gitea-mirror/rosenpass
1
0
Fork 0
mirror of https://github.com/rosenpass/rosenpass.git synced 2025-12-12 15:49:22 -08:00
Code Issues Packages Projects Releases Wiki Activity

fix: make CI workflows run after pushing excemptions for cargo-vet

Browse Source 
This commits changes the CI for dependabot PRs such that initially, only the exemptions for cargo vet are regenerated and pushed to the PR.
Only after that, all other workflows are triggered. This ensures that the CI result for dependabot PRs is properly presented on github.
This commit is contained in:
David Niehues
2025-05-14 16:51:54 +02:00
parent db9d0b642b
commit 3d724f04d4
9 changed files with 178 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
.github/workflows/dependent-issues.yml vendored
View File

@@ -17,6 +17,10 @@ on:
# this action is required to pass before merging. Otherwise, it # this action is required to pass before merging. Otherwise, it
# can be removed. # can be removed.
- synchronize - synchronize
workflow_run:
workflows: [Regenerate cargo-vet exemptions for dependabot-PRs]
types:
- completed
# Schedule a daily check. Useful if you reference cross-repository # Schedule a daily check. Useful if you reference cross-repository
# issues or pull requests. Otherwise, it can be removed. # issues or pull requests. Otherwise, it can be removed.
@@ -25,6 +29,8 @@ on:
jobs: jobs:
check: check:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
permissions: permissions:
issues: write issues: write
pull-requests: write pull-requests: write

21
.github/workflows/docker.yaml vendored
View File

@@ -14,6 +14,15 @@ on:
- ".github/workflows/docker.yaml" - ".github/workflows/docker.yaml"
branches: branches:
- "main" - "main"
workflow_run:
workflows: [Regenerate cargo-vet exemptions for dependabot-PRs]
types:
- completed
paths:
- "docker/Dockerfile"
- ".github/workflows/docker.yaml"
branches:
- "main"
permissions: permissions:
contents: read contents: read
@@ -24,6 +33,8 @@ jobs:
# 1. BUILD & TEST # 1. BUILD & TEST
# -------------------------------- # --------------------------------
build-and-test-rp: build-and-test-rp:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
strategy: strategy:
matrix: matrix:
arch: [amd64, arm64] arch: [amd64, arm64]
@@ -118,8 +129,8 @@ jobs:
docker-image-rp: docker-image-rp:
needs: needs:
- build-and-test-rp - build-and-test-rp
# Skip if this is not a PR. Then we want to push this image. # Only run this job if it s triggered by by a push to the main branch or a version tag.
if: ${{ github.event_name != 'pull_request' }} if: ${{ github.event_name != 'pull_request' && github.event_name != 'workflow_run' }}
# Use a matrix to build for both AMD64 and ARM64 # Use a matrix to build for both AMD64 and ARM64
strategy: strategy:
matrix: matrix:
@@ -183,8 +194,8 @@ jobs:
docker-image-rosenpass: docker-image-rosenpass:
needs: needs:
- build-and-test-rp - build-and-test-rp
# Skip if this is not a PR. Then we want to push this image. # Only run this job if it s triggered by by a push to the main branch or a version tag.
if: ${{ github.event_name != 'pull_request' }} if: ${{ github.event_name != 'pull_request' && github.event_name != 'workflow_run' }}
# Use a matrix to build for both AMD64 and ARM64 # Use a matrix to build for both AMD64 and ARM64
strategy: strategy:
matrix: matrix:
@@ -249,7 +260,7 @@ jobs:
needs: needs:
- docker-image-rosenpass - docker-image-rosenpass
- docker-image-rp - docker-image-rp
if: ${{ github.event_name != 'pull_request' }} if: ${{ github.event_name != 'pull_request' && github.event_name != 'workflow_run' }}
strategy: strategy:
matrix: matrix:
target: [rp, rosenpass] target: [rp, rosenpass]

12
.github/workflows/nix-mac.yaml vendored
View File

@@ -13,6 +13,8 @@ concurrency:
jobs: jobs:
aarch64-darwin---default: aarch64-darwin---default:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions or explicitly called
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' || github.event_name == 'workflow_call'}}
name: Build aarch64-darwin.default name: Build aarch64-darwin.default
runs-on: runs-on:
- warp-macos-13-arm64-6x - warp-macos-13-arm64-6x
@@ -30,6 +32,8 @@ jobs:
- name: Build - name: Build
run: nix build .#packages.aarch64-darwin.default --print-build-logs run: nix build .#packages.aarch64-darwin.default --print-build-logs
aarch64-darwin---release-package: aarch64-darwin---release-package:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions or explicitly called
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' || github.event_name == 'workflow_call'}}
name: Build aarch64-darwin.release-package name: Build aarch64-darwin.release-package
runs-on: runs-on:
- warp-macos-13-arm64-6x - warp-macos-13-arm64-6x
@@ -49,6 +53,8 @@ jobs:
- name: Build - name: Build
run: nix build .#packages.aarch64-darwin.release-package --print-build-logs run: nix build .#packages.aarch64-darwin.release-package --print-build-logs
aarch64-darwin---rosenpass: aarch64-darwin---rosenpass:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions or explicitly called
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' || github.event_name == 'workflow_call'}}
name: Build aarch64-darwin.rosenpass name: Build aarch64-darwin.rosenpass
runs-on: runs-on:
- warp-macos-13-arm64-6x - warp-macos-13-arm64-6x
@@ -65,6 +71,8 @@ jobs:
- name: Build - name: Build
run: nix build .#packages.aarch64-darwin.rosenpass --print-build-logs run: nix build .#packages.aarch64-darwin.rosenpass --print-build-logs
aarch64-darwin---rp: aarch64-darwin---rp:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions or explicitly called
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' || github.event_name == 'workflow_call'}}
name: Build aarch64-darwin.rp name: Build aarch64-darwin.rp
runs-on: runs-on:
- warp-macos-13-arm64-6x - warp-macos-13-arm64-6x
@@ -81,6 +89,8 @@ jobs:
- name: Build - name: Build
run: nix build .#packages.aarch64-darwin.rp --print-build-logs run: nix build .#packages.aarch64-darwin.rp --print-build-logs
aarch64-darwin---rosenpass-oci-image: aarch64-darwin---rosenpass-oci-image:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions or explicitly called
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' || github.event_name == 'workflow_call'}}
name: Build aarch64-darwin.rosenpass-oci-image name: Build aarch64-darwin.rosenpass-oci-image
runs-on: runs-on:
- warp-macos-13-arm64-6x - warp-macos-13-arm64-6x
@@ -98,6 +108,8 @@ jobs:
- name: Build - name: Build
run: nix build .#packages.aarch64-darwin.rosenpass-oci-image --print-build-logs run: nix build .#packages.aarch64-darwin.rosenpass-oci-image --print-build-logs
aarch64-darwin---check: aarch64-darwin---check:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions or explicitly called
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' || github.event_name == 'workflow_call'}}
name: Run Nix checks on aarch64-darwin name: Run Nix checks on aarch64-darwin
runs-on: runs-on:
- warp-macos-13-arm64-6x - warp-macos-13-arm64-6x

43
.github/workflows/nix.yaml vendored
View File

@@ -6,6 +6,10 @@ on:
push: push:
branches: branches:
- main - main
workflow_run:
workflows: [Regenerate cargo-vet exemptions for dependabot-PRs]
types:
- completed
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
@@ -13,6 +17,8 @@ concurrency:
jobs: jobs:
i686-linux---default: i686-linux---default:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Build i686-linux.default name: Build i686-linux.default
runs-on: runs-on:
- ubicloud-standard-2-ubuntu-2204 - ubicloud-standard-2-ubuntu-2204
@@ -30,6 +36,8 @@ jobs:
- name: Build - name: Build
run: nix build .#packages.i686-linux.default --print-build-logs run: nix build .#packages.i686-linux.default --print-build-logs
i686-linux---rosenpass: i686-linux---rosenpass:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Build i686-linux.rosenpass name: Build i686-linux.rosenpass
runs-on: runs-on:
- ubicloud-standard-2-ubuntu-2204 - ubicloud-standard-2-ubuntu-2204
@@ -46,6 +54,8 @@ jobs:
- name: Build - name: Build
run: nix build .#packages.i686-linux.rosenpass --print-build-logs run: nix build .#packages.i686-linux.rosenpass --print-build-logs
i686-linux---rosenpass-oci-image: i686-linux---rosenpass-oci-image:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Build i686-linux.rosenpass-oci-image name: Build i686-linux.rosenpass-oci-image
runs-on: runs-on:
- ubicloud-standard-2-ubuntu-2204 - ubicloud-standard-2-ubuntu-2204
@@ -63,6 +73,8 @@ jobs:
- name: Build - name: Build
run: nix build .#packages.i686-linux.rosenpass-oci-image --print-build-logs run: nix build .#packages.i686-linux.rosenpass-oci-image --print-build-logs
i686-linux---check: i686-linux---check:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Run Nix checks on i686-linux name: Run Nix checks on i686-linux
runs-on: runs-on:
- ubicloud-standard-2-ubuntu-2204 - ubicloud-standard-2-ubuntu-2204
@@ -78,6 +90,8 @@ jobs:
- name: Check - name: Check
run: nix flake check . --print-build-logs run: nix flake check . --print-build-logs
x86_64-linux---default: x86_64-linux---default:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Build x86_64-linux.default name: Build x86_64-linux.default
runs-on: runs-on:
- ubicloud-standard-2-ubuntu-2204 - ubicloud-standard-2-ubuntu-2204
@@ -95,6 +109,8 @@ jobs:
- name: Build - name: Build
run: nix build .#packages.x86_64-linux.default --print-build-logs run: nix build .#packages.x86_64-linux.default --print-build-logs
x86_64-linux---proof-proverif: x86_64-linux---proof-proverif:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Build x86_64-linux.proof-proverif name: Build x86_64-linux.proof-proverif
runs-on: runs-on:
- ubicloud-standard-2-ubuntu-2204 - ubicloud-standard-2-ubuntu-2204
@@ -112,6 +128,8 @@ jobs:
- name: Build - name: Build
run: nix build .#packages.x86_64-linux.proof-proverif --print-build-logs run: nix build .#packages.x86_64-linux.proof-proverif --print-build-logs
x86_64-linux---proverif-patched: x86_64-linux---proverif-patched:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Build x86_64-linux.proverif-patched name: Build x86_64-linux.proverif-patched
runs-on: runs-on:
- ubicloud-standard-2-ubuntu-2204 - ubicloud-standard-2-ubuntu-2204
@@ -128,6 +146,8 @@ jobs:
- name: Build - name: Build
run: nix build .#packages.x86_64-linux.proverif-patched --print-build-logs run: nix build .#packages.x86_64-linux.proverif-patched --print-build-logs
x86_64-linux---release-package: x86_64-linux---release-package:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Build x86_64-linux.release-package name: Build x86_64-linux.release-package
runs-on: runs-on:
- ubicloud-standard-2-ubuntu-2204 - ubicloud-standard-2-ubuntu-2204
@@ -171,6 +191,8 @@ jobs:
# - name: Build # - name: Build
# run: nix build .#packages.aarch64-linux.release-package --print-build-logs # run: nix build .#packages.aarch64-linux.release-package --print-build-logs
x86_64-linux---rosenpass: x86_64-linux---rosenpass:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Build x86_64-linux.rosenpass name: Build x86_64-linux.rosenpass
runs-on: runs-on:
- ubicloud-standard-2-ubuntu-2204 - ubicloud-standard-2-ubuntu-2204
@@ -187,6 +209,8 @@ jobs:
- name: Build - name: Build
run: nix build .#packages.x86_64-linux.rosenpass --print-build-logs run: nix build .#packages.x86_64-linux.rosenpass --print-build-logs
aarch64-linux---rosenpass: aarch64-linux---rosenpass:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Build aarch64-linux.rosenpass name: Build aarch64-linux.rosenpass
runs-on: runs-on:
- ubicloud-standard-2-arm-ubuntu-2204 - ubicloud-standard-2-arm-ubuntu-2204
@@ -208,6 +232,8 @@ jobs:
- name: Build - name: Build
run: nix build .#packages.aarch64-linux.rosenpass --print-build-logs run: nix build .#packages.aarch64-linux.rosenpass --print-build-logs
aarch64-linux---rp: aarch64-linux---rp:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Build aarch64-linux.rp name: Build aarch64-linux.rp
runs-on: runs-on:
- ubicloud-standard-2-arm-ubuntu-2204 - ubicloud-standard-2-arm-ubuntu-2204
@@ -229,6 +255,8 @@ jobs:
- name: Build - name: Build
run: nix build .#packages.aarch64-linux.rp --print-build-logs run: nix build .#packages.aarch64-linux.rp --print-build-logs
x86_64-linux---rosenpass-oci-image: x86_64-linux---rosenpass-oci-image:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Build x86_64-linux.rosenpass-oci-image name: Build x86_64-linux.rosenpass-oci-image
runs-on: runs-on:
- ubicloud-standard-2-ubuntu-2204 - ubicloud-standard-2-ubuntu-2204
@@ -246,6 +274,8 @@ jobs:
- name: Build - name: Build
run: nix build .#packages.x86_64-linux.rosenpass-oci-image --print-build-logs run: nix build .#packages.x86_64-linux.rosenpass-oci-image --print-build-logs
aarch64-linux---rosenpass-oci-image: aarch64-linux---rosenpass-oci-image:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Build aarch64-linux.rosenpass-oci-image name: Build aarch64-linux.rosenpass-oci-image
runs-on: runs-on:
- ubicloud-standard-2-arm-ubuntu-2204 - ubicloud-standard-2-arm-ubuntu-2204
@@ -268,6 +298,8 @@ jobs:
- name: Build - name: Build
run: nix build .#packages.aarch64-linux.rosenpass-oci-image --print-build-logs run: nix build .#packages.aarch64-linux.rosenpass-oci-image --print-build-logs
x86_64-linux---rosenpass-static: x86_64-linux---rosenpass-static:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Build x86_64-linux.rosenpass-static name: Build x86_64-linux.rosenpass-static
runs-on: runs-on:
- ubicloud-standard-2-ubuntu-2204 - ubicloud-standard-2-ubuntu-2204
@@ -284,6 +316,8 @@ jobs:
- name: Build - name: Build
run: nix build .#packages.x86_64-linux.rosenpass-static --print-build-logs run: nix build .#packages.x86_64-linux.rosenpass-static --print-build-logs
x86_64-linux---rp-static: x86_64-linux---rp-static:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Build x86_64-linux.rp-static name: Build x86_64-linux.rp-static
runs-on: runs-on:
- ubicloud-standard-2-ubuntu-2204 - ubicloud-standard-2-ubuntu-2204
@@ -300,6 +334,8 @@ jobs:
- name: Build - name: Build
run: nix build .#packages.x86_64-linux.rp-static --print-build-logs run: nix build .#packages.x86_64-linux.rp-static --print-build-logs
x86_64-linux---rosenpass-static-oci-image: x86_64-linux---rosenpass-static-oci-image:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Build x86_64-linux.rosenpass-static-oci-image name: Build x86_64-linux.rosenpass-static-oci-image
runs-on: runs-on:
- ubicloud-standard-2-ubuntu-2204 - ubicloud-standard-2-ubuntu-2204
@@ -317,6 +353,8 @@ jobs:
- name: Build - name: Build
run: nix build .#packages.x86_64-linux.rosenpass-static-oci-image --print-build-logs run: nix build .#packages.x86_64-linux.rosenpass-static-oci-image --print-build-logs
x86_64-linux---whitepaper: x86_64-linux---whitepaper:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Build x86_64-linux.whitepaper name: Build x86_64-linux.whitepaper
runs-on: runs-on:
- ubicloud-standard-2-ubuntu-2204 - ubicloud-standard-2-ubuntu-2204
@@ -333,6 +371,8 @@ jobs:
- name: Build - name: Build
run: nix build .#packages.x86_64-linux.whitepaper --print-build-logs run: nix build .#packages.x86_64-linux.whitepaper --print-build-logs
x86_64-linux---check: x86_64-linux---check:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Run Nix checks on x86_64-linux name: Run Nix checks on x86_64-linux
runs-on: runs-on:
- ubicloud-standard-2-ubuntu-2204 - ubicloud-standard-2-ubuntu-2204
@@ -350,7 +390,8 @@ jobs:
x86_64-linux---whitepaper-upload: x86_64-linux---whitepaper-upload:
name: Upload whitepaper x86_64-linux name: Upload whitepaper x86_64-linux
runs-on: ubicloud-standard-2-ubuntu-2204 runs-on: ubicloud-standard-2-ubuntu-2204
if: ${{ github.ref == 'refs/heads/main' }} # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ (github.ref == 'refs/heads/main') && (github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run') }}
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: cachix/install-nix-action@v30 - uses: cachix/install-nix-action@v30

2
.github/workflows/qc-mac.yaml vendored
View File

@@ -14,6 +14,8 @@ permissions:
jobs: jobs:
cargo-test-mac: cargo-test-mac:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions or explicitly called
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' || github.event_name == 'workflow_call'}}
runs-on: warp-macos-13-arm64-6x runs-on: warp-macos-13-arm64-6x
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4

28
.github/workflows/qc.yaml vendored
View File

@@ -3,6 +3,10 @@ on:
pull_request: pull_request:
push: push:
branches: [main] branches: [main]
workflow_run:
workflows: [Regenerate cargo-vet exemptions for dependabot-PRs]
types:
- completed
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +18,8 @@ permissions:
jobs: jobs:
prettier: prettier:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
runs-on: ubicloud-standard-2-ubuntu-2204 runs-on: ubicloud-standard-2-ubuntu-2204
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
@@ -22,6 +28,8 @@ jobs:
args: --check . args: --check .
shellcheck: shellcheck:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Shellcheck name: Shellcheck
runs-on: ubicloud-standard-2-ubuntu-2204 runs-on: ubicloud-standard-2-ubuntu-2204
steps: steps:
@@ -30,6 +38,8 @@ jobs:
uses: ludeeus/action-shellcheck@master uses: ludeeus/action-shellcheck@master
rustfmt: rustfmt:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Rust Format name: Rust Format
runs-on: ubicloud-standard-2-ubuntu-2204 runs-on: ubicloud-standard-2-ubuntu-2204
steps: steps:
@@ -38,6 +48,8 @@ jobs:
run: bash format_rust_code.sh --mode check run: bash format_rust_code.sh --mode check
cargo-bench: cargo-bench:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
runs-on: ubicloud-standard-2-ubuntu-2204 runs-on: ubicloud-standard-2-ubuntu-2204
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
@@ -56,6 +68,8 @@ jobs:
- run: RUST_MIN_STACK=8388608 cargo bench --workspace --exclude rosenpass-fuzzing - run: RUST_MIN_STACK=8388608 cargo bench --workspace --exclude rosenpass-fuzzing
mandoc: mandoc:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: mandoc name: mandoc
runs-on: ubicloud-standard-2-ubuntu-2204 runs-on: ubicloud-standard-2-ubuntu-2204
steps: steps:
@@ -66,6 +80,8 @@ jobs:
run: doc/check.sh doc/rp.1 run: doc/check.sh doc/rp.1
cargo-audit: cargo-audit:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
runs-on: ubicloud-standard-2-ubuntu-2204 runs-on: ubicloud-standard-2-ubuntu-2204
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
@@ -74,6 +90,8 @@ jobs:
token: ${{ secrets.GITHUB_TOKEN }} token: ${{ secrets.GITHUB_TOKEN }}
cargo-clippy: cargo-clippy:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
runs-on: ubicloud-standard-2-ubuntu-2204 runs-on: ubicloud-standard-2-ubuntu-2204
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
@@ -93,6 +111,8 @@ jobs:
args: --all-features args: --all-features
cargo-doc: cargo-doc:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
runs-on: ubicloud-standard-2-ubuntu-2204 runs-on: ubicloud-standard-2-ubuntu-2204
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
@@ -112,6 +132,8 @@ jobs:
- run: RUSTDOCFLAGS="-D warnings" cargo doc --no-deps --document-private-items - run: RUSTDOCFLAGS="-D warnings" cargo doc --no-deps --document-private-items
cargo-test: cargo-test:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
strategy: strategy:
matrix: matrix:
@@ -135,6 +157,8 @@ jobs:
- run: RUST_MIN_STACK=8388608 cargo test --workspace --all-features - run: RUST_MIN_STACK=8388608 cargo test --workspace --all-features
cargo-test-nix-devshell-x86_64-linux: cargo-test-nix-devshell-x86_64-linux:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
runs-on: runs-on:
- ubicloud-standard-2-ubuntu-2204 - ubicloud-standard-2-ubuntu-2204
steps: steps:
@@ -158,6 +182,8 @@ jobs:
- run: nix develop --command cargo test --workspace --all-features - run: nix develop --command cargo test --workspace --all-features
cargo-fuzz: cargo-fuzz:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
runs-on: ubicloud-standard-2-ubuntu-2204 runs-on: ubicloud-standard-2-ubuntu-2204
env: env:
steps: steps:
@@ -192,6 +218,8 @@ jobs:
cargo fuzz run fuzz_vec_secret_alloc_memfdsec_mallocfb -- -max_total_time=5 cargo fuzz run fuzz_vec_secret_alloc_memfdsec_mallocfb -- -max_total_time=5
codecov: codecov:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
runs-on: ubicloud-standard-2-ubuntu-2204 runs-on: ubicloud-standard-2-ubuntu-2204
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4

54
.github/workflows/regenerate-cargo-vet-exemptions.yml vendored Normal file
View File

@@ -0,0 +1,54 @@
name: Regenerate cargo-vet exemptions for dependabot-PRs
on:
pull_request:
push:
branches: [main]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
regen-cargo-vet-exemptions:
if: ${{ github.actor == 'dependabot[bot]' }}
name: Regenerate exemptions for cargo-vet for dependabot-PRs
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- uses: actions/checkout@v4
- uses: actions/cache@v4
with:
path: |
~/.cargo/bin/
~/.cargo/registry/index/
~/.cargo/registry/cache/
key: cargo-vet-cache
- name: Install stable toolchain # Since we are running/compiling cargo-vet, we should rely on the stable toolchain.
run: |
rustup toolchain install stable
rustup default stable
- uses: actions/cache@v4
with:
path: ${{ runner.tool_cache }}/cargo-vet
key: cargo-vet-bin
- name: Add the tool cache directory to the search path
run: echo "${{ runner.tool_cache }}/cargo-vet/bin" >> $GITHUB_PATH
- name: Ensure that the tool cache is populated with the cargo-vet binary
run: cargo install --root ${{ runner.tool_cache }}/cargo-vet cargo-vet
- name: Regenerate vet exemptions for dependabot PRs
run: cargo vet regenerate exemptions
- name: Check for changes in case of dependabot PR
run: git diff --exit-code || echo "Changes detected, committing..."
- name: Commit and push changes for dependabot PRs
if: ${{ success() }}
run: |
git fetch origin ${{ github.head_ref }}
git switch ${{ github.head_ref }}
git config --global user.name "github-actions[bot]"
git config --global user.email "github-actions@github.com"
git add supply-chain/*
git commit -m "Regenerate cargo vet exemptions"
git push origin ${{ github.head_ref }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

8
.github/workflows/regressions.yml vendored
View File

@@ -3,6 +3,10 @@ on:
pull_request: pull_request:
push: push:
branches: [main] branches: [main]
workflow_run:
workflows: [Regenerate cargo-vet exemptions for dependabot-PRs]
types:
- completed
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,6 +18,8 @@ permissions:
jobs: jobs:
multi-peer: multi-peer:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
runs-on: ubicloud-standard-2-ubuntu-2204 runs-on: ubicloud-standard-2-ubuntu-2204
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
@@ -25,6 +31,8 @@ jobs:
[ $(ls -1 output/ate/out | wc -l) -eq 100 ] [ $(ls -1 output/ate/out | wc -l) -eq 100 ]
boot-race: boot-race:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
runs-on: ubicloud-standard-2-ubuntu-2204 runs-on: ubicloud-standard-2-ubuntu-2204
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4

30
.github/workflows/supply-chain.yml vendored
View File

@@ -3,6 +3,10 @@ on:
pull_request: pull_request:
push: push:
branches: [main] branches: [main]
workflow_run:
workflows: [Regenerate cargo-vet exemptions for dependabot-PRs]
types:
- completed
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
@@ -10,12 +14,16 @@ concurrency:
jobs: jobs:
cargo-deny: cargo-deny:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Deny dependencies with vulnerabilities or incompatible licenses name: Deny dependencies with vulnerabilities or incompatible licenses
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: EmbarkStudios/cargo-deny-action@v2 - uses: EmbarkStudios/cargo-deny-action@v2
cargo-supply-chain: cargo-supply-chain:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Supply Chain Report name: Supply Chain Report
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
@@ -44,10 +52,10 @@ jobs:
run: cargo supply-chain crates run: cargo supply-chain crates
# The setup for cargo-vet follows the recommendations in the cargo-vet documentation: https://mozilla.github.io/cargo-vet/configuring-ci.html # The setup for cargo-vet follows the recommendations in the cargo-vet documentation: https://mozilla.github.io/cargo-vet/configuring-ci.html
cargo-vet: cargo-vet:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Vet Dependencies name: Vet Dependencies
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: write
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: actions/cache@v4 - uses: actions/cache@v4
@@ -69,23 +77,5 @@ jobs:
run: echo "${{ runner.tool_cache }}/cargo-vet/bin" >> $GITHUB_PATH run: echo "${{ runner.tool_cache }}/cargo-vet/bin" >> $GITHUB_PATH
- name: Ensure that the tool cache is populated with the cargo-vet binary - name: Ensure that the tool cache is populated with the cargo-vet binary
run: cargo install --root ${{ runner.tool_cache }}/cargo-vet cargo-vet run: cargo install --root ${{ runner.tool_cache }}/cargo-vet cargo-vet
- name: Regenerate vet exemptions for dependabot PRs
if: github.actor == 'dependabot[bot]' # Run only for Dependabot PRs
run: cargo vet regenerate exemptions
- name: Check for changes in case of dependabot PR
if: github.actor == 'dependabot[bot]' # Run only for Dependabot PRs
run: git diff --exit-code || echo "Changes detected, committing..."
- name: Commit and push changes for dependabot PRs
if: success() && github.actor == 'dependabot[bot]'
run: |
git fetch origin ${{ github.head_ref }}
git switch ${{ github.head_ref }}
git config --global user.name "github-actions[bot]"
git config --global user.email "github-actions@github.com"
git add supply-chain/*
git commit -m "Regenerate cargo vet exemptions"
git push origin ${{ github.head_ref }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Invoke cargo-vet - name: Invoke cargo-vet
run: cargo vet --locked run: cargo vet --locked