DragonOS-Community
/
aya
mirror de https://github.com/aya-rs/aya


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362
							name: aya-ci

on:
  push:

  pull_request:

  schedule:
    - cron: 00 4 * * *

env:
  CARGO_TERM_COLOR: always

jobs:
  lint:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v5

      - uses: dtolnay/rust-toolchain@nightly
        with:
          components: clippy,miri,rustfmt,rust-src

      # Installed *after* nightly so it is the default.
      - uses: dtolnay/rust-toolchain@stable

      - uses: Swatinem/rust-cache@v2

      - uses: taiki-e/install-action@v2
        with:
          tool: cargo-hack,taplo-cli

      - run: git ls-files -- '*.c' '*.h' | xargs clang-format --dry-run --Werror

      - uses: DavidAnson/markdownlint-cli2-action@v20

      - run: taplo fmt --check

      - run: cargo +nightly fmt --all -- --check

      - run: ./clippy.sh

      # On the `aya-rs/aya` repository, regenerate the public API on a schedule.
      #
      # On all other events and repositories assert the public API is up to date.
      - run: cargo xtask public-api
        if: ${{ !(github.event_name == 'schedule' && github.repository == 'aya-rs/aya') }}
      - run: cargo xtask public-api --bless
        if: ${{ (github.event_name == 'schedule' && github.repository == 'aya-rs/aya') }}
      - uses: peter-evans/create-pull-request@v7
        if: ${{ (github.event_name == 'schedule' && github.repository == 'aya-rs/aya') }}
        with:
          # GitHub actions aren't allowed to trigger other actions to prevent
          # abuse; the canonical workaround is to use a sufficiently authorized
          # token.
          #
          # See https://github.com/peter-evans/create-pull-request/issues/48.
          token: ${{ secrets.CRABBY_GITHUB_TOKEN }}
          branch: create-pull-request/public-api
          commit-message: 'public-api: regenerate'
          title: 'public-api: regenerate'
          body: |
            **Automated changes**

      - name: Run miri
        run: |
          set -euxo pipefail
          cargo +nightly hack miri test --all-targets --feature-powerset \
            --exclude aya-ebpf \
            --exclude aya-ebpf-bindings \
            --exclude aya-log-ebpf \
            --exclude integration-ebpf \
            --exclude integration-test \
            --workspace

  build-test-aya:
    strategy:
      fail-fast: false
      matrix:
        arch:
          - aarch64-unknown-linux-gnu
          - armv7-unknown-linux-gnueabi
          - loongarch64-unknown-linux-gnu
          - powerpc64le-unknown-linux-gnu
          - riscv64gc-unknown-linux-gnu
          - s390x-unknown-linux-gnu
          - x86_64-unknown-linux-gnu
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5

      - uses: dtolnay/rust-toolchain@stable
        with:
          targets: ${{ matrix.arch }}

      - uses: Swatinem/rust-cache@v2

      - uses: taiki-e/install-action@cargo-hack

      # This is magic, it sets `$CARGO_BUILD_TARGET`.
      - uses: taiki-e/setup-cross-toolchain-action@v1
        with:
          target: ${{ matrix.arch }}

      - name: Build
        run: |
          set -euxo pipefail
          cargo hack build --all-targets --feature-powerset \
            --exclude aya-ebpf \
            --exclude aya-ebpf-bindings \
            --exclude aya-log-ebpf \
            --exclude integration-ebpf \
            --exclude xtask \
            --workspace

      - name: Test
        env:
          RUST_BACKTRACE: full
        run: |
          set -euxo pipefail
          cargo hack test --all-targets --feature-powerset \
            --exclude aya-ebpf \
            --exclude aya-ebpf-bindings \
            --exclude aya-log-ebpf \
            --exclude integration-ebpf \
            --exclude integration-test \
            --exclude xtask \
            --workspace

      - name: Doctests
        env:
          RUST_BACKTRACE: full
        run: |
          set -euxo pipefail
          cargo hack test --doc --feature-powerset \
            --exclude aya-ebpf \
            --exclude aya-ebpf-bindings \
            --exclude aya-log-ebpf \
            --exclude init \
            --exclude integration-ebpf \
            --exclude integration-test \
            --exclude xtask \
            --workspace

  build-test-aya-ebpf:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v5

      - uses: dtolnay/rust-toolchain@nightly
        with:
          components: rust-src

      # Installed *after* nightly so it is the default.
      - uses: dtolnay/rust-toolchain@stable

      - uses: Swatinem/rust-cache@v2

      - run: cargo install --git https://github.com/aya-rs/bpf-linker.git bpf-linker --features llvm-21

      - uses: taiki-e/install-action@cargo-hack

      - name: Build & test for all BPF architectures
        env:
          RUST_BACKTRACE: full
        run: |
          set -euo pipefail

          failures=()

          # NB: this hand-rolled shell script is used instead of a matrix
          # because the time spent doing useful work per target is about equal
          # to the overhead of setting up the job - so this saves a bunch of
          # machine time.
          for arch in aarch64 arm loongarch64 mips powerpc64 riscv64 s390x x86_64; do
            for target in bpfeb-unknown-none bpfel-unknown-none; do
              echo "::group::Build and test for $arch / $target"
              if ! (

                RUSTFLAGS="--cfg bpf_target_arch=\"$arch\"" cargo +nightly hack build \
                  --target "$target" \
                  -Z build-std=core \
                  --package aya-ebpf \
                  --package aya-log-ebpf \
                  --feature-powerset

                cargo hack test \
                  --doc \
                  --package aya-ebpf \
                  --package aya-log-ebpf \
                  --feature-powerset
              ); then
                echo "FAILED: $arch / $target"
                failures+=("$arch/$target")
              fi
              echo "::endgroup::"
            done
          done

          if ((${#failures[@]})); then
            echo "::error::Some builds/tests failed:"
            printf '  %s\n' "${failures[@]}"
            exit 1
          fi
  run-integration-test:
    strategy:
      fail-fast: false
      matrix:
        include:
          - target: x86_64-apple-darwin
            # macos-15 is arm64[0] which doesn't support nested
            # virtualization[1].
            #
            # [0] https://github.com/actions/runner-images#available-images
            #
            # [1] https://docs.github.com/en/actions/reference/runners/github-hosted-runners#limitations-for-arm64-macos-runners
            os: macos-15-intel

          # We don't use ubuntu-latest because we care about the apt packages available.
          - target: x86_64-unknown-linux-gnu
            os: ubuntu-24.04
          - target: aarch64-unknown-linux-gnu
            os: ubuntu-24.04-arm
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v5
        with:
          submodules: recursive

      - name: Install prerequisites
        if: runner.os == 'Linux'
        run: |
          set -euxo pipefail
          sudo apt update
          sudo apt -y install \
            liblzma-dev \
            lynx \
            musl-tools \
            qemu-system-{arm,x86}

      - name: Install prerequisites
        if: runner.os == 'macOS'
        # The curl shipped on macOS doesn't contain
        # https://github.com/curl/curl/commit/85efbb92b8e6679705e122cee45ce76c56414a3e which is
        # needed for proper handling of `--etag-{compare,save}`.
        #
        # The tar shipped on macOS doesn't support --wildcards, so we need GNU tar.
        #
        # The clang shipped on macOS doesn't support BPF, so we need LLVM from brew.
        #
        # We need a musl C toolchain to compile our `test-distro` since some of
        # our dependencies have build scripts that compile C code (i.e xz2).
        # This is provided by `brew install filosottile/musl-cross/musl-cross`.
        run: |
          set -euxo pipefail
          # Dependencies are tracked in `Brewfile`.
          brew bundle
          echo $(brew --prefix curl)/bin >> $GITHUB_PATH
          echo $(brew --prefix llvm)/bin >> $GITHUB_PATH

          # https://github.com/actions/setup-python/issues/577
          find /usr/local/bin -type l -exec sh -c 'readlink -f "$1" \
          | grep -q ^/Library/Frameworks/Python.framework/Versions/' _ {} \; -exec rm -v {} \;

      - uses: dtolnay/rust-toolchain@nightly
        with:
          components: rust-src

      # Installed *after* nightly so it is the default.
      - uses: dtolnay/rust-toolchain@stable
        with:
          targets: aarch64-unknown-linux-musl,x86_64-unknown-linux-musl

      - uses: Swatinem/rust-cache@v2

      - name: Install libLLVM
        # Download libLLVM from Rust CI to ensure that the libLLVM version
        # matches exactly with the version used by the current Rust nightly. A
        # mismatch between libLLVM (used by bpf-linker) and Rust's LLVM version
        # can lead to linking issues.
        run: |
          set -euxo pipefail
          # Get the partial SHA from Rust nightly.
          rustc_sha=$(rustc +nightly --version | grep -oE '[a-f0-9]{7,40}')
          # Get the full SHA from GitHub.
          rustc_sha=$(curl -sfSL https://api.github.com/repos/rust-lang/rust/commits/$rustc_sha \
            --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' \
            --header 'content-type: application/json' \
            | jq -r '.sha')
          mkdir -p /tmp/rustc-llvm
          curl -sfSL https://ci-artifacts.rust-lang.org/rustc-builds/$rustc_sha/rust-dev-nightly-${{ matrix.target }}.tar.xz | \
            tar -xJ --strip-components 2 -C /tmp/rustc-llvm
          echo /tmp/rustc-llvm/bin >> $GITHUB_PATH

      # NB: rustc doesn't ship libLLVM.so on macOS, so disable proxying (default feature). We also
      # --force so that bpf-linker gets always relinked against the latest LLVM downloaded above.
      #
      # Do this on all system (not just macOS) to avoid relying on rustc-provided libLLVM.so.
      - run: cargo install --git https://github.com/aya-rs/bpf-linker.git bpf-linker --no-default-features --features llvm-21 --force

      - uses: actions/cache@v4
        with:
          path: test/.tmp
          key: ${{ runner.arch }}-${{ runner.os }}-test-cache

      - name: Download debian kernels
        if: runner.arch == 'ARM64'
        run: .github/scripts/download_kernel_images.sh test/.tmp/debian-kernels/arm64 arm64 5.10 6.1 6.12

      - name: Download debian kernels
        if: runner.arch == 'X64'
        run: .github/scripts/download_kernel_images.sh test/.tmp/debian-kernels/amd64 amd64 5.10 6.1 6.12

      - name: Cleanup stale kernels and modules
        run: |
          set -euxo pipefail
          rm -rf test/.tmp/boot test/.tmp/lib

      - name: Run local integration tests
        if: runner.os == 'Linux'
        run: cargo xtask integration-test local

      - name: Run virtualized integration tests
        if: runner.os == 'Linux'
        run: |
          set -euxo pipefail

          # https://github.blog/changelog/2023-02-23-hardware-accelerated-android-virtualization-on-actions-windows-and-linux-larger-hosted-runners/
          echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
          sudo udevadm control --reload-rules
          sudo udevadm trigger --name-match=kvm || true # kvm is not available on arm64.

          find test/.tmp -name '*.deb' -print0 | sort -Vz | xargs -t -0 \
            cargo xtask integration-test vm --cache-dir test/.tmp \
              --github-api-token ${{ secrets.GITHUB_TOKEN }}

      - name: Run virtualized integration tests
        if: runner.os == 'macOS'
        env:
          # This sets the linker to the one installed by FiloSottile/musl-cross.
          CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_LINKER: x86_64-linux-musl-gcc
        run: |
          set -euxo pipefail
          find test/.tmp -name '*.deb' -print0 | sort -Vz | xargs -t -0 \
            cargo xtask integration-test vm --cache-dir test/.tmp \
              --github-api-token ${{ secrets.GITHUB_TOKEN }}

  # Provides a single status check for the entire build workflow.
  # This is used for merge automation, like Mergify, since GH actions
  # has no concept of "when all status checks pass".
  # https://docs.mergify.com/conditions/#validating-all-status-checks
  build-workflow-complete:
    needs:
      - lint
      - build-test-aya
      - build-test-aya-ebpf
      - run-integration-test
    runs-on: ubuntu-latest
    steps:
      - run: echo 'Build Complete'