, workflow_call]
 
 jobs:
-  CI:
-    strategy:
-      matrix:
-          node: [18.x, 20.x, 22.x, latest]
-      fail-fast: false
-    runs-on: codebuild-AWS-ESDK-JS-Release-${{ github.run_id }}-${{ github.run_attempt }}-ubuntu-5.0-large
-    permissions:
-      id-token: write
-      contents: read
-    defaults:
-      run:
-        shell: bash
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          submodules: true 
-      - uses: actions/setup-node@v4
-        with:
-          node-version: ${{matrix.node}}
-      - name: Configure AWS Credentials for Tests
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          aws-region: us-west-2
-          role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2
-          role-session-name: JavaScriptTests 
-      - name: Test Coverage Node ${{matrix.node}}
-        env: 
-          NODE_OPTIONS: "--max-old-space-size=4096"
-        run: |
-          npm ci
-          npm run build
-          npm run coverage-node
-      - name: Test Coverage Browser ${{matrix.node}}
-        env: 
-          NODE_OPTIONS: "--max-old-space-size=4096"
-        run: |
-          npm run coverage-browser
-      - name: Test compliance
-        env: 
-          NODE_OPTIONS: "--max-old-space-size=4096"
-        run: |
-          npm run lint
-          npm run test_conditions
-      - name: Run Test Vectors Node ${{matrix.node}}
-        env:
-          NODE_OPTIONS: "--max-old-space-size=4096"
-          NPM_CONFIG_UNSAFE_PERM: true
-          PUBLISH_LOCAL: true
-        run: |
-          npm run verdaccio-publish
-          npm run verdaccio-node-decrypt
-          npm run verdaccio-node-encrypt
-      - name: Run Test Vectors Browser node ${{matrix.node}} 
-        env:
-          NODE_OPTIONS: "--max-old-space-size=4096"
-          NPM_CONFIG_UNSAFE_PERM: true
-          PUBLISH_LOCAL: true
-        run: |
-          npm run verdaccio-publish
-          npm run verdaccio-browser-decrypt
-          npm run verdaccio-browser-encrypt
+  shared-ci:
+    uses: ./.github/workflows/shared-ci.yml
@@ -0,0 +1,75 @@
+name: Release
+permissions:
+  contents: read
+
+on:
+  workflow_dispatch:
+    inputs:
+      version_bump:
+        required: false
+        description: '[Optional] Override semantic versioning with explict version (allowed values: "patch", "minor", "major", or explicit version)'
+        default: ''
+      dist_tag:
+        description: 'NPM distribution tag'
+        required: false
+        default: 'latest'
+      branch:
+        description: 'The branch to release from'
+        required: false
+        default: 'master'
+
+env:
+  NODE_OPTIONS: "--max-old-space-size=4096"
+  NPM_CONFIG_UNSAFE_PERM: true
+
+jobs:
+  pre-release-ci:
+    uses: ./.github/workflows/shared-ci.yml
+
+  # Once all tests have passed, run semantic versioning
+  version:
+    runs-on: ubuntu-latest
+    needs: [pre-release-ci]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          submodules: true
+
+      - name: Setup Node.js 16
+        uses: actions/setup-node@v4
+        with:
+          node-version: '16'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci --unsafe-perm
+
+      - name: Configure git
+        env:
+          BRANCH: ${{ github.event.inputs.branch }}
+          VERSION_BUMP: ${{ github.event.inputs.version_bump }}
+        run: |
+          git config --global user.name "aws-crypto-tools-ci-bot"
+          git config --global user.email "[email protected]"
+          git checkout $BRANCH
+
+      - name: Version packages (dry run - no push)
+        run: |
+          # Generate new version and CHANGELOG entry and push it
+          npx lerna version --conventional-commits --git-remote origin --yes ${VERSION_BUMP:+$VERSION_BUMP --force-publish}
+          # Log the commit for posterity
+          git log -n 1
+
+  # Once semantic versioning has run and bumped versions, publish to npm
+  # TODO: Publish step that doesn't use OTP but instead follows
+  # https://docs.npmjs.com/trusted-publishers
+
+  # Once publishing is complete, validate that the published packages are useable
+  validate:
+    uses: ./.github/workflows/shared-ci.yml
+    # TODO: Uncomment when adding publish step
+    # needs: [publish]
+    with:
+      test-published-packages: true
@@ -0,0 +1,103 @@
+name: Shared CI Tests
+
+on:
+  workflow_call:
+    inputs:
+      test-published-packages:
+        description: 'Test against published packages instead of checked out code'
+        required: false
+        type: boolean
+        default: false
+
+env:
+  NODE_OPTIONS: "--max-old-space-size=4096"
+  NPM_CONFIG_UNSAFE_PERM: true
+
+jobs:
+  compliance:
+    # Don't lint or check Duvet annotations on already-published code
+    if: ${{ !inputs.test-published-packages }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          submodules: true
+
+      - name: Setup Node.js 18
+        uses: actions/setup-node@v4
+        with:
+          node-version: '18'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci --unsafe-perm
+
+      - name: Run compliance checks
+        run: |
+          npm run lint
+          npm run test_conditions
+
+  test:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        node-version: ['18', '20', '22']
+        test-type: ['node', 'browser']
+        test-category: ['coverage', 'vectors']
+    name: test-${{ matrix.test-category }}-${{ matrix.test-type }}${{ matrix.node-version }}
+    steps:
+      - name: Checkout code
+        # Always need repo for test scripts and configuration, even when testing published packages
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          submodules: true
+
+      - name: Setup Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node-version }}
+          cache: 'npm'
+
+      - name: Configure AWS Credentials for Tests
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: us-west-2
+          role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2
+          role-session-name: JavaScriptTests
+
+      - name: Install dependencies
+        run: npm ci --unsafe-perm
+
+      - name: Build (for source code testing)
+        if: ${{ !inputs.test-published-packages }}
+        run: npm run build
+
+      - name: Run ${{ matrix.test-category }} tests (${{ matrix.test-type }})
+        run: |
+          # Skip coverage tests when testing published packages
+          if [ "${{ inputs.test-published-packages }}" = "true" ] && [ "${{ matrix.test-category }}" = "coverage" ]; then
+            echo "Skipping coverage tests for published packages validation"
+            exit 0
+          fi
+
+          # Run the appropriate test
+          if [ "${{ matrix.test-category }}" = "coverage" ]; then
+            npm run coverage-${{ matrix.test-type }}
+          elif [ "${{ matrix.test-category }}" = "vectors" ]; then
+            # Only publish locally when testing source code
+            if [ "${{ inputs.test-published-packages }}" != "true" ]; then
+              npm run verdaccio-publish
+            fi
+            npm run verdaccio-${{ matrix.test-type }}-decrypt
+            npm run verdaccio-${{ matrix.test-type }}-encrypt
+          else
+            echo "Error: Unrecognized test category '${{ matrix.test-category }}'"
+            exit 1
+          fi
@@ -26,7 +26,7 @@
     "build-browser": "tsc -b tsconfig.module.json",
     "build": "run-s build-*",
     "karma": "NODE_OPTIONS=--max-old-space-size=4096 karma start karma.conf.js",
-    "mocha": "mocha --exclude 'modules/*-+(browser|backend)/build/main/test/*.js'  modules/**/build/main/test/*test.js",
+    "mocha": "mocha --timeout 5000 --exclude 'modules/*-+(browser|backend)/build/main/test/*.js'  modules/**/build/main/test/*test.js",
     "coverage-browser": "npm run karma && nyc report -t .karma_output --check-coverage",
     "coverage-node": "nyc --instrument --all --check-coverage -n 'modules/**/build/main/src/*.js' -x 'modules/**/build/main/test/*.js' -x 'modules/*-+(browser|backend)/**/*.js' npm run mocha",
     "coverage-merge": "nyc merge .karma_output .nyc_output/browser.json",