Bump step-security/harden-runner from 2.7.0 to 2.10.2 #144
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Copyright (c) the JPEG XL Project Authors. All rights reserved. | |
# | |
# Use of this source code is governed by a BSD-style | |
# license that can be found in the LICENSE file. | |
# Workflow for building and running tests. | |
name: Build/Test WASM | |
on: | |
merge_group: | |
push: | |
branches: | |
- main | |
- v*.*.x | |
pull_request: | |
types: [opened, reopened, labeled, unlabeled, synchronize] | |
permissions: | |
contents: read | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }} | |
cancel-in-progress: ${{ github.event_name == 'pull_request' }} | |
jobs: | |
build_test: | |
name: WASM wasm32/${{ matrix.variant }} | |
if: ${{ !contains(github.event.pull_request.labels.*.name, 'CI:none') }} | |
runs-on: ubuntu-latest | |
env: | |
CCACHE_DIR: ${{ github.workspace }}/.ccache | |
BUILD_TARGET: wasm32 | |
EM_VERSION: 3.1.51 | |
NODE_VERSION: 21 | |
strategy: | |
matrix: | |
include: | |
- variant: scalar | |
- variant: simd-128 | |
- variant: simd-256 | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
with: | |
egress-policy: audit | |
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 | |
with: | |
submodules: true | |
fetch-depth: 1 | |
- name: Install build deps | |
shell: bash | |
run: | | |
set -x | |
sudo rm -f /var/lib/man-db/auto-update | |
sudo apt update | |
pkgs=( | |
# Build dependencies | |
ccache | |
cmake | |
doxygen | |
graphviz | |
ninja-build | |
pkg-config | |
) | |
DEBIAN_FRONTEND=noninteractive sudo apt install -y "${pkgs[@]}" | |
- name: Git environment | |
id: git-env | |
run: | | |
echo "parent=$(git rev-parse ${{ github.sha }}^)" >> $GITHUB_OUTPUT | |
shell: bash | |
- name: ccache | |
uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 | |
with: | |
path: ${{ env.CCACHE_DIR }} | |
key: build-wasm-${{ runner.os }}-${{ github.sha }}-${{ matrix.variant }} | |
restore-keys: | | |
build-wasm-${{ runner.os }}-${{ steps.git-env.outputs.parent }}-${{ matrix.variant }} | |
- name: Install node | |
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 | |
with: | |
node-version: ${{env.NODE_VERSION}} | |
- name: Get non-EMSDK node path | |
run: which node >> $HOME/.base_node_path | |
- name: Install emsdk | |
uses: mymindstorm/setup-emsdk@6ab9eb1bda2574c4ddb79809fc9247783eaf9021 # v14 | |
# TODO(deymo): We could cache this action but it doesn't work when running | |
# in a matrix. | |
with: | |
version: ${{env.EM_VERSION}} | |
no-cache: true | |
- name: Set EMSDK node version | |
run: | | |
echo "NODE_JS='$(cat $HOME/.base_node_path)'" >> $EMSDK/.emscripten | |
emsdk construct_env | |
# TODO(deymo): Build and install other dependencies like libpng, libjpeg, | |
# etc. | |
- name: Build | |
run: | | |
mkdir -p ${CCACHE_DIR} | |
echo "max_size = 200M" > ${CCACHE_DIR}/ccache.conf | |
if [[ "${{ matrix.variant }}" == "simd-128" ]]; then | |
export ENABLE_WASM_SIMD=1 | |
fi | |
if [[ "${{ matrix.variant }}" == "simd-256" ]]; then | |
export ENABLE_WASM_SIMD=2 | |
fi | |
./ci.sh release \ | |
-DCMAKE_CXX_COMPILER_LAUNCHER=ccache \ | |
-DCMAKE_C_COMPILER_LAUNCHER=ccache \ | |
-DJPEGXL_ENABLE_BENCHMARK=OFF \ | |
-DJPEGXL_ENABLE_DEVTOOLS=OFF \ | |
-DJPEGXL_ENABLE_DOXYGEN=OFF \ | |
-DJPEGXL_ENABLE_EXAMPLES=OFF \ | |
-DJPEGXL_ENABLE_JNI=OFF \ | |
-DJPEGXL_ENABLE_MANPAGES=OFF \ | |
-DJPEGXL_ENABLE_PLUGINS=OFF \ | |
-DJPEGXL_ENABLE_TOOLS=OFF \ | |
-DJPEGXL_ENABLE_VIEWERS=OFF | |
env: | |
SKIP_TEST: 1 | |
TARGETS: all | |
- name: ccache stats | |
run: ccache --show-stats | |
- name: Test | |
if: | | |
github.event_name == 'push' || | |
(github.event_name == 'pull_request' && | |
contains(github.event.pull_request.labels.*.name, 'CI:full')) | |
run: | | |
./ci.sh test |