security: Rate limit GetAddr responses #350
Workflow file for this run
# Builds the CI Docker image and runs Zebra's tests inside that image.
name: Docker Unit Tests

# Ensures that only one workflow task will run at a time. Previous builds, if
# already in process, will get cancelled. Only the latest commit will be allowed
# to run, cancelling any workflows in between
#
# The group key is the workflow name plus `github.head_ref`, falling back to
# `github.run_id` when `head_ref` is empty. `head_ref` is chosen by the pull
# request author; in this file it is only used as a grouping key and is never
# expanded into a shell command.
# NOTE(review): `head_ref` is the bare branch name, so pull requests from
# different forks that reuse a branch name presumably share one group and can
# cancel each other's runs - confirm that this is acceptable.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
# Triggers: manual dispatch, pull requests, and pushes to `main`. The two
# `paths` filters limit automatic runs to changes that can affect the tests.
on:
  # Manual runs. `network` declares no `type:`, so it is taken as a free-form
  # string; the jobs below pass it on through the NETWORK environment variable
  # and as the `network` input of the config-test workflow, never by expanding
  # it into a `run:` script.
  # NOTE(review): `type: choice` with the two documented options would reject
  # any other value - confirm the called workflows do not rely on free text.
  workflow_dispatch:
    inputs:
      network:
        default: 'Mainnet'
        description: 'Network to deploy: Mainnet or Testnet'
        required: true
      no_cache:
        description: 'Disable the Docker cache for this build'
        required: false
        type: boolean
        default: false

  # Uses the `pull_request` event, not `pull_request_target`.
  # NOTE(review): the push filter below also lists '.dockerignore'; this list
  # does not, so a pull request that only changes '.dockerignore' would not run
  # these tests - confirm whether that difference is intended.
  pull_request:
    paths:
      # code and tests
      - '**/*.rs'
      # hard-coded checkpoints and proptest regressions
      - '**/*.txt'
      # test data snapshots
      - '**/*.snap'
      # dependencies
      - '**/Cargo.toml'
      - '**/Cargo.lock'
      # configuration files
      - '.cargo/config.toml'
      - '**/clippy.toml'
      # workflow definitions
      - 'docker/**'
      - '.github/workflows/ci-unit-tests-docker.yml'
      - '.github/workflows/sub-deploy-integration-tests-gcp.yml'
      - '.github/workflows/sub-build-docker-image.yml'
      - '.github/workflows/sub-find-cached-disks.yml'

  # Runs only for pushes to `main` that touch one of the listed paths.
  push:
    branches:
      - main
    paths:
      # code and tests
      - '**/*.rs'
      # hard-coded checkpoints and proptest regressions
      - '**/*.txt'
      # test data snapshots
      - '**/*.snap'
      # dependencies
      - '**/Cargo.toml'
      - '**/Cargo.lock'
      # configuration files
      - '.cargo/config.toml'
      - '**/clippy.toml'
      # workflow definitions
      - 'docker/**'
      - '.dockerignore'
      - '.github/workflows/ci-unit-tests-docker.yml'
      - '.github/workflows/sub-deploy-integration-tests-gcp.yml'
      - '.github/workflows/sub-find-cached-disks.yml'
      - '.github/workflows/sub-build-docker-image.yml'
# Workflow-level environment. Every value is read from configuration variables
# (`vars.*`); none of them comes from `secrets.*`.
#
# TEST_FEATURES and EXPERIMENTAL_FEATURES are expanded with `${{ env.* }}`
# inside the `run:` scripts of the jobs below, so anyone who can edit these
# variables controls part of the command line those scripts execute.
env:
  # We need to combine the features manually because some tests don't use the Docker entrypoint
  TEST_FEATURES: ${{ format('{0} {1}', vars.RUST_PROD_FEATURES, vars.RUST_TEST_FEATURES) }}
  EXPERIMENTAL_FEATURES: ${{ format('{0} {1} {2}', vars.RUST_PROD_FEATURES, vars.RUST_TEST_FEATURES, vars.RUST_EXPERIMENTAL_FEATURES) }}
  RUST_LOG: ${{ vars.RUST_LOG }}
  RUST_BACKTRACE: ${{ vars.RUST_BACKTRACE }}
  RUST_LIB_BACKTRACE: ${{ vars.RUST_LIB_BACKTRACE }}
  COLORBT_SHOW_HIDDEN: ${{ vars.COLORBT_SHOW_HIDDEN }}
  CARGO_INCREMENTAL: ${{ vars.CARGO_INCREMENTAL }}
# Job graph: `build` produces the test image; each test job pulls that image by
# the digest `build` outputs, so all of them run the same image bytes. The
# final job reports failures outside pull requests as issues.
#
# NOTE(review): no `permissions:` key is visible in this workflow, so
# GITHUB_TOKEN presumably carries the repository's default permissions in every
# job. Before adding a workflow-level restriction, check what the called
# `sub-*.yml` workflows need, because a caller's limit also applies to them.
jobs:
  # Build the docker image used by the tests.
  #
  # The default network in the Zebra config in the image is mainnet, unless a manually triggered
  # workflow or repository variable is configured differently. Testnet jobs change that config to
  # testnet when running the image.
  #
  # This calls a reusable workflow from the same repository; the later jobs
  # read its `image_digest` output.
  build:
    name: Build CI Docker
    uses: ./.github/workflows/sub-build-docker-image.yml
    with:
      dockerfile_path: ./docker/Dockerfile
      dockerfile_target: tests
      image_name: ${{ vars.CI_IMAGE_NAME }}
      no_cache: ${{ inputs.no_cache || false }}
      rust_backtrace: full
      rust_lib_backtrace: full
      rust_log: info

  # Run all the zebra tests, including tests that are ignored by default.
  #
  # - We activate the gRPC feature to avoid recompiling `zebrad`, but we don't actually run any gRPC tests.
  test-all:
    name: Test all
    timeout-minutes: 180
    runs-on: ubuntu-latest-xl
    needs: build
    steps:
      # NOTE(review): this reference was mangled by e-mail obfuscation in the
      # page capture (the `name@version` part was read as an address). It is
      # presumably r7kamura/rust-problem-matchers at some version; restore the
      # real `owner/repo@ref` from the repository before using this file.
      - uses: r7kamura/[email protected]

      # NOTE(review): third-party action referenced by a movable tag (`@v4`);
      # pinning to a full commit SHA keeps a retagged release from changing
      # what runs here.
      - name: Inject slug/short variables
        uses: rlespinasse/github-slug-action@v4
        with:
          short-length: 7

      # Run unit, basic acceptance tests, and ignored tests, only showing command output if the test fails.
      #
      # If some tests hang, add "-- --nocapture" for just that test, or for all the tests.
      #
      # TODO: move this test command into entrypoint.sh
      #       add a separate experimental workflow job if this job is slow
      #
      # The `${{ ... }}` expressions are substituted into the script text before
      # the shell parses it. The ones used here come from configuration
      # variables and the `build` job output; NETWORK, which can come from the
      # manual `network` input, reaches the container through `env:` and
      # `-e NETWORK` instead of being expanded into the script.
      # The image is addressed by digest (`@...image_digest`), not by tag.
      # NOTE(review): no registry login step is visible in this job, so the
      # image is presumably pullable without credentials - confirm.
      - name: Run zebrad tests
        run: |
          docker pull ${{ vars.GAR_BASE }}/${{ vars.CI_IMAGE_NAME }}@${{ needs.build.outputs.image_digest }}
          docker run -e NETWORK --name zebrad-tests --tty ${{ vars.GAR_BASE }}/${{ vars.CI_IMAGE_NAME }}@${{ needs.build.outputs.image_digest }} cargo test --locked --release --features "${{ env.TEST_FEATURES }}" --workspace -- --include-ignored
          # Currently GitHub doesn't allow empty variables
          if [[ -n "${{ vars.RUST_EXPERIMENTAL_FEATURES }}" && "${{ vars.RUST_EXPERIMENTAL_FEATURES }}" != " " ]]; then
            docker run -e NETWORK --name zebrad-tests-experimental --tty ${{ vars.GAR_BASE }}/${{ vars.CI_IMAGE_NAME }}@${{ needs.build.outputs.image_digest }} cargo test --locked --release --features "${{ env.EXPERIMENTAL_FEATURES }} " --workspace -- --include-ignored
          fi
        env:
          NETWORK: ${{ inputs.network || vars.ZCASH_NETWORK }}

  # Run state tests with fake activation heights.
  #
  # This test changes zebra-chain's activation heights,
  # which can recompile all the Zebra crates,
  # so we want its build products to be cached separately.
  #
  # Also, we don't want to accidentally use the fake heights in other tests.
  #
  # (We activate the test features to avoid recompiling dependencies, but we don't actually run any gRPC tests.)
  test-fake-activation-heights:
    name: Test with fake activation heights
    timeout-minutes: 60
    runs-on: ubuntu-latest
    needs: build
    steps:
      # NOTE(review): action reference mangled by e-mail obfuscation in the
      # page capture; restore the real `owner/repo@ref` before use.
      - uses: r7kamura/[email protected]

      # NOTE(review): movable tag (`@v4`); consider pinning to a commit SHA.
      - name: Inject slug/short variables
        uses: rlespinasse/github-slug-action@v4
        with:
          short-length: 7

      # TODO: move this test command into entrypoint.sh
      #       make sure that at least one test runs, and that it doesn't skip itself due to the environmental variable
      #
      # TEST_FAKE_ACTIVATION_HEIGHTS and NETWORK are set in `env:` and forwarded
      # to the container by name with `-e`.
      - name: Run tests with fake activation heights
        run: |
          docker pull ${{ vars.GAR_BASE }}/${{ vars.CI_IMAGE_NAME }}@${{ needs.build.outputs.image_digest }}
          docker run -e NETWORK -e TEST_FAKE_ACTIVATION_HEIGHTS --name zebrad-tests -t ${{ vars.GAR_BASE }}/${{ vars.CI_IMAGE_NAME }}@${{ needs.build.outputs.image_digest }} cargo test --locked --release --features "zebra-test" --package zebra-state --lib -- --nocapture --include-ignored with_fake_activation_heights
        env:
          TEST_FAKE_ACTIVATION_HEIGHTS: '1'
          NETWORK: ${{ inputs.network || vars.ZCASH_NETWORK }}

  # Test that Zebra syncs and checkpoints a few thousand blocks from an empty state.
  test-empty-sync:
    name: Test checkpoint sync from empty state
    timeout-minutes: 60
    runs-on: ubuntu-latest
    needs: build
    steps:
      # NOTE(review): action reference mangled by e-mail obfuscation in the
      # page capture; restore the real `owner/repo@ref` before use.
      - uses: r7kamura/[email protected]

      # NOTE(review): movable tag (`@v4`); consider pinning to a commit SHA.
      - name: Inject slug/short variables
        uses: rlespinasse/github-slug-action@v4
        with:
          short-length: 7

      # TODO: move this test command into entrypoint.sh
      - name: Run zebrad large sync tests
        run: |
          docker pull ${{ vars.GAR_BASE }}/${{ vars.CI_IMAGE_NAME }}@${{ needs.build.outputs.image_digest }}
          docker run -e NETWORK --name zebrad-tests -t ${{ vars.GAR_BASE }}/${{ vars.CI_IMAGE_NAME }}@${{ needs.build.outputs.image_digest }} cargo test --locked --release --features "${{ env.TEST_FEATURES }}" --package zebrad --test acceptance -- --nocapture --include-ignored sync_large_checkpoints_
        env:
          NETWORK: ${{ inputs.network || vars.ZCASH_NETWORK }}

  # Test launching lightwalletd with an empty lightwalletd and Zebra state.
  test-lightwalletd-integration:
    name: Test integration with lightwalletd
    timeout-minutes: 60
    runs-on: ubuntu-latest
    needs: build
    steps:
      # NOTE(review): action reference mangled by e-mail obfuscation in the
      # page capture; restore the real `owner/repo@ref` before use.
      - uses: r7kamura/[email protected]

      # NOTE(review): movable tag (`@v4`); consider pinning to a commit SHA.
      - name: Inject slug/short variables
        uses: rlespinasse/github-slug-action@v4
        with:
          short-length: 7

      # TODO: move this test command into entrypoint.sh
      - name: Run tests with empty lightwalletd launch
        run: |
          docker pull ${{ vars.GAR_BASE }}/${{ vars.CI_IMAGE_NAME }}@${{ needs.build.outputs.image_digest }}
          docker run -e NETWORK -e ZEBRA_TEST_LIGHTWALLETD --name lightwalletd-tests -t ${{ vars.GAR_BASE }}/${{ vars.CI_IMAGE_NAME }}@${{ needs.build.outputs.image_digest }} cargo test --locked --release --features "${{ env.TEST_FEATURES }}" --package zebrad --test acceptance -- --nocapture --include-ignored lightwalletd_integration
        env:
          ZEBRA_TEST_LIGHTWALLETD: '1'
          NETWORK: ${{ inputs.network || vars.ZCASH_NETWORK }}

  # Test that Zebra works using the default config with the latest Zebra version.
  #
  # NOTE(review): `grep_patterns` and `test_variables` look like command-line
  # fragments that the called workflow splices into its own commands; here and
  # in the two jobs below they are fixed strings - confirm how
  # sub-test-zebra-config.yml quotes them.
  test-configuration-file:
    name: Test CI default Docker config file
    needs: build
    uses: ./.github/workflows/sub-test-zebra-config.yml
    with:
      test_id: 'default-conf'
      docker_image: ${{ vars.GAR_BASE }}/${{ vars.CI_IMAGE_NAME }}@${{ needs.build.outputs.image_digest }}
      grep_patterns: '-e "net.*=.*Main.*estimated progress to chain tip.*BeforeOverwinter"'
      test_variables: '-e NETWORK'
      network: 'Mainnet'

  # Test reconfiguring the Docker image for testnet.
  test-configuration-file-testnet:
    name: Test CI testnet Docker config file
    needs: build
    # Make sure Zebra can sync the genesis block on testnet
    uses: ./.github/workflows/sub-test-zebra-config.yml
    with:
      test_id: 'testnet-conf'
      docker_image: ${{ vars.GAR_BASE }}/${{ vars.CI_IMAGE_NAME }}@${{ needs.build.outputs.image_digest }}
      grep_patterns: '-e "net.*=.*Test.*estimated progress to chain tip.*Genesis" -e "net.*=.*Test.*estimated progress to chain tip.*BeforeOverwinter"'
      # TODO: improve the entrypoint to avoid using `ENTRYPOINT_FEATURES=""`
      test_variables: '-e NETWORK -e ZEBRA_CONF_PATH="/etc/zebrad/zebrad.toml" -e ENTRYPOINT_FEATURES=""'
      network: 'Testnet'

  # Test that Zebra works using $ZEBRA_CONF_PATH config
  #
  # Unlike the two jobs above, `network` here can come from the manual
  # `network` input, so it is the one free-form value handed to the called
  # workflow.
  test-zebra-conf-path:
    name: Test CI custom Docker config file
    needs: build
    uses: ./.github/workflows/sub-test-zebra-config.yml
    with:
      test_id: 'custom-conf'
      docker_image: ${{ vars.GAR_BASE }}/${{ vars.CI_IMAGE_NAME }}@${{ needs.build.outputs.image_digest }}
      grep_patterns: '-e "loaded zebrad config.*config_path.*=.*v1.0.0-rc.2.toml"'
      test_variables: '-e NETWORK -e ZEBRA_CONF_PATH="zebrad/tests/common/configs/v1.0.0-rc.2.toml"'
      network: ${{ inputs.network || vars.ZCASH_NETWORK }}

  # Reports failures of the jobs listed in `needs` by opening or updating an
  # issue. This is the only job in the file that passes GITHUB_TOKEN to an
  # action explicitly.
  failure-issue:
    name: Open or update issues for main branch failures
    # When a new test is added to this workflow, add it to this list.
    #
    # This list is for reliable tests that are run on the `main` branch.
    # Testnet jobs are not in this list, because we expect testnet to fail occasionally.
    needs: [ test-all, test-fake-activation-heights, test-empty-sync, test-lightwalletd-integration, test-configuration-file, test-zebra-conf-path ]
    # Only open tickets for failed scheduled jobs, manual workflow runs, or `main` branch merges.
    # (PR statuses are already reported in the PR jobs list, and checked by Mergify.)
    # TODO: if a job times out, we want to create a ticket. Does failure() do that? Or do we need cancelled()?
    #
    # The `github.event.pull_request == null` test keeps this job, and its
    # token use, out of runs triggered by pull requests.
    if: failure() && github.event.pull_request == null
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): third-party action on a movable tag (`@v1`) that receives
      # GITHUB_TOKEN; pinning it to a commit SHA and giving this job an explicit
      # `permissions:` block (presumably `issues: write` is what it needs -
      # confirm against the action's documentation) would limit what a changed
      # release could do with the token.
      - uses: jayqi/failed-build-issue-action@v1
        with:
          title-template: "{{refname}} branch CI failed: {{eventName}} in {{workflow}}"
          # New failures open an issue with this label.
          # TODO: do we want a different label for each workflow, or each kind of workflow?
          label-name: S-ci-fail-auto-issue
          # If there is already an open issue with this label, any failures become comments on that issue.
          always-create-new-issue: false
          github-token: ${{ secrets.GITHUB_TOKEN }}