Skip to content

Add OpenSSF Scorecard Badge to readme #944

Add OpenSSF Scorecard Badge to readme

Add OpenSSF Scorecard Badge to readme #944

Workflow file for this run

name: "Aries-Askar"
env:
RUST_VERSION: "1.81.0"
CROSS_VERSION: "0.2.4"
TEST_FEATURES: ""
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
actions: write
contents: write
on:
push:
branches: [main]
pull_request:
branches: [main]
release:
types: [created]
workflow_dispatch:
inputs:
publish-binaries:
description: "Publish Binaries to Release (will create a release if no release exists for branch or tag)"
required: true
default: false
type: boolean
publish-python-wrapper:
description: "Publish Python Wrapper to Registries"
required: true
default: false
type: boolean
jobs:
checks:
name: Run checks
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
runs-on: ${{ matrix.os }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@master
with:
toolchain: ${{ env.RUST_VERSION }}
components: clippy, rustfmt
- name: Cache cargo resources
uses: Swatinem/rust-cache@v2
with:
shared-key: deps
cache-on-failure: true
- name: Cargo fmt
run: cargo fmt --all -- --check
- name: Cargo check
run: cargo check --workspace
- if: ${{ runner.os == 'Linux' }}
name: Pre-install cross
run: |
cargo install --bins --git https://github.com/rust-embedded/cross --locked --tag v${{ env.CROSS_VERSION }} cross
tests:
name: Run tests
needs: [checks]
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
runs-on: ${{ matrix.os }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@master
with:
toolchain: ${{ env.RUST_VERSION }}
- name: Cache cargo resources
uses: Swatinem/rust-cache@v2
with:
shared-key: deps
save-if: false
- name: Debug build
run: cargo build --all-targets
- if: ${{ runner.os == 'Linux' }}
name: Start postgres (Linux)
run: |
sudo systemctl start postgresql.service
pg_isready
sudo -u postgres psql -c "ALTER USER postgres WITH PASSWORD 'postgres'"
echo "POSTGRES_URL=postgres://postgres:postgres@localhost:5432/test-db" >> $GITHUB_ENV
echo "TEST_FEATURES=pg_test" >> $GITHUB_ENV
- name: Run tests
run: cargo test --workspace --features "${{ env.TEST_FEATURES || 'default' }}" -- --nocapture --test-threads 1 --skip contention
env:
RUST_BACKTRACE: full
# RUST_LOG: debug
- name: Test askar-crypto no default features
run: cargo test --manifest-path ./askar-crypto/Cargo.toml --no-default-features
build-release:
name: Build library
needs: [checks]
strategy:
matrix:
include:
- architecture: linux-aarch64
os: ubuntu-latest
lib: libaries_askar.so
target: aarch64-unknown-linux-gnu
use_cross: true
- architecture: linux-x86_64
os: ubuntu-latest
lib: libaries_askar.so
target: x86_64-unknown-linux-gnu
use_cross: true
- architecture: darwin-universal
os: macos-latest
lib: libaries_askar.dylib
target: darwin-universal
# beta or nightly required for aarch64-apple-darwin target
toolchain: beta
- architecture: windows-x86_64
os: windows-latest
lib: aries_askar.dll
target: x86_64-pc-windows-msvc
runs-on: ${{ matrix.os }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@master
with:
toolchain: ${{ matrix.toolchain || env.RUST_VERSION }}
- name: Cache cargo resources
uses: Swatinem/rust-cache@v2
with:
shared-key: deps
save-if: false
- name: Build
shell: sh
run: |
if [ -n "${{ matrix.use_cross }}" ]; then
cargo install --bins --git https://github.com/rust-embedded/cross --locked --tag v${{ env.CROSS_VERSION }} cross
# Required for compatibility with manylinux2014.
# https://github.com/briansmith/ring/issues/1728
if [ "${{ matrix.architecture }}" = "linux-aarch64" ]; then
export CFLAGS="-D__ARM_ARCH=8"
fi
cross build --lib --release --target ${{ matrix.target }}
elif [ "${{ matrix.architecture }}" == "darwin-universal" ]; then
./build-universal.sh
else
cargo build --lib --release --target ${{ matrix.target }}
fi
- name: Upload artifacts
uses: actions/upload-artifact@v4
with:
name: library-${{ matrix.architecture }}
path: target/${{ matrix.target }}/release/${{ matrix.lib }}
- name: Create artifacts directory
if: |
github.event_name == 'release' ||
(github.event_name == 'workflow_dispatch' && github.event.inputs.publish-binaries == 'true')
run: |
mkdir release-artifacts
cp target/${{ matrix.target }}/release/${{ matrix.lib }} release-artifacts/
- uses: a7ul/tar-action@v1.2.0
if: |
github.event_name == 'release' ||
(github.event_name == 'workflow_dispatch' && github.event.inputs.publish-binaries == 'true')
with:
command: c
cwd: release-artifacts
files: .
outPath: "library-${{ matrix.architecture }}.tar.gz"
- name: Add artifacts to release
if: |
github.event_name == 'release' ||
(github.event_name == 'workflow_dispatch' && github.event.inputs.publish-binaries == 'true')
uses: svenstaro/upload-release-action@v2
with:
file: library-${{ matrix.architecture }}.tar.gz
asset_name: "library-${{ matrix.architecture }}.tar.gz"
build-py:
name: Build and test Python wrapper
needs: [build-release]
strategy:
matrix:
architecture:
[linux-aarch64, linux-x86_64, darwin-universal, windows-x86_64]
python-version: ["3.8"]
include:
- os: ubuntu-latest
architecture: linux-aarch64
plat-name: manylinux2014_aarch64
- os: ubuntu-latest
architecture: linux-x86_64
plat-name: manylinux2014_x86_64
- os: macos-latest
architecture: darwin-universal
plat-name: macosx_10_9_universal2 # macosx_10_9_x86_64
- os: windows-latest
architecture: windows-x86_64
plat-name: win_amd64
runs-on: ${{ matrix.os }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install setuptools wheel twine auditwheel
- name: Fetch library artifacts
uses: actions/download-artifact@v4
with:
name: library-${{ matrix.architecture }}
path: wrappers/python/aries_askar/
- if: ${{ runner.os == 'Linux' }}
name: Start postgres (Linux)
run: |
sudo systemctl start postgresql.service
pg_isready
sudo -u postgres psql -c "ALTER USER postgres WITH PASSWORD 'postgres'"
echo "POSTGRES_URL=postgres://postgres:postgres@localhost:5432/test-db" >> $GITHUB_ENV
- name: Build wheel package
shell: sh
run: |
python setup.py bdist_wheel --python-tag=py3 --plat-name=${{ matrix.plat-name }}
working-directory: wrappers/python
- name: Run tests
# FIXME cross platform test the python package
# maybe use the cross docker image?
if: ${{ matrix.architecture != 'linux-aarch64' }}
shell: sh
run: |
pip install pytest pytest-asyncio dist/*
echo "-- Test SQLite in-memory --"
python -m pytest --log-cli-level=WARNING -k "not contention"
echo "-- Test SQLite file DB --"
TEST_STORE_URI=sqlite://test.db python -m pytest --log-cli-level=WARNING -k "not contention"
if [ -n "$POSTGRES_URL" ]; then
echo "-- Test Postgres DB --"
TEST_STORE_URI="$POSTGRES_URL" python -m pytest --log-cli-level=WARNING -k "not contention"
fi
working-directory: wrappers/python
env:
no_proxy: "*" # python issue 30385
RUST_BACKTRACE: full
# RUST_LOG: debug
- if: ${{ runner.os == 'Linux' }}
name: Audit wheel
run: |
auditwheel show wrappers/python/dist/* | tee auditwheel.log
grep -q manylinux_2_17_ auditwheel.log
- name: Upload Built Python Package
if: github.event_name == 'release' || (github.event_name == 'workflow_dispatch' && github.event.inputs.publish-python-wrapper == 'true')
uses: actions/upload-artifact@v4
with:
name: python_package-${{ matrix.plat-name }}
path: wrappers/python/dist
publish-py:
name: Publish Python package
needs: [build-py]
if: github.event_name == 'release' || (github.event_name == 'workflow_dispatch' && github.event.inputs.publish-python-wrapper == 'true')
permissions:
id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
runs-on: ubuntu-latest
environment:
name: pypi
url: https://pypi.org/p/aries-askar
steps:
- name: Fetch Python package
uses: actions/download-artifact@v4
with:
path: wrappers/python/dist
pattern: "python_package-*"
merge-multiple: true
- run: ls -R wrappers/python/dist
- name: Publish to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
packages-dir: wrappers/python/dist
build-ios:
name: Build library (iOS)
needs: [checks]
runs-on: macos-latest
env:
FEATURES: "mobile_secure_element"
strategy:
matrix:
target: [aarch64-apple-ios, aarch64-apple-ios-sim, x86_64-apple-ios]
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@master
with:
toolchain: ${{ env.RUST_VERSION }}
targets: ${{ matrix.target }}
- name: Build
run: |
cargo build --lib --release --target ${{matrix.target}} --features ${{ env.FEATURES }}
- name: Upload artifacts
uses: actions/upload-artifact@v4
with:
name: library-${{ matrix.target }}
path: target/${{ matrix.target }}/release/libaries_askar.a
build-android:
name: Build library (Android)
needs: [checks]
env:
FEATURES: "mobile_secure_element"
runs-on: ubuntu-latest
strategy:
matrix:
target:
[
aarch64-linux-android,
armv7-linux-androideabi,
i686-linux-android,
x86_64-linux-android,
]
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@master
with:
toolchain: ${{ env.RUST_VERSION }}
- name: Cache cargo resources
uses: Swatinem/rust-cache@v2
with:
shared-key: deps
save-if: false
- name: Build
run: |
# Using a fixed pre-release tag with a fix for NDK 25 support
cargo install --git https://github.com/cross-rs/cross.git --rev 085092c cross
# Required for compatibility with manylinux2014:
# https://github.com/briansmith/ring/issues/1728
if [ "${{ matrix.target }}" = "aarch64-linux-android" ]; then
export CFLAGS="-D__ARM_ARCH=8"
fi
cross build --lib --release --target ${{matrix.target}} --features ${{ env.FEATURES }}
- name: Upload artifacts
uses: actions/upload-artifact@v4
with:
name: library-${{ matrix.target }}
path: target/${{ matrix.target }}/release/libaries_askar.so
create-ios-xcframework:
name: Create iOS xcframework
runs-on: macos-latest
needs: [build-ios]
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Fetch static libraries
uses: actions/download-artifact@v4
- run: >
./build-xcframework.sh library-aarch64-apple-ios \
library-aarch64-apple-ios-sim \
library-x86_64-apple-ios \
include
- name: Save xcframework
uses: actions/upload-artifact@v4
with:
name: aries_askar.xcframework
path: ./out
- uses: geekyeggo/delete-artifact@v5
with:
name: |
library-aarch64-apple-ios
library-aarch64-apple-ios-sim
library-x86_64-apple-ios
failOnError: false
create-android-library:
name: Create library (Android)
runs-on: ubuntu-latest
needs: [build-android]
steps:
- name: Fetch libraries
uses: actions/download-artifact@v4
- run: |
sudo mkdir ./libs
sudo mv library-aarch64-linux-android ./libs/arm64-v8a
sudo mv library-armv7-linux-androideabi ./libs/armeabi-v7a
sudo mv library-i686-linux-android ./libs/x86
sudo mv library-x86_64-linux-android ./libs/x86_64
- name: Save Android library
uses: actions/upload-artifact@v4
with:
name: android-libraries
path: ./libs
- uses: geekyeggo/delete-artifact@v5
with:
name: |
library-aarch64-linux-android
library-armv7-linux-androideabi
library-i686-linux-android
library-x86_64-linux-android
failOnError: false
create-ios-android-release-asset:
name: Create iOS and Android release assets
runs-on: ubuntu-latest
needs:
- create-ios-xcframework
- create-android-library
if: |
(github.event_name == 'release' ||
(github.event_name == 'workflow_dispatch' &&
github.event.inputs.publish-binaries == 'true'))
steps:
- name: Fetch Android libraries
uses: actions/download-artifact@v4
with:
name: android-libraries
path: mobile/android/
- name: Fetch iOS Framework
uses: actions/download-artifact@v4
with:
name: aries_askar.xcframework
path: mobile/ios/
- uses: a7ul/tar-action@v1.2.0
with:
command: c
files: ./mobile
outPath: "library-ios-android.tar.gz"
- name: Add library artifacts to release
uses: svenstaro/upload-release-action@v2
with:
file: library-ios-android.tar.gz
asset_name: "library-ios-android.tar.gz"
build-success:
# see https://github.community/t/status-check-for-a-matrix-jobs/127354/7
name: Successful build
needs: [tests, build-release, build-py]
if: ${{ always() }}
runs-on: ubuntu-latest
steps:
- name: Check all job status
# see https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions#needs-context
# see https://stackoverflow.com/a/67532120/4907315
if: >-
${{
contains(needs.*.result, 'failure')
|| contains(needs.*.result, 'cancelled')
|| contains(needs.*.result, 'skipped')
}}
run: exit 1