Merge branch 'main' into config-test-mode

.cargo-deny-config.toml

@@ -4,10 +4,6 @@
 # More documentation for the licenses section can be found here:
 # https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html
 [licenses]
-default = "deny"
-unlicensed = "deny"
-copyleft = "deny"
-allow-osi-fsf-free = "neither"
 allow = [
     # See https://spdx.org/licenses/ for list of possible licenses
     # [possible values: any SPDX 3.11 short identifier (+ optional exception)].
@@ -18,12 +14,17 @@ allow = [
     "MIT",
     "MPL-2.0",
     "Unicode-DFS-2016",
+    "Unicode-3.0",
+    "Zlib",
 ]
 confidence-threshold = 1.0
 exceptions = [
     { allow = ["OpenSSL"], name = "ring", version = "*" },
     { allow = ["OpenSSL"], name = "aws-lc-sys", version = "*" },
     { allow = ["OpenSSL"], name = "aws-lc-fips-sys", version = "*" },
+    { allow = ["BlueOak-1.0.0"], name = "minicbor", version = "<=0.24.2" },
+    # Safe to bump as long as license does not change -------------^
+    # See D105255799.
 ]
 
 [[licenses.clarify]]

.changelog/.example

@@ -0,0 +1,10 @@
+# Example changelog entry, Markdown with YAML front matter
+# ---
+# applies_to: ["client", "server", "aws-sdk-rust"] # "aws-sdk-rust" here duplicates this entry into release notes in `aws-sdk-rust`
+# authors: ["rcoh"]
+# references: ["smithy-rs#920"]
+# breaking: false
+# new_feature: false
+# bug_fix: false
+# ---
+# Fix typos in module documentation for generated crates

.changelog/1729878769.md

@@ -0,0 +1,9 @@
+---
+applies_to: ["server"]
+authors: ["rcoh"]
+references: ["smithy-rs#3890"]
+breaking: false
+new_feature: false
+bug_fix: true
+---
+Fix bug in `serde` decorator that generated non-compiling code on some models

.github/PULL_REQUEST_TEMPLATE.md

@@ -12,8 +12,8 @@
 
 ## Checklist
 <!--- If a checkbox below is not applicable, then please DELETE it rather than leaving it unchecked -->
-- [ ] I have updated `CHANGELOG.next.toml` if I made changes to the smithy-rs codegen or runtime crates
-- [ ] I have updated `CHANGELOG.next.toml` if I made changes to the AWS SDK, generated SDK code, or SDK runtime crates
+- [ ] For changes to the smithy-rs codegen or runtime crates, I have created a changelog entry Markdown file in the `.changelog` directory, specifying "client," "server," or both in the `applies_to` key.
+- [ ] For changes to the AWS SDK, generated SDK code, or SDK runtime crates, I have created a changelog entry Markdown file in the `.changelog` directory, specifying "aws-sdk-rust" in the `applies_to` key.
 
 ----
 

.github/workflows/backport-pull-request.yml

@@ -0,0 +1,55 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+name: Open a backport PR to merge the release branch into main
+
+on:
+  # automatically called by release.yml
+  workflow_dispatch:
+  # can also be manually triggered when a patch fix is merged into the release branch and needs to be back-ported
+  workflow_call:
+    secrets:
+      RELEASE_AUTOMATION_BOT_PAT:
+        required: true
+
+env:
+  release_branch: smithy-rs-release-1.x.y
+
+jobs:
+  create-backport-pull-request:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+      with:
+        token: ${{ secrets.RELEASE_AUTOMATION_BOT_PAT }}
+
+    - name: Prepare backport branch
+      id: backport-branch
+      run: |
+        # This step assumes the merge runs cleanly without conflicts, which should be the case when
+        # this workflow is called by the release workflow right after a release tag has been created.
+        git config --local user.name "AWS SDK Rust Bot"
+        git config --local user.email "aws-sdk-rust-primary@amazon.com"
+
+        git fetch --unshallow
+        git checkout origin/main
+        backport_branch="merge-${{ env.release_branch }}-to-main-$(date +%s)"
+        git checkout -b "${backport_branch}"
+
+        git merge "origin/${{ env.release_branch }}" -m 'Merge remote-tracking branch "origin/${{ env.release_branch }}" into "merge-${{ env.release_branch }}-to-main"'
+        git push origin HEAD
+
+        echo "branch_name=${backport_branch}" > $GITHUB_OUTPUT
+
+    - name: Create pull request
+      env:
+        GITHUB_TOKEN: ${{ secrets.RELEASE_AUTOMATION_BOT_PAT }}
+      run: |
+        gh pr create \
+          --title "Merge ${{ env.release_branch }} into main" \
+          --body "Merge it with \`gh pr merge --admin --merge\` or manually merge it with the merge commit (not squash merge)." \
+          --base main \
+          --head ${{ steps.backport-branch.outputs.branch_name }} \
+          --label "needs-sdk-review" \
+          --draft

.github/workflows/ci-main.yml

@@ -23,6 +23,7 @@ jobs:
   acquire-base-image:
     runs-on: smithy_ubuntu-latest_8-core
     name: Acquire Base Image
+    timeout-minutes: 60
     outputs:
       docker-login-password: ${{ steps.set-token.outputs.docker-login-password }}
     permissions:
@@ -68,3 +69,5 @@ jobs:
     secrets:
       ENCRYPTED_DOCKER_PASSWORD: ${{ needs.acquire-base-image.outputs.docker-login-password }}
       DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}
+      CANARY_GITHUB_ACTIONS_ROLE_ARN: ${{ secrets.CANARY_GITHUB_ACTIONS_ROLE_ARN }}
+      CANARY_STACK_CDK_OUTPUTS_BUCKET_NAME: ${{ secrets.CANARY_STACK_CDK_OUTPUTS_BUCKET_NAME }}

.github/workflows/ci-merge-queue.yml

@@ -22,6 +22,7 @@ jobs:
   # The login password is encrypted with the repo secret DOCKER_LOGIN_TOKEN_PASSPHRASE
   save-docker-login-token:
     name: Save a docker login token
+    timeout-minutes: 10
     outputs:
       docker-login-password: ${{ steps.set-token.outputs.docker-login-password }}
     permissions:
@@ -51,6 +52,7 @@ jobs:
     name: Acquire Base Image
     needs: save-docker-login-token
     runs-on: ubuntu-latest
+    timeout-minutes: 60
     env:
       ENCRYPTED_DOCKER_PASSWORD: ${{ needs.save-docker-login-token.outputs.docker-login-password }}
       DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}
@@ -91,3 +93,5 @@ jobs:
     secrets:
       ENCRYPTED_DOCKER_PASSWORD: ${{ needs.save-docker-login-token.outputs.docker-login-password }}
       DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}
+      CANARY_GITHUB_ACTIONS_ROLE_ARN: ${{ secrets.CANARY_GITHUB_ACTIONS_ROLE_ARN }}
+      CANARY_STACK_CDK_OUTPUTS_BUCKET_NAME: ${{ secrets.CANARY_STACK_CDK_OUTPUTS_BUCKET_NAME }}

.github/workflows/ci-pr-forks.yml

@@ -20,6 +20,7 @@ jobs:
     name: Acquire Base Image
     if: ${{ github.event.pull_request.head.repo.full_name != 'smithy-lang/smithy-rs' }}
     runs-on: ubuntu-latest
+    timeout-minutes: 60
     steps:
     - uses: actions/checkout@v4
       with:
@@ -42,4 +43,5 @@ jobs:
     if: ${{ github.event.pull_request.head.repo.full_name != 'smithy-lang/smithy-rs' }}
     uses: ./.github/workflows/ci.yml
     with:
+      run_canary: false
       run_sdk_examples: true

.github/workflows/ci-pr.yml

@@ -21,6 +21,7 @@ jobs:
   # The login password is encrypted with the repo secret DOCKER_LOGIN_TOKEN_PASSPHRASE
   save-docker-login-token:
     name: Save a docker login token
+    timeout-minutes: 10
     if: ${{ github.event.pull_request.head.repo.full_name == 'smithy-lang/smithy-rs' }}
     outputs:
       docker-login-password: ${{ steps.set-token.outputs.docker-login-password }}
@@ -50,6 +51,7 @@ jobs:
   # it uploads the image as a build artifact for other jobs to download and use.
   acquire-base-image:
     name: Acquire Base Image
+    timeout-minutes: 60
     needs: save-docker-login-token
     if: ${{ github.event.pull_request.head.repo.full_name == 'smithy-lang/smithy-rs' }}
     runs-on: smithy_ubuntu-latest_8-core
@@ -93,6 +95,8 @@ jobs:
     secrets:
       ENCRYPTED_DOCKER_PASSWORD: ${{ needs.save-docker-login-token.outputs.docker-login-password }}
       DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}
+      CANARY_GITHUB_ACTIONS_ROLE_ARN: ${{ secrets.CANARY_GITHUB_ACTIONS_ROLE_ARN }}
+      CANARY_STACK_CDK_OUTPUTS_BUCKET_NAME: ${{ secrets.CANARY_STACK_CDK_OUTPUTS_BUCKET_NAME }}
 
   # The PR bot requires a Docker build image, so make it depend on the `acquire-base-image` job.
   pr_bot:
@@ -109,8 +113,9 @@ jobs:
       SMITHY_RS_PULL_REQUEST_CDN_ROLE_ARN: ${{ secrets.SMITHY_RS_PULL_REQUEST_CDN_ROLE_ARN }}
 
   semver-checks:
-    name: check the semver status of this PR
+    name: Check PR semver compliance
     runs-on: smithy_ubuntu-latest_8-core
+    timeout-minutes: 20
     needs:
     - save-docker-login-token
     - acquire-base-image
@@ -148,6 +153,6 @@ jobs:
       with:
         action: check-semver
         action-arguments: ${{ github.event.pull_request.base.sha }} ${{ fromJSON(steps.check-breaking-label.outputs.result).isBreaking }}
-    - name: print help message
+    - name: Print help message
       if: failure()
-      run: echo "::error::This pull request contains breaking changes. Please add the `breaking-changes` label and a changelog entry"
+      run: echo "::error::This pull request either contains breaking changes, or has cross-crate changes that may be backwards compatible, but that cargo-semver-checks cannot verify. Please scrutinize the change for backwards compatibility."

.github/workflows/ci-tls.yml

@@ -11,6 +11,7 @@ env:
 
 name: Verify client TLS configuration
 on:
+  workflow_dispatch:
   pull_request:
   push:
     branches: [main]
@@ -19,13 +20,19 @@ jobs:
   verify-tls-config:
     name: Verify TLS configuration
     runs-on: ubuntu-latest
+    timeout-minutes: 20
     steps:
     - name: Install packages
       shell: bash
       run: |
         sudo apt-get update
-        sudo apt-get -y install gcc make python3-pip nginx git ruby openjdk-17-jre pkg-config libssl-dev faketime
+        sudo apt-get -y install gcc make python3-pip nginx git ruby pkg-config libssl-dev faketime
         pip3 install certbuilder crlbuilder
+    - name: Configure JDK
+      uses: actions/setup-java@v4
+      with:
+        distribution: corretto
+        java-version: 17
     - name: Stop nginx
       run: sudo systemctl stop nginx
     - name: Checkout smithy-rs