IDX GitHub Automation

dfinity · Feb 25, 2025 · 0c36050 · 0c36050
1 parent 91a4fa8
commit 0c36050
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 48 deletions.
diff --git a/.github/workflows/ci-main.yml b/.github/workflows/ci-main.yml
@@ -40,7 +40,7 @@ jobs:
       group: zh1
       labels: dind-large
     env:
-      CLOUD_CREDENTIALS_CONTENT: ${{ secrets.CLOUD_CREDENTIALS_CONTENT }}
+      #CLOUD_CREDENTIALS_CONTENT: ${{ secrets.CLOUD_CREDENTIALS_CONTENT }}
       # Only run ci/bazel-scripts/diff.sh on PRs that are not labeled with "CI_ALL_BAZEL_TARGETS".
       OVERRIDE_DIDC_CHECK: ${{ contains(github.event.pull_request.labels.*.name, 'CI_OVERRIDE_DIDC_CHECK') }}
       CI_OVERRIDE_BUF_BREAKING: ${{ contains(github.event.pull_request.labels.*.name, 'CI_OVERRIDE_BUF_BREAKING') }}
@@ -101,6 +101,11 @@ jobs:
           BAZEL_TARGETS: //...
           BUILDEVENT_APIKEY: ${{ secrets.HONEYCOMB_TOKEN }}
           GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+      - name: Upload SHA256SUMS (cache)
+        uses: actions/upload-artifact@v4
+        with:
+          name: shasums-cache
+          path: SHA256SUMS
       - name: Upload bazel-bep
         # runs only if previous step succeeded or failed;
         # we avoid collecting artifacts of jobs that were cancelled
@@ -138,8 +143,8 @@ jobs:
       - name: Run Bazel Test Darwin x86-64
         id: bazel-test-darwin-x86-64
         uses: ./.github/actions/bazel-test-all/
-        env:
-          CLOUD_CREDENTIALS_CONTENT: ${{ secrets.CLOUD_CREDENTIALS_CONTENT }}
+        #env:
+        #CLOUD_CREDENTIALS_CONTENT: ${{ secrets.CLOUD_CREDENTIALS_CONTENT }}
         with:
           BAZEL_COMMAND: >-
             test --config=ci --config=macos_ci --test_tag_filters=test_macos
@@ -291,77 +296,66 @@ jobs:
         id: build-ic
         shell: bash
         run: |
-          set -eExuo pipefail
-          [ -n "${NODE_NAME:-}" ] && echo "Run on node: $NODE_NAME" >>$GITHUB_STEP_SUMMARY
+          set -euo pipefail
           REPO_NAME="${GITHUB_REPOSITORY##*/}"
           rm -rf "/cache/job/${CI_JOB_NAME}/${CI_RUN_ID}"
           mkdir -p "/cache/job/${CI_JOB_NAME}/${CI_RUN_ID}/artifacts"
           ln -s "/cache/job/${CI_JOB_NAME}/${CI_RUN_ID}/artifacts" /__w/$REPO_NAME/$REPO_NAME/artifacts
           "$CI_PROJECT_DIR"/ci/scripts/run-build-ic.sh
           rm -rf "/cache/job/${CI_JOB_NAME}/${CI_RUN_ID}"
+
+          find -L bazel-out -name SHA256SUMS | xargs cat | sort | uniq > SHA256SUMS
         env:
           BAZEL_COMMAND: build --config=ci
           BAZEL_TARGETS: //...
           MERGE_BASE_SHA: ${{ github.event.pull_request.base.sha }}
           BRANCH_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
           RUN_ON_DIFF_ONLY: ${{ github.event_name == 'pull_request' && !contains(github.event.pull_request.labels.*.name, 'CI_ALL_BAZEL_TARGETS') }}
-      - name: Upload build-ic.tar
+      - name: Upload SHA256SUMS (nocache)
         uses: actions/upload-artifact@v4
         with:
-          name: build-ic
-          retention-days: 1
-          if-no-files-found: error
-          path: |
-            build-ic.tar
+          name: shasums-nocache
+          path: SHA256SUMS
   build-determinism:
     name: Build Determinism
     runs-on: ubuntu-latest
     timeout-minutes: 30
     # NOTE: this expects "build-ic" to have built the same set of targets
     # as "bazel-test-all"
     needs: [build-ic, bazel-test-all]
-    strategy:
-      matrix:
-        include:
-          - TARGET: "//publish/binaries:upload"
-            PATH0: "release"
-            PATH1: "build-ic/release"
-            SETUPOS_FLAG: "false"
-          - TARGET: "//publish/canisters:upload"
-            PATH0: "canisters"
-            PATH1: "build-ic/canisters"
-            SETUPOS_FLAG: "false"
-          - TARGET: "//ic-os/guestos/envs/prod:upload_disk-img"
-            PATH0: "guest-os/update-img"
-            PATH1: "build-ic/icos/guestos"
-            SETUPOS_FLAG: "false"
-          - TARGET: "//ic-os/hostos/envs/prod:upload_update-img"
-            PATH0: "host-os/update-img"
-            PATH1: "build-ic/icos/hostos"
-            SETUPOS_FLAG: "false"
-          - TARGET: "//ic-os/setupos/envs/prod:upload_disk-img"
-            PATH0: "setup-os/disk-img"
-            PATH1: "build-ic/icos/setupos"
-            SETUPOS_FLAG: "true"
     steps:
       - name: Checkout
         uses: actions/checkout@v4
         with:
           fetch-depth: ${{ github.event_name == 'pull_request' && 256 || 0 }}
-      - name: Download build-ic.tar [build-ic]
+      - name: Download SHA256SUMS (cache)
         uses: actions/download-artifact@v4
         with:
-          name: build-ic
+          name: shasums-cache
+          paths: shasums-cache
+      - name: Download SHA256SUMS (nocache)
+        uses: actions/download-artifact@v4
+        with:
+          name: shasums-nocache
+          paths: shasums-nocache
       - name: Build Determinism Test
-        id: build-determinism
         run: |
-          tar -xf build-ic.tar # build-determinism.sh expects ./build-ic/
-          "$CI_PROJECT_DIR"/ci/scripts/build-determinism.sh
-        env:
-          TARGET: ${{ matrix.TARGET }}
-          PATH0: ${{ matrix.PATH0 }}
-          PATH1: ${{ matrix.PATH1 }}
-          SETUPOS_FLAG: ${{ matrix.SETUPOS_FLAG }}
+          n_lines=$(cat shasums-nocache/SHA256SUMS | wc -l)
+          echo "comparing $n_lines lines"
+          if [ "$n_lines" == 0 ]; then
+            echo "No lines to compare, this is unexpected"
+            exit 1
+          fi
+
+          difference=$(comm -23 <(sort shasums-nocache/SHA256SUMS | uniq) <(sort shasums-cache/SHA256SUMS | uniq))
+          if [ -n "$difference" ]; then
+            echo "Build Determinism Check Failed! Please contact IDX."
+            echo "The following artifacts were different:"
+            echo "$difference"
+            exit 1
+          fi
+
+          echo "Build Determinism Check Successful"
   cargo-clippy-linux:
     name: Cargo Clippy Linux
     container:

diff --git a/.github/workflows/schedule-hourly.yml b/.github/workflows/schedule-hourly.yml
@@ -33,13 +33,13 @@ jobs:
         env:
           CLOUD_CREDENTIALS_CONTENT: ${{ secrets.CLOUD_CREDENTIALS_CONTENT }}
         with:
-          # --config=stamped is required for the BNs as they rely for both dev and prod deployment
+          # --config=release is required for the BNs as they rely for both dev and prod deployment
           # on images being uploaded to the S3 bucket
           BAZEL_COMMAND: >-
             build
 
 
-              --config=ci --config=stamped
+              --config=ci --config=release
               --repository_cache= --disk_cache= --noremote_accept_cached --remote_instance_name=${CI_COMMIT_SHA} --@rules_rust//rust/settings:pipelined_compilation=True
           BAZEL_TARGETS: //...
           GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
@@ -78,10 +78,10 @@ jobs:
         id: bazel-test-all
         uses: ./.github/actions/bazel-test-all/
         with:
-          # --config=stamped is required for the BNs as they rely for both dev and prod deployment
+          # --config=release is required for the BNs as they rely for both dev and prod deployment
           # on images being uploaded to the S3 bucket
           BAZEL_COMMAND: >-
-            test --config=ci --config=stamped --keep_going --test_tag_filters=system_test_hourly
+            test --config=ci --config=release --keep_going --test_tag_filters=system_test_hourly
           BAZEL_TARGETS: //rs/...
           BUILDEVENT_APIKEY: ${{ secrets.HONEYCOMB_TOKEN }}
           GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}