Add --docker-run feature for Docker container network isolation #321
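# CI entry point: runs on pushes to main, on every pull request, and when
# invoked by another workflow through workflow_call.
name: Tests

on:
  push:
    branches:
      - main
  pull_request:
  workflow_call:

# Least privilege for GITHUB_TOKEN: the jobs in this workflow only check out
# the repository and run cargo, so read access to contents is sufficient.
# Without this key the token gets the repository/organisation default, which
# may include write scopes.
permissions:
  contents: read

env:
  CARGO_TERM_COLOR: always
  # Quoted so the value stays the string "1" under every YAML loader.
  RUST_BACKTRACE: "1"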
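# NOTE(review): every third-party action below is referenced by a mutable tag
# or branch (@v4, @stable, @v2, @cargo-udeps). Pinning each `uses:` to a full
# commit SHA keeps a retagged or compromised upstream from changing what runs
# in CI.
#
# All checkouts set persist-credentials: false so the GITHUB_TOKEN is not left
# in .git/config where later build and test steps could read it; no step in
# this workflow pushes or fetches with that token.
jobs:
  test-macos:
    name: macOS Integration Tests
    runs-on: macos-15-xlarge
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
        with:
          toolchain: stable

      - name: Setup Rust cache
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: ${{ runner.os }}

      - name: Install nextest
        run: cargo install cargo-nextest --locked

      - name: Run all tests
        run: cargo nextest run --profile ci

  # NOTE(review): this job runs on a self-hosted runner, is reachable from the
  # pull_request trigger, and uses sudo. The cleanup steps below show that the
  # workspace and /home/ci/.cargo persist between runs. If pull requests from
  # forks are accepted, confirm that those runs require approval or are routed
  # to ephemeral runners; otherwise code from a pull request runs with root on
  # a host whose state is shared with later runs.
  test-linux:
    name: Linux Tests
    runs-on: [self-hosted, linux]
    steps:
      - name: Fix permissions from previous runs
        run: |
          # Clean up any files left from previous sudo runs before checkout
          # Use GITHUB_WORKSPACE parent directory or current working directory
          WORK_DIR="${GITHUB_WORKSPACE:-$(pwd)}"
          if [ -d "$WORK_DIR" ]; then
            sudo chown -R ci:ci "$WORK_DIR" || true
          fi
          # Ensure cargo cache has correct permissions
          if [ -d /home/ci/.cargo ]; then
            sudo chown -R ci:ci /home/ci/.cargo || true
          fi

      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Fix permissions on current directory
        run: |
          # Clean up any files left from previous sudo runs
          if [ -d target ]; then
            sudo chown -R ci:ci target || true
          fi
          # Fix cargo registry permissions to enable cache reuse
          if [ -d /home/ci/.cargo/registry ]; then
            sudo chown -R ci:ci /home/ci/.cargo/registry || true
          fi
          # Ensure git index cache has correct permissions
          if [ -d /home/ci/.cargo/git ]; then
            sudo chown -R ci:ci /home/ci/.cargo/git || true
          fi

      - name: Setup Rust cache
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: ${{ runner.os }}

      - name: Setup Rust environment and install nextest
        run: |
          source ~/.cargo/env
          rustup default stable
          # --locked matches the macOS job: build nextest against the
          # dependency versions in its own Cargo.lock instead of resolving
          # whatever is newest at install time.
          # Best effort: if the install fails and nextest is missing, the
          # first `cargo nextest` step below fails visibly.
          cargo install cargo-nextest --locked || true

      - name: Fix target directory permissions from previous runs
        run: |
          if [ -d target ]; then
            sudo chown -R ci:ci target || true
          fi

      - name: Run all tests (non-root)
        run: |
          source ~/.cargo/env
          cargo nextest run --profile ci --verbose -E 'not (binary(linux_integration) or binary(weak_integration))'

      - name: Install dependencies for weak mode (curl)
        run: sudo apt-get update && sudo apt-get install -y curl

      - name: Run weak mode integration tests (Linux)
        run: |
          source ~/.cargo/env
          cargo nextest run --profile ci --test weak_integration

      - name: Run Linux jail integration tests (sudo)
        run: |
          source ~/.cargo/env
          # Run Linux-specific jail tests with sudo to satisfy root requirements.
          # -E hands the runner's whole environment to the root process; the
          # cargo path is quoted so it reaches sudo as a single argument.
          sudo -E "$(command -v cargo)" nextest run --profile ci --test linux_integration --verbose

  clippy:
    name: Clippy (${{ matrix.os }})
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [ubuntu-latest-8-cores, macos-latest]
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
        with:
          toolchain: stable
          components: clippy

      - name: Setup Rust cache
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: ${{ runner.os }}

      - name: Run clippy
        run: cargo clippy --all-targets -- -D warnings

  fmt:
    name: Format
    runs-on: ubuntu-latest-8-cores
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
        with:
          toolchain: stable
          components: rustfmt

      - name: Setup Rust cache
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: ${{ runner.os }}

      - name: Check formatting
        run: cargo fmt -- --check

  udeps:
    name: Unused dependency check
    runs-on: ubuntu-latest-8-cores
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Install Rust (nightly for cargo-udeps)
        uses: dtolnay/rust-toolchain@stable
        with:
          toolchain: nightly

      - name: Setup Rust cache
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: ${{ runner.os }}

      - name: Install cargo-udeps
        uses: taiki-e/install-action@cargo-udeps

      - name: Check for unused dependencies
        run: |
          set -euo pipefail
          # Run with nightly; capture output without failing the step
          set +e
          # pipefail stays on, so $? below is cargo's status, not tee's
          cargo +nightly udeps --all-targets --all-features 2>&1 | tee udeps_output.txt
          STATUS=$?
          set -e
          cat udeps_output.txt
          # If cargo-udeps failed due to nightly requirement or other errors, surface that
          if [ "$STATUS" -ne 0 ]; then
            echo "cargo-udeps exited with status $STATUS"
            # If unused deps are present, cargo-udeps typically exits non-zero; still explicitly check text
            if grep -qi "unused" udeps_output.txt; then
              echo "Unused dependencies detected"
              exit 1
            fi
            exit "$STATUS"
          fi
          # Treat any mention of 'unused' as a failure signal
          if grep -qi "unused" udeps_output.txt; then
            echo "Unused dependencies detected"
            exit 1
          fi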