Running Checks for 299/merge #613
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: "✅ PR Checks" | |
| run-name: "Running Checks for ${{ github.ref_name }}" | |
| on: | |
| pull_request: | |
| branches: | |
| - movement | |
| - l1-migration | |
| - m1 | |
| types: [labeled, opened, synchronize, reopened, auto_merge_enabled] | |
| env: | |
| GIT_SHA: ${{ github.sha }} | |
| GIT_BRANCH: ${{ github.ref_name }} | |
| BUILD_DATE: ${{ github.event.head_commit.timestamp }} | |
| BUILT_VIA_BUILDKIT: "true" | |
| FEATURES: "" | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| check-license-compliance: | |
| name: "Check for post-license-change commits" | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # Need full history to check commits | |
| - name: Check for commits from aptos-labs after license change | |
| run: | | |
| set -e | |
| # The cutoff commit - last commit before aptos-labs changed to permissioned license | |
| CUTOFF_COMMIT="54418cb44d0da652bff0167509ff5bac84fb010a" | |
| echo "==========================================" | |
| echo "License Compliance Check" | |
| echo "==========================================" | |
| echo "Checking for commits from aptos-labs/aptos-core" | |
| echo "Cutoff commit: $CUTOFF_COMMIT (inclusive - this and all after are forbidden)" | |
| echo "" | |
| # Add aptos-labs as a remote if it doesn't exist | |
| if ! git remote | grep -q "^aptos-labs$"; then | |
| git remote add aptos-labs https://github.com/aptos-labs/aptos-core.git | |
| fi | |
| # Fetch from aptos-labs (suppress .gitmodules warnings) | |
| git fetch aptos-labs --quiet 2>&1 | grep -v "\.gitmodules" || true | |
| # Get the main/master branch from aptos-labs | |
| APTOS_BRANCH="" | |
| for branch in main master; do | |
| if git show-ref --verify --quiet refs/remotes/aptos-labs/$branch; then | |
| APTOS_BRANCH=$branch | |
| break | |
| fi | |
| done | |
| if [ -z "$APTOS_BRANCH" ]; then | |
| echo "❌ ERROR: Could not find main or master branch in aptos-labs remote" | |
| exit 1 | |
| fi | |
| # Verify the cutoff commit exists in aptos-labs (but should NOT be in our repo) | |
| if ! git cat-file -e "$CUTOFF_COMMIT" 2>/dev/null; then | |
| echo "❌ ERROR: Cutoff commit $CUTOFF_COMMIT not found in aptos-labs remote" | |
| exit 1 | |
| fi | |
| # Get commits from cutoff onwards, including the cutoff itself (suppress .gitmodules warnings) | |
| CUTOFF_ONLY=$(git log --format=%H "$CUTOFF_COMMIT^..$CUTOFF_COMMIT" 2>/dev/null || echo "") | |
| AFTER_CUTOFF=$(git log --format=%H "$CUTOFF_COMMIT..aptos-labs/$APTOS_BRANCH" 2>/dev/null || echo "") | |
| FORBIDDEN_COMMITS=$(printf "%s\n%s" "$CUTOFF_ONLY" "$AFTER_CUTOFF" | grep -v '^$') | |
| FORBIDDEN_COUNT=$(echo "$FORBIDDEN_COMMITS" | wc -l | tr -d ' ') | |
| echo "Found $FORBIDDEN_COUNT forbidden commit(s) in aptos-labs history to check against" | |
| echo "" | |
| echo "Checking these commits against PR branch HEAD..." | |
| # Check if any of these commits are in our current branch | |
| VIOLATIONS_FOUND=0 | |
| if [ -n "$FORBIDDEN_COMMITS" ]; then | |
| for commit in $FORBIDDEN_COMMITS; do | |
| # Check if this commit is an ancestor of HEAD | |
| if git merge-base --is-ancestor "$commit" HEAD 2>/dev/null; then | |
| if [ $VIOLATIONS_FOUND -eq 0 ]; then | |
| echo "" | |
| echo "❌ LICENSE VIOLATION DETECTED!" | |
| echo "==========================================" | |
| echo "The following commits from aptos-labs/aptos-core" | |
| echo "after the license change were found:" | |
| echo "" | |
| fi | |
| # Get commit details | |
| COMMIT_DATE=$(git show -s --format=%ci "$commit") | |
| COMMIT_SUBJECT=$(git show -s --format=%s "$commit") | |
| COMMIT_AUTHOR=$(git show -s --format="%an <%ae>" "$commit") | |
| echo "Commit: $commit" | |
| echo "Date: $COMMIT_DATE" | |
| echo "Author: $COMMIT_AUTHOR" | |
| echo "Title: $COMMIT_SUBJECT" | |
| echo "" | |
| VIOLATIONS_FOUND=$((VIOLATIONS_FOUND + 1)) | |
| fi | |
| done | |
| fi | |
| if [ $VIOLATIONS_FOUND -gt 0 ]; then | |
| echo "==========================================" | |
| echo "❌ FAILURE: Found $VIOLATIONS_FOUND commit(s) from aptos-labs" | |
| echo "after the license change (commit $CUTOFF_COMMIT)" | |
| echo "" | |
| echo "These commits are under a permissioned license and" | |
| echo "cannot be included in this repository." | |
| echo "" | |
| echo "Please rebase your branch to remove these commits." | |
| echo "==========================================" | |
| exit 1 | |
| fi | |
| echo "" | |
| echo "✅ No license violations detected" | |
| echo "Checked $FORBIDDEN_COUNT commits from aptos-labs against this PR branch" | |
| check-dynamic-deps: | |
| runs-on: macos-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| if: ${{ !inputs.SKIP_JOB }} | |
| with: | |
| ref: ${{ inputs.GIT_SHA }} | |
| # This will exit with failure if any of the banned dynamic deps are found. | |
| - run: ./crates/aptos/scripts/check_dynamic_deps.sh | |
| semgrep: | |
| name: semgrep/ci | |
| runs-on: ubuntu-latest | |
| container: | |
| image: returntocorp/semgrep | |
| options: --user root | |
| # Skip any PR created by dependabot to avoid permission issues: | |
| if: (github.actor != 'dependabot[bot]') | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - run: semgrep ci | |
| env: | |
| SEMGREP_RULES: >- | |
| ./.github/linters/semgrep/pull-request-target-code-checkout.yaml | |
| build-checks: | |
| runs-on: k8s-movement-labs | |
| outputs: | |
| members_changed: ${{ steps.members_check.outputs.changed }} | |
| docker_changed: ${{ steps.docker_check.outputs.changed }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Check if Cargo Members Changed | |
| id: members_check | |
| uses: ./.github/actions/cargo-members-changed | |
| with: | |
| base-ref: ${{ github.event.pull_request.base.ref || 'l1-migration' }} | |
| - name: Check if Docker Files Changed | |
| id: docker_check | |
| uses: ./.github/actions/docker-files-changed | |
| with: | |
| base-ref: ${{ github.event.pull_request.base.ref || 'l1-migration' }} | |
| build-binaries: | |
| needs: build-checks | |
| if: needs.build-checks.outputs.members_changed == 'true' || needs.build-checks.outputs.docker_changed == 'true' | |
| runs-on: k8s-movement-labs | |
| name: "Build Binaries with Nix" | |
| strategy: | |
| matrix: | |
| binary: | |
| - name: "aptos-node" | |
| package: "aptos-node" | |
| profile: "dev" | |
| - name: "aptos-cli" | |
| package: "movement" | |
| profile: "dev" | |
| - name: "l1-migration" | |
| package: "l1-migration" | |
| profile: "dev" | |
| env: | |
| TARGET_FOLDER: target/debug | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Install packages | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y xz-utils | |
| - name: Install Nix | |
| uses: cachix/install-nix-action@v27 | |
| with: | |
| github_access_token: ${{ secrets.GITHUB_TOKEN }} | |
| nix_path: nixpkgs=channel:nixos-unstable | |
| # - name: Cache Rust dependencies | |
| # uses: actions/cache@v4 | |
| # with: | |
| # path: | | |
| # ~/.cargo/registry/index/ | |
| # ~/.cargo/registry/cache/ | |
| # ~/.cargo/git/db/ | |
| # target/ | |
| # key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}-${{ hashFiles('nix/flake.lock') }} | |
| # restore-keys: | | |
| # ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}- | |
| # ${{ runner.os }}-cargo- | |
| # - name: Cache Nix store | |
| # uses: actions/cache@v4 | |
| # with: | |
| # path: /nix/store | |
| # key: ${{ runner.os }}-nix-${{ hashFiles('nix/flake.lock') }} | |
| # restore-keys: | | |
| # ${{ runner.os }}-nix- | |
| - name: Build ${{ matrix.binary.package }} | |
| run: | | |
| echo "Building ${{ matrix.binary.package }} with Nix development shell..." | |
| nix develop -c cargo build -p ${{ matrix.binary.package }} --profile ${{ matrix.binary.profile }} --features "${{ env.FEATURES }}" | |
| echo "Binary available at ${{ env.TARGET_FOLDER }}/${{ matrix.binary.package }}" | |
| - name: Verify binary | |
| run: | | |
| if [ -f "${{ env.TARGET_FOLDER }}/${{ matrix.binary.package }}" ]; then | |
| echo "✅ Binary ${{ matrix.binary.package }} built successfully" | |
| ls -la "${{ env.TARGET_FOLDER }}/${{ matrix.binary.package }}" | |
| else | |
| echo "❌ Binary ${{ matrix.binary.package }} not found" | |
| exit 1 | |
| fi | |
| - name: Upload binary artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ matrix.binary.package }}-${{ github.sha }} | |
| path: ${{ env.TARGET_FOLDER }}/${{ matrix.binary.package }} | |
| retention-days: 7 | |
| # Test CLI release build to verify the release workflow will work | |
| test-cli-release-build: | |
| name: "Test CLI Release Build (${{ matrix.os }})" | |
| strategy: | |
| matrix: | |
| include: | |
| - os: macos-latest | |
| platform: "macOS" | |
| - os: macos-14-large | |
| platform: "macOS" | |
| - os: ubuntu-22.04 | |
| platform: "Linux" | |
| runs-on: ${{ matrix.os }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: ./.github/actions/cli-rust-setup | |
| - name: Test CLI release build | |
| run: | | |
| # Build with skip_checks=true since we're just testing the build | |
| scripts/cli/build_cli_release.sh "${{ matrix.platform }}" "0.0.0-test" "true" "false" | |
| - name: Verify artifact | |
| run: | | |
| ls -la movement-cli-*.zip | |
| echo "✅ CLI release build successful on ${{ matrix.os }}" |