ci: add samcli tests directly against finch-daemon (runfinch#329)

This is an implementation of automated tests for SAMcli directly against finch-daemon in an Ubuntu environment. It runs on every PR and takes about 20 minutes to complete. Thorough testing has been done to ensure the consistency of these tests.

---------

Signed-off-by: ayush-panta <ayushkp@amazon.com>

Author: ayush-panta

.github/workflows/samcli-direct.yaml

@@ -0,0 +1,145 @@
+name: samcli-direct
+
+on:
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+
+env:
+  GO_VERSION: '1.24.x'
+  CONTAINERD_VERSION: '2.0.x'
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  samcli-direct-test:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30 # start-api is the longest at ~ 20 minutes
+    strategy:
+      fail-fast: false
+      matrix:
+        test_step:
+          - name: unit
+          - name: package
+          - name: start-lambda
+          - name: invoke
+          - name: start-api
+    env:
+      AWS_DEFAULT_REGION: "${{ secrets.REGION }}"
+      DOCKER_HOST: unix:///run/finch.sock
+      DOCKER_CONFIG: $HOME/.finch
+      BY_CANARY: true # allows full testing
+      SAM_CLI_DEV: 1
+      SAM_CLI_TELEMETRY: 0
+    steps:
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
+        with:
+          role-to-assume: ${{secrets.SAMCLI_DIRECT_ROLE_BASE}}
+          role-session-name: samcli-${{ matrix.test_step.name }}-tests
+          aws-region: ${{ secrets.REGION }}
+          role-duration-seconds: 2000
+
+      - name: Set up Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+       # from aws/aws-sam-cli/setup.py: python_requires=">=3.9, <=4.0, !=4.0
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.11'
+
+      - name: Checkout finch-daemon repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Stop pre-existing services
+        run: |
+          sudo systemctl stop docker
+          sudo systemctl stop containerd
+
+      - name: Remove default podman network config
+        run: |
+          sudo rm -f /etc/cni/net.d/87-podman-bridge.conflist
+
+      - name: Clean up Daemon socket
+        run: |
+          sudo rm -f /run/finch.sock
+          sudo rm -f /run/finch.pid
+          sudo rm -f /run/finch-credential.sock
+
+      - name: Install finch-daemon dependencies
+        run: |
+          ./setup-test-env.sh
+          sleep 10
+
+      - name: Build and start finch-daemon
+        run: |
+          make build
+          sudo bin/finch-daemon --debug --socket-owner $UID 2>&1 | tee finch-daemon.log &
+          sleep 10
+
+      - name: Checkout SAM CLI
+        uses: actions/checkout@v4
+        with:
+          repository: aws/aws-sam-cli
+          submodules: recursive
+          path: aws-sam-cli
+
+      - name: Set up SAM CLI from source
+        working-directory: aws-sam-cli
+        run: |
+          python -m pip install --upgrade pip
+          make init
+          samdev --version
+
+      - name: Run unit tests
+        if: matrix.test_step.name == 'unit'
+        run: ./scripts/samcli-direct/run-unit-tests.sh
+
+      - name: Run package tests
+        if: matrix.test_step.name == 'package'
+        run: ./scripts/samcli-direct/run-package-tests.sh
+
+      - name: Run invoke tests
+        if: matrix.test_step.name == 'invoke'
+        run: ./scripts/samcli-direct/run-invoke-tests.sh
+
+      - name: Run start-lambda tests
+        if: matrix.test_step.name == 'start-lambda'
+        run: ./scripts/samcli-direct/run-start-lambda-tests.sh
+
+      - name: Run start-api tests
+        if: matrix.test_step.name == 'start-api'
+        run: ./scripts/samcli-direct/run-start-api-tests.sh
+
+      - name: Show finch-daemon logs
+        if: always()
+        run: |
+          echo "=== FINCH-DAEMON OUTPUT ==="
+          cat finch-daemon.log
+
+  # ensuring resources are clean post-test
+  cleanup:
+    runs-on: ubuntu-latest
+    needs: samcli-direct-test
+    if: always()
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df
+        with:
+          role-to-assume: ${{ secrets.SAMCLI_DIRECT_ROLE_BASE }}
+          role-session-name: cleanup-samcli-direct
+          aws-region: ${{ secrets.REGION }}
+
+      - name: Comprehensive AWS resource cleanup
+        timeout-minutes: 10
+        run: ./scripts/cleanup-aws-resources.sh

scripts/cleanup-aws-resources.sh

@@ -0,0 +1,61 @@
+#!/bin/bash
+set +e  # Continue on failures
+
+echo "=== AWS Resource Cleanup ==="
+
+# Function to safely run AWS commands with retries
+safe_aws_command() {
+  local max_attempts=3
+  local attempt=1
+  local command="$@"
+  while [ $attempt -le $max_attempts ]; do
+    if eval "$command"; then
+      return 0
+    fi
+    echo "Retry $attempt/$max_attempts failed: $command"
+    sleep 5
+    attempt=$((attempt + 1))
+  done
+  echo "Command failed after $max_attempts attempts: $command"
+  return 1
+}
+
+# Clean up S3 buckets from SAM CLI test stacks
+echo "=== Cleaning S3 buckets ==="
+TEST_PATTERNS=("sam-app" "test-" "integration-test" "samcli" "aws-sam-cli-managed")
+
+for pattern in "${TEST_PATTERNS[@]}"; do
+  STACKS=$(aws cloudformation list-stacks --region $AWS_DEFAULT_REGION --stack-status-filter CREATE_COMPLETE UPDATE_COMPLETE ROLLBACK_COMPLETE UPDATE_ROLLBACK_COMPLETE --query "StackSummaries[?contains(StackName, '$pattern')].[StackName]" --output text 2>/dev/null || true)
+
+  for stack in $STACKS; do
+    echo "Processing stack: $stack"
+    
+    # Get S3 buckets from stack
+    BUCKET_NAMES=$(aws cloudformation describe-stacks --stack-name "$stack" --region $AWS_DEFAULT_REGION --query 'Stacks[0].Outputs[?contains(OutputKey, `Bucket`) || contains(OutputKey, `bucket`)].OutputValue' --output text 2>/dev/null || true)
+    RESOURCE_BUCKETS=$(aws cloudformation describe-stack-resources --stack-name "$stack" --region $AWS_DEFAULT_REGION --query 'StackResources[?ResourceType==`AWS::S3::Bucket`].PhysicalResourceId' --output text 2>/dev/null || true)
+
+    # Empty buckets (don't delete them)
+    for bucket in $BUCKET_NAMES $RESOURCE_BUCKETS; do
+      if [ -n "$bucket" ] && [ "$bucket" != "None" ]; then
+        echo "Emptying S3 bucket: $bucket"
+        if aws s3api head-bucket --bucket "$bucket" 2>/dev/null; then
+          safe_aws_command "aws s3 rm s3://$bucket --recursive --quiet" || true
+          echo "✅ Emptied bucket: $bucket"
+        fi
+      fi
+    done
+  done
+done
+
+# Clean up ECR repositories
+echo "=== Cleaning ECR repositories ==="
+ECR_PATTERNS=("sam-app" "test-" "integration-test")
+for pattern in "${ECR_PATTERNS[@]}"; do
+  REPOS=$(aws ecr describe-repositories --region $AWS_DEFAULT_REGION --query "repositories[?contains(repositoryName, '$pattern')].repositoryName" --output text 2>/dev/null || true)
+  for repo in $REPOS; do
+    echo "Deleting ECR repository: $repo"
+    safe_aws_command "aws ecr delete-repository --repository-name '$repo' --force --region $AWS_DEFAULT_REGION" || true
+  done
+done
+
+echo "✅ Cleanup completed"

scripts/samcli-direct/run-invoke-tests.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+set -e
+
+cd aws-sam-cli
+
+python -m pytest tests/integration/local/invoke -k 'not Terraform' -v --tb=short > invoke_output.txt 2>&1 || true
+
+echo ""
+echo "=== PASSES ==="
+grep "PASSED" invoke_output.txt || echo "No passes found"
+
+echo ""
+echo "=== FAILURES ==="
+grep "FAILED" invoke_output.txt || echo "No failures found"
+
+# test_invoke_with_error_during_image_build: Build error message differs from expected.
+# test_invoke_with_timeout_set_X_TimeoutFunction: Returns timeout message instead of empty string,
+#         but matches actual Lambda service behavior.
+# test_building_new_rapid_image_removes_old_rapid_images: Cannot remove images with same digest,
+#         Docker creates different IDs for each.
+cat > expected_invoke_failures.txt << 'EOF'
+test_invoke_with_error_during_image_build
+test_invoke_with_timeout_set_0_TimeoutFunction
+test_invoke_with_timeout_set_1_TimeoutFunctionWithParameter
+test_invoke_with_timeout_set_2_TimeoutFunctionWithStringParameter
+test_building_new_rapid_image_removes_old_rapid_images
+EOF
+
+# Extract actual failures
+grep "FAILED" invoke_output.txt | grep -o "test_[^[:space:]]*" > actual_invoke_failures.txt || true
+
+# Find unexpected failures
+UNEXPECTED=$(grep -v -f expected_invoke_failures.txt actual_invoke_failures.txt 2>/dev/null || true)
+
+if [ -n "$UNEXPECTED" ]; then
+  echo "❌ Unexpected failures found:"
+  echo "$UNEXPECTED"
+  echo ""
+  echo "=== FULL OUTPUT FOR DEBUGGING ==="
+  cat invoke_output.txt || echo "No output file found"
+  exit 1
+else
+  echo "✅ All failures were expected."
+fi
+
+echo ""
+echo "=== PYTEST SUMMARY ==="
+grep -E "=+ .*(failed|passed|skipped|deselected).* =+$" invoke_output.txt | tail -1 || echo "No pytest summary found"

scripts/samcli-direct/run-package-tests.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+set -e
+
+cd aws-sam-cli
+
+python -m pytest tests/integration/package/test_package_command_image.py -v --tb=short > package_output.txt 2>&1 || true
+
+echo ""
+echo "=== PASSES ==="
+grep "PASSED" package_output.txt || echo "No passes found"
+
+echo ""
+echo "=== FAILURES ==="
+grep "FAILED" package_output.txt || echo "No failures found"
+
+# test_package_with_deep_nested_template_image: Expects Docker-specific push stream pattern.
+# test_package_template_with_image_repositories_nested_stack_x: Push API stream differs from Docker.
+# test_package_with_loadable_image_archive_0_template_image_load_yaml: Docker imports by digest,
+#         Finch imports as "overlayfs:" tag causing image info lookup to fail.
+cat > expected_package_failures.txt << 'EOF'
+test_package_with_deep_nested_template_image
+test_package_template_with_image_repositories_nested_stack
+test_package_with_loadable_image_archive_0_template_image_load_yaml
+EOF
+
+# Extract actual failures
+grep "FAILED" package_output.txt | grep -o "test_[^[:space:]]*" > actual_package_failures.txt || true
+
+# Also check for nested stack failures (pattern match)
+grep "FAILED.*test_package_template_with_image_repositories_nested_stack" package_output.txt >> actual_package_failures.txt || true
+
+# Find unexpected failures (exclude nested stack pattern)
+UNEXPECTED=$(grep -v -f expected_package_failures.txt actual_package_failures.txt | grep -v "test_package_template_with_image_repositories_nested_stack" || true)
+
+if [ -n "$UNEXPECTED" ]; then
+  echo "❌ Unexpected failures found:"
+  echo "$UNEXPECTED"
+  echo ""
+  echo "=== FULL OUTPUT FOR DEBUGGING ==="
+  cat package_output.txt || echo "No output file found"
+  exit 1
+else
+  echo "✅ All failures were expected."
+fi
+
+echo ""
+echo "=== PYTEST SUMMARY ==="
+grep -E "=+ .*(failed|passed|skipped|deselected).* =+$" package_output.txt | tail -1 || echo "No pytest summary found"

scripts/samcli-direct/run-start-api-tests.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+set -e
+
+cd aws-sam-cli
+
+ulimit -n 65536
+python -m pytest tests/integration/local/start_api -k 'not Terraform' -v --tb=short > start_api_output.txt 2>&1 || true
+
+echo ""
+echo "=== PASSES ==="
+grep "PASSED" start_api_output.txt || echo "No passes found"
+
+echo ""
+echo "=== FAILURES ==="
+grep "FAILED" start_api_output.txt || echo "No failures found"
+
+# test_can_invoke_lambda_layer_successfully: Uses random port, fails occasionally.
+#         Only 1 test of 386 total, acceptable failure rate.
+cat > expected_start_api_failures.txt << 'EOF'
+test_can_invoke_lambda_layer_successfully
+EOF
+
+# Extract actual failures - find test names in FAILED lines
+grep "FAILED" start_api_output.txt | grep -o "test_[^[:space:]]*" > actual_start_api_failures.txt || true
+
+# Find unexpected failures
+UNEXPECTED=$(grep -v -f expected_start_api_failures.txt actual_start_api_failures.txt 2>/dev/null || true)
+
+if [ -n "$UNEXPECTED" ]; then
+  echo "❌ Unexpected start-api failures found:"
+  echo "$UNEXPECTED"
+  echo ""
+  echo "=== FULL OUTPUT FOR DEBUGGING ==="
+  cat start_api_output.txt || echo "No output file found"
+  exit 1
+else
+  echo "✅ All start-api failures (if any) were expected."
+fi
+
+echo ""
+echo "=== PYTEST SUMMARY ==="
+grep -E "=+ .*(failed|passed|skipped|deselected).* =+$" start_api_output.txt | tail -1 || echo "No pytest summary found"

scripts/samcli-direct/run-start-lambda-tests.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+set -e
+
+cd aws-sam-cli
+
+python -m pytest tests/integration/local/start_lambda -k 'not Terraform' -v --tb=short > start_lambda_output.txt 2>&1 || true
+
+echo ""
+echo "=== PASSES ==="
+grep "PASSED" start_lambda_output.txt || echo "No passes found"
+
+echo ""
+echo "=== FAILURES ==="
+grep "FAILED" start_lambda_output.txt || echo "No failures found"
+
+# Should pass completely per test guide
+if grep -q "FAILED" start_lambda_output.txt; then
+  echo "❌ Start-lambda tests failed (should pass completely)"
+  grep "FAILED" start_lambda_output.txt
+  echo ""
+  echo "=== FULL OUTPUT FOR DEBUGGING ==="
+  cat start_lambda_output.txt || echo "No output file found"
+  exit 1
+else
+  echo "✅ All start-lambda tests passed as expected"
+fi
+
+echo ""
+echo "=== PYTEST SUMMARY ==="
+grep -E "=+ .*(failed|passed|skipped|deselected).* =+$" start_lambda_output.txt | tail -1 || echo "No pytest summary found"