CI: added basic set of workflows.

bavshin-f5 · bavshin-f5 · commit e6c8528ebe16 · 2025-07-21T11:22:34.000-07:00
diff --git a/.github/workflows/cargo-deny.yaml b/.github/workflows/cargo-deny.yaml
@@ -0,0 +1,24 @@
+name: cargo-deny
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        checks:
+          - advisories
+          - bans licenses sources
+
+    # Prevent sudden announcement of a new advisory from failing ci:
+    continue-on-error: ${{ matrix.checks == 'advisories' }}
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: EmbarkStudios/cargo-deny-action@34899fc7ba81ca6268d5947a7a16b4649013fea1 # v2.0.11
+        with:
+          command: check ${{ matrix.checks }}
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -0,0 +1,77 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+env:
+  CARGO_TERM_COLOR: 'always'
+  RUST_BACKTRACE: '1'
+  NGINX_SOURCE_DIR: nginx
+
+jobs:
+  linux:
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        nginx-ref:
+          - master
+          - stable-1.28
+        build:
+          - debug 
+          - debug-static
+          - release
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ matrix.nginx-ref }}
+          repository: 'nginx/nginx'
+          path: 'nginx'
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          repository: 'nginx/nginx-tests'
+          path: 'nginx/tests'
+          sparse-checkout: |
+            lib
+
+      - uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b
+        with:
+          toolchain: stable
+
+      - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        with:
+          path: |
+            ~/.cargo/bin/
+            ~/.cargo/registry/index/
+            ~/.cargo/registry/cache/
+            ~/.cargo/git/db/
+            nginx/objs/**/CACHEDIR.TAG
+            nginx/objs/**/ngx-debug
+            nginx/objs/**/ngx-release
+          key: ${{ runner.os }}-nginx-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: ${{ runner.os }}-nginx-
+
+      - name: build
+        id: build
+        run: make BUILD=${{ matrix.build }} -j $(nproc) build
+
+      - name: check
+        # always run if build succeeds
+        if: ${{ !cancelled() && steps.build.outcome == 'success' }}
+        run: make BUILD=${{ matrix.build }} check
+
+      - name: run unit-tests 
+        # always run if build succeeds
+        if: ${{ !cancelled() && steps.build.outcome == 'success' }}
+        run: make BUILD=${{ matrix.build }} unittest
+
+      - name: run tests 
+        # always run if build succeeds
+        if: ${{ !cancelled() && steps.build.outcome == 'success' }}
+        run: make BUILD=${{ matrix.build }} TEST_PREREQ= test
diff --git a/.github/workflows/sanitizers.yaml b/.github/workflows/sanitizers.yaml
@@ -0,0 +1,78 @@
+name: sanitizers
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+env:
+  CARGO_TERM_COLOR: 'always'
+  RUST_BACKTRACE: '1'
+  NGINX_SOURCE_DIR: nginx
+  BUILDREQUIRES: >-
+    openssl-devel pcre2-devel zlib-devel
+    cargo rust-src rustfmt
+    clang compiler-rt llvm
+    git-core
+    make patch
+    perl-FindBin
+    perl-IO-Socket-SSL
+    perl-Test-Harness
+    perl-Test-Simple
+    perl-lib
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    container: ghcr.io/almalinux/almalinux:10
+
+    strategy:
+      fail-fast: false
+      matrix:
+        nginx-ref:
+          # master
+          - stable-1.28
+
+    steps:
+      - name: Install dependencies
+        run:  dnf install -y ${BUILDREQUIRES}
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ matrix.nginx-ref }}
+          repository: 'nginx/nginx'
+          path: 'nginx'
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          repository: 'nginx/nginx-tests'
+          path: 'nginx/tests'
+
+      - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        with:
+          path: |
+            ~/.cargo/bin/
+            ~/.cargo/registry/index/
+            ~/.cargo/registry/cache/
+            ~/.cargo/git/db/
+            nginx/objs/**/CACHEDIR.TAG
+            nginx/objs/**/ngx-debug
+            nginx/objs/**/ngx-release
+          key: ${{ runner.os }}-cargo-asan-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: ${{ runner.os }}-cargo-asan-
+
+      - name: Configure and build nginx
+        run: |
+          make -j$(nproc) BUILD=sanitize build
+
+      - name: Run tests
+        env:
+          # `container` job steps are running as root, and thus all the files
+          # created by the test scripts are owned by root.
+          # But the worker processes are spawned as "nobody" by default,
+          # resulting in permission errors.
+          TEST_NGINX_GLOBALS: >-
+              user root;
+        run: |
+          make -j$(nproc) BUILD=sanitize test
diff --git a/deny.toml b/deny.toml
@@ -0,0 +1,22 @@
+[bans]
+multiple-versions = "warn"
+
+[graph]
+all-features = true
+
+[licenses]
+allow = [
+    "Apache-2.0",
+    "BSD-3-Clause",
+    "ISC",
+    "MIT",
+    "Unicode-3.0",
+]
+confidence-threshold = 0.8
+
+[[licenses.clarify]]
+crate = "ring"
+expression = "MIT AND ISC AND OpenSSL"
+license-files = [
+    { path = "LICENSE", hash = 0xbd0eed23 }
+]
