
chore(deps): bump dorny/paths-filter from 4.0.1 to 4.0.2 #4510

chore(deps): bump dorny/paths-filter from 4.0.1 to 4.0.2

chore(deps): bump dorny/paths-filter from 4.0.1 to 4.0.2 #4510

# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: Validate Pull Request

# Runs for pull requests that target main or a release branch, and for merge
# queue entries.
on:
  pull_request:
    branches:
      - main
      - "release/**"
  merge_group:

# Cancels old running job if a new one is triggered (e.g. by a push onto the same branch).
# This will cancel dependent jobs as well, such as dep_rust and dep_fuzzing
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Default token scopes for every job that does not declare its own
# `permissions` block, including jobs that call reusable workflows.
# NOTE(review): `contents: write` is broad for a validation workflow. Which
# job needs write access is not visible in this file; consider defaulting to
# `contents: read` and granting write only on that job.
permissions:
  contents: write
  pull-requests: read
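jobs:
  # Classifies the change set: the `docs-only` output is the string "true"
  # when every changed file matched the `docs` filter, otherwise "false".
  # NOTE(review): this value is handed to the called workflows as `docs_only`;
  # what they skip is not visible here. Confirm that no build- or
  # test-relevant file ends in .md or .txt, otherwise a change to it would be
  # classified as documentation.
  docs-pr:
    runs-on: ubuntu-latest
    outputs:
      docs-only: ${{ steps.docs-only.outputs.result }}
    steps:
      - uses: dorny/paths-filter@7b450fff21473bca461d4b92ce414b9d0420d706 # v4.0.2
        id: changes
        with:
          filters: |
            docs:
              - '**/*.md'
              - '**/*.txt'
            all:
              - '**/*'
      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        id: docs-only
        with:
          # The two counts are pasted into the script text before it runs.
          # They come from the paths-filter step above, not from PR content;
          # keep it that way, or pass values through `env` instead.
          script: |
            let docs_file_count = ${{steps.changes.outputs.docs_count}};
            let all_file_count = ${{steps.changes.outputs.all_count}};
            return all_file_count === docs_file_count;
          result-encoding: string

  # Update guest Cargo.lock for Dependabot PRs.
  # Dependabot only updates the root Cargo.lock, leaving the guest workspace
  # Cargo.lock stale. This job updates it before code-checks runs
  # `cargo fetch --locked` so that the first CI run succeeds.
  # NOTE(review): `secrets: inherit` hands every secret available to this run
  # to the called workflow, here and in the jobs below; passing only the
  # secrets each called workflow names would narrow that.
  update-guest-locks:
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    uses: ./.github/workflows/dep_update_guest_locks.yml
    secrets: inherit

  # Build guests once, upload as artifacts for other jobs to download
  build-guests:
    needs: [docs-pr, update-guest-locks]
    # Required because update-guest-locks is skipped on non-dependabot PRs,
    # and a skipped dependency transitively skips all downstream jobs.
    # See: https://github.com/actions/runner/issues/2205
    if: ${{ !cancelled() && !failure() }}
    strategy:
      fail-fast: true
      matrix:
        arch: [X64, arm64]
        config: [debug, release]
    uses: ./.github/workflows/dep_build_guests.yml
    secrets: inherit
    with:
      docs_only: ${{ needs.docs-pr.outputs.docs-only }}
      arch: ${{ matrix.arch }}
      config: ${{ matrix.config }}

  # Code checks (fmt, clippy, MSRV) - runs in parallel with build-guests
  code-checks:
    needs: [docs-pr, update-guest-locks]
    # Required because update-guest-locks is skipped on non-dependabot PRs,
    # and a skipped dependency transitively skips all downstream jobs.
    # See: https://github.com/actions/runner/issues/2205
    if: ${{ !cancelled() && !failure() }}
    uses: ./.github/workflows/dep_code_checks.yml
    secrets: inherit
    with:
      docs_only: ${{ needs.docs-pr.outputs.docs-only }}

  # Pick the goldens mode. The `regen-goldens` label means regenerate. No label means pull.
  # Also validate the label against the goldens state so a stale or missing label fails fast.
  check-golden-label:
    runs-on: ubuntu-latest
    # This job checks out the repository and runs a `just` recipe from it, so
    # it declares its own read-only token scopes instead of the workflow default.
    permissions:
      contents: read
      pull-requests: read
      packages: read
    outputs:
      should_regen_goldens: ${{ steps.check.outputs.should_regen_goldens || 'false' }}
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
      - uses: hyperlight-dev/ci-setup-workflow@f6bd9cc86d0737976d2128c8b8ced8edc017cbb4 # v1.9.0
        with:
          rust-toolchain: "1.94"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Install oras
        uses: oras-project/setup-oras@38de303aac69abb66f3e6255b7198bff35f323e3 # v2.0.0
        with:
          # Quoted so the version is always read as a string.
          version: "1.3.1"
      - name: Log in to GHCR
        env:
          GHCR_USER: ${{ github.actor }}
          GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # login technically not needed for reading public packages, but might avoid potential rate limiting
          echo "${GHCR_TOKEN}" | oras login ghcr.io -u "${GHCR_USER}" --password-stdin
      - id: check
        if: github.event_name == 'pull_request'
        # The PR number and repository reach the shell as environment
        # variables, so no expression text is spliced into the script.
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          REPO: ${{ github.repository }}
        run: |
          labels="$(gh pr view "${PR_NUMBER}" \
            --repo "${REPO}" --json labels -q '.labels[].name')"
          if grep -qx regen-goldens <<<"$labels"; then
            echo "should_regen_goldens=true" >> "$GITHUB_OUTPUT"
          else
            echo "should_regen_goldens=false" >> "$GITHUB_OUTPUT"
          fi
      - name: Validate regen-goldens label
        if: github.event_name == 'pull_request'
        # The base branch name and the step output are both passed through
        # the environment and quoted in the script.
        env:
          BASE_REF: ${{ github.event.pull_request.base.ref }}
          SHOULD_REGEN_GOLDENS: ${{ steps.check.outputs.should_regen_goldens }}
        run: |
          git fetch --no-tags --depth=1 origin "${BASE_REF}"
          just snapshot-goldens-check-label "${SHOULD_REGEN_GOLDENS}" FETCH_HEAD

  # Build and test - needs guest artifacts
  build-test:
    needs:
      - docs-pr
      - build-guests
      - check-golden-label
    # Required because update-guest-locks is skipped on non-dependabot PRs,
    # and a skipped dependency transitively skips all downstream jobs.
    # See: https://github.com/actions/runner/issues/2205
    if: ${{ !cancelled() && !failure() }}
    permissions:
      # checkout in the called workflow
      contents: read
      # pull goldens from GHCR in the called workflow
      packages: read
    strategy:
      fail-fast: true
      matrix:
        hypervisor: ['hyperv-ws2025', mshv3, kvm]
        cpu_vendor: [amd, intel, apple]
        arch: [X64, arm64]
        config: [debug, release]
        exclude:
          - cpu_vendor: apple
            hypervisor: hyperv-ws2025
          - cpu_vendor: apple
            hypervisor: mshv3
          - cpu_vendor: amd
            arch: arm64
          - cpu_vendor: intel
            arch: arm64
          - cpu_vendor: apple
            arch: X64
    uses: ./.github/workflows/dep_build_test.yml
    secrets: inherit
    with:
      docs_only: ${{ needs.docs-pr.outputs.docs-only }}
      hypervisor: ${{ matrix.hypervisor }}
      cpu_vendor: ${{ matrix.cpu_vendor }}
      arch: ${{ matrix.arch }}
      config: ${{ matrix.config }}
      should_regen_goldens: ${{ needs.check-golden-label.outputs.should_regen_goldens }}

  # Run examples - needs guest artifacts, runs in parallel with build-test
  run-examples:
    needs:
      - docs-pr
      - build-guests
    # Required because update-guest-locks is skipped on non-dependabot PRs,
    # and a skipped dependency transitively skips all downstream jobs.
    # See: https://github.com/actions/runner/issues/2205
    if: ${{ !cancelled() && !failure() }}
    strategy:
      fail-fast: true
      matrix:
        # aarch64 examples are exercised by the daily schedule (DailyArm64.yml)
        # only, to keep the limited arm64 runners free on PRs.
        hypervisor: ['hyperv-ws2025', mshv3, kvm]
        cpu_vendor: [amd, intel]
        arch: [X64]
        config: [debug, release]
    uses: ./.github/workflows/dep_run_examples.yml
    secrets: inherit
    with:
      docs_only: ${{ needs.docs-pr.outputs.docs-only }}
      hypervisor: ${{ matrix.hypervisor }}
      cpu_vendor: ${{ matrix.cpu_vendor }}
      arch: ${{ matrix.arch }}
      config: ${{ matrix.config }}

  # Runs each fuzz target through the fuzzing workflow for a bounded time.
  fuzzing:
    needs:
      - docs-pr
      - build-guests
    # Required because update-guest-locks is skipped on non-dependabot PRs,
    # and a skipped dependency transitively skips all downstream jobs.
    # See: https://github.com/actions/runner/issues/2205
    if: ${{ !cancelled() && !failure() }}
    strategy:
      matrix:
        target: ['fuzz_host_print', 'fuzz_guest_call', 'fuzz_host_call', 'fuzz_guest_estimate_trace_event', 'fuzz_guest_trace']
        arch:
          - X64
          # arm64 fuzzing runs on the daily schedule (DailyArm64.yml) instead of on
          # PRs, to conserve the limited arm64 runners.
    uses: ./.github/workflows/dep_fuzzing.yml
    secrets: inherit
    with:
      docs_only: ${{ needs.docs-pr.outputs.docs-only }}
      max_total_time: 300 # 5 minutes in seconds
      arch: ${{ matrix.arch }}
      target: ${{ matrix.target }}

  spelling:
    name: spell check with typos
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
      - name: Spell Check Repo
        uses: crate-ci/typos@37bb98842b0d8c4ffebdb75301a13db0267cef89 # v1.47.2

  license-headers:
    name: check license headers
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
      - name: Check License Headers
        run: ./dev/check-license-headers.sh

  # Gate PR merges on this specific "join-job" which requires all other
  # jobs to run first.
  # A job result of "skipped" counts as passing here, so any job that is
  # skipped does not block the merge.
  report-ci-status:
    needs:
      - docs-pr
      - update-guest-locks
      - build-guests
      - code-checks
      - check-golden-label
      - build-test
      - run-examples
      - fuzzing
      - spelling
      - license-headers
    if: always()
    runs-on: ubuntu-latest
    steps:
      - name: calculate the correct exit status
        # The needs context also carries job outputs; passing it through the
        # environment keeps a quote character in any output from breaking
        # the shell quoting.
        env:
          NEEDS_JSON: ${{ toJson(needs) }}
        run: jq --exit-status 'all(.result == "success" or .result == "skipped")' <<< "${NEEDS_JSON}"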