Rename integration-patch-repair to autofix-integration-failures

Author: prasden

…b/workflows/integration_patch_repair.yml …rkflows/autofix_integration_failures.yml.github/workflows/integration_patch_repair.yml renamed to .github/workflows/autofix_integration_failures.yml .github/workflows/integration_patch_repair.yml renamed to .github/workflows/autofix_integration_failures.yml

@@ -1,4 +1,4 @@
-name: integration-patch-repair
+name: autofix
 
 on:
   workflow_run:
@@ -12,12 +12,11 @@ permissions:
 
 env:
   TARGET_RUN_ID: ${{ github.event.workflow_run.id }}
-  REPAIR_SCRIPT: ./tests/ci/integration/integration_patch_repair/repair.sh
+  AUTOFIX_SCRIPT: ./tests/ci/integration/autofix_integration_failures/autofix.sh
 
 jobs:
-
-  get-failing-targets:
-    name: get-failing-targets
+  get-failing-integrations:
+    name: get-failing-integrations
     if: >-
       github.event.workflow_run.event == 'schedule' &&
       github.event.workflow_run.conclusion == 'failure'
@@ -36,37 +35,35 @@ jobs:
         env:
           GH_TOKEN: ${{ github.token }}
         run: |
-          set -eo pipefail
-          targets=$("$REPAIR_SCRIPT" get-failing-targets "$TARGET_RUN_ID")
+          targets=$("$AUTOFIX_SCRIPT" get-failing-targets "$TARGET_RUN_ID")
           echo "Targets: $targets"
           echo "targets=$targets" >> "$GITHUB_OUTPUT"
       - name: Download each failing integration's logs
         env:
           GH_TOKEN: ${{ github.token }}
           TARGETS: ${{ steps.targets.outputs.targets }}
         run: |
-          set -eo pipefail
-          echo "$TARGETS" | jq -r '.[]' | while IFS='|' read -r integration version; do
-            "$REPAIR_SCRIPT" fetch-logs "$TARGET_RUN_ID" "$integration" "$version"
+          echo "$TARGETS" | jq -r '.[] | "\(.integration)\t\(.version)"' \
+            | while IFS=$'\t' read -r integration version; do
+            "$AUTOFIX_SCRIPT" fetch-logs "$TARGET_RUN_ID" "$integration" "$version"
           done
       - uses: actions/upload-artifact@v4
         if: always()
         with:
-          name: patch-repair-logs
-          # Upload the whole tree so the <slug>/logs/ structure is preserved on
-          # download; reason restores it to the same path repair.sh reads from.
-          path: .integration-patch-repair/
+          name: autofix-logs
+          # Save the logs folder so the `reason` job find the logs.
+          path: .autofix/
           if-no-files-found: ignore
 
   reason:
-    name: reason (${{ matrix.target }})
-    needs: get-failing-targets
-    if: needs.get-failing-targets.outputs.targets != '[]' && needs.get-failing-targets.outputs.targets != ''
+    name: reason (${{ matrix.target.dir }})
+    needs: get-failing-integrations
+    if: needs.get-failing-integrations.outputs.targets != '[]' && needs.get-failing-integrations.outputs.targets != ''
     strategy:
       fail-fast: false
       max-parallel: 5
       matrix:
-        target: ${{ fromJSON(needs.get-failing-targets.outputs.targets) }}
+        target: ${{ fromJSON(needs.get-failing-integrations.outputs.targets) }}
     runs-on:
       - codebuild-aws-lc-ci-github-actions-${{ github.run_id }}-${{ github.run_attempt }}
         image:linux-5.0
@@ -84,7 +81,7 @@ jobs:
           persist-credentials: false
       - uses: ./.github/actions/configure-aws-credentials
         with:
-          roleName: AwsLcGitHubActionPatchRepairReasoningRole
+          roleName: AwsLcGitHubActionAutofixReasoningRole
       - name: Install Claude Code
         run: npm install -g @anthropic-ai/claude-code@2.1.161
       - name: Install Bash sandbox deps
@@ -94,43 +91,32 @@ jobs:
       - name: Download pre-fetched logs
         uses: actions/download-artifact@v4
         with:
-          name: patch-repair-logs
-          path: .integration-patch-repair/
+          name: autofix-logs
+          path: .autofix/
         continue-on-error: true
-      # Turn the target (e.g. "openvpn|release/2.6") into a slug with no | or /
-      # (e.g. "openvpn-release-2.6"), safe for artifact names and matching the
-      # work dir repair.sh writes to.
-      - name: Derive target slug
-        id: slug
-        env:
-          TARGET: ${{ matrix.target }}
-        run: |
-          slug=${TARGET//[|\/]/-}
-          slug=${slug%-}
-          echo "dir=$slug" >> "$GITHUB_OUTPUT"
-      - name: Repair the patch
+      - name: Autofix the patch
         env:
-          TARGET: ${{ matrix.target }}
+          INTEGRATION: ${{ matrix.target.integration }}
+          VERSION: ${{ matrix.target.version }}
         run: |
-          set -exo pipefail
-          IFS='|' read -r integration version <<< "$TARGET"
-          "$REPAIR_SCRIPT" reason "$TARGET_RUN_ID" "$integration" "$version"
+          set -x
+          "$AUTOFIX_SCRIPT" reason "$TARGET_RUN_ID" "$INTEGRATION" "$VERSION"
       - uses: actions/upload-artifact@v4
         if: always()
         with:
-          name: patch-repair-${{ steps.slug.outputs.dir }}
-          path: .integration-patch-repair/${{ steps.slug.outputs.dir }}/
+          name: autofix-${{ matrix.target.dir }}
+          path: .autofix/${{ matrix.target.dir }}/
           if-no-files-found: ignore
 
   upload:
-    name: upload (${{ matrix.target }})
-    needs: [get-failing-targets, reason]
-    if: ${{ always() && needs.get-failing-targets.outputs.targets != '[]' && needs.get-failing-targets.outputs.targets != '' }}
+    name: upload (${{ matrix.target.dir }})
+    needs: [get-failing-integrations, reason]
+    if: ${{ always() && needs.get-failing-integrations.outputs.targets != '[]' && needs.get-failing-integrations.outputs.targets != '' }}
     strategy:
       fail-fast: false
       max-parallel: 5
       matrix:
-        target: ${{ fromJSON(needs.get-failing-targets.outputs.targets) }}
+        target: ${{ fromJSON(needs.get-failing-integrations.outputs.targets) }}
     runs-on:
       - codebuild-aws-lc-ci-github-actions-${{ github.run_id }}-${{ github.run_attempt }}
         image:linux-5.0
@@ -141,26 +127,19 @@ jobs:
           persist-credentials: false
       - uses: ./.github/actions/configure-aws-credentials
         with:
-          roleName: AwsLcGitHubActionPatchRepairUploadRole
-      - name: Derive target slug
-        id: slug
-        env:
-          TARGET: ${{ matrix.target }}
-        run: |
-          slug=${TARGET//[|\/]/-}
-          slug=${slug%-}
-          echo "dir=$slug" >> "$GITHUB_OUTPUT"
+          roleName: AwsLcGitHubActionAutofixUploadRole
       - name: Download results from reason job
         uses: actions/download-artifact@v4
         with:
-          name: patch-repair-${{ steps.slug.outputs.dir }}
-          path: .integration-patch-repair/${{ steps.slug.outputs.dir }}/
+          name: autofix-${{ matrix.target.dir }}
+          path: .autofix/${{ matrix.target.dir }}/
         continue-on-error: true
       - name: Upload results to S3
         env:
-          TARGET: ${{ matrix.target }}
+          INTEGRATION: ${{ matrix.target.integration }}
+          VERSION: ${{ matrix.target.version }}
         run: |
-          set -exo pipefail
-          export PATCH_REPAIR_BUCKET="${AWS_ACCOUNT_ID}-aws-lc-integration-patch-repair"
-          IFS='|' read -r integration version <<< "$TARGET"
-          "$REPAIR_SCRIPT" upload "$TARGET_RUN_ID" "$integration" "$version"
+          set -x
+          # Suffix must match S3_FOR_AUTOFIX_INTEGRATION_FAILURES in tests/ci/cdk/util/metadata.py
+          export AUTOFIX_BUCKET="${AWS_ACCOUNT_ID}-aws-lc-autofix-integration-failures"
+          "$AUTOFIX_SCRIPT" upload "$TARGET_RUN_ID" "$INTEGRATION" "$VERSION"

.github/workflows/integration_omnibus.yml

@@ -438,10 +438,7 @@ jobs:
       # that are purely informational and breakages are accepted.
       - name: Mark integration failure
         if: always() && steps.integration-test.outcome == 'failure' && github.event_name == 'schedule' && !matrix.allow_failure
-        # Figure out which integration failed. The script filename
-        # (run_postgres_integration.sh -> postgres) is the real name.
-        # matrix.name ("postgresql") is just a label and can differ.
-        # The script's argument is the version: libgit2 -> v1.9.4, openvpn -> release/2.6.
+
         env:
           INTEGRATION_RUNNER_COMMAND: ${{ matrix.run }}
         run: |
@@ -453,7 +450,9 @@ jobs:
 
           # Strip the path, run_ prefix, and _integration.sh suffix to get the
           # bare integration name (e.g. .../run_postgres_integration.sh -> postgres).
-          integration=$(sed -E 's#.*/run_(.+)_integration\.sh#\1#' <<< "$script_path")
+          integration=${script_path##*/}              # .../run_postgres_integration.sh -> run_postgres_integration.sh
+          integration=${integration#run_}             # -> postgres_integration.sh
+          integration=${integration%_integration.sh}  # -> postgres
           version=${version//[\'\"]/}  # strip quotes (e.g. pyopenssl '25.3.0')
           echo -e "${integration}\t${version}" > integration-failure.txt
 

tests/ci/cdk/cdk/aws_lc_github_oidc_stack.py

@@ -7,16 +7,14 @@
     aws_ecr as ecr,
     aws_iam as iam,
     aws_s3 as s3,
-    Duration,
-    RemovalPolicy,
     Stack,
     Environment,
 )
 from cdk.aws_lc_devicefarm_ci_stack import DeviceFarmCiProps
 from constructs import Construct
 
 from util.metadata import (
-    ECR_REPOS, GITHUB_REPO_OWNER, GITHUB_REPO_NAME, AWS_LC_METRIC_NS, IMAGE_STAGING_REPO, PRE_PROD_ACCOUNT, STAGING_GITHUB_REPO_NAME)
+    ECR_REPOS, GITHUB_REPO_OWNER, GITHUB_REPO_NAME, AWS_LC_METRIC_NS, IMAGE_STAGING_REPO, PRE_PROD_ACCOUNT, STAGING_GITHUB_REPO_NAME, S3_FOR_AUTOFIX_INTEGRATION_FAILURES)
 
 
 class AwsLcGitHubOidcStack(Stack):
@@ -77,21 +75,20 @@ def __init__(
         self.docker_image_build_role.grant_assume_role(
             self.minimal_oidc_role)
 
-    
-        self.patch_repair_bucket = s3.Bucket(
-            self, "aws-lc-integration-patch-repair",
-            bucket_name=f"{env.account}-aws-lc-integration-patch-repair",
+        self.autofix_bucket = s3.Bucket(
+            self, "aws-lc-autofix-integration-failures",
+            bucket_name=f"{env.account}-{S3_FOR_AUTOFIX_INTEGRATION_FAILURES}",
             block_public_access=s3.BlockPublicAccess.BLOCK_ALL,
         )
 
-        self.patch_repair_reasoning_role = create_patch_repair_reasoning_role(
-            self, "AwsLcGitHubActionPatchRepairReasoningRole", env, self.minimal_oidc_role)
-        self.patch_repair_reasoning_role.grant_assume_role(self.minimal_oidc_role)
+        self.autofix_reasoning_role = create_autofix_reasoning_role(
+            self, "AwsLcGitHubActionAutofixReasoningRole", env, self.minimal_oidc_role)
+        self.autofix_reasoning_role.grant_assume_role(self.minimal_oidc_role)
 
-        self.patch_repair_upload_role = create_patch_repair_upload_role(
-            self, "AwsLcGitHubActionPatchRepairUploadRole", self.minimal_oidc_role,
-            self.patch_repair_bucket)
-        self.patch_repair_upload_role.grant_assume_role(self.minimal_oidc_role)
+        self.autofix_upload_role = create_autofix_upload_role(
+            self, "AwsLcGitHubActionAutofixUploadRole", self.minimal_oidc_role,
+            self.autofix_bucket)
+        self.autofix_upload_role.grant_assume_role(self.minimal_oidc_role)
 
 
 def create_device_farm_role(scope: Construct, id: str,
@@ -300,11 +297,9 @@ def create_standard_github_actions_role(scope: Construct, id: str,
     return role
 
 
-def create_patch_repair_reasoning_role(scope: Construct, id: str,
+def create_autofix_reasoning_role(scope: Construct, id: str,
                                        env: typing.Union[Environment, typing.Dict[str, typing.Any]],
                                        principal: iam.IPrincipal) -> iam.Role:
-    # The reasoning job runs the sandboxed agent. It needs Bedrock only -- no
-    # write access anywhere, so a prompt-injected agent cannot reach S3 or the repo.
     return iam.Role(scope, id, role_name=id,
                     assumed_by=iam.SessionTagsPrincipal(principal),
                     inline_policies={
@@ -327,11 +322,9 @@ def create_patch_repair_reasoning_role(scope: Construct, id: str,
                     })
 
 
-def create_patch_repair_upload_role(scope: Construct, id: str,
+def create_autofix_upload_role(scope: Construct, id: str,
                                     principal: iam.IPrincipal,
                                     bucket: s3.IBucket) -> iam.Role:
-    # The upload job runs no agent -- it only copies the produced files to S3.
-    # It gets PutObject on this one bucket and nothing else (no Bedrock).
     return iam.Role(scope, id, role_name=id,
                     assumed_by=iam.SessionTagsPrincipal(principal),
                     inline_policies={

tests/ci/cdk/util/metadata.py

@@ -70,5 +70,9 @@
     "S3_FOR_WIN_DOCKER_IMG_BUILD", "aws-lc-windows-docker-image-build-s3"
 )
 
+S3_FOR_AUTOFIX_INTEGRATION_FAILURES = EnvUtil.get(
+    "S3_FOR_AUTOFIX_INTEGRATION_FAILURES", "aws-lc-autofix-integration-failures"
+)
+
 GITHUB_PUSH_CI_BRANCH_TARGETS = r"(main|fips-\d{4}-\d{2}-\d{2}.*)"
 SCRUTINICE_PRINCIPAL_ROLE_ARN = "arn:aws:iam::222961743098:role/scrutini-ecr"