chore(deps): update taiki-e/install-action digest to 0dfccb3 #3641
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| pull_request: | |
| types: | |
| - opened | |
| - synchronize | |
| merge_group: | |
| types: | |
| - checks_requested | |
| release: | |
| types: | |
| - published | |
| env: | |
| DEBIAN_FRONTEND: noninteractive | |
| OBFSTR_SEED: ${{ secrets.CONST_RANDOM_SEED }} | |
| jobs: | |
| static-analysis: | |
| name: Static analysis | |
| runs-on: ubuntu-24.04 | |
| timeout-minutes: 15 | |
| # Exclude in-repo PRs from running this job | |
| if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork | |
| steps: | |
| - name: 📥 Checkout source | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| - name: 🧰 Install Rust toolchain | |
| uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 # v1 | |
| with: | |
| toolchain: nightly | |
| components: rustfmt, clippy | |
| - name: 🧰 Install clippy-sarif | |
| uses: taiki-e/install-action@0dfccb316f282b6d57b2993e6363d0f6f6fa53b4 # v2 | |
| with: | |
| tool: clippy-sarif | |
| - name: 🧰 Install sarif-fmt | |
| uses: taiki-e/install-action@0dfccb316f282b6d57b2993e6363d0f6f6fa53b4 # v2 | |
| with: | |
| tool: sarif-fmt | |
| - name: 🧰 Install cargo-deny | |
| uses: taiki-e/install-action@0dfccb316f282b6d57b2993e6363d0f6f6fa53b4 # v2 | |
| with: | |
| tool: cargo-deny | |
| - name: 🔍 Clippy check | |
| shell: bash | |
| run: > | |
| cargo clippy --no-deps --all-targets --message-format=json -- -D warnings | |
| | clippy-sarif | |
| | tee clippy-results.sarif | |
| | sarif-fmt | |
| - name: 🔍 Run cargo-deny | |
| run: cargo deny check | |
| - name: 🔍 Check Rust source code format | |
| run: cargo fmt --all --check | |
| - name: 📤 Upload analysis results to GitHub | |
| if: always() | |
| uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3 | |
| continue-on-error: true | |
| with: | |
| sarif_file: clippy-results.sarif | |
| category: clippy | |
| build: | |
| name: Build | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| target: | |
| - x86_64-unknown-linux-gnu | |
| - x86_64-unknown-linux-musl | |
| - x86_64-pc-windows-gnu | |
| - aarch64-unknown-linux-gnu | |
| - aarch64-unknown-linux-musl | |
| - universal2-apple-darwin | |
| include: | |
| - target: x86_64-unknown-linux-gnu | |
| host-target: x86_64-unknown-linux-gnu | |
| runner: ubuntu-latest | |
| container: debian:bookworm-slim | |
| apt-arch: amd64 | |
| - target: x86_64-unknown-linux-musl | |
| host-target: x86_64-unknown-linux-gnu | |
| runner: ubuntu-latest | |
| container: debian:bookworm-slim | |
| apt-arch: amd64 | |
| - target: aarch64-unknown-linux-gnu | |
| host-target: x86_64-unknown-linux-gnu | |
| runner: ubuntu-latest | |
| container: debian:bookworm-slim | |
| apt-arch: arm64 | |
| - target: aarch64-unknown-linux-musl | |
| host-target: x86_64-unknown-linux-gnu | |
| runner: ubuntu-latest | |
| container: debian:bookworm-slim | |
| apt-arch: arm64 | |
| - target: x86_64-pc-windows-gnu | |
| host-target: x86_64-pc-windows-gnu | |
| runner: windows-latest | |
| - target: universal2-apple-darwin | |
| host-target: aarch64-apple-darwin | |
| runner: macos-latest | |
| runs-on: ${{ matrix.runner }} | |
| timeout-minutes: 60 | |
| container: ${{ matrix.container }} | |
| permissions: | |
| id-token: write | |
| attestations: write | |
| contents: write | |
| env: | |
| # nextext requires this on Windows to pick the intended GNU toolchain | |
| RUSTUP_TOOLCHAIN: nightly-${{ matrix.host-target }} | |
| # Rust stdlib default backtrace feature doesn't actually work because our | |
| # release executables are stripped, so skipping it shaves off quite some KiB. | |
| # References: | |
| # https://doc.rust-lang.org/cargo/reference/unstable.html#build-std-features | |
| # https://github.com/rust-lang/rust/blob/4c8bb79d9f565115637cc6da739f8389e79f3a29/library/std/Cargo.toml#L54-L79 | |
| OPTIMIZED_RELEASE_BUILD_FLAGS: -Z build-std -Z build-std-features=panic-unwind | |
| # Exclude in-repo PRs from running this job | |
| if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork | |
| steps: | |
| - name: 🧰 Install Linux toolchain packages | |
| if: contains(matrix.target, '-linux-') | |
| run: | | |
| if [ "$(dpkg --print-architecture)" != '${{ matrix.apt-arch }}' ]; then | |
| dpkg --add-architecture '${{ matrix.apt-arch }}' | |
| fi | |
| apt-get update | |
| # curl is required by rustup. | |
| # musl-tools is required to build musl binaries for the host architecture, | |
| # and the arch-specific musl-dev package is required to build binaries for | |
| # a target architecture when cross-compiling | |
| # markdown and html2text are required to generate the Debian package only | |
| apt-get install -yq build-essential cmake git curl \ | |
| musl-tools musl-dev:${{ matrix.apt-arch }} \ | |
| markdown html2text | |
| # This must go after the previous step so that a Git repository is checked out | |
| - name: 📥 Checkout source | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| with: | |
| fetch-depth: 0 # Keep the commit history for proper version information | |
| - name: 🧰 Install Linux ARM64 cross-compilation toolchain | |
| if: startsWith(matrix.target, 'aarch64-unknown-linux') | |
| run: apt-get install -yq gcc-aarch64-linux-gnu qemu-user libc6:arm64 | |
| - name: 🧰 Install Rust toolchain | |
| uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 # v1 | |
| with: | |
| toolchain: nightly-${{ matrix.host-target }} | |
| targets: ${{ matrix.target == 'universal2-apple-darwin' && 'x86_64-apple-darwin,aarch64-apple-darwin' || matrix.target }} | |
| components: rust-src | |
| - name: 💨 Set up sccache | |
| if: ${{ !endsWith(matrix.target, '-pc-windows-gnu') }} | |
| uses: mozilla-actions/sccache-action@054db53350805f83040bf3e6e9b8cf5a139aa7c9 # v0.0.7 | |
| - name: ⚙️ Prime sccache cache backend | |
| if: ${{ !endsWith(matrix.target, '-pc-windows-gnu') }} | |
| shell: bash | |
| env: | |
| SCCACHE_REDIS_ENDPOINT: ${{ secrets.SCCACHE_REDIS_ENDPOINT }} | |
| SCCACHE_REDIS_USERNAME: ${{ secrets.SCCACHE_REDIS_USERNAME }} | |
| SCCACHE_REDIS_PASSWORD: ${{ secrets.SCCACHE_REDIS_PASSWORD }} | |
| SCCACHE_REDIS_KEY_PREFIX: ${{ secrets.SCCACHE_REDIS_KEY_PREFIX }} | |
| run: | | |
| sccache --start-server | |
| echo 'RUSTC_WRAPPER=sccache' >> "$GITHUB_ENV" | |
| - name: 💨 Cache Rust artifacts (Windows) | |
| if: endsWith(matrix.target, '-pc-windows-gnu') # sccache with Windows GNU compilers is slower than trivial GHA caching | |
| uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2 | |
| - name: 🧰 Install nextest | |
| uses: taiki-e/install-action@0dfccb316f282b6d57b2993e6363d0f6f6fa53b4 # v2 | |
| with: | |
| tool: nextest | |
| - name: 🧰 Install cargo-deb | |
| if: endsWith(matrix.target, '-linux-gnu') | |
| uses: taiki-e/install-action@0dfccb316f282b6d57b2993e6363d0f6f6fa53b4 # v2 | |
| with: | |
| tool: cargo-deb | |
| # Our build container is minimal, and it doesn't contain any systemd package. | |
| # systemd is responsible for setting up the machine ID files we use for | |
| # testing the system ID retrieval code, so copy a dummy one | |
| - name: 📏 Set up a dummy D-Bus machine ID for tests | |
| if: startsWith(matrix.runner, 'ubuntu') | |
| run: cat /proc/sys/kernel/random/uuid | tr -d '-' > /run/machine-id | |
| # Required for the build script to be able to gather version information from Git | |
| - name: 📏 Allow Git commands to run in the container directory | |
| shell: bash | |
| run: git config --global --add safe.directory "$PWD" | |
| - name: ✔️ Run tests | |
| env: | |
| CARGO_BUILD_TARGET: ${{ matrix.target == 'universal2-apple-darwin' && 'aarch64-apple-darwin' || matrix.target }} | |
| run: | | |
| cargo nextest run --workspace --status-level all --release | |
| cargo test --doc --workspace --release | |
| - name: 🔨 Build with optimized standard library | |
| env: | |
| # Simulate universal2-apple-darwin target through Cargo's native simultaneous multi-target support | |
| TARGET_PARAMS: ${{ matrix.target == 'universal2-apple-darwin' && | |
| '--target x86_64-apple-darwin --target aarch64-apple-darwin' || format('--target {0}', matrix.target) }} | |
| run: cargo build ${{ env.TARGET_PARAMS }} --release ${{ env.OPTIMIZED_RELEASE_BUILD_FLAGS }} | |
| - name: 🔨 Assemble universal macOS binary | |
| if: matrix.target == 'universal2-apple-darwin' | |
| run: | | |
| mkdir -p target/${{ matrix.target }}/release | |
| lipo -create -output target/${{ matrix.target }}/release/packsquash \ | |
| target/x86_64-apple-darwin/release/packsquash target/aarch64-apple-darwin/release/packsquash | |
| - name: 🔨 Generate CLI Debian package | |
| if: endsWith(matrix.target, '-linux-gnu') | |
| run: scripts/build_deb.sh --target ${{ matrix.target }} -p packsquash_cli -- ${{ env.OPTIMIZED_RELEASE_BUILD_FLAGS }} | |
| - name: 📤 Upload CLI binary | |
| if: ${{ !contains(matrix.target, '-linux-') || endsWith(matrix.target, '-linux-musl') }} | |
| uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4 | |
| with: | |
| name: PackSquash CLI executable (${{ matrix.target }}) | |
| path: | | |
| target/${{ matrix.target }}/release/packsquash* | |
| !target/${{ matrix.target }}/release/packsquash.d | |
| - name: 📤 Upload CLI Debian package | |
| if: endsWith(matrix.target, '-linux-gnu') | |
| uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4 | |
| with: | |
| name: PackSquash CLI Debian package (${{ matrix.apt-arch }}) | |
| path: target/${{ matrix.target }}/debian/packsquash_*.deb | |
| - name: ✒️ Generate SLSA attestation subject data for binaries | |
| uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1 | |
| with: | |
| subject-path: | | |
| target/${{ matrix.target }}/release/packsquash | |
| target/${{ matrix.target }}/release/packsquash.exe | |
| target/${{ matrix.target }}/debian/packsquash_*.deb | |
| - name: 🧰 Install release asset upload dependencies | |
| if: github.event_name == 'release' && matrix.container | |
| continue-on-error: true | |
| run: | | |
| apt-get install -yq npm | |
| npm install archiver@'>=7.0.0 <8.0.0' | |
| - name: 📤 Upload release assets | |
| uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7 | |
| if: github.event_name == 'release' | |
| continue-on-error: true | |
| with: | |
| retries: 3 | |
| script: | | |
| const { readFile } = require("node:fs/promises"); | |
| const { createWriteStream } = require("node:fs"); | |
| const { basename } = require("node:path"); | |
| const archiver = require("archiver"); | |
| const target = "${{ matrix.target }}"; | |
| const targetAptArch = "${{ matrix.apt-arch }}"; | |
| const firstGlobMatch = async (expr) => | |
| (await (await glob.create(expr)).glob())[0]; | |
| const artifacts = [ | |
| [ | |
| `PackSquash CLI executable (${target})`, | |
| true, | |
| await firstGlobMatch( | |
| [ | |
| `target/${target}/release/packsquash*`, | |
| `!target/${target}/release/packsquash.d`, | |
| ].join("\n") | |
| ), | |
| ], | |
| ].concat([ | |
| [ | |
| `PackSquash CLI Debian package (${targetAptArch})`, | |
| false, | |
| await firstGlobMatch(`target/${target}/debian/packsquash_*.deb`), | |
| ], | |
| ]); | |
| for (const [artifactLabel, wrapInZip, artifactPath] of artifacts) { | |
| if (!artifactPath) { | |
| continue; | |
| } | |
| let assetName, assetPath; | |
| if (wrapInZip) { | |
| assetName = assetPath = `${basename(artifactPath)}-${target}.zip`; | |
| const assetArchive = archiver("zip", { | |
| comment: | |
| "Thank you for downloading PackSquash!\n\nIf you liked it, please consider supporting the project at https://packsquash.aylas.org", | |
| zlib: { level: 9 }, | |
| }); | |
| assetArchive.pipe(createWriteStream(assetName, "binary")); | |
| assetArchive.file(artifactPath, { name: basename(artifactPath) }); | |
| await assetArchive.finalize(); | |
| } else { | |
| assetName = basename(artifactPath); | |
| assetPath = artifactPath; | |
| } | |
| await github.rest.repos.uploadReleaseAsset({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| release_id: ( | |
| await github.rest.repos.getReleaseByTag({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| tag: context.ref.replace(/^refs\/tags\//, ""), | |
| }) | |
| ).data.id, | |
| // The name must be unique among assets within a release, and sets the file name of the asset | |
| // when downloaded (the unique name requirement is why we wrap executables in ZIP files, as | |
| // otherwise we'd have several assets named "packsquash", which is not possible) | |
| name: assetName, | |
| // GitHub displays this as the user-friendly name for the release asset in the web UI. It can | |
| // be non-unique or missing. If missing, GitHub shows the asset name as a label | |
| label: artifactLabel, | |
| // Using a file buffer in here works: https://github.com/octokit/octokit.js/discussions/2087 | |
| data: await readFile(assetPath), | |
| }); | |
| } | |
| build-docker-images: | |
| name: Build Docker images | |
| runs-on: ubuntu-latest | |
| env: | |
| # Defaults to docker.io (Docker Hub) | |
| REGISTRY: ghcr.io | |
| # github.repository as <account>/<repo> | |
| IMAGE_NAME: ${{ github.repository }} | |
| needs: build | |
| steps: | |
| - name: 📥 Checkout source | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| - name: 🧰 Set up Docker Buildx | |
| uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3 | |
| - name: ⚙️ Generate Docker image metadata | |
| id: meta | |
| uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| # Tag the image as "edge" for every commit on master. | |
| # Tag the image by its ref for every commit on non-master branches. | |
| # Maintain the "latest", full and major and minor semver tags for each semver tag push | |
| tags: | | |
| type=edge,branch=master | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=ref,event=branch | |
| labels: | | |
| org.opencontainers.image.description=Docker image for PackSquash, the Minecraft resource and data pack optimizer. | |
| - name: 📥 Download PackSquash CLI x64 musl executable | |
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4 | |
| with: | |
| name: PackSquash CLI executable (x86_64-unknown-linux-musl) | |
| - name: 📁 Rename PackSquash CLI x64 musl executable | |
| run: mv packsquash packsquash-amd64 | |
| - name: 📥 Download PackSquash CLI ARM64 musl executable | |
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4 | |
| with: | |
| name: PackSquash CLI executable (aarch64-unknown-linux-musl) | |
| - name: 📁 Rename PackSquash CLI ARM64 musl executable | |
| run: mv packsquash packsquash-arm64 | |
| - name: 🔍 Check workflow package write permission | |
| id: check_write_permission | |
| uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7 | |
| with: | |
| result-encoding: string | |
| script: | | |
| const permission = (await github.rest.repos.getCollaboratorPermissionLevel({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| username: context.actor, | |
| })).data.permission; | |
| return permission == "write" || permission == "admin" ? "1" : ""; | |
| # The GitHub token needs the package:write permission for the push to work. | |
| # This permission is not given to PRs from forked repositories. | |
| # See: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token | |
| - name: ⚙️ Login to ${{ env.REGISTRY }} | |
| uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 | |
| if: steps.check_write_permission.outputs.result | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: 🔨 Build and push Docker image | |
| uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5 | |
| with: | |
| context: . | |
| platforms: linux/amd64,linux/arm64 | |
| push: ${{ steps.check_write_permission.outputs.result == '1' }} | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| benchmark: | |
| name: Run and upload benchmarks | |
| runs-on: ubuntu-latest | |
| container: debian:bookworm-slim@sha256:f70dc8d6a8b6a06824c92471a1a258030836b26b043881358b967bf73de7c5ab | |
| # Benchmark failure is not critical enough to fail the whole workflow. | |
| # We will keep an eye on them anyway, though | |
| continue-on-error: true | |
| # Make sure that benchmarks stay quick, and handle them being stuck promptly | |
| timeout-minutes: 30 | |
| # Only benchmark code that passes all the checks | |
| needs: | |
| - static-analysis | |
| - build | |
| # Ignore runs that don't have the secret needed to decrypt packs (this happens for PRs outside | |
| # the repository). First-time would-be contributors need to have their workflows approved | |
| # anyway, but at best it might be confusing to see commits of PRs mixed with the mainline. | |
| # Workflows triggered by PRs don't have access to secrets either. We also ignore temporary | |
| # Renovate branches and merge groups to reduce noise | |
| if: success() && | |
| github.event_name != 'pull_request' && | |
| github.event_name != 'merge_group' && | |
| !startsWith(github.ref_name, 'renovate/') | |
| env: | |
| # Use sccache to speed up Rust compilation | |
| RUSTC_WRAPPER: sccache | |
| steps: | |
| - name: 🧰 Install development packages and benchmark script packages | |
| run: | | |
| apt-get update | |
| # curl is required by rustup | |
| apt-get install -yq build-essential git curl cmake \ | |
| python3-venv gpg | |
| - name: 📥 Checkout source | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| # Necessary for steps that invoke Git commands to work properly on workflows run on containers. | |
| # See: https://github.com/actions/checkout/issues/766 | |
| - name: 📥 Set source ownership to current user | |
| run: chown -R "$(id -u):$(id -g)" "$GITHUB_WORKSPACE" | |
| - name: 🧰 Install Rust toolchain | |
| uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 # v1 | |
| with: | |
| toolchain: nightly | |
| - name: 💨 Set up sccache | |
| uses: mozilla-actions/sccache-action@054db53350805f83040bf3e6e9b8cf5a139aa7c9 # v0.0.7 | |
| - name: ⚙️ Prime sccache cache backend | |
| shell: bash | |
| env: | |
| SCCACHE_REDIS_ENDPOINT: ${{ secrets.SCCACHE_REDIS_ENDPOINT }} | |
| SCCACHE_REDIS_USERNAME: ${{ secrets.SCCACHE_REDIS_USERNAME }} | |
| SCCACHE_REDIS_PASSWORD: ${{ secrets.SCCACHE_REDIS_PASSWORD }} | |
| SCCACHE_REDIS_KEY_PREFIX: ${{ secrets.SCCACHE_REDIS_KEY_PREFIX }} | |
| run: sccache --start-server | |
| - name: 📥 Download test packs dataset | |
| run: scripts/test-packs/download.sh | |
| - name: 🔑 Decrypt private test packs in dataset | |
| env: | |
| PRIVATE_TEST_PACKS_PASSWORD: ${{ secrets.PRIVATE_TEST_PACKS_PASSWORD }} | |
| run: scripts/test-packs/decrypt.sh | |
| # GitHub-hosted runners restrict access to the perf_event_open syscall for some event types we | |
| # are interested in, so we can't run benchmarks that measure the troublesome performance counters. | |
| # See: https://github.com/actions/virtual-environments/issues/4974 | |
| - name: 🔍 Run quick benchmarks | |
| run: cargo bench -- --output-format=bencher 'wall_time' | tee /run/bench_results.txt | |
| - name: 📤 Publish quick benchmarks results | |
| uses: benchmark-action/github-action-benchmark@v1 | |
| with: | |
| name: 'PackSquash library quick benchmarks' | |
| tool: cargo | |
| output-file-path: /run/bench_results.txt | |
| benchmark-data-dir-path: dev/benches | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| auto-push: true | |
| comment-on-alert: true | |
| alert-threshold: 150% | |
| fail-on-alert: false | |
| max-items-in-chart: 50 |