Migrate zig compiler #413
| name: test (${{ matrix.os }}) | ||
| runs-on: ${{ matrix.os }} | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| os: [ubuntu-22.04, ubuntu-24.04, ubuntu-24.04-arm, macos-15] | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| os: | ||
| - macos-15 # Apple Silicon | ||
| - macos-15-intel # Intel Mac | ||
| - ubuntu-22.04 # Linux x86_64 | ||
| - ubuntu-24.04-arm # Linux ARM64 | ||
| defaults: | ||
| run: | ||
| shell: bash | ||
|
|
||
| - name: Does init() in platform/src/lib.rs contain all roc_fx functions? (Imperfect check) | ||
| run: cat platform/src/lib.rs | grep -oP 'roc_fx_[^(\s]*' | sort | uniq -u | grep -q . && exit 1 || exit 0 | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - uses: roc-lang/setup-roc@39c354a6a838a0089eea9068a0414f49b62c5c08 | ||
| - name: Install Zig | ||
| uses: mlugg/setup-zig@v2 | ||
| with: | ||
| # Note: nightly hashes are not verified because they are updated regularly. | ||
| version: nightly | ||
| version: 0.15.2 | ||
|
|
||
| - run: roc version | ||
| - name: Install Rust | ||
| uses: dtolnay/rust-toolchain@stable | ||
|
|
||
| - name: Install dependencies (Ubuntu) | ||
| - name: Install expect (Ubuntu) | ||
| if: startsWith(matrix.os, 'ubuntu-') | ||
| run: | | ||
| sudo apt install -y expect ncat ripgrep | ||
| run: sudo apt-get install -y expect | ||
|
|
||
| - name: Install dependencies (macOS) | ||
| - name: Install expect (macOS) | ||
| if: startsWith(matrix.os, 'macos-') | ||
| run: | | ||
| brew install expect # expect for testing | ||
| brew install nmap # includes ncat, for tcp-client example | ||
| brew install ripgrep # ripgrep for ci/check_all_exposed_funs_tested.roc | ||
| - run: expect -v | ||
| run: brew install expect | ||
|
|
||
| - name: Run all tests | ||
| run: ROC=roc EXAMPLES_DIR=./examples/ ./ci/all_tests.sh | ||
|
|
||
| - name: Install dependencies for musl build | ||
| if: startsWith(matrix.os, 'ubuntu-') | ||
| run: | | ||
| sudo apt-get install -y musl-tools | ||
| if [[ "${{ matrix.os }}" == *"-arm" ]]; then | ||
| # TODO re-enable once TODO below is done: rustup target add aarch64-unknown-linux-musl | ||
| echo "no-op" | ||
| else | ||
| rustup target add x86_64-unknown-linux-musl | ||
| fi | ||
| - name: Test building with musl target | ||
| if: startsWith(matrix.os, 'ubuntu-') | ||
| env: | ||
| ROC: roc | ||
| run: | | ||
| if [[ "${{ matrix.os}}" == *"-arm" ]]; then | ||
| # TODO debug this: CARGO_BUILD_TARGET=aarch64-unknown-linux-musl $ROC build.roc | ||
| echo "no-op" | ||
| else | ||
| CARGO_BUILD_TARGET=x86_64-unknown-linux-musl $ROC build.roc | ||
| fi | ||
| - name: Test using musl build | ||
| if: startsWith(matrix.os, 'ubuntu-') | ||
| run: | | ||
| # TODO remove `if` when above TODOs are done | ||
| if [[ "${{ matrix.os }}" != *"-arm" ]]; then | ||
| NO_BUILD=1 IS_MUSL=1 ROC=roc EXAMPLES_DIR=./examples/ ./ci/all_tests.sh | ||
| fi | ||
| run: ./ci/all_tests.sh |
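Review bot: The `Install Zig` step references `mlugg/setup-zig@v2` by a movable tag, and `actions/checkout@v4` and `dtolnay/rust-toolchain@stable` are likewise tag or branch references, while `roc-lang/setup-roc@39c354a6a838a0089eea9068a0414f49b62c5c08` in the same workflow is pinned to a full commit SHA. Pin these three to commit SHAs as well, keeping the version as a trailing comment, so that a retagged release cannot change what runs in CI. Separately, the `run: sudo apt-get install -y expect` step has no `apt-get update` before it and can fail against a stale package index on the runner image.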
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI about 2 hours ago
To fix this, explicitly declare minimal GITHUB_TOKEN permissions in the workflow. Since the job only checks out code and runs tests, it only needs read access to repository contents. You can set this at the workflow root so it applies to all jobs that don’t override it.
Concretely, in .github/workflows/ci.yml, add a permissions: block after the on: section (around line 6–7), with contents: read. This limits GITHUB_TOKEN to read-only repository contents for all jobs, including build-and-test, without changing any functional behavior of the workflow.
No additional imports, methods, or definitions are needed; this is purely a YAML configuration change within the workflow file.
| @@ -4,6 +4,9 @@ | ||
| pull_request: | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| # this cancels workflows currently in progress if you start a new one | ||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.ref }} |
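Review bot: The new root-level `permissions:` block carries no comment, unlike the `concurrency:` block directly below it. Add one line stating that `contents: read` is the default for every job and that a job needing a wider scope should declare its own `permissions:` rather than widen the root, so the restriction is not loosened by accident when jobs are added later.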
No description provided.
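The CodeQL finding above (no `permissions:` block) and the mix of SHA-pinned and tag-pinned `uses:` references visible in the diff can both be checked mechanically. The following is an added example, not code from this PR or the project: the sample workflow is constructed, its indentation is assumed, and the line-based parse only handles block-style YAML.

```python
import re

# Constructed workflow modelled on the steps visible in this PR.
# Indentation and layout are assumptions; the page shows them flattened.
SAMPLE = """\
on:
  pull_request:

jobs:
  build-and-test:
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
      - uses: roc-lang/setup-roc@39c354a6a838a0089eea9068a0414f49b62c5c08
      - name: Install Zig
        uses: mlugg/setup-zig@v2
      - run: ./ci/all_tests.sh
"""

KEY = re.compile(r"^( *)([A-Za-z0-9_-]+):")           # plain mapping key
USES = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")  # step action reference
SHA_PIN = re.compile(r"@[0-9a-f]{40}$")               # full commit SHA

def audit(text):
    """Return (jobs with no effective permissions block, unpinned action refs)."""
    root_perms, section, job = False, None, None
    job_indent = key_indent = None
    jobs, unpinned = {}, []
    for line in text.splitlines():
        u = USES.match(line)
        if u and not u.group(1).startswith("./") and not SHA_PIN.search(u.group(1)):
            unpinned.append(u.group(1))
        k = KEY.match(line)
        if not k:
            continue
        indent, key = len(k.group(1)), k.group(2)
        if indent == 0:                        # new top-level section
            section, job = key, None
            root_perms = root_perms or key == "permissions"
        elif section == "jobs":
            job_indent = job_indent or indent  # first indented key is a job name
            if indent == job_indent:
                job, key_indent = key, None
                jobs[job] = False
            elif job is not None:
                key_indent = key_indent or indent  # first key inside the job
                if indent == key_indent and key == "permissions":
                    jobs[job] = True
    missing = [] if root_perms else [j for j, ok in jobs.items() if not ok]
    return missing, unpinned
```

A root-level `permissions:` block clears every job, as in the autofix; a job-level block clears only that job.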