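# The primary point of this workflow is to ensure that the developer experience is good.
# We take a very vanilla ubuntu image, install all necessary dependencies via "normal" means,
# and then run the build and test steps as described in the README.md file.
# The artifacts produced by these builds are not intended to be used for anything other than
# ensuring that the developer experience is good.
# Production artifacts are produced in a sterile environment (in another CI workflow).
name: "dev.yml"

on:
  pull_request: {}
  push:
    branches:
      - "main"
    tags:
      - "v*"
  merge_group:
    types: ["checks_requested"]
  workflow_dispatch:
    inputs:
      debug_enabled:
        type: "boolean"
        description: "Run with tmate enabled"
        required: false
        default: false
      debug_justfile:
        type: "boolean"
        description: "enable to see debug statements from just recipes"
        required: false
        default: false
      skip_vlab_tests:
        type: "boolean"
        description: "Skip VLAB tests (they run by default)"
        required: false
        default: false
      run_hlab_tests:
        type: "boolean"
        description: "Run hybrid HLAB tests"
        required: false
        default: false
      enable_release_tests:
        type: "boolean"
        description: "Enable release tests for VLAB/HLAB tests"
        required: false
        default: false

# One run per PR number / pushed commit / merge-group run; a newer run in the
# same group cancels the older one.
concurrency:
  group: "${{ github.workflow }}:${{ github.event.pull_request.number || github.event.after || github.event.merge_group && github.run_id }}"
  cancel-in-progress: true

# Default token permissions for any job that does not declare its own
# `permissions:` block (in this file: `vlab`).
# NOTE(review): `packages: write` and `id-token: write` are therefore handed to
# the reusable vlab workflow; confirm it needs both, otherwise reduce this
# default to `contents: read` and grant the rest per job.
permissions:
  contents: "read"
  packages: "write"
  id-token: "write"

# NOTE(review): third-party actions below (dorny/paths-filter, cachix/*,
# mxschmitt/action-tmate, peter-evans/create-pull-request) and the reusable
# workflow are referenced by mutable tag or branch. Several of these steps run
# with registry credentials or write-scoped tokens, so pin each one to a full
# commit SHA, e.g. `uses: owner/action@<full-commit-sha> # vN`.
jobs:
  # Decides whether the expensive jobs need to run, based on which paths changed.
  check_changes:
    name: "Deduce required tests from code changes"
    permissions:
      contents: "read"
      pull-requests: "read"
    runs-on: "ubuntu-latest"
    outputs:
      devfiles: "${{ steps.changes.outputs.devfiles }}"
    steps:
      - name: "Checkout"
        # Skipped on pull_request events; only non-PR events check out the tree.
        if: "${{ !github.event.pull_request }}"
        uses: "actions/checkout@v6"
        with:
          persist-credentials: "false"
          fetch-depth: "0"
      - name: "Check code changes"
        uses: "dorny/paths-filter@v3"
        id: "changes"
        with:
          # `devfiles` matches anything outside the listed docs/editor/meta
          # paths, plus this workflow file itself.
          filters: |
            devfiles:
              - '!(README.md|LICENSE|NOTICE|.zed/**|.vscode/**|CLAUDE.md|.rules|development/**|testing.md|workspace-deps.svg|codebook.toml|.markdownlint.json|.gitattributes|.gitignore|.github/**)'
              - '.github/workflows/dev.yml'

  # Derives a temporary artifact version (v0-<first 9 chars of the sha>) and the
  # ref it was built from.
  version:
    runs-on: lab
    permissions:
      contents: read
    outputs:
      version: "${{ steps.version-gen.outputs.version }}"
      ref: "${{ steps.version-gen.outputs.ref }}"
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          # No later step in this job uses git, so do not leave the token in
          # .git/config on the runner (matches the other checkouts in this file).
          persist-credentials: false
          fetch-depth: 0
      - name: Generate temp artifacts version
        id: version-gen
        env:
          # Passed through the environment rather than interpolated into the script.
          commit_sha: ${{ github.event.pull_request.head.sha || github.sha }}
        run: |
          echo "version=v0-${commit_sha::9}" >> "$GITHUB_OUTPUT"
          echo "ref=${commit_sha}" >> "$GITHUB_OUTPUT"

  # Builds and pushes one container per (nix-target, build flavour) pair.
  # NOTE(review): `lab` appears to be a self-hosted runner label, and this job
  # also runs for `pull_request` events with the Docker socket passed to `just`.
  # Confirm that workflows from fork PRs require maintainer approval before
  # they are allowed to run here.
  build:
    if: "${{ needs.check_changes.outputs.devfiles == 'true' }}"
    name: "${{matrix.nix-target}}/${{matrix.build.name}}"
    continue-on-error: ${{ matrix.build.optional || false }}
    runs-on: lab
    needs:
      - check_changes
      - version
    permissions:
      checks: "write"
      pull-requests: "write"
      contents: "read"
      packages: "write"
      id-token: "write"
    env:
      CACHE_REGISTRY: "run.h.hhdev.io:30000"
      UPSTREAM_REGISTRY: "ghcr.io"
      USER: "runner"
    strategy:
      fail-fast: false
      matrix:
        nix-target:
          # - tests.all
          - frr.dataplane
          - frr.host
          - dataplane
        build:
          - name: "debug"
            profile: "debug"
            sanitize: ""
            instrument: "none"
          - name: "release"
            profile: "release"
            sanitize: "" # TODO: enable safe-stack,cfi when possible
            instrument: "none"
          # FIXME: The following commented sections are marked optional
          # and the build continues after they fail, but then summary
          # fails. For now, comment this out, but ideally we'd run them
          # let them fail, but let the summary pass anyway
          - name: "sanitize/address"
            profile: "debug" # FIXME: should be fuzz, but build time explodes for unknown reasons
            sanitize: "address,leak"
            instrument: "none" # FIXME: should be coverage, but build time explodes for unknown reasons
            optional: true # FIXME: Make required once existing bugs are fixed
          - name: "sanitize/thread"
            profile: "fuzz"
            sanitize: "thread"
            instrument: "none" # FIXME: should be coverage, but build time explodes for unknown reasons
            optional: true # FIXME: Make required once existing bugs are fixed
        debug_justfile:
          - "${{ inputs.debug_justfile || false }}"
    steps:
      - name: "login to ghcr.io"
        uses: "docker/login-action@v4"
        with:
          registry: "${{ env.UPSTREAM_REGISTRY }}"
          username: "${{ github.actor }}"
          password: "${{ secrets.GITHUB_TOKEN }}"
      - name: "login to image cache"
        uses: "docker/login-action@v4"
        with:
          registry: "${{ env.CACHE_REGISTRY }}"
          username: "${{ secrets.LAB_REGISTRY_USERNAME }}"
          password: "${{ secrets.LAB_REGISTRY_TOKEN }}"
      # it's temporarily needed to install skopeo
      - name: Setup Go
        uses: actions/setup-go@v6
        with:
          go-version: stable
          cache: true
      - name: "Checkout"
        uses: "actions/checkout@v6"
        with:
          persist-credentials: "false"
          fetch-depth: "0"
      - name: "Install nix"
        uses: cachix/install-nix-action@v31
        with:
          github_access_token: ${{ secrets.GITHUB_TOKEN }}
          nix_path: nixpkgs=channel:nixpkgs-unstable
      - uses: "cachix/cachix-action@v14"
        with:
          name: "hedgehog"
          # prettier-ignore
          signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
          # prettier-ignore
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
      - name: "cargo deny"
        run: |
          nix-shell --run "cargo deny check"
      # The matrix values interpolated into the scripts below come from the
      # static matrix above (plus one boolean workflow input), not from
      # free-form event text.
      - name: "run tests"
        if: ${{ matrix.nix-target == 'tests.all' }}
        run: |
          just \
            docker_sock=/run/docker/docker.sock \
            debug_justfile="${{matrix.debug_justfile}}" \
            profile="${{matrix.build.profile}}" \
            sanitize="${{matrix.build.sanitize}}" \
            instrument="${{matrix.build.instrument}}" \
            test
      - name: "push container"
        if: ${{ matrix.nix-target != 'tests.all' }}
        run: |
          just \
            docker_sock=/run/docker/docker.sock \
            debug_justfile="${{matrix.debug_justfile}}" \
            profile="${{matrix.build.profile}}" \
            sanitize="${{matrix.build.sanitize}}" \
            instrument="${{matrix.build.instrument}}" \
            oci_repo="ghcr.io" \
            push-container "${{matrix.nix-target}}"
      - name: "push container for vlab"
        # String literals inside ${{ }} must be single-quoted; a double-quoted
        # "" is rejected by the expression parser and invalidates the workflow.
        if: ${{ matrix.nix-target != 'tests.all' && matrix.build.sanitize == '' }}
        run: |
          just \
            docker_sock=/run/docker/docker.sock \
            debug_justfile="${{matrix.debug_justfile}}" \
            profile="${{matrix.build.profile}}" \
            sanitize="${{matrix.build.sanitize}}" \
            instrument="${{matrix.build.instrument}}" \
            version="${{ needs.version.outputs.version }}-${{ matrix.build.profile }}" \
            oci_repo="ghcr.io" \
            push-container "${{matrix.nix-target}}"
      - name: "Setup tmate session for debug"
        # Only after a failure, only on a manual run, and only when requested.
        if: ${{ failure() && github.event_name == 'workflow_dispatch' && inputs.debug_enabled }}
        uses: "mxschmitt/action-tmate@v3"
        timeout-minutes: 60
        with:
          # Restricts the session to the user who triggered the run.
          limit-access-to-actor: true

  # Runs the virtual/hybrid lab tests through fabricator's reusable workflow.
  # NOTE(review): the workflow is taken from the moving `master` branch and this
  # job inherits the workflow-level `packages: write` / `id-token: write`
  # permissions; pin the ref to a commit SHA and scope the permissions here.
  vlab:
    if: "${{ needs.check_changes.outputs.devfiles == 'true' || (startsWith(github.event.ref, 'refs/tags/v') || startsWith(github.ref, 'refs/tags/v')) && (github.event_name == 'push' || github.event_name == 'workflow_dispatch') }}"
    needs:
      - check_changes
      - build
      - version
    name: "${{ matrix.hybrid && 'h' || 'v' }}-${{ matrix.upgradefrom && 'up' || '' }}${{ matrix.upgradefrom }}${{ matrix.upgradefrom && '-' || '' }}${{ matrix.mesh && 'mesh-' || '' }}${{ matrix.gateway && 'gw-' || '' }}${{ matrix.includeonie && 'onie-' || '' }}${{ matrix.buildmode }}-${{ matrix.vpcmode }}"
    uses: githedgehog/fabricator/.github/workflows/run-vlab.yaml@master
    with:
      # ci:+hlab is required to enable hybrid lab tests on PR
      # ci:+vlab is required to enable virtual lab tests on PR
      # ci:-upgrade disables upgrade tests on PR
      # hlab is disabled for main and merge_queue till we have gateway tests for it
      skip: >-
        ${{
          github.event_name == 'pull_request'
          && (
            matrix.hybrid && !contains(github.event.pull_request.labels.*.name, 'ci:+hlab')
            || !matrix.hybrid && !contains(github.event.pull_request.labels.*.name, 'ci:+vlab')
            || matrix.upgradefrom != '' && contains(github.event.pull_request.labels.*.name, 'ci:-upgrade')
          )
          || github.event_name == 'workflow_dispatch'
          && (
            matrix.hybrid && inputs.run_hlab_tests != true
            || !matrix.hybrid && inputs.skip_vlab_tests == true
          )
          || (github.event_name == 'push' || github.event_name == 'merge_group')
          && matrix.hybrid
        }}
      fabricatorref: master
      prebuild: "just bump dataplane ${{ needs.version.outputs.version }}-release"
      fabricmode: ${{ matrix.fabricmode }}
      gateway: ${{ matrix.gateway }}
      includeonie: ${{ matrix.includeonie }}
      buildmode: ${{ matrix.buildmode }}
      vpcmode: ${{ matrix.vpcmode }}
      releasetest: ${{ contains(github.event.pull_request.labels.*.name, 'ci:+release') || inputs.enable_release_tests == true }}
      hybrid: ${{ matrix.hybrid }}
      upgradefrom: ${{ matrix.upgradefrom }}
    strategy:
      fail-fast: false
      matrix:
        fabricmode:
          - spine-leaf
        gateway:
          - true
        includeonie:
          - false
        buildmode:
          - iso
        vpcmode:
          - l2vni
        hybrid:
          - false
        upgradefrom:
          - ""
          - "25.05"
        include:
          # gateway l3vni
          - fabricmode: spine-leaf
            gateway: true
            includeonie: false
            buildmode: iso
            vpcmode: l3vni
            hybrid: false
            upgradefrom: ""
          # hlab gateway l2vni
          - fabricmode: spine-leaf
            gateway: true
            includeonie: false
            buildmode: iso
            vpcmode: l2vni
            hybrid: true
            upgradefrom: ""

  # Single stable check that aggregates the matrix jobs' results.
  summary:
    name: "Summary"
    runs-on: "ubuntu-latest"
    # The steps only echo and exit, so this job needs no token permissions.
    permissions: {}
    needs:
      - build
      - vlab
    # Run always, except when the "build" job was skipped.
    #
    # When the build job is skipped, summary will be marked as skipped, and
    # it's OK for CI (it's not a failure).
    # Why don't we do the same for build jobs? Because their names depend on
    # matrix values, and if we skip them the names won't be generated and
    # GitHub won't be able to find skipped jobs for required status checks.
    if: ${{ always() }}
    steps:
      - name: "Flag any build matrix failures"
        if: ${{ needs.build.result != 'success' && needs.build.result != 'skipped' }}
        run: |
          echo '::error:: Some build job(s) failed'
          exit 1
      - name: "Flag any vlab matrix failures"
        if: ${{ needs.vlab.result != 'success' && needs.vlab.result != 'skipped' }}
        run: |
          echo '::error:: Some vlab job(s) failed'
          exit 1

  # On a pushed `v*` tag: push the release container and open a PR in the
  # fabricator repository that bumps the dataplane version to the tag name.
  publish:
    env:
      CACHE_REGISTRY: "run.h.hhdev.io:30000"
      UPSTREAM_REGISTRY: "ghcr.io"
    runs-on: lab
    if: startsWith(github.event.ref, 'refs/tags/v') && github.event_name == 'push'
    needs:
      - build
      - vlab
    permissions:
      packages: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          # Nothing below pushes to this repository over git, so the token does
          # not need to stay in .git/config while the release steps run.
          persist-credentials: false
          fetch-depth: 0
      - name: Setup Go
        uses: actions/setup-go@v6
        with:
          go-version: stable
          cache: true
      - name: Login to ghcr.io
        uses: docker/login-action@v4
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: "login to image cache"
        uses: "docker/login-action@v4"
        with:
          registry: "${{ env.CACHE_REGISTRY }}"
          username: "${{ secrets.LAB_REGISTRY_USERNAME }}"
          password: "${{ secrets.LAB_REGISTRY_TOKEN }}"
      # NOTE(review): this job defines no `strategy.matrix`, so the
      # `matrix.debug_justfile` and `matrix.profile` references in the two
      # `just` steps below expand to empty strings (`profile=` in particular).
      # Confirm the intended values and hard-code them or add a matrix.
      # NOTE(review): `busybox:latest` is a mutable tag and is run with
      # `--privileged` to write hugepage settings under /sys; pin the image by
      # digest (`busybox@sha256:<digest>`).
      - name: "set up build environment"
        run: |
          REQUIRED_HUGEPAGES=512
          HUGEPAGES_PATH=/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
          OVERCOMMIT_HUGEPAGES_PATH=/sys/kernel/mm/hugepages/hugepages-2048kB/nr_overcommit_hugepages
          docker run --privileged --rm busybox:latest sh -c "echo $((6 * REQUIRED_HUGEPAGES)) > $OVERCOMMIT_HUGEPAGES_PATH"
          docker run --privileged --rm busybox:latest sh -c "echo $((2 * REQUIRED_HUGEPAGES)) > $HUGEPAGES_PATH"
          docker pull "${{env.UPSTREAM_REGISTRY}}/githedgehog/testn/n-vm:v0.0.9"
          just --yes \
            docker_sock=/run/docker/docker.sock \
            debug_justfile="${{matrix.debug_justfile}}" \
            profile=${{matrix.profile}} \
            dpdp_sys_registry="${{env.CACHE_REGISTRY}}" \
            refresh-compile-env
          just --yes debug_justfile="${{matrix.debug_justfile}}" fake-nix
      - name: "push container"
        run: |
          just \
            debug_justfile="${{matrix.debug_justfile}}" \
            profile=release \
            oci_repo="ghcr.io" \
            push-container
      # Bump dataplane in the fabricator repository
      - name: Checkout fabricator repository
        uses: actions/checkout@v6
        with:
          repository: githedgehog/fabricator
          path: fab-repo
          persist-credentials: false
      - name: Bump dataplane in fabricator
        working-directory: fab-repo
        env:
          # The tag name is chosen by whoever pushes the tag. Hand it to the
          # script through the environment instead of expanding it into the
          # script text, where shell metacharacters would be executed.
          DATAPLANE_VERSION: ${{ github.ref_name }}
        run: |
          # The value lands inside a sed replacement and a Go string literal;
          # reject anything outside a conservative version alphabet so it
          # cannot alter either.
          case "${DATAPLANE_VERSION}" in
            *[!0-9A-Za-z._+-]*)
              echo "::error::unexpected characters in tag name"
              exit 1
              ;;
          esac
          sed -i "s/^\tDataplaneVersion.*/\tDataplaneVersion=meta.Version(\"${DATAPLANE_VERSION}\")/" pkg/fab/versions.go
          go fmt pkg/fab/versions.go
      - name: Generate token for the fabricator repository
        uses: actions/create-github-app-token@v2
        id: fab-app-token
        with:
          app-id: ${{ secrets.FAB_APP_ID }}
          private-key: ${{ secrets.FAB_PRIVATE_KEY }}
          # Token is scoped to the fabricator repository only.
          repositories: |
            fabricator
      - name: Create Pull Request for fabricator
        uses: peter-evans/create-pull-request@v8
        id: fab-pr
        with:
          token: ${{ steps.fab-app-token.outputs.token }}
          path: fab-repo
          branch: pr/auto/dataplane-bump
          commit-message: |
            bump: dataplane to ${{ github.ref_name }}
            This is an automated commit created by GitHub Actions workflow,
            in the dataplane repository.
          signoff: true
          title: "bump: dataplane to ${{ github.ref_name }}"
          body: |
            This is an automated Pull Request created by GitHub Actions workflow,
            in the dataplane repository.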