feat: Secure document encryption key exchange #2613
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Copyright 2022 Democratized Data Foundation | |
# | |
# Use of this software is governed by the Business Source License | |
# included in the file licenses/BSL.txt. | |
# | |
# As of the Change Date specified in that file, in accordance with | |
# the Business Source License, use of this software will be governed | |
# by the Apache License, Version 2.0, included in the file | |
# licenses/APL.txt. | |
name: Test And Upload Coverage Workflow | |
on: | |
pull_request: | |
branches: | |
- master | |
- develop | |
push: | |
tags: | |
- 'v[0-9]+.[0-9]+.[0-9]+' | |
branches: | |
- master | |
- develop | |
jobs: | |
run-tests: | |
name: Run tests matrix job | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ubuntu-latest] | |
client-type: [go, http, cli] | |
database-type: [badger-file, badger-memory] | |
mutation-type: [gql, collection-named, collection-save] | |
lens-type: [wasm-time] | |
acp-type: [local] | |
database-encryption: [false] | |
view-type: [cacheless] | |
include: | |
- os: ubuntu-latest | |
client-type: go | |
database-type: badger-memory | |
mutation-type: collection-save | |
lens-type: wasm-time | |
acp-type: local | |
database-encryption: true | |
view-type: cacheless | |
- os: ubuntu-latest | |
client-type: go | |
database-type: badger-memory | |
mutation-type: collection-save | |
lens-type: wazero | |
acp-type: local | |
database-encryption: false | |
view-type: cacheless | |
- os: ubuntu-latest | |
client-type: go | |
database-type: badger-memory | |
mutation-type: collection-save | |
lens-type: wasmer | |
acp-type: local | |
database-encryption: false | |
view-type: cacheless | |
- os: ubuntu-latest | |
client-type: go | |
database-type: badger-memory | |
mutation-type: collection-save | |
lens-type: wasm-time | |
acp-type: source-hub | |
database-encryption: false | |
view-type: cacheless | |
- os: ubuntu-latest | |
client-type: http | |
database-type: badger-memory | |
mutation-type: collection-save | |
lens-type: wasm-time | |
acp-type: source-hub | |
database-encryption: false | |
view-type: cacheless | |
- os: ubuntu-latest | |
client-type: cli | |
database-type: badger-memory | |
mutation-type: collection-save | |
lens-type: wasm-time | |
acp-type: source-hub | |
database-encryption: false | |
view-type: cacheless | |
- os: ubuntu-latest | |
client-type: go | |
database-type: badger-memory | |
mutation-type: collection-save | |
lens-type: wasm-time | |
acp-type: local | |
database-encryption: false | |
view-type: materialized | |
- os: macos-latest | |
client-type: go | |
database-type: badger-memory | |
mutation-type: collection-save | |
lens-type: wasm-time | |
acp-type: local | |
database-encryption: false | |
view-type: cacheless | |
## TODO: https://github.com/sourcenetwork/defradb/issues/2080 | |
## Uncomment the lines below to Re-enable the windows build once this todo is resolved. | |
## - os: windows-latest | |
## client-type: go | |
## database-type: badger-memory | |
## mutation-type: collection-save | |
## lens-type: wasm-time | |
## acp-type: local | |
## database-encryption: false | |
## view-type: cacheless | |
runs-on: ${{ matrix.os }} | |
# We run all runners via the bash shell to provide us with a consistent set of env variables and commands | |
defaults: | |
run: | |
shell: bash | |
env: | |
CGO_ENABLED: 1 | |
DEFRA_CLIENT_GO: ${{ matrix.client-type == 'go' }} | |
DEFRA_CLIENT_HTTP: ${{ matrix.client-type == 'http' }} | |
DEFRA_CLIENT_CLI: ${{ matrix.client-type == 'cli' }} | |
DEFRA_BADGER_MEMORY: ${{ matrix.database-type == 'badger-memory' }} | |
DEFRA_BADGER_FILE: ${{ matrix.database-type == 'badger-file' }} | |
DEFRA_BADGER_ENCRYPTION: ${{ matrix.database-encryption }} | |
DEFRA_MUTATION_TYPE: ${{ matrix.mutation-type }} | |
DEFRA_LENS_TYPE: ${{ matrix.lens-type }} | |
DEFRA_ACP_TYPE: ${{ matrix.acp-type }} | |
DEFRA_VIEW_TYPE: ${{ matrix.view-type }} | |
steps: | |
- name: Checkout code into the directory | |
uses: actions/checkout@v4 | |
- name: Setup Go environment explicitly | |
uses: actions/setup-go@v5 | |
with: | |
go-version-file: 'go.mod' | |
check-latest: true | |
cache: false | |
- name: Set cache paths | |
id: cache-paths | |
shell: bash | |
run: | | |
echo "GO_CACHE=$(go env GOCACHE)" >> "${GITHUB_OUTPUT}" | |
echo "GO_MODCACHE=$(go env GOMODCACHE)" >> "${GITHUB_OUTPUT}" | |
echo "CARGO_CACHE=~/.cargo" >> "${GITHUB_OUTPUT}" | |
- name: Go cache/restore | |
uses: actions/cache@v4 | |
with: | |
key: ${{ runner.os }}-go-${{ hashFiles('**/go.mod') }} | |
path: | | |
${{ steps.cache-paths.outputs.GO_CACHE }} | |
${{ steps.cache-paths.outputs.GO_MODCACHE }} | |
- name: Cargo cache/restore | |
# A very cool post: https://blog.arriven.wtf/posts/rust-ci-cache | |
uses: actions/cache@v4 | |
with: | |
key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.toml') }} | |
# Here are some directories we shouldn't forget about: | |
# ~/.cargo/.* | |
# ~/.cargo/bin/ | |
# ~/.cargo/git/db/ | |
# ~/.cargo/registry/cache/ | |
# ~/.cargo/registry/index/ | |
# **/target/*/*.d | |
# **/target/*/*.rlib | |
# **/target/*/.fingerprint | |
# **/target/*/build | |
# **/target/*/deps | |
path: | | |
${{ steps.cache-paths.outputs.CARGO_CACHE }} | |
**/target/ | |
- name: Restore modified time | |
uses: chetan/git-restore-mtime-action@v2 | |
- name: Build dependencies | |
run: | | |
make deps:modules | |
make deps:test | |
# We have to checkout the source-hub repo and install it ourselves because it | |
# contains replace commands in its go.mod file. | |
- name: Checkout sourcehub code into the directory | |
if: ${{ matrix.acp-type == 'source-hub' }} | |
uses: actions/checkout@v4 | |
with: | |
repository: sourcenetwork/sourcehub | |
path: _sourceHub | |
# Lock the sourcehub version until the dev branch is stable | |
# remove this when closed https://github.com/sourcenetwork/defradb/issues/2865 | |
ref: c232133c35c96924509a4d955a7b450eb3624a15 | |
- name: Install SourceHub CLI | |
if: ${{ matrix.acp-type == 'source-hub' }} | |
working-directory: _sourceHub | |
run: make install | |
- name: Run integration tests | |
run: make test:coverage | |
- name: Upload coverage artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
# Make sure the name is always unique per job as artifacts are now immutable. | |
# Note Issue: https://github.com/actions/upload-artifact/issues/478 | |
# Solve: https://github.com/actions/upload-artifact/issues/478#issuecomment-1885470013 | |
name: "coverage\ | |
_${{ matrix.os }}\ | |
_${{ matrix.client-type }}\ | |
_${{ matrix.database-type }}\ | |
_${{ matrix.mutation-type }}\ | |
_${{ matrix.lens-type }}\ | |
_${{ matrix.acp-type }}\ | |
_${{ matrix.view-type }}\ | |
_${{ matrix.database-encryption }}\ | |
" | |
path: coverage.txt | |
if-no-files-found: error | |
retention-days: 7 | |
upload-coverage: | |
name: Upload test code coverage job | |
needs: run-tests | |
# Important to know: | |
# - We didn't use `if: always()` here, so this job doesn't run if we manually canceled. | |
# - `if: success()` is always implied unless `always()` or `failure()` is specified. | |
if: success() || failure() | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code into the directory | |
uses: actions/checkout@v4 | |
- name: Download coverage reports | |
uses: actions/download-artifact@v4 | |
with: | |
pattern: coverage_* | |
# Note: https://github.com/actions/download-artifact/blob/main/docs/MIGRATION.md | |
merge-multiple: false | |
path: coverage_reports | |
- name: Upload coverage to Codecov | |
uses: codecov/codecov-action@v4 | |
with: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
name: defradb-codecov | |
files: coverage_reports/**/*.txt | |
flags: all-tests | |
os: 'linux' | |
fail_ci_if_error: true | |
verbose: true |