[CI] Bump actions/dependency-review-action from 4.3.5 to 4.4.0 #5728
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Copyright 2022 The Fuchsia Authors | |
# | |
# Licensed under a BSD-style license <LICENSE-BSD>, Apache License, Version 2.0 | |
# <LICENSE-APACHE or https://www.apache.org/licenses/LICENSE-2.0>, or the MIT | |
# license <LICENSE-MIT or https://opensource.org/licenses/MIT>, at your option. | |
# This file may not be copied, modified, or distributed except according to | |
# those terms. | |
name: Build & Tests | |
on: | |
pull_request: | |
merge_group: | |
permissions: read-all | |
env: | |
CARGO_TERM_COLOR: always | |
RUST_BACKTRACE: 1 | |
RUSTFLAGS: -Dwarnings | |
RUSTDOCFLAGS: -Dwarnings | |
# `ZC_NIGHTLY_XXX` are flags that we add to `XXX` only on the nightly | |
# toolchain. | |
ZC_NIGHTLY_RUSTFLAGS: -Zrandomize-layout | |
ZC_NIGHTLY_MIRIFLAGS: "-Zmiri-strict-provenance -Zmiri-backtrace=full" | |
jobs: | |
build_test: | |
runs-on: ubuntu-latest | |
# Generate and populate the global Cargo registry and cache first. Each | |
# job in the matrix runs in parallel, so without populating the cache | |
# first, most jobs would duplicate the work of downloading crates from | |
# the internet. Populating the cache first ensures that this work only | |
# happens once. | |
needs: generate_cache | |
strategy: | |
# By default, this is set to `true`, which means that a single CI job | |
# failure will cause all outstanding jobs to be canceled. This slows down | |
# development because it means that errors need to be encountered and | |
# fixed one at a time. | |
fail-fast: false | |
matrix: | |
# See `INTERNAL.md` for an explanation of these pinned toolchain | |
# versions. | |
toolchain: [ | |
"msrv", | |
"stable", | |
"nightly", | |
# These are the names of specific Rust versions detected in | |
# `build.rs`. Each of these represents the minimum Rust version for | |
# which a particular feature is supported. | |
"zerocopy-core-error", | |
"zerocopy-diagnostic-on-unimplemented", | |
] | |
target: [ | |
"i686-unknown-linux-gnu", | |
"x86_64-unknown-linux-gnu", | |
"arm-unknown-linux-gnueabi", | |
"aarch64-unknown-linux-gnu", | |
"powerpc-unknown-linux-gnu", | |
"powerpc64-unknown-linux-gnu", | |
"riscv64gc-unknown-linux-gnu", | |
"s390x-unknown-linux-gnu", | |
"x86_64-pc-windows-msvc", | |
"thumbv6m-none-eabi", | |
"wasm32-wasi" | |
] | |
features: [ | |
"--no-default-features", | |
"", | |
"--features __internal_use_only_features_that_work_on_stable", | |
"--all-features" | |
] | |
crate: [ "zerocopy", "zerocopy-derive" ] | |
event_name: [ "${{ github.event_name }}" ] | |
exclude: | |
# Exclude any combination which uses a non-nightly toolchain but | |
# enables nightly features. | |
- toolchain: "msrv" | |
features: "--all-features" | |
- toolchain: "stable" | |
features: "--all-features" | |
- toolchain: "zerocopy-core-error" | |
features: "--all-features" | |
- toolchain: "zerocopy-diagnostic-on-unimplemented" | |
features: "--all-features" | |
# Exclude any combination for the zerocopy-derive crate which | |
# uses zerocopy features. | |
- crate: "zerocopy-derive" | |
features: "--no-default-features" | |
- crate: "zerocopy-derive" | |
features: "--features __internal_use_only_features_that_work_on_stable" | |
- crate: "zerocopy-derive" | |
features: "--all-features" | |
# Exclue any combination of zerocopy-derive and any toolchain version | |
# other than "msrv", "stable", and "nightly". These other versions | |
# exist to exercise zerocopy behavior which differs by toolchain; | |
# zerocopy-derive doesn't behave different on these toolchains. | |
- crate: "zerocopy-derive" | |
toolchain: "zerocopy-core-error" | |
- crate: "zerocopy-derive" | |
toolchain: "zerocopy-diagnostic-on-unimplemented" | |
# Exclude most targets targets from the `zerocopy-core-error` | |
# toolchain since the `zerocopy-core-error` feature is unrelated to | |
# compilation target. This only leaves i686 and x86_64 targets. | |
- toolchain: "zerocopy-core-error" | |
target: "arm-unknown-linux-gnueabi" | |
- toolchain: "zerocopy-core-error" | |
target: "aarch64-unknown-linux-gnu" | |
- toolchain: "zerocopy-core-error" | |
target: "powerpc-unknown-linux-gnu" | |
- toolchain: "zerocopy-core-error" | |
target: "powerpc64-unknown-linux-gnu" | |
- toolchain: "zerocopy-core-error" | |
target: "riscv64gc-unknown-linux-gnu" | |
- toolchain: "zerocopy-core-error" | |
target: "s390x-unknown-linux-gnu" | |
- toolchain: "zerocopy-core-error" | |
target: "x86_64-pc-windows-msvc" | |
- toolchain: "zerocopy-core-error" | |
target: "thumbv6m-none-eabi" | |
- toolchain: "zerocopy-core-error" | |
target: "wasm32-wasi" | |
# Exclude most targets targets from the | |
# `zerocopy-diagnostic-on-unimplemented` toolchain since the | |
# `zerocopy-diagnostic-on-unimplemented` feature is unrelated to | |
# compilation target. This only leaves i686 and x86_64 targets. | |
- toolchain: "zerocopy-diagnostic-on-unimplemented" | |
target: "arm-unknown-linux-gnueabi" | |
- toolchain: "zerocopy-diagnostic-on-unimplemented" | |
target: "aarch64-unknown-linux-gnu" | |
- toolchain: "zerocopy-diagnostic-on-unimplemented" | |
target: "powerpc-unknown-linux-gnu" | |
- toolchain: "zerocopy-diagnostic-on-unimplemented" | |
target: "powerpc64-unknown-linux-gnu" | |
- toolchain: "zerocopy-diagnostic-on-unimplemented" | |
target: "riscv64gc-unknown-linux-gnu" | |
- toolchain: "zerocopy-diagnostic-on-unimplemented" | |
target: "s390x-unknown-linux-gnu" | |
- toolchain: "zerocopy-diagnostic-on-unimplemented" | |
target: "x86_64-pc-windows-msvc" | |
- toolchain: "zerocopy-diagnostic-on-unimplemented" | |
target: "thumbv6m-none-eabi" | |
- toolchain: "zerocopy-diagnostic-on-unimplemented" | |
target: "wasm32-wasi" | |
# Exclude `thumbv6m-none-eabi` combined with any feature that implies | |
# the `std` feature since `thumbv6m-none-eabi` does not include a | |
# pre-compiled std. | |
- target: "thumbv6m-none-eabi" | |
features: "--features __internal_use_only_features_that_work_on_stable" | |
- target: "thumbv6m-none-eabi" | |
features: "--all-features" | |
# Exclude most targets during PR development, but allow them in the | |
# merge queue. This speeds up our development flow, while still | |
# ensuring that errors on these targets are caught before a PR is | |
# merged to main. | |
- target: "arm-unknown-linux-gnueabi" | |
event_name: "pull_request" | |
- target: "aarch64-unknown-linux-gnu" | |
event_name: "pull_request" | |
- target: "powerpc-unknown-linux-gnu" | |
event_name: "pull_request" | |
- target: "powerpc64-unknown-linux-gnu" | |
event_name: "pull_request" | |
- target: "riscv64gc-unknown-linux-gnu" | |
event_name: "pull_request" | |
- target: "s390x-unknown-linux-gnu" | |
event_name: "pull_request" | |
- target: "thumbv6m-none-eabi" | |
event_name: "pull_request" | |
- target: "wasm32-wasi" | |
event_name: "pull_request" | |
name: Build & Test (${{ matrix.crate }} / ${{ matrix.toolchain }} / ${{ matrix.features }} / ${{ matrix.target }}) | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Populate cache | |
uses: ./.github/actions/cache | |
# Ensure that Cargo resolves the minimum possible syn version so that if we | |
# accidentally make a change which depends upon features added in more | |
# recent versions of syn, we'll catch it in CI. | |
# | |
# TODO(#1595): Debug why this step is still necessary after #1564 and maybe | |
# remove it. | |
- name: Pin syn dependency | |
run: | | |
set -eo pipefail | |
# Override the exising `syn` dependency with one which requires an exact | |
# version. | |
cargo add -p zerocopy-derive 'syn@=2.0.79' | |
- name: Configure environment variables | |
run: | | |
set -eo pipefail | |
# We use toolchain descriptors ("msrv", "stable", "nightly", and values | |
# from the "metadata.build-rs" key in Cargo.toml) in the matrix. This | |
# step converts the current descriptor to a particular toolchain version | |
# by looking up the corresponding key in `Cargo.toml`. It sets the | |
# `ZC_TOOLCHAIN` environment variable for use in the next step | |
# (toolchain installation) because GitHub variable interpolation doesn't | |
# support running arbitrary commands. In other words, we can't rewrite: | |
# | |
# toolchain: $ {{ env.ZC_TOOLCHAIN }} | |
# | |
# ...to: | |
# | |
# toolchain: $ {{ ./cargo.sh --version matrix.toolchain }} # hypothetical syntax | |
ZC_TOOLCHAIN="$(./cargo.sh --version ${{ matrix.toolchain }})" | |
echo "Found that the '${{ matrix.toolchain }}' toolchain is $ZC_TOOLCHAIN" | tee -a $GITHUB_STEP_SUMMARY | |
echo "ZC_TOOLCHAIN=$ZC_TOOLCHAIN" >> $GITHUB_ENV | |
if [[ '${{ matrix.toolchain }}' == 'nightly' ]]; then | |
RUSTFLAGS="$RUSTFLAGS $ZC_NIGHTLY_RUSTFLAGS" | |
MIRIFLAGS="$MIRIFLAGS $ZC_NIGHTLY_MIRIFLAGS" | |
echo "Using nightly toolchain; setting RUSTFLAGS='$RUSTFLAGS' and MIRIFLAGS='$MIRIFLAGS'" | tee -a $GITHUB_STEP_SUMMARY | |
echo "RUSTFLAGS=$RUSTFLAGS" >> $GITHUB_ENV | |
echo "MIRIFLAGS=$MIRIFLAGS" >> $GITHUB_ENV | |
else | |
echo "Using non-nightly toolchain; not modifying RUSTFLAGS='$RUSTFLAGS' or MIRIFLAGS='$MIRIFLAGS'" | tee -a $GITHUB_STEP_SUMMARY | |
fi | |
# On our MSRV, `cargo` does not know about the `rust-version` field. As a | |
# result, in `cargo.sh`, if we use our MSRV toolchain in order to run `cargo | |
# metadata`, we will not be able to extract the `rust-version` field. Thus, | |
# in `cargo.sh`, we explicitly do `cargo +stable metadata`. This requires a | |
# (more recent) stable toolchain to be installed. As of this writing, this | |
# toolchain is not used for anything else. | |
- name: Install stable Rust for use in 'cargo.sh' | |
uses: dtolnay/rust-toolchain@00b49be78f40fba4e87296b2ead62868750bdd83 # stable | |
with: | |
toolchain: stable | |
- name: Install Rust with ${{ matrix.toolchain }} toolchain (${{ env.ZC_TOOLCHAIN }}) and target ${{ matrix.target }} | |
uses: dtolnay/rust-toolchain@00b49be78f40fba4e87296b2ead62868750bdd83 # stable | |
with: | |
toolchain: ${{ env.ZC_TOOLCHAIN }} | |
targets: ${{ matrix.target }} | |
# We require the `rust-src` component to ensure that the compiler | |
# error output generated during UI tests matches that generated on | |
# local developer machines; see | |
# https://github.com/rust-lang/rust/issues/116433. | |
# | |
# Only nightly has a working Miri, so we skip installing on all other | |
# toolchains. This expression is effectively a ternary expression - | |
# see [1] for details. | |
# | |
# [1] https://github.com/actions/runner/issues/409#issuecomment-752775072 | |
components: clippy, rust-src ${{ matrix.toolchain == 'nightly' && ', miri' || '' }} | |
- name: Rust Cache | |
uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab # v2.7.5 | |
with: | |
key: "${{ matrix.target }}" | |
# On the `thumbv6m-none-eabi` target, we can't run `cargo check --tests` due | |
# to the `memchr` crate, so we just do `cargo check` instead. | |
- name: Check | |
run: ./cargo.sh +${{ matrix.toolchain }} check --package ${{ matrix.crate }} --target ${{ matrix.target }} ${{ matrix.features }} --verbose | |
if: matrix.target == 'thumbv6m-none-eabi' | |
- name: Check tests | |
run: ./cargo.sh +${{ matrix.toolchain }} check --tests --package ${{ matrix.crate }} --target ${{ matrix.target }} ${{ matrix.features }} --verbose | |
if: matrix.target != 'thumbv6m-none-eabi' | |
- name: Build | |
run: ./cargo.sh +${{ matrix.toolchain }} build --package ${{ matrix.crate }} --target ${{ matrix.target }} ${{ matrix.features }} --verbose | |
if: matrix.target != 'thumbv6m-none-eabi' | |
# When building tests for the i686 target, we need certain libraries which | |
# are not installed by default; `gcc-multilib` includes these libraries. | |
- name: Install gcc-multilib | |
# Per [1]: | |
# | |
# Note: Always run `sudo apt-get update` before installing a package. In | |
# case the `apt` index is stale, this command fetches and re-indexes any | |
# available packages, which helps prevent package installation failures. | |
# | |
# [1] https://docs.github.com/en/actions/using-github-hosted-runners/customizing-github-hosted-runners | |
run: | | |
sudo apt-get update | |
sudo apt-get install gcc-multilib | |
if: contains(matrix.target, 'i686') | |
- name: Run tests | |
run: | | |
./cargo.sh +${{ matrix.toolchain }} test \ | |
--package ${{ matrix.crate }} \ | |
--target ${{ matrix.target }} \ | |
${{ matrix.features }} \ | |
--verbose \ | |
-- \ | |
--skip ui | |
# Only run tests when targetting Linux x86 (32- or 64-bit) - we're | |
# executing on Linux x86_64, so we can't run tests for any non-x86 target. | |
# | |
# TODO(https://github.com/dtolnay/trybuild/issues/184#issuecomment-1269097742): | |
# Run compile tests when building for other targets. | |
if: contains(matrix.target, 'linux') && (contains(matrix.target, 'x86_64') || contains(matrix.target, 'i686')) | |
- name: Run UI tests | |
run: | | |
# Run UI tests separately, treating warnings as warnings (rather than | |
# as errors, as we do everywhere else in our CI tests). This allows | |
# our UI tests to more accurately reflect what users will see, and | |
# also ensures that we're not spuriously relying on warnings being | |
# errors to ensure compilation failure (if we were, then our code | |
# would be unsound whenever -Dwarnings is not enabled). | |
# | |
# TODO(#560), TODO(#187): Once we migrate to the ui-test crate, we | |
# likely won't have to special-case the UI tests like this. | |
RUSTFLAGS="$RUSTFLAGS -Wwarnings" ./cargo.sh +${{ matrix.toolchain }} test \ | |
--package ${{ matrix.crate }} \ | |
--target ${{ matrix.target }} \ | |
${{ matrix.features }} \ | |
--verbose \ | |
ui | |
# Only run tests when targetting Linux x86 (32- or 64-bit) - we're | |
# executing on Linux x86_64, so we can't run tests for any non-x86 target. | |
# | |
# TODO(https://github.com/dtolnay/trybuild/issues/184#issuecomment-1269097742): | |
# Run compile tests when building for other targets. | |
# | |
# Only run UI tests for zerocopy-derive, or for zerocopy with the derive | |
# feature. | |
# | |
# Only run UI tests for the 'msrv', 'stable', and 'nightly' toolchains. | |
# Other toolchains are tested only because zerocopy has behavior which | |
# differs on those toolchains, but at present, none of that behavior | |
# affects UI tests. If we were to run UI tests on these toolchains, we | |
# would need a new set of UI test files per toolchain, which would be a | |
# maintenance burden not worth the (at present, zero) benefit. | |
if: | | |
(!contains(matrix.target, 'windows')) && | |
(contains(matrix.target, 'x86_64') || contains(matrix.target, 'i686')) && | |
(matrix.crate == 'zerocopy-derive' || | |
(matrix.features != '' && matrix.features != '--no-default-features')) && | |
(matrix.toolchain == 'msrv' || matrix.toolchain == 'stable' || matrix.toolchain == 'nightly') | |
- name: Run tests under Miri | |
run: | | |
set -eo pipefail | |
# Work around https://github.com/rust-lang/miri/issues/3125 | |
[ "${{ matrix.target }}" == "aarch64-unknown-linux-gnu" ] && cargo clean | |
# Spawn twice the number of workers as there are CPU cores. | |
THREADS=$(echo "$(nproc) * 2" | bc) | |
echo "Running Miri tests with $THREADS threads" | tee -a $GITHUB_STEP_SUMMARY | |
cargo install cargo-nextest | |
# Run under both the stacked borrows model (default) and under the tree | |
# borrows model to ensure we're compliant with both. | |
for EXTRA_FLAGS in "" "-Zmiri-tree-borrows"; do | |
MIRIFLAGS="$MIRIFLAGS $EXTRA_FLAGS" ./cargo.sh +${{ matrix.toolchain }} \ | |
miri nextest run \ | |
--test-threads "$THREADS" \ | |
--package ${{ matrix.crate }} \ | |
--target ${{ matrix.target }} \ | |
${{ matrix.features }} | |
done | |
# Only nightly has a working Miri, so we skip installing on all other | |
# toolchains. | |
# | |
# We skip Miri tests on pull request, but run them in the merge queue. | |
# Miri tests are far and away the most expensive aspect of our CI tests, | |
# but they rarely surface issues (ie, tests that pass `cargo test` but | |
# fail `cargo miri test`). Skipping them during PR development | |
# significantly speeds up our development flow, while still ensuring that | |
# Miri can catch any errors before a PR is merged into main. | |
# | |
# TODO(#22): Re-enable testing on riscv64gc-unknown-linux-gnu and/or | |
# wasm32-wasi once those work. | |
if: | | |
matrix.toolchain == 'nightly' && | |
matrix.target != 'riscv64gc-unknown-linux-gnu' && | |
matrix.target != 'thumbv6m-none-eabi' && | |
matrix.target != 'wasm32-wasi' && | |
github.event_name != 'pull_request' | |
# On the `thumbv6m-none-eabi` target, we can't run `cargo clippy --tests` | |
# due to the `memchr` crate, so we just do `cargo clippy` instead. | |
- name: Clippy | |
run: ./cargo.sh +${{ matrix.toolchain }} clippy --package ${{ matrix.crate }} --target ${{ matrix.target }} ${{ matrix.features }} --verbose | |
if: matrix.toolchain == 'nightly' && matrix.target == 'thumbv6m-none-eabi' | |
- name: Clippy tests | |
run: ./cargo.sh +${{ matrix.toolchain }} clippy --package ${{ matrix.crate }} --target ${{ matrix.target }} ${{ matrix.features }} --tests --verbose | |
# Clippy improves the accuracy of lints over time, and fixes bugs. Only | |
# running Clippy on nightly allows us to avoid having to write code which | |
# is compatible with older versions of Clippy, which sometimes requires | |
# hacks to work around limitations that are fixed in more recent versions. | |
if: matrix.toolchain == 'nightly' && matrix.target != 'thumbv6m-none-eabi' | |
- name: Cargo doc | |
# We pass --document-private-items and --document-hidden items to ensure that | |
# documentation always builds even for these items. This makes future changes to | |
# make those items public/non-hidden more painless. Note that | |
# --document-hidden-items is unstable; if a future release breaks or removes it, | |
# we can just update CI to no longer pass that flag. | |
run: | | |
# Include arguments passed during docs.rs deployments to make sure those | |
# work properly. | |
set -eo pipefail | |
METADATA_DOCS_RS_RUSTDOC_ARGS="$(cargo metadata --format-version 1 | \ | |
jq -r ".packages[] | select(.name == \"zerocopy\").metadata.docs.rs.\"rustdoc-args\"[]" | tr '\n' ' ')" | |
export RUSTDOCFLAGS="${{ matrix.toolchain == 'nightly' && '-Z unstable-options --document-hidden-items $METADATA_DOCS_RS_RUSTDOC_ARGS'|| '' }} $RUSTDOCFLAGS" | |
./cargo.sh +${{ matrix.toolchain }} doc --document-private-items --package ${{ matrix.crate }} ${{ matrix.features }} | |
# Check semver compatibility with the most recently-published version on | |
# crates.io. We do this in the matrix rather than in its own job so that it | |
# gets run on different targets. Some of our API is target-specific (e.g., | |
# SIMD type impls), and so we need to run on each target. | |
- name: Check semver compatibility | |
uses: obi1kenobi/cargo-semver-checks-action@7272cc2caa468d3e009a2b0a9cc366839348237b # v2.6 | |
with: | |
# Don't semver check zerocopy-derive; as a proc macro, it doesn't have | |
# an API that cargo-semver-checks can understand. | |
package: zerocopy | |
# Test on the stable toolchain, and thus don't test nightly features. | |
# We previously tested on the nightly toolchain, but this caused problems | |
# [1] because cargo-semver-checks only promises compatibility with the | |
# latest stable toolchain. Testing on the stable toolchain is more | |
# reliable, and doesn't require us to give up anything - we wouldn't want | |
# to test nightly-only features anyway, as we don't make stability | |
# guarantees regarding these features. | |
# | |
# [1] See, for example: https://github.com/google/zerocopy/actions/runs/9466417300/job/26078264384?pr=1413 | |
feature-group: only-explicit-features | |
features: __internal_use_only_features_that_work_on_stable | |
rust-toolchain: ${{ env.ZC_TOOLCHAIN }} | |
rust-target: ${{ matrix.target }} | |
# TODO(#1565): Run on wasm32-wasi. As of this writing, this target fails: | |
# https://github.com/google/zerocopy/actions/runs/9944220377/job/27469879712 | |
if: | | |
matrix.crate == 'zerocopy' && | |
matrix.features == '--features __internal_use_only_features_that_work_on_stable' && | |
matrix.toolchain == 'stable' && | |
matrix.target != 'wasm32-wasi' | |
# TODO(#453): Doing this as a matrix step is a hack that allows us to depend | |
# on the fact that toolchains have already been installed. We currently only | |
# run this on a single matrix combination, but doing it outside of the | |
# matrix would require us to replicate the toolchain resolution and | |
# installation logic. We should either: | |
# - Figure out how to factor out the toolchain resolution and installation | |
# logic (see #1275) for an attempt | |
# - Support multiple matrix combinations (which we intend to do as part of | |
# #453 eventually anyway) so that this location is justified | |
- name: Generate code coverage | |
run: | | |
set -eo pipefail | |
./cargo.sh +nightly install cargo-llvm-cov | |
./cargo.sh +${{ matrix.toolchain }} llvm-cov \ | |
--package ${{ matrix.crate }} \ | |
--target ${{ matrix.target }} \ | |
${{ matrix.features }} \ | |
--lcov \ | |
--output-path lcov.info \ | |
--verbose \ | |
-- \ | |
--skip ui | |
if: | | |
matrix.crate == 'zerocopy' && | |
matrix.features == '--all-features' && | |
matrix.toolchain == 'nightly' && | |
matrix.target == 'x86_64-unknown-linux-gnu' | |
- name: Upload coverage to Codecov | |
uses: codecov/codecov-action@v4 | |
with: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
files: lcov.info | |
if: | | |
matrix.crate == 'zerocopy' && | |
matrix.features == '--all-features' && | |
matrix.toolchain == 'nightly' && | |
matrix.target == 'x86_64-unknown-linux-gnu' | |
kani: | |
runs-on: ubuntu-latest | |
name: 'Run tests under Kani' | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: model-checking/kani-github-action@f838096619a707b0f6b2118cf435eaccfa33e51f # v1.1 | |
with: | |
# Use `--features __internal_use_only_features_that_work_on_stable` | |
# because the Kani GitHub Action uses its own pinned nightly | |
# toolchain. Sometimes, we make changes to our nightly features for | |
# more recent toolchains, and so our nightly features become | |
# incompatible with the toolchain that Kani uses. By only testing | |
# stable features, we ensure that this doesn't cause problems in CI. | |
# | |
# TODO(https://github.com/model-checking/kani-github-action/issues/56): | |
# Go back to testing all features once the Kani GitHub Action supports | |
# specifying a particular toolchain. | |
args: "--package zerocopy --features __internal_use_only_features_that_work_on_stable --output-format=terse --randomize-layout --memory-safety-checks --overflow-checks --undefined-function-checks --unwinding-checks" | |
# This version is automatically rolled by | |
# `roll-pinned-toolchain-versions.yml`. | |
kani-version: 0.55.0 | |
unsafe_fields: | |
runs-on: ubuntu-latest | |
needs: generate_cache | |
strategy: | |
# By default, this is set to `true`, which means that a single CI job | |
# failure will cause all outstanding jobs to be canceled. This slows down | |
# development because it means that errors need to be encountered and | |
# fixed one at a time. | |
fail-fast: false | |
matrix: | |
toolchain: [ | |
"msrv", | |
"stable", | |
"nightly", | |
] | |
features: [ | |
"", | |
"--features zerocopy_0_8", | |
] | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Configure environment variables | |
run: | | |
set -eo pipefail | |
ZC_TOOLCHAIN="$(./cargo.sh --version ${{ matrix.toolchain }})" | |
echo "ZC_TOOLCHAIN=$ZC_TOOLCHAIN" >> $GITHUB_ENV | |
- name: Install stable Rust for use in 'cargo.sh' | |
uses: dtolnay/rust-toolchain@00b49be78f40fba4e87296b2ead62868750bdd83 # stable | |
with: | |
toolchain: stable | |
- name: Install Rust with nightly toolchain (${{ env.ZC_TOOLCHAIN }}) and target aarch64_be-unknown-linux-gnu | |
uses: dtolnay/rust-toolchain@00b49be78f40fba4e87296b2ead62868750bdd83 # stable | |
with: | |
toolchain: ${{ env.ZC_TOOLCHAIN }} | |
components: clippy, rust-src | |
- name: Check | |
run: ./cargo.sh +${{ matrix.toolchain }} check --package unsafe-fields ${{ matrix.features }} --verbose | |
- name: Check tests | |
run: ./cargo.sh +${{ matrix.toolchain }} check --tests --package unsafe-fields ${{ matrix.features }} --verbose | |
- name: Build | |
run: ./cargo.sh +${{ matrix.toolchain }} build --package unsafe-fields ${{ matrix.features }} --verbose | |
- name: Run tests | |
run: ./cargo.sh +${{ matrix.toolchain }} test --package unsafe-fields ${{ matrix.features }} --verbose | |
- name: Clippy | |
run: ./cargo.sh +${{ matrix.toolchain }} clippy --package unsafe-fields ${{ matrix.features }} --verbose | |
# See comment in next step for why we only run on nightly. | |
if: matrix.toolchain == 'nightly' | |
- name: Clippy tests | |
run: ./cargo.sh +${{ matrix.toolchain }} clippy --package unsafe-fields --tests ${{ matrix.features }} --verbose | |
# Clippy improves the accuracy of lints over time, and fixes bugs. Only | |
# running Clippy on nightly allows us to avoid having to write code | |
# which is compatible with older versions of Clippy, which sometimes | |
# requires hacks to work around limitations that are fixed in more | |
# recent versions. | |
if: matrix.toolchain == 'nightly' | |
- name: Cargo doc | |
# We pass --document-private-items and --document-hidden items to ensure | |
# that documentation always builds even for these items. This makes | |
# future changes to make those items public/non-hidden more painless. | |
# Note that --document-hidden-items is unstable; if a future release | |
# breaks or removes it, we can just update CI to no longer pass that | |
# flag. | |
run: | | |
# Include arguments passed during docs.rs deployments to make sure those | |
# work properly. | |
set -eo pipefail | |
METADATA_DOCS_RS_RUSTDOC_ARGS="$(cargo metadata --format-version 1 | \ | |
jq -r ".packages[] | select(.name == \"unsafe-fields\").metadata.docs.rs.\"rustdoc-args\"[]" | tr '\n' ' ')" | |
export RUSTDOCFLAGS="${{ matrix.toolchain == 'nightly' && '-Z unstable-options --document-hidden-items $METADATA_DOCS_RS_RUSTDOC_ARGS'|| '' }} $RUSTDOCFLAGS" | |
./cargo.sh +${{ matrix.toolchain }} doc --document-private-items --package unsafe-fields --all-features | |
# NEON intrinsics are currently broken on big-endian platforms. [1] This test ensures | |
# that we don't accidentally attempt to compile these intrinsics on such platforms. We | |
# can't use this as part of the build matrix because rustup doesn't support the | |
# `aarch64_be-unknown-linux-gnu` target. | |
# | |
# [1] https://github.com/rust-lang/stdarch/issues/1484 | |
check_be_aarch64: | |
runs-on: ubuntu-latest | |
name: Build (zerocopy / nightly / --simd / aarch64_be-unknown-linux-gnu) | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Configure environment variables | |
run: | | |
set -eo pipefail | |
ZC_TOOLCHAIN="$(./cargo.sh --version nightly)" | |
RUSTFLAGS="$RUSTFLAGS $ZC_NIGHTLY_RUSTFLAGS" | |
echo "RUSTFLAGS=$RUSTFLAGS" >> $GITHUB_ENV | |
echo "ZC_TOOLCHAIN=$ZC_TOOLCHAIN" >> $GITHUB_ENV | |
- name: Rust Cache | |
uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab # v2.7.5 | |
with: | |
key: aarch64_be-unknown-linux-gnu | |
- name: Install stable Rust for use in 'cargo.sh' | |
uses: dtolnay/rust-toolchain@00b49be78f40fba4e87296b2ead62868750bdd83 # stable | |
with: | |
toolchain: stable | |
- name: Install Rust with nightly toolchain (${{ env.ZC_TOOLCHAIN }}) and target aarch64_be-unknown-linux-gnu | |
uses: dtolnay/rust-toolchain@00b49be78f40fba4e87296b2ead62868750bdd83 # stable | |
with: | |
toolchain: ${{ env.ZC_TOOLCHAIN }} | |
components: clippy, rust-src | |
- name: Check big endian for aarch64_be-unknown-linux-gnu target | |
run: ./cargo.sh +nightly build --target=aarch64_be-unknown-linux-gnu -Zbuild-std --features simd | |
check_fmt: | |
runs-on: ubuntu-latest | |
name: Check Rust formatting | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Check Rust formatting | |
run: ./ci/check_fmt.sh | |
check_readme: | |
needs: generate_cache | |
runs-on: ubuntu-latest | |
name: Check README.md | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Populate cache | |
uses: ./.github/actions/cache | |
- name: Check README.md | |
run: ./ci/check_readme.sh | |
check_versions: | |
needs: generate_cache | |
runs-on: ubuntu-latest | |
name: Check crate versions match | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Populate cache | |
uses: ./.github/actions/cache | |
# Make sure that both crates are at the same version, and that zerocopy | |
# depends exactly upon the current version of zerocopy-derive. See | |
# `INTERNAL.md` for an explanation of why we do this. | |
- name: Check crate versions match | |
run: ./ci/check_versions.sh | |
generate_cache: | |
runs-on: ubuntu-latest | |
name: Generate cache | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- id: populate-cache | |
uses: ./.github/actions/cache | |
- name: Download dependencies | |
if: steps.populate-cache.outputs.cache-hit != 'true' | |
run: | | |
# Ensure all dependencies are downloaded - both for our crates and for | |
# tools we use in CI. We don't care about these tools succeeding for | |
# two reasons: First, this entire job is best-effort since it's just a | |
# performance optimization. Second, there may be failures due to | |
# issues other than failing to download dependencies (e.g., `cargo | |
# metadata` called with a malformed `Cargo.toml`, build failure in our | |
# own crate or in dependencies, etc). For those reasons, we discard | |
# stderr and ignore status codes. | |
# | |
# For downloading our crates' dependencies in particular, note that | |
# there is no support for doing this directly [1], so we just check | |
# all crates using --tests. | |
# | |
# We background all jobs and then wait for them so that they can run | |
# in parallel. | |
# | |
# [1] https://stackoverflow.com/a/42139535/836390 | |
# See comment on "Pin syn dependency" job for why we do this. It needs | |
# to happen before the subsequent `cargo check`, so we don't | |
# background it. | |
# | |
# TODO(#1595): Debug why this step is still necessary after #1564 and | |
# maybe remove it. | |
cargo add -p zerocopy-derive 'syn@=2.0.79' &> /dev/null | |
cargo check --workspace --tests &> /dev/null & | |
cargo metadata &> /dev/null & | |
cargo install cargo-readme --version 3.2.0 &> /dev/null & | |
cargo install --locked kani-verifier &> /dev/null & | |
cargo install cargo-nextest &> /dev/null & | |
cargo kani setup &> /dev/null & | |
wait | |
check-all-toolchains-tested: | |
runs-on: ubuntu-latest | |
name: Check that all toolchains listed in Cargo.toml are tested in CI | |
steps: | |
- name: Install yq (for YAML parsing) | |
run: go install github.com/mikefarah/yq/v4@latest | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Run check | |
run: ./ci/check_all_toolchains_tested.sh | |
check-job-dependencies: | |
runs-on: ubuntu-latest | |
name: Check all-jobs-succeeded depends on all jobs | |
steps: | |
- name: Install yq (for YAML parsing) | |
run: go install github.com/mikefarah/yq/v4@latest | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Run dependency check | |
run: ./ci/check_job_dependencies.sh | |
run-git-hooks: | |
runs-on: ubuntu-latest | |
name: Run Git hooks | |
steps: | |
- name: Install yq (for YAML parsing) | |
run: go install github.com/mikefarah/yq/v4@latest | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Run dependency check | |
# Ensure that Git hooks execute successfully. | |
# | |
# Note that this runs all hooks. As of this writing, the only Git hook | |
# is `pre-push`. Running all hooks ensures that, if a new hook is added | |
# which can't run in CI (at least not using this naive setup), we'll | |
# notice and it will remind us to update this test. | |
run: set -e; for hook in ./githooks/*; do $hook; done | |
# Used to signal to branch protections that all other jobs have succeeded. | |
all-jobs-succeed: | |
name: All checks succeeded | |
# On failure, we run and unconditionally exit with a failing status code. | |
# On success, this job is skipped. Jobs skipped using `if:` are considered | |
# to have succeeded: | |
# | |
# https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/collaborating-on-repositories-with-code-quality-features/troubleshooting-required-status-checks#handling-skipped-but-required-checks | |
if: failure() | |
runs-on: ubuntu-latest | |
needs: [build_test, kani,check_be_aarch64, check_fmt, check_readme, check_versions, generate_cache, check-all-toolchains-tested, check-job-dependencies, run-git-hooks, unsafe_fields] | |
steps: | |
- name: Mark the job as failed | |
run: exit 1 |