feat: add blapi feature to bypass PKCS#11 in RecordProtection
#178
| name: CI | |
| on: | |
| pull_request: | |
| merge_group: | |
| workflow_dispatch: | |
| env: | |
| CARGO_TERM_COLOR: always | |
| RUST_BACKTRACE: 1 | |
| RUST_TEST_TIME_UNIT: 10,30 | |
| RUST_TEST_TIME_INTEGRATION: 10,30 | |
| RUST_TEST_TIME_DOCTEST: 10,30 | |
| CARGO_PROFILE_RELEASE_LTO: true | |
| CARGO_PROFILE_RELEASE_CODEGEN_UNITS: 1 | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| defaults: | |
| run: | |
| shell: bash | |
| jobs: | |
| toolchains: | |
| name: Determine toolchains | |
| runs-on: ubuntu-24.04 | |
| outputs: | |
| toolchains: ${{ steps.toolchains.outputs.toolchains }} | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - id: toolchains | |
| uses: mozilla/actions/toolchains@27cbe8fb5d338c2861b787e5de10410559065db1 # v1.1.3 | |
| check: | |
| name: Run checks | |
| needs: toolchains | |
| # TODO: Restore `environment: codecov` once GitHub supports filtering deployment messages. | |
| # environment: codecov | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: [ubuntu-24.04, ubuntu-24.04-arm, macos-15, windows-2025] | |
| rust-toolchain: ${{ fromJSON(needs.toolchains.outputs.toolchains) }} | |
| type: [debug] | |
| # Include some dynamically-linked release builds, to check that that works on all platforms. | |
| include: | |
| - os: ubuntu-24.04 | |
| rust-toolchain: stable | |
| type: release | |
| - os: macos-15 | |
| rust-toolchain: stable | |
| type: release | |
| - os: windows-2025 | |
| rust-toolchain: stable | |
| type: release | |
| # Also do some debug builds on the oldest OS versions. | |
| - os: ubuntu-22.04 | |
| rust-toolchain: stable | |
| type: debug | |
| - os: macos-14 | |
| rust-toolchain: stable | |
| type: debug | |
| - os: windows-2022 | |
| rust-toolchain: stable | |
| type: debug | |
| env: | |
| BUILD_TYPE: ${{ matrix.type == 'release' && '--release' || '' }} | |
| runs-on: ${{ matrix.os }} | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - uses: mozilla/actions/rust@27cbe8fb5d338c2861b787e5de10410559065db1 # v1.1.3 | |
| with: | |
| version: ${{ matrix.rust-toolchain }} | |
| components: ${{ matrix.rust-toolchain == 'stable' && 'llvm-tools' || '' }} ${{ matrix.rust-toolchain == 'nightly' && startsWith(matrix.os, 'ubuntu') && !endsWith(matrix.os, 'arm') && 'rust-src ' || '' }} | |
| tools: ${{ matrix.rust-toolchain == 'stable' && 'cargo-llvm-cov' || '' }} ${{ matrix.rust-toolchain == 'nightly' && startsWith(matrix.os, 'ubuntu') && !endsWith(matrix.os, 'arm') && 'cargo-careful ' || '' }} cargo-hack | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - uses: mozilla/actions/nss@27cbe8fb5d338c2861b787e5de10410559065db1 # v1.1.3 | |
| with: | |
| version-file: min_version.txt | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Check | |
| run: | | |
| # shellcheck disable=SC2086 | |
| cargo check $BUILD_TYPE --locked --all-targets | |
| - name: Check feature powerset | |
| run: | | |
| # shellcheck disable=SC2086 | |
| cargo hack check $BUILD_TYPE --locked --feature-powerset --no-dev-deps --exclude-features gecko --mutually-exclusive-features blapi,disable-encryption | |
| - name: Run tests and determine coverage | |
| env: | |
| RUST_LOG: trace | |
| RUST_BACKTRACE: 1 | |
| RUST_TEST_TIME_UNIT: 10,30 | |
| RUST_TEST_TIME_INTEGRATION: 10,30 | |
| RUST_TEST_TIME_DOCTEST: 10,30 | |
| TOOLCHAIN: ${{ matrix.rust-toolchain }} | |
| # FIXME: cargo-careful at the moment only works on amd64 Ubuntu | |
| CAREFUL: ${{ matrix.rust-toolchain == 'nightly' && startsWith(matrix.os, 'ubuntu') && !endsWith(matrix.os, 'arm') && 'careful' || '' }} | |
| run: | | |
| DUMP_SIMULATION_SEEDS="$(pwd)/simulation-seeds" | |
| export DUMP_SIMULATION_SEEDS | |
| # shellcheck disable=SC2086 | |
| if [ "$TOOLCHAIN" == "stable" ]; then | |
| cargo llvm-cov test $BUILD_TYPE --locked --include-ffi --codecov --output-path codecov.json | |
| else | |
| if [ -n "$CAREFUL" ]; then | |
| TRIPLE="--target $(rustc --print host-tuple)" | |
| fi | |
| cargo $CAREFUL test $BUILD_TYPE --locked $TRIPLE | |
| fi | |
| - name: Test feature powerset | |
| run: | | |
| # shellcheck disable=SC2086 | |
| cargo hack test $BUILD_TYPE --locked --feature-powerset --exclude-features gecko --mutually-exclusive-features blapi,disable-encryption | |
| - name: CodeCov Windows workaround | |
| if: ${{ startsWith(matrix.os, 'windows') && matrix.type == 'debug' && matrix.rust-toolchain == 'stable' }} | |
| run: | | |
| # FIXME: Without this, the codecov/codecov-action fails. No idea why it's looking under C:/msys64 now, it shouldn't. | |
| mkdir -p C:/msys64/home/runneradmin/ | |
| touch C:/msys64/home/runneradmin/.gitconfig | |
| - uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0 | |
| with: | |
| files: codecov.json | |
| fail_ci_if_error: false | |
| token: ${{ secrets.CODECOV_TOKEN }} # zizmor: ignore[secrets-outside-env] | |
| verbose: true | |
| flags: ${{ startsWith(matrix.os, 'ubuntu') && 'linux' || startsWith(matrix.os, 'macos') && 'macos' || 'windows' }} | |
| env: | |
| CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} # zizmor: ignore[secrets-outside-env] | |
| if: matrix.type == 'debug' && matrix.rust-toolchain == 'stable' | |
| - name: Save simulation seeds artifact | |
| if: ${{ always() }} | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 | |
| with: | |
| name: simulation-seeds-${{ matrix.os }}-${{ matrix.rust-toolchain }}-${{ matrix.type }} | |
| path: simulation-seeds | |
| compression-level: 9 | |
| check-cargo-lock: | |
| name: Ensure `Cargo.lock` contains all required dependencies | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - uses: mozilla/actions/rust@27cbe8fb5d338c2861b787e5de10410559065db1 # v1.1.3 | |
| with: | |
| version: stable | |
| tools: cargo-hack | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - run: | | |
| cargo update -w --locked | |
| cargo hack update -w --locked | |
| check-android: | |
| name: Check Android | |
| runs-on: ubuntu-24.04 | |
| strategy: | |
| matrix: | |
| target: ["x86_64-linux-android", "aarch64-linux-android"] | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - id: nss-version | |
| run: echo "minimum=$(cat min_version.txt)" >> "$GITHUB_OUTPUT" | |
| - uses: ./.github/actions/check-android | |
| with: | |
| target: ${{ matrix.target }} | |
| minimum-nss-version: ${{ steps.nss-version.outputs.minimum }} | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| check-vm: | |
| name: Run checks for VM-only platforms | |
| runs-on: ubuntu-24.04 | |
| # TODO: Restore `environment: codecov` once GitHub supports filtering deployment messages. | |
| # environment: codecov | |
| # OpenBSD, NetBSD and Solaris often have NSS packages that are too old. | |
| # Allow them to fail without aborting the merge queue. | |
| continue-on-error: ${{ github.event_name == 'merge_group' && matrix.os != 'freebsd' }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| # TODO: Re-enable openbsd once OpenBSD > 7.8 ships; nss-3.101 (the version in 7.8) is too old. | |
| # TODO: Re-enable NetBSD once NetBSD > 10.1 ships with NSS >= 3.121. | |
| os: [freebsd] # NSS package on 'solaris' is too old. | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - uses: ./.github/actions/check-vm | |
| with: | |
| platform: ${{ matrix.os }} | |
| codecov-token: ${{ secrets.CODECOV_TOKEN }} # zizmor: ignore[secrets-outside-env] | |
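Review bot: The coverage run in the "Run tests and determine coverage" step (`cargo llvm-cov test $BUILD_TYPE --locked --include-ffi --codecov --output-path codecov.json`) builds with the default feature set, so the new `blapi` path is exercised only by the "Test feature powerset" step and never appears in codecov.json. Because `blapi` is the feature that bypasses PKCS#11 in RecordProtection, its tests are precisely the ones reviewers will want coverage figures for; one way to include them is to split the step into `cargo llvm-cov test $BUILD_TYPE --locked --include-ffi --no-report`, `cargo llvm-cov test $BUILD_TYPE --locked --include-ffi --features blapi --no-report` and `cargo llvm-cov report --codecov --output-path codecov.json`, or at minimum add a comment on the step such as `# NOTE: blapi is only exercised by the feature-powerset step and is not part of the coverage report`. The `--mutually-exclusive-features blapi,disable-encryption` argument on both cargo-hack steps is the only visible trace of the new feature in this file, and it guards only what CI compiles; if the crate does not also reject that combination at compile time, a downstream build can still enable both, which is worth confirming since that lives outside this workflow. The diff markers were lost in rendering, so which of these lines the commit actually touched is inferred from the commit title.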