name: CI

# Runs for pull requests, the merge queue, and manual dispatch. There is no
# `push` trigger, so nothing in this file runs with a post-merge token.
on:
  pull_request:
  merge_group:
  workflow_dispatch:

env:
  CARGO_TERM_COLOR: always
  RUST_BACKTRACE: 1
  # libtest `--report-time` thresholds (`warn,critical`) for each test kind.
  RUST_TEST_TIME_UNIT: 10,30
  RUST_TEST_TIME_INTEGRATION: 10,30
  RUST_TEST_TIME_DOCTEST: 10,30
  # Release builds in this workflow use full LTO and a single codegen unit.
  CARGO_PROFILE_RELEASE_LTO: true
  CARGO_PROFILE_RELEASE_CODEGEN_UNITS: 1

# One in-flight run per PR (or per ref when not a PR); a newer run cancels
# the older one, so steps that must survive cancellation need to say so.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

# Least privilege: the GITHUB_TOKEN handed to every job below is read-only on
# contents and carries no other scope. A job needing more must opt in itself.
permissions:
  contents: read

# `check-distro` overrides this to `sh` because its containers may lack bash.
defaults:
  run:
    shell: bash
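jobs:
  # Reads the set of Rust toolchains to test; `check` consumes it via fromJSON.
  toolchains:
    name: Determine toolchains
    runs-on: ubuntu-24.04
    outputs:
      toolchains: ${{ steps.toolchains.outputs.toolchains }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - id: toolchains
        uses: mozilla/actions/toolchains@2e46408d5c495e59a21e5e125e82008fad0d9408 # v1.1.7

  # Main build/test matrix over OS x toolchain x build type, plus coverage
  # upload from the stable debug builds.
  check:
    name: Run checks
    needs: toolchains
    # TODO: Restore `environment: codecov` once GitHub supports filtering deployment messages.
    # environment: codecov
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-24.04, ubuntu-24.04-arm, macos-15, windows-2025]
        rust-toolchain: ${{ fromJSON(needs.toolchains.outputs.toolchains) }}
        type: [debug]
        # Include some dynamically-linked release builds, to check that that works on all platforms.
        include:
          - os: ubuntu-24.04
            rust-toolchain: stable
            type: release
          - os: macos-15
            rust-toolchain: stable
            type: release
          - os: windows-2025
            rust-toolchain: stable
            type: release
          # Also do some debug builds on the oldest OS versions.
          - os: ubuntu-22.04
            rust-toolchain: stable
            type: debug
          - os: macos-14
            rust-toolchain: stable
            type: debug
          - os: windows-2022
            rust-toolchain: stable
            type: debug
    env:
      # Expanded unquoted into cargo invocations below (hence the SC2086 waivers).
      BUILD_TYPE: ${{ matrix.type == 'release' && '--release' || '' }}
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: mozilla/actions/rust@2e46408d5c495e59a21e5e125e82008fad0d9408 # v1.1.7
        with:
          version: ${{ matrix.rust-toolchain }}
          # llvm-tools/cargo-llvm-cov only on stable (coverage); rust-src and
          # cargo-careful only on nightly amd64 Ubuntu (see CAREFUL below).
          components: ${{ matrix.rust-toolchain == 'stable' && 'llvm-tools' || '' }} ${{ matrix.rust-toolchain == 'nightly' && startsWith(matrix.os, 'ubuntu') && !endsWith(matrix.os, 'arm') && 'rust-src ' || '' }}
          tools: ${{ matrix.rust-toolchain == 'stable' && 'cargo-llvm-cov' || '' }} ${{ matrix.rust-toolchain == 'nightly' && startsWith(matrix.os, 'ubuntu') && !endsWith(matrix.os, 'arm') && 'cargo-careful ' || '' }} cargo-hack
          token: ${{ secrets.GITHUB_TOKEN }}
      - uses: mozilla/actions/nss@2e46408d5c495e59a21e5e125e82008fad0d9408 # v1.1.7
        with:
          version-file: min_version.txt
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Check
        run: |
          # shellcheck disable=SC2086
          cargo check $BUILD_TYPE --locked --all-targets
      - name: Check feature powerset
        run: |
          # shellcheck disable=SC2086
          # --locked is omitted: --no-dev-deps modifies the manifest, which can
          # require lockfile re-resolution in a workspace.
          cargo hack check $BUILD_TYPE --feature-powerset --no-dev-deps --exclude-features gecko --mutually-exclusive-features blapi,disable-encryption
      - name: Run tests and determine coverage
        # RUST_BACKTRACE and the RUST_TEST_TIME_* thresholds are inherited from
        # the workflow-level env; only the step-specific values are set here.
        env:
          RUST_LOG: trace
          TOOLCHAIN: ${{ matrix.rust-toolchain }}
          # FIXME: cargo-careful at the moment only works on amd64 Ubuntu
          CAREFUL: ${{ matrix.rust-toolchain == 'nightly' && startsWith(matrix.os, 'ubuntu') && !endsWith(matrix.os, 'arm') && 'careful' || '' }}
        run: |
          # Seeds dumped by the test run; uploaded as an artifact at the end.
          DUMP_SIMULATION_SEEDS="$(pwd)/simulation-seeds"
          export DUMP_SIMULATION_SEEDS
          # Always defined so the non-careful branch expands it to nothing.
          TRIPLE=""
          # shellcheck disable=SC2086
          if [ "$TOOLCHAIN" == "stable" ]; then
            cargo llvm-cov test $BUILD_TYPE --locked --include-ffi --codecov --output-path codecov.json
          else
            if [ -n "$CAREFUL" ]; then
              TRIPLE="--target $(rustc --print host-tuple)"
            fi
            cargo $CAREFUL test $BUILD_TYPE --locked $TRIPLE
          fi
      - name: Test feature powerset
        run: |
          # shellcheck disable=SC2086
          cargo hack test $BUILD_TYPE --locked --feature-powerset --exclude-features gecko --mutually-exclusive-features blapi,disable-encryption
      - name: Test blapi in FIPS mode
        if: runner.os == 'Linux'
        env:
          TEST_FIXTURE_DB: ${{ github.workspace }}/test-fixture/db-fips
        run: |
          # shellcheck disable=SC2086
          cargo test $BUILD_TYPE --locked --features blapi --test aead_fips
      - name: CodeCov Windows workaround
        if: ${{ startsWith(matrix.os, 'windows') && matrix.type == 'debug' && matrix.rust-toolchain == 'stable' }}
        run: |
          # FIXME: Without this, the codecov/codecov-action fails. No idea why it's looking under C:/msys64 now, it shouldn't.
          mkdir -p C:/msys64/home/runneradmin/
          touch C:/msys64/home/runneradmin/.gitconfig
      - uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
        # Coverage is only produced by the llvm-cov branch above (stable, debug).
        if: matrix.type == 'debug' && matrix.rust-toolchain == 'stable'
        with:
          files: codecov.json
          # Best-effort upload: on fork PRs the token is empty and the upload
          # is expected to be rejected; that must not fail the build.
          fail_ci_if_error: false
          verbose: true
          flags: ${{ startsWith(matrix.os, 'ubuntu') && 'linux' || startsWith(matrix.os, 'macos') && 'macos' || 'windows' }}
        env:
          # The token is handed to the action through env only (which it
          # reads as CODECOV_TOKEN) rather than duplicated as a `with:` input,
          # so there is a single, env-scoped path for the secret.
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} # zizmor: ignore[secrets-outside-env]
      - name: Save simulation seeds artifact
        # Keep the seeds after a test failure (they are the repro material),
        # but do not spend time uploading from a run that concurrency cancelled.
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: simulation-seeds-${{ matrix.os }}-${{ matrix.rust-toolchain }}-${{ matrix.type }}
          path: simulation-seeds
          compression-level: 9

  # `--locked` makes both update commands fail if Cargo.lock would have to
  # change, i.e. if the committed lockfile is incomplete.
  check-cargo-lock:
    name: Ensure `Cargo.lock` contains all required dependencies
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: mozilla/actions/rust@2e46408d5c495e59a21e5e125e82008fad0d9408 # v1.1.7
        with:
          version: stable
          tools: cargo-hack
          token: ${{ secrets.GITHUB_TOKEN }}
      - run: |
          cargo update -w --locked
          cargo hack update -w --locked

  # Cross-checks for Android targets via the repo-local composite action.
  check-android:
    name: Check Android
    runs-on: ubuntu-24.04
    strategy:
      matrix:
        target: ["x86_64-linux-android", "aarch64-linux-android"]
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - id: nss-version
        # min_version.txt is read from the checked-out tree, which at the
        # `pull_request` trigger is the PR's own code running with a read-only
        # token, so no privilege is gained through this output.
        run: echo "minimum=$(cat min_version.txt)" >> "$GITHUB_OUTPUT"
      - uses: ./.github/actions/check-android
        with:
          target: ${{ matrix.target }}
          minimum-nss-version: ${{ steps.nss-version.outputs.minimum }}
          github-token: ${{ secrets.GITHUB_TOKEN }}

  check-distro:
    name: Check with system NSS on ${{ matrix.name }}
    runs-on: ubuntu-24.04
    # Tests the pkg-config codepath against distro-packaged NSS. Some distros
    # omit -L for default library search paths (e.g., /usr/lib64 on Fedora/RHEL),
    # which the Ubuntu CI runners don't exercise.
    # Allow failures in merge queue in case distro NSS lags our minimum version.
    continue-on-error: ${{ github.event_name == 'merge_group' }}
    strategy:
      fail-fast: false
      matrix:
        # Images are pinned by digest so the distro snapshot under test is fixed.
        include:
          - name: Fedora
            container: fedora@sha256:498c452f32a739b61f0ef215bce9924ebc4866cbe44710f58157d77723b7a6d2
            install: dnf install -y git nss-devel clang-devel pkgconf-pkg-config gcc curl
          - name: openSUSE Tumbleweed
            container: opensuse/tumbleweed@sha256:003da6756e3daced6f62ece3d6dc436d21572fb05e558172fc552b6aa1b044ab
            install: zypper install -y --no-recommends git mozilla-nss-devel clang-devel pkg-config gcc curl
          - name: Arch Linux
            container: archlinux@sha256:1047e6e7878d58e4ee47e1cd6459a32fab41246b0efc4109e11b7ef16f50b14d
            install: pacman -Syu --noconfirm git nss clang pkgconf gcc curl
    # Minimal images may not ship bash.
    defaults:
      run:
        shell: sh
    container:
      image: ${{ matrix.container }}
    steps:
      - name: Install system dependencies (${{ matrix.name }})
        # The command comes from the static matrix above, not from event data,
        # so expanding it unquoted is word-splitting on trusted input only.
        env:
          INSTALL: ${{ matrix.install }}
        run: $INSTALL
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Install Rust
        # NOTE(review): unlike the digest-pinned images above, this runs an
        # unpinned, unverified script fetched from sh.rustup.rs. The job holds
        # only the read-only GITHUB_TOKEN and references no other secret, which
        # bounds the blast radius, but a distro rustup package or a pinned
        # rustup-init binary with a checked hash would remove the dependency on
        # whatever rustup.rs serves at run time.
        run: curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- --default-toolchain stable --profile minimal -y
      - name: Check
        run: |
          . "$HOME/.cargo/env"
          cargo check --locked --all-targets
      - name: Check feature powerset
        run: |
          . "$HOME/.cargo/env"
          # Built from crates.io at run time; `--locked` pins cargo-hack's own
          # dependency graph but not the cargo-hack version itself.
          cargo install cargo-hack --locked
          # --locked is omitted: --no-dev-deps modifies the manifest, which can
          # require lockfile re-resolution.
          cargo hack check --feature-powerset --no-dev-deps --exclude-features gecko --mutually-exclusive-features blapi,disable-encryption

  check-vm:
    name: Run checks for VM-only platforms
    runs-on: ubuntu-24.04
    # TODO: Restore `environment: codecov` once GitHub supports filtering deployment messages.
    # environment: codecov
    # OpenBSD, NetBSD and Solaris often have NSS packages that are too old.
    # Allow them to fail without aborting the merge queue.
    continue-on-error: ${{ github.event_name == 'merge_group' && matrix.os != 'freebsd' }}
    strategy:
      fail-fast: false
      matrix:
        os: [freebsd, netbsd, openbsd] # NSS package on 'solaris' is too old.
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: ./.github/actions/check-vm
        with:
          platform: ${{ matrix.os }}
          # Passed as an input because the composite action, not this step,
          # performs the upload; empty on fork PRs.
          codecov-token: ${{ secrets.CODECOV_TOKEN }} # zizmor: ignore[secrets-outside-env]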