Cache infrastructure is not implemented in the Forgejo instance, causing timeouts. Removed: actions/cache steps for Go modules, Zig build, native libs and apt packages; Docker buildx layer caching (cache-from/cache-to).
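---
# CI/CD pipeline (GitHub-Actions-compatible syntax, run on Forgejo).
# Job graph: test -> {dev-smoke, build, test-scripts} -> docker-build;
# security-scan has no `needs` and runs independently of the others.
name: CI/CD Pipeline

# `on` is a YAML 1.1 boolean key; the Actions loader handles it, so
# yamllint's `truthy` rule should be disabled for this line.
on:
  workflow_dispatch:
  push:
    # Documentation-only changes do not trigger the pipeline.
    paths-ignore:
      - 'docs/**'
      - 'README.md'
      - 'CHANGELOG.md'
      - '.forgejo/ISSUE_TEMPLATE/**'
      - '**/*.md'

# One run per workflow+ref; a newer push cancels the in-flight run.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Token scopes for every job, kept to what the steps below use.
# `security-events: write` was dropped: no step uploads SARIF to a
# code-scanning endpoint (the Trivy report is stored as a plain artifact).
# Re-add it if an upload-sarif step is introduced. `packages: write` covers
# the registry push in docker-build.
permissions:
  contents: read
  actions: read
  packages: write

# Tool versions. Quoted so `1.25.0` / `3.3.0` are never read as floats.
env:
  GO_VERSION: '1.25.0'
  ZIG_VERSION: '0.15.2'
  RSYNC_VERSION: '3.3.0'

jobs: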
test:
|
|
name: Test
|
|
runs-on: self-hosted
|
|
timeout-minutes: 30
|
|
|
|
services:
|
|
redis:
|
|
image: redis:7
|
|
ports:
|
|
- 6379:6379
|
|
options: >-
|
|
--health-cmd "redis-cli ping"
|
|
--health-interval 10s
|
|
--health-timeout 5s
|
|
--health-retries 5
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v5
|
|
|
|
- name: Set up Go
|
|
run: |
|
|
REQUIRED_GO="1.25.0"
|
|
if command -v go &> /dev/null && go version | grep -q "go${REQUIRED_GO}"; then
|
|
echo "Go ${REQUIRED_GO} already installed - skipping download"
|
|
else
|
|
echo "Installing Go ${REQUIRED_GO}..."
|
|
curl -sL "https://go.dev/dl/go${REQUIRED_GO}.linux-amd64.tar.gz" | sudo tar -C /usr/local -xzf -
|
|
export PATH="/usr/local/go/bin:$PATH"
|
|
echo "/usr/local/go/bin" >> $GITHUB_PATH
|
|
echo "Go ${REQUIRED_GO} installed"
|
|
fi
|
|
go version
|
|
|
|
- name: Set up Zig
|
|
run: |
|
|
ZIG_VERSION="${{ env.ZIG_VERSION }}"
|
|
if command -v zig &> /dev/null && zig version | grep -q "${ZIG_VERSION}"; then
|
|
echo "Zig ${ZIG_VERSION} already installed - skipping download"
|
|
else
|
|
echo "Installing Zig ${ZIG_VERSION}..."
|
|
ZIG_DIR="/usr/local/zig-${ZIG_VERSION}"
|
|
if [[ "$OSTYPE" == "linux-gnu"* ]]; then
|
|
curl -fsSL --retry 3 "https://github.com/ziglang/zig/releases/download/${ZIG_VERSION}/zig-linux-x86_64-${ZIG_VERSION}.tar.xz" -o /tmp/zig.tar.xz
|
|
sudo mkdir -p "${ZIG_DIR}"
|
|
sudo tar -C "${ZIG_DIR}" --strip-components=1 -xJf /tmp/zig.tar.xz
|
|
sudo ln -sf "${ZIG_DIR}/zig" /usr/local/bin/zig
|
|
elif [[ "$OSTYPE" == "darwin"* ]]; then
|
|
curl -fsSL --retry 3 "https://github.com/ziglang/zig/releases/download/${ZIG_VERSION}/zig-macos-x86_64-${ZIG_VERSION}.tar.xz" -o /tmp/zig.tar.xz
|
|
sudo mkdir -p "${ZIG_DIR}"
|
|
sudo tar -C "${ZIG_DIR}" --strip-components=1 -xJf /tmp/zig.tar.xz
|
|
sudo ln -sf "${ZIG_DIR}/zig" /usr/local/bin/zig
|
|
fi
|
|
rm -f /tmp/zig.tar.xz
|
|
echo "Zig ${ZIG_VERSION} installed"
|
|
fi
|
|
zig version
|
|
|
|
- name: Install dependencies
|
|
run: |
|
|
go mod download
|
|
sudo apt-get update
|
|
sudo apt-get install -y podman redis-tools build-essential autoconf automake libtool pkg-config musl-tools
|
|
|
|
- name: Build pinned rsync from official source (for CLI tests)
|
|
run: |
|
|
make -C cli build-rsync RSYNC_VERSION=${{ env.RSYNC_VERSION }}
|
|
|
|
- name: Verify dependencies
|
|
run: go mod verify
|
|
|
|
- name: Run tests
|
|
run: make test
|
|
|
|
- name: Test internal/queue package
|
|
run: go test -v -race -coverprofile=queue-coverage.out ./internal/queue/...
|
|
|
|
- name: Run comprehensive tests
|
|
run: make test-full
|
|
|
|
- name: Run linters
|
|
run: make lint
|
|
|
|
- name: Generate coverage report
|
|
run: make test-coverage
|
|
|
|
dev-smoke:
|
|
name: Dev Compose Smoke Test
|
|
runs-on: self-hosted
|
|
needs: test
|
|
timeout-minutes: 20
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v5
|
|
|
|
- name: Run dev smoke test
|
|
run: make dev-smoke
|
|
|
|
build:
|
|
name: Build
|
|
runs-on: self-hosted
|
|
needs: test
|
|
timeout-minutes: 15
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v5
|
|
|
|
- name: Set up Go
|
|
run: |
|
|
REQUIRED_GO="1.25.0"
|
|
if command -v go &> /dev/null && go version | grep -q "go${REQUIRED_GO}"; then
|
|
echo "Go ${REQUIRED_GO} already installed - skipping download"
|
|
else
|
|
echo "Installing Go ${REQUIRED_GO}..."
|
|
curl -sL "https://go.dev/dl/go${REQUIRED_GO}.linux-amd64.tar.gz" | sudo tar -C /usr/local -xzf -
|
|
export PATH="/usr/local/go/bin:$PATH"
|
|
echo "/usr/local/go/bin" >> $GITHUB_PATH
|
|
echo "Go ${REQUIRED_GO} installed"
|
|
fi
|
|
go version
|
|
|
|
- name: Set up Zig
|
|
run: |
|
|
ZIG_VERSION="${{ env.ZIG_VERSION }}"
|
|
if command -v zig &> /dev/null && zig version | grep -q "${ZIG_VERSION}"; then
|
|
echo "Zig ${ZIG_VERSION} already installed - skipping download"
|
|
else
|
|
echo "Installing Zig ${ZIG_VERSION}..."
|
|
ZIG_DIR="/usr/local/zig-${ZIG_VERSION}"
|
|
if [[ "$OSTYPE" == "linux-gnu"* ]]; then
|
|
curl -fsSL --retry 3 "https://github.com/ziglang/zig/releases/download/${ZIG_VERSION}/zig-linux-x86_64-${ZIG_VERSION}.tar.xz" -o /tmp/zig.tar.xz
|
|
sudo mkdir -p "${ZIG_DIR}"
|
|
sudo tar -C "${ZIG_DIR}" --strip-components=1 -xJf /tmp/zig.tar.xz
|
|
sudo ln -sf "${ZIG_DIR}/zig" /usr/local/bin/zig
|
|
elif [[ "$OSTYPE" == "darwin"* ]]; then
|
|
curl -fsSL --retry 3 "https://github.com/ziglang/zig/releases/download/${ZIG_VERSION}/zig-macos-x86_64-${ZIG_VERSION}.tar.xz" -o /tmp/zig.tar.xz
|
|
sudo mkdir -p "${ZIG_DIR}"
|
|
sudo tar -C "${ZIG_DIR}" --strip-components=1 -xJf /tmp/zig.tar.xz
|
|
sudo ln -sf "${ZIG_DIR}/zig" /usr/local/bin/zig
|
|
fi
|
|
rm -f /tmp/zig.tar.xz
|
|
echo "Zig ${ZIG_VERSION} installed"
|
|
fi
|
|
zig version
|
|
|
|
- name: Install build dependencies
|
|
run: |
|
|
sudo apt-get update
|
|
sudo apt-get install -y podman build-essential autoconf automake libtool pkg-config musl-tools
|
|
|
|
- name: Build pinned rsync from official source
|
|
run: |
|
|
make -C cli build-rsync RSYNC_VERSION=${{ env.RSYNC_VERSION }}
|
|
|
|
- name: Build binaries
|
|
run: |
|
|
make build
|
|
|
|
- name: Test binaries
|
|
run: |
|
|
./bin/user_manager --help
|
|
./bin/worker --help
|
|
./bin/tui --help
|
|
./bin/data_manager --help
|
|
./cli/zig-out/bin/ml --help
|
|
ls -lh ./cli/zig-out/bin/ml
|
|
|
|
- name: Upload build artifacts
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: fetch_ml_binaries
|
|
path: |
|
|
bin/
|
|
cli/zig-out/
|
|
dist/
|
|
retention-days: 30
|
|
|
|
test-scripts:
|
|
name: Test Scripts
|
|
runs-on: self-hosted
|
|
needs: test
|
|
timeout-minutes: 15
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v5
|
|
|
|
- name: Install dependencies
|
|
run: |
|
|
sudo apt-get update
|
|
sudo apt-get install -y podman redis-tools bats
|
|
|
|
- name: Test scripts
|
|
run: |
|
|
chmod +x scripts/*.sh || true
|
|
chmod +x scripts/maintenance/*.sh || true
|
|
|
|
./scripts/verify_release.sh --help
|
|
./scripts/manage-artifacts.sh help
|
|
./scripts/track_performance.sh --help
|
|
./scripts/smoke-test.sh --help
|
|
|
|
security-scan:
|
|
name: Security Scan
|
|
runs-on: self-hosted
|
|
timeout-minutes: 20
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v5
|
|
|
|
- name: Run Trivy vulnerability scanner
|
|
uses: aquasecurity/trivy-action@master
|
|
with:
|
|
scan-type: 'fs'
|
|
scan-ref: '.'
|
|
format: 'sarif'
|
|
output: 'trivy-results.sarif'
|
|
|
|
- name: Upload Trivy scan results
|
|
uses: actions/upload-artifact@v4
|
|
if: always()
|
|
with:
|
|
name: trivy-results
|
|
path: trivy-results.sarif
|
|
retention-days: 30
|
|
|
|
- name: Gosec Security Scanner
|
|
run: |
|
|
go install github.com/securecodewarrior/gosec/v2/cmd/gosec@latest
|
|
gosec ./...
|
|
|
|
docker-build:
|
|
name: Docker Build
|
|
runs-on: self-hosted
|
|
needs: [test, build, test-scripts]
|
|
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
|
|
timeout-minutes: 30
|
|
|
|
steps:
|
|
- name: Check Docker registry secret
|
|
run: |
|
|
if [ -z "${{ secrets.GHCR_TOKEN }}" ]; then
|
|
echo "GHCR_TOKEN not set, skipping Docker build"
|
|
exit 0
|
|
fi
|
|
|
|
- name: Checkout code
|
|
uses: actions/checkout@v5
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
with:
|
|
driver-opts: |
|
|
image=moby/buildkit:master
|
|
|
|
- name: Login to GitHub Container Registry
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ secrets.GHCR_USERNAME }}
|
|
password: ${{ secrets.GHCR_TOKEN }}
|
|
|
|
- name: Build and push Docker image
|
|
uses: docker/build-push-action@v6
|
|
with:
|
|
context: .
|
|
platforms: linux/amd64,linux/arm64
|
|
push: true
|
|
tags: |
|
|
ghcr.io/${{ github.repository }}:latest
|
|
ghcr.io/${{ github.repository }}:${{ github.sha }}
|