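name: PR
# Controls when the action will run.
on:
  # Runs on every push to any branch ('**' matches all branches, not only master).
  # A push-only trigger means pull requests from forks never run this workflow,
  # so the repository secret used below (GH_READ_TOKEN) is only reachable from
  # pushes by people with write access.
  push:
    branches:
      - '**'
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

# Least privilege for the default GITHUB_TOKEN. Read access is all the jobs
# below need: no step requests an OIDC token (id-token) and no step uploads
# SARIF / code-scanning results (security-events). Grant those scopes on the
# specific job that needs them if such a step is ever added.
permissions:
  contents: read

# A workflow run is made up of one or more jobs that can run sequentially or in parallel.
# Supply-chain note: every third-party action is referenced by a mutable tag
# (@v4, @v2, @v2.2); pinning to a full commit SHA protects against a tag being
# moved to different code. actions-rs/toolchain is unmaintained upstream
# (archived) and should be replaced by a maintained toolchain action.
jobs:
  format:
    name: Check Lints
    runs-on: ubuntu-24.04
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
      - uses: actions/checkout@v4
      - name: Install toolchain
        uses: actions-rs/toolchain@v1
        with:
          toolchain: '1.90.0'
          override: true
          components: rustfmt
      - name: Check TOML
        uses: dprint/check@v2.2
      - name: Check Format
        run: |
          cargo fmt -- --check

  security-audit:
    name: Security Audit
    runs-on: ubuntu-24.04
    timeout-minutes: 30
    # continue-on-error keeps this job advisory only: a finding never fails the
    # workflow. Remove it once the advisory backlog is clean so that new
    # RustSec advisories block merges.
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4
      - name: Install toolchain
        uses: actions-rs/toolchain@v1
        with:
          toolchain: '1.90.0'
          override: true
      - name: Rust Cache
        uses: Swatinem/rust-cache@v2
      - name: Configure Git
        # The token is handed to the script through the environment instead of
        # being expanded by ${{ }} into the command text, so it is never part of
        # the generated shell line.
        env:
          GH_READ_TOKEN: ${{ secrets.GH_READ_TOKEN }}
        run: git config --global "url.https://${GH_READ_TOKEN}:x-oauth-basic@github.com/.insteadOf" "https://github.com/"
      - name: Basic vulnerability check
        run: |
          # cargo tree --duplicates only lists crates present in more than one
          # version; it does not consult any advisory database.
          cargo tree --duplicates
          echo "✅ Basic dependency check completed"
      - name: Check for known vulnerable crates (manual)
        run: |
          # Pattern match on Cargo.toml only; informational, never fails the step.
          echo "🔍 Checking for known vulnerable crate patterns..."
          if grep -r "openssl.*0\." Cargo.toml; then
            echo "⚠️ Old OpenSSL version detected"
          fi
          echo "✅ Manual vulnerability patterns check completed"
      - name: Install cargo-audit
        run: cargo install cargo-audit --locked
      - name: Audit Cargo.lock against the RustSec advisory database
        # The actual vulnerability check: fails when a locked dependency has a
        # published advisory, which the two informational steps above cannot detect.
        run: cargo audit

  # Split cargo check into parallel jobs for faster execution
  check-runtime:
    name: Check Runtime
    needs: format
    runs-on: ubuntu-24.04
    # No timeout-minutes here: the default job timeout (6 hours) applies.
    steps:
      - uses: actions/checkout@v4
      - name: Install linux dependencies
        run: sudo apt update && sudo apt install -y cargo clang libssl-dev llvm libudev-dev protobuf-compiler
      - name: Install toolchain and rust-src
        uses: actions-rs/toolchain@v1
        with:
          toolchain: '1.90.0'
          override: true
          target: wasm32-unknown-unknown
          components: rust-src
      - name: Enhanced Rust Cache
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: 'runtime-build'
          cache-on-failure: true
      - name: Configure Git
        # Token passed via env, not expanded into the command text (see security-audit).
        env:
          GH_READ_TOKEN: ${{ secrets.GH_READ_TOKEN }}
        run: git config --global "url.https://${GH_READ_TOKEN}:x-oauth-basic@github.com/.insteadOf" "https://github.com/"
      - name: Check Runtime Build (Optimized)
        run: |
          # Build with optimizations for speed
          CARGO_INCREMENTAL=1 cargo check --release --features try-runtime --package cere-runtime --package cere-dev-runtime
      - name: Run dev chain
        run: |
          cargo build --release --bin cere
          timeout --preserve-status 30s ./target/release/cere --dev

  check-node:
    name: Check Node
    needs: format
    runs-on: ubuntu-24.04
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@v4
      - name: Install linux dependencies
        run: sudo apt update && sudo apt install -y cargo clang libssl-dev llvm libudev-dev protobuf-compiler
      - name: Install toolchain and rust-src
        uses: actions-rs/toolchain@v1
        with:
          toolchain: '1.90.0'
          override: true
          target: wasm32-unknown-unknown
          components: rust-src
      - name: Enhanced Rust Cache
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: 'node-build'
          cache-on-failure: true
      - name: Configure Git
        # Token passed via env, not expanded into the command text (see security-audit).
        env:
          GH_READ_TOKEN: ${{ secrets.GH_READ_TOKEN }}
        run: git config --global "url.https://${GH_READ_TOKEN}:x-oauth-basic@github.com/.insteadOf" "https://github.com/"
      - name: Check Node Components
        run: |
          # Check node components in parallel where possible
          CARGO_INCREMENTAL=1 cargo check --release --features runtime-benchmarks --workspace --exclude cere-runtime --exclude cere-dev-runtime

  check-try-runtime:
    name: Try-Runtime Check
    needs: format
    runs-on: ubuntu-24.04
    # Advisory only: this job talks to a live devnet RPC endpoint, so a network
    # or chain-state problem must not block the workflow.
    continue-on-error: true
    # No timeout-minutes here: the default job timeout (6 hours) applies.
    steps:
      - uses: actions/checkout@v4
      - name: Install linux dependencies
        run: sudo apt update && sudo apt install -y cargo clang libssl-dev llvm libudev-dev protobuf-compiler
      - name: Install toolchain and rust-src
        uses: actions-rs/toolchain@v1
        with:
          toolchain: '1.90.0'
          override: true
          target: wasm32-unknown-unknown
          components: rust-src
      - name: Enhanced Rust Cache
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: 'runtime-build'
          cache-on-failure: true
      - name: Configure Git
        # Token passed via env, not expanded into the command text (see security-audit).
        env:
          GH_READ_TOKEN: ${{ secrets.GH_READ_TOKEN }}
        run: git config --global "url.https://${GH_READ_TOKEN}:x-oauth-basic@github.com/.insteadOf" "https://github.com/"
      - name: Install try-runtime
        # Pinned to a tag and --locked so the installed CLI is reproducible.
        run: cargo install --git https://github.com/paritytech/try-runtime-cli --tag v0.8.0 --locked
      - name: Build for try-runtime
        run: |
          CARGO_INCREMENTAL=1 cargo build --release --features try-runtime
      - name: Check Try-Runtime
        run: |
          try-runtime --runtime ./target/release/wbuild/cere-dev-runtime/cere_dev_runtime.compact.compressed.wasm \
            on-runtime-upgrade --disable-idempotency-checks --blocktime 6000 live --uri wss://rpc.devnet.cere.network:443

  clippy:
    name: Run Clippy
    needs: format
    runs-on: ubuntu-24.04
    timeout-minutes: 45
    steps:
      - uses: actions/checkout@v4
      - name: Install linux dependencies
        run: sudo apt update && sudo apt install -y cargo clang libssl-dev llvm libudev-dev protobuf-compiler
      - name: Install toolchain
        uses: actions-rs/toolchain@v1
        with:
          toolchain: '1.90.0'
          override: true
          target: wasm32-unknown-unknown
          components: rust-src
      - name: Enhanced Rust Cache
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: 'clippy-build'
          cache-on-failure: true
      - name: Configure Git
        # Token passed via env, not expanded into the command text (see security-audit).
        env:
          GH_READ_TOKEN: ${{ secrets.GH_READ_TOKEN }}
        run: git config --global "url.https://${GH_READ_TOKEN}:x-oauth-basic@github.com/.insteadOf" "https://github.com/"
      - name: Check with Clippy (Optimized)
        run: |
          # Run clippy with incremental compilation
          CARGO_INCREMENTAL=1 cargo clippy --no-deps --all-targets --features runtime-benchmarks,try-runtime --workspace -- --deny warnings

  tests:
    name: Run tests
    needs: format
    # The type of runner that the job will run on. Unlike the hosted jobs above,
    # a self-hosted runner's home directory can persist between jobs, so anything
    # written to ~/.gitconfig here must be cleaned up at the end of the job.
    runs-on:
      - self-hosted
      - cere-network-memory-large
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
      - uses: actions/checkout@v4
      - name: Install linux dependencies
        run: sudo apt update && sudo apt install -y cargo clang libssl-dev llvm libudev-dev protobuf-compiler make pkg-config
      - name: Install toolchain
        uses: actions-rs/toolchain@v1
        with:
          toolchain: '1.90.0'
          override: true
          target: wasm32-unknown-unknown
          components: rust-src
      - name: Configure Git
        # Token passed via env, not expanded into the command text (see security-audit).
        env:
          GH_READ_TOKEN: ${{ secrets.GH_READ_TOKEN }}
        run: git config --global "url.https://${GH_READ_TOKEN}:x-oauth-basic@github.com/.insteadOf" "https://github.com/"
      - name: Enhanced Rust Cache
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: 'test-build'
          cache-on-failure: true
      - name: Install cargo-tarpaulin
        run: |
          # Install from source to avoid missing prebuilt binary tarballs on the runner
          cargo install cargo-tarpaulin --version 0.30.0 --locked
      - name: Run cargo-tarpaulin
        run: |
          cargo tarpaulin --verbose --locked --no-fail-fast --workspace \
            --features runtime-benchmarks --out "Xml" -- \
            --skip mock_clusters_gov::__construct_runtime_integrity_test::runtime_integrity_tests \
            --skip tests::call_size
      - name: Upload coverage report
        uses: actions/upload-artifact@v4
        with:
          name: tarpaulin coverage
          path: ./tarpaulin-report.xml
      - name: Remove Git credential rewrite
        # Runs even when an earlier step failed: the insteadOf entry written by
        # "Configure Git" embeds the token, and on a non-ephemeral self-hosted
        # runner ~/.gitconfig would otherwise carry it into later jobs.
        if: always()
        env:
          GH_READ_TOKEN: ${{ secrets.GH_READ_TOKEN }}
        run: git config --global --unset-all "url.https://${GH_READ_TOKEN}:x-oauth-basic@github.com/.insteadOf" || true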