Setup ecosystem CI (#3390)

This PR sets up an "ecosystem" check as an optional part of the CI step for pull requests. The primary piece of this is a new script in `scripts/check_ecosystem.py` which takes two ruff binaries as input and compares their outputs against a corpus of open-source code in parallel. I used ruff's `text` reporting format and stdlib's `difflib` (rather than JSON output and jsondiffs) to avoid adding another dependency. There is a new ecosystem-comment workflow to add a comment to the PR (see [this link](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) which explains why it needs to be done as a new workflow for security reasons).
2026-01-11 00:24:13 -05:00 · 2023-03-10 17:39:07 -05:00
parent a3aeec6377
commit cfa2924664
3 changed files with 279 additions and 0 deletions
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -79,6 +79,10 @@ jobs:
        env:
          # Setting RUSTDOCFLAGS because `cargo doc --check` isn't yet implemented (https://github.com/rust-lang/cargo/issues/10025).
          RUSTDOCFLAGS: "-D warnings"
+      - uses: actions/upload-artifact@v3
+        with:
+          name: ruff
+          path: target/debug/ruff


  cargo-test-wasm:
@@ -123,3 +127,39 @@ jobs:
      - uses: crate-ci/typos@master
        with:
          files: .
+
+  ecosystem:
+    name: "ecosystem"
+    runs-on: ubuntu-latest
+    needs: cargo-test
+    # Only runs on pull requests, since that is the only we way we can find the base version for comparison.
+    if: github.event_name == 'pull_request'
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v4
+        with:
+          python-version: "3.11"
+      - uses: actions/download-artifact@v3
+        id: ruff-target
+        with:
+          name: ruff
+          path: target/debug
+      - uses: dawidd6/action-download-artifact@v2
+        with:
+          name: ruff
+          branch: ${{ github.event.pull_request.base_ref }}
+          check_artifacts: true
+      - name: Run ecosystem check
+        run: |
+          # Make executable, since artifact download doesn't preserve this
+          chmod +x ruff ${{ steps.ruff-target.outputs.download-path }}/ruff
+
+          scripts/check_ecosystem.py ruff ${{ steps.ruff-target.outputs.download-path }}/ruff | tee ecosystem-result
+
+          echo ${{ github.event.number }} > pr-number
+      - uses: actions/upload-artifact@v3
+        with:
+          name: ecosystem-result
+          path: |
+            ecosystem-result
+            pr-number
--- a/.github/workflows/ecosystem-comment.yaml
+++ b/.github/workflows/ecosystem-comment.yaml
@@ -0,0 +1,31 @@
+on:
+  workflow_run:
+    workflows: [CI]
+    types: [completed]
+
+permissions:
+  pull-requests: write
+
+jobs:
+  comment:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: dawidd6/action-download-artifact@v2
+        id: download-result
+        with:
+          name: ecosystem-result
+          workflow: ci.yaml
+          run_id: ${{ github.event.workflow_run.id }}
+          if_no_artifact_found: ignore
+      - if: steps.download-result.outputs.found_artifact
+        id: result
+        run: |
+          echo "pr-number=$(<pr-number)" >> $GITHUB_OUTPUT
+      - name: Create comment
+        if: steps.download-result.outputs.found_artifact
+        uses: thollander/actions-comment-pull-request@v2
+        with:
+          pr_number: ${{ steps.result.outputs.pr-number }}
+          filePath: ecosystem-result
+          comment_tag: ecosystem-results