chore(deps): update ci dependencies (#341) #3443
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
push: | |
pull_request: | |
types: | |
- opened | |
- synchronize | |
merge_group: | |
types: | |
- checks_requested | |
release: | |
types: | |
- published | |
env: | |
DEBIAN_FRONTEND: noninteractive | |
CONST_RANDOM_SEED: ${{ secrets.CONST_RANDOM_SEED }} | |
# Disable quickinstall telemetry reporting to cut down on external HTTP requests | |
# a little. See: https://github.com/cargo-bins/cargo-binstall/issues/1884 | |
BINSTALL_DISABLE_TELEMETRY: true | |
jobs: | |
static-analysis: | |
name: Static analysis | |
runs-on: ubuntu-latest | |
timeout-minutes: 15 | |
# Exclude in-repo PRs from running this job | |
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork | |
steps: | |
- name: 📥 Checkout source | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
- name: 🧰 Install Rust toolchain | |
uses: dtolnay/rust-toolchain@1482605bfc5719782e1267fd0c0cc350fe7646b8 # v1 | |
with: | |
toolchain: nightly | |
components: rustfmt, clippy | |
- name: 🧰 Install clippy-sarif | |
uses: taiki-e/install-action@5d427d86f088a6cedcddb92b3ad038d30721b52f # v2 | |
with: | |
tool: clippy-sarif | |
- name: 🧰 Install sarif-fmt | |
uses: taiki-e/install-action@5d427d86f088a6cedcddb92b3ad038d30721b52f # v2 | |
with: | |
tool: sarif-fmt | |
- name: 🧰 Install cargo-deny | |
uses: taiki-e/install-action@5d427d86f088a6cedcddb92b3ad038d30721b52f # v2 | |
with: | |
tool: cargo-deny | |
- name: 🔍 Clippy check | |
shell: bash | |
run: > | |
cargo clippy --no-deps --all-targets --message-format=json -- -D warnings | |
| clippy-sarif | |
| tee clippy-results.sarif | |
| sarif-fmt | |
- name: 🔍 Run cargo-deny | |
run: cargo deny check | |
- name: 🔍 Check Rust source code format | |
run: cargo fmt --all --check | |
- name: 📤 Upload analysis results to GitHub | |
if: always() | |
uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3 | |
continue-on-error: true | |
with: | |
sarif_file: clippy-results.sarif | |
category: clippy | |
build: | |
name: Build | |
strategy: | |
fail-fast: false | |
matrix: | |
target: | |
- x86_64-unknown-linux-gnu | |
- x86_64-unknown-linux-musl | |
- x86_64-pc-windows-gnu | |
- aarch64-unknown-linux-gnu | |
- aarch64-unknown-linux-musl | |
- x86_64-apple-darwin | |
- aarch64-apple-darwin | |
include: | |
- target: x86_64-unknown-linux-gnu | |
host-target: x86_64-unknown-linux-gnu | |
runner: ubuntu-latest | |
container: debian:bullseye-slim | |
apt-arch: amd64 | |
- target: x86_64-unknown-linux-musl | |
host-target: x86_64-unknown-linux-gnu | |
runner: ubuntu-latest | |
container: debian:bookworm-slim | |
apt-arch: amd64 | |
- target: aarch64-unknown-linux-gnu | |
host-target: x86_64-unknown-linux-gnu | |
runner: ubuntu-latest | |
container: debian:bullseye-slim | |
apt-arch: arm64 | |
- target: aarch64-unknown-linux-musl | |
host-target: x86_64-unknown-linux-gnu | |
runner: ubuntu-latest | |
container: debian:bookworm-slim | |
apt-arch: arm64 | |
- target: x86_64-pc-windows-gnu | |
host-target: x86_64-pc-windows-gnu | |
runner: windows-latest | |
- target: x86_64-apple-darwin | |
host-target: x86_64-apple-darwin | |
runner: macos-latest | |
- target: aarch64-apple-darwin | |
host-target: aarch64-apple-darwin | |
runner: macos-latest | |
runs-on: ${{ matrix.runner }} | |
timeout-minutes: 60 | |
container: ${{ matrix.container }} | |
permissions: | |
id-token: write | |
attestations: write | |
env: | |
CARGO_BUILD_TARGET: ${{ matrix.target }} | |
# nextext requires this on Windows to pick the intended GNU toolchain | |
RUSTUP_TOOLCHAIN: nightly-${{ matrix.host-target }} | |
# Rust stdlib default backtrace feature doesn't actually work because our | |
# release executables are stripped, so skipping it shaves off quite some KiB. | |
# References: | |
# https://doc.rust-lang.org/cargo/reference/unstable.html#build-std-features | |
# https://github.com/rust-lang/rust/blob/4c8bb79d9f565115637cc6da739f8389e79f3a29/library/std/Cargo.toml#L54-L79 | |
OPTIMIZED_RELEASE_BUILD_FLAGS: -Z build-std -Z build-std-features=panic-unwind | |
# Exclude in-repo PRs from running this job | |
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork | |
steps: | |
- name: 🧰 Install Linux toolchain packages | |
if: contains(matrix.target, '-linux-') | |
run: | | |
if [ "$(dpkg --print-architecture)" != '${{ matrix.apt-arch }}' ]; then | |
dpkg --add-architecture '${{ matrix.apt-arch }}' | |
fi | |
apt-get update | |
# curl is required by rustup. | |
# musl-tools is required to build musl binaries for the host architecture, | |
# and the arch-specific musl-dev package is required to build binaries for | |
# a target architecture when cross-compiling | |
# markdown and html2text are required to generate the Debian package only | |
apt-get install -yq build-essential git curl \ | |
musl-tools musl-dev:${{ matrix.apt-arch }} \ | |
markdown html2text | |
# This must go after the previous step so that a Git repository is checked out | |
- name: 📥 Checkout source | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
with: | |
fetch-depth: 0 # Keep the commit history for proper version information | |
- name: 🧰 Install Linux ARM64 cross-compilation toolchain | |
if: startsWith(matrix.target, 'aarch64-unknown-linux') | |
run: apt-get install -yq gcc-aarch64-linux-gnu qemu-user libc6:arm64 | |
- name: 🧰 Install Rust toolchain | |
uses: dtolnay/rust-toolchain@1482605bfc5719782e1267fd0c0cc350fe7646b8 # v1 | |
with: | |
toolchain: nightly-${{ matrix.host-target }} | |
targets: ${{ env.CARGO_BUILD_TARGET }} | |
components: rust-src | |
- name: 💨 Set up sccache | |
if: ${{ !endsWith(matrix.target, '-pc-windows-gnu') }} | |
uses: mozilla-actions/sccache-action@9e326ebed976843c9932b3aa0e021c6f50310eb4 # v0.0.6 | |
- name: ⚙️ Prime sccache cache backend | |
if: ${{ !endsWith(matrix.target, '-pc-windows-gnu') }} | |
shell: bash | |
env: | |
SCCACHE_REDIS_ENDPOINT: ${{ secrets.SCCACHE_REDIS_ENDPOINT }} | |
SCCACHE_REDIS_USERNAME: ${{ secrets.SCCACHE_REDIS_USERNAME }} | |
SCCACHE_REDIS_PASSWORD: ${{ secrets.SCCACHE_REDIS_PASSWORD }} | |
SCCACHE_REDIS_KEY_PREFIX: ${{ secrets.SCCACHE_REDIS_KEY_PREFIX }} | |
run: | | |
sccache --start-server | |
echo 'RUSTC_WRAPPER=sccache' >> "$GITHUB_ENV" | |
- name: 💨 Cache Rust artifacts (Windows) | |
if: endsWith(matrix.target, '-pc-windows-gnu') # sccache with Windows GNU compilers is slower than trivial GHA caching | |
uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab # v2 | |
- name: 🧰 Install nextest | |
uses: taiki-e/install-action@5d427d86f088a6cedcddb92b3ad038d30721b52f # v2 | |
env: | |
CARGO_BUILD_TARGET: ${{ matrix.host-target }} | |
with: | |
tool: nextest | |
- name: 🧰 Install cargo-deb | |
if: endsWith(matrix.target, '-linux-gnu') | |
uses: taiki-e/install-action@5d427d86f088a6cedcddb92b3ad038d30721b52f # v2 | |
env: | |
CARGO_BUILD_TARGET: ${{ matrix.host-target }} | |
with: | |
tool: cargo-deb | |
# Our build container is minimal, and it doesn't contain any systemd package. | |
# systemd is responsible for setting up the machine ID files we use for | |
# testing the system ID retrieval code, so copy a dummy one | |
- name: 📏 Set up a dummy D-Bus machine ID for tests | |
if: startsWith(matrix.runner, 'ubuntu') | |
run: cat /proc/sys/kernel/random/uuid | tr -d '-' > /run/machine-id | |
- name: 📅 Gather build date and version metadata | |
shell: bash | |
run: | | |
git config --global --add safe.directory "$PWD" | |
echo "PACKSQUASH_BUILD_VERSION=$(git describe --tags --dirty=-custom --always)" >> "$GITHUB_ENV" | |
echo "PACKSQUASH_BUILD_DATE=$(date -u +%Y-%m-%d)" >> "$GITHUB_ENV" | |
- name: ✔️ Run tests | |
run: | | |
cargo nextest run --workspace --status-level all --release | |
cargo test --doc --workspace --release | |
- name: 🔨 Build with optimized standard library | |
run: cargo build --target ${{ env.CARGO_BUILD_TARGET }} --release ${{ env.OPTIMIZED_RELEASE_BUILD_FLAGS }} | |
- name: 🔨 Generate CLI Debian package | |
if: endsWith(matrix.target, '-linux-gnu') | |
run: scripts/build_deb.sh --target ${{ env.CARGO_BUILD_TARGET }} -p packsquash_cli -- ${{ env.OPTIMIZED_RELEASE_BUILD_FLAGS }} | |
- name: 📤 Upload CLI binary | |
if: ${{ !contains(matrix.target, '-linux-') || endsWith(matrix.target, '-linux-musl') }} | |
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4 | |
with: | |
name: PackSquash CLI executable (${{ matrix.target }}) | |
path: | | |
target/${{ env.CARGO_BUILD_TARGET }}/release/packsquash* | |
!target/${{ env.CARGO_BUILD_TARGET }}/release/packsquash.d | |
- name: 📤 Upload CLI Debian package | |
if: endsWith(matrix.target, '-linux-gnu') | |
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4 | |
with: | |
name: PackSquash CLI Debian package (${{ matrix.apt-arch }}) | |
path: target/${{ env.CARGO_BUILD_TARGET }}/debian/packsquash_*.deb | |
- name: ✒️ Generate SLSA attestation subject data for binaries | |
uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1 | |
with: | |
subject-path: | | |
target/${{ env.CARGO_BUILD_TARGET }}/release/packsquash | |
target/${{ env.CARGO_BUILD_TARGET }}/release/packsquash.exe | |
target/${{ env.CARGO_BUILD_TARGET }}/debian/packsquash_*.deb | |
build-universal-macos-binaries: | |
name: Build universal macOS binaries | |
runs-on: macos-latest | |
needs: build | |
permissions: | |
id-token: write | |
attestations: write | |
steps: | |
- name: 📥 Download PackSquash CLI x64 macOS executable | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4 | |
with: | |
name: PackSquash CLI executable (x86_64-apple-darwin) | |
path: packsquash-x64 | |
- name: 📥 Download PackSquash CLI ARM64 macOS executable | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4 | |
with: | |
name: PackSquash CLI executable (aarch64-apple-darwin) | |
path: packsquash-aarch64 | |
- name: 🔨 Generate universal CLI binary | |
run: lipo -create -output packsquash packsquash-x64/packsquash packsquash-aarch64/packsquash | |
- name: 📤 Upload universal CLI binary | |
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4 | |
with: | |
name: PackSquash CLI executable (universal-apple-darwin) | |
path: packsquash | |
- name: ✒️ Generate SLSA attestation subject data for binary | |
uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1 | |
with: | |
subject-path: packsquash | |
build-docker-images: | |
name: Build Docker images | |
runs-on: ubuntu-latest | |
env: | |
# Defaults to docker.io (Docker Hub) | |
REGISTRY: ghcr.io | |
# github.repository as <account>/<repo> | |
IMAGE_NAME: ${{ github.repository }} | |
needs: build | |
steps: | |
- name: 📥 Checkout source | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
- name: 🧰 Set up Docker Buildx | |
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3 | |
- name: ⚙️ Generate Docker image metadata | |
id: meta | |
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5 | |
with: | |
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
# Tag the image as "edge" for every commit on master. | |
# Tag the image by its ref for every commit on non-master branches. | |
# Maintain the "latest", full and major and minor semver tags for each semver tag push | |
tags: | | |
type=edge,branch=master | |
type=semver,pattern={{version}} | |
type=semver,pattern={{major}}.{{minor}} | |
type=ref,event=branch | |
labels: | | |
org.opencontainers.image.description=Docker image for PackSquash, the Minecraft resource and data pack optimizer. | |
- name: 📥 Download PackSquash CLI x64 musl executable | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4 | |
with: | |
name: PackSquash CLI executable (x86_64-unknown-linux-musl) | |
- name: 📁 Rename PackSquash CLI x64 musl executable | |
run: mv packsquash packsquash-amd64 | |
- name: 📥 Download PackSquash CLI ARM64 musl executable | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4 | |
with: | |
name: PackSquash CLI executable (aarch64-unknown-linux-musl) | |
- name: 📁 Rename PackSquash CLI ARM64 musl executable | |
run: mv packsquash packsquash-arm64 | |
- name: 🔍 Check workflow package write permission | |
id: check_write_permission | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7 | |
with: | |
result-encoding: string | |
script: | | |
const permission = (await github.rest.repos.getCollaboratorPermissionLevel({ | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
username: context.actor, | |
})).data.permission; | |
return permission == "write" || permission == "admin" ? "1" : ""; | |
# The GitHub token needs the package:write permission for the push to work. | |
# This permission is not given to PRs from forked repositories. | |
# See: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token | |
- name: ⚙️ Login to ${{ env.REGISTRY }} | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 | |
if: steps.check_write_permission.outputs.result | |
with: | |
registry: ${{ env.REGISTRY }} | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: 🔨 Build and push Docker image | |
uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5 | |
with: | |
context: . | |
platforms: linux/amd64,linux/arm64 | |
push: ${{ steps.check_write_permission.outputs.result == '1' }} | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} | |
benchmark: | |
name: Run and upload benchmarks | |
runs-on: ubuntu-latest | |
container: debian:bullseye-slim@sha256:60a596681410bd31a48e5975806a24cd78328f3fd6b9ee5bc64dca6d46a51f29 | |
# Benchmark failure is not critical enough to fail the whole workflow. | |
# We will keep an eye on them anyway, though | |
continue-on-error: true | |
# Make sure that benchmarks stay quick, and handle them being stuck promptly | |
timeout-minutes: 30 | |
# Only benchmark code that passes all the checks | |
needs: | |
- static-analysis | |
- build | |
# Ignore runs that don't have the secret needed to decrypt packs (this happens for PRs outside | |
# the repository). First-time would-be contributors need to have their workflows approved | |
# anyway, but at best it might be confusing to see commits of PRs mixed with the mainline. | |
# Workflows triggered by PRs don't have access to secrets either. We also ignore temporary | |
# Renovate branches and merge groups to reduce noise | |
if: success() && | |
github.event_name != 'pull_request' && | |
github.event_name != 'merge_group' && | |
!startsWith(github.ref_name, 'renovate/') | |
env: | |
# Use sccache to speed up Rust compilation | |
RUSTC_WRAPPER: sccache | |
steps: | |
- name: 🧰 Install development packages and benchmark script packages | |
run: | | |
apt-get update | |
# curl is required by rustup | |
apt-get install -yq build-essential git curl \ | |
python3-venv gpg | |
- name: 📥 Checkout source | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
# Necessary for steps that invoke Git commands to work properly on workflows run on containers. | |
# See: https://github.com/actions/checkout/issues/766 | |
- name: 📥 Set source ownership to current user | |
run: chown -R "$(id -u):$(id -g)" "$GITHUB_WORKSPACE" | |
- name: 🧰 Install Rust toolchain | |
uses: dtolnay/rust-toolchain@1482605bfc5719782e1267fd0c0cc350fe7646b8 # v1 | |
with: | |
toolchain: nightly | |
- name: 💨 Set up sccache | |
uses: mozilla-actions/sccache-action@9e326ebed976843c9932b3aa0e021c6f50310eb4 # v0.0.6 | |
- name: ⚙️ Prime sccache cache backend | |
shell: bash | |
env: | |
SCCACHE_REDIS_ENDPOINT: ${{ secrets.SCCACHE_REDIS_ENDPOINT }} | |
SCCACHE_REDIS_USERNAME: ${{ secrets.SCCACHE_REDIS_USERNAME }} | |
SCCACHE_REDIS_PASSWORD: ${{ secrets.SCCACHE_REDIS_PASSWORD }} | |
SCCACHE_REDIS_KEY_PREFIX: ${{ secrets.SCCACHE_REDIS_KEY_PREFIX }} | |
run: sccache --start-server | |
- name: 📥 Download test packs dataset | |
run: scripts/test-packs/download.sh | |
- name: 🔑 Decrypt private test packs in dataset | |
env: | |
PRIVATE_TEST_PACKS_PASSWORD: ${{ secrets.PRIVATE_TEST_PACKS_PASSWORD }} | |
run: scripts/test-packs/decrypt.sh | |
# GitHub-hosted runners restrict access to the perf_event_open syscall for some event types we | |
# are interested in, so we can't run benchmarks that measure the troublesome performance counters. | |
# See: https://github.com/actions/virtual-environments/issues/4974 | |
- name: 🔍 Run quick benchmarks | |
run: cargo bench -- --output-format=bencher 'wall_time' | tee /run/bench_results.txt | |
- name: 📤 Publish quick benchmarks results | |
uses: benchmark-action/github-action-benchmark@v1 | |
with: | |
name: 'PackSquash library quick benchmarks' | |
tool: cargo | |
output-file-path: /run/bench_results.txt | |
benchmark-data-dir-path: dev/benches | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
auto-push: true | |
comment-on-alert: true | |
alert-threshold: 150% | |
fail-on-alert: false | |
max-items-in-chart: 50 |