Files
third_party_rust_regex/.github/workflows/ci.yml
T
Alex 24ee58c399 ci: harden configuration
This makes it so the permissions are locked down by default. The threat
model here is something like, "what happens if an authorized party gains
control of the non-PR CI configuration somehow."

To be honest, I (BurntSushi) don't quite understand how that might
happen without also the ability to set the permissions itself. But
locking permissions down by default does seem like a good and sensible
thing to do.

Closes #932
2022-12-08 14:53:25 -05:00

192 lines
5.9 KiB
YAML

name: ci
on:
pull_request:
push:
branches:
- master
schedule:
- cron: '00 01 * * *'
# The section is needed to drop write-all permissions that are granted on
# `schedule` event. By specifying any permission explicitly all others are set
# to none. By using the principle of least privilege the damage a compromised
# workflow can do (because of an injection or compromised third party tool or
# action) is restricted. Currently the worklow doesn't need any additional
# permission except for pulling the code. Adding labels to issues, commenting
# on pull-requests, etc. may need additional permissions:
#
# Syntax for this section:
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
#
# Reference for how to assign permissions on a job-by-job basis:
# https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
#
# Reference for available permissions that we can enable if needed:
# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
permissions:
# to fetch code (actions/checkout)
contents: read
jobs:
test:
name: test
env:
# For some builds, we use cross to test on 32-bit and big-endian
# systems.
CARGO: cargo
# When CARGO is set to CROSS, TARGET is set to `--target matrix.target`.
TARGET:
runs-on: ${{ matrix.os }}
strategy:
matrix:
build:
- pinned
- stable
- stable-32
- stable-mips
- beta
- nightly
- macos
- win-msvc
- win-gnu
include:
- build: pinned
os: ubuntu-latest
rust: 1.41.1
- build: stable
os: ubuntu-latest
rust: stable
- build: stable-32
os: ubuntu-latest
rust: stable
target: i686-unknown-linux-gnu
- build: stable-mips
os: ubuntu-latest
rust: stable
target: mips64-unknown-linux-gnuabi64
- build: beta
os: ubuntu-latest
rust: beta
- build: nightly
os: ubuntu-latest
rust: nightly
- build: macos
os: macos-latest
rust: stable
- build: win-msvc
os: windows-latest
rust: stable
- build: win-gnu
os: windows-latest
rust: stable-x86_64-gnu
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Install Rust
uses: dtolnay/rust-toolchain@v1
with:
toolchain: ${{ matrix.rust }}
- name: Install and configure Cross
if: matrix.target != ''
run: |
# We used to install 'cross' from master, but it kept failing. So now
# we build from a known-good version until 'cross' becomes more stable
# or we find an alternative. Notably, between v0.2.1 and current
# master (2022-06-14), the number of Cross's dependencies has doubled.
cargo install --bins --git https://github.com/rust-embedded/cross --tag v0.2.1
echo "CARGO=cross" >> $GITHUB_ENV
echo "TARGET=--target ${{ matrix.target }}" >> $GITHUB_ENV
- name: Show command used for Cargo
run: |
echo "cargo command is: ${{ env.CARGO }}"
echo "target flag is: ${{ env.TARGET }}"
- name: Show CPU info for debugging
if: matrix.os == 'ubuntu-latest'
run: lscpu
- name: Basic build
run: ${{ env.CARGO }} build --verbose $TARGET
- name: Build docs
run: ${{ env.CARGO }} doc --verbose $TARGET
# Our dev dependencies evolve more rapidly than we'd like, so only run
# tests when we aren't pinning the Rust version.
#
# Also, our "full" test suite does quite a lot of work, so we only run it
# on one build. Otherwise, we just run the "default" set of tests.
- name: Run subset of tests
if: matrix.build != 'pinned' && matrix.build != 'stable'
run: ${{ env.CARGO }} test --verbose --test default $TARGET
- name: Run full test suite
if: matrix.build == 'stable'
# 'stable' is Linux only, so we have bash.
run: ./test
- name: Run randomized tests against regexes from the wild
if: matrix.build == 'stable'
run: |
# We run the tests in release mode since it winds up being faster.
RUST_REGEX_RANDOM_TEST=1 ${{ env.CARGO }} test --release --verbose --test crates-regex $TARGET
- name: Build regex-syntax docs
if: matrix.build != 'pinned'
run: |
${{ env.CARGO }} doc --verbose --manifest-path regex-syntax/Cargo.toml $TARGET
- name: Run subset of regex-syntax tests
if: matrix.build != 'pinned' && matrix.build != 'stable'
run: |
${{ env.CARGO }} test --verbose --manifest-path regex-syntax/Cargo.toml $TARGET
- name: Run full regex-syntax test suite
if: matrix.build == 'stable'
run: |
# 'stable' is Linux only, so we have bash.
cd regex-syntax
./test
- name: Run regex-capi tests
if: matrix.build == 'stable'
run: |
# 'stable' is Linux only, so we have bash.
cd regex-capi
./test
- if: matrix.build == 'nightly'
name: Compile regex-debug
run: |
${{ env.CARGO }} build --verbose --manifest-path regex-debug/Cargo.toml $TARGET
- if: matrix.build == 'nightly'
name: Run benchmarks as tests
run: |
cd bench
./run rust --no-run --verbose
- if: matrix.build == 'nightly'
name: Run tests with pattern feature
run: |
cargo test --test default --no-default-features --features 'std pattern unicode-perl'
rustfmt:
name: rustfmt
runs-on: ubuntu-18.04
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Install Rust
uses: dtolnay/rust-toolchain@v1
with:
toolchain: stable
components: rustfmt
- name: Check formatting
run: |
cargo fmt --all -- --check