From 929e1d661abc81ebbeef163c7ab7730d5ae98f5a Mon Sep 17 00:00:00 2001
From: Kiryl Mialeshka <8974488+meskill@users.noreply.github.com>
Date: Fri, 2 Feb 2024 11:47:19 +0100
Subject: [PATCH] chore: refactor ci setup to remove insecure features (#964)
Co-authored-by: meskill
Co-authored-by: Amit Singh
---
 .github/labels.json | 4 +-
 .github/workflows/{bot.yml => benchmark.yml} | 111 +++----------------
 .github/workflows/ci.yml | 78 +++----------
 .github/workflows/comment-commit.yml | 28 +++++
 .github/workflows/lint.yml | 41 +++++++
 .github/workflows/pr-convention.yml | 18 +-
 .github/workflows/release-drafter.yml | 26 +++++
 7 files changed, 139 insertions(+), 167 deletions(-)
 rename .github/workflows/{bot.yml => benchmark.yml} (55%)
 create mode 100644 .github/workflows/comment-commit.yml
 create mode 100644 .github/workflows/lint.yml
 create mode 100644 .github/workflows/release-drafter.yml
diff --git a/.github/labels.json b/.github/labels.json
index 8bc076c91b..e98afd58d0 100644
--- a/.github/labels.json
+++ b/.github/labels.json
@@ -219,7 +219,7 @@
 {
 "name": "ci: benchmark",
 "color": "F9D0C4",
- "description": "Runs macro benchmarks",
- "aliases": ["ci:lint"]
+ "description": "Runs benchmarks",
+ "aliases": ["ci:benchmark"]
 }
 ]
diff --git a/.github/workflows/bot.yml b/.github/workflows/benchmark.yml
similarity index 55%
rename from .github/workflows/bot.yml
rename to .github/workflows/benchmark.yml
index f77b3bea79..f7d27fc38c 100644
--- a/.github/workflows/bot.yml
+++ b/.github/workflows/benchmark.yml
@@ -5,21 +5,12 @@ on:
 paths-ignore: ["docs/**", "**.md"]
 branches:
 - main
- pull_request_target:
+ pull_request:
 paths-ignore: ["docs/**", "**.md"]
- types: [opened, synchronize, labeled]
- branches:
- - main
-
- workflow_dispatch:
- inputs:
- branch:
- description: "Branch to run benchmark on"
- required: true
- default: "main"
+ types: [opened, reopened, synchronize, labeled]
 jobs:
- benchmark:
+ macro_benchmark:
 name: Macro Benchmarks
 if: "contains(github.event.pull_request.labels.*.name, 'ci: benchmark') || github.event_name == 'push'"
 runs-on: benchmarking-runner
@@ -28,30 +19,11 @@ jobs:
 contents: write
 steps:
 - uses: actions/checkout@v4
- with:
- ref: ${{ github.event.pull_request.head.sha }}
-
 - name: Install Stable Toolchain
- uses: actions-rs/toolchain@v1
- with:
- toolchain: stable
- override: true
- components: rustfmt, clippy
-
- - name: Cache Rust Dependencies
- uses: actions/cache@v4
- with:
- path: |
- ~/.cargo/registry
- ~/.cargo/git
- target
- key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+ uses: actions-rust-lang/setup-rust-toolchain@v1
 - name: Run Cargo Build
- uses: actions-rs/cargo@v1
- with:
- command: build
- args: --release
+ run: cargo build --release
 - name: Run Tailcall
 run: |
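Review bot: With the trigger switched to `pull_request` while the job stays on `runs-on: benchmarking-runner` (a custom label, which looks self-hosted), the `ci: benchmark` label in the `if:` is the only gate before code from a pull request head is built and executed on that runner, and once a maintainer applies the label every later `synchronize` event from the same PR re-runs without a second look. If the repository accepts fork PRs, consider either restricting the self-hosted path with `github.event.pull_request.head.repo.full_name == github.repository` in the same `if:`, or documenting that the label is a per-PR approval that should be removed after the run. A comment above the condition such as `# the label is a maintainer approval: it is the only control between a PR and the benchmarking runner` would make that trust boundary explicit. The `macro_benchmark` job continues past the end of this hunk.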
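Review bot: The `macro_benchmark` job still carries `contents: write` (context at the top of the `@@ -28` hunk) although after this change none of its remaining steps writes to the repository — checkout, toolchain setup, `cargo build --release`, running the server and uploading an artifact; commit commenting moved to the separate `comment-commit.yml`. On `pull_request` events from forks the token is read-only regardless, but on `push` to `main` it is not, so lowering it to `contents: read` (and dropping any `pull-requests: write` in the `permissions:` block that begins above this hunk, if present) follows the least-privilege intent of the commit. Separately, `actions-rust-lang/setup-rust-toolchain@v1` is referenced by a mutable major tag here and in the ci.yml hunks, while `lint.yml` pins `autofix-ci/action` to a commit SHA; pinning the third-party actions consistently would close that supply-chain gap.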
@@ -80,70 +52,21 @@ jobs:
 name: Convert Output to Markdown
 working-directory: ci-benchmark
 run: |
- node wrk-output-to-md.js wrk-output.txt > wrk-output.md
-
+ node wrk-output-to-md.js wrk-output.txt > body.md
 - id: cat_md
 name: Cat Markdown
 working-directory: ci-benchmark
 run: |
- cat wrk-output.md
+ cat body.md
- - id: get_comment_body
- name: Get Comment Body
- working-directory: ci-benchmark
- run: |
- body="$(cat wrk-output.md)"
- delimiter="$(openssl rand -hex 8)"
- echo "body<<$delimiter" >> $GITHUB_OUTPUT
- echo "$body" >> $GITHUB_OUTPUT
- echo "$delimiter" >> $GITHUB_OUTPUT
-
- - name: Create Commit Comment
- uses: peter-evans/commit-comment@v3
+ - name: "Upload Artifact"
+ uses: actions/upload-artifact@v4
 with:
- sha: ${{github.event.pull_request.head.sha}}
- body: ${{steps.get_comment_body.outputs.body}}
-
- lint:
- name: CI:Lint
- if: "contains(github.event.pull_request.labels.*.name, 'ci: lint')"
- runs-on: ubuntu-latest
- permissions:
- pull-requests: write
- contents: write
- steps:
- - name: Install Node.js
- uses: actions/setup-node@v4
- with:
- node-version: "18"
- - name: Install Prettier
- run: npm install --global prettier
- - name: Install Stable Toolchain
- uses: actions-rs/toolchain@v1
- with:
- toolchain: nightly
- components: rustfmt, clippy
- - name: Cache Rust Dependencies
- uses: actions/cache@v4
- with:
- path: |
- ~/.cargo/registry
- ~/.cargo/git
- target
- key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
- - uses: actions/checkout@v4
- with:
- ref: ${{ github.event.pull_request.head.sha }}
-
- - name: Run lint script
- run: ./lint.sh --mode=fix
- - name: Commit and push if changed
- uses: stefanzweifel/git-auto-commit-action@v5
- with:
- commit_message: "style: apply lint fixes"
+ name: body
+ path: ci-benchmark/body.md
 Cache_Benchmarks:
- name: Micro Benchmarks
+ name: Cache Micro Benchmarks result
 if: (github.event_name == 'push' && github.ref == 'refs/heads/main')
 permissions:
 pull-requests: write
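Review bot: The new `Upload Artifact` step depends on `ci-benchmark/body.md` existing, but `actions/upload-artifact@v4` only warns by default when the path matches nothing, so a silently failing conversion step upstream would let the benchmark run end green and push the failure into `comment-commit.yml`, where `download-artifact` then fails with an unrelated-looking error. Adding `if-no-files-found: error` under the step's `with:` surfaces the problem where it originates. The `cat_md` step now exists only to print `body.md` into the log; a comment such as `# kept for log visibility; the file itself is published via the artifact below` would explain why it survived the refactor.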
@@ -154,10 +77,7 @@ jobs:
 uses: actions/checkout@v4
 - name: Install Rust
- uses: actions-rs/toolchain@v1
- with:
- toolchain: stable
- override: true
+ uses: actions-rust-lang/setup-rust-toolchain@v1
 - name: Run Benchmarks
 run: |
@@ -186,10 +106,7 @@ jobs:
 ref: ${{ github.event.pull_request.head.sha }}
 - name: Install Rust
- uses: actions-rs/toolchain@v1
- with:
- toolchain: stable
- override: true
+ uses: actions-rust-lang/setup-rust-toolchain@v1
 - name: Run Criterion Benchmarks
 run: |
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8d7671ffd6..d75c15cd15 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -3,14 +3,13 @@ name: Build
 on:
 push:
 branches:
- - "**"
+ - main
 pull_request:
 branches: [main]
 types: [opened, reopened, synchronize]
- pull_request_target:
- types: [opened, reopened, synchronize]
 permissions:
 contents: read
+
 jobs:
 check_if_build:
 name: Check if Build
@@ -29,7 +28,6 @@ jobs:
 test_cf:
 name: Run Tests (WASM)
- if: (github.event_name == 'pull_request') || (github.event_name == 'push' && github.ref == 'refs/heads/main')
 runs-on: ubuntu-latest
 defaults:
 run:
@@ -39,14 +37,13 @@ jobs:
 - uses: actions/checkout@v4
 - name: Install Rust
- uses: actions-rs/toolchain@v1
+ uses: actions-rust-lang/setup-rust-toolchain@v1
 with:
- toolchain: stable
- override: true
-
- - name: Add wasm32 target
- run: rustup target add wasm32-unknown-unknown
+ target: wasm32-unknown-unknown
+ - name: Build WASM
+ run: cargo check --lib --target wasm32-unknown-unknown
+ working-directory: ./cloudflare
 - name: Install Node.js
 uses: actions/setup-node@v4
 with:
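Review bot: The criterion benchmark job still checks out `${{ github.event.pull_request.head.sha }}` (context at the top of the `@@ -186` hunk), while the equivalent line was removed from `macro_benchmark` in the first hunk of this file, so the two benchmark jobs of one PR now run on different revisions: the PR head versus the merge commit that `pull_request` checks out by default. Now that the workflow no longer uses `pull_request_target`, the explicit `ref:` is not needed for correctness and could be dropped for consistency; if the head commit is deliberately wanted, a comment such as `# benchmark the PR head itself, not the merge commit, so numbers are comparable with the base run` would record that. The checkout step's `uses:` and `with:` lines begin above this hunk.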
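Review bot: In the `@@ -39` hunk of ci.yml the step named `Build WASM` runs `cargo check --lib`, which type-checks the crate without producing an artifact, so the name misleads whoever reads the run log; `name: Check WASM target` (or switching to `cargo build` if a real build is the intent) would match what it does. The same job declares `defaults: run:` in the `@@ -29` hunk, so the explicit `working-directory: ./cloudflare` on the new step either duplicates or overrides that default — worth confirming the two point at the same directory, since the body of `defaults:` is outside the hunks shown.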
@@ -60,33 +57,16 @@ jobs:
 test:
 name: Run Tests
- if: (github.event_name == 'pull_request') || (github.event_name == 'push' && github.ref == 'refs/heads/main')
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
 - uses: taiki-e/install-action@cargo-llvm-cov
 - name: Install Stable Toolchain
- uses: actions-rs/toolchain@v1
- with:
- toolchain: stable
- default: true
-
- - name: Cache Rust Dependencies
- uses: actions/cache@v4
- with:
- path: |
- ~/.cargo/registry
- ~/.cargo/git
- target
- key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
- restore-keys: ${{ runner.os }}-cargo-
+ uses: actions-rust-lang/setup-rust-toolchain@v1
 - name: Run Cargo Test
- uses: actions-rs/cargo@v1
- with:
- command: llvm-cov
- args: --all-features --lcov --output-path lcov.info
+ run: cargo llvm-cov --all-features --lcov --output-path lcov.info
 - name: Upload Coverage to Codecov
 uses: codecov/codecov-action@v4
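Review bot: Removing the `if:` from the `test` job means it now runs for every `pull_request` into `main`, including fork PRs, where `secrets.*` resolve to empty strings; the codecov step's `with:` block continues in the next hunk's context, where `fail_ci_if_error: true` is visible, so if a `token:` is passed there a token-less upload from a fork would fail the whole test job rather than just the coverage report. If that is the setup, scope the hard failure to trusted events, e.g. `fail_ci_if_error: ${{ github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository }}`. `taiki-e/install-action@cargo-llvm-cov` references a floating tag named after the tool, so the installed version drifts between runs; a versioned tag or commit SHA would keep the coverage toolchain reproducible.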
@@ -95,37 +75,9 @@ jobs:
 files: lcov.info
 fail_ci_if_error: true
- format:
- name: Run Formatter and Lint Check
- if: (github.event_name == 'pull_request') || (github.event_name == 'push' && github.ref == 'refs/heads/main')
- runs-on: ubuntu-latest
- steps:
- - name: Install Node.js
- uses: actions/setup-node@v4
- with:
- node-version: "20.11.0"
- - name: Install Prettier
- run: npm install --global prettier
- - name: Install Nightly Toolchain
- uses: actions-rs/toolchain@v1
- with:
- toolchain: nightly
- components: rustfmt, clippy
- - name: Cache Rust Dependencies
- uses: actions/cache@v4
- with:
- path: |
- ~/.cargo/registry
- ~/.cargo/git
- target
- key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
- - uses: actions/checkout@v4
- - name: Run Lint Script
- run: ./lint.sh --mode=check
-
 draft_release:
 name: Draft Release
- if: (github.event_name == 'pull_request_target') || (github.event_name == 'push' && github.ref == 'refs/heads/main')
+ if: github.event_name == 'push' && github.ref == 'refs/heads/main'
 runs-on: ubuntu-latest
 permissions:
 contents: write
@@ -136,7 +88,6 @@ jobs:
 - id: create_release
 uses: release-drafter/release-drafter@v6
- if: (github.event_name == 'pull_request_target') || (github.event_name == 'push' && github.ref == 'refs/heads/main')
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
@@ -151,9 +102,11 @@ jobs:
 create_release_name: ${{ steps.set_output.outputs.create_release_name }}
 create_release_id: ${{ steps.set_output.outputs.create_release_id }}
+ # TODO: move to separate file to separate responsibilities
 release:
 name: Release
- needs: [test, format, draft_release, check_if_build, test_cf]
+ needs: [test, draft_release, check_if_build, test_cf]
+ # TODO: put a condition to separate job that other will depend on to remove duplication?
 if: github.event_name == 'push' && github.ref == 'refs/heads/main' && (needs.check_if_build.outputs.check_if_build == 'true')
 runs-on: ${{ matrix.os }}
 strategy:
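Review bot: `draft_release` in this workflow still runs `release-drafter/release-drafter@v6` (context in the `@@ -136` hunk) while the new `release-drafter.yml` added by this same commit runs `release-drafter/release-drafter@v5` against the same `config-name`, and both now fire on `push` to `main`; two major versions of the same tool drafting the same release will not necessarily agree, so align them on one version and decide which workflow owns the draft. The `release` job's `needs:` drops `format`, and lint now lives in `lint.yml`, which a job in this file cannot `needs:` across workflows, so a lint failure no longer blocks a release. If that is intended, the added `# TODO` above `release:` is the natural place to state it, e.g. `# lint runs in lint.yml and is deliberately not a release gate`.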
@@ -275,7 +228,7 @@ jobs:
 env:
 APP_VERSION: ${{ needs.draft_release.outputs.create_release_name}}
 NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
- uses: actions-rs/cargo@v1
+ uses: ClementTsang/cargo-action@v0.0.6
 with:
 use-cross: ${{ matrix.cross }}
 command: build
@@ -343,6 +296,7 @@ jobs:
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 tag-name: ${{needs.draft_release.outputs.create_release_name }}
+
 publish_npm_root:
 name: Publish NPM main package
 needs: [draft_release, release]
@@ -378,6 +332,7 @@ jobs:
 env:
 APP_VERSION: ${{needs.draft_release.outputs.create_release_name }}
 NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
 build-and-push-image:
 env:
 REGISTRY: ghcr.io
@@ -416,6 +371,7 @@ jobs: with: push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + homebrew-release: name: Homebrew Release needs: [draft_release, release, semantic_release]
diff --git a/.github/workflows/comment-commit.yml b/.github/workflows/comment-commit.yml
new file mode 100644
index 0000000000..f6b68459d2
--- /dev/null
+++ b/.github/workflows/comment-commit.yml
@@ -0,0 +1,28 @@
+name: Comment on commit
+
+on:
+ workflow_run:
+ workflows: ["Benchmark"]
+ types:
+ - completed
+
+jobs:
+ comment:
+ name: Comment on commit
+ runs-on: ubuntu-latest
+ if: >
+ github.event.workflow_run.event == 'pull_request' &&
+ github.event.workflow_run.conclusion == 'success'
+ steps:
+ - name: Download artifact with body message
+ uses: actions/download-artifact@v4
+ with:
+ name: body
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ run-id: ${{ github.event.workflow_run.id }}
+
+ - name: Create Commit Comment
+ uses: peter-evans/commit-comment@v3
+ with:
+ sha: ${{ github.event.workflow_run.head_sha }}
+ body-path: body.md
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
new file mode 100644
index 0000000000..cf87b00d88
--- /dev/null
+++ b/.github/workflows/lint.yml
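Review bot: The new `comment` job in `comment-commit.yml` declares no `permissions:` block at either level, so it inherits the repository's default token scope (which may still be write-all), and it is the job that runs in the privileged `workflow_run` context and posts content produced by an untrusted PR build — exactly the place to be explicit. `lint.yml` and `release-drafter.yml` in this same commit already set a top-level `permissions: contents: read` and a job-level grant, so mirror that here with `permissions: contents: write` for `peter-evans/commit-comment` plus `actions: read`, which per its README `actions/download-artifact@v4` needs when fetching another run's artifact via `run-id:` (once a `permissions:` block exists, anything unlisted is dropped). The `workflows: ["Benchmark"]` filter has to match the `name:` at the top of `benchmark.yml`, which is outside the hunks shown; confirm the renamed file was given that name rather than the old `bot.yml` one.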
@@ -0,0 +1,41 @@
+name: autofix.ci
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches: [main]
+ types: [opened, reopened, synchronize, labeled]
+permissions:
+ contents: read
+
+jobs:
+ lint:
+ name: Run Formatter and Lint Check
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+ contents: write
+ env:
+ LINT_MODE: "${{ contains(github.event.pull_request.labels.*.name, 'ci: lint') && 'fix' || 'check' }}"
+ steps:
+ - name: Install Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version: "20.11.0"
+ - name: Install Prettier
+ run: npm install --global prettier
+ - name: Install Nightly Toolchain
+ uses: actions-rust-lang/setup-rust-toolchain@v1
+ with:
+ toolchain: nightly
+ components: rustfmt, clippy
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ (env.LINT_MODE == 'fix' && github.event.pull_request.head.sha) || '' }}
+ - name: Run Lint Script
+ run: ./lint.sh --mode=$LINT_MODE
+ - name: Commit and push if changed
+ if: env.LINT_MODE == 'fix'
+ uses: autofix-ci/action@ea32e3a12414e6d3183163c3424a7d7a8631ad84
diff --git a/.github/workflows/pr-convention.yml b/.github/workflows/pr-convention.yml
index 16fbbf2739..6591e099c6 100644
--- a/.github/workflows/pr-convention.yml
+++ b/.github/workflows/pr-convention.yml
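Review bot: The `lint` job requests `pull-requests: write` and `contents: write`, overriding the top-level `contents: read`, yet the only step that could plausibly need them, `autofix-ci/action`, is designed to push fixes through its own GitHub App rather than through `GITHUB_TOKEN` — as far as its documentation goes, the token needs no write scope — and on `pull_request` events from forks the token is read-only anyway. Unless `./lint.sh` itself writes back to the repository, both grants can likely be removed so the job runs with `contents: read`; worth confirming before merge, since the job executes repository code from the checked-out PR head in `fix` mode. That `ref:` expression also deserves a why-comment, e.g. `# autofix needs the PR head, not the merge commit, so its patch applies cleanly to the branch; check mode uses the default merge ref`, because the two modes checking out different revisions is not obvious from the line itself.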
@@ -1,15 +1,19 @@
 name: PR Title Validation
+
 on:
- pull_request:
- types: [opened, edited, synchronize, reopened]
+ # pull_request_target is ok until we do not checkout and build external code
+ # TODO: maybe it is not required after all https://github.com/amannn/action-semantic-pull-request/issues/219
+ pull_request_target:
+ types: [opened, edited]
+
+permissions:
+ pull-requests: read
 jobs:
 title-check:
 name: Check PR Title
 runs-on: ubuntu-latest
 steps:
- - uses: naveenk1223/action-pr-title@master
- with:
- regex: '^[a-zA-Z]+(\([a-zA-Z/]+\))?!?: .+'
- allowed_prefixes: "feat,fix,docs,style,refactor,test,chore,ci,perf,revert"
- prefix_case_sensitive: false
+ - uses: amannn/action-semantic-pull-request@v5
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
new file mode 100644
index 0000000000..72316cc476
--- /dev/null
+++ b/.github/workflows/release-drafter.yml
@@ -0,0 +1,26 @@
+name: Release Drafter
+
+on:
+ push:
+ branches:
+ - main
+ # pull_request_target event is required for autolabeler to support PRs from forks
+ # it's ok to do so until we do not checkout and build any external code
+ pull_request_target:
+ types: [opened, reopened, synchronize]
+
+permissions:
+ contents: read
+
+jobs:
+ update_release_draft:
+ permissions:
+ contents: write
+ pull-requests: write
+ runs-on: ubuntu-latest
+ steps:
+ - uses: release-drafter/release-drafter@v5
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ config-name: release-drafter.yml
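Review bot: `update_release_draft` in the new `release-drafter.yml` grants `contents: write` and `pull-requests: write` for both triggers, but on the `pull_request_target` path only the autolabeler runs, which needs `pull-requests: write` alone; `contents: write` is only required when the draft is written on `push` to `main`. Splitting this into two jobs keyed on `github.event_name`, each with its minimum grant, keeps the PR-triggered path — the one that reacts to external contributors — free of repository write access. The trigger comment already explains why `pull_request_target` is tolerable; since that reasoning holds only while no step checks out or runs PR code, extend it with `# never add a checkout or build step to this workflow` so the precondition survives future edits. In `pr-convention.yml`, `types: [opened, edited]` drops `synchronize` and `reopened`; that is reasonable for a title-only check, but a one-line comment saying the title cannot change on push would stop the next reader from re-adding them.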