fix: validate encryption materials from cmm are compatible with kc policy (#796)

Author: josecorella

.github/workflows/ci_decrypt-oracle.yaml

@@ -1,11 +1,10 @@
 name: Continuous Integration tests for the decrypt oracle
 
 on:
-  pull_request:
-  push:
-  # Run once a day
-  schedule:
-    - cron: '0 0 * * *'
+  workflow_call:
+
+permissions:
+  contents: read
 
 jobs:
   tests:

.github/workflows/ci_static-analysis.yaml

@@ -1,11 +1,10 @@
 name: Static analysis checks
 
 on:
-  pull_request:
-  push:
-  # Run once a day
-  schedule:
-    - cron: '0 0 * * *'
+  workflow_call:
+
+permissions:
+  contents: read
 
 jobs:
   analysis:

.github/workflows/ci_test-vector-handler.yaml

@@ -1,11 +1,13 @@
 name: Continuous Integration tests for the test vector handler
 
 on:
-  pull_request:
-  push:
-  # Run once a day
-  schedule:
-    - cron: '0 0 * * *'
+  workflow_call:
+    # Define any secrets that need to be passed from the caller
+    secrets:
+      INTEG_AWS_ACCESS_KEY_ID:
+        required: true
+      INTEG_AWS_SECRET_ACCESS_KEY:
+        required: true
 
 jobs:
   tests:
@@ -19,10 +21,10 @@ jobs:
         os:
           - ubuntu-latest
           - windows-latest
-          - macos-12
+          - macos-latest
         python:
           - 3.8
-          - 3.x
+          - "3.12"
         architecture:
           - x64
           - x86
@@ -34,8 +36,10 @@ jobs:
           # x86 builds are only meaningful for Windows
           - os: ubuntu-latest
             architecture: x86
-          - os: macos-12
+          - os: macos-latest
             architecture: x86
+          - os: macos-latest
+            python: 3.8
     steps:
       - uses: aws-actions/configure-aws-credentials@v4
         with:

.github/workflows/ci_tests.yaml

@@ -1,11 +1,7 @@
 name: Continuous Integration tests
 
 on:
-  pull_request:
-  push:
-  # Run once a day
-  schedule:
-    - cron: '0 0 * * *'
+  workflow_call:
 
 env:
   AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: |
@@ -26,14 +22,13 @@ jobs:
         os:
           - ubuntu-latest
           - windows-latest
-          - macos-12
+          - macos-latest
         python:
           - 3.8
           - 3.9
           - "3.10"
           - "3.11"
           - "3.12"
-          - 3.x
         architecture:
           - x64
           - x86
@@ -48,8 +43,15 @@ jobs:
           # x86 builds are only meaningful for Windows
           - os: ubuntu-latest
             architecture: x86
-          - os: macos-12
+          - os: macos-latest
             architecture: x86
+          # Skip older Python versions on macOS
+          - os: macos-latest
+            python: 3.8
+          - os: macos-latest
+            python: 3.9
+          - os: macos-latest
+            python: "3.10"
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v4

.github/workflows/daily_ci.yml

@@ -0,0 +1,50 @@
+# This workflow runs every weekday at 15:00 UTC (8AM PDT)
+name: Daily CI
+
+on:
+  schedule:
+    - cron: "00 15 * * 1-5"
+  pull_request:
+    paths:
+      .github/workflows/daily_ci.yml
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  decrypt_oracle:
+    # Don't run the cron builds on forks
+    if: github.event_name != 'schedule' || github.repository_owner == 'aws'
+    uses: ./.github/workflows/ci_decrypt-oracle.yaml
+  static_analysis:
+    # Don't run the cron builds on forks
+    if: github.event_name != 'schedule' || github.repository_owner == 'aws'
+    uses: ./.github/workflows/ci_static-analysis.yaml
+  test_vector_handler:
+    # Don't run the cron builds on forks
+    if: github.event_name != 'schedule' || github.repository_owner == 'aws'
+    uses: ./.github/workflows/ci_test-vector-handler.yaml
+    secrets:
+      INTEG_AWS_ACCESS_KEY_ID: ${{ secrets.INTEG_AWS_ACCESS_KEY_ID }}
+      INTEG_AWS_SECRET_ACCESS_KEY: ${{ secrets.INTEG_AWS_SECRET_ACCESS_KEY }}
+  tests:
+    # Don't run the cron builds on forks
+    if: github.event_name != 'schedule' || github.repository_owner == 'aws'
+    uses: ./.github/workflows/ci_tests.yaml
+  
+  notify:
+    needs:
+      [
+        decrypt_oracle,
+        static_analysis,
+        test_vector_handler,
+        tests
+      ]
+    if: ${{ failure() }}
+    uses: aws/aws-cryptographic-material-providers-library/.github/workflows/slack-notification.yml@main
+    with:
+      message: "Daily CI failed on `${{ github.repository }}`. View run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+    secrets:
+      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_CI }}
+

.github/workflows/pull.yml

@@ -0,0 +1,41 @@
+name: Pull Request Workflow
+
+on:
+  pull_request:
+
+# Concurrency control helps avoid CodeBuild throttling.
+# When new commits are pushed, the previous workflow run is cancelled.
+concurrency: 
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+  
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  # Call each workflow with appropriate parameters
+  decrypt_oracle:
+    uses: ./.github/workflows/ci_decrypt-oracle.yaml
+  static_analysis:
+    uses: ./.github/workflows/ci_static-analysis.yaml
+  test_vector_handler:
+    uses: ./.github/workflows/ci_test-vector-handler.yaml
+    secrets:
+      INTEG_AWS_ACCESS_KEY_ID: ${{ secrets.INTEG_AWS_ACCESS_KEY_ID }}
+      INTEG_AWS_SECRET_ACCESS_KEY: ${{ secrets.INTEG_AWS_SECRET_ACCESS_KEY }}
+  tests:
+    uses: ./.github/workflows/ci_tests.yaml
+  pr-ci-all-required:
+    if: always()
+    needs:
+      - decrypt_oracle
+      - static_analysis
+      - test_vector_handler
+      - tests
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Verify all required jobs passed
+        uses: re-actors/alls-green@release/v1
+        with:
+          jobs: ${{ toJSON(needs) }}

.github/workflows/push.yml

@@ -0,0 +1,25 @@
+name: Push Workflow
+
+on:
+  push:
+    branches: master
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  decrypt_oracle:
+    uses: ./.github/workflows/ci_decrypt-oracle.yaml
+  
+  static_analysis:
+    uses: ./.github/workflows/ci_static-analysis.yaml
+  
+  test_vector_handler:
+    uses: ./.github/workflows/ci_test-vector-handler.yaml
+    secrets:
+      INTEG_AWS_ACCESS_KEY_ID: ${{ secrets.INTEG_AWS_ACCESS_KEY_ID }}
+      INTEG_AWS_SECRET_ACCESS_KEY: ${{ secrets.INTEG_AWS_SECRET_ACCESS_KEY }}
+  
+  tests:
+    uses: ./.github/workflows/ci_tests.yaml

decrypt_oracle/src/pylintrc

@@ -1,6 +1,7 @@
 [MESSAGES CONTROL]
 # Disabling messages that we either don't care about for tests or are necessary to break for tests.
 disable =
+    too-many-positional-arguments, # on 2026-04-17 aws_encryption_sdk_decrypt_oracle started failing because of this
     ungrouped-imports,  # we let isort handle this
     consider-using-f-string # disable until 2022-05-05; 6 months after 3.5 deprecation
 

dev_requirements/linter-requirements.txt

@@ -6,8 +6,9 @@ flake8-bugbear==22.9.11
 flake8-docstrings==1.7.0
 flake8-print==5.0.0
 isort==5.11.4
+pbr>=5.5.0
 pyflakes==2.4.0
 pylint==2.13.5
 readme_renderer==37.3
 seed-isort-config==2.2.0
-vulture==2.9.1
+vulture==2.9.1

dev_requirements/test-requirements.txt

@@ -1,4 +1,4 @@
 mock==4.0.3
 pytest==7.2.1
 pytest-cov==4.0.0
-pytest-mock==3.6.1
+pytest-mock==3.6.1