ci: split pipeline into PR, Merge, and Release workflows (#642)

- PR: test + build validation only (no deploys)
- Merge: test, build, beta deploy, e2e tests
- Release: test, build, gamma, prod, public ECR publish

Additional improvements:
- Replace sccache with Swatinem/rust-cache
- Use prebuilt cargo-nextest binary
- Trim unnecessary musl targets from test jobs
- Consolidate load-matrix jobs in release workflow
- Bump Python from 3.8 to 3.13
- Normalize download-artifact to @v4
- Remove unused env vars
- Fix paths-ignore globs
- Replace docker import with docker build

Author: bnusunny

.github/workflows/merge.yaml

@@ -0,0 +1,382 @@
+name: Merge
+
+on:
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - "docs/**"
+      - "examples/**"
+
+permissions:
+  id-token: write
+  contents: read
+
+env:
+  CARGO_TERM_COLOR: always
+  SAM_TEMPLATE_X86_64: template-x86_64.yaml
+  SAM_TEMPLATE_ARM64: template-arm64.yaml
+  GITHUB_RUNNER_ROLE: arn:aws:iam::621808641063:role/GitHubRunnerRole
+  BETA_STACK_NAME: lambda-adapter-beta
+  BETA_PIPELINE_EXECUTION_ROLE: arn:aws:iam::477159140107:role/aws-sam-cli-managed-beta-pip-PipelineExecutionRole-13NXRWTRTHDCJ
+  BETA_CLOUDFORMATION_EXECUTION_ROLE: arn:aws:iam::477159140107:role/aws-sam-cli-managed-beta-CloudFormationExecutionR-132I77VBFOWQ2
+  BETA_ARTIFACTS_BUCKET: aws-sam-cli-managed-beta-pipeline-artifactsbucket-889nlo0z1nt0
+  BETA_IMAGE_REPOSITORY: 477159140107.dkr.ecr.ap-northeast-1.amazonaws.com/aws-sam-cli-managed-beta-pipeline-resources-imagerepository-0hbn3hxi9pcm
+  BETA_REGION: ap-northeast-1
+  RUST_BACKTRACE: full
+
+jobs:
+  test:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout sources
+        uses: actions/checkout@v4
+
+      - name: Configure Rust cache
+        uses: Swatinem/rust-cache@v2
+
+      - name: Install cargo-nextest
+        run: curl -LsSf https://get.nexte.st/latest/linux | tar zxf - -C ${CARGO_HOME:-~/.cargo}/bin
+
+      - name: linting
+        run: |
+          cargo fmt --all -- --check
+          cargo clippy -- -Dwarnings
+
+      - name: run unit and integration tests
+        run: cargo nextest run --profile ci
+
+  build:
+    needs: [test]
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v4
+        with:
+          python-version: "3.13"
+
+      - uses: aws-actions/setup-sam@v2
+        with:
+          use-installer: true
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install stable toolchain
+        run: |
+          rustup target add x86_64-unknown-linux-musl
+          rustup target add aarch64-unknown-linux-musl
+
+      - name: Install cargo lambda
+        run: pip3 install cargo-lambda
+
+      - name: Configure Rust cache
+        uses: Swatinem/rust-cache@v2
+
+      - name: Add cargo pkg version to env vars
+        run: |
+          echo "CARGO_PKG_VERSION=$(cargo metadata --no-deps --format-version=1 | jq -r '.packages[0].version')" >> $GITHUB_ENV
+
+      - name: Build x86_64 Layer
+        run: sam build --template ${SAM_TEMPLATE_X86_64} --parameter-overrides CargoPkgVersion=${CARGO_PKG_VERSION} -b build-x86_64
+
+      - name: Tar files
+        run: tar -cvf build-x86_64.tar build-x86_64
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: aws-sam-build-x86_64
+          path: build-x86_64.tar
+
+      - name: Build arm64 Layer
+        run: sam build --template ${SAM_TEMPLATE_ARM64} --parameter-overrides CargoPkgVersion=${CARGO_PKG_VERSION} -b build-arm64
+
+      - name: Tar files
+        run: tar -cvf build-arm64.tar build-arm64
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: aws-sam-build-arm64
+          path: build-arm64.tar
+
+  package-beta:
+    needs: [build]
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v4
+        with:
+          python-version: "3.13"
+      - uses: aws-actions/setup-sam@v2
+        with:
+          use-installer: true
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Assume the github runner role
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ env.BETA_REGION }}
+          role-to-assume: ${{ env.GITHUB_RUNNER_ROLE }}
+
+      - name: Assume the beta pipeline user role
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
+          aws-session-token: ${{ env.AWS_SESSION_TOKEN }}
+          role-skip-session-tagging: true
+          aws-region: ${{ env.BETA_REGION }}
+          role-to-assume: ${{ env.BETA_PIPELINE_EXECUTION_ROLE }}
+
+      - uses: actions/download-artifact@v4
+        with:
+          name: aws-sam-build-x86_64
+
+      - name: extract build_x86_64
+        run: |
+          tar -xvf build-x86_64.tar
+
+      - name: Upload x86_64 layer to beta artifact buckets
+        run: |
+          sam package \
+            --template build-x86_64/template.yaml \
+            --s3-bucket ${BETA_ARTIFACTS_BUCKET} \
+            --image-repository ${BETA_IMAGE_REPOSITORY} \
+            --region ${BETA_REGION} \
+            --output-template-file packaged-beta-x86_64.yaml
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: packaged-beta-x86_64.yaml
+          path: packaged-beta-x86_64.yaml
+
+      - uses: actions/download-artifact@v4
+        with:
+          name: aws-sam-build-arm64
+
+      - name: extract build_arm64
+        run: |
+          tar -xvf build-arm64.tar
+
+      - name: Upload arm64 layer to beta artifact buckets
+        run: |
+          sam package \
+            --template build-arm64/template.yaml \
+            --s3-bucket ${BETA_ARTIFACTS_BUCKET} \
+            --image-repository ${BETA_IMAGE_REPOSITORY} \
+            --region ${BETA_REGION} \
+            --output-template-file packaged-beta-arm64.yaml
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: packaged-beta-arm64.yaml
+          path: packaged-beta-arm64.yaml
+
+      - name: Create and push the x86_64 docker image to beta ecr repo
+        run: |
+          aws ecr get-login-password --region ap-northeast-1 | docker login --username AWS --password-stdin 477159140107.dkr.ecr.ap-northeast-1.amazonaws.com
+          printf 'FROM scratch\nADD build-x86_64/LambdaAdapterLayerX86/extensions/. /\n' | docker build --provenance=false --platform=linux/amd64 -t 477159140107.dkr.ecr.ap-northeast-1.amazonaws.com/awsguru/aws-lambda-adapter:latest-x86_64 -f- .
+          docker push 477159140107.dkr.ecr.ap-northeast-1.amazonaws.com/awsguru/aws-lambda-adapter:latest-x86_64
+
+      - name: Create and push the arm64 docker image to beta ecr repo
+        run: |
+          printf 'FROM scratch\nADD build-arm64/LambdaAdapterLayerArm64/extensions/. /\n' | docker build --provenance=false --platform=linux/arm64 -t 477159140107.dkr.ecr.ap-northeast-1.amazonaws.com/awsguru/aws-lambda-adapter:latest-aarch64 -f- .
+          docker push 477159140107.dkr.ecr.ap-northeast-1.amazonaws.com/awsguru/aws-lambda-adapter:latest-aarch64
+
+      - name: create and push the multi-arch manifest to beta ecr repo
+        run: |
+          docker manifest create 477159140107.dkr.ecr.ap-northeast-1.amazonaws.com/awsguru/aws-lambda-adapter:latest \
+              477159140107.dkr.ecr.ap-northeast-1.amazonaws.com/awsguru/aws-lambda-adapter:latest-x86_64 \
+              477159140107.dkr.ecr.ap-northeast-1.amazonaws.com/awsguru/aws-lambda-adapter:latest-aarch64
+          docker manifest push 477159140107.dkr.ecr.ap-northeast-1.amazonaws.com/awsguru/aws-lambda-adapter:latest
+
+  deploy-beta:
+    needs: [package-beta]
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v4
+        with:
+          python-version: "3.13"
+      - uses: aws-actions/setup-sam@v2
+        with:
+          use-installer: true
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Assume the github runner role
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ env.BETA_REGION }}
+          role-to-assume: ${{ env.GITHUB_RUNNER_ROLE }}
+
+      - name: Assume the beta pipeline user role
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
+          aws-session-token: ${{ env.AWS_SESSION_TOKEN }}
+          role-skip-session-tagging: true
+          aws-region: ${{ env.BETA_REGION }}
+          role-to-assume: ${{ env.BETA_PIPELINE_EXECUTION_ROLE }}
+
+      - name: Add cargo pkg version to env vars
+        run: |
+          echo "CARGO_PKG_VERSION=$(cargo metadata --no-deps --format-version=1 | jq -r '.packages[0].version')" >> $GITHUB_ENV
+
+      - uses: actions/download-artifact@v4
+        with:
+          name: packaged-beta-x86_64.yaml
+
+      - name: Deploy x86_64 layer to beta account
+        run: |
+          sam deploy --stack-name ${BETA_STACK_NAME}-x86 \
+            --template packaged-beta-x86_64.yaml \
+            --parameter-overrides CargoPkgVersion=${CARGO_PKG_VERSION} \
+            --capabilities CAPABILITY_IAM \
+            --region ${BETA_REGION} \
+            --s3-bucket ${BETA_ARTIFACTS_BUCKET} \
+            --image-repository ${BETA_IMAGE_REPOSITORY} \
+            --no-fail-on-empty-changeset \
+            --role-arn ${BETA_CLOUDFORMATION_EXECUTION_ROLE}
+
+      - uses: actions/download-artifact@v4
+        with:
+          name: packaged-beta-arm64.yaml
+
+      - name: Deploy arm64 layer to beta account
+        run: |
+          sam deploy --stack-name ${BETA_STACK_NAME}-arm64 \
+            --template packaged-beta-arm64.yaml \
+            --parameter-overrides CargoPkgVersion=${CARGO_PKG_VERSION} \
+            --capabilities CAPABILITY_IAM \
+            --region ${BETA_REGION} \
+            --s3-bucket ${BETA_ARTIFACTS_BUCKET} \
+            --image-repository ${BETA_IMAGE_REPOSITORY} \
+            --no-fail-on-empty-changeset \
+            --role-arn ${BETA_CLOUDFORMATION_EXECUTION_ROLE}
+
+  e2e-test-zip:
+    needs: [deploy-beta]
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install stable toolchain
+        run: |
+          rustup target add x86_64-unknown-linux-musl
+
+      - name: Install cargo lambda
+        run: pip3 install cargo-lambda
+
+      - name: Configure Rust cache
+        uses: Swatinem/rust-cache@v2
+
+      - name: Install cargo-nextest
+        run: curl -LsSf https://get.nexte.st/latest/linux | tar zxf - -C ${CARGO_HOME:-~/.cargo}/bin
+
+      - uses: actions/setup-python@v4
+        with:
+          python-version: "3.13"
+
+      - uses: aws-actions/setup-sam@v2
+        with:
+          use-installer: true
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Assume the github runner role
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ env.BETA_REGION }}
+          role-to-assume: ${{ env.GITHUB_RUNNER_ROLE }}
+
+      - name: Assume the beta pipeline user role
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
+          aws-session-token: ${{ env.AWS_SESSION_TOKEN }}
+          role-skip-session-tagging: true
+          aws-region: ${{ env.BETA_REGION }}
+          role-to-assume: ${{ env.BETA_PIPELINE_EXECUTION_ROLE }}
+
+      - name: deploy the zip x86 integration test stacks for the beta environment
+        working-directory: ./tests/e2e_tests/fixtures/go-httpbin-zip
+        run: |
+          sam build
+          sam deploy --stack-name ${BETA_STACK_NAME}-zip-x86 \
+            --capabilities CAPABILITY_IAM \
+            --region ${BETA_REGION} \
+            --s3-bucket ${BETA_ARTIFACTS_BUCKET} \
+            --image-repository ${BETA_IMAGE_REPOSITORY} \
+            --no-fail-on-empty-changeset \
+            --role-arn ${BETA_CLOUDFORMATION_EXECUTION_ROLE}
+
+      - name: run e2e tests
+        run: |
+          API_ENDPOINT=https://httpbin-rest-zip.beta.adapter.awsguru.dev/ API_AUTH_TYPE="open" cargo nextest run --run-ignored ignored-only --profile ci
+          API_ENDPOINT=https://httpbin-http-zip.beta.adapter.awsguru.dev/ API_AUTH_TYPE="open" cargo nextest run --run-ignored ignored-only --profile ci
+          API_ENDPOINT=https://httpbin-alb-zip.beta.adapter.awsguru.dev/ API_AUTH_TYPE="open" cargo nextest run --run-ignored ignored-only --profile ci
+          API_ENDPOINT=https://c26abn6izvm4xvbfs5baaflifm0hqvsn.lambda-url.ap-northeast-1.on.aws/ API_AUTH_TYPE="iam" cargo nextest run --run-ignored ignored-only --profile ci
+
+  e2e-test-oci:
+    needs: [deploy-beta]
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install stable toolchain
+        run: |
+          rustup target add x86_64-unknown-linux-musl
+
+      - name: Install cargo lambda
+        run: pip3 install cargo-lambda
+
+      - name: Configure Rust cache
+        uses: Swatinem/rust-cache@v2
+
+      - name: Install cargo-nextest
+        run: curl -LsSf https://get.nexte.st/latest/linux | tar zxf - -C ${CARGO_HOME:-~/.cargo}/bin
+
+      - uses: actions/setup-python@v4
+        with:
+          python-version: "3.13"
+
+      - uses: aws-actions/setup-sam@v2
+        with:
+          use-installer: true
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Assume the github runner role
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ env.BETA_REGION }}
+          role-to-assume: ${{ env.GITHUB_RUNNER_ROLE }}
+
+      - name: Assume the beta pipeline user role
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
+          aws-session-token: ${{ env.AWS_SESSION_TOKEN }}
+          role-skip-session-tagging: true
+          aws-region: ${{ env.BETA_REGION }}
+          role-to-assume: ${{ env.BETA_PIPELINE_EXECUTION_ROLE }}
+
+      - name: deploy the oci x86 integration test stacks for the beta environment
+        working-directory: ./tests/e2e_tests/fixtures/go-httpbin
+        run: |
+          aws ecr get-login-password --region ap-northeast-1 | docker login --username AWS --password-stdin 477159140107.dkr.ecr.ap-northeast-1.amazonaws.com
+          sam build
+          sam deploy --stack-name ${BETA_STACK_NAME}-oci-x86 \
+            --capabilities CAPABILITY_IAM \
+            --region ${BETA_REGION} \
+            --s3-bucket ${BETA_ARTIFACTS_BUCKET} \
+            --image-repository ${BETA_IMAGE_REPOSITORY} \
+            --no-fail-on-empty-changeset \
+            --role-arn ${BETA_CLOUDFORMATION_EXECUTION_ROLE}
+
+      - name: run e2e tests
+        run: |
+          API_ENDPOINT=https://httpbin-rest-oci.beta.adapter.awsguru.dev/ API_AUTH_TYPE="open" cargo nextest run --run-ignored ignored-only --profile ci
+          API_ENDPOINT=https://httpbin-http-oci.beta.adapter.awsguru.dev/ API_AUTH_TYPE="open" cargo nextest run --run-ignored ignored-only --profile ci
+          API_ENDPOINT=https://httpbin-alb-oci.beta.adapter.awsguru.dev/ API_AUTH_TYPE="open" cargo nextest run --run-ignored ignored-only --profile ci
+          API_ENDPOINT=https://3w6rb56t3lzefztvndn4zg3xru0taszm.lambda-url.ap-northeast-1.on.aws/ API_AUTH_TYPE="iam" cargo nextest run --run-ignored ignored-only --profile ci