Skip to content

chore(deps): update ci dependencies #2010

chore(deps): update ci dependencies

chore(deps): update ci dependencies #2010

Workflow file for this run

name: CI
on:
push:
pull_request:
types:
- opened
- synchronize
release:
types:
- published
env:
DEBIAN_FRONTEND: noninteractive
CONST_RANDOM_SEED: ${{ secrets.CONST_RANDOM_SEED }}
jobs:
static-analysis:
name: Static analysis
runs-on: ubuntu-latest
timeout-minutes: 15
# Exclude in-repo PRs from running this job
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork
steps:
- name: 📥 Checkout source
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- name: 🧰 Install Rust toolchain
uses: dtolnay/rust-toolchain@1482605bfc5719782e1267fd0c0cc350fe7646b8 # v1
with:
toolchain: nightly
components: rustfmt, clippy
- name: 🔍 Clippy check
uses: giraffate/clippy-action@13b9d32482f25d29ead141b79e7e04e7900281e0 # v1
with:
clippy_flags: --all-targets -D warnings
reporter: github-check
fail_on_error: true
- name: 🔍 Cargo deny check
uses: EmbarkStudios/cargo-deny-action@1e59595bed8fc55c969333d08d7817b36888f0c5 # v1
- name: 🔍 Check Rust source code format
run: cargo fmt --all --check
build:
name: Build
strategy:
fail-fast: false
matrix:
target:
- x86_64-unknown-linux-gnu
- x86_64-unknown-linux-musl
- x86_64-pc-windows-gnu
- aarch64-unknown-linux-gnu
- aarch64-unknown-linux-musl
- x86_64-apple-darwin
- aarch64-apple-darwin
include:
- target: x86_64-unknown-linux-gnu
host-target: x86_64-unknown-linux-gnu
runner: ubuntu-latest
container: debian:bullseye-slim
apt-arch: amd64
- target: x86_64-unknown-linux-musl
host-target: x86_64-unknown-linux-gnu
runner: ubuntu-latest
container: debian:testing-slim
apt-arch: amd64
- target: aarch64-unknown-linux-gnu
host-target: x86_64-unknown-linux-gnu
runner: ubuntu-latest
container: debian:bullseye-slim
apt-arch: arm64
- target: aarch64-unknown-linux-musl
host-target: x86_64-unknown-linux-gnu
runner: ubuntu-latest
container: debian:testing-slim
apt-arch: arm64
- target: x86_64-pc-windows-gnu
host-target: x86_64-pc-windows-gnu
runner: windows-latest
- target: x86_64-apple-darwin
host-target: x86_64-apple-darwin
runner: macos-latest
- target: aarch64-apple-darwin
host-target: x86_64-apple-darwin
runner: macos-latest
runs-on: ${{ matrix.runner }}
timeout-minutes: 60
container: ${{ matrix.container }}
env:
CARGO_BUILD_TARGET: ${{ matrix.target }}
# nextext requires this on Windows to pick the intended GNU toolchain
RUSTUP_TOOLCHAIN: nightly-${{ matrix.host-target }}
# Rust stdlib default backtrace feature doesn't actually work because our
# release executables are stripped, so skipping it shaves off quite some KiB.
# References:
# https://doc.rust-lang.org/cargo/reference/unstable.html#build-std-features
# https://github.com/rust-lang/rust/blob/4c8bb79d9f565115637cc6da739f8389e79f3a29/library/std/Cargo.toml#L54-L79
OPTIMIZED_RELEASE_BUILD_FLAGS: -Z build-std -Z build-std-features=panic-unwind
outputs:
# Uglier than it needs to be because GitHub laid off the team whose
# responsibility was to deploy a better alternative. Talk about increased
# productivity... See:
# https://github.com/orgs/community/discussions/17245
# https://stackoverflow.com/questions/70287603/github-actions-dynamic-outputs-for-job-with-strategy-matrix
slsa-attestation-subject-hashes-x86_64-unknown-linux-gnu: ${{ steps.slsa-attestation-subjects.outputs.hashes-x86_64-unknown-linux-gnu }}
slsa-attestation-subject-hashes-x86_64-unknown-linux-musl: ${{ steps.slsa-attestation-subjects.outputs.hashes-x86_64-unknown-linux-musl }}
slsa-attestation-subject-hashes-aarch64-unknown-linux-gnu: ${{ steps.slsa-attestation-subjects.outputs.hashes-aarch64-unknown-linux-gnu }}
slsa-attestation-subject-hashes-aarch64-unknown-linux-musl: ${{ steps.slsa-attestation-subjects.outputs.hashes-aarch64-unknown-linux-musl }}
slsa-attestation-subject-hashes-x86_64-pc-windows-gnu: ${{ steps.slsa-attestation-subjects.outputs.hashes-x86_64-pc-windows-gnu }}
slsa-attestation-subject-hashes-x86_64-apple-darwin: ${{ steps.slsa-attestation-subjects.outputs.hashes-x86_64-apple-darwin }}
slsa-attestation-subject-hashes-aarch64-apple-darwin: ${{ steps.slsa-attestation-subjects.outputs.hashes-aarch64-apple-darwin }}
slsa-attestation-subject-hashes-universal-apple-darwin: ${{ steps.slsa-attestation-subjects.outputs.hashes-universal-apple-darwin }}
# Exclude in-repo PRs from running this job
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork
steps:
- name: 🧰 Install Linux toolchain packages
if: contains(matrix.target, '-linux-')
run: |
if [ "$(dpkg --print-architecture)" != '${{ matrix.apt-arch }}' ]; then
dpkg --add-architecture '${{ matrix.apt-arch }}'
fi
apt-get update
# curl is required by rustup.
# musl-tools is required to build musl binaries for the host architecture,
# and the arch-specific musl-dev package is required to build binaries for
# a target architecture when cross-compiling
# markdown and html2text are required to generate the Debian package only
apt-get install -yq build-essential git curl \
musl-tools musl-dev:${{ matrix.apt-arch }} \
markdown html2text
- name: 🧰 Install Linux ARM64 cross-compilation toolchain
if: startsWith(matrix.target, 'aarch64-unknown-linux')
run: apt-get install -yq gcc-aarch64-linux-gnu qemu-user libc6:arm64
- name: 🧰 Install Rust toolchain
uses: dtolnay/rust-toolchain@1482605bfc5719782e1267fd0c0cc350fe7646b8 # v1
with:
toolchain: nightly-${{ matrix.host-target }}
targets: ${{ env.CARGO_BUILD_TARGET }}
components: rust-src
- name: 💨 Cache Rust artifacts
uses: Swatinem/rust-cache@a95ba195448af2da9b00fb742d14ffaaf3c21f43 # v2
- name: 🧰 Install nextest
if: startsWith(matrix.target, 'x86_64-') || contains(matrix.target, '-linux-')
uses: taiki-e/install-action@05ff4d48eb41d03d3dd88c735b6ad20c1a69b580 # v2
with:
tool: nextest
- name: 🧰 Install cargo-deb
if: endsWith(matrix.target, '-linux-gnu')
uses: taiki-e/install-action@05ff4d48eb41d03d3dd88c735b6ad20c1a69b580 # v2
with:
tool: cargo-deb
- name: 📥 Checkout source
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
with:
fetch-depth: 0 # Keep the commit history for proper version information
# Our build container is minimal, and it doesn't contain any systemd package.
# systemd is responsible for setting up the machine ID files we use for
# testing the system ID retrieval code, so copy a dummy one
- name: 📏 Set up a dummy D-Bus machine ID for tests
if: startsWith(matrix.runner, 'ubuntu')
run: cat /proc/sys/kernel/random/uuid | tr -d '-' > /run/machine-id
- name: 📅 Gather build date and version metadata
shell: bash
run: |
git config --global --add safe.directory "$PWD"
echo "PACKSQUASH_BUILD_VERSION=$(git describe --tags --dirty=-custom --always)" >> "$GITHUB_ENV"
echo "PACKSQUASH_BUILD_DATE=$(date -u +%Y-%m-%d)" >> "$GITHUB_ENV"
- name: ✔️ Run tests
if: startsWith(matrix.target, 'x86_64-') || contains(matrix.target, '-linux-')
run: |
cargo nextest run --release --workspace --status-level all
cargo test --doc --release --workspace
- name: 🔨 Build with optimized standard library
run: cargo build --target ${{ env.CARGO_BUILD_TARGET }} --release ${{ env.OPTIMIZED_RELEASE_BUILD_FLAGS }}
- name: 🔨 Generate CLI Debian package
if: endsWith(matrix.target, '-linux-gnu')
run: scripts/build_deb.sh --target ${{ env.CARGO_BUILD_TARGET }} -p packsquash_cli -- ${{ env.OPTIMIZED_RELEASE_BUILD_FLAGS }}
- name: 📤 Upload CLI binary
if: ${{ !contains(matrix.target, '-linux-') || endsWith(matrix.target, '-linux-musl') }}
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3
with:
name: PackSquash CLI executable (${{ matrix.target }})
path: |
target/${{ env.CARGO_BUILD_TARGET }}/release/packsquash*
!target/${{ env.CARGO_BUILD_TARGET }}/release/packsquash.d
- name: 📤 Upload CLI Debian package
if: endsWith(matrix.target, '-linux-gnu')
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3
with:
name: PackSquash CLI Debian package (${{ matrix.apt-arch }})
path: target/${{ env.CARGO_BUILD_TARGET }}/debian/packsquash_*.deb
- name: ✒️ Generate SLSA attestation subject data for binaries
id: slsa-attestation-subjects
shell: bash
run: echo "hashes-${{ matrix.target }}=$(shasum -b -a 256 target/${{ env.CARGO_BUILD_TARGET }}/{release,debian}/packsquash{,.exe,_*.deb} | sed -E 's/ \*(.*)$/ \1/' | tr '\n' '|')" >> "$GITHUB_OUTPUT"
build-universal-macos-binaries:
name: Build universal macOS binaries
runs-on: macos-latest
needs: build
outputs:
slsa-attestation-subjects-hashes: ${{ steps.slsa-attestation-subjects.outputs.hashes }}
steps:
- name: 📥 Download PackSquash CLI x64 macOS executable
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3
with:
name: PackSquash CLI executable (x86_64-apple-darwin)
path: packsquash-x64
- name: 📥 Download PackSquash CLI ARM64 macOS executable
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3
with:
name: PackSquash CLI executable (aarch64-apple-darwin)
path: packsquash-aarch64
- name: 🔨 Generate universal CLI binary
run: lipo -create -output packsquash packsquash-x64/packsquash packsquash-aarch64/packsquash
- name: 📤 Upload universal CLI binary
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3
with:
name: PackSquash CLI executable (universal-apple-darwin)
path: packsquash
- name: ✒️ Generate SLSA attestation subject data for binary
id: slsa-attestation-subjects
shell: bash
run: echo "hashes-universal-apple-darwin=$(shasum -b -a 256 packsquash | sed -E 's/ \*(.*)$/ \1/' | tr '\n' '|')" >> "$GITHUB_OUTPUT"
build-docker-images:
name: Build Docker images
runs-on: ubuntu-latest
env:
# Defaults to docker.io (Docker Hub)
REGISTRY: ghcr.io
# github.repository as <account>/<repo>
IMAGE_NAME: ${{ github.repository }}
needs: build
steps:
- name: 📥 Checkout source
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- name: 🧰 Set up Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3
- name: ⚙️ Generate Docker image metadata
id: meta
uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
# Tag the image as "edge" for every commit on master.
# Tag the image by its ref for every commit on non-master branches.
# Maintain the "latest", full and major and minor semver tags for each semver tag push
tags: |
type=edge,branch=master
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=ref,event=branch
labels: |
org.opencontainers.image.description=Docker image for PackSquash, the Minecraft resource and data pack optimizer.
- name: 📥 Download PackSquash CLI x64 musl executable
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3
with:
name: PackSquash CLI executable (x86_64-unknown-linux-musl)
- name: 📁 Rename PackSquash CLI x64 musl executable
run: mv packsquash packsquash-amd64
- name: 📥 Download PackSquash CLI ARM64 musl executable
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3
with:
name: PackSquash CLI executable (aarch64-unknown-linux-musl)
- name: 📁 Rename PackSquash CLI ARM64 musl executable
run: mv packsquash packsquash-arm64
- name: 🔍 Check workflow package write permission
id: check_write_permission
uses: assaferan/action-has-permission@3d96069159254de543039461dc5a9c20fadbd6e6
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# The GitHub token needs the package:write permission for the push to work.
# This permission is not given to PRs from forked repositories.
# See: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
- name: ⚙️ Login to ${{ env.REGISTRY }}
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3
if: steps.check_write_permission.outputs.has-permission
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: 🔨 Build and push Docker image
uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5
with:
context: .
platforms: linux/amd64,linux/arm64
push: ${{ steps.check_write_permission.outputs.has-permission == '1' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
benchmark:
runs-on: ubuntu-latest
container: debian:bullseye-slim@sha256:9bec46ecd98ce4bf8305840b021dda9b3e1f8494a0768c407e2b233180fa1466
# Benchmark failure is not critical enough to fail the whole workflow.
# We will keep an eye on them anyway, though
continue-on-error: true
# Make sure that benchmarks stay quick, and handle them being stuck promptly
timeout-minutes: 30
# Only benchmark code that passes all the checks
needs:
- static-analysis
- build
# Ignore runs that don't have the secret needed to decrypt packs (this happens for PRs outside
# the repository). First-time would-be contributors need to have their workflows approved
# anyway, but at best it might be confusing to see commits of PRs mixed with the mainline.
# Workflows triggered by PRs don't have access to secrets either. We also ignore temporary
# Renovate branches to reduce noise
if: success() && github.event_name != 'pull_request' && !startsWith(github.ref_name, 'renovate/')
steps:
- name: 🧰 Install development packages and benchmark script packages
run: |
apt-get update
# curl is required by rustup
apt-get install -yq build-essential git curl \
python3-venv gpg
- name: 📥 Checkout source
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
# Necessary for steps that invoke Git commands to work properly on workflows run on containers.
# See: https://github.com/actions/checkout/issues/766
- name: 📥 Set source ownership to current user
run: chown -R "$(id -u):$(id -g)" "$GITHUB_WORKSPACE"
- name: 🧰 Install Rust toolchain
uses: dtolnay/rust-toolchain@1482605bfc5719782e1267fd0c0cc350fe7646b8 # v1
with:
toolchain: nightly
- name: 💨 Cache Rust artifacts
uses: Swatinem/rust-cache@a95ba195448af2da9b00fb742d14ffaaf3c21f43 # v2
- name: 📥 Download test packs dataset
run: scripts/test-packs/download.sh
- name: 🔑 Decrypt private test packs in dataset
env:
PRIVATE_TEST_PACKS_PASSWORD: ${{ secrets.PRIVATE_TEST_PACKS_PASSWORD }}
run: scripts/test-packs/decrypt.sh
# GitHub-hosted runners restrict access to the perf_event_open syscall for some event types we
# are interested in, so we can't run benchmarks that measure the troublesome performance counters.
# See: https://github.com/actions/virtual-environments/issues/4974
- name: 🔍 Run quick benchmarks
run: cargo bench -- --output-format=bencher 'wall_time' | tee /run/bench_results.txt
- name: 📤 Publish quick benchmarks results
uses: benchmark-action/github-action-benchmark@v1
with:
name: 'PackSquash library quick benchmarks'
tool: cargo
output-file-path: /run/bench_results.txt
benchmark-data-dir-path: dev/benches
github-token: ${{ secrets.GITHUB_TOKEN }}
auto-push: true
comment-on-alert: true
alert-threshold: 150%
fail-on-alert: false
max-items-in-chart: 50
merge-slsa-attestation-subjects-data:
name: Merge SLSA attestation subjects data
runs-on: ubuntu-latest
needs:
- build
- build-universal-macos-binaries
timeout-minutes: 5
continue-on-error: true
outputs:
subject-hashes: ${{ steps.merge-subjects.outputs.merged-subjects }}
steps:
- name: 🔗 Merge and encode attestation subject data
id: merge-subjects
shell: bash
run: |
ATTESTATION_SUBJECTS=$(cat <<'ATTESTATION_SUBJECTS' | tr -d '\n' | tr '|' '\n' | base64 -w0
${{ needs.build.outputs.slsa-attestation-subject-hashes-x86_64-unknown-linux-gnu }}
${{ needs.build.outputs.slsa-attestation-subject-hashes-x86_64-unknown-linux-musl }}
${{ needs.build.outputs.slsa-attestation-subject-hashes-aarch64-unknown-linux-gnu }}
${{ needs.build.outputs.slsa-attestation-subject-hashes-aarch64-unknown-linux-musl }}
${{ needs.build.outputs.slsa-attestation-subject-hashes-x86_64-pc-windows-gnu }}
${{ needs.build.outputs.slsa-attestation-subject-hashes-x86_64-apple-darwin }}
${{ needs.build.outputs.slsa-attestation-subject-hashes-aarch64-apple-darwin }}
${{ needs.build.outputs.slsa-attestation-subject-hashes-universal-apple-darwin }}
ATTESTATION_SUBJECTS
)
echo "$ATTESTATION_SUBJECTS"
echo "merged-subjects=$ATTESTATION_SUBJECTS" >> "$GITHUB_OUTPUT"
build-slsa-provenance:
name: Generate SLSA v1.0 build L3 provenance data
needs: merge-slsa-attestation-subjects-data
permissions:
contents: write
actions: read
id-token: write
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
base64-subjects: ${{ needs.merge-slsa-attestation-subjects-data.outputs.subject-hashes }}
provenance-name: binary_provenance.intoto.jsonl