shared-workflows/.github/workflows/conda-cpp-tests.yaml at main · rapidsai/shared-workflows · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
on:
  workflow_call:
    inputs:
      build_type:
        description: "One of: [branch, nightly, pull-request]"
        required: true
        type: string
      matrix_type:
        description: "One of: [auto, nightly, pull-request]. 'auto' means 'choose a value based on what's provided via build_type'."
        required: false
        type: string
        default: "auto"
      branch:
        description: |
          Git branch the workflow run targets.
          This is required even when 'sha' is provided because it is also used for organizing artifacts.
        type: string
      date:
        description: "Date (YYYY-MM-DD) this run is for. Used to organize artifacts produced by nightly builds"
        type: string
      sha:
        description: "Full git commit SHA to check out"
        type: string
      repo:
        description: "Git repo to check out, in '{org}/{repo}' form, e.g. 'rapidsai/cudf'"
        type: string
      script:
        type: string
        required: true
        description: "Shell code to be executed in a step. Ideally this should just invoke a script managed in the repo the workflow runs from, like 'ci/test_cpp.sh'."
      matrix_filter:
        description: |
          jq expression which modifies the matrix.
          For example, 'map(select(.ARCH == "amd64"))' to achieve "only run amd64 jobs".
        type: string
        default: "."
      container-options:
        description: |
          Command-line arguments passed to 'docker run' when starting the container this workflow runs in.
          This should be provided as a single string to be inlined into 'docker run', not an array.
          For example, '--quiet --ulimit nofile=2048'.
        required: false
        type: string
        default: "-e _NOOP"
      build_workflow_name:
        description: |
          Name of a workflow file that produced artifacts to be downloaded in this run.
          If not set (the default), artifact-handling scripts use RAPIDS-conventional defaults (like "build.yaml" when "build_type == nightly").
        required: false
        type: string
      sccache-dist-request-timeout:
        type: string
        default: 7140
        description: |
          The maximum time (in seconds) the sccache client should wait for a distributed compilation to complete.
      sccache-dist-token-secret-name:
        type: string
        required: false
        description: |
          The name of the secret that contains the token used to authenticate with the RAPIDS Build Engineering sccache-dist build cluster.
      alternative-gh-token-secret-name:
        type: string
        required: false
        description: |
          If provided, should contain the name of a secret in the repo which holds a GitHub API token.
          When this is non-empty, that secret's value is used in place of the default repo-level token
          anywhere that environment variable GH_TOKEN is set. This is especially useful for downloading
          artifacts from other private repos, which repo tokens do not have access to.
    secrets:
      script-env-secret-1-key:
        description: |
          Name of an environment variable in the environment where 'inputs.script' is run.
          Variable's value will be set to the value passed as 'secrets.script-env-secret-1-value'.
        required: false
      script-env-secret-1-value:
        description: |
          Secret value.
          Will be available via an environment variable named by 'secrets.script-env-secret-1-key'.
        required: false
      script-env-secret-2-key:
        description: |
          Name of an environment variable in the environment where 'inputs.script' is run.
          Variable's value will be set to the value passed as 'secrets.script-env-secret-2-value'.
        required: false
      script-env-secret-2-value:
        description: |
          Secret value.
          Will be available via an environment variable named by 'secrets.script-env-secret-2-key'.
        required: false
      script-env-secret-3-key:
        description: |
          Name of an environment variable in the environment where 'inputs.script' is run.
          Variable's value will be set to the value passed as 'secrets.script-env-secret-3-value'.
        required: false
      script-env-secret-3-value:
        description: |
          Secret value.
          Will be available via an environment variable named by 'secrets.script-env-secret-3-key'.
        required: false

defaults:
  run:
    shell: bash

permissions:
  actions: read
  checks: none
  contents: read
  deployments: none
  discussions: none
  id-token: write
  issues: none
  packages: read
  pages: none
  pull-requests: read
  repository-projects: none
  security-events: none
  statuses: none

jobs:
  compute-matrix:
    uses: ./.github/workflows/compute-matrix.yaml
    with:
      build_type: ${{ inputs.build_type }}
      matrix_name: conda-cpp-tests
      matrix_type: ${{ inputs.matrix_type }}
      matrix_filter: ${{ inputs.matrix_filter }}
  tests:
    name: ${{ matrix.CUDA_VER }}, ${{ matrix.PY_VER }}, ${{ matrix.ARCH }}, ${{ matrix.LINUX_VER }}, ${{ matrix.GPU }}, ${{ matrix.DRIVER }}-driver, ${{ matrix.DEPENDENCIES }}-deps
    needs: compute-matrix
    strategy:
      fail-fast: false
      matrix: ${{ fromJSON(needs.compute-matrix.outputs.matrix) }}
    runs-on: "linux-${{ matrix.ARCH }}-gpu-${{ matrix.GPU }}-${{ matrix.DRIVER }}-1"
    env:
      RAPIDS_ARTIFACTS_DIR: ${{ github.workspace }}/artifacts
      RAPIDS_DEPENDENCIES: ${{ matrix.DEPENDENCIES }}
      RAPIDS_TESTS_DIR: ${{ github.workspace }}/test-results
    container:
      image: rapidsai/ci-conda:26.06-cuda${{ matrix.CUDA_VER }}-${{ matrix.LINUX_VER }}-py${{ matrix.PY_VER }}
      options: ${{ inputs.container-options }}
      env:
        RAPIDS_BUILD_TYPE: ${{ inputs.build_type }}
        NVIDIA_VISIBLE_DEVICES: ${{ env.NVIDIA_VISIBLE_DEVICES }}
    steps:
      - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
        with:
          role-to-assume: ${{ vars.AWS_ROLE_ARN }}
          aws-region: ${{ vars.AWS_REGION }}
          role-duration-seconds: 43200 # 12h

      - uses: actions/checkout@v6
        with:
          repository: ${{ inputs.repo }}
          ref: ${{ inputs.sha }}
          fetch-depth: 0
          persist-credentials: true
      # This has to be AFTER the checkout step. It creates a telemetry-artifacts directory,
      # and the checkout step would destroy it.
      - name: Telemetry setup
        uses: rapidsai/shared-actions/telemetry-dispatch-setup@main
        continue-on-error: true
        if: ${{ vars.TELEMETRY_ENABLED == 'true' }}
        with:
          extra_attributes: "rapids.PACKAGER=conda,rapids.CUDA_VER=${{ matrix.CUDA_VER }},rapids.PY_VER=${{ matrix.PY_VER }},rapids.ARCH=${{ matrix.ARCH }},rapids.LINUX_VER=${{ matrix.LINUX_VER }},rapids.GPU=${{ matrix.GPU }},rapids.DRIVER=${{ matrix.DRIVER }},rapids.DEPENDENCIES=${{ matrix.DEPENDENCIES }}"
        env:
          # DOES NOT NEED alternative-gh-token-secret_name - github.token is enough and more limited
          GH_TOKEN: ${{ github.token }}

      - name: Standardize repository information
        uses: rapidsai/shared-actions/rapids-github-info@main
        with:
          repo: ${{ inputs.repo }}
          branch: ${{ inputs.branch }}
          date: ${{ inputs.date }}
          sha: ${{ inputs.sha }}
          build_workflow_name: ${{ inputs.build_workflow_name }}

      - name: Setup proxy cache
        uses: nv-gha-runners/setup-proxy-cache@main
        continue-on-error: true
        with:
          enable-apt: true

      # Install latest rapidsai/sccache client and configure sccache-dist
      - name: Setup sccache-dist
        uses: rapidsai/shared-actions/setup-sccache-dist@main
        env:
          AWS_REGION: "${{env.AWS_REGION}}"
          AWS_ACCESS_KEY_ID: "${{env.AWS_ACCESS_KEY_ID}}"
          AWS_SECRET_ACCESS_KEY: "${{env.AWS_SECRET_ACCESS_KEY}}"
        with:
          log-file: "${{ env.RAPIDS_ARTIFACTS_DIR }}/sccache.log"
          request-timeout: ${{ inputs.sccache-dist-request-timeout }}
      # Per the docs at https://docs.github.com/en/rest/rate-limit/rate-limit?apiVersion=2022-11-28#get-rate-limit-status-for-the-authenticated-user,
      # checking '/rate_limit | jq .' should not itself count against any rate limits.
      #
      # gh CLI is pre-installed on Github-hosted runners, but may not be on self-hosted runners.
      - name: Check GitHub API rate limits
        run: |
          if ! type gh >/dev/null; then
              echo "'gh' CLI is not installed... skipping rate-limits check"
          else
              gh api /rate_limit | jq .
          fi
        env:
          # NEEDS alternative-gh-token-secret_name - API limits need to be for whatever token is used for upload/download. Repo token may be a different pool for rate limits.
          GH_TOKEN: ${{ inputs.alternative-gh-token-secret-name && secrets[inputs.alternative-gh-token-secret-name] || github.token }} # zizmor: ignore[overprovisioned-secrets]
      # cannot put possibly-null things as keys in the 'env:' mapping, so need to process these in a script
      - name: Set secrets in script env
        run: |
          set_env_var() {
            local input_prefix="script-env-secret-$1"
            local key_str=$2
            local val_str=$3
            if test -n "${val_str}"; then
              if ! test -n "${key_str}"; then
                echo "ERROR: '${input_prefix}-value' non-empty but '${input_prefix}-key' is empty. Set '${input_prefix}-key'."
                exit 1
              fi
              echo "${key_str}=${val_str}" >> "${GITHUB_ENV}"
            fi
          }
          set_env_var '1' '${{ secrets.script-env-secret-1-key }}' '${{ secrets.script-env-secret-1-value }}'
          set_env_var '2' '${{ secrets.script-env-secret-2-key }}' '${{ secrets.script-env-secret-2-value }}'
          set_env_var '3' '${{ secrets.script-env-secret-3-key }}' '${{ secrets.script-env-secret-3-value }}'
      - name: C++ tests
        run: |
          ulimit -n "$(ulimit -Hn)"
          $INPUTS_SCRIPT
        env:
          INPUTS_SCRIPT: "${{ inputs.script }}"
          # NEEDS alternative-gh-token-secret-name - may require a token with more permissions
          GH_TOKEN: ${{ inputs.alternative-gh-token-secret-name && secrets[inputs.alternative-gh-token-secret-name] || github.token }} # zizmor: ignore[overprovisioned-secrets]
      - name: Generate test report
        uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2.4
        with:
          paths: "${{ env.RAPIDS_TESTS_DIR }}/*.xml"
        if: always()
      - name: Upload additional artifacts
        if: "!cancelled()"
        run: rapids-upload-artifacts-dir "cuda${RAPIDS_CUDA_VERSION%%.*}_$(arch)"
      - name: Telemetry upload attributes
        uses: rapidsai/shared-actions/telemetry-dispatch-stash-job-artifacts@main
        continue-on-error: true
        if: ${{ vars.TELEMETRY_ENABLED == 'true' }}
        env:
          # DOES NOT NEED alternative-gh-token-secret-name - github.token is enough and more limited
          GH_TOKEN: ${{ github.token }}