Skip to content

build(deps): Bump rustls from 0.21.10 to 0.21.11 #2112

build(deps): Bump rustls from 0.21.10 to 0.21.11

build(deps): Bump rustls from 0.21.10 to 0.21.11 #2112

Workflow file for this run

name: build-workflow
on:
push:
tags:
- "*"
merge_group:
workflow_dispatch:
inputs:
include:
description: Only run tests matching tests with the given tags
type: string
required: false
default: ""
processes:
description: Number of processes to run tests
type: string
required: false
default: "10"
run_rust_tests:
description: Run Rust tests (generally this is not required as the PR check will run full Rust tests)
type: boolean
required: false
default: false
# Use a manual approval process before PR's are given access to
# the secrets which are required to run the integration tests.
# The PR code should be manually approved to see if it can be trusted.
# When in doubt, do not approve the test run.
# Reference: https://dev.to/petrsvihlik/using-environment-protection-rules-to-secure-secrets-when-building-external-forks-with-pullrequesttarget-hci
pull_request_target:
branches: [ main ]
env:
CARGO_TERM_COLOR: always
jobs:
build:
name: Build ${{ matrix.target }}
runs-on: ${{ matrix.host_os }}
strategy:
fail-fast: false
matrix:
# Note: Targets which requires a non-default rust_channel
# then they should not be included in the .target list, but
# rather in the include section.
# This is just how Github processes matrix jobs
target:
- aarch64-unknown-linux-musl
- armv7-unknown-linux-musleabihf
- arm-unknown-linux-musleabihf
- arm-unknown-linux-musleabi
- armv5te-unknown-linux-musleabi
- x86_64-unknown-linux-musl
- i686-unknown-linux-musl
- x86_64-apple-darwin
mode:
- --release
rust_channel:
- "1.70"
include:
- target: aarch64-unknown-linux-musl
host_os: ubuntu-22.04
cargo_options: --no-run
- target: armv7-unknown-linux-musleabihf
host_os: ubuntu-22.04
cargo_options: --no-run
- target: arm-unknown-linux-musleabihf
host_os: ubuntu-22.04
cargo_options: --no-run
- target: arm-unknown-linux-musleabi
host_os: ubuntu-22.04
cargo_options: --no-run
- target: armv5te-unknown-linux-musleabi
host_os: ubuntu-22.04
cargo_options: --no-run
- target: x86_64-unknown-linux-musl
host_os: ubuntu-22.04
- target: i686-unknown-linux-musl
host_os: ubuntu-22.04
cargo_options: --no-run
- target: riscv64gc-unknown-linux-gnu
mode: '--release'
# Using < 1.73 causes a segmentation fault when running a binary built with the --release flag
# Rust 1.73 includes both an updated llvm version and updated binutils which is like to have improved compatibility
# See: https://github.com/rust-lang/rust/blob/master/RELEASES.md#version-1730-2023-10-05
# There is a comment in the https://github.com/rust-lang/rust/pull/114048/ which refers to riscv64 support:
# * "Updated dist-riscv64-linux to use binutils 2.36 in order to recognize the zicsr feature, which is no longer part of the base ISA."
rust_channel: "1.73"
host_os: ubuntu-22.04
cargo_options: --no-run
- target: aarch64-apple-darwin
mode: --release
rust_channel: "1.72" # ahash uses "stdsimd" feature which was stabilized in 1.72, https://github.com/tkaitchuck/aHash/issues/195
host_os: macos-14
cargo_options: --no-run
- target: x86_64-apple-darwin
host_os: macos-14
steps:
- if: ${{ contains(matrix.host_os, 'ubuntu') }}
run: sudo apt-get update -y
- name: Checkout
uses: actions/checkout@v4
with:
ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }}
fetch-depth: 0
- run: mk/install-build-tools.sh +${{ matrix.rust_channel }} --target=${{ matrix.target }}
shell: sh
- name: Build
run: |
. ./ci/build_scripts/version.sh
mk/cargo.sh +${{ matrix.rust_channel }} build --target=${{ matrix.target }} ${{ matrix.mode }}
- if: ${{ inputs.run_rust_tests && !contains(matrix.host_os, 'windows') }}
name: Test
run: |
mk/cargo.sh +${{ matrix.rust_channel }} test -vv --target=${{ matrix.target }} ${{ matrix.cargo_options }} ${{ matrix.mode }} --no-fail-fast --locked --all-features --all-targets
# Install nfpm used to for linux packaging
- uses: actions/setup-go@v5
with:
go-version: 'stable'
cache: false
- run: go install github.com/goreleaser/nfpm/v2/cmd/nfpm@latest
- name: Package
run: |
./ci/build_scripts/build.sh ${{ matrix.target }} --skip-build --skip-deprecated-packages
- name: Upload packages as zip
# https://github.com/marketplace/actions/upload-a-build-artifact
uses: actions/upload-artifact@v4
with:
name: packages-${{ matrix.target }}
path: target/${{ matrix.target }}/packages/*.*
approve:
# Note: Use approval as a job so that the downstream jobs are only prompted once (if more than 1 matrix job is defined)
name: Approve
environment:
# For security reasons, all pull requests need to be approved first before granting access to secrets
# So the environment should be set to have a reviewer/s inspect it before approving it
name: ${{ github.event_name == 'pull_request_target' && 'Test Pull Request' || 'Test Auto' }}
runs-on: ubuntu-22.04
steps:
- name: Wait for approval
run: echo "Approved"
test:
name: Test ${{ matrix.job.name }}
# Don't tests on tagging as it has already run in the merge queue
if: ${{ !startsWith(github.ref, 'refs/tags/') }}
needs: [approve, build]
environment:
name: Test Auto
runs-on: ubuntu-20.04
strategy:
matrix:
job:
- { name: x86_64, target: x86_64-unknown-linux-musl, output: target/packages }
steps:
# Checkout either the PR or the branch
- name: Checkout
uses: actions/checkout@v4
with:
ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }}
fetch-depth: 0
- name: Download release artifacts
uses: actions/download-artifact@v4
with:
name: packages-${{ matrix.job.target }}
path: tests/images/debian-systemd/files/packages/
- name: create .env file
working-directory: tests/RobotFramework
run: |
touch .env
echo 'C8Y_BASEURL="${{ secrets.C8Y_BASEURL }}"' >> .env
echo 'C8Y_USER="${{ secrets.C8Y_USER }}"' >> .env
echo 'C8Y_TENANT="${{ secrets.C8Y_TENANT }}"' >> .env
echo 'C8Y_PASSWORD="${{ secrets.C8Y_PASSWORD }}"' >> .env
echo 'CA_KEY="${{ secrets.CA_KEY || '' }}"' >> .env
echo 'CA_PUB="${{ secrets.CA_PUB || '' }}"' >> .env
- uses: actions/setup-python@v5
with:
python-version: '3.9'
cache: 'pip'
cache-dependency-path: |
**/requirements/requirements*.txt
- name: Install dependencies
run: |
./bin/setup.sh
working-directory: tests/RobotFramework
- name: Build images
working-directory: tests/RobotFramework
run: |
source .venv/bin/activate
invoke build
- name: Run tests
working-directory: tests/RobotFramework
run: |
source .venv/bin/activate
invoke test \
--processes "${{ inputs.processes || '' }}" \
--include "${{ inputs.include || '' }}" \
--exclude "test:on_demand OR theme:benchmarks" \
--outputdir output
- name: Upload test results
uses: actions/upload-artifact@v4
if: always()
with:
name: report-${{ matrix.job.target }}
path: tests/RobotFramework/output
- name: Send report to commit
uses: joonvena/[email protected]
if: always() && github.event_name == 'pull_request_target'
with:
gh_access_token: ${{ secrets.GITHUB_TOKEN }}
report_path: 'tests/RobotFramework/output'
show_passed_tests: 'false'
publish:
name: Publish ${{ matrix.job.target }}
if: |
always() &&
github.event_name != 'pull_request_target' &&
(needs.test.result == 'success' || needs.test.result == 'skipped')
runs-on: ubuntu-20.04
needs: [test]
strategy:
fail-fast: false
matrix:
job:
- { target: x86_64-unknown-linux-musl, repo: tedge-main, component: main }
- { target: aarch64-unknown-linux-musl, repo: tedge-main, component: main }
# Keep arm-unknown-linux-musleabihf in separate repo due to armhf conflict between raspbian and debian
- { target: arm-unknown-linux-musleabihf, repo: tedge-main-armv6, component: main }
- { target: armv7-unknown-linux-musleabihf, repo: tedge-main, component: main }
- { target: arm-unknown-linux-musleabi, repo: tedge-main, component: main }
- { target: i686-unknown-linux-musl, repo: tedge-main, component: main }
# Debian also calls this "armel" (conflict with arm-unknown-linux-musleabi)
# - { target: armv5te-unknown-linux-musleabi, repo: tedge-main, component: main }
- { target: riscv64gc-unknown-linux-gnu, repo: tedge-main, component: main }
- { target: aarch64-apple-darwin, repo: tedge-main, component: main }
- { target: x86_64-apple-darwin, repo: tedge-main, component: main }
steps:
- name: Checkout
uses: actions/checkout@v4
# Setup python required by cloudsmith cli
- uses: actions/setup-python@v5
with:
python-version: '3.11'
cache: 'pip'
- name: Download release artifacts
uses: actions/download-artifact@v4
# https://github.com/marketplace/actions/download-a-build-artifact
with:
name: packages-${{ matrix.job.target }}
path: target/${{ matrix.job.target }}/packages/
- uses: taiki-e/install-action@just
- name: Publish packages
env:
PUBLISH_OWNER: ${{ secrets.PUBLISH_OWNER }}
PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }}
run: |
just publish-linux-target "${{ matrix.job.target }}" \
--repo "${{ matrix.job.repo }}" \
--component "${{ matrix.job.component }}"
# Wait until all other publishing jobs are finished
# before publishing the virtual packages (which are architecture agnostic)
publish-containers:
name: Publish Containers
if: |
always() &&
github.event_name != 'pull_request_target' &&
(needs.test.result == 'success' || needs.test.result == 'skipped')
runs-on: ubuntu-20.04
needs: [test]
env:
BUILDX_NO_DEFAULT_ATTESTATIONS: 1
permissions:
contents: read
packages: write
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: taiki-e/install-action@just
- id: tedge
name: Get Version
run: |
version=$(just version container)
echo "Detected version: $version"
echo "version=$version" >> "$GITHUB_OUTPUT"
# Download artifacts for all targets
# The docker build step will select the correct target for the
# given container target platform
- name: Download release artifacts
uses: actions/download-artifact@v4
with:
path: containers/tedge/packages/
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Setup Docker buildx
uses: docker/setup-buildx-action@v3
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: |
name=ghcr.io/thin-edge/tedge,enable=${{ startsWith(github.ref, 'refs/tags/') }}
name=ghcr.io/thin-edge/tedge-main,enable=true
tags: |
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=raw,value=${{ steps.tedge.outputs.version }},enable=${{ !startsWith(github.ref, 'refs/tags/') }}
type=raw,value=latest
- name: Build and push
uses: docker/build-push-action@v5
with:
context: containers/tedge
push: ${{ github.event_name != 'pull_request_target' }}
platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v6
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
build-args: |
BUILDTIME=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
REVISION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
# Wait until all other publishing jobs are finished
# before publishing the virtual packages (which are architecture agnostic)
publish-virtual-packages:
name: Publish Virtual Packages
if: |
always() &&
github.event_name != 'pull_request_target' &&
needs.publish.result == 'success'
runs-on: ubuntu-20.04
needs: [publish]
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
# Setup python required by cloudsmith cli
- uses: actions/setup-python@v5
with:
python-version: '3.11'
cache: 'pip'
# Install nfpm used to for linux packaging
- uses: actions/setup-go@v5
with:
go-version: 'stable'
cache: false
- run: go install github.com/goreleaser/nfpm/v2/cmd/nfpm@latest
- uses: taiki-e/install-action@just
- name: Build virtual packages
run: just release-linux-virtual
- name: Publish packages
env:
PUBLISH_OWNER: ${{ secrets.PUBLISH_OWNER }}
PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }}
run: |
just publish-linux-virtual --repo tedge-main
just publish-linux-virtual --repo tedge-main-armv6
release:
runs-on: ubuntu-latest
needs: [publish-virtual-packages, publish-containers]
if: |
always() &&
startsWith(github.ref, 'refs/tags/') &&
needs.publish-virtual-packages.result == 'success' &&
needs.publish-containers.result == 'success'
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false
- name: Release
uses: softprops/action-gh-release@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
generate_release_notes: true
draft: true
- name: Create tedge-docs snapshot
run: |
gh workflow run snapshot.yml -R thin-edge/tedge-docs -f version=${{github.ref_name}}
env:
# Triggering another workflow requires more additional credentials
GITHUB_TOKEN: ${{ secrets.ACTIONS_PAT }}
- name: Promote cloudsmith packages
env:
VERSION: ${{ github.ref_name }}
PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }}
run: |
./ci/admin/cloudsmith_admin.sh promote "$VERSION"