Fixups

githedgehog · Oct 31, 2024 · e85b6c5 · e85b6c5
1 parent 75a07f7
commit e85b6c5
Show file tree

Hide file tree

Showing 4 changed files with 57 additions and 38 deletions.
diff --git a/.github/workflows/build-and-push-container.yml b/.github/workflows/build-and-push-container.yml
@@ -1,15 +1,23 @@
-name: Build
+name: build
 on:
   workflow_dispatch:
+    inputs:
+      debug_enabled:
+        type: boolean
+        description: "Run the build with tmate debugging enabled"
   pull_request:
     branches: "*"
   push:
     branches:
       - "main"
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
 jobs:
-  build-matrix:
-    name: generate build matrix
+  matrix:
+    name: "matrix"
     runs-on:
       - lab
     outputs:
@@ -86,14 +94,15 @@ jobs:
           
           EOF
 
-  build-and-push:
-    name: build
-    needs: build-matrix
+  run:
+    name: run
+    needs: matrix
     runs-on:
       - lab
     timeout-minutes: 300
     strategy:
-      matrix: ${{ fromJSON(needs.build-matrix.outputs.matrix) }}
+      max-parallel: 1
+      matrix: ${{ fromJSON(needs.matrix.outputs.matrix) }}
     steps:
       - uses: actions/checkout@v4
       - name: install nix
@@ -109,10 +118,6 @@ jobs:
       - uses: "dtolnay/rust-toolchain@stable"
       - uses: "cargo-bins/cargo-binstall@main"
       - run: "cargo binstall --no-confirm just"
-      - run: "cargo binstall --no-confirm csview"
-      - run: |
-          sudo apt-get update
-          sudo apt-get install --yes --no-install-recommends graphviz
       - name: setup nix cache
         id: nix-package-cache
         uses: actions/cache@v4
@@ -121,41 +126,58 @@ jobs:
           key: /nixpkgs/${{ matrix.nixpkgs }}
       - name: build
         run: just --yes debug=true max_nix_builds=1 rust=${{matrix.toolchain.key}} build
+      - name: install sbom dependencies
+        run: |
+          for f in /tmp/dpdk-sys/builds/*; do
+            [ -h "$f" ] && rm "$f"
+          done
+          cargo binstall --no-confirm csview
+          sudo apt-get update
+          sudo apt-get install --yes --no-install-recommends graphviz
       - name: Generate SBOM
         run: ./scripts/sbom.sh
       - name: push
         run: just --yes debug=true max_nix_builds=1 rust=${{matrix.toolchain.key}} push
       - name: garbage collect
         run: just --yes debug=true max_nix_builds=1 rust=${{matrix.toolchain.key}} nix-garbage-collector
-      - name: clean up symlinks in /tmp/dpdk-sys/builds
-        run: |
-          for f in /tmp/dpdk-sys/builds/*; do
-            [ -h "$f" ] && rm "$f"
-          done
       - name: step summary
+        continue-on-error: true # might fail due to $GITHUB_STEP_SUMMARY size limit of 1MB
         run: |
           echo "# Outdated packages:" >> "$GITHUB_STEP_SUMMARY"
           echo "" >> "$GITHUB_STEP_SUMMARY"
           cat /tmp/dpdk-sys/builds/env.sysroot.gnu64.release.outdated.md >> $GITHUB_STEP_SUMMARY
           
           echo "" >> "$GITHUB_STEP_SUMMARY"
-          echo "# Runtime SBOM (gnu64):" >> "$GITHUB_STEP_SUMMARY"
+          echo "# Vuln scan (gnu64):" >> "$GITHUB_STEP_SUMMARY"
           echo "" >> "$GITHUB_STEP_SUMMARY"
-          cat /tmp/dpdk-sys/builds/env.sysroot.gnu64.release.runtime.sbom.md >> $GITHUB_STEP_SUMMARY
+          cat /tmp/dpdk-sys/builds/env.sysroot.gnu64.release.vulns.triage.md >> $GITHUB_STEP_SUMMARY
           
           echo "" >> "$GITHUB_STEP_SUMMARY"
-          echo "# Vuln scan (gnu64):" >> "$GITHUB_STEP_SUMMARY"
+          echo "# Runtime SBOM (gnu64):" >> "$GITHUB_STEP_SUMMARY"
           echo "" >> "$GITHUB_STEP_SUMMARY"
-          cat /tmp/dpdk-sys/builds/env.sysroot.gnu64.release.vulns.triage.md >> $GITHUB_STEP_SUMMARY
+          cat /tmp/dpdk-sys/builds/env.sysroot.gnu64.release.runtime.sbom.md >> $GITHUB_STEP_SUMMARY
           
           echo "" >> "$GITHUB_STEP_SUMMARY"
+
       - uses: actions/upload-artifact@v4
         with:
           name: builds-${{ matrix.toolchain.key }}
           path: /tmp/dpdk-sys/builds
-#      - name: Setup tmate session for debug
-#        if: ${{ failure() }}
-#        uses: mxschmitt/action-tmate@v3
-#        timeout-minutes: 30
-#        with:
-#          limit-access-to-actor: true
+      - name: Setup tmate session for debug
+        if: ${{ failure() && github.event_name == 'workflow_dispatch' && inputs.debug_enabled }}
+        uses: mxschmitt/action-tmate@v3
+        timeout-minutes: 30
+        with:
+          limit-access-to-actor: true
+
+  summary:
+    name: summary
+    if: ${{ always() }}
+    runs-on:
+      - lab
+    needs:
+      - run
+    steps:
+      - name: Flag any build matrix failures
+        if: ${{ needs.run.result != 'success' }}
+        run: exit 1
diff --git a/.github/workflows/bump.yml b/.github/workflows/bump.yml
@@ -7,7 +7,7 @@
 
 # Production artifacts are produced in a sterile environment (in another CI workflow).
 
-name: "bump/versions"
+name: "bump"
 on:
   workflow_dispatch:
   schedule:
@@ -21,7 +21,7 @@ permissions:
   pull-requests: "write"
   id-token: "write"
 jobs:
-  update:
+  bump:
     runs-on:
       - "lab"
     steps:
@@ -37,12 +37,8 @@ jobs:
         uses: "peter-evans/create-pull-request@v7"
         with:
           branch: "bump/versions"
-          title: "update version pinning"
+          title: "bump"
           labels: |
             automated
             dependencies
-            bump/versions
-          signoff: "true"
-          commit-message: "bump/versions"
           sign-commits: "true"
-          body: "update version pinning"
diff --git a/builds.template.yml b/builds.template.yml
@@ -15,8 +15,6 @@ env:
     version: &just_version "${JUST_STABLE_PIN}"
 # matrix describes the test structure which I expect to be relatively stable.
 matrix:
-  nixpkgs:
-    - *nixpkgs_unstable
   toolchain:
     - # pinned stable
       &default
@@ -40,3 +38,5 @@ matrix:
       rust:
         channel: "nightly"
         version: *nightly_pin
+  nixpkgs:
+    - *nixpkgs_unstable
diff --git a/scripts/sbom.sh b/scripts/sbom.sh
@@ -12,9 +12,9 @@ declare -r package="env.sysroot"
 
 for libc in "musl64" "gnu64"; do
   # shellcheck disable=SC2043
-  for profile in "release"; do
+  for profile in "debug" "release"; do
     # shellcheck disable=SC2043
-    for dep_type in "runtime"; do
+    for dep_type in "buildtime" "runtime"; do
       # shellcheck disable=SC2046,SC2006
       nix run \
         "${sbomnix}#sbomnix" \
@@ -59,7 +59,7 @@ for libc in "musl64" "gnu64"; do
       "${sbomnix}#nixgraph" \
       -- \
       --out "${builds}/${package}.${libc}.${profile}.${dep_type}.nixgraph.dot" \
-      --depth=10 \
+      --depth=15 \
       --verbose=1 \
       "${builds}/${package}.${libc}.${profile}"
   done
@@ -71,4 +71,5 @@ done
 
 for file in "${builds}/"*.dot; do
   dot -Tsvg "$file" > "${file%.dot}.svg"
+  dot -Gdpi=300 -Tpng "$file" > "${file%.dot}.png"
 done