Skip to content

Bump step-security/harden-runner from 2.7.0 to 2.10.2 #144

Bump step-security/harden-runner from 2.7.0 to 2.10.2

Bump step-security/harden-runner from 2.7.0 to 2.10.2 #144

# Copyright (c) the JPEG XL Project Authors. All rights reserved.
#
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
# Workflow for building and running tests.
name: Build/Test WASM
on:
merge_group:
push:
branches:
- main
- v*.*.x
pull_request:
types: [opened, reopened, labeled, unlabeled, synchronize]
permissions:
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
jobs:
build_test:
name: WASM wasm32/${{ matrix.variant }}
if: ${{ !contains(github.event.pull_request.labels.*.name, 'CI:none') }}
runs-on: ubuntu-latest
env:
CCACHE_DIR: ${{ github.workspace }}/.ccache
BUILD_TARGET: wasm32
EM_VERSION: 3.1.51
NODE_VERSION: 21
strategy:
matrix:
include:
- variant: scalar
- variant: simd-128
- variant: simd-256
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
submodules: true
fetch-depth: 1
- name: Install build deps
shell: bash
run: |
set -x
sudo rm -f /var/lib/man-db/auto-update
sudo apt update
pkgs=(
# Build dependencies
ccache
cmake
doxygen
graphviz
ninja-build
pkg-config
)
DEBIAN_FRONTEND=noninteractive sudo apt install -y "${pkgs[@]}"
- name: Git environment
id: git-env
run: |
echo "parent=$(git rev-parse ${{ github.sha }}^)" >> $GITHUB_OUTPUT
shell: bash
- name: ccache
uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
with:
path: ${{ env.CCACHE_DIR }}
key: build-wasm-${{ runner.os }}-${{ github.sha }}-${{ matrix.variant }}
restore-keys: |
build-wasm-${{ runner.os }}-${{ steps.git-env.outputs.parent }}-${{ matrix.variant }}
- name: Install node
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: ${{env.NODE_VERSION}}
- name: Get non-EMSDK node path
run: which node >> $HOME/.base_node_path
- name: Install emsdk
uses: mymindstorm/setup-emsdk@6ab9eb1bda2574c4ddb79809fc9247783eaf9021 # v14
# TODO(deymo): We could cache this action but it doesn't work when running
# in a matrix.
with:
version: ${{env.EM_VERSION}}
no-cache: true
- name: Set EMSDK node version
run: |
echo "NODE_JS='$(cat $HOME/.base_node_path)'" >> $EMSDK/.emscripten
emsdk construct_env
# TODO(deymo): Build and install other dependencies like libpng, libjpeg,
# etc.
- name: Build
run: |
mkdir -p ${CCACHE_DIR}
echo "max_size = 200M" > ${CCACHE_DIR}/ccache.conf
if [[ "${{ matrix.variant }}" == "simd-128" ]]; then
export ENABLE_WASM_SIMD=1
fi
if [[ "${{ matrix.variant }}" == "simd-256" ]]; then
export ENABLE_WASM_SIMD=2
fi
./ci.sh release \
-DCMAKE_CXX_COMPILER_LAUNCHER=ccache \
-DCMAKE_C_COMPILER_LAUNCHER=ccache \
-DJPEGXL_ENABLE_BENCHMARK=OFF \
-DJPEGXL_ENABLE_DEVTOOLS=OFF \
-DJPEGXL_ENABLE_DOXYGEN=OFF \
-DJPEGXL_ENABLE_EXAMPLES=OFF \
-DJPEGXL_ENABLE_JNI=OFF \
-DJPEGXL_ENABLE_MANPAGES=OFF \
-DJPEGXL_ENABLE_PLUGINS=OFF \
-DJPEGXL_ENABLE_TOOLS=OFF \
-DJPEGXL_ENABLE_VIEWERS=OFF
env:
SKIP_TEST: 1
TARGETS: all
- name: ccache stats
run: ccache --show-stats
- name: Test
if: |
github.event_name == 'push' ||
(github.event_name == 'pull_request' &&
contains(github.event.pull_request.labels.*.name, 'CI:full'))
run: |
./ci.sh test