[engine] Prohibit forking without locking #218
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Copyright 2023 The Shac Authors | |
# | |
# Licensed under the Apache License, Version 2.0 (the "License"); | |
# you may not use this file except in compliance with the License. | |
# You may obtain a copy of the License at | |
# | |
# http://www.apache.org/licenses/LICENSE-2.0 | |
# | |
# Unless required by applicable law or agreed to in writing, software | |
# distributed under the License is distributed on an "AS IS" BASIS, | |
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
# See the License for the specific language governing permissions and | |
# limitations under the License. | |
on: [push, pull_request] | |
name: Run tests | |
jobs: | |
# Runs go test both with code coverage sent to codecov, race detector and | |
# benchmarks. At the end do a quick check to ensure the tests to not leave | |
# files in the tree. | |
test: | |
name: "test: go${{matrix.gover}}.x/${{matrix.os}}" | |
runs-on: "${{matrix.os}}" | |
continue-on-error: true | |
defaults: | |
run: | |
shell: bash | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ubuntu-latest, macos-latest, windows-latest] | |
# Do not forget to bump every 6 months! | |
gover: ["1.21"] | |
env: | |
PYTHONDONTWRITEBYTECODE: x | |
steps: | |
- name: Turn off git core.autocrlf | |
if: matrix.os == 'windows-latest' | |
run: git config --global core.autocrlf false | |
- uses: actions/checkout@v3 | |
with: | |
fetch-depth: 2 | |
- uses: actions/setup-go@v4 | |
with: | |
go-version: "~${{matrix.gover}}.0" | |
- name: 'go install necessary tools' | |
if: always() | |
run: | | |
go install github.com/maruel/pat/cmd/ba@latest | |
- name: 'Check: go test -cover' | |
if: always() | |
run: go test -timeout=5m -covermode=count -coverprofile coverage.txt -bench=. -benchtime=1x ./... | |
# Don't send code coverage if anything failed to reduce spam. | |
- uses: codecov/codecov-action@v3 | |
- name: 'Cleanup' | |
if: always() | |
run: rm coverage.txt | |
- name: 'Check: go test -race' | |
run: go test -timeout=5m -race -bench=. -benchtime=1x ./... | |
- name: 'Check: benchmark 📈' | |
run: ba -against HEAD~1 | |
- name: 'Check: go test -short (CGO_ENABLED=0)' | |
env: | |
CGO_ENABLED: 0 | |
run: go test -timeout=5m -short -bench=. -benchtime=1x ./... | |
- name: 'Check: go test -short (32 bits)' | |
if: matrix.os != 'macos-latest' | |
env: | |
GOARCH: 386 | |
run: go test -timeout=5m -short -bench=. -benchtime=1x ./... | |
- name: 'Install shac' | |
if: always() | |
run: go install . | |
- name: 'Check: shac check' | |
if: always() | |
run: shac check | |
- name: "Check: tree is clean" | |
if: always() | |
run: | | |
# Nothing should have changed in the tree up to that point and no | |
# unsuspected file was created. | |
# TODO(olivernewman): Add --ignored flag once go tools are installed | |
# outside the checkout instead of in the .tools directory. | |
TOUCHED=$(git status --porcelain) | |
if ! test -z "$TOUCHED"; then | |
echo "Oops, something touched these files, please cleanup:" | |
echo "$TOUCHED" | |
git diff | |
false | |
fi | |
# Run linters. This workflow can be merged with the test_all one if desired | |
# to cut on runtime, at the cost of latency. I dislike waiting for results | |
# so I prefer to run them in parallel. | |
lint: | |
name: "lint: go${{matrix.gover}}.x/${{matrix.os}}" | |
runs-on: "${{matrix.os}}" | |
continue-on-error: true | |
defaults: | |
run: | |
shell: bash | |
strategy: | |
fail-fast: false | |
matrix: | |
# You may want to run only on linux to save on cost. Projects with | |
# OS-specific code benefits from explicitly linting on macOS and | |
# Windows. | |
os: [ubuntu-latest, macos-latest, windows-latest] | |
# Do not forget to bump every 6 months! | |
gover: ["1.21"] | |
env: | |
PYTHONDONTWRITEBYTECODE: x | |
steps: | |
- name: Turn off git core.autocrlf | |
if: matrix.os == 'windows-latest' | |
run: git config --global core.autocrlf false | |
- uses: actions/checkout@v3 | |
- uses: actions/setup-go@v4 | |
with: | |
go-version: "~${{matrix.gover}}.0" | |
- name: "Debug" | |
run: | | |
echo HOME = $HOME | |
echo GITHUB_WORKSPACE = $GITHUB_WORKSPACE | |
echo PATH = $PATH | |
echo "" | |
echo $ ls -l $HOME/go/bin | |
ls -la $HOME/go/bin | |
- name: Install protoc | |
# See https://github.com/arduino/setup-protoc/issues/33 | |
if: ${{ false }} | |
uses: arduino/setup-protoc@v1 | |
with: | |
version: '21.12' | |
- name: 'go install necessary tools (ubuntu)' | |
if: always() && matrix.os == 'ubuntu-latest' | |
run: | | |
go install github.com/client9/misspell/cmd/misspell@latest | |
go install github.com/google/addlicense@latest | |
- name: 'Check: go vet' | |
if: always() | |
run: go vet -unsafeptr=false ./... | |
# run them on ubuntu-latest since it's the fastest one. | |
- name: 'Check: no executable was committed (ubuntu)' | |
if: always() && matrix.os == 'ubuntu-latest' | |
run: | | |
if find . -path '*.sh' -prune -o \ | |
-path ./.git -prune -o \ | |
-path './internal/sandbox/nsjail-linux-*' -prune -o \ | |
-type f -executable -print | grep -e . ; then | |
echo 'Do not commit executables beside shell scripts' | |
false | |
fi | |
- name: 'Check: addlicense; all sources have a license header (ubuntu)' | |
if: always() && matrix.os == 'ubuntu-latest' | |
run: addlicense -check -ignore 'vendor/**' . | |
- name: "Check: misspelling; code doesn't contain misspelling (ubuntu)" | |
if: always() && matrix.os == 'ubuntu-latest' | |
run: | | |
ERR=$(find . -type f | grep -v vendor/ | xargs misspell) | |
if ! test -z "$ERR"; then | |
echo "$ERR" | |
echo "## ⚠ misspell Failed" >> ../_comments.txt | |
echo "" >> ../_comments.txt | |
echo "$ERR" >> ../_comments.txt | |
echo "" >> ../_comments.txt | |
false | |
fi | |
- name: 'Send comments' | |
if: failure() | |
run: | | |
if [ -f ../_comments.txt ]; then | |
URL="${{github.event.issue.pull_request.url}}" | |
if test -z "$URL"; then | |
URL="${{github.api_url}}/repos/${{github.repository}}/commits/${{github.sha}}/comments" | |
fi | |
echo "Sending $(cat ../_comments.txt|wc -l) lines of comments to ${URL}" | |
curl -sS --request POST \ | |
--header "Authorization: Bearer ${{secrets.GITHUB_TOKEN}}" \ | |
--header "Content-Type: application/json" \ | |
--data "$(cat ../_comments.txt | jq -R --slurp '{body: .}')" \ | |
"${URL}" > /dev/null | |
rm ../_comments.txt | |
fi | |
- name: "Check: go generate doesn't modify files" | |
# See https://github.com/arduino/setup-protoc/issues/33 | |
if: ${{ false }} | |
#if: always() | |
run: | | |
go generate ./... | |
# Also test for untracked files. go generate should not generate ignored | |
# files either. | |
TOUCHED=$(git status --porcelain --ignored) | |
if ! test -z "$TOUCHED"; then | |
echo "go generate created these files, please fix:" | |
echo "$TOUCHED" | |
false | |
fi | |
- name: "Check: go mod tidy doesn't modify files" | |
if: always() | |
run: | | |
go mod tidy | |
TOUCHED=$(git status --porcelain --ignored) | |
if ! test -z "$TOUCHED"; then | |
echo "go mod tidy was not clean, please update:" | |
git diff | |
false | |
fi | |
codeql: | |
name: "codeql: go${{matrix.gover}}.x/${{matrix.os}}" | |
runs-on: "${{matrix.os}}" | |
continue-on-error: true | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ubuntu-latest] | |
# Do not forget to bump every 6 months! | |
gover: ["1.21"] | |
permissions: | |
security-events: write | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: actions/setup-go@v4 | |
with: | |
go-version: "~${{matrix.gover}}.0" | |
- name: Initialize CodeQL | |
uses: github/codeql-action/init@v2 | |
with: | |
languages: go | |
- name: Autobuild | |
uses: github/codeql-action/autobuild@v2 | |
- name: Perform CodeQL Analysis | |
uses: github/codeql-action/analyze@v2 |