ci: fix download artifact vulnerability #1822
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: testing | |
on: | |
push: | |
pull_request: | |
pull_request_target: | |
types: [labeled] | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} | |
cancel-in-progress: true | |
jobs: | |
run_tests_ce_linux: | |
# We want to run on external PRs, but not on our own internal | |
# PRs as they'll be run by the push to the branch. | |
# | |
# The main trick is described here: | |
# https://github.com/Dart-Code/Dart-Code/pull/2375 | |
if: (github.event_name == 'push') || | |
(github.event_name == 'pull_request' && | |
github.event.pull_request.head.repo.full_name != github.repository) | |
runs-on: ubuntu-20.04 | |
strategy: | |
fail-fast: false | |
matrix: | |
tarantool: | |
- '1.10' | |
- '2.8' | |
- '2.10' | |
- '2.11' | |
- 'master' | |
python: | |
- '3.6' | |
- '3.7' | |
- '3.8' | |
- '3.9' | |
- '3.10' | |
- '3.11' | |
msgpack-deps: | |
# latest msgpack will be installed as a part of requirements.txt | |
- '' | |
# Adding too many elements to three-dimentional matrix results in | |
# too many test cases. It causes GitHub webpages to fail with | |
# "This page is taking too long to load." error. Thus we use | |
# pairwise testing. | |
include: | |
- tarantool: '2.11' | |
python: '3.11' | |
msgpack-deps: 'msgpack==0.5.0' | |
- tarantool: '2.11' | |
python: '3.11' | |
msgpack-deps: 'msgpack==0.6.2' | |
- tarantool: '2.11' | |
python: '3.11' | |
msgpack-deps: 'msgpack==1.0.4' | |
steps: | |
- name: Clone the connector | |
uses: actions/checkout@v3 | |
- name: Setup tt | |
run: | | |
curl -L https://tarantool.io/release/2/installer.sh | sudo bash | |
sudo apt install -y tt | |
tt version | |
tt init | |
- name: Install tarantool ${{ matrix.tarantool }} | |
if: matrix.tarantool != 'master' | |
uses: tarantool/setup-tarantool@v2 | |
with: | |
tarantool-version: ${{ matrix.tarantool }} | |
- name: Get Tarantool master latest commit | |
if: matrix.tarantool == 'master' | |
run: | | |
commit_hash=$(git ls-remote https://github.com/tarantool/tarantool.git --branch master | head -c 8) | |
echo "LATEST_COMMIT=${commit_hash}" >> $GITHUB_ENV | |
shell: bash | |
- name: Cache Tarantool master | |
if: matrix.tarantool == 'master' | |
id: cache-latest | |
uses: actions/cache@v3 | |
with: | |
path: | | |
${{ github.workspace }}/bin | |
${{ github.workspace }}/include | |
key: cache-latest-${{ env.LATEST_COMMIT }} | |
- name: Setup Tarantool master | |
if: matrix.tarantool == 'master' && steps.cache-latest.outputs.cache-hit != 'true' | |
run: | | |
tt install tarantool master | |
- name: Add Tarantool master to PATH | |
if: matrix.tarantool == 'master' | |
run: echo "${GITHUB_WORKSPACE}/bin" >> $GITHUB_PATH | |
- name: Setup Python for tests | |
uses: actions/setup-python@v4 | |
with: | |
python-version: ${{ matrix.python }} | |
- name: Install specific version of msgpack package | |
# We want to enforce using modern msgpack since it has | |
# various vulnerability fixes. But the code is compatible | |
# with older msgpack versions and msgpack-python package. | |
# To this test compatibility we must ignore requirements.txt | |
# install of the newer msgpack package by overwriting it with sed. | |
if: matrix.msgpack-deps != '' | |
run: | | |
pip3 install ${{ matrix.msgpack-deps }} | |
sed -i -e "s/^msgpack.*$/${{ matrix.msgpack-deps }}/" requirements.txt | |
- name: Install package requirements | |
run: pip3 install -r requirements.txt | |
- name: Install test requirements | |
run: pip3 install -r requirements-test.txt | |
- name: Install the crud module for testing purposes | |
run: | | |
tt rocks install crud | |
- name: Run tests | |
run: make test | |
run_tests_ee_linux: | |
# The same as for run_tests_ce_linux, but it does not run on pull requests | |
# from forks by default. Tests will run only when the pull request is | |
# labeled with `full-ci`. To avoid security problems, the label must be | |
# reset manually for every run. | |
# | |
# We need to use `pull_request_target` because it has access to base | |
# repository secrets unlike `pull_request`. | |
if: (github.event_name == 'push') || | |
(github.event_name == 'pull_request_target' && | |
github.event.pull_request.head.repo.full_name != github.repository && | |
github.event.label.name == 'full-ci') | |
runs-on: ubuntu-20.04 | |
strategy: | |
fail-fast: false | |
matrix: | |
tarantool: | |
- bundle: 'sdk-1.10.15-0-r563' | |
path: 'release/linux/x86_64/1.10/' | |
- bundle: 'sdk-2.8.4-0-r563' | |
path: 'release/linux/x86_64/2.8/' | |
- bundle: 'sdk-gc64-2.10.7-0-r563.linux.x86_64' | |
path: 'release/linux/x86_64/2.10/' | |
- bundle: 'sdk-gc64-2.11.0-0-r563.linux.x86_64' | |
path: 'release/linux/x86_64/2.11/' | |
python: ['3.6', '3.11'] | |
steps: | |
- name: Clone the connector | |
# `ref` as merge request is needed for pull_request_target because this | |
# target runs in the context of the base commit of the pull request. | |
uses: actions/checkout@v3 | |
if: github.event_name == 'pull_request_target' | |
with: | |
ref: refs/pull/${{ github.event.pull_request.number }}/merge | |
- name: Clone the connector | |
if: github.event_name != 'pull_request_target' | |
uses: actions/checkout@v3 | |
- name: Install Tarantool EE SDK | |
run: | | |
ARCHIVE_NAME=tarantool-enterprise-${{ matrix.tarantool.bundle }}.tar.gz | |
curl -O -L https://${{ secrets.SDK_DOWNLOAD_TOKEN }}@download.tarantool.io/enterprise/${{ matrix.tarantool.path }}${ARCHIVE_NAME} | |
tar -xzf ${ARCHIVE_NAME} | |
rm -f ${ARCHIVE_NAME} | |
- name: Setup Python for tests | |
uses: actions/setup-python@v4 | |
with: | |
python-version: ${{ matrix.python }} | |
- name: Install package requirements | |
run: pip3 install -r requirements.txt | |
- name: Install test requirements | |
run: pip3 install -r requirements-test.txt | |
- name: Install the crud module for testing purposes | |
# This is a workaround with TARANTOOL_DIR and should be reworked later. | |
# See more here: https://github.com/tarantool/tt/issues/282 | |
run: | | |
source tarantool-enterprise/env.sh | |
curl -L https://tarantool.io/release/2/installer.sh | bash | |
sudo apt install -y tt | |
tt rocks install crud TARANTOOL_DIR=$PWD/tarantool-enterprise | |
- name: Run tests | |
run: | | |
source tarantool-enterprise/env.sh | |
make test | |
env: | |
TEST_TNT_SSL: ${{ matrix.tarantool.bundle == 'sdk-gc64-2.10.7-0-r563.linux.x86_64' || | |
matrix.tarantool.bundle == 'sdk-gc64-2.11.0-0-r563.linux.x86_64'}} | |
run_tests_pip_branch_install_linux: | |
# We want to run on external PRs, but not on our own internal | |
# PRs as they'll be run by the push to the branch. | |
# | |
# The main trick is described here: | |
# https://github.com/Dart-Code/Dart-Code/pull/2375 | |
if: (github.event_name == 'push') || | |
(github.event_name == 'pull_request' && | |
github.event.pull_request.head.repo.full_name != github.repository) | |
runs-on: ubuntu-20.04 | |
strategy: | |
fail-fast: false | |
matrix: | |
tarantool: | |
- '2.11' | |
python: | |
- '3.6' | |
- '3.11' | |
steps: | |
- name: Clone the connector repo | |
uses: actions/checkout@v3 | |
- name: Install tarantool ${{ matrix.tarantool }} | |
uses: tarantool/setup-tarantool@v2 | |
with: | |
tarantool-version: ${{ matrix.tarantool }} | |
- name: Setup Python for tests | |
uses: actions/setup-python@v4 | |
with: | |
python-version: ${{ matrix.python }} | |
- name: Remove connector source code | |
run: python3 .github/scripts/remove_source_code.py | |
- name: Install the package with pip | |
run: pip3 install git+$GITHUB_SERVER_URL/$GITHUB_REPOSITORY@$GITHUB_REF | |
- name: Install test requirements | |
run: pip3 install -r requirements-test.txt | |
- name: Install the crud module for testing purposes | |
run: | | |
curl -L https://tarantool.io/release/2/installer.sh | bash | |
sudo apt install -y tt | |
tt rocks install crud | |
- name: Run tests | |
run: make test-pure-install | |
run_tests_ce_windows: | |
# We want to run on external PRs, but not on our own internal | |
# PRs as they'll be run by the push to the branch. | |
# | |
# The main trick is described here: | |
# https://github.com/Dart-Code/Dart-Code/pull/2375 | |
if: github.event_name == 'push' || | |
(github.event_name == 'pull_request' && | |
github.event.pull_request.head.repo.full_name != github.repository) | |
runs-on: windows-2022 | |
strategy: | |
fail-fast: false | |
matrix: | |
# Use reduced test matrix cause Windows pipelines are long. | |
tarantool: | |
- '2.11.0.g247a9a418-1' | |
python: | |
- '3.6' | |
- '3.11' | |
steps: | |
- name: Clone the connector | |
uses: actions/checkout@v3 | |
- name: Setup Python for tests | |
uses: actions/setup-python@v4 | |
with: | |
python-version: ${{ matrix.python }} | |
- name: Install connector requirements | |
run: pip3 install -r requirements.txt | |
- name: Install test requirements | |
run: pip3 install -r requirements-test.txt | |
- name: Setup WSL for tarantool | |
uses: Vampire/setup-wsl@v2 | |
with: | |
distribution: Ubuntu-22.04 | |
- name: Install tarantool ${{ matrix.tarantool }} for WSL (2.10 and newer) | |
shell: wsl-bash_Ubuntu-22.04 {0} | |
run: | | |
curl -L https://tarantool.io/release/2/installer.sh | bash -s | |
sudo apt install -y tarantool=${{ matrix.tarantool }} tarantool-dev=${{ matrix.tarantool }} | |
- name: Setup test tarantool instance | |
shell: wsl-bash_Ubuntu-22.04 {0} | |
run: | | |
rm -f ./tarantool.pid ./tarantool.log | |
TNT_PID=$(tarantool ./test/suites/lib/tarantool_python_ci.lua > tarantool.log 2>&1 & echo $!) | |
touch tarantool.pid | |
echo $TNT_PID > ./tarantool.pid | |
- name: Run tests | |
env: | |
REMOTE_TARANTOOL_HOST: localhost | |
REMOTE_TARANTOOL_CONSOLE_PORT: 3302 | |
run: make test | |
- name: Stop test tarantool instance | |
if: ${{ always() }} | |
shell: wsl-bash_Ubuntu-22.04 {0} | |
run: | | |
cat tarantool.log || true | |
kill $(cat tarantool.pid) || true | |
run_tests_pip_branch_install_windows: | |
# We want to run on external PRs, but not on our own internal | |
# PRs as they'll be run by the push to the branch. | |
# | |
# The main trick is described here: | |
# https://github.com/Dart-Code/Dart-Code/pull/2375 | |
if: (github.event_name == 'push') || | |
(github.event_name == 'pull_request' && | |
github.event.pull_request.head.repo.full_name != github.repository) | |
runs-on: windows-2022 | |
strategy: | |
fail-fast: false | |
matrix: | |
# Use reduced test matrix cause Windows pipelines are long. | |
tarantool: | |
- '2.11.0.g247a9a418-1' | |
python: | |
- '3.6' | |
- '3.11' | |
steps: | |
- name: Clone the connector repo | |
uses: actions/checkout@v3 | |
- name: Setup Python for tests | |
uses: actions/setup-python@v4 | |
with: | |
python-version: ${{ matrix.python }} | |
- name: Remove connector source code | |
run: python3 .github/scripts/remove_source_code.py | |
- name: Install the package with pip | |
run: pip3 install git+$env:GITHUB_SERVER_URL/$env:GITHUB_REPOSITORY@$env:GITHUB_REF | |
- name: Install test requirements | |
run: pip3 install -r requirements-test.txt | |
- name: Setup WSL for tarantool | |
uses: Vampire/setup-wsl@v2 | |
with: | |
distribution: Ubuntu-22.04 | |
- name: Install tarantool ${{ matrix.tarantool }} for WSL | |
shell: wsl-bash_Ubuntu-22.04 {0} | |
run: | | |
curl -L https://tarantool.io/release/2/installer.sh | bash -s | |
sudo apt install -y tarantool=${{ matrix.tarantool }} tarantool-dev=${{ matrix.tarantool }} | |
- name: Setup test tarantool instance | |
shell: wsl-bash_Ubuntu-22.04 {0} | |
run: | | |
rm -f ./tarantool.pid ./tarantool.log | |
TNT_PID=$(tarantool ./test/suites/lib/tarantool_python_ci.lua > tarantool.log 2>&1 & echo $!) | |
touch tarantool.pid | |
echo $TNT_PID > ./tarantool.pid | |
- name: Run tests | |
env: | |
REMOTE_TARANTOOL_HOST: localhost | |
REMOTE_TARANTOOL_CONSOLE_PORT: 3302 | |
run: make test-pure-install | |
- name: Stop test tarantool instance | |
if: ${{ always() }} | |
shell: wsl-bash_Ubuntu-22.04 {0} | |
run: | | |
cat tarantool.log || true | |
kill $(cat tarantool.pid) || true |