Renames to distinguish Tx and Store flag enums (#7098) #153

Workflow file for this run

.github/workflows/release.yml at 7efffaa

	name: Release

	on:
	push:
	tags:
	- "ccf-[56].*"
	workflow_dispatch:

	permissions:
	contents: write
	actions: read
	checks: write

	env:
	IMAGE: mcr.microsoft.com/azurelinux/base/core:3.0

	jobs:
	make_sbom:
	name: SBOM Generation
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	with:
	fetch-depth: 1
	- name: "Install SBOM tool"
	run: \|
	set -ex
	curl -Lo sbom-tool https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64 > sbom-tool
	chmod +x sbom-tool
	shell: bash
	- name: "Produce SBOM"
	run: \|
	set -ex
	CCF_VERSION=${{ github.ref_name }}
	CCF_VERSION=${CCF_VERSION#ccf-}
	./sbom-tool generate -b . -bc . -pn CCF -ps Microsoft -nsb https://sbom.microsoft -pv $CCF_VERSION -V Error
	shell: bash
	- name: "Upload SBOM"
	uses: actions/upload-artifact@v4
	with:
	name: sbom
	path: _manifest/spdx_2.2/*

	release_notes:
	name: Release Notes
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	with:
	fetch-depth: 1
	- name: "Check Release Notes"
	run: \|
	set -ex
	python scripts/extract-release-notes.py --target-git-version
	shell: bash
	- name: "Produce Release Notes"
	run: \|
	set -ex
	set -o pipefail
	python ./scripts/extract-release-notes.py --target-git-version --describe-path-changes "./samples/constitution" \| tee rel-notes.md
	- name: "Upload Release Notes"
	uses: actions/upload-artifact@v4
	with:
	name: relnotes
	path: rel-notes.md

	image_digest:
	runs-on: [self-hosted, 1ES.Pool=gha-virtual-ccf-sub]
	outputs:
	image_digest: ${{ steps.digest.outputs.digest }}
	steps:
	- id: digest
	run: \|
	set -ex
	docker pull $IMAGE
	echo "digest=$(docker inspect --format='{{index .RepoDigests 0}}' $IMAGE)" >> "$GITHUB_OUTPUT"

	build_release:
	name: Build Release
	needs: [release_notes, image_digest]
	outputs:
	SOURCE_DATE_EPOCH: ${{ steps.set_epoch.outputs.SOURCE_DATE_EPOCH }}
	strategy:
	matrix:
	platform:
	- name: virtual
	os: azure-linux
	test_filter: "benchmark\|unit"
	- name: snp
	os: azure-linux

	runs-on: [self-hosted, 1ES.Pool=gha-virtual-ccf-sub]
	container:
	image: ${{ needs.image_digest.outputs.image_digest }}
	options: "--user root --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE"

	steps:
	- name: Set SOURCE_DATE_EPOCH env variable
	id: set_epoch
	run: \|
	set -ex
	epoch=$(date +%s)
	echo "SOURCE_DATE_EPOCH=$epoch" >> $GITHUB_ENV
	echo "SOURCE_DATE_EPOCH=$epoch" >> $GITHUB_OUTPUT
	echo "$epoch"

	- name: "Checkout dependencies"
	shell: bash
	run: \|
	set -ex
	gpg --import /etc/pki/rpm-gpg/MICROSOFT-RPM-GPG-KEY
	tdnf --snapshottime=$SOURCE_DATE_EPOCH -y update
	tdnf --snapshottime=$SOURCE_DATE_EPOCH -y install ca-certificates git

	- uses: actions/checkout@v4
	with:
	fetch-depth: 0

	- name: "Install dependencies"
	shell: bash
	run: \|
	set -ex
	./scripts/setup-ci.sh

	- name: "Build Release ${{ matrix.platform.name }}"
	shell: bash
	run: \|
	set -ex
	git config --global --add safe.directory /__w/CCF/CCF
	mkdir build
	cd build
	cmake -GNinja -DCOMPILE_TARGET=${{ matrix.platform.name }} -DCLIENT_PROTOCOLS_TEST=ON -DCMAKE_BUILD_TYPE=Release ..
	ninja -v \| tee build.log

	- name: "Test ${{ matrix.platform.name }}"
	if: "${{ matrix.platform.name == 'virtual' }}"
	run: \|
	set -ex
	cd build
	rm -rf /github/home/.cache
	mkdir -p /github/home/.cache
	# Unit tests
	./tests.sh --output-on-failure -L unit -j$(nproc --all)
	# Suite tests
	./tests.sh --timeout 600 --output-on-failure -L "suite"
	# Most tests
	./tests.sh --timeout 360 --output-on-failure -LE "suite\|${{ matrix.platform.test_filter }}"
	shell: bash

	- name: "Upload logs for ${{ matrix.platform.name }}"
	if: success() \|\| failure()
	uses: actions/upload-artifact@v4
	with:
	name: logs-${{ matrix.platform.name }}
	path: \|
	build/workspace//.config.json
	build/workspace/*/out
	build/workspace/*/err
	build/workspace//.ledger/*
	if-no-files-found: ignore

	- name: "Make .rpm (devel) Package"
	id: make_rpm_devel
	run: \|
	set -ex
	set -o pipefail
	cd build
	cmake -L .. 2>/dev/null \| grep CMAKE_INSTALL_PREFIX: \| cut -d = -f 2 > /tmp/install_prefix
	cpack -V -G RPM
	INITIAL_PKG=`ls devel.rpm`
	CCF_GITHUB_PKG=${INITIAL_PKG//\~/_}
	if [[ "$INITIAL_PKG" != "$CCF_GITHUB_PKG" ]]; then
	mv $INITIAL_PKG $CCF_GITHUB_PKG
	fi
	echo "name=$CCF_GITHUB_PKG" >> $GITHUB_OUTPUT
	shell: bash

	- name: "Make .rpm (run) Package"
	id: make_rpm_run
	run: \|
	set -ex
	set -o pipefail
	cd build

	# Reset cmake config to affect cpack settings
	rm CMakeCache.txt
	cmake -GNinja -DCOMPILE_TARGET=${{ matrix.platform.name }} -DCMAKE_BUILD_TYPE=Release -DCCF_DEVEL=OFF ..

	cmake -L .. 2>/dev/null \| grep CMAKE_INSTALL_PREFIX: \| cut -d = -f 2 > /tmp/install_prefix
	cpack -V -G RPM
	INITIAL_PKG=`ls *.rpm \| grep -v devel`
	CCF_GITHUB_PKG=${INITIAL_PKG//\~/_}
	if [[ "$INITIAL_PKG" != "$CCF_GITHUB_PKG" ]]; then
	mv $INITIAL_PKG $CCF_GITHUB_PKG
	fi
	echo "name=$CCF_GITHUB_PKG" >> $GITHUB_OUTPUT
	shell: bash

	- name: "Install CCF package"
	run: \|
	set -ex
	cd build
	tdnf -y install ./${{ steps.make_rpm_devel.outputs.name }}
	shell: bash

	- name: "Test Installed CCF"
	if: "${{ matrix.platform.name == 'virtual' }}"
	run: \|
	set -ex
	set -o pipefail
	cd build
	cat /tmp/install_prefix \| xargs -i bash -c "PYTHON_PACKAGE_PATH=../python ./test_install.sh {}"
	shell: bash

	- name: "Recovery Benchmark for Installed CCF"
	if: "${{ matrix.platform.name == 'virtual' }}"
	run: \|
	set -ex
	set -o pipefail
	cd build
	cat /tmp/install_prefix \| xargs -i bash -c "PYTHON_PACKAGE_PATH=../python ./recovery_benchmark.sh {}"
	shell: bash

	- name: "Test Building a Sample Against Installed CCF"
	run: \|
	set -ex
	./tests/test_install_build.sh -DCOMPILE_TARGET=${{ matrix.platform.name }}
	shell: bash

	- name: "Upload .rpm Package"
	uses: actions/upload-artifact@v4
	with:
	name: pkg-${{ matrix.platform.name }}
	path: build/${{ steps.make_rpm_run.outputs.name }}

	- name: "Upload -devel.rpm Package"
	uses: actions/upload-artifact@v4
	with:
	name: pkg-${{ matrix.platform.name }}-devel
	path: build/${{ steps.make_rpm_devel.outputs.name }}

	- name: "Upload Compatibility Report"
	if: "${{ matrix.platform.name == 'virtual' }}"
	uses: actions/upload-artifact@v4
	with:
	name: compatibility
	path: build/compatibility_report.json

	- name: "Upload TLS Report"
	if: "${{ matrix.platform.name == 'virtual' }}"
	uses: actions/upload-artifact@v4
	with:
	name: tls
	path: build/tls_report.html

	- name: "Build Python Wheel"
	if: "${{ matrix.platform.name == 'virtual' }}"
	id: build_wheel
	run: \|
	set -ex
	cd python
	python3 -m venv env
	source ./env/bin/activate
	pip install wheel build
	python -m build --wheel
	WHL=`ls dist/*.whl`
	echo "name=$WHL" >> $GITHUB_OUTPUT
	shell: bash

	- name: "Upload Python Wheel"
	if: "${{ matrix.platform.name == 'virtual' }}"
	uses: actions/upload-artifact@v4
	with:
	name: wheel
	path: python/${{ steps.build_wheel.outputs.name }}

	- name: "Build TS Package"
	if: "${{ matrix.platform.name == 'virtual' }}"
	id: build_tstgz
	run: \|
	set -ex
	cd js/ccf-app
	CCF_VERSION=$(<../../build/VERSION_LONG)
	CCF_VERSION=${CCF_VERSION#ccf-}
	echo "Setting npm package version to ${CCF_VERSION}"
	npm version $CCF_VERSION
	npm pack
	PKG=`ls *.tgz`
	echo "name=$PKG" >> $GITHUB_OUTPUT
	shell: bash

	- name: "Upload TS Package"
	if: "${{ matrix.platform.name == 'virtual' }}"
	uses: actions/upload-artifact@v4
	with:
	name: tstgz
	path: js/ccf-app/${{ steps.build_tstgz.outputs.name }}

	- name: "Generate Reproducibility Metadata"
	id: metadata
	shell: bash
	run: \|
	set -ex
	commit_id=$(git rev-parse HEAD)
	echo "commit_sha=$commit_id" >> $GITHUB_OUTPUT
	filename=reproduce-${{ matrix.platform.name }}.json

	cat <<EOF > $filename
	{
	"platform_name": "${{ matrix.platform.name }}",
	"build_container_image": "${{needs.image_digest.outputs.image_digest}}",
	"tdnf_snapshottime": $SOURCE_DATE_EPOCH,
	"commit_sha": "$commit_id"
	}
	EOF
	cat $filename

	- name: "Upload Reproducibility Metadata"
	uses: actions/upload-artifact@v4
	with:
	name: reproduce-${{ matrix.platform.name }}-metadata
	path: reproduce-${{ matrix.platform.name }}.json

	reproduce_rpm:
	name: Test Reproducibility
	needs:
	- build_release
	- image_digest
	strategy:
	matrix:
	platform:
	- name: virtual
	os: azure-linux
	- name: snp
	os: azure-linux
	runs-on: [self-hosted, 1ES.Pool=gha-virtual-ccf-sub]
	env:
	REPRO_DIR: /tmp/reproduced
	container:
	image: ${{ needs.image_digest.outputs.image_digest }}
	options: "--user root"
	steps:
	- name: "Checkout dependencies"
	shell: bash
	run: \|
	set -ex
	gpg --import /etc/pki/rpm-gpg/MICROSOFT-RPM-GPG-KEY
	tdnf --snapshottime=${{ needs.build_release.outputs.SOURCE_DATE_EPOCH }} -y update
	tdnf --snapshottime=${{ needs.build_release.outputs.SOURCE_DATE_EPOCH }} -y install ca-certificates git
	- uses: actions/checkout@v4
	with:
	fetch-depth: 0
	- name: Download Prebuilt Packages
	uses: actions/download-artifact@v4
	with:
	path: DOWNLOAD_DIR
	pattern: pkg-*
	merge-multiple: true
	- name: Download Reproducibility Metadata
	uses: actions/download-artifact@v4
	with:
	path: repro
	pattern: reproduce-${{ matrix.platform.name }}-metadata
	merge-multiple: true
	- name: Reproduce RPMs
	id: reproduce
	shell: bash
	run: \|
	set -ex
	tdnf install --snapshottime=${{ needs.build_release.outputs.SOURCE_DATE_EPOCH }} -y jq
	git config --global --add safe.directory /__w/CCF/CCF
	./reproduce/reproduce_rpm.sh repro/reproduce-${{ matrix.platform.name }}.json
	RPM_NAMES=$(ls "$REPRO_DIR" \|\| true)
	if [ -z "$RPM_NAMES" ]; then
	echo "ERROR: No reproduced package found in $REPRO_DIR"
	exit 1
	fi
	- name: Verify reproducibility
	id: verify
	shell: bash
	run: \|
	set -ex
	for pkg in "$REPRO_DIR"/*; do
	cmp "$pkg" "DOWNLOAD_DIR/$(basename "$pkg")"
	done
	- name: Upload Non-Reproduced Package
	if: failure()
	uses: actions/upload-artifact@v4
	with:
	name: not-reproduced
	path: ${{ env.REPRO_DIR }}

	create_release:
	needs:
	- reproduce_rpm
	- build_release
	- make_sbom
	name: Create Release
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	with:
	fetch-depth: 1
	- name: Download Packages
	uses: actions/download-artifact@v4
	with:
	path: pkg
	pattern: pkg-*
	merge-multiple: true
	- name: Download Release Notes
	uses: actions/download-artifact@v4
	with:
	name: relnotes
	- name: Download Compatibility Report
	uses: actions/download-artifact@v4
	with:
	name: compatibility
	- name: Download TLS Report
	uses: actions/download-artifact@v4
	with:
	name: tls
	- name: Download Python Wheel
	uses: actions/download-artifact@v4
	with:
	path: wheel
	name: wheel
	- name: Download TS Package
	uses: actions/download-artifact@v4
	with:
	path: tstgz
	name: tstgz
	- name: Download SBOM
	uses: actions/download-artifact@v4
	with:
	path: sbom
	name: sbom
	- name: Download Reproducibility Metadata
	uses: actions/download-artifact@v4
	with:
	path: repro
	pattern: reproduce-*
	merge-multiple: true
	- run: \|
	set -ex
	CCF_VERSION=${{ github.ref_name }}
	CCF_VERSION=${CCF_VERSION#ccf-}
	gh release create --title $CCF_VERSION --draft --notes-file rel-notes.md ${{ github.ref_name }} pkg/* wheel/.whl tstgz/.tgz sbom/* tls_report.html compatibility_report.json repro/* ./reproduce/start_container_and_reproduce_rpm.sh
	shell: bash
	env:
	GH_TOKEN: ${{ github.token }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Renames to distinguish Tx and Store flag enums (#7098) #153

Workflow file

Renames to distinguish Tx and Store flag enums (#7098) #153

Uh oh!

Jobs

Run details

Workflow file for this run