Skip to content

feat(nervous-system): Enable Root to upgrade canisters using chunked Wasms #15472

feat(nervous-system): Enable Root to upgrade canisters using chunked Wasms

feat(nervous-system): Enable Root to upgrade canisters using chunked Wasms #15472

Workflow file for this run

name: CI PR Only
# Jobs that run on PRs, but no other pipelines
on:
merge_group:
pull_request:
types: [opened, synchronize, reopened]
concurrency:
# only triggered on PR, so head_ref will always be set
group: ${{ github.workflow }}-${{ github.head_ref }}
cancel-in-progress: true
env:
CI_PROJECT_DIR: ${{ github.workspace }}
MERGE_BRANCH: ${{ github.event.pull_request.base.ref }}
ORG: ${{ github.repository_owner }}
jobs:
bazel-build-fuzzers-archives:
name: Bazel Build Fuzzers Archives
timeout-minutes: 90
runs-on:
labels: dind-large
container:
image: ghcr.io/dfinity/ic-build@sha256:4fd13b47285e783c3a6f35aadd9559d097c0de162a1cf221ead66ab1598d5d45
options: >-
-e NODE_NAME
if: ${{ github.event_name != 'merge_group' }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Filter Relevant Files
uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
id: filter
with:
filters: |
fuzzers:
- '.github/workflows/pr-only.yml'
- 'bin/build-all-fuzzers.sh'
- 'bazel/fuzz_testing.bzl'
- name: Run Bazel Build Fuzzers Archives
id: bazel-build-fuzzers-archives
if: steps.filter.outputs.fuzzers == 'true'
shell: bash
run: |
set -euo pipefail
cd "${GITHUB_WORKSPACE}"/bin
./build-all-fuzzers.sh --zip
- name: Upload bazel-bep
if: always()
uses: actions/upload-artifact@v4
with:
name: ${{ github.job }}-bep
retention-days: 14
if-no-files-found: ignore
compression-level: 9
path: |
bazel-bep.pb
profile.json
lock-generate:
name: Lock Generate
timeout-minutes: 30
runs-on:
labels: dind-small
container:
image: ghcr.io/dfinity/ic-build@sha256:4fd13b47285e783c3a6f35aadd9559d097c0de162a1cf221ead66ab1598d5d45
options: >-
-e NODE_NAME
if: ${{ github.event_name != 'merge_group' }}
env:
CI_EVENT_NAME: ${{ github.event_name }}
steps:
- name: Create GitHub App Token
uses: actions/create-github-app-token@v1
id: app-token
with:
app-id: ${{ vars.PR_AUTOMATION_BOT_PUBLIC_APP_ID }}
private-key: ${{ secrets.PR_AUTOMATION_BOT_PUBLIC_PRIVATE_KEY }}
- name: Checkout
uses: actions/checkout@v4
with:
ref: ${{ github.head_ref }}
token: ${{ steps.app-token.outputs.token }}
- name: Filter Relevant Files
uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
id: filter
with:
filters: |
lock-generate:
- '.github/workflows/pr-only.yml'
- '.bazelrc'
- '.bazelversion'
- '**/*.bazel'
- '**/*.bzl'
- '**/*.lock'
- '**/*.rs'
- '**/*.toml'
- name: Run Lock Generate
id: lock-generate
if: steps.filter.outputs.lock-generate == 'true'
run: ./ci/scripts/lock-generate.sh
dependencies-check:
name: Dependency Scan for PR
runs-on:
labels: dind-small
container:
image: ghcr.io/dfinity/ic-build@sha256:4fd13b47285e783c3a6f35aadd9559d097c0de162a1cf221ead66ab1598d5d45
options: >-
-e NODE_NAME
if: ${{ github.event_name != 'merge_group' }}
timeout-minutes: 60
permissions:
contents: read
pull-requests: write
env:
SHELL_WRAPPER: "/usr/bin/time"
CI_MERGE_REQUEST_IID: ${{ github.event.pull_request.number }}
CI_PROJECT_PATH: ${{ github.repository }}
CI_PIPELINE_ID: ${{ github.run_id }}
CI_COMMIT_SHA: ${{ github.sha }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
SLACK_PSEC_BOT_OAUTH_TOKEN: ${{ secrets.SLACK_PSEC_BOT_OAUTH_TOKEN }}
REPO_NAME: ${{ github.repository }}
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 256
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.12"
- name: Setup python deps
id: setup-python-deps
shell: bash
run: |
# Ignore externally-managed-environment pip error, install packages system-wide.
PIP_BREAK_SYSTEM_PACKAGES=1 pip3 install --ignore-installed -r requirements.txt
- name: Dependency Scan for Pull Request
id: dependencies-check
shell: bash
run: |
set -euo pipefail
export PYTHONPATH=$PWD/ci/src:$PWD/ci/src/dependencies
cd ci/src/dependencies/
$SHELL_WRAPPER python3 job/bazel_rust_ic_scanner_merge_job.py
# CI job is also executed in Schedule Hourly
bazel-test-coverage:
name: Bazel Test Coverage
timeout-minutes: 90
runs-on:
labels: dind-large
container:
image: ghcr.io/dfinity/ic-build@sha256:4fd13b47285e783c3a6f35aadd9559d097c0de162a1cf221ead66ab1598d5d45
options: >-
-e NODE_NAME
if: contains(github.event.pull_request.labels.*.name, 'CI_COVERAGE')
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run Bazel Test Coverage
shell: bash
run: |
[ -n "${NODE_NAME:-}" ] && echo "Node: $NODE_NAME"
./ci/scripts/bazel-coverage.sh
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}