Skip to content

SECURITY.md updates and ownership #27427

SECURITY.md updates and ownership

SECURITY.md updates and ownership #27427

Workflow file for this run

name: Integration tests
on:
# Use the following to explicitly start this workflow.
# packages/deployment/scripts/start-github-integration-test.sh <BRANCH-OR-TAG>
workflow_dispatch:
push:
branches:
- master
- 'release-*'
- beta
tags:
- '@agoric/sdk@*'
pull_request:
types:
- opened
- reopened
- synchronize
- converted_to_draft
- ready_for_review
- labeled
- unlabeled
- auto_merge_enabled
- auto_merge_disabled
merge_group:
schedule:
- cron: '17 6 * * *'
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
pre_check:
uses: ./.github/workflows/pre-check-integration.yml
# This job is meant to emulate what developers working with the Agoric platform will experience
# It should be kept in sync with https://agoric.com/documentation/getting-started/
getting-started:
needs: pre_check
if: needs.pre_check.outputs.should_run == 'true'
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
cli: [link-cli/yarn, registry/yarn, registry/npm, registry/npx]
timeout-minutes: 40
steps:
- uses: actions/checkout@v3
with:
persist-credentials: false
- name: Recreate integration-test-result if needed
id: get-pending-integration-result
uses: ./.github/actions/get-latest-check
with:
create-if-needed: true
- name: Reconfigure git to use HTTP authentication
run: git config --global url."https://github.com/".insteadOf ssh://git@github.com/
shell: bash
# Prerequisites
- uses: ./.github/actions/restore-node
with:
node-version: 16.x
keep-endo: 'true'
# Select a branch on dapp to test against by adding text to the body of the
# pull request. For example: #dapp-encouragement-branch: zoe-release-0.7.0
# The default is 'main'
- name: Get the appropriate dapp branch
id: get-branch
uses: actions/github-script@v6
with:
result-encoding: string
script: |
let branch = 'main';
if (context.payload.pull_request) {
const { body } = context.payload.pull_request;
const regex = /^\#getting-started-branch:\s+(\S+)/m;
const result = regex.exec(body);
if (result) {
branch = result[1];
}
}
console.log(branch);
return branch;
- name: Start local NPM registry
if: ${{ startsWith(matrix.cli, 'registry') }}
run: |
set -xe
git reset --hard HEAD
git config user.email "noreply@agoric.com"
REGISTRY_PUBLISH_WORKSPACES="$HOME/endo" scripts/registry.sh bg-publish ${{ matrix.cli }}
- name: run agoric-cli integration-test
run: scripts/registry.sh test ${{ matrix.cli }} ${{steps.get-branch.outputs.result}}
- name: notify on failure
if: >
failure() && github.event_name != 'pull_request' &&
github.repository_owner == 'agoric'
uses: ./.github/actions/notify-status
with:
webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
from: ${{ secrets.NOTIFY_EMAIL_FROM }}
to: ${{ secrets.NOTIFY_EMAIL_TO }}
password: ${{ secrets.NOTIFY_EMAIL_PASSWORD }}
deployment-test:
needs: pre_check
if: needs.pre_check.outputs.should_run == 'true'
runs-on: ubuntu-22.04 # jammy (LTS)
steps:
- uses: actions/checkout@v3
with:
submodules: 'true'
path: ./agoric-sdk
- name: Recreate integration-test-result if needed
id: get-pending-integration-result
uses: ./agoric-sdk/.github/actions/get-latest-check
with:
create-if-needed: true
- run: sudo packages/deployment/scripts/install-deps.sh
working-directory: ./agoric-sdk
- uses: ./agoric-sdk/.github/actions/restore-golang
with:
go-version: '1.20'
path: ./agoric-sdk
- uses: ./agoric-sdk/.github/actions/restore-node
with:
node-version: 18.x
path: ./agoric-sdk
# Forces xsnap to initialize all memory to random data, which increases
# the chances the content of snapshots may deviate between validators
xsnap-random-init: '1'
# Select a branch on loadgen to test against by adding text to the body of the
# pull request. For example: #loadgen-branch: user-123-update-foo
# The default is 'main'
- name: Get the appropriate loadgen branch
id: get-loadgen-branch
uses: actions/github-script@v6
with:
result-encoding: string
script: |
let branch = 'main';
if (context.payload.pull_request) {
const { body } = context.payload.pull_request;
const regex = /^\#loadgen-branch:\s+(\S+)/m;
const result = regex.exec(body);
if (result) {
branch = result[1];
}
}
console.log(branch);
return branch;
- name: Check out loadgen
uses: actions/checkout@v3
with:
repository: Agoric/testnet-load-generator
path: ./testnet-load-generator
ref: ${{steps.get-loadgen-branch.outputs.result}}
- name: Build cosmic-swingset dependencies
working-directory: ./agoric-sdk
run: |
set -e
cd packages/cosmic-swingset
make install
- name: Make networks directory
run: |
set -e
mkdir networks
- name: Run integration test
working-directory: ./networks
run: |
set -xe
DOCKER_VOLUMES="$PWD/../agoric-sdk:/usr/src/agoric-sdk" \
LOADGEN=1 \
../agoric-sdk/packages/deployment/scripts/integration-test.sh
timeout-minutes: 90
env:
NETWORK_NAME: chaintest
- name: capture results
if: always()
working-directory: ./networks
run: |
NOW=$(date -u +%Y%m%dT%H%M%S)
echo "NOW=$NOW" >> "$GITHUB_ENV"
# Stop the chain from running.
../agoric-sdk/packages/deployment/scripts/setup.sh play stop || true
# Get the results.
../agoric-sdk/packages/deployment/scripts/capture-integration-results.sh "${{ job.status == 'failure' }}"
# Tear down the nodes.
echo yes | ../agoric-sdk/packages/deployment/scripts/setup.sh destroy || true
env:
NETWORK_NAME: chaintest
- uses: actions/upload-artifact@v3
if: always()
with:
name: deployment-test-results-${{ env.NOW }}
path: ./networks/chaintest/results
- name: notify on failure
if: failure() && github.event_name != 'pull_request'
uses: ./agoric-sdk/.github/actions/notify-status
with:
webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
from: ${{ secrets.NOTIFY_EMAIL_FROM }}
to: ${{ secrets.NOTIFY_EMAIL_TO }}
password: ${{ secrets.NOTIFY_EMAIL_PASSWORD }}
test-docker-build:
needs: pre_check
if: needs.pre_check.outputs.should_run == 'true'
runs-on: ubuntu-latest
timeout-minutes: 60
strategy:
matrix:
bootstrap-version: ['test', 'main']
# Uncomment to mark a failure of the `test` bootstrap job as a successful result
# continue-on-error: ${{ matrix.bootstrap-version == 'test' }}
steps:
- name: free up disk space
run: |
# Workaround to provide additional free space for testing.
# https://github.com/actions/runner-images/issues/2840#issuecomment-790492173
# If this turns out not to be enough, maybe look instead at
# https://github.com/actions/runner-images/issues/2840#issuecomment-1540506686
df -h
sudo rm -rf /usr/share/dotnet
sudo rm -rf /opt/ghc
sudo rm -rf "/usr/local/share/boost"
sudo rm -rf "$AGENT_TOOLSDIRECTORY"
echo "=== After cleanup:"
df -h
- uses: actions/checkout@v3
- name: Recreate integration-test-result if needed
id: get-pending-integration-result
uses: ./.github/actions/get-latest-check
with:
create-if-needed: true
- name: docker build (sdk)
# Produces ghcr.io/agoric/agoric-sdk:latest used in the following upgrade test.
# TODO: Build this only once, not for every bootstrap-version.
run: cd packages/deployment && ./scripts/test-docker-build.sh | $TEST_COLLECT
- name: docker build upgrade test
run: |
cd packages/deployment/upgrade-test && \
docker build \
--build-arg BOOTSTRAP_MODE=${{ matrix.bootstrap-version }} \
--build-arg DEST_IMAGE=ghcr.io/agoric/agoric-sdk:latest \
-t docker-upgrade-test:latest -f Dockerfile upgrade-test-scripts
- name: docker run upgrade final stage
run: docker run --env "DEST=0" docker-upgrade-test:latest
- name: notify on failure
if: failure() && github.event_name != 'pull_request'
uses: ./.github/actions/notify-status
with:
webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
from: ${{ secrets.NOTIFY_EMAIL_FROM }}
to: ${{ secrets.NOTIFY_EMAIL_TO }}
password: ${{ secrets.NOTIFY_EMAIL_PASSWORD }}
- uses: ./.github/actions/post-test
if: (success() || failure())
continue-on-error: true
timeout-minutes: 4
with:
datadog-token: ${{ secrets.DATADOG_API_KEY }}
set-integration-result-in-progress:
needs: pre_check
if: needs.pre_check.outputs.should_run == 'true'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- id: get-pending-integration-result
uses: ./.github/actions/get-latest-check
with:
create-if-needed: true
- name: Update integration-test-result check to in-progress
uses: actions/github-script@v6
with:
script: |
const runId = "${{ steps.get-pending-integration-result.outputs.run_id }}";
const res = await github.rest.checks.update({
...context.repo,
check_run_id: runId,
status: "in_progress",
})
core.debug(`Check update response: ${JSON.stringify(res, null, 2)}`)
console.log(`Updated check ${runId} to in-progress`)
finalize-integration-result:
needs:
- pre_check
- getting-started
- deployment-test
- test-docker-build
if: >-
always() &&
needs.pre_check.result == 'success' &&
needs.getting-started.result != 'cancelled' &&
needs.deployment-test.result != 'cancelled' &&
needs.test-docker-build.result != 'cancelled' &&
(
needs.pre_check.outputs.should_run == 'true' ||
needs.pre_check.outputs.previous_success == 'true'
)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- id: get-pending-integration-result
uses: ./.github/actions/get-latest-check
with:
create-if-needed: true
- name: Publish integration-test-result
if: always()
uses: actions/github-script@v6
with:
script: |
const runId = "${{ steps.get-pending-integration-result.outputs.run_id }}";
const previousSuccess = ${{ needs.pre_check.outputs.previous_success }};
const gettingStartedTestSuccess = "${{ needs.getting-started.result }}" === "success";
const deploymentTestSuccess = "${{ needs.deployment-test.result }}" === "success";
const testDockerBuildSuccess = "${{ needs.test-docker-build.result }}" === "success";
const conclusion = previousSuccess || (gettingStartedTestSuccess && deploymentTestSuccess && testDockerBuildSuccess) ?
'success' : 'failure';
const res = await github.rest.checks.update({
...context.repo,
check_run_id: runId,
conclusion,
})
core.debug(`Check update response: ${JSON.stringify(res, null, 2)}`)
console.log(`Updated check ${runId} to ${conclusion}`)