clean(docs): Clarify supported MAC Hash Functions for Resource Integrity #3130
# SPDX-License-Identifier: Apache-2.0 | |
# | |
# Copyright 2023-2025 The Enola <https://enola.dev> Authors | |
# | |
# Licensed under the Apache License, Version 2.0 (the "License"); | |
# you may not use this file except in compliance with the License. | |
# You may obtain a copy of the License at | |
# | |
# https://www.apache.org/licenses/LICENSE-2.0 | |
# | |
# Unless required by applicable law or agreed to in writing, software | |
# distributed under the License is distributed on an "AS IS" BASIS, | |
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
# See the License for the specific language governing permissions and | |
# limitations under the License. | |
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions | |
name: CI | |
on: | |
push: | |
branches: [main] | |
pull_request: | |
# The branches below must be a subset of the branches above | |
branches: [main] | |
# https://github.com/orgs/community/discussions/25722 | |
types: [opened, synchronize, reopened, ready_for_review] | |
# Cancel any in-progress job or run if there is a newer commit | |
concurrency: | |
group: ${{ github.ref }} | |
cancel-in-progress: true | |
jobs: | |
build: | |
# https://github.com/orgs/community/discussions/25722 | |
if: | |
(github.repository == 'enola-dev/enola') && | |
(github.event.pull_request.draft == false) | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-java@v4 | |
with: | |
distribution: "temurin" | |
# NB: Repeated below in push-container-image: job; must keep in sync! | |
java-version: "21" | |
- name: Install graphviz | |
# NB: We unfortunately cannot cache this, see https://github.com/enola-dev/enola/issues/823 | |
run: sudo apt-get install -y graphviz && dot -V | |
shell: bash | |
- name: Cache Bazel | |
uses: bazel-contrib/[email protected] | |
with: | |
# KEEP IN SYNC WITH BELOW! | |
bazelisk-cache: true | |
bazelisk-version: 1.25.0 | |
disk-cache: ${{ github.workflow }} | |
# TODO manifest: npm: package-lock.json ?? | |
external-cache: true | |
repository-cache: true | |
- name: Cache Python | |
uses: actions/cache@v4 | |
with: | |
path: .venv/ | |
key: ${{ runner.os }}-venv-${{ hashFiles('requirements.txt') }} | |
restore-keys: ${{ runner.os }}-venv- | |
- name: Cache Node.js | |
uses: actions/cache@v4 | |
with: | |
path: ~/.npm | |
# -${{ hashFiles('**/package-lock.json') }} | |
key: ${{ runner.os }}-npm | |
restore-keys: ${{ runner.os }}-npm | |
- name: Cache Go | |
uses: actions/cache@v4 | |
with: | |
path: | | |
~/.cache/go-build | |
~/go | |
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
restore-keys: | | |
${{ runner.os }}-go- | |
- name: Cache Pre-Commit | |
uses: actions/cache@v4 | |
with: | |
path: ~/.cache/pre-commit/ | |
key: | |
${{ runner.os }}-cache-${{ hashFiles('.pre-commit-config.yaml') }} | |
restore-keys: ${{ runner.os }}-cache- | |
- name: Cache Demo | |
uses: actions/cache@v4 | |
with: | |
path: .cache/demo/ | |
key: ${{ runner.os }}-demo-${{ hashFiles('tools/demo/*.bash') }} | |
restore-keys: ${{ runner.os }}-demo- | |
# https://asdf-vm.com | |
- name: Setup ASDF itself | |
uses: asdf-vm/actions/setup@v3 | |
- name: Cache ASDF | |
uses: actions/cache@v4 | |
id: asdf-cache | |
with: | |
# https://github.com/asdf-vm/asdf/blob/master/.gitignore | |
path: | | |
~/.asdf/installs | |
~/.asdf/plugins | |
~/.asdf/shims | |
key: ${{ runner.os }}-asdf-tools-${{ hashFiles('.tool-versions') }} | |
restore-keys: ${{ runner.os }}-asdf-tools- | |
- name: Install ASDF plugins | |
uses: asdf-vm/actions/install@v3 | |
# See https://github.com/asdf-vm/actions/issues/445 | |
if: ${{ steps.asdf-cache.outputs.cache-hit != 'true' }} | |
with: | |
# Keep this asdf_branch version in sync with //tools/asdf/install.bash | |
asdf_branch: v0.14.0 | |
- name: Reshim installed ASDF tools | |
run: asdf reshim | |
shell: bash | |
- run: ./tools/test-ci/test.bash | |
# Build docs/ into site/ (not just on main branch but also for pull requests, as test) | |
- name: | |
Build Docs Site (but skip [slow] screencast recording, because on PR) | |
if: ${{ github.event_name == 'pull_request' }} | |
run: ./tools/docs/build.bash --without-demo-screencasts | |
- name: Build Docs Site, now with Screencasts (because on branch) | |
if: ${{ github.event_name == 'push' }} | |
run: ./tools/docs/build.bash | |
- name: pre-commit run --all-files | |
run: .venv/bin/pre-commit run --all-files | |
# The following steps deploy site/ (using GitHub Pages) | |
# to https://enola-dev.github.io = https://docs.enola.dev | |
- name: Setup Pages | |
if: ${{ github.event_name == 'push' }} | |
uses: actions/configure-pages@v5 | |
- name: Upload site/ directory as GitHub Pages artifact | |
if: ${{ github.event_name == 'push' }} | |
uses: actions/upload-pages-artifact@v3 | |
with: | |
path: "site/" | |
deploy-website: | |
needs: build | |
if: ${{ github.event_name == 'push' }} | |
runs-on: ubuntu-latest | |
# https://docs.github.com/en/actions/security-guides/automatic-token-authentication | |
# Sets required permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages | |
permissions: | |
pages: write | |
id-token: write | |
environment: | |
name: github-pages | |
url: ${{ steps.deployment.outputs.page_url }} | |
steps: | |
# https://github.com/actions/deploy-pages | |
- name: Deploy to GitHub Pages | |
id: deployment | |
uses: actions/deploy-pages@v4 | |
# https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#publishing-a-package-using-an-action | |
push-container-image: | |
needs: build | |
if: ${{ github.event_name == 'push' }} | |
runs-on: ubuntu-latest | |
# This is a separate job from 'build' only because it needs additional permissions which we don't want 'build' to have: | |
permissions: | |
contents: read | |
packages: write | |
env: | |
REGISTRY: ghcr.io | |
IMAGE_NAME: ${{ github.repository }} | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-java@v4 | |
with: | |
distribution: "temurin" | |
# NB: Repeated above in build: job; must keep in sync! | |
java-version: "21" | |
- name: Cache Bazel | |
uses: bazel-contrib/[email protected] | |
with: | |
# KEEP IN SYNC WITH ABOVE! | |
bazelisk-cache: true | |
bazelisk-version: 1.25.0 | |
disk-cache: ${{ github.workflow }} | |
# TODO manifest: npm: package-lock.json ?? | |
external-cache: true | |
repository-cache: true | |
- name: Build Container Image # again, because technically it was already built in the 'build' job, but oh well! | |
run: ./tools/distro/build.bash | |
# Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here. | |
- name: Log in to the Container registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ${{ env.REGISTRY }} | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
# This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to extract tags and labels that will be applied to the specified image. The `id` "meta" allows the output of this step to be referenced in a subsequent step. The `images` value provides the base name for the tags and labels. | |
- name: Extract metadata (tags, labels) for Docker | |
id: meta | |
uses: docker/metadata-action@v5 | |
with: | |
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
# This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages. | |
# It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the `docker/build-push-action` repository. | |
# It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step. | |
- name: Build and push Docker image | |
uses: docker/build-push-action@v6 | |
with: | |
context: . | |
push: true | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} |
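Review bot: The `build` job declares no `permissions:` block, so its GITHUB_TOKEN gets whatever the repository default is, even though the comment on `push-container-image` says that job was split out precisely so that `build` would not hold extra permissions — that intent only holds if the repository default happens to be read-only. As far as this file shows, `build` only checks out, builds, runs tests/pre-commit and uploads a Pages artifact, so it can be locked down explicitly with `permissions:` followed by `contents: read` directly under `build:` (or the same two lines at workflow top level, so every job starts read-only and `deploy-website` and `push-container-image` widen as they already do). Separately, every third-party action here is referenced by a mutable tag (`actions/checkout@v4`, `docker/login-action@v3`, `asdf-vm/actions/install@v3`, `docker/build-push-action@v6`, ...); pinning each `uses:` to the action's full commit SHA with the version kept in a trailing `# vN` comment removes the tag-retargeting supply-chain risk, and Dependabot can keep the SHAs current.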