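name: CI

on:
  pull_request:
  push:
    branches:
      - master

# Runs for the same PR should cancel earlier runs for that PR, but this rule
# must NOT apply to runs anywhere else (e.g. master). The PR number is only
# set on `pull_request` events and `run_id` is unique per run, so push runs
# never share a group.
#
# The group is keyed on the PR number, not `github.head_ref`: `head_ref` is the
# source branch name, which the PR author chooses, so two PRs whose branches
# share a name would land in one group and cancel each other's runs.
# https://docs.github.com/en/actions/using-jobs/using-concurrency
# https://docs.github.com/en/actions/learn-github-actions/contexts#github-context
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
  cancel-in-progress: true

# TODO(phlip9): read-all?
# NOTE(review): `read-all` would grant read access on every token scope. The
# jobs below only check out and build the repository, so `contents: read` is
# the narrower setting.
# https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
permissions:
  contents: read

env:
  # Fail CI even on rustc "warning" lints
  RUSTFLAGS: '-D warnings'
  RUSTDOCFLAGS: '-D warnings'
  RUST_BACKTRACE: '1'
  CARGO_TERM_COLOR: always
  # less wasteful caching w/ non-incremental builds
  CARGO_INCREMENTAL: '0'
  LEXE_RUST_VERSION: nightly-2024-05-03
  LEXE_CI: '1'

jobs:
  # FIXME: Cargo is not picking up .cargo/config.toml, hence RUSTFLAGS is used
  # whenever the target is SGX. An inline RUSTFLAGS replaces the workflow-level
  # value above, which is why the SGX commands repeat `-D warnings`.
  #
  # NOTE(review), applies to every job:
  # - Each job runs on `pull_request`, so cargo and nix execute code supplied
  #   by the PR (build scripts, tests). Keep the trigger as `pull_request`
  #   (not `pull_request_target`) and keep secrets out of these jobs.
  # - `persist-credentials: false` on checkout: no later step talks to the git
  #   remote, so the job token is not left behind in `.git/config`.
  # - The `uses:` refs are branches (`@master`, `@main`) or version tags, all
  #   of which can be moved after the fact. Pin each action to a full commit
  #   SHA (`owner/action@<full-commit-sha>  # vX`) and bump it deliberately.

  # --- Linting the whole workspace --- #

  clippy:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      # NOTE(review): `@master` is a mutable branch ref; pin to a commit SHA.
      - uses: dtolnay/rust-toolchain@master
        with:
          toolchain: ${{ env.LEXE_RUST_VERSION }}
          targets: x86_64-fortanix-unknown-sgx
      - uses: Swatinem/rust-cache@v2
      - uses: arduino/setup-protoc@v3
      # Native
      - run: cargo clippy --locked --workspace
      # Native + tests
      - run: cargo clippy --locked --workspace --tests

  clippy-sgx:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      # NOTE(review): `@master` is a mutable branch ref; pin to a commit SHA.
      - uses: dtolnay/rust-toolchain@master
        with:
          toolchain: ${{ env.LEXE_RUST_VERSION }}
          targets: x86_64-fortanix-unknown-sgx
      - uses: Swatinem/rust-cache@v2
      - uses: arduino/setup-protoc@v3
      # SGX
      - run: RUSTFLAGS="-C target-feature=+aes,+ssse3 -D warnings" cargo clippy --locked -p node -p common -p lexe-ln -p sgx-test --target=x86_64-fortanix-unknown-sgx
      # SGX + tests
      - run: RUSTFLAGS="-C target-feature=+aes,+ssse3 -D warnings" cargo clippy --locked -p node -p common -p lexe-ln -p sgx-test --target=x86_64-fortanix-unknown-sgx --tests

  # --- Check the production binaries, which don't use feature unification --- #

  check-release:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      # NOTE(review): `@master` is a mutable branch ref; pin to a commit SHA.
      - uses: dtolnay/rust-toolchain@master
        with:
          toolchain: ${{ env.LEXE_RUST_VERSION }}
          targets: x86_64-fortanix-unknown-sgx
      - uses: Swatinem/rust-cache@v2
      - uses: arduino/setup-protoc@v3
      # Utils
      - run: cargo check --release --locked -p run-sgx
      # Node
      - run: RUSTFLAGS="-C target-feature=+aes,+ssse3 -D warnings" cargo check --release --locked -p node --target=x86_64-fortanix-unknown-sgx

  test:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      # NOTE(review): `@master` is a mutable branch ref; pin to a commit SHA.
      - uses: dtolnay/rust-toolchain@master
        with:
          toolchain: ${{ env.LEXE_RUST_VERSION }}
      - uses: Swatinem/rust-cache@v2
      - uses: arduino/setup-protoc@v3
      - run: cargo test --locked -- -Zunstable-options --report-time

  # TODO(max): Enable once we are approved so we don't need to constantly reauth
  # NOTE(review) before enabling:
  # - `pull_request` runs from forks do not receive repository secrets, so as
  #   written this job would run without credentials on fork PRs. Gate it on
  #   pushes to master or on same-repo PRs.
  # - SKIP_GDRIVE_TOKEN_PRINT presumably stops the gdrive tests from printing
  #   tokens into the job log; confirm that it is honored.
  # test-gdrive:
  #   runs-on: ubuntu-22.04
  #   env:
  #     # These secrets originate from a random Google account owned by Max.
  #     # Don't remove this account from the Lexe project test users in Google
  #     # Cloud, otherwise this CI workflow will break.
  #     GOOGLE_CLIENT_ID: ${{ secrets.GOOGLE_CLIENT_ID }}
  #     GOOGLE_CLIENT_SECRET: ${{ secrets.GOOGLE_CLIENT_SECRET }}
  #     GOOGLE_REFRESH_TOKEN: ${{ secrets.GOOGLE_REFRESH_TOKEN }}
  #     GOOGLE_ACCESS_TOKEN: ${{ secrets.GOOGLE_ACCESS_TOKEN }}
  #     GOOGLE_ACCESS_TOKEN_EXPIRY: 0
  #     SKIP_GDRIVE_TOKEN_PRINT: 1
  #   steps:
  #     - uses: actions/checkout@v4
  #     - uses: dtolnay/rust-toolchain@master
  #       with:
  #         toolchain: ${{ env.LEXE_RUST_VERSION }}
  #     - uses: Swatinem/rust-cache@v2
  #     - uses: arduino/setup-protoc@v3
  #       with: # Authenticate to prevent rate limit error
  #         repo-token: ${{ secrets.GITHUB_TOKEN }}
  #     # Run only the `#[ignore]`d gdrive tests, and do it on one thread to
  #     # prevent the tests (which create and delete the regtest VFS root) from
  #     # interfering with each other
  #     - run: cargo test --locked -p gdrive -- --ignored --test-threads=1 -Zunstable-options --report-time

  fmt:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      # NOTE(review): `@master` is a mutable branch ref; pin to a commit SHA.
      - uses: dtolnay/rust-toolchain@master
        with:
          toolchain: ${{ env.LEXE_RUST_VERSION }}
      - run: cargo fmt --all -- --check

  doc:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      # NOTE(review): `@master` is a mutable branch ref; pin to a commit SHA.
      - uses: dtolnay/rust-toolchain@master
        with:
          toolchain: ${{ env.LEXE_RUST_VERSION }}
      - uses: Swatinem/rust-cache@v2
      - uses: arduino/setup-protoc@v3
      - run: cargo doc --locked --no-deps --document-private-items
      # don't cache built docs, they take up a lot of space and rebuild quickly
      - run: rm -rf target/doc/

  nix-reproducible-sgx-build:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      # NOTE(review): both Nix actions track `@main`, so the installer and the
      # cache layer that produce this build can change without a commit here.
      # Pin them to full commit SHAs.
      - uses: DeterminateSystems/nix-installer-action@main
      - uses: DeterminateSystems/magic-nix-cache-action@main
      # NOTE(review): this step builds the SGX node release once. Whether the
      # output is compared against an expected hash or measurement is not
      # visible in this workflow; confirm where that check happens.
      - run: nix build -L .#node-release-sgx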