226 changes: 226 additions & 0 deletions .github/workflows/ci-al4.yml
@@ -0,0 +1,226 @@
name: Continuous Integration AL4

on:
schedule:
- cron: "0 0 * * 1-5"
pull_request:
types:
- labeled
- synchronize
- opened
- reopened
workflow_dispatch:

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ !contains(github.ref, 'main')}}

permissions: read-all

jobs:
vmss-virtual-a:
if: &check_trigger_conditions ${{ (github.event.action == 'labeled' && github.event.label.name == 'azure-linux-4') || (github.event.action != 'labeled' && contains(github.event.pull_request.labels.*.name, 'azure-linux-4')) || github.event_name == 'workflow_dispatch' || github.event_name == 'schedule' }}

Member


It seems to me that if the CI passes, we ought to run it every time and not use labels. Happy to discuss.

name: "AL4 VMSS Virtual A" # Debug build, unit tests, e2e (bucket_a)
runs-on:
[
self-hosted,
1ES.Pool=gha-vmss-d16av5-ci,
"JobId=ci_al4_build_test_virtual_a-${{ github.run_id }}-${{ github.run_number }}-${{ github.run_attempt }}",
]
container:
image: azlpubstagingacroxz2o4gw.azurecr.io/azurelinux/base/core:4.0
options: --user root --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE

steps:
- name: "Checkout dependencies"
shell: bash
run: |
set -ex
tdnf -y update
tdnf -y install ca-certificates git

- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0

- name: "Install dependencies"
shell: bash
run: |
set -ex
./scripts/setup-ci-al4.sh

- name: "Build Debug"
run: |
set -ex
git config --global --add safe.directory /__w/CCF/CCF
mkdir build
cd build
cmake -GNinja -DCMAKE_BUILD_TYPE=Debug "-DCMAKE_CXX_FLAGS=-Wno-error=deprecated-declarations -Wno-error=#warnings" ..
ninja
shell: bash

- name: "Run Unit tests"
run: |
set -ex
cd build
./tests.sh --output-on-failure -L unit -j$(nproc --all)
shell: bash

- name: "Run e2e tests (bucket_a)"
run: |
set -ex
cd build
./tests.sh --timeout 360 --output-on-failure -L bucket_a -LE lts_compatibility
shell: bash

- name: "Upload logs for AL4 virtual A"
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: logs-al4-virtual-a
path: |
build/workspace/*/*.config.json
build/workspace/*/out
build/workspace/*/err
build/workspace/*/*.ledger/*
build/workspace/*/stack_trace
if-no-files-found: ignore
if: success() || failure()

vmss-virtual-b:
if: *check_trigger_conditions
name: "AL4 VMSS Virtual B" # End-to-end tests (bucket_b)
runs-on:
[
self-hosted,
1ES.Pool=gha-vmss-d16av5-ci,
"JobId=ci_al4_build_test_virtual_b-${{ github.run_id }}-${{ github.run_number }}-${{ github.run_attempt }}",
]
container:
image: azlpubstagingacroxz2o4gw.azurecr.io/azurelinux/base/core:4.0
options: --user root --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE --sysctl net.ipv6.conf.all.disable_ipv6=0 --sysctl net.ipv6.conf.default.disable_ipv6=0 --sysctl net.ipv6.conf.lo.disable_ipv6=0

steps:
- name: "Checkout dependencies"
shell: bash
run: |
set -ex
tdnf -y update
tdnf -y install ca-certificates git

- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0

- name: "cpuinfo"
run: |
cat /proc/cpuinfo
shell: bash

- name: "Install dependencies"
shell: bash
run: |
set -ex
./scripts/setup-ci-al4.sh

- name: "Confirm running on Virtual"
run: |
set -ex
python3 tests/infra/platform_detection.py virtual
shell: bash

- name: "Build Debug"
run: |
set -ex
git config --global --add safe.directory /__w/CCF/CCF
mkdir build
cd build
cmake -GNinja -DCMAKE_BUILD_TYPE=Debug "-DCMAKE_CXX_FLAGS=-Wno-error=deprecated-declarations -Wno-error=#warnings" ..
ninja
shell: bash

- name: "Run e2e tests (bucket_b)"
run: |
set -ex
cd build
rm -rf /github/home/.cache
mkdir -p /github/home/.cache

./tests.sh --timeout 360 --output-on-failure -L bucket_b
shell: bash

- name: "Upload logs for AL4 virtual B"
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: logs-al4-virtual-b
path: |
build/workspace/*/*.config.json
build/workspace/*/out
build/workspace/*/err
build/workspace/*/*.ledger/*
build/workspace/*/stack_trace
if-no-files-found: ignore
if: success() || failure()

vmss-virtual-c:
if: *check_trigger_conditions
name: "AL4 VMSS Virtual C" # End-to-end tests (bucket_c)
runs-on:
[
self-hosted,
1ES.Pool=gha-vmss-d16av5-ci,
"JobId=ci_al4_build_test_virtual_c-${{ github.run_id }}-${{ github.run_number }}-${{ github.run_attempt }}",
]
container:
image: azlpubstagingacroxz2o4gw.azurecr.io/azurelinux/base/core:4.0
options: --user root --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE --sysctl net.ipv6.conf.all.disable_ipv6=0 --sysctl net.ipv6.conf.default.disable_ipv6=0 --sysctl net.ipv6.conf.lo.disable_ipv6=0

steps:
- name: "Checkout dependencies"
shell: bash
run: |
set -ex
tdnf -y update
tdnf -y install ca-certificates git

- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0

- name: "Install dependencies"
shell: bash
run: |
set -ex
./scripts/setup-ci-al4.sh

- name: "Build Debug"
run: |
set -ex
git config --global --add safe.directory /__w/CCF/CCF
mkdir build
cd build
cmake -GNinja -DCMAKE_BUILD_TYPE=Debug "-DCMAKE_CXX_FLAGS=-Wno-error=deprecated-declarations -Wno-error=#warnings" ..

Member


This feels like it should be in cmake, maybe gated on compiler version detection, but definitely not inline in the CI; this will make it too easy for local runs to diverge from CI.

ninja
shell: bash

- name: "Run e2e tests (bucket_c)"
run: |
set -ex
cd build
rm -rf /github/home/.cache
mkdir -p /github/home/.cache

./tests.sh --timeout 360 --output-on-failure -L bucket_c
shell: bash

- name: "Upload logs for AL4 virtual C"
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: logs-al4-virtual-c
path: |
build/workspace/*/*.config.json
build/workspace/*/out
build/workspace/*/err
build/workspace/*/*.ledger/*
build/workspace/*/stack_trace
if-no-files-found: ignore
if: success() || failure()
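Review bot: The job container in all three jobs (`vmss-virtual-a`, `vmss-virtual-b`, `vmss-virtual-c`) is pulled by the mutable tag `core:4.0` from what looks like a staging registry, while both actions in this file are pinned to commit SHAs. The container runs as root with `NET_ADMIN`, `NET_RAW` and `SYS_PTRACE` on a self-hosted pool, so a re-pushed tag changes what executes there without any change in this repository. Pinning by digest keeps the tag readable and makes image updates reviewable: `image: azlpubstagingacroxz2o4gw.azurecr.io/azurelinux/base/core:4.0@sha256:<digest-of-reviewed-image>`. Separately, `permissions: read-all` grants read on every scope; the steps shown only check out the repository and upload artifacts, so `contents: read` is probably enough.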
1 change: 0 additions & 1 deletion include/ccf/crypto/openssl/openssl_wrappers.h
Expand Up @@ -14,7 +14,6 @@
#include <openssl/asn1.h>
#include <openssl/bn.h>
#include <openssl/ec.h>
#include <openssl/engine.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
4 changes: 1 addition & 3 deletions samples/apps/logging/logging.cpp
Expand Up @@ -387,9 +387,7 @@ namespace loggingapp
return response;
}

if (
const auto* no_ident =
dynamic_cast<const ccf::EmptyAuthnIdentity*>(caller.get()))
if (dynamic_cast<const ccf::EmptyAuthnIdentity*>(caller.get()) != nullptr)
{
return "Unauthenticated";
}
147 changes: 147 additions & 0 deletions scripts/setup-ci-al4.sh
@@ -0,0 +1,147 @@
#!/bin/bash
# Copyright (c) Microsoft Corporation. All rights reserved.
# Licensed under the Apache 2.0 License.

set -exo pipefail

H2SPEC_VERSION="v2.6.0"

retry() {
local description=$1
shift

if [[ -z ${CI+x} ]]; then
"$@"
return
fi

local attempt=1
local delay
while true; do
if "$@"; then
return
fi

if (( attempt == 3 )); then
echo "'$description' failed after 3 attempts"
return 1
fi

if (( attempt == 1 )); then
delay=5
else
delay=30
fi

echo "'$description' failed on attempt $attempt. Retrying in ${delay}s..."
sleep "$delay"
attempt=$(( attempt + 1 ))
done
}

install_source_control() {
# Source control and tools used by this script.
tdnf -y install \

Member


I thought azl4 used dnf rather than tdnf? If we are going to split the script anyway, we might as well avoid aliases?

git \
ca-certificates \
curl \
tar \
gzip
}

install_build_dependencies() {
# To build CCF. Azure Linux 4 uses more explicit package names than Azure
# Linux 3: build-essential is not present, and the curl/nghttp2 development
# packages are named libcurl-devel and libnghttp2-devel.
tdnf -y install \
gcc \
gcc-c++ \
make \
binutils \
clang \
cmake \
ninja-build \
which \
openssl \
openssl-devel \
libuv-devel \
libnghttp2-devel \
libcurl-devel \
libarrow-devel \
parquet-libs-devel \
doxygen \
clang-tools-extra-devel \
rust \
cargo \
libstdc++-devel
# Azure Linux 4 beta does not publish libbacktrace-static yet; the Azure
# Linux 3.0 RPM contains only backtrace.h and libbacktrace.a and works here.
tdnf install -y https://packages.microsoft.com/azurelinux/3.0/prod/base/x86_64/Packages/l/libbacktrace-static-13.2.0-7.azl3.x86_64.rpm

Member


Can we request this ASAP? We've just added this as a dependency, and we do not want to have this hack for an indefinite period of time.

}

install_test_dependencies() {
local packages=(
# To run standard tests
lldb
expect
jq
# Extra-dependency for CDDL schema checker
rubygems
# Release (extended) tests
procps-ng
# protocoltest
bind-utils
strace
)
tdnf -y install "${packages[@]}" &&
gem install cddl
}

install_h2spec() {
if ! curl -L --output h2spec_linux_amd64.tar.gz https://github.com/summerwind/h2spec/releases/download/$H2SPEC_VERSION/h2spec_linux_amd64.tar.gz; then
echo "Failed to download h2spec"
return 1
fi

tar -xvf h2spec_linux_amd64.tar.gz &&
mkdir -p /opt/h2spec &&
mv h2spec /opt/h2spec/h2spec &&
rm h2spec_linux_amd64.tar.gz
}

install_node() {
# The Azure Linux 4 package repositories currently provide Node.js 22. The
# JS packages in this repository require Node.js >= 20.
tdnf -y install \
nodejs \
nodejs-npm

local node_major
node_major="$(node --version | sed -E 's/^v([0-9]+).*/\1/')"
if (( node_major < 20 )); then
echo "Unsupported Node.js version $(node --version); expected >= 20" >&2
return 1
fi
}

install_packaging_and_python() {
local packages=(
# For packaging
rpm-build
# For end to end tests and scripts
python3-pip
python3-devel
)
tdnf -y install "${packages[@]}"

if ! python3 -m pip install uv==0.11.19 --break-system-packages; then
python3 -m pip install uv==0.11.19
fi
}

retry "Source control dependencies" install_source_control
retry "Build dependencies" install_build_dependencies
retry "Test dependencies" install_test_dependencies
retry "Node.js installation" install_node
retry "h2spec installation" install_h2spec
retry "Packaging and Python dependencies" install_packaging_and_python
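Review bot: `install_h2spec` downloads a release tarball and moves the extracted binary into `/opt/h2spec` without checking its integrity, and `curl -L` without `--fail` will save an HTTP error page as the archive. `H2SPEC_VERSION` pins the tag but not the content, so I would add a constant `H2SPEC_SHA256` holding the digest of the reviewed release, use `curl -fL` for the download, and run `echo "${H2SPEC_SHA256}  h2spec_linux_amd64.tar.gz" | sha256sum -c -` before `tar`. Separately, in CI `retry` runs each function as `if "$@"`, which suspends `set -e` inside it. In `install_build_dependencies` a failure of the first `tdnf -y install` is therefore masked whenever the following libbacktrace RPM install succeeds. Joining the two commands with `&&`, as `install_test_dependencies` already does, restores the failure.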