Update Dependabot config (#346) #816
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - "build/**" | |
| pull_request: | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| env: | |
| # Determine the name of the release channel: | |
| # - `nightly`: Pushes to `main` | |
| # - Otherwise, `wip` | |
| BRIOCHE_RELEASE_CHANNEL: ${{ (github.event_name == 'push' && github.repository == 'brioche-dev/brioche' && github.ref == 'refs/heads/main' && 'nightly') || 'wip' }} | |
| jobs: | |
| check: | |
| name: Run checks | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v5 | |
| - name: Install SQLx CLI | |
| run: | | |
| mkdir -p ~/.local/bin | |
| curl -L https://development-content.brioche.dev/tools/sqlx-cli_v0.7.1/sqlx -o ~/.local/bin/sqlx | |
| curl -L https://development-content.brioche.dev/tools/sqlx-cli_v0.7.1/cargo-sqlx -o ~/.local/bin/cargo-sqlx | |
| chmod +x ~/.local/bin/sqlx ~/.local/bin/cargo-sqlx | |
| echo "$HOME/.local/bin" >> $GITHUB_PATH | |
| - name: Check formatting | |
| run: cargo fmt -- --check | |
| - name: Check database schema | |
| run: make check-db-schema | |
| - name: Check Clippy | |
| run: cargo clippy --all -- -Dwarnings | |
| - name: Install runtime distribution packages | |
| run: | | |
| cd crates/brioche-core/runtime | |
| npm install | |
| - name: Check runtime distribution types | |
| run: | | |
| cd crates/brioche-core/runtime | |
| npm run check | |
| - name: Check runtime distribution is up to date | |
| run: | | |
| cd crates/brioche-core/runtime | |
| npm install | |
| npm run build | |
| if [ -n "$(git status --porcelain)" ]; then | |
| git status | |
| echo "NPM build in crates/brioche/runtime is out of date!" >&2 | |
| echo "Re-run 'npm run build' and commit the results" >&2 | |
| exit 1 | |
| fi | |
| - name: Install Brioche | |
| uses: brioche-dev/setup-brioche@v1 | |
| - name: Check Brioche project | |
| # HACK: Added a workaround for bug fixed by https://github.com/brioche-dev/brioche/pull/216 | |
| # TODO: Update when Brioche >0.1.5 is released | |
| run: | | |
| brioche check || true | |
| brioche check | |
| brioche fmt --check | |
| test: | |
| name: Run tests [${{ matrix.name }}] | |
| strategy: | |
| matrix: | |
| include: | |
| - name: x86-64 Ubuntu 22.04 | |
| runs-on: ubuntu-22.04 | |
| - name: x86-64 Ubuntu 22.04 + PRoot | |
| runs-on: ubuntu-22.04 | |
| setup: | | |
| echo 'BRIOCHE_TEST_SANDBOX=linux_namespace' >> "$GITHUB_ENV" | |
| echo 'BRIOCHE_TEST_SANDBOX_PROOT=true' >> "$GITHUB_ENV" | |
| - name: x86-64 Ubuntu 24.04 | |
| runs-on: ubuntu-24.04 | |
| - name: x86-64 Ubuntu 24.04 + Namespaces | |
| runs-on: ubuntu-24.04 | |
| setup: | | |
| echo 'kernel.apparmor_restrict_unprivileged_userns = 0' | sudo tee /etc/sysctl.d/99-userns.conf | |
| sudo sysctl --system | |
| - name: aarch64 macOS 15 | |
| runs-on: macos-15 | |
| runs-on: ${{ matrix.runs-on }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v5 | |
| - name: Set up runner | |
| if: matrix.setup | |
| run: ${{ matrix.setup }} | |
| # Run tests in release mode. Running tests in debug mode uses a lot | |
| # more disk space, so much so that it can cause the run to fail | |
| - name: Run tests | |
| run: cargo test --all --release | |
| # Extra job that succeeds when all test jobs succeed (useful for PR requirements) | |
| all-tests-passed: | |
| name: All tests passed | |
| needs: [check, test] | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - run: ":" | |
| build-unpacked: | |
| name: Build [${{ matrix.name }}] (Unpacked) | |
| if: github.event_name == 'push' | |
| strategy: | |
| matrix: | |
| include: | |
| - name: x86_64-linux-gnu | |
| runs-on: ubuntu-22.04 | |
| target: x86_64-unknown-linux-gnu | |
| - name: aarch64-linux-gnu | |
| runs-on: ubuntu-22.04-arm | |
| target: aarch64-unknown-linux-gnu | |
| - name: x86_64-macos | |
| runs-on: macos-15 | |
| target: x86_64-apple-darwin | |
| - name: aarch64-macos | |
| runs-on: macos-15 | |
| target: aarch64-apple-darwin | |
| runs-on: ${{ matrix.runs-on }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v5 | |
| - name: Install Rust targets | |
| run: rustup target add "$TARGET" | |
| env: | |
| TARGET: ${{ matrix.target }} | |
| - name: Build Brioche | |
| run: | | |
| cargo build \ | |
| --all \ | |
| --bin brioche \ | |
| --release \ | |
| --target="$TARGET" | |
| env: | |
| TARGET: ${{ matrix.target }} | |
| BRIOCHE_SELF_UPDATE_PLATFORM: ${{ matrix.name }} | |
| - name: Prepare artifact | |
| id: prepare-artifact | |
| run: | | |
| artifact_name="brioche-${PLATFORM}" | |
| artifact_path="artifacts/${artifact_name}.tar.xz" | |
| mkdir -p "artifacts/$artifact_name/bin" | |
| cp "target/$TARGET/release/brioche" "artifacts/$artifact_name/bin" | |
| tar -cJvf "$artifact_path" -C artifacts "$artifact_name" | |
| echo "artifact-name=$artifact_name" >> "$GITHUB_OUTPUT" | |
| echo "artifact-path=$artifact_path" >> "$GITHUB_OUTPUT" | |
| ls -lhR artifacts/ | |
| if command -v sha256sum &> /dev/null; then | |
| find artifacts/ -type f | xargs sha256sum | |
| fi | |
| env: | |
| PLATFORM: ${{ matrix.name }} | |
| TARGET: ${{ matrix.target }} | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ steps.prepare-artifact.outputs.artifact-name }} | |
| path: ${{ steps.prepare-artifact.outputs.artifact-path }} | |
| compression-level: 0 | |
| if-no-files-found: error | |
| build-packed: | |
| name: Build [${{ matrix.name }}] (Packed) | |
| if: github.event_name == 'push' | |
| strategy: | |
| matrix: | |
| include: | |
| - name: x86_64-linux | |
| runs-on: ubuntu-22.04 | |
| brioche-release-channel: "stable" | |
| - name: aarch64-linux | |
| runs-on: ubuntu-22.04-arm | |
| brioche-release-channel: "nightly" | |
| runs-on: ${{ matrix.runs-on }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v5 | |
| - name: Install Brioche | |
| uses: brioche-dev/setup-brioche@v1 | |
| with: | |
| version: ${{ matrix.brioche-release-channel }} | |
| - name: Build Brioche | |
| id: build | |
| # HACK: Added a workaround for bug fixed by https://github.com/brioche-dev/brioche/pull/216 | |
| # TODO: Update when Brioche >0.1.5 is released | |
| run: | | |
| artifact_name="brioche-${PLATFORM}" | |
| artifact_path="artifacts/${artifact_name}.tar.xz" | |
| mkdir -p "artifacts" | |
| brioche check || true | |
| brioche build --check -o "artifacts/$artifact_name" | |
| tar -cJvf "$artifact_path" -C artifacts "$artifact_name" | |
| echo "artifact-name=$artifact_name" >> "$GITHUB_OUTPUT" | |
| echo "artifact-path=$artifact_path" >> "$GITHUB_OUTPUT" | |
| ls -lhR artifacts/ | |
| if command -v sha256sum &> /dev/null; then | |
| find artifacts/ -type f | xargs sha256sum | |
| fi | |
| env: | |
| PLATFORM: ${{ matrix.name }} | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ steps.build.outputs.artifact-name }} | |
| path: ${{ steps.build.outputs.artifact-path }} | |
| compression-level: 0 | |
| if-no-files-found: error | |
| push: | |
| name: Push artifacts | |
| if: github.event_name == 'push' && github.repository == 'brioche-dev/brioche' | |
| needs: [check, all-tests-passed, build-unpacked, build-packed] | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Download artifacts | |
| uses: actions/download-artifact@v5 | |
| with: | |
| path: artifacts | |
| merge-multiple: true | |
| - name: Sign artifacts (channel=${{ env.BRIOCHE_RELEASE_CHANNEL }}) | |
| run: | | |
| SIGNING_NAMESPACE="${BRIOCHE_RELEASE_CHANNEL}@brioche.dev" | |
| install -m 0600 <(echo "$BRIOCHE_CODESIGN_PRIVATE_KEY") ./brioche-codesign-key | |
| ssh-keygen -Y sign -n "$SIGNING_NAMESPACE" -f ./brioche-codesign-key artifacts/brioche-*.tar.xz | |
| rm brioche-codesign-key | |
| for artifact in artifacts/brioche-*.tar.xz; do | |
| sha256sum "$artifact" | |
| cat "${artifact}.sig" | |
| echo | |
| done | |
| env: | |
| BRIOCHE_CODESIGN_PRIVATE_KEY: ${{ secrets.BRIOCHE_CODESIGN_PRIVATE_KEY }} | |
| # Upload the Brioche build for the current branch | |
| - name: Upload to S3 | |
| run: | | |
| ls -lhR artifacts/ | |
| aws s3 sync \ | |
| --endpoint "$S3_ENDPOINT" \ | |
| --delete \ | |
| artifacts/ \ | |
| "s3://brioche-dev-development-content/github.com/brioche-dev/brioche/branches/$GITHUB_REF_NAME/" | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ secrets.R2_S3_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_S3_SECRET_ACCESS_KEY }} | |
| AWS_DEFAULT_REGION: ${{ vars.R2_S3_REGION }} | |
| AWS_REQUEST_CHECKSUM_CALCULATION: WHEN_REQUIRED | |
| AWS_RESPONSE_CHECKSUM_CALCULATION: WHEN_REQUIRED | |
| S3_ENDPOINT: ${{ secrets.R2_S3_ENDPOINT }} |