7 changes: 7 additions & 0 deletions .github/dependabot.yml
Expand Up @@ -23,6 +23,13 @@ updates:
cooldown:
default-days: 7

- package-ecosystem: "npm"
directory: "/scripts"
schedule:
interval: "daily"
cooldown:
default-days: 7

- package-ecosystem: "docker"
directory: "/"
schedule:
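Review bot: The new `npm` entry for `/scripts` covers version updates only; nothing visible in this change passes `scripts` to the npm audit target in the Earthfile (the `npm audit --audit-level high` step parameterised by `${DIRECTORY}`). The lockfile that `npm ci` now installs inside `+check-feature-unification` would then get update PRs but no vulnerability scan. Consider adding `scripts` to the audit job in this PR, or stating why it is out of scope.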
45 changes: 0 additions & 45 deletions .github/workflows/continuous-integration-checks.yml
Expand Up @@ -63,48 +63,3 @@ jobs:
if: steps.guard.outputs.hit != 'true'
with:
key: ${{ steps.guard.outputs.key }}

feature-unification:
name: Feature Unification Check
runs-on: ubuntu-latest
permissions:
contents: read
env:
FORCE_COLOR: 1
steps:
- name: Checkout node repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 #v6.0.3
with:
submodules: true

- id: guard
uses: ./.github/actions/tree-cache-guard

- name: Login to GHCR
if: steps.guard.outputs.hit != 'true'
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee #v4.2.0
with:
registry: ghcr.io
username: MidnightCI
password: ${{ secrets.MIDNIGHTCI_PACKAGES_READ }}

- uses: EarthBuild/actions-setup@cae2d9ab68894d8402751fe42e07c7cca0272f7f
if: steps.guard.outputs.hit != 'true'
with:
version: v0.8.16
github-token: ${{ github.token }}
use-cache: false

- name: Free disk space
if: steps.guard.outputs.hit != 'true'
run: scripts/free-disk-space.sh

- name: Run feature unification check
if: steps.guard.outputs.hit != 'true'
run: |
. ./.envrc && earthly --ci +check-feature-unification

- uses: ./.github/actions/tree-cache-guard/save
if: steps.guard.outputs.hit != 'true'
with:
key: ${{ steps.guard.outputs.key }}
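Review bot: With this job removed, the check runs only on the path-filtered pull requests defined in the new workflow's `on:` block, so a regression that arrives without a manifest change is never checked. The new workflow's header says regressions are "almost always" manifest-driven, which leaves a remainder; a scheduled run over the whole workspace would cover it without putting the check back on every PR. The GHCR login and the `MIDNIGHTCI_PACKAGES_READ` secret are not carried over to the replacement job, which is a welcome reduction in secret exposure.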
81 changes: 81 additions & 0 deletions .github/workflows/feature-unification.yml
@@ -0,0 +1,81 @@
name: Feature Unification

# Advisory check (not in the main ruleset's required status checks): verifies
# each crate compiles without dev-deps via `cargo hack check --no-dev-deps`.
# Feature-unification regressions are almost always introduced by manifest
# changes, so this only runs on PRs that touch one, scoped to the
# reverse-dependency closure of the changed crates. Deliberately not run on
# main pushes or merge queues.

on:
pull_request:
branches: ["**"]
paths:
- "**/Cargo.toml"
- "Cargo.lock"
- "rust-toolchain.toml"
- "scripts/feature-unification-scope.ts"
- ".github/workflows/feature-unification.yml"
Comment on lines +13 to +18

P2 Badge Trigger this workflow for its build inputs

This path allowlist omits inputs that now directly affect +check-feature-unification, notably Earthfile and scripts/package*.json; a PR that changes only the Earthly target or the npm lockfile that npm ci consumes will not start this workflow at all. Since this commit also enables Dependabot for /scripts, those dependency-update PRs can merge without ever exercising the scoper install/runtime path they modify.



# no top level default permissions for security reasons
permissions: {}
concurrency:
group: ${{ format('{0}-{1}', github.workflow, github.head_ref) }}
cancel-in-progress: true
jobs:
feature-unification:
name: Feature Unification Check
runs-on: ubuntu-latest
permissions:
contents: read
env:
FORCE_COLOR: 1
steps:
- name: Checkout node repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 #v6.0.3
with:
submodules: true
# The merge commit plus both parents, so HEAD^1 (the base) is
# available for the scope diff below.
fetch-depth: 2

- id: guard
uses: ./.github/actions/tree-cache-guard

# No GHCR login: the build chain only pulls the public
# midnightntwrk/midnight-node-ci image from docker.io.
- uses: EarthBuild/actions-setup@cae2d9ab68894d8402751fe42e07c7cca0272f7f
if: steps.guard.outputs.hit != 'true'
with:
version: v0.8.16
github-token: ${{ github.token }}
use-cache: false

# Uncomment if disk space again becomes an issue.
# - name: Free disk space
# if: steps.guard.outputs.hit != 'true'
# run: scripts/free-disk-space.sh

# The only git-coupled work: git history exists on the host, and `--ci`
# (strict) forbids LOCALLY inside the build, so the scope inputs are
# produced here and COPYed into the container. HEAD^1 is the PR base on a
# merge-commit checkout (fetch-depth: 2 above).
- name: Collect scope inputs
if: steps.guard.outputs.hit != 'true'
run: |
mkdir -p .scope
git diff --name-only HEAD^1 HEAD > .scope/changed.txt
git show HEAD^1:Cargo.lock > .scope/base-lock.txt 2>/dev/null || : > .scope/base-lock.txt
git diff HEAD^1 HEAD -- Cargo.toml > .scope/toml-diff.txt 2>/dev/null || : > .scope/toml-diff.txt

# scripts/feature-unification-scope.ts attributes the diff to crates
# in-container and skips the cargo-hack check when nothing is affected.
- name: Run feature unification check
if: steps.guard.outputs.hit != 'true'
run: |
. ./.envrc && earthly --ci +check-feature-unification

- uses: ./.github/actions/tree-cache-guard/save
if: steps.guard.outputs.hit != 'true'
with:
key: ${{ steps.guard.outputs.key }}
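Review bot: In the "Collect scope inputs" step, the `2>/dev/null || : > file` fallbacks on the `git show` and `git diff HEAD^1 HEAD -- Cargo.toml` lines turn any git failure into an empty input file with the error text discarded. `git diff` already exits 0 when there is no difference, so the fallback on that line can only hide real errors and should be dropped. For `git show`, handle the one expected case (no `Cargo.lock` at the base) explicitly, for example by testing `git cat-file -e HEAD^1:Cargo.lock` first. How the scoper treats an empty base lock or empty toml diff is not visible here; if it reads them as "no change", the Earthfile's empty-scope branch exits 0 and the check passes without having run.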
3 changes: 3 additions & 0 deletions .gitignore
Expand Up @@ -102,3 +102,6 @@ AGENTS.local.md
# Local-only image bundle for +local-env-ci-localimg (docker save → load); never commit
local-env-images.tar
toolkit-image.tar

# Scratch dir written by the +feature-unification-inputs LOCALLY target
.scope/
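Review bot: The comment names a `+feature-unification-inputs LOCALLY` target, but the Earthfile hunks in this change define no such target, and the `check-feature-unification` header instead tells the reader to create `.scope/` by hand with `mkdir -p .scope` and three git commands. Reword the comment to match (for example "written by the CI workflow, or by hand before running +check-feature-unification"), or add the target it refers to.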
36 changes: 34 additions & 2 deletions Earthfile
Expand Up @@ -231,7 +231,7 @@
IF [ "$GENERATE_TEST_TXS" = "true" ]
COPY ledger/test-data/simple-merkle-tree.compact /tmp/simple-merkle-tree.compact
WORKDIR /toolkit-js
RUN npx run-compactc /tmp/simple-merkle-tree.compact /test-static/simple-merkle-tree

Check failure on line 234 in Earthfile (GitHub Actions / Check Genesis Rebuild)

Error: The command RUN npx run-compactc /tmp/simple-merkle-tree.compact /test-static/simple-merkle-tree did not complete successfully. Exit code 1
WORKDIR /
END

Expand Down Expand Up @@ -856,19 +856,51 @@

# check-feature-unification verifies each crate compiles without dev-deps,
# catching issues where workspace feature unification masks missing dependencies.
# The partner-chains demo crates are excluded: they are upstream examples, not
# shipped artifacts, and cost ~5min of the serial check.
#
# Scope is computed in-container by scripts/feature-unification-scope.ts (the
# reverse-dependency closure of the crates the PR diff touches). It reads three
# git-derived files from .scope/, which must exist before the build -- git
# history only lives on the host, and `--ci` (strict) forbids LOCALLY. The CI
# workflow writes them; for a local run, from the repo root:
# mkdir -p .scope
# git diff --name-only HEAD^1 HEAD > .scope/changed.txt
# git show HEAD^1:Cargo.lock > .scope/base-lock.txt
# git diff HEAD^1 HEAD -- Cargo.toml > .scope/toml-diff.txt
# An empty scope (nothing compile-relevant changed) skips the check entirely.
check-feature-unification:
FROM +check-rust-prepare
CACHE --sharing shared --id cargo-git /usr/local/cargo/git
CACHE --sharing shared --id cargo-reg /usr/local/cargo/registry
# Scope tooling deps (smol-toml) in their own layer so workspace edits don't
# reinstall. node + npm are pinned in the CI base image.
COPY scripts/package.json scripts/package-lock.json scripts/
RUN cd scripts && npm ci --no-audit --no-fund
COPY --keep-ts --dir \
Cargo.lock Cargo.toml .config .sqlx deny.toml docs \
ledger LICENSE node pallets primitives README.md res runtime \
metadata rustfmt.toml util tests relay partner-chains COMPACTC_VERSION .
COPY scripts/feature-unification-scope.ts scripts/feature-unification-scope.ts
# git-derived scope inputs, produced on the host before the build (see above)
COPY .scope/changed.txt .scope/base-lock.txt .scope/toml-diff.txt .scope/

ENV SKIP_WASM_BUILD=1
ENV CARGO_INCREMENTAL=0
RUN cargo binstall --no-confirm cargo-hack
RUN cargo hack check --workspace --no-dev-deps
# Pinned: an unpinned binstall here can drift from the version baked into
# the CI base image and change check behaviour between runs.
# renovate: datasource=crate packageName=cargo-hack
ARG CARGO_HACK_VERSION=0.6.45
RUN cargo binstall --no-confirm --locked cargo-hack@${CARGO_HACK_VERSION}
# node is pinned in the CI base image; the scoper reads the git-derived
# inputs and emits the `-p` selection (empty => nothing to check).
RUN PACKAGES="$(node scripts/feature-unification-scope.ts \
.scope/changed.txt .scope/base-lock.txt .scope/toml-diff.txt)" && \
if [ -z "$PACKAGES" ]; then \
echo "feature-unification: nothing affected — skipping"; exit 0; \
fi && \
echo "feature-unification scope: $PACKAGES" && \
cargo hack check $PACKAGES --no-dev-deps

# check-metadata confirms that metadata in the repo matches a given node image
check-metadata:
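Review bot: `RUN cd scripts && npm ci --no-audit --no-fund` executes the install lifecycle scripts of whatever `scripts/package-lock.json` resolves to, and this PR also turns on daily Dependabot updates for that lockfile. The layer comment names smol-toml as the tooling dependency; if it needs no install step, `npm ci --ignore-scripts --no-audit --no-fund` keeps dependency install hooks from running inside the build. Separately, the header comment says the partner-chains demo crates are excluded, but no exclusion appears on the `cargo hack check $PACKAGES --no-dev-deps` line; if the scoper is what drops them, say so in the comment.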
Expand Down Expand Up @@ -1335,7 +1367,7 @@
COPY ${DIRECTORY} ${DIRECTORY}
WORKDIR ${DIRECTORY}
RUN mkdir -p /scan_reports
RUN --no-cache npm audit --audit-level high --json > npm-audit-${REPORT_NAME}.json \

Check failure on line 1370 in Earthfile (GitHub Actions / audit job npm)

Error: The command RUN --no-cache npm audit --audit-level high --json > npm-audit-${REPORT_NAME}.json && npx npm-audit-sarif -o /scan_reports/npm-audit-${REPORT_NAME}.sarif npm-audit-${REPORT_NAME}.json did not complete successfully. Exit code 1
&& npx npm-audit-sarif -o /scan_reports/npm-audit-${REPORT_NAME}.sarif npm-audit-${REPORT_NAME}.json
SAVE ARTIFACT /scan_reports/npm-audit-${REPORT_NAME}.sarif AS LOCAL scan_reports/npm-audit-${REPORT_NAME}.sarif
