Build a website. #13084
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Part of the Carbon Language project, under the Apache License v2.0 with LLVM | |
# Exceptions. See /LICENSE for license information. | |
# SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception | |
name: Tests | |
on: | |
push: | |
branches: [trunk, action-test] | |
pull_request: | |
merge_group: | |
permissions: | |
contents: read # For actions/checkout. | |
pull-requests: read # For dorny/paths-filter to read pull requests. | |
# Cancel previous workflows on the PR when there are multiple fast commits. | |
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#concurrency | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.head_ref || github.ref }} | |
cancel-in-progress: true | |
jobs: | |
test: | |
strategy: | |
matrix: | |
# On PRs and in the merge queue test a recent version of each supported | |
# OS. On push (post-submit), also run on `macos-12` to get Intel macOS | |
# coverage. | |
runner: | |
${{ fromJSON(github.event_name != 'push' && '["ubuntu-22.04", | |
"macos-14"]' || '["ubuntu-22.04", "macos-14", "macos-12"]') }} | |
build_mode: [fastbuild, opt] | |
include: | |
# The clang-tidy config doesn't work on macos (missing `truncate`). | |
- runner: ubuntu-22.04 | |
build_mode: clang-tidy | |
runs-on: ${{ matrix.runner }} | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 | |
with: | |
egress-policy: block | |
# When adding endpoints, see README.md. | |
# prettier-ignore | |
allowed-endpoints: > | |
*.dl.sourceforge.net:443 | |
api.github.com:443 | |
bcr.bazel.build:443 | |
downloads.sourceforge.net:443 | |
github.com:443 | |
mirrors.kernel.org:443 | |
nodejs.org:443 | |
oauth2.googleapis.com:443 | |
objects.githubusercontent.com:443 | |
pypi.org:443 | |
releases.bazel.build:443 | |
sourceforge.net:443 | |
storage.googleapis.com:443 | |
# Checkout the pull request head or the branch. | |
- name: Checkout pull request | |
if: github.event_name == 'pull_request' | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
ref: ${{ github.event.pull_request.head.sha }} | |
- name: Checkout branch | |
if: github.event_name != 'pull_request' | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
# Tests should only run on applicable paths, but we still need to have an | |
# action run for the merge queue. We filter steps based on the paths here, | |
# and condition steps on the output. | |
- id: filter | |
uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 | |
with: | |
filters: | | |
has_code: | |
- '!{**/*.md,LICENSE,CODEOWNERS,.git*}' | |
# Disable uploads when the remote cache is read-only. | |
- name: Set up remote cache access (read-only) | |
if: | |
steps.filter.outputs.has_code == 'true' && github.event_name == | |
'pull_request' | |
run: | | |
echo "remote_cache_upload=--remote_upload_local_results=false" \ | |
>> $GITHUB_ENV | |
# Provide a cache key when the remote cache is read-write. | |
- name: Set up remote cache access (read-write) | |
if: | |
steps.filter.outputs.has_code == 'true' && github.event_name != | |
'pull_request' | |
env: | |
REMOTE_CACHE_KEY: ${{ secrets.CARBON_BUILDS_GITHUB }} | |
run: | | |
echo "$REMOTE_CACHE_KEY" | base64 -d > $HOME/remote_cache_key.json | |
echo "remote_cache_upload=--google_credentials=$HOME/remote_cache_key.json" \ | |
>> $GITHUB_ENV | |
- uses: ./.github/actions/build-setup-common | |
if: steps.filter.outputs.has_code == 'true' | |
with: | |
matrix_runner: ${{ matrix.runner }} | |
remote_cache_upload: ${{ env.remote_cache_upload }} | |
# Just for visibility, print space before and after the build. | |
- name: Disk space before build | |
if: steps.filter.outputs.has_code == 'true' | |
run: df -h | |
- name: Verify MODULE.bazel.lock | |
if: steps.filter.outputs.has_code == 'true' | |
run: | | |
exit_code=0 | |
./scripts/run_bazel.py \ | |
--attempts=5 \ | |
mod deps --lockfile_mode=error || exit_code=$? | |
if (( $exit_code != 0 )); then | |
./scripts/run_bazel.py \ | |
--attempts=5 \ | |
mod deps --lockfile_mode=update | |
echo "MODULE.bazel.lock is out of date! Use below file for update." | |
echo "Platforms may require merging output, for example by applying" | |
echo "an update, re-running triggers, and applying the next update." | |
echo "============================================================" | |
cat MODULE.bazel.lock | |
echo "============================================================" | |
exit 1 | |
fi | |
# Build and run all targets on branch pushes to ensure we always have a | |
# clean tree. We don't expect this to be an interactive path and so don't | |
# optimize the latency of this step. | |
- name: Compute impacted pull request targets (for push) | |
if: | |
steps.filter.outputs.has_code == 'true' && github.event_name == 'push' | |
env: | |
TARGETS_FILE: ${{ runner.temp }}/targets | |
run: | | |
echo "//..." >$TARGETS_FILE | |
# Compute the set of possible rules impacted by this change using | |
# Bazel-based diffing. This lets PRs and the merge queue have a much more | |
# efficient test CI action by avoiding even enumerating (and downloading) | |
# all of the unaffected Bazel targets. | |
- name: Compute impacted pull request targets | |
if: | |
steps.filter.outputs.has_code == 'true' && github.event_name != 'push' | |
env: | |
# Compute the base SHA from the different event structures. | |
GIT_BASE_SHA: | |
${{ github.event_name == 'pull_request' && | |
github.event.pull_request.base.sha || | |
github.event.merge_group.base_sha }} | |
TARGETS_FILE: ${{ runner.temp }}/targets | |
run: | | |
# First fetch the relevant base into the git repository. | |
git fetch --depth=1 origin $GIT_BASE_SHA | |
# Then use `target-determinator` as wrapped by our script. | |
./scripts/target_determinator.py $GIT_BASE_SHA >$TARGETS_FILE | |
# Bazel requires a test target to run the test command. There may be | |
# no targets or there may only be non-test targets that we want to | |
# build, so simply inject an explicit no-op test target. | |
echo "//scripts:no_op_test" >> $TARGETS_FILE | |
# Build and run just the tests impacted by the PR or merge group. | |
- name: Test (${{ matrix.build_mode }}) | |
if: | |
steps.filter.outputs.has_code == 'true' && matrix.build_mode != | |
'clang-tidy' | |
env: | |
# 'libtool_check_unique failed to generate' workaround. | |
# https://github.com/bazelbuild/bazel/issues/14113#issuecomment-999794586 | |
BAZEL_USE_CPP_ONLY_TOOLCHAIN: 1 | |
TARGETS_FILE: ${{ runner.temp }}/targets | |
run: | | |
# Decrease the jobs sharply if we see repeated failures to try to | |
# work around transient network errors even if it makes things | |
# slower. | |
./scripts/run_bazel.py \ | |
--attempts=5 --jobs-on-last-attempt=4 \ | |
test -c ${{ matrix.build_mode }} \ | |
--target_pattern_file=$TARGETS_FILE | |
# Run in the clang-tidy config. This is done as part of tests so that we | |
# aren't duplicating bazel/llvm setup. | |
# | |
# The `-k` flag is used to print all clang-tidy errors. | |
- name: clang-tidy | |
if: | |
steps.filter.outputs.has_code == 'true' && matrix.build_mode == | |
'clang-tidy' | |
env: | |
TARGETS_FILE: ${{ runner.temp }}/targets | |
run: | | |
./scripts/run_bazel.py \ | |
--attempts=5 \ | |
build --config=clang-tidy -k \ | |
--target_pattern_file=$TARGETS_FILE | |
# See "Disk space before build". | |
- name: Disk space after build | |
if: steps.filter.outputs.has_code == 'true' | |
run: df -h |