Slang PR #11258: Limit zip uncompressed file size to mitigate decompression bombs (jkwak-work) #3833
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: ci-latest-slang | |
| run-name: "${{ github.event_name == 'repository_dispatch' && (github.event.client_payload.slang_pr_number && format('Slang PR #{0}: {1} ({2})', github.event.client_payload.slang_pr_number, github.event.client_payload.slang_pr_title || '?', github.event.client_payload.slang_pr_author || '?') || format('Slang ref: {0}', github.event.client_payload.slang_ref || github.event.client_payload.slang_commit_sha)) || format('Slang branch: {0}', github.event.inputs.slang_branch || 'master') }}" | |
| on: | |
| schedule: | |
| - cron: '0 1 * * *' # run at 1 AM UTC | |
| workflow_dispatch: | |
| inputs: | |
| slang_branch: | |
| description: 'Slang branch' | |
| required: true | |
| default: 'master' | |
| repository_dispatch: | |
| types: [slang-pr-test] | |
| permissions: | |
| contents: read | |
| checks: write | |
| id-token: write | |
| statuses: write | |
| concurrency: | |
| group: ${{ github.event_name == 'repository_dispatch' && format('slang-{0}', github.event.client_payload.slang_pr_number || github.event.client_payload.slang_commit_sha) || github.run_id }} | |
| cancel-in-progress: true | |
| jobs: | |
| # Full matrix for nightly and manual runs. | |
| build: | |
| if: github.event_name != 'repository_dispatch' | |
| runs-on: ${{ matrix.runs-on }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: [windows, linux, macos] | |
| config: [Debug, Release] | |
| python: ["3.10"] | |
| include: | |
| - { os: windows, platform: x86_64, compiler: msvc, config: Debug, flags: "unit-test,header-validation,crashpad", runs-on: { group: nvrgfx, labels: [Windows, X64] } } | |
| - { os: windows, platform: x86_64, compiler: msvc, config: Release, flags: "unit-test,test-examples,crashpad", runs-on: { group: nvrgfx, labels: [Windows, X64] } } | |
| - { os: linux, platform: x86_64, compiler: gcc, config: Debug, flags: "unit-test,header-validation,coverage,crashpad", runs-on: { group: nvrgfx, labels: [Linux, X64] } } | |
| - { os: linux, platform: x86_64, compiler: gcc, config: Release, flags: "unit-test,test-examples,crashpad", runs-on: { group: nvrgfx, labels: [Linux, X64] } } | |
| - { os: macos, platform: aarch64, compiler: clang, config: Debug, flags: "unit-test,header-validation,crashpad", runs-on: macos-latest } | |
| - { os: macos, platform: aarch64, compiler: clang, config: Release, flags: "unit-test,test-examples,crashpad", runs-on: macos-latest } | |
| env: | |
| CI_OS: ${{ matrix.os }} | |
| CI_PLATFORM: ${{ matrix.platform }} | |
| CI_COMPILER: ${{ matrix.compiler }} | |
| CI_CONFIG: ${{ matrix.config }} | |
| CI_PYTHON: ${{ matrix.python }} | |
| CI_FLAGS: ${{ matrix.flags }} | |
| SLANG_PATH: ${{ github.workspace }}/slang/build/${{ matrix.config }}/bin | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| submodules: recursive | |
| lfs: true | |
| - uses: ./.github/actions/build-and-test-with-slang | |
| with: | |
| os: ${{ matrix.os }} | |
| platform: ${{ matrix.platform }} | |
| compiler: ${{ matrix.compiler }} | |
| config: ${{ matrix.config }} | |
| python: ${{ matrix.python }} | |
| flags: ${{ matrix.flags }} | |
| shell: ${{ matrix.os == 'windows' && 'pwsh' || 'bash' }} | |
| slang-checkout-mode: branch | |
| slang-branch: ${{ github.event.inputs.slang_branch || 'master' }} | |
| # Reduced matrix for Slang PR testing (repository_dispatch). | |
| # Only Linux and Windows Release — Debug and macOS covered by nightly. | |
| build-pr: | |
| if: github.event_name == 'repository_dispatch' | |
| runs-on: ${{ matrix.runs-on }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - { os: windows, platform: x86_64, compiler: msvc, config: Release, python: "3.10", flags: "unit-test,test-examples,crashpad", runs-on: { group: nvrgfx, labels: [Windows, X64] } } | |
| - { os: linux, platform: x86_64, compiler: gcc, config: Release, python: "3.10", flags: "unit-test,test-examples,crashpad", runs-on: { group: nvrgfx, labels: [Linux, X64] } } | |
| env: | |
| CI_OS: ${{ matrix.os }} | |
| CI_PLATFORM: ${{ matrix.platform }} | |
| CI_COMPILER: ${{ matrix.compiler }} | |
| CI_CONFIG: ${{ matrix.config }} | |
| CI_PYTHON: ${{ matrix.python }} | |
| CI_FLAGS: ${{ matrix.flags }} | |
| SLANG_PATH: ${{ github.workspace }}/slang/build/${{ matrix.config }}/bin | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| submodules: recursive | |
| lfs: true | |
| - uses: ./.github/actions/build-and-test-with-slang | |
| with: | |
| os: ${{ matrix.os }} | |
| platform: ${{ matrix.platform }} | |
| compiler: ${{ matrix.compiler }} | |
| config: ${{ matrix.config }} | |
| python: ${{ matrix.python }} | |
| flags: ${{ matrix.flags }} | |
| shell: ${{ matrix.os == 'windows' && 'pwsh' || 'bash' }} | |
| slang-checkout-mode: ${{ github.event.client_payload.slang_checkout_mode || 'pr' }} | |
| slang-pr-number: ${{ github.event.client_payload.slang_pr_number }} | |
| slang-ref: ${{ github.event.client_payload.slang_ref }} | |
| slang-repo: ${{ github.event.client_payload.slang_checkout_repo || 'shader-slang/slang' }} | |
| # Post aggregate status to Slang PR after all matrix jobs complete | |
| report-status: | |
| runs-on: ubuntu-latest | |
| needs: build-pr | |
| if: always() && github.event_name == 'repository_dispatch' | |
| steps: | |
| - name: Post status to Slang PR | |
| uses: actions/github-script@v7 | |
| with: | |
| github-token: ${{ secrets.SLANG_STATUS_TOKEN }} | |
| script: | | |
| const result = '${{ needs.build-pr.result }}'; | |
| const state = result === 'success' ? 'success' : 'failure'; | |
| const description = result === 'success' | |
| ? 'All SlangPy tests passed' | |
| : `SlangPy tests ${result}`; | |
| await github.rest.repos.createCommitStatus({ | |
| owner: 'shader-slang', | |
| repo: 'slang', | |
| sha: '${{ github.event.client_payload.slang_commit_sha }}', | |
| state, | |
| context: 'SlangPy Tests', | |
| description, | |
| target_url: '${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}' | |
| }); | |
| # Notify Slack after all matrix jobs complete | |
| notify: | |
| runs-on: ubuntu-latest | |
| needs: build | |
| if: always() && github.event_name == 'schedule' | |
| steps: | |
| # Success Notification | |
| - name: Success Notification | |
| if: ${{ needs.build.result == 'success' }} | |
| uses: slackapi/slack-github-action@v2.1.1 | |
| with: | |
| webhook: ${{ secrets.SLACK_WEBHOOK_URL }} | |
| webhook-type: incoming-webhook | |
| payload: | | |
| text: ":green-check-mark: SlangPy nightly status: success\n" | |
| # Failure Notification | |
| - name: Failure Notification | |
| if: ${{ needs.build.result != 'success' }} | |
| uses: slackapi/slack-github-action@v2.1.1 | |
| with: | |
| webhook: ${{ secrets.SLACK_WEBHOOK_URL }} | |
| webhook-type: incoming-webhook | |
| payload: | | |
| text: ":alert: :alert: :alert: :alert: :alert: :alert:\nSlangPy nightly status: ${{ needs.build.result }}: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" |