diff --git a/.github/workflows/README.md b/.github/workflows/README.md
new file mode 100644
index 000000000000..215994d46347
--- /dev/null
+++ b/.github/workflows/README.md
@@ -0,0 +1,87 @@
+Documents the various GitHub Actions workflows, the role they fulfil and 3rd party dependencies if any.
+
+# Backport
+
+Attempts to auto-open backport PRs from main to LTS branch(es) whenever possible. This works well in the absence of conflicts, typically early on during the life of an LTS, and less well later. The alternatives are running the backport tool manually, or cherry picking commits.
+Triggered when the label `auto-backport` is applied to a PR, along with the `X.*-todo` label to set the target branch.
+
+File: `backport.yml`
+3rd party dependencies: `sorenlouv/backport-github-action@main`
+
+# Bencher
+
+Builds and runs CCF performance tests, both end to end and micro-benchmarks. Results are posted to bencher.dev, and [plotted to make regressions obvious](https://bencher.dev/console/projects/ccf/plots).
+Triggered on every commit on `main`, but not on PR builds because the setup required to build from forks is complex and fragile in terms of security, and the increase in pool usage would be substantial.
+
+File: `bencher.yml`
+3rd party dependencies: `bencherdev/bencher@main`
+
+# CI Containers GHCR
+
+Produces the build images used by nearly all other actions, particularly CI and release from 5.0.0-rc0 onwards. Complete images are attested and published to GHCR.
+Triggered on label creation (`build/*`).
+
+File: `ci-containers-ghcr.yml`
+3rd party dependencies:
+
+- `docker/login-action@v3`
+- `docker/metadata-action@v5`
+- `docker/build-push-action@v6`
+
+# CI
+
+Main continuous integration job. Builds CCF for all target platforms, runs unit, end to end and partition tests for SGX and Virtual. Run on every commit, including PRs from forks, gates merging.
+
+File: `ci.yml`
+3rd party dependencies: None
+
+# CodeQL analysis
+
+Builds CCF with CodeQL, and runs the security-extended checks. Triggered on every commit on main, plus PRs that affect ".github/workflows/codeql-analysis.yml".
+
+File: `codeql-analysis.yml`
+3rd party dependencies: None
+
+# Release
+
+Produces CCF release artefacts from 5.0.0-rc0 onwards, for all languages and platforms. Triggered on tag matching "ccf-5.\*". The output of the job is a draft release, which needs to be published manually. Publishing triggers the downstream jobs listed below.
+
+File: `release.yml`
+3rd party dependencies: None
+
+# Containers GHCR
+
+Produces reference release images from 5.0.0-rc0 onwards. Complete images are attested and published to GHCR. Triggered on release publishing.
+
+File: `containers-ghcr.yml`
+3rd party dependencies:
+
+- `docker/login-action@v3`
+- `docker/metadata-action@v5`
+- `docker/build-push-action@v6`
+
+# NPM
+
+Publishes ccf-app TS package from a GitHub release to NPM. Triggered on release publishing.
+
+File: `npm.yml`
+3rd party dependencies: None
+
+# PyPI
+
+Publishes ccf Python package from a GitHub release to PyPI. Triggered on release publishing.
+
+File: `pypi.yml`
+3rd party dependencies: None
+
+# Deprecated
+
+The following pipelines are still here to support 4.x, but will be removed when it reaches EOL.
+
+## CI containers ACR/MCR
+
+File: `ci-containers.yml`
+
+## Release containers ACR/MCR
+
+File: `containers.yml`
diff --git a/.github/workflows/ci-checks.yml b/.github/workflows/ci-checks.yml
deleted file mode 100644
index 10c322b4851d..000000000000
--- a/.github/workflows/ci-checks.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-name: "Format and License Checks"
-
-on:
-  push:
-    branches: [main]
-  pull_request:
-    branches: [main]
-  workflow_dispatch:
-
-permissions: read-all
-
-jobs:
-  checks:
-    runs-on: ubuntu-latest
-    container: ccfmsrc.azurecr.io/ccf/ci:2024-06-26-virtual-clang15
-
-    steps:
-      - run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
-
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
-      - run: ./scripts/ci-checks.sh
diff --git a/.github/workflows/build.yml b/.github/workflows/ci.yml
similarity index 90%
rename from .github/workflows/build.yml
rename to .github/workflows/ci.yml
index faf05ad0e4bc..b8ae4aba3bf2 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/ci.yml
@@ -13,8 +13,20 @@ permissions:
   checks: write
 
 jobs:
+  checks:
+    name: "Format and License Checks"
+    runs-on: ubuntu-latest
+    container: ghcr.io/microsoft/ccf/ci/default:build-26-06-2024
+
+    steps:
+      - run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - run: ./scripts/ci-checks.sh
+
   build_and_test:
     name: CI
+    needs: checks
     strategy:
       matrix:
         platform:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 53b2a077c54c..b3ecc8a9f747 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -22,7 +22,7 @@ jobs:
     # Insufficient space to run on public runner, so use custom pool
     runs-on: [self-hosted, 1ES.Pool=gha-virtual-ccf-sub]
     container:
-      image: ccfmsrc.azurecr.io/ccf/ci:2024-06-26-virtual-clang15
+      image: ghcr.io/microsoft/ccf/ci/default:build-26-06-2024
       options: --user root
 
     permissions:
diff --git a/.github/workflows/daily-check.yml b/.github/workflows/daily-check.yml
deleted file mode 100644
index a48d4ed215eb..000000000000
--- a/.github/workflows/daily-check.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-name: "Daily Build Status"
-
-on:
-  push:
-    branches: [main]
-  pull_request:
-  workflow_dispatch:
-  merge_group:
-
-permissions: read-all
-
-jobs:
-  daily:
-    name: Check Daily Build status
-    runs-on: ubuntu-latest
-
-    steps:
-      - run: |
-          curl -s https://dev.azure.com/MSRC-CCF/CCF/_apis/build/status/CCF%20GitHub%20Daily?branchName=main | grep succeeded
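Review bot: The new `checks` job in the ci.yml hunk declares no job-level `permissions:`, so it inherits the workflow-level grant, which the hunk's context shows includes `checks: write`, whereas the standalone ci-checks.yml it replaces ran under `permissions: read-all`. Since the job only checks out the tree and runs `./scripts/ci-checks.sh`, add `permissions:` / `contents: read` directly under `checks:` so its token stays read-only. Separately, the container image `ghcr.io/microsoft/ccf/ci/default:build-26-06-2024` is referenced by a mutable tag here and in the codeql-analysis.yml hunk; pinning by digest (`image@sha256:<digest-placeholder>`) would make the build environment reproducible and tamper-evident, and the same applies to `actions/checkout@v4`. Note also that `needs: checks` now serialises the format checks ahead of `build_and_test`, so a formatting failure blocks the whole build matrix rather than reporting alongside it; worth confirming that is intended.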