From d1eeb2edd89de24d604625d653591ec9fe51c097 Mon Sep 17 00:00:00 2001 From: Enola Knezevic Date: Mon, 4 Mar 2024 16:10:11 +0100 Subject: [PATCH] workflows --- .github/dependabot.yml | 12 ++ .github/workflows/dockerhub_readme.yml | 26 +++++ .github/workflows/rust.yml | 148 +++++++++++++++++++++++++ .github/workflows/rust_security.yml | 11 ++ 4 files changed, 197 insertions(+) create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/dockerhub_readme.yml create mode 100644 .github/workflows/rust.yml create mode 100644 .github/workflows/rust_security.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..6301211 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,12 @@ +# To get started with Dependabot version updates, you'll need to specify which +# package ecosystems to update and where the package manifests are located. +# Please see the documentation for all configuration options: +# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates + +version: 2 +updates: + - package-ecosystem: "cargo" # See documentation for possible values + directory: "/" # Location of package manifests + schedule: + interval: "weekly" + target-branch: "develop" diff --git a/.github/workflows/dockerhub_readme.yml b/.github/workflows/dockerhub_readme.yml new file mode 100644 index 0000000..a5dfb99 --- /dev/null +++ b/.github/workflows/dockerhub_readme.yml @@ -0,0 +1,26 @@ +name: Update Docker Hub Readme +on: + push: + branches: + - main +jobs: + PushContainerReadme: + runs-on: ubuntu-latest + + strategy: + matrix: + component: + - prism + + steps: + - name: Checkout + uses: actions/checkout@v2 + - name: Sync Readme + uses: lablans/sync-dockerhub-readme@feature/replace-patterns + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_PASSWORD_REQUIRED_FOR_README_SYNC }} + repository: ${{ github.repository }} + readme: "./README.md" + replace_pattern: "](./" + replace_with: "](${{ github.server_url }}/${{ github.repository }}/raw/${{ github.ref_name }}/" diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml new file mode 100644 index 0000000..9c6b08e --- /dev/null +++ b/.github/workflows/rust.yml @@ -0,0 +1,148 @@ +name: Build with rust and docker + +on: + push: + workflow_dispatch: + pull_request: + schedule: + # Fetch new base image updates every night at 1am + - cron: '0 1 * * *' + +env: + CARGO_TERM_COLOR: always + PROFILE: release + +jobs: + pre-check: + name: Security, License Check + runs-on: ubuntu-22.04 + + steps: + - uses: actions/checkout@v3 + - uses: EmbarkStudios/cargo-deny-action@v1 + + build-rust: + name: Build (Rust) + runs-on: ubuntu-22.04 + + strategy: + matrix: + arch: + - amd64 + - arm64 + + steps: + - name: Set arch ${{ matrix.arch }} + env: + ARCH: ${{ matrix.arch }} + run: | + if [ "${ARCH}" == "arm64" ]; then + echo "rustarch=aarch64-unknown-linux-gnu" >> $GITHUB_ENV + elif [ "${ARCH}" == "amd64" ]; then + echo "rustarch=x86_64-unknown-linux-gnu" >> $GITHUB_ENV + else + exit 1 + fi + if [ "$(dpkg --print-architecture)" != "${ARCH}" ]; then + echo "Cross-compiling to ${ARCH}." + echo "is_cross=true" >> $GITHUB_ENV + else + echo "Natively compiling to ${ARCH}." + echo "is_cross=false" >> $GITHUB_ENV + fi + - name: Set profile ${{ env.PROFILE }} + env: + PROFILE: ${{ env.PROFILE }} + run: | + if [ "${PROFILE}" == "release" ]; then + echo "profilestr=--release" >> $GITHUB_ENV + elif [ "${PROFILE}" == "debug" ]; then + echo "profilestr=" >> $GITHUB_ENV + else + echo "profilestr=--profile $PROFILE" >> $GITHUB_ENV + fi + - uses: actions/checkout@v3 + - uses: actions-rs/toolchain@v1 + with: + toolchain: stable + override: true + target: ${{ env.rustarch }} + - uses: Swatinem/rust-cache@v2 + with: + key: ${{ matrix.arch }}-${{ env.PROFILE }} + prefix-key: "v1-rust" # Increase to invalidate old caches. + - name: Build (cross to ${{ matrix.arch }}) + if: env.is_cross == 'true' + uses: actions-rs/cargo@v1 + with: + use-cross: ${{ env.is_cross }} + command: build + args: --target ${{ env.rustarch }} ${{ matrix.features && format('--features {0}', matrix.features) }} ${{ env.profilestr }} + - name: Build (native) + if: env.is_cross == 'false' + run: | + BINS=$(cargo build --tests --bins --message-format=json --target ${{ env.rustarch }} ${{ matrix.features && format('--features {0}', matrix.features) }} ${{ env.profilestr }} | jq -r 'select(.profile.test == true) | .executable | select(. != null)') + mkdir -p testbinaries/ + for testbin in $BINS; do + mv -v $testbin testbinaries/ + done + - name: Upload (bins) + uses: actions/upload-artifact@v3 + with: + name: binaries-${{ matrix.arch }} + path: | + target/${{ env.rustarch }}/${{ env.PROFILE }}/prism + - name: Upload (test, native only) + if: matrix.arch == 'amd64' + uses: actions/upload-artifact@v3 + with: + name: testbinaries-${{ matrix.arch }} + path: | + testbinaries/* + + test: + name: Run tests + needs: [ build-rust ] + runs-on: ubuntu-22.04 + + steps: + - uses: actions/checkout@v3 + - uses: actions/download-artifact@v3 + with: + name: testbinaries-amd64 + path: testbinaries/ + - run: | + for testbin in testbinaries/*; do + chmod +x $testbin + $testbin + done + + docker-prism: + needs: [ build-rust, pre-check, test ] + if: github.ref_protected == true || github.event_name == 'workflow_dispatch' + + # This workflow defines how a maven package is built, tested and published. + # Visit: https://github.com/samply/github-workflows/blob/develop/.github/workflows/docker-ci.yml, for more information + uses: samply/github-workflows/.github/workflows/docker-ci.yml@main + with: + # The Docker Hub Repository you want eventually push to, e.g samply/share-client + image-name: "samply/prism" + # Define special prefixes for docker tags. They will prefix each images tag. + # image-tag-prefix: "foo" + # Define the build context of your image, typically default '.' will be enough + # build-context: '.' + # Define the Dockerfile of your image, typically default './Dockerfile' will be enough + build-file: './Dockerfile' + # NOTE: This doesn't work currently + # A list of build arguments, passed to the docker build +# build-args: | +# PROFILE=${{ env.PROFILE }} +# COMPONENT=broker + # Define the target platforms of the docker build (default "linux/amd64,linux/arm64/v8") + # build-platforms: "linux/amd64" + # If your actions generate an artifact in a previous build step, you can tell this workflow to download it + artifact-name: '*' + # This passes the secrets from calling workflow to the called workflow + secrets: + DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} + DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} diff --git a/.github/workflows/rust_security.yml b/.github/workflows/rust_security.yml new file mode 100644 index 0000000..59f1ff0 --- /dev/null +++ b/.github/workflows/rust_security.yml @@ -0,0 +1,11 @@ +on: + schedule: + - cron: '0 3 * * 1' +jobs: + audit: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v1 + - uses: actions-rs/audit-check@v1 + with: + token: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file