Harden publishing #6340
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
pull_request: | |
merge_group: | |
push: | |
branches: | |
- master | |
- prod | |
- testnet | |
- acceptance-test-pass | |
jobs: | |
complete: | |
if: always() | |
needs: [fmt, cargo-deny, rust-check-git-rev-deps, build] | |
runs-on: ubuntu-latest | |
steps: | |
- if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') | |
run: exit 1 | |
fmt: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
- run: rustup component add rustfmt | |
- run: rustup update | |
- run: cargo fmt --all --check | |
cargo-deny: | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
checks: | |
- advisories | |
- bans licenses sources | |
# Prevent sudden announcement of a new advisory from failing ci: | |
continue-on-error: ${{ matrix.checks == 'advisories' }} | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: EmbarkStudios/cargo-deny-action@b01e7a8cfb1f496c52d77361e84c1840d8246393 | |
with: | |
command: check ${{ matrix.checks }} | |
# leave arguments empty so we don't test --all-features | |
# which will see conflicting env versions | |
arguments: | |
rust-check-git-rev-deps: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: stellar/actions/rust-check-git-rev-deps@main | |
build: | |
runs-on: ubuntu-latest | |
env: | |
CACHED_PATHS: | | |
~/.ccache | |
~/.cargo | |
target | |
strategy: | |
fail-fast: false | |
matrix: | |
toolchain: [ "gcc", "clang"] | |
protocol: ["current", "next"] | |
scenario: ["", "--check-test-tx-meta"] | |
steps: | |
- name: Fix kernel mmap rnd bits | |
# Asan in llvm provided in ubuntu 22.04 is incompatible with | |
# high-entropy ASLR in much newer kernels that GitHub runners are | |
# using leading to random crashes: https://reviews.llvm.org/D148280 | |
run: sudo sysctl vm.mmap_rnd_bits=28 | |
# We start with as cheap as possible a cache probe to see if we have an exact hit on this | |
# git commit ID (for a given OS/toolchain/protocol). If so we can skip all subsequent | |
# steps: we already tested this exact SHA. | |
# | |
# Unfortunately due to the way github actions control flow works, we have to repeat the | |
# step 'if' condition in each step, and cannot actually "exit early" and skip the job. | |
# There are a lot of duplicate bug reports filed on this aspect of github actions, don't | |
# bother filing another. | |
- name: Probe Cache | |
id: cache | |
uses: actions/cache/[email protected] | |
with: | |
path: ${{ env.CACHED_PATHS }} | |
key: ${{ runner.os }}-${{ matrix.toolchain }}-${{ matrix.protocol }}-${{ github.sha }} | |
lookup-only: true | |
# When we have a cache miss on the exact commit SHA, we restore from the prefix without it. | |
# This will restore the most-recently-written cache (github does this date ordering itself). | |
- name: Restore Cache | |
if: steps.cache.outputs.cache-hit != 'true' | |
uses: actions/cache/[email protected] | |
with: | |
path: ${{ env.CACHED_PATHS }} | |
key: ${{ steps.cache.outputs.cache-primary-key }} | |
restore-keys: | | |
${{ runner.os }}-${{ matrix.toolchain }}-${{ matrix.protocol }} | |
- uses: actions/[email protected] | |
if: steps.cache.outputs.cache-hit != 'true' | |
with: | |
fetch-depth: 200 | |
submodules: true | |
- name: install core packages | |
if: steps.cache.outputs.cache-hit != 'true' | |
run: | | |
sudo apt-get update | |
sudo apt-get -y install --no-install-recommends apt-utils dialog git iproute2 procps lsb-release | |
- name: install tool chain | |
if: steps.cache.outputs.cache-hit != 'true' | |
run: | | |
sudo apt-get -y install libstdc++-10-dev clang-format-12 ccache lldb | |
if test "${{ matrix.toolchain }}" = "gcc" ; then | |
sudo apt-get -y install cpp-10 gcc-10 g++-10 | |
else | |
sudo apt-get -y install clang-12 llvm-12 | |
fi | |
- name: install rustup components | |
if: steps.cache.outputs.cache-hit != 'true' | |
run: rustup component add rustfmt | |
- name: install cargo-cache | |
if: steps.cache.outputs.cache-hit != 'true' | |
run: cargo install --locked cargo-cache --version 0.8.3 | |
- name: install cargo-sweep | |
if: steps.cache.outputs.cache-hit != 'true' | |
run: cargo install --locked cargo-sweep --version 0.7.0 | |
- name: install dependencies | |
if: steps.cache.outputs.cache-hit != 'true' | |
run: sudo apt-get -y install postgresql git build-essential pkg-config autoconf automake libtool bison flex libpq-dev parallel libunwind-dev sed perl | |
- name: Build | |
if: steps.cache.outputs.cache-hit != 'true' | |
run: | | |
if test "${{ matrix.toolchain }}" = "gcc" ; then | |
export CC='gcc' | |
export CXX='g++' | |
else | |
export CC='clang' | |
export CXX='clang++' | |
fi | |
echo Build with $CC and $CXX | |
./ci-build.sh --use-temp-db --protocol ${{ matrix.protocol }} ${{ matrix.scenario }} | |
# We only _save_ to the cache when we had a cache miss, are running on master, and are the non-txmeta scenario. | |
- uses: actions/cache/[email protected] | |
if: ${{ steps.cache.outputs.cache-hit != 'true' && github.ref_name == 'master' && matrix.scenario == ''}} | |
with: | |
path: ${{ env.CACHED_PATHS }} | |
key: ${{ steps.cache.outputs.cache-primary-key }} |