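# Copyright 2025 New Vector Ltd.
#
# SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-Element-Commercial
# Please see LICENSE files in the repository root for full details.

# Continuous-integration workflow: lints and tests the OPA policies, the
# frontend and the Rust workspace, then reports one aggregate status through
# the `tests-done` job.
#
# Conventions used throughout this file:
#   - Every `uses:` reference to a remote action is pinned to a full commit
#     SHA; the trailing comment records the tag that SHA corresponds to.
#   - Every checkout sets `persist-credentials: false`, so the workflow token
#     is not left in the local git config for later steps to pick up.
#   - Every job declares its own `permissions:` block, so the token scope does
#     not depend on the repository or organisation default.

name: CI

on:
  push:
    branches:
      - main
      - "release/**"
    tags:
      - "v*"
  pull_request:

# One run per workflow and ref; a newer push cancels the run still in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  CARGO_TERM_COLOR: always
  CARGO_NET_GIT_FETCH_WITH_CLI: "true"
  SCCACHE_GHA_ENABLED: "true"
  # Jobs that do not install sccache must override this (see `cargo-deny`).
  RUSTC_WRAPPER: "sccache"

jobs:
  opa-lint:
    name: Lint and test OPA policies
    runs-on: ubuntu-24.04

    permissions:
      contents: read

    steps:
      - name: Checkout the code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false

      - uses: ./.github/actions/build-policies

      - name: Setup Regal
        uses: StyraInc/setup-regal@33a142b1189004e0f14bf42b15972c67eecce776 # v1
        with:
          # Keep in sync with policies/Makefile
          # Quoted so that no YAML parser can re-type the version string.
          version: "0.38.1"

      - name: Lint policies
        working-directory: ./policies
        run: make lint

      - name: Run OPA tests
        working-directory: ./policies
        run: make test

  frontend-lint:
    name: Check frontend style
    runs-on: ubuntu-24.04

    permissions:
      contents: read

    steps:
      - name: Checkout the code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false

      - name: Install Node
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: 24

      # `npm ci` installs exactly what the lockfile records and fails when
      # package.json and the lockfile disagree.
      - name: Install Node dependencies
        working-directory: ./frontend
        run: npm ci

      - name: Lint
        working-directory: ./frontend
        run: npm run lint

  frontend-test:
    name: Run the frontend test suite
    runs-on: ubuntu-24.04

    permissions:
      contents: read

    steps:
      - name: Checkout the code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false

      - name: Install Node
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: 24

      - name: Install Node dependencies
        working-directory: ./frontend
        run: npm ci

      - name: Test
        working-directory: ./frontend
        run: npm test

  frontend-knip:
    name: Check the frontend for unused dependencies
    runs-on: ubuntu-24.04

    permissions:
      contents: read

    steps:
      - name: Checkout the code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false

      - name: Install Node
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: 24

      - name: Install Node dependencies
        working-directory: ./frontend
        run: npm ci

      - name: Check for unused dependencies
        working-directory: ./frontend
        run: npm run knip

  rustfmt:
    name: Check Rust style
    runs-on: ubuntu-24.04

    permissions:
      contents: read

    steps:
      - name: Checkout the code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false

      - name: Install Rust toolchain
        # Install the minimal toolchain, which includes rustc, rustdoc, and cargo.
        # Then install rustfmt for `cargo fmt`.
        #
        # --override sets this as the default rust toolchain version in this directory.
        #
        # NOTE(review): `nightly` is a floating channel, so the rustfmt used
        # here can change from one run to the next; pin a dated nightly if
        # reproducible results matter.
        run: |
          rustup toolchain install nightly --profile minimal --component rustfmt --override

      - name: Check style
        run: cargo fmt --all -- --check

  cargo-deny:
    name: Run `cargo deny` checks
    runs-on: ubuntu-24.04

    env:
      # We need to remove the sccache wrapper because we don't install it in this job
      RUSTC_WRAPPER: ""

    permissions:
      contents: read

    steps:
      - name: Checkout the code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false

      - name: Run `cargo-deny`
        uses: EmbarkStudios/cargo-deny-action@175dc7fd4fb85ec8f46948fb98f44db001149081 # v2.0.16
        with:
          rust-version: stable

  check-schema:
    name: Check schema
    runs-on: ubuntu-24.04

    permissions:
      contents: read

    steps:
      - name: Checkout the code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false

      - name: Install Rust toolchain
        run: |
          rustup toolchain install stable

      - name: Setup sccache
        uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9

      - uses: ./.github/actions/build-frontend

      - name: Update the schemas
        run: sh ./misc/update.sh

      # Fails the job when the update script changed any tracked file or left
      # an untracked one behind, and writes the resulting diff to the job
      # summary.
      - name: Check that the workspace is clean
        run: |
          if [[ -n "$(git status -s)" ]]; then
            echo "::error title=Workspace is not clean::Please run 'sh ./misc/update.sh' and commit the changes"

            (
              echo '## Diff after running `sh ./misc/update.sh`:'
              echo
              echo '```diff'
              git diff
              echo '```'
            ) >> "$GITHUB_STEP_SUMMARY"

            exit 1
          fi

  clippy:
    name: Run Clippy
    needs: [rustfmt, opa-lint]
    runs-on: ubuntu-24.04

    permissions:
      contents: read

    steps:
      - name: Checkout the code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false

      - name: Install Rust toolchain
        # Install the minimal toolchain with clippy, pinned to a version kept in
        # sync with Dockerfile.
        #
        # --override sets this as the default rust toolchain version in this directory.
        run: rustup toolchain install 1.93.0 --profile minimal --component clippy --override

      - uses: ./.github/actions/build-policies

      - name: Setup sccache
        uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9

      - name: Run clippy
        run: |
          cargo clippy --workspace --tests --bins --lib -- -D warnings

  compile-test-artifacts:
    name: Compile test artifacts
    runs-on: ubuntu-24.04

    permissions:
      contents: read

    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false

      - name: Install Rust toolchain
        # Install the minimal toolchain, which includes rustc, rustdoc, and cargo.
        run: rustup toolchain install stable --profile minimal

      # The action is pinned by SHA, but no version is given for the tool it
      # installs, so the cargo-nextest release used is not fixed by this file.
      - name: Install nextest
        uses: taiki-e/install-action@7ea35f098a7369cd23488403f58be9c491a6c55f # v2
        with:
          tool: cargo-nextest

      - name: Setup sccache
        uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9

      - name: Build and archive tests
        run: cargo nextest archive --workspace --archive-file nextest-archive.tar.zst
        env:
          SQLX_OFFLINE: "1"

      # The archive is downloaded and executed by the `test` job of this same
      # workflow run.
      - name: Upload archive to workflow
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: nextest-archive
          path: nextest-archive.tar.zst

  test:
    name: Run test suite with Rust stable
    needs: [rustfmt, opa-lint, compile-test-artifacts]
    runs-on: ubuntu-24.04

    permissions:
      contents: read

    strategy:
      matrix:
        partition: [1, 2, 3]

    services:
      postgres:
        # Pinned by tag, not by digest.
        image: docker.io/library/postgres:15.3
        # Fixed credentials for the job-local service container; the same
        # values appear in DATABASE_URL below.
        env:
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: postgres
          POSTGRES_DB: postgres
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
        ports:
          - "5432:5432"

    steps:
      - name: Checkout the code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false

      - name: Install Rust toolchain
        # Install the minimal toolchain, which includes rustc, rustdoc, and cargo.
        run: rustup toolchain install stable --profile minimal

      - name: Install nextest
        uses: taiki-e/install-action@7ea35f098a7369cd23488403f58be9c491a6c55f # v2
        with:
          tool: cargo-nextest

      - uses: ./.github/actions/build-frontend

      - uses: ./.github/actions/build-policies

      - name: Download archive
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: nextest-archive

      # `matrix.partition` is one of the literals declared in the strategy
      # above, not event-supplied text, so expanding it inside the script does
      # not let outside input reach the shell.
      - name: Test
        env:
          DATABASE_URL: postgresql://postgres:postgres@localhost/postgres
        run: |
          ~/.cargo/bin/cargo-nextest nextest run \
            --archive-file nextest-archive.tar.zst \
            --partition count:${{ matrix.partition }}/3

  tests-done:
    name: Tests done
    # Runs even when a needed job failed or was skipped, so that the aggregate
    # status is always reported.
    if: ${{ always() }}
    needs:
      - opa-lint
      - frontend-lint
      - frontend-test
      - frontend-knip
      - rustfmt
      - cargo-deny
      - clippy
      - check-schema
      - test
    runs-on: ubuntu-24.04

    # This job does no checkout and its only step receives the `needs` context
    # as an input, so the token is given no scopes at all rather than the
    # repository default.
    # NOTE(review): assumes done-action makes no GitHub API calls; confirm.
    permissions: {}

    steps:
      - uses: matrix-org/done-action@3409aa904e8a2aaf2220f09bc954d3d0b0a2ee67 # v3
        with:
          needs: ${{ toJSON(needs) }}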