CI/CD: fixes for latent bugs, supply chain hardening, faster matrix #3313
Closed
DuLL-FoX wants to merge 3 commits into
P0 - latent bugs:
- find_all_maps: ::set-output -> $GITHUB_OUTPUT, checkout@v2 -> v4
- check_grep.sh: fix the broken st=1 assignment and the dead CRLF pattern (\r\n -> \r$)
- make_changelogs: checkout@v3 -> v4, setup-python@v1 -> v5
P1 - security and supply chain:
- install_rust_g/auxmos/spaceman_dmm: SHA256 verification + retries (hashes in dependencies.sh)
- third-party actions pinned to commit SHAs (github-push-action, round_linker, repo-sync/pull-request, tgs-dmapi-updater, DreamAnnotate)
- least-privilege permissions in ci_suite.yml, warning about pull_request_target in labeler
P2 - cost and speed:
- build-once: the test .dmb is built once and shipped as an artifact to the matrix legs (removes 19x DM and TGUI compilations)
- workflow concurrency + cancel-in-progress, timeout-minutes on jobs, paths-ignore
- ~/.byond/bin cache, versioned cache keys, pip cache, dmdoc cron 6h -> daily
- check_grep.sh: add -I to the CRLF grep so binary assets (.dmi/.ogg/.wav with stray 0x0d bytes) are not flagged as CRLF; only text files are checked
- ci_suite.yml: run_all_tests timeout-minutes 30 -> 45; valid slow maps reach ~30 min (icemoon passed at 29m39s), 30 was too tight and false-killed runs
GitHub forces Node 20 actions to Node 24 on 2026-06-16. Bump every first-party action to its first Node 24 major:
- checkout v4 -> v5, cache v4 -> v5
- upload-artifact v4 -> v6, download-artifact v4 -> v7
- setup-python v5 -> v6, github-script v6 -> v8, labeler v5 -> v6
DreamAnnotate v2 (Node 16) -> v3, which is a composite action using problem matchers (no Node runtime, immune to the deprecation). It now registers the matcher before the lint step and dreamchecker prints to the console instead of a file; drops the separate annotate step and the no-longer-needed checks:write permission.
Description
CI/CD fixes across the three priorities from the audit:
::set-output in the map matrix generator (GitHub will disable it -> the test matrix will become empty), the broken st = 1 in check_grep.sh, ancient actions in make_changelogs.
Reason for changes
The integration test matrix re-ran the full DM and TGUI compilation for each of the 19 maps; build-once removes that. Along the way, latent bugs and supply chain holes were closed (native .so files were loaded into DreamDaemon without any integrity check).
Changelog
🆑
code: sped up and fixed CI (build-once build of the test server, fixes for outdated GitHub Actions)
server: builds of native CI dependencies are now verified by SHA256
/:cl:
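The "SHA256 verification + retries" step from the P1 list and the changelog's server entry, as an added shell example that is not the PR's own install_rust_g/install_auxmos/dependencies.sh code: fetch_verified, verify_sha256, sha256_of and the DOWNLOADER hook are names assumed here, and the downloader is pluggable so the check runs offline against a local file instead of curl.

```shell
#!/usr/bin/env bash
# Added example (not the PR's scripts): fetch a native CI dependency, verify it
# against a pinned SHA256 before it can reach its final path, retry on failure.
set -eu

# SHA256 of a file; uses sha256sum (coreutils) or shasum (macOS) as available.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED -> exit 0 only if the digest matches exactly.
verify_sha256() {
  local file="$1" expected="$2" actual
  actual="$(sha256_of "$file")"
  [ "$actual" = "$expected" ]
}

# Default downloader (assumed name): "$DOWNLOADER URL DEST". Swap in any
# command with the same two-argument shape, e.g. cp for an offline test.
curl_download() { curl -fsSL -o "$2" "$1"; }

# fetch_verified URL DEST EXPECTED_SHA256 [RETRIES]
# Downloads into a temp file next to DEST; DEST is written only after the
# digest check passes, so a truncated or tampered download never lands there.
fetch_verified() {
  local url="$1" dest="$2" expected="$3" retries="${4:-3}" attempt tmp
  tmp="$(mktemp "${dest}.XXXXXX")"
  for attempt in $(seq 1 "$retries"); do
    if "${DOWNLOADER:-curl_download}" "$url" "$tmp" && verify_sha256 "$tmp" "$expected"; then
      mv "$tmp" "$dest"
      return 0
    fi
    echo "attempt $attempt/$retries failed for $url (download error or SHA256 mismatch)" >&2
    sleep "${RETRY_DELAY:-1}"
  done
  rm -f "$tmp"
  return 1
}
```

Pinned hashes belong in a versioned file (the PR keeps them in dependencies.sh) so a bump of the binary is a reviewed diff, not a silent change.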