diff --git a/.github/workflows/aws_tfhe_backward_compat_tests.yml b/.github/workflows/aws_tfhe_backward_compat_tests.yml
index 93313443d8..fca23afe8f 100644
--- a/.github/workflows/aws_tfhe_backward_compat_tests.yml
+++ b/.github/workflows/aws_tfhe_backward_compat_tests.yml
@@ -11,15 +11,47 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }} + REF: ${{ github.event.pull_request.head.sha || github.sha }} on: # Allows you to run this workflow manually from the Actions tab as an alternative. workflow_dispatch: + # Trigger pull_request event on CI files to be able to test changes before merging to main branch. + # Workflow would fail if changes come from a forked repository since secrets are not available with this event. pull_request: + paths: + - '.github/**' + - 'ci/**' + # General entry point for Zama's pull request as well as contribution from forks. + pull_request_target: + paths: + - '**' + - '!.github/**' + - '!ci/**' jobs: + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + + # Fail if the triggering actor is not part of Zama organization. + # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. + check-user-permission: + needs: check-ci-files + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_triggering_actor.yml + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + setup-instance: name: Setup instance (backward-compat-tests) + needs: check-user-permission runs-on: ubuntu-latest outputs: runner-name: ${{ steps.start-instance.outputs.label }} 
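Review bot: The new `pull_request_target` trigger runs with repository secrets while the test job checks out the PR head (`ref: ${{ env.REF }}`), so the `check-user-permission` gate is the only thing keeping fork code away from `SLACK_WEBHOOK` and `REPO_CHECKOUT_TOKEN`, and nothing in the file says so. I would add a comment above `pull_request_target:` such as `# SECURITY: runs with secrets and checks out the PR head; every job that builds or executes PR code must depend on check-user-permission.` A `paths` filter matches as soon as any changed file matches, so a PR touching both `ci/**` and source files fires both events; `check-ci-files` is what catches that case, not the `'!.github/**'` / `'!ci/**'` patterns. Unlike the other workflows, this one sets no `types:` on either trigger, so it runs on every push to a PR rather than on a label. The same trigger block is repeated in the integer, signed-integer, CPU, WASM, 4090 benchmark and CSPRNG workflows.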
@@ -39,7 +71,7 @@ jobs: name: Backward compatibility tests needs: [ setup-instance ] concurrency: - group: ${{ github.workflow }}_${{ github.ref }} + group: ${{ github.workflow }}_${{ github.head_ref || github.ref }} cancel-in-progress: true runs-on: ${{ needs.setup-instance.outputs.runner-name }} steps: @@ -48,6 +80,7 @@ jobs: with: persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Install latest stable uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 @@ -90,7 +123,7 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Backward compatibility tests finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Backward compatibility tests finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" teardown-instance: name: Teardown instance (backward-compat-tests) @@ -114,4 +147,4 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Instance teardown (backward-compat-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Instance teardown (backward-compat-tests) finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" diff --git a/.github/workflows/aws_tfhe_fast_tests.yml b/.github/workflows/aws_tfhe_fast_tests.yml index 8b2b6dfbbf..46698288ee 100644 --- a/.github/workflows/aws_tfhe_fast_tests.yml +++ b/.github/workflows/aws_tfhe_fast_tests.yml 
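Review bot: The new concurrency group `${{ github.workflow }}_${{ github.head_ref || github.ref }}` keys on the head branch name alone, and under `pull_request_target` two pull requests from different forks can carry the same branch name; with `cancel-in-progress: true` one would cancel the other's run. Keying on the PR number avoids the collision: `group: ${{ github.workflow }}_${{ github.event.pull_request.number || github.ref }}`. The same group expression is introduced in the integer, signed-integer, CPU, WASM and CSPRNG workflows. The job this belongs to starts and ends outside the hunk.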
@@ -62,7 +62,6 @@ jobs: user_docs_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.user_docs_any_changed || steps.changed-files.outputs.dependencies_any_changed }} - ci_file_changed: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.ci_any_changed }} any_file_changed: ${{ env.IS_PULL_REQUEST == 'false' || steps.aggregated-changes.outputs.any_changed }} steps: - name: Checkout tfhe-rs @@ -122,13 +121,9 @@ jobs: - '!tfhe/src/c_api/**' - 'tfhe/docs/**/**.md' - README.md - ci: - - .github/** - - ci/** - name: Aggregate file changes id: aggregated-changes - # CI files are not included in this aggregator. if: ( steps.changed-files.outputs.dependencies_any_changed == 'true' || steps.changed-files.outputs.csprng_any_changed == 'true' || steps.changed-files.outputs.zk_pok_any_changed == 'true' || @@ -143,12 +138,19 @@ jobs: run: | echo "any_changed=true" >> "$GITHUB_OUTPUT" + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + # Fail if the triggering actor is not part of Zama organization. # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. check-user-permission: - needs: should-run + needs: check-ci-files if: github.event_name != 'pull_request_target' || - (github.event_name == 'pull_request_target' && needs.should-run.outputs.ci_file_changed == 'false') + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') uses: ./.github/workflows/check_triggering_actor.yml secrets: TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/aws_tfhe_integer_tests.yml b/.github/workflows/aws_tfhe_integer_tests.yml index a2ff73d7c7..8245b846f2 100644 --- a/.github/workflows/aws_tfhe_integer_tests.yml +++ b/.github/workflows/aws_tfhe_integer_tests.yml 
@@ -10,16 +10,31 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }} # We clear the cache to reduce memory pressure because of the numerous processes of cargo # nextest TFHE_RS_CLEAR_IN_MEMORY_KEY_CACHE: "1" NO_BIG_PARAMS: FALSE + REF: ${{ github.event.pull_request.head.sha || github.sha }} on: # Allows you to run this workflow manually from the Actions tab as an alternative. workflow_dispatch: + # Trigger pull_request event on CI files to be able to test changes before merging to main branch. + # Workflow would fail if changes come from a forked repository since secrets are not available with this event. pull_request: - types: [labeled] + types: [ labeled ] + paths: + - '.github/**' + - 'ci/**' + # General entry point for Zama's pull request as well as contribution from forks. + pull_request_target: + types: [ labeled ] + paths: + - '**' + - '!.github/**' + - '!ci/**' push: branches: - main @@ -28,8 +43,7 @@ jobs: should-run: if: (github.event_name == 'push' && github.repository == 'zama-ai/tfhe-rs') || - (github.event_name == 'schedule' && github.repository == 'zama-ai/tfhe-rs') || - (github.event_name == 'pull_request' && contains(github.event.label.name, 'approved')) || + (github.event_name == 'pull_request_target' && contains(github.event.label.name, 'approved')) || github.event_name == 'workflow_dispatch' runs-on: ubuntu-latest permissions: @@ -44,6 +58,7 @@ jobs: fetch-depth: 0 persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Check for file changes id: changed-files 
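Review bot: The rewritten `should-run` condition no longer matches the `pull_request` event, yet this commit adds a `pull_request` trigger for `.github/**` and `ci/**` so that CI changes can be tested before merge; on that event `should-run` would be skipped, and `setup-instance`, which needs it, would presumably be skipped with it. If both events are meant to pass on the label, the clause could read `((github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && contains(github.event.label.name, 'approved')) ||`. The signed-integer workflow writes this clause with `pull_request_target` on both sides of the `||`, which looks like the same intent mistyped. The `schedule` clause is also dropped here while `setup-instance` still tests for it; the `on:` block is only partly visible, so confirm whether a schedule trigger remains.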
@@ -61,13 +76,30 @@ jobs: - tfhe/src/integer/** - .github/workflows/aws_tfhe_integer_tests.yml + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + + # Fail if the triggering actor is not part of Zama organization. + # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. + check-user-permission: + needs: check-ci-files + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_triggering_actor.yml + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + setup-instance: name: Setup instance (unsigned-integer-tests) - needs: should-run + needs: [ should-run, check-user-permission ] if: (github.event_name == 'push' && github.repository == 'zama-ai/tfhe-rs' && needs.should-run.outputs.integer_test == 'true') || (github.event_name == 'schedule' && github.repository == 'zama-ai/tfhe-rs') || - (github.event_name == 'pull_request' && contains(github.event.label.name, 'approved')) || + (github.event.action == 'labeled' && github.event.label.name == 'approved' && needs.should-run.outputs.integer_test == 'true') || github.event_name == 'workflow_dispatch' runs-on: ubuntu-latest outputs: @@ -88,7 +120,7 @@ jobs: name: Unsigned integer tests needs: setup-instance concurrency: - group: ${{ github.workflow }}_${{ github.ref }}${{ github.ref == 'refs/heads/main' && github.sha || '' }} + group: ${{ github.workflow }}_${{ github.head_ref || github.ref }} cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} runs-on: ${{ needs.setup-instance.outputs.runner-name }} steps: 
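Review bot: `cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}` is kept next to the new group, but under `pull_request_target` `github.ref` is the base branch, so for a PR targeting `main` it evaluates to false and superseded PR runs are no longer cancelled. The group also lost its `github.sha` suffix for `main`, so pushes to `main` now share one group and queue behind each other. If the intent is to cancel only pull-request runs, `cancel-in-progress: ${{ startsWith(github.event_name, 'pull_request') }}` expresses that without depending on `github.ref`. The signed-integer workflow carries the same pair of lines.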
@@ -97,6 +129,7 @@ jobs: with: persist-credentials: "false" token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Install latest stable uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 @@ -104,7 +137,7 @@ jobs: toolchain: stable - name: Should skip big parameters set - if: github.event_name == 'pull_request' + if: github.event_name == 'pull_request_target' run: | echo "NO_BIG_PARAMS=TRUE" >> "${GITHUB_ENV}" @@ -130,7 +163,7 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Unsigned Integer tests finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Unsigned Integer tests finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" teardown-instance: name: Teardown instance (unsigned-integer-tests) @@ -154,4 +187,4 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Instance teardown (unsigned-integer-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Instance teardown (unsigned-integer-tests) finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" diff --git a/.github/workflows/aws_tfhe_signed_integer_tests.yml b/.github/workflows/aws_tfhe_signed_integer_tests.yml index 8fadafa45d..57705a6e33 100644 --- a/.github/workflows/aws_tfhe_signed_integer_tests.yml +++ b/.github/workflows/aws_tfhe_signed_integer_tests.yml 
@@ -10,16 +10,31 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }} # We clear the cache to reduce memory pressure because of the numerous processes of cargo # nextest TFHE_RS_CLEAR_IN_MEMORY_KEY_CACHE: "1" NO_BIG_PARAMS: FALSE + REF: ${{ github.event.pull_request.head.sha || github.sha }} on: # Allows you to run this workflow manually from the Actions tab as an alternative. workflow_dispatch: + # Trigger pull_request event on CI files to be able to test changes before merging to main branch. + # Workflow would fail if changes come from a forked repository since secrets are not available with this event. pull_request: - types: [labeled] + types: [ labeled ] + paths: + - '.github/**' + - 'ci/**' + # General entry point for Zama's pull request as well as contribution from forks. + pull_request_target: + types: [ labeled ] + paths: + - '**' + - '!.github/**' + - '!ci/**' push: branches: - main @@ -29,7 +44,7 @@ jobs: if: (github.event_name == 'push' && github.repository == 'zama-ai/tfhe-rs') || (github.event_name == 'schedule' && github.repository == 'zama-ai/tfhe-rs') || - (github.event_name == 'pull_request' && contains(github.event.label.name, 'approved')) || + ((github.event_name == 'pull_request_target' || github.event_name == 'pull_request_target') && contains(github.event.label.name, 'approved')) || github.event_name == 'workflow_dispatch' runs-on: ubuntu-latest permissions: @@ -44,6 +59,7 @@ jobs: fetch-depth: 0 persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Check for file changes id: changed-files 
@@ -61,13 +77,30 @@ jobs: - tfhe/src/integer/** - .github/workflows/aws_tfhe_signed_integer_tests.yml + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + + # Fail if the triggering actor is not part of Zama organization. + # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. + check-user-permission: + needs: check-ci-files + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_triggering_actor.yml + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + setup-instance: name: Setup instance (unsigned-integer-tests) - needs: should-run + needs: [ should-run, check-user-permission ] if: (github.event_name == 'push' && github.repository == 'zama-ai/tfhe-rs' && needs.should-run.outputs.integer_test == 'true') || (github.event_name == 'schedule' && github.repository == 'zama-ai/tfhe-rs') || - (github.event_name == 'pull_request' && contains(github.event.label.name, 'approved')) || + (github.event.action == 'labeled' && github.event.label.name == 'approved' && needs.should-run.outputs.integer_test == 'true') || github.event_name == 'workflow_dispatch' runs-on: ubuntu-latest outputs: @@ -88,7 +121,7 @@ jobs: name: Signed integer tests needs: setup-instance concurrency: - group: ${{ github.workflow }}_${{ github.ref }}${{ github.ref == 'refs/heads/main' && github.sha || '' }} + group: ${{ github.workflow }}_${{ github.head_ref || github.ref }} cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} runs-on: ${{ needs.setup-instance.outputs.runner-name }} steps: 
@@ -97,6 +130,7 @@ jobs: with: persist-credentials: "false" token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Install latest stable uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 @@ -104,7 +138,7 @@ jobs: toolchain: stable - name: Should skip big parameters set - if: github.event_name == 'pull_request' + if: github.event_name == 'pull_request_target' run: | echo "NO_BIG_PARAMS=TRUE" >> "${GITHUB_ENV}" @@ -134,7 +168,7 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Signed Integer tests finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Signed Integer tests finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" teardown-instance: name: Teardown instance (signed-integer-tests) @@ -158,4 +192,4 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Instance teardown (signed-integer-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Instance teardown (signed-integer-tests) finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" diff --git a/.github/workflows/aws_tfhe_tests.yml b/.github/workflows/aws_tfhe_tests.yml index 9aca6dfa49..92e8a5424b 100644 --- a/.github/workflows/aws_tfhe_tests.yml +++ b/.github/workflows/aws_tfhe_tests.yml 
@@ -10,13 +10,28 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} - IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }} + IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' || github.event_name == 'pull_request_target' }} + REF: ${{ github.event.pull_request.head.sha || github.sha }} on: # Allows you to run this workflow manually from the Actions tab as an alternative. workflow_dispatch: + # Trigger pull_request event on CI files to be able to test changes before merging to main branch. + # Workflow would fail if changes come from a forked repository since secrets are not available with this event. pull_request: types: [ labeled ] + paths: + - '.github/**' + - 'ci/**' + # General entry point for Zama's pull request as well as contribution from forks. + pull_request_target: + types: [ labeled ] + paths: + - '**' + - '!.github/**' + - '!ci/**' schedule: # Nightly tests @ 1AM after each work day - cron: "0 1 * * MON-FRI" @@ -65,6 +80,7 @@ jobs: fetch-depth: 0 persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Check for file changes id: changed-files 
@@ -132,11 +148,28 @@ jobs: run: | echo "any_changed=true" >> "$GITHUB_OUTPUT" + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + + # Fail if the triggering actor is not part of Zama organization. + # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. + check-user-permission: + needs: check-ci-files + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_triggering_actor.yml + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + setup-instance: name: Setup instance (cpu-tests) - if: github.event_name != 'pull_request' || + if: github.event_name != 'pull_request_target' || (github.event.action == 'labeled' && github.event.label.name == 'approved' && needs.should-run.outputs.any_file_changed == 'true') - needs: should-run + needs: [ should-run, check-user-permission ] runs-on: ubuntu-latest outputs: runner-name: ${{ steps.start-instance.outputs.label }} @@ -154,11 +187,11 @@ jobs: cpu-tests: name: CPU tests - if: github.event_name != 'pull_request' || - (github.event_name == 'pull_request' && needs.setup-instance.result != 'skipped') + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.setup-instance.result != 'skipped') needs: [ should-run, setup-instance ] concurrency: - group: ${{ github.workflow }}_${{github.event_name}}_${{ github.ref }} + group: ${{ github.workflow }}_${{github.event_name}}_${{ github.head_ref || github.ref }} cancel-in-progress: true runs-on: ${{ needs.setup-instance.outputs.runner-name }} steps: 
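Review bot: `setup-instance` now begins with `github.event_name != 'pull_request_target' || ...`, while the workflow keeps a `pull_request` trigger with `types: [ labeled ]`, so on that event the first clause is already true and any label, not only `approved`, starts an instance. The old condition excluded `pull_request`; to keep the label requirement for both events the first clause could be `!startsWith(github.event_name, 'pull_request') ||`. The `cpu-tests` condition in the next hunk has the same shape. Whether `any_file_changed` covers CI-only pull requests is not visible here, so that path may need its own clause.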
@@ -167,6 +200,7 @@ jobs: with: persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Install latest stable uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 @@ -241,7 +275,7 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "CPU tests finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "CPU tests finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" teardown-instance: name: Teardown instance (cpu-tests) @@ -265,4 +299,4 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Instance teardown (cpu-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Instance teardown (cpu-tests) finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" diff --git a/.github/workflows/aws_tfhe_wasm_tests.yml b/.github/workflows/aws_tfhe_wasm_tests.yml index ee185e4ac1..505b071a25 100644 --- a/.github/workflows/aws_tfhe_wasm_tests.yml +++ b/.github/workflows/aws_tfhe_wasm_tests.yml 
@@ -10,16 +10,49 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }} + REF: ${{ github.event.pull_request.head.sha || github.sha }} on: # Allows you to run this workflow manually from the Actions tab as an alternative. workflow_dispatch: + # Trigger pull_request event on CI files to be able to test changes before merging to main branch. + # Workflow would fail if changes come from a forked repository since secrets are not available with this event. pull_request: types: [ labeled ] + paths: + - '.github/**' + - 'ci/**' + # General entry point for Zama's pull request as well as contribution from forks. + pull_request_target: + types: [ labeled ] + paths: + - '**' + - '!.github/**' + - '!ci/**' jobs: + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + + # Fail if the triggering actor is not part of Zama organization. + # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. + check-user-permission: + needs: check-ci-files + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_triggering_actor.yml + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + setup-instance: name: Setup instance (wasm-tests) + needs: check-user-permission if: ${{ github.event_name == 'workflow_dispatch' || contains(github.event.label.name, 'approved') }} runs-on: ubuntu-latest outputs: 
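Review bot: `setup-instance` is gated on `contains(github.event.label.name, 'approved')`, which is a substring test, so any label whose name merely contains `approved` releases a runner and secrets for a `pull_request_target` run that checks out the PR head. The CPU tests workflow compares exactly, and the same form fits here: `if: ${{ github.event_name == 'workflow_dispatch' || github.event.label.name == 'approved' }}`. The condition is a context line in this hunk, but the new trigger is what makes it security-relevant. The CSPRNG workflow and the `should-run` jobs of the integer workflows use the same `contains` test, and the 4090 benchmark does so for `4090_bench`.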
@@ -40,7 +73,7 @@ jobs: name: WASM tests needs: setup-instance concurrency: - group: ${{ github.workflow }}_${{ github.ref }} + group: ${{ github.workflow }}_${{ github.head_ref || github.ref }} cancel-in-progress: true runs-on: ${{ needs.setup-instance.outputs.runner-name }} steps: @@ -49,6 +82,7 @@ jobs: with: persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Install latest stable uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 @@ -109,7 +143,7 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "WASM tests finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "WASM tests finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" teardown-instance: name: Teardown instance (wasm-tests) @@ -133,4 +167,4 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Instance teardown (wasm-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Instance teardown (wasm-tests) finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" diff --git a/.github/workflows/benchmark_gpu_4090.yml b/.github/workflows/benchmark_gpu_4090.yml index 17d137b3e7..97c9192131 100644 --- a/.github/workflows/benchmark_gpu_4090.yml +++ b/.github/workflows/benchmark_gpu_4090.yml 
@@ -11,20 +11,53 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }} FAST_BENCH: TRUE + REF: ${{ github.event.pull_request.head.sha || github.sha }} on: # Allows you to run this workflow manually from the Actions tab as an alternative. workflow_dispatch: + # Trigger pull_request event on CI files to be able to test changes before merging to main branch. + # Workflow would fail if changes come from a forked repository since secrets are not available with this event. pull_request: - types: [labeled] + types: [ labeled ] + paths: + - '.github/**' + - 'ci/**' + # General entry point for Zama's pull request as well as contribution from forks. + pull_request_target: + types: [ labeled ] + paths: + - '**' + - '!.github/**' + - '!ci/**' schedule: # Weekly benchmarks will be triggered each Friday at 9p.m. - cron: "0 21 * * 5" jobs: + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + + # Fail if the triggering actor is not part of Zama organization. + # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. 
+ check-user-permission: + needs: check-ci-files + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_triggering_actor.yml + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + cuda-integer-benchmarks: name: Cuda integer benchmarks (RTX 4090) + needs: check-user-permission if: ${{ github.event_name == 'workflow_dispatch' || github.event_name == 'schedule' && github.repository == 'zama-ai/tfhe-rs' || contains(github.event.label.name, '4090_bench') }} @@ -33,10 +66,6 @@ jobs: cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} runs-on: ["self-hosted", "4090-desktop"] timeout-minutes: 1440 # 24 hours - strategy: - fail-fast: false - max-parallel: 1 - steps: - name: Checkout tfhe-rs uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 @@ -44,6 +73,7 @@ jobs: fetch-depth: 0 persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Get benchmark details run: | @@ -101,7 +131,7 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Integer RTX 4090 full benchmarks finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Integer RTX 4090 full benchmarks finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" cuda-core-crypto-benchmarks: name: Cuda core crypto benchmarks (RTX 4090) 
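Review bot: `cuda-integer-benchmarks` runs on `["self-hosted", "4090-desktop"]` and now checks out `env.REF` under `pull_request_target`, so code from a fork is built and executed on a machine that persists between runs; the permission check on whoever applies the `4090_bench` label is the only barrier. That deserves a comment on the job, for example `# SECURITY: self-hosted runner executes PR head code; label only after reviewing the diff, and keep the runner free of long-lived credentials.` Only this job gains `needs: check-user-permission` and `ref:` in the visible hunks. `cuda-core-crypto-benchmarks` begins at the end of the hunk, so confirm that it is gated the same way and checks out the same ref rather than the base branch.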
@@ -186,11 +216,11 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Core crypto RTX 4090 full benchmarks finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Core crypto RTX 4090 full benchmarks finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" remove_github_label: name: Remove 4090 bench label - if: ${{ always() && github.event_name == 'pull_request' }} + if: ${{ always() && github.event_name == 'pull_request_target' }} needs: [cuda-integer-benchmarks, cuda-core-crypto-benchmarks] runs-on: ubuntu-latest steps: diff --git a/.github/workflows/check_ci_files_change.yml b/.github/workflows/check_ci_files_change.yml new file mode 100644 index 0000000000..58a78fb6d2 --- /dev/null +++ b/.github/workflows/check_ci_files_change.yml @@ -0,0 +1,41 @@ +# Check if there is any change in CI files since last commit +name: Check changes in CI files + +on: + workflow_call: + inputs: + checkout_ref: + type: string + required: true + outputs: + ci_file_changed: + value: ${{ jobs.check-changes.outputs.ci_file_changed }} + secrets: + REPO_CHECKOUT_TOKEN: + required: true + +jobs: + check-changes: + runs-on: ubuntu-latest + permissions: + pull-requests: write + outputs: + ci_file_changed: ${{ steps.changed-files.outputs.ci_any_changed }} + steps: + - name: Checkout tfhe-rs + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + with: + fetch-depth: 0 + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ inputs.checkout_ref }} + + - name: Check for file changes + id: changed-files + uses: tj-actions/changed-files@d6e91a2266cdb9d62096cebf1e8546899c6aa18f + with: + since_last_remote_commit: true + files_yaml: | + ci: + - .github/** + - ci/** diff --git a/.github/workflows/check_commit.yml b/.github/workflows/check_commit.yml index d871c7320b..d21cac7eda 100644 
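Review bot: In the new `check_ci_files_change.yml`, `since_last_remote_commit: true` appears to compare against the previously pushed commit rather than the PR base, so a CI-file change made in an earlier commit of the same PR would report `ci_file_changed == 'false'` and the `pull_request_target` path would proceed with the modified `ci/**` files checked out. Since this output is the gate in every caller, I would drop that input so the whole PR range is inspected. The job also requests `pull-requests: write` although the visible steps only read; `pull-requests: read` looks sufficient. A header comment noting that callers compare against the string `'false'`, so an empty output keeps the gated jobs from running, would document the fail-closed behaviour.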
--- a/.github/workflows/check_commit.yml +++ b/.github/workflows/check_commit.yml @@ -2,6 +2,7 @@ name: Check commit and PR compliance on: pull_request: + jobs: check-commit-pr: name: Check commit and PR diff --git a/.github/workflows/check_triggering_actor.yml b/.github/workflows/check_triggering_actor.yml index 0596647428..2a754e21c0 100644 --- a/.github/workflows/check_triggering_actor.yml +++ b/.github/workflows/check_triggering_actor.yml @@ -21,7 +21,8 @@ jobs: GITHUB_TOKEN: ${{ secrets.TOKEN }} - name: Check User Permission - if: steps.check-access.outputs.require-result == 'false' + if: (github.triggering_actor != 'dependabot' || github.triggering_actor != 'cla-bot') && + steps.check-access.outputs.require-result == 'false' run: | echo "${{ github.triggering_actor }} does not have permissions on this repo." echo "Current permission level is ${{ steps.check-access.outputs.user-permission }}" diff --git a/.github/workflows/ci_lint.yml b/.github/workflows/ci_lint.yml index 0cd3b54aa0..c903e2cf58 100644 --- a/.github/workflows/ci_lint.yml +++ b/.github/workflows/ci_lint.yml @@ -14,6 +14,9 @@ jobs: steps: - name: Checkout tfhe-rs uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + with: + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Get actionlint run: | diff --git a/.github/workflows/csprng_randomness_tests.yml b/.github/workflows/csprng_randomness_tests.yml index f910742a8f..402b4e9077 100644 --- a/.github/workflows/csprng_randomness_tests.yml +++ b/.github/workflows/csprng_randomness_tests.yml 
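Review bot: The added guard `(github.triggering_actor != 'dependabot' || github.triggering_actor != 'cla-bot')` in `check_triggering_actor.yml` is always true, because no actor can equal both names, so the step still fails for the two bots it is meant to exempt. The exemption needs `&&`: `if: github.triggering_actor != 'dependabot' && github.triggering_actor != 'cla-bot' &&` followed by the existing `steps.check-access.outputs.require-result == 'false'`. Check the exact actor logins as well; Dependabot normally appears as `dependabot[bot]`. The step's `run:` body continues outside the hunk.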
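Review bot: The lint checkout in `ci_lint.yml` now passes `token: ${{ secrets.REPO_CHECKOUT_TOKEN }}`, a stored token, where the job only needs to read the repository. The trigger is outside the hunk, but if this runs on `pull_request` from forks the secret is empty there and the checkout would likely fail. `persist-credentials: 'false'` alone provides the hardening; if the token is needed for same-repository runs, `token: ${{ secrets.REPO_CHECKOUT_TOKEN || github.token }}` keeps fork pull requests working.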
@@ -10,16 +10,49 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }} + REF: ${{ github.event.pull_request.head.sha || github.sha }} on: # Allows you to run this workflow manually from the Actions tab as an alternative. workflow_dispatch: + # Trigger pull_request event on CI files to be able to test changes before merging to main branch. + # Workflow would fail if changes come from a forked repository since secrets are not available with this event. pull_request: types: [ labeled ] + paths: + - '.github/**' + - 'ci/**' + # General entry point for Zama's pull request as well as contribution from forks. + pull_request_target: + types: [ labeled ] + paths: + - '**' + - '!.github/**' + - '!ci/**' jobs: + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + + # Fail if the triggering actor is not part of Zama organization. + # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. + check-user-permission: + needs: check-ci-files + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_triggering_actor.yml + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + setup-instance: name: Setup instance (csprng-randomness-tests) + needs: check-user-permission if: ${{ github.event_name == 'workflow_dispatch' || contains(github.event.label.name, 'approved') }} runs-on: ubuntu-latest outputs: 
@@ -40,7 +73,7 @@ jobs: name: CSPRNG randomness tests needs: setup-instance concurrency: - group: ${{ github.workflow }}_${{ github.ref }} + group: ${{ github.workflow }}_${{ github.head_ref || github.ref }} cancel-in-progress: true runs-on: ${{ needs.setup-instance.outputs.runner-name }} steps: @@ -49,6 +82,7 @@ jobs: with: persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Install latest stable uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 @@ -65,7 +99,7 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "tfhe-csprng randomness check finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "tfhe-csprng randomness check finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" teardown-instance: name: Teardown instance (csprng-randomness-tests) @@ -89,4 +123,4 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Instance teardown (csprng-randomness-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Instance teardown (csprng-randomness-tests) finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" diff --git a/.github/workflows/data_pr_close.yml b/.github/workflows/data_pr_close.yml index 7e323f7170..35aefb85cd 100644 --- a/.github/workflows/data_pr_close.yml +++ b/.github/workflows/data_pr_close.yml 
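Review bot: Keying the concurrency group on `github.head_ref` lets unrelated pull requests collide: `head_ref` is only the branch name, so two forks using the same branch name share one group, and with `cancel-in-progress: true` a run for one PR cancels the other's. A per-PR key avoids that: `group: ${{ github.workflow }}_${{ github.event.pull_request.number || github.ref }}`. The same group expression is introduced in gpu_4090_tests.yml, gpu_fast_h100_tests.yml, gpu_fast_tests.yml, gpu_full_multi_gpu_tests.yml, gpu_pcc.yml and the three gpu_signed_integer workflows.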
@@ -8,6 +8,8 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }} PR_BRANCH: ${{ github.head_ref || github.ref_name }} CLOSE_TYPE: ${{ github.event.pull_request.merged && 'merge' || 'close' }} @@ -15,6 +17,8 @@ env: on: pull_request: types: [ closed ] + pull_request_target: + types: [ closed ] # The same pattern is used for jobs that use the github api: # - save the result of the API call in the env var "GH_API_RES". Since the var is multiline diff --git a/.github/workflows/gpu_4090_tests.yml b/.github/workflows/gpu_4090_tests.yml index 736e21fc09..dd3291358f 100644 --- a/.github/workflows/gpu_4090_tests.yml +++ b/.github/workflows/gpu_4090_tests.yml 
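Review bot: Adding `pull_request_target: types: [ closed ]` next to the existing `pull_request: types: [ closed ]` in data_pr_close.yml, with no `paths` split and no event guard, starts this workflow twice for every closed same-repository PR, once per event. Either drop the `pull_request` trigger or guard the jobs (outside this hunk) with something like `if: github.event_name == 'pull_request_target'`. The `pull_request_target` run also has secrets for fork PRs while `BRANCH` and `PR_BRANCH` come from `github.head_ref`, a contributor-chosen name. Steps should therefore read them as shell variables (`"$PR_BRANCH"`) rather than expanding `${{ env.PR_BRANCH }}` inside `run:` scripts.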
@@ -11,24 +11,57 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }} + REF: ${{ github.event.pull_request.head.sha || github.sha }} on: # Allows you to run this workflow manually from the Actions tab as an alternative. workflow_dispatch: + # Trigger pull_request event on CI files to be able to test changes before merging to main branch. + # Workflow would fail if changes come from a forked repository since secrets are not available with this event. pull_request: types: [ labeled ] + paths: + - '.github/**' + - 'ci/**' + # General entry point for Zama's pull request as well as contribution from forks. + pull_request_target: + types: [ labeled ] + paths: + - '**' + - '!.github/**' + - '!ci/**' schedule: # Nightly tests @ 1AM after each work day - cron: "0 1 * * MON-FRI" jobs: + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + + # Fail if the triggering actor is not part of Zama organization. + # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. 
+ check-user-permission: + needs: check-ci-files + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_triggering_actor.yml + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + cuda-tests-linux: name: CUDA tests (RTX 4090) + needs: check-user-permission if: github.event_name == 'workflow_dispatch' || contains(github.event.label.name, '4090_test') || (github.event_name == 'schedule' && github.repository == 'zama-ai/tfhe-rs') concurrency: - group: ${{ github.workflow }}_${{ github.ref }} + group: ${{ github.workflow }}_${{ github.head_ref || github.ref }} cancel-in-progress: true runs-on: ["self-hosted", "4090-desktop"] @@ -38,6 +71,7 @@ jobs: with: persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Install latest stable uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 @@ -69,7 +103,7 @@ jobs: make test_high_level_api_gpu - uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 - if: ${{ always() && github.event_name == 'pull_request' }} + if: ${{ always() && github.event_name == 'pull_request_target' }} with: labels: 4090_test github_token: ${{ secrets.GITHUB_TOKEN }} @@ -80,4 +114,4 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "CUDA RTX 4090 tests finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "CUDA RTX 4090 tests finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" diff --git a/.github/workflows/gpu_fast_h100_tests.yml b/.github/workflows/gpu_fast_h100_tests.yml index cd6e6812f0..33817a42c3 100644 --- a/.github/workflows/gpu_fast_h100_tests.yml +++ b/.github/workflows/gpu_fast_h100_tests.yml 
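Review bot: `cuda-tests-linux` runs on `["self-hosted", "4090-desktop"]`, and with the new `pull_request_target` trigger plus `ref: ${{ env.REF }}` it builds and runs the pull request's head commit on that machine, including commits from forks once a maintainer applies the label. Nothing in the visible hunks shows this runner being reset between runs, unlike the instances other workflows set up and tear down, so the assumption deserves a comment above `runs-on`, e.g. `# Runs PR code on a self-hosted runner: apply the label only after reviewing the exact head commit`. If the runner is not ephemeral, cleaning the workspace and caches after each run belongs in the steps outside this hunk.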
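Review bot: The label-removal step now tests `github.event_name == 'pull_request_target'` only, so runs started by the `pull_request` trigger (PRs touching `.github/**` or `ci/**`) leave the `4090_test` label in place after the run. A stale label makes the approval look current for commits pushed later. If that is not intended, cover both events: `if: ${{ always() && startsWith(github.event_name, 'pull_request') }}`.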
@@ -11,13 +11,28 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} - IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }} + IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' || github.event_name == 'pull_request_target' }} + REF: ${{ github.event.pull_request.head.sha || github.sha }} on: # Allows you to run this workflow manually from the Actions tab as an alternative. workflow_dispatch: + # Trigger pull_request event on CI files to be able to test changes before merging to main branch. + # Workflow would fail if changes come from a forked repository since secrets are not available with this event. pull_request: - types: [ labeled ] + types: [ labeled ] + paths: + - '.github/**' + - 'ci/**' + # General entry point for Zama's pull request as well as contribution from forks. + pull_request_target: + types: [ labeled ] + paths: + - '**' + - '!.github/**' + - '!ci/**' jobs: should-run: @@ -33,6 +48,7 @@ jobs: fetch-depth: 0 persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Check for file changes id: changed-files 
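Review bot: The `should-run` job now checks out `ref: ${{ env.REF }}`, which under `pull_request_target` is the pull request's head commit, and nothing visible makes it wait for `check-user-permission` (`setup-instance` lists both jobs in `needs`, which suggests they run in parallel). That is acceptable only while the job merely inspects the diff, so a comment above the checkout would keep it that way, e.g. `# Untrusted PR head: runs before check-user-permission, do not build or execute anything from this checkout`. Alternatively add `needs: check-user-permission` to `should-run`. The job's remaining steps are outside this hunk, and the same checkout change appears in gpu_fast_tests.yml, gpu_full_multi_gpu_tests.yml and the three gpu_signed_integer workflows.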
@@ -57,10 +73,27 @@ jobs: - scripts/integer-tests.sh - ci/slab.toml + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + + # Fail if the triggering actor is not part of Zama organization. + # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. + check-user-permission: + needs: check-ci-files + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_triggering_actor.yml + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + setup-instance: name: Setup instance (cuda-h100-tests) - needs: should-run - if: github.event_name != 'pull_request' || + needs: [ should-run, check-user-permission ] + if: github.event_name != 'pull_request_target' || (github.event.action != 'labeled' && needs.should-run.outputs.gpu_test == 'true') || (github.event.action == 'labeled' && github.event.label.name == 'approved' && needs.should-run.outputs.gpu_test == 'true') runs-on: ubuntu-latest @@ -81,10 +114,10 @@ jobs: cuda-tests-linux: name: CUDA H100 tests needs: [ should-run, setup-instance ] - if: github.event_name != 'pull_request' || - (github.event_name == 'pull_request' && needs.setup-instance.result != 'skipped') + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.setup-instance.result != 'skipped') concurrency: - group: ${{ github.workflow }}_${{ github.ref }} + group: ${{ github.workflow }}_${{ github.head_ref || github.ref }} cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} runs-on: ${{ needs.setup-instance.outputs.runner-name }} strategy: 
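Review bot: In `setup-instance`, replacing `github.event_name != 'pull_request'` with `github.event_name != 'pull_request_target'` makes the first clause true for the `pull_request` trigger, so on a PR touching `.github/**` or `ci/**` any label event starts an H100 instance without the `approved` label or `gpu_test == 'true'`. If both PR events should stay gated, exclude both: `if: (github.event_name != 'pull_request' && github.event_name != 'pull_request_target') ||` followed by the existing label clauses. The same condition is introduced in gpu_full_multi_gpu_tests.yml, gpu_signed_integer_classic_tests.yml and gpu_signed_integer_h100_tests.yml.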
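Review bot: The unchanged line `cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}` in `cuda-tests-linux` no longer cancels superseded PR runs: under `pull_request_target` `github.ref` is the base branch, so for PRs against `main` the expression is false and an outdated run keeps its GPU instance until it finishes. One way to restore the old behaviour is `cancel-in-progress: ${{ github.event_name == 'pull_request_target' || github.ref != 'refs/heads/main' }}`. The same line sits next to the changed `group` in gpu_fast_tests.yml, gpu_full_multi_gpu_tests.yml and the three gpu_signed_integer workflows.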
@@ -101,6 +134,7 @@ jobs: with: persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Setup Hyperstack dependencies uses: ./.github/actions/hyperstack_setup @@ -146,7 +180,7 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ needs.cuda-tests-linux.result }} - SLACK_MESSAGE: "Fast H100 tests finished with status: ${{ needs.cuda-tests-linux.result }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Fast H100 tests finished with status: ${{ needs.cuda-tests-linux.result }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" teardown-instance: name: Teardown instance (cuda-h100-tests) @@ -170,4 +204,4 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Instance teardown (cuda-h100-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Instance teardown (cuda-h100-tests) finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" diff --git a/.github/workflows/gpu_fast_tests.yml b/.github/workflows/gpu_fast_tests.yml index 6cde0102d0..f141164e72 100644 --- a/.github/workflows/gpu_fast_tests.yml +++ b/.github/workflows/gpu_fast_tests.yml 
@@ -11,12 +11,26 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} - IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }} + IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' || github.event_name == 'pull_request_target' }} + REF: ${{ github.event.pull_request.head.sha || github.sha }} on: # Allows you to run this workflow manually from the Actions tab as an alternative. workflow_dispatch: + # Trigger pull_request event on CI files to be able to test changes before merging to main branch. + # Workflow would fail if changes come from a forked repository since secrets are not available with this event. pull_request: + paths: + - '.github/**' + - 'ci/**' + # General entry point for Zama's pull request as well as contribution from forks. + pull_request_target: + paths: + - '**' + - '!.github/**' + - '!ci/**' jobs: should-run: @@ -32,6 +46,7 @@ jobs: fetch-depth: 0 persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Check for file changes id: changed-files 
@@ -56,10 +71,27 @@ jobs: - scripts/integer-tests.sh - ci/slab.toml + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + + # Fail if the triggering actor is not part of Zama organization. + # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. + check-user-permission: + needs: check-ci-files + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_triggering_actor.yml + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + setup-instance: name: Setup instance (cuda-tests) - needs: should-run - if: github.event_name != 'pull_request' || + needs: [ should-run, check-user-permission ] + if: github.event_name == 'workflow_dispatch' || needs.should-run.outputs.gpu_test == 'true' runs-on: ubuntu-latest outputs: @@ -79,10 +111,10 @@ jobs: cuda-tests-linux: name: CUDA tests needs: [ should-run, setup-instance ] - if: github.event_name != 'pull_request' || - (github.event_name == 'pull_request' && needs.setup-instance.result != 'skipped') + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.setup-instance.result != 'skipped') concurrency: - group: ${{ github.workflow }}_${{ github.ref }} + group: ${{ github.workflow }}_${{ github.head_ref || github.ref }} cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} runs-on: ${{ needs.setup-instance.outputs.runner-name }} strategy: @@ -99,6 +131,7 @@ jobs: with: persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Setup Hyperstack dependencies uses: ./.github/actions/hyperstack_setup 
@@ -144,7 +177,7 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ needs.cuda-tests-linux.result }} - SLACK_MESSAGE: "Base GPU tests finished with status: ${{ needs.cuda-tests-linux.result }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Base GPU tests finished with status: ${{ needs.cuda-tests-linux.result }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" teardown-instance: name: Teardown instance (cuda-tests) @@ -168,4 +201,4 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Instance teardown (cuda-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Instance teardown (cuda-tests) finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" diff --git a/.github/workflows/gpu_full_h100_tests.yml b/.github/workflows/gpu_full_h100_tests.yml index 347ad3bd49..c33cdbe4c3 100644 --- a/.github/workflows/gpu_full_h100_tests.yml +++ b/.github/workflows/gpu_full_h100_tests.yml @@ -11,7 +11,6 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} - IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' }} on: workflow_dispatch: @@ -110,7 +109,7 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ needs.cuda-tests-linux.result }} - SLACK_MESSAGE: "Full H100 tests finished with status: ${{ needs.cuda-tests-linux.result }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Full H100 tests finished with status: ${{ needs.cuda-tests-linux.result }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" teardown-instance: name: Teardown instance (cuda-h100-tests) 
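Review bot: The new Slack messages in gpu_full_h100_tests.yml reference `${{ env.BRANCH }}`, but the `env:` hunk for this file only removes `IS_PULL_REQUEST` and, unlike the other workflows in this commit, adds no `BRANCH`. Unless `BRANCH` is defined above the visible part of the `env:` block, the expression expands to an empty string and the message reads `on ''`. Adding `BRANCH: ${{ github.head_ref || github.ref }}` after `SLACK_WEBHOOK` would match the other files. The teardown message in the last hunk of this file is affected the same way.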
@@ -133,4 +132,4 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Instance teardown (cuda-h100-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Instance teardown (cuda-h100-tests) finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" diff --git a/.github/workflows/gpu_full_multi_gpu_tests.yml b/.github/workflows/gpu_full_multi_gpu_tests.yml index 430591e022..06bc5942c4 100644 --- a/.github/workflows/gpu_full_multi_gpu_tests.yml +++ b/.github/workflows/gpu_full_multi_gpu_tests.yml @@ -11,13 +11,28 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} - IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }} + IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' || github.event_name == 'pull_request_target' }} + REF: ${{ github.event.pull_request.head.sha || github.sha }} on: # Allows you to run this workflow manually from the Actions tab as an alternative. workflow_dispatch: + # Trigger pull_request event on CI files to be able to test changes before merging to main branch. + # Workflow would fail if changes come from a forked repository since secrets are not available with this event. pull_request: types: [ labeled ] + paths: + - '.github/**' + - 'ci/**' + # General entry point for Zama's pull request as well as contribution from forks. + pull_request_target: + types: [ labeled ] + paths: + - '**' + - '!.github/**' + - '!ci/**' jobs: should-run: @@ -33,6 +48,7 @@ jobs: fetch-depth: 0 persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Check for file changes id: changed-files 
@@ -57,10 +73,27 @@ jobs: - scripts/integer-tests.sh - ci/slab.toml + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + + # Fail if the triggering actor is not part of Zama organization. + # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. + check-user-permission: + needs: check-ci-files + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_triggering_actor.yml + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + setup-instance: name: Setup instance (cuda-tests-multi-gpu) - needs: should-run - if: github.event_name != 'pull_request' || + needs: [ should-run, check-user-permission ] + if: github.event_name != 'pull_request_target' || (github.event.action != 'labeled' && needs.should-run.outputs.gpu_test == 'true') || (github.event.action == 'labeled' && github.event.label.name == 'approved' && needs.should-run.outputs.gpu_test == 'true') runs-on: ubuntu-latest @@ -81,10 +114,10 @@ jobs: cuda-tests-linux: name: CUDA multi-GPU tests needs: [ should-run, setup-instance ] - if: github.event_name != 'pull_request' || - (github.event_name == 'pull_request' && needs.setup-instance.result != 'skipped') + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.setup-instance.result != 'skipped') concurrency: - group: ${{ github.workflow }}_${{ github.ref }} + group: ${{ github.workflow }}_${{ github.head_ref || github.ref }} cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} runs-on: ${{ needs.setup-instance.outputs.runner-name }} strategy: 
@@ -101,6 +134,7 @@ jobs: with: persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Setup Hyperstack dependencies uses: ./.github/actions/hyperstack_setup @@ -149,7 +183,7 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ needs.cuda-tests-linux.result }} - SLACK_MESSAGE: "Multi-GPU tests finished with status: ${{ needs.cuda-tests-linux.result }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Multi-GPU tests finished with status: ${{ needs.cuda-tests-linux.result }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" teardown-instance: name: Teardown instance (cuda-tests-multi-gpu) @@ -173,4 +207,4 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Instance teardown (cuda-tests-multi-gpu) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Instance teardown (cuda-tests-multi-gpu) finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" diff --git a/.github/workflows/gpu_pcc.yml b/.github/workflows/gpu_pcc.yml index 52570b6eed..dc5f3a15f1 100644 --- a/.github/workflows/gpu_pcc.yml +++ b/.github/workflows/gpu_pcc.yml 
@@ -11,13 +11,45 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }} + REF: ${{ github.event.pull_request.head.sha || github.sha }} on: + # Trigger pull_request event on CI files to be able to test changes before merging to main branch. + # Workflow would fail if changes come from a forked repository since secrets are not available with this event. pull_request: + paths: + - '.github/**' + - 'ci/**' + # General entry point for Zama's pull request as well as contribution from forks. + pull_request_target: + paths: + - '**' + - '!.github/**' + - '!ci/**' jobs: + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + + # Fail if the triggering actor is not part of Zama organization. + # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. + check-user-permission: + needs: check-ci-files + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_triggering_actor.yml + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + setup-instance: name: Setup instance (cuda-pcc) + needs: check-user-permission runs-on: ubuntu-latest outputs: runner-name: ${{ steps.start-instance.outputs.label }} @@ -37,7 +69,7 @@ jobs: name: CUDA post-commit checks needs: setup-instance concurrency: - group: ${{ github.workflow }}_${{ github.ref }} + group: ${{ github.workflow }}_${{ github.head_ref || github.ref }} cancel-in-progress: true runs-on: ${{ needs.setup-instance.outputs.runner-name }} strategy: 
@@ -57,6 +89,7 @@ jobs: with: persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Set up home run: | @@ -100,7 +133,7 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "CUDA AWS post-commit checks finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "CUDA AWS post-commit checks finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" teardown-instance: name: Teardown instance (cuda-pcc) @@ -124,4 +157,4 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Instance teardown (cuda-pcc) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Instance teardown (cuda-pcc) finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" diff --git a/.github/workflows/gpu_signed_integer_classic_tests.yml b/.github/workflows/gpu_signed_integer_classic_tests.yml index 9034dc22f6..480633c810 100644 --- a/.github/workflows/gpu_signed_integer_classic_tests.yml +++ b/.github/workflows/gpu_signed_integer_classic_tests.yml 
@@ -11,13 +11,28 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} - IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }} + IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' || github.event_name == 'pull_request_target' }} + REF: ${{ github.event.pull_request.head.sha || github.sha }} on: # Allows you to run this workflow manually from the Actions tab as an alternative. workflow_dispatch: + # Trigger pull_request event on CI files to be able to test changes before merging to main branch. + # Workflow would fail if changes come from a forked repository since secrets are not available with this event. pull_request: - types: [ labeled ] + types: [ labeled ] + paths: + - '.github/**' + - 'ci/**' + # General entry point for Zama's pull request as well as contribution from forks. + pull_request_target: + types: [ labeled ] + paths: + - '**' + - '!.github/**' + - '!ci/**' jobs: should-run: @@ -33,6 +48,7 @@ jobs: fetch-depth: 0 persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Check for file changes id: changed-files 
@@ -57,10 +73,27 @@ jobs: - scripts/integer-tests.sh - ci/slab.toml + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + + # Fail if the triggering actor is not part of Zama organization. + # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. + check-user-permission: + needs: check-ci-files + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_triggering_actor.yml + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + setup-instance: name: Setup instance (cuda-signed-classic-tests) - needs: should-run - if: github.event_name != 'pull_request' || + needs: [ should-run, check-user-permission ] + if: github.event_name != 'pull_request_target' || (github.event.action != 'labeled' && needs.should-run.outputs.gpu_test == 'true') || (github.event.action == 'labeled' && github.event.label.name == 'approved' && needs.should-run.outputs.gpu_test == 'true') runs-on: ubuntu-latest @@ -81,10 +114,10 @@ jobs: cuda-tests-linux: name: CUDA signed integer tests with classical PBS needs: [ should-run, setup-instance ] - if: github.event_name != 'pull_request' || - (github.event_name == 'pull_request' && needs.setup-instance.result != 'skipped') + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.setup-instance.result != 'skipped') concurrency: - group: ${{ github.workflow }}_${{ github.ref }} + group: ${{ github.workflow }}_${{ github.head_ref || github.ref }} cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} runs-on: ${{ needs.setup-instance.outputs.runner-name }} strategy: 
@@ -98,6 +131,10 @@ jobs: steps: - name: Checkout tfhe-rs uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + with: + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Setup Hyperstack dependencies uses: ./.github/actions/hyperstack_setup @@ -129,7 +166,7 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ needs.cuda-tests-linux.result }} - SLACK_MESSAGE: "Integer GPU signed integer tests with classical PBS finished with status: ${{ needs.cuda-tests-linux.result }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Integer GPU signed integer tests with classical PBS finished with status: ${{ needs.cuda-tests-linux.result }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" teardown-instance: name: Teardown instance (cuda-signed-classic-tests) @@ -153,4 +190,4 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Instance teardown (cuda-signed-classic-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Instance teardown (cuda-signed-classic-tests) finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" diff --git a/.github/workflows/gpu_signed_integer_h100_tests.yml b/.github/workflows/gpu_signed_integer_h100_tests.yml index 91a6f64d10..9846491b4c 100644 --- a/.github/workflows/gpu_signed_integer_h100_tests.yml +++ b/.github/workflows/gpu_signed_integer_h100_tests.yml 
@@ -11,13 +11,28 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} - IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }} + IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' || github.event_name == 'pull_request_target' }} + REF: ${{ github.event.pull_request.head.sha || github.sha }} on: # Allows you to run this workflow manually from the Actions tab as an alternative. workflow_dispatch: + # Trigger pull_request event on CI files to be able to test changes before merging to main branch. + # Workflow would fail if changes come from a forked repository since secrets are not available with this event. pull_request: - types: [ labeled ] + types: [ labeled ] + paths: + - '.github/**' + - 'ci/**' + # General entry point for Zama's pull request as well as contribution from forks. + pull_request_target: + types: [ labeled ] + paths: + - '**' + - '!.github/**' + - '!ci/**' jobs: should-run: @@ -33,6 +48,7 @@ jobs: fetch-depth: 0 persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Check for file changes id: changed-files 
@@ -57,10 +73,27 @@ jobs: - scripts/integer-tests.sh - ci/slab.toml + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + + # Fail if the triggering actor is not part of Zama organization. + # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. + check-user-permission: + needs: check-ci-files + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_triggering_actor.yml + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + setup-instance: name: Setup instance (cuda-h100-tests) - needs: should-run - if: github.event_name != 'pull_request' || + needs: [ should-run, check-user-permission ] + if: github.event_name != 'pull_request_target' || (github.event.action != 'labeled' && needs.should-run.outputs.gpu_test == 'true') || (github.event.action == 'labeled' && github.event.label.name == 'approved' && needs.should-run.outputs.gpu_test == 'true') runs-on: ubuntu-latest @@ -81,10 +114,10 @@ jobs: cuda-tests-linux: name: CUDA H100 signed integer tests needs: [ should-run, setup-instance ] - if: github.event_name != 'pull_request' || - (github.event_name == 'pull_request' && needs.setup-instance.result != 'skipped') + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.setup-instance.result != 'skipped') concurrency: - group: ${{ github.workflow }}_${{ github.ref }} + group: ${{ github.workflow }}_${{ github.head_ref || github.ref }} cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} runs-on: ${{ needs.setup-instance.outputs.runner-name }} strategy: 
@@ -98,6 +131,10 @@ jobs: steps: - name: Checkout tfhe-rs uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + with: + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Setup Hyperstack dependencies uses: ./.github/actions/hyperstack_setup @@ -129,7 +166,7 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ needs.cuda-tests-linux.result }} - SLACK_MESSAGE: "Integer GPU H100 tests finished with status: ${{ needs.cuda-tests-linux.result }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Integer GPU H100 tests finished with status: ${{ needs.cuda-tests-linux.result }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" teardown-instance: name: Teardown instance (cuda-h100-tests) @@ -153,4 +190,4 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Instance teardown (cuda-h100-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Instance teardown (cuda-h100-tests) finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" diff --git a/.github/workflows/gpu_signed_integer_tests.yml b/.github/workflows/gpu_signed_integer_tests.yml index 909354e1b6..b0cabfc6af 100644 --- a/.github/workflows/gpu_signed_integer_tests.yml +++ b/.github/workflows/gpu_signed_integer_tests.yml 
@@ -11,17 +11,28 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }} FAST_TESTS: TRUE NIGHTLY_TESTS: FALSE - IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' }} + IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' || github.event_name == 'pull_request_target' }} + REF: ${{ github.event.pull_request.head.sha || github.sha }} on: # Allows you to run this workflow manually from the Actions tab as an alternative. workflow_dispatch: + # Trigger pull_request event on CI files to be able to test changes before merging to main branch. + # Workflow would fail if changes come from a forked repository since secrets are not available with this event. pull_request: - types: - - opened - - synchronize + paths: + - '.github/**' + - 'ci/**' + # General entry point for Zama's pull request as well as contribution from forks. + pull_request_target: + paths: + - '**' + - '!.github/**' + - '!ci/**' schedule: # Nightly tests @ 1AM after each work day - cron: "0 1 * * MON-FRI" @@ -40,6 +51,7 @@ jobs: fetch-depth: 0 persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Check for file changes id: changed-files 
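Review bot: `SLACK_WEBHOOK` and `SLACK_USERNAME` sit in the workflow-level `env:` that this hunk extends, so every step of every job inherits them. With `pull_request_target` added below, secrets are populated for fork pull requests too, and the test job builds and runs the checked-out head in that same environment. I would leave only `MSG_MINIMAL`, `BRANCH` and `REF` at workflow level and move the two `secrets.*` entries into the `env:` of the Slack notification steps, which already set `SLACK_COLOR` and `SLACK_MESSAGE`. The classic, unsigned H100 and unsigned workflows carry the same block.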
@@ -64,10 +76,27 @@ jobs: - scripts/integer-tests.sh - ci/slab.toml + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + + # Fail if the triggering actor is not part of Zama organization. + # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. + check-user-permission: + needs: check-ci-files + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_triggering_actor.yml + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + setup-instance: name: Setup instance (cuda-signed-integer-tests) runs-on: ubuntu-latest - needs: should-run + needs: [ should-run, check-user-permission ] if: (github.event_name == 'schedule' && github.repository == 'zama-ai/tfhe-rs') || github.event_name == 'workflow_dispatch' || needs.should-run.outputs.gpu_test == 'true' @@ -88,10 +117,10 @@ jobs: cuda-signed-integer-tests: name: CUDA signed integer tests needs: [ should-run, setup-instance ] - if: github.event_name != 'pull_request' || - (github.event_name == 'pull_request' && needs.setup-instance.result != 'skipped') + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.setup-instance.result != 'skipped') concurrency: - group: ${{ github.workflow }}_${{ github.ref }} + group: ${{ github.workflow }}_${{ github.head_ref || github.ref }} cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} runs-on: ${{ needs.setup-instance.outputs.runner-name }} strategy: @@ -108,6 +137,7 @@ jobs: with: persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Setup Hyperstack dependencies uses: ./.github/actions/hyperstack_setup 
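Review bot: `check-user-permission` hands `secrets.GITHUB_TOKEN` to a reusable workflow, and no `permissions:` key appears in the visible hunks of this commit. For `pull_request_target` the token gets the repository's default scopes even when the pull request comes from a fork, so unless the repository default is already read-only, the jobs here run with more than they need. A top-level `permissions: {}` with per-job grants (for instance `contents: read` where a job needs it) would pin that down; what `check_triggering_actor.yml` itself requires is not visible from here. This applies to each workflow that gains the `pull_request_target` trigger in this commit.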
@@ -147,7 +177,7 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ needs.cuda-signed-integer-tests.result }} - SLACK_MESSAGE: "Base GPU tests finished with status: ${{ needs.cuda-signed-integer-tests.result }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Base GPU tests finished with status: ${{ needs.cuda-signed-integer-tests.result }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" teardown-instance: name: Teardown instance (cuda-tests) @@ -171,4 +201,4 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Instance teardown (cuda-signed-integer-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Instance teardown (cuda-signed-integer-tests) finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" diff --git a/.github/workflows/gpu_unsigned_integer_classic_tests.yml b/.github/workflows/gpu_unsigned_integer_classic_tests.yml index c546551457..5d1f6ebdef 100644 --- a/.github/workflows/gpu_unsigned_integer_classic_tests.yml +++ b/.github/workflows/gpu_unsigned_integer_classic_tests.yml 
@@ -11,13 +11,28 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} - IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }} + IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' || github.event_name == 'pull_request_target' }} + REF: ${{ github.event.pull_request.head.sha || github.sha }} on: # Allows you to run this workflow manually from the Actions tab as an alternative. workflow_dispatch: + # Trigger pull_request event on CI files to be able to test changes before merging to main branch. + # Workflow would fail if changes come from a forked repository since secrets are not available with this event. pull_request: - types: [ labeled ] + types: [ labeled ] + paths: + - '.github/**' + - 'ci/**' + # General entry point for Zama's pull request as well as contribution from forks. + pull_request_target: + types: [ labeled ] + paths: + - '**' + - '!.github/**' + - '!ci/**' jobs: should-run: @@ -33,6 +48,7 @@ jobs: fetch-depth: 0 persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Check for file changes id: changed-files 
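Review bot: The `pull_request_target` filter `'**'`, `'!.github/**'`, `'!ci/**'` does not keep out pull requests that touch CI files, and nothing in the block says so. A path filter matches when at least one changed file survives it, so a pull request changing both a source file and something under `.github/` fires this event, and `pull_request` as well. The real guard is the `check-ci-files` job, so I would state that next to the trigger: `# Path filters only select the event; PRs that also touch CI files are stopped by check-ci-files.` The same trigger block is added to the other GPU workflows and to `m1_tests.yml`.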
@@ -57,10 +73,27 @@ jobs: - scripts/integer-tests.sh - ci/slab.toml + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + + # Fail if the triggering actor is not part of Zama organization. + # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. + check-user-permission: + needs: check-ci-files + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_triggering_actor.yml + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + setup-instance: name: Setup instance (cuda-unsigned-classic-tests) - needs: should-run - if: github.event_name != 'pull_request' || + needs: [ should-run, check-user-permission ] + if: github.event_name == 'workflow_dispatch' || (github.event.action != 'labeled' && needs.should-run.outputs.gpu_test == 'true') || (github.event.action == 'labeled' && github.event.label.name == 'approved' && needs.should-run.outputs.gpu_test == 'true') runs-on: ubuntu-latest @@ -81,10 +114,10 @@ jobs: cuda-tests-linux: name: CUDA unsigned integer tests with classical PBS needs: [ should-run, setup-instance ] - if: github.event_name != 'pull_request' || - (github.event_name == 'pull_request' && needs.setup-instance.result != 'skipped') + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.setup-instance.result != 'skipped') concurrency: - group: ${{ github.workflow }}_${{ github.ref }} + group: ${{ github.workflow }}_${{ github.head_ref || github.ref }} cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} runs-on: ${{ needs.setup-instance.outputs.runner-name }} strategy: 
@@ -98,6 +131,10 @@ jobs: steps: - name: Checkout tfhe-rs uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + with: + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Setup Hyperstack dependencies uses: ./.github/actions/hyperstack_setup @@ -129,7 +166,7 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ needs.cuda-tests-linux.result }} - SLACK_MESSAGE: "Unsigned integer GPU classic tests finished with status: ${{ needs.cuda-tests-linux.result }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Unsigned integer GPU classic tests finished with status: ${{ needs.cuda-tests-linux.result }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" teardown-instance: name: Teardown instance (cuda-unsigned-classic-tests) @@ -153,4 +190,4 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Instance teardown (cuda-unsigned-classic-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Instance teardown (cuda-unsigned-classic-tests) finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" diff --git a/.github/workflows/gpu_unsigned_integer_h100_tests.yml b/.github/workflows/gpu_unsigned_integer_h100_tests.yml index 8157d9f010..347482fdde 100644 --- a/.github/workflows/gpu_unsigned_integer_h100_tests.yml +++ b/.github/workflows/gpu_unsigned_integer_h100_tests.yml 
@@ -11,13 +11,28 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} - IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }} + IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' || github.event_name == 'pull_request_target' }} + REF: ${{ github.event.pull_request.head.sha || github.sha }} on: # Allows you to run this workflow manually from the Actions tab as an alternative. workflow_dispatch: + # Trigger pull_request event on CI files to be able to test changes before merging to main branch. + # Workflow would fail if changes come from a forked repository since secrets are not available with this event. pull_request: - types: [ labeled ] + types: [ labeled ] + paths: + - '.github/**' + - 'ci/**' + # General entry point for Zama's pull request as well as contribution from forks. + pull_request_target: + types: [ labeled ] + paths: + - '**' + - '!.github/**' + - '!ci/**' jobs: should-run: @@ -33,6 +48,7 @@ jobs: fetch-depth: 0 persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Check for file changes id: changed-files 
@@ -57,10 +73,27 @@ jobs: - scripts/integer-tests.sh - ci/slab.toml + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + + # Fail if the triggering actor is not part of Zama organization. + # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. + check-user-permission: + needs: check-ci-files + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_triggering_actor.yml + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + setup-instance: name: Setup instance (cuda-h100-tests) - needs: should-run - if: github.event_name != 'pull_request' || + needs: [ should-run, check-user-permission ] + if: github.event_name == 'workflow_dispatch' || (github.event.action != 'labeled' && needs.should-run.outputs.gpu_test == 'true') || (github.event.action == 'labeled' && github.event.label.name == 'approved' && needs.should-run.outputs.gpu_test == 'true') runs-on: ubuntu-latest @@ -81,10 +114,10 @@ jobs: cuda-tests-linux: name: CUDA H100 unsigned integer tests needs: [ should-run, setup-instance ] - if: github.event_name != 'pull_request' || - (github.event_name == 'pull_request' && needs.setup-instance.result != 'skipped') + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.setup-instance.result != 'skipped') concurrency: - group: ${{ github.workflow }}_${{ github.ref }} + group: ${{ github.workflow }}_${{ github.head_ref || github.ref }} cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} runs-on: ${{ needs.setup-instance.outputs.runner-name }} strategy: 
@@ -98,6 +131,10 @@ jobs: steps: - name: Checkout tfhe-rs uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + with: + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Setup Hyperstack dependencies uses: ./.github/actions/hyperstack_setup @@ -129,7 +166,7 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ needs.cuda-tests-linux.result }} - SLACK_MESSAGE: "Unsigned integer GPU H100 tests finished with status: ${{ needs.cuda-tests-linux.result }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Unsigned integer GPU H100 tests finished with status: ${{ needs.cuda-tests-linux.result }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" teardown-instance: name: Teardown instance (cuda-h100-tests) @@ -153,4 +190,4 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Instance teardown (cuda-h100-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Instance teardown (cuda-h100-tests) finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" diff --git a/.github/workflows/gpu_unsigned_integer_tests.yml b/.github/workflows/gpu_unsigned_integer_tests.yml index 7fe26491aa..740c8e077a 100644 --- a/.github/workflows/gpu_unsigned_integer_tests.yml +++ b/.github/workflows/gpu_unsigned_integer_tests.yml 
@@ -11,16 +11,29 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }} FAST_TESTS: TRUE NIGHTLY_TESTS: FALSE + REF: ${{ github.event.pull_request.head.sha || github.sha }} on: # Allows you to run this workflow manually from the Actions tab as an alternative. workflow_dispatch: + # Trigger pull_request event on CI files to be able to test changes before merging to main branch. + # Workflow would fail if changes come from a forked repository since secrets are not available with this event. pull_request: - types: - - opened - - synchronize + types: [ labeled ] + paths: + - '.github/**' + - 'ci/**' + # General entry point for Zama's pull request as well as contribution from forks. + pull_request_target: + types: [ labeled ] + paths: + - '**' + - '!.github/**' + - '!ci/**' schedule: # Nightly tests @ 1AM after each work day - cron: "0 1 * * MON-FRI" @@ -39,6 +52,7 @@ jobs: fetch-depth: 0 persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Check for file changes id: changed-files 
@@ -63,9 +77,26 @@ jobs: - scripts/integer-tests.sh - ci/slab.toml + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + + # Fail if the triggering actor is not part of Zama organization. + # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. + check-user-permission: + needs: check-ci-files + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_triggering_actor.yml + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + setup-instance: name: Setup instance (cuda-unsigned-integer-tests) - needs: should-run + needs: [ should-run, check-user-permission ] if: (github.event_name == 'schedule' && github.repository == 'zama-ai/tfhe-rs') || github.event_name == 'workflow_dispatch' || needs.should-run.outputs.gpu_test == 'true' @@ -87,10 +118,10 @@ jobs: cuda-unsigned-integer-tests: name: CUDA unsigned integer tests needs: [ should-run, setup-instance ] - if: github.event_name != 'pull_request' || - (github.event_name == 'pull_request' && needs.setup-instance.result != 'skipped') + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.setup-instance.result != 'skipped') concurrency: - group: ${{ github.workflow }}_${{ github.ref }} + group: ${{ github.workflow }}_${{ github.head_ref || github.ref }} cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} runs-on: ${{ needs.setup-instance.outputs.runner-name }} strategy: 
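Review bot: `setup-instance` in this workflow has no label-name check, yet the trigger hunk above switches both pull-request events to `types: [ labeled ]`. Any label added to a pull request therefore starts an instance whenever `gpu_test` is true, whereas the classic and H100 workflows require `github.event.label.name == 'approved'`. If the label is meant to be the approval step for fork code, the last clause could become `(needs.should-run.outputs.gpu_test == 'true' && (github.event.action != 'labeled' || github.event.label.name == 'approved'))`. The `if:` lines are unchanged context in this hunk; only `needs` was edited.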
@@ -104,6 +135,10 @@ jobs: steps: - name: Checkout tfhe-rs uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + with: + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Setup Hyperstack dependencies uses: ./.github/actions/hyperstack_setup @@ -143,7 +178,7 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ needs.cuda-unsigned-integer-tests.result }} - SLACK_MESSAGE: "Unsigned integer GPU tests finished with status: ${{ needs.cuda-unsigned-integer-tests.result }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Unsigned integer GPU tests finished with status: ${{ needs.cuda-unsigned-integer-tests.result }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" teardown-instance: name: Teardown instance (cuda-tests) @@ -167,4 +202,4 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Instance teardown (cuda-unsigned-integer-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Instance teardown (cuda-unsigned-integer-tests) finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" diff --git a/.github/workflows/m1_tests.yml b/.github/workflows/m1_tests.yml index 88138dd452..510de60927 100644 --- a/.github/workflows/m1_tests.yml +++ b/.github/workflows/m1_tests.yml 
@@ -2,8 +2,20 @@ name: Tests on M1 CPU on: workflow_dispatch: + # Trigger pull_request event on CI files to be able to test changes before merging to main branch. + # Workflow would fail if changes come from a forked repository since secrets are not available with this event. pull_request: - types: [labeled] + types: [ labeled ] + paths: + - '.github/**' + - 'ci/**' + # General entry point for Zama's pull request as well as contribution from forks. + pull_request_target: + types: [ labeled ] + paths: + - '**' + - '!.github/**' + - '!ci/**' # Have a nightly build for M1 tests schedule: # * is a special character in YAML so you have to quote this string 
@@ -21,14 +33,35 @@ env: # We clear the cache to reduce memory pressure because of the numerous processes of cargo # nextest TFHE_RS_CLEAR_IN_MEMORY_KEY_CACHE: "1" + REF: ${{ github.event.pull_request.head.sha || github.sha }} concurrency: - group: ${{ github.workflow }}-${{ github.head_ref }} + group: ${{ github.workflow }}_${{ github.head_ref || github.ref }} cancel-in-progress: true jobs: + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + + # Fail if the triggering actor is not part of Zama organization. + # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. + check-user-permission: + needs: check-ci-files + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_triggering_actor.yml + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + cargo-builds-m1: - if: ${{ (github.event_name == 'schedule' && github.repository == 'zama-ai/tfhe-rs') || github.event_name == 'workflow_dispatch' || contains(github.event.label.name, 'm1_test') }} + needs: check-user-permission + if: ${{ (github.event_name == 'schedule' && github.repository == 'zama-ai/tfhe-rs') || + github.event_name == 'workflow_dispatch' || + contains(github.event.label.name, 'm1_test') }} runs-on: ["self-hosted", "m1mac"] # 12 hours, default is 6 hours, hopefully this is more than enough timeout-minutes: 720 @@ -37,6 +70,8 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: persist-credentials: "false" + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Install latest stable uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 
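Review bot: `cargo-builds-m1` accepts any label whose name contains `m1_test`, because the gate is `contains(github.event.label.name, 'm1_test')`. With `pull_request_target` that label is now what lets fork code run on the `self-hosted` `m1mac` machine, so an exact match is the safer gate: `github.event.label.name == 'm1_test'`. Whether that runner is wiped between jobs cannot be told from this file; if it is not, a comment next to `runs-on` noting that state can carry over from a contributor build to later runs would be worth adding.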
@@ -178,7 +213,7 @@ jobs: if: ${{ always() }} steps: - uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 - if: ${{ github.event_name == 'pull_request' }} + if: ${{ github.event_name == 'pull_request_target' }} with: labels: m1_test github_token: ${{ secrets.GITHUB_TOKEN }} @@ -191,6 +226,8 @@ jobs: SLACK_COLOR: ${{ needs.cargo-builds-m1.result }} SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }} SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png - SLACK_MESSAGE: "M1 tests finished with status: ${{ needs.cargo-builds-m1.result }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "M1 tests finished with status: ${{ needs.cargo-builds-m1.result }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }}
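Review bot: The label-removal step now runs only for `pull_request_target`, but the `pull_request` trigger (CI-file changes, `types: [ labeled ]`) still starts this workflow from the `m1_test` label. On those runs the label stays on the pull request. `if: ${{ github.event_name == 'pull_request' || github.event_name == 'pull_request_target' }}` would cover both.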
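Review bot: `BRANCH` is defined in the same step `env:` map that reads it through `${{ env.BRANCH }}` in `SLACK_MESSAGE`. As far as I know, the `env` context seen while a step's `env:` is evaluated holds only workflow- and job-level values, so the message would likely render as `on ''`; the other workflows define `BRANCH` at workflow level. The env hunk earlier in this file adds only `REF`, so I would add `BRANCH: ${{ github.head_ref || github.ref }}` there and leave `MSG_MINIMAL` on the step.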