Initial import of AWS Cloud Labs kernel testing framework

Cloud-based kernel CI testing on AWS EC2 instances using SSM for
test execution. Supports UnixBench regression detection, kernel
reboot tests, and basic boot validation.

Co-authored-by: Max Hubmann <mxhbm@amazon.de>
Co-authored-by: Norbert Manthey <nmanthey@amazon.de>
Signed-off-by: Ben Copeland <ben.copeland@linaro.org>

Author: 3 people

.dockerignore

@@ -0,0 +1,40 @@
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
+.Python
+.venv/
+venv/
+ENV/
+env/
+
+# Git
+.git/
+.gitignore
+.gitattributes
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+
+# Tests
+tests/
+*.pytest_cache/
+.coverage
+htmlcov/
+
+# Documentation
+*.md
+docs/
+
+# CI/CD
+.github/
+.pre-commit-config.yaml
+
+# Build artifacts
+*.egg-info/
+dist/
+build/

.flake8

@@ -0,0 +1,10 @@
+[flake8]
+max-line-length = 120
+extend-ignore = E203, W503
+exclude =
+    .git,
+    .venv*,
+    build,
+    dist,
+    __pycache__,
+    *.egg-info

.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/basic-ci.yml

@@ -0,0 +1,59 @@
+name: Basic CI
+
+on:
+  push:
+    branches: [ mainline ]
+  pull_request:
+    branches: [ mainline ]
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.9", "3.10", "3.11", "3.12"]
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up Python ${{ matrix.python-version }}
+      uses: actions/setup-python@v4
+      with:
+        python-version: ${{ matrix.python-version }}
+
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install -e ".[dev]"
+
+    - name: Lint with flake8 and pylint
+      run: |
+        make lint
+
+    - name: Test with pytest
+      run: |
+        make test
+
+  build:
+    runs-on: ubuntu-latest
+    needs: test
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: "3.12"
+
+    - name: Build package
+      run: |
+        python -m pip install --upgrade pip build twine
+        python -m build
+
+    - name: Check package
+      run: |
+        python -m twine check dist/*

.github/workflows/codeql.yml

@@ -0,0 +1,22 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ mainline ]
+  pull_request:
+    branches: [ mainline ]
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      packages: read
+      actions: read
+      contents: read
+    steps:
+    - uses: actions/checkout@v4
+    - uses: github/codeql-action/init@v3
+      with:
+        languages: python
+    - uses: github/codeql-action/analyze@v3

.github/workflows/coverage-check.yml

@@ -0,0 +1,70 @@
+name: Coverage Check
+
+on:
+  pull_request:
+    branches: [ "**" ]
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  coverage-check:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: "3.12"
+
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install -e ".[dev]"
+
+    - name: Get base branch coverage
+      run: |
+        git checkout origin/mainline
+        pip install -e ".[dev]"
+        python -m pytest tests/ -m "not integration" --cov=src --cov-report=json:coverage-base.json --tb=no -q || true
+        BASE_COVERAGE=$(python -c "import json; print(json.load(open('coverage-base.json'))['totals']['percent_covered'])")
+        echo "BASE_COVERAGE=$BASE_COVERAGE" >> $GITHUB_ENV
+        echo "Base branch coverage: $BASE_COVERAGE%"
+
+    - name: Get PR coverage
+      run: |
+        git checkout ${{ github.event.pull_request.head.sha }}
+        pip install -e ".[dev]"
+        python -m pytest tests/ -m "not integration" --cov=src --cov-report=json:coverage-pr.json --tb=no -q || true
+        PR_COVERAGE=$(python -c "import json; print(json.load(open('coverage-pr.json'))['totals']['percent_covered'])")
+        echo "PR_COVERAGE=$PR_COVERAGE" >> $GITHUB_ENV
+        echo "PR branch coverage: $PR_COVERAGE%"
+
+    - name: Compare coverage and enforce increase
+      run: |
+        python -c "
+        import sys
+        base = float('${{ env.BASE_COVERAGE }}')
+        pr = float('${{ env.PR_COVERAGE }}')
+        diff = pr - base
+
+        print(f'Coverage Report')
+        print(f'Base coverage: {base:.2f}%')
+        print(f'PR coverage: {pr:.2f}%')
+        print(f'Coverage change: {diff:+.2f}%')
+        print()
+
+        if diff < -0.01:  # Allow small floating point differences
+            print('❌ Coverage decreased! This PR reduces test coverage.')
+            print('Please add tests to maintain or improve coverage.')
+            sys.exit(1)
+        elif diff > 0.01:
+            print('✅ Coverage increased! Great job improving test coverage.')
+        else:
+            print('➡️ Coverage unchanged (within tolerance).')
+        "

.github/workflows/trufflehog.yml

@@ -0,0 +1,31 @@
+name: TruffleHog to Scan for Secrets
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  TruffleHog:
+    name: TruffleHog
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: TruffleHog OSS
+        id: trufflehog
+        uses: trufflesecurity/trufflehog@main
+        continue-on-error: true
+        with:
+          path: ./
+          base: "${{ github.event.repository.default_branch }}"
+          head: HEAD
+          extra_args: --only-verified
+      - name: Scan Results Status
+        if: steps.trufflehog.outcome == 'failure'
+        run: exit 1

.gitignore

@@ -0,0 +1,61 @@
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.egg-info/
+*.egg
+.Python
+build/
+dist/
+*.so
+
+# Virtual environments
+.venv/
+.venv-testing/
+pyvenv.cfg
+
+# Testing & Coverage
+.coverage
+.coverage.*
+.pytest_cache/
+htmlcov/
+coverage.xml
+nosetests.xml
+
+# Editor / IDE
+*~
+*#
+*.swp
+.DS_Store
+.vscode/
+.idea/
+.kiro/
+
+# Logs
+logs/
+*.log
+
+# AWS credentials and sensitive files
+.env
+.aws/
+*.pem
+*.key
+examples/aws/credentials.json
+
+# Project-specific config (generated by setup configure)
+run-config.json
+demo-config.json
+
+# Test kernel RPMs (large binary files)
+setup/test-kernel-rpms/
+
+# Local planning files
+FAQ.md
+upstream-prep.protocol.md
+kernel-ci-cloud-labs.zip
+
+# Analysis output data
+analysis/data/
+
+# Distribution archives
+share/

.pre-commit-config.yaml

@@ -0,0 +1,29 @@
+repos:
+  - repo: https://github.com/psf/black
+    rev: 22.12.0
+    hooks:
+      - id: black
+        language_version: python3
+
+  - repo: local
+    hooks:
+      - id: pylint
+        name: pylint
+        entry: pylint
+        language: system
+        types: [python]
+        args: [--max-line-length=120]
+
+      - id: clean-logs
+        name: clean-logs
+        entry: bash -c 'find logs -type d -name "run_*" -exec rm -rf {} + 2>/dev/null || true; echo "✓ Cleaned up log directories"'
+        language: system
+        pass_filenames: false
+        always_run: true
+
+      - id: clean-integration-test-logs
+        name: clean-integration-test-logs
+        entry: bash -c 'find logs tests/integration/logs -type d -name "run_*" -exec rm -rf {} + 2>/dev/null || true; echo "✓ Cleaned up log directories"'
+        language: system
+        pass_filenames: false
+        always_run: true