andrew
0921d8fedf
hardening-check tests both CET (x86-only) and branch protection (arm64-only), so pass the ignore flag for whichever doesn't apply to the build arch. The release upload step runs with if: always() so test results are uploaded even when an earlier step fails, but in that case cpack never ran and mc errored on the unmatched package globs. Skip missing packages instead.
249 lines
8.2 KiB
YAML
249 lines
8.2 KiB
YAML
name: CI
|
|
|
|
on: [push, pull_request]
|
|
|
|
jobs:
|
|
build-image:
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
include:
|
|
- runner: ubuntu-latest-amd64
|
|
arch: amd64
|
|
- runner: ubuntu-latest-arm64
|
|
arch: arm64
|
|
runs-on: ${{ matrix.runner }}
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Log in to registry
|
|
env:
|
|
REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
|
|
REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
|
|
run: |
|
|
echo "$REGISTRY_TOKEN" \
|
|
| docker login -u "$REGISTRY_USER" --password-stdin git.weaselab.dev
|
|
|
|
- name: Build and push image if changed
|
|
run: |
|
|
image=git.weaselab.dev/weaselab/conflict-set-ci
|
|
hash="$(sha256sum Dockerfile .pre-commit-config.yaml | sha256sum | cut -c 1-16)"
|
|
latest="$image:latest-${{ matrix.arch }}"
|
|
current="$(docker buildx imagetools inspect "$latest" \
|
|
--format '{{index .Image.Config.Labels "dev.weaselab.ci-hash"}}' 2> /dev/null || true)"
|
|
if [ "$current" = "$hash" ]; then
|
|
echo "$latest is up to date"
|
|
else
|
|
docker build --push --label "dev.weaselab.ci-hash=$hash" -t "$latest" .
|
|
fi
|
|
|
|
pre-commit:
|
|
needs: build-image
|
|
runs-on: ubuntu-latest-amd64
|
|
container:
|
|
image: git.weaselab.dev/weaselab/conflict-set-ci:latest-amd64
|
|
credentials:
|
|
username: ${{ secrets.REGISTRY_USER }}
|
|
password: ${{ secrets.REGISTRY_TOKEN }}
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Run pre-commit
|
|
env:
|
|
# use the hooks pre-installed in the image
|
|
HOME: /tmp
|
|
run: |
|
|
git config --global --add safe.directory "$PWD"
|
|
pre-commit run --all-files --show-diff-on-failure
|
|
|
|
test:
|
|
needs: build-image
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
include:
|
|
- name: 64-bit-versions
|
|
cmake_args: -DCMAKE_CXX_FLAGS=-DUSE_64_BIT=1
|
|
- name: debug
|
|
cmake_args: -DCMAKE_BUILD_TYPE=Debug
|
|
- name: simd-fallback
|
|
cmake_args: -DUSE_SIMD_FALLBACK=ON
|
|
- name: gcc
|
|
cmake_args: -DCMAKE_C_COMPILER=gcc -DCMAKE_CXX_COMPILER=g++
|
|
runs-on: ubuntu-latest-amd64
|
|
container:
|
|
image: git.weaselab.dev/weaselab/conflict-set-ci:latest-amd64
|
|
credentials:
|
|
username: ${{ secrets.REGISTRY_USER }}
|
|
password: ${{ secrets.REGISTRY_TOKEN }}
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- uses: actions/cache@v4
|
|
with:
|
|
path: .ccache
|
|
key: ccache-${{ matrix.name }}-${{ gitea.sha }}
|
|
restore-keys: |
|
|
ccache-${{ matrix.name }}-
|
|
|
|
- name: Build
|
|
run: |
|
|
export CCACHE_DIR="$GITHUB_WORKSPACE/.ccache"
|
|
rm -rf build
|
|
cmake -S . -B build -G Ninja -DCMAKE_CXX_COMPILER_LAUNCHER=ccache ${{ matrix.cmake_args }}
|
|
ninja -C build
|
|
ccache -s
|
|
|
|
- name: Test
|
|
run: |
|
|
cd build
|
|
ctest --no-compress-output --test-output-size-passed 100000 --test-output-size-failed 100000 -T Test -j "$(nproc)" --timeout 90 > /dev/null
|
|
|
|
- name: Upload test results to MinIO
|
|
if: always()
|
|
env:
|
|
MINIO_ACCESS_KEY: ${{ secrets.MINIO_ACCESS_KEY }}
|
|
MC_HOST_minio: https://${{ secrets.MINIO_ACCESS_KEY }}:${{ secrets.MINIO_SECRET_KEY }}@minio.weaselab.dev
|
|
run: |
|
|
if [ -z "$MINIO_ACCESS_KEY" ]; then
|
|
echo "MinIO credentials not configured; skipping upload"
|
|
exit 0
|
|
fi
|
|
zstd build/Testing/*/Test.xml
|
|
mc cp build/Testing/*/Test.xml.zst "minio/jenkins/conflict-set/${{ gitea.run_number }}/${{ matrix.name }}/"
|
|
|
|
release:
|
|
needs: build-image
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
include:
|
|
- runner: ubuntu-latest-amd64
|
|
arch: amd64
|
|
- runner: ubuntu-latest-arm64
|
|
arch: arm64
|
|
runs-on: ${{ matrix.runner }}
|
|
container:
|
|
image: git.weaselab.dev/weaselab/conflict-set-ci:latest-${{ matrix.arch }}
|
|
credentials:
|
|
username: ${{ secrets.REGISTRY_USER }}
|
|
password: ${{ secrets.REGISTRY_TOKEN }}
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- uses: actions/cache@v4
|
|
with:
|
|
path: .ccache
|
|
key: ccache-release-${{ matrix.arch }}-${{ gitea.sha }}
|
|
restore-keys: |
|
|
ccache-release-${{ matrix.arch }}-
|
|
|
|
- name: Build
|
|
run: |
|
|
export CCACHE_DIR="$GITHUB_WORKSPACE/.ccache"
|
|
rm -rf build
|
|
cmake -S . -B build -G Ninja -DCMAKE_CXX_COMPILER_LAUNCHER=ccache -DCMAKE_CXX_FLAGS=-DNVALGRIND
|
|
ninja -C build
|
|
ccache -s
|
|
|
|
- name: Test
|
|
run: |
|
|
cd build
|
|
ctest --no-compress-output --test-output-size-passed 100000 --test-output-size-failed 100000 -T Test -j "$(nproc)" --timeout 90 > /dev/null
|
|
|
|
- name: Package
|
|
run: |
|
|
cd build
|
|
cpack -G DEB
|
|
cpack -G RPM
|
|
|
|
- name: Build paper
|
|
if: matrix.arch == 'amd64'
|
|
run: |
|
|
cd paper
|
|
make
|
|
|
|
- name: Upload artifacts to MinIO
|
|
if: always()
|
|
env:
|
|
MINIO_ACCESS_KEY: ${{ secrets.MINIO_ACCESS_KEY }}
|
|
MC_HOST_minio: https://${{ secrets.MINIO_ACCESS_KEY }}:${{ secrets.MINIO_SECRET_KEY }}@minio.weaselab.dev
|
|
run: |
|
|
if [ -z "$MINIO_ACCESS_KEY" ]; then
|
|
echo "MinIO credentials not configured; skipping upload"
|
|
exit 0
|
|
fi
|
|
dest="minio/jenkins/conflict-set/${{ gitea.run_number }}/release-${{ matrix.arch }}/"
|
|
zstd build/Testing/*/Test.xml
|
|
mc cp build/Testing/*/Test.xml.zst "$dest"
|
|
# This step runs even when a previous step failed, to upload test
|
|
# results. The packages may never have been built though, so skip
|
|
# them if they're missing.
|
|
if compgen -G "build/*.deb" > /dev/null; then
|
|
mc cp build/*.deb "$dest"
|
|
fi
|
|
if compgen -G "build/*.rpm" > /dev/null; then
|
|
mc cp build/*.rpm "$dest"
|
|
fi
|
|
if compgen -G "paper/*.pdf" > /dev/null; then
|
|
mc cp paper/*.pdf "$dest"
|
|
fi
|
|
|
|
coverage:
|
|
needs: build-image
|
|
runs-on: ubuntu-latest-amd64
|
|
container:
|
|
image: git.weaselab.dev/weaselab/conflict-set-ci:latest-amd64
|
|
credentials:
|
|
username: ${{ secrets.REGISTRY_USER }}
|
|
password: ${{ secrets.REGISTRY_TOKEN }}
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- uses: actions/cache@v4
|
|
with:
|
|
path: .ccache
|
|
key: ccache-coverage-${{ gitea.sha }}
|
|
restore-keys: |
|
|
ccache-coverage-
|
|
|
|
- name: Build
|
|
run: |
|
|
export CCACHE_DIR="$GITHUB_WORKSPACE/.ccache"
|
|
rm -rf build
|
|
cmake -S . -B build -G Ninja -DCMAKE_CXX_COMPILER_LAUNCHER=ccache \
|
|
-DCMAKE_C_FLAGS=--coverage -DCMAKE_CXX_FLAGS=--coverage \
|
|
-DCMAKE_BUILD_TYPE=Debug -DDISABLE_TSAN=ON
|
|
ninja -C build
|
|
ccache -s
|
|
|
|
- name: Test
|
|
run: |
|
|
cd build
|
|
ctest --no-compress-output --test-output-size-passed 100000 --test-output-size-failed 100000 -T Test -j "$(nproc)" --timeout 90 > /dev/null
|
|
|
|
- name: Coverage report
|
|
run: |
|
|
gcov_args=(-f ConflictSet.cpp -f LongestCommonPrefix.h -f Metrics.h
|
|
--gcov-executable "llvm-cov gcov" --exclude-noncode-lines)
|
|
gcovr "${gcov_args[@]}" --cobertura > build/coverage.xml
|
|
gcovr "${gcov_args[@]}"
|
|
gcovr "${gcov_args[@]}" --fail-under-line 100 > /dev/null
|
|
|
|
- name: Upload results to MinIO
|
|
if: always()
|
|
env:
|
|
MINIO_ACCESS_KEY: ${{ secrets.MINIO_ACCESS_KEY }}
|
|
MC_HOST_minio: https://${{ secrets.MINIO_ACCESS_KEY }}:${{ secrets.MINIO_SECRET_KEY }}@minio.weaselab.dev
|
|
run: |
|
|
if [ -z "$MINIO_ACCESS_KEY" ]; then
|
|
echo "MinIO credentials not configured; skipping upload"
|
|
exit 0
|
|
fi
|
|
dest="minio/jenkins/conflict-set/${{ gitea.run_number }}/coverage/"
|
|
zstd build/Testing/*/Test.xml
|
|
mc cp build/Testing/*/Test.xml.zst "$dest"
|
|
if [ -e build/coverage.xml ]; then
|
|
mc cp build/coverage.xml "$dest"
|
|
fi
|