forked from aws/s2n-tls
-
Notifications
You must be signed in to change notification settings - Fork 0
71 lines (65 loc) · 2.42 KB
/
ci_compliance.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
---
name: Compliance
on:
push:
branches: [main]
pull_request:
branches: [main]
merge_group:
types: [checks_requested]
branches: [main]
jobs:
duvet:
runs-on: ubuntu-latest
steps:
- name: Clone s2n-tls
uses: actions/checkout@v3
- name: Clone s2n-quic
uses: actions/checkout@v3
with:
repository: aws/s2n-quic
path: ./s2n-quic
submodules: true
- name: Run duvet action
uses: ./s2n-quic/.github/actions/duvet
with:
s2n-quic-dir: ./s2n-quic
report-script: compliance/generate_report.sh
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-s3-bucket-name: s2n-tls-ci-artifacts
aws-s3-region: us-west-2
cdn: https://d3fqnyekunr9xg.cloudfront.net
# The `duvet report` command generates some artifacts (specs folder) that
# interfere with detecting uncommitted files. This step cleans up those
# artifacts. Since the cleanup runs prior to the “Extract RFC spec data”
# phase, this is a safe operation.
- name: Cleanup intermediate artifacts
run: rm -r specs
shell: bash
- name: Extract RFC spec data
working-directory: ./compliance
run: ./initialize_duvet.sh
shell: bash
- name: Check if there are uncommitted changes
run: |
# If this fails you need to run `cd compliance && ./compliance/initialize_duvet.sh`
#
# FIXME: https://github.com/aws/s2n-tls/issues/4219
# We generate and commit the spec files to avoid re-downloading them each time in
# the CI (avoid flaky network calls). However, this currently doesn't work in
# s2n-tls since duvet assumes that the specs folder live in the project's base
# folder.
#
# Use 'git status --porcelain' instead of 'git diff --exit-code' since git diff
# only detects diffs but fails to detect new files. Ignore the s2n-quic dir
# `(:!s2n-quic)` since we explicitly clone the repo as part of this job.
git_status=$(git status --porcelain -- ':!s2n-quic')
if [ -n "$git_status" ]; then
echo "Found uncommitted changes:"
echo "$git_status"
exit 1
else
echo "Workspace is clean"
fi
shell: bash