hyperlight-dev
diff --git a/‎.editorconfig‎
Lines changed: 23 additions & 0 deletions b/‎.editorconfig‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎.github/dependabot.yml‎
Lines changed: 6 additions & 0 deletions b/‎.github/dependabot.yml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎.github/release.yml‎
Lines changed: 36 additions & 0 deletions b/‎.github/release.yml‎
Lines changed: 36 additions & 0 deletions
diff --git a/‎.github/workflows/Benchmarks.yml‎
Lines changed: 93 additions & 0 deletions b/‎.github/workflows/Benchmarks.yml‎
Lines changed: 93 additions & 0 deletions
diff --git a/‎.github/workflows/CargoAudit.yml‎
Lines changed: 26 additions & 0 deletions b/‎.github/workflows/CargoAudit.yml‎
Lines changed: 26 additions & 0 deletions
diff --git a/‎.github/workflows/CargoPublish.yml‎
Lines changed: 79 additions & 0 deletions b/‎.github/workflows/CargoPublish.yml‎
Lines changed: 79 additions & 0 deletions
diff --git a/‎.github/workflows/CleanUpReleasesAndPackages.yml‎
Lines changed: 36 additions & 0 deletions b/‎.github/workflows/CleanUpReleasesAndPackages.yml‎
Lines changed: 36 additions & 0 deletions
@@ -0,0 +1,23 @@
+# Reference: https://github.com/dotnet/roslyn/blob/main/.editorconfig
+# EditorConfig is awesome: https://EditorConfig.org
+
+# top-most EditorConfig file
+root = true
+[*]
+indent_style = space
+indent_size = 4
+insert_final_newline = true
+charset = utf-8
+
+# JSON files
+[*.json]
+indent_size = 2
+
+# Powershell files
+[*.ps1]
+indent_size = 2
+
+# Shell script files
+[*.sh]
+end_of_line = lf
+indent_size = 2
@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
@@ -0,0 +1,36 @@
+# .github/release.yml
+
+changelog:
+  exclude:
+    labels:
+      - chore
+      - ignore
+  categories:
+    - title: 🛠 Breaking Changes 
+      labels:
+        - breaking-change
+    - title: 🎉 New Features 
+      labels:
+        - enhancement
+        - feature
+    - title: 🐛 Bug Fixes
+      labels:
+        - bug
+    - title: 🔒 Security Fixes
+      labels:
+        - security
+    - title: 🚀 Performance Improvements
+      labels:
+        - performance
+    - title: 👒 Dependencies
+      labels:
+        - dependencies
+    - title: 📚 Documentation
+      labels:
+        - documentation
+    - title: 🔬 Testing
+      labels:
+        - testing
+    - title: 📝 Other Changes
+      labels:
+        - "*"
@@ -0,0 +1,93 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+name: Benchmarks
+
+on:
+  workflow_call: # This is called from CreateRelease.yml
+    secrets:
+      ADO_HYPERLIGHT_CARGO_RO_AZURE_CLIENT_ID:
+        required: true
+      AZURE_TENANT_ID:
+        required: true
+    inputs:
+      environment:
+        required: false
+        type: string
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  # this job requires the build-guest-binaries job be complete prior to
+  # its execution. this dependency should be expressed in the dependent
+  # workflow
+  benchmark:
+    environment: ${{ inputs.environment }}
+    strategy:
+      fail-fast: true
+      matrix:
+        build: [windows-2022-release, linux-kvm-release, linux-hyperv-release]
+        include:
+          - build: windows-2022-release
+            os: [self-hosted, Windows, X64, "1ES.Pool=HL-win-2022-amd"]
+            hypervisor: none
+          - build: linux-kvm-release
+            os: [self-hosted, Linux, X64, "1ES.Pool=HL-Ubuntu-22.04-KVM"]
+            hypervisor: kvm
+          - build: linux-hyperv-release
+            os: [self-hosted, Linux, X64, "1ES.Pool=HL-mshv-dev"]
+            hypervisor: hyperv
+
+    runs-on: ${{ matrix.os }}
+    steps:
+      ### Setup ###
+
+      - uses: actions/checkout@v4
+
+      - uses: hyperlight-dev/[email protected]
+        with:
+          rust-toolchain: "1.81.0"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Download Guest Binaries
+        uses: actions/download-artifact@v3
+        with:
+          name: guest-binaries-release
+          path: ./downloaded-guest-binaries-release
+
+      - name: Copy Guest Binaries
+        run: |
+          cp ./downloaded-guest-binaries-release/callbackguest ./src/tests/rust_guests/bin/release/callbackguest
+          cp ./downloaded-guest-binaries-release/callbackguest.exe ./src/tests/rust_guests/bin/release/callbackguest.exe
+          cp ./downloaded-guest-binaries-release/simpleguest ./src/tests/rust_guests/bin/release/simpleguest
+          cp ./downloaded-guest-binaries-release/simpleguest.exe ./src/tests/rust_guests/bin/release/simpleguest.exe
+          cp ./downloaded-guest-binaries-release/dummyguest ./src/tests/rust_guests/bin/release/dummyguest
+
+      ### Benchmarks ###
+      - name: Install github-cli (Linux mariner)
+        if: runner.os == 'Linux' && matrix.hypervisor == 'hyperv'
+        run: sudo dnf install gh -y
+
+      - name: Install github-cli (Linux ubuntu)
+        if: runner.os == 'Linux' && matrix.hypervisor == 'kvm'
+        run: sudo apt install gh -y
+
+      - name: Fetch tags
+        run: git fetch --tags origin
+
+      - name: Download benchmarks from most recent release
+        run: just bench-download ${{ runner.os }} ${{ matrix.hypervisor }} # skip tag parameter to compare to latest stable release
+        continue-on-error: true
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run Benchmarks
+        run: just bench-ci dev release
+
+      - uses: actions/upload-artifact@v3
+        with:
+          name: benchmarks_${{runner.os}}_${{matrix.hypervisor}}
+          path: ./target/criterion/
+          if-no-files-found: error
@@ -0,0 +1,26 @@
+name: Audit cargo dependencies for security vulnerabilities
+on:
+  schedule:
+    - cron: "0 9 * * 1" # run at 9am every Monday
+  workflow_dispatch: # allow manual triggering
+
+permissions:
+    issues: write # Creates issues for any vulnerabilities found
+    contents: read 
+    checks: write # Needs to create check
+
+jobs:
+  audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      # We are not using the common workflow here because it installs a bunch of tools we don't need.
+      # TODO: Once the runner image is updated to include the necessary tools (without downloading), we can switch to the common workflow.
+      - uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: "1.81.0"
+                 
+      - uses: rustsec/[email protected]
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
@@ -0,0 +1,79 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+name: Publish crates to intenral cargo registry
+
+on:
+  workflow_dispatch:
+  workflow_call:
+    secrets:
+        ADO_HYPERLIGHT_CARGO_RW_AZURE_CLIENT_ID:
+          required: true
+        AZURE_TENANT_ID:
+          required: true
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  publish-hyperlight-packages:
+    environment: release
+    runs-on: [self-hosted, Linux, X64, "1ES.Pool=HL-Ubuntu-22.04-KVM"]
+
+    # We should only publish from dev if minver contains `-preview`
+    if: ${{ contains(github.ref, 'refs/heads/release/') }} || ${{ github.ref=='refs/heads/dev' }}
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+
+      - uses: hyperlight-dev/[email protected]
+        with:
+          rust-toolchain: "1.81.0"
+
+      - name: Set up cargo workspaces version
+        run: |
+          cargo install cargo-workspaces
+          cargo install minver_rs
+          git config --global user.email "${{ github.actor }}@users.noreply.github.com"
+          git config --global user.Name "${{ github.actor }}"
+
+      - name: Set crate versions
+        run: |
+          git fetch --tags || true
+          version=$(MINVER_TAG_PREFIX=v MINVER_AUTO_INCREMENT_LEVEL=Minor MINVER_PRERELEASE_IDENTIFIER=preview minver)
+          echo "Setting version to $version"
+          cargo ws version --force=hyperlight_* --no-git-commit --yes custom $version
+          echo "HYPERLIGHT_VERSION=$version" >> "$GITHUB_ENV"
+
+      - name: Determine if we should publish crates
+        run: |
+          echo "github.ref=${{ github.ref }}"
+          echo "HYPERLIGHT_VERSION=$HYPERLIGHT_VERSION"
+          if [[ ${{ github.ref }} =~ 'refs/heads/release/' || ( ${{ github.ref }} == 'refs/heads/dev' &&  $HYPERLIGHT_VERSION =~ '-preview' ) ]]
+          then
+            echo "Setting SHOULD_PUBLISH in GITHUB_ENV"
+            echo "SHOULD_PUBLISH=true" >> "$GITHUB_ENV"
+          fi
+      # `allow-dirty` is needed in the publish below because we are using the `--no-git-commit`
+      # option above to cover the case where no changes are made by cargo ws version because the version
+      # is already correct
+      - name: Publish hyperlight-flatbuffers
+        if: ${{ env.SHOULD_PUBLISH == 'true' }}
+        run: cargo publish --manifest-path ./src/hyperlight_common/Cargo.toml --registry hyperlight_packages --allow-dirty
+
+      - name: Publish hyperlight-guest
+        if: ${{ env.SHOULD_PUBLISH == 'true' }}
+        run: cargo publish --manifest-path ./src/hyperlight_guest/Cargo.toml --registry hyperlight_packages --allow-dirty
+
+      - name: Publish hyperlight-host
+        if: ${{ env.SHOULD_PUBLISH == 'true' }}
+        run: cargo publish --manifest-path ./src/hyperlight_host/Cargo.toml --registry hyperlight_packages --allow-dirty
+
+        # `--no-verify` is needed because build.rs writes to "include/hyperlight_guest.h", but since we exclude that directory in Cargo.toml, it should be fine.
+        # Cargo does not want you to modify files outside of OUT_DIR
+      - name: Publish hyperlight-guest-capi
+        if: ${{ env.SHOULD_PUBLISH == 'true' }}
+        run: cd ./src/hyperlight_guest_capi && cargo publish --registry hyperlight_packages --no-verify --allow-dirty # cd is required because of https://github.com/rust-lang/cargo/issues/10302
@@ -0,0 +1,36 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+# This job cleans up old pre-releases and pre-releases packages retaining the last 40 versions
+
+name: Clean up old pre-releases and packages and artifacts
+on:
+  schedule:
+    - cron: "0 8 * * 1" # run at 8am every Monday
+  workflow_dispatch: # allow manual triggering
+
+jobs:
+  cleanup:
+    name: Clean up old pre-releases and packages
+    runs-on: ubuntu-latest
+    permissions:
+      actions: write  # required for reading & deleting github actions artifacts
+      contents: write  # required for reading and deleting releases
+
+    steps:
+
+      - name: Delete old 'Hyperlight' releases
+        uses: sgpublic/[email protected]
+        with:
+          pre-release-drop: true
+          pre-release-keep-count: 5
+          pre-release-drop-tag: true
+          draft-drop: false
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+
+      - uses: actions/checkout@v4
+
+      - name: Delete old Github Actions Artifacts
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: ./dev/clean-github-artifacts.sh