Skip to content

chore(deps): update ci dependencies #3545

chore(deps): update ci dependencies

chore(deps): update ci dependencies #3545

Workflow file for this run

name: CI
on:
push:
pull_request:
types:
- opened
- synchronize
merge_group:
types:
- checks_requested
release:
types:
- published
env:
DEBIAN_FRONTEND: noninteractive
OBFSTR_SEED: ${{ secrets.CONST_RANDOM_SEED }}
jobs:
static-analysis:
name: Static analysis
runs-on: ubuntu-24.04
timeout-minutes: 15
# Exclude in-repo PRs from running this job
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork
steps:
- name: 📥 Checkout source
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: 🧰 Install Rust toolchain
uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 # v1
with:
toolchain: nightly
components: rustfmt, clippy
- name: 🧰 Install clippy-sarif
uses: taiki-e/install-action@e37f44cf370f5ab2495787a3f6f30f092bc9a53e # v2
with:
tool: clippy-sarif
- name: 🧰 Install sarif-fmt
uses: taiki-e/install-action@e37f44cf370f5ab2495787a3f6f30f092bc9a53e # v2
with:
tool: sarif-fmt
- name: 🧰 Install cargo-deny
uses: taiki-e/install-action@e37f44cf370f5ab2495787a3f6f30f092bc9a53e # v2
with:
tool: cargo-deny
- name: 🔍 Clippy check
shell: bash
run: >
cargo clippy --no-deps --all-targets --message-format=json -- -D warnings
| clippy-sarif
| tee clippy-results.sarif
| sarif-fmt
- name: 🔍 Run cargo-deny
run: cargo deny check
- name: 🔍 Check Rust source code format
run: cargo fmt --all --check
- name: 📤 Upload analysis results to GitHub
if: always()
uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3
continue-on-error: true
with:
sarif_file: clippy-results.sarif
category: clippy
build:
name: Build
strategy:
fail-fast: false
matrix:
target:
- x86_64-unknown-linux-gnu
- x86_64-unknown-linux-musl
- x86_64-pc-windows-gnu
- aarch64-unknown-linux-gnu
- aarch64-unknown-linux-musl
- x86_64-apple-darwin
- aarch64-apple-darwin
include:
- target: x86_64-unknown-linux-gnu
host-target: x86_64-unknown-linux-gnu
runner: ubuntu-latest
container: debian:bookworm-slim
apt-arch: amd64
- target: x86_64-unknown-linux-musl
host-target: x86_64-unknown-linux-gnu
runner: ubuntu-latest
container: debian:bookworm-slim
apt-arch: amd64
- target: aarch64-unknown-linux-gnu
host-target: x86_64-unknown-linux-gnu
runner: ubuntu-latest
container: debian:bookworm-slim
apt-arch: arm64
- target: aarch64-unknown-linux-musl
host-target: x86_64-unknown-linux-gnu
runner: ubuntu-latest
container: debian:bookworm-slim
apt-arch: arm64
- target: x86_64-pc-windows-gnu
host-target: x86_64-pc-windows-gnu
runner: windows-latest
- target: x86_64-apple-darwin
host-target: x86_64-apple-darwin
runner: macos-latest
- target: aarch64-apple-darwin
host-target: aarch64-apple-darwin
runner: macos-latest
runs-on: ${{ matrix.runner }}
timeout-minutes: 60
container: ${{ matrix.container }}
permissions:
id-token: write
attestations: write
env:
CARGO_BUILD_TARGET: ${{ matrix.target }}
# nextext requires this on Windows to pick the intended GNU toolchain
RUSTUP_TOOLCHAIN: nightly-${{ matrix.host-target }}
# Rust stdlib default backtrace feature doesn't actually work because our
# release executables are stripped, so skipping it shaves off quite some KiB.
# References:
# https://doc.rust-lang.org/cargo/reference/unstable.html#build-std-features
# https://github.com/rust-lang/rust/blob/4c8bb79d9f565115637cc6da739f8389e79f3a29/library/std/Cargo.toml#L54-L79
OPTIMIZED_RELEASE_BUILD_FLAGS: -Z build-std -Z build-std-features=panic-unwind
# Exclude in-repo PRs from running this job
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork
steps:
- name: 🧰 Install Linux toolchain packages
if: contains(matrix.target, '-linux-')
run: |
if [ "$(dpkg --print-architecture)" != '${{ matrix.apt-arch }}' ]; then
dpkg --add-architecture '${{ matrix.apt-arch }}'
fi
apt-get update
# curl is required by rustup.
# musl-tools is required to build musl binaries for the host architecture,
# and the arch-specific musl-dev package is required to build binaries for
# a target architecture when cross-compiling
# markdown and html2text are required to generate the Debian package only
apt-get install -yq build-essential git curl \
musl-tools musl-dev:${{ matrix.apt-arch }} \
markdown html2text
# This must go after the previous step so that a Git repository is checked out
- name: 📥 Checkout source
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
fetch-depth: 0 # Keep the commit history for proper version information
- name: 🧰 Install Linux ARM64 cross-compilation toolchain
if: startsWith(matrix.target, 'aarch64-unknown-linux')
run: apt-get install -yq gcc-aarch64-linux-gnu qemu-user libc6:arm64
- name: 🧰 Install Rust toolchain
uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 # v1
with:
toolchain: nightly-${{ matrix.host-target }}
targets: ${{ env.CARGO_BUILD_TARGET }}
components: rust-src
- name: 💨 Set up sccache
if: ${{ !endsWith(matrix.target, '-pc-windows-gnu') }}
uses: mozilla-actions/sccache-action@054db53350805f83040bf3e6e9b8cf5a139aa7c9 # v0.0.7
- name: ⚙️ Prime sccache cache backend
if: ${{ !endsWith(matrix.target, '-pc-windows-gnu') }}
shell: bash
env:
SCCACHE_REDIS_ENDPOINT: ${{ secrets.SCCACHE_REDIS_ENDPOINT }}
SCCACHE_REDIS_USERNAME: ${{ secrets.SCCACHE_REDIS_USERNAME }}
SCCACHE_REDIS_PASSWORD: ${{ secrets.SCCACHE_REDIS_PASSWORD }}
SCCACHE_REDIS_KEY_PREFIX: ${{ secrets.SCCACHE_REDIS_KEY_PREFIX }}
run: |
sccache --start-server
echo 'RUSTC_WRAPPER=sccache' >> "$GITHUB_ENV"
- name: 💨 Cache Rust artifacts (Windows)
if: endsWith(matrix.target, '-pc-windows-gnu') # sccache with Windows GNU compilers is slower than trivial GHA caching
uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab # v2
- name: 🧰 Install nextest
uses: taiki-e/install-action@e37f44cf370f5ab2495787a3f6f30f092bc9a53e # v2
env:
CARGO_BUILD_TARGET: ${{ matrix.host-target }}
with:
tool: nextest
- name: 🧰 Install cargo-deb
if: endsWith(matrix.target, '-linux-gnu')
uses: taiki-e/install-action@e37f44cf370f5ab2495787a3f6f30f092bc9a53e # v2
env:
CARGO_BUILD_TARGET: ${{ matrix.host-target }}
with:
tool: cargo-deb
# Our build container is minimal, and it doesn't contain any systemd package.
# systemd is responsible for setting up the machine ID files we use for
# testing the system ID retrieval code, so copy a dummy one
- name: 📏 Set up a dummy D-Bus machine ID for tests
if: startsWith(matrix.runner, 'ubuntu')
run: cat /proc/sys/kernel/random/uuid | tr -d '-' > /run/machine-id
- name: ✔️ Run tests
run: |
cargo nextest run --workspace --status-level all --release
cargo test --doc --workspace --release
- name: 🔨 Build with optimized standard library
run: cargo build --target ${{ env.CARGO_BUILD_TARGET }} --release ${{ env.OPTIMIZED_RELEASE_BUILD_FLAGS }}
- name: 🔨 Generate CLI Debian package
if: endsWith(matrix.target, '-linux-gnu')
run: scripts/build_deb.sh --target ${{ env.CARGO_BUILD_TARGET }} -p packsquash_cli -- ${{ env.OPTIMIZED_RELEASE_BUILD_FLAGS }}
- name: 📤 Upload CLI binary
if: ${{ !contains(matrix.target, '-linux-') || endsWith(matrix.target, '-linux-musl') }}
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4
with:
name: PackSquash CLI executable (${{ matrix.target }})
path: |
target/${{ env.CARGO_BUILD_TARGET }}/release/packsquash*
!target/${{ env.CARGO_BUILD_TARGET }}/release/packsquash.d
- name: 📤 Upload CLI Debian package
if: endsWith(matrix.target, '-linux-gnu')
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4
with:
name: PackSquash CLI Debian package (${{ matrix.apt-arch }})
path: target/${{ env.CARGO_BUILD_TARGET }}/debian/packsquash_*.deb
- name: ✒️ Generate SLSA attestation subject data for binaries
uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1
with:
subject-path: |
target/${{ env.CARGO_BUILD_TARGET }}/release/packsquash
target/${{ env.CARGO_BUILD_TARGET }}/release/packsquash.exe
target/${{ env.CARGO_BUILD_TARGET }}/debian/packsquash_*.deb
build-universal-macos-binaries:
name: Build universal macOS binaries
runs-on: macos-latest
needs: build
permissions:
id-token: write
attestations: write
steps:
- name: 📥 Download PackSquash CLI x64 macOS executable
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
with:
name: PackSquash CLI executable (x86_64-apple-darwin)
path: packsquash-x64
- name: 📥 Download PackSquash CLI ARM64 macOS executable
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
with:
name: PackSquash CLI executable (aarch64-apple-darwin)
path: packsquash-aarch64
- name: 🔨 Generate universal CLI binary
run: lipo -create -output packsquash packsquash-x64/packsquash packsquash-aarch64/packsquash
- name: 📤 Upload universal CLI binary
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4
with:
name: PackSquash CLI executable (universal-apple-darwin)
path: packsquash
- name: ✒️ Generate SLSA attestation subject data for binary
uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1
with:
subject-path: packsquash
build-docker-images:
name: Build Docker images
runs-on: ubuntu-latest
env:
# Defaults to docker.io (Docker Hub)
REGISTRY: ghcr.io
# github.repository as <account>/<repo>
IMAGE_NAME: ${{ github.repository }}
needs: build
steps:
- name: 📥 Checkout source
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: 🧰 Set up Docker Buildx
uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3
- name: ⚙️ Generate Docker image metadata
id: meta
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
# Tag the image as "edge" for every commit on master.
# Tag the image by its ref for every commit on non-master branches.
# Maintain the "latest", full and major and minor semver tags for each semver tag push
tags: |
type=edge,branch=master
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=ref,event=branch
labels: |
org.opencontainers.image.description=Docker image for PackSquash, the Minecraft resource and data pack optimizer.
- name: 📥 Download PackSquash CLI x64 musl executable
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
with:
name: PackSquash CLI executable (x86_64-unknown-linux-musl)
- name: 📁 Rename PackSquash CLI x64 musl executable
run: mv packsquash packsquash-amd64
- name: 📥 Download PackSquash CLI ARM64 musl executable
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
with:
name: PackSquash CLI executable (aarch64-unknown-linux-musl)
- name: 📁 Rename PackSquash CLI ARM64 musl executable
run: mv packsquash packsquash-arm64
- name: 🔍 Check workflow package write permission
id: check_write_permission
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
with:
result-encoding: string
script: |
const permission = (await github.rest.repos.getCollaboratorPermissionLevel({
owner: context.repo.owner,
repo: context.repo.repo,
username: context.actor,
})).data.permission;
return permission == "write" || permission == "admin" ? "1" : "";
# The GitHub token needs the package:write permission for the push to work.
# This permission is not given to PRs from forked repositories.
# See: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
- name: ⚙️ Login to ${{ env.REGISTRY }}
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
if: steps.check_write_permission.outputs.result
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: 🔨 Build and push Docker image
uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
with:
context: .
platforms: linux/amd64,linux/arm64
push: ${{ steps.check_write_permission.outputs.result == '1' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
benchmark:
name: Run and upload benchmarks
runs-on: ubuntu-latest
container: debian:bookworm-slim@sha256:1537a6a1cbc4b4fd401da800ee9480207e7dc1f23560c21259f681db56768f63
# Benchmark failure is not critical enough to fail the whole workflow.
# We will keep an eye on them anyway, though
continue-on-error: true
# Make sure that benchmarks stay quick, and handle them being stuck promptly
timeout-minutes: 30
# Only benchmark code that passes all the checks
needs:
- static-analysis
- build
# Ignore runs that don't have the secret needed to decrypt packs (this happens for PRs outside
# the repository). First-time would-be contributors need to have their workflows approved
# anyway, but at best it might be confusing to see commits of PRs mixed with the mainline.
# Workflows triggered by PRs don't have access to secrets either. We also ignore temporary
# Renovate branches and merge groups to reduce noise
if: success() &&
github.event_name != 'pull_request' &&
github.event_name != 'merge_group' &&
!startsWith(github.ref_name, 'renovate/')
env:
# Use sccache to speed up Rust compilation
RUSTC_WRAPPER: sccache
steps:
- name: 🧰 Install development packages and benchmark script packages
run: |
apt-get update
# curl is required by rustup
apt-get install -yq build-essential git curl \
python3-venv gpg
- name: 📥 Checkout source
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
# Necessary for steps that invoke Git commands to work properly on workflows run on containers.
# See: https://github.com/actions/checkout/issues/766
- name: 📥 Set source ownership to current user
run: chown -R "$(id -u):$(id -g)" "$GITHUB_WORKSPACE"
- name: 🧰 Install Rust toolchain
uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 # v1
with:
toolchain: nightly
- name: 💨 Set up sccache
uses: mozilla-actions/sccache-action@054db53350805f83040bf3e6e9b8cf5a139aa7c9 # v0.0.7
- name: ⚙️ Prime sccache cache backend
shell: bash
env:
SCCACHE_REDIS_ENDPOINT: ${{ secrets.SCCACHE_REDIS_ENDPOINT }}
SCCACHE_REDIS_USERNAME: ${{ secrets.SCCACHE_REDIS_USERNAME }}
SCCACHE_REDIS_PASSWORD: ${{ secrets.SCCACHE_REDIS_PASSWORD }}
SCCACHE_REDIS_KEY_PREFIX: ${{ secrets.SCCACHE_REDIS_KEY_PREFIX }}
run: sccache --start-server
- name: 📥 Download test packs dataset
run: scripts/test-packs/download.sh
- name: 🔑 Decrypt private test packs in dataset
env:
PRIVATE_TEST_PACKS_PASSWORD: ${{ secrets.PRIVATE_TEST_PACKS_PASSWORD }}
run: scripts/test-packs/decrypt.sh
# GitHub-hosted runners restrict access to the perf_event_open syscall for some event types we
# are interested in, so we can't run benchmarks that measure the troublesome performance counters.
# See: https://github.com/actions/virtual-environments/issues/4974
- name: 🔍 Run quick benchmarks
run: cargo bench -- --output-format=bencher 'wall_time' | tee /run/bench_results.txt
- name: 📤 Publish quick benchmarks results
uses: benchmark-action/github-action-benchmark@v1
with:
name: 'PackSquash library quick benchmarks'
tool: cargo
output-file-path: /run/bench_results.txt
benchmark-data-dir-path: dev/benches
github-token: ${{ secrets.GITHUB_TOKEN }}
auto-push: true
comment-on-alert: true
alert-threshold: 150%
fail-on-alert: false
max-items-in-chart: 50