mirror of
https://github.com/element-hq/matrix-authentication-service.git
synced 2026-04-27 15:05:58 +00:00
Quentin Gliech
411 lines
10 KiB
YAML
411 lines
10 KiB
YAML
name: CI
|
|
|
|
on:
|
|
push:
|
|
branches: [ main ]
|
|
pull_request:
|
|
branches: [ main ]
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
env:
|
|
CARGO_TERM_COLOR: always
|
|
CARGO_NET_GIT_FETCH_WITH_CLI: "true"
|
|
|
|
jobs:
|
|
opa-lint:
|
|
name: Lint and test OPA policies
|
|
runs-on: ubuntu-latest
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
steps:
|
|
- name: Checkout the code
|
|
uses: actions/checkout@v3
|
|
|
|
- name: Setup OPA
|
|
uses: open-policy-agent/setup-opa@v2.0.1
|
|
with:
|
|
version: 0.45.0
|
|
|
|
- name: Lint policies
|
|
run: |
|
|
cd crates/policy/policies
|
|
make lint
|
|
|
|
- name: Run OPA tests
|
|
run: |
|
|
cd crates/policy/policies
|
|
make test
|
|
|
|
- name: Run OPA tests with coverage
|
|
run: |
|
|
cd crates/policy/policies
|
|
make coverage
|
|
|
|
- name: Upload to codecov.io
|
|
uses: codecov/codecov-action@v3
|
|
with:
|
|
files: crates/policy/policies/coverage.json
|
|
flags: policies
|
|
|
|
|
|
rustfmt:
|
|
name: Check style
|
|
runs-on: ubuntu-latest
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
steps:
|
|
- name: Checkout the code
|
|
uses: actions/checkout@v3
|
|
|
|
- name: Install toolchain
|
|
run: |
|
|
rustup toolchain install nightly
|
|
rustup default nightly
|
|
rustup component add rustfmt
|
|
|
|
- name: Check style
|
|
run: cargo fmt --all -- --check
|
|
|
|
|
|
check-schema:
|
|
name: Check schema
|
|
runs-on: ubuntu-latest
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
steps:
|
|
- name: Checkout the code
|
|
uses: actions/checkout@v3
|
|
|
|
- name: Install toolchain
|
|
run: |
|
|
rustup toolchain install stable
|
|
rustup default stable
|
|
|
|
- name: Setup Rust cache
|
|
uses: Swatinem/rust-cache@v2
|
|
|
|
- name: Update the schemas
|
|
run: sh ./misc/update-schemas.sh
|
|
|
|
- name: Check that the workspace is clean
|
|
run: |
|
|
[[ -z $(git status -s) ]]
|
|
|
|
|
|
clippy:
|
|
name: Run Clippy
|
|
needs: [rustfmt, opa-lint]
|
|
runs-on: ubuntu-latest
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
steps:
|
|
- name: Checkout the code
|
|
uses: actions/checkout@v3
|
|
|
|
- name: Install toolchain
|
|
run: |
|
|
rustup toolchain install 1.65.0
|
|
rustup default 1.65.0
|
|
rustup component add clippy
|
|
|
|
- name: Install Protoc
|
|
uses: arduino/setup-protoc@v1
|
|
|
|
- name: Setup OPA
|
|
uses: open-policy-agent/setup-opa@v2.0.1
|
|
with:
|
|
version: 0.45.0
|
|
|
|
- name: Compile OPA policies
|
|
run: |
|
|
cd crates/policy/policies
|
|
make
|
|
|
|
- name: Setup Rust cache
|
|
uses: Swatinem/rust-cache@v2
|
|
|
|
- name: Run clippy
|
|
run: |
|
|
cargo clippy --workspace -- -D warnings
|
|
|
|
|
|
test:
|
|
name: Run test suite with Rust ${{ matrix.toolchain }}
|
|
needs: [rustfmt, opa-lint]
|
|
runs-on: ubuntu-latest
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
strategy:
|
|
fail-fast: false # Continue other jobs if one fails to help filling the cache
|
|
matrix:
|
|
toolchain:
|
|
- stable
|
|
- beta
|
|
- nightly
|
|
|
|
services:
|
|
postgres:
|
|
image: docker.io/library/postgres:14.4
|
|
env:
|
|
POSTGRES_USER: postgres
|
|
POSTGRES_PASSWORD: postgres
|
|
POSTGRES_DB: postgres
|
|
options: >-
|
|
--health-cmd pg_isready
|
|
--health-interval 10s
|
|
--health-timeout 5s
|
|
--health-retries 5
|
|
ports:
|
|
- "5432:5432"
|
|
|
|
steps:
|
|
- name: Checkout the code
|
|
uses: actions/checkout@v3
|
|
|
|
- name: Install toolchain
|
|
run: |
|
|
rustup toolchain install ${{ matrix.toolchain }}
|
|
rustup default ${{ matrix.toolchain }}
|
|
|
|
- name: Install Protoc
|
|
uses: arduino/setup-protoc@v1
|
|
|
|
- name: Setup OPA
|
|
uses: open-policy-agent/setup-opa@v2.0.1
|
|
with:
|
|
version: 0.45.0
|
|
|
|
- name: Compile OPA policies
|
|
run: |
|
|
cd crates/policy/policies
|
|
make
|
|
|
|
- name: Setup Rust cache
|
|
uses: Swatinem/rust-cache@v2
|
|
|
|
- name: Test
|
|
id: test
|
|
env:
|
|
DATABASE_URL: postgresql://postgres:postgres@localhost/postgres
|
|
SQLX_OFFLINE: '1'
|
|
run: |
|
|
cargo test --workspace
|
|
|
|
# Ignore errors on the nightly toolchain
|
|
continue-on-error: "${{ matrix.toolchain == 'nightly' }}"
|
|
|
|
- name: Emit error annotation on failures
|
|
if: steps.test.outcome == 'failure'
|
|
run: |
|
|
echo "::error ::Test suite failed on ${{ matrix.toolchain }} toolchain"
|
|
|
|
|
|
coverage:
|
|
name: Code coverage
|
|
needs: [rustfmt, opa-lint]
|
|
runs-on: ubuntu-latest
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
services:
|
|
postgres:
|
|
image: docker.io/library/postgres:14.4
|
|
env:
|
|
POSTGRES_USER: postgres
|
|
POSTGRES_PASSWORD: postgres
|
|
POSTGRES_DB: postgres
|
|
options: >-
|
|
--health-cmd pg_isready
|
|
--health-interval 10s
|
|
--health-timeout 5s
|
|
--health-retries 5
|
|
ports:
|
|
- "5432:5432"
|
|
|
|
steps:
|
|
- name: Checkout the code
|
|
uses: actions/checkout@v3
|
|
|
|
- name: Install toolchain
|
|
run: |
|
|
rustup toolchain install stable
|
|
rustup default stable
|
|
rustup component add llvm-tools-preview
|
|
|
|
- name: Install Protoc
|
|
uses: arduino/setup-protoc@v1
|
|
|
|
- name: Setup OPA
|
|
uses: open-policy-agent/setup-opa@v2.0.1
|
|
with:
|
|
version: 0.45.0
|
|
|
|
- name: Compile OPA policies
|
|
run: |
|
|
cd crates/policy/policies
|
|
make
|
|
|
|
- name: Setup Rust cache
|
|
uses: Swatinem/rust-cache@v2
|
|
|
|
- name: Download grcov
|
|
run: |
|
|
mkdir -p "${HOME}/.local/bin"
|
|
curl -sL https://github.com/mozilla/grcov/releases/download/v0.8.13/grcov-x86_64-unknown-linux-gnu.tar.bz2 | tar jxf - -C "${HOME}/.local/bin"
|
|
echo "$HOME/.local/bin" >> $GITHUB_PATH
|
|
|
|
- name: Run test suite with profiling enabled
|
|
run: |
|
|
cargo test --no-fail-fast --workspace
|
|
env:
|
|
RUSTFLAGS: '-Cinstrument-coverage'
|
|
LLVM_PROFILE_FILE: "cargo-test-%p-%m.profraw"
|
|
DATABASE_URL: postgresql://postgres:postgres@localhost/postgres
|
|
SQLX_OFFLINE: '1'
|
|
|
|
- name: Build grcov report
|
|
run: |
|
|
mkdir -p target/coverage
|
|
grcov . --binary-path ./target/debug/deps/ -s . -t lcov --branch --ignore-not-existing --ignore '../*' --ignore "/*" -o target/coverage/tests.lcov
|
|
|
|
- name: Upload to codecov.io
|
|
uses: codecov/codecov-action@v3
|
|
with:
|
|
files: target/coverage/*.lcov
|
|
flags: unit
|
|
|
|
|
|
build-image:
|
|
name: Build and push Docker image
|
|
needs: [rustfmt, opa-lint]
|
|
runs-on: ubuntu-latest
|
|
env:
|
|
IMAGE: ghcr.io/matrix-org/matrix-authentication-service
|
|
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
id-token: write
|
|
|
|
steps:
|
|
- name: Checkout the code
|
|
uses: actions/checkout@v3
|
|
|
|
- name: Docker meta
|
|
id: meta
|
|
uses: docker/metadata-action@v4
|
|
with:
|
|
images: "${{ env.IMAGE }}"
|
|
bake-target: docker-metadata-action
|
|
tags: |
|
|
type=ref,event=branch
|
|
type=semver,pattern={{version}}
|
|
type=semver,pattern={{major}}.{{minor}}
|
|
type=semver,pattern={{major}}
|
|
type=sha
|
|
|
|
- name: Docker meta (debug variant)
|
|
id: meta-debug
|
|
uses: docker/metadata-action@v4
|
|
with:
|
|
images: "${{ env.IMAGE }}"
|
|
bake-target: docker-metadata-action-debug
|
|
tags: |
|
|
type=ref,event=branch,suffix=-debug
|
|
type=semver,pattern={{version}},suffix=-debug
|
|
type=semver,pattern={{major}}.{{minor}},suffix=-debug
|
|
type=semver,pattern={{major}},suffix=-debug
|
|
type=sha,suffix=-debug
|
|
|
|
- name: Setup Cosign
|
|
uses: sigstore/cosign-installer@v2.8.1
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v2
|
|
with:
|
|
config-inline: |
|
|
[registry."docker.io"]
|
|
mirrors = ["mirror.gcr.io"]
|
|
|
|
- name: Login to GitHub Container Registry
|
|
if: github.event_name != 'pull_request'
|
|
uses: docker/login-action@v2
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.repository_owner }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
# For pull-requests, only read from the cache, do not try to push to the
|
|
# cache or the image itself
|
|
# We only build for the amd64 platform in pull-requests to speed-up CI
|
|
- name: Build
|
|
uses: docker/bake-action@v2
|
|
if: github.event_name == 'pull_request'
|
|
with:
|
|
files: |
|
|
docker-bake.hcl
|
|
${{ steps.meta.outputs.bake-file }}
|
|
${{ steps.meta-debug.outputs.bake-file }}
|
|
set: |
|
|
base.context=https://github.com/${{ github.repository }}.git#${{ github.ref }}
|
|
base.platform=linux/amd64
|
|
base.cache-from=type=registry,ref=${{ env.IMAGE }}:buildcache
|
|
|
|
- name: Build and push
|
|
uses: docker/bake-action@v2
|
|
if: github.event_name != 'pull_request'
|
|
with:
|
|
files: |
|
|
docker-bake.hcl
|
|
${{ steps.meta.outputs.bake-file }}
|
|
${{ steps.meta-debug.outputs.bake-file }}
|
|
set: |
|
|
base.context=https://github.com/${{ github.repository }}.git#${{ github.ref }}
|
|
base.output=type=image,push=true
|
|
base.cache-from=type=registry,ref=${{ env.IMAGE }}:buildcache
|
|
base.cache-to=type=registry,ref=${{ env.IMAGE }}:buildcache,mode=max
|
|
|
|
- name: Sign the images with GitHub Actions provided token
|
|
# Only sign on tags and on commits on main branch
|
|
if: |
|
|
github.event_name != 'pull_request'
|
|
&& (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main')
|
|
|
|
run: cosign sign ${TAGS}
|
|
env:
|
|
TAGS: "${{ steps.meta.outputs.tags }} ${{ steps.meta-debug.outputs.tags }}"
|
|
COSIGN_EXPERIMENTAL: 1
|
|
|
|
|
|
tests-done:
|
|
name: Tests done
|
|
if: ${{ always() }}
|
|
needs:
|
|
- opa-lint
|
|
- rustfmt
|
|
- clippy
|
|
- check-schema
|
|
- test
|
|
- coverage
|
|
- build-image
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- uses: matrix-org/done-action@v2
|
|
with:
|
|
needs: ${{ toJSON(needs) }}
|