CI/CD: Cache C client build #764
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
## dev #764 +/- ##
==========================================
+ Coverage 82.35% 82.37% +0.02%
==========================================
Files 99 99
Lines 14379 14509 +130
==========================================
+ Hits 11842 11952 +110
- Misses 2537 2557 +20
|
| runs-on: ubuntu-22.04 | ||
| strategy: | ||
| matrix: | ||
| py-version: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14"] | ||
| # Make sure we can build and run tests on an instrumented build that uses libasan | ||
| # We aren't necessarily checking for memory errors / leaks in this test | ||
| sanitizer: [false] | ||
| include: | ||
| - py-version: 3.9 | ||
| sanitizer: true | ||
| fail-fast: false | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v2 | ||
| with: | ||
| submodules: recursive | ||
| fetch-depth: 0 | ||
|
|
||
| - run: echo C_CLIENT_REVISION=$(git submodule status | awk '{print $1}') >> $GITHUB_ENV | ||
|
|
||
| - uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: ${{ matrix.py-version }} | ||
| architecture: 'x64' | ||
| allow-prereleases: true | ||
|
|
||
| - run: sudo apt update | ||
| - name: Install build dependencies (apt packages) | ||
| run: sudo apt install python3-dev libssl-dev -y | ||
| - name: Install build dependencies (pip packages) | ||
| run: python3 -m pip install -r requirements.txt | ||
|
|
||
| - if: ${{ matrix.sanitizer }} | ||
| run: echo SANITIZER=1 >> $GITHUB_ENV | ||
|
|
||
| - uses: actions/download-artifact@v4 | ||
| id: get-c-client | ||
| with: | ||
| name: c-client-${{ env.C_CLIENT_REVISION }} | ||
|
|
||
| - run: ls -R | ||
|
|
||
| - name: Build client | ||
| run: python3 -m build | ||
| env: | ||
| CFLAGS: '-Werror' | ||
| C_CLIENT_SHARED_PATH: 1 | ||
|
|
||
| - run: echo WHEEL_GH_ARTIFACT_NAME=wheel-${{ matrix.py-version }} >> $GITHUB_ENV | ||
|
|
||
| - if: ${{ matrix.sanitizer }} | ||
| run: echo WHEEL_GH_ARTIFACT_NAME=${{ env.WHEEL_GH_ARTIFACT_NAME }}-sanitizer >> $GITHUB_ENV | ||
|
|
||
| - name: Send wheel to test jobs | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: ${{ env.WHEEL_GH_ARTIFACT_NAME }} | ||
| path: ./dist/*.whl |
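Review bot: The artifact name is derived differently here than in the job that produces it: this job uses `git submodule status | awk '{print $1}'`, while the C client job runs `git rev-parse HEAD` inside aerospike-client-c. `git submodule status` prefixes the SHA with `+` or `-` when the submodule is out of sync or uninitialised and prints one line per submodule, so the two values can diverge, and the `get-c-client` download of `c-client-${{ env.C_CLIENT_REVISION }}` has no fallback in this job. Suggest computing the revision once in the C client job and passing it on as a workflow output. Separately, this job still uses `actions/checkout@v2` while the C client job uses `@v4`, and the `ls -R` step looks like leftover debugging.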
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 15 days ago
To fix the problem, you should add a permissions block to the workflow file, specifying the minimum set of permissions needed for the job to operate. Since this workflow only checks out code and interacts with artifacts, the minimal required permission is typically contents: read. If the workflow also uses actions that require managing workflow metadata, adding actions: read is recommended, but contents: read is the absolutely necessary minimum for code checkout. You can place the permissions block either at the workflow root (to apply to all jobs by default) or within the specific job (to scope it only to that job). In this case, placing it at the root is both concise and clear. There is no need to change any imports or other job steps.
Specifically, insert the following block near the top of .github/workflows/build-python-client.yml:
permissions:
  contents: read
This should be placed after the on: block and before the jobs: block.
| @@ -1,6 +1,9 @@ | ||
| on: | ||
| workflow_call: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| build-python-client: | ||
| runs-on: ubuntu-22.04 |
| uses: ./.github/workflows/build-c-client.yml | ||
|
|
||
| build-python-client: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 16 days ago
To fix this issue, set an explicit permissions block at the root of .github/workflows/build.yml, to minimize the GITHUB_TOKEN's privileges for all jobs unless specifically overridden. If neither job needs to make any changes to code, releases, issues, etc., the strictest permission is contents: read, which allows jobs to clone code but not write to the repository. Add the following block to the top-level of the workflow (just beneath the workflow name: if present, or beneath the on: block, before jobs:), so that all jobs inherit these permissions unless overridden in reusable workflows.
Steps:
- Insert a permissions: block at the top level of .github/workflows/build.yml (between on: and jobs:).
- Set contents: read (minimal permission for most build/test workflows).
- If jobs require additional write permissions (e.g., to PRs or issues), amend as needed, but from the code shown, only read is necessary.
| @@ -5,6 +5,9 @@ | ||
| # - src/** | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| build-c-client: | ||
| uses: ./.github/workflows/build-c-client.yml |
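Review bot: A root-level block in build.yml caps both called workflows, because jobs invoked with `uses:` can only keep or reduce the token permissions their caller grants. Before applying `contents: read` here, confirm that nothing in build-c-client.yml or build-python-client.yml needs a wider scope, since a called workflow cannot obtain it on its own.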
| needs: build-c-client | ||
| uses: ./.github/workflows/build-python-client.yml |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 16 days ago
To fix the problem, you should add a permissions block to .github/workflows/build.yml, either at the root level (so it applies to all jobs unless overridden) or at the job level for each job. Since both jobs are included via uses (i.e., "reusable" workflows), and as the workflow itself should set a minimal permissions block unless stronger job-specific permissions are required, you should add a root-level permissions key specifying the least privilege needed. If unsure, you can start with the minimal recommended permissions: contents: read, which allows read-only access to repository contents, and further permissions can be added later if features break or more privilege is required. This change should be made near the top of the workflow file, immediately after the on: block.
| @@ -5,6 +5,9 @@ | ||
| # - src/** | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| build-c-client: | ||
| uses: ./.github/workflows/build-c-client.yml |
| runs-on: ubuntu-22.04 | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| submodules: recursive | ||
| sparse-checkout: | | ||
| aerospike-client-c | ||
|
|
||
| - run: echo C_CLIENT_REVISION=$(git rev-parse HEAD) >> $GITHUB_ENV | ||
| working-directory: aerospike-client-c | ||
|
|
||
| - uses: actions/download-artifact@v4 | ||
| id: download-c-client | ||
| with: | ||
| name: c-client-${{ env.C_CLIENT_REVISION }} | ||
| continue-on-error: true | ||
|
|
||
| - name: Install C client build dependencies | ||
| if: ${{ steps.download-c-client.outcome == 'failure' }} | ||
| run: | | ||
| sudo apt update && | ||
| sudo apt-get install -y libc6-dev libssl-dev autoconf automake libtool g++ zlib1g-dev ncurses-dev | ||
|
|
||
| - run: make build | ||
| if: ${{ steps.download-c-client.outcome == 'failure' }} | ||
| working-directory: aerospike-client-c | ||
|
|
||
| - name: Send C client static library to job that builds Python client | ||
| uses: actions/upload-artifact@v4 | ||
| if: ${{ steps.download-c-client.outcome == 'failure' }} | ||
| with: | ||
| name: c-client-${{ env.C_CLIENT_REVISION }} | ||
| # TODO: not the precise folder | ||
| path: ./aerospike-client-c/target/Linux-x86_64/lib/libaerospike.a | ||
| if-no-files-found: error |
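Review bot: The `download-c-client` step passes only `name:`, and actions/download-artifact@v4 then looks only at artifacts uploaded in the current workflow run, so on a fresh run the lookup fails and `make build` runs every time; `continue-on-error: true` hides that. If the goal is to reuse a build across runs, either use actions/cache keyed on `C_CLIENT_REVISION`, or pass `run-id` and `github-token` to the download step, which needs `actions: read` on the token in addition to `contents: read`. Whichever is used, the restored libaerospike.a is linked into the wheel unverified, so consider storing a checksum with the artifact and checking it before the Python build. The `# TODO: not the precise folder` comment on the upload path should be resolved before merge.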
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 16 days ago
To fix this issue without changing the existing workflow functionality, add a permissions: block at the top/root of the workflow file (just after on: and before jobs:). The minimal set required here is likely contents: read since the workflow only reads repository content, checks out code, and uploads/downloads artifacts. None of the steps require elevated write privileges. Thus, set permissions: contents: read at the root, which will apply to all jobs (unless overridden at job level). No imports or method definitions are necessary.
Changes to make:
- Insert the following block after the on: section and before jobs: (i.e., between lines 3 and 4):
permissions:
  contents: read
| @@ -1,6 +1,9 @@ | ||
| on: | ||
| workflow_call: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| # TODO: define a var for the same OS used in the other build job | ||
| build-c-client: |
… same as target folder's include folder...
Build C client in a separate job, then save shared library as Github artifact
Then pass artifact to job that builds Python client
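An offline check for the condition the CodeQL alerts above report, as an added example (not code from this pull request or from CodeQL): it lists the jobs in a workflow that have neither a job-level nor a root-level `permissions:` block. It assumes block-style YAML indented with spaces; the function name and the sample workflows, modelled on the build.yml lines shown above, are constructed here.

```python
import re

KEY = re.compile(r"\s*([A-Za-z0-9_.-]+)\s*:")

def jobs_without_permissions(workflow_text):
    """Return names of jobs that run with the default GITHUB_TOKEN scope."""
    root_perms, in_jobs = False, False
    job_indent = child_indent = current = None
    jobs = {}  # job name -> True if it declares its own permissions
    for raw in workflow_text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()          # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        m = KEY.match(line)
        if indent == 0:                                # root-level key
            name = m.group(1) if m else None
            in_jobs = name == "jobs"
            root_perms = root_perms or name == "permissions"
            current = None
            continue
        if not in_jobs or not m:
            continue
        if job_indent is None:                         # first key under jobs:
            job_indent = indent
        if indent == job_indent:                       # a job name
            current, child_indent = m.group(1), None
            jobs[current] = False
        elif current is not None:
            if child_indent is None:                   # first key inside the job
                child_indent = indent
            if indent == child_indent and m.group(1) == "permissions":
                jobs[current] = True
    if root_perms:                                     # root block covers all jobs
        return []
    return [name for name, ok in jobs.items() if not ok]

# Constructed sample: build.yml before the suggested fix.
BEFORE = """\
on:
  workflow_dispatch:

jobs:
  build-c-client:
    uses: ./.github/workflows/build-c-client.yml

  build-python-client:
    needs: build-c-client
    uses: ./.github/workflows/build-python-client.yml
"""
# Constructed sample: the same file with the root-level block added.
AFTER = BEFORE.replace("jobs:", "permissions:\n  contents: read\n\njobs:")

if __name__ == "__main__":
    print(jobs_without_permissions(BEFORE), jobs_without_permissions(AFTER))
```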