Common #6892
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Common | |
| on: | |
| pull_request: | |
| workflow_dispatch: | |
| schedule: | |
| - cron: '14 23 * * *' # every day @ 23:14 | |
| push: | |
| branches: | |
| - 'release/**' | |
| # cancel any previous runs on the same PR | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
| cancel-in-progress: true | |
| jobs: | |
| crypto_build: | |
| name: Crypto library | |
| runs-on: ubuntu-latest | |
| env: | |
| CC: gcc | |
| ADDRESS_SANITIZER: 1 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| submodules: recursive | |
| - uses: cachix/install-nix-action@v23 | |
| with: | |
| nix_path: nixpkgs=channel:nixos-unstable | |
| - run: nix-shell --run "poetry install" | |
| - run: cp -r crypto crypto_noasan | |
| - run: nix-shell --run "poetry run make -C crypto" | |
| - run: nix-shell --run "export ADDRESS_SANITIZER=0; poetry run make -C crypto_noasan" | |
| - run: mv crypto_noasan/tests/test_check crypto/tests/test_check_noasan | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: crypto-build | |
| path: | | |
| crypto/tests/aestst | |
| crypto/tests/libtrezor-crypto.so | |
| crypto/tests/test_check | |
| crypto/tests/test_check_noasan | |
| crypto/tests/test_openssl | |
| retention-days: 7 | |
| crypto_test: | |
| name: Crypto test | |
| needs: [crypto_build] | |
| runs-on: ubuntu-latest | |
| env: | |
| ASAN_OPTIONS: "verify_asan_link_order=0" | |
| CK_TIMEOUT_MULTIPLIER: 5 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| submodules: recursive | |
| - uses: cachix/install-nix-action@v23 | |
| with: | |
| nix_path: nixpkgs=channel:nixos-unstable | |
| - run: nix-shell --run "poetry install" | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: crypto-build | |
| path: crypto/tests | |
| - run: chmod +x crypto/tests/* | |
| - run: ./crypto/tests/aestst | |
| - run: ./crypto/tests/test_check | |
| - run: ./crypto/tests/test_openssl 1000 | |
| - run: nix-shell --run "cd crypto && ITERS=10 poetry run pytest tests" | |
| - run: nix-shell --run "CK_TIMEOUT_MULTIPLIER=20 valgrind -q --error-exitcode=1 ./crypto/tests/test_check_noasan" | |
| python_test: | |
| name: Python test | |
| runs-on: ubuntu-latest | |
| env: | |
| LC_ALL: C.UTF-8 | |
| LANG: C.UTF-8 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| submodules: recursive | |
| - uses: cachix/install-nix-action@v23 | |
| with: | |
| nix_path: nixpkgs=channel:nixos-unstable | |
| - run: nix-shell --run "poetry install" | |
| # LD_LIBRARY_PATH workaround: https://discourse.nixos.org/t/nixpkgs-nixos-unstable-many-package-fail-with-glibc-2-38-not-found/35078 https://github.com/NixOS/nixpkgs/issues/287764 | |
| - run: nix-shell --arg fullDeps true --run "unset LD_LIBRARY_PATH && cd python && poetry run tox" | |
| python_support_test: | |
| name: Python support test | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| submodules: recursive | |
| - uses: cachix/install-nix-action@v23 | |
| with: | |
| nix_path: nixpkgs=channel:nixos-unstable | |
| - run: nix-shell --run "poetry install" | |
| - run: nix-shell --run "poetry run make python_support_check" | |
| storage_test: | |
| name: Storage test | |
| # TODO: only for changes in storage/ | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| submodules: recursive | |
| - uses: cachix/install-nix-action@v23 | |
| with: | |
| nix_path: nixpkgs=channel:nixos-unstable | |
| - run: nix-shell --run "poetry install" | |
| - run: unset PYTEST_TIMEOUT | |
| - run: nix-shell --run "poetry run make -C storage/tests build" | |
| - run: nix-shell --run "poetry run make -C storage/tests tests_all" | |
| docker_build: | |
| name: Firmware docker build | |
| # scheduled, manual runs, push to release branches | |
| if: github.event_name != 'pull_request' | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| model: [T1B1, T2T1, T2B1, T3B1, T3T1] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - run: git checkout ${{ github.head_ref || github.ref_name }} | |
| - run: ./build-docker.sh --models ${{ matrix.model }} --targets bootloader,firmware,prodtest ${{ github.head_ref || github.ref_name }} | |
| - name: Show fingerprints | |
| run: | | |
| for file in build/*/*/*.fingerprint; do | |
| if [ -f "$file" ]; then | |
| origfile="${file%.fingerprint}" | |
| fingerprint=$(tr -d '\n' < $file) | |
| echo "\`$fingerprint\` $origfile" >> $GITHUB_STEP_SUMMARY | |
| fi | |
| done | |
| cat $GITHUB_STEP_SUMMARY | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: reproducible-${{ matrix.model }} | |
| path: | | |
| build/*/*/*.bin | |
| retention-days: 7 |