From 77bb0de043194b35cec407c0f4048833ac47c11c Mon Sep 17 00:00:00 2001
From: "Thing-han, Lim" <15379156+potsrevennil@users.noreply.github.com>
Date: Wed, 16 Oct 2024 15:22:04 +0800
Subject: [PATCH] ci: Propagate github token to actinos to avoid nix reaching GH rate limit easily
Guard against GH rate limit, wait until limit is reset if limit is nearly reached. The GH rate limit can be reached after installing Nix when fetching the nixpkgs channel. Therefore, propagating the GH token to nix.conf ensures that Nix operations have a higher GH rate limit.
Signed-off-by: Thing-han, Lim <15379156+potsrevennil@users.noreply.github.com>
---
 .github/actions/bench/action.yml | 1 +
 .github/actions/cbmc/action.yml | 4 ++++
 .github/actions/functest/action.yml | 4 ++++
 .github/actions/lint/action.yml | 4 ++++
 .github/actions/multi-functest/action.yml | 12 ++++++++++++
 .github/actions/setup-nix/action.yml | 8 +++++++-
 .github/actions/setup-shell/action.yml | 4 ++++
 .github/workflows/ci.yml | 7 ++++++-
 .github/workflows/ci_ec2_reusable.yml | 3 +++
 9 files changed, 45 insertions(+), 2 deletions(-)
diff --git a/.github/actions/bench/action.yml b/.github/actions/bench/action.yml
index cc68000dc..01080754d 100644
--- a/.github/actions/bench/action.yml
+++ b/.github/actions/bench/action.yml
@@ -52,6 +52,7 @@ runs:
 nix-shell: ${{ inputs.nix-shell }}
 nix-cache: ${{ inputs.nix-cache }}
 nix-verbose: ${{ inputs.nix-verbose }}
+ gh_token: ${{ inputs.gh_token }}
 custom_shell: ${{ inputs.custom_shell }}
 script: |
 ARCH=$(uname -m)
diff --git a/.github/actions/cbmc/action.yml b/.github/actions/cbmc/action.yml
index c00069eba..2f71abdc7 100644
--- a/.github/actions/cbmc/action.yml
+++ b/.github/actions/cbmc/action.yml
@@ -16,6 +16,9 @@ inputs:
 custom_shell:
 description: The shell to use. Only relevant if use-nix is 'false'
 default: "bash"
+ gh_token:
+ description: Github access token to use
+ required: true
 runs:
 using: composite
 steps:
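Review bot: `gh_token: ${{ inputs.gh_token }}` is forwarded in the bench action's setup step, but this patch adds no `gh_token` input to bench/action.yml (the diffstat shows a single added line), unlike cbmc, functest and lint. If the input is not already declared earlier in the file, which is outside this hunk, the expression evaluates to an empty string and the token is silently not applied. Either confirm the existing declaration or add a `gh_token:` input whose description states which permissions the token needs.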
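Review bot: `required: true` on the new `gh_token` input in cbmc/action.yml will not stop a caller that omits it; as far as I know the runner does not enforce `required` for action inputs, so a missing token only shows up later as the rate limit this patch is meant to avoid. The same declaration is repeated in functest, lint, multi-functest, setup-nix and setup-shell. I would make the description say what the token is used for, e.g. `description: GitHub token for Nix github.com fetches and cache purging; pass the least-privileged token that works`, and have setup-nix print a `::warning::` when `$GH_TOKEN` is empty instead of skipping silently.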
@@ -25,6 +28,7 @@ runs:
 nix-shell: ${{ inputs.nix-shell }}
 nix-cache: ${{ inputs.nix-cache }}
 nix-verbose: ${{ inputs.nix-verbose }}
+ gh_token: ${{ inputs.gh_token }}
 custom_shell: ${{ inputs.custom_shell }}
 script: |
 cat >> $GITHUB_STEP_SUMMARY << EOF
diff --git a/.github/actions/functest/action.yml b/.github/actions/functest/action.yml
index 6ad1e6bf9..cc803da76 100644
--- a/.github/actions/functest/action.yml
+++ b/.github/actions/functest/action.yml
@@ -16,6 +16,9 @@ inputs:
 custom_shell:
 description: The shell to use. Only relevant if no nix-shell specified
 default: "bash"
+ gh_token:
+ description: Github access token to use
+ required: true
 cflags:
 description: CFLAGS to pass to compilation
 default: ""
@@ -66,6 +69,7 @@ runs:
 nix-shell: ${{ inputs.nix-shell }}
 nix-cache: ${{ inputs.nix-cache }}
 nix-verbose: ${{ inputs.nix-verbose }}
+ gh_token: ${{ inputs.gh_token }}
 custom_shell: ${{ inputs.custom_shell }}
 script: |
 # only summary on the first time
diff --git a/.github/actions/lint/action.yml b/.github/actions/lint/action.yml
index 65cff1b50..c1e87e178 100644
--- a/.github/actions/lint/action.yml
+++ b/.github/actions/lint/action.yml
@@ -19,6 +19,9 @@ inputs:
 cross-prefix:
 description: Binary prefix for cross compilation
 default: ""
+ gh_token:
+ description: Github access token to use
+ required: true
 runs:
 using: composite
 steps:
@@ -28,6 +31,7 @@ runs:
 custom_shell: ${{ inputs.custom_shell }}
 nix-cache: ${{ inputs.nix-cache }}
 nix-verbose: ${{ inputs.nix-verbose }}
+ gh_token: ${{ inputs.gh_token }}
 script: |
 cat >> $GITHUB_STEP_SUMMARY << EOF
 ## Setup
diff --git a/.github/actions/multi-functest/action.yml b/.github/actions/multi-functest/action.yml
index 8f5ee5fc1..27f1d535d 100644
--- a/.github/actions/multi-functest/action.yml
+++ b/.github/actions/multi-functest/action.yml
@@ -16,6 +16,9 @@ inputs:
 nix-verbose:
 description: Determine wether to suppress nix log or not
 default: 'false'
+ gh_token:
+ description: Github access token to use
+ required: true
 cflags:
 description: CFLAGS to pass to compilation
 default: ""
@@ -44,6 +47,7 @@ runs:
 nix-shell: ${{ inputs.nix-shell }}
 nix-cache: ${{ inputs.nix-cache }}
 nix-verbose: ${{ inputs.nix-verbose }}
+ gh_token: ${{ inputs.gh_token }}
 custom_shell: ${{ inputs.custom_shell }}
 cflags: ${{ inputs.cflags }}
 mode: native
@@ -57,6 +61,8 @@ runs:
 with:
 nix-shell: ${{ inputs.nix-shell }}
 nix-cache: ${{ inputs.nix-cache }}
+ nix-verbose: ${{ inputs.nix-verbose }}
+ gh_token: ${{ inputs.gh_token }}
 custom_shell: ${{ inputs.custom_shell }}
 cflags: ${{ inputs.cflags }}
 mode: native
@@ -69,6 +75,9 @@ runs:
 uses: ./.github/actions/functest
 with:
 nix-shell: ${{ inputs.nix-shell }}
+ nix-cache: ${{ inputs.nix-cache }}
+ nix-verbose: ${{ inputs.nix-verbose }}
+ gh_token: ${{ inputs.gh_token }}
 custom_shell: ${{ inputs.custom_shell }}
 cflags: ${{ inputs.cflags }}
 mode: cross
@@ -81,6 +90,9 @@ runs:
 uses: ./.github/actions/functest
 with:
 nix-shell: ${{ inputs.nix-shell }}
+ nix-cache: ${{ inputs.nix-cache }}
+ nix-verbose: ${{ inputs.nix-verbose }}
+ gh_token: ${{ inputs.gh_token }}
 custom_shell: ${{ inputs.custom_shell }}
 cflags: ${{ inputs.cflags }}
 mode: cross
diff --git a/.github/actions/setup-nix/action.yml b/.github/actions/setup-nix/action.yml
index 004fbf836..68d94b849 100644
--- a/.github/actions/setup-nix/action.yml
+++ b/.github/actions/setup-nix/action.yml
@@ -23,6 +23,9 @@ inputs:
 description: Determine whether to purge cache with primary key or not
 required: false
 default: 'true'
+ gh_token:
+ description: Github access token to use
+ required: true
 runs:
 using: composite
@@ -55,6 +58,8 @@ runs:
 - name: Install Nix
 shell: bash
 if: ${{ steps.nix-pre-check.outputs.installed == 'false' }}
+ env:
+ GH_TOKEN: ${{ inputs.gh_token }}
 run: |
 echo "::group::Nix installation"
 mkdir -p ~/.config/nix
@@ -78,7 +83,7 @@ runs:
 if [[ ! -z $GH_TOKEN ]]; then
 mkdir -p ~/.config/nix
- echo "access-tokens = github.com=$GH_TOKEN" > ~/.config/nix/nix.conf
+ echo "access-tokens = github.com=$GH_TOKEN" >> ~/.config/nix/nix.conf
 fi
 if command -v gh >/dev/null 2>&1; then
@@ -136,6 +141,7 @@ runs:
 purge-prefixes: cache-${{ steps.nix-post-check.outputs.cache_prefix }}
 purge-created: 0
 purge-primary-key: ${{ inputs.purge_cache == 'true' && 'always' || 'never' }}
+ token: ${{ inputs.gh_token }}
 - name: Set Shell
 shell: bash -lo pipefail {0}
 run: |
diff --git a/.github/actions/setup-shell/action.yml b/.github/actions/setup-shell/action.yml
index 68d9382f3..bb36a3802 100644
--- a/.github/actions/setup-shell/action.yml
+++ b/.github/actions/setup-shell/action.yml
@@ -19,6 +19,9 @@ inputs:
 script:
 description: The script to be run in the nix shell
 required: false
+ gh_token:
+ description: Github access token to use
+ required: true
 runs:
 using: composite
@@ -28,6 +31,7 @@ runs:
 if: ${{ inputs.nix-shell != '' }}
 with:
 devShell: ${{ inputs.nix-shell }}
+ gh_token: ${{ inputs.gh_token }}
 verbose: ${{ inputs.nix-verbose }}
 cache: ${{ inputs.nix-cache }}
 script: ${{ inputs.script }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d4149caf1..1b2dfbc4e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -77,13 +77,15 @@ jobs:
 - name: native build
 uses: ./.github/actions/multi-functest
 with:
- compile_mode: native
+ gh_token: ${{ secrets.GITHUB_TOKEN }}
+ compile_mode: nativ
 func: false
 nistkat: false
 kat: falst
 - name: native tests (+debug)
 uses: ./.github/actions/multi-functest
 with:
+ gh_token: ${{ secrets.GITHUB_TOKEN }}
 compile_mode: native
 cflags: "-DMLKEM_DEBUG"
 - name: cross tests (opt only)
@@ -92,6 +94,7 @@ jobs:
 with:
 nix-shell: ci-cross
 nix-cache: true
+ gh_token: ${{ secrets.GITHUB_TOKEN }}
 compile_mode: cross
 func: false
 nistkat: false
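Review bot: The appended `access-tokens = github.com=$GH_TOKEN` line leaves the token in plain text in `~/.config/nix/nix.conf` with whatever mode the default umask gives, and nothing in this hunk removes it afterwards. On the self-hosted EC2 runners, which receive `secrets.AWS_GITHUB_TOKEN` further down in this patch, the file stays readable by every later step, including builds and tests of checked-out code, for as long as the home directory lives; with `>>` a reused runner may also collect one line per run. I would restrict the file right after writing it, `chmod 600 ~/.config/nix/nix.conf`, and strip the `access-tokens` line in a final `if: always()` step. The surrounding `run:` script starts and ends outside the hunk, so it should be confirmed that this branch sits in the step that now sets `GH_TOKEN`.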
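Review bot: `token: ${{ inputs.gh_token }}` hands the caller's token to the cache step as well, so one secret now has to cover two different needs: read access for Nix fetches and enough `actions` permission to delete caches. That pushes callers toward a broader token than the rate-limit fix requires, and in ci_ec2_reusable.yml the value is `secrets.AWS_GITHUB_TOKEN` rather than the job's own token. The `uses:` line is outside the hunk, so I cannot see which action receives it or whether it is pinned to a commit SHA. If the action's default token is sufficient for purging I would drop this line; otherwise add a comment next to it such as `# needs permissions: actions: write in the calling job`.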
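Review bot: The re-added line in the "native build" step of ci.yml reads `compile_mode: nativ`, while the removed line and the next step both use `native`, so this looks like an accidental edit. If multi-functest selects its steps by comparing `compile_mode` against fixed values (the action's conditions are not in this hunk), the step would match nothing and pass without building, which hides build breakage in a gate that other jobs depend on. Restore `compile_mode: native`. The context line `kat: falst` in the same step has the same kind of typo and is a non-empty string rather than a boolean; it should read `kat: false`.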
@@ -107,7 +110,9 @@ jobs:
 - uses: ./.github/actions/lint
 with:
 nix-shell: ci-linter
+ gh_token: ${{ secrets.GITHUB_TOKEN }}
 cross-prefix: "aarch64-unknown-linux-gnu-"
+
 ec2_all:
 needs: quickcheck
 strategy:
diff --git a/.github/workflows/ci_ec2_reusable.yml b/.github/workflows/ci_ec2_reusable.yml
index 7936f35dc..f2b083ec6 100644
--- a/.github/workflows/ci_ec2_reusable.yml
+++ b/.github/workflows/ci_ec2_reusable.yml
@@ -117,6 +117,7 @@ jobs:
 nix-shell: ${{ steps.preprocess.outputs.nix-shell }}
 nix-cache: ${{ inputs.cbmc || inputs.compile_mode == 'cross' }}
 nix-verbose: ${{ inputs.verbose }}
+ gh_token: ${{ secrets.AWS_GITHUB_TOKEN }}
 cflags: ${{ inputs.cflags }}
 compile_mode: ${{ inputs.compile_mode }}
 opt: ${{ inputs.opt }}
@@ -129,12 +130,14 @@ jobs:
 with:
 nix-shell: ci-linter
 nix-verbose: ${{ inputs.verbose }}
+ gh_token: ${{ secrets.AWS_GITHUB_TOKEN }}
 - name: CBMC
 if: ${{ inputs.cbmc && (success() || failure()) }}
 uses: ./.github/actions/cbmc
 with:
 nix-shell: ${{ steps.preprocess.outputs.nix-shell }}
 nix-verbose: ${{ inputs.verbose }}
+ gh_token: ${{ secrets.AWS_GITHUB_TOKEN }}
 stop-ec2-runner:
 name: Stop ${{ inputs.name }} (${{ inputs.ec2_instance_type }})
 permissions:
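Review bot: `gh_token: ${{ secrets.AWS_GITHUB_TOKEN }}` in ci_ec2_reusable.yml sends a stored secret, not the per-job `GITHUB_TOKEN`, into setup-nix, where it is written to `~/.config/nix/nix.conf` on the EC2 runner; the lint and CBMC steps in the next hunk do the same. If that secret is a personal access token with repository-wide scope (its scope is not visible here), it is broader than authenticated Nix fetches need and it becomes readable by the code under test on that runner. A read-only fine-grained token, or `secrets.GITHUB_TOKEN` as in ci.yml, would be the safer value. Since this is a reusable workflow, also check that the secret is declared under `on.workflow_call.secrets` or passed with `secrets: inherit`, because a secret that is not passed resolves to an empty string and the token guard in setup-nix then skips silently.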