.github/workflows/ci.yml

name: CI

on:
  push:
  pull_request:
    types:
      - opened
      - synchronize
  merge_group:
    types:
      - checks_requested
  release:
    types:
      - published

env:
  DEBIAN_FRONTEND: noninteractive

  CONST_RANDOM_SEED: ${{ secrets.CONST_RANDOM_SEED }}

  # Disable quickinstall telemetry reporting to cut down on external HTTP requests
  # a little. See: https://github.com/cargo-bins/cargo-binstall/issues/1884
  BINSTALL_DISABLE_TELEMETRY: true

jobs:
  static-analysis:
    name: Static analysis

    runs-on: ubuntu-latest
    timeout-minutes: 15

    # Exclude in-repo PRs from running this job
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork

    steps:
      - name: 📥 Checkout source
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

      - name: 🧰 Install Rust toolchain
        uses: dtolnay/rust-toolchain@1482605bfc5719782e1267fd0c0cc350fe7646b8 # v1
        with:
          toolchain: nightly
          components: rustfmt, clippy

      - name: 🧰 Install clippy-sarif
        uses: taiki-e/install-action@c6dc131d2c4291552cafb840290190a53b2cd937 # v2
        with:
          tool: clippy-sarif

      - name: 🧰 Install sarif-fmt
        uses: taiki-e/install-action@c6dc131d2c4291552cafb840290190a53b2cd937 # v2
        with:
          tool: sarif-fmt

      - name: 🧰 Install cargo-deny
        uses: taiki-e/install-action@c6dc131d2c4291552cafb840290190a53b2cd937 # v2
        with:
          tool: cargo-deny

      - name: 🔍 Clippy check
        shell: bash
        run: >
          cargo clippy --no-deps --all-targets --message-format=json -- -D warnings
          | clippy-sarif
          | tee clippy-results.sarif
          | sarif-fmt

      - name: 🔍 Run cargo-deny
        run: cargo deny check

      - name: 🔍 Check Rust source code format
        run: cargo fmt --all --check

      - name: 📤 Upload analysis results to GitHub
        if: always()
        uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3
        continue-on-error: true
        with:
          sarif_file: clippy-results.sarif
          category: clippy

  build:
    name: Build

    strategy:
      fail-fast: false
      matrix:
        target:
          - x86_64-unknown-linux-gnu
          - x86_64-unknown-linux-musl
          - x86_64-pc-windows-gnu
          - aarch64-unknown-linux-gnu
          - aarch64-unknown-linux-musl
          - x86_64-apple-darwin
          - aarch64-apple-darwin

        include:
          - target: x86_64-unknown-linux-gnu
            host-target: x86_64-unknown-linux-gnu
            runner: ubuntu-latest
            container: debian:bullseye-slim
            apt-arch: amd64

          - target: x86_64-unknown-linux-musl
            host-target: x86_64-unknown-linux-gnu
            runner: ubuntu-latest
            container: debian:bookworm-slim
            apt-arch: amd64

          - target: aarch64-unknown-linux-gnu
            host-target: x86_64-unknown-linux-gnu
            runner: ubuntu-latest
            container: debian:bullseye-slim
            apt-arch: arm64

          - target: aarch64-unknown-linux-musl
            host-target: x86_64-unknown-linux-gnu
            runner: ubuntu-latest
            container: debian:bookworm-slim
            apt-arch: arm64

          - target: x86_64-pc-windows-gnu
            host-target: x86_64-pc-windows-gnu
            runner: windows-latest

          - target: x86_64-apple-darwin
            host-target: x86_64-apple-darwin
            runner: macos-latest

          - target: aarch64-apple-darwin
            host-target: aarch64-apple-darwin
            runner: macos-latest

    runs-on: ${{ matrix.runner }}
    timeout-minutes: 60

    container: ${{ matrix.container }}

    permissions:
      id-token: write
      attestations: write

    env:
      CARGO_BUILD_TARGET: ${{ matrix.target }}
      # nextext requires this on Windows to pick the intended GNU toolchain
      RUSTUP_TOOLCHAIN: nightly-${{ matrix.host-target }}

      # Rust stdlib default backtrace feature doesn't actually work because our
      # release executables are stripped, so skipping it shaves off quite some KiB.
      # References:
      # https://doc.rust-lang.org/cargo/reference/unstable.html#build-std-features
      # https://github.com/rust-lang/rust/blob/4c8bb79d9f565115637cc6da739f8389e79f3a29/library/std/Cargo.toml#L54-L79
      OPTIMIZED_RELEASE_BUILD_FLAGS: -Z build-std -Z build-std-features=panic-unwind

    # Exclude in-repo PRs from running this job
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork

    steps:
      - name: 🧰 Install Linux toolchain packages
        if: contains(matrix.target, '-linux-')
        run: |
          if [ "$(dpkg --print-architecture)" != '${{ matrix.apt-arch }}' ]; then
            dpkg --add-architecture '${{ matrix.apt-arch }}'
          fi
          apt-get update
          # curl is required by rustup.
          # musl-tools is required to build musl binaries for the host architecture,
          # and the arch-specific musl-dev package is required to build binaries for
          # a target architecture when cross-compiling
          # markdown and html2text are required to generate the Debian package only
          apt-get install -yq build-essential git curl \
                              musl-tools musl-dev:${{ matrix.apt-arch }} \
                              markdown html2text

      # This must go after the previous step so that a Git repository is checked out
      - name: 📥 Checkout source
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          fetch-depth: 0 # Keep the commit history for proper version information

      - name: 🧰 Install Linux ARM64 cross-compilation toolchain
        if: startsWith(matrix.target, 'aarch64-unknown-linux')
        run: apt-get install -yq gcc-aarch64-linux-gnu qemu-user libc6:arm64

      - name: 🧰 Install Rust toolchain
        uses: dtolnay/rust-toolchain@1482605bfc5719782e1267fd0c0cc350fe7646b8 # v1
        with:
          toolchain: nightly-${{ matrix.host-target }}
          targets: ${{ env.CARGO_BUILD_TARGET }}
          components: rust-src

      - name: 💨 Set up sccache
        if: ${{ !endsWith(matrix.target, '-pc-windows-gnu') }}
        uses: mozilla-actions/sccache-action@9e326ebed976843c9932b3aa0e021c6f50310eb4 # v0.0.6

      - name: ⚙️ Prime sccache cache backend
        if: ${{ !endsWith(matrix.target, '-pc-windows-gnu') }}
        shell: bash
        env:
          SCCACHE_REDIS_ENDPOINT: ${{ secrets.SCCACHE_REDIS_ENDPOINT }}
          SCCACHE_REDIS_USERNAME: ${{ secrets.SCCACHE_REDIS_USERNAME }}
          SCCACHE_REDIS_PASSWORD: ${{ secrets.SCCACHE_REDIS_PASSWORD }}
          SCCACHE_REDIS_KEY_PREFIX: ${{ secrets.SCCACHE_REDIS_KEY_PREFIX }}
        run: |
          sccache --start-server
          echo 'RUSTC_WRAPPER=sccache' >> "$GITHUB_ENV"

      - name: 💨 Cache Rust artifacts (Windows)
        if: endsWith(matrix.target, '-pc-windows-gnu') # sccache with Windows GNU compilers is slower than trivial GHA caching
        uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab # v2

      - name: 🧰 Install nextest
        uses: taiki-e/install-action@c6dc131d2c4291552cafb840290190a53b2cd937 # v2
        env:
          CARGO_BUILD_TARGET: ${{ matrix.host-target }}
        with:
          tool: nextest

      - name: 🧰 Install cargo-deb
        if: endsWith(matrix.target, '-linux-gnu')
        uses: taiki-e/install-action@c6dc131d2c4291552cafb840290190a53b2cd937 # v2
        env:
          CARGO_BUILD_TARGET: ${{ matrix.host-target }}
        with:
          tool: cargo-deb

      # Our build container is minimal, and it doesn't contain any systemd package.
      # systemd is responsible for setting up the machine ID files we use for
      # testing the system ID retrieval code, so copy a dummy one
      - name: 📏 Set up a dummy D-Bus machine ID for tests
        if: startsWith(matrix.runner, 'ubuntu')
        run: cat /proc/sys/kernel/random/uuid | tr -d '-' > /run/machine-id

      - name: 📅 Gather build date and version metadata
        shell: bash
        run: |
          git config --global --add safe.directory "$PWD"
          echo "PACKSQUASH_BUILD_VERSION=$(git describe --tags --dirty=-custom --always)" >> "$GITHUB_ENV"
          echo "PACKSQUASH_BUILD_DATE=$(date -u +%Y-%m-%d)" >> "$GITHUB_ENV"

      - name: ✔️ Run tests
        run: |
          cargo nextest run --workspace --status-level all --release
          cargo test --doc --workspace --release

      - name: 🔨 Build with optimized standard library
        run: cargo build --target ${{ env.CARGO_BUILD_TARGET }} --release ${{ env.OPTIMIZED_RELEASE_BUILD_FLAGS }}

      - name: 🔨 Generate CLI Debian package
        if: endsWith(matrix.target, '-linux-gnu')
        run: scripts/build_deb.sh --target ${{ env.CARGO_BUILD_TARGET }} -p packsquash_cli -- ${{ env.OPTIMIZED_RELEASE_BUILD_FLAGS }}

      - name: 📤 Upload CLI binary
        if: ${{ !contains(matrix.target, '-linux-') || endsWith(matrix.target, '-linux-musl') }}
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
        with:
          name: PackSquash CLI executable (${{ matrix.target }})
          path: |
            target/${{ env.CARGO_BUILD_TARGET }}/release/packsquash*
            !target/${{ env.CARGO_BUILD_TARGET }}/release/packsquash.d

      - name: 📤 Upload CLI Debian package
        if: endsWith(matrix.target, '-linux-gnu')
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
        with:
          name: PackSquash CLI Debian package (${{ matrix.apt-arch }})
          path: target/${{ env.CARGO_BUILD_TARGET }}/debian/packsquash_*.deb

      - name: ✒️ Generate SLSA attestation subject data for binaries
        uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1
        with:
          subject-path: |
            target/${{ env.CARGO_BUILD_TARGET }}/release/packsquash
            target/${{ env.CARGO_BUILD_TARGET }}/release/packsquash.exe
            target/${{ env.CARGO_BUILD_TARGET }}/debian/packsquash_*.deb

  build-universal-macos-binaries:

    name: Build universal macOS binaries

    runs-on: macos-latest

    needs: build

    permissions:
      id-token: write
      attestations: write

    steps:
      - name: 📥 Download PackSquash CLI x64 macOS executable
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
        with:
          name: PackSquash CLI executable (x86_64-apple-darwin)
          path: packsquash-x64

      - name: 📥 Download PackSquash CLI ARM64 macOS executable
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
        with:
          name: PackSquash CLI executable (aarch64-apple-darwin)
          path: packsquash-aarch64

      - name: 🔨 Generate universal CLI binary
        run: lipo -create -output packsquash packsquash-x64/packsquash packsquash-aarch64/packsquash

      - name: 📤 Upload universal CLI binary
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
        with:
          name: PackSquash CLI executable (universal-apple-darwin)
          path: packsquash

      - name: ✒️ Generate SLSA attestation subject data for binary
        uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1
        with:
          subject-path: packsquash

  build-docker-images:

    name: Build Docker images

    runs-on: ubuntu-latest

    env:
      # Defaults to docker.io (Docker Hub)
      REGISTRY: ghcr.io
      # github.repository as <account>/<repo>
      IMAGE_NAME: ${{ github.repository }}

    needs: build

    steps:
      - name: 📥 Checkout source
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

      - name: 🧰 Set up Docker Buildx
        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3

      - name: ⚙️ Generate Docker image metadata
        id: meta
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          # Tag the image as "edge" for every commit on master.
          # Tag the image by its ref for every commit on non-master branches.
          # Maintain the "latest", full and major and minor semver tags for each semver tag push
          tags: |
            type=edge,branch=master
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=ref,event=branch
          labels: |
            org.opencontainers.image.description=Docker image for PackSquash, the Minecraft resource and data pack optimizer.

      - name: 📥 Download PackSquash CLI x64 musl executable
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
        with:
          name: PackSquash CLI executable (x86_64-unknown-linux-musl)

      - name: 📁 Rename PackSquash CLI x64 musl executable
        run: mv packsquash packsquash-amd64

      - name: 📥 Download PackSquash CLI ARM64 musl executable
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
        with:
          name: PackSquash CLI executable (aarch64-unknown-linux-musl)

      - name: 📁 Rename PackSquash CLI ARM64 musl executable
        run: mv packsquash packsquash-arm64

      - name: 🔍 Check workflow package write permission
        id: check_write_permission
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
        with:
          result-encoding: string
          script: |
            const permission = (await github.rest.repos.getCollaboratorPermissionLevel({
              owner: context.repo.owner,
              repo: context.repo.repo,
              username: context.actor,
            })).data.permission;
            return permission == "write" || permission == "admin" ? "1" : "";

      # The GitHub token needs the package:write permission for the push to work.
      # This permission is not given to PRs from forked repositories.
      # See: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
      - name: ⚙️ Login to ${{ env.REGISTRY }}
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        if: steps.check_write_permission.outputs.result
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: 🔨 Build and push Docker image
        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          push: ${{ steps.check_write_permission.outputs.result == '1' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

  benchmark:

    name: Run and upload benchmarks

    runs-on: ubuntu-latest

    container: debian:bullseye-slim@sha256:610b4c7ad241e66f6e2f9791e3abdf0cc107a69238ab21bf9b4695d51fd6366a

    # Benchmark failure is not critical enough to fail the whole workflow.
    # We will keep an eye on them anyway, though
    continue-on-error: true

    # Make sure that benchmarks stay quick, and handle them being stuck promptly
    timeout-minutes: 30

    # Only benchmark code that passes all the checks
    needs:
      - static-analysis
      - build

    # Ignore runs that don't have the secret needed to decrypt packs (this happens for PRs outside
    # the repository). First-time would-be contributors need to have their workflows approved
    # anyway, but at best it might be confusing to see commits of PRs mixed with the mainline.
    # Workflows triggered by PRs don't have access to secrets either. We also ignore temporary
    # Renovate branches and merge groups to reduce noise
    if: success() &&
      github.event_name != 'pull_request' &&
      github.event_name != 'merge_group' &&
      !startsWith(github.ref_name, 'renovate/')

    env:
      # Use sccache to speed up Rust compilation
      RUSTC_WRAPPER: sccache

    steps:
      - name: 🧰 Install development packages and benchmark script packages
        run: |
          apt-get update
          # curl is required by rustup
          apt-get install -yq build-essential git curl \
                              python3-venv gpg

      - name: 📥 Checkout source
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

      # Necessary for steps that invoke Git commands to work properly on workflows run on containers.
      # See: https://github.com/actions/checkout/issues/766
      - name: 📥 Set source ownership to current user
        run: chown -R "$(id -u):$(id -g)" "$GITHUB_WORKSPACE"

      - name: 🧰 Install Rust toolchain
        uses: dtolnay/rust-toolchain@1482605bfc5719782e1267fd0c0cc350fe7646b8 # v1
        with:
          toolchain: nightly

      - name: 💨 Set up sccache
        uses: mozilla-actions/sccache-action@9e326ebed976843c9932b3aa0e021c6f50310eb4 # v0.0.6

      - name: ⚙️ Prime sccache cache backend
        shell: bash
        env:
          SCCACHE_REDIS_ENDPOINT: ${{ secrets.SCCACHE_REDIS_ENDPOINT }}
          SCCACHE_REDIS_USERNAME: ${{ secrets.SCCACHE_REDIS_USERNAME }}
          SCCACHE_REDIS_PASSWORD: ${{ secrets.SCCACHE_REDIS_PASSWORD }}
          SCCACHE_REDIS_KEY_PREFIX: ${{ secrets.SCCACHE_REDIS_KEY_PREFIX }}
        run: sccache --start-server

      - name: 📥 Download test packs dataset
        run: scripts/test-packs/download.sh

      - name: 🔑 Decrypt private test packs in dataset
        env:
          PRIVATE_TEST_PACKS_PASSWORD: ${{ secrets.PRIVATE_TEST_PACKS_PASSWORD }}
        run: scripts/test-packs/decrypt.sh

      # GitHub-hosted runners restrict access to the perf_event_open syscall for some event types we
      # are interested in, so we can't run benchmarks that measure the troublesome performance counters.
      # See: https://github.com/actions/virtual-environments/issues/4974
      - name: 🔍 Run quick benchmarks
        run: cargo bench -- --output-format=bencher 'wall_time' | tee /run/bench_results.txt

      - name: 📤 Publish quick benchmarks results
        uses: benchmark-action/github-action-benchmark@v1
        with:
          name: 'PackSquash library quick benchmarks'
          tool: cargo
          output-file-path: /run/bench_results.txt
          benchmark-data-dir-path: dev/benches
          github-token: ${{ secrets.GITHUB_TOKEN }}
          auto-push: true
          comment-on-alert: true
          alert-threshold: 150%
          fail-on-alert: false
          max-items-in-chart: 50