From 3a89fe6674905677772d80ae9991b1c609059310 Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Thu, 25 Jun 2026 11:28:18 -0700 Subject: [PATCH 1/8] chore(ci): bump tox to > 4 --- dev_requirements/ci-requirements.txt | 2 +- tox.ini | 26 ++++++++++++++------------ 2 files changed, 15 insertions(+), 13 deletions(-) diff --git a/dev_requirements/ci-requirements.txt b/dev_requirements/ci-requirements.txt index 4335988fd..3efb43f3a 100644 --- a/dev_requirements/ci-requirements.txt +++ b/dev_requirements/ci-requirements.txt @@ -1,2 +1,2 @@ setuptools -tox==3.27.1 +tox==4.30.3 diff --git a/tox.ini b/tox.ini index 130737f86..a6666e3b1 100644 --- a/tox.ini +++ b/tox.ini @@ -63,19 +63,21 @@ commands = pytest --basetemp={envtmpdir} -l {posargs} [testenv] passenv = # Identifies AWS KMS key id to use in integration tests - AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID \ + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID # Identifies a second AWS KMS key id to use in integration tests - AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2 \ + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2 # Identifies AWS KMS MRK key id to use in integration tests - AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1 \ + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1 # Identifies a related AWS KMS MRK key id to use in integration tests - AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2 \ + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2 # Pass through AWS credentials - AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN \ + AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY + AWS_SESSION_TOKEN # AWS Role access in CodeBuild is via the contaner URI - AWS_CONTAINER_CREDENTIALS_RELATIVE_URI \ + AWS_CONTAINER_CREDENTIALS_RELATIVE_URI # Pass through AWS profile name (useful for local testing) - AWS_PROFILE \ + AWS_PROFILE # Pass through custom pip config file settings PIP_CONFIG_FILE sitepackages = False 
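Review bot: The `passenv` list reshaped in the `@@ -63` hunk of `tox.ini` belongs to the base `[testenv]`, so `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN` and `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` go to every environment that inherits from it, not only the integration tests that call KMS. Since each name now sits on its own line for tox 4, this is a cheap moment to move the credential names into the environments that actually talk to AWS. Those environments are outside the hunk, so which ones need credentials has to be confirmed in the full file. The same base-level passthrough appears in the `[testenv]` hunks of `decrypt_oracle/tox.ini`, `performance_tests/tox.ini` and `test_vector_handlers/tox.ini` in patch 2. After the upgrade, `tox config -e <env> -k pass_env` shows what each environment really receives.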
@@ -186,8 +188,8 @@ commands = pylint \ --rcfile=src/pylintrc \ --max-module-lines=1500 \ - src/aws_encryption_sdk/ \ - setup.py + src/aws_encryption_sdk/ \ + setup.py \ --ignore-paths=src/aws_encryption_sdk/internal/mpl/ [testenv:pylint-examples] @@ -352,8 +354,8 @@ passenv = # Intentionally omit TWINE_REPOSITORY_URL from the passenv list, # as this overrides other ways of setting the repository and could # unexpectedly result in releasing to the wrong repo - {[testenv]passenv} \ - TWINE_USERNAME \ + {[testenv]passenv} + TWINE_USERNAME TWINE_PASSWORD commands = {[testenv:build]commands} @@ -363,7 +365,7 @@ basepython = python3 skip_install = true deps = {[testenv:release-base]deps} passenv = - {[testenv:release-base]passenv} \ + {[testenv:release-base]passenv} TWINE_REPOSITORY_URL setenv = # Explicitly set the URL as the env variable value, which will cause us to From 43cf972e4e2988e170d67cbf0bcb9ef1063015a9 Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Thu, 25 Jun 2026 11:33:32 -0700 Subject: [PATCH 2/8] edit --- decrypt_oracle/tox.ini | 20 ++++++++++---------- performance_tests/tox.ini | 6 ++++-- test_vector_handlers/tox.ini | 6 ++++-- 3 files changed, 18 insertions(+), 14 deletions(-) diff --git a/decrypt_oracle/tox.ini b/decrypt_oracle/tox.ini index e13916b1d..0efc4e7fa 100644 --- a/decrypt_oracle/tox.ini +++ b/decrypt_oracle/tox.ini 
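Review bot: The pylint command in the `@@ -186` hunk of `tox.ini` now excludes `src/aws_encryption_sdk/internal/mpl/` from linting with no stated reason. The old text ended the command at `setup.py`, and the added trailing backslash makes the `--ignore-paths=...` line part of the invocation. That is a change in lint scope inside a commit titled as a tox bump. A comment above the command, for example `# internal/mpl is excluded from pylint because <reason>`, plus a line in the commit message would make the exclusion reviewable. The `commands =` block starts before the hunk, so how tox 3 treated the dangling line is inferred rather than shown.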
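Review bot: In the `@@ -352` hunk of `tox.ini` (apparently `[testenv:release-base]`, going by the reference in the next hunk), `{[testenv]passenv}` still pulls the whole base list into the environment that holds `TWINE_USERNAME` and `TWINE_PASSWORD`. The publishing step therefore receives the AWS credential variables, and a `PIP_CONFIG_FILE` from the caller's shell can choose the package index used to install the release tooling. If the release commands do not call AWS, the list could shrink to `TWINE_USERNAME` and `TWINE_PASSWORD`, with `PIP_CONFIG_FILE` added back only where the release host needs it. The section header and its `deps` are outside the hunk, so check this against the full file.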
@@ -89,18 +89,18 @@ commands = pytest --basetemp={envtmpdir} -l --cov aws_encryption_sdk_decrypt_ora [testenv] passenv = # Pass through AWS credentials - AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN \ + AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY + AWS_SESSION_TOKEN # Pass through AWS profile name (useful for local testing) - AWS_PROFILE \ - AWS_DEFAULT_REGION \ - # Pass through AWS credentials pointer in ECS/CodeBuild - AWS_CONTAINER_CREDENTIALS_RELATIVE_URI \ - # AWS Role access in CodeBuild is via the contaner URI - AWS_CONTAINER_CREDENTIALS_RELATIVE_URI \ + AWS_PROFILE + AWS_DEFAULT_REGION + # AWS Role access in CodeBuild is via the container URI + AWS_CONTAINER_CREDENTIALS_RELATIVE_URI # Used to manage test generators - AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_GENERATE_TEST_VECTORS \ - AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_REGION \ - AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_API_DEPLOYMENT_ID \ + AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_GENERATE_TEST_VECTORS + AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_REGION + AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_API_DEPLOYMENT_ID # Used by Chalice APP_S3_BUCKET sitepackages = False diff --git a/performance_tests/tox.ini b/performance_tests/tox.ini index 5c5cfd99c..e01ca4c7b 100644 --- a/performance_tests/tox.ini +++ b/performance_tests/tox.ini @@ -41,9 +41,11 @@ deps = [testenv] passenv = # Pass through AWS credentials - AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN \ + AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY + AWS_SESSION_TOKEN # AWS Role access in CodeBuild is via the contaner URI - AWS_CONTAINER_CREDENTIALS_RELATIVE_URI \ + AWS_CONTAINER_CREDENTIALS_RELATIVE_URI # Pass through AWS profile name (useful for local testing) AWS_PROFILE sitepackages = False diff --git a/test_vector_handlers/tox.ini b/test_vector_handlers/tox.ini index 41a208a3f..49d45cb3f 100644 --- a/test_vector_handlers/tox.ini +++ b/test_vector_handlers/tox.ini 
@@ -41,9 +41,11 @@ commands = pytest --basetemp={envtmpdir} -l --cov awses_test_vectors test/ --ign [testenv] passenv = # Pass through AWS credentials - AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN \ + AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY + AWS_SESSION_TOKEN # AWS Role access in CodeBuild is via the contaner URI - AWS_CONTAINER_CREDENTIALS_RELATIVE_URI \ + AWS_CONTAINER_CREDENTIALS_RELATIVE_URI # Pass through AWS profile name (useful for local testing) AWS_PROFILE sitepackages = False From de4ea27e008d4ba405a3774b3b54e2a913504a8e Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Thu, 25 Jun 2026 11:37:03 -0700 Subject: [PATCH 3/8] different version --- dev_requirements/ci-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dev_requirements/ci-requirements.txt b/dev_requirements/ci-requirements.txt index 3efb43f3a..e62af185e 100644 --- a/dev_requirements/ci-requirements.txt +++ b/dev_requirements/ci-requirements.txt @@ -1,2 +1,2 @@ setuptools -tox==4.30.3 +tox==4.25.0 From 3532263b992d29618c1e9161376d20520e2ac8d7 Mon Sep 17 00:00:00 2001 
From: Jose Corella Date: Thu, 25 Jun 2026 11:45:17 -0700 Subject: [PATCH 4/8] ci: drop windows-latest + Python 3.9 + x86 from test matrix MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This job has been failing because `cryptography` no longer publishes a 32-bit Windows wheel for Python 3.9. Pip therefore falls back to building from the sdist, which uses maturin (Rust/PyO3). On the hosted windows-latest runner only the x86_64 Rust target is installed, while the Python 3.9 x86 interpreter reports platform `win32` (i686), so maturin refuses to use it: 'python.EXE' reports a platform 'win32' (architecture 'i686'), while the Rust target is 'x86_64'. Skipping. Couldn't find any python interpreters from '...\python.EXE'. error: metadata-generation-failed local: FAIL code 1 The combination is effectively unbuildable on GitHub-hosted runners without provisioning an i686 Rust toolchain plus a 32-bit OpenSSL on the runner before each install — too brittle to maintain for a configuration that upstream `cryptography` no longer supports with prebuilt wheels. Pinning `cryptography` to an older version would only delay the same break. 64-bit Windows coverage on Python 3.9 is retained via the existing `windows-latest, 3.9, x64` cells. If 32-bit Windows coverage is later required, it should target a Python version for which `cryptography` still ships a `win32` wheel (currently 3.11+ via abi3). --- .github/workflows/ci_tests.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/.github/workflows/ci_tests.yaml b/.github/workflows/ci_tests.yaml index 5208a7eeb..e8423f910 100644 --- a/.github/workflows/ci_tests.yaml +++ b/.github/workflows/ci_tests.yaml 
@@ -67,6 +67,17 @@ jobs: - os: macos-latest architecture: x86 + # `cryptography` no longer publishes 32-bit Windows wheels for + # Python 3.9, so pip falls back to building from sdist. That build + # is Rust/maturin-based and fails on the hosted runner because the + # installed Rust target is x86_64 while the interpreter reports + # win32 (i686), so maturin refuses to use it. The job is therefore + # unbuildable on GitHub-hosted runners until a host-side toolchain + # workaround exists; drop the combination from the matrix. + - os: windows-latest + python: 3.9 + architecture: x86 + # MPL is not supported on <3.11 - python: 3.7 optional_mpl_dependency: -mpl From a3d42483f6e9e3a429b67a65a34413c65d237592 Mon Sep 17 00:00:00 2001 
From: Jose Corella Date: Thu, 25 Jun 2026 11:50:39 -0700 Subject: [PATCH 5/8] ci: also drop windows-latest + Python 3.8 / 3.10 + x86 from test matrix MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Follow-up to 3532263. A subsequent CI run failed on `windows-latest, 3.10, x86, accept` with the same root cause as the 3.9 cell: 'python.EXE' reports a platform 'win32' (architecture 'i686'), while the Rust target is 'x86_64'. Skipping. 💥 maturin failed error: metadata-generation-failed accept: FAIL code 1 `cryptography` only publishes a `win32` wheel via abi3 starting at cp311. Every Python below 3.11 on Windows x86 therefore falls back to the Rust/maturin sdist build, which cannot succeed on the hosted runner (x86_64-only Rust target, i686 interpreter, and maturin can't infer the interpreter version from the bare `python.EXE` name). The previous commit dropped only 3.9 because that was the cell shown in the first failing log. With `fail-fast: true` the matrix aborts on the first failure, which is why the 3.10 cell only surfaced once 3.9 was excluded. The same logic applies to 3.8. Drop all three pre-3.11 cells on windows-latest + x86. 3.11+ still gets a `cp311-abi3-win32` wheel from `cryptography`, so those cells remain in the matrix. --- .github/workflows/ci_tests.yaml | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci_tests.yaml b/.github/workflows/ci_tests.yaml index e8423f910..a9a260550 100644 --- a/.github/workflows/ci_tests.yaml +++ b/.github/workflows/ci_tests.yaml 
@@ -67,16 +67,24 @@ jobs: - os: macos-latest architecture: x86 - # `cryptography` no longer publishes 32-bit Windows wheels for - # Python 3.9, so pip falls back to building from sdist. That build - # is Rust/maturin-based and fails on the hosted runner because the - # installed Rust target is x86_64 while the interpreter reports - # win32 (i686), so maturin refuses to use it. The job is therefore - # unbuildable on GitHub-hosted runners until a host-side toolchain - # workaround exists; drop the combination from the matrix. + # `cryptography` only publishes 32-bit Windows wheels via abi3 + # starting at Python 3.11 (cp311-abi3-win32). For older Pythons, + # pip falls back to building from sdist, which uses maturin + # (Rust/PyO3). That build fails on the hosted windows-latest + # runner because only the x86_64 Rust target is installed while + # the interpreter reports platform `win32` (i686), so maturin + # refuses to use it. The job is therefore unbuildable on + # GitHub-hosted runners until a host-side toolchain workaround + # exists; drop these combinations from the matrix. + - os: windows-latest + python: 3.8 + architecture: x86 - os: windows-latest python: 3.9 architecture: x86 + - os: windows-latest + python: "3.10" + architecture: x86 # MPL is not supported on <3.11 - python: 3.7 From 5ec3877d8a33fa9d3aee09e6f43026b07f01a068 Mon Sep 17 00:00:00 2001 
From: Jose Corella Date: Thu, 25 Jun 2026 11:53:49 -0700 Subject: [PATCH 6/8] ci: express "no x86 for pre-3.11 Python" as a single matrix policy MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The previous commit listed three explicit (os, python, architecture) triples to exclude. Since x86 is already excluded on ubuntu-latest and macos-latest by their own (os, architecture) rules, the os qualifier on these entries is redundant. Replace the triples with (python, architecture) pairs so the policy reads as "no x86 testing for Python below 3.11" — which is the actual rule we care about. cp311-abi3-win32 wheels from `cryptography` cover 3.11+, so those cells remain in the matrix. No change in effective coverage. --- .github/workflows/ci_tests.yaml | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/.github/workflows/ci_tests.yaml b/.github/workflows/ci_tests.yaml index a9a260550..83f120f12 100644 --- a/.github/workflows/ci_tests.yaml +++ b/.github/workflows/ci_tests.yaml @@ -73,17 +73,13 @@ jobs: # (Rust/PyO3). That build fails on the hosted windows-latest # runner because only the x86_64 Rust target is installed while # the interpreter reports platform `win32` (i686), so maturin - # refuses to use it. The job is therefore unbuildable on - # GitHub-hosted runners until a host-side toolchain workaround - # exists; drop these combinations from the matrix. - - os: windows-latest - python: 3.8 + # refuses to use it. Until a host-side toolchain workaround + # exists, omit pre-3.11 Python from x86 testing entirely. + - python: 3.8 architecture: x86 - - os: windows-latest - python: 3.9 + - python: 3.9 architecture: x86 - - os: windows-latest - python: "3.10" + - python: "3.10" architecture: x86 # MPL is not supported on <3.11 From ae4894923dafab75aec28709cba953e6697bb271 Mon Sep 17 00:00:00 2001 
From: Jose Corella Date: Thu, 25 Jun 2026 11:55:03 -0700 Subject: [PATCH 7/8] ci: scope pre-3.11 x86 exclude to windows-latest only MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Partial revert of 5ec3877. The maturin/cryptography sdist-build issue is Windows-specific (no cp38/cp39/cp310 win32 wheel and an x86_64-only host Rust toolchain). On Linux and macOS x86 — if those cells are ever re-enabled — the package would either use a Linux/macOS wheel or a sdist build that doesn't have this architecture-mismatch failure mode. Re-add `os: windows-latest` to each of the three pre-3.11 x86 excludes so the rule expresses what it actually means. Effective coverage today is unchanged (non-Windows x86 is still excluded by the existing (os, architecture) rules above), but the intent is now correct if those blanket excludes are ever lifted. --- .github/workflows/ci_tests.yaml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci_tests.yaml b/.github/workflows/ci_tests.yaml index 83f120f12..d368f7856 100644 --- a/.github/workflows/ci_tests.yaml +++ b/.github/workflows/ci_tests.yaml @@ -73,13 +73,16 @@ jobs: # (Rust/PyO3). That build fails on the hosted windows-latest # runner because only the x86_64 Rust target is installed while # the interpreter reports platform `win32` (i686), so maturin - # refuses to use it. Until a host-side toolchain workaround - # exists, omit pre-3.11 Python from x86 testing entirely. - - python: 3.8 + # refuses to use it. Drop pre-3.11 x86 on Windows only; non- + # Windows x86 (if ever enabled) is unaffected by this issue. + - os: windows-latest + python: 3.8 architecture: x86 - - python: 3.9 + - os: windows-latest + python: 3.9 architecture: x86 - - python: "3.10" + - os: windows-latest + python: "3.10" architecture: x86 # MPL is not supported on <3.11 From 17f4dacbe9f5754a0dc67ab563b22d593fde7004 Mon Sep 17 00:00:00 2001 
From: Jose Corella Date: Thu, 25 Jun 2026 12:02:29 -0700 Subject: [PATCH 8/8] ci: drop x86 on windows-latest from the entire test matrix A subsequent CI run failed on `windows-latest, 3.11, x86, local` with the same maturin/architecture-mismatch failure as the pre-3.11 cells: 'python.EXE' reports a platform 'win32' (architecture 'i686'), while the Rust target is 'x86_64'. Skipping. Preparing metadata (pyproject.toml) did not run successfully. local: FAIL code 1 That contradicts the "cp311-abi3-win32 wheels cover 3.11+" reasoning in 5ec3877 / ae48949. The currently-resolved `cryptography` (49.0.0) has no `win32` wheel for any CPython version, so every 32-bit Windows row falls back to the same Rust/maturin sdist build, and they all fail the same way on GitHub-hosted runners. Collapse the three (os, python, architecture) excludes into a single (os: windows-latest, architecture: x86) blanket exclude. Removes x86 from CI on Windows entirely. Non-Windows x86 is still gated by the existing per-OS excludes above, so net coverage is "no x86 anywhere", which matches the empirical reality of what can actually be built. The only path back to x86 Windows coverage would be host-side toolchain provisioning per cell (i686 Rust target + 32-bit OpenSSL + maturin interpreter rename), which isn't worth the maintenance cost for a configuration upstream no longer ships wheels for. --- .github/workflows/ci_tests.yaml | 25 ++++++++++--------------- 1 file changed, 10 insertions(+), 15 deletions(-) diff --git a/.github/workflows/ci_tests.yaml b/.github/workflows/ci_tests.yaml index d368f7856..607b5c9e1 100644 --- a/.github/workflows/ci_tests.yaml +++ b/.github/workflows/ci_tests.yaml 
@@ -67,22 +67,17 @@ jobs: - os: macos-latest architecture: x86 - # `cryptography` only publishes 32-bit Windows wheels via abi3 - # starting at Python 3.11 (cp311-abi3-win32). For older Pythons, - # pip falls back to building from sdist, which uses maturin - # (Rust/PyO3). That build fails on the hosted windows-latest - # runner because only the x86_64 Rust target is installed while - # the interpreter reports platform `win32` (i686), so maturin - # refuses to use it. Drop pre-3.11 x86 on Windows only; non- - # Windows x86 (if ever enabled) is unaffected by this issue. + # `cryptography` no longer publishes 32-bit Windows wheels for + # any CPython version, so pip falls back to building from sdist. + # That build is Rust/maturin-based and fails on the hosted + # windows-latest runner because only the x86_64 Rust target is + # installed while the interpreter reports platform `win32` + # (i686), so maturin refuses to use it. Drop x86 on Windows + # entirely; the only path back would be host-side toolchain + # provisioning (i686 Rust target + 32-bit OpenSSL) per cell, + # which isn't worth it for a configuration upstream no longer + # supports. - os: windows-latest - python: 3.8 - architecture: x86 - - os: windows-latest - python: 3.9 - architecture: x86 - - os: windows-latest - python: "3.10" architecture: x86 # MPL is not supported on <3.11
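Review bot: With the blanket `os: windows-latest` / `architecture: x86` exclude next to the existing non-Windows ones, no 32-bit interpreter is exercised anywhere in the matrix, as the commit message itself says. Nothing in this series records that 32-bit Windows is now untested for an encryption library. The new comment states the upstream wheel situation as a timeless fact, although the comments from patches 5 and 7 made a similar claim about `cp311-abi3-win32` that this patch has to retract. Tie the comment to what was observed, for example `# As of cryptography 49.0.0 (see commit message) no win32 wheel is published for any CPython version`, and note the loss of 32-bit coverage wherever the project lists supported platforms. The matrix definition and the other excludes lie outside the hunk, so the coverage statement rests on the commit message.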