Bump cc from 1.0.79 to 1.2.9 in /src/rust #156
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
pull_request: {} | |
push: | |
branches: | |
- main | |
- '*.*.x' | |
tags: | |
- '*.*' | |
- '*.*.*' | |
permissions: | |
contents: read | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} | |
cancel-in-progress: true | |
env: | |
CARGO_REGISTRIES_CRATES_IO_PROTOCOL: sparse | |
jobs: | |
linux: | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
PYTHON: | |
- {VERSION: "3.11", NOXSESSION: "flake"} | |
- {VERSION: "3.11", NOXSESSION: "rust"} | |
- {VERSION: "3.11", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.1.0"}} | |
- {VERSION: "pypy-3.8", NOXSESSION: "tests-nocoverage"} | |
- {VERSION: "pypy-3.9", NOXSESSION: "tests-nocoverage"} | |
- {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1t"}} | |
- {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.8"}} | |
- {VERSION: "3.11", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.1.0"}} | |
- {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.0", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}} | |
- {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.0", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} | |
- {VERSION: "3.11", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.0"}} | |
- {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.6.2"}} | |
- {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.2"}} | |
- {VERSION: "3.11", NOXSESSION: "tests-randomorder"} | |
- {VERSION: "3.12-dev", NOXSESSION: "tests"} | |
# Latest commit on the BoringSSL master branch, as of May 03, 2023. | |
- {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "4c8bcf0da2951cacd8ed8eaa7fd2df4b22fca23b"}} | |
# Latest commit on the OpenSSL master branch, as of May 03, 2023. | |
- {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "56547da9d3fa24f54b439497d322b12beb004c80"}} | |
timeout-minutes: 15 | |
steps: | |
- uses: actions/[email protected] | |
timeout-minutes: 3 | |
with: | |
persist-credentials: false | |
fetch-depth: 0 | |
- name: set mtimes for rust dirs | |
uses: ./.github/actions/mtime-fix | |
- name: Setup python | |
id: setup-python | |
uses: actions/[email protected] | |
with: | |
python-version: ${{ matrix.PYTHON.VERSION }} | |
- name: Clone wycheproof | |
timeout-minutes: 2 | |
uses: ./.github/actions/wycheproof | |
- name: Compute config hash and set config vars | |
run: | | |
DEFAULT_CONFIG_FLAGS="shared no-ssl2 no-ssl3" | |
CONFIG_FLAGS="$DEFAULT_CONFIG_FLAGS $CONFIG_FLAGS" | |
OPENSSL_HASH=$(echo "${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-$CONFIG_FLAGS" | sha1sum | sed 's/ .*$//') | |
echo "CONFIG_FLAGS=${CONFIG_FLAGS}" >> $GITHUB_ENV | |
echo "OPENSSL_HASH=${OPENSSL_HASH}" >> $GITHUB_ENV | |
echo "OSSL_INFO=${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${CONFIG_FLAGS}" >> $GITHUB_ENV | |
echo "OSSL_PATH=${{ github.workspace }}/osslcache/${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${OPENSSL_HASH}" >> $GITHUB_ENV | |
env: | |
CONFIG_FLAGS: ${{ matrix.PYTHON.OPENSSL.CONFIG_FLAGS }} | |
if: matrix.PYTHON.OPENSSL | |
- name: Load OpenSSL cache | |
uses: actions/[email protected] | |
id: ossl-cache | |
timeout-minutes: 2 | |
with: | |
path: ${{ github.workspace }}/osslcache | |
# When altering the openssl build process you may need to increment the value on the end of this cache key | |
# so that you can prevent it from fetching the cache and skipping the build step. | |
key: ${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${{ env.OPENSSL_HASH }}-8 | |
if: matrix.PYTHON.OPENSSL | |
- name: Build custom OpenSSL/LibreSSL | |
run: .github/workflows/build_openssl.sh | |
env: | |
TYPE: ${{ matrix.PYTHON.OPENSSL.TYPE }} | |
VERSION: ${{ matrix.PYTHON.OPENSSL.VERSION }} | |
if: matrix.PYTHON.OPENSSL && steps.ossl-cache.outputs.cache-hit != 'true' | |
- name: Set CFLAGS/LDFLAGS | |
run: | | |
echo "OPENSSL_DIR=${OSSL_PATH}" >> $GITHUB_ENV | |
echo "CFLAGS=${CFLAGS} -Werror=implicit-function-declaration" >> $GITHUB_ENV | |
echo "RUSTFLAGS=-Clink-arg=-Wl,-rpath=${OSSL_PATH}/lib -Clink-arg=-Wl,-rpath=${OSSL_PATH}/lib64" >> $GITHUB_ENV | |
if: matrix.PYTHON.OPENSSL | |
- name: Cache rust and pip | |
uses: ./.github/actions/cache | |
timeout-minutes: 2 | |
with: | |
# We have both the Python version from the matrix and from the | |
# setup-python step because the latter doesn't distinguish | |
# pypy3-3.8 and pypy3-3.9 -- both of them show up as 7.3.11. | |
key: ${{ matrix.PYTHON.VERSION }}-${{ steps.setup-python.outputs.python-version }}-${{ matrix.PYTHON.NOXSESSION }}-${{ env.OPENSSL_HASH }} | |
- run: python -m pip install -c ci-constraints-requirements.txt 'nox' coverage[toml] | |
- name: Create nox environment | |
run: | | |
nox -v --install-only | |
env: | |
NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }} | |
CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} | |
- name: Tests | |
run: | | |
nox --no-install -- --color=yes --wycheproof-root=wycheproof ${{ matrix.PYTHON.NOXARGS }} | |
env: | |
NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }} | |
COLUMNS: 80 | |
CRYPTOGRAPHY_OPENSSL_NO_LEGACY: ${{ matrix.PYTHON.OPENSSL.NO_LEGACY }} | |
CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} | |
- uses: ./.github/actions/upload-coverage | |
distros: | |
runs-on: ${{ matrix.IMAGE.RUNNER }} | |
container: ghcr.io/pyca/cryptography-runner-${{ matrix.IMAGE.IMAGE }} | |
strategy: | |
fail-fast: false | |
matrix: | |
IMAGE: | |
- {IMAGE: "rhel8", RUNNER: "ubuntu-latest"} | |
- {IMAGE: "rhel8-fips", RUNNER: "ubuntu-latest", FIPS: true} | |
- {IMAGE: "buster", RUNNER: "ubuntu-latest"} | |
- {IMAGE: "bullseye", RUNNER: "ubuntu-latest"} | |
- {IMAGE: "bookworm", RUNNER: "ubuntu-latest"} | |
- {IMAGE: "sid", RUNNER: "ubuntu-latest"} | |
- {IMAGE: "ubuntu-focal", RUNNER: "ubuntu-latest"} | |
- {IMAGE: "ubuntu-jammy", RUNNER: "ubuntu-latest"} | |
- {IMAGE: "ubuntu-rolling", RUNNER: "ubuntu-latest"} | |
- {IMAGE: "fedora", RUNNER: "ubuntu-latest"} | |
- {IMAGE: "alpine", RUNNER: "ubuntu-latest"} | |
- {IMAGE: "centos-stream9", RUNNER: "ubuntu-latest"} | |
- {IMAGE: "centos-stream9-fips", RUNNER: "ubuntu-latest", FIPS: true} | |
- {IMAGE: "ubuntu-jammy:aarch64", RUNNER: [self-hosted, Linux, ARM64]} | |
- {IMAGE: "alpine:aarch64", RUNNER: [self-hosted, Linux, ARM64]} | |
timeout-minutes: 15 | |
steps: | |
- name: Ridiculous alpine workaround for actions support on arm64 | |
run: | | |
# This modifies /etc/os-release so the JS actions | |
# from GH can't detect that it's on alpine:aarch64. It will | |
# then use a glibc nodejs, which works fine when gcompat | |
# is installed in the container (which it is) | |
sed -i "s:ID=alpine:ID=NotpineForGHA:" /etc/os-release | |
if: matrix.IMAGE.IMAGE == 'alpine:aarch64' | |
- uses: actions/[email protected] | |
timeout-minutes: 3 | |
with: | |
persist-credentials: false | |
fetch-depth: 0 | |
- name: git config shenanigans | |
run: | | |
git config --global --add safe.directory $(pwd) # needed for the mtime fix since git doesn't think it owns the files due to being in containers | |
- name: set mtimes for rust dirs | |
uses: ./.github/actions/mtime-fix | |
- name: Cache rust and pip | |
uses: ./.github/actions/cache | |
timeout-minutes: 2 | |
with: | |
key: ${{ matrix.IMAGE.IMAGE }} | |
- name: Clone wycheproof | |
timeout-minutes: 2 | |
uses: ./.github/actions/wycheproof | |
# When run in a docker container the home directory doesn't have the same owner as the | |
# apparent user so pip refuses to create a cache dir | |
- name: create pip cache dir | |
run: mkdir -p "${HOME}/.cache/pip" | |
- run: | | |
echo "OPENSSL_FORCE_FIPS_MODE=1" >> $GITHUB_ENV | |
if: matrix.IMAGE.FIPS | |
- run: /venv/bin/python -m pip install -c ci-constraints-requirements.txt 'nox' coverage | |
- run: '/venv/bin/nox -v --install-only -s tests' | |
env: | |
RUSTUP_HOME: /root/.rustup | |
CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} | |
# OPENSSL_ENABLE_SHA1_SIGNATURES is for CentOS 9 Stream | |
OPENSSL_ENABLE_SHA1_SIGNATURES: 1 | |
- run: '/venv/bin/nox --no-install -s tests -- --color=yes --wycheproof-root="wycheproof"' | |
env: | |
COLUMNS: 80 | |
# OPENSSL_ENABLE_SHA1_SIGNATURES is for CentOS 9 Stream | |
OPENSSL_ENABLE_SHA1_SIGNATURES: 1 | |
- uses: ./.github/actions/upload-coverage | |
linux-rust: | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
PYTHON: | |
- "3.11" | |
RUST: | |
# Cover MSRV. 1.60+ and beta/nightly are in the linux-rust-coverage section. | |
- 1.56.0 | |
name: "${{ matrix.PYTHON }} with Rust ${{ matrix.RUST }}" | |
timeout-minutes: 15 | |
steps: | |
- uses: actions/[email protected] | |
timeout-minutes: 3 | |
with: | |
persist-credentials: false | |
fetch-depth: 0 | |
- name: set mtimes for rust dirs | |
uses: ./.github/actions/mtime-fix | |
- name: Cache rust and pip | |
uses: ./.github/actions/cache | |
timeout-minutes: 2 | |
- name: Setup python | |
uses: actions/[email protected] | |
with: | |
python-version: ${{ matrix.PYTHON }} | |
- uses: dtolnay/rust-toolchain@52e69531e6f69a396bc9d1226284493a5db969ff | |
with: | |
toolchain: ${{ matrix.RUST }} | |
- name: Clone wycheproof | |
timeout-minutes: 2 | |
uses: ./.github/actions/wycheproof | |
- run: python -m pip install -c ci-constraints-requirements.txt 'nox' coverage[toml] | |
- name: Create nox environment | |
run: nox -v --install-only -s tests | |
env: | |
CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} | |
- name: Tests | |
run: nox --no-install -s tests -- --color=yes --wycheproof-root=wycheproof | |
env: | |
COLUMNS: 80 | |
- uses: ./.github/actions/upload-coverage | |
linux-rust-coverage: | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
PYTHON: | |
- "3.11" | |
RUST: | |
# Potential future MSRVs: | |
# 1.60 - pem 2.0.1 | |
- 1.60.0 | |
- beta | |
- nightly | |
name: "Rust Coverage" | |
timeout-minutes: 15 | |
steps: | |
- uses: actions/[email protected] | |
timeout-minutes: 3 | |
with: | |
persist-credentials: false | |
fetch-depth: 0 | |
- name: set mtimes for rust dirs | |
uses: ./.github/actions/mtime-fix | |
- uses: dtolnay/rust-toolchain@52e69531e6f69a396bc9d1226284493a5db969ff | |
id: rust-toolchain | |
with: | |
toolchain: ${{ matrix.RUST }} | |
components: llvm-tools-preview | |
- name: Cache rust and pip | |
id: cargo-cache | |
uses: ./.github/actions/cache | |
timeout-minutes: 2 | |
with: | |
key: coverage | |
additional-paths: | | |
~/.cargo/bin/cargo-cov | |
~/.cargo/bin/cargo-nm | |
~/.cargo/bin/cargo-objcopy | |
~/.cargo/bin/cargo-objdump | |
~/.cargo/bin/cargo-profdata | |
~/.cargo/bin/cargo-readobj | |
~/.cargo/bin/cargo-size | |
~/.cargo/bin/cargo-strip | |
~/.cargo/bin/rust-ar | |
~/.cargo/bin/rust-cov | |
~/.cargo/bin/rust-ld | |
~/.cargo/bin/rust-lld | |
~/.cargo/bin/rust-nm | |
~/.cargo/bin/rust-objcopy | |
~/.cargo/bin/rust-objdump | |
~/.cargo/bin/rust-profdata | |
~/.cargo/bin/rust-readobj | |
~/.cargo/bin/rust-size | |
~/.cargo/bin/rust-strip | |
- name: Setup python | |
uses: actions/[email protected] | |
with: | |
python-version: ${{ matrix.PYTHON }} | |
- run: cargo install cargo-binutils | |
if: steps.cargo-cache.outputs.cache-hit != 'true' | |
- name: Clone wycheproof | |
timeout-minutes: 2 | |
uses: ./.github/actions/wycheproof | |
- run: python -m pip install -c ci-constraints-requirements.txt 'nox' coverage[toml] cffi | |
- name: Create nox environment | |
run: nox -v --install-only -s tests | |
env: | |
CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} | |
RUSTFLAGS: "-Cinstrument-coverage" | |
LLVM_PROFILE_FILE: "rust-cov/cov-%p.profraw" | |
- name: Tests | |
run: nox --no-install -s tests -- --color=yes --wycheproof-root=wycheproof | |
env: | |
COLUMNS: 80 | |
CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} | |
RUSTFLAGS: "-Cinstrument-coverage" | |
LLVM_PROFILE_FILE: "rust-cov/cov-%p.profraw" | |
- name: Rust Tests | |
run: | | |
cd src/rust | |
cargo test --no-default-features --all | |
env: | |
RUSTFLAGS: "-Cinstrument-coverage" | |
LLVM_PROFILE_FILE: "rust-cov/cov-%m-%p.profraw" | |
- name: Process coverage data | |
run: | | |
set -xe | |
cd src/rust/ | |
cargo profdata -- merge -sparse $(find ../.. -iname "*.profraw") -o rust-cov.profdata | |
COV_UUID=$(python3 -c "import uuid; print(uuid.uuid4())") | |
cargo cov -- export \ | |
../../.nox/tests/lib/python${{ matrix.PYTHON }}/site-packages/cryptography/hazmat/bindings/_rust.abi3.so \ | |
$(env RUSTFLAGS="-Cinstrument-coverage" cargo test --no-default-features --all --tests --no-run --message-format=json | jq -r "select(.profile.test == true) | .filenames[]" | awk '{print "-object " $0}') \ | |
-instr-profile=rust-cov.profdata \ | |
--ignore-filename-regex='/.cargo/' \ | |
--ignore-filename-regex='/rustc/' \ | |
--ignore-filename-regex='/.rustup/toolchains/' --format=lcov > "../../${COV_UUID}.lcov" | |
sed -E -i 's/SF:(.*)\/src\/rust\/(.*)/SF:src\/rust\/\2/g' "../../${COV_UUID}.lcov" | |
- uses: ./.github/actions/upload-coverage | |
macos: | |
runs-on: ${{ matrix.RUNNER.OS }} | |
strategy: | |
fail-fast: false | |
matrix: | |
RUNNER: | |
- {OS: 'macos-12', ARCH: 'x86_64'} | |
- {OS: [self-hosted, macos, ARM64, tart], ARCH: 'arm64'} | |
PYTHON: | |
- {VERSION: "3.7", NOXSESSION: "tests-nocoverage"} | |
- {VERSION: "3.11", NOXSESSION: "tests"} | |
exclude: | |
# We only test latest Python on arm64. py37 won't work since there's no universal2 binary | |
- PYTHON: {VERSION: "3.7", NOXSESSION: "tests-nocoverage"} | |
RUNNER: {OS: [self-hosted, macos, ARM64, tart], ARCH: 'arm64'} | |
timeout-minutes: 15 | |
steps: | |
- uses: actions/[email protected] | |
timeout-minutes: 3 | |
with: | |
persist-credentials: false | |
fetch-depth: 0 | |
- name: set mtimes for rust dirs | |
uses: ./.github/actions/mtime-fix | |
- name: Cache rust and pip | |
uses: ./.github/actions/cache | |
timeout-minutes: 2 | |
with: | |
key: ${{ matrix.PYTHON.NOXSESSION }}-${{ matrix.PYTHON.VERSION }} | |
- name: Setup python | |
uses: actions/[email protected] | |
with: | |
python-version: ${{ matrix.PYTHON.VERSION }} | |
architecture: 'x64' # we force this right now so that it will install the universal2 on arm64 | |
- run: python -m pip install -c ci-constraints-requirements.txt 'nox' coverage[toml] | |
- name: Clone wycheproof | |
timeout-minutes: 2 | |
uses: ./.github/actions/wycheproof | |
- uses: dawidd6/action-download-artifact@246dbf436b23d7c49e21a7ab8204ca9ecd1fe615 | |
with: | |
repo: pyca/infra | |
workflow: build-macos-openssl.yml | |
branch: main | |
workflow_conclusion: success | |
name: openssl-macos-universal2 | |
path: "../openssl-macos-universal2/" | |
github_token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Build nox environment | |
run: | | |
OPENSSL_DIR=$(readlink -f ../openssl-macos-universal2/) \ | |
OPENSSL_STATIC=1 \ | |
CFLAGS="-Werror -Wno-error=deprecated-declarations -Wno-error=incompatible-pointer-types-discards-qualifiers -Wno-error=unused-function -mmacosx-version-min=10.12" \ | |
nox -v --install-only | |
env: | |
NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }} | |
CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} | |
- name: Tests | |
run: nox --no-install -- --color=yes --wycheproof-root=wycheproof | |
env: | |
NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }} | |
COLUMNS: 80 | |
- uses: ./.github/actions/upload-coverage | |
windows: | |
runs-on: windows-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
WINDOWS: | |
- {ARCH: 'x86', WINDOWS: 'win32'} | |
- {ARCH: 'x64', WINDOWS: 'win64'} | |
PYTHON: | |
- {VERSION: "3.7", NOXSESSION: "tests-nocoverage"} | |
- {VERSION: "3.11", NOXSESSION: "tests"} | |
timeout-minutes: 15 | |
steps: | |
- uses: actions/[email protected] | |
timeout-minutes: 3 | |
with: | |
persist-credentials: false | |
fetch-depth: 0 | |
- name: set mtimes for rust dirs | |
uses: ./.github/actions/mtime-fix | |
- name: Setup python | |
id: setup-python | |
uses: actions/[email protected] | |
with: | |
python-version: ${{ matrix.PYTHON.VERSION }} | |
architecture: ${{ matrix.WINDOWS.ARCH }} | |
- name: Cache rust and pip | |
uses: ./.github/actions/cache | |
timeout-minutes: 2 | |
with: | |
key: ${{ matrix.PYTHON.NOXSESSION }}-${{ matrix.WINDOWS.ARCH }}-${{ steps.setup-python.outputs.python-version }} | |
- run: python -m pip install -c ci-constraints-requirements.txt "nox" coverage[toml] | |
- uses: dawidd6/action-download-artifact@246dbf436b23d7c49e21a7ab8204ca9ecd1fe615 | |
with: | |
repo: pyca/infra | |
workflow: build-windows-openssl.yml | |
branch: main | |
workflow_conclusion: success | |
name: "openssl-${{ matrix.WINDOWS.WINDOWS }}" | |
path: "C:/openssl-${{ matrix.WINDOWS.WINDOWS }}/" | |
github_token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Configure | |
run: | | |
echo "OPENSSL_DIR=C:/openssl-${{ matrix.WINDOWS.WINDOWS }}" >> $GITHUB_ENV | |
shell: bash | |
- name: Clone wycheproof | |
timeout-minutes: 2 | |
uses: ./.github/actions/wycheproof | |
- name: Build nox environment | |
run: nox -v --install-only | |
env: | |
NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }} | |
CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} | |
- name: Tests | |
run: nox --no-install -- --color=yes --wycheproof-root=wycheproof | |
env: | |
NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }} | |
COLUMNS: 80 | |
CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} | |
- uses: ./.github/actions/upload-coverage | |
linux-downstream: | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
DOWNSTREAM: | |
- paramiko | |
- pyopenssl | |
- pyopenssl-release | |
- twisted | |
- aws-encryption-sdk | |
- dynamodb-encryption-sdk | |
- certbot | |
- certbot-josepy | |
- mitmproxy | |
- scapy | |
PYTHON: | |
- '3.11' | |
name: "Downstream tests for ${{ matrix.DOWNSTREAM }}" | |
timeout-minutes: 15 | |
steps: | |
- uses: actions/[email protected] | |
timeout-minutes: 3 | |
with: | |
persist-credentials: false | |
fetch-depth: 0 | |
- name: set mtimes for rust dirs | |
uses: ./.github/actions/mtime-fix | |
- name: Cache rust and pip | |
uses: ./.github/actions/cache | |
timeout-minutes: 2 | |
- name: Setup python | |
uses: actions/[email protected] | |
with: | |
python-version: ${{ matrix.PYTHON }} | |
- run: ./.github/downstream.d/${{ matrix.DOWNSTREAM }}.sh install | |
- run: pip install . | |
env: | |
CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} | |
# cryptography main has a version of "(X+1).0.0.dev1" where X is the | |
# most recently released major version. A package used by a downstream | |
# may depend on cryptography <=X. If you use entrypoints stuff, this can | |
# lead to runtime errors due to version incompatibilities. Rename the | |
# dist-info directory to pretend to be an older version to "solve" this. | |
- run: | | |
import json | |
import pkg_resources | |
import shutil | |
import urllib.request | |
d = pkg_resources.get_distribution("cryptography") | |
with urllib.request.urlopen("https://pypi.org/pypi/cryptography/json") as r: | |
latest_version = json.load(r)["info"]["version"] | |
new_path = d.egg_info.replace(d.version, latest_version) | |
shutil.move(d.egg_info, new_path) | |
shell: python | |
- run: ./.github/downstream.d/${{ matrix.DOWNSTREAM }}.sh run | |
all-green: | |
# https://github.community/t/is-it-possible-to-require-all-github-actions-tasks-to-pass-without-enumerating-them/117957/4?u=graingert | |
runs-on: ubuntu-latest | |
needs: [linux, distros, linux-rust, linux-rust-coverage, macos, windows, linux-downstream] | |
if: ${{ always() }} | |
steps: | |
- uses: actions/[email protected] | |
timeout-minutes: 3 | |
with: | |
persist-credentials: false | |
- name: Decide whether the needed jobs succeeded or failed | |
uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe | |
with: | |
jobs: ${{ toJSON(needs) }} | |
- name: Setup python | |
if: ${{ always() }} | |
uses: actions/[email protected] | |
with: | |
python-version: '3.11' | |
- run: pip install -c ci-constraints-requirements.txt coverage[toml] | |
if: ${{ always() }} | |
- name: Download coverage data | |
if: ${{ always() }} | |
uses: actions/[email protected] | |
with: | |
name: coverage-data | |
- name: Combine coverage and fail if it's <100%. | |
if: ${{ always() }} | |
id: combinecoverage | |
run: | | |
set +e | |
python -m coverage combine | |
echo "## Python Coverage" >> $GITHUB_STEP_SUMMARY | |
python -m coverage report -m --fail-under=100 > COV_REPORT | |
COV_EXIT_CODE=$? | |
cat COV_REPORT | |
if [ $COV_EXIT_CODE -ne 0 ]; then | |
echo "🚨 Python Coverage failed. Under 100" | tee -a $GITHUB_STEP_SUMMARY | |
fi | |
echo '```' >> $GITHUB_STEP_SUMMARY | |
cat COV_REPORT >> $GITHUB_STEP_SUMMARY | |
echo '```' >> $GITHUB_STEP_SUMMARY | |
exit $COV_EXIT_CODE | |
- name: Combine rust coverage and fail if it's <100%. | |
if: ${{ always() }} | |
id: combinerustcoverage | |
run: | | |
set +e | |
sudo apt-get install -y lcov | |
RUST_COVERAGE_OUTPUT=$(lcov $(for f in *.lcov; do echo --add-tracefile "$f"; done) -o combined.lcov | grep lines) | |
echo "## Rust Coverage" >> $GITHUB_STEP_SUMMARY | |
echo '```' >> $GITHUB_STEP_SUMMARY | |
echo $RUST_COVERAGE_OUTPUT >> $GITHUB_STEP_SUMMARY | |
echo '```' >> $GITHUB_STEP_SUMMARY | |
if ! echo "$RUST_COVERAGE_OUTPUT" | grep "100.0%"; then | |
echo "🚨 Rust Coverage failed. Under 100" | tee -a $GITHUB_STEP_SUMMARY | |
exit 1 | |
fi | |
- name: Create rust coverage HTML | |
run: genhtml combined.lcov -o rust-coverage | |
if: ${{ failure() && steps.combinerustcoverage.outcome == 'failure' }} | |
- name: Create coverage HTML | |
run: python -m coverage html | |
if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} | |
- name: Upload HTML report. | |
uses: actions/[email protected] | |
with: | |
name: _html-report | |
path: htmlcov | |
if-no-files-found: ignore | |
if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} | |
- name: Upload rust HTML report. | |
uses: actions/[email protected] | |
with: | |
name: _html-rust-report | |
path: rust-coverage | |
if-no-files-found: ignore | |
if: ${{ failure() && steps.combinerustcoverage.outcome == 'failure' }} |