Skip to content
integration-patch-repair

integration-patch-repair #11

Sign in to view logs

integration-patch-repair

integration-patch-repair #11

Workflow file for this run

.github/workflows/integration_patch_repair.yml at 2381009
name: integration-patch-repair
on:
workflow_run:
workflows: ["integration-omnibus"]
types: [completed]
permissions:
contents: read
id-token: write
actions: read
env:
TARGET_RUN_ID: ${{ github.event.workflow_run.id }}
REPAIR_SCRIPT: ./tests/ci/integration/integration_patch_repair/repair.sh
jobs:
get-failing-targets:
name: get-failing-targets
# TEST-ONLY: also accept workflow_dispatch so a manually-triggered omnibus run repairs.
if: >-
(github.event.workflow_run.event == 'schedule' || github.event.workflow_run.event == 'workflow_dispatch') &&
github.event.workflow_run.conclusion == 'failure'
runs-on:
- codebuild-aws-lc-ci-github-actions-${{ github.run_id }}-${{ github.run_attempt }}
image:linux-5.0
instance-size:small
outputs:
targets: ${{ steps.targets.outputs.targets }}
steps:
- uses: actions/checkout@v6
with:
persist-credentials: false
- name: Collect failing targets
id: targets
env:
GH_TOKEN: ${{ github.token }}
run: |
set -eo pipefail
targets=$("$REPAIR_SCRIPT" get-failing-targets "$TARGET_RUN_ID")
echo "Targets: $targets"
echo "targets=$targets" >> "$GITHUB_OUTPUT"
- name: Download each failing integration's logs
env:
GH_TOKEN: ${{ github.token }}
TARGETS: ${{ steps.targets.outputs.targets }}
run: |
set -eo pipefail
echo "$TARGETS" | jq -r '.[]' | while IFS='|' read -r integration version; do
"$REPAIR_SCRIPT" fetch-logs "$TARGET_RUN_ID" "$integration" "$version"
done
- uses: actions/upload-artifact@v4
if: always()
with:
name: patch-repair-logs
# Upload the whole tree so the <slug>/logs/ structure is preserved on
# download; reason restores it to the same path repair.sh reads from.
path: .integration-patch-repair/
if-no-files-found: ignore
reason:
name: reason (${{ matrix.target }})
needs: get-failing-targets
if: needs.get-failing-targets.outputs.targets != '[]' && needs.get-failing-targets.outputs.targets != ''
strategy:
fail-fast: false
max-parallel: 5
matrix:
target: ${{ fromJSON(needs.get-failing-targets.outputs.targets) }}
runs-on:
- codebuild-aws-lc-ci-github-actions-${{ github.run_id }}-${{ github.run_attempt }}
image:linux-5.0
instance-size:small
env:
CLAUDE_CODE_USE_BEDROCK: "1"
CLAUDE_CODE_SUBPROCESS_ENV_SCRUB: "1" # Strip secret creds from the env Claude's Bash subprocesses inherit to guard against prompt injection
AWS_REGION: us-west-2
ANTHROPIC_DEFAULT_OPUS_MODEL: us.anthropic.claude-opus-4-8
ANTHROPIC_DEFAULT_SONNET_MODEL: us.anthropic.claude-sonnet-4-6
ANTHROPIC_DEFAULT_HAIKU_MODEL: us.anthropic.claude-haiku-4-5-20251001-v1:0
steps:
- uses: actions/checkout@v6
with:
persist-credentials: false
- uses: ./.github/actions/configure-aws-credentials
with:
roleName: AwsLcGitHubActionPatchRepairReasoningRole
- name: Install Claude Code
run: npm install -g @anthropic-ai/claude-code@2.1.161
- name: Install Bash sandbox deps
# Claude Code's sandbox needs bubblewrap (filesystem/process isolation)
# and socat (relays Bash traffic through the domain-allowlist proxy).
run: sudo dnf install -y bubblewrap socat
- name: Download pre-fetched logs
uses: actions/download-artifact@v4
with:
name: patch-repair-logs
path: .integration-patch-repair/
continue-on-error: true
# Turn the target (e.g. "openvpn|release/2.6") into a slug with no | or /
# (e.g. "openvpn-release-2.6"), safe for artifact names and matching the
# work dir repair.sh writes to.
- name: Derive target slug
id: slug
env:
TARGET: ${{ matrix.target }}
run: |
slug=${TARGET//[|\/]/-}
slug=${slug%-}
echo "dir=$slug" >> "$GITHUB_OUTPUT"
- name: Repair the patch
env:
TARGET: ${{ matrix.target }}
run: |
set -exo pipefail
IFS='|' read -r integration version <<< "$TARGET"
"$REPAIR_SCRIPT" reason "$TARGET_RUN_ID" "$integration" "$version"
- uses: actions/upload-artifact@v4
if: always()
with:
name: patch-repair-${{ steps.slug.outputs.dir }}
path: .integration-patch-repair/${{ steps.slug.outputs.dir }}/
if-no-files-found: ignore
upload:
name: upload (${{ matrix.target }})
needs: [get-failing-targets, reason]
if: ${{ always() && needs.get-failing-targets.outputs.targets != '[]' && needs.get-failing-targets.outputs.targets != '' }}
strategy:
fail-fast: false
max-parallel: 5
matrix:
target: ${{ fromJSON(needs.get-failing-targets.outputs.targets) }}
runs-on:
- codebuild-aws-lc-ci-github-actions-${{ github.run_id }}-${{ github.run_attempt }}
image:linux-5.0
instance-size:small
steps:
- uses: actions/checkout@v6
with:
persist-credentials: false
- uses: ./.github/actions/configure-aws-credentials
with:
roleName: AwsLcGitHubActionPatchRepairUploadRole
- name: Derive target slug
id: slug
env:
TARGET: ${{ matrix.target }}
run: |
slug=${TARGET//[|\/]/-}
slug=${slug%-}
echo "dir=$slug" >> "$GITHUB_OUTPUT"
- name: Download results from reason job
uses: actions/download-artifact@v4
with:
name: patch-repair-${{ steps.slug.outputs.dir }}
path: .integration-patch-repair/${{ steps.slug.outputs.dir }}/
continue-on-error: true
- name: Upload results to S3
env:
TARGET: ${{ matrix.target }}
run: |
set -exo pipefail
export PATCH_REPAIR_BUCKET="${AWS_ACCOUNT_ID}-aws-lc-integration-patch-repair"
IFS='|' read -r integration version <<< "$TARGET"
"$REPAIR_SCRIPT" upload "$TARGET_RUN_ID" "$integration" "$version"