Clean up CI #18
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "build.yml" | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| debug_enabled: | |
| type: "boolean" | |
| description: "Run the build with tmate debugging enabled" | |
| merge_group: | |
| pull_request: | |
| push: | |
| branches: | |
| - "main" | |
| #concurrency: | |
| # group: "${{ github.workflow }}" | |
| # cancel-in-progress: true | |
| jobs: | |
| matrix: | |
| permissions: | |
| issues: "write" | |
| pull-requests: "write" | |
| packages: "write" | |
| contents: "write" | |
| id-token: "write" | |
| name: "matrix" | |
| runs-on: | |
| - "lab" | |
| outputs: | |
| matrix: "${{ steps.matrix.outputs.matrix }}" | |
| steps: | |
| - uses: "actions/checkout@v4" | |
| - uses: "dtolnay/rust-toolchain@stable" | |
| - uses: "cargo-bins/cargo-binstall@main" | |
| - name: "install whyq" | |
| run: | | |
| set -euxo pipefail | |
| sudo apt-get update | |
| sudo apt-get install --yes --no-install-recommends jq | |
| cargo binstall --no-confirm whyq | |
| - name: "generate test matrix" | |
| id: "matrix" | |
| run: | | |
| set -euxo pipefail | |
| yq \ | |
| --compact-output \ | |
| --raw-output \ | |
| '"matrix=" + (.matrix | tostring)' builds.yml \ | |
| | tee -a "${GITHUB_OUTPUT}" | |
| - name: "report build plan" | |
| run: | | |
| cat >> "${GITHUB_STEP_SUMMARY}" <<EOF | |
| # Action plan | |
| ## Build matrix | |
| \`\`\`yml | |
| $(yq --yaml-output '.matrix' builds.yml) | |
| \`\`\` | |
| ## Raw build flags file | |
| \`\`\`yml | |
| $(< ./nix/flags.nix) | |
| \`\`\` | |
| ## Build versions | |
| ### env | |
| \`\`\`yml | |
| $(yq --yaml-output '.env' builds.yml) | |
| \`\`\` | |
| <details> | |
| <summary> | |
| ## Raw \`builds.yml\` file | |
| </summary> | |
| \`\`\`yml | |
| $(< builds.yml) | |
| \`\`\` | |
| </details> | |
| <details> | |
| <summary> | |
| ## Raw \`versions.nix\` file | |
| </summary> | |
| \`\`\`nix | |
| $(< nix/versions.nix) | |
| \`\`\` | |
| </details> | |
| EOF | |
| run: | |
| name: "run" | |
| needs: | |
| - matrix | |
| runs-on: | |
| - "lab" | |
| timeout-minutes: 300 | |
| strategy: | |
| max-parallel: 3 | |
| matrix: ${{ fromJSON(needs.matrix.outputs.matrix) }} | |
| permissions: | |
| issues: "write" | |
| pull-requests: "write" | |
| packages: "write" | |
| contents: "write" | |
| id-token: "write" | |
| steps: | |
| - uses: "actions/checkout@v4" | |
| - name: "install nix" | |
| uses: "cachix/install-nix-action@v30" | |
| - name: "login to ghcr.io" | |
| uses: "docker/login-action@v3" | |
| with: | |
| registry: "ghcr.io" | |
| username: "${{ github.actor }}" | |
| password: "${{ secrets.GITHUB_TOKEN }}" | |
| - uses: "dtolnay/rust-toolchain@stable" | |
| - uses: "cargo-bins/cargo-binstall@main" | |
| - run: | | |
| cargo binstall --no-confirm just | |
| - name: "nix cache" | |
| uses: "DeterminateSystems/magic-nix-cache-action@main" | |
| - name: "confirm sources" | |
| run: | | |
| ./scripts/confirm-sources.sh | |
| - name: "build + push" | |
| run: | | |
| just --yes debug=true max_nix_builds=1 rust=${{matrix.toolchain.key}} push | |
| - name: "Install SBOM generator dependencies" | |
| run: | | |
| for f in /tmp/dpdk-sys/builds/*; do | |
| [ -h "$f" ] && rm "$f" | |
| done | |
| cargo binstall --no-confirm csview | |
| sudo apt-get update | |
| sudo apt-get install --yes --no-install-recommends graphviz | |
| - name: "Generate SBOM" | |
| run: | | |
| ./scripts/sbom.sh | |
| - name: "SBOM upload" | |
| # if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} | |
| uses: "advanced-security/[email protected]" | |
| with: | |
| filePattern: '/tmp/dpdk-sys/builds/*.spdx.json' | |
| - name: "step summary" | |
| continue-on-error: true # might fail due to $GITHUB_STEP_SUMMARY size limit of 1MB | |
| run: | | |
| { | |
| echo "# Outdated packages (gnu64):"; | |
| echo ""; | |
| cat /tmp/dpdk-sys/builds/env.sysroot.gnu64.outdated.md; | |
| echo ""; | |
| echo "# Outdated packages (musl64):"; | |
| echo ""; | |
| cat /tmp/dpdk-sys/builds/env.sysroot.musl64.outdated.md; | |
| echo ""; | |
| echo "# Vuln scan (gnu64):"; | |
| echo ""; | |
| cat /tmp/dpdk-sys/builds/env.sysroot.gnu64.vulns.triage.md; | |
| echo ""; | |
| echo "# Vuln scan (musl64):"; | |
| echo ""; | |
| cat /tmp/dpdk-sys/builds/env.sysroot.musl64.vulns.triage.md; | |
| echo ""; | |
| } >> $GITHUB_STEP_SUMMARY | |
| - name: "remove links from /tmp/dpdk-sys/builds" | |
| run: | | |
| for f in /tmp/dpdk-sys/builds/*; do | |
| [ -h "$f" ] && rm "$f" | |
| done | |
| - uses: "actions/upload-artifact@v4" | |
| with: | |
| name: "builds-${{ matrix.toolchain.key }}" | |
| path: "/tmp/dpdk-sys/builds" | |
| - name: "Setup tmate session for debug" | |
| if: ${{ failure() && github.event_name == 'workflow_dispatch' && inputs.debug_enabled }} | |
| uses: "mxschmitt/action-tmate@v3" | |
| timeout-minutes: 60 | |
| with: | |
| limit-access-to-actor: true | |
| - name: "outdated packages (gnu64)" | |
| uses: "actions/github-script@v7" | |
| if: ${{ github.event_name == 'pull_request' }} | |
| continue-on-error: true | |
| with: | |
| github-token: "${{ secrets.GITHUB_TOKEN }}" | |
| script: | | |
| let fs = require('fs'); | |
| let body = "# Outdated packages (gnu64):\n"; | |
| body += fs.readFileSync('/tmp/dpdk-sys/builds/env.sysroot.gnu64.outdated.md'); | |
| github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: body | |
| }); | |
| - name: "outdated packages (musl64)" | |
| uses: "actions/github-script@v7" | |
| if: ${{ github.event_name == 'pull_request' }} | |
| continue-on-error: true | |
| with: | |
| github-token: "${{ secrets.GITHUB_TOKEN }}" | |
| script: | | |
| let fs = require('fs'); | |
| let body = "# Outdated packages (musl64):\n"; | |
| body += fs.readFileSync('/tmp/dpdk-sys/builds/env.sysroot.musl64.outdated.md'); | |
| github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: body | |
| }); | |
| - name: "Vulnerable packages (gnu64)" | |
| uses: "actions/github-script@v7" | |
| if: ${{ github.event_name == 'pull_request' }} | |
| continue-on-error: true | |
| with: | |
| github-token: "${{ secrets.GITHUB_TOKEN }}" | |
| script: | | |
| let fs = require('fs'); | |
| let body = "# Vulnerable packages (gnu64):\n"; | |
| body += fs.readFileSync('/tmp/dpdk-sys/builds/env.sysroot.gnu64.vulns.triage.md'); | |
| github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: body | |
| }); | |
| - name: "Vulnerable packages (musl64)" | |
| uses: "actions/github-script@v7" | |
| if: ${{ github.event_name == 'pull_request' }} | |
| continue-on-error: true | |
| with: | |
| github-token: "${{ secrets.GITHUB_TOKEN }}" | |
| script: | | |
| let fs = require('fs'); | |
| let body = "# Vulnerable packages (musl64):\n"; | |
| body += fs.readFileSync('/tmp/dpdk-sys/builds/env.sysroot.musl64.vulns.triage.md'); | |
| github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: body | |
| }); | |
| summary: | |
| name: "summary" | |
| if: ${{ always() }} | |
| runs-on: | |
| - "lab" | |
| needs: | |
| - run | |
| steps: | |
| - name: "Flag any build matrix failures" | |
| if: ${{ needs.run.result != 'success' }} | |
| run: | | |
| >&2 echo "A critical step failed!" | |
| exit 1 |