saymrwulf/cryptography
1
0
Fork 0
mirror of https://github.com/saymrwulf/cryptography.git synced 2026-05-14 20:37:55 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
cryptography/.github/workflows/ci.yml
Paul Kehrer 5e6476a4c6
drop support for openssl < 1.1.1d (#8449) 
This removes the OS random engine, which contained the only CPython PSF
licensed code in the repository. Accordingly, that license has now been
removed.
2023-03-24 08:36:58 -04:00

672 lines
27 KiB
YAML
Raw Blame History

name: CI
on:
pull_request: {}
push:
branches:
- main
- '*.*.x'
tags:
- '*.*'
- '*.*.*'
permissions:
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
cancel-in-progress: true
env:
CARGO_REGISTRIES_CRATES_IO_PROTOCOL: sparse
jobs:
linux:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
PYTHON:
- {VERSION: "3.11", TOXENV: "flake"}
- {VERSION: "3.11", TOXENV: "rust"}
- {VERSION: "3.11", TOXENV: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.1.0"}}
- {VERSION: "pypy-3.8", TOXENV: "pypy3-nocoverage"}
- {VERSION: "pypy-3.9", TOXENV: "pypy3-nocoverage"}
- {VERSION: "3.11", TOXENV: "py311", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1t"}}
- {VERSION: "3.11", TOXENV: "py311", OPENSSL: {TYPE: "openssl", VERSION: "3.0.8"}}
- {VERSION: "3.11", TOXENV: "py311-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.1.0"}}
- {VERSION: "3.11", TOXENV: "py311", OPENSSL: {TYPE: "openssl", VERSION: "3.1.0", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}}
- {VERSION: "3.11", TOXENV: "py311", OPENSSL: {TYPE: "openssl", VERSION: "3.1.0", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}}
- {VERSION: "3.11", TOXENV: "py311", TOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.0"}}
- {VERSION: "3.11", TOXENV: "py311", OPENSSL: {TYPE: "libressl", VERSION: "3.5.4"}}
- {VERSION: "3.11", TOXENV: "py311", OPENSSL: {TYPE: "libressl", VERSION: "3.6.2"}}
- {VERSION: "3.11", TOXENV: "py311", OPENSSL: {TYPE: "libressl", VERSION: "3.7.1"}}
- {VERSION: "3.11", TOXENV: "py311-randomorder"}
- {VERSION: "3.12-dev", TOXENV: "py312"}
# Latest commit on the BoringSSL master branch, as of Mar 23, 2023.
- {VERSION: "3.11", TOXENV: "py311", OPENSSL: {TYPE: "boringssl", VERSION: "b6a50fd62d1ae44ad211ebe26f803c66db444302"}}
# Latest commit on the OpenSSL master branch, as of Mar 24, 2023.
- {VERSION: "3.11", TOXENV: "py311", OPENSSL: {TYPE: "openssl", VERSION: "908ba3ed9adbb3df90f7684a3111ca916a45202d"}}
name: "${{ matrix.PYTHON.TOXENV }} ${{ matrix.PYTHON.OPENSSL.TYPE }} ${{ matrix.PYTHON.OPENSSL.VERSION }} ${{ matrix.PYTHON.TOXARGS }} ${{ matrix.PYTHON.OPENSSL.CONFIG_FLAGS }}"
timeout-minutes: 15
steps:
- uses: actions/checkout@v3.5.0
timeout-minutes: 3
with:
persist-credentials: false
fetch-depth: 0
- name: set mtimes for rust dirs
uses: ./.github/actions/mtime-fix
- name: Setup python
id: setup-python
uses: actions/setup-python@v4.5.0
with:
python-version: ${{ matrix.PYTHON.VERSION }}
- name: Cache rust and pip
uses: ./.github/actions/cache
timeout-minutes: 2
with:
key: ${{ matrix.PYTHON.VERSION }}-${{ steps.setup-python.outputs.python-version }}
- name: Clone wycheproof
timeout-minutes: 2
uses: ./.github/actions/wycheproof
- run: python -m pip install -c ci-constraints-requirements.txt 'tox>3' coverage[toml]
- name: Compute config hash and set config vars
run: |
DEFAULT_CONFIG_FLAGS="shared no-ssl2 no-ssl3"
CONFIG_FLAGS="$DEFAULT_CONFIG_FLAGS $CONFIG_FLAGS"
CONFIG_HASH=$(echo "$CONFIG_FLAGS" | sha1sum | sed 's/ .*$//')
echo "CONFIG_FLAGS=${CONFIG_FLAGS}" >> $GITHUB_ENV
echo "CONFIG_HASH=${CONFIG_HASH}" >> $GITHUB_ENV
echo "OSSL_INFO=${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${CONFIG_FLAGS}" >> $GITHUB_ENV
echo "OSSL_PATH=${{ github.workspace }}/osslcache/${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${CONFIG_HASH}" >> $GITHUB_ENV
env:
CONFIG_FLAGS: ${{ matrix.PYTHON.OPENSSL.CONFIG_FLAGS }}
if: matrix.PYTHON.OPENSSL
- name: Load OpenSSL cache
uses: actions/cache@v3.3.1
id: ossl-cache
timeout-minutes: 2
with:
path: ${{ github.workspace }}/osslcache
# When altering the openssl build process you may need to increment the value on the end of this cache key
# so that you can prevent it from fetching the cache and skipping the build step.
key: ${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${{ env.CONFIG_HASH }}-8
if: matrix.PYTHON.OPENSSL
- name: Build custom OpenSSL/LibreSSL
run: .github/workflows/build_openssl.sh
env:
TYPE: ${{ matrix.PYTHON.OPENSSL.TYPE }}
VERSION: ${{ matrix.PYTHON.OPENSSL.VERSION }}
if: matrix.PYTHON.OPENSSL && steps.ossl-cache.outputs.cache-hit != 'true'
- name: Set CFLAGS/LDFLAGS
run: |
echo "OPENSSL_DIR=${OSSL_PATH}" >> $GITHUB_ENV
echo "CFLAGS=${CFLAGS} -Werror=implicit-function-declaration" >> $GITHUB_ENV
echo "RUSTFLAGS=-Clink-arg=-Wl,-rpath=${OSSL_PATH}/lib -Clink-arg=-Wl,-rpath=${OSSL_PATH}/lib64" >> $GITHUB_ENV
if: matrix.PYTHON.OPENSSL
- name: Build toxenv
run: |
tox -vvv --notest
env:
TOXENV: ${{ matrix.PYTHON.TOXENV }}
CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }}
- name: Tests
run: |
tox --skip-pkg-install -- --color=yes --wycheproof-root=wycheproof ${{ matrix.PYTHON.TOXARGS }}
env:
TOXENV: ${{ matrix.PYTHON.TOXENV }}
COLUMNS: 80
CRYPTOGRAPHY_OPENSSL_NO_LEGACY: ${{ matrix.PYTHON.OPENSSL.NO_LEGACY }}
CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }}
- uses: ./.github/actions/upload-coverage
distros:
runs-on: ${{ matrix.IMAGE.RUNNER }}
container: ghcr.io/pyca/cryptography-runner-${{ matrix.IMAGE.IMAGE }}
strategy:
fail-fast: false
matrix:
IMAGE:
- {IMAGE: "rhel8", TOXENV: "py36", RUNNER: "ubuntu-latest"}
- {IMAGE: "rhel8-fips", TOXENV: "py36", RUNNER: "ubuntu-latest", FIPS: true}
- {IMAGE: "rhel8", TOXENV: "py38", RUNNER: "ubuntu-latest"}
- {IMAGE: "rhel8-fips", TOXENV: "py38", RUNNER: "ubuntu-latest", FIPS: true}
- {IMAGE: "buster", TOXENV: "py37", RUNNER: "ubuntu-latest"}
- {IMAGE: "bullseye", TOXENV: "py39", RUNNER: "ubuntu-latest"}
- {IMAGE: "bookworm", TOXENV: "py311", RUNNER: "ubuntu-latest"}
- {IMAGE: "sid", TOXENV: "py311", RUNNER: "ubuntu-latest"}
- {IMAGE: "ubuntu-focal", TOXENV: "py38", RUNNER: "ubuntu-latest"}
- {IMAGE: "ubuntu-jammy", TOXENV: "py310", RUNNER: "ubuntu-latest"}
- {IMAGE: "ubuntu-rolling", TOXENV: "py310", RUNNER: "ubuntu-latest"}
- {IMAGE: "fedora", TOXENV: "py311", RUNNER: "ubuntu-latest"}
- {IMAGE: "alpine", TOXENV: "py310", RUNNER: "ubuntu-latest"}
- {IMAGE: "centos-stream9", TOXENV: "py39", RUNNER: "ubuntu-latest"}
- {IMAGE: "centos-stream9-fips", TOXENV: "py39", RUNNER: "ubuntu-latest", FIPS: true}
- {IMAGE: "ubuntu-jammy:aarch64", TOXENV: "py310", RUNNER: [self-hosted, Linux, ARM64]}
- {IMAGE: "alpine:aarch64", TOXENV: "py310", RUNNER: [self-hosted, Linux, ARM64]}
timeout-minutes: 15
steps:
- name: Ridiculous alpine workaround for actions support on arm64
run: |
# This modifies /etc/os-release so the JS actions
# from GH can't detect that it's on alpine:aarch64. It will
# then use a glibc nodejs, which works fine when gcompat
# is installed in the container (which it is)
sed -i "s:ID=alpine:ID=NotpineForGHA:" /etc/os-release
if: matrix.IMAGE.IMAGE == 'alpine:aarch64'
- uses: actions/checkout@v3.5.0
timeout-minutes: 3
with:
persist-credentials: false
fetch-depth: 0
- name: git config shenanigans
run: |
git config --global --add safe.directory $(pwd) # needed for the mtime fix since git doesn't think it owns the files due to being in containers
- name: set mtimes for rust dirs
uses: ./.github/actions/mtime-fix
- name: Cache rust and pip
uses: ./.github/actions/cache
timeout-minutes: 2
with:
key: ${{ matrix.IMAGE.IMAGE }}
- name: Clone wycheproof
timeout-minutes: 2
uses: ./.github/actions/wycheproof
# When run in a docker container the home directory doesn't have the same owner as the
# apparent user so pip refuses to create a cache dir
- name: create pip cache dir
run: mkdir -p "${HOME}/.cache/pip"
- run: |
echo "OPENSSL_FORCE_FIPS_MODE=1" >> $GITHUB_ENV
if: matrix.IMAGE.FIPS
- run: /venv/bin/python -m pip install -c ci-constraints-requirements.txt 'tox>3' coverage
- run: '/venv/bin/tox -vvv --notest'
env:
TOXENV: ${{ matrix.IMAGE.TOXENV }}
RUSTUP_HOME: /root/.rustup
CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }}
# OPENSSL_ENABLE_SHA1_SIGNATURES is for CentOS 9 Stream
OPENSSL_ENABLE_SHA1_SIGNATURES: 1
- run: '/venv/bin/tox --skip-pkg-install -- --color=yes --wycheproof-root="wycheproof"'
env:
TOXENV: ${{ matrix.IMAGE.TOXENV }}
COLUMNS: 80
# OPENSSL_ENABLE_SHA1_SIGNATURES is for CentOS 9 Stream
OPENSSL_ENABLE_SHA1_SIGNATURES: 1
- uses: ./.github/actions/upload-coverage
linux-rust:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
PYTHON:
- {VERSION: "3.11", TOXENV: "py311"}
RUST:
# Cover MSRV (and likely next MSRV). In-dev versions are below in
# the linux-rust-coverage section. Once our MSRV is 1.60 we can
# remove this section entirely.
- 1.48.0
# 1.49.0 is the MSRV for parking_lot 0.12
# 1.51 - const generics (for rust-asn1)
# 1.56 - new versions of once_cell and bumpalo
- 1.56.0
# Potential future MSRVs
# 1.60 - new version of cxx
name: "${{ matrix.PYTHON.TOXENV }} with Rust ${{ matrix.RUST }}"
timeout-minutes: 15
steps:
- uses: actions/checkout@v3.5.0
timeout-minutes: 3
with:
persist-credentials: false
fetch-depth: 0
- name: set mtimes for rust dirs
uses: ./.github/actions/mtime-fix
- name: Cache rust and pip
uses: ./.github/actions/cache
timeout-minutes: 2
with:
key: ${{ matrix.RUST }}
- name: Setup python
uses: actions/setup-python@v4.5.0
with:
python-version: ${{ matrix.PYTHON.VERSION }}
- uses: dtolnay/rust-toolchain@52e69531e6f69a396bc9d1226284493a5db969ff
with:
toolchain: ${{ matrix.RUST }}
- name: Clone wycheproof
timeout-minutes: 2
uses: ./.github/actions/wycheproof
- run: python -m pip install -c ci-constraints-requirements.txt 'tox>3' coverage[toml]
- name: Create toxenv
run: tox -vvv --notest
env:
TOXENV: ${{ matrix.PYTHON.TOXENV }}
CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }}
- name: Tests
run: tox --skip-pkg-install -- --color=yes --wycheproof-root=wycheproof
env:
TOXENV: ${{ matrix.PYTHON.TOXENV }}
COLUMNS: 80
- uses: ./.github/actions/upload-coverage
linux-rust-coverage:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
PYTHON:
- {VERSION: "3.11", TOXENV: "py311"}
RUST:
- beta
- nightly
name: "Rust Coverage"
timeout-minutes: 15
steps:
- uses: actions/checkout@v3.5.0
timeout-minutes: 3
with:
persist-credentials: false
fetch-depth: 0
- name: set mtimes for rust dirs
uses: ./.github/actions/mtime-fix
- uses: dtolnay/rust-toolchain@52e69531e6f69a396bc9d1226284493a5db969ff
id: rust-toolchain
with:
toolchain: ${{ matrix.RUST }}
components: llvm-tools-preview
- name: Cache rust and pip
id: cargo-cache
uses: ./.github/actions/cache
timeout-minutes: 2
with:
key: ${{ steps.rust-toolchain.outputs.cachekey }}-coverage
additional-paths: |
~/.cargo/bin/cargo-cov
~/.cargo/bin/cargo-nm
~/.cargo/bin/cargo-objcopy
~/.cargo/bin/cargo-objdump
~/.cargo/bin/cargo-profdata
~/.cargo/bin/cargo-readobj
~/.cargo/bin/cargo-size
~/.cargo/bin/cargo-strip
~/.cargo/bin/rust-ar
~/.cargo/bin/rust-cov
~/.cargo/bin/rust-ld
~/.cargo/bin/rust-lld
~/.cargo/bin/rust-nm
~/.cargo/bin/rust-objcopy
~/.cargo/bin/rust-objdump
~/.cargo/bin/rust-profdata
~/.cargo/bin/rust-readobj
~/.cargo/bin/rust-size
~/.cargo/bin/rust-strip
- name: Setup python
uses: actions/setup-python@v4.5.0
with:
python-version: ${{ matrix.PYTHON.VERSION }}
- run: cargo install cargo-binutils
if: steps.cargo-cache.outputs.cache-hit != 'true'
- name: Clone wycheproof
timeout-minutes: 2
uses: ./.github/actions/wycheproof
- run: python -m pip install -c ci-constraints-requirements.txt 'tox>3' coverage[toml] cffi
- name: Create toxenv
run: tox -vvv --notest
env:
TOXENV: ${{ matrix.PYTHON.TOXENV }}
CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }}
RUSTFLAGS: "-Cinstrument-coverage"
LLVM_PROFILE_FILE: "rust-cov/cov-%p.profraw"
- name: Tests
run: tox --skip-pkg-install -- --color=yes --wycheproof-root=wycheproof
env:
TOXENV: ${{ matrix.PYTHON.TOXENV }}
COLUMNS: 80
CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }}
RUSTFLAGS: "-Cinstrument-coverage"
LLVM_PROFILE_FILE: "rust-cov/cov-%p.profraw"
- name: Rust Tests
run: |
cd src/rust
cargo test --no-default-features
env:
RUSTFLAGS: "-Cinstrument-coverage"
LLVM_PROFILE_FILE: "rust-cov/cov-%m-%p.profraw"
- name: Process coverage data
run: |
set -xe
cd src/rust/
cargo profdata -- merge -sparse ../../rust-cov/*.profraw -o pytest-rust-cov.profdata
cargo profdata -- merge -sparse rust-cov/*.profraw -o cargo-test-rust-cov.profdata
COV_UUID=$(python3 -c "import uuid; print(uuid.uuid4())")
cargo cov -- export \
../../.tox/${{ matrix.PYTHON.TOXENV }}/lib/python${{ matrix.PYTHON.VERSION }}/site-packages/cryptography/hazmat/bindings/_rust.abi3.so \
-instr-profile=pytest-rust-cov.profdata \
--ignore-filename-regex='/.cargo/registry' \
--ignore-filename-regex='/rustc/' \
--ignore-filename-regex='/.rustup/toolchains/' --format=lcov > ../../${COV_UUID}-1.lcov
cargo cov -- export \
$(env RUSTFLAGS="-Cinstrument-coverage" cargo test --no-default-features --tests --no-run --message-format=json | jq -r "select(.profile.test == true) | .filenames[]") \
-instr-profile=cargo-test-rust-cov.profdata \
--ignore-filename-regex='/.cargo/registry' \
--ignore-filename-regex='/rustc/' \
--ignore-filename-regex='/.rustup/toolchains/' --format=lcov > ../../${COV_UUID}-2.lcov
sed -E -i 's/SF:(.*)\/src\/rust\/(.*)/SF:src\/rust\/\2/g' ../../*.lcov
- uses: ./.github/actions/upload-coverage
macos:
runs-on: ${{ matrix.RUNNER.OS }}
strategy:
fail-fast: false
matrix:
RUNNER:
- {OS: 'macos-12', ARCH: 'x86_64'}
- {OS: [self-hosted, macos, ARM64, tart], ARCH: 'arm64'}
PYTHON:
- {VERSION: "3.6", TOXENV: "py36-nocoverage"}
- {VERSION: "3.11", TOXENV: "py311"}
exclude:
# We only test latest Python on arm64. The py36 won't work since there's no universal2 binary
- PYTHON: {VERSION: "3.6", TOXENV: "py36-nocoverage"}
RUNNER: {OS: [self-hosted, macos, ARM64, tart], ARCH: 'arm64'}
name: "${{ matrix.PYTHON.TOXENV }} on macOS ${{ matrix.RUNNER.ARCH }}"
timeout-minutes: 15
steps:
- uses: actions/checkout@v3.5.0
timeout-minutes: 3
with:
persist-credentials: false
fetch-depth: 0
- name: set mtimes for rust dirs
uses: ./.github/actions/mtime-fix
- name: Cache rust and pip
uses: ./.github/actions/cache
timeout-minutes: 2
with:
key: ${{ matrix.PYTHON.VERSION }}
- name: Setup python
uses: actions/setup-python@v4.5.0
with:
python-version: ${{ matrix.PYTHON.VERSION }}
architecture: 'x64' # we force this right now so that it will install the universal2 on arm64
- run: python -m pip install -c ci-constraints-requirements.txt 'tox>3' coverage[toml]
- name: Clone wycheproof
timeout-minutes: 2
uses: ./.github/actions/wycheproof
- uses: dawidd6/action-download-artifact@5e780fc7bbd0cac69fc73271ed86edf5dcb72d67
with:
repo: pyca/infra
workflow: build-macos-openssl.yml
branch: main
workflow_conclusion: success
name: openssl-macos-universal2
path: "../openssl-macos-universal2/"
github_token: ${{ secrets.GITHUB_TOKEN }}
- name: Build toxenv
run: |
OPENSSL_DIR=$(readlink -f ../openssl-macos-universal2/) \
OPENSSL_STATIC=1 \
CFLAGS="-Werror -Wno-error=deprecated-declarations -Wno-error=incompatible-pointer-types-discards-qualifiers -Wno-error=unused-function -mmacosx-version-min=10.12" \
tox -vvv --notest
env:
TOXENV: ${{ matrix.PYTHON.TOXENV }}
CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }}
- name: Tests
run: tox --skip-pkg-install -- --color=yes --wycheproof-root=wycheproof
env:
TOXENV: ${{ matrix.PYTHON.TOXENV }}
COLUMNS: 80
- uses: ./.github/actions/upload-coverage
windows:
runs-on: windows-latest
strategy:
fail-fast: false
matrix:
WINDOWS:
- {ARCH: 'x86', WINDOWS: 'win32'}
- {ARCH: 'x64', WINDOWS: 'win64'}
PYTHON:
- {VERSION: "3.6", TOXENV: "py36-nocoverage"}
- {VERSION: "3.11", TOXENV: "py311"}
JOB_NUMBER: [0, 1]
name: "${{ matrix.PYTHON.TOXENV }} on ${{ matrix.WINDOWS.WINDOWS }} (part ${{ matrix.JOB_NUMBER }})"
timeout-minutes: 15
steps:
- uses: actions/checkout@v3.5.0
timeout-minutes: 3
with:
persist-credentials: false
fetch-depth: 0
- name: set mtimes for rust dirs
uses: ./.github/actions/mtime-fix
- name: Setup python
id: setup-python
uses: actions/setup-python@v4.5.0
with:
python-version: ${{ matrix.PYTHON.VERSION }}
architecture: ${{ matrix.WINDOWS.ARCH }}
- name: Cache rust and pip
uses: ./.github/actions/cache
timeout-minutes: 2
with:
key: ${{ matrix.WINDOWS.ARCH }}-${{ steps.setup-python.outputs.python-version }}
- run: python -m pip install -c ci-constraints-requirements.txt "tox>3" coverage[toml]
- uses: dawidd6/action-download-artifact@5e780fc7bbd0cac69fc73271ed86edf5dcb72d67
with:
repo: pyca/infra
workflow: build-windows-openssl.yml
branch: main
workflow_conclusion: success
name: "openssl-${{ matrix.WINDOWS.WINDOWS }}"
path: "C:/openssl-${{ matrix.WINDOWS.WINDOWS }}/"
github_token: ${{ secrets.GITHUB_TOKEN }}
- name: Configure
run: |
echo "OPENSSL_DIR=C:/openssl-${{ matrix.WINDOWS.WINDOWS }}" >> $GITHUB_ENV
shell: bash
- name: Clone wycheproof
timeout-minutes: 2
uses: ./.github/actions/wycheproof
- name: Build toxenv
run: tox -vvv --notest
env:
TOXENV: ${{ matrix.PYTHON.TOXENV }}
CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }}
- name: Tests
run: tox --skip-pkg-install -- --color=yes --wycheproof-root=wycheproof --num-shards=2 --shard-id=${{ matrix.JOB_NUMBER }}
env:
TOXENV: ${{ matrix.PYTHON.TOXENV }}
COLUMNS: 80
CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }}
- uses: ./.github/actions/upload-coverage
linux-downstream:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
DOWNSTREAM:
- paramiko
- pyopenssl
- pyopenssl-release
- twisted
- aws-encryption-sdk
- dynamodb-encryption-sdk
- certbot
- certbot-josepy
- mitmproxy
- scapy
PYTHON:
- '3.11'
name: "Downstream tests for ${{ matrix.DOWNSTREAM }}"
timeout-minutes: 15
steps:
- uses: actions/checkout@v3.5.0
timeout-minutes: 3
with:
persist-credentials: false
fetch-depth: 0
- name: set mtimes for rust dirs
uses: ./.github/actions/mtime-fix
- name: Cache rust and pip
uses: ./.github/actions/cache
timeout-minutes: 2
- name: Setup python
uses: actions/setup-python@v4.5.0
with:
python-version: ${{ matrix.PYTHON }}
- run: ./.github/downstream.d/${{ matrix.DOWNSTREAM }}.sh install
- run: pip install .
env:
CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }}
# cryptography main has a version of "(X+1).0.0.dev1" where X is the
# most recently released major version. A package used by a downstream
# may depend on cryptography <=X. If you use entrypoints stuff, this can
# lead to runtime errors due to version incompatibilities. Rename the
# dist-info directory to pretend to be an older version to "solve" this.
- run: |
import json
import pkg_resources
import shutil
import urllib.request
d = pkg_resources.get_distribution("cryptography")
with urllib.request.urlopen("https://pypi.org/pypi/cryptography/json") as r:
latest_version = json.load(r)["info"]["version"]
new_path = d.egg_info.replace(d.version, latest_version)
shutil.move(d.egg_info, new_path)
shell: python
- run: ./.github/downstream.d/${{ matrix.DOWNSTREAM }}.sh run
docs-linkcheck:
if: (github.event_name == 'push' && github.ref == 'refs/heads/main') || (github.event_name == 'pull_request' && contains(github.event.pull_request.title, 'linkcheck'))
runs-on: ubuntu-latest
name: "linkcheck"
timeout-minutes: 10
steps:
- uses: actions/checkout@v3.5.0
with:
persist-credentials: false
fetch-depth: 0
- name: set mtimes for rust dirs
uses: ./.github/actions/mtime-fix
- name: Setup python
id: setup-python
uses: actions/setup-python@v4.5.0
with:
python-version: 3.11
- name: Cache rust and pip
uses: ./.github/actions/cache
timeout-minutes: 2
with:
# This creates the same key as the docs job (as long as they have the same
# python version)
key: 3.11-${{ steps.setup-python.outputs.python-version }}
- run: python -m pip install -c ci-constraints-requirements.txt tox
- name: Build toxenv
run: |
tox -vvv --notest
env:
TOXENV: docs-linkcheck
CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }}
- name: linkcheck
run: tox --skip-pkg-install -- --color=yes
env:
TOXENV: docs-linkcheck
all-green:
# https://github.community/t/is-it-possible-to-require-all-github-actions-tasks-to-pass-without-enumerating-them/117957/4?u=graingert
runs-on: ubuntu-latest
needs: [linux, distros, linux-rust, linux-rust-coverage, macos, windows, linux-downstream]
if: ${{ always() }}
steps:
- uses: actions/checkout@v3.5.0
timeout-minutes: 3
with:
persist-credentials: false
- name: Decide whether the needed jobs succeeded or failed
uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe
with:
jobs: ${{ toJSON(needs) }}
- name: Setup python
if: ${{ always() }}
uses: actions/setup-python@v4.5.0
with:
python-version: '3.11'
- run: pip install -c ci-constraints-requirements.txt coverage[toml]
if: ${{ always() }}
- name: Download coverage data
if: ${{ always() }}
uses: actions/download-artifact@v3.0.2
with:
name: coverage-data
- name: Combine coverage and fail if it's <100%.
if: ${{ always() }}
id: combinecoverage
run: |
set +e
python -m coverage combine
echo "## Python Coverage" >> $GITHUB_STEP_SUMMARY
python -m coverage report -m --fail-under=100 > COV_REPORT
COV_EXIT_CODE=$?
cat COV_REPORT
if [ $COV_EXIT_CODE -ne 0 ]; then
echo "🚨 Python Coverage failed. Under 100" | tee -a $GITHUB_STEP_SUMMARY
fi
echo '```' >> $GITHUB_STEP_SUMMARY
cat COV_REPORT >> $GITHUB_STEP_SUMMARY
echo '```' >> $GITHUB_STEP_SUMMARY
exit $COV_EXIT_CODE
- name: Combine rust coverage and fail if it's <100%.
if: ${{ always() }}
id: combinerustcoverage
run: |
set +e
sudo apt-get install -y lcov
RUST_COVERAGE_OUTPUT=$(lcov $(for f in *.lcov; do echo --add-tracefile "$f"; done) -o combined.lcov | grep lines)
echo "## Rust Coverage" >> $GITHUB_STEP_SUMMARY
echo '```' >> $GITHUB_STEP_SUMMARY
echo $RUST_COVERAGE_OUTPUT >> $GITHUB_STEP_SUMMARY
echo '```' >> $GITHUB_STEP_SUMMARY
if ! echo "$RUST_COVERAGE_OUTPUT" | grep "100.0%"; then
echo "🚨 Rust Coverage failed. Under 100" | tee -a $GITHUB_STEP_SUMMARY
exit 1
fi
- name: Create rust coverage HTML
run: genhtml combined.lcov -o rust-coverage
if: ${{ failure() && steps.combinerustcoverage.outcome == 'failure' }}
- name: Create coverage HTML
run: python -m coverage html
if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }}
- name: Upload HTML report.
uses: actions/upload-artifact@v3.1.2
with:
name: _html-report
path: htmlcov
if-no-files-found: ignore
if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }}
- name: Upload rust HTML report.
uses: actions/upload-artifact@v3.1.2
with:
name: _html-rust-report
path: rust-coverage
if-no-files-found: ignore
if: ${{ failure() && steps.combinerustcoverage.outcome == 'failure' }}
Reference in a new issue View git blame Copy permalink