feat: request-time data encryption #1259
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| env: | |
| CARGO_TERM_COLOR: always | |
| jobs: | |
| changes: | |
| name: Detect Changes | |
| runs-on: ubuntu-latest | |
| outputs: | |
| sdk: ${{ steps.filter.outputs.sdk }} | |
| apply_schema: ${{ steps.filter.outputs.apply_schema }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dorny/paths-filter@v3 | |
| id: filter | |
| with: | |
| filters: | | |
| sdk: | |
| - 'sdk/**' | |
| apply_schema: | |
| - 'cli/src/cli.rs' | |
| - 'cli/src/main.rs' | |
| - 'lite/src/init.rs' | |
| - 'cli/schema.json' | |
| cli-schema-drift: | |
| name: CLI Schema Drift | |
| needs: [changes] | |
| if: needs.changes.outputs.apply_schema == 'true' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@stable | |
| - uses: Swatinem/rust-cache@v2 | |
| - name: Generate apply schema | |
| run: cargo run -q -p s2-cli -- apply --schema > /tmp/apply.schema.json | |
| - name: Check for schema drift | |
| run: diff -u cli/schema.json /tmp/apply.schema.json | |
| fmt: | |
| name: Format | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@nightly | |
| with: | |
| components: rustfmt | |
| - run: cargo +nightly fmt --all --check | |
| lockfile: | |
| name: Lockfile | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Install Rust | |
| uses: dtolnay/rust-toolchain@stable | |
| - name: Verify Cargo.lock is up-to-date | |
| run: cargo metadata --locked --format-version 1 >/dev/null | |
| sort: | |
| name: Cargo Sort | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@stable | |
| - uses: taiki-e/install-action@cargo-sort | |
| - run: cargo sort --workspace --check | |
| deny: | |
| name: Cargo Deny | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@stable | |
| - uses: taiki-e/install-action@cargo-deny | |
| - run: cargo deny check | |
| clippy: | |
| name: Clippy | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| submodules: true | |
| - uses: dtolnay/rust-toolchain@stable | |
| with: | |
| components: clippy | |
| - uses: Swatinem/rust-cache@v2 | |
| - name: Install Protoc | |
| uses: arduino/setup-protoc@v3 | |
| with: | |
| repo-token: ${{ secrets.GITHUB_TOKEN }} | |
| - run: cargo clippy --workspace --all-features --all-targets -- -D warnings --allow deprecated | |
| test: | |
| name: Tests | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| submodules: true | |
| - uses: dtolnay/rust-toolchain@stable | |
| - uses: Swatinem/rust-cache@v2 | |
| - uses: arduino/setup-protoc@v3 | |
| with: | |
| repo-token: ${{ secrets.GITHUB_TOKEN }} | |
| - uses: taiki-e/install-action@nextest | |
| - run: cargo nextest run --workspace --all-features -E 'not (package(s2-cli) & binary(integration)) - package(s2-sdk)' | |
| helm-lint: | |
| name: Helm Chart Lint & Test | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Install Helm | |
| uses: azure/setup-helm@v4 | |
| with: | |
| version: v3.14.0 | |
| - name: Lint Helm chart | |
| run: helm lint charts/s2-lite-helm | |
| - name: Test template rendering (default) | |
| run: helm template test-release charts/s2-lite-helm --dry-run > /dev/null | |
| - name: Test with TLS self-signed | |
| run: helm template test-release charts/s2-lite-helm --set tls.enabled=true --set tls.selfSigned=true --dry-run > /dev/null | |
| - name: Test with TLS provided cert | |
| run: helm template test-release charts/s2-lite-helm --set tls.enabled=true --set tls.cert=/etc/tls/tls.crt --set tls.key=/etc/tls/tls.key --dry-run > /dev/null | |
| - name: Test with S3 object storage | |
| run: helm template test-release charts/s2-lite-helm --set objectStorage.enabled=true --set objectStorage.bucket=test-bucket --dry-run > /dev/null | |
| - name: Test with S3 and TLS | |
| run: | | |
| helm template test-release charts/s2-lite-helm \ | |
| --set tls.enabled=true \ | |
| --set tls.selfSigned=true \ | |
| --set objectStorage.enabled=true \ | |
| --set objectStorage.bucket=test-bucket \ | |
| --set objectStorage.endpoint=https://s3.amazonaws.com \ | |
| --set metrics.serviceMonitor.enabled=true \ | |
| --dry-run > /dev/null | |
| - name: Test TLS without cert/key fails but selfSigned and provided cert work | |
| run: | | |
| if helm template test-release charts/s2-lite-helm \ | |
| --set tls.enabled=true \ | |
| --dry-run 2>&1; then | |
| echo "Expected failure but got success" | |
| exit 1 | |
| fi | |
| helm template test-release charts/s2-lite-helm \ | |
| --set tls.enabled=true \ | |
| --set tls.selfSigned=true \ | |
| --dry-run > /dev/null | |
| helm template test-release charts/s2-lite-helm \ | |
| --set tls.enabled=true \ | |
| --set tls.cert=/etc/tls/tls.crt \ | |
| --set tls.key=/etc/tls/tls.key \ | |
| --dry-run > /dev/null | |
| - name: Test objectStorage without bucket fails | |
| run: | | |
| if helm template test-release charts/s2-lite-helm \ | |
| --set objectStorage.enabled=true \ | |
| --dry-run 2>&1; then | |
| echo "Expected failure but got success" | |
| exit 1 | |
| fi | |
| build-server: | |
| name: Build s2-lite | |
| uses: ./.github/workflows/build-s2-lite.yml | |
| with: | |
| ref: ${{ github.sha }} | |
| sdk-integration-tests: | |
| name: SDKs <> s2-lite Integration Tests | |
| needs: [build-server, test, clippy] | |
| uses: ./.github/workflows/sdk-tests.yml | |
| with: | |
| mode: local | |
| server-binary: server | |
| server-args: "--port 8080" | |
| server-port: 8080 | |
| sdks: | | |
| [ | |
| { | |
| "name": "go", | |
| "repo": "s2-streamstore/s2-sdk-go", | |
| "ref": "main", | |
| "lang": "go", | |
| "go-version": "1.24", | |
| "test_cmd": "go test -v -count=1 -skip 'WithScope|AccessToken|Metrics|Client_InvalidToken' ./s2/..." | |
| }, | |
| { | |
| "name": "typescript", | |
| "repo": "s2-streamstore/s2-sdk-typescript", | |
| "ref": "main", | |
| "lang": "bun", | |
| "bun-version": "latest", | |
| "test_cmd": "S2_LITE=1 bun run vitest --run --exclude '**/account-basin*' --exclude '**/accessTokens*' --exclude '**/metrics*'" | |
| }, | |
| { | |
| "name": "rust", | |
| "repo": "${{ github.repository }}", | |
| "ref": "${{ github.sha }}", | |
| "lang": "rust", | |
| "test_cmd": "cargo test -p s2-sdk --all-features -- --skip access_token --skip metrics" | |
| } | |
| ] | |
| rust-sdk: | |
| name: Rust SDK | |
| needs: [test, clippy, changes] | |
| if: needs.changes.outputs.sdk == 'true' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@stable | |
| - uses: Swatinem/rust-cache@v2 | |
| - name: Check docs | |
| run: cargo doc -p s2-sdk --all-features --no-deps | |
| env: | |
| RUSTDOCFLAGS: "-D warnings" | |
| - name: Run tests | |
| run: cargo test -p s2-sdk --all-features | |
| env: | |
| S2_ACCESS_TOKEN: ${{ secrets.S2_ACCESS_TOKEN_FOR_RUST_SDK_TESTS }} | |
| cli-integration-tests: | |
| name: CLI <> s2-lite Integration Tests | |
| needs: [build-server, test, clippy] | |
| uses: ./.github/workflows/sdk-tests.yml | |
| with: | |
| mode: local | |
| server-binary: server | |
| server-args: "--port 8080" | |
| server-port: 8080 | |
| sdks: | | |
| [ | |
| { | |
| "name": "cli", | |
| "repo": "${{ github.repository }}", | |
| "ref": "${{ github.sha }}", | |
| "lang": "rust", | |
| "test_cmd": "cargo test -p s2-cli --test integration -j 1" | |
| } | |
| ] |