dev.yml

# The primary point of this workflow is to ensure that the developer experience is good.
# We take a very vanilla ubuntu image, install all necessary dependencies via "normal" means,
# and then run the build and test steps as described in the README.md file.

# The artifacts produced by these builds are not intended to be used for anything other than
# ensuring that the developer experience is good.

# Production artifacts are produced via nix builds (in another CI workflow).

name: "dev.yml"

on:
  pull_request: {}
  push:
    branches:
      - "main"
    tags:
      - "v*"
  merge_group:
    types: ["checks_requested"]
  workflow_dispatch:
    inputs:
      debug_enabled:
        type: "boolean"
        description: "Run with tmate enabled"
        required: false
        default: false
      debug_justfile:
        type: "boolean"
        description: "enable to see debug statements from just recipes"
        required: false
        default: false
      skip_vlab_tests:
        type: "boolean"
        description: "Skip VLAB tests (they run by default)"
        required: false
        default: false
      run_hlab_tests:
        type: "boolean"
        description: "Run hybrid HLAB tests"
        required: false
        default: false
      enable_release_tests:
        type: "boolean"
        description: "Enable release tests for VLAB/HLAB tests"
        required: false
        default: false

concurrency:
  group: "${{ github.workflow }}:${{ github.event.pull_request.number || github.event.after || github.event.merge_group && github.run_id }}"
  cancel-in-progress: true

permissions:
  contents: "read"
  packages: "write"
  id-token: "write"

jobs:
  check_changes:
    name: "Deduce required tests from code changes"
    permissions:
      contents: "read"
      pull-requests: "read"
    runs-on: "ubuntu-latest"
    outputs:
      devfiles: "${{ steps.changes.outputs.devfiles }}"
    steps:
      - name: "Checkout"
        if: "${{ !github.event.pull_request }}"
        uses: "actions/checkout@v6"
        with:
          persist-credentials: "false"
          fetch-depth: "0"
      - name: "Check code changes"
        uses: "dorny/paths-filter@v4"
        id: "changes"
        with:
          filters: |
            devfiles:
              - '!(README.md|LICENSE|NOTICE|.zed/**|.vscode/**|CLAUDE.md|.rules|development/**|testing.md|workspace-deps.svg|codebook.toml|.markdownlint.json|.gitattributes|.gitignore|.github/**)'
              - '.github/workflows/dev.yml'

  version:
    runs-on: lab

    permissions:
      contents: read

    outputs:
      version: "${{ steps.version-gen.outputs.version }}"
      ref: "${{ steps.version-gen.outputs.ref }}"

    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          fetch-depth: 0

      - name: Generate temp artifacts version
        id: version-gen
        env:
          commit_sha: ${{ github.event.pull_request.head.sha || github.sha }}
        run: |
          echo "version=v0-${commit_sha::9}" >> "$GITHUB_OUTPUT"
          echo "ref=${commit_sha}" >> "$GITHUB_OUTPUT"

  build:
    if: >-
      ${{
        needs.check_changes.outputs.devfiles == 'true'
        || startsWith(github.event.ref, 'refs/tags/v')
        || github.event_name == 'workflow_dispatch'
      }}
    name: "${{matrix.nix-target}}/${{matrix.build.name}}"
    continue-on-error: ${{ matrix.build.optional || false }}
    runs-on: lab
    needs:
      - check_changes
      - version
    permissions:
      checks: "write"
      pull-requests: "write"
      contents: "read"
      packages: "write"
      id-token: "write"
    env:
      USER: "runner"
    strategy:
      fail-fast: false
      matrix:
        nix-target:
          - tests.all
          - frr.dataplane
          - dataplane
        build:
          - name: "debug"
            profile: "debug"
            sanitize: ""
            instrument: "none"
          - name: "release"
            profile: "release"
            sanitize: "" # TODO: enable cfi and safe-stack when possible
            instrument: "none"
        debug_justfile:
          - "${{ github.event_name == 'workflow_dispatch' && github.event.inputs.debug_justfile || false }}"
    steps:
      - name: "login to ghcr.io"
        uses: "docker/login-action@v4"
        with:
          registry: ghcr.io
          username: "${{ github.actor }}"
          password: "${{ secrets.GITHUB_TOKEN }}"

      - name: "login to image cache"
        run: |
          echo "$REGISTRY_PASSWORD" | docker login -u "$REGISTRY_USERNAME" --password-stdin "$REGISTRY_URL"

      # it's temporarily needed to install skopeo
      - name: Setup Go
        uses: actions/setup-go@v6
        with:
          go-version: stable
          cache: true

      - name: "Checkout"
        uses: "actions/checkout@v6"
        with:
          persist-credentials: "false"
          fetch-depth: "0"

      - name: "Install nix"
        uses: cachix/install-nix-action@v31
        with:
          github_access_token: ${{ secrets.GITHUB_TOKEN }}
          nix_path: nixpkgs=channel:nixpkgs-unstable

      - uses: "cachix/cachix-action@v17"
        with:
          name: "hedgehog"
          # prettier-ignore
          signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
          # prettier-ignore
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'

      - name: "run pre-flight checks"
        if: ${{ matrix.nix-target == 'tests.all' }}
        run: |
          nix-shell --run '
            for features in "" "shuttle"; do
              just \
                  docker_sock=/run/docker/docker.sock \
                  debug_justfile=${{matrix.debug_justfile}} \
                  profile="${{matrix.build.profile}}" \
                  sanitize="${{matrix.build.sanitize}}" \
                  instrument="${{matrix.build.instrument}}" \
                  features="${features}" \
                  oci_repo="ghcr.io" \
                  pre-flight
            done
          '

      - name: "push container"
        if: ${{ matrix.nix-target != 'tests.all' }}
        run: |
          nix-shell --run "just \
              debug_justfile=${{matrix.debug_justfile}} \
              check-dependencies"
          for v in "" "version=${{ needs.version.outputs.version }}-${{ matrix.build.profile }}"; do
            nix-shell --run "
                just \
                    docker_sock=/run/docker/docker.sock \
                    debug_justfile=${{ github.event_name == 'workflow_dispatch' && github.event.inputs.debug_justfile || false }} \
                    profile=${{ matrix.build.profile }} \
                    sanitize=${{ matrix.build.sanitize }} \
                    instrument=${{ matrix.build.instrument }} \
                    oci_repo=ghcr.io \
                    $v \
                    push-container ${{ matrix.nix-target }}
            "
          done

      - name: "Setup tmate session for debug"
        if: ${{ failure() && github.event_name == 'workflow_dispatch' && inputs.debug_enabled }}
        uses: "mxschmitt/action-tmate@v3"
        timeout-minutes: 60
        with:
          limit-access-to-actor: true

  vlab:
    if: "${{ needs.check_changes.outputs.devfiles == 'true' || (startsWith(github.event.ref, 'refs/tags/v') || startsWith(github.ref, 'refs/tags/v')) && (github.event_name == 'push' || github.event_name == 'workflow_dispatch') }}"
    needs:
      - check_changes
      - build
      - version

    name: "${{ matrix.hybrid && 'h' || 'v' }}-${{ matrix.upgradefrom && 'up' || '' }}${{ matrix.upgradefrom }}${{ matrix.upgradefrom && '-' || '' }}${{ matrix.mesh && 'mesh-' || '' }}${{ matrix.gateway && 'gw-' || '' }}${{ matrix.includeonie && 'onie-' || '' }}${{ matrix.buildmode }}-${{ matrix.vpcmode }}"

    uses: githedgehog/fabricator/.github/workflows/run-vlab.yaml@master
    with:
      # ci:+hlab is required to enable hybrid lab tests on PR
      # ci:+vlab is required to enable virtual lab tests on PR
      # ci:-upgrade disables upgrade tests on PR
      # hlab is disabled for main and merge_queue till we have gateway tests for it
      skip: >-
        ${{
          github.event_name == 'pull_request'
          && (
            matrix.hybrid && !contains(github.event.pull_request.labels.*.name, 'ci:+hlab')
            || !matrix.hybrid && !contains(github.event.pull_request.labels.*.name, 'ci:+vlab')
            || matrix.upgradefrom != '' && contains(github.event.pull_request.labels.*.name, 'ci:-upgrade')
          )

          || github.event_name == 'workflow_dispatch'
          && (
            matrix.hybrid && inputs.run_hlab_tests != true
            || !matrix.hybrid && inputs.skip_vlab_tests == true
          )

          || (github.event_name == 'push' || github.event_name == 'merge_group')
          && matrix.hybrid
        }}
      fabricatorref: master
      prebuild: |
        just bump dataplane ${{ needs.version.outputs.version }}-release
        just bump frr ${{ needs.version.outputs.version }}-release
      fabricmode: ${{ matrix.fabricmode }}
      gateway: ${{ matrix.gateway }}
      includeonie: ${{ matrix.includeonie }}
      buildmode: ${{ matrix.buildmode }}
      vpcmode: ${{ matrix.vpcmode }}
      releasetest: ${{ contains(github.event.pull_request.labels.*.name, 'ci:+release') || inputs.enable_release_tests == true }}
      hybrid: ${{ matrix.hybrid }}
      upgradefrom: ${{ matrix.upgradefrom }}

    strategy:
      fail-fast: false
      matrix:
        fabricmode:
          - spine-leaf
        gateway:
          - true
        includeonie:
          - false
        buildmode:
          - iso
        vpcmode:
          - l2vni
        hybrid:
          - false
        upgradefrom:
          - ""
        include:
          # gateway l3vni
          - fabricmode: spine-leaf
            gateway: true
            includeonie: false
            buildmode: iso
            vpcmode: l3vni
            hybrid: false
            upgradefrom: ""

          # hlab gateway l2vni
          - fabricmode: spine-leaf
            gateway: true
            includeonie: false
            buildmode: iso
            vpcmode: l2vni
            hybrid: true
            upgradefrom: ""

  summary:
    name: "Summary"
    runs-on: "ubuntu-latest"
    needs:
      - build
      - vlab
    # Run always, except when the "build" job was skipped.
    #
    # When the build job is skipped, summary will be marked as skipped, and
    # it's OK for CI (it's not a failure).
    # Why don't we do the same for build jobs? Because their names depend on
    # matrix values, and if we skip them the names won't be generated and
    # GitHub won't be able to find skipped jobs for required status checks.
    if: ${{ always() }}
    steps:
      - name: "Flag any build matrix failures"
        if: ${{ needs.build.result != 'success' && needs.build.result != 'skipped' }}
        run: |
          echo '::error:: Some build job(s) failed'
          exit 1
      - name: "Flag any vlab matrix failures"
        if: ${{ needs.vlab.result != 'success' && needs.vlab.result != 'skipped' }}
        run: |
          echo '::error:: Some vlab job(s) failed'
          exit 1

  publish:
    runs-on: lab
    if: startsWith(github.event.ref, 'refs/tags/v') && github.event_name == 'push'
    needs:
      - build
      - vlab

    permissions:
      packages: write
      contents: read

    env:
      USER: "runner"

    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          fetch-depth: 0

      - name: Setup Go
        uses: actions/setup-go@v6
        with:
          go-version: stable
          cache: true

      - name: Login to ghcr.io
        uses: docker/login-action@v4
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: "Install nix"
        uses: cachix/install-nix-action@v31
        with:
          github_access_token: ${{ secrets.GITHUB_TOKEN }}
          nix_path: nixpkgs=channel:nixpkgs-unstable

      - uses: "cachix/cachix-action@v17"
        with:
          name: "hedgehog"
          # prettier-ignore
          signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
          # prettier-ignore
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'

      - name: "push containers"
        run: |
          nix-shell --run "
            just \
              docker_sock=/run/docker/docker.sock \
              oci_repo=ghcr.io \
              version=${{ github.ref_name }} \
              push
          "

      # Bump dataplane in the fabricator repository

      - name: Checkout fabricator repository
        uses: actions/checkout@v6
        with:
          repository: githedgehog/fabricator
          path: fab-repo
          persist-credentials: false

      - name: Bump dataplane+frr in fabricator
        working-directory: fab-repo
        run: |
          sed -i "s/^\tDataplaneVersion.*/\tDataplaneVersion=meta.Version(\"${{ github.ref_name }}\")/" pkg/fab/versions.go
          sed -i "s/^\tFRRVersion.*/\tFRRVersion=meta.Version(\"${{ github.ref_name }}\")/" pkg/fab/versions.go
          go fmt pkg/fab/versions.go

      - name: Generate token for the fabricator repository
        uses: actions/create-github-app-token@v3
        id: fab-app-token
        with:
          app-id: ${{ secrets.FAB_APP_ID }}
          private-key: ${{ secrets.FAB_PRIVATE_KEY }}
          repositories: |
            fabricator

      - name: Create Pull Request for fabricator
        uses: peter-evans/create-pull-request@v8
        id: fab-pr
        with:
          token: ${{ steps.fab-app-token.outputs.token }}
          path: fab-repo
          branch: pr/auto/dataplane-bump
          commit-message: |
            bump: dataplane/frr to ${{ github.ref_name }}

            This is an automated commit created by GitHub Actions workflow,
            in the dataplane repository.
          signoff: true
          title: "bump: dataplane/frr to ${{ github.ref_name }}"
          body: |
            This is an automated Pull Request created by GitHub Actions workflow,
            in the dataplane repository.