Security + Codecov CI updates #694
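name: CI

# Triggers: manual dispatch, reuse from another workflow, pushes to main, and
# every pull request.
# NOTE(review): the input description says an omitted version falls back to
# "commit-$shortSHA-SNAPSHOT", but the workflow_dispatch default below is
# non-empty, so a manual run without a version resolves to "0.0.0-SNAPSHOT".
on:
  workflow_dispatch:
    inputs:
      version:
        description: 'Version of Kotlin binary to publish to TBD Artifactory. For example "1.0.0" will result in "1.0.0-SNAPSHOT". If not supplied, will default to "commit-$shortSHA-SNAPSHOT" where $shortSHA is the shortform commit SHA.'
        required: false
        default: "0.0.0-SNAPSHOT"
  workflow_call:
    inputs:
      version:
        description: 'Version of Kotlin binary to publish to TBD Artifactory. For example "1.0.0" will result in "1.0.0-SNAPSHOT". If not supplied, will default to "commit-$shortSHA-SNAPSHOT" where $shortSHA is the shortform commit SHA.'
        required: true
        type: string
  push:
    branches:
      - main
  pull_request:

# Least privilege for the automatically issued GITHUB_TOKEN: the visible steps
# only check out code, move artifacts and use externally supplied secrets, so
# read access to repository contents is sufficient. Widen per job if a step
# turns out to need more.
permissions:
  contents: read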
# Workflow-level environment; applies to every job and step unless a step
# sets the same variable itself (the `test` job overrides RUSTFLAGS).
env:
  CARGO_TERM_COLOR: always
  # Make sure CI fails on all warnings, including Clippy lints
  RUSTFLAGS: "-Dwarnings"
  WEB5_SDK_LOG_LEVEL: debug
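# NOTE(review): on this page the refs of most artifact upload/download steps
# were rendered as "actions/[email protected]" (obfuscated by the page renderer).
# The action names below are inferred from each step's name and inputs; the
# version is not recoverable from the page, so REF_OBSCURED_ON_PAGE marks each
# spot. Restore the original ref, and keep upload and download steps on the
# same major version so the artifacts stay compatible.
#
# NOTE(review): only codecov/codecov-action is pinned to a full commit SHA.
# The other actions are referenced by mutable tags; pinning them the same way
# (third-party ones such as cashapp/activate-hermit first) closes the same
# supply-chain gap.
jobs:
  # Runs the repository's `just lint` recipe with the Hermit-managed toolchain.
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Init Hermit
        uses: cashapp/activate-hermit@v1
        with:
          cache: true
      - name: Lint
        run: just lint

  # Verifies the minimum supported Rust version declared for crates/web5.
  msrv:
    strategy:
      matrix:
        os: [ubuntu-latest]
        # Declared but not referenced by any step visible in this job.
        rust: [stable]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: true
      - name: Init Hermit
        uses: cashapp/activate-hermit@v1
        with:
          cache: true
      - name: Setup
        run: just setup
      # NOTE(review): installs whichever cargo-msrv release is current when the
      # job runs; consider pinning a version and using `--locked` so the tool
      # and its dependency tree are reproducible.
      - name: Install MSRV
        run: cargo install cargo-msrv
      - name: MSRV
        run: cargo msrv --path crates/web5/ verify

  # Runs the web5 crate tests on all three OS families with coverage
  # instrumentation, then uploads to Codecov.
  test:
    strategy:
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: true
      - name: Install Rust 1.74.0
        run: rustup toolchain install 1.74.0
      - name: Set Rust 1.74.0 as default
        run: rustup default 1.74.0
      # NOTE(review): grcov is installed here but not invoked by any visible
      # step, so the .profraw files are not converted into a report before the
      # Codecov upload - confirm the upload finds coverage data.
      # NOTE(review): `cargo install grcov` is unpinned; same reproducibility
      # concern as cargo-msrv above.
      - name: Test
        run: |
          rustup component add llvm-tools-preview
          cargo install grcov
          cargo test --package web5
        env:
          # Replaces the workflow-level "-Dwarnings" for this step.
          RUSTFLAGS: -Cinstrument-coverage
          LLVM_PROFILE_FILE: web5-rs-%p-%m.profraw
      # Pinned to a full commit SHA; the trailing comment records the tag.
      - name: Upload test coverage to Codecov
        uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

  # The five build_* jobs each produce one native library and publish it as a
  # named artifact that the Kotlin jobs download by the same name.
  # checkout is aligned to v4, the version the rest of this workflow uses.
  build_aarch64_apple_darwin:
    runs-on: macos-latest
    name: Build aarch64-apple-darwin target
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust 1.74.0
        run: rustup toolchain install 1.74.0
      - name: Set Rust 1.74.0 as default
        run: rustup default 1.74.0
      - name: Run Build Script
        run: |
          cd bindings/web5_uniffi/libtargets/aarch64_apple_darwin
          ./build
      - name: Upload .dylib
        uses: actions/upload-artifact@REF_OBSCURED_ON_PAGE
        with:
          name: aarch64-apple-darwin-dylib
          path: bound/kt/src/main/resources/libweb5_uniffi_aarch64_apple_darwin.dylib

  build_x86_64_apple_darwin:
    runs-on: macos-12
    name: Build x86_64-apple-darwin target
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust 1.74.0
        run: rustup toolchain install 1.74.0
      - name: Set Rust 1.74.0 as default
        run: rustup default 1.74.0
      - name: Run Build Script
        run: |
          cd bindings/web5_uniffi/libtargets/x86_64_apple_darwin
          ./build
      - name: Upload .dylib
        uses: actions/upload-artifact@REF_OBSCURED_ON_PAGE
        with:
          name: x86_64-apple-darwin-dylib
          path: bound/kt/src/main/resources/libweb5_uniffi_x86_64_apple_darwin.dylib

  # No explicit toolchain install here: the build script is the only step that
  # runs, so it must bring or find its own toolchain.
  build_x86_64_unknown_linux_gnu:
    runs-on: ubuntu-latest
    name: Build x86_64-unknown-linux-gnu target
    steps:
      - uses: actions/checkout@v4
      - name: Run Build Script
        run: |
          cd bindings/web5_uniffi/libtargets/x86_64_unknown_linux_gnu
          ./build
      - name: Upload .so
        uses: actions/upload-artifact@REF_OBSCURED_ON_PAGE
        with:
          name: x86_64-unknown-linux-gnu-so
          path: bound/kt/src/main/resources/libweb5_uniffi_x86_64_unknown_linux_gnu.so

  build_x86_64_unknown_linux_musl:
    runs-on: ubuntu-latest
    name: Build x86_64-unknown-linux-musl target
    steps:
      - uses: actions/checkout@v4
      - name: Run Build Script
        run: |
          cd bindings/web5_uniffi/libtargets/x86_64_unknown_linux_musl
          ./build
      - name: Upload .so
        uses: actions/upload-artifact@REF_OBSCURED_ON_PAGE
        with:
          name: x86_64-unknown-linux-musl-so
          path: bound/kt/src/main/resources/libweb5_uniffi_x86_64_unknown_linux_musl.so

  build_x86_64_pc_windows_msvc:
    runs-on: windows-latest
    name: Build x86_64-pc-windows-msvc target
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust 1.74.0
        run: rustup toolchain install 1.74.0
      - name: Set Rust 1.74.0 as default
        run: rustup default 1.74.0
      - name: Add MSVC target
        run: rustup target add x86_64-pc-windows-msvc
      - name: Build the library
        run: |
          cargo build --target x86_64-pc-windows-msvc --release --package web5_uniffi
          mkdir -p bound/kt/src/main/resources/
          cp target/x86_64-pc-windows-msvc/release/web5_uniffi.dll bound/kt/src/main/resources/web5_uniffi_x86_64_pc_windows_msvc.dll
      - name: Upload .dll
        uses: actions/upload-artifact@REF_OBSCURED_ON_PAGE
        with:
          name: x86_64-pc-windows-msvc-dll
          path: bound/kt/src/main/resources/web5_uniffi_x86_64_pc_windows_msvc.dll

  # Runs the Kotlin binding tests on every OS in the matrix, with all five
  # native libraries placed into the resources directory first.
  kotlin-acceptance-testing:
    needs:
      - build_aarch64_apple_darwin
      - build_x86_64_apple_darwin
      - build_x86_64_unknown_linux_gnu
      - build_x86_64_unknown_linux_musl
      - build_x86_64_pc_windows_msvc
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [ubuntu-latest, macos-latest, macos-12, windows-latest]
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: true
      - name: Set up JDK 11
        uses: actions/setup-java@v3
        with:
          distribution: "adopt"
          java-version: "11"
      # Cache Maven repo
      - uses: actions/cache@v3
        with:
          path: ~/.m2/repository
          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
          restore-keys: |
            ${{ runner.os }}-maven-
      # Package up the native binaries
      # TODO Centralize this block as we re-use it via copy/paste right now
      - name: Download MacOS aarch64 Native Library
        uses: actions/download-artifact@REF_OBSCURED_ON_PAGE
        with:
          name: aarch64-apple-darwin-dylib
          path: bound/kt/src/main/resources/
      - name: Download MacOS x86_64 Native Library
        uses: actions/download-artifact@REF_OBSCURED_ON_PAGE
        with:
          name: x86_64-apple-darwin-dylib
          path: bound/kt/src/main/resources/
      - name: Download Linux x86_64 GNU Native Library
        uses: actions/download-artifact@REF_OBSCURED_ON_PAGE
        with:
          name: x86_64-unknown-linux-gnu-so
          path: bound/kt/src/main/resources/
      - name: Download Linux x86_64 MUSL Native Library
        uses: actions/download-artifact@REF_OBSCURED_ON_PAGE
        with:
          name: x86_64-unknown-linux-musl-so
          path: bound/kt/src/main/resources/
      - name: Download Windows x86_64 MSVC Native Library
        uses: actions/download-artifact@REF_OBSCURED_ON_PAGE
        with:
          name: x86_64-pc-windows-msvc-dll
          path: bound/kt/src/main/resources/
      - name: Run Maven Tests
        run: |
          cd bound/kt/
          mvn test --batch-mode
      - name: Upload test coverage to Codecov
        uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

  # Resolves a SNAPSHOT version, then deploys to Artifactory when credentials
  # are available and otherwise only runs `mvn verify`.
  # NOTE(review): the job has no `if:` guard and the workflow also triggers on
  # pull_request, so a run that has the Artifactory secrets reaches
  # `mvn deploy` for pull requests too - confirm that is intended.
  kotlin-deploy-snapshot:
    needs:
      - kotlin-acceptance-testing
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: true
      - name: Set up JDK 11
        uses: actions/setup-java@v3
        with:
          distribution: "adopt"
          java-version: "11"
      # Cache Maven repo
      - uses: actions/cache@v3
        with:
          path: ~/.m2/repository
          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
          restore-keys: |
            ${{ runner.os }}-maven-
      - name: Resolve Snapshot Version
        id: resolve_version
        # The caller-supplied version reaches the script through an
        # environment variable instead of being expanded into the script text,
        # so its contents are data to the shell and cannot alter the commands.
        # NOTE(review): for workflow_call runs the declared input is exposed
        # through the `inputs` context; confirm `github.event.inputs.version`
        # carries the expected value in that case.
        env:
          INPUT_VERSION: ${{ github.event.inputs.version }}
        run: |
          # Version resolution: use the provided version, adding -SNAPSHOT if missing
          if [ -n "$INPUT_VERSION" ]; then
            if [[ "$INPUT_VERSION" != *-SNAPSHOT ]]; then
              resolvedVersion="${INPUT_VERSION}-SNAPSHOT"
            else
              resolvedVersion="$INPUT_VERSION"
            fi
          # Otherwise, construct a version for deployment in form commit-$shortSHA-SNAPSHOT
          else
            longSHA=$(git rev-parse --verify HEAD)
            shortSHA=$(echo "${longSHA:0:7}")
            resolvedVersion="commit-$shortSHA-SNAPSHOT"
            echo "Requesting deployment as version: $resolvedVersion"
          fi
          # The value is written to the step outputs and later passed to Maven;
          # reject anything outside a conservative version character set.
          if [[ ! "$resolvedVersion" =~ ^[A-Za-z0-9._+-]+$ ]]; then
            echo "::error::Resolved version contains unexpected characters"
            exit 1
          fi
          echo "Resolved SNAPSHOT Version: $resolvedVersion"
          echo "resolved_version=$resolvedVersion" >> "$GITHUB_OUTPUT"
      # Package up the native binaries
      # TODO Centralize this block as we re-use it via copy/paste right now
      - name: Download MacOS aarch64 Native Library
        uses: actions/download-artifact@REF_OBSCURED_ON_PAGE
        with:
          name: aarch64-apple-darwin-dylib
          path: bound/kt/src/main/resources/
      - name: Download MacOS x86_64 Native Library
        uses: actions/download-artifact@REF_OBSCURED_ON_PAGE
        with:
          name: x86_64-apple-darwin-dylib
          path: bound/kt/src/main/resources/
      - name: Download Linux x86_64 GNU Native Library
        uses: actions/download-artifact@REF_OBSCURED_ON_PAGE
        with:
          name: x86_64-unknown-linux-gnu-so
          path: bound/kt/src/main/resources/
      - name: Download Linux x86_64 MUSL Native Library
        uses: actions/download-artifact@REF_OBSCURED_ON_PAGE
        with:
          name: x86_64-unknown-linux-musl-so
          path: bound/kt/src/main/resources/
      - name: Download Windows x86_64 MSVC Native Library
        uses: actions/download-artifact@REF_OBSCURED_ON_PAGE
        with:
          name: x86_64-pc-windows-msvc-dll
          path: bound/kt/src/main/resources/
      - name: Deploy Snapshot / Verify
        run: |
          # cd into the Kotlin project
          cd bound/kt/
          # Set newly resolved version in POM config
          mvn \
            versions:set \
            --batch-mode \
            -DnewVersion="$RESOLVED_VERSION"
          # Only attempt to publish artifact if we have credentials.
          # Test the environment variable; the secret itself is never expanded
          # into the script text.
          if [ -n "$ARTIFACTORY_PASSWORD" ]; then
            # Maven deploy lifecycle will build, run tests, verify, sign, and deploy
            mvn deploy --batch-mode --settings .maven_settings.xml -P sign-artifacts
          else
            # Otherwise, Maven verify lifecycle will build, run tests, and verify
            mvn verify --batch-mode
          fi
        env:
          RESOLVED_VERSION: ${{ steps.resolve_version.outputs.resolved_version }}
          ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }}
          ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }}
          SIGN_KEY_PASS: ${{ secrets.GPG_SECRET_PASSPHRASE }}
          SIGN_KEY: ${{ secrets.GPG_SECRET_KEY }}
      - name: Upload Kotlin Test Vector Results
        uses: actions/upload-artifact@REF_OBSCURED_ON_PAGE
        with:
          name: kotlin-test-results
          path: bound/kt/target/surefire-reports/*.xml

  # Runs the Rust test-vector tests through nextest and publishes the JUnit
  # report as an artifact.
  rust-test-vectors:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: true
      - name: Install Rust 1.75.0
        run: rustup toolchain install 1.75.0
      - name: Set Rust 1.75.0 as default
        run: rustup default 1.75.0
      # NOTE(review): unpinned `cargo install`; same reproducibility concern as
      # the other tool installs in this workflow.
      - name: Install Nextest
        run: cargo install cargo-nextest
      - name: Create nextest.toml
        run: |
          echo '[profile.ci.junit]' > nextest.toml
          echo 'path = "junit.xml"' >> nextest.toml
          echo 'store-success-output = true' >> nextest.toml
          echo 'store-failure-output = true' >> nextest.toml
      - name: Run Rust Tests
        run: |
          mkdir -p test-results
          cargo nextest run --profile ci --config-file ./nextest.toml -E 'test(test_vectors::)'
      # `sed -i ''` is the BSD form of in-place editing, matching the macOS runner.
      - name: Modify testsuite name in XML for test runner consumption
        run: |
          sed -i '' 's/<testsuite name="web5"/<testsuite name="Web5TestVectorsProtocolTest"/' target/nextest/ci/junit.xml
      - name: Move Test Results
        run: mv target/nextest/ci/junit.xml test-results/rust-test-results.xml
      - name: Upload Rust Test Vector Results
        uses: actions/upload-artifact@v3
        with:
          name: rust-test-results
          path: test-results/rust-test-results.xml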