chore(deps): update ci dependencies #2214
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
push: | |
pull_request: | |
types: | |
- opened | |
- synchronize | |
release: | |
types: | |
- published | |
env: | |
DEBIAN_FRONTEND: noninteractive | |
CONST_RANDOM_SEED: ${{ secrets.CONST_RANDOM_SEED }} | |
jobs: | |
static-analysis: | |
name: Static analysis | |
runs-on: ubuntu-latest | |
timeout-minutes: 15 | |
# Exclude in-repo PRs from running this job | |
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork | |
steps: | |
- name: 📥 Checkout source | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 | |
- name: 🧰 Install Rust toolchain | |
uses: dtolnay/rust-toolchain@1482605bfc5719782e1267fd0c0cc350fe7646b8 # v1 | |
with: | |
toolchain: nightly | |
components: rustfmt, clippy | |
- name: 🔍 Clippy check | |
uses: giraffate/clippy-action@13b9d32482f25d29ead141b79e7e04e7900281e0 # v1 | |
with: | |
clippy_flags: --all-targets -D warnings | |
reporter: github-check | |
fail_on_error: true | |
- name: 🔍 Cargo deny check | |
uses: EmbarkStudios/cargo-deny-action@1e59595bed8fc55c969333d08d7817b36888f0c5 # v1 | |
- name: 🔍 Check Rust source code format | |
run: cargo fmt --all --check | |
build: | |
name: Build | |
strategy: | |
fail-fast: false | |
matrix: | |
target: | |
- x86_64-unknown-linux-gnu | |
- x86_64-unknown-linux-musl | |
- x86_64-pc-windows-gnu | |
- aarch64-unknown-linux-gnu | |
- aarch64-unknown-linux-musl | |
- x86_64-apple-darwin | |
- aarch64-apple-darwin | |
include: | |
- target: x86_64-unknown-linux-gnu | |
host-target: x86_64-unknown-linux-gnu | |
runner: ubuntu-latest | |
container: debian:bullseye-slim | |
apt-arch: amd64 | |
- target: x86_64-unknown-linux-musl | |
host-target: x86_64-unknown-linux-gnu | |
runner: ubuntu-latest | |
container: debian:testing-slim | |
apt-arch: amd64 | |
- target: aarch64-unknown-linux-gnu | |
host-target: x86_64-unknown-linux-gnu | |
runner: ubuntu-latest | |
container: debian:bullseye-slim | |
apt-arch: arm64 | |
- target: aarch64-unknown-linux-musl | |
host-target: x86_64-unknown-linux-gnu | |
runner: ubuntu-latest | |
container: debian:testing-slim | |
apt-arch: arm64 | |
- target: x86_64-pc-windows-gnu | |
host-target: x86_64-pc-windows-gnu | |
runner: windows-latest | |
- target: x86_64-apple-darwin | |
host-target: x86_64-apple-darwin | |
runner: macos-latest | |
- target: aarch64-apple-darwin | |
host-target: x86_64-apple-darwin | |
runner: macos-latest | |
runs-on: ${{ matrix.runner }} | |
timeout-minutes: 60 | |
container: ${{ matrix.container }} | |
env: | |
CARGO_BUILD_TARGET: ${{ matrix.target }} | |
# nextext requires this on Windows to pick the intended GNU toolchain | |
RUSTUP_TOOLCHAIN: nightly-${{ matrix.host-target }} | |
# Rust stdlib default backtrace feature doesn't actually work because our | |
# release executables are stripped, so skipping it shaves off quite some KiB. | |
# References: | |
# https://doc.rust-lang.org/cargo/reference/unstable.html#build-std-features | |
# https://github.com/rust-lang/rust/blob/4c8bb79d9f565115637cc6da739f8389e79f3a29/library/std/Cargo.toml#L54-L79 | |
OPTIMIZED_RELEASE_BUILD_FLAGS: -Z build-std -Z build-std-features=panic-unwind | |
outputs: | |
# Uglier than it needs to be because GitHub laid off the team whose | |
# responsibility was to deploy a better alternative. Talk about increased | |
# productivity... See: | |
# https://github.com/orgs/community/discussions/17245 | |
# https://stackoverflow.com/questions/70287603/github-actions-dynamic-outputs-for-job-with-strategy-matrix | |
slsa-attestation-subject-hashes-x86_64-unknown-linux-gnu: ${{ steps.slsa-attestation-subjects.outputs.hashes-x86_64-unknown-linux-gnu }} | |
slsa-attestation-subject-hashes-x86_64-unknown-linux-musl: ${{ steps.slsa-attestation-subjects.outputs.hashes-x86_64-unknown-linux-musl }} | |
slsa-attestation-subject-hashes-aarch64-unknown-linux-gnu: ${{ steps.slsa-attestation-subjects.outputs.hashes-aarch64-unknown-linux-gnu }} | |
slsa-attestation-subject-hashes-aarch64-unknown-linux-musl: ${{ steps.slsa-attestation-subjects.outputs.hashes-aarch64-unknown-linux-musl }} | |
slsa-attestation-subject-hashes-x86_64-pc-windows-gnu: ${{ steps.slsa-attestation-subjects.outputs.hashes-x86_64-pc-windows-gnu }} | |
slsa-attestation-subject-hashes-x86_64-apple-darwin: ${{ steps.slsa-attestation-subjects.outputs.hashes-x86_64-apple-darwin }} | |
slsa-attestation-subject-hashes-aarch64-apple-darwin: ${{ steps.slsa-attestation-subjects.outputs.hashes-aarch64-apple-darwin }} | |
slsa-attestation-subject-hashes-universal-apple-darwin: ${{ steps.slsa-attestation-subjects.outputs.hashes-universal-apple-darwin }} | |
# Exclude in-repo PRs from running this job | |
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork | |
steps: | |
- name: 🧰 Install Linux toolchain packages | |
if: contains(matrix.target, '-linux-') | |
run: | | |
if [ "$(dpkg --print-architecture)" != '${{ matrix.apt-arch }}' ]; then | |
dpkg --add-architecture '${{ matrix.apt-arch }}' | |
fi | |
apt-get update | |
# curl is required by rustup. | |
# musl-tools is required to build musl binaries for the host architecture, | |
# and the arch-specific musl-dev package is required to build binaries for | |
# a target architecture when cross-compiling | |
# markdown and html2text are required to generate the Debian package only | |
apt-get install -yq build-essential git curl \ | |
musl-tools musl-dev:${{ matrix.apt-arch }} \ | |
markdown html2text | |
- name: 🧰 Install Linux ARM64 cross-compilation toolchain | |
if: startsWith(matrix.target, 'aarch64-unknown-linux') | |
run: apt-get install -yq gcc-aarch64-linux-gnu qemu-user libc6:arm64 | |
- name: 🧰 Install Rust toolchain | |
uses: dtolnay/rust-toolchain@1482605bfc5719782e1267fd0c0cc350fe7646b8 # v1 | |
with: | |
toolchain: nightly-${{ matrix.host-target }} | |
targets: ${{ env.CARGO_BUILD_TARGET }} | |
components: rust-src | |
- name: 💨 Cache Rust artifacts | |
uses: Swatinem/rust-cache@a95ba195448af2da9b00fb742d14ffaaf3c21f43 # v2 | |
- name: 🧰 Install nextest | |
if: startsWith(matrix.target, 'x86_64-') || contains(matrix.target, '-linux-') | |
uses: taiki-e/install-action@2a505d476c2be89444ffaf18cd840761320cc917 # v2 | |
with: | |
tool: nextest | |
- name: 🧰 Install cargo-deb | |
if: endsWith(matrix.target, '-linux-gnu') | |
uses: taiki-e/install-action@2a505d476c2be89444ffaf18cd840761320cc917 # v2 | |
with: | |
tool: cargo-deb | |
- name: 📥 Checkout source | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 | |
with: | |
fetch-depth: 0 # Keep the commit history for proper version information | |
# Our build container is minimal, and it doesn't contain any systemd package. | |
# systemd is responsible for setting up the machine ID files we use for | |
# testing the system ID retrieval code, so copy a dummy one | |
- name: 📏 Set up a dummy D-Bus machine ID for tests | |
if: startsWith(matrix.runner, 'ubuntu') | |
run: cat /proc/sys/kernel/random/uuid | tr -d '-' > /run/machine-id | |
- name: 📅 Gather build date and version metadata | |
shell: bash | |
run: | | |
git config --global --add safe.directory "$PWD" | |
echo "PACKSQUASH_BUILD_VERSION=$(git describe --tags --dirty=-custom --always)" >> "$GITHUB_ENV" | |
echo "PACKSQUASH_BUILD_DATE=$(date -u +%Y-%m-%d)" >> "$GITHUB_ENV" | |
- name: ✔️ Run tests | |
if: startsWith(matrix.target, 'x86_64-') || contains(matrix.target, '-linux-') | |
run: | | |
cargo nextest run --workspace --status-level all --release | |
cargo test --doc --workspace --release | |
- name: 🔨 Build with optimized standard library | |
run: cargo build --target ${{ env.CARGO_BUILD_TARGET }} --release ${{ env.OPTIMIZED_RELEASE_BUILD_FLAGS }} | |
- name: 🔨 Generate CLI Debian package | |
if: endsWith(matrix.target, '-linux-gnu') | |
run: scripts/build_deb.sh --target ${{ env.CARGO_BUILD_TARGET }} -p packsquash_cli -- ${{ env.OPTIMIZED_RELEASE_BUILD_FLAGS }} | |
- name: 📤 Upload CLI binary | |
if: ${{ !contains(matrix.target, '-linux-') || endsWith(matrix.target, '-linux-musl') }} | |
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3 | |
with: | |
name: PackSquash CLI executable (${{ matrix.target }}) | |
path: | | |
target/${{ env.CARGO_BUILD_TARGET }}/release/packsquash* | |
!target/${{ env.CARGO_BUILD_TARGET }}/release/packsquash.d | |
- name: 📤 Upload CLI Debian package | |
if: endsWith(matrix.target, '-linux-gnu') | |
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3 | |
with: | |
name: PackSquash CLI Debian package (${{ matrix.apt-arch }}) | |
path: target/${{ env.CARGO_BUILD_TARGET }}/debian/packsquash_*.deb | |
- name: ✒️ Generate SLSA attestation subject data for binaries | |
id: slsa-attestation-subjects | |
shell: bash | |
run: echo "hashes-${{ matrix.target }}=$(shasum -b -a 256 target/${{ env.CARGO_BUILD_TARGET }}/{release,debian}/packsquash{,.exe,_*.deb} | sed -E 's/ \*(.*)$/ \1/' | tr '\n' '|')" >> "$GITHUB_OUTPUT" | |
build-universal-macos-binaries: | |
name: Build universal macOS binaries | |
runs-on: macos-latest | |
needs: build | |
outputs: | |
slsa-attestation-subjects-hashes: ${{ steps.slsa-attestation-subjects.outputs.hashes }} | |
steps: | |
- name: 📥 Download PackSquash CLI x64 macOS executable | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3 | |
with: | |
name: PackSquash CLI executable (x86_64-apple-darwin) | |
path: packsquash-x64 | |
- name: 📥 Download PackSquash CLI ARM64 macOS executable | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3 | |
with: | |
name: PackSquash CLI executable (aarch64-apple-darwin) | |
path: packsquash-aarch64 | |
- name: 🔨 Generate universal CLI binary | |
run: lipo -create -output packsquash packsquash-x64/packsquash packsquash-aarch64/packsquash | |
- name: 📤 Upload universal CLI binary | |
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3 | |
with: | |
name: PackSquash CLI executable (universal-apple-darwin) | |
path: packsquash | |
- name: ✒️ Generate SLSA attestation subject data for binary | |
id: slsa-attestation-subjects | |
shell: bash | |
run: echo "hashes-universal-apple-darwin=$(shasum -b -a 256 packsquash | sed -E 's/ \*(.*)$/ \1/' | tr '\n' '|')" >> "$GITHUB_OUTPUT" | |
build-docker-images: | |
name: Build Docker images | |
runs-on: ubuntu-latest | |
env: | |
# Defaults to docker.io (Docker Hub) | |
REGISTRY: ghcr.io | |
# github.repository as <account>/<repo> | |
IMAGE_NAME: ${{ github.repository }} | |
needs: build | |
steps: | |
- name: 📥 Checkout source | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 | |
- name: 🧰 Set up Docker Buildx | |
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3 | |
- name: ⚙️ Generate Docker image metadata | |
id: meta | |
uses: docker/metadata-action@9dc751fe249ad99385a2583ee0d084c400eee04e # v5 | |
with: | |
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
# Tag the image as "edge" for every commit on master. | |
# Tag the image by its ref for every commit on non-master branches. | |
# Maintain the "latest", full and major and minor semver tags for each semver tag push | |
tags: | | |
type=edge,branch=master | |
type=semver,pattern={{version}} | |
type=semver,pattern={{major}}.{{minor}} | |
type=ref,event=branch | |
labels: | | |
org.opencontainers.image.description=Docker image for PackSquash, the Minecraft resource and data pack optimizer. | |
- name: 📥 Download PackSquash CLI x64 musl executable | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3 | |
with: | |
name: PackSquash CLI executable (x86_64-unknown-linux-musl) | |
- name: 📁 Rename PackSquash CLI x64 musl executable | |
run: mv packsquash packsquash-amd64 | |
- name: 📥 Download PackSquash CLI ARM64 musl executable | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3 | |
with: | |
name: PackSquash CLI executable (aarch64-unknown-linux-musl) | |
- name: 📁 Rename PackSquash CLI ARM64 musl executable | |
run: mv packsquash packsquash-arm64 | |
- name: 🔍 Check workflow package write permission | |
id: check_write_permission | |
uses: assaferan/action-has-permission@3d96069159254de543039461dc5a9c20fadbd6e6 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
# The GitHub token needs the package:write permission for the push to work. | |
# This permission is not given to PRs from forked repositories. | |
# See: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token | |
- name: ⚙️ Login to ${{ env.REGISTRY }} | |
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3 | |
if: steps.check_write_permission.outputs.has-permission | |
with: | |
registry: ${{ env.REGISTRY }} | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: 🔨 Build and push Docker image | |
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5 | |
with: | |
context: . | |
platforms: linux/amd64,linux/arm64 | |
push: ${{ steps.check_write_permission.outputs.has-permission == '1' }} | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} | |
benchmark: | |
runs-on: ubuntu-latest | |
container: debian:bullseye-slim@sha256:d3d0d14f49b49a4dd98a436711f5646dc39e1c99203ef223d1b6620061e2c0e5 | |
# Benchmark failure is not critical enough to fail the whole workflow. | |
# We will keep an eye on them anyway, though | |
continue-on-error: true | |
# Make sure that benchmarks stay quick, and handle them being stuck promptly | |
timeout-minutes: 30 | |
# Only benchmark code that passes all the checks | |
needs: | |
- static-analysis | |
- build | |
# Ignore runs that don't have the secret needed to decrypt packs (this happens for PRs outside | |
# the repository). First-time would-be contributors need to have their workflows approved | |
# anyway, but at best it might be confusing to see commits of PRs mixed with the mainline. | |
# Workflows triggered by PRs don't have access to secrets either. We also ignore temporary | |
# Renovate branches to reduce noise | |
if: success() && github.event_name != 'pull_request' && !startsWith(github.ref_name, 'renovate/') | |
steps: | |
- name: 🧰 Install development packages and benchmark script packages | |
run: | | |
apt-get update | |
# curl is required by rustup | |
apt-get install -yq build-essential git curl \ | |
python3-venv gpg | |
- name: 📥 Checkout source | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 | |
# Necessary for steps that invoke Git commands to work properly on workflows run on containers. | |
# See: https://github.com/actions/checkout/issues/766 | |
- name: 📥 Set source ownership to current user | |
run: chown -R "$(id -u):$(id -g)" "$GITHUB_WORKSPACE" | |
- name: 🧰 Install Rust toolchain | |
uses: dtolnay/rust-toolchain@1482605bfc5719782e1267fd0c0cc350fe7646b8 # v1 | |
with: | |
toolchain: nightly | |
- name: 💨 Cache Rust artifacts | |
uses: Swatinem/rust-cache@a95ba195448af2da9b00fb742d14ffaaf3c21f43 # v2 | |
- name: 📥 Download test packs dataset | |
run: scripts/test-packs/download.sh | |
- name: 🔑 Decrypt private test packs in dataset | |
env: | |
PRIVATE_TEST_PACKS_PASSWORD: ${{ secrets.PRIVATE_TEST_PACKS_PASSWORD }} | |
run: scripts/test-packs/decrypt.sh | |
# GitHub-hosted runners restrict access to the perf_event_open syscall for some event types we | |
# are interested in, so we can't run benchmarks that measure the troublesome performance counters. | |
# See: https://github.com/actions/virtual-environments/issues/4974 | |
- name: 🔍 Run quick benchmarks | |
run: cargo bench -- --output-format=bencher 'wall_time' | tee /run/bench_results.txt | |
- name: 📤 Publish quick benchmarks results | |
uses: benchmark-action/github-action-benchmark@v1 | |
with: | |
name: 'PackSquash library quick benchmarks' | |
tool: cargo | |
output-file-path: /run/bench_results.txt | |
benchmark-data-dir-path: dev/benches | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
auto-push: true | |
comment-on-alert: true | |
alert-threshold: 150% | |
fail-on-alert: false | |
max-items-in-chart: 50 | |
merge-slsa-attestation-subjects-data: | |
name: Merge SLSA attestation subjects data | |
runs-on: ubuntu-latest | |
needs: | |
- build | |
- build-universal-macos-binaries | |
timeout-minutes: 5 | |
continue-on-error: true | |
outputs: | |
subject-hashes: ${{ steps.merge-subjects.outputs.merged-subjects }} | |
steps: | |
- name: 🔗 Merge and encode attestation subject data | |
id: merge-subjects | |
shell: bash | |
run: | | |
ATTESTATION_SUBJECTS=$(cat <<'ATTESTATION_SUBJECTS' | tr -d '\n' | tr '|' '\n' | base64 -w0 | |
${{ needs.build.outputs.slsa-attestation-subject-hashes-x86_64-unknown-linux-gnu }} | |
${{ needs.build.outputs.slsa-attestation-subject-hashes-x86_64-unknown-linux-musl }} | |
${{ needs.build.outputs.slsa-attestation-subject-hashes-aarch64-unknown-linux-gnu }} | |
${{ needs.build.outputs.slsa-attestation-subject-hashes-aarch64-unknown-linux-musl }} | |
${{ needs.build.outputs.slsa-attestation-subject-hashes-x86_64-pc-windows-gnu }} | |
${{ needs.build.outputs.slsa-attestation-subject-hashes-x86_64-apple-darwin }} | |
${{ needs.build.outputs.slsa-attestation-subject-hashes-aarch64-apple-darwin }} | |
${{ needs.build.outputs.slsa-attestation-subject-hashes-universal-apple-darwin }} | |
ATTESTATION_SUBJECTS | |
) | |
echo "$ATTESTATION_SUBJECTS" | |
echo "merged-subjects=$ATTESTATION_SUBJECTS" >> "$GITHUB_OUTPUT" | |
build-slsa-provenance: | |
name: Generate SLSA v1.0 build L3 provenance data | |
needs: merge-slsa-attestation-subjects-data | |
permissions: | |
contents: write | |
actions: read | |
id-token: write | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
with: | |
base64-subjects: ${{ needs.merge-slsa-attestation-subjects-data.outputs.subject-hashes }} | |
provenance-name: binary_provenance.intoto.jsonl |