chore(deps): bump golang.org/x/sys from 0.41.0 to 0.43.0 #190
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: [ main, develop ] | |
| pull_request: | |
| branches: [ main ] | |
| workflow_dispatch: | |
| env: | |
| GO_VERSION_STABLE: '1.24.x' | |
| # Keep vulncheck on a patched baseline to avoid stdlib CVE false-fails from older patch toolchains. | |
| GO_VERSION_VULNCHECK: '1.25.8' | |
| GO_VULNCHECK_TOOLCHAIN: 'go1.25.8+auto' | |
| jobs: | |
| lint: | |
| name: Lint | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - name: Setup Go | |
| uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6 | |
| with: | |
| go-version: ${{ env.GO_VERSION_STABLE }} | |
| cache: true | |
| - name: Run gofmt | |
| run: | | |
| if [ "$(gofmt -l . | grep -v '^vendor/' | wc -l)" -gt 0 ]; then | |
| echo "The following files need formatting:" | |
| gofmt -l . | grep -v '^vendor/' | |
| echo "" | |
| echo "To fix locally, run: gofmt -w ." | |
| exit 1 | |
| fi | |
| - name: Run go vet | |
| run: | | |
| go vet -unsafeptr=false ./ort/... | |
| go vet -unsafeptr=false ./examples/basic/... | |
| go vet -unsafeptr=false ./examples/openclip/... | |
| go vet ./embeddings/... | |
| - name: Run golangci-lint (PR new issues) | |
| if: github.event_name == 'pull_request' | |
| uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9 | |
| with: | |
| # Pin v2 because .golangci.yml uses v2 formatters config. | |
| version: v2.8.0 | |
| args: --concurrency=8 | |
| only-new-issues: true | |
| verify: false | |
| - name: Run golangci-lint (push informational) | |
| if: github.event_name != 'pull_request' | |
| uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9 | |
| with: | |
| # Pin v2 because .golangci.yml uses v2 formatters config. | |
| version: v2.8.0 | |
| args: --concurrency=8 | |
| verify: false | |
| # Main/develop pushes keep lint informational until historical lint debt is cleared. | |
| continue-on-error: true | |
| test: | |
| name: Test | |
| strategy: | |
| matrix: | |
| go-version: ['1.24.x'] | |
| os: [ubuntu-latest, macos-latest, windows-latest] | |
| runs-on: ${{ matrix.os }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - name: Setup Go | |
| uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6 | |
| with: | |
| go-version: ${{ matrix.go-version }} | |
| cache: true | |
| - name: Get dependencies | |
| run: go mod download | |
| - name: Run tests (Unix) | |
| if: runner.os != 'Windows' | |
| run: go test -v -coverprofile=coverage.out ./... | |
| # Note: -race flag disabled because checkptr is incompatible with purego's | |
| # C string conversion (unsafe.Slice on C allocations). This is a known | |
| # limitation when using purego for CGO-free C interop. | |
| - name: Run tests (Windows) | |
| if: runner.os == 'Windows' | |
| run: go test -v -coverprofile="${PWD}/coverage.out" ./... | |
| - name: Upload coverage to Codecov | |
| if: matrix.os == 'ubuntu-latest' && matrix.go-version == env.GO_VERSION_STABLE | |
| uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5 | |
| with: | |
| file: ./coverage.out | |
| flags: unittests | |
| name: codecov-umbrella | |
| fail_ci_if_error: false | |
| test-race-ort-concurrency: | |
| name: Test Race (ORT concurrency subset) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - name: Setup Go | |
| uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6 | |
| with: | |
| go-version: ${{ env.GO_VERSION_STABLE }} | |
| cache: true | |
| - name: Get dependencies | |
| run: go mod download | |
| - name: Run race detector on ORT concurrency tests | |
| run: | | |
| go test -race ./ort -run 'TestValuesToHandlesDeduplicatesRepeatedLockableValue|TestValuesToHandlesReleasesPriorLeasesOnError|TestAdvancedSessionRunConcurrent|TestAdvancedSessionRunConcurrentAcrossSessionsSharingTensor|TestAdvancedSessionRunAndDestroyConcurrent|TestTensorDestroyWaitsForInFlightRun|TestTensorDestroyDoesNotBlockUnrelatedRun|TestTensorDestroyConcurrentCallsReleaseOnce' | |
| integration-real-model: | |
| name: Integration (ONNX Runtime + all-MiniLM + SPLADE + OpenCLIP) | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 35 | |
| env: | |
| ORT_VERSION: '1.24.1' | |
| # Keep in sync with the release asset digest for onnxruntime-linux-x64-${ORT_VERSION}.tgz. | |
| ORT_ARCHIVE_SHA256: '9142552248b735920f9390027e4512a2cacf8946a1ffcbe9071a5c210531026f' | |
| ONNXRUNTIME_TEST_MODEL_CACHE_DIR: ${{ github.workspace }}/.cache/onnx-model-cache | |
| ONNXRUNTIME_TEST_ALL_MINILM_MODEL_URL: 'https://huggingface.co/sentence-transformers/all-MiniLM-L6-v2/resolve/main/onnx/model.onnx' | |
| ONNXRUNTIME_TEST_ALL_MINILM_MODEL_SHA256: '6fd5d72fe4589f189f8ebc006442dbb529bb7ce38f8082112682524616046452' | |
| ONNXRUNTIME_TEST_ALL_MINILM_TOKENIZER_URL: 'https://huggingface.co/sentence-transformers/all-MiniLM-L6-v2/resolve/main/tokenizer.json' | |
| ONNXRUNTIME_TEST_ALL_MINILM_TOKENIZER_SHA256: 'be50c3628f2bf5bb5e3a7f17b1f74611b2561a3a27eeab05e5aa30f411572037' | |
| ONNXRUNTIME_TEST_SPLADE_MODEL_URL: 'https://huggingface.co/prithivida/Splade_PP_en_v1/resolve/762be6a7206e2f299182705972a65e5c46e62be2/onnx/model.onnx' | |
| ONNXRUNTIME_TEST_SPLADE_MODEL_SHA256: '0934583a27a031a66b2e847cbc260fbbef29689e969f500436460ef5146a43f2' | |
| ONNXRUNTIME_TEST_SPLADE_TOKENIZER_URL: 'https://huggingface.co/prithivida/Splade_PP_en_v1/resolve/762be6a7206e2f299182705972a65e5c46e62be2/tokenizer.json' | |
| ONNXRUNTIME_TEST_SPLADE_TOKENIZER_SHA256: '2fc687b11de0bc1b3d8348f92e3b49ef1089a621506c7661fbf3248fcd54947e' | |
| # Documentation/cache-key marker only; runtime defaults are pinned in embeddings/openclip/bootstrap.go. | |
| ONNXRUNTIME_TEST_OPENCLIP_REPO_ID: 'amikos/openclip-vit-b-32-laion2b-s34b-b79k-onnx' | |
| ONNXRUNTIME_TEST_OPENCLIP_REVISION: '248a2ed76a7189fc080e654e36930171331ef085' | |
| ONNXRUNTIME_TEST_OPENCLIP_TEXT_MODEL_SHA256: '252b86e0ef1fc95b22cfd52fbf647142727fdbecc152556ffe0fba0b10a80370' | |
| ONNXRUNTIME_TEST_OPENCLIP_VISION_MODEL_SHA256: '7e14f76233d0c840c0621b1ef68f5877efe9357850782b1bbaf0c01693f73b43' | |
| ONNXRUNTIME_TEST_OPENCLIP_TOKENIZER_SHA256: 'b556ac8c99757ffb677208af34bc8c6721572114111a6e0aaf5fa69ff0b8d842' | |
| ONNXRUNTIME_TEST_OPENCLIP_PREPROCESSOR_SHA256: '910e70b3956ac9879ebc90b22fb3bc8a75b6a0677814500101a4c072bd7857bd' | |
| # Hosted OpenCLIP golden rows are Python-generated references; allow cross-framework drift. | |
| ONNXRUNTIME_TEST_OPENCLIP_GOLDEN_TOLERANCE: '2' | |
| HF_DATASET_REPO: 'tazarov/pure-onnx' | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - name: Setup Go | |
| uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6 | |
| with: | |
| go-version: ${{ env.GO_VERSION_STABLE }} | |
| cache: true | |
| - name: Get dependencies | |
| run: go mod download | |
| - name: Compute embedding cache key | |
| shell: bash | |
| run: | | |
| KEY_INPUT="${ONNXRUNTIME_TEST_ALL_MINILM_MODEL_SHA256}|${ONNXRUNTIME_TEST_ALL_MINILM_TOKENIZER_SHA256}|${ONNXRUNTIME_TEST_SPLADE_MODEL_SHA256}|${ONNXRUNTIME_TEST_SPLADE_TOKENIZER_SHA256}|${ONNXRUNTIME_TEST_OPENCLIP_REPO_ID}|${ONNXRUNTIME_TEST_OPENCLIP_REVISION}|${ONNXRUNTIME_TEST_OPENCLIP_TEXT_MODEL_SHA256}|${ONNXRUNTIME_TEST_OPENCLIP_VISION_MODEL_SHA256}|${ONNXRUNTIME_TEST_OPENCLIP_TOKENIZER_SHA256}|${ONNXRUNTIME_TEST_OPENCLIP_PREPROCESSOR_SHA256}" | |
| KEY_DIGEST="$(printf '%s' "${KEY_INPUT}" | sha256sum | awk '{print $1}')" | |
| echo "EMBEDDING_ASSETS_CACHE_KEY=${KEY_DIGEST}" >> "$GITHUB_ENV" | |
| - name: Cache embedding model assets | |
| uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 | |
| with: | |
| path: ${{ env.ONNXRUNTIME_TEST_MODEL_CACHE_DIR }} | |
| key: embedding-assets-v3-${{ runner.os }}-${{ env.EMBEDDING_ASSETS_CACHE_KEY }} | |
| - name: Download ONNX Runtime shared library | |
| timeout-minutes: 10 | |
| run: | | |
| ORT_ARCHIVE="onnxruntime-linux-x64-${ORT_VERSION}" | |
| ORT_URL="https://github.com/microsoft/onnxruntime/releases/download/v${ORT_VERSION}/${ORT_ARCHIVE}.tgz" | |
| curl -L --fail --retry 3 --retry-delay 2 --max-time 180 -o "${RUNNER_TEMP}/onnxruntime.tgz" "${ORT_URL}" | |
| echo "${ORT_ARCHIVE_SHA256} ${RUNNER_TEMP}/onnxruntime.tgz" | sha256sum -c - | |
| mkdir -p "${RUNNER_TEMP}/onnxruntime" | |
| tar -xzf "${RUNNER_TEMP}/onnxruntime.tgz" -C "${RUNNER_TEMP}/onnxruntime" --strip-components=1 | |
| echo "ONNXRUNTIME_LIB_PATH=${RUNNER_TEMP}/onnxruntime/lib/libonnxruntime.so" >> "$GITHUB_ENV" | |
| echo "LD_LIBRARY_PATH=${RUNNER_TEMP}/onnxruntime/lib${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}" >> "$GITHUB_ENV" | |
| - name: Run ort real-model integration tests | |
| env: | |
| ONNXRUNTIME_TEST_ALL_MINILM_SEQUENCE_LENGTH: '8' | |
| ONNXRUNTIME_TEST_LEAK_ITERATIONS: '40' | |
| ONNXRUNTIME_TEST_LEAK_MAX_GROWTH_MB: '96' | |
| run: | | |
| go test -v ./ort/... -run 'TestAdvancedSessionRunWithAllMiniLML6V2|TestAdvancedSessionRunWithAllMiniLML6V2MemoryStability' | |
| - name: Run embeddings real-model integration tests | |
| run: | | |
| go test -v ./embeddings/minilm -run TestEmbedDocumentsWithAllMiniLML6V2 | |
| - name: Run SPLADE real-model integration tests | |
| run: | | |
| go test -v ./embeddings/splade -run 'TestEmbedDocumentsWithSPLADEModel|TestSPLADEGoldenRegressionTopK16WithLabels|TestSPLADERepeatabilityTopK16' | |
| - name: Run SPLADE public golden parity test | |
| run: | | |
| go test -v ./embeddings/splade -run TestSPLADEGoldenDatasetParity -count=1 | |
| - name: Run OpenCLIP real-model integration tests | |
| run: | | |
| go test -v ./embeddings/openclip -run 'TestEmbedTextsAndImagesWithOpenCLIPModel|TestOpenCLIPFailsWithWrongInputOutputNames|TestOpenCLIPFailsWithWrongEmbeddingDimension|TestOpenCLIPFailsWithImageSizeMismatch|TestOpenCLIPErrorsAfterClose|TestOpenCLIPCloseIsIdempotent' | |
| - name: Run OpenCLIP public golden parity test | |
| run: | | |
| go test -v ./embeddings/openclip -run TestOpenCLIPGoldenDatasetParity -count=1 | |
| - name: Run real-model benchmarks | |
| env: | |
| ONNXRUNTIME_TEST_ALL_MINILM_SEQUENCE_LENGTH: '8' | |
| run: | | |
| go test -run '^$' \ | |
| -bench 'BenchmarkAdvancedSessionRunWarmWithAllMiniLML6V2|BenchmarkAdvancedSessionCreateRunDestroyWithAllMiniLML6V2' \ | |
| -benchmem \ | |
| -benchtime=3x \ | |
| ./ort/... | |
| build: | |
| name: Build | |
| strategy: | |
| matrix: | |
| go-version: ['1.24.x'] | |
| os: [ubuntu-latest, macos-latest, windows-latest] | |
| runs-on: ${{ matrix.os }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - name: Setup Go | |
| uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6 | |
| with: | |
| go-version: ${{ matrix.go-version }} | |
| cache: true | |
| - name: Get dependencies | |
| run: go mod download | |
| - name: Build | |
| run: go build -v ./... | |
| - name: Build examples | |
| run: | | |
| go build -v -o basic-example ./examples/basic | |
| go build -v -o openclip-example ./examples/openclip | |
| go build -v -o experimental-example ./examples/experimental | |
| mod-tidy: | |
| name: Module Tidiness | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - name: Setup Go | |
| uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6 | |
| with: | |
| go-version: ${{ env.GO_VERSION_STABLE }} | |
| cache: true | |
| - name: Check go mod tidy | |
| run: | | |
| go mod tidy | |
| git diff --exit-code go.mod go.sum | |
| security: | |
| name: Security Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - name: Setup Go | |
| uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6 | |
| with: | |
| go-version: ${{ env.GO_VERSION_STABLE }} | |
| cache: true | |
| - name: Run Gosec Security Scanner | |
| uses: securego/gosec@bb17e422fc34bf4c0a2e5cab9d07dc45a68c040c # v2.24.7 | |
| with: | |
| args: '-no-fail -fmt sarif -out results.sarif -exclude-dir=examples/experimental ./...' | |
| # Allow gosec to continue even if it finds issues. This project uses unsafe operations | |
| # for purego FFI which gosec flags (G103). These are necessary and documented with | |
| # #nosec comments. We continue-on-error to allow the SARIF results to be uploaded | |
| # for review without blocking the build. | |
| continue-on-error: true | |
| - name: Upload SARIF file | |
| uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4 | |
| if: always() | |
| with: | |
| sarif_file: results.sarif | |
| # Allow SARIF upload to fail without blocking CI. This can fail if: | |
| # 1. The repository doesn't have GHAS enabled (e.g., forks, private repos) | |
| # 2. Network issues prevent upload | |
| # The security scan still runs and logs locally, upload failure is non-critical. | |
| continue-on-error: true | |
| vulncheck: | |
| name: Vulnerability Check | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - name: Setup Go | |
| uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6 | |
| with: | |
| go-version: ${{ env.GO_VERSION_VULNCHECK }} | |
| cache: true | |
| - name: Run govulncheck | |
| run: make vulncheck GO_VULNCHECK_TOOLCHAIN=${{ env.GO_VULNCHECK_TOOLCHAIN }} | |
| onnx-runtime-compatibility: | |
| name: ONNX Runtime Compatibility Check | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - name: Setup Go | |
| uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6 | |
| with: | |
| go-version: ${{ env.GO_VERSION_STABLE }} | |
| cache: true | |
| - name: Check ONNX Runtime versions | |
| run: | | |
| make list-ort-versions || echo "Make target not available" | |
| - name: Verify constants match latest ONNX Runtime | |
| run: | | |
| echo "Checking ORT_API_VERSION constant..." | |
| grep -n "ORT_API_VERSION" ort/constants.go || echo "Constants file structure may have changed" |