Minor CI improvements

.github/workflows/build.yml

@@ -11,9 +11,9 @@ on:
     branches:
       - "main"
 
-#concurrency:
-#  group: "${{ github.workflow }}"
-#  cancel-in-progress: true
+concurrency:
+  group: "${{ github.workflow }}:${{ github.ref }}"
+  cancel-in-progress: true
 
 jobs:
   matrix:
@@ -49,57 +49,7 @@ jobs:
           | tee -a "${GITHUB_OUTPUT}"
       - name: "report build plan"
         run: |
-          cat >> "${GITHUB_STEP_SUMMARY}" <<EOF
-          # Action plan
-          
-          ## Build matrix
-          
-          \`\`\`yml
-          $(yq --yaml-output '.matrix' builds.yml)
-          \`\`\`
-          
-          ## Raw build flags file
-          
-          \`\`\`yml
-          $(< ./nix/flags.nix)
-          \`\`\`
-          
-          ## Build versions
-          
-          ### env
-          
-          \`\`\`yml
-          $(yq --yaml-output '.env' builds.yml)
-          \`\`\`
-          
-          <details>
-          <summary>
-
-          ## Raw \`builds.yml\` file
-
-          </summary>
-          
-          \`\`\`yml
-          $(< builds.yml)
-          \`\`\`
-          
-          </details>
-          
-          <details>
-          <summary>
-          
-          ## Raw \`versions.nix\` file
-          
-          </summary>
-          
-          \`\`\`nix
-          $(< nix/versions.nix)
-          \`\`\`
-          
-          </details>
-          
-          EOF
-
+          ./scripts/plan.sh "${GITHUB_STEP_SUMMARY}"
   run:
     name: "run"
     needs:
@@ -108,13 +58,13 @@ jobs:
       - "lab"
     timeout-minutes: 300
     strategy:
-      max-parallel: 3
+      max-parallel: 2
       matrix: ${{ fromJSON(needs.matrix.outputs.matrix) }}
     permissions:
       issues: "write"
       pull-requests: "write"
       packages: "write"
-      contents: "write"
+      contents: "read"
       id-token: "write"
     steps:
       - uses: "actions/checkout@v4"
@@ -145,7 +95,7 @@ jobs:
 
       - name: "build + push"
         run: |
-          just --yes debug=true max_nix_builds=1 rust=${{matrix.toolchain.key}} push
+          just --yes debug=true max_nix_builds=1 rust="${{ matrix.toolchain.key }}" push
 
       - name: "Install SBOM generator dependencies"
         run: |
@@ -156,7 +106,7 @@ jobs:
           sudo apt-get update
           sudo apt-get install --yes --no-install-recommends graphviz
 
-      - name: "Generate SBOM"
+      - name: "generate SBOM"
         run: |
           ./scripts/sbom.sh
 
@@ -179,7 +129,6 @@ jobs:
       - name: "outdated packages (gnu64)"
         uses: "actions/github-script@v7"
         if: ${{ github.event_name == 'pull_request' }}
-        continue-on-error: true
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
           script: |
@@ -190,6 +139,11 @@ jobs:
             body += "</summary>\n\n";
             body += fs.readFileSync('/tmp/dpdk-sys/builds/env.sysroot.gnu64.outdated.md');
             body += "\n</details>\n";
+            const maxLength = 65535;
+            if (body.length > maxLength) {
+              const warning = "\n...output truncated due to length limits...\n";
+              body = body.slice(0, maxLength - warning.length) + warning;
+            }
             github.rest.issues.createComment({
               issue_number: context.issue.number,
               owner: context.repo.owner,
@@ -200,7 +154,6 @@ jobs:
       - name: "outdated packages (musl64)"
         uses: "actions/github-script@v7"
         if: ${{ github.event_name == 'pull_request' }}
-        continue-on-error: true
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
           script: |
@@ -211,6 +164,11 @@ jobs:
             body += "</summary>\n\n";
             body += fs.readFileSync('/tmp/dpdk-sys/builds/env.sysroot.musl64.outdated.md');
             body += "\n</details>\n";
+            const maxLength = 65535;
+            if (body.length > maxLength) {
+              const warning = "\n...output truncated due to length limits...\n";
+              body = body.slice(0, maxLength - warning.length) + warning;
+            }
             github.rest.issues.createComment({
               issue_number: context.issue.number,
               owner: context.repo.owner,
@@ -221,7 +179,6 @@ jobs:
       - name: "Vulnerable packages (gnu64)"
         uses: "actions/github-script@v7"
         if: ${{ github.event_name == 'pull_request' }}
-        continue-on-error: true
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
           script: |
@@ -232,6 +189,11 @@ jobs:
             body += "</summary>\n\n";
             body += fs.readFileSync('/tmp/dpdk-sys/builds/env.sysroot.gnu64.vulns.triage.md');
             body += "\n</details>\n";
+            const maxLength = 65535;
+            if (body.length > maxLength) {
+              const warning = "\n...output truncated due to length limits...\n";
+              body = body.slice(0, maxLength - warning.length) + warning;
+            }
             github.rest.issues.createComment({
               issue_number: context.issue.number,
               owner: context.repo.owner,
@@ -242,7 +204,6 @@ jobs:
       - name: "Vulnerable packages (musl64)"
         uses: "actions/github-script@v7"
         if: ${{ github.event_name == 'pull_request' }}
-        continue-on-error: true
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
           script: |
@@ -253,6 +214,11 @@ jobs:
             body += "</summary>\n\n";
             body += fs.readFileSync('/tmp/dpdk-sys/builds/env.sysroot.musl64.vulns.triage.md');
             body += "\n</details>\n";
+            const maxLength = 65535;
+            if (body.length > maxLength) {
+              const warning = "\n...output truncated due to length limits...\n";
+              body = body.slice(0, maxLength - warning.length) + warning;
+            }
             github.rest.issues.createComment({
               issue_number: context.issue.number,
               owner: context.repo.owner,

plan.template.md

@@ -0,0 +1,49 @@
+# Build Plan
+
+## Build matrix
+
+\`\`\`yml
+$(yq --yaml-output '.matrix' builds.yml)
+\`\`\`
+
+## Raw build flags file
+
+\`\`\`yml
+$(< ./nix/flags.nix)
+\`\`\`
+
+## Build versions
+
+### env
+
+\`\`\`yml
+$(yq --yaml-output '.env' builds.yml)
+\`\`\`
+
+<details>
+<summary>
+
+## Raw \`builds.yml\` file
+
+</summary>
+
+\`\`\`yml
+$(< builds.yml)
+\`\`\`
+
+</details>
+
+<details>
+<summary>
+
+## Raw \`versions.nix\` file
+
+</summary>
+
+\`\`\`nix
+$(< nix/versions.nix)
+\`\`\`
+
+</details>
+
+EOF

scripts/bump.sh

@@ -74,6 +74,7 @@ nix_multi_hash() {
   declare -n dict="${1}"
   declare -r file="${2}"
   declare -r source_url="${3}"
+  declare hash
   for hash in "${!hash_algos[@]}"; do
     dict["openssl_${hash}"]="$(hash_file "${hash_algos[${hash}]}" "${file}")"
     declare -rxg "${1}_openssl_${hash}"="${dict["openssl_${hash}"]}"
@@ -90,6 +91,7 @@ nix_multi_hash() {
   done
 }
 
+# shellcheck disable=SC2034
 declare -A NIXPKGS_ARCHIVE
 nix_multi_hash NIXPKGS_ARCHIVE "${nixpkgs_repo}/${NIXPKGS_COMMIT}.tar.gz" "${NIXPKGS_SOURCE_URL}"
 
@@ -115,5 +117,5 @@ JUST_STABLE_PIN="$(just --version | grep '^just ' | awk '{print $NF}')"
 declare -rx JUST_STABLE_PIN
 
 declare -rx WARNING="WARNING: This file is generated by the bump.sh script. Do not edit it manually."
-envsubst < "./builds.template.yml" > "./builds.yml"
+envsubst < "${project_dir}/builds.template.yml" > "${project_dir}/builds.yml"
 envsubst < "${project_dir}/nix/versions.nix.template" > "${project_dir}/nix/versions.nix"

scripts/plan.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+# usage: apply_template /path/to/template.txt
+apply_template() {
+  trap 'rm -f ${tempfile}' RETURN
+  declare tempfile;
+  tempfile="$(mktemp)";
+  declare -r tempfile;
+  {
+    echo 'cat <<END_TEMPLATE';
+    cat "${1}";
+    echo 'END_TEMPLATE';
+  } > "${tempfile}";
+  source "${tempfile}"
+}
+
+apply_template ./plan.template.md >> "${1:-/proc/self/fd/1}"
+