From 1676a300435a6a267f79e7d49781f32f426c3178 Mon Sep 17 00:00:00 2001
From: Erick Benitez-Ramos
Date: Mon, 29 Jul 2024 23:50:57 -0700
Subject: [PATCH] Manually run extra tests & emit metric if token expired
---
 .github/workflows/codebuild-ci.yml | 21 ++++++++++---
 .github/workflows/run-local-mode-tests.yml | 35 ++++++++++++++++++++++
 .github/workflows/run-slow-tests.yml | 35 ++++++++++++++++++++++
 3 files changed, 87 insertions(+), 4 deletions(-)
 create mode 100644 .github/workflows/run-local-mode-tests.yml
 create mode 100644 .github/workflows/run-slow-tests.yml
diff --git a/.github/workflows/codebuild-ci.yml b/.github/workflows/codebuild-ci.yml
index 8c6bd6b337..44f34f2fd9 100644
--- a/.github/workflows/codebuild-ci.yml
+++ b/.github/workflows/codebuild-ci.yml
@@ -17,9 +17,16 @@ jobs:
 outputs:
 approval-env: ${{ steps.collab-check.outputs.result }}
 steps:
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ secrets.MONITORING_AWS_ROLE_ARN }}
+ aws-region: us-west-2
 - name: Collaborator Check
 uses: actions/github-script@v7
 id: collab-check
+ env:
+ PR_USER_LOGIN: ${{ github.event.pull_request.user.login }}
 with:
 github-token: ${{ secrets.COLLAB_CHECK_TOKEN }}
 result-encoding: string
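Review bot: The `Configure AWS Credentials` step added at the top of `steps:` in codebuild-ci.yml assumes the monitoring role on every run of this job, including runs for authors who turn out not to be collaborators, although only the bad-credentials branch of the script uses it. A comment on the step such as `# role policy must allow cloudwatch:PutMetricData only` would record the intended scope; the role's actual policy is not visible here and should be confirmed. Pinning the action as `uses: aws-actions/configure-aws-credentials@<full-commit-sha> # v4` instead of the mutable `v4` tag would also help, and the same tag pinning recurs in run-local-mode-tests.yml and run-slow-tests.yml. The job's `permissions:` block lies outside the hunk, so confirm it grants `id-token: write`, which the two new workflows declare for the same action.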
@@ -28,13 +35,19 @@ jobs:
 const res = await github.rest.repos.checkCollaborator({
 owner: context.repo.owner,
 repo: context.repo.repo,
- username: "${{ github.event.pull_request.user.login }}",
+ username: "${{ env.PR_USER_LOGIN }}",
 });
- console.log("Verifed ${{ github.event.pull_request.user.login }} is a repo collaborator. Auto Approving PR Checks.")
+ console.log("Verifed user is a repo collaborator. Auto Approving PR Checks.")
 return res.status == "204" ? "auto-approve" : "manual-approval"
 } catch (error) {
- console.log("${{ github.event.pull_request.user.login }} is not a collaborator. Requiring Manual Approval to run PR Checks.")
- return "manual-approval"
+ if (error.message == "Bad credentials") {
+ console.log("Token Expired. Please update the COLLAB_CHECK_TOKEN secret. Requiring Manual Approval to run PR Checks becuase the collaborator status could not be verified.")
+ const { execSync } = require('child_process')
+ execSync('aws cloudwatch put-metric-data --namespace "GitHubActions" --metric-name "BadCredentials" --value 1')
+ } else {
+ console.log("User is not a collaborator. Requiring Manual Approval to run PR Checks.")
+ }
+ return "manual-approval"
 }
 wait-for-approval:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/run-local-mode-tests.yml b/.github/workflows/run-local-mode-tests.yml
new file mode 100644
index 0000000000..79073e3948
--- /dev/null
+++ b/.github/workflows/run-local-mode-tests.yml
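Review bot: In the codebuild-ci.yml script, `username: "${{ env.PR_USER_LOGIN }}"` is still expanded by the Actions expression engine into the script text before it runs, so moving the login into `env:` does not by itself remove the template-injection pattern; read it at runtime with `username: process.env.PR_USER_LOGIN,`. The catch branch matches `error.message == "Bad credentials"`, which stops firing if the message text ever carries extra wording; `if (error.status === 401) {` is steadier, assuming the thrown error is Octokit's request error. Every other failure (rate limit, 403, network) is still logged as "User is not a collaborator", which may mislead during triage. The script's `try {` opener lies outside the hunk.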
@@ -0,0 +1,35 @@
+name: Run Local Mode Tests
+
+on:
+ workflow_dispatch:
+ inputs:
+ prNumber:
+ description: 'Pull Request Number'
+ required: true
+ commitSha:
+ description: 'Commit SHA'
+ required: true
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.inputs.prNumber }}
+ cancel-in-progress: true
+
+permissions:
+ id-token: write # This is required for requesting the JWT
+
+jobs:
+ local-mode-tests:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }}
+ aws-region: us-west-2
+ role-duration-seconds: 10800
+ - name: Run Slow Tests
+ uses: aws-actions/aws-codebuild-run-build@v1
+ with:
+ project-name: ${{ github.event.repository.name }}-ci-localmode-tests
+ source-version-override: 'refs/pull/${{ github.event.inputs.prNumber}}/head^{${{ github.event.inputs.commitSha }}}'
+
diff --git a/.github/workflows/run-slow-tests.yml b/.github/workflows/run-slow-tests.yml
new file mode 100644
index 0000000000..bb31a04ed6
--- /dev/null
+++ b/.github/workflows/run-slow-tests.yml
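Review bot: In run-local-mode-tests.yml, `prNumber` and `commitSha` go from the dispatch form straight into `source-version-override` with no format check, so a typo or an unexpected value becomes part of the ref CodeBuild is asked to build. A validation step placed before `Configure AWS Credentials` that accepts only a numeric PR number and a full hex commit id (assuming a full SHA is what the `^{...}` form expects) fails fast, before any role is assumed. The same applies to run-slow-tests.yml, which is identical apart from the job and project names. The CodeBuild step here is also still named `Run Slow Tests`; `- name: Run Local Mode Tests` would match the workflow.

```yaml
    steps:
      - name: Validate dispatch inputs
        env:
          PR_NUMBER: ${{ github.event.inputs.prNumber }}
          COMMIT_SHA: ${{ github.event.inputs.commitSha }}
        run: |
          [[ "$PR_NUMBER" =~ ^[0-9]+$ ]] || { echo "prNumber must be numeric"; exit 1; }
          [[ "$COMMIT_SHA" =~ ^[0-9a-f]{40}$ ]] || { echo "commitSha must be a full commit SHA"; exit 1; }
      # … unchanged: Configure AWS Credentials, CodeBuild run step …
```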
@@ -0,0 +1,35 @@
+name: Run Slow Tests
+
+on:
+ workflow_dispatch:
+ inputs:
+ prNumber:
+ description: 'Pull Request Number'
+ required: true
+ commitSha:
+ description: 'Commit SHA'
+ required: true
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.inputs.prNumber }}
+ cancel-in-progress: true
+
+permissions:
+ id-token: write # This is required for requesting the JWT
+
+jobs:
+ slow-tests:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }}
+ aws-region: us-west-2
+ role-duration-seconds: 10800
+ - name: Run Slow Tests
+ uses: aws-actions/aws-codebuild-run-build@v1
+ with:
+ project-name: ${{ github.event.repository.name }}-ci-slow-tests
+ source-version-override: 'refs/pull/${{ github.event.inputs.prNumber}}/head^{${{ github.event.inputs.commitSha }}}'
+