chore(ci): improve security, add build target riscv with best effort …

…support (#6227) Description Improve security for GHA workflows by reducing permissions Improve concurrency selection and cancelation Add targeted testNet builds options and comments to ffi builds Add via branch selection CI build all Add build target ```riscv```, with best effort enabled, so that builds are not blocked, but hopefully somebody will investigate a fix, if possible Motivation and Context Improvements for GHA build workflows Hope to motivate somebody to look at the ```riscv``` build issues with the ring crate How Has This Been Tested? Builds in local fork What process can a PR reviewer use to test or verify this change? ---   Breaking Changes --- - [x] None - [ ] Requires data directory on base node to be deleted - [ ] Requires hard fork - [ ] Other - Please specify
tari-project · Mar 25, 2024 · 6e216a0 · 6e216a0
1 parent e0ad342
commit 6e216a0
Show file tree

Hide file tree

Showing 7 changed files with 57 additions and 19 deletions.
diff --git a/.cargo/config.toml b/.cargo/config.toml
@@ -0,0 +1,5 @@
+[target.aarch64-unknown-linux-gnu]
+linker = "aarch64-linux-gnu-gcc"
+
+[target.riscv64gc-unknown-linux-gnu]
+linker = "riscv64-linux-gnu-gcc"
diff --git a/.github/workflows/base_node_binaries.json b/.github/workflows/base_node_binaries.json
@@ -21,7 +21,8 @@
     "target": "riscv64gc-unknown-linux-gnu",
     "cross": true,
     "flags": "--workspace --exclude minotari_mining_helper_ffi --exclude tari_integration_tests",
-    "build_enabled": false
+    "build_enabled": true,
+    "best-effort": true
   },
   {
     "name": "macos-x86_64",

diff --git a/.github/workflows/base_node_binaries.yml b/.github/workflows/base_node_binaries.yml
@@ -6,7 +6,8 @@ name: Build Matrix of Binaries
     tags:
       - 'v[0-9]+.[0-9]+.[0-9]*'
     branches:
-      - build-*
+      - 'build-all-*'
+      - 'build-bins-*'
   schedule:
     - cron: "05 00 * * *"
   workflow_dispatch:
@@ -34,8 +35,11 @@ env:
   CARGO_CACHE: true
 
 concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
+  # https://docs.github.com/en/actions/examples/using-concurrency-expressions-and-a-test-matrix
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: ${{ !startsWith(github.ref, 'refs/tags/v') || github.ref != 'refs/heads/development' || github.ref != 'refs/heads/nextnet' || github.ref != 'refs/heads/stagenet' }}
+
+permissions: {}
 
 jobs:
   matrix-prep:
@@ -87,6 +91,7 @@ jobs:
   builds:
     name: Building ${{ matrix.builds.name }} on ${{ matrix.builds.runs-on }}
     needs: matrix-prep
+    continue-on-error: ${{ matrix.builds.best-effort || false }}
     outputs:
       TARI_NETWORK_DIR: ${{ steps.set-tari-network.outputs.TARI_NETWORK_DIR }}
       TARI_VERSION: ${{ steps.set-tari-vars.outputs.TARI_VERSION }}
@@ -103,6 +108,7 @@ jobs:
 
       - name: Declare TestNet for tags
         id: set-tari-network
+        # Don't forget to comment out the below if, when force testing with GHA_NETWORK
         if: ${{ startsWith(github.ref, 'refs/tags/v') }}
         env:
           GHA_NETWORK: ${{ github.ref_name }}
@@ -154,6 +160,12 @@ jobs:
             TARGET_LIBS+="--package ${LIB_FILE} "
           done
           echo "TARGET_LIBS=${TARGET_LIBS}" >> $GITHUB_ENV
+          TARI_BUILD_ISA_CPU=${{ matrix.builds.target }}
+          # Strip unknown part
+          TARI_BUILD_ISA_CPU=${TARI_BUILD_ISA_CPU//-unknown-linux-gnu}
+          # Strip gc used by rust
+          TARI_BUILD_ISA_CPU=${TARI_BUILD_ISA_CPU//gc}
+          echo "TARI_BUILD_ISA_CPU=${TARI_BUILD_ISA_CPU}" >> $GITHUB_ENV
 
       - name: Scheduled Destination Folder Override
         if: ${{ github.event_name == 'schedule' && github.event.schedule == '05 00 * * *' }}
@@ -174,12 +186,13 @@ jobs:
           sudo apt-get update
           sudo bash scripts/install_ubuntu_dependencies.sh
 
-      - name: Install Linux dependencies - Ubuntu - cross-compile arm64 on x86-64
-        if: ${{ startsWith(runner.os,'Linux') && ( ! matrix.builds.cross ) && matrix.builds.name == 'linux-arm64' }}
+      - name: Install Linux dependencies - Ubuntu - cross-compiled ${{ env.TARI_BUILD_ISA_CPU }} on x86-64
+        if: ${{ startsWith(runner.os,'Linux') && ( ! matrix.builds.cross ) && matrix.builds.name != 'linux-x86_64' }}
         run: |
           sudo apt-get update
-          sudo bash scripts/install_ubuntu_dependencies-arm64.sh
+          sudo bash scripts/install_ubuntu_dependencies-cross_compile.sh ${{ env.TARI_BUILD_ISA_CPU }}
           rustup target add ${{ matrix.builds.target }}
+          echo "PKG_CONFIG_SYSROOT_DIR=/usr/${{ env.TARI_BUILD_ISA_CPU }}-linux-gnu/" >> $GITHUB_ENV
 
       - name: Install macOS dependencies
         if: startsWith(runner.os,'macOS')

diff --git a/.github/workflows/build_dockers.yml b/.github/workflows/build_dockers.yml
@@ -8,7 +8,8 @@ name: Build docker images
     tags:
       - 'v[0-9]+.[0-9]+.[0-9]*'
     branches:
-      - 'build_dockers*'
+      - 'build-all-*'
+      - 'build-dockers-*'
   schedule:
     - cron: '05 00 * * *'
   workflow_dispatch:

diff --git a/.github/workflows/build_libffis.yml b/.github/workflows/build_libffis.yml
@@ -6,6 +6,7 @@ name: Build ffi libraries
     tags:
       - 'v[0-9]+.[0-9]+.[0-9]*'
     branches:
+      - 'build-all-*'
       - 'build-ffis-*'
   schedule:
     - cron: '05 00 * * *'
@@ -24,8 +25,11 @@ env:
   matrix-json-file: '.github/workflows/build_libffis.json'
 
 concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
+  # https://docs.github.com/en/actions/examples/using-concurrency-expressions-and-a-test-matrix
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: ${{ !startsWith(github.ref, 'refs/tags/v') || github.ref != 'refs/heads/development' || github.ref != 'refs/heads/nextnet' || github.ref != 'refs/heads/stagenet' }}
+
+permissions: {}
 
 jobs:
   matrix-prep:
@@ -97,10 +101,14 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Declare TestNet for tags
+        # Don't forget to comment out the below if, when force testing with GHA_NETWORK
         if: ${{ startsWith(github.ref, 'refs/tags/v') }}
+        env:
+          GHA_NETWORK: ${{ github.ref_name }}
+          # GHA_NETWORK: "v1.0.0-rc.4"
         shell: bash
         run: |
-          source buildtools/multinet_envs.sh ${{ github.ref_name }}
+          source buildtools/multinet_envs.sh ${{ env.GHA_NETWORK }}
           echo ${TARI_NETWORK}
           echo ${TARI_TARGET_NETWORK}
           echo ${TARI_NETWORK_CHANGELOG}

diff --git a/scripts/install_ubuntu_dependencies-arm64.sh b/scripts/install_ubuntu_dependencies-arm64.sh
diff --git a/scripts/install_ubuntu_dependencies-cross_compile.sh b/scripts/install_ubuntu_dependencies-cross_compile.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env sh
+#
+# Install Ubuntu aarch64(arm64)/riscv64 deb dev/tool packages on x86_64
+#
+USAGE="Usage: $0 ISA_ARCH other packages, ie aarch64"
+
+if [ "$#" == "0" ]; then
+    echo "$USAGE"
+    exit 1
+fi
+
+isa_arch=${1}
+shift
+
+apt-get --assume-yes install $* \
+  pkg-config-${isa_arch}-linux-gnu \
+  gcc-${isa_arch}-linux-gnu \
+  g++-${isa_arch}-linux-gnu