PLT-1616 : aws-params-env-action GHA to use node 20 and updated packages

.github/workflows/aws-params-env-action-check-dist.yml

@@ -4,6 +4,7 @@
 # For our project, we generate this file through a build process from other source files.
 # We need to make sure the checked-in `index.js` actually matches what we expect it to be.
 name: Check dist/ for aws-params-env-action
+description: 'Builds the artifact for aws-params-env-action and checks it against what is checked in to source control.' 
 
 on:
   pull_request:
@@ -19,15 +20,15 @@ defaults:
 
 jobs:
   check-dist:
-    runs-on: ubuntu-latest
+    runs-on: codebuild-cdap-${{ github.ref_name =='main' && 'prod' || 'non-prod' }}-${{github.run_id}}-${{github.run_attempt}}
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
-      - name: Set Node.js 16.x
-        uses: actions/setup-node@v3.6.0
+      - name: Set Node.js 20.x
+        uses: actions/setup-node@v4
         with:
-          node-version: 16.x
+          node-version: 20.x
 
       - name: Install dependencies
         run: npm ci
@@ -51,4 +52,5 @@ jobs:
         if: ${{ failure() && steps.diff.conclusion == 'failure' }}
         with:
           name: dist
-          path: dist/
+          path: actions/aws-params-env-action/dist/
+

.github/workflows/aws-params-env-action-test.yml

@@ -1,20 +1,46 @@
-name: Test aws-params-env-action
+name: aws-params-env-action-test.yml
+description: 'Tests that github actions roles can pull SSM parameters using the aws-params-env-action.'
 
 on:
+  workflow_dispatch:
   pull_request:
     paths:
       - 'actions/aws-params-env-action/**'
-      - '!actions/aws-params-env-action/**.md'
-  workflow_dispatch:
+      - 'services/github-actions-role/data.tf'
 
-defaults:
-  run:
-    working-directory: actions/aws-params-env-action
+permissions:
+  contents: read
+  id-token: write
 
 jobs:
-  test-and-check-build:
-    runs-on: ubuntu-latest
+  test-get-params:
+    runs-on: codebuild-cdap-${{ contains(fromJSON('["prod", "sandbox"]'), matrix.env) && 'prod' || 'non-prod'}}-${{github.run_id}}-${{github.run_attempt}}
+    strategy:
+      fail-fast: false
+      matrix:
+        app: [ab2d, bcda, dpc]
+        env: [dev, test, sandbox, prod]
+        include:
+          - app: cdap
+            env: test
     steps:
-      - uses: actions/checkout@v3
-      - run: npm ci
-      - run: npm run all
+      - uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
+        with:
+          role-to-assume: arn:aws:iam::${{ contains(fromJSON('["dev", "test"]'), matrix.env) && secrets.NON_PROD_ACCOUNT || secrets.PROD_ACCOUNT }}:role/delegatedadmin/developer/${{ matrix.app }}-${{ matrix.env }}-github-actions
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - uses: cmsgov/cdap/actions/aws-params-env-action@main
+        env:
+          AWS_REGION: ${{ vars.AWS_REGION }}
+        with:
+          params: |
+            SONAR_HOST_URL=/sonarqube/url
+
+      - name: Verify env vars were set
+        run: |
+          if [ -z "$SONAR_HOST_URL" ]; then
+            echo "❌ SONAR_HOST_URL was not set"
+            exit 1
+          else
+            echo "✅ SONAR_HOST_URL is set"
+          fi

actions/aws-params-env-action/README.md

@@ -5,6 +5,7 @@ The `aws-params-env-action` sets workflow environment variables from values in A
 ## Prerequisites
 
 To use this action, you must have AWS credentials and region configured in the action environment. This can be done by using the [configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) step, for example, or by running the action on a self-hosted runner in AWS with an instance profile.
+This action requires @aws-sdk/client-ssm to be available in the runner environment. It is pre-installed on the project's CodeBuild runners. If using on standard GitHub-hosted runners, remove the --external flag from the package script to produce a fully self-contained bundle.
 
 ## Usage
 
@@ -38,3 +39,11 @@ All steps in the workflow following this will have VAR1, ENV_VAR2, and SECRET_X
     echo "::add-mask::$secret_x"
     echo "SECRET_X=$secret_x" >> "$GITHUB_ENV"
 ```
+
+## Building
+When making changes to this action, rebuild with 
+```
+rm -rf dist/ &&
+docker run --rm -v $(pwd):/app -w /app/actions/aws-params-env-action node:20-alpine sh -c "npm ci && npm run build && npm run package"
+```
+

actions/aws-params-env-action/__tests__/main.test.ts

@@ -1,5 +1,5 @@
 import {SSMClient, GetParametersCommand} from '@aws-sdk/client-ssm'
-import {expect, test, jest} from '@jest/globals'
+import {expect, test, jest, beforeEach} from '@jest/globals'
 import {getValues} from '../src/get-values'
 import {mockClient} from 'aws-sdk-client-mock'
 import {parseParams} from '../src/parse-params'
@@ -11,6 +11,11 @@ const mockedExportVariable = jest.mocked(exportVariable)
 const mockedSetFailed = jest.mocked(setFailed)
 const mockedSetSecret = jest.mocked(setSecret)
 
+beforeEach(() => {
+  client.reset()
+  jest.clearAllMocks()
+})
+
 test('parse input params', () => {
   const params = `
     VARIABLE1=/good/variable

actions/aws-params-env-action/action.yml

@@ -6,7 +6,7 @@ inputs:
     required: true
     description: 'Whitespace-separated parameters of the form ENV_VAR=/aws/parameter/name'
 runs:
-  using: 'node16'
+  using: 'node20'
   main: 'dist/index.js'
 branding:
   icon: dollar-sign