This patch pins several action dependencies in the premerge
workflow and the Windows/Linux container build workflows to help improve
security in the unlikely event that someone tries to pull off a supply
chain security attack by modifying release assets for these actions.
Before 19, we had releases from release managers, the bot, and community
members. 19 started to restrict this, with only select community members
uploading releases. The lists of users are written out each time to make
modifying this easier.
If we cannot parse the release number, I've made it raise an issue
saying so, since this may also be a sign of a malicious action.
This patch removes the workflow-scoped package write permissions in the
libcxx-build-containers workflow. The relevant permissions are already
present in the job, so this raises the potential for new jobs being
added to the workflow that do not need the permissions but have them
anyway. Not having workflow-scoped write permissions is security best
practice.
Fixes #126230.
Prior workflow runs were not being cancelled when the pull request was
closed, and I think this was why. Also, there is no advantage to having
the definitions at the job level.
After the changes in 89001d1de8ecf03c8820594ea03345b99560272a, the
container pushes failed, because it was attempting to push the same
container twice. This fixes the sed expression used to push the :latest
alias for each container.
This also changes the container version numbers in the tag from unix
timestamps to the abbreviated commit hash for the workflow. This ensures
that the amd64 and arm64 containers have the same tag.
For amd64 we now generate 4 tags:
* ghcr.io/llvm/ci-ubuntu-22.04:latest
* ghcr.io/llvm/ci-ubuntu-22.04:$GITHUB_SHA
* ghcr.io/llvm/amd64/ci-ubuntu-22.04:latest
* ghcr.io/llvm/amd64/ci-ubuntu-22.04:$GITHUB_SHA
For arm64 we generate 2 tags:
* ghcr.io/tstellar/arm64v8/ci-ubuntu-22.04:latest
* ghcr.io/tstellar/arm64v8/ci-ubuntu-22.04:$GITHUB_SHA
Using ccache relies on the GitHub Actions Cache, which may be
susceptible to cache poisoning. See
https://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/
Even though these attacks may be difficult, it's better to err on the
side of caution and ensure that the build environment for our releases
is as isolated as possible. Additionally, ccache was only being used for
the stage1 build, which is a small part of the overall build, so the
speed up from using it was not that large.
This patch adds a windows premerge job for testing. We plan to enable
this by default soon once we have evaluated stability and have
reasonable reason to believe the system is reliable.
This patch bumps the runner version to v2.322.0 in the CI containers.
Nothing looks suspicious in the change log, and it is important to keep
the runner up to date or we will end up with containers that cannot
connect to GitHub due to having a version too old.
This reverts commit 106f1056991317af7eaaf19239de93942ac37267.
Everything should be in working order now that the container job has been
updated to work properly. This has been tested on an individual job.
This patch makes the build container job save the agent container image to a
separate tar file rather than bundling it in with the existing tar file. For
some reason, running podman save with two container images and then loading
that single tar file gets rid of the agent image and we end up with two
copies of the original image. This means that premerge jobs will fail with
the agent image because they cannot find the run.sh script.
Trying to switch over to the normal execution mode and running into issues.
Turning this off on main for now while I investigate given my time
availability is a bit sparse today.
This patch removes the container from the premerge job. We are moving
away from the kubernetes executor back to executing everything in the
same container due to reliability issues. This patch updates everything
in the premerge job to work.
This is part of a temp fix to
https://github.com/llvm/llvm-zorg/issues/362.
It appears that introducing docker containers has broken the restarter
job since additional failure messages appear with the preemption
messages.
This should get jobs restarting on preemption again, but may do so
for jobs that also contain unrelated failures.
Ahead of GitHub's
[deprecation](https://github.blog/changelog/#artifacts-v3-brownouts) of
v3 versions of both the `upload-artifact` and `download-artifact`
action, I suggest this PR, which bumps the used version of both actions
in all workflows to the newest v4 revision. Additionally, the versions
are hashpinned as suggested in f3524e9aebbfabed0c60d0087b39ce14d8f778da.
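The hash pinning described here and in the earlier commit that pins the premerge and container build workflows, plus the point about workflow-scoped write permissions, as an added example (not code from the LLVM repository): it scans a workflow file for `uses:` references that are not pinned to a full commit SHA and for `write` grants at the workflow level. The sample workflow, including its 40-hex pin, is constructed for the example.

```python
import re

# Constructed sample workflow (not one of the LLVM workflows) used to exercise the checks.
# The 40-hex pin is a made-up value, not a real upload-artifact commit.
SAMPLE_WORKFLOW = """\
name: example
permissions:
  contents: read
  packages: write
jobs:
  build:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: docker/login-action@main
      - uses: ./.github/actions/local-step
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def unpinned_actions(text):
    """(line_no, ref) for each 'uses:' not pinned to a full commit SHA.
    A tag or branch (v4, main) can be moved by whoever controls the action's
    repository; a 40-hex SHA cannot. Local actions and docker:// are skipped."""
    found = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue
        ref = m.group(1)
        version = ref.rsplit("@", 1)[1] if "@" in ref else ""
        if not FULL_SHA_RE.match(version):
            found.append((n, ref))
    return found

def workflow_level_writes(text):
    """Scopes granted 'write' in the top-level (workflow-scoped) permissions block;
    write grants belong on the job that needs them so new jobs do not inherit them."""
    scopes, in_block = [], False
    for line in text.splitlines():
        if line.strip() and not line.startswith(" "):   # new top-level key
            in_block = line.strip() == "permissions:"
        elif in_block and line.strip():
            scope, _, level = line.strip().partition(":")
            if level.strip() == "write":
                scopes.append(scope)
    return scopes
```

Running both checks over a real workflow file (`open(path).read()`) gives the list of references to pin and the write scopes to move down to the job that needs them.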
This patch fixes a typo impacting functionality and also adds the relevant
variables to the step outputs list so they can actually get picked up by the
push container step.
We have community provided Windows builds that are better than what we
can build on GitHub. For the Linux/X86 builds and Mac/Aarch64 builds we
will use depot runners, for Mac/X86 we will use the larger GitHub
runners.
This patch adds an agent container image on top of the normal CI
container image. They are the exact same except that the agent container
image also contains GitHub Runner binaries. I've split it into a
separate container as only one user of these images (the new premerge)
needs this binary installed, and it bloats the container image size
significantly (900MB->1.3GB or so).
This patch adds zlib at build time to the CI container. This is needed
to make an lldb test pass that defaults to using the system lld if it is
not explicitly enabled in LLVM_ENABLE_PROJECTS.
Fixes #123479 (by fixing the proximal cause).
This commit promotes the SPIR-V backend from experimental to official
status. As a result, SPIR-V will be built by default, simplifying
integration and increasing accessibility for downstream projects.
Discussion and RFC on Discourse:
https://discourse.llvm.org/t/rfc-promoting-spir-v-to-an-official-target/83614
The current container is on an old version that can no longer receive
messages from GitHub, which causes the runner to just be recreated every
couple seconds rather than performing any useful work.
This patch bumps the max ccache size for premerge jobs to 2GB. Doing a manual
invocation against changes in LLVM produces about 1GB of cache. The default
is 500MB, which we feel might be contributing to the very poor cache
utilization.
This adds a workflow for running HLSL tests on PRs that modify HLSL and
DirectX code.
The tests enabled here are the LLVM & Clang tests and the Offload
execution tests: https://github.com/llvm-beanz/offload-test-suite/
This patch fixes the LLVM project tests workflow on Linux. Two changes
were needed. Firstly, some commands need to be performed with sudo now
that the container executes as a non-root user. Second, we needed to
change from `ubuntu-latest` to `ubuntu-22.04`, as `ubuntu-latest` now
defaults to `ubuntu-24.04`, which causes `setup-python` to install a
python executable linked against a newer version of glibc that is not
found on ubuntu 22.04; this causes failures when CMake cannot execute
the python interpreter that it finds.