awslabs
diff --git a/‎.github/actions/generate-deployment-json/action.yml‎
Lines changed: 37 additions & 0 deletions b/‎.github/actions/generate-deployment-json/action.yml‎
Lines changed: 37 additions & 0 deletions
diff --git a/‎.github/actions/setup-aws-oidc/action.yml‎
Lines changed: 23 additions & 0 deletions b/‎.github/actions/setup-aws-oidc/action.yml‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎.github/actions/setup-cdk/action.yml‎
Lines changed: 22 additions & 0 deletions b/‎.github/actions/setup-cdk/action.yml‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎.github/actions/setup-python/action.yml‎
Lines changed: 23 additions & 0 deletions b/‎.github/actions/setup-python/action.yml‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎.github/workflows/build-test-destroy.yml‎
Lines changed: 20 additions & 16 deletions b/‎.github/workflows/build-test-destroy.yml‎
Lines changed: 20 additions & 16 deletions
diff --git a/‎.github/workflows/build.yml‎
Lines changed: 5 additions & 1 deletion b/‎.github/workflows/build.yml‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎.github/workflows/check-pending-workflow.yml‎
Lines changed: 3 additions & 5 deletions b/‎.github/workflows/check-pending-workflow.yml‎
Lines changed: 3 additions & 5 deletions
diff --git a/‎.github/workflows/deploy.yml‎
Lines changed: 20 additions & 36 deletions b/‎.github/workflows/deploy.yml‎
Lines changed: 20 additions & 36 deletions
diff --git a/‎.github/workflows/destroy.yml‎
Lines changed: 19 additions & 31 deletions b/‎.github/workflows/destroy.yml‎
Lines changed: 19 additions & 31 deletions
diff --git a/‎.github/workflows/docker.yml‎
Lines changed: 11 additions & 2 deletions b/‎.github/workflows/docker.yml‎
Lines changed: 11 additions & 2 deletions
@@ -0,0 +1,37 @@
+name: 'Generate Deployment JSON'
+description: 'Generate deployment.json from example template'
+inputs:
+  account_id:
+    description: 'AWS account ID'
+    required: true
+  build_from_source:
+    description: 'Whether to build from source'
+    required: false
+    default: 'true'
+runs:
+  using: composite
+  steps:
+    - name: Generate deployment.json
+      working-directory: cdk
+      shell: bash
+      env:
+        ACCOUNT_ID: ${{ inputs.account_id }}
+        BUILD_FROM_SOURCE: ${{ inputs.build_from_source }}
+      run: |
+        python3 << 'EOF'
+        import json
+        import os
+        with open('bin/deployment/deployment.json.example') as f:
+            config = json.load(f)
+        config['account']['id'] = os.environ['ACCOUNT_ID']
+        config['account']['prodLike'] = False
+        build_from_source = os.environ.get('BUILD_FROM_SOURCE', 'true').lower() == 'true'
+        if 'networkConfig' in config:
+            del config['networkConfig']
+        if 'dataplaneConfig' in config:
+            config['dataplaneConfig']['BUILD_FROM_SOURCE'] = build_from_source
+        if 'testModelsConfig' in config:
+            config['testModelsConfig']['BUILD_FROM_SOURCE'] = build_from_source
+        with open('bin/deployment/deployment.json', 'w') as f:
+            json.dump(config, f, indent=2)
+        EOF
@@ -0,0 +1,23 @@
+name: 'Setup AWS OIDC'
+description: 'Configure AWS credentials using OIDC'
+inputs:
+  aws_region:
+    description: 'AWS region'
+    required: true
+  account_id:
+    description: 'AWS account ID'
+    required: true
+  role_duration_seconds:
+    description: 'Role session duration in seconds'
+    required: false
+    default: '7200'
+runs:
+  using: composite
+  steps:
+    - name: Configure AWS Credentials
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        aws-region: ${{ inputs.aws_region }}
+        role-to-assume: arn:aws:iam::${{ inputs.account_id }}:role/GithubAction-AssumeRoleWithAction
+        role-session-name: GitHub_to_AWS_via_FederatedOIDC
+        role-duration-seconds: ${{ inputs.role_duration_seconds }}
@@ -0,0 +1,22 @@
+name: 'Setup CDK'
+description: 'Setup Node.js and install CDK dependencies'
+inputs:
+  node_version:
+    description: 'Node.js version'
+    required: false
+    default: '24'
+runs:
+  using: composite
+  steps:
+    - name: Setup Node.js
+      uses: actions/setup-node@v4
+      with:
+        node-version: ${{ inputs.node_version }}
+        cache: 'npm'
+        cache-dependency-path: cdk/package-lock.json
+    - name: Install CDK and dependencies
+      working-directory: cdk
+      shell: bash
+      run: |
+        npm install -g aws-cdk
+        npm ci
@@ -0,0 +1,23 @@
+name: 'Setup Python'
+description: 'Setup Python with caching'
+inputs:
+  python_version:
+    description: 'Python version'
+    required: false
+    default: '3.13'
+  cache_dependency_paths:
+    description: 'Glob pattern for dependency files for caching (e.g., **/requirements*.txt or pyproject.toml)'
+    required: false
+    default: '**/requirements*.txt'
+runs:
+  using: composite
+  steps:
+    - name: Setup Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: ${{ inputs.python_version }}
+        cache: 'pip'
+        cache-dependency-path: ${{ inputs.cache_dependency_paths }}
+    - name: Upgrade pip
+      shell: bash
+      run: python -m pip install --upgrade pip
@@ -16,36 +16,40 @@ permissions:
   contents: read
   actions: read
 
+concurrency:
+  group: validate-${{ github.ref }}
+  cancel-in-progress: false
+
 jobs:
-  'Deploy / CheckPendingWorkflow':
+  check:
     uses: ./.github/workflows/check-pending-workflow.yml
     secrets: inherit
 
-  'Deploy / DeployModelRunner':
-    needs: 'Deploy / CheckPendingWorkflow'
+  deploy:
+    needs: check
     uses: ./.github/workflows/deploy.yml
     with:
       aws_region: ${{ env.AWS_REGION }}
-      account_id: ${{ secrets.MODEL_RUNNER_ACCOUNT_ID }}
       build_from_source: true
-    secrets: inherit
+    secrets:
+      MODEL_RUNNER_ACCOUNT_ID: ${{ secrets.MODEL_RUNNER_ACCOUNT_ID }}
 
-  'Test / RunIntegrationTests':
-    needs: 'Deploy / DeployModelRunner'
+  test:
+    needs: deploy
     uses: ./.github/workflows/run-integration-tests.yml
     with:
       aws_region: ${{ env.AWS_REGION }}
-      account_id: ${{ secrets.MODEL_RUNNER_ACCOUNT_ID }}
-    secrets: inherit
+    secrets:
+      MODEL_RUNNER_ACCOUNT_ID: ${{ secrets.MODEL_RUNNER_ACCOUNT_ID }}
 
-  'Cleanup / DestroyModelRunner':
-    if: ${{ always() }}
+  destroy:
+    if: always()
     needs:
-      - 'Deploy / CheckPendingWorkflow'
-      - 'Deploy / DeployModelRunner'
-      - 'Test / RunIntegrationTests'
+      - check
+      - deploy
+      - test
     uses: ./.github/workflows/destroy.yml
     with:
       aws_region: ${{ env.AWS_REGION }}
-      account_id: ${{ secrets.MODEL_RUNNER_ACCOUNT_ID }}
-    secrets: inherit
+    secrets:
+      MODEL_RUNNER_ACCOUNT_ID: ${{ secrets.MODEL_RUNNER_ACCOUNT_ID }}
@@ -7,8 +7,12 @@ on:
 permissions:
   contents: read
 
+concurrency:
+  group: build-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
-  tox:
+  test:
     uses: ./.github/workflows/tox.yml
     secrets: inherit
   docker:
 
@@ -1,18 +1,16 @@
-name: Check Pending Workflow
+name: Check Pending Workflows
 
 permissions:
   contents: read
   actions: read
 
 on:
   workflow_call:
-    secrets:
-      GITHUB_TOKEN:
-        required: false
 
 jobs:
-  check:
+  check-pending-workflows:
     runs-on: ubuntu-latest
+    timeout-minutes: 125  # Slightly more than timeout (7200000ms = 120 minutes)
     steps:
       - name: Check for pending workflows
         uses: ahmadnassri/action-workflow-queue@v1
 
@@ -1,4 +1,4 @@
-name: Deploy
+name: Deploy Infrastructure
 
 permissions:
   id-token: write
@@ -10,60 +10,44 @@ on:
       aws_region:
         required: true
         type: string
-      account_id:
-        required: true
-        type: string
       build_from_source:
         required: false
         type: boolean
         default: true
+    secrets:
+      MODEL_RUNNER_ACCOUNT_ID:
+        required: true
 
 env:
   AWS_REGION: ${{ inputs.aws_region }}
   AWS_PAGER: ""
+  NODE_VERSION: '24'
+  PYTHON_VERSION: '3.13'
 
 jobs:
-  deploy:
+  deploy-infrastructure:
     runs-on: ubuntu-latest
+    timeout-minutes: 60
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
         with:
           lfs: 'true'
-      - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+      - name: Setup AWS OIDC
+        uses: ./.github/actions/setup-aws-oidc
         with:
-          aws-region: ${{ inputs.aws_region }}
-          role-to-assume: arn:aws:iam::${{ inputs.account_id }}:role/GithubAction-AssumeRoleWithAction
-          role-session-name: GitHub_to_AWS_via_FederatedOIDC
-          role-duration-seconds: 7200
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
+          aws_region: ${{ inputs.aws_region }}
+          account_id: ${{ secrets.MODEL_RUNNER_ACCOUNT_ID }}
+          role_duration_seconds: '7200'
+      - name: Setup CDK
+        uses: ./.github/actions/setup-cdk
         with:
-          node-version: '18'
-      - name: Install CDK and dependencies
-        working-directory: cdk
-        run: |
-          npm install -g aws-cdk
-          npm install
+          node_version: ${{ env.NODE_VERSION }}
       - name: Generate deployment.json
-        working-directory: cdk
-        run: |
-          python3 << 'EOF'
-          import json
-          with open('bin/deployment/deployment.json.example') as f:
-              config = json.load(f)
-          config['account']['id'] = '${{ inputs.account_id }}'
-          config['account']['prodLike'] = False
-          if 'networkConfig' in config:
-              del config['networkConfig']
-          if 'dataplaneConfig' in config:
-              config['dataplaneConfig']['BUILD_FROM_SOURCE'] = ${{ inputs.build_from_source }}
-          if 'testModelsConfig' in config:
-              config['testModelsConfig']['BUILD_FROM_SOURCE'] = ${{ inputs.build_from_source }}
-          with open('bin/deployment/deployment.json', 'w') as f:
-              json.dump(config, f, indent=2)
-          EOF
+        uses: ./.github/actions/generate-deployment-json
+        with:
+          account_id: ${{ secrets.MODEL_RUNNER_ACCOUNT_ID }}
+          build_from_source: ${{ inputs.build_from_source }}
       - name: Build and synthesize CDK
         working-directory: cdk
         run: |
 
@@ -1,4 +1,4 @@
-name: Destroy
+name: Destroy Infrastructure
 
 permissions:
   id-token: write
@@ -10,50 +10,38 @@ on:
       aws_region:
         required: true
         type: string
-      account_id:
+    secrets:
+      MODEL_RUNNER_ACCOUNT_ID:
         required: true
-        type: string
 
 env:
   AWS_REGION: ${{ inputs.aws_region }}
   AWS_PAGER: ""
+  NODE_VERSION: '24'
+  PYTHON_VERSION: '3.13'
 
 jobs:
-  destroy:
+  destroy-infrastructure:
     runs-on: ubuntu-latest
+    timeout-minutes: 45
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
-      - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+      - name: Setup AWS OIDC
+        uses: ./.github/actions/setup-aws-oidc
         with:
-          aws-region: ${{ inputs.aws_region }}
-          role-to-assume: arn:aws:iam::${{ inputs.account_id }}:role/GithubAction-AssumeRoleWithAction
-          role-session-name: GitHub_to_AWS_via_FederatedOIDC
-          role-duration-seconds: 14400
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
+          aws_region: ${{ inputs.aws_region }}
+          account_id: ${{ secrets.MODEL_RUNNER_ACCOUNT_ID }}
+          role_duration_seconds: '14400'
+      - name: Setup CDK
+        uses: ./.github/actions/setup-cdk
         with:
-          node-version: '18'
-      - name: Install CDK and dependencies
-        working-directory: cdk
-        run: |
-          npm install -g aws-cdk
-          npm install
+          node_version: ${{ env.NODE_VERSION }}
       - name: Generate deployment.json
-        working-directory: cdk
-        run: |
-          python3 << 'EOF'
-          import json
-          with open('bin/deployment/deployment.json.example') as f:
-              config = json.load(f)
-          config['account']['id'] = '${{ inputs.account_id }}'
-          config['account']['prodLike'] = False
-          if 'networkConfig' in config:
-              del config['networkConfig']
-          with open('bin/deployment/deployment.json', 'w') as f:
-              json.dump(config, f, indent=2)
-          EOF
+        uses: ./.github/actions/generate-deployment-json
+        with:
+          account_id: ${{ secrets.MODEL_RUNNER_ACCOUNT_ID }}
+          build_from_source: 'false'
       - name: Build CDK
         working-directory: cdk
         run: npm run build
 
@@ -1,4 +1,4 @@
-name: Docker Build & Publish
+name: Build Docker Image
 
 on:
   workflow_call:
@@ -13,9 +13,14 @@ env:
   REGISTRY: awsosml
   IMAGE_NAME: ${{ github.event.repository.name }}
 
+concurrency:
+  group: docker-build-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
-  docker:
+  build-docker-image:
     runs-on: ubuntu-latest
+    timeout-minutes: 45
     steps:
       - uses: actions/checkout@v4
         with:
@@ -36,10 +41,14 @@ jobs:
             type=semver,pattern={{raw}},enable=${{ github.event_name == 'release' }}
             type=raw,value=nightly-dev,enable=${{ github.ref == 'refs/heads/main' && github.event_name == 'push' || github.event_name == 'workflow_dispatch'}}
             type=raw,value={{date 'YYYYMMDD-hhmmss' tz='UTC'}},enable=${{ github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch' }}
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
       - uses: docker/build-push-action@v5
         with:
           context: .
           file: ./docker/Dockerfile.model-runner
           push: ${{ env.push }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max