.github/workflows/build.yml

name: "build.yml"
on:
  workflow_dispatch:
    inputs:
      debug_enabled:
        type: "boolean"
        description: "Run the build with tmate debugging enabled"
  merge_group:
  pull_request:
  push:
    branches:
      - "main"

#concurrency:
#  group: "${{ github.workflow }}"
#  cancel-in-progress: true

jobs:
  matrix:
    permissions:
      issues: "write"
      pull-requests: "write"
      packages: "write"
      contents: "write"
      id-token: "write"
    name: "matrix"
    runs-on:
      - "lab"
    outputs:
      matrix: "${{ steps.matrix.outputs.matrix }}"
    steps:
      - uses: "actions/checkout@v4"
      - uses: "dtolnay/rust-toolchain@stable"
      - uses: "cargo-bins/cargo-binstall@main"
      - name: "install whyq"
        run: |
          set -euxo pipefail
          sudo apt-get update
          sudo apt-get install --yes --no-install-recommends jq
          cargo binstall --no-confirm whyq
      - name: "generate test matrix"
        id: "matrix"
        run: |
          set -euxo pipefail
          yq \
            --compact-output \
            --raw-output \
            '"matrix=" + (.matrix | tostring)' builds.yml \
          | tee -a "${GITHUB_OUTPUT}"
      - name: "report build plan"
        run: |
          cat >> "${GITHUB_STEP_SUMMARY}" <<EOF
          # Action plan
          
          ## Build matrix
          
          \`\`\`yml
          $(yq --yaml-output '.matrix' builds.yml)
          \`\`\`
          
          ## Raw build flags file
          
          \`\`\`yml
          $(< ./nix/flags.nix)
          \`\`\`
          
          ## Build versions
          
          ### env
          
          \`\`\`yml
          $(yq --yaml-output '.env' builds.yml)
          \`\`\`
          
          <details>
          <summary>

          ## Raw \`builds.yml\` file

          </summary>
          
          \`\`\`yml
          $(< builds.yml)
          \`\`\`
          
          </details>
          
          <details>
          <summary>
          
          ## Raw \`versions.nix\` file
          
          </summary>
          
          \`\`\`nix
          $(< nix/versions.nix)
          \`\`\`
          
          </details>
          
          EOF

  run:
    name: "run"
    needs:
      - matrix
    runs-on:
      - "lab"
    timeout-minutes: 300
    strategy:
      max-parallel: 3
      matrix: ${{ fromJSON(needs.matrix.outputs.matrix) }}
    permissions:
      issues: "write"
      pull-requests: "write"
      packages: "write"
      contents: "write"
      id-token: "write"
    steps:
      - uses: "actions/checkout@v4"
      - name: "install nix"
        uses: "cachix/install-nix-action@v30"
      - name: "login to ghcr.io"
        uses: "docker/login-action@v3"
        with:
          registry: "ghcr.io"
          username: "${{ github.actor }}"
          password: "${{ secrets.GITHUB_TOKEN }}"
      - uses: "dtolnay/rust-toolchain@stable"
      - uses: "cargo-bins/cargo-binstall@main"
      - run: |
          cargo binstall --no-confirm just
      - name: "nix cache"
        uses: "DeterminateSystems/magic-nix-cache-action@main"
      - name: "confirm sources"
        run: |
          ./scripts/confirm-sources.sh
      - name: "build + push"
        run: |
          just --yes debug=true max_nix_builds=1 rust=${{matrix.toolchain.key}} push
      - name: "Install SBOM generator dependencies"
        run: |
          for f in /tmp/dpdk-sys/builds/*; do
            [ -h "$f" ] && rm "$f"
          done
          cargo binstall --no-confirm csview
          sudo apt-get update
          sudo apt-get install --yes --no-install-recommends graphviz
      - name: "Generate SBOM"
        run: |
          ./scripts/sbom.sh
      - name: "SBOM upload"
        # if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
        uses: "advanced-security/spdx-dependency-submission-action@v0.1.1"
        with:
          filePattern: '/tmp/dpdk-sys/builds/*.spdx.json'
      - name: "step summary"
        continue-on-error: true # might fail due to $GITHUB_STEP_SUMMARY size limit of 1MB
        run: |
          {
            echo "# Outdated packages (gnu64):";
            echo "";
            cat /tmp/dpdk-sys/builds/env.sysroot.gnu64.outdated.md;
            echo "";
            echo "# Outdated packages (musl64):";
            echo "";
            cat /tmp/dpdk-sys/builds/env.sysroot.musl64.outdated.md;
            echo "";
            echo "# Vuln scan (gnu64):";
            echo "";
            cat /tmp/dpdk-sys/builds/env.sysroot.gnu64.vulns.triage.md;
            echo "";
            echo "# Vuln scan (musl64):";
            echo "";
            cat /tmp/dpdk-sys/builds/env.sysroot.musl64.vulns.triage.md;
            echo "";
          } >> $GITHUB_STEP_SUMMARY
      - name: "remove links from /tmp/dpdk-sys/builds"
        run: |
          for f in /tmp/dpdk-sys/builds/*; do
              [ -h "$f" ] && rm "$f"
          done
      - uses: "actions/upload-artifact@v4"
        with:
          name: "builds-${{ matrix.toolchain.key }}"
          path: "/tmp/dpdk-sys/builds"
      - name: "Setup tmate session for debug"
        if: ${{ failure() && github.event_name == 'workflow_dispatch' && inputs.debug_enabled }}
        uses: "mxschmitt/action-tmate@v3"
        timeout-minutes: 60
        with:
          limit-access-to-actor: true

      - name: "outdated packages (gnu64)"
        uses: "actions/github-script@v7"
        if: ${{ github.event_name == 'pull_request' }}
        continue-on-error: true
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
          script: |
            let fs = require('fs');
            let body = "# Outdated packages (gnu64):\n";
            body += fs.readFileSync('/tmp/dpdk-sys/builds/env.sysroot.gnu64.outdated.md');
            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: body
            });

      - name: "outdated packages (musl64)"
        uses: "actions/github-script@v7"
        if: ${{ github.event_name == 'pull_request' }}
        continue-on-error: true
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
          script: |
            let fs = require('fs');
            let body = "# Outdated packages (musl64):\n";
            body += fs.readFileSync('/tmp/dpdk-sys/builds/env.sysroot.musl64.outdated.md');
            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: body
            });

      - name: "Vulnerable packages (gnu64)"
        uses: "actions/github-script@v7"
        if: ${{ github.event_name == 'pull_request' }}
        continue-on-error: true
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
          script: |
            let fs = require('fs');
            let body = "# Vulnerable packages (gnu64):\n";
            body += fs.readFileSync('/tmp/dpdk-sys/builds/env.sysroot.gnu64.vulns.triage.md');
            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: body
            });

      - name: "Vulnerable packages (musl64)"
        uses: "actions/github-script@v7"
        if: ${{ github.event_name == 'pull_request' }}
        continue-on-error: true
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
          script: |
            let fs = require('fs');
            let body = "# Vulnerable packages (musl64):\n";
            body += fs.readFileSync('/tmp/dpdk-sys/builds/env.sysroot.musl64.vulns.triage.md');
            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: body
            });

  summary:
    name: "summary"
    if: ${{ always() }}
    runs-on:
      - "lab"
    needs:
      - run
    steps:
      - name: "Flag any build matrix failures"
        if: ${{ needs.run.result != 'success' }}
        run: |
          >&2 echo "A critical step failed!"
          exit 1