Rfc30/number (#8)

* formatting: run pre-commit on all files (smithy-lang#2236)

* formatting: run pre-commit on all files

* fix: test broken by string indent

* Remove old service builder machinery (smithy-lang#2161)

* Remove HandlerGenerator and RegistryGenerator

* Shrink RequestRejection

* Remove inlineable

* Remove Router and RequestParts

* Remove old service builder tests

* Add missing test dependency

* Add missing dev dependency

* Remove unused test

* Move Router types

* Switch AllowUnused to AllowUnusedVariables

* Add changelog entry for "Remove old service builder machinery" (smithy-lang#2242)

* Dense maps cannot deserialize null values (smithy-lang#2239)

* Dense maps cannot deserialize null values

Signed-off-by: Daniele Ahmed <[email protected]>

* Dense lists cannot deserialize null (smithy-lang#2240)

* Dense lists cannot deserialize null

Signed-off-by: Daniele Ahmed <[email protected]>

* Update changelog

* Add changelog entry about smithy-lang#2200 (smithy-lang#2250)

Co-authored-by: Julian Antonielli <[email protected]>

* Fix `OperationExtensionFuture` poll order (smithy-lang#2247)

* Fix `OperationExtensionFuture` poll order

* Add CHANGELOG.next.toml entry

Co-authored-by: AWS SDK Rust Bot <[email protected]>

* Bump version to 0.54.1 in `gradle.properties` (smithy-lang#2249)

Co-authored-by: Julian Antonielli <[email protected]>
Co-authored-by: AWS SDK Rust Bot <[email protected]>

* Update changelog

* Add CI action to test aws-sdk-services (smithy-lang#2251)

* run cargo test --all-features instead

* Add check-only option, change check to test

* Support nested APIs in operation input tests

* Newtype FromRequest::Future (smithy-lang#2244)

* Add RFC: Providing fallback credentials on timeout (smithy-lang#2218)

* Add RFC: providing fallback credentials on timeout

* Update design/src/rfcs/rfc0031_providing_fallback_credentials_on_timeout.md

Co-authored-by: Zelda Hessler <[email protected]>

* Update design/src/rfcs/rfc0031_providing_fallback_credentials_on_timeout.md

Co-authored-by: Zelda Hessler <[email protected]>

* Update design/src/rfcs/rfc0031_providing_fallback_credentials_on_timeout.md

Co-authored-by: Zelda Hessler <[email protected]>

* Update design/src/rfcs/rfc0031_providing_fallback_credentials_on_timeout.md

Co-authored-by: Zelda Hessler <[email protected]>

* Update design/src/rfcs/rfc0031_providing_fallback_credentials_on_timeout.md

Co-authored-by: Zelda Hessler <[email protected]>

* Update design/src/rfcs/rfc0031_providing_fallback_credentials_on_timeout.md

Co-authored-by: Zelda Hessler <[email protected]>

* Update design/src/rfcs/rfc0031_providing_fallback_credentials_on_timeout.md

Co-authored-by: Zelda Hessler <[email protected]>

* Update design/src/rfcs/rfc0031_providing_fallback_credentials_on_timeout.md

Co-authored-by: Zelda Hessler <[email protected]>

* Update design/src/rfcs/rfc0031_providing_fallback_credentials_on_timeout.md

Co-authored-by: Zelda Hessler <[email protected]>

* Update design/src/rfcs/rfc0031_providing_fallback_credentials_on_timeout.md

Co-authored-by: Zelda Hessler <[email protected]>

* Update design/src/rfcs/rfc0031_providing_fallback_credentials_on_timeout.md

Co-authored-by: John DiSanti <[email protected]>

* Incorporate review feedback into RFC

This commit addresses the review feedback:
smithy-lang#2218 (comment)
smithy-lang#2218 (comment)
smithy-lang#2218 (comment)

In addition, we have renamed the proposed method `on_timeout` to
`fallback_on_interrupt` to make it more descriptive.

* Update rfc0031_providing_fallback_credentials_on_timeout.md

* Update RFC

This commit updates RFC and leaves to discussion how `fallback_on_interrupt`
should be implemented, i.e., either as a synchronous primitive or an
asynchronous primitive.

* Update rfc0031_providing_fallback_credentials_on_timeout.md

* Update rfc0031_providing_fallback_credentials_on_timeout.md

* Update rfc0031_providing_fallback_credentials_on_timeout.md

---------

Co-authored-by: Yuki Saito <[email protected]>
Co-authored-by: Zelda Hessler <[email protected]>
Co-authored-by: John DiSanti <[email protected]>
Co-authored-by: Luca Palmieri <[email protected]>

* Replace PR bot's diff tool with one that supports pagination (smithy-lang#2245)

* Implement paginated diff to html tool
* Wire up the new diff tool to PR bot

* Add fallback_on_interrupt to the ProvideCredentials trait (smithy-lang#2246)

* Implement RFC for providing fallback credentials

This commit implements the changes checklist in the RFC for providing
fallback credentials.

* Remove needless lifetime parameter

* Update CHANGELOG.next.toml

---------

Co-authored-by: Yuki Saito <[email protected]>

* Copy non-service integration tests into SDK root tests directory (smithy-lang#2255)

* Copy non-service integration tests into SDK root tests directory

For tests in `aws/sdk/integration-tests` that are not named after a
service module, copy them into the SDK's root `tests/` directory so that
they are run as part of CI on the entire SDK.

* Add missing fields to integration test manifests
* Remove tests from root workspace
* Explicitly exclude the root tests from the root workspace

* Update the event stream section in RFC30 (smithy-lang#2243)

* Python: Support `document` type (smithy-lang#2188)

* Add Python wrapper for `aws_smithy_types::Document`

* Remove unused type

* Make sure Python SSDKs uses Python specific `Document` type

* Allow Python specific `Document` type to be used in serialization and deserialization

* Make `pyo3/extension-module` a default feature

* Add `PythonServerTypesTest`

* Fix linting issues

* Add `Data limit exceeded` to build image throttle messages (smithy-lang#2260)

* Update smoketest models (smithy-lang#2252)

* Make minor fixes to the crate claim workflow (smithy-lang#2259)

* Add support for `@uniqueItems` (smithy-lang#2232)

This commit adds support for the `@uniqueItems` trait on `list` shapes
in server SDKs. Requests with duplicate values for `list` shapes
constrained with `@uniqueItems` will be rejected by servers.

* Update mentions to codegen configuration key in changelog (smithy-lang#2166)

As well as in one error message.

The key is `codegen`, not `codegenConfig`.

* Change the release flow to use release branches (smithy-lang#2253)

* What happens if we comment out the runtime crate version from gradle.properties?

* Allow running the release and the CI workflows from an arbitrary commit.

* Does a fake version work?

* Pass `git_ref` from the release workflow.

* It needs to be a valid semver version.

* Sketch new command to upgrade version in gradle.properties

* Command implementation

* Plug the new publisher command into the `release` action.

* Plumb end-to-end

* Fix copyright header.

* Fix lint.

* Temporarily comment out the sanity check.

* Ignore sanity check

* Add a command that prints out the template for CHANGELOG.next.toml

* Add branch check + empty TOML generation.

* Add copyright headers.

* Fix imports.

* Remove sanity check.

* Move script to a file.

* Add a check to validate the tag.

* Remove second build step.

* Move to .github/scripts folder.

* Make the script easier to run locally

* Fail if anything fails.

* Add comment.

* Update .github/scripts/get-or-create-release-branch.sh

Co-authored-by: david-perez <[email protected]>

* Update .github/scripts/get-or-create-release-branch.sh

Co-authored-by: david-perez <[email protected]>

* Update .github/scripts/get-or-create-release-branch.sh

Co-authored-by: david-perez <[email protected]>

* Update .github/workflows/ci.yml

Co-authored-by: david-perez <[email protected]>

* Remove touch.

* Fix indentation and branch name.

* Update .github/workflows/ci.yml

Co-authored-by: david-perez <[email protected]>

* Update .github/workflows/release.yml

Co-authored-by: david-perez <[email protected]>

* Update .github/workflows/release.yml

Co-authored-by: david-perez <[email protected]>

* Explicit flags.

* Use the path that was provided.

* Format

---------

Co-authored-by: david-perez <[email protected]>

* Reduce Docker image rebuilds (smithy-lang#2269)

* Move `acquire-build-image` into `.github`
* Move the `tools-hash` script into `.github`
* Upload to ECR from PRs as well
* Move build tools into `tools/ci-build/`
* Move CI scripts out of `ci-build`
* Split CI for forks/non-forks
* Remove `fetch-depth: 0` from PR workflows

* Remove teams from `publisher` ownership list (smithy-lang#2257)

* Add static stability support to IMDS credentials provider (smithy-lang#2258)

* Add static stability support to ImdsCredentialsProvider

This commit adds static stability support to `ImdsCredentialsProvider`.
Static stability refers to continued availability of a service in the
face of impaired dependencies. In case IMDS is not available, we still
allow requests to be dispatched with expired credentials. This, in turn,
allows the target service to makes the ultimate decision as to whether
requests sent are valid or not instead of the client SDK determining
their validity.

The way it is implemented is `ImdsCredentialsProvider` now stores a last
retrieved credentials which will later be served when IMDS is unreachable.

* Add tests to IMDS credentials provider

This commit adds tests to IMDS credentials providers for static stability
support. These tests are prescribed in smithy-lang#2117.
From an IMDS credentials provider' perspective, however, some of the tests
are considered to fall under the same equivalence class with others.
Therefore, a single test can cover multiple test cases.

* Update CHANGELOG.next.toml

* Update CHANGELOG.next.toml

Co-authored-by: John DiSanti <[email protected]>

---------

Co-authored-by: Yuki Saito <[email protected]>
Co-authored-by: John DiSanti <[email protected]>

* Increase build image backoff time and attempts (smithy-lang#2267)

* Must set a member in unions (smithy-lang#2241)

* Must set a member in unions

Signed-off-by: Daniele Ahmed <[email protected]>

* Add `runs-on` (smithy-lang#2273)

* Add `runs-on` (smithy-lang#2275)

* Fix job trigger. Clarify that short SHAs won't work. (smithy-lang#2278)

* Clarify what type of reference we are trying to push. (smithy-lang#2279)

* Update gradle properties for dry runs as well. (smithy-lang#2280)

* Get verbose logging from the branch script. (smithy-lang#2281)

* Fix trigger for following jobs. (smithy-lang#2282)

* Fix action paths. (smithy-lang#2283)

* We need to checkout in the `smithy-rs` folder because that's an assumption baked into the definition of the docker-build action. (smithy-lang#2284)

* Use action-arguments for arguments. (smithy-lang#2285)

* Fix if condition. (smithy-lang#2286)

* Persist the modified gradle.properties outside of the Docker context (smithy-lang#2287)

* Fix if condition.

* Make sure that the changes are visible to the push step after the Docker action has executed by persisting the modified repository as an artifact.

* Give a name to the argument.

* Use larger machines for the slowest CI jobs. (smithy-lang#2263)

* Use larger machines for the slowest CI jobs.

* Fix invocation.

* Fix paths. (smithy-lang#2288)

* Commit if modified (smithy-lang#2289)

* Fix paths.

* Fix commit logic - it should commit when there were changes.

* Set user name and email when committing (smithy-lang#2290)

* `git push origin` fails if there is nothing to push. (smithy-lang#2291)

* Use curly braces to group together the commit and push action (smithy-lang#2292)

* Fix syntax error when grouping commands. (smithy-lang#2293)

* [release-branches] Fix the reference that gets checked out (smithy-lang#2294)

* Fix the reference that gets checked out

* Fix

* Fix broken doc link to `tokio_stream::Stream` (smithy-lang#2271)

* Fix broken doc link to `Stream`

This commit fixes broken doc link to `Stream` in codegen clients. That
target is `tokio_stream::Stream`, which in turn is a re-export of
`futures_core::Stream`. Since we do not have a good way to link to the
re-export, we remove a hyper link and just put `Stream`.

* Update CHANGELOG.next.toml

---------

Co-authored-by: Yuki Saito <[email protected]>

* Use docker login when possible (smithy-lang#2265)

Login to ECR when credentials are available to improve CI performance

* Simplify `AdHocSection` (smithy-lang#2272)

Co-authored-by: Russell Cohen <[email protected]>

* Fix CI on main and don't acquire Docker login for forks (smithy-lang#2295)

* Fix CI on main and don't acquire Docker login for forks

* Convert empty env vars into `None`

* Optimize base image acquisition on main

* Collect more diagnostics. (smithy-lang#2297)

* [release-branches] Fix working directory (smithy-lang#2298)

* Fix working directory.

* Build the Docker image using the latest commit on the invocation branch.

* We need a Docker image with the same SHA later in the process.

* Clone does not preserve uncommitted changes. This was leading to the gradle.properties update being lost. (smithy-lang#2299)

* Make `OperationExtension` store the absolute shape ID (smithy-lang#2276)

* Do not alter Operation shape ID

* Add OperationExtensionExt test

* Add CHANGELOG.next.toml entry

* Apply suggestions from code review

Co-authored-by: Luca Palmieri <[email protected]>

---------

Co-authored-by: Luca Palmieri <[email protected]>

* Retrieve the output from outside the Docker context (smithy-lang#2300)

Co-authored-by: AWS SDK Rust Bot <[email protected]>

* Fix image tagging in CI on main (smithy-lang#2301)

* Fix handling of repeated headers in AWS request canonicalization (smithy-lang#2261)

* Remove usage of always empty writable in `JsonParserGenerator` (smithy-lang#2192)

The writable calculates a string that it never writes.

This was added in smithy-lang#2131.

* fix

---------

Signed-off-by: Daniele Ahmed <[email protected]>
Co-authored-by: Zelda Hessler <[email protected]>
Co-authored-by: Harry Barber <[email protected]>
Co-authored-by: 82marbag <[email protected]>
Co-authored-by: AWS SDK Rust Bot <[email protected]>
Co-authored-by: Julian Antonielli <[email protected]>
Co-authored-by: Julian Antonielli <[email protected]>
Co-authored-by: AWS SDK Rust Bot <[email protected]>
Co-authored-by: Russell Cohen <[email protected]>
Co-authored-by: ysaito1001 <[email protected]>
Co-authored-by: Yuki Saito <[email protected]>
Co-authored-by: John DiSanti <[email protected]>
Co-authored-by: Luca Palmieri <[email protected]>
Co-authored-by: Burak <[email protected]>
Co-authored-by: david-perez <[email protected]>
Co-authored-by: Nipunn Koorapati <[email protected]>

.github/actions/docker-build/action.yml

@@ -1,11 +1,11 @@
 # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
-# Use this action to execute the action scripts in tools/ci-build/scripts within the Docker build image.
+# Use this action to execute the action scripts in tools/ci-scripts.
 name: smithy-rs Docker Build
 description: Run Docker build command for smithy-rs
 inputs:
-  # The name of the script in tools/ci-build/scripts to run
+  # The name of the script in tools/ci-scripts to run
   action:
     description: What action to run in the Docker build
     required: true
@@ -43,7 +43,7 @@ runs:
       # from attempting to download an image from ECR since it will already exist,
       # which enables testing build image modifications as part of the pull request.
       if [[ -d smithy-rs-base-image ]]; then
-        IMAGE_TAG="$(./smithy-rs/tools/ci-build/tools-hash)"
+        IMAGE_TAG="$(./smithy-rs/.github/scripts/docker-image-hash)"
         docker load -i smithy-rs-base-image/smithy-rs-base-image
         docker tag "smithy-rs-base-image:${IMAGE_TAG}" "smithy-rs-base-image:local"
       fi
@@ -52,7 +52,7 @@ runs:
       # or from ECR. We disable building the image from scratch so that any mistakes in the CI
       # configuration won't cause each individual action to build its own image, which would
       # drastically increase the total CI time. Fail fast!
-      ALLOW_LOCAL_BUILD=false ./smithy-rs/tools/ci-build/acquire-build-image
+      ALLOW_LOCAL_BUILD=false ./smithy-rs/.github/scripts/acquire-build-image
     # This runs the commands from the matrix strategy
   - name: Run ${{ inputs.action }}
     shell: bash

tools/ci-build/acquire-build-image → .github/scripts/acquire-build-image

@@ -11,6 +11,7 @@ import subprocess
 import sys
 import time
 import unittest
+import base64
 
 REMOTE_BASE_IMAGE_NAME = "public.ecr.aws/w0m4q9l7/github-awslabs-smithy-rs-ci"
 LOCAL_BASE_IMAGE_NAME = "smithy-rs-base-image"
@@ -41,33 +42,48 @@ class Platform(Enum):
 
 # Script context
 class Context:
-    def __init__(self, start_path, script_path, tools_path, user_id, image_tag, allow_local_build, github_actions):
+    def __init__(self, start_path, script_path, tools_path, user_id, image_tag, allow_local_build, github_actions,
+                 encrypted_docker_password, docker_passphrase):
         self.start_path = start_path
         self.script_path = script_path
         self.tools_path = tools_path
+        self.docker_image_path = tools_path + "/ci-build"
         self.user_id = user_id
         self.image_tag = image_tag
         self.allow_local_build = allow_local_build
         self.github_actions = github_actions
+        self.encrypted_docker_password = encrypted_docker_password
+        self.docker_passphrase = docker_passphrase
 
     @staticmethod
     def default():
         start_path = os.path.realpath(os.curdir)
         script_path = os.path.dirname(os.path.realpath(__file__))
         tools_path = get_cmd_output("git rev-parse --show-toplevel", cwd=script_path)[1] + "/tools"
         user_id = get_cmd_output("id -u")[1]
-        image_tag = get_cmd_output("./ci-build/tools-hash", cwd=tools_path)[1]
+        image_tag = get_cmd_output("./docker-image-hash", cwd=script_path)[1]
         allow_local_build = os.getenv("ALLOW_LOCAL_BUILD") != "false"
         github_actions = os.getenv("GITHUB_ACTIONS") == "true"
+        encrypted_docker_password = os.getenv("ENCRYPTED_DOCKER_PASSWORD") or None
+        docker_passphrase = os.getenv("DOCKER_LOGIN_TOKEN_PASSPHRASE") or None
+
         print(f"Start path: {start_path}")
         print(f"Script path: {script_path}")
         print(f"Tools path: {tools_path}")
         print(f"User ID: {user_id}")
         print(f"Required base image tag: {image_tag}")
         print(f"Allow local build: {allow_local_build}")
         print(f"Running in GitHub Actions: {github_actions}")
-        return Context(start_path, script_path, tools_path, user_id, image_tag, allow_local_build, github_actions)
+        return Context(start_path=start_path, script_path=script_path, tools_path=tools_path, user_id=user_id,
+                       image_tag=image_tag, allow_local_build=allow_local_build, github_actions=github_actions,
+                       encrypted_docker_password=encrypted_docker_password, docker_passphrase=docker_passphrase)
+
 
+def output_contains_any(stdout, stderr, messages):
+    for message in messages:
+        if message in stdout or message in stderr:
+            return True
+    return False
 
 # Mockable shell commands
 class Shell:
@@ -83,6 +99,9 @@ class Shell:
         (status, _, _) = get_cmd_output(f"docker inspect \"{image_name}:{image_tag}\"", check=False)
         return status == 0
 
+    def docker_login(self, password):
+        get_cmd_output("docker login --username AWS --password-stdin public.ecr.aws", input=password.encode('utf-8'))
+
     # Pulls the requested `image_name` with `image_tag`. Returns `DockerPullResult`.
     def docker_pull(self, image_name, image_tag):
         (status, stdout, stderr) = get_cmd_output(f"docker pull \"{image_name}:{image_tag}\"", check=False)
@@ -93,30 +112,28 @@ class Shell:
         print(stderr)
         print("-------------------")
 
-        not_found_message = "not found: manifest unknown"
-        throttle_message = "toomanyrequests: Rate exceeded"
+        not_found_messages = ["not found: manifest unknown"]
+        throttle_messages = ["toomanyrequests:"]
         retryable_messages = ["net/http: TLS handshake timeout"]
         if status == 0:
             return DockerPullResult.SUCCESS
-        elif throttle_message in stdout or throttle_message in stderr:
+        elif output_contains_any(stdout, stderr, throttle_messages):
             return DockerPullResult.ERROR_THROTTLED
-        elif not_found_message in stdout or not_found_message in stderr:
+        elif output_contains_any(stdout, stderr, not_found_messages):
             return DockerPullResult.NOT_FOUND
-        else:
-            for message in retryable_messages:
-                if message in stdout or message in stderr:
-                    return DockerPullResult.RETRYABLE_ERROR
+        elif output_contains_any(stdout, stderr, retryable_messages):
+            return DockerPullResult.RETRYABLE_ERROR
         return DockerPullResult.UNKNOWN_ERROR
 
     # Builds the base image with the Dockerfile in `path` and tags with with `image_tag`
     def docker_build_base_image(self, image_tag, path):
         run(f"docker build -t \"smithy-rs-base-image:{image_tag}\" .", cwd=path)
 
     # Builds the local build image
-    def docker_build_build_image(self, user_id, script_path):
+    def docker_build_build_image(self, user_id, docker_image_path):
         run(
             f"docker build -t smithy-rs-build-image --file add-local-user.dockerfile --build-arg=USER_ID={user_id} .",
-            cwd=script_path
+            cwd=docker_image_path
         )
 
     # Saves the Docker image named `image_name` with `image_tag` to `output_path`
@@ -129,10 +146,10 @@ class Shell:
 
 
 # Pulls a Docker image and retries if it gets throttled
-def docker_pull_with_retry(shell, image_name, image_tag, throttle_sleep_time=45, retryable_error_sleep_time=1):
+def docker_pull_with_retry(shell, image_name, image_tag, throttle_sleep_time=120, retryable_error_sleep_time=1):
     if shell.platform() == Platform.ARM_64:
         return DockerPullResult.REMOTE_ARCHITECTURE_MISMATCH
-    for attempt in range(1, 5):
+    for attempt in range(1, 6):
         announce(f"Attempting to pull remote image {image_name}:{image_tag} (attempt {attempt})...")
         result = shell.docker_pull(image_name, image_tag)
         if result == DockerPullResult.ERROR_THROTTLED:
@@ -154,17 +171,39 @@ def run(command, cwd=None):
 
 
 # Returns (status, output) from a shell command
-def get_cmd_output(command, cwd=None, check=True):
+def get_cmd_output(command, cwd=None, check=True, **kwargs):
+    if isinstance(command, str):
+        command = shlex.split(command)
+
     result = subprocess.run(
-        shlex.split(command),
+        command,
         capture_output=True,
-        check=check,
-        cwd=cwd
+        check=False,
+        cwd=cwd,
+        **kwargs
     )
-    return (result.returncode, result.stdout.decode("utf-8").strip(), result.stderr.decode("utf-8").strip())
+    stdout = result.stdout.decode("utf-8").strip()
+    stderr = result.stderr.decode("utf-8").strip()
+    if check and result.returncode != 0:
+        raise Exception(f"failed to run '{command}.\n{stdout}\n{stderr}")
+
+    return result.returncode, stdout, stderr
+
+
+def decrypt_and_login(shell, secret, passphrase):
+    decoded = base64.b64decode(secret, validate=True)
+    if not passphrase:
+        raise Exception("a secret was set but no passphrase was set (or it was empty)")
+    (code, password, err) = get_cmd_output(
+        ["gpg", "--decrypt", "--batch", "--quiet", "--passphrase", passphrase, "--output", "-"],
+        input=decoded)
+    shell.docker_login(password)
+    print("Docker login success!")
 
 
 def acquire_build_image(context=Context.default(), shell=Shell()):
+    if context.encrypted_docker_password is not None:
+        decrypt_and_login(shell, context.encrypted_docker_password, context.docker_passphrase)
     # If the image doesn't already exist locally, then look remotely
     if not shell.docker_image_exists_locally(LOCAL_BASE_IMAGE_NAME, context.image_tag):
         announce("Base image not found locally.")
@@ -183,7 +222,7 @@ def acquire_build_image(context=Context.default(), shell=Shell()):
                 return 1
 
             announce("Building a new image locally.")
-            shell.docker_build_base_image(context.image_tag, context.tools_path)
+            shell.docker_build_base_image(context.image_tag, context.docker_image_path)
 
             if context.github_actions:
                 announce("Saving base image for use in later jobs...")
@@ -200,20 +239,23 @@ def acquire_build_image(context=Context.default(), shell=Shell()):
 
     announce("Creating local build image...")
     shell.docker_tag(LOCAL_BASE_IMAGE_NAME, context.image_tag, LOCAL_BASE_IMAGE_NAME, LOCAL_TAG)
-    shell.docker_build_build_image(context.user_id, context.script_path)
+    shell.docker_build_build_image(context.user_id, context.docker_image_path)
     return 0
 
 
 class SelfTest(unittest.TestCase):
-    def test_context(self, allow_local_build=False, github_actions=False):
+    def test_context(self, github_actions=False, allow_local_build=False, encrypted_docker_password=None,
+                     docker_passphrase=None):
         return Context(
             start_path="/tmp/test/start-path",
             script_path="/tmp/test/script-path",
             tools_path="/tmp/test/tools-path",
             user_id="123",
             image_tag="someimagetag",
+            encrypted_docker_password=encrypted_docker_password,
+            docker_passphrase=docker_passphrase,
+            github_actions=github_actions,
             allow_local_build=allow_local_build,
-            github_actions=github_actions
         )
 
     def mock_shell(self):
@@ -225,6 +267,7 @@ class SelfTest(unittest.TestCase):
         shell.docker_pull = MagicMock()
         shell.docker_save = MagicMock()
         shell.docker_tag = MagicMock()
+        shell.docker_login = MagicMock()
         return shell
 
     def test_retry_architecture_mismatch(self):
@@ -241,6 +284,13 @@ class SelfTest(unittest.TestCase):
             )
         )
 
+    def test_docker_login(self):
+        shell = self.mock_shell()
+        acquire_build_image(self.test_context(
+            encrypted_docker_password="jA0ECQMCvYU/JxsX3g/70j0BxbLLW8QaFWWb/DqY9gPhTuEN/xdYVxaoDnV6Fha+lAWdT7xN0qZr5DHPBalLfVvvM1SEXRBI8qnfXyGI",
+            docker_passphrase="secret"), shell)
+        shell.docker_login.assert_called_with("payload")
+
     def test_retry_immediate_success(self):
         shell = self.mock_shell()
         shell.docker_pull.side_effect = [DockerPullResult.SUCCESS]
@@ -368,7 +418,7 @@ class SelfTest(unittest.TestCase):
 
         shell.docker_image_exists_locally.assert_called_once()
         shell.docker_tag.assert_called_with(LOCAL_BASE_IMAGE_NAME, "someimagetag", LOCAL_BASE_IMAGE_NAME, LOCAL_TAG)
-        shell.docker_build_build_image.assert_called_with("123", "/tmp/test/script-path")
+        shell.docker_build_build_image.assert_called_with("123", "/tmp/test/tools-path/ci-build")
 
     # When:
     #  - the base image doesn't exist locally
@@ -385,10 +435,10 @@ class SelfTest(unittest.TestCase):
 
         self.assertEqual(0, acquire_build_image(context, shell))
         shell.docker_image_exists_locally.assert_called_once()
-        shell.docker_build_base_image.assert_called_with("someimagetag", "/tmp/test/tools-path")
+        shell.docker_build_base_image.assert_called_with("someimagetag", "/tmp/test/tools-path/ci-build")
         shell.docker_save.assert_not_called()
         shell.docker_tag.assert_called_with(LOCAL_BASE_IMAGE_NAME, "someimagetag", LOCAL_BASE_IMAGE_NAME, LOCAL_TAG)
-        shell.docker_build_build_image.assert_called_with("123", "/tmp/test/script-path")
+        shell.docker_build_build_image.assert_called_with("123", "/tmp/test/tools-path/ci-build")
 
     # When:
     #  - the base image doesn't exist locally
@@ -405,10 +455,10 @@ class SelfTest(unittest.TestCase):
 
         self.assertEqual(0, acquire_build_image(context, shell))
         shell.docker_image_exists_locally.assert_called_once()
-        shell.docker_build_base_image.assert_called_with("someimagetag", "/tmp/test/tools-path")
+        shell.docker_build_base_image.assert_called_with("someimagetag", "/tmp/test/tools-path/ci-build")
         shell.docker_save.assert_not_called()
         shell.docker_tag.assert_called_with(LOCAL_BASE_IMAGE_NAME, "someimagetag", LOCAL_BASE_IMAGE_NAME, LOCAL_TAG)
-        shell.docker_build_build_image.assert_called_with("123", "/tmp/test/script-path")
+        shell.docker_build_build_image.assert_called_with("123", "/tmp/test/tools-path/ci-build")
 
     # When:
     #  - the base image doesn't exist locally
@@ -425,14 +475,14 @@ class SelfTest(unittest.TestCase):
 
         self.assertEqual(0, acquire_build_image(context, shell))
         shell.docker_image_exists_locally.assert_called_once()
-        shell.docker_build_base_image.assert_called_with("someimagetag", "/tmp/test/tools-path")
+        shell.docker_build_base_image.assert_called_with("someimagetag", "/tmp/test/tools-path/ci-build")
         shell.docker_save.assert_called_with(
             LOCAL_BASE_IMAGE_NAME,
             "someimagetag",
             "/tmp/test/start-path/smithy-rs-base-image"
         )
         shell.docker_tag.assert_called_with(LOCAL_BASE_IMAGE_NAME, "someimagetag", LOCAL_BASE_IMAGE_NAME, LOCAL_TAG)
-        shell.docker_build_build_image.assert_called_with("123", "/tmp/test/script-path")
+        shell.docker_build_build_image.assert_called_with("123", "/tmp/test/tools-path/ci-build")
 
     # When:
     #  - the base image doesn't exist locally
@@ -472,7 +522,7 @@ class SelfTest(unittest.TestCase):
             call(REMOTE_BASE_IMAGE_NAME, "someimagetag", LOCAL_BASE_IMAGE_NAME, "someimagetag"),
             call(LOCAL_BASE_IMAGE_NAME, "someimagetag", LOCAL_BASE_IMAGE_NAME, LOCAL_TAG)
         ])
-        shell.docker_build_build_image.assert_called_with("123", "/tmp/test/script-path")
+        shell.docker_build_build_image.assert_called_with("123", "/tmp/test/tools-path/ci-build")
 
 
 def main():