---
# CI workflow: discover the Rust toolchains to test, then run checks and tests
# across the platform matrix (with coverage on stable/debug), validate the
# lockfile, and build on Android, distro containers and VM-only platforms.
#
# Supply-chain posture visible in this file: every third-party action is pinned
# to a full commit SHA (the version is the trailing comment), every checkout
# uses `persist-credentials: false`, distro container images are pinned by
# digest, and GITHUB_TOKEN is read-only for all jobs.
name: CI

on:  # yamllint disable-line rule:truthy
  pull_request:
  merge_group:
  workflow_dispatch:

# Workflow-wide environment. The RUST_* test-time values are repeated in the
# "Run tests and determine coverage" step's own env block.
env:
  CARGO_TERM_COLOR: always
  RUST_BACKTRACE: 1
  RUST_TEST_TIME_UNIT: 10,30
  RUST_TEST_TIME_INTEGRATION: 10,30
  RUST_TEST_TIME_DOCTEST: 10,30
  CARGO_PROFILE_RELEASE_LTO: true
  CARGO_PROFILE_RELEASE_CODEGEN_UNITS: 1

# One in-flight run per pull request (or per ref outside PRs); a newer trigger
# cancels the older run.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

# Read-only GITHUB_TOKEN for every job in this workflow.
permissions:
  contents: read

defaults:
  run:
    shell: bash

jobs:
  # Emits the JSON list of toolchains consumed by the `check` matrix.
  toolchains:
    name: Determine toolchains
    runs-on: ubuntu-24.04
    outputs:
      toolchains: ${{ steps.toolchains.outputs.toolchains }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - id: toolchains
        uses: mozilla/actions/toolchains@2e46408d5c495e59a21e5e125e82008fad0d9408 # v1.1.7

  check:
    name: Run checks
    needs: toolchains
    # TODO: Restore `environment: codecov` once GitHub supports filtering deployment messages.
    # environment: codecov
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        os:
          - ubuntu-24.04
          - ubuntu-24.04-arm
          - macos-15
          - windows-2025
        rust-toolchain: ${{ fromJSON(needs.toolchains.outputs.toolchains) }}
        type:
          - debug
        include:
          # Include some dynamically-linked release builds, to check that that works on all platforms.
          - os: ubuntu-24.04
            rust-toolchain: stable
            type: release
          - os: macos-15
            rust-toolchain: stable
            type: release
          - os: windows-2025
            rust-toolchain: stable
            type: release
          # Also do some debug builds on the oldest OS versions.
          - os: ubuntu-22.04
            rust-toolchain: stable
            type: debug
          - os: macos-14
            rust-toolchain: stable
            type: debug
          - os: windows-2022
            rust-toolchain: stable
            type: debug
    env:
      # Empty for debug builds, so `cargo ... $BUILD_TYPE` expands to nothing.
      BUILD_TYPE: ${{ matrix.type == 'release' && '--release' || '' }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - uses: mozilla/actions/rust@2e46408d5c495e59a21e5e125e82008fad0d9408 # v1.1.7
        with:
          version: ${{ matrix.rust-toolchain }}
          # Component/tool selection mirrors the test step below: stable runs
          # cargo-llvm-cov, nightly on amd64 Ubuntu runs cargo-careful.
          components: >-
            ${{ matrix.rust-toolchain == 'stable' && 'llvm-tools' || '' }}
            ${{ matrix.rust-toolchain == 'nightly' && startsWith(matrix.os, 'ubuntu') && !endsWith(matrix.os, 'arm') && 'rust-src ' || '' }}
          tools: >-
            ${{ matrix.rust-toolchain == 'stable' && 'cargo-llvm-cov' || '' }}
            ${{ matrix.rust-toolchain == 'nightly' && startsWith(matrix.os, 'ubuntu') && !endsWith(matrix.os, 'arm') && 'cargo-careful ' || '' }}
            cargo-hack
          token: ${{ secrets.GITHUB_TOKEN }}

      - uses: mozilla/actions/nss@2e46408d5c495e59a21e5e125e82008fad0d9408 # v1.1.7
        with:
          version-file: min_version.txt
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Check
        run: |
          # shellcheck disable=SC2086
          cargo check $BUILD_TYPE --locked --all-targets

      - name: Check feature powerset
        run: |
          # shellcheck disable=SC2086
          # --locked is omitted: --no-dev-deps modifies the manifest, which can
          # require lockfile re-resolution in a workspace.
          cargo hack check $BUILD_TYPE --feature-powerset --no-dev-deps --exclude-features gecko --mutually-exclusive-features blapi,disable-encryption

      - name: Run tests and determine coverage
        env:
          RUST_LOG: trace
          RUST_BACKTRACE: 1
          RUST_TEST_TIME_UNIT: 10,30
          RUST_TEST_TIME_INTEGRATION: 10,30
          RUST_TEST_TIME_DOCTEST: 10,30
          TOOLCHAIN: ${{ matrix.rust-toolchain }}
          # FIXME: cargo-careful at the moment only works on amd64 Ubuntu
          CAREFUL: ${{ matrix.rust-toolchain == 'nightly' && startsWith(matrix.os, 'ubuntu') && !endsWith(matrix.os, 'arm') && 'careful' || '' }}
        # Matrix values reach the script via env vars, never by interpolation
        # into the script body.
        run: |
          DUMP_SIMULATION_SEEDS="$(pwd)/simulation-seeds"
          export DUMP_SIMULATION_SEEDS
          # shellcheck disable=SC2086
          if [ "$TOOLCHAIN" == "stable" ]; then
            cargo llvm-cov test $BUILD_TYPE --locked --include-ffi --codecov --output-path codecov.json
          else
            if [ -n "$CAREFUL" ]; then
              TRIPLE="--target $(rustc --print host-tuple)"
            fi
            cargo $CAREFUL test $BUILD_TYPE --locked $TRIPLE
          fi

      - name: Test feature powerset
        run: |
          # shellcheck disable=SC2086
          cargo hack test $BUILD_TYPE --locked --feature-powerset --exclude-features gecko --mutually-exclusive-features blapi,disable-encryption

      - name: Test blapi in FIPS mode
        if: runner.os == 'Linux'
        env:
          TEST_FIXTURE_DB: ${{ github.workspace }}/test-fixture/db-fips
        run: |
          # shellcheck disable=SC2086
          cargo test $BUILD_TYPE --locked --features blapi --test aead_fips

      - name: CodeCov Windows workaround
        if: ${{ startsWith(matrix.os, 'windows') && matrix.type == 'debug' && matrix.rust-toolchain == 'stable' }}
        run: |
          # FIXME: Without this, the codecov/codecov-action fails. No idea why it's looking under C:/msys64 now, it shouldn't.
          mkdir -p C:/msys64/home/runneradmin/
          touch C:/msys64/home/runneradmin/.gitconfig

      # Coverage is only produced by the stable/debug leg (see the test step).
      - uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
        if: matrix.type == 'debug' && matrix.rust-toolchain == 'stable'
        with:
          files: codecov.json
          fail_ci_if_error: false
          token: ${{ secrets.CODECOV_TOKEN }} # zizmor: ignore[secrets-outside-env]
          verbose: true
          flags: >-
            ${{ startsWith(matrix.os, 'ubuntu') && 'linux'
            || startsWith(matrix.os, 'macos') && 'macos' || 'windows' }}
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} # zizmor: ignore[secrets-outside-env]

      # Uploaded even when earlier steps failed, so failing seeds are kept.
      - name: Save simulation seeds artifact
        if: ${{ always() }}
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: simulation-seeds-${{ matrix.os }}-${{ matrix.rust-toolchain }}-${{ matrix.type }}
          path: simulation-seeds
          compression-level: 9

  check-cargo-lock:
    name: Ensure `Cargo.lock` contains all required dependencies
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: mozilla/actions/rust@2e46408d5c495e59a21e5e125e82008fad0d9408 # v1.1.7
        with:
          version: stable
          tools: cargo-hack
          token: ${{ secrets.GITHUB_TOKEN }}
      # `--locked` makes both commands fail instead of rewriting Cargo.lock.
      - run: |
          cargo update -w --locked
          cargo hack update -w --locked

  check-android:
    name: Check Android
    runs-on: ubuntu-24.04
    strategy:
      matrix:
        target:
          - x86_64-linux-android
          - aarch64-linux-android
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      # Minimum NSS version is read from the checked-out min_version.txt.
      - id: nss-version
        run: echo "minimum=$(cat min_version.txt)" >> "$GITHUB_OUTPUT"
      - uses: ./.github/actions/check-android
        with:
          target: ${{ matrix.target }}
          minimum-nss-version: ${{ steps.nss-version.outputs.minimum }}
          github-token: ${{ secrets.GITHUB_TOKEN }}

  check-distro:
    name: Check with system NSS on ${{ matrix.name }}
    runs-on: ubuntu-24.04
    # Tests the pkg-config codepath against distro-packaged NSS. Some distros
    # omit -L for default library search paths (e.g., /usr/lib64 on Fedora/RHEL),
    # which the Ubuntu CI runners don't exercise.
    # Allow failures in merge queue in case distro NSS lags our minimum version.
    continue-on-error: ${{ github.event_name == 'merge_group' }}
    strategy:
      fail-fast: false
      matrix:
        # Container images are pinned by digest, not by tag.
        include:
          - name: Fedora
            container: fedora@sha256:498c452f32a739b61f0ef215bce9924ebc4866cbe44710f58157d77723b7a6d2
            install: dnf install -y git nss-devel clang-devel pkgconf-pkg-config gcc curl
          - name: openSUSE Tumbleweed
            container: opensuse/tumbleweed@sha256:003da6756e3daced6f62ece3d6dc436d21572fb05e558172fc552b6aa1b044ab
            install: zypper install -y --no-recommends git mozilla-nss-devel clang-devel pkg-config gcc curl
          - name: Arch Linux
            container: archlinux@sha256:1047e6e7878d58e4ee47e1cd6459a32fab41246b0efc4109e11b7ef16f50b14d
            install: pacman -Syu --noconfirm git nss clang pkgconf gcc curl
    container:
      image: ${{ matrix.container }}
    # The containers are not guaranteed to ship bash; every step here uses sh.
    defaults:
      run:
        shell: sh
    steps:
      # The install command line is handed to the shell through an env var
      # rather than interpolated into the script.
      - name: Install system dependencies (${{ matrix.name }})
        env:
          INSTALL: ${{ matrix.install }}
        run: $INSTALL
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      # The rustup installer is fetched over HTTPS only (TLS 1.2+) and piped
      # to sh; unlike the actions above, the script itself is not pinned.
      - name: Install Rust
        run: >-
          curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs
          | sh -s -- --default-toolchain stable --profile minimal -y
      - name: Check
        run: |
          . "$HOME/.cargo/env"
          cargo check --locked --all-targets
      - name: Check feature powerset
        run: |
          . "$HOME/.cargo/env"
          cargo install cargo-hack --locked
          # --locked is omitted: --no-dev-deps modifies the manifest, which can
          # require lockfile re-resolution.
          cargo hack check --feature-powerset --no-dev-deps --exclude-features gecko --mutually-exclusive-features blapi,disable-encryption

  check-vm:
    name: Run checks for VM-only platforms
    runs-on: ubuntu-24.04
    # TODO: Restore `environment: codecov` once GitHub supports filtering deployment messages.
    # environment: codecov
    # OpenBSD, NetBSD and Solaris often have NSS packages that are too old.
    # Allow them to fail without aborting the merge queue.
    continue-on-error: ${{ github.event_name == 'merge_group' && matrix.os != 'freebsd' }}
    strategy:
      fail-fast: false
      matrix:
        os:  # NSS package on 'solaris' is too old.
          - freebsd
          - netbsd
          - openbsd
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: ./.github/actions/check-vm
        with:
          platform: ${{ matrix.os }}
          codecov-token: ${{ secrets.CODECOV_TOKEN }} # zizmor: ignore[secrets-outside-env]