Skip to content

Commit f200d47

Browse files
evansimsevansims
committed
ci: improvements
1 parent 03e004d commit f200d47

File tree

22 files changed

+778
-3669
lines changed

22 files changed

+778
-3669
lines changed

.github/workflows/canary.yml

Lines changed: 137 additions & 70 deletions
Large diffs are not rendered by default.

.github/workflows/ci.yml

Lines changed: 43 additions & 39 deletions
Original file line numberDiff line numberDiff line change
@@ -35,17 +35,17 @@ jobs:
3535
if: github.event_name == 'pull_request'
3636
steps:
3737
- name: Harden the runner (Audit all outbound calls)
38-
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
38+
uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
3939
with:
4040
egress-policy: audit
4141

4242
- name: Checkout code
43-
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
43+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
4444
with:
4545
fetch-depth: 0
4646

4747
- name: Validate PR title
48-
uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
48+
uses: step-security/action-semantic-pull-request@bc0cf74f5be4ce34accdec1ae908dff38dc5def1 # v6.1.1
4949
env:
5050
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
5151
with:
@@ -60,6 +60,10 @@ jobs:
6060
build
6161
ci
6262
chore
63+
revert
64+
dx
65+
ai
66+
imp
6367
requireScope: false
6468
subjectPattern: ^[a-z].*$
6569
subjectPatternError: |
@@ -77,12 +81,12 @@ jobs:
7781
code: ${{ steps.filter.outputs.code }}
7882
steps:
7983
- name: Harden the runner (Audit all outbound calls)
80-
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
84+
uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
8185
with:
8286
egress-policy: audit
8387

8488
- name: Checkout code
85-
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
89+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
8690

8791
- name: Check for code changes
8892
id: filter
@@ -106,12 +110,12 @@ jobs:
106110
contents: read
107111
steps:
108112
- name: Harden the runner (Audit all outbound calls)
109-
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
113+
uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
110114
with:
111115
egress-policy: audit
112116

113117
- name: Checkout code
114-
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
118+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
115119

116120
- name: Install Rust nightly toolchain
117121
uses: dtolnay/rust-toolchain@0b1efabc08b657293548b77fb76cc02d26091c7e # master
@@ -134,12 +138,12 @@ jobs:
134138
RUSTFLAGS: "-C codegen-units=16 -C link-arg=-fuse-ld=mold"
135139
steps:
136140
- name: Harden the runner (Audit all outbound calls)
137-
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
141+
uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
138142
with:
139143
egress-policy: audit
140144

141145
- name: Checkout code
142-
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
146+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
143147
with:
144148
submodules: true
145149

@@ -161,7 +165,7 @@ jobs:
161165
cache: true
162166

163167
- name: Cache Rust dependencies
164-
uses: step-security/rust-cache@f8fba7098297c8c53a7c9a30575ec2ad4ad85056 # v2.8.2
168+
uses: step-security/rust-cache@9be15b830520fab0ec3939586e917e4855cf76bd # v2.8.3
165169
with:
166170
shared-key: ubuntu-latest-x86_64-unknown-linux-gnu
167171
save-if: false
@@ -183,7 +187,7 @@ jobs:
183187
RUSTFLAGS: "-C codegen-units=16 -C link-arg=-fuse-ld=mold"
184188
steps:
185189
- name: Harden the runner (Audit all outbound calls)
186-
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
190+
uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
187191
with:
188192
egress-policy: audit
189193

@@ -196,7 +200,7 @@ jobs:
196200
df -h
197201
198202
- name: Checkout code
199-
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
203+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
200204
with:
201205
submodules: true
202206

@@ -217,7 +221,7 @@ jobs:
217221
cache: true
218222

219223
- name: Cache Rust dependencies
220-
uses: step-security/rust-cache@f8fba7098297c8c53a7c9a30575ec2ad4ad85056 # v2.8.2
224+
uses: step-security/rust-cache@9be15b830520fab0ec3939586e917e4855cf76bd # v2.8.3
221225
with:
222226
shared-key: ubuntu-latest-x86_64-unknown-linux-gnu
223227
save-if: ${{ github.ref == 'refs/heads/main' }}
@@ -229,7 +233,7 @@ jobs:
229233
run: cargo nextest archive --workspace --archive-file nextest-archive.tar.zst
230234

231235
- name: Upload nextest archive
232-
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
236+
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
233237
with:
234238
name: nextest-archive
235239
path: nextest-archive.tar.zst
@@ -245,12 +249,12 @@ jobs:
245249
checks: write # For test result publishing
246250
steps:
247251
- name: Harden the runner (Audit all outbound calls)
248-
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
252+
uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
249253
with:
250254
egress-policy: audit
251255

252256
- name: Checkout code
253-
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
257+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
254258
with:
255259
submodules: true
256260

@@ -266,7 +270,7 @@ jobs:
266270
cache: true
267271

268272
- name: Download nextest archive
269-
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
273+
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
270274
with:
271275
name: nextest-archive
272276

@@ -339,7 +343,7 @@ jobs:
339343
comment_mode: off
340344

341345
- name: Upload test results
342-
uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
346+
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
343347
if: always()
344348
with:
345349
name: test-results-ubuntu
@@ -361,12 +365,12 @@ jobs:
361365
RUSTFLAGS: "-C codegen-units=16 -C link-arg=-fuse-ld=mold"
362366
steps:
363367
- name: Harden the runner (Audit all outbound calls)
364-
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
368+
uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
365369
with:
366370
egress-policy: audit
367371

368372
- name: Checkout code
369-
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
373+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
370374
with:
371375
submodules: true
372376

@@ -387,7 +391,7 @@ jobs:
387391
cache: true
388392

389393
- name: Cache Rust dependencies
390-
uses: step-security/rust-cache@f8fba7098297c8c53a7c9a30575ec2ad4ad85056 # v2.8.2
394+
uses: step-security/rust-cache@9be15b830520fab0ec3939586e917e4855cf76bd # v2.8.3
391395
with:
392396
shared-key: ubuntu-latest-x86_64-unknown-linux-gnu
393397
save-if: false
@@ -442,7 +446,7 @@ jobs:
442446
RUSTFLAGS: "-C codegen-units=16 -C link-arg=-fuse-ld=mold"
443447
steps:
444448
- name: Harden the runner (Audit all outbound calls)
445-
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
449+
uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
446450
with:
447451
egress-policy: audit
448452

@@ -463,7 +467,7 @@ jobs:
463467
# Only run these steps if inferadb-engine-core was modified
464468
- name: Checkout code
465469
if: steps.check-core.outputs.core == 'true'
466-
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
470+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
467471
with:
468472
submodules: true
469473

@@ -488,7 +492,7 @@ jobs:
488492

489493
- name: Restore build cache
490494
if: steps.check-core.outputs.core == 'true'
491-
uses: step-security/rust-cache@f8fba7098297c8c53a7c9a30575ec2ad4ad85056 # v2.8.2
495+
uses: step-security/rust-cache@9be15b830520fab0ec3939586e917e4855cf76bd # v2.8.3
492496
with:
493497
shared-key: ubuntu-latest-x86_64-unknown-linux-gnu
494498
save-if: false
@@ -513,7 +517,7 @@ jobs:
513517
RUSTFLAGS: "-C codegen-units=16 -C link-arg=-fuse-ld=mold"
514518
steps:
515519
- name: Harden the runner (Audit all outbound calls)
516-
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
520+
uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
517521
with:
518522
egress-policy: audit
519523

@@ -534,7 +538,7 @@ jobs:
534538
# Only run these steps if inferadb-engine-wasm was modified
535539
- name: Checkout code
536540
if: steps.check-wasm.outputs.wasm == 'true'
537-
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
541+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
538542
with:
539543
submodules: true
540544

@@ -559,7 +563,7 @@ jobs:
559563

560564
- name: Restore build cache
561565
if: steps.check-wasm.outputs.wasm == 'true'
562-
uses: step-security/rust-cache@f8fba7098297c8c53a7c9a30575ec2ad4ad85056 # v2.8.2
566+
uses: step-security/rust-cache@9be15b830520fab0ec3939586e917e4855cf76bd # v2.8.3
563567
with:
564568
shared-key: ubuntu-latest-x86_64-unknown-linux-gnu
565569
save-if: false
@@ -585,7 +589,7 @@ jobs:
585589
RUSTFLAGS: "-C codegen-units=16 -C link-arg=-fuse-ld=mold"
586590
steps:
587591
- name: Harden the runner (Audit all outbound calls)
588-
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
592+
uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
589593
with:
590594
egress-policy: audit
591595

@@ -598,7 +602,7 @@ jobs:
598602
df -h
599603
600604
- name: Checkout code
601-
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
605+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
602606
with:
603607
submodules: true
604608

@@ -619,7 +623,7 @@ jobs:
619623
cache: true
620624

621625
- name: Restore registry cache
622-
uses: step-security/rust-cache@f8fba7098297c8c53a7c9a30575ec2ad4ad85056 # v2.8.2
626+
uses: step-security/rust-cache@9be15b830520fab0ec3939586e917e4855cf76bd # v2.8.3
623627
with:
624628
shared-key: ubuntu-latest-x86_64-unknown-linux-gnu
625629
# Only restore registry cache - llvm-cov uses its own target directory
@@ -633,7 +637,7 @@ jobs:
633637
run: cargo llvm-cov --workspace --lcov --output-path lcov.info
634638

635639
- name: Upload coverage to Codecov
636-
uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
640+
uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
637641
with:
638642
files: lcov.info
639643
fail_ci_if_error: false
@@ -655,7 +659,7 @@ jobs:
655659
RUSTFLAGS: "-C codegen-units=16 -C link-arg=-fuse-ld=mold"
656660
steps:
657661
- name: Harden the runner (Audit all outbound calls)
658-
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
662+
uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
659663
with:
660664
egress-policy: audit
661665

@@ -668,7 +672,7 @@ jobs:
668672
df -h
669673
670674
- name: Checkout code
671-
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
675+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
672676
with:
673677
submodules: true
674678

@@ -689,7 +693,7 @@ jobs:
689693
cache: true
690694

691695
- name: Cache Rust dependencies
692-
uses: step-security/rust-cache@f8fba7098297c8c53a7c9a30575ec2ad4ad85056 # v2.8.2
696+
uses: step-security/rust-cache@9be15b830520fab0ec3939586e917e4855cf76bd # v2.8.3
693697
with:
694698
shared-key: ubuntu-latest-x86_64-unknown-linux-gnu
695699
save-if: false
@@ -701,7 +705,7 @@ jobs:
701705
run: cargo nextest run --workspace --profile full --features test-full --run-ignored all
702706

703707
- name: Upload full test results
704-
uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
708+
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
705709
if: always()
706710
with:
707711
name: test-results-full
@@ -718,12 +722,12 @@ jobs:
718722
contents: read
719723
steps:
720724
- name: Harden the runner (Audit all outbound calls)
721-
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
725+
uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
722726
with:
723727
egress-policy: audit
724728

725729
- name: Checkout code
726-
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
730+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
727731
with:
728732
submodules: true
729733

@@ -744,7 +748,7 @@ jobs:
744748
cache: true
745749

746750
- name: Cache Rust dependencies
747-
uses: step-security/rust-cache@f8fba7098297c8c53a7c9a30575ec2ad4ad85056 # v2.8.2
751+
uses: step-security/rust-cache@9be15b830520fab0ec3939586e917e4855cf76bd # v2.8.3
748752

749753
- name: Check outdated dependencies
750754
run: cargo outdated --exit-code 1 || echo "::warning::Some dependencies are outdated"
@@ -779,7 +783,7 @@ jobs:
779783
if: always()
780784
steps:
781785
- name: Harden the runner (Audit all outbound calls)
782-
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
786+
uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
783787
with:
784788
egress-policy: audit
785789

0 commit comments

Comments
 (0)