[StepSecurity] ci: Harden GitHub Actions #2382
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: AT2 | |
on: | |
pull_request: | |
types: | |
- opened | |
- synchronize | |
branches: | |
- master | |
- develop | |
workflow_dispatch: | |
# Cancels any in progress 'workflows' associated with this PR | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
# actions: write needed by skip-duplicate-actions (handled below as per OpenSSF scorecard) | |
permissions: | |
contents: read | |
jobs: | |
# Jobs depend on the output of pre-checks to run. | |
# Cancels new workflows if prior runs were successful (same tree hash) | |
pre-checks: | |
runs-on: ubuntu-latest | |
# actions: write needed by skip-duplicate-actions | |
permissions: | |
actions: write | |
outputs: | |
should_skip: ${{ steps.skip_check.outputs.should_skip }} | |
steps: | |
- id: skip_check | |
uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf # v5.3.1 | |
with: | |
skip_after_successful_duplicate: 'true' | |
gcc10-openmpi416-EXPERIMENTAL: | |
needs: pre-checks | |
runs-on: [self-hosted, gcc-10.3.0_openmpi-4.1.6] | |
if: ${{ needs.pre-checks.outputs.should_skip != 'true' && (github.event.action == 'synchronize' || github.event.action == 'opened' || github.event.review.state == 'APPROVED') }} | |
steps: | |
- name: env | |
env: | |
GITHUB_CONTEXT: ${{ toJson(github) }} | |
run: | | |
env | |
- name: module list | |
shell: bash | |
run: | | |
bash -l -c "module list" | |
printenv PATH | |
- name: Cancel Previous Runs | |
uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # 0.12.1 | |
with: | |
access_token: ${{ github.token }} | |
- name: make dirs | |
working-directory: / | |
run: | | |
mkdir -p /home/Trilinos/src/Trilinos | |
mkdir -p /home/Trilinos/build | |
- name: Clone trilinos | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
fetch-depth: 0 | |
- name: Repo status | |
run: | | |
git fetch --all | |
pwd | |
ls -lhat | |
git status | |
git branch -vv | |
git branch -a | |
- name: get dependencies | |
working-directory: ./packages/framework | |
run: | | |
bash -l -c "./get_dependencies.sh" | |
- name: PullRequestLinuxDriverTest.py | |
shell: bash -l {0} | |
working-directory: /home/Trilinos/build | |
run: | | |
# Set up python-is-python3 hackery | |
mkdir bin | |
pushd bin | |
ln -s $(type -p python3) python | |
export PATH=$(pwd):${PATH} | |
popd | |
export TRILINOS_DIR=${GITHUB_WORKSPACE:?} | |
export PYTHONPATH=${PYTHONPATH}:${TRILINOS_DIR}/packages/framework/GenConfig | |
export PYTHONPATH=${PYTHONPATH}:${TRILINOS_DIR}/packages/framework/pr_tools | |
printf "\n\n\n" | |
echo "image: ${AT2_IMAGE_FULLPATH:-${AT2_IMAGE:-unknown}}" | |
python3 ${GITHUB_WORKSPACE}/packages/framework/pr_tools/PullRequestLinuxDriverTest.py \ | |
--target-branch-name ${{ github.event.pull_request.base.ref }} \ | |
--genconfig-build-name rhel8_gcc-openmpi_debug_shared_no-kokkos-arch_no-asan_complex_no-fpic_mpi_no-pt_no-rdc_no-uvm_deprecated-on_no-package-enables \ | |
--pullrequest-number ${{ github.event.pull_request.number }} \ | |
--pullrequest-env-config-file ${GITHUB_WORKSPACE}/packages/framework/pr_tools/trilinos_pr.ini \ | |
--pullrequest-gen-config-file ${GITHUB_WORKSPACE}/packages/framework/GenConfig/src/gen-config.ini \ | |
--workspace-dir /home/runner/_work/Trilinos \ | |
--source-dir ${GITHUB_WORKSPACE} \ | |
--build-dir /home/Trilinos/build \ | |
--dashboard-build-name=PR-${{ github.event.pull_request.number }}_${AT2_IMAGE}_debug_shared \ | |
--ctest-driver /home/runner/_work/Trilinos/Trilinos/cmake/SimpleTesting/cmake/ctest-driver.cmake \ | |
--ctest-drop-site sems-cdash-son.sandia.gov/cdash \ | |
--filename-subprojects ./package_subproject_list.cmake \ | |
--filename-packageenables ./packageEnables.cmake \ | |
--max-cores-allowed=29 \ | |
--num-concurrent-tests=16 | |
- name: Summary | |
if: ${{ !cancelled() }} | |
shell: bash -l {0} | |
working-directory: /home/Trilinos/build | |
run: | | |
echo "## Image" >> $GITHUB_STEP_SUMMARY | |
echo "image: ${AT2_IMAGE_FULLPATH:-${AT2_IMAGE:-unknown}}" >> $GITHUB_STEP_SUMMARY | |
echo "## CDash Links" >> $GITHUB_STEP_SUMMARY | |
echo "### Current Build" >> $GITHUB_STEP_SUMMARY | |
AT2_URL=$(</home/runner/AT2_URL.txt) | |
echo $AT2_URL >> $GITHUB_STEP_SUMMARY | |
echo "### All Builds" >> $GITHUB_STEP_SUMMARY | |
AT2_ALL_BUILDS=$(</home/runner/AT2_ALL_BUILDS.txt) | |
echo $AT2_ALL_BUILDS >> $GITHUB_STEP_SUMMARY | |
echo "## Helpful Links" >> $GITHUB_STEP_SUMMARY | |
echo "https://github.com/trilinos/Trilinos/wiki/Containers" >> $GITHUB_STEP_SUMMARY | |
echo "https://gitlab-ex.sandia.gov/trilinos-project/trilinos-containers/-/wikis/Containers-at-Sandia" >> $GITHUB_STEP_SUMMARY | |
gcc830: | |
needs: pre-checks | |
runs-on: [self-hosted, gcc-8.3.0_serial] | |
if: ${{ needs.pre-checks.outputs.should_skip != 'true' && (github.event.action == 'synchronize' || github.event.action == 'opened' || github.event.review.state == 'APPROVED') }} | |
steps: | |
- name: env | |
env: | |
GITHUB_CONTEXT: ${{ toJson(github) }} | |
run: | | |
env | |
- name: module list | |
shell: bash | |
run: | | |
bash -l -c "module list" | |
printenv PATH | |
- name: Cancel Previous Runs | |
uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # 0.12.1 | |
with: | |
access_token: ${{ github.token }} | |
- name: make dirs | |
working-directory: / | |
run: | | |
mkdir -p /home/Trilinos/src/Trilinos | |
mkdir -p /home/Trilinos/build | |
- name: Clone trilinos | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
fetch-depth: 0 | |
- name: Repo status | |
run: | | |
git fetch --all | |
pwd | |
ls -lhat | |
git status | |
git branch -vv | |
git branch -a | |
- name: get dependencies | |
working-directory: ./packages/framework | |
run: | | |
bash -l -c "./get_dependencies.sh" | |
- name: PullRequestLinuxDriverTest.py | |
shell: bash -l {0} | |
working-directory: /home/Trilinos/build | |
run: | | |
# Set up python-is-python3 hackery | |
mkdir bin | |
pushd bin | |
ln -s $(type -p python3) python | |
export PATH=$(pwd):${PATH} | |
popd | |
export TRILINOS_DIR=${GITHUB_WORKSPACE:?} | |
export PYTHONPATH=${PYTHONPATH}:${TRILINOS_DIR}/packages/framework/GenConfig | |
export PYTHONPATH=${PYTHONPATH}:${TRILINOS_DIR}/packages/framework/pr_tools | |
printf "\n\n\n" | |
echo "image: ${AT2_IMAGE_FULLPATH:-${AT2_IMAGE:-unknown}}" | |
python3 ${GITHUB_WORKSPACE}/packages/framework/pr_tools/PullRequestLinuxDriverTest.py \ | |
--target-branch-name ${{ github.event.pull_request.base.ref }} \ | |
--genconfig-build-name rhel8_gcc-serial_release-debug_shared_no-kokkos-arch_no-asan_no-complex_no-fpic_no-mpi_no-pt_no-rdc_no-uvm_deprecated-on_no-package-enables \ | |
--pullrequest-number ${{ github.event.pull_request.number }} \ | |
--pullrequest-env-config-file ${GITHUB_WORKSPACE}/packages/framework/pr_tools/trilinos_pr.ini \ | |
--pullrequest-gen-config-file ${GITHUB_WORKSPACE}/packages/framework/GenConfig/src/gen-config.ini \ | |
--workspace-dir /home/runner/_work/Trilinos \ | |
--source-dir ${GITHUB_WORKSPACE} \ | |
--build-dir /home/Trilinos/build \ | |
--dashboard-build-name=PR-${{ github.event.pull_request.number }}_${AT2_IMAGE}_release-debug_shared \ | |
--ctest-driver /home/runner/_work/Trilinos/Trilinos/cmake/SimpleTesting/cmake/ctest-driver.cmake \ | |
--ctest-drop-site sems-cdash-son.sandia.gov/cdash \ | |
--filename-subprojects ./package_subproject_list.cmake \ | |
--filename-packageenables ./packageEnables.cmake \ | |
--max-cores-allowed=29 \ | |
--num-concurrent-tests=16 | |
- name: Summary | |
if: ${{ !cancelled() }} | |
shell: bash -l {0} | |
working-directory: /home/Trilinos/build | |
run: | | |
echo "## Image" >> $GITHUB_STEP_SUMMARY | |
echo "image: ${AT2_IMAGE_FULLPATH:-${AT2_IMAGE:-unknown}}" >> $GITHUB_STEP_SUMMARY | |
echo "## CDash Links" >> $GITHUB_STEP_SUMMARY | |
echo "### Current Build" >> $GITHUB_STEP_SUMMARY | |
AT2_URL=$(</home/runner/AT2_URL.txt) | |
echo $AT2_URL >> $GITHUB_STEP_SUMMARY | |
echo "### All Builds" >> $GITHUB_STEP_SUMMARY | |
AT2_ALL_BUILDS=$(</home/runner/AT2_ALL_BUILDS.txt) | |
echo $AT2_ALL_BUILDS >> $GITHUB_STEP_SUMMARY | |
echo "## Helpful Links" >> $GITHUB_STEP_SUMMARY | |
echo "https://github.com/trilinos/Trilinos/wiki/Containers" >> $GITHUB_STEP_SUMMARY | |
echo "https://gitlab-ex.sandia.gov/trilinos-project/trilinos-containers/-/wikis/Containers-at-Sandia" >> $GITHUB_STEP_SUMMARY | |
cuda11-EXPERIMENTAL: | |
needs: pre-checks | |
runs-on: [self-hosted, cuda-11.4.2_gcc-10.3.0_openmpi-4.1.6] | |
if: ${{ needs.pre-checks.outputs.should_skip != 'true' && (github.event.action == 'synchronize' || github.event.action == 'opened' || github.event.review.state == 'APPROVED') }} | |
steps: | |
- name: env | |
env: | |
GITHUB_CONTEXT: ${{ toJson(github) }} | |
run: | | |
env | |
- name: module list | |
shell: bash | |
run: | | |
bash -l -c "module list" | |
printenv PATH | |
- name: Cancel Previous Runs | |
uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # 0.12.1 | |
with: | |
access_token: ${{ github.token }} | |
- name: make dirs | |
working-directory: / | |
run: | | |
mkdir -p /home/Trilinos/src/Trilinos | |
mkdir -p /home/Trilinos/build | |
- name: Clone trilinos | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
fetch-depth: 0 | |
- name: Repo status | |
run: | | |
git fetch --all | |
pwd | |
ls -lhat | |
git status | |
git branch -vv | |
git branch -a | |
- name: get dependencies | |
working-directory: ./packages/framework | |
run: | | |
bash -l -c "./get_dependencies.sh" | |
- name: PullRequestLinuxDriverTest.py | |
shell: bash -l {0} | |
working-directory: /home/Trilinos/build | |
run: | | |
mkdir bin | |
pushd bin | |
ln -s $(type -p python3) python | |
export PATH=$(pwd):${PATH} | |
popd | |
export TRILINOS_DIR=${GITHUB_WORKSPACE:?} | |
export PYTHONPATH=${PYTHONPATH}:${TRILINOS_DIR}/packages/framework/GenConfig | |
export PYTHONPATH=${PYTHONPATH}:${TRILINOS_DIR}/packages/framework/pr_tools | |
printf "\n\n\n" | |
echo "image: ${AT2_IMAGE_FULLPATH:-${AT2_IMAGE:-unknown}}" | |
type python | |
python3 ${GITHUB_WORKSPACE}/packages/framework/pr_tools/PullRequestLinuxDriverTest.py \ | |
--target-branch-name ${{ github.event.pull_request.base.ref }} \ | |
--genconfig-build-name rhel8_cuda-11-gcc-openmpi_release_static_Ampere80_no-asan_complex_no-fpic_mpi_pt_no-rdc_no-uvm_deprecated-on_no-package-enables \ | |
--pullrequest-number ${{ github.event.pull_request.number }} \ | |
--pullrequest-env-config-file ${GITHUB_WORKSPACE}/packages/framework/pr_tools/trilinos_pr.ini \ | |
--pullrequest-gen-config-file ${GITHUB_WORKSPACE}/packages/framework/GenConfig/src/gen-config.ini \ | |
--workspace-dir /home/runner/_work/Trilinos \ | |
--source-dir ${GITHUB_WORKSPACE} \ | |
--build-dir /home/Trilinos/build \ | |
--dashboard-build-name=PR-${{ github.event.pull_request.number }}_${AT2_IMAGE}_release_static \ | |
--ctest-driver /home/runner/_work/Trilinos/Trilinos/cmake/SimpleTesting/cmake/ctest-driver.cmake \ | |
--ctest-drop-site sems-cdash-son.sandia.gov/cdash \ | |
--filename-subprojects ./package_subproject_list.cmake \ | |
--filename-packageenables ./packageEnables.cmake \ | |
--max-cores-allowed=56 \ | |
--num-concurrent-tests=112 \ | |
--slots-per-gpu=8 | |
- name: Summary | |
if: ${{ !cancelled() }} | |
shell: bash -l {0} | |
working-directory: /home/Trilinos/build | |
run: | | |
echo "## Image" >> $GITHUB_STEP_SUMMARY | |
echo "image: ${AT2_IMAGE_FULLPATH:-${AT2_IMAGE:-unknown}}" >> $GITHUB_STEP_SUMMARY | |
echo "## CDash Links" >> $GITHUB_STEP_SUMMARY | |
echo "### Current Build" >> $GITHUB_STEP_SUMMARY | |
AT2_URL=$(</home/runner/AT2_URL.txt) | |
echo $AT2_URL >> $GITHUB_STEP_SUMMARY | |
echo "### All Builds" >> $GITHUB_STEP_SUMMARY | |
AT2_ALL_BUILDS=$(</home/runner/AT2_ALL_BUILDS.txt) | |
echo $AT2_ALL_BUILDS >> $GITHUB_STEP_SUMMARY | |
echo "## Helpful Links" >> $GITHUB_STEP_SUMMARY | |
echo "https://github.com/trilinos/Trilinos/wiki/Containers" >> $GITHUB_STEP_SUMMARY | |
echo "https://gitlab-ex.sandia.gov/trilinos-project/trilinos-containers/-/wikis/Containers-at-Sandia" >> $GITHUB_STEP_SUMMARY | |
framework-tests: | |
needs: pre-checks | |
runs-on: [self-hosted, python-3.9] | |
if: ${{ needs.pre-checks.outputs.should_skip != 'true' && (github.event.action == 'synchronize' || github.event.action == 'opened' || github.event.review.state == 'APPROVED') }} | |
steps: | |
- name: env | |
env: | |
GITHUB_CONTEXT: ${{ toJson(github) }} | |
run: | | |
env | |
- name: module list | |
shell: bash | |
run: | | |
bash -l -c "module list" | |
printenv PATH | |
- name: Cancel Previous Runs | |
uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # 0.12.1 | |
with: | |
access_token: ${{ github.token }} | |
- name: make dirs | |
working-directory: / | |
run: | | |
mkdir -p /home/Trilinos/src/Trilinos | |
mkdir -p /home/Trilinos/build | |
- name: Clone trilinos | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
fetch-depth: 0 | |
- name: Repo status | |
run: | | |
git fetch --all | |
pwd | |
ls -lhat | |
git status | |
git branch -vv | |
git branch -a | |
- name: get dependencies | |
working-directory: ./packages/framework | |
run: | | |
bash -l -c "./get_dependencies.sh" | |
- name: PullRequestLinuxDriverTest.py | |
shell: bash -l {0} | |
working-directory: /home/Trilinos/build | |
run: | | |
mkdir bin | |
pushd bin | |
ln -s $(type -p python3) python | |
export PATH=$(pwd):${PATH} | |
popd | |
export TRILINOS_DIR=${GITHUB_WORKSPACE:?} | |
export PYTHONPATH=${PYTHONPATH}:${TRILINOS_DIR}/packages/framework/GenConfig | |
export PYTHONPATH=${PYTHONPATH}:${TRILINOS_DIR}/packages/framework/pr_tools | |
printf "\n\n\n" | |
echo "image: ${AT2_IMAGE_FULLPATH:-${AT2_IMAGE:-unknown}}" | |
type python | |
python3 ${GITHUB_WORKSPACE}/packages/framework/pr_tools/PullRequestLinuxDriverTest.py \ | |
--target-branch-name ${{ github.event.pull_request.base.ref }} \ | |
--genconfig-build-name rhel8_python_debug_shared_no-kokkos-arch_no-asan_no-complex_no-fpic_no-mpi_no-pt_no-rdc_no-uvm_deprecated-on_pr-framework \ | |
--pullrequest-number ${{ github.event.pull_request.number }} \ | |
--pullrequest-env-config-file ${GITHUB_WORKSPACE}/packages/framework/pr_tools/trilinos_pr.ini \ | |
--pullrequest-gen-config-file ${GITHUB_WORKSPACE}/packages/framework/GenConfig/src/gen-config.ini \ | |
--workspace-dir /home/runner/_work/Trilinos \ | |
--source-dir ${GITHUB_WORKSPACE} \ | |
--build-dir /home/Trilinos/build \ | |
--dashboard-build-name=PR-${{ github.event.pull_request.number }}_${AT2_IMAGE}_framework-tests \ | |
--ctest-driver /home/runner/_work/Trilinos/Trilinos/cmake/SimpleTesting/cmake/ctest-driver.cmake \ | |
--ctest-drop-site sems-cdash-son.sandia.gov/cdash \ | |
--filename-subprojects ./package_subproject_list.cmake \ | |
--skip-create-packageenables \ | |
- name: Summary | |
if: ${{ !cancelled() }} | |
shell: bash -l {0} | |
working-directory: /home/Trilinos/build | |
run: | | |
echo "## Image" >> $GITHUB_STEP_SUMMARY | |
echo "image: ${AT2_IMAGE_FULLPATH:-${AT2_IMAGE:-unknown}}" >> $GITHUB_STEP_SUMMARY | |
echo "## CDash Links" >> $GITHUB_STEP_SUMMARY | |
echo "### Current Build" >> $GITHUB_STEP_SUMMARY | |
AT2_URL=$(</home/runner/AT2_URL.txt) | |
echo $AT2_URL >> $GITHUB_STEP_SUMMARY | |
echo "### All Builds" >> $GITHUB_STEP_SUMMARY | |
AT2_ALL_BUILDS=$(</home/runner/AT2_ALL_BUILDS.txt) | |
echo $AT2_ALL_BUILDS >> $GITHUB_STEP_SUMMARY | |
echo "## Helpful Links" >> $GITHUB_STEP_SUMMARY | |
echo "https://github.com/trilinos/Trilinos/wiki/Containers" >> $GITHUB_STEP_SUMMARY | |
echo "https://gitlab-ex.sandia.gov/trilinos-project/trilinos-containers/-/wikis/Containers-at-Sandia" >> $GITHUB_STEP_SUMMARY |