Merge main into mldsa-native-import - Keep deletion of ml_dsa_ref/sign.c as it's replaced by native implementation

Author: jakemas

.github/actions/check-authorization/action.yml

@@ -0,0 +1,43 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+
+name: 'check-authorization'
+description: 'A helper action to determine the authorization level of a pull request for running CI'
+outputs:
+  approval-env:
+    description: 'The target environment to use for the workflow'
+    value: ${{ steps.collab-check.outputs.result }}
+runs:
+  using: 'composite'
+  steps:
+    - name: Collaborator Check
+      uses: actions/github-script@v8
+      id: collab-check
+      with:
+        result-encoding: string
+        script: |
+          // Skip authorization check if event is not pull_request_target
+          if (context.eventName !== 'pull_request_target') {
+            console.log(`Event type is ${context.eventName}, skipping authorization check`);
+            return null;
+          }
+          
+          try {
+            const permissionResponse = await github.rest.repos.getCollaboratorPermissionLevel({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              username: context.payload.pull_request.user.login,
+            });
+            const permission = permissionResponse.data.permission;
+            const hasWriteAccess = ['write', 'admin'].includes(permission);
+            if (!hasWriteAccess) {
+              console.log(`User ${context.payload.pull_request.user.login} does not have write access to the repository (permission: ${permission})`);
+              return "manual-approval"
+            } else {
+              console.log(`Verifed ${context.payload.pull_request.user.login} has write access. Auto Approving PR Checks.`)
+              return "auto-approve"
+            }
+          } catch (error) {
+            console.log(`${context.payload.pull_request.user.login} does not have write access. Requiring Manual Approval to run PR Checks.`)
+            return "manual-approval"
+          }

.github/actions/codebuild-docker-run/action.yml

@@ -24,11 +24,11 @@ inputs:
   ipv6:
     description: 'Enables IPv6 networking in the container. Implies --privileged'
     required: false
-    default: false
+    default: 'false'
   withCredentials:
     description: 'Whether to passthru the CodeBuild credentials'
     required: false
-    default: false
+    default: 'false'
   user:
     description: 'Run the docker container as a non-root user'
     required: false

.github/actions/codebuild-docker-run/codebuild-docker-run.sh

@@ -50,7 +50,7 @@ fi
 
 PASSTHRU_ENV_VARS=("GOPROXY" "AWS_DEFAULT_REGION" "AWS_REGION")
 
-if [[ "${INPUT_WITH_CREDENTIALS}" == true ]] &&
+if [[ "${INPUT_WITH_CREDENTIALS}" == "true" ]] &&
     [[ ! "${ENV_FLAGS}" =~ ECS_CONTAINER_METADATA_URI_V4 ]] && 
     [[ ! "${ENV_FLAGS}" =~ AWS_CONTAINER_CREDENTIALS_RELATIVE_URI ]]; then
     PASSTHRU_ENV_VARS+=(ECS_CONTAINER_METADATA_URI_V4 AWS_CONTAINER_CREDENTIALS_RELATIVE_URI)

.github/actions/configure-aws-credentials/action.yml

@@ -0,0 +1,29 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+
+name: 'configure-aws-credentials'
+description: 'A helper for configure AWS credentials for AWS-LC GitHub actions'
+inputs:
+  roleName:
+    description: "The target IAM role to assume using the OIDC role credentials"
+    required: true
+    default: 'AwsLcGitHubActionStandardRole'
+runs:
+  using: 'composite'
+  steps:
+    - name: Query Environment
+      id: env
+      shell: bash
+      run: |
+        echo aws_account_id=${AWS_ACCOUNT_ID} >> "$GITHUB_OUTPUT"
+    - name: Retrieve OIDC Role Credentials
+      uses: aws-actions/configure-aws-credentials@v5
+      with:
+        role-to-assume: arn:aws:iam::${{ steps.env.outputs.aws_account_id }}:role/AwsLcGitHubActionsOidcRole
+        role-session-name: ${{ github.run_id }}-${{ github.run_attempt }}
+    - name: Retrieve GitHub Actions Role Credentials
+      uses: aws-actions/configure-aws-credentials@v5
+      with:
+        role-to-assume: arn:aws:iam::${{ steps.env.outputs.aws_account_id }}:role/${{ inputs.roleName }}
+        role-session-name: ${{ github.run_id }}-${{ github.run_attempt }}
+        role-chaining: true

.github/docker_images/aws-lc/android/Dockerfile

@@ -0,0 +1,94 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+
+FROM public.ecr.aws/ubuntu/ubuntu:24.04 AS base
+
+SHELL ["/bin/bash", "-c"]
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+
+ENV ANDROID_SDK_URL=commandlinetools-linux-13114758_latest
+ENV ANDROID_HOME=/opt/sdk
+ENV ANDROID_SDK_ROOT=/opt/sdk
+ENV GRADLE_VERSION=gradle-7.6.4
+ENV GOROOT=/usr/local/go
+ENV PATH="$GOROOT/bin:/opt/sdk/cmdline-tools/latest/bin:$PATH"
+# ------------------------------------------------------
+# --- Android SDK
+
+RUN <<EOF
+set -ex
+apt-get update -y
+apt-get -y --no-install-recommends upgrade
+apt-get -y --no-install-recommends install \
+    git \
+    libunwind-dev \
+    openjdk-17-jdk \
+    perl \
+    python3.12 \
+    python3.12-venv \
+    python3-pip \
+    unzip \
+    wget
+EOF
+
+# Setup Android SDK
+RUN <<EOF
+# Set Java 17 as default
+export JAVA17_ALT=$(update-alternatives --list java | grep java-17 | head -1)
+update-alternatives --set java $JAVA17_ALT
+
+# Set Java 17 for SDK manager compatibility
+export JAVA_HOME=$(find /usr/lib/jvm -name "*java-17*" -type d | head -1)
+export PATH=$JAVA_HOME/bin:$PATH
+
+# install android-sdk from url source
+mkdir /opt/sdk
+mkdir /opt/sdk/cmdline-tools
+mkdir /opt/cmdline-tools-tmp
+cd /opt/cmdline-tools-tmp
+wget -q https://dl.google.com/android/repository/${ANDROID_SDK_URL}.zip
+unzip ${ANDROID_SDK_URL}.zip
+
+# move to its final location and export path
+mv ./cmdline-tools ${ANDROID_HOME}/cmdline-tools/latest
+cd $ANDROID_HOME/cmdline-tools/latest/bin
+./sdkmanager --update
+yes | ./sdkmanager --licenses
+
+# Preinstall AWSLCAndroidTestRunner android dependencies, so they don't need to be
+# rebuilt for each new gradle build run.
+./sdkmanager "ndk;28.2.13676358" \
+    "build-tools;33.0.3" \
+    "cmake;3.18.1" \
+    "platforms;android-30"
+
+cd /opt
+wget -q https://services.gradle.org/distributions/${GRADLE_VERSION}-all.zip
+rm -rf /opt/cmdline-tools-tmp
+rm -rf /tmp/*
+EOF
+
+# Preinstall gradle dependencies, so they don't need to be redownloaded in the CI.
+COPY . /tmp/triggerGradleDownloads/
+
+RUN <<EOF
+cd /tmp/triggerGradleDownloads
+echo "JAVA_HOME=$JAVA_HOME"
+java -version
+echo "PATH=$PATH"
+./gradlew --no-daemon --refresh-dependencies androidDependencies lint
+EOF
+
+# Install Go
+ENV GOENV_ROOT="/.goenv"
+ENV PATH="${GOENV_ROOT}/shims:${GOENV_ROOT}/bin:/go/bin:$PATH"
+
+COPY --from=scripts setup-go-compiler.sh /tmp
+RUN <<EOF
+setup_script="/tmp/setup-go-compiler.sh"
+${setup_script}
+EOF
+
+RUN rm -rf /tmp/*