build-workflow #6077

Workflow file for this run

.github/workflows/build-workflow.yml at bb8331c

	name: build-workflow

	on:
	push:
	tags:
	- "*"

	merge_group:
	workflow_dispatch:
	inputs:
	include:
	description: Only run tests matching tests with the given tags
	type: string
	required: false
	default: ""
	processes:
	description: Number of processes to run tests
	type: string
	required: false
	default: "10"

	# Use a manual approval process before PR's are given access to
	# the secrets which are required to run the integration tests.
	# The PR code should be manually approved to see if it can be trusted.
	# When in doubt, do not approve the test run.
	# Reference: https://dev.to/petrsvihlik/using-environment-protection-rules-to-secure-secrets-when-building-external-forks-with-pullrequesttarget-hci
	pull_request_target:
	branches: [ main ]

	env:
	CARGO_TERM_COLOR: always

	jobs:
	cargo-test:
	name: Run cargo test
	runs-on: ubuntu-24.04
	steps:
	- name: Check disk space before setting up
	run: df -BM

	- name: Reclaim some disk space
	run: \|
	sudo rm -rf /usr/share/dotnet
	sudo rm -rf /usr/share/swift
	sudo rm -rf /usr/local/lib/android
	sudo rm -rf /opt/ghc
	sudo rm -rf /usr/local/.ghcup
	sudo rm -rf "/usr/local/share/boost"
	sudo rm -rf "$AGENT_TOOLSDIRECTORY"
	sudo rm -rf /opt/hostedtoolcache/
	sudo rm -rf /usr/local/graalvm/
	sudo rm -rf /usr/local/share/powershell
	sudo rm -rf /usr/local/share/chromium
	sudo rm -rf /usr/local/lib/node_modules
	sudo docker image prune --all --force

	APT_PARAMS='sudo apt -y -qq -o=Dpkg::Use-Pty=0'
	$APT_PARAMS remove '^dotnet-.' '^php.' '^mongodb-.' '^llvm-.' '^mysql-.' azure-cli 'google-' google-chrome-stable firefox powershell mono-devel
	$APT_PARAMS autoremove --purge
	$APT_PARAMS autoclean
	$APT_PARAMS clean

	# Make sure /mnt has plenty of empty space,
	# but ignore the error we encounter on /mnt/swapfile
	# since we can't delete that
	sudo rm -rf /mnt/* \|\| true

	- name: Check disk space after freeing
	run: df -BM

	- name: Checkout
	uses: actions/checkout@v4
	with:
	ref: ${{ github.event.pull_request.head.sha }}

	- name: Retrieve MSRV from workspace Cargo.toml
	id: rust_version
	uses: SebRollen/[email protected]
	with:
	file: Cargo.toml
	field: "workspace.package.rust-version"

	- name: Enable toolchain via github action
	uses: dtolnay/rust-toolchain@stable
	with:
	components: llvm-tools-preview

	- name: Enable cache
	uses: Swatinem/rust-cache@v2

	- name: Install latest nextest release
	uses: taiki-e/install-action@nextest

	- name: cargo install cargo-llvm-cov
	uses: taiki-e/install-action@cargo-llvm-cov

	- name: Create dir for temporary files
	run: sudo mkdir /mnt/test-tmp && sudo chmod 777 /mnt/test-tmp

	- name: cargo llvm-cov
	run: cargo llvm-cov nextest --no-fail-fast --locked --all-features --all-targets --codecov --output-path codecov.json
	env:
	TEMP_DIR_ROOT: /mnt/test-tmp

	# https://github.com/rust-lang/cargo/issues/6669
	- name: cargo test --doc
	run: cargo test --locked --all-features --doc

	- name: Upload to codecov.io
	uses: codecov/codecov-action@v5
	with:
	token: ${{ secrets.CODECOV_TOKEN }}
	fail_ci_if_error: false

	- name: Check disk space after completing workflow
	run: df -BM

	build:
	name: Build ${{ matrix.target }}
	runs-on: ${{ matrix.host_os }}
	strategy:
	fail-fast: false
	matrix:
	# Note: Targets which requires a non-default rust_channel
	# then they should not be included in the .target list, but
	# rather in the include section.
	# This is just how Github processes matrix jobs
	target:
	- aarch64-unknown-linux-musl
	- armv7-unknown-linux-musleabihf
	- arm-unknown-linux-musleabihf
	- arm-unknown-linux-musleabi
	- armv5te-unknown-linux-musleabi
	- x86_64-unknown-linux-musl
	- i686-unknown-linux-musl
	- riscv64gc-unknown-linux-gnu
	- aarch64-apple-darwin
	- x86_64-apple-darwin

	rust_channel:
	- "1.85"

	include:
	- target: aarch64-unknown-linux-musl
	build_with: auto
	host_os: ubuntu-24.04
	cargo_options: --no-run

	- target: armv7-unknown-linux-musleabihf
	build_with: auto
	host_os: ubuntu-24.04
	cargo_options: --no-run

	- target: arm-unknown-linux-musleabihf
	build_with: auto
	host_os: ubuntu-24.04
	cargo_options: --no-run

	- target: arm-unknown-linux-musleabi
	build_with: auto
	host_os: ubuntu-24.04
	cargo_options: --no-run

	- target: armv5te-unknown-linux-musleabi
	build_with: clang
	host_os: ubuntu-24.04
	cargo_options: --no-run

	- target: x86_64-unknown-linux-musl
	build_with: auto
	host_os: ubuntu-24.04

	- target: i686-unknown-linux-musl
	build_with: auto
	host_os: ubuntu-24.04
	cargo_options: --no-run

	# Note: riscv64gc-unknown-linux-musl is meant to be supported from 1.82
	# but there are still some build problems which prevent it from being used.
	# So stick to gnu build only
	- target: riscv64gc-unknown-linux-gnu
	build_with: auto
	host_os: ubuntu-24.04
	cargo_options: --no-run

	- target: aarch64-apple-darwin
	build_with: clang
	host_os: macos-14
	cargo_options: --no-run

	- target: x86_64-apple-darwin
	build_with: clang
	host_os: macos-14

	steps:
	- if: ${{ contains(matrix.host_os, 'ubuntu') }}
	run: \|
	sudo apt-get update -y
	- name: Checkout
	uses: actions/checkout@v4
	with:
	ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha \|\| '' }}
	fetch-depth: 0

	# Install nfpm used to for linux packaging
	- uses: actions/setup-go@v5
	with:
	go-version: 'stable'
	cache: false
	- run: go install github.com/goreleaser/nfpm/v2/cmd/nfpm@latest

	- uses: taiki-e/install-action@just
	- name: build
	run: \|
	just release ${{ matrix.target }} --toolchain ${{ matrix.rust_channel }} --build-with ${{ matrix.build_with }}

	- name: Upload packages as zip
	# https://github.com/marketplace/actions/upload-a-build-artifact
	uses: actions/upload-artifact@v4
	with:
	name: packages-${{ matrix.target }}
	path: target/${{ matrix.target }}/packages/.

	# Note: Validate that all build jobs completed successfully
	# If a Runner fails on the setup, it can leave a job marked as "skipped"
	# and this does not cause the entire job to fail, instead it silently continues
	# leading to downstream problems (e.g. only publishing half of the artifacts!)
	#
	# see https://stackoverflow.com/a/67532120/4907315
	# Fail if any `needs` job was not a success.
	# Along with `if: always()`, this allows this job to act as a single required status check for the entire build job
	#
	check-build:
	runs-on: ubuntu-latest
	needs: [build]
	if: always()
	steps:
	- name: Fail on workflow error
	run: exit 1
	if: >-
	${{
	contains(needs.*.result, 'failure')
	\|\| contains(needs.*.result, 'cancelled')
	\|\| contains(needs.*.result, 'skipped')
	}}

	approve:
	# Note: Use approval as a job so that the downstream jobs are only prompted once (if more than 1 matrix job is defined)
	name: Approve
	environment:
	# For security reasons, all pull requests need to be approved first before granting access to secrets
	# So the environment should be set to have a reviewer/s inspect it before approving it
	name: ${{ github.event_name == 'pull_request_target' && 'Test Pull Request' \|\| 'Test Auto' }}
	runs-on: ubuntu-24.04
	steps:
	- name: Wait for approval
	run: echo "Approved"

	test:
	name: Test ${{ matrix.job.name }}
	# Don't tests on tagging as it has already run in the merge queue
	if: ${{ !startsWith(github.ref, 'refs/tags/') }}
	needs: [approve, check-build]
	environment:
	name: Test Auto
	runs-on: ubuntu-24.04
	strategy:
	matrix:
	job:
	- { name: x86_64, target: x86_64-unknown-linux-musl, output: target/packages }
	steps:
	# Checkout either the PR or the branch
	- name: Checkout
	uses: actions/checkout@v4
	with:
	ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha \|\| '' }}
	fetch-depth: 0

	- name: Download release artifacts
	uses: actions/download-artifact@v4
	with:
	name: packages-${{ matrix.job.target }}
	path: target/${{ matrix.job.target }}/packages/

	- name: create .env file
	working-directory: tests/RobotFramework
	run: \|
	touch .env
	echo 'C8Y_BASEURL="${{ secrets.C8Y_BASEURL }}"' >> .env
	echo 'C8Y_USER="${{ secrets.C8Y_USER }}"' >> .env
	echo 'C8Y_TENANT="${{ secrets.C8Y_TENANT }}"' >> .env
	echo 'C8Y_PASSWORD="${{ secrets.C8Y_PASSWORD }}"' >> .env
	echo 'CA_KEY="${{ secrets.CA_KEY \|\| '' }}"' >> .env
	echo 'CA_PUB="${{ secrets.CA_PUB \|\| '' }}"' >> .env

	- uses: actions/setup-python@v5
	with:
	python-version: '3.9'
	cache: 'pip'
	cache-dependency-path: \|
	*/requirements/requirements.txt

	- name: Install dependencies
	run: \|
	./bin/setup.sh
	working-directory: tests/RobotFramework

	- name: Build images
	working-directory: tests/RobotFramework
	run: \|
	source .venv/bin/activate
	invoke build --arch "${{ matrix.job.target }}"

	- name: Run tests
	working-directory: tests/RobotFramework
	run: \|
	source .venv/bin/activate
	invoke test \
	--processes "${{ inputs.processes \|\| '' }}" \
	--include "${{ inputs.include \|\| '' }}" \
	--outputdir output

	- name: Upload test results
	uses: actions/upload-artifact@v4
	if: always()
	with:
	name: report-${{ matrix.job.target }}
	path: tests/RobotFramework/output

	- name: Send report to commit
	uses: joonvena/[email protected]
	if: always() && github.event_name == 'pull_request_target'
	with:
	gh_access_token: ${{ secrets.GITHUB_TOKEN }}
	report_path: 'tests/RobotFramework/output'
	show_passed_tests: 'false'

	publish:
	name: Publish ${{ matrix.job.target }}
	if: \|
	always() &&
	github.event_name != 'pull_request_target' &&
	(needs.check-build.result == 'success') &&
	(needs.test.result == 'success' \|\| needs.test.result == 'skipped')
	runs-on: ubuntu-24.04
	needs: [check-build, test, cargo-test]
	strategy:
	fail-fast: false
	matrix:
	job:
	- { target: x86_64-unknown-linux-musl, repo_suffix: '', component: main }
	- { target: aarch64-unknown-linux-musl, repo_suffix: '', component: main }
	# Keep arm-unknown-linux-musleabi in separate repo due to armhf conflict between raspbian and debian
	- { target: arm-unknown-linux-musleabi, repo_suffix: '-armv6', component: main }
	- { target: armv7-unknown-linux-musleabihf, repo_suffix: '', component: main }
	- { target: arm-unknown-linux-musleabi, repo_suffix: '', component: main }
	- { target: i686-unknown-linux-musl, repo_suffix: '', component: main }
	# Debian also calls this "armel" (conflict with arm-unknown-linux-musleabi)
	# - { target: armv5te-unknown-linux-musleabi, repo_suffix: '', component: main }
	- { target: riscv64gc-unknown-linux-gnu, repo_suffix: '', component: main }
	- { target: aarch64-apple-darwin, repo_suffix: '', component: main }
	- { target: x86_64-apple-darwin, repo_suffix: '', component: main }

	steps:
	- name: Checkout
	uses: actions/checkout@v4

	# Setup python required by cloudsmith cli
	- uses: actions/setup-python@v5
	with:
	python-version: '3.11'

	- name: Download release artifacts
	uses: actions/download-artifact@v4
	# https://github.com/marketplace/actions/download-a-build-artifact
	with:
	name: packages-${{ matrix.job.target }}
	path: target/${{ matrix.job.target }}/packages/

	- uses: taiki-e/install-action@just
	- name: Publish packages
	env:
	PUBLISH_REPO: ${{ secrets.PUBLISH_REPO }}${{ matrix.job.repo_suffix }}
	PUBLISH_OWNER: ${{ secrets.PUBLISH_OWNER }}
	PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }}
	run: \|
	just publish-linux-target "${{ matrix.job.target }}" \
	--repo "${PUBLISH_REPO}" \
	--component "${{ matrix.job.component }}"

	# Wait until all other publishing jobs are finished
	# before publishing the virtual packages (which are architecture agnostic)
	publish-containers:
	name: Publish Containers
	if: \|
	always() &&
	github.event_name != 'pull_request_target' &&
	(needs.check-build.result == 'success') &&
	(needs.test.result == 'success' \|\| needs.test.result == 'skipped')
	runs-on: ubuntu-24.04
	needs: [check-build, test, cargo-test]
	env:
	BUILDX_NO_DEFAULT_ATTESTATIONS: 1
	permissions:
	contents: read
	packages: write
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	with:
	fetch-depth: 0
	- uses: taiki-e/install-action@just
	- id: tedge
	name: Get Version
	run: \|
	version=$(just version container)
	echo "Detected version: $version"
	echo "version=$version" >> "$GITHUB_OUTPUT"

	# Download artifacts for all targets
	# The docker build step will select the correct target for the
	# given container target platform
	- name: Download release artifacts
	uses: actions/download-artifact@v4
	with:
	path: containers/tedge/packages/

	- name: Set up QEMU
	uses: docker/setup-qemu-action@v3
	- name: Setup Docker buildx
	uses: docker/setup-buildx-action@v3
	- name: Login to GitHub Container Registry
	uses: docker/login-action@v3
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Docker meta
	id: meta
	uses: docker/metadata-action@v5
	with:
	images: \|
	name=ghcr.io/thin-edge/tedge,enable=${{ startsWith(github.ref, 'refs/tags/') }}
	name=ghcr.io/thin-edge/tedge-main,enable=true
	tags: \|
	type=semver,pattern={{version}}
	type=semver,pattern={{major}}.{{minor}}
	type=raw,value=${{ steps.tedge.outputs.version }},enable=${{ !startsWith(github.ref, 'refs/tags/') }}
	type=raw,value=latest

	- name: Build and push
	uses: docker/build-push-action@v6
	with:
	context: containers/tedge
	push: ${{ github.event_name != 'pull_request_target' }}
	platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v6
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	build-args: \|
	BUILDTIME=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
	VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
	REVISION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}

	# Wait until all other publishing jobs are finished
	# before publishing the virtual packages (which are architecture agnostic)
	publish-virtual-packages:
	name: Publish Virtual Packages
	if: \|
	always() &&
	github.event_name != 'pull_request_target' &&
	needs.publish.result == 'success'
	runs-on: ubuntu-24.04
	needs: [publish]
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	with:
	fetch-depth: 0
	# Setup python required by cloudsmith cli
	- uses: actions/setup-python@v5
	with:
	python-version: '3.11'
	# Install nfpm used to for linux packaging
	- uses: actions/setup-go@v5
	with:
	go-version: 'stable'
	cache: false
	- run: go install github.com/goreleaser/nfpm/v2/cmd/nfpm@latest
	- uses: taiki-e/install-action@just
	- name: Build virtual packages
	run: just release-linux-virtual
	- name: Publish packages
	env:
	PUBLISH_REPO: ${{ secrets.PUBLISH_REPO }}
	PUBLISH_OWNER: ${{ secrets.PUBLISH_OWNER }}
	PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }}
	run: \|
	just publish-linux-virtual --repo "${PUBLISH_REPO}"
	just publish-linux-virtual --repo "${PUBLISH_REPO}-armv6"

	release:
	runs-on: ubuntu-latest
	needs: [publish-virtual-packages, publish-containers]
	if: \|
	always() &&
	startsWith(github.ref, 'refs/tags/') &&
	needs.publish-virtual-packages.result == 'success' &&
	needs.publish-containers.result == 'success'
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	with:
	fetch-depth: 0
	persist-credentials: false
	- uses: taiki-e/install-action@just
	- uses: taiki-e/install-action@git-cliff
	- name: Generate changelog
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: \|
	if ! just generate-changelog --from-tags; then
	echo "Warning: Failed to generate changelog, but it should not block a release" > _CHANGELOG.md
	fi
	- name: Release
	uses: softprops/action-gh-release@v2
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	with:
	body_path: _CHANGELOG.md
	generate_release_notes: false
	draft: true

	- name: Create tedge-docs snapshot
	run: \|
	gh workflow run snapshot.yml -R thin-edge/tedge-docs -f version=${{github.ref_name}}
	env:
	# Triggering another workflow requires more additional credentials
	GITHUB_TOKEN: ${{ secrets.ACTIONS_PAT }}

	- name: Promote cloudsmith packages
	env:
	VERSION: ${{ github.ref_name }}
	PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }}
	run: \|
	./ci/admin/cloudsmith_admin.sh promote "$VERSION"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

build-workflow #6077

Workflow file

build-workflow #6077

Uh oh!

Jobs

Run details

Workflow file for this run