SECURITY.md updates and ownership #27427
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Integration tests | |
on: | |
# Use the following to explicitly start this workflow. | |
# packages/deployment/scripts/start-github-integration-test.sh <BRANCH-OR-TAG> | |
workflow_dispatch: | |
push: | |
branches: | |
- master | |
- 'release-*' | |
- beta | |
tags: | |
- '@agoric/sdk@*' | |
pull_request: | |
types: | |
- opened | |
- reopened | |
- synchronize | |
- converted_to_draft | |
- ready_for_review | |
- labeled | |
- unlabeled | |
- auto_merge_enabled | |
- auto_merge_disabled | |
merge_group: | |
schedule: | |
- cron: '17 6 * * *' | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
jobs: | |
pre_check: | |
uses: ./.github/workflows/pre-check-integration.yml | |
# This job is meant to emulate what developers working with the Agoric platform will experience | |
# It should be kept in sync with https://agoric.com/documentation/getting-started/ | |
getting-started: | |
needs: pre_check | |
if: needs.pre_check.outputs.should_run == 'true' | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
cli: [link-cli/yarn, registry/yarn, registry/npm, registry/npx] | |
timeout-minutes: 40 | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
persist-credentials: false | |
- name: Recreate integration-test-result if needed | |
id: get-pending-integration-result | |
uses: ./.github/actions/get-latest-check | |
with: | |
create-if-needed: true | |
- name: Reconfigure git to use HTTP authentication | |
run: git config --global url."https://github.com/".insteadOf ssh://git@github.com/ | |
shell: bash | |
# Prerequisites | |
- uses: ./.github/actions/restore-node | |
with: | |
node-version: 16.x | |
keep-endo: 'true' | |
# Select a branch on dapp to test against by adding text to the body of the | |
# pull request. For example: #dapp-encouragement-branch: zoe-release-0.7.0 | |
# The default is 'main' | |
- name: Get the appropriate dapp branch | |
id: get-branch | |
uses: actions/github-script@v6 | |
with: | |
result-encoding: string | |
script: | | |
let branch = 'main'; | |
if (context.payload.pull_request) { | |
const { body } = context.payload.pull_request; | |
const regex = /^\#getting-started-branch:\s+(\S+)/m; | |
const result = regex.exec(body); | |
if (result) { | |
branch = result[1]; | |
} | |
} | |
console.log(branch); | |
return branch; | |
- name: Start local NPM registry | |
if: ${{ startsWith(matrix.cli, 'registry') }} | |
run: | | |
set -xe | |
git reset --hard HEAD | |
git config user.email "noreply@agoric.com" | |
REGISTRY_PUBLISH_WORKSPACES="$HOME/endo" scripts/registry.sh bg-publish ${{ matrix.cli }} | |
- name: run agoric-cli integration-test | |
run: scripts/registry.sh test ${{ matrix.cli }} ${{steps.get-branch.outputs.result}} | |
- name: notify on failure | |
if: > | |
failure() && github.event_name != 'pull_request' && | |
github.repository_owner == 'agoric' | |
uses: ./.github/actions/notify-status | |
with: | |
webhook: ${{ secrets.SLACK_WEBHOOK_URL }} | |
from: ${{ secrets.NOTIFY_EMAIL_FROM }} | |
to: ${{ secrets.NOTIFY_EMAIL_TO }} | |
password: ${{ secrets.NOTIFY_EMAIL_PASSWORD }} | |
deployment-test: | |
needs: pre_check | |
if: needs.pre_check.outputs.should_run == 'true' | |
runs-on: ubuntu-22.04 # jammy (LTS) | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
submodules: 'true' | |
path: ./agoric-sdk | |
- name: Recreate integration-test-result if needed | |
id: get-pending-integration-result | |
uses: ./agoric-sdk/.github/actions/get-latest-check | |
with: | |
create-if-needed: true | |
- run: sudo packages/deployment/scripts/install-deps.sh | |
working-directory: ./agoric-sdk | |
- uses: ./agoric-sdk/.github/actions/restore-golang | |
with: | |
go-version: '1.20' | |
path: ./agoric-sdk | |
- uses: ./agoric-sdk/.github/actions/restore-node | |
with: | |
node-version: 18.x | |
path: ./agoric-sdk | |
# Forces xsnap to initialize all memory to random data, which increases | |
# the chances the content of snapshots may deviate between validators | |
xsnap-random-init: '1' | |
# Select a branch on loadgen to test against by adding text to the body of the | |
# pull request. For example: #loadgen-branch: user-123-update-foo | |
# The default is 'main' | |
- name: Get the appropriate loadgen branch | |
id: get-loadgen-branch | |
uses: actions/github-script@v6 | |
with: | |
result-encoding: string | |
script: | | |
let branch = 'main'; | |
if (context.payload.pull_request) { | |
const { body } = context.payload.pull_request; | |
const regex = /^\#loadgen-branch:\s+(\S+)/m; | |
const result = regex.exec(body); | |
if (result) { | |
branch = result[1]; | |
} | |
} | |
console.log(branch); | |
return branch; | |
- name: Check out loadgen | |
uses: actions/checkout@v3 | |
with: | |
repository: Agoric/testnet-load-generator | |
path: ./testnet-load-generator | |
ref: ${{steps.get-loadgen-branch.outputs.result}} | |
- name: Build cosmic-swingset dependencies | |
working-directory: ./agoric-sdk | |
run: | | |
set -e | |
cd packages/cosmic-swingset | |
make install | |
- name: Make networks directory | |
run: | | |
set -e | |
mkdir networks | |
- name: Run integration test | |
working-directory: ./networks | |
run: | | |
set -xe | |
DOCKER_VOLUMES="$PWD/../agoric-sdk:/usr/src/agoric-sdk" \ | |
LOADGEN=1 \ | |
../agoric-sdk/packages/deployment/scripts/integration-test.sh | |
timeout-minutes: 90 | |
env: | |
NETWORK_NAME: chaintest | |
- name: capture results | |
if: always() | |
working-directory: ./networks | |
run: | | |
NOW=$(date -u +%Y%m%dT%H%M%S) | |
echo "NOW=$NOW" >> "$GITHUB_ENV" | |
# Stop the chain from running. | |
../agoric-sdk/packages/deployment/scripts/setup.sh play stop || true | |
# Get the results. | |
../agoric-sdk/packages/deployment/scripts/capture-integration-results.sh "${{ job.status == 'failure' }}" | |
# Tear down the nodes. | |
echo yes | ../agoric-sdk/packages/deployment/scripts/setup.sh destroy || true | |
env: | |
NETWORK_NAME: chaintest | |
- uses: actions/upload-artifact@v3 | |
if: always() | |
with: | |
name: deployment-test-results-${{ env.NOW }} | |
path: ./networks/chaintest/results | |
- name: notify on failure | |
if: failure() && github.event_name != 'pull_request' | |
uses: ./agoric-sdk/.github/actions/notify-status | |
with: | |
webhook: ${{ secrets.SLACK_WEBHOOK_URL }} | |
from: ${{ secrets.NOTIFY_EMAIL_FROM }} | |
to: ${{ secrets.NOTIFY_EMAIL_TO }} | |
password: ${{ secrets.NOTIFY_EMAIL_PASSWORD }} | |
test-docker-build: | |
needs: pre_check | |
if: needs.pre_check.outputs.should_run == 'true' | |
runs-on: ubuntu-latest | |
timeout-minutes: 60 | |
strategy: | |
matrix: | |
bootstrap-version: ['test', 'main'] | |
# Uncomment to mark a failure of the `test` bootstrap job as a successful result | |
# continue-on-error: ${{ matrix.bootstrap-version == 'test' }} | |
steps: | |
- name: free up disk space | |
run: | | |
# Workaround to provide additional free space for testing. | |
# https://github.com/actions/runner-images/issues/2840#issuecomment-790492173 | |
# If this turns out not to be enough, maybe look instead at | |
# https://github.com/actions/runner-images/issues/2840#issuecomment-1540506686 | |
df -h | |
sudo rm -rf /usr/share/dotnet | |
sudo rm -rf /opt/ghc | |
sudo rm -rf "/usr/local/share/boost" | |
sudo rm -rf "$AGENT_TOOLSDIRECTORY" | |
echo "=== After cleanup:" | |
df -h | |
- uses: actions/checkout@v3 | |
- name: Recreate integration-test-result if needed | |
id: get-pending-integration-result | |
uses: ./.github/actions/get-latest-check | |
with: | |
create-if-needed: true | |
- name: docker build (sdk) | |
# Produces ghcr.io/agoric/agoric-sdk:latest used in the following upgrade test. | |
# TODO: Build this only once, not for every bootstrap-version. | |
run: cd packages/deployment && ./scripts/test-docker-build.sh | $TEST_COLLECT | |
- name: docker build upgrade test | |
run: | | |
cd packages/deployment/upgrade-test && \ | |
docker build \ | |
--build-arg BOOTSTRAP_MODE=${{ matrix.bootstrap-version }} \ | |
--build-arg DEST_IMAGE=ghcr.io/agoric/agoric-sdk:latest \ | |
-t docker-upgrade-test:latest -f Dockerfile upgrade-test-scripts | |
- name: docker run upgrade final stage | |
run: docker run --env "DEST=0" docker-upgrade-test:latest | |
- name: notify on failure | |
if: failure() && github.event_name != 'pull_request' | |
uses: ./.github/actions/notify-status | |
with: | |
webhook: ${{ secrets.SLACK_WEBHOOK_URL }} | |
from: ${{ secrets.NOTIFY_EMAIL_FROM }} | |
to: ${{ secrets.NOTIFY_EMAIL_TO }} | |
password: ${{ secrets.NOTIFY_EMAIL_PASSWORD }} | |
- uses: ./.github/actions/post-test | |
if: (success() || failure()) | |
continue-on-error: true | |
timeout-minutes: 4 | |
with: | |
datadog-token: ${{ secrets.DATADOG_API_KEY }} | |
set-integration-result-in-progress: | |
needs: pre_check | |
if: needs.pre_check.outputs.should_run == 'true' | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
- id: get-pending-integration-result | |
uses: ./.github/actions/get-latest-check | |
with: | |
create-if-needed: true | |
- name: Update integration-test-result check to in-progress | |
uses: actions/github-script@v6 | |
with: | |
script: | | |
const runId = "${{ steps.get-pending-integration-result.outputs.run_id }}"; | |
const res = await github.rest.checks.update({ | |
...context.repo, | |
check_run_id: runId, | |
status: "in_progress", | |
}) | |
core.debug(`Check update response: ${JSON.stringify(res, null, 2)}`) | |
console.log(`Updated check ${runId} to in-progress`) | |
finalize-integration-result: | |
needs: | |
- pre_check | |
- getting-started | |
- deployment-test | |
- test-docker-build | |
if: >- | |
always() && | |
needs.pre_check.result == 'success' && | |
needs.getting-started.result != 'cancelled' && | |
needs.deployment-test.result != 'cancelled' && | |
needs.test-docker-build.result != 'cancelled' && | |
( | |
needs.pre_check.outputs.should_run == 'true' || | |
needs.pre_check.outputs.previous_success == 'true' | |
) | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
- id: get-pending-integration-result | |
uses: ./.github/actions/get-latest-check | |
with: | |
create-if-needed: true | |
- name: Publish integration-test-result | |
if: always() | |
uses: actions/github-script@v6 | |
with: | |
script: | | |
const runId = "${{ steps.get-pending-integration-result.outputs.run_id }}"; | |
const previousSuccess = ${{ needs.pre_check.outputs.previous_success }}; | |
const gettingStartedTestSuccess = "${{ needs.getting-started.result }}" === "success"; | |
const deploymentTestSuccess = "${{ needs.deployment-test.result }}" === "success"; | |
const testDockerBuildSuccess = "${{ needs.test-docker-build.result }}" === "success"; | |
const conclusion = previousSuccess || (gettingStartedTestSuccess && deploymentTestSuccess && testDockerBuildSuccess) ? | |
'success' : 'failure'; | |
const res = await github.rest.checks.update({ | |
...context.repo, | |
check_run_id: runId, | |
conclusion, | |
}) | |
core.debug(`Check update response: ${JSON.stringify(res, null, 2)}`) | |
console.log(`Updated check ${runId} to ${conclusion}`) |