113 lines
3.2 KiB
YAML
113 lines
3.2 KiB
YAML
# Copyright 2021 Proofcraft Pty Ltd
|
|
#
|
|
# SPDX-License-Identifier: BSD-2-Clause
|
|
|
|
# On push to master only: run proofs and deploy manifest update.
|
|
|
|
name: Proofs
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- master
|
|
repository_dispatch:
|
|
types:
|
|
- manifest-update
|
|
|
|
jobs:
|
|
code:
|
|
name: Freeze Code
|
|
runs-on: ubuntu-latest
|
|
outputs:
|
|
xml: ${{ steps.repo.outputs.xml }}
|
|
steps:
|
|
- id: repo
|
|
uses: seL4/ci-actions/repo-checkout@master
|
|
with:
|
|
manifest_repo: verification-manifest
|
|
manifest: devel.xml
|
|
|
|
proofs:
|
|
name: Proof
|
|
needs: code
|
|
runs-on: ubuntu-latest
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
arch: [ARM, ARM_HYP, AARCH64, RISCV64, X64]
|
|
# test only most recent push:
|
|
concurrency: l4v-regression-${{ github.ref }}-${{ strategy.job-index }}
|
|
steps:
|
|
- name: Proofs
|
|
uses: seL4/ci-actions/aws-proofs@master
|
|
with:
|
|
L4V_ARCH: ${{ matrix.arch }}
|
|
xml: ${{ needs.code.outputs.xml }}
|
|
env:
|
|
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
|
|
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
|
|
AWS_SSH: ${{ secrets.AWS_SSH }}
|
|
- name: Upload C graph-lang
|
|
uses: actions/upload-artifact@v3
|
|
with:
|
|
name: c-graph-lang
|
|
path: artifacts/simpl-export
|
|
if-no-files-found: ignore
|
|
- name: Upload logs
|
|
uses: actions/upload-artifact@v3
|
|
with:
|
|
name: logs-${{ matrix.arch }}
|
|
path: logs.tar.xz
|
|
|
|
deploy:
|
|
name: Deploy manifest
|
|
runs-on: ubuntu-latest
|
|
needs: [code, proofs]
|
|
steps:
|
|
- uses: seL4/ci-actions/l4v-deploy@master
|
|
with:
|
|
xml: ${{ needs.code.outputs.xml }}
|
|
env:
|
|
GH_SSH: ${{ secrets.CI_SSH }}
|
|
|
|
binary-verification:
|
|
name: Trigger binary verification
|
|
runs-on: ubuntu-latest
|
|
needs: [code, proofs]
|
|
steps:
|
|
# download-artifact doesn't have an option to ignore missing artifacts,
|
|
# so we download them all to test if c-graph-lang exists.
|
|
- name: Fetch artifacts
|
|
uses: actions/download-artifact@v3
|
|
with:
|
|
path: artifacts
|
|
- name: Check for C graph-lang artifacts
|
|
id: enabled
|
|
env:
|
|
MANIFEST: ${{ needs.code.outputs.xml }}
|
|
run: |
|
|
# Check if there are any C graph-lang artifacts
|
|
if [ -e artifacts/c-graph-lang ]; then
|
|
echo "C graph-lang artifacts found, will trigger binary verification"
|
|
echo -n "${MANIFEST}" > verification-manifest.xml
|
|
echo "::set-output name=enabled::true"
|
|
else
|
|
echo "No C graph-lang artifacts found, will not trigger binary verification"
|
|
fi
|
|
- name: Upload manifest
|
|
if: steps.enabled.outputs.enabled
|
|
uses: actions/upload-artifact@v3
|
|
with:
|
|
name: manifest
|
|
path: verification-manifest.xml
|
|
- name: Trigger binary verification
|
|
if: steps.enabled.outputs.enabled
|
|
uses: peter-evans/repository-dispatch@v2
|
|
with:
|
|
token: ${{ secrets.PRIV_REPO_TOKEN }}
|
|
repository: ${{ github.repository }}
|
|
event-type: binary-verification
|
|
# binary-verification uses the run_id to retrieve this workflow's artifacts.
|
|
client-payload: |
|
|
{ "repo": "${{ github.repository }}", "run_id": "${{ github.run_id }}" }
|