fix(ci): ensure C toolchain for self-hosted rust jobs
parent
05b14f56f6
commit
dd0e504db2
6
.github/workflows/ci-reproducible-build.yml
vendored
6
.github/workflows/ci-reproducible-build.yml
vendored
@ -8,6 +8,7 @@ on:
|
||||
- "Cargo.lock"
|
||||
- "src/**"
|
||||
- "crates/**"
|
||||
- "scripts/ci/ensure_c_toolchain.sh"
|
||||
- "scripts/ci/ensure_cargo_component.sh"
|
||||
- "scripts/ci/reproducible_build_check.sh"
|
||||
- ".github/workflows/ci-reproducible-build.yml"
|
||||
@ -18,6 +19,7 @@ on:
|
||||
- "Cargo.lock"
|
||||
- "src/**"
|
||||
- "crates/**"
|
||||
- "scripts/ci/ensure_c_toolchain.sh"
|
||||
- "scripts/ci/ensure_cargo_component.sh"
|
||||
- "scripts/ci/reproducible_build_check.sh"
|
||||
- ".github/workflows/ci-reproducible-build.yml"
|
||||
@ -62,6 +64,10 @@ jobs:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
|
||||
|
||||
- name: Ensure C toolchain
|
||||
shell: bash
|
||||
run: bash ./scripts/ci/ensure_c_toolchain.sh
|
||||
|
||||
- name: Setup Rust
|
||||
uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable
|
||||
with:
|
||||
|
||||
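Review bot: In a reproducibility workflow the new `Ensure C toolchain` step leaves the C compiler unpinned. Per the script added in this commit, it exports the first of `cc`, `gcc` or `clang` found on PATH as `CC` and the cargo linker, or installs whatever `build-essential` apt currently serves. If the check compares builds made on different runners (the check script is not visible here), differing compilers for native dependencies could surface as a spurious mismatch. Consider pinning the compiler in the runner image, or logging the full `--version` output next to the artifact hashes, and add a comment above the step such as `# exports CC/CXX/linker via GITHUB_ENV for the steps below`.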
9
.github/workflows/ci-run.yml
vendored
9
.github/workflows/ci-run.yml
vendored
@ -60,6 +60,9 @@ jobs:
|
||||
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
|
||||
with:
|
||||
fetch-depth: 0
|
||||
- name: Ensure C toolchain
|
||||
shell: bash
|
||||
run: bash ./scripts/ci/ensure_c_toolchain.sh
|
||||
- uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable
|
||||
with:
|
||||
toolchain: 1.92.0
|
||||
@ -89,6 +92,9 @@ jobs:
|
||||
CARGO_TARGET_DIR: ${{ github.workspace }}/.ci-rust/${{ github.run_id }}-${{ github.run_attempt }}-${{ github.job }}/target
|
||||
steps:
|
||||
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
|
||||
- name: Ensure C toolchain
|
||||
shell: bash
|
||||
run: bash ./scripts/ci/ensure_c_toolchain.sh
|
||||
- uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable
|
||||
with:
|
||||
toolchain: 1.92.0
|
||||
@ -160,6 +166,9 @@ jobs:
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
|
||||
- name: Ensure C toolchain
|
||||
shell: bash
|
||||
run: bash ./scripts/ci/ensure_c_toolchain.sh
|
||||
- uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable
|
||||
with:
|
||||
toolchain: 1.92.0
|
||||
|
||||
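Review bot: The three-line `Ensure C toolchain` step is pasted into three jobs in this file and again in `ci-reproducible-build.yml`, `sec-audit.yml` and `sec-codeql.yml`. A local composite action (for example `.github/actions/<name>/action.yml`, placeholder path) would keep the copies from drifting. `shell: bash` combined with `run: bash ./scripts/ci/ensure_c_toolchain.sh` is redundant; the script is added as an executable file, so `run: ./scripts/ci/ensure_c_toolchain.sh` should be enough. The other three workflows add the script to their `paths:` filters, and no such hunk is visible for this file, so if `ci-run.yml` has a path filter it is worth confirming that the script is covered.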
20
.github/workflows/sec-audit.yml
vendored
20
.github/workflows/sec-audit.yml
vendored
@ -15,6 +15,7 @@ on:
|
||||
- ".github/security/unsafe-audit-governance.json"
|
||||
- "scripts/ci/install_gitleaks.sh"
|
||||
- "scripts/ci/install_syft.sh"
|
||||
- "scripts/ci/ensure_c_toolchain.sh"
|
||||
- "scripts/ci/ensure_cargo_component.sh"
|
||||
- "scripts/ci/deny_policy_guard.py"
|
||||
- "scripts/ci/secrets_governance_guard.py"
|
||||
@ -38,6 +39,7 @@ on:
|
||||
- ".github/security/unsafe-audit-governance.json"
|
||||
- "scripts/ci/install_gitleaks.sh"
|
||||
- "scripts/ci/install_syft.sh"
|
||||
- "scripts/ci/ensure_c_toolchain.sh"
|
||||
- "scripts/ci/ensure_cargo_component.sh"
|
||||
- "scripts/ci/deny_policy_guard.py"
|
||||
- "scripts/ci/secrets_governance_guard.py"
|
||||
@ -97,6 +99,10 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
|
||||
|
||||
- name: Ensure C toolchain
|
||||
shell: bash
|
||||
run: bash ./scripts/ci/ensure_c_toolchain.sh
|
||||
|
||||
- uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable
|
||||
with:
|
||||
toolchain: 1.92.0
|
||||
@ -119,6 +125,11 @@ jobs:
|
||||
CARGO_TARGET_DIR: ${{ github.workspace }}/.ci-rust/${{ github.run_id }}-${{ github.run_attempt }}-${{ github.job }}/target
|
||||
steps:
|
||||
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
|
||||
|
||||
- name: Ensure C toolchain
|
||||
shell: bash
|
||||
run: bash ./scripts/ci/ensure_c_toolchain.sh
|
||||
|
||||
- uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable
|
||||
with:
|
||||
toolchain: 1.92.0
|
||||
@ -206,6 +217,11 @@ jobs:
|
||||
CARGO_TARGET_DIR: ${{ github.workspace }}/.ci-rust/${{ github.run_id }}-${{ github.run_attempt }}-${{ github.job }}/target
|
||||
steps:
|
||||
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
|
||||
|
||||
- name: Ensure C toolchain
|
||||
shell: bash
|
||||
run: bash ./scripts/ci/ensure_c_toolchain.sh
|
||||
|
||||
- uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable
|
||||
with:
|
||||
toolchain: 1.92.0
|
||||
@ -481,7 +497,7 @@ jobs:
|
||||
|
||||
unsafe-debt:
|
||||
name: Unsafe Debt Audit
|
||||
runs-on: [self-hosted, aws-india, Linux]
|
||||
runs-on: ubuntu-22.04
|
||||
timeout-minutes: 20
|
||||
steps:
|
||||
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
|
||||
@ -620,7 +636,7 @@ jobs:
|
||||
name: Security Required Gate
|
||||
if: always() && (github.event_name == 'pull_request' || github.event_name == 'push' || github.event_name == 'merge_group')
|
||||
needs: [audit, deny, security-regressions, secrets, sbom, unsafe-debt]
|
||||
runs-on: [self-hosted, aws-india, Linux]
|
||||
runs-on: ubuntu-22.04
|
||||
steps:
|
||||
- name: Enforce security gate
|
||||
shell: bash
|
||||
|
||||
6
.github/workflows/sec-codeql.yml
vendored
6
.github/workflows/sec-codeql.yml
vendored
@ -8,6 +8,7 @@ on:
|
||||
- "Cargo.lock"
|
||||
- "src/**"
|
||||
- "crates/**"
|
||||
- "scripts/ci/ensure_c_toolchain.sh"
|
||||
- "scripts/ci/ensure_cargo_component.sh"
|
||||
- ".github/codeql/**"
|
||||
- ".github/workflows/sec-codeql.yml"
|
||||
@ -18,6 +19,7 @@ on:
|
||||
- "Cargo.lock"
|
||||
- "src/**"
|
||||
- "crates/**"
|
||||
- "scripts/ci/ensure_c_toolchain.sh"
|
||||
- "scripts/ci/ensure_cargo_component.sh"
|
||||
- ".github/codeql/**"
|
||||
- ".github/workflows/sec-codeql.yml"
|
||||
@ -57,6 +59,10 @@ jobs:
|
||||
with:
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Ensure C toolchain
|
||||
shell: bash
|
||||
run: bash ./scripts/ci/ensure_c_toolchain.sh
|
||||
|
||||
- name: Initialize CodeQL
|
||||
uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4
|
||||
with:
|
||||
|
||||
58
scripts/ci/ensure_c_toolchain.sh
Executable file
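--- /dev/null
+++ b/scripts/ci/ensure_c_toolchain.sh
@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+set_env_var() {
+local key="$1"
+local value="$2"
+if [ -n "${GITHUB_ENV:-}" ]; then
+echo "${key}=${value}" >>"${GITHUB_ENV}"
+fi
+}
+
+configure_linker() {
+local linker="$1"
+if [ ! -x "${linker}" ]; then
+return 1
+fi
+
+set_env_var "CC" "${linker}"
+set_env_var "CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_LINKER" "${linker}"
+
+if command -v g++ >/dev/null 2>&1; then
+set_env_var "CXX" "$(command -v g++)"
+elif command -v clang++ >/dev/null 2>&1; then
+set_env_var "CXX" "$(command -v clang++)"
+fi
+
+echo "Using C linker: ${linker}"
+"${linker}" --version | head -n 1 || true
+return 0
+}
+
+echo "Ensuring C toolchain is available for Rust native dependencies"
+
+if command -v cc >/dev/null 2>&1; then
+configure_linker "$(command -v cc)"
+exit 0
+fi
+
+if command -v gcc >/dev/null 2>&1; then
+configure_linker "$(command -v gcc)"
+exit 0
+fi
+
+if command -v clang >/dev/null 2>&1; then
+configure_linker "$(command -v clang)"
+exit 0
+fi
+
+if command -v sudo >/dev/null 2>&1 && command -v apt-get >/dev/null 2>&1; then
+echo "C compiler not found. Installing build-essential via apt..."
+sudo apt-get update
+sudo apt-get install -y build-essential
+configure_linker "$(command -v cc)"
+exit 0
+fi
+
+echo "No usable C compiler found (cc/gcc/clang)." >&2
+exit 1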
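Review bot: The apt fallback only works if the runner account has passwordless `sudo`, and it installs packages on a host that, for the self-hosted runners named in the commit title, likely outlives the job. With that sudoers entry in place, anything a job executes from the checked-out tree, including a changed copy of this script, has a route to root on the runner. It is safer to bake `build-essential` into the runner image and let the script fall through to the final `exit 1`. If the fallback stays, use `sudo -n apt-get ...` so a missing sudoers entry fails fast. After the install, `configure_linker "$(command -v cc)"` exits silently under `set -e` when `cc` is still absent; `configure_linker "$(command -v cc)" || { echo "build-essential installed but cc not found" >&2; exit 1; }` would say why.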