soundness.yml
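name: Soundness

# Reusable workflow (`workflow_call`): every value below is chosen by the calling
# workflow. Several inputs end up in shell commands, container image references or
# runner labels, so callers should set them from static configuration only and
# never forward event data (PR titles, branch names, comment bodies) into them.
on:
  workflow_call:
    inputs:
      api_breakage_check_enabled:
        type: boolean
        description: "Boolean to enable the API breakage check job. Defaults to true."
        default: true
      api_breakage_check_allowlist_path:
        type: string
        description: "Path to a file that will be passed as --breakage-allowlist-path to swift package diagnose-api-breaking-changes"
        default: ""
      api_breakage_check_baseline:
        type: string
        description: "The tag that should be used as the baseline for the API breakage check. By default the PR base is used."
        default: ""
      # Container image defaults are mutable tags, not digests: the image that runs
      # can differ between two runs of the same commit. Callers that need a fixed
      # image can pass a digest reference (for example `swift@sha256:<digest>`).
      api_breakage_check_container_image:
        type: string
        description: "Container image for the API breakage check job. Defaults to latest Swift Ubuntu image."
        default: "swift:6.2-noble"
      docs_check_enabled:
        type: boolean
        description: "Boolean to enable the docs check job. Defaults to true."
        default: true
      docs_check_container_image:
        type: string
        description: "Container image for the docs check job. Defaults to latest Swift Ubuntu image."
        default: "swift:6.2-noble"
      docs_check_additional_arguments:
        type: string
        description: "Additional arguments that should be passed to docc"
        default: ""
      docs_check_macos_enabled:
        type: boolean
        description: "Boolean to enable the macOS docs check job. Defaults to false."
        default: false
      # The next two values are used as `runs-on` labels for a self-hosted runner.
      docs_check_macos_version:
        type: string
        description: "macOS version for the macOS docs check job."
        default: "tahoe"
      docs_check_macos_arch:
        type: string
        description: "macOS arch for the macOS docs check job."
        default: "ARM64"
      # Quoted so the version stays a string ("26.0", not the float 26).
      docs_check_macos_xcode_version:
        type: string
        description: "Xcode version for the macOS docs check job."
        default: "26.0"
      docs_check_macos_additional_arguments:
        type: string
        description: "Additional arguments that should be passed to docc for the macOS docs check job."
        default: ""
      unacceptable_language_check_enabled:
        type: boolean
        description: "Boolean to enable the unacceptable language check job. Defaults to true."
        default: true
      unacceptable_language_check_word_list:
        type: string
        description: "List of unacceptable words. Defaults to a sensible list of words."
        default: "blacklist whitelist slave master sane sanity insane insanity kill killed killing hang hung hanged hanging"  # ignore-unacceptable-language
      license_header_check_enabled:
        type: boolean
        description: "Boolean to enable the license header check job. Defaults to true."
        default: true
      license_header_check_project_name:
        type: string
        description: "Name of the project called out in the license header. Required unless `license_header_check_enabled` is false or a `.license_header_template` file is present."
        default: ""
      broken_symlink_check_enabled:
        type: boolean
        description: "Boolean to enable the broken symlink check job. Defaults to true."
        default: true
      format_check_enabled:
        type: boolean
        description: "Boolean to enable the format check job. Defaults to true."
        default: true
      format_check_container_image:
        type: string
        description: "Container image for the format check job. Defaults to latest Swift Ubuntu image."
        default: "swift:6.2-noble"
      shell_check_enabled:
        type: boolean
        description: "Boolean to enable the shell check job. Defaults to true."
        default: true
      shell_check_container_image:
        type: string
        description: "Container image for the shell check job. Defaults to latest Ubuntu 24.04 Noble image."
        default: "ubuntu:noble"
      yamllint_check_enabled:
        type: boolean
        description: "Boolean to enable the YAML lint check job. Defaults to true."
        default: true
      python_lint_check_enabled:
        type: boolean
        description: "Boolean to enable the Python lint check job. Defaults to true."
        default: true
      # Executed verbatim as a shell script by the "Pre-build" steps of the Linux
      # jobs that use it. This is an intentional code-execution input: whoever can
      # set it controls what runs in those jobs.
      linux_pre_build_command:
        type: string
        description: "Linux command to execute before building the Swift package"
        default: ""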
# Least privilege: the job token is limited to read access on repository contents.
permissions:
  contents: read

## We are cancelling previously triggered workflow runs
# One concurrency group per workflow name and git ref; with cancel-in-progress a
# newer run in the same group cancels the one still running.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-soundness
  cancel-in-progress: true
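jobs:
  # Compares the package's public API against a baseline ref with
  # `swift package diagnose-api-breaking-changes`.
  api-breakage-check:
    name: API breakage check
    if: ${{ inputs.api_breakage_check_enabled }}
    runs-on: ubuntu-latest
    container:
      image: ${{ inputs.api_breakage_check_container_image }}
    timeout-minutes: 40
    steps:
      - name: Checkout repository
        # `v4` is a mutable tag; pinning to a full commit SHA
        # (actions/checkout@<full-commit-sha>) removes the reliance on the tag.
        uses: actions/checkout@v4
        with:
          # This is set to true since swift package diagnose-api-breaking-changes is
          # cloning the repo again and without it being set to true this job won't work for
          # private repos.
          # Consequence: the job token stays in the checkout's git config and is
          # readable by every later step in this job, including the caller-supplied
          # pre-build command. The workflow-level `permissions` keep that token at
          # `contents: read`.
          persist-credentials: true
          submodules: true
          fetch-tags: true
          fetch-depth: 0  # Fetching tags requires fetch-depth: 0 (https://github.com/actions/checkout/issues/1471)
      - name: Mark the workspace as safe
        # https://github.com/actions/checkout/issues/766
        # Quoted so the path is passed as a single argument.
        run: git config --global --add safe.directory "${GITHUB_WORKSPACE}"
      # The input is expanded into the script text before the shell runs, so it
      # is executed as code by design. Only the calling workflow can set it; it
      # must never be derived from pull-request data.
      - name: Pre-build
        if: ${{ inputs.linux_pre_build_command }}
        # zizmor: ignore[template-injection]
        run: ${{ inputs.linux_pre_build_command }}
      - name: Run API breakage check
        shell: bash
        # Inputs reach the script through environment variables rather than
        # template expansion, so their content is data to the shell, not code.
        env:
          API_BREAKAGE_CHECK_BASELINE: ${{ inputs.api_breakage_check_baseline }}
          API_BREAKAGE_CHECK_ALLOWLIST_PATH: ${{ inputs.api_breakage_check_allowlist_path }}
        run: |
          if [[ -z "${API_BREAKAGE_CHECK_BASELINE}" ]]; then
            # No explicit baseline: fetch the PR base branch into a local ref.
            # Arguments are quoted so a ref name cannot be split or glob-expanded.
            git fetch "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}" "${GITHUB_BASE_REF}:pull-base-ref"
            BASELINE_REF='pull-base-ref'
          else
            BASELINE_REF="${API_BREAKAGE_CHECK_BASELINE}"
          fi
          echo "Using baseline: $BASELINE_REF"
          if [[ -z "${API_BREAKAGE_CHECK_ALLOWLIST_PATH}" ]]; then
            swift package diagnose-api-breaking-changes "$BASELINE_REF"
          else
            swift package diagnose-api-breaking-changes "$BASELINE_REF" --breakage-allowlist-path "${API_BREAKAGE_CHECK_ALLOWLIST_PATH}"
          fi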
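# Job docs-check: runs the shared check-docs.sh script inside a container.
  docs-check:
    name: Documentation check
    if: ${{ inputs.docs_check_enabled }}
    runs-on: ubuntu-latest
    container:
      image: ${{ inputs.docs_check_container_image }}
    timeout-minutes: 20
    steps:
      - name: Checkout repository
        # `v4` is a mutable tag; pinning to a full commit SHA
        # (actions/checkout@<full-commit-sha>) removes the reliance on the tag.
        uses: actions/checkout@v4
        with:
          persist-credentials: false
          submodules: true
      - name: Checkout swiftlang/github-workflows repository
        if: ${{ github.repository != 'swiftlang/github-workflows' }}
        # No `ref:` is set, so the helper scripts come from that repository's
        # default branch even when the caller pinned this workflow to a commit.
        uses: actions/checkout@v4
        with:
          repository: swiftlang/github-workflows
          path: github-workflows
          # The helper checkout is only read from; do not leave the job token in
          # github-workflows/.git/config for the steps that follow.
          persist-credentials: false
      - name: Determine script-root path
        id: script_path
        # Reads the repository name from the runner's environment instead of
        # expanding a template expression into the script text.
        run: |
          if [ "${GITHUB_REPOSITORY}" = "swiftlang/github-workflows" ]; then
            echo "root=$GITHUB_WORKSPACE" >> "$GITHUB_OUTPUT"
          else
            echo "root=$GITHUB_WORKSPACE/github-workflows" >> "$GITHUB_OUTPUT"
          fi
      # The input is expanded into the script text before the shell runs, so it
      # is executed as code by design. Only the calling workflow can set it; it
      # must never be derived from pull-request data.
      - name: Pre-build
        if: ${{ inputs.linux_pre_build_command }}
        # zizmor: ignore[template-injection]
        run: ${{ inputs.linux_pre_build_command }}
      - name: Run documentation check
        # The extra docc arguments are handed over as an environment variable;
        # how they are split and quoted is up to check-docs.sh (not shown here).
        env:
          ADDITIONAL_DOCC_ARGUMENTS: ${{ inputs.docs_check_additional_arguments }}
          SCRIPT_ROOT: ${{ steps.script_path.outputs.root }}
        run: ${SCRIPT_ROOT}/.github/workflows/scripts/check-docs.sh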
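# Job docs-check-macos: runs the shared check-docs.sh script on a macOS runner.
  docs-check-macos:
    name: Documentation check (macOS)
    if: ${{ inputs.docs_check_macos_enabled }}
    # NOTE(review): self-hosted runner selected by caller-supplied labels. This job
    # checks out and processes repository content; confirm the runner pool is
    # ephemeral or otherwise isolated between jobs - not visible from this file.
    runs-on: [self-hosted, macos, "${{ inputs.docs_check_macos_version }}", "${{ inputs.docs_check_macos_arch }}"]
    timeout-minutes: 20
    steps:
      - name: Checkout repository
        # `v4` is a mutable tag; pinning to a full commit SHA
        # (actions/checkout@<full-commit-sha>) removes the reliance on the tag.
        uses: actions/checkout@v4
        with:
          persist-credentials: false
          submodules: true
      - name: Checkout swiftlang/github-workflows repository
        if: ${{ github.repository != 'swiftlang/github-workflows' }}
        # No `ref:` is set, so the helper scripts come from that repository's
        # default branch even when the caller pinned this workflow to a commit.
        uses: actions/checkout@v4
        with:
          repository: swiftlang/github-workflows
          path: github-workflows
          # The helper checkout is only read from; do not leave the job token in
          # github-workflows/.git/config for the steps that follow.
          persist-credentials: false
      - name: Determine script-root path
        id: script_path
        # Reads the repository name from the runner's environment instead of
        # expanding a template expression into the script text.
        run: |
          if [ "${GITHUB_REPOSITORY}" = "swiftlang/github-workflows" ]; then
            echo "root=$GITHUB_WORKSPACE" >> "$GITHUB_OUTPUT"
          else
            echo "root=$GITHUB_WORKSPACE/github-workflows" >> "$GITHUB_OUTPUT"
          fi
      - name: Select Xcode
        # The version is written into GITHUB_ENV and becomes DEVELOPER_DIR for all
        # later steps. The value is not validated here, so it must stay a plain
        # single-line version string chosen by the calling workflow.
        env:
          XCODE_VERSION: ${{ inputs.docs_check_macos_xcode_version }}
        run: echo "DEVELOPER_DIR=/Applications/Xcode_${XCODE_VERSION}.app" >> "$GITHUB_ENV"
      - name: Swift version
        run: xcrun swift --version
      - name: Clang version
        run: xcrun clang --version
      - name: Run documentation check
        # The extra docc arguments are handed over as an environment variable;
        # how they are split and quoted is up to check-docs.sh (not shown here).
        env:
          ADDITIONAL_DOCC_ARGUMENTS: ${{ inputs.docs_check_macos_additional_arguments }}
          SCRIPT_ROOT: ${{ steps.script_path.outputs.root }}
        run: ${SCRIPT_ROOT}/.github/workflows/scripts/check-docs.sh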
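# Job unacceptable-language-check: runs the shared check-unacceptable-language.sh script.
  unacceptable-language-check:
    name: Unacceptable language check
    if: ${{ inputs.unacceptable_language_check_enabled }}
    runs-on: ubuntu-latest
    timeout-minutes: 1
    steps:
      - name: Checkout repository
        # `v4` is a mutable tag; pinning to a full commit SHA
        # (actions/checkout@<full-commit-sha>) removes the reliance on the tag.
        uses: actions/checkout@v4
        with:
          persist-credentials: false
          submodules: true
      - name: Checkout swiftlang/github-workflows repository
        if: ${{ github.repository != 'swiftlang/github-workflows' }}
        # No `ref:` is set, so the helper scripts come from that repository's
        # default branch even when the caller pinned this workflow to a commit.
        uses: actions/checkout@v4
        with:
          repository: swiftlang/github-workflows
          path: github-workflows
          # The helper checkout is only read from; do not leave the job token in
          # github-workflows/.git/config for the steps that follow.
          persist-credentials: false
      - name: Determine script-root path
        id: script_path
        # Reads the repository name from the runner's environment instead of
        # expanding a template expression into the script text.
        run: |
          if [ "${GITHUB_REPOSITORY}" = "swiftlang/github-workflows" ]; then
            echo "root=$GITHUB_WORKSPACE" >> "$GITHUB_OUTPUT"
          else
            echo "root=$GITHUB_WORKSPACE/github-workflows" >> "$GITHUB_OUTPUT"
          fi
      - name: Run unacceptable language check
        # The word list is passed as an environment variable, so its content is
        # data to the shell rather than part of the script text.
        env:
          UNACCEPTABLE_WORD_LIST: ${{ inputs.unacceptable_language_check_word_list }}
          SCRIPT_ROOT: ${{ steps.script_path.outputs.root }}
        run: ${SCRIPT_ROOT}/.github/workflows/scripts/check-unacceptable-language.sh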
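# Job license-header-check: runs the shared check-license-header.sh script.
  license-header-check:
    name: License headers check
    if: ${{ inputs.license_header_check_enabled }}
    runs-on: ubuntu-latest
    timeout-minutes: 1
    steps:
      - name: Checkout repository
        # `v4` is a mutable tag; pinning to a full commit SHA
        # (actions/checkout@<full-commit-sha>) removes the reliance on the tag.
        uses: actions/checkout@v4
        with:
          persist-credentials: false
          submodules: true
      - name: Checkout swiftlang/github-workflows repository
        if: ${{ github.repository != 'swiftlang/github-workflows' }}
        # No `ref:` is set, so the helper scripts come from that repository's
        # default branch even when the caller pinned this workflow to a commit.
        uses: actions/checkout@v4
        with:
          repository: swiftlang/github-workflows
          path: github-workflows
          # The helper checkout is only read from; do not leave the job token in
          # github-workflows/.git/config for the steps that follow.
          persist-credentials: false
      - name: Determine script-root path
        id: script_path
        # Reads the repository name from the runner's environment instead of
        # expanding a template expression into the script text.
        run: |
          if [ "${GITHUB_REPOSITORY}" = "swiftlang/github-workflows" ]; then
            echo "root=$GITHUB_WORKSPACE" >> "$GITHUB_OUTPUT"
          else
            echo "root=$GITHUB_WORKSPACE/github-workflows" >> "$GITHUB_OUTPUT"
          fi
      - name: Run license header check
        # The project name is passed as an environment variable, so its content
        # is data to the shell rather than part of the script text.
        env:
          PROJECT_NAME: ${{ inputs.license_header_check_project_name }}
          SCRIPT_ROOT: ${{ steps.script_path.outputs.root }}
        run: ${SCRIPT_ROOT}/.github/workflows/scripts/check-license-header.sh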
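# Job broken-symlink-check: runs the shared check-broken-symlinks.sh script.
  broken-symlink-check:
    name: Broken symlinks check
    if: ${{ inputs.broken_symlink_check_enabled }}
    runs-on: ubuntu-latest
    timeout-minutes: 1
    steps:
      - name: Checkout repository
        # `v4` is a mutable tag; pinning to a full commit SHA
        # (actions/checkout@<full-commit-sha>) removes the reliance on the tag.
        uses: actions/checkout@v4
        with:
          persist-credentials: false
          submodules: true
      - name: Checkout swiftlang/github-workflows repository
        if: ${{ github.repository != 'swiftlang/github-workflows' }}
        # No `ref:` is set, so the helper scripts come from that repository's
        # default branch even when the caller pinned this workflow to a commit.
        uses: actions/checkout@v4
        with:
          repository: swiftlang/github-workflows
          path: github-workflows
          # The helper checkout is only read from; do not leave the job token in
          # github-workflows/.git/config for the steps that follow.
          persist-credentials: false
      - name: Determine script-root path
        id: script_path
        # Reads the repository name from the runner's environment instead of
        # expanding a template expression into the script text.
        run: |
          if [ "${GITHUB_REPOSITORY}" = "swiftlang/github-workflows" ]; then
            echo "root=$GITHUB_WORKSPACE" >> "$GITHUB_OUTPUT"
          else
            echo "root=$GITHUB_WORKSPACE/github-workflows" >> "$GITHUB_OUTPUT"
          fi
      - name: Run broken symlinks check
        env:
          SCRIPT_ROOT: ${{ steps.script_path.outputs.root }}
        run: ${SCRIPT_ROOT}/.github/workflows/scripts/check-broken-symlinks.sh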
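# Job format-check: runs the shared check-swift-format.sh script inside a container.
  format-check:
    name: Format check
    if: ${{ inputs.format_check_enabled }}
    runs-on: ubuntu-latest
    container:
      image: ${{ inputs.format_check_container_image }}
    timeout-minutes: 20
    steps:
      - name: Checkout repository
        # `v4` is a mutable tag; pinning to a full commit SHA
        # (actions/checkout@<full-commit-sha>) removes the reliance on the tag.
        uses: actions/checkout@v4
        with:
          persist-credentials: false
          submodules: true
      - name: Checkout swiftlang/github-workflows repository
        if: ${{ github.repository != 'swiftlang/github-workflows' }}
        # No `ref:` is set, so the helper scripts come from that repository's
        # default branch even when the caller pinned this workflow to a commit.
        uses: actions/checkout@v4
        with:
          repository: swiftlang/github-workflows
          path: github-workflows
          # The helper checkout is only read from; do not leave the job token in
          # github-workflows/.git/config for the steps that follow.
          persist-credentials: false
      - name: Determine script-root path
        id: script_path
        # Reads the repository name from the runner's environment instead of
        # expanding a template expression into the script text.
        run: |
          if [ "${GITHUB_REPOSITORY}" = "swiftlang/github-workflows" ]; then
            echo "root=$GITHUB_WORKSPACE" >> "$GITHUB_OUTPUT"
          else
            echo "root=$GITHUB_WORKSPACE/github-workflows" >> "$GITHUB_OUTPUT"
          fi
      - name: Mark the workspace as safe
        # https://github.com/actions/checkout/issues/766
        # Quoted so the path is passed as a single argument.
        run: git config --global --add safe.directory "${GITHUB_WORKSPACE}"
      - name: Run format check
        env:
          SCRIPT_ROOT: ${{ steps.script_path.outputs.root }}
        run: ${SCRIPT_ROOT}/.github/workflows/scripts/check-swift-format.sh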
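# Job shell-check: runs shellcheck over every tracked *.sh file.
  shell-check:
    name: Shell check
    if: ${{ inputs.shell_check_enabled }}
    runs-on: ubuntu-latest
    container:
      image: ${{ inputs.shell_check_container_image }}
    timeout-minutes: 5
    steps:
      - name: Install git
        # Installs git only when the image does not already provide it. The
        # package version is whatever the image's apt sources offer at run time.
        run: which git || (apt -q update && apt -yq install git)
      - name: Checkout repository
        # `v4` is a mutable tag; pinning to a full commit SHA
        # (actions/checkout@<full-commit-sha>) removes the reliance on the tag.
        uses: actions/checkout@v4
        with:
          persist-credentials: false
          submodules: true
      - name: Mark the workspace as safe
        # https://github.com/actions/checkout/issues/766
        # Quoted so the path is passed as a single argument.
        run: git config --global --add safe.directory "${GITHUB_WORKSPACE}"
      - name: Run shellcheck
        # File names are passed NUL-separated (-z / -0), so names with spaces or
        # newlines cannot be split into extra arguments.
        run: |
          which shellcheck || (apt -q update && apt -yq install shellcheck)
          git ls-files -z '*.sh' | xargs -0 --no-run-if-empty shellcheck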
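# Job yaml-lint-check: runs yamllint in strict mode over the workspace.
  yaml-lint-check:
    name: YAML lint check
    if: ${{ inputs.yamllint_check_enabled }}
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - name: Checkout repository
        # `v4` is a mutable tag; pinning to a full commit SHA
        # (actions/checkout@<full-commit-sha>) removes the reliance on the tag.
        uses: actions/checkout@v4
        with:
          persist-credentials: false
          submodules: true
      - name: Checkout swiftlang/github-workflows repository
        if: ${{ github.repository != 'swiftlang/github-workflows' }}
        # No `ref:` is set, so the default config comes from that repository's
        # default branch even when the caller pinned this workflow to a commit.
        uses: actions/checkout@v4
        with:
          repository: swiftlang/github-workflows
          path: github-workflows
          # The helper checkout is only read from; do not leave the job token in
          # github-workflows/.git/config for the steps that follow.
          persist-credentials: false
      - name: Determine script-root path
        id: script_path
        # Reads the repository name from the runner's environment instead of
        # expanding a template expression into the script text.
        run: |
          if [ "${GITHUB_REPOSITORY}" = "swiftlang/github-workflows" ]; then
            echo "root=$GITHUB_WORKSPACE" >> "$GITHUB_OUTPUT"
          else
            echo "root=$GITHUB_WORKSPACE/github-workflows" >> "$GITHUB_OUTPUT"
          fi
      - name: Run yamllint
        env:
          SCRIPT_ROOT: ${{ steps.script_path.outputs.root }}
        # A .yamllint.yml in the checked-out repository wins over the shared
        # default, so the rules applied are the ones in the commit under test.
        run: |
          which yamllint || (apt -q update && apt install -yq yamllint)
          cd "${GITHUB_WORKSPACE}"
          if [ ! -f ".yamllint.yml" ]; then
            echo "Downloading default yamllint config file"
            cat "${SCRIPT_ROOT}/.github/workflows/configs/yamllint.yml" > .yamllint.yml
          fi
          yamllint --strict --config-file .yamllint.yml .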
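# Job python-lint-check: installs flake8 and runs it over the workspace.
  python-lint-check:
    name: Python lint check
    if: ${{ inputs.python_lint_check_enabled }}
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - name: Checkout repository
        # `v4` is a mutable tag; pinning to a full commit SHA
        # (actions/checkout@<full-commit-sha>) removes the reliance on the tag.
        uses: actions/checkout@v4
        with:
          persist-credentials: false
          submodules: true
      - name: Checkout swiftlang/github-workflows repository
        if: ${{ github.repository != 'swiftlang/github-workflows' }}
        # No `ref:` is set, so the default config comes from that repository's
        # default branch even when the caller pinned this workflow to a commit.
        uses: actions/checkout@v4
        with:
          repository: swiftlang/github-workflows
          path: github-workflows
          # The helper checkout is only read from; do not leave the job token in
          # github-workflows/.git/config for the steps that follow.
          persist-credentials: false
      - name: Determine script-root path
        id: script_path
        # Reads the repository name from the runner's environment instead of
        # expanding a template expression into the script text.
        run: |
          if [ "${GITHUB_REPOSITORY}" = "swiftlang/github-workflows" ]; then
            echo "root=$GITHUB_WORKSPACE" >> "$GITHUB_OUTPUT"
          else
            echo "root=$GITHUB_WORKSPACE/github-workflows" >> "$GITHUB_OUTPUT"
          fi
      - name: Run flake8
        env:
          SCRIPT_ROOT: ${{ steps.script_path.outputs.root }}
        # NOTE(review): flake8 and flake8-import-order are installed without a
        # version pin or hash check, so each run takes whatever the package index
        # serves at that moment. A pinned requirements file with hashes would make
        # the toolchain reproducible.
        # A .flake8 in the checked-out repository wins over the shared default.
        run: |
          pip3 install flake8 flake8-import-order
          cd "${GITHUB_WORKSPACE}"
          if [ ! -f ".flake8" ]; then
            echo "Downloading default flake8 config file"
            cat "${SCRIPT_ROOT}/.github/workflows/configs/.flake8" > .flake8
          fi
          flake8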