-
Notifications
You must be signed in to change notification settings - Fork 12
187 lines (185 loc) · 6.25 KB
/
ci_ec2_container.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
# SPDX-License-Identifier: Apache-2.0
name: ci-ec2-reusable
permissions:
contents: read
on:
workflow_call:
inputs:
name:
type: string
description: Alternative name of instance
default: Graviton2
ec2_instance_type:
type: string
description: Type if EC2 instance to benchmark on
default: t4g.small
ec2_ami:
type: string
description: Textual description of AMI
default: ubuntu-latest (aarch64)
ec2_ami_id:
type: string
description: AMI ID
default: ami-096ea6a12ea24a797
cflags:
type: string
description: Custom CFLAGS for compilation
default: ""
verbose:
description: Determine for the log verbosity
type: boolean
default: false
compile_mode:
type: string
description: either all, native, cross or none
default: all
opt:
type: string
description: either all, opt or no_opt
default: all
functest:
type: boolean
default: true
kattest:
type: boolean
default: true
nistkattest:
type: boolean
default: true
acvptest:
type: boolean
default: true
lint:
type: boolean
default: true
cbmc:
type: boolean
default: false
cbmc_mlkem_k:
type: string
default: 2
container:
type: string
default: ''
env:
AWS_ROLE: arn:aws:iam::559050233797:role/mlkem-c-aarch64-gh-action
AWS_REGION: us-east-1
AMI_UBUNTU_LATEST_X86_64: ami-0e86e20dae9224db8
AMI_UBUNTU_LATEST_AARCH64: ami-096ea6a12ea24a797
jobs:
start-ec2-runner:
name: Start instance (${{ inputs.ec2_instance_type }})
permissions:
contents: 'read'
id-token: 'write'
runs-on: ubuntu-latest
if: ${{ always() }} # The point is to make this step non-cancellable,
# avoiding race conditions where an instance is started,
# but isn't yet done registering as a runner and reporting back.
outputs:
label: ${{ steps.start-ec2-runner.outputs.label }}
ec2-instance-id: ${{ steps.start-ec2-runner.outputs.ec2-instance-id }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Determine AMI ID
id: det_ami_id
run: |
if [[ "${{ inputs.ec2_ami }}" == "ubuntu-latest (x86_64)" ]]; then
AMI_ID=${{ env.AMI_UBUNTU_LATEST_X86_64 }}
elif [[ "${{ inputs.ec2_ami }}" == "ubuntu-latest (aarch64)" ]]; then
AMI_ID=${{ env.AMI_UBUNTU_LATEST_AARCH64 }}
elif [[ "${{ inputs.ec2_ami }}" == "ubuntu-latest (custom AMI)" ]]; then
AMI_ID=${{ inputs.ec2_ami_id }}
fi
echo "Using AMI ID: $AMI_ID"
echo "AMI_ID=$AMI_ID" >> $GITHUB_OUTPUT
- name: Clear nix-installer action cache
uses: ./.github/actions/clear-cache
with:
key_prefix: determinatesystem-nix-installer-
repository: ${{ github.repository }}
gh_token: ${{ secrets.AWS_GITHUB_TOKEN }}
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: ${{ env.AWS_ROLE }}
aws-region: ${{ env.AWS_REGION }}
- name: Start EC2 runner
id: start-ec2-runner
uses: mkannwischer/ec2-github-runner@d15c8804522523d2bac7119a01ffff83b7795d87
with:
mode: start
github-token: ${{ secrets.AWS_GITHUB_TOKEN }}
ec2-image-id: ${{ steps.det_ami_id.outputs.AMI_ID }}
ec2-instance-type: ${{ inputs.ec2_instance_type }}
subnet-id: subnet-07b2729e5e065962f
security-group-id: sg-0ab2e297196c8c381
tests:
name: Run tests
needs: start-ec2-runner
if: ${{ inputs.container != '' }}
runs-on: ${{ needs.start-ec2-runner.outputs.label }}
container:
localhost:5000/${{ inputs.container }}
steps:
# We're not using the checkout action here because on it's not supported
# on all containers we want to test. Resort to a manual checkout.
#
# We can't hoist this into an action since calling an action can only
# be done after checkout.
- name: Manual checkout
shell: bash
run: |
if /usr/bin/which yum; then
yum install git -y
elif /usr/bin/which apt; then
apt update
apt install git -y
fi
git init
git remote add origin $GITHUB_SERVER_URL/$GITHUB_REPOSITORY
git fetch origin --depth 1 $GITHUB_SHA
git checkout FETCH_HEAD
- uses: ./.github/actions/setup-os
with:
sudo: ""
- name: make quickcheck
run: |
OPT=0 make quickcheck
make clean >/dev/null
OPT=1 make quickcheck
- name: Functional Tests
uses: ./.github/actions/multi-functest
with:
nix-shell: ""
gh_token: ${{ secrets.AWS_GITHUB_TOKEN }}
cflags: ${{ inputs.cflags }}
compile_mode: ${{ inputs.compile_mode }}
opt: ${{ inputs.opt }}
func: ${{ inputs.functest }}
kat: ${{ inputs.kattest }}
nistkat: ${{ inputs.nistkattest }}
acvp: ${{ inputs.acvptest }}
stop-ec2-runner:
name: Stop instance (${{ inputs.ec2_instance_type }})
permissions:
contents: 'read'
id-token: 'write'
needs:
- start-ec2-runner
- tests
runs-on: ubuntu-latest
if: ${{ always() }} # required to stop the runner even if the error happened in the previous jobs
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: ${{ env.AWS_ROLE }}
aws-region: ${{ env.AWS_REGION }}
- name: Stop EC2 runner
uses: mkannwischer/ec2-github-runner@d15c8804522523d2bac7119a01ffff83b7795d87
with:
mode: stop
github-token: ${{ secrets.AWS_GITHUB_TOKEN }}
label: ${{ needs.start-ec2-runner.outputs.label }}
ec2-instance-id: ${{ needs.start-ec2-runner.outputs.ec2-instance-id }}