name: CI on: push: branches: [ main ] pull_request: branches: [ main ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true env: CARGO_TERM_COLOR: always CARGO_NET_GIT_FETCH_WITH_CLI: "true" jobs: opa-lint: name: Lint and test OPA policies runs-on: ubuntu-latest permissions: contents: read steps: - name: Checkout the code uses: actions/checkout@v3 - name: Setup OPA uses: open-policy-agent/setup-opa@v2.0.1 with: version: 0.45.0 - name: Lint policies working-directory: ./policies run: make lint - name: Run OPA tests working-directory: ./policies run: make test - name: Run OPA tests with coverage working-directory: ./policies run: make coverage - name: Upload to codecov.io uses: codecov/codecov-action@v3 with: files: policies/coverage.json flags: policies frontend-lint: name: Check frontend style runs-on: ubuntu-latest permissions: contents: read steps: - name: Checkout the code uses: actions/checkout@v3 - name: Install Node uses: actions/setup-node@v3 with: node-version: 16 cache: 'npm' cache-dependency-path: frontend/package-lock.json - name: Install Node dependencies working-directory: ./frontend run: npm ci - name: Lint working-directory: ./frontend run: npm run lint frontend-test: name: Run the frontend test suite runs-on: ubuntu-latest permissions: contents: read steps: - name: Checkout the code uses: actions/checkout@v3 - name: Install Node uses: actions/setup-node@v3 with: node-version: 16 cache: 'npm' cache-dependency-path: frontend/package-lock.json - name: Install Node dependencies working-directory: ./frontend run: npm ci - name: Test working-directory: ./frontend run: npm test - name: Upload to codecov.io uses: codecov/codecov-action@v3 with: directory: frontend/coverage/ flags: frontend rustfmt: name: Check Rust style runs-on: ubuntu-latest permissions: contents: read steps: - name: Checkout the code uses: actions/checkout@v3 - name: Install toolchain run: | rustup toolchain install nightly rustup default nightly rustup component add rustfmt - name: Check style run: cargo fmt --all -- --check check-schema: name: Check schema runs-on: ubuntu-latest permissions: contents: read steps: - name: Checkout the code uses: actions/checkout@v3 - name: Install Rust toolchain run: | rustup toolchain install stable rustup default stable - name: Setup Rust cache uses: Swatinem/rust-cache@v2 - name: Install Node uses: actions/setup-node@v3 with: node-version: 16 cache: 'npm' cache-dependency-path: frontend/package-lock.json - name: Install Node dependencies working-directory: ./frontend run: npm ci - name: Update the schemas run: sh ./misc/update.sh - name: Check that the workspace is clean run: | [[ -z $(git status -s) ]] clippy: name: Run Clippy needs: [rustfmt, opa-lint] runs-on: ubuntu-latest permissions: contents: read steps: - name: Checkout the code uses: actions/checkout@v3 - name: Install toolchain run: | rustup toolchain install 1.65.0 rustup default 1.65.0 rustup component add clippy - name: Setup OPA uses: open-policy-agent/setup-opa@v2.0.1 with: version: 0.45.0 - name: Compile OPA policies working-directory: ./policies run: make - name: Setup Rust cache uses: Swatinem/rust-cache@v2 - name: Run clippy run: | cargo clippy --workspace -- -D warnings test: name: Run test suite with Rust ${{ matrix.toolchain }} needs: [rustfmt, opa-lint] runs-on: ubuntu-latest permissions: contents: read strategy: fail-fast: false # Continue other jobs if one fails to help filling the cache matrix: toolchain: - stable - beta - nightly services: postgres: image: docker.io/library/postgres:14.4 env: POSTGRES_USER: postgres POSTGRES_PASSWORD: postgres POSTGRES_DB: postgres options: >- --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5 ports: - "5432:5432" steps: - name: Checkout the code uses: actions/checkout@v3 - name: Install toolchain run: | rustup toolchain install ${{ matrix.toolchain }} rustup default ${{ matrix.toolchain }} - name: Setup OPA uses: open-policy-agent/setup-opa@v2.0.1 with: version: 0.45.0 - name: Compile OPA policies working-directory: ./policies run: make - name: Setup Rust cache uses: Swatinem/rust-cache@v2 - name: Test id: test env: DATABASE_URL: postgresql://postgres:postgres@localhost/postgres SQLX_OFFLINE: '1' run: | cargo test --workspace # Ignore errors on the nightly toolchain continue-on-error: "${{ matrix.toolchain == 'nightly' }}" - name: Emit error annotation on failures if: steps.test.outcome == 'failure' run: | echo "::error ::Test suite failed on ${{ matrix.toolchain }} toolchain" coverage: name: Code coverage needs: [rustfmt, opa-lint] runs-on: ubuntu-latest permissions: contents: read services: postgres: image: docker.io/library/postgres:14.4 env: POSTGRES_USER: postgres POSTGRES_PASSWORD: postgres POSTGRES_DB: postgres options: >- --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5 ports: - "5432:5432" steps: - name: Checkout the code uses: actions/checkout@v3 - name: Install toolchain run: | rustup toolchain install stable rustup default stable rustup component add llvm-tools-preview - name: Setup OPA uses: open-policy-agent/setup-opa@v2.0.1 with: version: 0.45.0 - name: Compile OPA policies working-directory: ./policies run: make - name: Setup Rust cache uses: Swatinem/rust-cache@v2 - name: Download grcov run: | mkdir -p "${HOME}/.local/bin" curl -sL https://github.com/mozilla/grcov/releases/download/v0.8.13/grcov-x86_64-unknown-linux-gnu.tar.bz2 | tar jxf - -C "${HOME}/.local/bin" echo "$HOME/.local/bin" >> $GITHUB_PATH - name: Run test suite with profiling enabled run: | cargo test --no-fail-fast --workspace env: RUSTFLAGS: '-Cinstrument-coverage' LLVM_PROFILE_FILE: "cargo-test-%p-%m.profraw" DATABASE_URL: postgresql://postgres:postgres@localhost/postgres SQLX_OFFLINE: '1' - name: Build grcov report run: | mkdir -p target/coverage grcov . --binary-path ./target/debug/deps/ -s . -t lcov --branch --ignore-not-existing --ignore '../*' --ignore "/*" -o target/coverage/tests.lcov - name: Upload to codecov.io uses: codecov/codecov-action@v3 with: files: target/coverage/*.lcov flags: unit build-image: name: Build and push Docker image needs: [rustfmt, opa-lint] runs-on: ubuntu-latest env: IMAGE: ghcr.io/matrix-org/matrix-authentication-service permissions: contents: read packages: write id-token: write steps: - name: Checkout the code uses: actions/checkout@v3 - name: Docker meta id: meta uses: docker/metadata-action@v4 with: images: "${{ env.IMAGE }}" bake-target: docker-metadata-action tags: | type=ref,event=branch type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=semver,pattern={{major}} type=sha - name: Docker meta (debug variant) id: meta-debug uses: docker/metadata-action@v4 with: images: "${{ env.IMAGE }}" bake-target: docker-metadata-action-debug tags: | type=ref,event=branch,suffix=-debug type=semver,pattern={{version}},suffix=-debug type=semver,pattern={{major}}.{{minor}},suffix=-debug type=semver,pattern={{major}},suffix=-debug type=sha,suffix=-debug - name: Setup Cosign uses: sigstore/cosign-installer@v2.8.1 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v2 with: config-inline: | [registry."docker.io"] mirrors = ["mirror.gcr.io"] - name: Login to GitHub Container Registry if: github.event_name != 'pull_request' uses: docker/login-action@v2 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} # For pull-requests, only read from the cache, do not try to push to the # cache or the image itself # We only build for the amd64 platform in pull-requests to speed-up CI - name: Build uses: docker/bake-action@v2 if: github.event_name == 'pull_request' with: files: | docker-bake.hcl ${{ steps.meta.outputs.bake-file }} ${{ steps.meta-debug.outputs.bake-file }} set: | base.context=https://github.com/${{ github.repository }}.git#${{ github.ref }} base.platform=linux/amd64 base.cache-from=type=registry,ref=${{ env.IMAGE }}:buildcache - name: Build and push uses: docker/bake-action@v2 if: github.event_name != 'pull_request' with: files: | docker-bake.hcl ${{ steps.meta.outputs.bake-file }} ${{ steps.meta-debug.outputs.bake-file }} set: | base.context=https://github.com/${{ github.repository }}.git#${{ github.ref }} base.output=type=image,push=true base.cache-from=type=registry,ref=${{ env.IMAGE }}:buildcache base.cache-to=type=registry,ref=${{ env.IMAGE }}:buildcache,mode=max - name: Sign the images with GitHub Actions provided token # Only sign on tags and on commits on main branch if: | github.event_name != 'pull_request' && (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main') run: cosign sign ${TAGS} env: TAGS: "${{ steps.meta.outputs.tags }} ${{ steps.meta-debug.outputs.tags }}" COSIGN_EXPERIMENTAL: 1 tests-done: name: Tests done if: ${{ always() }} needs: - opa-lint - frontend-lint - frontend-test - rustfmt - clippy - check-schema - test - coverage - build-image runs-on: ubuntu-latest steps: - uses: matrix-org/done-action@v2 with: needs: ${{ toJSON(needs) }}