diff --git a/.github/actions/check-android/action.yml b/.github/actions/check-android/action.yml index a1d3e2c..b8d7b9a 100644 --- a/.github/actions/check-android/action.yml +++ b/.github/actions/check-android/action.yml @@ -27,7 +27,7 @@ inputs: runs: using: composite steps: - - uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e # v5.1.0 + - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: distribution: zulu java-version: 23 @@ -63,7 +63,11 @@ runs: WD: ${{ inputs.working-directory }} run: cd "$WD" && cargo ndk --platform "$API_LEVEL" --target "$TARGET" test --no-run + # FIXME: Enable emulator testing for aarch64 once Google ships Android + # emulator binaries for ARM64 Linux hosts. + # See https://issuetracker.google.com/issues/242699119 - shell: bash + if: ${{ !startsWith(inputs.target, 'aarch64') }} env: TARGET: ${{ inputs.target }} API_LEVEL: ${{ inputs.api-level }} @@ -92,6 +96,7 @@ runs: chmod a+x /tmp/rust-android-run-tests-on-emulator.sh - uses: reactivecircus/android-emulator-runner@b530d96654c385303d652368551fb075bc2f0b6b # v2.35.0 + if: ${{ !startsWith(inputs.target, 'aarch64') }} with: api-level: ${{ inputs.api-level }} arch: ${{ startsWith(inputs.target, 'x86_64') && 'x86_64' || (startsWith(inputs.target, 'i686') && 'x86' || (startsWith(inputs.target, 'aarch64') && 'arm64-v8a')) }} diff --git a/.github/actions/check-vm/action.yml b/.github/actions/check-vm/action.yml index 4252cb6..5f9d443 100644 --- a/.github/actions/check-vm/action.yml +++ b/.github/actions/check-vm/action.yml @@ -27,14 +27,14 @@ runs: set -ex pwd case "$PLATFORM" in - freebsd) pkg install -y curl llvm nss pkgconf + freebsd) pkg update -f && pkg install -y curl llvm nss pkgconf ;; openbsd) # TODO: Is there a way to not pin the version of llvm? -z to pkg_add does not work. pkg_add rust rust-clippy rust-rustfmt llvm-21.1.2p0 nss # rustup does not support OpenBSD at all ;; - netbsd) /usr/sbin/pkg_add pkgin && pkgin -y install curl clang nss pkgconf + netbsd) /usr/sbin/pkg_add pkgin && pkgin -y update && pkgin -y install curl clang nss pkgconf ;; - solaris) pkg install clang-libs nss pkg-config + solaris) pkg refresh && pkg install clang-libs nss pkg-config ;; *) echo "Unsupported OS: $PLATFORM" exit 1 @@ -53,30 +53,28 @@ runs: cd "$WD" pwd case "$PLATFORM" in - freebsd) sh rustup.sh --default-toolchain stable --profile minimal --component clippy,llvm-tools,rustfmt -y - . "\$HOME/.cargo/env" - ;; openbsd) export LIBCLANG_PATH=/usr/local/llvm21/lib export LLVM_COV=/usr/local/llvm21/bin/llvm-cov export LLVM_PROFDATA=/usr/local/llvm21/bin/llvm-profdata - [ "$WORKSPACE" ] && EXCLUDE="--exclude fuzz" # Fuzzing not supported on OpenBSD ;; - netbsd) sh rustup.sh --default-toolchain stable --profile minimal --component clippy,llvm-tools,rustfmt -y + *) sh rustup.sh --default-toolchain stable --profile minimal --component clippy,llvm-tools,rustfmt -y . "\$HOME/.cargo/env" - # FIXME: Why do we need to set this on NetBSD? + ;; + esac + case "$PLATFORM" in + netbsd) # FIXME: Why do we need to set this on NetBSD? export LD_LIBRARY_PATH=/usr/pkg/lib/nss:/usr/pkg/lib/nspr - [ "$WORKSPACE" ] && EXCLUDE="--exclude fuzz" # Fuzzing not supported on NetBSD ;; - solaris) curl --output rust.sh -s https://raw.githubusercontent.com/psumbera/solaris-rust/refs/heads/main/sh.rust-web-install - chmod a+x rust.sh - ls -lt - source ./rust.sh || true # This does not exit with zero on success - export LIBCLANG_PATH="/usr/lib/amd64" - [ "$WORKSPACE" ] && EXCLUDE="--exclude fuzz" # Fuzzing not supported on Solaris + solaris) export LIBCLANG_PATH="/usr/lib/amd64" + ;; + esac + case "$PLATFORM" in + freebsd) ;; + *) [ "$WORKSPACE" ] && EXCLUDE="--exclude fuzz" # Fuzzing not supported on this platform ;; esac cargo version - cargo check --locked --all-targets $WORKSPACE \$EXCLUDE + cargo check --locked --all-targets $WORKSPACE \${EXCLUDE:-} case "$PLATFORM" in openbsd) # clippy fails on OpenBSD, because libfuzzer-sys is not supported. ;; @@ -105,7 +103,7 @@ runs: echo "envs=CARGO_TERM_COLOR RUST_BACKTRACE RUST_LOG RUST_TEST_TIME_UNIT RUST_TEST_TIME_INTEGRATION RUST_TEST_TIME_DOCTEST WD" >> "$GITHUB_OUTPUT" - if: ${{ inputs.platform == 'freebsd' }} - uses: vmactions/freebsd-vm@ba6bedee4a4884da2b782a41a64329a1c8e42ffb # v1.3.8 + uses: vmactions/freebsd-vm@4807432c7cab1c3f97688665332c0b932062d31f # v1.4.3 with: usesh: true disable-cache: true @@ -114,7 +112,7 @@ runs: run: ${{ steps.prep.outputs.run }} - if: ${{ inputs.platform == 'openbsd' }} - uses: vmactions/openbsd-vm@f5b9bc1261c3d4eed9639fcae0cf5dcc5374ca0c # v1.3.2 + uses: vmactions/openbsd-vm@3fafb45f2e2e696249c583835939323fe1c3448c # v1.3.7 with: usesh: true disable-cache: true @@ -123,7 +121,7 @@ runs: run: ${{ steps.prep.outputs.run }} - if: ${{ inputs.platform == 'netbsd' }} - uses: vmactions/netbsd-vm@37b614756f0b44b02f5dab4fd9ecb27545d1785e # v1.3.2 + uses: vmactions/netbsd-vm@e04aec09540429f9cebb0e7941f7cd0c0fc3b44f # v1.3.6 with: usesh: true disable-cache: true @@ -132,7 +130,7 @@ runs: run: ${{ steps.prep.outputs.run }} - if: ${{ inputs.platform == 'solaris' }} - uses: vmactions/solaris-vm@37d40b6627e80434541454b42841caa4cc77d0cf # v1.2.7 + uses: vmactions/solaris-vm@69d382b4a775b25ea5955e6c1730e9d05047ca0d # v1.3.1 with: release: "11.4-gcc" usesh: true diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml index 532d994..683d6f4 100644 --- a/.github/workflows/check.yml +++ b/.github/workflows/check.yml @@ -11,6 +11,8 @@ env: RUST_TEST_TIME_UNIT: 10,30 RUST_TEST_TIME_INTEGRATION: 10,30 RUST_TEST_TIME_DOCTEST: 10,30 + CARGO_PROFILE_RELEASE_LTO: "true" + CARGO_PROFILE_RELEASE_CODEGEN_UNITS: 1 concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} @@ -35,7 +37,7 @@ jobs: persist-credentials: false - id: toolchains - uses: ./.github/actions/toolchains + uses: mozilla/actions/toolchains@b6b1031d2072eb8c2b181887cb5e194ebcc5caab # v1.0.4 check: name: Run checks @@ -76,19 +78,17 @@ jobs: with: persist-credentials: false - - uses: ./.github/actions/rust + - uses: mozilla/actions/rust@b6b1031d2072eb8c2b181887cb5e194ebcc5caab # v1.0.4 with: version: ${{ matrix.rust-toolchain }} components: ${{ matrix.rust-toolchain == 'stable' && 'llvm-tools' || '' }} ${{ matrix.rust-toolchain == 'nightly' && startsWith(matrix.os, 'ubuntu') && !endsWith(matrix.os, 'arm') && 'rust-src ' || '' }} - tools: ${{ matrix.rust-toolchain == 'stable' && 'cargo-llvm-cov' || '' }} ${{ matrix.rust-toolchain == 'nightly' && startsWith(matrix.os, 'ubuntu') && !endsWith(matrix.os, 'arm') && 'cargo-careful ' || '' }} + tools: ${{ matrix.rust-toolchain == 'stable' && 'cargo-llvm-cov' || '' }},${{ matrix.rust-toolchain == 'nightly' && startsWith(matrix.os, 'ubuntu') && !endsWith(matrix.os, 'arm') && 'cargo-careful' || '' }} token: ${{ secrets.GITHUB_TOKEN }} - - id: nss-version - run: echo "minimum=$(cat min_version.txt)" >> "$GITHUB_OUTPUT" - - - uses: ./.github/actions/nss + - uses: mozilla/actions/nss@b6b1031d2072eb8c2b181887cb5e194ebcc5caab # v1.0.4 with: - minimum-version: ${{ steps.nss-version.outputs.minimum }} + version-file: min_version.txt + token: ${{ secrets.GITHUB_TOKEN }} - name: Check run: | @@ -129,16 +129,16 @@ jobs: with: files: codecov.json fail_ci_if_error: false - token: ${{ secrets.CODECOV_TOKEN }} + token: ${{ secrets.CODECOV_TOKEN }} # zizmor: ignore[secrets-outside-env] verbose: true flags: ${{ startsWith(matrix.os, 'ubuntu') && 'linux' || startsWith(matrix.os, 'macos') && 'macos' || 'windows' }} env: - CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} # zizmor: ignore[secrets-outside-env] if: matrix.type == 'debug' && matrix.rust-toolchain == 'stable' - name: Save simulation seeds artifact if: ${{ always() }} - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: simulation-seeds-${{ matrix.os }}-${{ matrix.rust-toolchain }}-${{ matrix.type }} path: simulation-seeds @@ -151,7 +151,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - - uses: ./.github/actions/rust + - uses: mozilla/actions/rust@b6b1031d2072eb8c2b181887cb5e194ebcc5caab # v1.0.4 with: version: stable tools: cargo-hack @@ -165,26 +165,28 @@ jobs: runs-on: ubuntu-24.04 strategy: matrix: - target: ['x86_64-linux-android', 'i686-linux-android'] # 'aarch64-linux-android' not currently working + target: ["x86_64-linux-android", "aarch64-linux-android"] steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - - id: nss-version - run: echo "minimum=$(cat min_version.txt)" >> "$GITHUB_OUTPUT" - uses: ./.github/actions/check-android with: target: ${{ matrix.target }} - minimum-nss-version: ${{ steps.nss-version.outputs.minimum }} github-token: ${{ secrets.GITHUB_TOKEN }} check-vm: name: Run checks for VM-only platforms runs-on: ubuntu-24.04 + # OpenBSD and NetBSD have NSS packages that are too old. + # Allow them to fail without aborting the merge queue. + continue-on-error: ${{ github.event_name == 'merge_group' && matrix.os != 'freebsd' }} strategy: fail-fast: false matrix: - os: [ freebsd, openbsd, netbsd ] # NSS package on 'solaris' is too old. + # TODO: Re-enable openbsd once OpenBSD > 7.8 ships; nss-3.101 (the version in 7.8) is too old. + # TODO: Re-enable netbsd once NetBSD > 10.1 ships with NSS >= 3.121. + os: [freebsd] # NSS package on 'solaris' is too old. steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -192,5 +194,4 @@ jobs: - uses: ./.github/actions/check-vm with: platform: ${{ matrix.os }} - codecov-token: ${{ secrets.CODECOV_TOKEN }} - + codecov-token: ${{ secrets.CODECOV_TOKEN }} # zizmor: ignore[secrets-outside-env] diff --git a/.github/workflows/mutants.yml b/.github/workflows/mutants.yml index 35cb0f5..3f78d2b 100644 --- a/.github/workflows/mutants.yml +++ b/.github/workflows/mutants.yml @@ -93,7 +93,7 @@ jobs: # This seems to be a GitHub-internal protection feature that we can't control: # https://github.com/actions/runner-images/issues/6680 - - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 if: always() with: name: mutants.out-${{ matrix.shard }} @@ -106,7 +106,7 @@ jobs: needs: mutants runs-on: ubuntu-24.04 steps: - - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: pattern: mutants.out-* path: shards @@ -124,7 +124,7 @@ jobs: rm -f mutants.out/shard-*/"$category.txt" done - - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 id: upload with: name: mutants.out diff --git a/.github/workflows/sanitize.yml b/.github/workflows/sanitize.yml index 01842f5..ab549c6 100644 --- a/.github/workflows/sanitize.yml +++ b/.github/workflows/sanitize.yml @@ -84,7 +84,7 @@ jobs: - name: Save simulation seeds artifact if: ${{ env.DUMP_SIMULATION_SEEDS }} - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: simulation-seeds-${{ matrix.os }}-sanitizer-${{ matrix.sanitizer }} path: ${{ env.DUMP_SIMULATION_SEEDS }}