From 81c14213d67df8db6ec3ca5e845e5cd3236bbb88 Mon Sep 17 00:00:00 2001
From: Haitao Pan
Date: Fri, 27 Mar 2026 13:02:57 +0800
Subject: [PATCH] release: pin GitHub Actions to specific commits and remove Rust FFI workflow
- Pin actions/checkout, actions/setup-go, actions/upload-artifact, actions/download-artifact to specific commit hashes for supply chain security
- Remove build-rust-ffi.yml workflow as Rust FFI is no longer used
Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/build-and-release.yml | 14 +--
 .github/workflows/build-rust-ffi.yml | 153 ------------------------
 2 files changed, 7 insertions(+), 160 deletions(-)
 delete mode 100644 .github/workflows/build-rust-ffi.yml
diff --git a/.github/workflows/build-and-release.yml b/.github/workflows/build-and-release.yml
index b159f2a6..0356e906 100644
--- a/.github/workflows/build-and-release.yml
+++ b/.github/workflows/build-and-release.yml
@@ -49,7 +49,7 @@ jobs:
 release_notes: ${{ steps.meta.outputs.release_notes }}
 steps:
 - name: Checkout source
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 with:
 fetch-depth: 0
@@ -73,7 +73,7 @@ jobs:
 runs-on: ubuntu-22.04
 steps:
 - name: Checkout source
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 - name: Set up Flutter SDK
 uses: ./.github/actions/setup-flutter-sdk
@@ -131,7 +131,7 @@ jobs:
 ANDROID_KEY_PASSWORD: ${{ secrets.ANDROID_KEY_PASSWORD }}
 steps:
 - name: Checkout source
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 - name: Set up Flutter SDK
 uses: ./.github/actions/setup-flutter-sdk
@@ -140,7 +140,7 @@ jobs:
 - name: Install Go
 if: ${{ matrix.platform == 'macos' }}
- uses: actions/setup-go@v5
+ uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff
 with:
 go-version: "1.24.1"
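Review bot: Each pinned `uses:` line now carries a bare 40-character hash with nothing saying which release it corresponds to; this applies to the `actions/checkout` line in the hunk at -49 and to the other six replacements in this file (hunks at -73, -131, -140, -153 and -177). A trailing comment, e.g. `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # vX.Y.Z` with the placeholder replaced by the tag the hash was taken from, lets a reviewer check the hash against the upstream tag and gives Dependabot or Renovate a version to bump. It is also worth confirming that each hash is reachable from a release tag in the upstream `actions/*` repository, because a hash can also resolve to a commit that exists only in a fork of it. The job this hunk belongs to continues outside the hunk.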
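Review bot: In the hunk at -131 the pinning covers only the `uses:` lines of this workflow file: the next step runs the local composite action `./.github/actions/setup-flutter-sdk` (also in the hunk at -73), and any third-party actions referenced inside it are not touched by this commit. Its contents are not visible here, so this is something to check rather than a confirmed gap. It matters most in this job because `ANDROID_KEY_PASSWORD` appears to be set in the job-level `env`, which exposes the signing secret to every step; consider pinning the actions inside the composite action the same way and moving the secret into the `env:` of the one step that signs. The job continues outside the hunk.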
@@ -153,7 +153,7 @@ jobs:
 run: bash ./scripts/ci/build_matrix_artifacts.sh "$PLATFORM" "$ARCH" "$SHOULD_RELEASE"
 - name: Upload build artifacts
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
 with:
 name: build-${{ matrix.platform }}-${{ matrix.arch }}
 path: |
@@ -177,10 +177,10 @@ jobs:
 - build
 steps:
 - name: Checkout source
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 - name: Download all artifacts
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
 with:
 path: release-artifacts
diff --git a/.github/workflows/build-rust-ffi.yml b/.github/workflows/build-rust-ffi.yml
deleted file mode 100644
index 21d373bc..00000000
--- a/.github/workflows/build-rust-ffi.yml
+++ /dev/null
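Review bot: In the hunk at -153 the `Upload build artifacts` step publishes workspace paths, while none of the checkout steps touched by this commit sets `persist-credentials: false`, so by default the job token stays in the checkout's git configuration for the rest of the job. The `path:` list continues outside the hunk, so whether `.git` can be included in the artifact is not visible here. Adding a `with:` block containing `persist-credentials: false` to the checkouts that do not need to push removes the question; whether the release job in the hunk at -177 needs the credential is not shown here and should be checked before changing it.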
@@ -1,153 +0,0 @@
-name: Build Rust FFI
-
-on:
- push:
- branches: [main, develop]
- paths:
- - 'rust/**'
- - '.github/workflows/build-rust-ffi.yml'
- pull_request:
- branches: [main]
- paths:
- - 'rust/**'
- workflow_dispatch:
-
-env:
- CARGO_TERM_COLOR: always
- RUST_BACKTRACE: 1
-
-jobs:
- build-macos:
- runs-on: macos-latest
- strategy:
- matrix:
- target: [aarch64-apple-darwin, x86_64-apple-darwin]
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4
-
- - name: Install Rust toolchain
- uses: dtolnay/rust-toolchain@stable
- with:
- targets: ${{ matrix.target }}
-
- - name: Cache cargo registry
- uses: actions/cache@v4
- with:
- path: |
- ~/.cargo/registry
- ~/.cargo/git
- rust/target
- key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
- restore-keys: |
- ${{ runner.os }}-cargo-
-
- - name: Build Rust library
- run: |
- cd rust
- cargo build --release --target ${{ matrix.target }}
-
- - name: Upload artifact
- uses: actions/upload-artifact@v4
- with:
- name: libcodex-ffi-${{ matrix.target }}
- path: |
- rust/target/${{ matrix.target }}/release/libcodex_ffi.dylib
- rust/target/${{ matrix.target }}/release/libcodex_ffi.a
-
- build-universal:
- needs: build-macos
- runs-on: macos-latest
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4
-
- - name: Download aarch64 artifact
- uses: actions/download-artifact@v4
- with:
- name: libcodex-ffi-aarch64-apple-darwin
- path: target/aarch64
-
- - name: Download x86_64 artifact
- uses: actions/download-artifact@v4
- with:
- name: libcodex-ffi-x86_64-apple-darwin
- path: target/x86_64
-
- - name: Create universal binary
- run: |
- mkdir -p rust/target/universal
- lipo -create \
- target/aarch64/libcodex_ffi.dylib \
- target/x86_64/libcodex_ffi.dylib \
- -output rust/target/universal/libcodex_ffi.dylib
- lipo -create \
- target/aarch64/libcodex_ffi.a \
- target/x86_64/libcodex_ffi.a \
- -output rust/target/universal/libcodex_ffi.a
-
- - name: Upload universal artifact
- uses: actions/upload-artifact@v4
- with:
- name: libcodex-ffi-universal
- path: |
- rust/target/universal/libcodex_ffi.dylib
- rust/target/universal/libcodex_ffi.a
-
- test:
- runs-on: macos-latest
- needs: build-universal
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4
-
- - name: Install Rust toolchain
- uses: dtolnay/rust-toolchain@stable
-
- - name: Cache cargo registry
- uses: actions/cache@v4
- with:
- path: |
- ~/.cargo/registry
- ~/.cargo/git
- rust/target
- key: ${{ runner.os }}-cargo-test-${{ hashFiles('**/Cargo.lock') }}
-
- - name: Run Rust tests
- run: |
- cd rust
- cargo test --release
-
- integrate-flutter:
- runs-on: macos-latest
- needs: build-universal
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4
-
- - name: Download universal artifact
- uses: actions/download-artifact@v4
- with:
- name: libcodex-ffi-universal
- path: rust/target/universal
-
- - name: Setup Flutter
- uses: subosito/flutter-action@v2
- with:
- flutter-version: '3.24.3'
- channel: 'stable'
-
- - name: Copy FFI library to Frameworks
- run: |
- mkdir -p macos/Frameworks
- cp rust/target/universal/libcodex_ffi.dylib macos/Frameworks/
-
- - name: Analyze Flutter code
- run: flutter analyze lib/runtime/
-
- - name: Run Flutter tests
- run: flutter test test/runtime/