dandri/matrix-authentication-service
1
0
Fork 0
mirror of https://github.com/element-hq/matrix-authentication-service.git synced 2026-05-12 00:04:57 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
b57fd0078c3467dfd71fcf2c708bbe226c87f0cb
matrix-authentication-service/.github/workflows/ci.yaml
T
Workflow config file is invalid. Please check your config file: invalid jobs: yaml: unmarshal errors: line 294: cannot unmarshal !!str `${{ mat...` into bool
dependabot[bot] b57fd0078c Bump actions/cache from 3.0.8 to 3.0.11 
Bumps [actions/cache](https://github.com/actions/cache) from 3.0.8 to 3.0.11.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.8...v3.0.11)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-18 10:43:34 +02:00

491 lines
13 KiB
YAML
Raw Blame History

name: CI
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
env:
CARGO_TERM_COLOR: always
jobs:
fetch:
name: Fetch Cargo dependencies
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout the code
uses: actions/checkout@v3
- name: Install toolchain
uses: actions-rs/toolchain@v1
with:
toolchain: "1.61.0" # MSRV
target: x86_64-unknown-linux-musl
profile: minimal
override: true
- name: Setup Cargo cache
uses: actions/cache@v3.0.11
with:
path: |
~/.cargo/registry/index
~/.cargo/registry/cache
~/.cargo/git/db
key: ${{ runner.os }}-cargo-deps-msrv-${{ hashFiles('**/Cargo.lock') }}
- name: Fetch dependencies
id: fetch
uses: actions-rs/cargo@v1
continue-on-error: true
with:
command: fetch
args: --locked
- name: Fetch dependencies (retry)
id: fetch-2
uses: actions-rs/cargo@v1
if: steps.fetch.outcome == 'failure'
continue-on-error: true
with:
command: fetch
args: --locked
- name: Fetch dependencies (second retry)
uses: actions-rs/cargo@v1
if: steps.fetch.outcome == 'failure' && steps.fetch-2.outcome == 'failure'
with:
command: fetch
args: --locked
opa-lint:
name: Lint and test OPA policies
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout the code
uses: actions/checkout@v3
- name: Setup OPA
uses: open-policy-agent/setup-opa@v1
with:
version: 0.43.0
- name: Lint policies
run: |
cd crates/policy/policies
make lint
- name: Run OPA tests
run: |
cd crates/policy/policies
make test
- name: Run OPA tests with coverage
run: |
cd crates/policy/policies
make coverage
- name: Upload to codecov.io
uses: codecov/codecov-action@v3
with:
files: crates/policy/policies/coverage.json
flags: policies
rustfmt:
name: Check style
needs: [fetch]
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout the code
uses: actions/checkout@v3
- name: Install toolchain
id: toolchain
uses: actions-rs/toolchain@v1
with:
toolchain: nightly
target: x86_64-unknown-linux-musl
components: rustfmt
profile: minimal
override: true
- name: Setup Cargo cache
uses: actions/cache@v3.0.11
with:
path: |
~/.cargo/registry/index
~/.cargo/registry/cache
~/.cargo/git/db
key: ${{ runner.os }}-cargo-deps-msrv-${{ hashFiles('**/Cargo.lock') }}
- name: Setup build cache
uses: actions/cache@v3.0.11
with:
path: |
target
key: cargo-fmt-${{ hashFiles('**/Cargo.lock') }}-${{ steps.toolchain.outputs.rustc_hash }}
- name: Check style
uses: actions-rs/cargo@v1
with:
command: fmt
args: --all -- --check
clippy:
name: Run Clippy
needs: [opa-lint, fetch]
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout the code
uses: actions/checkout@v3
- name: Install toolchain
id: toolchain
uses: actions-rs/toolchain@v1
with:
toolchain: stable
target: x86_64-unknown-linux-musl
components: clippy
profile: minimal
override: true
- name: Install Protoc
uses: arduino/setup-protoc@v1
- name: Setup OPA
uses: open-policy-agent/setup-opa@v1
with:
version: 0.40.0
- name: Compile OPA policies
run: |
cd crates/policy/policies
make
- name: Setup Cargo cache
uses: actions/cache@v3.0.11
with:
path: |
~/.cargo/registry/index
~/.cargo/registry/cache
~/.cargo/git/db
key: ${{ runner.os }}-cargo-deps-msrv-${{ hashFiles('**/Cargo.lock') }}
- name: Setup build cache
uses: actions/cache@v3.0.11
with:
path: |
target
key: cargo-clippy-${{ hashFiles('**/Cargo.lock') }}-${{ steps.toolchain.outputs.rustc_hash }}
- name: Run Clippy
uses: actions-rs/cargo@v1
with:
command: clippy
args: --workspace -- -D warnings
test:
name: Run test suite with Rust ${{ matrix.toolchain }}
needs: [rustfmt, clippy, opa-lint, fetch]
runs-on: ubuntu-latest
permissions:
contents: read
strategy:
fail-fast: false # Continue other jobs if one fails to help filling the cache
matrix:
toolchain:
- "1.61.0" # MSRV
- stable
- beta
- nightly
services:
postgres:
image: docker.io/library/postgres:14.4
env:
POSTGRES_USER: postgres
POSTGRES_PASSWORD: postgres
POSTGRES_DB: postgres
options: >-
--health-cmd pg_isready
--health-interval 10s
--health-timeout 5s
--health-retries 5
ports:
- "5432:5432"
steps:
- name: Checkout the code
uses: actions/checkout@v3
- name: Install toolchain
id: toolchain
uses: actions-rs/toolchain@v1
with:
toolchain: ${{ matrix.toolchain }}
target: x86_64-unknown-linux-musl
profile: minimal
override: true
- name: Install Protoc
uses: arduino/setup-protoc@v1
- name: Setup OPA
uses: open-policy-agent/setup-opa@v1
with:
version: 0.40.0
- name: Compile OPA policies
run: |
cd crates/policy/policies
make
- name: Setup Cargo cache
uses: actions/cache@v3.0.11
with:
path: |
~/.cargo/registry/index
~/.cargo/registry/cache
~/.cargo/git/db
key: ${{ runner.os }}-cargo-deps-msrv-${{ hashFiles('**/Cargo.lock') }}
- name: Setup build cache
uses: actions/cache@v3.0.11
with:
path: |
target
key: ${{ runner.os }}-cargo-build-${{ steps.toolchain.outputs.rustc_hash }}-${{ hashFiles('**/Cargo.lock') }}
- name: Test
id: test
uses: actions-rs/cargo@v1
with:
command: test
args: --offline --workspace
env:
DATABASE_URL: postgresql://postgres:postgres@localhost/postgres
SQLX_OFFLINE: '1'
# Ignore errors on the nightly toolchain
continue-on-error: "${{ matrix.toolchain == 'nightly' }}"
- name: Emit error annotation on failures
if: steps.test.outcome == 'failure'
run: |
echo "::error ::Test suite failed on ${{ matrix.toolchain }} toolchain"
coverage:
name: Code coverage
needs: [rustfmt, clippy, opa-lint, fetch]
runs-on: ubuntu-latest
permissions:
contents: read
services:
postgres:
image: docker.io/library/postgres:14.4
env:
POSTGRES_USER: postgres
POSTGRES_PASSWORD: postgres
POSTGRES_DB: postgres
options: >-
--health-cmd pg_isready
--health-interval 10s
--health-timeout 5s
--health-retries 5
ports:
- "5432:5432"
steps:
- name: Checkout the code
uses: actions/checkout@v3
- name: Install toolchain
id: toolchain
uses: actions-rs/toolchain@v1
with:
toolchain: stable
target: x86_64-unknown-linux-musl
override: true
components: llvm-tools-preview
- name: Install Protoc
uses: arduino/setup-protoc@v1
- name: Setup OPA
uses: open-policy-agent/setup-opa@v1
with:
version: 0.40.0
- name: Compile OPA policies
run: |
cd crates/policy/policies
make
- name: Setup Cargo cache
uses: actions/cache@v3.0.11
with:
path: |
~/.cargo/registry/index
~/.cargo/registry/cache
~/.cargo/git/db
key: ${{ runner.os }}-cargo-deps-msrv-${{ hashFiles('**/Cargo.lock') }}
- name: Setup build cache
uses: actions/cache@v3.0.11
with:
path: |
target
key: ${{ runner.os }}-cargo-coverage-${{ steps.toolchain.outputs.rustc_hash }}-${{ hashFiles('**/Cargo.lock') }}
- name: Download grcov
run: |
mkdir -p "${HOME}/.local/bin"
curl -sL https://github.com/mozilla/grcov/releases/download/v0.8.7/grcov-x86_64-unknown-linux-gnu.tar.bz2 | tar jxf - -C "${HOME}/.local/bin"
echo "$HOME/.local/bin" >> $GITHUB_PATH
- name: Run test suite with profiling enabled
uses: actions-rs/cargo@v1
with:
command: test
args: --no-fail-fast --workspace
env:
CARGO_INCREMENTAL: '0'
RUSTFLAGS: '-Cinstrument-coverage'
LLVM_PROFILE_FILE: "cargo-test-%p-%m.profraw"
DATABASE_URL: postgresql://postgres:postgres@localhost/postgres
SQLX_OFFLINE: '1'
- name: Build grcov report
run: |
mkdir -p target/coverage
grcov . --binary-path ./target/debug/deps/ -s . -t lcov --branch --ignore-not-existing --ignore '../*' --ignore "/*" -o target/coverage/tests.lcov
- name: Upload to codecov.io
uses: codecov/codecov-action@v3
with:
files: target/coverage/*.lcov
flags: unit
build-image:
name: Build and push Docker image
needs: [opa-lint]
runs-on: ubuntu-latest
env:
IMAGE: ghcr.io/matrix-org/matrix-authentication-service
permissions:
contents: read
packages: write
id-token: write
steps:
- name: Checkout the code
uses: actions/checkout@v3
- name: Docker meta
id: meta
uses: docker/metadata-action@v4
with:
images: "${{ env.IMAGE }}"
bake-target: docker-metadata-action
tags: |
type=ref,event=branch
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
type=sha
- name: Docker meta (debug variant)
id: meta-debug
uses: docker/metadata-action@v4
with:
images: "${{ env.IMAGE }}"
bake-target: docker-metadata-action-debug
tags: |
type=ref,event=branch,suffix=-debug
type=semver,pattern={{version}},suffix=-debug
type=semver,pattern={{major}}.{{minor}},suffix=-debug
type=semver,pattern={{major}},suffix=-debug
type=sha,suffix=-debug
- name: Merge buildx bake files
run: |
jq -s '.[0] * .[1]' ${{ steps.meta.outputs.bake-file }} ${{ steps.meta-debug.outputs.bake-file }} > docker-bake.override.json
- name: Setup Cosign
uses: sigstore/cosign-installer@v2.7.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
with:
config-inline: |
[registry."docker.io"]
mirrors = ["mirror.gcr.io"]
- name: Login to GitHub Container Registry
if: github.event_name != 'pull_request'
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
# For pull-requests, only read from the cache, do not try to push to the
# cache or the image itself
# We only build for the amd64 platform in pul-requests to speed-up CI
- name: Build
uses: docker/bake-action@v2
if: github.event_name == 'pull_request'
with:
set: |
base.platform=linux/amd64
base.cache-from=type=registry,ref=${{ env.IMAGE }}:buildcache
- name: Build and push
uses: docker/bake-action@v2
if: github.event_name != 'pull_request'
with:
set: |
base.output=type=image,push=true
base.cache-from=type=registry,ref=${{ env.IMAGE }}:buildcache
base.cache-to=type=registry,ref=${{ env.IMAGE }}:buildcache,mode=max
- name: Sign the images with GitHub Actions provided token
# Only sign on tags and on commits on main branch
if: |
github.event_name != 'pull_request'
&& (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main')
run: cosign sign ${TAGS}
env:
TAGS: "${{ steps.meta.outputs.tags }} ${{ steps.meta-debug.outputs.tags }}"
COSIGN_EXPERIMENTAL: 1
Reference in New Issue View Git Blame Copy Permalink