release #44
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Release | |
on: | |
push: | |
branches: | |
- main | |
- gha_release | |
tags: | |
- "ccf-0.*" | |
workflow_dispatch: | |
permissions: | |
contents: write | |
actions: read | |
checks: write | |
jobs: | |
release_notes: | |
name: Release Notes | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 1 | |
- name: "Check Release Notes" | |
run: | | |
set -ex | |
python scripts/extract-release-notes.py --target-git-version | |
shell: bash | |
- name: "Produce Release Notes" | |
run: | | |
set -ex | |
set -o pipefail | |
python ./scripts/extract-release-notes.py --target-git-version --describe-path-changes "./samples/constitution" | tee rel-notes.md | |
- name: "Upload .deb Package" | |
uses: actions/upload-artifact@v4 | |
with: | |
name: relnotes | |
path: rel-notes.md | |
build_release: | |
needs: release_notes | |
name: Build Release | |
strategy: | |
matrix: | |
platform: | |
- name: virtual | |
image: default | |
nodes: [self-hosted, 1ES.Pool=gha-virtual-ccf-sub] | |
- name: snp | |
image: default | |
nodes: [self-hosted, 1ES.Pool=gha-virtual-ccf-sub] | |
- name: sgx | |
image: sgx | |
nodes: [self-hosted, 1ES.Pool=gha-sgx-ccf-sub] | |
container_options: --device /dev/sgx_enclave:/dev/sgx_enclave --device /dev/sgx_provision:/dev/sgx_provision -v /dev/sgx:/dev/sgx | |
cmake_options: -DLVI_MITIGATIONS=ON | |
runs-on: ${{ matrix.platform.nodes }} | |
container: | |
image: ghcr.io/microsoft/ccf/ci/${{ matrix.platform.image }}:build-26-06-2024 | |
options: "--user root --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE -v /lib/modules:/lib/modules:ro ${{ matrix.platform.container_options }}" | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: "Build Release ${{ matrix.platform.name }}" | |
run: | | |
set -ex | |
git config --global --add safe.directory /__w/CCF/CCF | |
mkdir build | |
cd build | |
cmake -GNinja -DCOMPILE_TARGET=${{ matrix.platform.name }} ${{ matrix.platform.cmake_options }} -DCLIENT_PROTOCOLS_TEST=ON .. | |
ninja -v | tee build.log | |
shell: bash | |
- name: "Check Mitigation Flags" | |
run: | | |
cd build | |
python3 ../scripts/build-check.py < build.log SNPCC | |
shell: bash | |
if: ${{ matrix.platform.name == 'snp' }} | |
- name: "Install Extended Testing Tools" | |
run: | | |
set -ex | |
sudo apt-get -y update | |
sudo apt install ansible -y | |
cd getting_started/setup_vm | |
ansible-playbook ccf-extended-testing.yml | |
shell: bash | |
if: ${{ matrix.platform.name != 'snp' }} | |
- name: "Test ${{ matrix.platform.name }}" | |
run: | | |
set -ex | |
cd build | |
rm -rf /github/home/.cache | |
mkdir -p /github/home/.cache | |
export ASAN_SYMBOLIZER_PATH=$(realpath /usr/bin/llvm-symbolizer-15) | |
# Unit tests | |
./tests.sh --output-on-failure -L unit -j$(nproc --all) | |
./tests.sh --timeout 360 --output-on-failure -LE "benchmark|perf|unit" | |
shell: bash | |
if: "${{ matrix.platform.name != 'snp' }}" | |
- name: "Make .deb Package" | |
id: make_deb | |
run: | | |
set -ex | |
set -o pipefail | |
cd build | |
cmake -L .. 2>/dev/null | grep CMAKE_INSTALL_PREFIX: | cut -d = -f 2 > /tmp/install_prefix | |
cpack -V -G DEB | |
INITIAL_PKG=`ls *.deb` | |
CCF_GITHUB_PKG=${INITIAL_PKG//\~/_} | |
if [[ "$INITIAL_PKG" != "$CCF_GITHUB_PKG" ]]; then | |
mv $INITIAL_PKG $CCF_GITHUB_PKG | |
fi | |
echo "name=$CCF_GITHUB_PKG" >> $GITHUB_OUTPUT | |
shell: bash | |
- name: "Install CCF Debian package" | |
run: | | |
set -ex | |
cd build | |
sudo apt -y install ./${{ steps.make_deb.outputs.name }} | |
shell: bash | |
- name: "Test Installed CCF" | |
run: | | |
set -ex | |
set -o pipefail | |
cd build | |
cat /tmp/install_prefix | xargs -i bash -c "PYTHON_PACKAGE_PATH=../python ./test_install.sh {}" | |
shell: bash | |
if: "${{ matrix.platform.name != 'snp' }}" | |
- name: "Recovery Benchmark for Installed CCF" | |
run: | | |
set -ex | |
set -o pipefail | |
cd build | |
cat /tmp/install_prefix | xargs -i bash -c "PYTHON_PACKAGE_PATH=../python ./recovery_benchmark.sh {}" | |
shell: bash | |
if: "${{ matrix.platform.name != 'snp' }}" | |
- name: "Test Building a Sample Against Installed CCF" | |
run: | | |
set -ex | |
./tests/test_install_build.sh -DCOMPILE_TARGET=${{ matrix.platform.name }} | |
shell: bash | |
- name: "Upload .deb Package" | |
uses: actions/upload-artifact@v4 | |
with: | |
name: pkg-${{ matrix.platform.name }} | |
path: build/${{ steps.make_deb.outputs.name }} | |
- name: "Upload Compatibility Report" | |
uses: actions/upload-artifact@v4 | |
with: | |
name: compatibility | |
path: build/compatibility_report.json | |
if: "${{ matrix.platform.name == 'sgx' }}" | |
- name: "Upload TLS Report" | |
uses: actions/upload-artifact@v4 | |
with: | |
name: tls | |
path: build/tls_report.html | |
if: "${{ matrix.platform.name == 'sgx' }}" | |
create_release: | |
needs: build_release | |
name: Create Release | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 1 | |
- name: Download Packages | |
uses: actions/download-artifact@v4 | |
with: | |
path: pkg | |
pattern: pkg-* | |
merge-multiple: true | |
- name: Download Release Notes | |
uses: actions/download-artifact@v4 | |
with: | |
name: relnotes | |
- name: Download Compatibility Report | |
uses: actions/download-artifact@v4 | |
with: | |
name: compatibility | |
path: pkg | |
merge-multiple: true | |
- name: Download TLS Report | |
uses: actions/download-artifact@v4 | |
with: | |
name: tls | |
path: pkg | |
merge-multiple: true | |
- run: | | |
set -ex | |
CCF_VERSION=${{ github.ref_name }} | |
CCF_VERSION=${CCF_VERSION#ccf-} | |
gh release create --title $CCF_VERSION --draft --notes-file rel-notes.md pkg/* | |
shell: bash | |
env: | |
GH_TOKEN: ${{ github.token }} |