AbE: explain capability based security #2581
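name: Build, Test & Release
# Build, Test & Release (BTR) run for:
# - pushes to the main branch
# - new tags are pushed
# - for pull requests
#
# Releases are tagged with vX.Y.Z. We determine if we are building for a release
# or not by looking if the tag name starts with 'v'.
#
# To release:
# - create new branch using name: release-vX.Y.Z
# - update version in common.mk
# - update CHANGELOG.md, second entry must equal version in common.mk
# - first entry is assumed to be "Unreleased"
# - push a tag like vX.Y.Z which is equal to version in common.mk
#
# NOTE(review): this copy was reconstructed from a rendering that dropped all
# indentation and may have collapsed repeated spaces inside quoted strings
# (e.g. the indentation written into test-runtime.act below). Verify the
# whitespace against the repository copy of the workflow.
#
# NOTE(review): third-party actions are referenced by mutable tags (vN). For
# supply-chain safety, pin each to a full commit SHA and keep the tag in a
# trailing comment so update tooling can still track new releases.
on:  # yamllint disable-line rule:truthy
  pull_request:
  push:
    branches:
      - main
    tags:
      - 'v*'
# NOTE: Jobs for version tagged releases just pattern match on any tag starting
# with 'v'. That's probably a version tag, but could be something else. Is there
# a better way to match?

# Least privilege for GITHUB_TOKEN: every job gets a read-only token unless it
# raises its scope below. Only the jobs that create or delete releases need
# 'contents: write'; the apt and homebrew jobs authenticate with their own
# dedicated secrets (deploy key / PAT) rather than GITHUB_TOKEN.
permissions:
  contents: read

jobs:
  test-macos:
    strategy:
      fail-fast: false
      matrix:
        os: [macos-11, macos-12, macos-13]
    runs-on: ${{ matrix.os }}
    steps:
      - name: "Show env"
        run: env
      - name: "Set BUILD_RELEASE when we are building for a version tag"
        if: startsWith(github.ref, 'refs/tags/v')
        run: |
          echo "BUILD_RELEASE=1" >> $GITHUB_ENV
      - name: "Enable dumping core files"
        run: |
          sudo sysctl kern.corefile=core.%P
          ulimit -c unlimited
      - name: "Check out repository code"
        uses: actions/checkout@v3
      - name: "Cache stuff"
        uses: actions/cache@v3
        with:
          path: |
            ~/.cache/acton/
            ~/.stack
            ~/zig-cache
          # NOTE(review): cache entries are immutable, so a key without a
          # content hash is saved once and never refreshed; the same applies
          # to the cache keys in test-linux and build-debs. Consider adding a
          # hashFiles() term plus 'restore-keys' for prefix fallback.
          key: ${{ matrix.os }}
      - name: "Install build prerequisites"
        run: brew install haskell-stack
      - name: "Build Acton"
        run: |
          export ZIG_LOCAL_CACHE_DIR=~/zig-cache
          make -j2 -C ${{ github.workspace }} BUILD_RELEASE=${{ env.BUILD_RELEASE }}
      - name: "Build a release"
        run: make -C ${{ github.workspace }} release
      - name: "Upload artifact"
        uses: actions/upload-artifact@v3
        with:
          name: acton-${{ matrix.os }}
          path: ${{ github.workspace }}/acton-darwin-x86_64*
          if-no-files-found: error
      - name: "Run tests"
        run: make -C ${{ github.workspace }} test
      - name: "Upload core file & binaries as artifacts on test failure"
        if: failure()
        uses: actions/upload-artifact@v3
        with:
          name: test-debug-${{ matrix.os }}-${{ github.run_id }}.zip
          path: |
            ${{ github.workspace }}/test/core*
            ${{ github.workspace }}/test/db*.log
            ${{ github.workspace }}/test/rts/ddb_test_client
            ${{ github.workspace }}/test/rts/ddb_test_server

  test-linux:
    strategy:
      fail-fast: false
      matrix:
        include:
          - os: "debian"
            version: "11"
          - os: "debian"
            version: "12"
          - os: "ubuntu"
            version: "22.04"
          - os: "ubuntu"
            version: "22.10"
          - os: "ubuntu"
            version: "23.04"
    runs-on: ubuntu-latest
    container:
      image: ${{ matrix.os }}:${{ matrix.version }}
    steps:
      - name: "Show platform and environment"
        run: |
          env
          cat /proc/cpuinfo
      - name: "Set BUILD_RELEASE when we are building for a version tag"
        if: startsWith(github.ref, 'refs/tags/v')
        run: |
          echo "BUILD_RELEASE=1" >> $GITHUB_ENV
      - name: "Check out repository code"
        uses: actions/checkout@v3
      - name: "Cache stuff"
        uses: actions/cache@v3
        with:
          path: |
            ~/.cache/acton/
            ~/.stack
            ~/zig-cache
          key: ${{ matrix.os }}-${{ matrix.version }}
      - name: "chown our home dir to avoid stack complaining"
        run: chown -R root:root /github/home
      - name: "Install build prerequisites"
        run: |
          export DEBIAN_FRONTEND=noninteractive
          apt-get update
          apt-get install -qy bzip2 curl haskell-stack make procps zlib1g-dev
      # NOTE(review): ubuntu 20.04 is not in this job's matrix, so this step
      # never runs today; keep or drop it together with the matrix entry.
      - name: "Upgrade stack on old distributions"
        if: ${{ (matrix.os == 'ubuntu') && (matrix.version == '20.04') }}
        run: |
          stack upgrade
          echo "PATH=~/.local/bin:$PATH" >> $GITHUB_ENV
      - name: "Build Acton"
        run: |
          export ZIG_LOCAL_CACHE_DIR=~/zig-cache
          make -j2 -C ${GITHUB_WORKSPACE} BUILD_RELEASE=${{ env.BUILD_RELEASE }}
      - name: "Build a release"
        run: make -C ${GITHUB_WORKSPACE} release
      - name: "Upload artifact"
        uses: actions/upload-artifact@v3
        with:
          name: acton-${{ matrix.os }}-${{ matrix.version }}
          path: ${{ github.workspace }}/acton-linux-x86_64*
          if-no-files-found: error
      - name: "Run tests"
        run: make -C ${GITHUB_WORKSPACE} test

  build-debs:
    runs-on: ubuntu-latest
    container:
      image: debian:bullseye
    steps:
      - name: "Show platform and environment"
        run: |
          env
          cat /proc/cpuinfo
      - name: "Set BUILD_RELEASE when we are building for a version tag"
        if: startsWith(github.ref, 'refs/tags/v')
        run: |
          echo "BUILD_RELEASE=1" >> $GITHUB_ENV
      - name: "Check out repository code"
        uses: actions/checkout@v3
      - name: "Cache stuff"
        uses: actions/cache@v3
        with:
          path: |
            ~/.cache/acton/
            ~/.stack
            ~/zig-cache
          key: build-debs
      - name: "Install build prerequisites"
        run: |
          apt-get update
          apt-get install -qy bzip2 curl haskell-stack make procps zlib1g-dev
          apt-get install -qy bash-completion build-essential debhelper devscripts
      - name: "Build Debian packages"
        run: |
          export ZIG_LOCAL_CACHE_DIR=~/zig-cache
          make -C ${GITHUB_WORKSPACE} debs BUILD_RELEASE=${{ env.BUILD_RELEASE }} STATIC_ACTONC=true
      - name: "Compute variables"
        id: vars
        run: |
          echo "debdir=$(realpath ${GITHUB_WORKSPACE}/../deb)" >> $GITHUB_OUTPUT
          echo "artifact_dir=$(dirname ${{ github.workspace }})" >> $GITHUB_OUTPUT
      - name: "Move deb files into place for easy artifact extraction"
        run: |
          mkdir -p ${{ steps.vars.outputs.debdir }}
          ls ${{ steps.vars.outputs.debdir }}/../
          mv ${{ steps.vars.outputs.debdir }}/../acton_* ${{ steps.vars.outputs.debdir }}/
      - name: "Upload artifact"
        uses: actions/upload-artifact@v3
        with:
          name: acton-debs
          # Using a wildcard and then deb here to force the entire directory to
          # be part of resulting artifact.
          path: ${{ steps.vars.outputs.artifact_dir }}/*deb/
          if-no-files-found: error

  run-macos:
    needs: test-macos
    strategy:
      fail-fast: false
      matrix:
        os: [macos-11, macos-12, macos-13]
    runs-on: ${{ matrix.os }}
    steps:
      - name: "Download artifacts for Macos, built on macos-11"
        uses: actions/download-artifact@v3
        with:
          name: acton-macos-11
      - name: "Extract acton"
        run: |
          tar Jxvf $(ls acton-darwin*.tar.xz | tail -n1)
      - name: "Compile acton program"
        run: |
          echo '#!/usr/bin/env runacton' > test-runtime.act
          echo 'actor main(env):' >> test-runtime.act
          echo ' print("Hello, world")' >> test-runtime.act
          echo ' env.exit(0)' >> test-runtime.act
          chmod a+x test-runtime.act
          export PATH=$(pwd)/acton/bin:$PATH
          ./test-runtime.act
          ./test-runtime.act | grep "Hello, world"

  run-linux:
    needs: build-debs
    strategy:
      fail-fast: false
      matrix:
        include:
          - os: "debian"
            version: "10"
          - os: "debian"
            version: "11"
          - os: "debian"
            version: "12"
          - os: "ubuntu"
            version: "18.04"
          - os: "ubuntu"
            version: "20.04"
          - os: "ubuntu"
            version: "22.04"
          - os: "ubuntu"
            version: "22.10"
          - os: "ubuntu"
            version: "23.04"
    runs-on: ubuntu-latest
    container:
      image: ${{ matrix.os }}:${{ matrix.version }}
      # --privileged is what lets the core_pattern sysctl below succeed (it is a
      # host-wide kernel setting, hence the '|| true'); seccomp=unconfined is
      # presumably for the same core-dump setup. Both widen what this container
      # can do on the runner, which is tolerable only because the job runs a
      # .deb produced earlier in this same workflow on an ephemeral hosted VM.
      options: --privileged --ulimit core=-1 --security-opt seccomp=unconfined
    steps:
      - name: "Show platform and environment"
        run: |
          env
          cat /proc/cpuinfo
      - name: "Download .deb files"
        uses: actions/download-artifact@v3
        with:
          name: acton-debs
      - name: "Install acton from .deb"
        run: |
          apt update
          apt install -y ./deb/acton_*.deb
          actonc --version
      - name: "Enable dumping core files to /tmp/core..."
        run: |
          apt install -qy procps
          cat /proc/sys/kernel/core_pattern
          sysctl kernel.core_pattern='/tmp/core.%h.%e.%t' || true
          cat /proc/sys/kernel/core_pattern
          ulimit -c unlimited
      - name: "Compile acton program"
        run: |
          echo '#!/usr/bin/env runacton' > test-runtime.act
          echo 'actor main(env):' >> test-runtime.act
          echo ' print("Hello, world")' >> test-runtime.act
          echo ' env.exit(0)' >> test-runtime.act
          chmod a+x test-runtime.act
          ./test-runtime.act
          ./test-runtime.act | grep "Hello, world"
          # Repeat the run to surface intermittent runtime failures. Use
          # 'exit 1' rather than 'break': a for loop exits with the status of
          # the last command executed in its body, and 'break' returns 0, so a
          # failing iteration would otherwise leave this step green and the
          # core-dump upload below would never trigger.
          for I in $(seq 50); do ./test-runtime.act || exit 1; done
      - name: "ls core"
        if: failure()
        run: |
          pwd
          ls
          find /tmp
          mv /tmp/core* .
      - name: "Upload core file & binaries as artifacts on test failure"
        if: failure()
        uses: actions/upload-artifact@v3
        with:
          name: coredumps-${{ matrix.os }}-${{ matrix.version }}-${{ github.run_id }}.zip
          path: |
            ${{ github.workspace }}/core*

  # If we are on the main branch, we'll create or update a pre-release called
  # 'tip' which holds the latest build output from the main branch! We upload
  # artifacts twice, first with the version number held in the filename and a
  # second time after being renamed to remove the version number in the
  # filename, thus providing a stable URL for downloading the tip tar balls.
  pre-release-tip:
    # Only run on the main branch
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    needs: [test-macos, test-linux, build-debs]
    # Deleting/re-creating the 'tip' tag and release goes through GITHUB_TOKEN.
    permissions:
      contents: write
    steps:
      - name: "Delete current tip release & tag"
        # NOTE(review): the action reference on the next line was garbled by
        # the page rendering; restore the real owner/action@ref from the
        # repository copy (and pin it to a commit SHA).
        uses: dev-drprasad/[email protected]
        with:
          delete_release: true
          tag_name: tip
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: "Check out repository code"
        uses: actions/checkout@v3
      - name: "Download artifacts for Macos, built on macos-11"
        uses: actions/download-artifact@v3
        with:
          name: acton-macos-11
      - name: "Download artifacts for Linux, built on Debian:11"
        uses: actions/download-artifact@v3
        with:
          name: acton-debian-11
      - name: "Download artifacts for Debian Linux"
        uses: actions/download-artifact@v3
        with:
          name: acton-debs
      - name: "List downloaded artifacts"
        run: |
          ls
          ls deb
      - name: "Workaround for changelog extractor that looks for number versions in headlines, which won't work for 'Unreleased'"
        run: sed -i -e 's/^## Unreleased/## [999.9] Unreleased\nThis is an unreleased snapshot built from the main branch. Like a nightly but more up to date./' CHANGELOG.md
      - name: "Extract release notes"
        id: extract-release-notes
        uses: ffurrer2/extract-release-notes@v1
      - name: "(re-)create 'tip' release notes and upload artifacts as assets"
        uses: ncipollo/release-action@v1
        with:
          allowUpdates: true
          artifacts: "acton*.tar*,deb/*deb"
          body: ${{ steps.extract-release-notes.outputs.release_notes }}
          draft: false
          prerelease: true
          name: "tip"
          tag: "tip"
          token: ${{ secrets.GITHUB_TOKEN }}
          replacesArtifacts: true
      - name: "Remove version number from darwin tar ball"
        run: mv $(ls acton-darwin*.tar.xz | tail -n1) acton-darwin-x86_64.tar.xz
      - name: "Remove version number from linux tar ball"
        run: mv $(ls acton-linux-x86_64*.tar.xz | tail -n1) acton-linux-x86_64.tar.xz
      - name: "Remove version number from debian package"
        run: mv $(ls deb/acton_*.deb | tail -n1) deb/acton_tip_amd64.deb
      - name: "List files for debug"
        run: |
          ls
          ls deb
      - name: "Upload artifacts without version number for stable links"
        uses: ncipollo/release-action@v1
        with:
          allowUpdates: true
          artifacts: "acton*.tar*,deb/acton_*.deb"
          body: ${{ steps.extract-release-notes.outputs.release_notes }}
          draft: false
          prerelease: true
          name: "tip"
          tag: "tip"
          token: ${{ secrets.GITHUB_TOKEN }}
          replacesArtifacts: true

  # Release job, only run for version tagged releases.
  release:
    if: startsWith(github.ref, 'refs/tags/v')
    runs-on: ubuntu-latest
    needs: [test-macos, test-linux, build-debs]
    # Creating the GitHub release and uploading its assets needs write access.
    permissions:
      contents: write
    steps:
      - name: "Check out repository code"
        uses: actions/checkout@v3
      - name: "Download artifacts for Macos, built on macos-11"
        uses: actions/download-artifact@v3
        with:
          name: acton-macos-11
      - name: "Download artifacts for Linux, built on Debian:11"
        uses: actions/download-artifact@v3
        with:
          name: acton-debian-11
      - name: "Download artifacts for Debian Linux"
        uses: actions/download-artifact@v3
        with:
          name: acton-debs
      - name: "List downloaded artifacts"
        run: ls
      - name: "Extract release notes"
        id: extract-release-notes
        uses: ffurrer2/extract-release-notes@v1
      - name: "Create release"
        uses: ncipollo/release-action@v1
        with:
          allowUpdates: true
          artifacts: "acton*.tar*,deb/*deb"
          body: ${{ steps.extract-release-notes.outputs.release_notes }}
          draft: false
          token: ${{ secrets.GITHUB_TOKEN }}
          replacesArtifacts: true

  # Update apt repo
  update-apt-repo:
    if: startsWith(github.ref, 'refs/tags/v')
    runs-on: ubuntu-latest
    container:
      image: debian:bullseye
    needs: [test-macos, test-linux, build-debs]
    steps:
      - name: "Install build prerequisites"
        run: |
          apt-get update
          apt-get install -qy git gnupg reprepro
      - name: "Import GPG key"
        id: import_gpg
        uses: crazy-max/ghaction-import-gpg@v4
        with:
          gpg_private_key: ${{ secrets.APT_GPG_PRIVATE_KEY }}
      - name: "Check out code of apt.acton-lang.io repo"
        uses: actions/checkout@v3
        with:
          repository: actonlang/apt.acton-lang.io
          path: apt
          ssh-key: ${{ secrets.APT_DEPLOY_KEY }}
      - name: "Download artifacts for Debian Linux"
        uses: actions/download-artifact@v3
        with:
          name: acton-debs
      - name: "Include new deb in Apt repository"
        run: |
          cd apt
          reprepro include bullseye ../deb/*.changes
      - name: "Push updates to git repository for apt.acton-lang.io"
        # NOTE(review): the user.email value below was garbled by the page
        # rendering; restore it from the repository copy.
        run: |
          cd apt
          git config user.name "Apt Bot"
          git config user.email [email protected]
          git add .
          git status
          git diff
          git commit -a -m "Updated apt package index"
          git push

  # Update our homebrew tap
  update-homebrew:
    if: startsWith(github.ref, 'refs/tags/v')
    runs-on: ubuntu-latest
    # Depend on all test jobs so we don't update brew repo in case anything fails
    needs: [test-macos, test-linux, build-debs]
    steps:
      - name: "Check out code of main acton repo"
        uses: actions/checkout@v3
      # The version (and the sha256 derived from it) is expanded straight into
      # shell lines below. That is acceptable here because it is read from
      # common.mk at a pushed release tag, i.e. content a maintainer committed;
      # do not reuse this pattern for values that come from PRs or issues.
      - name: "Get the version from common.mk"
        id: get_version
        run: echo "version=$(grep VERSION= common.mk | cut -d = -f 2)" >> $GITHUB_OUTPUT
      - run: wget https://github.com/actonlang/acton/archive/refs/tags/v${{ steps.get_version.outputs.version }}.tar.gz
      - run: sha256sum v${{ steps.get_version.outputs.version }}.tar.gz
      - id: shasum
        run: echo "sum=$(sha256sum v${{ steps.get_version.outputs.version }}.tar.gz | cut -d' ' -f1)" >> $GITHUB_OUTPUT
      - name: "Check out code of our brew repo"
        uses: actions/checkout@v3
        with:
          repository: actonlang/homebrew-acton
          path: homebrew-acton
      - name: "Update formula in homebrew-acton from acton repo"
        run: |
          cp homebrew/Formula/acton.rb homebrew-acton/Formula/acton.rb
      - name: "Update brew formula for acton with new version"
        run: |
          sed -i -e 's,^ url.*, url "https://github.com/actonlang/acton/archive/refs/tags/v${{ steps.get_version.outputs.version }}.tar.gz",' -e 's/^ sha256.*/ sha256 "${{ steps.shasum.outputs.sum }}"/' homebrew-acton/Formula/acton.rb
      - name: "Create Pull Request"
        uses: peter-evans/create-pull-request@v3
        with:
          path: homebrew-acton
          token: ${{ secrets.ACTBOT_PAT }}
          branch: acton-v${{ steps.get_version.outputs.version }}
          title: "acton v${{ steps.get_version.outputs.version }}"
          body: |
            Automatic update triggered by release on actonlang/acton.
          # NOTE(review): the committer e-mail below was garbled by the page
          # rendering; restore it from the repository copy.
          committer: Acton Bot <[email protected]>
          commit-message: "acton v${{ steps.get_version.outputs.version }}"
          signoff: false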