Skip to content

workflows: Nudge maintainers to knight new contributors #6823

workflows: Nudge maintainers to knight new contributors

workflows: Nudge maintainers to knight new contributors #6823

Workflow file for this run

name: ci
on:
pull_request:
merge_group:
concurrency:
group: >-
${{ github.workflow }}-${{
github.event.pull_request.number
|| github.event.merge_group.head_ref
}}
cancel-in-progress: true
permissions: {}
jobs:
test:
strategy:
fail-fast: ${{ github.event_name == 'merge_group' }}
matrix:
build: [linux-x86_64-gnu, linux-aarch64-gnu, macos-x86_64, macos-aarch64, windows-x86_64, windows-aarch64]
include:
- build: linux-x86_64-gnu
os: ubuntu-24.04
cargo_flags: "--all-features"
- build: linux-aarch64-gnu
os: ubuntu-24.04-arm
cargo_flags: "--all-features"
- build: macos-x86_64
os: macos-15
cargo_flags: ""
- build: macos-aarch64
os: macos-15
cargo_flags: ""
- build: windows-x86_64
os: windows-2022
cargo_flags: ""
- build: windows-aarch64
os: windows-11-arm
cargo_flags: ""
runs-on: ${{ matrix.os }}
# TODO FIXME (aseipp): keep the timeout limit to ~20 minutes. this is long
# enough to give us runway for the future, but also once we hit it, we're at
# the "builds are taking too long" stage and we should start looking at ways
# to optimize the CI, or the CI is flaking out on some weird spiked machine
#
# at the same time, this avoids some issues where some flaky, bugged tests
# seem to be causing multi-hour runs on Windows (GPG signing issues), which
# is a problem we should fix. in the mean time, this will make these flakes
# less harmful, as it won't cause builds to spin for multiple hours, requiring
# manual cancellation.
#
# keep a log of updates (along with committed date) below:
#
# 2025-03-20 (aseipp): peak p99 builds seemed to be long, bump 15m -> 20m
# 2025-10-06 (aseipp): x86 macos runners consistently slower, bump 20m -> 25m
timeout-minutes: 25
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
with:
persist-credentials: false
- name: Set up Windows Builders
if: startswith(matrix.os, 'windows-x86_64') # FIXME: aarch64 doesn't have D:\ yet
uses: ./.github/actions/setup-windows
- name: Install Rust
uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9
with:
toolchain: 1.88
- uses: taiki-e/install-action@e43a5023a747770bfcb71ae048541a681714b951
with:
tool: nextest
- name: Install mold
uses: rui314/setup-mold@725a8794d15fc7563f59595bd9556495c0564878
with:
make-default: false
- name: Build
run: >-
cargo build
--config .cargo/config-ci.toml
--workspace
--all-targets
--verbose
${{ matrix.cargo_flags }}
- name: Test
run: >-
cargo nextest run
--config .cargo/config-ci.toml
--workspace
--all-targets
--verbose
--profile ci
${{ matrix.cargo_flags }}
env:
RUST_BACKTRACE: 1
CARGO_TERM_COLOR: always
no-git:
name: build (no git)
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
with:
persist-credentials: false
- name: Install Rust
uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9
with:
toolchain: 1.88
- name: Build
run: cargo build -p jj-cli --no-default-features --verbose
build-nix:
name: nix flake
strategy:
fail-fast: ${{ github.event_name == 'merge_group' }}
matrix:
os: [ubuntu-24.04, ubuntu-24.04-arm, macos-14]
runs-on: ${{ matrix.os }}
timeout-minutes: 15
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
with:
fetch-depth: 0
persist-credentials: false
- uses: cachix/install-nix-action@fd24c48048070c1be9acd18c9d369a83f0fe94d7
- run: nix flake check -L --show-trace
check-protos:
name: check (protos)
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
with:
persist-credentials: false
- uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9
with:
toolchain: stable
- run: sudo apt update && sudo apt-get -y install protobuf-compiler
- name: Generate Rust code from .proto files
run: cargo run -p gen-protos
- name: Check for uncommitted changes
run: git diff --exit-code
check-rustfmt:
name: check (rustfmt)
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
with:
persist-credentials: false
- uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9
with:
toolchain: nightly
components: rustfmt
- run: cargo +nightly fmt --all -- --check
check-clippy:
name: check (clippy)
permissions:
checks: write
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
with:
persist-credentials: false
- uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9
with:
toolchain: stable
components: clippy
- run: cargo +stable clippy --all-features --workspace --all-targets -- -D warnings
check-cargo-deny:
runs-on: ubuntu-24.04
strategy:
matrix:
checks:
- advisories
- bans
- licenses
- sources
# Prevent sudden announcement of a new advisory from failing ci:
continue-on-error: ${{ matrix.checks == 'advisories' }}
name: check (cargo-deny, ${{ matrix.checks }})
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
with:
persist-credentials: false
- uses: EmbarkStudios/cargo-deny-action@f2ba7abc2abebaf185c833c3961145a3c275caad
with:
command: check ${{ matrix.checks }}
check-codespell:
name: check (codespell)
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
with:
persist-credentials: false
- uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c
with:
python-version: 3.11
- name: Install uv
uses: astral-sh/setup-uv@2ddd2b9cb38ad8efd50337e8ab201519a34c9f24
with:
# If you bump the version, also update docs/contributing.md
# and all other workflows that install uv
version: "0.5.1"
- name: Run Codespell
run: uv run -- codespell && echo Codespell exited successfully
check-doctests:
name: check (doctests)
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
with:
persist-credentials: false
- uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9
with:
toolchain: 1.88
# NOTE: We need to run `cargo test --doc` separately from normal tests:
# - `cargo build --all-targets` specifies: "Build all targets"
# - `cargo test --all-targets` specifies: "Test all targets (does not include doctests)"
- name: Run doctests
run: cargo test --workspace --doc
env:
RUST_BACKTRACE: 1
- name: Check `cargo doc` for lint issues
env:
RUSTDOCFLAGS: "--deny warnings"
run: cargo doc --workspace --no-deps
check-mkdocs:
name: check (mkdocs)
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
with:
persist-credentials: false
- uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c
with:
python-version: 3.11
- name: Install uv
uses: astral-sh/setup-uv@2ddd2b9cb38ad8efd50337e8ab201519a34c9f24
with:
# If you bump the version, also update docs/contributing.md
# and all other workflows that install uv
version: "0.5.1"
- name: Check that `mkdocs` can build the docs
run: uv run -- mkdocs build --strict
# An optional job to alert us when uv updates break the build
check-mkdocs-latest:
name: check (latest mkdocs, optional)
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
with:
persist-credentials: false
- name: Install uv
uses: astral-sh/setup-uv@2ddd2b9cb38ad8efd50337e8ab201519a34c9f24
# 'only-managed' means that uv will always download Python, even
# if the runner happens to provide a compatible version
- name: Check that `mkdocs` can build the docs
run: uv run --python-preference=only-managed -- mkdocs build --strict
check-zizmor:
name: check (zizmor)
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
with:
persist-credentials: false
- name: Install the latest version of uv
uses: astral-sh/setup-uv@2ddd2b9cb38ad8efd50337e8ab201519a34c9f24
- name: Run zizmor
run: uvx zizmor --format sarif . > results.sarif
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@16140ae1a102900babc80a33c44059580f687047
with:
sarif_file: results.sarif
category: zizmor
# Count the (very approximate) number of dependencies in Cargo.lock and bail at a certain limit.
check-cargo-lock-bloat:
name: check (Cargo.lock dependency count)
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
with:
persist-credentials: false
- name: Check total dependency count in Cargo.lock
run: |
total_deps=$(./.github/scripts/count-cargo-lock-packages)
if [ "$total_deps" -gt "${TOTAL_DEP_LIMIT}" ]; then
./.github/scripts/dragon-bureaucrat \
"Cargo.lock has too many dependencies ($total_deps > ${TOTAL_DEP_LIMIT}). The Dragon banishes thee!
You can raise the limit in \`.github/workflows/ci.yml\` if necessary, but
consider whether it’s possible to trim things down first."
else
echo "Counted $total_deps Cargo.lock dependencies." \
"This is within the allowed limit of ${TOTAL_DEP_LIMIT}."
fi
env:
# This limit *can* be raised, we just want to be aware if we exceed it
TOTAL_DEP_LIMIT: 550
# Block the merge if required checks fail, but only in the merge
# queue. See also `required-checks-hack.yml`.
required-checks:
name: required checks (merge queue)
if: ${{ always() && github.event_name == 'merge_group' }}
needs:
- test
- no-git
- build-nix
- check-protos
- check-rustfmt
- check-clippy
- check-cargo-deny
- check-codespell
- check-doctests
- check-mkdocs
# - check-mkdocs-latest
# - check-zizmor
- check-cargo-lock-bloat
runs-on: ubuntu-latest
steps:
- name: Block merge if required checks fail
if: >-
${{
contains(needs.*.result, 'failure')
|| contains(needs.*.result, 'cancelled')
}}
run: exit 1