v0.2.5: split BPF datapath into fast_path + finalize via bpf_tail_call #178
# Runs on every pull request and on pushes to main.
name: CI

on:
  pull_request:
  push:
    branches:
      - main

# Workflow-wide default for GITHUB_TOKEN: read-only access to repository
# contents. Scopes not listed here are not granted.
permissions:
  contents: read

env:
  CARGO_TERM_COLOR: always
  RUST_BACKTRACE: short
  # Toolchain pins for tools the Rust project itself publishes. GitHub
  # runners ship with rustup pre-installed, so toolchains and targets are
  # managed with direct `rustup` commands rather than a third-party action.
  RUST_STABLE: "1.95.0"
  RUST_NIGHTLY: "nightly-2026-04-14"
  # bpf-linker pin; bump only via a reviewed PR. SPEC.md §7.1 calls for
  # pinning the BPF toolchain tightly because aya and bpf-linker versions
  # move together.
  BPF_LINKER_VERSION: "0.10.3"
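jobs:
  check:
    name: fmt + clippy + test
    runs-on: ubuntu-latest
    env:
      # Refuse to stub-fallback on BPF build failure. Without this, a
      # broken BPF build silently produces an empty ELF and every
      # verifier/attach integration test early-returns "BPF stub in
      # effect" + reports `ok`, masking real regressions.
      PACKETFRAME_BPF_REQUIRED: "1"
    steps:
      # NOTE(review): actions are referenced by mutable major tags (here
      # and for actions/cache below). For supply-chain integrity, pin
      # each to a full commit SHA, e.g.
      # `actions/checkout@<full-commit-sha>  # v6` (placeholder).
      - uses: actions/checkout@v6
        with:
          # No later step in this job pushes or fetches with the token,
          # so do not leave it in the local git config while build
          # scripts and tests from the checked-out ref run.
          persist-credentials: false
      - name: Install Rust (stable + nightly for BPF)
        # `bpfel-unknown-none` is a tier-3 target with no prebuilt
        # `rust-std`; we build `core` from source via `build-std` (set
        # in `crates/modules/fast-path/bpf/.cargo/config.toml`), which
        # only needs `rust-src`. Do not run `rustup target add
        # bpfel-unknown-none` — rustup would try to download a
        # nonexistent std component.
        #
        # The pins are read as shell variables (workflow-level `env` is
        # exported to every step) instead of being template-expanded
        # into the script text, so the script body stays static.
        run: |
          rustup toolchain install "$RUST_STABLE" \
            --profile minimal --component rustfmt,clippy
          rustup default "$RUST_STABLE"
          rustup toolchain install "$RUST_NIGHTLY" \
            --profile minimal --component rust-src,llvm-tools-preview
      # NOTE(review): `~/.cargo/bin/` holds executables (bpf-linker is
      # installed there below) that later steps run, and `restore-keys`
      # allows a prefix match on an older cache entry. Treat this cache
      # as part of the build's trust boundary.
      - uses: actions/cache@v5
        with:
          path: |
            ~/.cargo/bin/
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cargo/git/db/
            target/
            crates/modules/fast-path/bpf/target/
            crates/modules/probe/bpf/target/
          key: ${{ runner.os }}-cargo-check-${{ hashFiles('**/Cargo.lock', 'crates/modules/fast-path/bpf/Cargo.toml', 'crates/modules/probe/bpf/Cargo.toml') }}
          restore-keys: |
            ${{ runner.os }}-cargo-check-
      - name: Install bpf-linker
        # Reinstall unless a bpf-linker on PATH reports exactly the
        # pinned version. The check trusts the binary's own `--version`
        # output, so it detects drift, not tampering.
        run: |
          if ! command -v bpf-linker >/dev/null 2>&1 || \
             [ "$(bpf-linker --version 2>/dev/null | awk '{print $2}')" != "$BPF_LINKER_VERSION" ]; then
            cargo install --locked --force bpf-linker \
              --version "$BPF_LINKER_VERSION"
          fi
      - name: cargo fmt --check
        run: cargo fmt --all --check
      - name: cargo clippy
        run: cargo clippy --workspace --all-targets --all-features -- -D warnings
      - name: cargo test
        run: cargo test --workspace
      - name: cargo test (BPF verifier + attach, sudo)
        # Integration tests that load the BPF ELF into the kernel or
        # attach it to an interface need CAP_BPF + CAP_NET_ADMIN. Run
        # them all under sudo; `-E` preserves the cargo env so they
        # reuse the prior step's build. All such tests are marked
        # `#[ignore]` so the non-sudo `cargo test` above skips them.
        #
        # Both the fast-path and probe modules have sudo-gated
        # integration tests; list each so a future module without
        # such tests doesn't fail this step with "no test matches".
        #
        # NOTE(review): this runs test code from the checked-out ref as
        # root with the full step environment. That is contained by the
        # GitHub-hosted runner and the read-only token; revisit before
        # moving this job to a self-hosted or persistent runner.
        run: |
          sudo -E "$(command -v cargo)" test -p packetframe-fast-path --tests -- --ignored --nocapture
          sudo -E "$(command -v cargo)" test -p packetframe-probe --tests -- --ignored --nocapture

  cross-build:
    name: cross-build ${{ matrix.target }}
    runs-on: ubuntu-latest
    # Cross-build jobs are userspace-only smoke tests for each release
    # target triple. BPF bytecode is architecture-independent (it's BPF,
    # not native machine code), so building it four times inside `cross`
    # containers would be wasted work. The `check` job above builds it
    # once; these jobs stub it out via PACKETFRAME_SKIP_BPF_BUILD=1.
    env:
      PACKETFRAME_SKIP_BPF_BUILD: "1"
    strategy:
      fail-fast: false
      matrix:
        target:
          - aarch64-unknown-linux-musl
          - x86_64-unknown-linux-musl
          - aarch64-unknown-linux-gnu
          - x86_64-unknown-linux-gnu
    steps:
      # NOTE(review): mutable tag; pin to a full commit SHA, e.g.
      # `actions/checkout@<full-commit-sha>  # v6` (placeholder).
      - uses: actions/checkout@v6
        with:
          # Nothing in this job needs git credentials after checkout.
          persist-credentials: false
      - name: Install Rust (stable + target)
        env:
          # Hand the matrix value to the script as data rather than
          # expanding it into the script text.
          MATRIX_TARGET: ${{ matrix.target }}
        run: |
          rustup toolchain install "$RUST_STABLE" --profile minimal
          rustup default "$RUST_STABLE"
          rustup target add "$MATRIX_TARGET"
      # NOTE(review): the cached `~/.cargo/bin/` is where `cross` is
      # installed, and the install step below is skipped when a cached
      # `cross` is found on PATH.
      - uses: actions/cache@v5
        with:
          path: |
            ~/.cargo/bin/
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cargo/git/db/
            target/
          key: ${{ runner.os }}-cargo-${{ matrix.target }}-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-cargo-${{ matrix.target }}-
      - name: Install cross
        # NOTE(review): unlike bpf-linker, `cross` has no version pin, so
        # a cache miss installs whatever release is current at that
        # moment. Consider a reviewed pin in the workflow `env` passed
        # as `--version <pinned-version>` (placeholder).
        run: |
          if ! command -v cross >/dev/null 2>&1; then
            cargo install --locked cross
          fi
      - name: cross build --release
        env:
          MATRIX_TARGET: ${{ matrix.target }}
        run: cross build --release --workspace --target "$MATRIX_TARGET"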