update GitHub actions #11
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This is based on | |
# <https://github.com/ongardie/cubicle/blob/b307fe9/.github/workflows/main.yaml> | |
# with Diego's permission. The initial workflow YAML skeleton before that was | |
# based on | |
# <https://github.com/actions-rs/example/blob/master/.github/workflows/quickstart.yml> | |
# and | |
# <https://github.com/ramosbugs/oauth2-rs/blob/main/.github/workflows/main.yml>. | |
# | |
# GitHub Actions workflow syntax documentation is here: | |
# <https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions>. | |
name: CI | |
on: | |
pull_request: {} | |
push: | |
branches: | |
- main | |
workflow_dispatch: {} | |
env: | |
INSTALL_RUST_VERSION: "1.75" | |
jobs: | |
rust_ppc: | |
name: Build PPC | |
runs-on: ubuntu-22.04 | |
timeout-minutes: 20 | |
steps: | |
- name: Check out sources | |
uses: actions/checkout@v4 | |
with: | |
submodules: recursive | |
- name: Free up some space on image | |
# see https://github.com/actions/runner-images/issues/2840 | |
run: | | |
sudo rm -rf /usr/share/dotnet | |
shell: bash | |
- name: Install Rust with source | |
uses: actions-rs/toolchain@v1 | |
with: | |
components: rust-src | |
default: true | |
profile: minimal | |
toolchain: ${{ env.INSTALL_RUST_VERSION }} | |
- name: Install PowerPC cross-compile dependencies | |
run: sudo apt update && sudo apt install qemu-user qemu-user-binfmt gcc-12-powerpc-linux-gnu | |
- name: Cross Compile PowerPC | |
run: ./build-ppc.sh | |
- name: Run unit tests on PowerPC | |
run: ./test-ppc.sh | |
cross_version_sdk: | |
# runs the latest realm code built with its particular sdk version | |
# with a client built from a specific sdk release. | |
name: SDK Cross version test | |
runs-on: ubuntu-22.04 | |
timeout-minutes: 20 | |
strategy: | |
matrix: | |
sdk_version: ["0.3.0", "main"] | |
steps: | |
- name: Check out hsm sources | |
uses: actions/checkout@v4 | |
with: | |
submodules: recursive | |
- name: Check out sdk client sources | |
uses: actions/checkout@v4 | |
with: | |
repository: "juicebox-systems/juicebox-sdk" | |
ref: ${{ matrix.sdk_version }} | |
path: "sdk_client" | |
submodules: recursive | |
- name: setup environment | |
uses: ./.github/actions/setup | |
with: | |
rust_version: ${{ env.INSTALL_RUST_VERSION }} | |
- name: build realm | |
uses: actions-rs/cargo@v1 | |
with: | |
command: build | |
- name: Build client | |
uses: actions-rs/cargo@v1 | |
with: | |
command: build | |
args: --manifest-path sdk_client/rust/cli/demo/Cargo.toml | |
- name: Run demo | |
run: | | |
RUST_BACKTRACE=1 target/debug/demo_runner --demo sdk_client/target/debug/demo | |
shell: bash | |
cross_version_hsm: | |
# Runs the latest realm code against an older version of the software HSM | |
# This helps ensure we move the agent code forward without breaking compatability | |
# with the deployed and un-updatable hsm code. | |
name: HSM Cross version test | |
# Use same runner as Lint & Test. See comment there. | |
runs-on: ubuntu-latest | |
timeout-minutes: 20 | |
strategy: | |
matrix: | |
# Cancel Prepared Transfer fix (PR #462). | |
hsm_version: ["19a29d9f7dfd20f210f377d1ff9d22685d238ea1"] | |
steps: | |
- name: Check out sources | |
uses: actions/checkout@v4 | |
with: | |
submodules: recursive | |
- name: Check out versioned hsm | |
uses: actions/checkout@v4 | |
with: | |
ref: ${{ matrix.hsm_version }} | |
path: "versioned_hsm" | |
submodules: recursive | |
- name: Setup environment | |
uses: ./.github/actions/setup | |
with: | |
rust_version: ${{ env.INSTALL_RUST_VERSION }} | |
- name: Build versioned software HSM | |
uses: actions-rs/cargo@v1 | |
with: | |
command: build | |
args: --manifest-path versioned_hsm/Cargo.toml -p software_hsm | |
- name: Build realm | |
uses: actions-rs/cargo@v1 | |
with: | |
command: build | |
- name: Run realm tests with versioned software HSM | |
uses: actions-rs/cargo@v1 | |
with: | |
command: test | |
env: | |
RUST_BACKTRACE: '1' | |
SOFTWARE_HSM_DIR: ${{ github.workspace }}/versioned_hsm/target/debug | |
lint_and_test: | |
name: Lint & Test | |
runs-on: ubuntu-latest | |
timeout-minutes: 30 | |
steps: | |
- name: Check out sources | |
uses: actions/checkout@v4 | |
with: | |
submodules: recursive | |
- name: setup environment | |
uses: ./.github/actions/setup | |
with: | |
rust_version: ${{ env.INSTALL_RUST_VERSION }} | |
- name: Run cargo build | |
uses: actions-rs/cargo@v1 | |
with: | |
command: build | |
- name: Print build info | |
run: target/debug/load_balancer --version | |
- name: Run cargo test | |
uses: actions-rs/cargo@v1 | |
with: | |
args: --workspace --exclude 'entrust*' --package entrust_ops | |
command: test | |
env: | |
RUST_BACKTRACE: '1' | |
- name: Run cargo fmt | |
uses: actions-rs/cargo@v1 | |
with: | |
args: --all -- --check | |
command: fmt | |
- name: Run clippy | |
uses: actions-rs/cargo@v1 | |
with: | |
args: --workspace --tests --exclude 'entrust*' --package entrust_ops -- -D warnings | |
command: clippy | |
- name: Install graphviz | |
run: sudo apt install graphviz | |
- name: Delete Merkle tree paper outputs | |
run: | | |
rm -r docs/merkle_tree/ | |
git restore --source HEAD \ | |
docs/merkle_tree/intro/system.dot \ | |
docs/merkle_tree/intro/stacked_box.png \ | |
docs/merkle_tree/storage/base128.dot \ | |
docs/merkle_tree/merkle.typ \ | |
docs/merkle_tree/references.bib \ | |
docs/merkle_tree/template.typ \ | |
docs/merkle_tree/to_tree.py | |
- name: Compile Merkle tree paper | |
uses: actions-rs/cargo@v1 | |
with: | |
command: run | |
args: --package merkle_tree_docgen | |
- name: Check Merkle tree paper outputs | |
run: git diff --exit-code -- docs/merkle_tree | |
- name: Run Merkle tree paper Python | |
run: python3 docs/merkle_tree/to_tree.py | |
- name: Check SDK dependency versions agree | |
run: ./scripts/check-sdk-deps.py | |
# Disabled, as the ncipher-shield-firmware is not proprietary and no longer hosted by us | |
# in a way that Github Actions can access. | |
# entrust: | |
# name: Build Entrust | |
# runs-on: ubuntu-latest | |
# timeout-minutes: 20 | |
# steps: | |
# - name: Check out sources | |
# uses: actions/checkout@v4 | |
# with: | |
# submodules: recursive | |
# - name: Install Rust | |
# uses: actions-rs/toolchain@v1 | |
# with: | |
# components: clippy, rustfmt, rust-src | |
# default: true | |
# profile: minimal | |
# toolchain: ${{ env.INSTALL_RUST_VERSION }} | |
# - name: Use Rust Cache | |
# uses: Swatinem/rust-cache@v2 | |
# - name: Authenticate to Google Cloud | |
# uses: google-github-actions/auth@v1 | |
# with: | |
# credentials_json: '${{ secrets.GCP_SERVICE_ACCOUNT }}' | |
# - name: Download Codesafe from Google Cloud Storage | |
# run: | | |
# gcloud storage cp 'gs://ncipher-nshield-firmware/2023-08 v13.4 codesafe firmware secworld/Codesafe_Lin64-13.4.3.iso.zip' . | |
# echo '7d6eaff0548d90143d35834f1ea1cf092321e9003e10e14895a01a6f412adadb Codesafe_Lin64-13.4.3.iso.zip' | sha256sum -c - | |
# - name: Install Codesafe | |
# run: | | |
# unzip Codesafe_Lin64-13.4.3.iso.zip | |
# 7z e Codesafe_Lin64-13.4.3.iso linux/amd64/csd.tar.gz | |
# sudo tar -C / -xf csd.tar.gz | |
# rm Codesafe_Lin64-13.4.3.iso.zip Codesafe_Lin64-13.4.3.iso csd.tar.gz | |
# - name: Run clippy (entrust* crates) | |
# uses: actions-rs/cargo@v1 | |
# with: | |
# args: --tests --package 'entrust*' -- -D warnings | |
# command: clippy | |
# - name: Run cargo build (entrust* crates) | |
# uses: actions-rs/cargo@v1 | |
# with: | |
# args: --package 'entrust*' | |
# command: build | |
# - name: Run cargo test (entrust* crates) | |
# uses: actions-rs/cargo@v1 | |
# with: | |
# args: --package 'entrust*' | |
# command: test | |
# env: | |
# RUST_BACKTRACE: '1' | |
# - name: Run release build | |
# uses: actions-rs/cargo@v1 | |
# with: | |
# args: --all --release | |
# command: build | |
# - name: Run cargo build (PPC entrust_hsm.elf) | |
# run: ./entrust_hsm/compile_linux.sh --features insecure | |
# - name: Publish build to GCP bucket | |
# if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} | |
# run: | | |
# PROJECT='juicebox-infra' | |
# # bucket is sha1("ci-builds\n") | |
# GSPATH="9c39e3ca5fca69f058b9e673aef193b10d9e8c48/${{github.sha}}/" | |
# gcloud storage cp \ | |
# "target/release/cluster" \ | |
# "target/release/cluster_bench" \ | |
# "target/release/cluster_manager" \ | |
# "target/release/load_balancer" \ | |
# "target/release/service_checker" \ | |
# "target/release/software_agent" \ | |
# "target/release/software_hsm" \ | |
# "target/release/chaos" \ | |
# "target/release/entrust_agent" \ | |
# "target/release/entrust_init" \ | |
# "target/release/entrust_ops" \ | |
# "target/powerpc-unknown-linux-gnu/release/entrust_hsm.elf" \ | |
# "gs://$GSPATH/" |