Update SECURITY.md #1487
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: PL/Rust | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - develop | |
| pull_request: | |
| branches: | |
| - main | |
| - develop | |
| workflow_dispatch: | |
| env: | |
| RUST_BACKTRACE: 1 | |
| SCCACHE_VER: 0.5.4 # Change this to bump the sccache version across all jobs | |
| # CARGO_LOG: cargo::core::compiler::fingerprint=info # Uncomment this to output compiler fingerprint info | |
| jobs: | |
| # This job runs all tasks within an Ubuntu 22.04 image launched in AWS. | |
| # A few things to note about the environment in which these run: | |
| # * Ubuntu AMIs in AWS require extra storage to be mounted via EBS. As such, EBS volumes are pre-mounted | |
| # in these images under /workdir | |
| # * /workdir is the root directory for almost all things CI-build related, such as: | |
| # - The "ubuntu" user's home directory is relocated to /workdir/ubuntu | |
| # - TMPDIR is now set to /workdir/tmp so that Rust builds won't run out of drive space | |
| # - rustup/cargo/etc are now located under various subdirectories of /workdir/ubuntu | |
| # - sccache directory is located under /workdir/sccache | |
| # - Any artifacts that need to be produces (like cache archives) need to be put under /workdir/ubuntu/artifacts | |
| # - Github Actions runner is downloaded and installed to /workdir/ubuntu/actions-runner -- this is also where | |
| # the runner application will be configured and launched | |
| # * Caches are stored to and pulled from private S3 buckets | |
| plrust_arm64_ubuntu: | |
| name: arm64 tests on Ubuntu | |
| runs-on: [self-hosted, linux, ARM64, launch_template_id__lt-0726d9ff7411af069] | |
| defaults: | |
| run: | |
| shell: bash | |
| strategy: | |
| matrix: | |
| version: ["pg13", "pg14", "pg15", "pg16"] | |
| target: ["host", "postgrestd"] | |
| fail-fast: false | |
| env: | |
| ARTIFACTS_DIR: /workdir/ubuntu/artifacts | |
| AWS_CACHE_BUCKET: tcdi-ci-plrust-build-cache.private | |
| CACHE_KEY_VERSION: v0 | |
| CI: true | |
| PLRUST_TRUSTED_PGRX_OVERRIDE: "pgrx = { path = '/workdir/ubuntu/actions-runner/_work/plrust/plrust/plrust-trusted-pgrx', package='plrust-trusted-pgrx' }" | |
| RUSTUP_HOME: /workdir/ubuntu/.rustup | |
| RUSTC_WRAPPER: sccache | |
| RUSTFLAGS: -Copt-level=0 -Dwarnings | |
| SCCACHE_BIN_DIR: /workdir/ubuntu/.local/bin | |
| SCCACHE_CACHE_SIZE: 20G | |
| SCCACHE_DIR: /workdir/sccache | |
| SCCACHE_IDLE_TIMEOUT: 0 | |
| WORK_DIR: /workdir/ubuntu/actions-runner/_work/plrust/plrust | |
| TMPDIR: /workdir/tmp | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Generate cache filenames | |
| run: | | |
| cd $WORK_DIR | |
| shopt -s globstar | |
| checksum=$(cat **/Cargo.lock **/rust-toolchain.toml .github/workflows/ci.yml .cargo/config | sha256sum | awk '{print $1}') | |
| echo "CACHE_KEY_CHECKSUM=$checksum" >> $GITHUB_ENV | |
| echo "CARGO_CACHE_KEY=plrust-arm64-ubuntu-cargo-cache-$CACHE_KEY_VERSION-$checksum.tar.lz4" >> $GITHUB_ENV | |
| echo "SCCACHE_CACHE_KEY=plrust-arm64-ubuntu-sccache-cache-$CACHE_KEY_VERSION-$checksum.tar.lz4" >> $GITHUB_ENV | |
| mkdir -p $ARTIFACTS_DIR | |
| - name: Set up (Linux) prerequisites and environment | |
| run: | | |
| echo "" | |
| echo "----- Set up dynamic variables -----" | |
| export PG_VER=$(echo ${{ matrix.version }} | cut -c 3-) | |
| echo "PG_VER=$PG_VER" >> $GITHUB_ENV | |
| echo "MAKEFLAGS=$MAKEFLAGS -j $(grep -c ^processor /proc/cpuinfo)" >> $GITHUB_ENV | |
| cat $GITHUB_ENV | |
| echo "" | |
| echo "----- Install sccache -----" | |
| mkdir -p $SCCACHE_BIN_DIR | |
| curl -L "https://github.com/mozilla/sccache/releases/download/v$SCCACHE_VER/sccache-v$SCCACHE_VER-aarch64-unknown-linux-musl.tar.gz" | tar xz | |
| mv -f "sccache-v$SCCACHE_VER-aarch64-unknown-linux-musl/sccache" "$SCCACHE_BIN_DIR/sccache" | |
| chmod +x "$SCCACHE_BIN_DIR/sccache" | |
| echo "$SCCACHE_BIN_DIR" >> "$GITHUB_PATH" | |
| mkdir -p "$SCCACHE_DIR" | |
| echo "" | |
| echo "----- Remove old postgres and libraries -----" | |
| sudo apt remove -y '^postgres.*' '^libpq.*' '^clang.*' '^llvm.*' '^libclang.*' '^libllvm.*' # '^mono-llvm.*' | |
| echo "" | |
| echo "----- Set up PostgreSQL Apt repository -----" | |
| sudo apt-get install -y wget gnupg | |
| sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list' | |
| wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/apt.postgresql.org.gpg >/dev/null | |
| sudo apt-get update -y -qq --fix-missing | |
| echo "" | |
| echo "----- Install system dependencies and PostgreSQL version $PG_VER -----" | |
| sudo apt-get install -y \ | |
| build-essential \ | |
| clang-14 \ | |
| gcc \ | |
| libclang-14-dev \ | |
| libssl-dev \ | |
| libz-dev \ | |
| llvm-14-dev \ | |
| lz4 \ | |
| make \ | |
| pkg-config \ | |
| strace \ | |
| zlib1g-dev | |
| echo "" | |
| echo "----- Install rustup -----" | |
| curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y | |
| echo "$HOME/.cargo/bin" >> $GITHUB_PATH | |
| source "$HOME/.cargo/env" | |
| cargo --version | |
| echo "" | |
| echo "----- Print env -----" | |
| env | |
| echo "" | |
| - name: Load Cargo and sccache caches if available | |
| run: | | |
| # See <plrust-root>/.github/scripts/load_cache.sh for more details | |
| . $WORK_DIR/.github/scripts/load_cache.sh | |
| loadcache $CARGO_CACHE_KEY | |
| loadcache $SCCACHE_CACHE_KEY | |
| - name: Start sccache server | |
| run: sccache --start-server && sccache --show-stats | |
| - name: Create protected files | |
| run: | | |
| sudo mkdir -p /var/ci-stuff/secret_rust_files | |
| sudo echo "const FOO:i32 = 7;" /var/ci-stuff/secret_rust_files/const_foo.rs | |
| sudo echo "const BAR:i32 = 8;" /var/ci-stuff/const_bar.rs | |
| sudo chmod -R 600 /var/ci-stuff/secret_rust_files | |
| if: matrix.target == 'postgrestd' | |
| - name: Install release version of PostgreSQL | |
| run: | | |
| sudo apt-get install -y \ | |
| postgresql-"$PG_VER" \ | |
| postgresql-server-dev-"$PG_VER" | |
| echo "---- pg_config info ----" | |
| /usr/lib/postgresql/"$PG_VER"/bin/pg_config | |
| - name: Set up Postgres permissions | |
| run: sudo chmod a+rwx "$(/usr/lib/postgresql/"$PG_VER"/bin/pg_config --pkglibdir)" "$(/usr/lib/postgresql/"$PG_VER"/bin/pg_config --sharedir)"/extension /var/run/postgresql/ | |
| # See <plrust-root>/.github/scripts/install_cargo_pgrx.sh for more details | |
| - name: Install cargo-pgrx defined in plrust/Cargo.toml | |
| run: | | |
| . $GITHUB_WORKSPACE/.github/scripts/install_cargo_pgrx.sh | |
| install_cargo_pgrx | |
| - name: Print sccache stats | |
| run: sccache --show-stats | |
| - name: Install llvm-tools-preview | |
| run: rustup component add llvm-tools-preview rustc-dev | |
| - name: Create protected files | |
| run: | | |
| sudo mkdir -p /var/ci-stuff/secret_rust_files | |
| sudo echo "const FOO:i32 = 7;" /var/ci-stuff/secret_rust_files/const_foo.rs | |
| sudo echo "const BAR:i32 = 8;" /var/ci-stuff/const_bar.rs | |
| sudo chmod -R 600 /var/ci-stuff/secret_rust_files | |
| if: matrix.target == 'postgrestd' | |
| - name: Test plrustc | |
| run: cd plrustc && cargo test -p plrustc | |
| - name: Print sccache stats | |
| run: sccache --show-stats | |
| - name: Test plrustc | |
| run: cd plrustc && cargo test | |
| - name: Print sccache stats | |
| run: sccache --show-stats | |
| - name: Install plrustc | |
| run: cd plrustc && ./build.sh && cp ../build/bin/plrustc ~/.cargo/bin | |
| - name: Print sccache stats | |
| run: sccache --show-stats | |
| - name: Run 'cargo pgrx init' against system-level ${{ matrix.version }} | |
| run: cargo pgrx init --pg$PG_VER $(which pg_config) | |
| - name: Install PL/Rust as "trusted" | |
| if: matrix.target == 'postgrestd' | |
| run: cd plrust && STD_TARGETS="aarch64-postgres-linux-gnu" ./build && echo "\q" | cargo pgrx run "pg$PG_VER" --features "trusted" | |
| - name: Test PL/Rust package as "trusted" | |
| if: matrix.target == 'postgrestd' | |
| run: cd plrust && cargo test --no-default-features --features "pg$PG_VER trusted" | |
| - name: Run PL/Rust integration tests as "trusted" | |
| if: matrix.target == 'postgrestd' | |
| run: cd plrust && echo "\q" | cargo pgrx run "pg$PG_VER" --features "trusted" && cd ../plrust-tests && cargo test --no-default-features --features "pg$PG_VER trusted" | |
| - name: Install PL/Rust as "untrusted" | |
| if: matrix.target == 'host' | |
| run: cd plrust && STD_TARGETS="aarch64-postgres-linux-gnu" ./build && echo "\q" | cargo pgrx run "pg$PG_VER" | |
| - name: Test PL/Rust package as "untrusted" | |
| if: matrix.target == 'host' | |
| run: cd plrust && cargo test --no-default-features --features "pg$PG_VER" | |
| - name: Run PL/Rust integration tests as "untrusted" | |
| if: matrix.target == 'host' | |
| run: cd plrust && echo "\q" | cargo pgrx run "pg$PG_VER" && cd ../plrust-tests && cargo test --no-default-features --features "pg$PG_VER" | |
| - name: Print sccache stats | |
| run: sccache --show-stats | |
| - name: Stop sccache server | |
| run: sccache --stop-server || true | |
| - name: Store Cargo and sccache caches if applicable | |
| run: | | |
| . $WORK_DIR/.github/scripts/save_cache.sh | |
| # See <plrust-root>/.github/scripts/save_cache.sh for more details | |
| cargo_dirs=( \ | |
| $HOME/.cargo/ \ | |
| ) | |
| savecache $CARGO_CACHE_KEY "${cargo_dirs[@]}" | |
| sccache_dirs=($SCCACHE_DIR) | |
| savecache $SCCACHE_CACHE_KEY "${sccache_dirs[@]}" | |
| plrust_x86_64: | |
| name: x86_64 tests | |
| runs-on: ${{ matrix.os }} | |
| if: "!contains(github.event.head_commit.message, 'nogha')" | |
| env: | |
| PLRUST_TRUSTED_PGRX_OVERRIDE: "pgrx = { path = '/home/runner/work/plrust/plrust/plrust-trusted-pgrx', package='plrust-trusted-pgrx' }" | |
| RUSTC_WRAPPER: sccache | |
| RUSTFLAGS: -Copt-level=0 -Dwarnings | |
| SCCACHE_BIN_DIR: /home/runner/.local/bin | |
| SCCACHE_CACHE_SIZE: 20G | |
| SCCACHE_DIR: /home/runner/.cache/sccache | |
| SCCACHE_IDLE_TIMEOUT: 0 | |
| strategy: | |
| matrix: | |
| version: ["pg13", "pg14", "pg15", "pg16"] | |
| os: ["ubuntu-latest"] | |
| # it would be nice to other contributors to return "macos-11" to the above array | |
| target: ["host", "postgrestd"] | |
| fail-fast: false | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Set up (Linux) prerequisites and environment | |
| run: | | |
| echo "" | |
| echo "----- Set up dynamic variables -----" | |
| export PG_VER=$(echo ${{ matrix.version }} | cut -c 3-) | |
| echo "PG_VER=$PG_VER" >> $GITHUB_ENV | |
| echo "MAKEFLAGS=$MAKEFLAGS -j $(grep -c ^processor /proc/cpuinfo)" >> $GITHUB_ENV | |
| cat $GITHUB_ENV | |
| echo "" | |
| echo "----- Install sccache -----" | |
| mkdir -p "$SCCACHE_BIN_DIR" | |
| curl -L "https://github.com/mozilla/sccache/releases/download/v$SCCACHE_VER/sccache-v$SCCACHE_VER-x86_64-unknown-linux-musl.tar.gz" | tar xz | |
| mv -f "sccache-v$SCCACHE_VER-x86_64-unknown-linux-musl/sccache" "$SCCACHE_BIN_DIR/sccache" | |
| chmod +x "$SCCACHE_BIN_DIR/sccache" | |
| echo "$SCCACHE_BIN_DIR" >> $GITHUB_PATH | |
| mkdir -p "$SCCACHE_DIR" | |
| echo "" | |
| echo "----- Remove old postgres -----" | |
| sudo apt remove -y '^postgres.*' '^libpq.*' '^clang.*' '^llvm.*' '^libclang.*' '^libllvm.*' '^mono-llvm.*' | |
| echo "" | |
| echo "----- Set up PostgreSQL Apt repository -----" | |
| sudo apt-get install -y wget gnupg | |
| sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list' && \ | |
| wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/apt.postgresql.org.gpg >/dev/null && \ | |
| sudo apt-get update -y -qq --fix-missing | |
| echo "" | |
| echo "----- Install system dependencies and PostgreSQL version $PG_VER -----" | |
| sudo apt-get install -y \ | |
| build-essential \ | |
| llvm-14-dev libclang-14-dev clang-14 \ | |
| gcc \ | |
| libssl-dev \ | |
| libz-dev \ | |
| make \ | |
| pkg-config \ | |
| strace \ | |
| zlib1g-dev | |
| echo "" | |
| echo "----- Installed Packages -----" | |
| sudo apt list --installed | |
| echo "" | |
| echo "----- Print env -----" | |
| env | |
| echo "" | |
| echo "----- Get cargo version -----" | |
| cargo --version | |
| echo "" | |
| - name: Install release version of PostgreSQL | |
| run: | | |
| echo "----- Set up PostgreSQL Apt repository -----" | |
| sudo apt-get install -y wget gnupg | |
| sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list' | |
| wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add - | |
| sudo apt-get update -y -qq --fix-missing | |
| echo "" | |
| sudo apt-get install -y \ | |
| postgresql-"$PG_VER" \ | |
| postgresql-server-dev-"$PG_VER" | |
| echo "---- pg_config info ----" | |
| /usr/lib/postgresql/"$PG_VER"/bin/pg_config | |
| - name: Set up Postgres permissions | |
| run: sudo chmod a+rwx "$(/usr/lib/postgresql/"$PG_VER"/bin/pg_config --pkglibdir)" "$(/usr/lib/postgresql/"$PG_VER"/bin/pg_config --sharedir)"/extension /var/run/postgresql/ | |
| - name: Cache cargo registry | |
| uses: actions/cache@v3 | |
| continue-on-error: false | |
| with: | |
| path: | | |
| /home/runner/.cargo | |
| key: v0-plrust-x86_64-cargo-${{ runner.os }}-${{ hashFiles('**/Cargo.lock', '**/rust-toolchain.toml', 'plrustc/.cargo/config.toml', '.github/workflows/ci.yml', '.cargo/config') }} | |
| - name: Cache sccache directory | |
| uses: actions/cache@v3 | |
| continue-on-error: false | |
| with: | |
| path: | | |
| /home/runner/.cache/sccache | |
| key: v0-plrust-x86_64-sccache-${{ matrix.target }}-${{ runner.os }}-${{ hashFiles('**/Cargo.lock', '**/rust-toolchain.toml', 'plrustc/.cargo/config.toml', '.github/workflows/ci.yml', '.cargo/config') }} | |
| - name: Start sccache server | |
| run: sccache --start-server && sccache --show-stats | |
| - name: sccache dir | |
| run: ls -lath /home/runner/.cache/sccache | |
| # See <plrust-root>/.github/scripts/install_cargo_pgrx.sh for more details | |
| - name: Install cargo-pgrx defined in plrust/Cargo.toml | |
| run: | | |
| . $GITHUB_WORKSPACE/.github/scripts/install_cargo_pgrx.sh | |
| install_cargo_pgrx | |
| - name: Print sccache stats | |
| run: sccache --show-stats | |
| - name: Install llvm-tools-preview | |
| run: rustup component add llvm-tools-preview rustc-dev | |
| - name: Create protected files | |
| run: | | |
| sudo mkdir -p /var/ci-stuff/secret_rust_files | |
| sudo echo "const FOO:i32 = 7;" /var/ci-stuff/secret_rust_files/const_foo.rs | |
| sudo echo "const BAR:i32 = 8;" /var/ci-stuff/const_bar.rs | |
| sudo chmod -R 600 /var/ci-stuff/secret_rust_files | |
| if: matrix.target == 'postgrestd' | |
| - name: Test plrustc | |
| run: cd plrustc && cargo test -p plrustc | |
| - name: Print sccache stats | |
| run: sccache --show-stats | |
| - name: Test plrustc | |
| run: cd plrustc && cargo test | |
| - name: Install plrustc | |
| run: cd plrustc && ./build.sh && cp ../build/bin/plrustc ~/.cargo/bin | |
| - name: Print sccache stats | |
| run: sccache --show-stats | |
| - name: Run 'cargo pgrx init' against system-level ${{ matrix.version }} | |
| run: cargo pgrx init --pg$PG_VER $(which pg_config) | |
| - name: Install PL/Rust as "trusted" | |
| if: matrix.target == 'postgrestd' | |
| run: cd plrust && STD_TARGETS="x86_64-postgres-linux-gnu" ./build && echo "\q" | cargo pgrx run "pg$PG_VER" --features "trusted" | |
| - name: Test PL/Rust package as "trusted" | |
| if: matrix.target == 'postgrestd' | |
| run: cd plrust && cargo test --no-default-features --features "pg$PG_VER trusted" | |
| - name: Run PL/Rust integration tests as "trusted" | |
| if: matrix.target == 'postgrestd' | |
| run: cd plrust && echo "\q" | cargo pgrx run "pg$PG_VER" --features "trusted" && cd ../plrust-tests && cargo test --no-default-features --features "pg$PG_VER trusted" | |
| - name: Install PL/Rust as "untrusted" | |
| if: matrix.target == 'host' | |
| run: cd plrust && STD_TARGETS="x86_64-postgres-linux-gnu" ./build && echo "\q" | cargo pgrx run "pg$PG_VER" | |
| - name: Test PL/Rust package as "untrusted" | |
| if: matrix.target == 'host' | |
| run: cd plrust && cargo test --no-default-features --features "pg$PG_VER" | |
| - name: Run PL/Rust integration tests as "untrusted" | |
| if: matrix.target == 'host' | |
| run: cd plrust && echo "\q" | cargo pgrx run "pg$PG_VER" && cd ../plrust-tests && cargo test --no-default-features --features "pg$PG_VER" | |
| - name: Print sccache stats | |
| run: sccache --show-stats | |
| - name: sccache dir | |
| run: ls -lath /home/runner/.cache/sccache | |
| - name: Stop sccache server | |
| run: sccache --stop-server || true |