packetframe/.github/workflows/ci.yml at 59efc294767ff5162d2be0af8bc6da43e58930c7 · unredacted/packetframe · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
name: CI

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read

env:
  CARGO_TERM_COLOR: always
  RUST_BACKTRACE: short
  # Pins for tools the Rust project itself publishes — GitHub runners
  # come with rustup pre-installed, so we manage toolchains and targets
  # via direct `rustup` commands rather than a third-party action.
  RUST_STABLE: "1.95.0"
  RUST_NIGHTLY: "nightly-2026-04-14"
  # bpf-linker pin — bump via reviewed PR. SPEC.md §7.1 calls out pinning
  # the BPF toolchain tight because aya/bpf-linker versions move together.
  BPF_LINKER_VERSION: "0.10.3"

jobs:
  check:
    name: fmt + clippy + test
    runs-on: ubuntu-latest
    env:
      # Refuse to stub-fallback on BPF build failure. Without this, a
      # broken BPF build silently produces an empty ELF and every
      # verifier/attach integration test early-returns "BPF stub in
      # effect" + reports `ok`, masking real regressions.
      PACKETFRAME_BPF_REQUIRED: "1"
    steps:
      - uses: actions/checkout@v6

      - name: Install Rust (stable + nightly for BPF)
        # `bpfel-unknown-none` is a tier-3 target with no prebuilt
        # `rust-std`; we build `core` from source via `build-std` (set
        # in `crates/modules/fast-path/bpf/.cargo/config.toml`), which
        # only needs `rust-src`. Do not run `rustup target add
        # bpfel-unknown-none` — rustup would try to download a
        # nonexistent std component.
        run: |
          rustup toolchain install ${{ env.RUST_STABLE }} \
            --profile minimal --component rustfmt,clippy
          rustup default ${{ env.RUST_STABLE }}
          rustup toolchain install ${{ env.RUST_NIGHTLY }} \
            --profile minimal --component rust-src,llvm-tools-preview

      - uses: actions/cache@v5
        with:
          path: |
            ~/.cargo/bin/
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cargo/git/db/
            target/
            crates/modules/fast-path/bpf/target/
            crates/modules/probe/bpf/target/
          key: ${{ runner.os }}-cargo-check-${{ hashFiles('**/Cargo.lock', 'crates/modules/fast-path/bpf/Cargo.toml', 'crates/modules/probe/bpf/Cargo.toml') }}
          restore-keys: |
            ${{ runner.os }}-cargo-check-

      - name: Install bpf-linker
        run: |
          if ! command -v bpf-linker >/dev/null 2>&1 || \
             [ "$(bpf-linker --version 2>/dev/null | awk '{print $2}')" != "${{ env.BPF_LINKER_VERSION }}" ]; then
            cargo install --locked --force bpf-linker \
              --version ${{ env.BPF_LINKER_VERSION }}
          fi

      - name: cargo fmt --check
        run: cargo fmt --all --check

      - name: cargo clippy
        run: cargo clippy --workspace --all-targets --all-features -- -D warnings

      - name: cargo test
        run: cargo test --workspace

      - name: cargo test (BPF verifier + attach, sudo)
        # Integration tests that load the BPF ELF into the kernel or
        # attach it to an interface need CAP_BPF + CAP_NET_ADMIN. Run
        # them all under sudo; `-E` preserves the cargo env so they
        # reuse the prior step's build. All such tests are marked
        # `#[ignore]` so the non-sudo `cargo test` above skips them.
        #
        # Both the fast-path and probe modules have sudo-gated
        # integration tests; list each so a future module without
        # such tests doesn't fail this step with "no test matches".
        run: |
          sudo -E $(which cargo) test -p packetframe-fast-path --tests -- --ignored --nocapture
          sudo -E $(which cargo) test -p packetframe-probe --tests -- --ignored --nocapture

  cross-build:
    name: cross-build ${{ matrix.target }}
    runs-on: ubuntu-latest
    # Cross-build jobs are userspace-only smoke tests for each release
    # target triple. BPF bytecode is architecture-independent (it's BPF,
    # not native machine code), so building it four times inside `cross`
    # containers would be wasted work. The `check` job above builds it
    # once; these jobs stub it out via PACKETFRAME_SKIP_BPF_BUILD=1.
    env:
      PACKETFRAME_SKIP_BPF_BUILD: "1"
    strategy:
      fail-fast: false
      matrix:
        target:
          - aarch64-unknown-linux-musl
          - x86_64-unknown-linux-musl
          - aarch64-unknown-linux-gnu
          - x86_64-unknown-linux-gnu
    steps:
      - uses: actions/checkout@v6

      - name: Install Rust (stable + target)
        run: |
          rustup toolchain install ${{ env.RUST_STABLE }} --profile minimal
          rustup default ${{ env.RUST_STABLE }}
          rustup target add ${{ matrix.target }}

      - uses: actions/cache@v5
        with:
          path: |
            ~/.cargo/bin/
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cargo/git/db/
            target/
          key: ${{ runner.os }}-cargo-${{ matrix.target }}-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-cargo-${{ matrix.target }}-

      - name: Install cross
        run: |
          if ! command -v cross >/dev/null 2>&1; then
            cargo install --locked cross
          fi

      - name: cross build --release
        run: cross build --release --workspace --target ${{ matrix.target }}