improve ci speed by using matrix to parallel jobs

.github/workflows/build.yml

@@ -20,9 +20,67 @@ env:
   CXX_x86_64-unknown-linux-gnu: clang-18
 
 jobs:
-  test:
-    name: Build+Test
+  build-test:
+    name: Build+Test (${{ matrix.group }})
     runs-on: ubuntu-24.04
+    strategy:
+      fail-fast: true
+      matrix:
+        include:
+          - group: stable-tests-all
+            needs_nightly: false
+            needs_sgx: false
+            needs_musl: false
+            commands: |
+              cargo test --verbose --locked --all --exclude sgxs-loaders --exclude async-usercalls && [ "$(echo $(nm -D target/debug/sgx-detect|grep __vdso_sgx_enter_enclave))" = "w __vdso_sgx_enter_enclave" ]
+          - group: stable-tests-separate
+            needs_nightly: false
+            needs_sgx: false
+            needs_musl: false
+            commands: |
+              cargo test --verbose --locked -p dcap-artifact-retrieval --features rustls-tls
+              cargo test --verbose --locked -p dcap-ql --features link
+              cargo test --verbose --locked -p dcap-ql --features verify
+              cargo test --verbose --locked -p ias --features mbedtls
+              cargo test --verbose --locked -p ias --features client,mbedtls
+              cargo test --locked -p nitro-attestation-verify --no-run && faketime '2021-09-10 11:00:00 GMT' cargo test --locked -p nitro-attestation-verify --lib
+          - group: nightly-sgx
+            needs_nightly: true
+            needs_sgx: true
+            needs_musl: false
+            commands: |
+              cargo +nightly test --verbose --locked -p async-usercalls --target x86_64-fortanix-unknown-sgx --no-run
+              cargo +nightly test --verbose --locked -p dcap-artifact-retrieval --target x86_64-fortanix-unknown-sgx --no-default-features --no-run
+              cargo +nightly build --verbose --locked -p aesm-client --target=x86_64-fortanix-unknown-sgx
+              cargo +nightly build --verbose --locked -p aesm-client --target=x86_64-fortanix-unknown-sgx --features sgx-isa/sgxstd
+              cargo +nightly test --verbose --locked -p sgx-isa --features sgxstd --target x86_64-fortanix-unknown-sgx --no-run
+              cargo +nightly test --verbose --locked -p pcs --target x86_64-fortanix-unknown-sgx --no-run
+              cargo +nightly test --verbose --locked -p pcs --features verify
+              cargo +nightly test -p insecure-time --features estimate_crystal_clock_freq
+              cargo +nightly build -p insecure-time --features estimate_crystal_clock_freq --target x86_64-fortanix-unknown-sgx
+              cargo build --verbose --locked -p em-app -p get-certificate --target=x86_64-fortanix-unknown-sgx
+          - group: musl-builds
+            needs_nightly: false
+            needs_sgx: false
+            needs_musl: true
+            commands: |
+              mkdir -p /tmp/muslinclude
+              ln -sf /usr/include/x86_64-linux-gnu/openssl /tmp/muslinclude/openssl
+              PKG_CONFIG_ALLOW_CROSS=1 CFLAGS=-I/tmp/muslinclude CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_LINKER=true cargo build --locked -p fortanix-sgx-tools --target x86_64-unknown-linux-musl
+              cargo build --verbose --locked -p em-app -p get-certificate --target=x86_64-unknown-linux-musl
+          - group: docs
+            needs_nightly: true
+            needs_sgx: true
+            needs_musl: false
+            commands: |
+              ./doc/generate-api-docs.sh
+          - group: examples
+            needs_nightly: false
+            needs_sgx: false
+            needs_musl: false
+            commands: |
+              cd ./examples/mem-alloc-test && cargo run
+              cd ../mem-correctness-test && cargo run
 
     env:
       CMAKE_POLICY_VERSION_MINIMUM: 3.5
@@ -42,85 +100,41 @@ jobs:
     - name: Install build dependencies
       run: sudo ./install_build_deps.sh
 
-    - name: Setup Rust toolchain
+    - name: Setup Rust toolchains and targets
       run: |
-        rustup target add x86_64-fortanix-unknown-sgx x86_64-unknown-linux-musl
-        rustup toolchain add nightly
-        rustup target add x86_64-fortanix-unknown-sgx --toolchain nightly
-        rustup update
-
-    - name: Cargo test --all --exclude sgxs-loaders
-      run: cargo test --verbose --locked --all --exclude sgxs-loaders --exclude async-usercalls && [ "$(echo $(nm -D target/debug/sgx-detect|grep __vdso_sgx_enter_enclave))" = "w __vdso_sgx_enter_enclave" ]
-
-    - name: Nightly test -p async-usercalls --target x86_64-fortanix-unknown-sgx --no-run
-      run: cargo +nightly test --verbose --locked -p async-usercalls --target x86_64-fortanix-unknown-sgx --no-run
-
-    - name: Nightly test -p dcap-artifact-retrieval --target x86_64-fortanix-unknown-sgx --no-default-features --no-run
-      run: cargo +nightly test --verbose --locked -p dcap-artifact-retrieval --target x86_64-fortanix-unknown-sgx --no-default-features --no-run
-
-    - name: Cargo test -p dcap-artifact-retrieval --features rustls-tls
-      run: cargo test --verbose --locked -p dcap-artifact-retrieval --features rustls-tls
-
-    - name: Cargo test -p dcap-ql --features link
-      run: cargo test --verbose --locked -p dcap-ql --features link
-
-    - name: Cargo test -p dcap-ql --features verify
-      run: cargo test --verbose --locked -p dcap-ql --features verify
-
-    - name: Cargo test -p ias --features mbedtls
-      run: cargo test --verbose --locked -p ias --features mbedtls
-
-    - name: Cargo test -p ias --features client,mbedtls
-      run: cargo test --verbose --locked -p ias --features client,mbedtls
-
-    # uses backtrace, which still requires nightly on SGX
-    - name: Nightly build -p aesm-client --target=x86_64-fortanix-unknown-sgx
-      run: cargo +nightly build --verbose --locked -p aesm-client --target=x86_64-fortanix-unknown-sgx
-
-    # uses sgxstd feature
-    - name: Nightly build -p aesm-client --target=x86_64-fortanix-unknown-sgx --features sgx-isa/sgxstd
-      run: cargo +nightly build --verbose --locked -p aesm-client --target=x86_64-fortanix-unknown-sgx --features sgx-isa/sgxstd
-
-    - name: Nightly test -p sgx-isa --features sgxstd --target x86_64-fortanix-unknown-sgx --no-run
-      run: cargo +nightly test --verbose --locked -p sgx-isa --features sgxstd --target x86_64-fortanix-unknown-sgx --no-run
-
-    - name: Nightly test -p pcs --target x86_64-fortanix-unknown-sgx
-      run: cargo +nightly test --verbose --locked -p pcs --target x86_64-fortanix-unknown-sgx --no-run
-
-    - name: Nightly test -p pcs --features verify
-      run: cargo +nightly test --verbose --locked -p pcs --features verify
-
-    # Unfortunately running `faketime '2021-09-10 11:00:00 GMT' cargo test -p nitro-attestation-verify` causes a segmentation
-    #  fault while compiling. We only execute `faketime` during the tests
-    #- run: cargo test --locked -p nitro-attestation-verify --no-run && faketime '2021-09-08 11:00:00 GMT' cargo test --locked -p nitro-attestation-verify --lib
+        rustup toolchain install stable --profile minimal
+        if [ "${{ matrix.needs_nightly }}" = "true" ]; then
+          rustup toolchain install nightly --profile minimal
+        fi
+        if [ "${{ matrix.needs_sgx }}" = "true" ]; then
+          rustup target add x86_64-fortanix-unknown-sgx
+          if [ "${{ matrix.needs_nightly }}" = "true" ]; then
+            rustup target add x86_64-fortanix-unknown-sgx --toolchain nightly
+          fi
+        fi
+        if [ "${{ matrix.needs_musl }}" = "true" ]; then
+          rustup target add x86_64-unknown-linux-musl
+        fi
 
-    - name: Cargo test nitro-attestation-verify with faketime
-      run: cargo test --locked -p nitro-attestation-verify --no-run && faketime '2021-09-10 11:00:00 GMT' cargo test --locked -p nitro-attestation-verify --lib
+    - uses: Swatinem/rust-cache@v2
+      with:
+        shared-key: ${{ matrix.group }}
+        cache-all-crates: true
 
-    - name: Build fortanix-sgx-tools for x86_64-unknown-linux-musl
-      # NOTE: Skipping linking with the glibc version of OpenSSL to produce a musl based binary. It is unlikely that this would produce a working binary anyway.
+    - name: Run matrix commands
       run: |
-        mkdir -p /tmp/muslinclude
-        ln -sf /usr/include/x86_64-linux-gnu/openssl /tmp/muslinclude/openssl
-        PKG_CONFIG_ALLOW_CROSS=1 CFLAGS=-I/tmp/muslinclude CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_LINKER=true cargo build --locked -p fortanix-sgx-tools --target x86_64-unknown-linux-musl
-
-    - name: Build em-app, get-certificate for x86_64-unknown-linux-musl
-      run: cargo build --verbose --locked -p em-app -p get-certificate --target=x86_64-unknown-linux-musl
-
-    - name: Build em-app, get-certificate for x86_64-fortanix-unknown-sgx
-      run: cargo build --verbose --locked -p em-app -p get-certificate --target=x86_64-fortanix-unknown-sgx
-
-    - name: insecure-time test
-      run: cargo +nightly test -p insecure-time --features estimate_crystal_clock_freq
-
-    - name: insecure-time build for SGX platform
-      run: cargo +nightly build -p insecure-time --features estimate_crystal_clock_freq --target x86_64-fortanix-unknown-sgx
+        ${{ matrix.commands }}
 
-    - name: Generate API docs
-      run: ./doc/generate-api-docs.sh
-
-    - name: Run memory allocator stress test
-      run: cd ./examples/mem-alloc-test && cargo run
-
-    - name: snmalloc correntness test
-      run: cd ./examples/mem-correctness-test && cargo run
+  build-test-summary:
+    name: Build+Test
+    runs-on: ubuntu-24.04
+    needs: [build-test]
+    if: ${{ always() }}
+    steps:
+    - name: Summarize Build+Test matrix
+      run: |
+        if [ "${{ needs.build-test.result }}" != "success" ]; then
+          echo "Build+Test matrix failed"
+          exit 1
+        fi
+        echo "Build+Test matrix succeeded"

install_build_deps.sh

@@ -11,6 +11,18 @@ info() {
     echo "[INFO] $*"
 }
 
+apt_get_with_retry() {
+    local -r retries="${APT_GET_RETRIES:-3}"
+    local -r timeout_seconds="${APT_GET_TIMEOUT_SECONDS:-10}"
+
+    run_as_root apt-get \
+        -o Acquire::Retries="$retries" \
+        -o Acquire::http::Timeout="$timeout_seconds" \
+        -o Acquire::https::Timeout="$timeout_seconds" \
+        -o DPkg::Lock::Timeout="$timeout_seconds" \
+        "$@"
+}
+
 require_command() {
     command -v "$1" >/dev/null 2>&1 || error "Required command '$1' not found. Please install it."
 }
@@ -43,8 +55,8 @@ fi
 export DEBIAN_FRONTEND=noninteractive
 
 info "Updating package lists and installing gpg..."
-$SUDO apt-get update -y
-$SUDO apt-get install -y gpg
+apt_get_with_retry update -y
+apt_get_with_retry install -y gpg
 
 info "Adding Intel SGX package repository key..."
 cat intel-sgx-deb.key | gpg --dearmor | $SUDO tee /usr/share/keyrings/intel-sgx-deb.gpg > /dev/null
@@ -54,9 +66,9 @@ ARCH=$(dpkg --print-architecture)
 echo "deb [arch=$ARCH signed-by=/usr/share/keyrings/intel-sgx-deb.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu noble main" | $SUDO tee /etc/apt/sources.list.d/intel-sgx-deb.list > /dev/null
 
 info "Updating package lists..."
-$SUDO apt-get update -y
+apt_get_with_retry update -y
 
 info "Installing build dependencies: faketime protobuf-compiler libsgx-dcap-ql-dev clang-18 musl-tools gcc-multilib"
-$SUDO apt-get install -y faketime protobuf-compiler libsgx-dcap-ql-dev clang-18 musl-tools gcc-multilib
+apt_get_with_retry install -y faketime protobuf-compiler libsgx-dcap-ql-dev clang-18 musl-tools gcc-multilib
 
 info "All dependencies installed successfully."