Merge branch 'master' into eichhorl/vetkd

dfinity · Mar 3, 2025 · 1296684 · 1296684
2 parents c78d7b4 + b8bca6a
commit 1296684
Show file tree

Hide file tree

Showing 74 changed files with 1,213 additions and 287 deletions.
diff --git a/.github/actions/bazel-test-all/action.yaml b/.github/actions/bazel-test-all/action.yaml
@@ -12,63 +12,71 @@ inputs:
     required: false
   GPG_PASSPHRASE:
     required: false
+    description: "GPG key to encrypt build events. If the key is not set, events won't be uploaded."
 
 runs:
   using: "composite"
   steps:
-      - name: Run Bazel Test All
-        id: bazel-test-all
+      - name: Prepare worker cache
         shell: bash
         run: |
-          set +e # manual error handling to ensure we can run some post-build commands
-
           # freshly deployed k8s machines require ownership correctly set
           if [ -e /cache ]; then
             sudo find /cache \( -not -user 1001 -or -not -group 1001 \) -exec chown 1001:1001 {} +
           fi
 
-          if [ -n "$SSH_PRIVATE_KEY_BACKUP_POD" ]; then
-            # The following adds the SSH private key to the ssh-agent such that CI can SSH into the backup pod.
-            test -z "${SSH_AUTH_SOCK:-}" && { eval "$(ssh-agent -s)"; ssh-add - <<< "${SSH_PRIVATE_KEY_BACKUP_POD}"; }
-            rm -rf ~/.ssh
-            mkdir -p ~/.ssh
-            chmod 0700 ~/.ssh
-            echo -e "Host *\nUser github-runner\n" > ~/.ssh/config
+      - name: Set up backup pod access
+        shell: bash
+        if: inputs.SSH_PRIVATE_KEY_BACKUP_POD != ''
+        run: |
+          # The following adds the SSH private key to the ssh-agent such that CI can SSH into the backup pod.
+          if [ -z "${SSH_AUTH_SOCK:-}" ]; then
+            eval "$(ssh-agent -s)"
+            ssh-add - <<< '${{ inputs.SSH_PRIVATE_KEY_BACKUP_POD }}'
           fi
 
-          # unset honeycomb api key but use it later for exporter
-          # TODO: remove exporter when users can use superset
-          env -u BUILDEVENT_APIKEY ${GITHUB_WORKSPACE}/ci/bazel-scripts/main.sh
-          BAZEL_EXIT_CODE="$?"
+          rm -rf ~/.ssh
+          mkdir -p ~/.ssh
+          chmod 0700 ~/.ssh
+          echo -e "Host *\nUser github-runner\n" > ~/.ssh/config
 
-          if [ -n "$BUILDEVENT_APIKEY" ] && [ -f ./bazel-bep.pb ]; then
+      - name: Run Bazel Test All
+        id: bazel-test-all
+        shell: bash
+        run: |
+          ${GITHUB_WORKSPACE}/ci/bazel-scripts/main.sh
+        env:
+          BAZEL_COMMAND: ${{ inputs.BAZEL_COMMAND }}
+          BAZEL_TARGETS: ${{ inputs.BAZEL_TARGETS }}
+          BRANCH_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+          CI_EVENT_NAME: ${{ github.event_name }}
+          CI_JOB_URL: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+          MERGE_BASE_SHA: ${{ github.event.pull_request.base.sha }}
+
+      - name: Export bazel build events to honeycomb
+        shell: bash
+        # only upload on success or failure but _not_ on canceled jobs
+        if: (success() || failure()) && inputs.BUILDEVENT_APIKEY != ''
+        run: |
+          if [ -f ./bazel-bep.pb ]; then
               # avoid output unless an error occurs during bes export. This ensures
               # only the (more relevant) output from the main bazel command is shown.
               exportout=$(mktemp)
-              if ! bazel run //bazel/exporter:exporter --build_event_binary_file= -- -f "$(pwd)/bazel-bep.pb" 2> "$exportout" >&2; then
+              if ! BUILDEVENT_APIKEY='${{ inputs.BUILDEVENT_APIKEY }}' bazel run //bazel/exporter:exporter --build_event_binary_file= -- -f "$(pwd)/bazel-bep.pb" 2> "$exportout" >&2; then
                 echo "bes export failed:"
                 cat "$exportout"
               fi
               rm "$exportout"
               echo "BEP events exported to honeycomb!"
           fi
-          if [ -n "$GPG_PASSPHRASE" ] && [ -f ./bazel-bep.pb ]; then
+
+      - name: Encrypt build events
+        shell: bash
+        # only upload on success or failure but _not_ on canceled jobs
+        if: (success() || failure()) && inputs.GPG_PASSPHRASE != ''
+        run: |
+          if [ -f ./bazel-bep.pb ]; then
               gpg --symmetric --cipher-algo AES256 -o bazel-bep.pb.gpg \
-                  --passphrase "$GPG_PASSPHRASE" --batch --yes bazel-bep.pb
+                  --passphrase '${{ inputs.GPG_PASSPHRASE }}' --batch --yes bazel-bep.pb
+              rm -f ./bazel-bep.pb
           fi
-          rm -f bazel-bep.pb
-
-          # output node name to gihub step summary
-          [ -n "${NODE_NAME:-}" ] && echo "Run on node: $NODE_NAME" >>$GITHUB_STEP_SUMMARY
-
-          exit "$BAZEL_EXIT_CODE"
-        env:
-          BAZEL_COMMAND: ${{ inputs.BAZEL_COMMAND }}
-          BAZEL_TARGETS: ${{ inputs.BAZEL_TARGETS }}
-          BRANCH_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-          BUILDEVENT_APIKEY: ${{ inputs.BUILDEVENT_APIKEY }}
-          CI_EVENT_NAME: ${{ github.event_name }}
-          CI_JOB_URL: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
-          MERGE_BASE_SHA: ${{ github.event.pull_request.base.sha }}
-          SSH_PRIVATE_KEY_BACKUP_POD: ${{ inputs.SSH_PRIVATE_KEY_BACKUP_POD }}
-          GPG_PASSPHRASE: ${{ inputs.GPG_PASSPHRASE }}
diff --git a/.github/workflows-source/ci-main.yml b/.github/workflows-source/ci-main.yml
@@ -94,6 +94,7 @@ jobs:
       - <<: *checkout
       - name: Set BAZEL_EXTRA_ARGS
         shell: bash
+        id: bazel-extra-args
         run: |
           set -xeuo pipefail
           # Determine which tests to skip and append 'long_test' for pull requests, merge groups or push on dev-gh-*
@@ -120,21 +121,20 @@ jobs:
           # Prepend tags with '-' and join them with commas for Bazel
           TEST_TAG_FILTERS=$(IFS=,; echo "${EXCLUDED_TEST_TAGS[*]/#/-}")
           # Determine BAZEL_EXTRA_ARGS based on event type or branch name
-          BAZEL_EXTRA_ARGS="--test_tag_filters=$TEST_TAG_FILTERS"
+          BAZEL_EXTRA_ARGS=( "--test_tag_filters=$TEST_TAG_FILTERS" )
           if [[ "$CI_EVENT_NAME" == 'merge_group' ]]; then
-              BAZEL_EXTRA_ARGS+=" --test_timeout_filters=short,moderate --flaky_test_attempts=3"
+              BAZEL_EXTRA_ARGS+=( --test_timeout_filters=short,moderate --flaky_test_attempts=3 )
           elif [[ $BRANCH_NAME =~ ^hotfix-.* ]]; then
-              BAZEL_EXTRA_ARGS+=" --test_timeout_filters=short,moderate"
+              BAZEL_EXTRA_ARGS+=( --test_timeout_filters=short,moderate )
           else
-              BAZEL_EXTRA_ARGS+=" --keep_going"
+              BAZEL_EXTRA_ARGS+=( --keep_going )
           fi
-          # Export BAZEL_EXTRA_ARGS to environment
-          echo "BAZEL_EXTRA_ARGS=$BAZEL_EXTRA_ARGS" >> $GITHUB_ENV
+          echo "BAZEL_EXTRA_ARGS=${BAZEL_EXTRA_ARGS[@]}" >> $GITHUB_OUTPUT
       - name: Run Bazel Test All
         id: bazel-test-all
         uses: ./.github/actions/bazel-test-all/
         with:
-          BAZEL_COMMAND: test --config=ci ${{ env.BAZEL_EXTRA_ARGS }}
+          BAZEL_COMMAND: test --config=ci ${{ steps.bazel-extra-args.outputs.BAZEL_EXTRA_ARGS }}
           BAZEL_TARGETS: //...
           BUILDEVENT_APIKEY: ${{ secrets.HONEYCOMB_TOKEN }}
           GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
@@ -175,7 +175,6 @@ jobs:
             test --config=ci --config=macos_ci
             --test_tag_filters=test_macos
           BAZEL_TARGETS: //rs/... //publish/binaries/...
-          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
       - <<: *bazel-bep
       - name: Purge Bazel Output
         if: always()
@@ -258,8 +257,12 @@ jobs:
           "$CI_PROJECT_DIR"/ci/scripts/run-build-ic.sh
           rm -rf "/cache/job/${CI_JOB_NAME}/${CI_RUN_ID}"
 
-          # List and aggregate all SHA256SUMS files.
-          find -L bazel-out -name SHA256SUMS | xargs cat | sort | uniq > SHA256SUMS
+          # List and aggregate all SHA256SUMS files (if bazel-out exists)
+          if [ -e bazel-out]; then
+            find -L bazel-out -name SHA256SUMS | xargs cat | sort | uniq > SHA256SUMS
+          else
+            touch SHA256SUMS
+          fi
 
         env:
           BAZEL_COMMAND: build --config=ci
@@ -295,9 +298,13 @@ jobs:
 
       - name: Build Determinism Test
         run: |
-          n_lines=$(cat shasums-nocache/SHA256SUMS | wc -l)
-          echo "comparing $n_lines lines"
-          if [ "$n_lines" -eq 0 ]; then
+          n_lines_cache=$(cat shasums-cache/SHA256SUMS | wc -l)
+          n_lines_nocache=$(cat shasums-nocache/SHA256SUMS | wc -l)
+          echo "comparing $n_lines_cache (cache) and $n_lines_nocache (nocache) lines"
+
+          # running tests may not pull all targets locally. If that's the case,
+          # there will be 0 lines and nothing to compare.
+          if [ "$n_lines_cache" -eq 0 ] || [ "$n_lines_nocache" -eq 0 ]; then
             echo "No lines to compare"
             exit 0
           fi

diff --git a/.github/workflows-source/ci-pr-only.yml b/.github/workflows-source/ci-pr-only.yml
@@ -159,6 +159,12 @@ jobs:
         run: |
           [ -n "${NODE_NAME:-}" ] && echo "Node: $NODE_NAME"
           ./ci/scripts/bazel-coverage.sh
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      - name: Upload bazel-coverage
+        uses: actions/upload-artifact@v4
+        with:
+          name: bazel-coverage
+          retention-days: 1
+          if-no-files-found: ignore
+          compression-level: 9
+          path: |
+            cov_html.zip
diff --git a/.github/workflows-source/schedule-daily.yml b/.github/workflows-source/schedule-daily.yml
@@ -218,6 +218,12 @@ jobs:
       - name: Run Bazel Test Coverage
         shell: bash
         run: ./ci/scripts/bazel-coverage.sh
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      - name: Upload bazel-coverage
+        uses: actions/upload-artifact@v4
+        with:
+          name: bazel-coverage
+          retention-days: 1
+          if-no-files-found: ignore
+          compression-level: 9
+          path: |
+            cov_html.zip
diff --git a/.github/workflows/ci-main.yml b/.github/workflows/ci-main.yml
@@ -52,6 +52,7 @@ jobs:
           fetch-depth: ${{ github.event_name == 'pull_request' && 256 || 0 }}
       - name: Set BAZEL_EXTRA_ARGS
         shell: bash
+        id: bazel-extra-args
         run: |
           set -xeuo pipefail
           # Determine which tests to skip and append 'long_test' for pull requests, merge groups or push on dev-gh-*
@@ -78,21 +79,20 @@ jobs:
           # Prepend tags with '-' and join them with commas for Bazel
           TEST_TAG_FILTERS=$(IFS=,; echo "${EXCLUDED_TEST_TAGS[*]/#/-}")
           # Determine BAZEL_EXTRA_ARGS based on event type or branch name
-          BAZEL_EXTRA_ARGS="--test_tag_filters=$TEST_TAG_FILTERS"
+          BAZEL_EXTRA_ARGS=( "--test_tag_filters=$TEST_TAG_FILTERS" )
           if [[ "$CI_EVENT_NAME" == 'merge_group' ]]; then
-              BAZEL_EXTRA_ARGS+=" --test_timeout_filters=short,moderate --flaky_test_attempts=3"
+              BAZEL_EXTRA_ARGS+=( --test_timeout_filters=short,moderate --flaky_test_attempts=3 )
           elif [[ $BRANCH_NAME =~ ^hotfix-.* ]]; then
-              BAZEL_EXTRA_ARGS+=" --test_timeout_filters=short,moderate"
+              BAZEL_EXTRA_ARGS+=( --test_timeout_filters=short,moderate )
           else
-              BAZEL_EXTRA_ARGS+=" --keep_going"
+              BAZEL_EXTRA_ARGS+=( --keep_going )
           fi
-          # Export BAZEL_EXTRA_ARGS to environment
-          echo "BAZEL_EXTRA_ARGS=$BAZEL_EXTRA_ARGS" >> $GITHUB_ENV
+          echo "BAZEL_EXTRA_ARGS=${BAZEL_EXTRA_ARGS[@]}" >> $GITHUB_OUTPUT
       - name: Run Bazel Test All
         id: bazel-test-all
         uses: ./.github/actions/bazel-test-all/
         with:
-          BAZEL_COMMAND: test --config=ci ${{ env.BAZEL_EXTRA_ARGS }}
+          BAZEL_COMMAND: test --config=ci ${{ steps.bazel-extra-args.outputs.BAZEL_EXTRA_ARGS }}
           BAZEL_TARGETS: //...
           BUILDEVENT_APIKEY: ${{ secrets.HONEYCOMB_TOKEN }}
           GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
@@ -144,7 +144,6 @@ jobs:
           BAZEL_COMMAND: >-
             test --config=ci --config=macos_ci --test_tag_filters=test_macos
           BAZEL_TARGETS: //rs/... //publish/binaries/...
-          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
       - name: Upload bazel-bep
         # runs only if previous step succeeded or failed;
         # we avoid collecting artifacts of jobs that were cancelled
@@ -294,8 +293,12 @@ jobs:
           "$CI_PROJECT_DIR"/ci/scripts/run-build-ic.sh
           rm -rf "/cache/job/${CI_JOB_NAME}/${CI_RUN_ID}"
 
-          # List and aggregate all SHA256SUMS files.
-          find -L bazel-out -name SHA256SUMS | xargs cat | sort | uniq > SHA256SUMS
+          # List and aggregate all SHA256SUMS files (if bazel-out exists)
+          if [ -e bazel-out]; then
+            find -L bazel-out -name SHA256SUMS | xargs cat | sort | uniq > SHA256SUMS
+          else
+            touch SHA256SUMS
+          fi
         env:
           BAZEL_COMMAND: build --config=ci
           BAZEL_TARGETS: //...
@@ -331,9 +334,13 @@ jobs:
           path: shasums-nocache
       - name: Build Determinism Test
         run: |
-          n_lines=$(cat shasums-nocache/SHA256SUMS | wc -l)
-          echo "comparing $n_lines lines"
-          if [ "$n_lines" -eq 0 ]; then
+          n_lines_cache=$(cat shasums-cache/SHA256SUMS | wc -l)
+          n_lines_nocache=$(cat shasums-nocache/SHA256SUMS | wc -l)
+          echo "comparing $n_lines_cache (cache) and $n_lines_nocache (nocache) lines"
+
+          # running tests may not pull all targets locally. If that's the case,
+          # there will be 0 lines and nothing to compare.
+          if [ "$n_lines_cache" -eq 0 ] || [ "$n_lines_nocache" -eq 0 ]; then
             echo "No lines to compare"
             exit 0
           fi

diff --git a/.github/workflows/ci-pr-only.yml b/.github/workflows/ci-pr-only.yml
@@ -154,6 +154,12 @@ jobs:
         run: |
           [ -n "${NODE_NAME:-}" ] && echo "Node: $NODE_NAME"
           ./ci/scripts/bazel-coverage.sh
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      - name: Upload bazel-coverage
+        uses: actions/upload-artifact@v4
+        with:
+          name: bazel-coverage
+          retention-days: 1
+          if-no-files-found: ignore
+          compression-level: 9
+          path: |
+            cov_html.zip
diff --git a/.github/workflows/schedule-daily.yml b/.github/workflows/schedule-daily.yml
@@ -259,6 +259,12 @@ jobs:
       - name: Run Bazel Test Coverage
         shell: bash
         run: ./ci/scripts/bazel-coverage.sh
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      - name: Upload bazel-coverage
+        uses: actions/upload-artifact@v4
+        with:
+          name: bazel-coverage
+          retention-days: 1
+          if-no-files-found: ignore
+          compression-level: 9
+          path: |
+            cov_html.zip
diff --git a/Cargo.Bazel.Fuzzing.json.lock b/Cargo.Bazel.Fuzzing.json.lock
@@ -1,5 +1,5 @@
 {
-  "checksum": "1e8bffe24652db11f439e8104fd2a22890550692ac65d2158f6bf76b10cf8a04",
+  "checksum": "08d6ff34bbb2dba9b147373032c8d6016a785821f41dea400d071133689f395b",
   "crates": {
     "abnf 0.12.0": {
       "name": "abnf",
@@ -19968,7 +19968,7 @@
               "target": "ic_http_gateway"
             },
             {
-              "id": "ic-management-canister-types 0.2.0",
+              "id": "ic-management-canister-types 0.2.1",
               "target": "ic_management_canister_types"
             },
             {
@@ -33389,14 +33389,14 @@
       ],
       "license_file": null
     },
-    "ic-management-canister-types 0.2.0": {
+    "ic-management-canister-types 0.2.1": {
       "name": "ic-management-canister-types",
-      "version": "0.2.0",
+      "version": "0.2.1",
       "package_url": "https://github.com/dfinity/cdk-rs",
       "repository": {
         "Http": {
-          "url": "https://static.crates.io/crates/ic-management-canister-types/0.2.0/download",
-          "sha256": "4ce1cdd2b6df9eac37cd2dcf5d40cf9427a24aed9b0751cbe5b09ae116eb4de3"
+          "url": "https://static.crates.io/crates/ic-management-canister-types/0.2.1/download",
+          "sha256": "1a23527ab5e2ede1aae270cdb79ef0491479c8b5c2de9fd393048ca907cac5e1"
         }
       },
       "targets": [
@@ -33440,7 +33440,7 @@
           "selects": {}
         },
         "edition": "2021",
-        "version": "0.2.0"
+        "version": "0.2.1"
       },
       "license": "Apache-2.0",
       "license_ids": [
@@ -91316,7 +91316,7 @@
     "ic-certified-map 0.3.4",
     "ic-http-certification 3.0.3",
     "ic-http-gateway 0.2.0",
-    "ic-management-canister-types 0.2.0",
+    "ic-management-canister-types 0.2.1",
     "ic-metrics-encoder 1.1.1",
     "ic-response-verification 3.0.3",
     "ic-sha3 1.0.0",

diff --git a/Cargo.Bazel.Fuzzing.toml.lock b/Cargo.Bazel.Fuzzing.toml.lock
@@ -5597,9 +5597,9 @@ dependencies = [
 
 [[package]]
 name = "ic-management-canister-types"
-version = "0.2.0"
+version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4ce1cdd2b6df9eac37cd2dcf5d40cf9427a24aed9b0751cbe5b09ae116eb4de3"
+checksum = "1a23527ab5e2ede1aae270cdb79ef0491479c8b5c2de9fd393048ca907cac5e1"
 dependencies = [
  "candid",
  "candid_parser",