chore: CI improvements #1174
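name: Hipcheck

# Run on both PRs and pushes to the main branch.
#
# It may seem redundant to run tests on main, since we disallow pushing directly
# to main and all PRs get tested before merging. But due to how GitHub Actions
# isolates caches, we need to run the tests on main so that caches are available
# to new PRs. The caches created when testing PR code cannot be re-used outside
# of testing that PR.
#
# See the GitHub Actions documentation here:
# https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows#restrictions-for-accessing-a-cache
on:
  push:
    branches: [main]
    paths:
      - "config/**"
      - "hipcheck/**"
      - "plugins/**"
      - "xtask/**"
      - "sdk/rust/**"
      - "hipcheck-common/**"
      - "hipcheck-macros/**"
      - "hipcheck-sdk-macros/**"
  pull_request:
    branches: [main]
    paths:
      - "config/**"
      - "hipcheck/**"
      - "plugins/**"
      - "xtask/**"
      - "sdk/rust/**"
      - "hipcheck-common/**"
      - "hipcheck-macros/**"
      - "hipcheck-sdk-macros/**"

# Least privilege for the default GITHUB_TOKEN: nothing in this workflow pushes,
# comments, or publishes, so read-only access to repository contents is enough.
# Keep this at the workflow level so every job inherits it.
permissions:
  contents: read

env:
  # Deny all rustc warnings so CI fails on anything a local build would only warn about.
  RUSTFLAGS: "-Dwarnings"
  CARGO_TERM_COLOR: always

jobs:
  # Ask cargo-dist for the build/test matrix and publish it as a job output
  # that the `test` job turns into its strategy matrix.
  plan:
    # NOTE(review): the `ubuntu-20.04` hosted image has been retired per GitHub's
    # runner-images deprecation notices; if this job starts failing to schedule,
    # move to `ubuntu-latest` (or a pinned supported image) — confirm.
    runs-on: "ubuntu-20.04"
    # Bound a hung installer/network fetch; the `test` job already has a limit.
    timeout-minutes: 15
    outputs:
      val: ${{ steps.plan.outputs.manifest }}
    env:
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive
          # `dist` authenticates through GH_TOKEN above; don't leave the token
          # behind in .git/config where every later step in the job can read it.
          persist-credentials: false
      - name: Install dist
        # We specify bash to get pipefail; it guards against the `curl` command
        # failing. Otherwise `sh` won't catch that `curl` returned non-0.
        #
        # NOTE(review): the installer is pinned to a release tag but its content
        # is not checksum-verified before being piped into `sh`. If cargo-dist
        # publishes a checksum alongside the release, download to a file, verify
        # it, and only then execute.
        shell: bash
        run: "curl --proto '=https' --tlsv1.2 -LsSf https://github.com/axodotdev/cargo-dist/releases/download/v0.28.0/cargo-dist-installer.sh | sh"
      - name: Cache dist
        uses: actions/upload-artifact@v4
        with:
          name: cargo-dist-cache
          path: ~/.cargo/bin/dist
      # GitHub has no proper conditionals in expressions, so this is a
      # ternary-via-truthiness: on a push (no pull_request payload) run
      # `host --steps=create --tag=<ref>`, otherwise just `plan`.
      # (PRs run on the *source* but secrets are usually on the *target* --
      # that's *good* but also annoying to build CI around when it needs secrets
      # to work right.)
      - id: plan
        # The expression goes through the environment rather than being spliced
        # into the script text: `${{ }}` inside `run:` is expanded before the
        # shell ever sees it, which is the classic script-injection shape. The
        # only context-derived value here is github.ref_name and the push trigger
        # is limited to `main`, but the env form costs nothing and stays safe if
        # the triggers are ever widened.
        env:
          DIST_COMMAND: ${{ (!github.event.pull_request && format('host --steps=create --tag={0}', github.ref_name)) || 'plan' }}
        run: |
          # Word-splitting of $DIST_COMMAND is intentional: it carries either
          # `plan` or `host --steps=create --tag=<ref>` as separate arguments.
          dist $DIST_COMMAND --output-format=json > plan-dist-manifest.json
          echo "dist ran successfully"
          cat plan-dist-manifest.json
          echo "manifest=$(jq -c "." plan-dist-manifest.json)" >> "$GITHUB_OUTPUT"
      - name: "Upload dist-manifest.json"
        uses: actions/upload-artifact@v4
        with:
          name: artifacts-plan-dist-manifest
          path: plan-dist-manifest.json

  # Build, test and lint on every target cargo-dist planned, then run Hipcheck
  # itself against this repository as an end-to-end smoke test.
  test:
    needs:
      - plan
    strategy:
      matrix: ${{ fromJson(needs.plan.outputs.val).ci.github.artifacts_matrix }}
    name: "Test (${{ join(matrix.targets, ', ') }})"
    runs-on: ${{ matrix.runner }}
    container: ${{ matrix.container && matrix.container.image || null }}
    timeout-minutes: 15
    steps:
      # Get the repo, get Rust, get `cargo-nextest`, set up caching.
      #
      # NOTE(review): the third-party actions below are pinned to mutable tags
      # (`@stable`, `@nextest`, `@v2`). Pinning to full commit SHAs (with the tag
      # in a trailing comment) protects against a rewritten tag in the action's
      # repository; `@stable` for the toolchain is intentionally floating.
      - uses: actions/checkout@v4
        with:
          # This job builds and runs PR-supplied code (build scripts, proc
          # macros, tests, the `hc` binary); don't leave GITHUB_TOKEN in
          # .git/config for it to read. Nothing here pushes.
          persist-credentials: false
          # NOTE(review): the `plan` job checks out submodules recursively and
          # this one does not — confirm the build and tests don't need them.
      - uses: dtolnay/rust-toolchain@stable
      - uses: taiki-e/install-action@nextest
      - uses: swatinem/rust-cache@v2
        with:
          key: ${{ matrix.runner }}
      # Install the protobuf compiler.
      - if: runner.os == 'Linux'
        run: sudo apt-get install -y protobuf-compiler
      - if: runner.os == 'macOS'
        run: brew install protobuf
      - if: runner.os == 'Windows'
        run: choco install protoc
      # Print dependency info (useful for debugging).
      - name: Dependency Tree
        run: cargo tree
      # Build every crate in the workspace. This is a real `cargo build`, not
      # `cargo check`: the linked `./target/debug/hc` binary is what the
      # Hipcheck steps at the end of this job execute, so linking is required.
      - name: Build
        run: cargo build --verbose --workspace
      # Test the code.
      - name: Test
        run: cargo nextest r --verbose --workspace
      # Run the linter (RUSTFLAGS=-Dwarnings makes clippy warnings fatal too).
      - name: Lint
        run: cargo clippy --verbose --workspace
      # Run our own checks for licensing and other info.
      - name: Check
        run: cargo xtask check
      # Generate a GitHub API token for the Hipcheck runs below.
      #
      # Ordering matters: the token is minted only after the build, test and
      # lint steps, and is exposed solely to the `hc` binary via
      # HC_GITHUB_TOKEN. It still reaches a binary built from the PR's own
      # source, so this does not defend against a malicious same-repo PR — keep
      # the app's installation permissions at the minimum `hc check` needs
      # (it only reads a public repository here).
      #
      # NOTE(review): secrets are not provided to `pull_request` runs from
      # forks, so HIPCHECK_CI_APP_PRIV_KEY is empty there and this step fails
      # after build/test/lint have already passed. If fork PRs are expected,
      # gate this step and the three `hc` steps on
      # `github.event.pull_request.head.repo.fork != true`, or accept the
      # failure deliberately.
      - name: Generate a token
        id: generate-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ vars.HIPCHECK_CI_APP_ID }}
          private-key: ${{ secrets.HIPCHECK_CI_APP_PRIV_KEY }}
      # Run a few variants of Hipcheck against this repository.
      - name: Run with Policy
        env:
          HC_GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
        run: ./target/debug/hc --policy ./config/Hipcheck.kdl check https://github.com/mitre/hipcheck
      - name: Run with Local Policy
        env:
          HC_GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
        run: ./target/debug/hc --policy ./config/local-Hipcheck.kdl check https://github.com/mitre/hipcheck
      - name: Run with Config
        env:
          HC_GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
        run: ./target/debug/hc --config ./config check https://github.com/mitre/hipcheck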