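name: Veracruz-CI

# Controls when the workflow will run
on:
  # Triggers the workflow on push or pull request events but only for the main branch
  push:
    branches: [main]
  pull_request:
    branches: [main]
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

# Least privilege for the default GITHUB_TOKEN: no job below pushes, comments
# or publishes anything, so read access to the repository contents is all the
# checkouts need.
# NOTE(review): the ghcr.io CI image is pulled without credentials; if it ever
# becomes private, give the container explicit credentials rather than a wider
# token scope.
permissions:
  contents: read

env:
  WASMTIME_VERSION: v9.0.4

jobs:
  # Verifies the signature of the pinned CI container image before any of the
  # jobs that run inside it (they all `needs: [check]`, directly or transitively).
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Install cosign
        # https://github.com/sigstore/cosign-installer
        uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
        with:
          cosign-release: "v2.2.1"
      - name: Check image signature
        id: cosign-verify
        # Keyless verification of the exact digest used by the `container.image`
        # lines below. --certificate-identity requires the signing workflow
        # identity to match exactly; a --certificate-identity-regexp without
        # ^/$ anchors would also accept any identity that merely contains this
        # string.
        # NOTE(review): the identity is pinned to the branch dreemkiller_amd_sev,
        # not main — confirm this is the branch that signed the pinned digest.
        run: |
          COSIGN_EXPERIMENTAL=true cosign verify \
            --certificate-identity 'https://github.com/veracruz-project/veracruz/.github/workflows/docker.yml@refs/heads/dreemkiller_amd_sev' \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            ghcr.io/veracruz-project/veracruz/ci@sha256:681ceebcae7f23fb60bb6c5b903600e134fd4852f0187539d995ced444f382d6

  # Builds and tests the Linux target, then reports whether the build touched
  # any Cargo.lock (consumed by cargo-lock-check) and publishes the binaries
  # that vod-full-deployment runs.
  linux:
    runs-on: ubuntu-latest
    needs: [check]
    outputs:
      output: ${{ steps.check-diff.outputs.cargo-lock }}
    container:
      # Pinned by digest; must stay identical to the digest verified in `check`.
      image: ghcr.io/veracruz-project/veracruz/ci@sha256:681ceebcae7f23fb60bb6c5b903600e134fd4852f0187539d995ced444f382d6
      volumes:
        - ${{ github.workspace }}:/work/veracruz
    steps:
      - name: Check out the Veracruz repository
        # NOTE(review): checkout/upload-artifact are referenced by a mutable
        # tag while cosign-installer above is pinned to a commit SHA; consider
        # pinning these to a SHA as well.
        uses: actions/checkout@v3
        with:
          submodules: recursive
      - name: Build Veracruz-Linux
        id: linux-build
        run: |
          make -C /work/veracruz/workspaces linux
      - name: Running linux test script
        id: linux-build-and-test
        run: |
          make -C /work/veracruz/workspaces linux-tests
      - name: Move back to veracruz root
        # The cd does not outlive this step; what matters is the global
        # safe.directory entry, which lets the `git diff` below operate on the
        # mounted checkout.
        run: |
          cd /work/veracruz
          git config --global --add safe.directory "$GITHUB_WORKSPACE"
      - name: Check modification to Cargo.lock
        id: check-diff
        run: |
          # Find if any Cargo.lock changed, pad them into a line and trim leading and trailing whitespace.
          file_changed=$(git diff --diff-filter=ACMUXTRD --name-only -- '**Cargo.lock' | tr '\n' ' ' | xargs)
          echo "cargo-lock=$file_changed" >> "$GITHUB_OUTPUT"
          if [ -n "$file_changed" ] ; then
            echo "::warning::Cargo.lock files modified";
            # Use the shell variable: ${{ steps.check-diff.outputs.* }} is
            # expanded before this step runs, so it is always empty here.
            echo "::warning::Cargo.lock change list: $file_changed";
          fi
      - name: Upload Cargo.lock files
        id: upload-changed-cargo-lock
        if: steps.check-diff.outputs.cargo-lock != ''
        uses: actions/upload-artifact@v3
        with:
          name: linux
          path: workspaces/**/Cargo.lock
      - name: Prepare deployment artifacts
        run: |
          # Strip binaries
          strip \
            workspaces/host/target/debug/freestanding-execution-engine \
            workspaces/host/target/debug/generate-policy \
            workspaces/linux-host/target/debug/veracruz-client \
            workspaces/linux-host/target/debug/linux-veracruz-server \
            workspaces/linux-runtime/target/debug/linux-runtime-manager
          # Copy artifacts to new directory
          mkdir -p artifacts
          cp -a \
            sdk/proxy_cleanup.sh \
            workspaces/ca-cert.conf \
            workspaces/cert.conf \
            workspaces/host/target/debug/freestanding-execution-engine \
            workspaces/host/target/debug/generate-policy \
            workspaces/linux-host/target/debug/veracruz-client \
            workspaces/linux-host/target/debug/linux-veracruz-server \
            workspaces/linux-runtime/target/debug/linux-runtime-manager \
            artifacts/
      - name: Upload deployment artifacts
        id: upload-deployment-artifacts
        uses: actions/upload-artifact@v3
        with:
          name: linux_deployment_artifacts
          path: |
            artifacts/*

  # End-to-end run of the video-object-detection example against the Linux
  # artifacts produced above. Each "Run VOD ..." step executes the shell
  # commands embedded in the example's README so the docs stay runnable.
  vod-full-deployment:
    runs-on: ubuntu-latest
    needs: [linux]
    container:
      # Pinned by digest; must stay identical to the digest verified in `check`.
      image: ghcr.io/veracruz-project/veracruz/ci@sha256:681ceebcae7f23fb60bb6c5b903600e134fd4852f0187539d995ced444f382d6
      volumes:
        - ${{ github.workspace }}:/work/video-object-detection
    steps:
      - name: Check out the VOD repository
        uses: actions/checkout@v3
        with:
          repository: 'veracruz-project/video-object-detection'
          # Quoted so YAML keeps the ref as a string rather than an integer.
          ref: '20230704'
          submodules: recursive
          set-safe-directory: true
      - name: Build
        run: |
          # grab every bash code block for this step, remove line continuation,
          # and only keep lines that start with '$' (of course removing that '$'
          # in the process)
          sed -n '/```.*veracruz-ci-build/,/```/{/```/d; p}' README.md \
            | sed ':a; /\\$/{N; s/\\\n//; ta}' \
            | sed -n '/^ *\$/{s/^ *\$ \?//; p}' \
            > README.md.veracruz-ci-build.sh
          # run the script
          bash -euxo pipefail README.md.veracruz-ci-build.sh
          # Add current directory to $GITHUB_PATH
          echo "$GITHUB_WORKSPACE" >> "$GITHUB_PATH"
      - name: Download artifacts
        uses: actions/download-artifact@v3
        with:
          name: linux_deployment_artifacts
          path: artifacts
      - name: Post-process artifacts
        run: |
          chmod -R 755 artifacts
          # Add artifacts to $GITHUB_PATH
          echo "artifacts" >> "$GITHUB_PATH"
      - name: Download example video
        run: |
          # grab every bash code block for this step, remove line continuation,
          # and only keep lines that start with '$' (of course removing that '$'
          # in the process)
          sed -n '/```.*veracruz-ci-video/,/```/{/```/d; p}' README.md \
            | sed ':a; /\\$/{N; s/\\\n//; ta}' \
            | sed -n '/^ *\$/{s/^ *\$ \?//; p}' \
            > README.md.veracruz-ci-video.sh
          # run the script
          bash -euxo pipefail README.md.veracruz-ci-video.sh
      - name: Replace big YOLO model with small one
        run: |
          cd program_data
          ln -sf yolov3-tiny.cfg yolov3.cfg
          ln -sf yolov3-tiny.weights yolov3.weights
      - name: Run VOD as standalone native binary
        run: |
          # grab every bash code block for this step, remove line continuation,
          # and only keep lines that start with '$' (of course removing that '$'
          # in the process)
          sed -n '/```.*veracruz-ci-run-native/,/```/{/```/d; p}' README.md \
            | sed ':a; /\\$/{N; s/\\\n//; ta}' \
            | sed -n '/^ *\$/{s/^ *\$ \?//; p}' \
            > README.md.veracruz-ci-run-native.sh
          # run the script
          bash -euxo pipefail README.md.veracruz-ci-run-native.sh
          # Check results
          file output/prediction.0.jpg | grep "JPEG image data"
          rm -rf output
      - name: Run VOD in wasmtime
        run: |
          # Install wasmtime
          # NOTE(review): this pipes an unpinned remote installer into bash;
          # only the wasmtime version is pinned, not the installer script itself.
          curl https://wasmtime.dev/install.sh -sSf | bash -s -- --version $WASMTIME_VERSION && \
          . ~/.bashrc
          # grab every bash code block for this step, remove line continuation,
          # and only keep lines that start with '$' (of course removing that '$'
          # in the process)
          sed -n '/```.*veracruz-ci-run-wasmtime/,/```/{/```/d; p}' README.md \
            | sed ':a; /\\$/{N; s/\\\n//; ta}' \
            | sed -n '/^ *\$/{s/^ *\$ \?//; p}' \
            > README.md.veracruz-ci-run-wasmtime.sh
          # run the script
          bash -euxo pipefail README.md.veracruz-ci-run-wasmtime.sh
          # Check results
          file output/prediction.0.jpg | grep "JPEG image data"
          rm -rf output
      - name: Run VOD in Freestanding Execution Engine
        run: |
          # grab every bash code block for this step, remove line continuation,
          # and only keep lines that start with '$' (of course removing that '$'
          # in the process)
          sed -n '/```.*veracruz-ci-run-fee/,/```/{/```/d; p}' README.md \
            | sed ':a; /\\$/{N; s/\\\n//; ta}' \
            | sed -n '/^ *\$/{s/^ *\$ \?//; p}' \
            > README.md.veracruz-ci-run-fee.sh
          # run the script
          bash -euxo pipefail README.md.veracruz-ci-run-fee.sh
          # Check results
          file output/prediction.0.jpg | grep "JPEG image data"
          rm -rf output
      - name: Run VOD in Veracruz-Linux
        run: |
          POLICY_GENERATOR_PATH="artifacts/generate-policy" CLIENT_PATH="artifacts/veracruz-client" SERVER_PATH="artifacts/linux-veracruz-server" RUNTIME_MANAGER_PATH="artifacts/linux-runtime-manager" CA_CERT_CONF_PATH="artifacts/ca-cert.conf" CERT_CONF_PATH="artifacts/cert.conf" PROXY_CLEANUP_SCRIPT_PATH="artifacts/proxy_cleanup.sh" SERVER_LOG="server.log" POLICY_PATH="policy.json" ./deploy_linux_wasm.sh
          # Check results
          file prediction.0.jpg | grep "JPEG image data"
      - name: Upload VOD artifacts
        id: upload-vod-artifacts
        uses: actions/upload-artifact@v3
        with:
          name: linux-vod
          path: |
            policy.json
            server.log

  # Builds the Nitro target and reports Cargo.lock drift like `linux`.
  nitro:
    runs-on: ubuntu-latest
    needs: [check]
    outputs:
      output: ${{ steps.check-diff.outputs.cargo-lock }}
    container:
      # Pinned by digest; must stay identical to the digest verified in `check`.
      image: ghcr.io/veracruz-project/veracruz/ci@sha256:681ceebcae7f23fb60bb6c5b903600e134fd4852f0187539d995ced444f382d6
      volumes:
        - ${{ github.workspace }}:/work/veracruz
    steps:
      - name: Check out the Veracruz repository
        uses: actions/checkout@v3
        with:
          submodules: recursive
      - name: add the GITHUB_WORKSPACE into git config
        run: |
          git config --global --add safe.directory "$GITHUB_WORKSPACE"
      - name: Running Nitro test script
        id: nitro-build
        run: |
          make -C /work/veracruz/workspaces nitro
      - name: Check modification to Cargo.lock
        id: check-diff
        run: |
          file_changed=$(git diff --diff-filter=ACMUXTRD --name-only -- '**Cargo.lock' | tr '\n' ' ' | xargs)
          echo "cargo-lock=$file_changed" >> "$GITHUB_OUTPUT"
          if [ -n "$file_changed" ] ; then
            echo "::warning::Cargo.lock files modified";
            # Use the shell variable: ${{ steps.check-diff.outputs.* }} is
            # expanded before this step runs, so it is always empty here.
            echo "::warning::Cargo.lock change list: $file_changed";
          fi
      - name: Upload Cargo.lock files
        id: upload-changed-cargo-lock
        if: steps.check-diff.outputs.cargo-lock != ''
        uses: actions/upload-artifact@v3
        with:
          name: nitro
          path: workspaces/**/Cargo.lock

  # tests that the docs/CLI_QUICKSTART.md is still up to date
  quickstart:
    runs-on: ubuntu-latest
    needs: [check]
    outputs:
      output: ${{ steps.check-diff.outputs.cargo-lock }}
    container:
      # Pinned by digest; must stay identical to the digest verified in `check`.
      image: ghcr.io/veracruz-project/veracruz/ci@sha256:681ceebcae7f23fb60bb6c5b903600e134fd4852f0187539d995ced444f382d6
      volumes:
        - ${{ github.workspace }}:/work/veracruz
    steps:
      - name: Check out the Veracruz repository
        uses: actions/checkout@v3
        with:
          submodules: recursive
      - name: add the GITHUB_WORKSPACE into git config
        run: |
          git config --global --add safe.directory "$GITHUB_WORKSPACE"
      - name: Running docs/CLI_QUICKSTART.md
        id: quickstart-test
        run: |
          # grab every bash code block, remove line continuation, and only keep lines
          # that start with '$' (of course removing that '$' in the process)
          sed -n '/``` bash/,/```/{/```/d; p}' docs/CLI_QUICKSTART.md \
            | sed ':a; /\\$/{N; s/\\\n//; ta}' \
            | sed -n '/^\$/{s/^\$ \?//; p}' \
            > CLI_QUICKSTART.md.sh
          # run the quickstart
          bash -euxo pipefail CLI_QUICKSTART.md.sh
      - name: Running tlstest/README.md
        id: tlstest
        run: |
          # Extract and execute bash code blocks from README.md:
          cd crates/tests/tlstest && \
          sed -n '/``` bash/,/```/{/```/d; p}' README.md > README.md.sh && \
          bash -euxo pipefail README.md.sh
      - name: Check modification to Cargo.lock
        id: check-diff
        run: |
          file_changed=$(git diff --diff-filter=ACMUXTRD --name-only -- '**Cargo.lock' | tr '\n' ' ' | xargs)
          echo "cargo-lock=$file_changed" >> "$GITHUB_OUTPUT"
          if [ -n "$file_changed" ] ; then
            echo "::warning::Cargo.lock files modified";
            # Use the shell variable: ${{ steps.check-diff.outputs.* }} is
            # expanded before this step runs, so it is always empty here.
            echo "::warning::Cargo.lock change list: $file_changed";
          fi
      - name: Upload Cargo.lock files
        id: upload-changed-cargo-lock
        if: steps.check-diff.outputs.cargo-lock != ''
        uses: actions/upload-artifact@v3
        with:
          name: quickstart
          path: workspaces/**/Cargo.lock

  # Fails the run if any build job reported a modified Cargo.lock. The job
  # outputs are lists of file paths from `git diff --name-only`, i.e. data
  # from the checked-out tree, so they are passed through `env` instead of
  # being interpolated into the shell script with ${{ }}.
  cargo-lock-check:
    needs: [linux, nitro, quickstart]
    runs-on: ubuntu-latest
    steps:
      - name: linux
        if: needs.linux.outputs.output != ''
        env:
          CHANGED: ${{ needs.linux.outputs.output }}
        run: |
          echo "::warning:: linux Cargo.lock change list: $CHANGED"
          exit 1
      - name: nitro
        if: needs.nitro.outputs.output != ''
        env:
          CHANGED: ${{ needs.nitro.outputs.output }}
        run: |
          echo "::warning:: nitro Cargo.lock change list: $CHANGED"
          exit 1
      - name: quickstart
        if: needs.quickstart.outputs.output != ''
        env:
          CHANGED: ${{ needs.quickstart.outputs.output }}
        run: |
          echo "::warning:: quickstart Cargo.lock change list: $CHANGED"
          exit 1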