Skip to content

Use a rust layer with a full app build #5052

Use a rust layer with a full app build

Use a rust layer with a full app build #5052

Workflow file for this run

name: Unit, integration tests and sonar
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
on:
pull_request:
# Runs on all PRs
push:
branches:
- develop
- main
- release\/*
jobs:
phylum-analyze:
if: ${{ github.event.pull_request }}
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/phylum-analyze.yml@main
permissions:
id-token: write
pull-requests: write
contents: read
deployments: write
secrets:
phylum_api_key: ${{ secrets.PHYLUM_API_KEY }}
with:
phylum_pr_number: ${{ github.event.number }}
phylum_pr_name: ${{ github.head_ref }}
phylum_group_name: Protocol
phylum_project_id: 3f5b2c53-46bd-4f68-b050-5898f929002f
github_repository: ${{ github.repository }}
add_report_comment_to_pull_request: true
snyk-scan-deps-licences:
name: Snyk deps/licences scan
runs-on: ubuntu-latest
permissions:
id-token: write
pull-requests: read
contents: read
deployments: write
steps:
- uses: RDXWorks-actions/checkout@main
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
app_name: 'babylon-node'
step_name: 'snyk-scan-deps-licenses'
secret_prefix: 'SNYK'
secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
parse_json: true
- name: Run Snyk to check for deps vulnerabilities
uses: RDXWorks-actions/snyk-actions/gradle-jdk17@master
with:
args: --all-projects --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=critical
snyk-scan-code:
name: Snyk code scan
runs-on: ubuntu-latest
permissions:
id-token: write
pull-requests: read
contents: read
deployments: write
steps:
- uses: RDXWorks-actions/checkout@main
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
app_name: 'babylon-node'
step_name: 'snyk-scan-code'
secret_prefix: 'SNYK'
secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
parse_json: true
- name: Run Snyk to check for code vulnerabilities
uses: RDXWorks-actions/snyk-actions/gradle-jdk17@master
continue-on-error: true
with:
args: --all-projects --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=high
command: code test
snyk-sbom:
name: Snyk SBOM
runs-on: ubuntu-latest
permissions:
id-token: write
pull-requests: read
contents: read
deployments: write
steps:
- uses: RDXWorks-actions/checkout@main
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
app_name: 'babylon-node'
step_name: 'snyk-sbom'
secret_prefix: 'SNYK'
secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
parse_json: true
- name: Generate SBOM # check SBOM can be generated but nothing is done with it
uses: RDXWorks-actions/snyk-actions/gradle-jdk17@master
with:
args: --all-projects --org=${{ env.SNYK_NETWORK_ORG_ID }} --format=cyclonedx1.4+json > sbom.json
command: sbom
build:
name: Unit tests and sonarqube
runs-on: selfhosted-ubuntu-22.04-16-cores
permissions:
id-token: write
contents: read
steps:
- uses: RDXWorks-actions/checkout@main
with:
# Shallow clones should be disabled for a better relevancy of analysis
fetch-depth: 0
- name: Setup environment
uses: ./.github/actions/setup-env
- name: Cache SonarCloud packages
uses: RDXWorks-actions/cache@main
with:
path: ~/.sonar/cache
key: ${{ runner.os }}-sonar
restore-keys: ${{ runner.os }}-sonar
- name: Cache Gradle packages
uses: RDXWorks-actions/cache@main
with:
path: ~/.gradle/caches
key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }}
restore-keys: ${{ runner.os }}-gradle
- name: Unit tests
# Theoretically, the lack of `--info` in the Gradle command below should completely suppress
# any (application's) output from the tests. However, our current Rust logging infra writes
# to STDOUT directly (i.e. bypasses the Gradle's hijacked output) and spams the unit test
# results - luckily, it respects the ENV var, and we can set it high enough.
env:
RADIXDLT_LOG_LEVEL: error
run: ./gradlew clean check jacocoTestReport --stacktrace --refresh-dependencies
- name: Install cargo-llvm-cov
uses: RDXWorks-actions/install-action@cargo-llvm-cov
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: ${{ secrets.COMMON_SECRETS_ROLE_ARN }}
app_name: "babylon-node"
step_name: "codecoverage"
secret_prefix: "CODECOV"
secret_name: ${{ secrets.AWS_SECRET_NAME_CODECOV }}
parse_json: true
- name: Generate Code Coverage
run: cd core-rust && cargo llvm-cov --lcov --output-path lcov.info && cd ..
- name: Upload to codecov.io
uses: RDXWorks-actions/codecov-action@main
with:
fail_ci_if_error: true
file: ./core-rust/lcov.info
name: codecov-rust
flags: rust
- name: DistZip
run: ./gradlew distZip
- name: Publish Java distZip
uses: RDXWorks-actions/upload-artifact@main
with:
path: ./core/build/distributions/core-*.zip
name: distZip
retention-days: 7
- uses: ./.github/actions/fetch-secrets
with:
role_name: "${{ secrets.COMMON_SECRETS_ROLE_ARN }}"
app_name: "babylon-node"
step_name: "build"
secret_prefix: "SONAR"
# SonarCloud access token should be generated from https://sonarcloud.io/account/security/
secret_name: "github-actions/common/sonar-token"
parse_json: true
- name: Sonar analysis
env:
# Needed to get some information about the pull request, if any
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: ./gradlew sonarqube
local-dev-sm-docker-build:
name: Test core-rust docker build for local development
runs-on: ubuntu-latest
steps:
- uses: RDXWorks-actions/checkout@main
with:
# Shallow clones should be disabled for a better relevancy of analysis
fetch-depth: 0
- name: Setup environment
uses: ./.github/actions/setup-env
- name: Cache Gradle packages
uses: RDXWorks-actions/cache@main
with:
path: ~/.gradle/caches
key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }}
restore-keys: ${{ runner.os }}-gradle
- name: Run local core-rust docker build
run: ./gradlew :core-rust:buildRustForDocker
steadystate-integration:
name: Steady state integration tests
runs-on: selfhosted-ubuntu-22.04-16-cores
steps:
- uses: RDXWorks-actions/checkout@main
with:
# Shallow clones should be disabled for a better relevancy of analysis
fetch-depth: 0
- name: Setup environment
uses: ./.github/actions/setup-env
- name: Cache Gradle packages
uses: RDXWorks-actions/cache@main
with:
path: ~/.gradle/caches
key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }}
restore-keys: ${{ runner.os }}-gradle
- name: Run steady-state integration tests
env:
# Might be set to warn for debugging purposes. Warning, log file will be huge.
RADIXDLT_LOG_LEVEL: error
run: ./gradlew clean runSteadyStateIntegrationTests --info --refresh-dependencies
targeted-integration:
name: Targeted integration tests
runs-on: selfhosted-ubuntu-22.04-16-cores
steps:
- uses: RDXWorks-actions/checkout@main
with:
# Shallow clones should be disabled for a better relevancy of analysis
fetch-depth: 0
- name: Setup environment
uses: ./.github/actions/setup-env
- name: Cache Gradle packages
uses: RDXWorks-actions/cache@main
with:
path: ~/.gradle/caches
key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }}
restore-keys: ${{ runner.os }}-gradle
- name: Run targeted integration tests
env:
# Might be set to warn for debugging purposes. Warning, log file will be huge.
RADIXDLT_LOG_LEVEL: error
run: ./gradlew clean runTargetedIntegrationTests --info --refresh-dependencies --parallel
cross-xwin:
name: Cross compile to Windows
runs-on: ubuntu-latest
steps:
- uses: RDXWorks-actions/checkout@main
with:
fetch-depth: 1
- name: Setup environment
uses: ./.github/actions/setup-env
with:
cross-compile-to-windows: "true"
- name: cross compile to windows
run: pushd core-rust; cargo xwin build --release --target x86_64-pc-windows-msvc
- name: Publish corerust.dll
uses: RDXWorks-actions/upload-artifact@main
with:
path: core-rust/target/x86_64-pc-windows-msvc/release/corerust.dll
name: corerust.dll
retention-days: 7