
Clean up asset_util interface #10241

Workflow file for this run

# CI for the canister code: docker builds of the wasm in several flavors,
# Rust integration tests, selenium end-to-end tests, and the tag-triggered
# deploy and release jobs. The wasm produced by the docker builds is reused by
# the later jobs; see the `docker-build-...` jobs for the individual flavors.
#
# NOTE(review): no `permissions:` key appears in this workflow, so every job
# runs with the repository's default GITHUB_TOKEN scopes. Confirm that default
# is read-only and grant write scopes only on the jobs that need them.
# NOTE(review): actions are referenced by mutable tags (`@v2`, `@v3`, `@v6`).
# Pinning each `uses:` to a full commit SHA keeps a retagged upstream release
# from changing what runs next to the deploy key and the release token.
name: Canister tests
on:
  push:
jobs:
#####################
# The docker builds #
#####################
# Builds the `deps` stage of the Dockerfile (the image shared by all builds,
# containing pre-built rust deps) and stores it in the GitHub Actions cache
# under scope `cached-stage`. Nothing is exported (`outputs: type=cacheonly`).
#
# NOTE(review): the later docker builds, the production one included, read
# this cache scope through `cache-from`, so the cache is an input of the
# production artifact. `verify-clean-build-hash` compares that artifact with
# the `clean-build` output, which gives an independent check on it.
docker-build-base:
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v3

    # buildx provides the `type=gha` cache backend used below. Background:
    # https://github.com/docker/build-push-action/issues/539
    - name: 'Set up docker buildx'
      uses: docker/setup-buildx-action@v2

    - name: 'Build base Docker image'
      uses: docker/build-push-action@v3
      with:
        context: .
        file: Dockerfile
        target: deps
        outputs: type=cacheonly
        cache-from: type=gha,scope=cached-stage
        cache-to: type=gha,scope=cached-stage,mode=max
# Builds the non-production flavors of internet_identity.wasm.gz, one matrix
# entry per flavor, prints each sha256 and uploads the file under its asset
# name.
#
# NOTE(review): both flavors switch on II_* build flags whose names indicate
# relaxed checks (dummy captcha, dummy auth, insecure requests). They are test
# and developer artifacts; the `deploy` job in this file installs only the
# production build. Keep it that way when artifact names are changed.
docker-build-ii:
  runs-on: ubuntu-latest
  needs: docker-build-base
  strategy:
    # NOTE: the 'name' in the matrix should match the asset filename, because
    # .github/actions/release uses it to figure out the job ID.
    #
    # NOTE: if you modify the flavors, update the #flavors table in README.md
    matrix:
      include:
        # The production build is built later because it depends on the dev
        # build (for dfx deps).
        # See job: docker-build-internet_identity_production

        # No captcha and fetching the root key, used in (our) tests, backend
        # and selenium.
        - name: internet_identity_test.wasm.gz
          II_FETCH_ROOT_KEY: 1
          II_DUMMY_CAPTCHA: 1
          II_DUMMY_AUTH: 0
          II_INSECURE_REQUESTS: 0

        # Everything disabled, used by third party developers who only care
        # about the login flow
        - name: internet_identity_dev.wasm.gz
          II_FETCH_ROOT_KEY: 1
          II_DUMMY_CAPTCHA: 1
          II_DUMMY_AUTH: 1
          II_INSECURE_REQUESTS: 1
  steps:
    - uses: actions/checkout@v3

    # Exposes the output of ./scripts/version as `steps.version.outputs.version`.
    - name: 'Infer version'
      id: version
      run: |
        version="$(./scripts/version)"
        echo "Inferred version: '$version'"
        echo "version=$version" >> "$GITHUB_OUTPUT"

    # The metadata is written to GITHUB_OUTPUT as a single `key=value` line.
    # NOTE(review): that form assumes the JSON contains no newline; confirm
    # against ./scripts/dfx-metadata.
    - name: 'Create dfx metadata for the dfx deps feature'
      id: dfx-metadata
      run: |
        dfx_metadata_json="$(./scripts/dfx-metadata --asset-name ${{ matrix.name }} )"
        echo "using dfx metadata $dfx_metadata_json"
        echo "metadata=$dfx_metadata_json" >> "$GITHUB_OUTPUT"

    - name: 'Set up docker buildx'
      uses: docker/setup-buildx-action@v2

    - name: Build ${{ matrix.name }}
      uses: docker/build-push-action@v3
      with:
        context: .
        file: Dockerfile
        target: scratch_internet_identity
        build-args: |
          II_FETCH_ROOT_KEY=${{ matrix.II_FETCH_ROOT_KEY }}
          II_DUMMY_AUTH=${{ matrix.II_DUMMY_AUTH }}
          II_DUMMY_CAPTCHA=${{ matrix.II_DUMMY_CAPTCHA }}
          II_INSECURE_REQUESTS=${{ matrix.II_INSECURE_REQUESTS }}
          II_VERSION=${{ steps.version.outputs.version }}
          DFX_METADATA=${{ steps.dfx-metadata.outputs.metadata }}
        cache-from: type=gha,scope=cached-stage
        # Exports the artefacts from the final stage
        outputs: ./out

    - run: mv out/internet_identity.wasm.gz ${{ matrix.name }}

    # The hash is printed to the job log so the artifact can be compared later.
    - run: sha256sum ${{ matrix.name }}

    - name: 'Upload ${{ matrix.name }}'
      uses: actions/upload-artifact@v3
      with:
        # name is the name used to display and retrieve the artifact
        name: ${{ matrix.name }}
        # path is the name used as the file to upload and the name of the
        # file when downloaded
        path: ${{ matrix.name }}
# Builds the production version of internet identity.
# It is built separately because it depends on the dev build (for dfx deps):
# the sha256 of internet_identity_dev.wasm.gz goes into the dfx metadata.
#
# Note: do not rename this job. Its name has to contain the file name of the
# produced asset (without extension) for the release script action to work.
#
# NOTE(review): no II_* feature flag is passed here, so the Dockerfile
# defaults decide them; confirm those defaults are the hardened values.
docker-build-internet_identity_production:
  runs-on: ubuntu-latest
  needs: docker-build-ii
  steps:
    - uses: actions/checkout@v3

    - name: 'Infer version'
      id: version
      run: |
        version="$(./scripts/version)"
        echo "Inferred version: '$version'"
        echo "version=$version" >> "$GITHUB_OUTPUT"

    - name: 'Download dev build II wasm.gz'
      uses: actions/download-artifact@v3
      with:
        name: internet_identity_dev.wasm.gz
        path: .

    # Hashes the dev build downloaded above and hands the digest to
    # ./scripts/dfx-metadata through --wasm-hash.
    - name: 'Create dfx metadata for the dfx deps feature'
      id: dfx-metadata
      run: |
        sha256="$(shasum -a 256 ./internet_identity_dev.wasm.gz | cut -d ' ' -f1)"
        dfx_metadata_json="$(./scripts/dfx-metadata --asset-name internet_identity_dev.wasm.gz --wasm-hash $sha256)"
        echo "using dfx metadata $dfx_metadata_json"
        echo "metadata=$dfx_metadata_json" >> "$GITHUB_OUTPUT"

    - name: 'Set up docker buildx'
      uses: docker/setup-buildx-action@v2

    - name: 'Build internet_identity_production.wasm.gz'
      uses: docker/build-push-action@v3
      with:
        context: .
        file: Dockerfile
        target: scratch_internet_identity
        build-args: |
          II_VERSION=${{ steps.version.outputs.version }}
          DFX_METADATA=${{ steps.dfx-metadata.outputs.metadata }}
        cache-from: type=gha,scope=cached-stage
        # Exports the artefacts from the final stage
        outputs: ./out

    - run: mv out/internet_identity.wasm.gz internet_identity_production.wasm.gz

    # Printed so the production hash is visible in the job log.
    - run: sha256sum internet_identity_production.wasm.gz

    - name: 'Upload internet_identity_production.wasm.gz'
      uses: actions/upload-artifact@v3
      with:
        # name is the name used to display and retrieve the artifact
        name: internet_identity_production.wasm.gz
        # path is the name used as the file to upload and the name of the
        # file when downloaded
        path: internet_identity_production.wasm.gz
# Builds the archive canister from the `scratch_archive` Dockerfile target,
# prints its sha256 and uploads it as archive.wasm.gz.
docker-build-archive:
  runs-on: ubuntu-latest
  needs: docker-build-base
  steps:
    - uses: actions/checkout@v3

    - name: 'Set up docker buildx'
      uses: docker/setup-buildx-action@v2

    - name: 'Build Archive Canister'
      uses: docker/build-push-action@v3
      with:
        context: .
        file: Dockerfile
        target: scratch_archive
        cache-from: type=gha,scope=cached-stage
        # Exports the artefacts from the final stage
        outputs: ./out

    - run: mv out/archive.wasm.gz archive.wasm.gz

    # Printed so the archive hash is visible in the job log; `deploy` passes
    # the hash of this same file to II as `module_hash`.
    - run: sha256sum archive.wasm.gz

    - name: 'Upload archive.wasm.gz'
      uses: actions/upload-artifact@v3
      with:
        # name is the name used to display and retrieve the artifact
        name: archive.wasm.gz
        # path is the name used as the file to upload and the name of the
        # downloaded file
        path: archive.wasm.gz
# Fails the run when the production wasm.gz exceeds the size limit below.
# The size comes from the local `file-size` action; its `save` input is true
# only on the main branch.
wasm-size:
  runs-on: ubuntu-latest
  needs: docker-build-internet_identity_production
  steps:
    - uses: actions/checkout@v3

    - name: 'Download wasm'
      uses: actions/download-artifact@v3
      with:
        name: internet_identity_production.wasm.gz
        path: .

    - id: record-size
      uses: ./.github/actions/file-size
      with:
        file: internet_identity_production.wasm.gz
        save: ${{ github.ref == 'refs/heads/main' }}

    # `actual_size` is filled in by template expansion before bash runs.
    # NOTE(review): presumably the action emits a plain integer; confirm.
    - name: 'Check canister size'
      run: |
        max_size=2097152 # maximum canister size, in bytes
        actual_size=${{ steps.record-size.outputs.size }}
        if (( actual_size > max_size ))
        then
          echo "Canister size too big"
          echo "($actual_size > $max_size)"
          exit 1
        fi
# Builds the demo VC issuer canister outside docker (npm ci + ./build.sh in
# demos/vc_issuer), prints its sha256 and uploads vc_issuer.wasm.gz.
vc-issuer-build:
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v3

    # Cargo registry, git checkouts and the demo's target dir, keyed on the
    # demo lockfile and the toolchain file.
    - uses: actions/cache@v3
      with:
        path: |
          ~/.cargo/registry
          ~/.cargo/git
          demos/vc_issuer/target
        key: ${{ runner.os }}-cargo-${{ hashFiles('demos/vc_issuer/Cargo.lock', 'rust-toolchain.toml') }}

    - uses: ./.github/actions/bootstrap
    - uses: ./.github/actions/setup-node

    - name: 'Build VC issuer canister'
      working-directory: demos/vc_issuer
      run: |
        npm ci
        ./build.sh

    - working-directory: demos/vc_issuer
      run: sha256sum vc_issuer.wasm.gz

    - name: 'Upload VC issuer'
      uses: actions/upload-artifact@v3
      with:
        # name is the name used to display and retrieve the artifact
        name: vc_issuer.wasm.gz
        # path is the name used as the file to upload and the name of the
        # downloaded file
        path: ./demos/vc_issuer/vc_issuer.wasm.gz
# Builds the demo test app canister outside docker (npm ci + ./build.sh in
# demos/test-app) and uploads test_app.wasm for the selenium job.
test-app-build:
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v3

    # Cargo registry, git checkouts and the demo's target dir, keyed on the
    # demo lockfile and the toolchain file.
    - uses: actions/cache@v3
      with:
        path: |
          ~/.cargo/registry
          ~/.cargo/git
          demos/test-app/target
        key: ${{ runner.os }}-cargo-${{ hashFiles('demos/test-app/Cargo.lock', 'rust-toolchain.toml') }}

    - uses: ./.github/actions/bootstrap
    - uses: ./.github/actions/setup-node

    - name: 'Build test app canister'
      working-directory: demos/test-app
      run: |
        npm ci
        ./build.sh

    - name: 'Upload test app'
      uses: actions/upload-artifact@v3
      with:
        # name is the name used to display and retrieve the artifact
        name: test_app.wasm
        # path is the name used as the file to upload and the name of the
        # downloaded file
        path: ./demos/test-app/test_app.wasm
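#####################################
# The Rust vc issuer canister tests #
#####################################
# Runs `cargo test` for the demo VC issuer against the wasm files built
# earlier in this run: vc_issuer.wasm.gz and the II test flavor, the latter
# renamed to internet_identity.wasm.gz.
vc-issuer-test:
  runs-on: ubuntu-latest
  needs: [docker-build-ii, vc-issuer-build]
  steps:
    - uses: actions/checkout@v3

    - uses: actions/cache@v3
      with:
        path: |
          ~/.cargo/registry
          ~/.cargo/git
          demos/vc_issuer/target
        key: ${{ runner.os }}-cargo-vc-tests-${{ hashFiles('demos/vc_issuer/Cargo.lock', 'rust-toolchain.toml') }}

    - uses: ./.github/actions/bootstrap

    - name: 'Download VC issuer wasm'
      uses: actions/download-artifact@v3
      with:
        name: vc_issuer.wasm.gz
        path: demos/vc_issuer

    - name: 'Download II wasm'
      uses: actions/download-artifact@v3
      with:
        name: internet_identity_test.wasm.gz
        path: .

    - run: mv internet_identity_test.wasm.gz internet_identity.wasm.gz

    # The binary is fetched for the commit recorded in `.ic-commit` (comments
    # and empty lines stripped) and then executed on the runner.
    # NOTE(review): only the commit in the URL pins it; no digest is checked.
    # Recording the expected sha256 beside `.ic-commit` and verifying it with
    # `sha256sum -c` before `chmod` would tie the run to one known binary.
    - name: Download ic-test-state-machine binary
      run: |
        # Stop at the first failing command, also inside the sed pipeline.
        set -euo pipefail
        uname_sys=$(uname -s | tr '[:upper:]' '[:lower:]')
        echo "uname_sys: $uname_sys"
        commit_sha=$(sed <.ic-commit 's/#.*$//' | sed '/^$/d')
        echo "commit sha: $commit_sha"
        # -f: an HTTP error aborts here instead of being saved as the .gz file
        curl -sSfLO "https://download.dfinity.systems/ic/$commit_sha/binaries/x86_64-$uname_sys/ic-test-state-machine.gz"
        gzip -d ic-test-state-machine.gz
        chmod a+x ic-test-state-machine
        ./ic-test-state-machine --version

    - name: 'Run VC issuer canister tests'
      working-directory: demos/vc_issuer
      run: |
        # create dummy assets
        mkdir dist
        touch dist/index.{html,css,js}
        touch dist/index2.js
        cargo test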
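###########################
# The Rust canister tests #
###########################
# Builds the nextest archive holding _all_ cargo tests, once per OS, and
# uploads it. `canister-tests-run` later runs it against the wasm modules
# produced by the docker builds.
canister-tests-build:
  runs-on: ${{ matrix.os }}
  strategy:
    matrix:
      os: [ubuntu-latest, macos-latest]
  steps:
    - uses: actions/checkout@v3

    # Attempt to restore the pre-built test binaries from cache.
    # The test binaries depend only on rust code, because the front-end code is
    # bundled in the `wasm` file that the test binaries load.
    # On a cache hit the build steps are skipped, toolchain setup included.
    # NOTE(review): on a hit, the cached archive is uploaded and executed as
    # is. Its key covers the hashed source files only, not the tools that
    # built it.
    - uses: actions/cache@v3
      id: cache-test-archive
      with:
        path: /tmp/test-archive
        key: ${{ runner.os }}-rust-test-archive-${{ hashFiles('src/**/*.rs', 'Cargo.*', 'src/*/*.toml', 'rust-toolchain.toml') }}

    - uses: ./.github/actions/bootstrap
      if: steps.cache-test-archive.outputs.cache-hit != 'true'

    - uses: actions/cache@v3
      if: steps.cache-test-archive.outputs.cache-hit != 'true'
      with:
        path: |
          ~/.cargo
          target
        key: ${{ runner.os }}-rust-test-cache-${{ hashFiles('Cargo.toml', 'rust-toolchain.toml', 'Cargo.lock') }}

    # NOTE(review): `latest` is a moving target and the tarball is unpacked
    # into cargo's bin directory without a digest check. Pinning a nextest
    # version and verifying its published checksum would make this
    # reproducible.
    - name: Install nextest
      if: steps.cache-test-archive.outputs.cache-hit != 'true'
      run: |
        # pipefail: a failed download must fail the step, as in the
        # `Download nextest` step of canister-tests-run
        set -euo pipefail
        curl -LsSf https://get.nexte.st/latest/${{ matrix.os == 'macos-latest' && 'mac' || 'linux' }} | tar zxf - -C ${CARGO_HOME:-~/.cargo}/bin

    # Rustup only installs cargo on the first call, so a dedicated step shows
    # how much time that takes on its own
    - if: steps.cache-test-archive.outputs.cache-hit != 'true'
      run: cargo check --help

    - name: Create dummy assets
      if: steps.cache-test-archive.outputs.cache-hit != 'true'
      run: |
        mkdir dist
        touch dist/index.html
        touch dist/index.js.gz

    # Build the tests
    # NOTE(review): no step with id `git_info` exists in this job, so the
    # expression below expands to an empty string and `git checkout` runs
    # without a ref. Either drop the line or add the step it refers to.
    - name: Build test archive
      if: steps.cache-test-archive.outputs.cache-hit != 'true'
      run: |
        git checkout ${{ steps.git_info.outputs.commit_now }}
        cargo nextest archive --archive-file canister-tests-${{ matrix.os }}.tar.zst --release
        mkdir -p /tmp/test-archive/
        cp canister-tests-${{ matrix.os }}.tar.zst /tmp/test-archive

    - name: Restore test archive
      if: steps.cache-test-archive.outputs.cache-hit == 'true'
      run: |
        mv /tmp/test-archive/canister-tests-${{ matrix.os }}.tar.zst .

    - name: 'Upload canister test archive'
      uses: actions/upload-artifact@v3
      with:
        # name is the name used to display and retrieve the artifact
        name: canister-tests-${{ matrix.os }}.tar.zst
        # path is the name used as the file to upload and the name of the
        # downloaded file
        path: ./canister-tests-${{ matrix.os }}.tar.zst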
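# Runs the pre-built nextest archive in three hash partitions per OS, against
# the II test flavor and the archive wasm from this run plus the same two
# assets from the latest published release.
canister-tests-run:
  runs-on: ${{ matrix.os }}
  needs: [canister-tests-build, docker-build-ii, docker-build-archive]
  strategy:
    matrix:
      os: [ubuntu-latest, macos-latest]
      partition: ['1/3', '2/3', '3/3']
  steps:
    - uses: actions/checkout@v3

    # NOTE(review): `latest` is unpinned and the tarball is unpacked without a
    # digest check; a pinned version with a verified checksum is reproducible.
    - name: Download nextest
      run: |
        set -euo pipefail
        curl -LsSf https://get.nexte.st/latest/${{ matrix.os == 'macos-latest' && 'mac' || 'linux' }} | tar zxf -

    - name: 'Download nextest test archive'
      uses: actions/download-artifact@v3
      with:
        name: canister-tests-${{ matrix.os }}.tar.zst
        path: .

    # The binary is fetched for the commit recorded in `.ic-commit` (comments
    # and empty lines stripped) and then executed on the runner.
    # NOTE(review): only the commit in the URL pins it; no digest is checked.
    - name: Download ic-test-state-machine binary
      run: |
        # Stop at the first failing command, also inside the sed pipeline.
        set -euo pipefail
        uname_sys=$(uname -s | tr '[:upper:]' '[:lower:]')
        echo "uname_sys: $uname_sys"
        commit_sha=$(sed <.ic-commit 's/#.*$//' | sed '/^$/d')
        echo "commit sha: $commit_sha"
        # -f: an HTTP error aborts here instead of being saved as the .gz file
        curl -sSfLO "https://download.dfinity.systems/ic/$commit_sha/binaries/x86_64-$uname_sys/ic-test-state-machine.gz"
        gzip -d ic-test-state-machine.gz
        chmod a+x ic-test-state-machine
        ./ic-test-state-machine --version

    - name: 'Download II wasm'
      uses: actions/download-artifact@v3
      with:
        name: internet_identity_test.wasm.gz
        path: .

    - name: 'Download archive wasm'
      uses: actions/download-artifact@v3
      with:
        name: archive.wasm.gz
        path: .

    - name: Run Tests
      env:
        RUST_BACKTRACE: 1
      run: |
        mv internet_identity_test.wasm.gz internet_identity.wasm.gz
        # NOTE: Here we download changing assets (i.e. the latest release) meaning that in some rare cases (after a new release)
        # PRs that used to be green may become red (if the new release broke something). While this is not CI best practice, it's
        # a relatively small price to pay to make sure PRs are always tested against the latest release.
        # -f: a missing release asset fails the step instead of leaving an HTML error page in the .wasm.gz file
        curl -sSfL https://github.com/dfinity/internet-identity/releases/latest/download/internet_identity_test.wasm.gz -o internet_identity_previous.wasm.gz
        curl -sSfL https://github.com/dfinity/internet-identity/releases/latest/download/archive.wasm.gz -o archive_previous.wasm.gz
        # We are using --partition hash instead of count, because it makes sure that the tests partition is stable across runs
        # even if tests are added or removed. The tradeoff is that the balancing might be slightly worse, but we have enough
        # tests that it should not be a big issue.
        ./cargo-nextest nextest run --archive-file canister-tests-${{ matrix.os }}.tar.zst --partition hash:${{ matrix.partition }}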
######################
# The selenium tests #
######################
# End-to-end browser tests against a local replica: installs the II test
# flavor, the test app and the VC issuer with dfx, starts the dev server and
# runs the e2e suite for every device / domain / shard combination.
selenium:
  runs-on: ubuntu-latest
  needs: [docker-build-ii, test-app-build, vc-issuer-build]
  strategy:
    # Make sure that one failing test does not cancel all other matrix jobs
    fail-fast: false
    matrix:
      device: ['desktop', 'mobile']
      # We run the integration tests on both the official and legacy domains,
      # to make sure the webapp (routes, csp, etc) works on both.
      domain:
        - 'https://identity.internetcomputer.org'
        - 'https://identity.ic0.app'
      # Specify some shards for jest (a jest instance will only run a subset of
      # files based on the shard assigned to it)
      # The jest parameter is actually 1/N, 2/N etc but we use an
      # artifact-friendly version here (with underscore).
      shard: ['1_4', '2_4', '3_4', '4_4']
  steps:
    - uses: actions/checkout@v3
    - uses: ./.github/actions/setup-node
    - uses: ./.github/actions/setup-dfx

    # Helps with debugging
    - name: 'Show versions'
      run: |
        echo dfx --version
        dfx --version
        echo node --version
        node --version

    # Setup npm and run fast tests early
    - run: npm ci
    - run: npm test

    - name: 'Run dfx'
      run: dfx start --background

    - name: 'Download II wasm'
      uses: actions/download-artifact@v3
      with:
        name: internet_identity_test.wasm.gz
        path: .

    - name: 'Download test app wasm'
      uses: actions/download-artifact@v3
      with:
        name: test_app.wasm
        path: demos/test-app

    - name: 'Download VC issuer wasm'
      uses: actions/download-artifact@v3
      with:
        name: vc_issuer.wasm.gz
        path: demos/vc_issuer

    - name: 'Create Canisters'
      run: dfx canister create --all

    - name: 'Deploy canisters'
      run: |
        dfx canister install internet_identity --wasm internet_identity_test.wasm.gz
        dfx canister install test_app --wasm demos/test-app/test_app.wasm
        dfx canister install issuer --wasm demos/vc_issuer/vc_issuer.wasm.gz

    - name: 'Provision issuer canister'
      run: ./demos/vc_issuer/provision

    # The dev server runs in the background; its pid is exported so the
    # `Stop dev server` step can kill it.
    - name: 'Run dev server'
      id: dev-server-start
      run: |
        TLS_DEV_SERVER=1 NO_HOT_RELOAD=1 npm run dev&
        dev_server_pid=$!
        echo "dev_server_pid=$dev_server_pid" >> "$GITHUB_OUTPUT"

    # NOTE: we run chrome in headless mode because that's the only thing that works in GHA
    # NOTE: the last bit (tr) replaces 1_N with 1/N
    - run: |
        II_URL=${{ matrix.domain }} \
        SCREEN=${{ matrix.device }} \
        II_E2E_CHROME_OPTS="--headless" \
        npm run test:e2e -- --shard=$(tr <<<'${{ matrix.shard }}' -s _ /)

    - name: 'Stop dfx'
      if: ${{ always() }}
      run: dfx stop

    - name: 'Stop dev server'
      if: ${{ always() }}
      run: kill ${{ steps.dev-server-start.outputs.dev_server_pid }}

    # NOTE(review): the artifact name carries device and shard but not the
    # domain, so the two domain variants of a device/shard pair upload under
    # the same name.
    - name: 'Archive test failures'
      if: ${{ always() }}
      uses: actions/upload-artifact@v3
      with:
        name: e2e-test-failures-${{ matrix.device }}-${{ matrix.shard }}
        path: test-failures/*
        if-no-files-found: ignore
# Single job that depends on every selenium matrix job, so branch protection
# can require one check instead of each matrix combination.
selenium-all:
  runs-on: ubuntu-latest
  needs: selenium
  steps:
    - run: echo selenium ok
# Checks the `using-dev-build` demo against the dev flavor built in this run:
# the demo is copied out of the repository, its dfx.json is pointed at the
# local wasm and .did files instead of the release URLs, then it is deployed
# to a local replica and tested.
using-dev-build:
  runs-on: ubuntu-latest
  needs: docker-build-ii
  steps:
    - uses: actions/checkout@v3

    - run: |
        sudo apt-get update
        sudo apt-get --only-upgrade install google-chrome-stable
        google-chrome --version

    - uses: ./.github/actions/setup-node
    - uses: ./.github/actions/setup-dfx

    # Helps with debugging
    - name: 'Show versions'
      run: |
        echo dfx --version
        dfx --version

    - name: 'Start replica'
      run: |
        dfx start --background

    - name: 'Download wasm'
      uses: actions/download-artifact@v3
      with:
        name: internet_identity_dev.wasm.gz
        path: .

    - name: 'Deploy II and run tests'
      run: |
        set -euo pipefail
        # Copy example to make sure it does not rely on living inside the II repo
        builddir=$(mktemp -d)
        cp -r ./demos/using-dev-build/. "$builddir"
        ii_wasm="$PWD/internet_identity_dev.wasm.gz"
        ii_did="$PWD/src/internet_identity/internet_identity.did"
        pushd "$builddir"
        # Install npm deps
        npm ci
        sed -i "s;https://github.com/dfinity/internet-identity/releases/latest/download/internet_identity_dev.wasm.gz;$ii_wasm;" ./dfx.json
        sed -i "s;https://github.com/dfinity/internet-identity/releases/latest/download/internet_identity.did;$ii_did;" ./dfx.json
        dfx deploy --no-wallet
        npm run test
        popd
        rm -rf "$builddir"

    - name: 'Stop replica'
      run: |
        dfx stop
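# Deploys the production build to mainnet, to a canister that we use for
# release testing. Runs only for refs that start with `refs/tags/release-`.
#
# NOTE(review): whoever can push a matching tag reaches DFX_DEPLOY_KEY through
# this job. A protected `environment:` with required reviewers, together with
# tag protection for `release-*`, would put an approval in front of the secret.
deploy:
  runs-on: ubuntu-latest
  if: startsWith(github.ref, 'refs/tags/release-')
  needs: [docker-build-internet_identity_production, docker-build-archive]
  steps:
    - uses: actions/checkout@v3
    - uses: ./.github/actions/setup-dfx

    - name: 'Download II wasm'
      uses: actions/download-artifact@v3
      with:
        name: internet_identity_production.wasm.gz
        path: .

    - name: 'Download archive wasm'
      uses: actions/download-artifact@v3
      with:
        name: archive.wasm.gz
        path: .

    # The key reaches the script through the environment, never through
    # template expansion, and is written to a mktemp file for the import.
    # NOTE(review): `--disable-encryption` leaves the imported identity
    # unencrypted in dfx's store for the rest of the job.
    - name: 'Install key'
      env:
        DFX_DEPLOY_KEY: ${{ secrets.DFX_DEPLOY_KEY }}
      run: |
        key_pem=$(mktemp)
        # Remove the plaintext key file even when the import fails.
        trap 'rm -f "$key_pem"' EXIT
        printenv "DFX_DEPLOY_KEY" > "$key_pem"
        dfx identity import --disable-encryption --force default "$key_pem"

    # `sha` is the sha256 of archive.wasm.gz with a backslash before every
    # byte, the escaping that the Candid `blob` literal below takes.
    - name: 'Deploy II'
      run: |
        # Fail closed: without pipefail a failing shasum would leave `sha`
        # empty and the upgrade would go ahead with an empty module_hash.
        set -euo pipefail
        wallet="cvthj-wyaaa-aaaad-aaaaq-cai"
        sha=$(shasum -a 256 ./archive.wasm.gz | cut -d ' ' -f1 | sed 's/../\\&/g')
        dfx canister --network ic --wallet "$wallet" install --mode upgrade \
          --argument "(opt record {archive_config = record { module_hash = blob \"$sha\"; entries_buffer_limit = 10000:nat64; entries_fetch_limit = 1000:nat16; polling_interval_ns = 60000000000:nat64}; canister_creation_cycles_cost = opt (1000000000000:nat64); })" \
          --wasm internet_identity_production.wasm.gz \
          fgte5-ciaaa-aaaad-aaatq-cai

    - name: 'Deploy archive'
      run: scripts/deploy-archive --wasm archive.wasm.gz --canister-id fgte5-ciaaa-aaaad-aaatq-cai --network ic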
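# Publishes the GitHub release for `release-*` tags: collects the wasm
# artifacts of this run, generates the changelog since the latest release,
# prepares the release notes and calls ./scripts/release.
release:
  runs-on: ubuntu-latest
  if: startsWith(github.ref, 'refs/tags/release-')
  # vc-issuer-build is listed because its artifact is downloaded below and no
  # other listed job depends on it; without it the download can run before
  # the upload has happened.
  needs: [docker-build-internet_identity_production, docker-build-archive, vc-issuer-build]
  steps:
    - uses: actions/checkout@v3

    - name: 'Download wasm.gz'
      uses: actions/download-artifact@v3
      with:
        name: internet_identity_test.wasm.gz
        path: .

    - name: 'Download wasm.gz'
      uses: actions/download-artifact@v3
      with:
        name: internet_identity_dev.wasm.gz
        path: .

    - name: 'Download wasm.gz'
      uses: actions/download-artifact@v3
      with:
        name: internet_identity_production.wasm.gz
        path: .

    - name: 'Download wasm.gz'
      uses: actions/download-artifact@v3
      with:
        name: archive.wasm.gz
        path: .

    - name: 'Download wasm.gz'
      uses: actions/download-artifact@v3
      with:
        name: vc_issuer.wasm.gz
        path: .

    # All jobs of this run, as JSON.
    - uses: actions/github-script@v6
      id: pipeline-jobs
      with:
        script: return github.paginate("GET /repos/dfinity/internet-identity/actions/runs/${{ github.run_id }}/jobs");

    - uses: actions/github-script@v6
      id: latest-release-tag
      with:
        result-encoding: string
        script: return (await github.rest.repos.getLatestRelease({owner:"dfinity", repo:"internet-identity"})).data.tag_name;

    # NOTE: we create the release notes ourselves, instead of letting GitHub do it with
    # 'generate_release_notes: true', here we can actually specify the release range. When doing
    # it on its own, GitHub is really bad at figuring which tag to use as the previous tag (for
    # listing contributions since).
    # https://github.com/github/feedback/discussions/5975
    #
    # Both tag values are read from the environment instead of being expanded
    # into the script text, so a quote in a tag name cannot change the
    # JavaScript that runs.
    - uses: actions/github-script@v6
      id: changelog
      env:
        PREVIOUS_TAG: ${{ steps.latest-release-tag.outputs.result }}
      with:
        result-encoding: string
        script: |
          return (await github.rest.repos.generateReleaseNotes({
            owner: "dfinity",
            repo: "internet-identity",
            tag_name: process.env.GITHUB_REF,
            previous_tag_name: process.env.PREVIOUS_TAG,
          })).data.body;

    # NOTE(review): the jobs JSON is still expanded straight into a
    # single-quoted shell string; a single quote in any job or step name would
    # end that string. It is left as is because the JSON may be too large for
    # an environment variable; writing it to a file first would avoid both.
    - name: Print prepare-release-inputs
      env:
        # use an env variable so that the GitHub templating does not cause issues with string escaping
        # see: https://github.com/orgs/community/discussions/32012
        CHANGELOG: ${{ steps.changelog.outputs.result }}
        LATEST_RELEASE_TAG: ${{ steps.latest-release-tag.outputs.result }}
      run: |
        echo -e 'pipeline jobs:\n${{ steps.pipeline-jobs.outputs.result }}'
        echo "latest-release-tag: $LATEST_RELEASE_TAG"
        echo -e "changelog:\n$CHANGELOG"

    - name: Prepare release
      uses: ./.github/actions/release
      id: prepare-release
      with:
        assets: |
          internet_identity_production.wasm.gz
          internet_identity_dev.wasm.gz
          internet_identity_test.wasm.gz
          archive.wasm.gz
          vc_issuer.wasm.gz
        production_asset: internet_identity_production.wasm.gz
        changelog: ${{ steps.changelog.outputs.result }}
        workflow_jobs: ${{ steps.pipeline-jobs.outputs.result }}

    # The tag and the notes path are passed as quoted environment values, so
    # shell metacharacters in a tag name stay data. GITHUB_REF is the runner's
    # own variable and holds the same value as `github.ref`.
    # NOTE(review): vc_issuer.wasm.gz is listed in `assets` above but is not
    # among the files passed to ./scripts/release; confirm that is intended.
    - name: Publish release
      env:
        # populated by GitHub Actions
        # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        RELEASE_NOTES_FILE: ${{ steps.prepare-release.outputs.notes-file }}
      run: |
        ./scripts/release \
          --tag "$GITHUB_REF" \
          --notes-file "$RELEASE_NOTES_FILE" \
          -- \
          internet_identity_production.wasm.gz \
          internet_identity_dev.wasm.gz \
          internet_identity_test.wasm.gz \
          src/internet_identity/internet_identity.did \
          archive.wasm.gz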
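# Builds internet_identity.wasm.gz with the local `check-build` action on each
# OS in the matrix and uploads the result under an OS-specific name, as input
# for `verify-clean-build-hash`.
clean-build:
  runs-on: ${{ matrix.os }}
  strategy:
    matrix:
      # On main, we run the checks across all platforms. On other branches, in order to speed up checks (on PRs) we skip most platforms
      # (in particular the slow macos builds). A single ubuntu build is not long and gives us some signal.
      # XXX: GHA does not support proper if/else so we implement a workaround: https://github.com/actions/runner/issues/409
      # XXX: GHA fails if we return the matrix object directly, so we have to pretend it's JSON
      os: ${{ github.ref == 'refs/heads/main' && fromJson('[ "ubuntu-22.04", "ubuntu-20.04", "macos-11", "macos-12" ]') || fromJson('[ "ubuntu-22.04" ]') }}
  steps:
    - uses: actions/checkout@v3
    - uses: ./.github/actions/check-build

    - run: mv internet_identity.wasm.gz internet_identity_clean_build_${{ matrix.os }}.wasm.gz

    # This matrix defines only `os`; the step name previously used
    # `matrix.name`, which is not defined here and expanded to nothing.
    - name: 'Upload internet_identity_clean_build_${{ matrix.os }}.wasm.gz'
      uses: actions/upload-artifact@v3
      with:
        # name is the name used to display and retrieve the artifact
        name: internet_identity_clean_build_${{ matrix.os }}.wasm.gz
        # path is the name used as the file to upload and the name of the
        # file when downloaded
        path: internet_identity_clean_build_${{ matrix.os }}.wasm.gz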
# Reproducibility check: the sha256 of the clean build must equal the sha256
# of the docker-built production wasm, otherwise the job fails. A mismatch
# means the two build paths did not produce the same artifact from this
# commit and should be investigated before anything is released.
verify-clean-build-hash:
  runs-on: ${{ matrix.os }}
  needs: [clean-build, docker-build-internet_identity_production]
  strategy:
    matrix:
      # On main, we run the hash check across all platforms where the non-dockerized build is reproducible (i.e. not mac-os).
      # On other branches, in order to speed up checks (on PRs) we skip most platforms. A single ubuntu build is not long and gives us some signal.
      # XXX: GHA does not support proper if/else so we implement a workaround: https://github.com/actions/runner/issues/409
      # XXX: GHA fails if we return the matrix object directly, so we have to pretend it's JSON
      os: ${{ github.ref == 'refs/heads/main' && fromJson('[ "ubuntu-22.04", "ubuntu-20.04"]') || fromJson('[ "ubuntu-22.04" ]') }}
  steps:
    - name: Download internet_identity_clean_build_${{ matrix.os }}.wasm.gz
      uses: actions/download-artifact@v3
      with:
        name: internet_identity_clean_build_${{ matrix.os }}.wasm.gz
        path: .

    - name: 'Download internet_identity_production.wasm.gz'
      uses: actions/download-artifact@v3
      with:
        name: internet_identity_production.wasm.gz
        path: .

    # Both digests are echoed before the comparison so the log shows them in
    # either outcome.
    - name: 'Check hashes'
      run: |
        clean_build_sha256=$(shasum -a 256 ./internet_identity_clean_build_${{ matrix.os }}.wasm.gz | cut -d ' ' -f1)
        echo got clean build sha "$clean_build_sha256"
        prod_build_sha256=$(shasum -a 256 ./internet_identity_production.wasm.gz | cut -d ' ' -f1)
        echo got prod build sha "$prod_build_sha256"
        if [ "$clean_build_sha256" != "$prod_build_sha256" ]
        then
          echo "sha mismatch: clean build '$clean_build_sha256' /= prod build '$prod_build_sha256'"
          exit 1
        fi
        echo output clean build sha256 matches prod build sha256
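# Checks with `didc check` that the Candid interface in this commit is
# compatible with the interface file of the latest published release.
interface-compatibility:
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v3
    - uses: ./.github/actions/setup-didc

    - name: 'Check canister interface compatibility'
      run: |
        # -f: a missing release asset fails the step here instead of handing
        # an HTML error page to didc as the previous interface
        curl -sSfL https://github.com/dfinity/internet-identity/releases/latest/download/internet_identity.did -o internet_identity_previous.did
        didc check src/internet_identity/internet_identity.did internet_identity_previous.did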