Diffstat (limited to '.github')
-rw-r--r-- | .github/PULL_REQUEST_TEMPLATE.md | 14 | ||||
-rw-r--r-- | .github/dependabot.yml | 21 | ||||
-rw-r--r-- | .github/workflows/build_test.yml | 284 | ||||
-rw-r--r-- | .github/workflows/build_test_cross.yml | 227 | ||||
-rw-r--r-- | .github/workflows/build_test_md.yml | 60 | ||||
-rw-r--r-- | .github/workflows/codeql.yml | 116 | ||||
-rw-r--r-- | .github/workflows/conformance.yml | 76 | ||||
-rw-r--r-- | .github/workflows/debug_ci.yml | 149 | ||||
-rw-r--r-- | .github/workflows/dependency-review.yml | 36 | ||||
-rw-r--r-- | .github/workflows/fuzz.yml | 19 | ||||
-rw-r--r-- | .github/workflows/gitlab_mirror.yml | 53 | ||||
-rw-r--r-- | .github/workflows/highway.patch | 12 | ||||
-rw-r--r-- | .github/workflows/pages.yml | 69 | ||||
-rw-r--r-- | .github/workflows/pull_request.yml | 41 | ||||
-rw-r--r-- | .github/workflows/release.yaml | 122 | ||||
-rw-r--r-- | .github/workflows/scorecard.yml | 75 | ||||
-rw-r--r-- | .github/workflows/test_new_highway.yml | 56 |
17 files changed, 1177 insertions, 253 deletions
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
new file mode 100644
index 0000000..6ccfc33
--- /dev/null
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,14 @@
+<!-- Thank you for considering a contribution to `libjxl`! -->
+
+### Description
+
+<!-- Please provide a brief description of the changes in this PR and any additional context (e.g., why these changes were made, related issues, etc.). -->
+
+### Pull Request Checklist
+
+- [ ] **CLA Signed**: Have you signed the [Contributor License Agreement](https://code.google.com/legal/individual-cla-v1.0.html) (individual or corporate, as appropriate)? Only contributions from signed contributors can be accepted.
+- [ ] **Authors**: Have you considered adding your name to the [AUTHORS](AUTHORS) file?
+- [ ] **Code Style**: Have you ensured your code adheres to the project's coding style guidelines? You can use `./ci.sh lint` for automatic code formatting.
+
+
+Please review the full [contributing guidelines](https://github.com/libjxl/libjxl/blob/main/CONTRIBUTING.md) for more details.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..9756cee
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,21 @@
+# Copyright (c) the JPEG XL Project Authors. All rights reserved.
+#
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+
+ - package-ecosystem: pip
+ directory: /doc/sphinx
+ schedule:
+ interval: daily
diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml index e8b28b9..88b7dc6 100644 --- a/.github/workflows/build_test.yml +++ b/.github/workflows/build_test.yml @@ -7,6 +7,7 @@ name: Build/Test on: + merge_group: push: branches: - main @@ -14,29 +15,40 @@ on: pull_request: types: [opened, reopened, labeled, synchronize] +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }} cancel-in-progress: ${{ github.event_name == 'pull_request' }} jobs: ubuntu_build: - name: Ubuntu Build ${{ matrix.name }} + name: ${{ startsWith(matrix.os, 'macos-') && 'MacOS' || 'Ubuntu' }} Build ${{ matrix.name }} runs-on: ${{ matrix.os || 'ubuntu-latest' }} strategy: + fail-fast: false matrix: # We have one job per "name" in the matrix. Attributes are set on the # specific job names. name: [release, debug, asan, msan, scalar] include: - name: release + mode: release + run_bench: true test_in_pr: true + cmake_args: >- + -DJPEGXL_TEST_TOOLS=ON + -DJPEGLI_LIBJPEG_LIBRARY_VERSION="8.2.2" + -DJPEGLI_LIBJPEG_LIBRARY_SOVERSION="8" # Track static stack size on build and check it doesn't exceed 3 kB. env_stack_size: 1 - max_stack: 3000 + max_stack: 2400 # Conformance tooling test requires numpy. - apt_pkgs: graphviz python3-numpy + apt_pkgs: doxygen graphviz python3-numpy - name: lowprecision mode: release + run_bench: true test_in_pr: true cmake_args: -DCMAKE_CXX_FLAGS=-DJXL_HIGH_PRECISION=0 - name: debug @@ -46,9 +58,10 @@ jobs: # Build scalar-only hwy instructions. - name: scalar mode: release - cxxflags: -DHWY_COMPILE_ONLY_SCALAR + cxxflags: -DHWY_COMPILE_ONLY_SCALAR -DFJXL_ENABLE_AVX2=0 -DFJXL_ENABLE_AVX512=0 # Disabling optional features to speed up msan build a little bit. - name: msan + os: ubuntu-20.04 skip_install: true cmake_args: >- -DJPEGXL_ENABLE_DEVTOOLS=OFF -DJPEGXL_ENABLE_PLUGINS=OFF 
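Review bot: On a `merge_group` run the jobs in this workflow appear to pass without building or testing anything, because the `WILL_BUILD` and `WILL_TEST` expressions added later in this file are true only for `push` and `pull_request`. Every step gated on them is skipped, so the merge-queue check introduced by this trigger goes green after only installing packages. If the queue is meant to validate the merged result, add the event to both expressions, e.g. `github.event_name == 'push' || github.event_name == 'merge_group' || (...)`; if the empty pass is intended, say so in a comment next to `merge_group:`. `WILL_RUN_TESTS` in build_test_cross.yml has the same shape.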
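Review bot: The comment above `env_stack_size` in the `release` matrix entry still says the check is that the stack "doesn't exceed 3 kB", but this hunk lowers `max_stack` from 3000 to 2400. Update the comment with the value, e.g. `# Track static stack size on build and check it doesn't exceed 2400 bytes.`, so the documented limit and the enforced one do not drift apart.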
@@ -56,9 +69,8 @@ jobs: - name: asan skip_install: true - name: coverage - apt_pkgs: gcovr - # Coverage builds require a bit more RAM. env_test_stack_size: 2048 + skip_install: true # Build with support for decoding to JPEG bytes disabled. Produces a # smaller build if only decoding to pixels is needed. - name: release-nojpeg 
@@ -68,39 +80,81 @@ jobs: -DJPEGXL_ENABLE_TRANSCODE_JPEG=OFF -DJPEGXL_ENABLE_PLUGINS=OFF -DJPEGXL_ENABLE_VIEWERS=OFF + # Build with jxl_cms based on lcms2 library. + - name: release-lcms2 + mode: release + cmake_args: >- + -DJPEGXL_ENABLE_SKCMS=OFF + - name: release-system-lcms2 + mode: release + cmake_args: >- + -DJPEGXL_ENABLE_SKCMS=OFF + -DJPEGXL_FORCE_SYSTEM_LCMS2=ON + apt_pkgs: liblcms2-dev + # static build is impossible + skip_install: true + # Build optimized for binary size, all features not needed for + # reconstructing pixels is disabled. + - name: release:minimal + mode: release + cxxflags: -DJXL_DEBUG_ON_ABORT=0 + cmake_args: >- + -DJPEGXL_ENABLE_TRANSCODE_JPEG=OFF + -DJPEGXL_ENABLE_BOXES=OFF + -DJPEGXL_ENABLE_PLUGINS=OFF + -DJPEGXL_ENABLE_VIEWERS=OFF # Builds with gcc in release mode - name: release:gcc8 + os: ubuntu-20.04 mode: release apt_pkgs: gcc-8 g++-8 cmake_args: >- -DCMAKE_C_COMPILER=gcc-8 -DCMAKE_CXX_COMPILER=g++-8 - # Builds with clang-5 in release mode - - name: release:clang-5 - os: ubuntu-18.04 + # Builds with clang-7 in release mode + - name: release:clang-7 + os: ubuntu-20.04 + mode: release + skip_install: true + apt_pkgs: clang-7 + cc: clang-7 + cxx: clang++-7 + - name: release:osx + os: macos-latest mode: release - # TODO(eustas): investigate, why static brotli library is not found. skip_install: true - apt_pkgs: clang-5.0 cmake_args: >- - -DCMAKE_C_COMPILER=clang-5.0 -DCMAKE_CXX_COMPILER=clang++-5.0 - -DJPEGXL_ENABLE_PLUGINS=OFF + -DCMAKE_FIND_FRAMEWORK=NEVER env: CCACHE_DIR: ${{ github.workspace }}/.ccache # Whether we track the stack size. 
STACK_SIZE: ${{ matrix.env_stack_size }} TEST_STACK_LIMIT: ${{ matrix.env_test_stack_size }} - WILL_RUN_TESTS: ${{ github.event_name == 'push' || (github.event_name == 'pull_request' && (matrix.test_in_pr || contains(github.event.pull_request.labels.*.name, 'CI:full'))) }} + WILL_TEST: ${{ github.event_name == 'push' || (github.event_name == 'pull_request' && matrix.name != 'coverage' && (matrix.test_in_pr || contains(github.event.pull_request.labels.*.name, 'CI:full'))) }} + WILL_BUILD: ${{ github.event_name == 'push' || (github.event_name == 'pull_request' && matrix.name != 'coverage') }} + WILL_BENCH: ${{ github.event_name != 'merge_group' && matrix.run_bench }} + WILL_DOC: ${{ github.event_name != 'merge_group' && matrix.name == 'release' }} + WILL_COV: ${{ github.event_name == 'push' && matrix.name == 'coverage' }} + JPEGXL_OPT_DBG: true + FASTER_MSAN_BUILD: 1 steps: - - name: Install build deps + - name: Harden Runner + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 + with: + egress-policy: audit + + - name: Install build deps Ubuntu + if: startsWith(matrix.os, 'macos-') == false run: | + sudo rm -f /var/lib/man-db/auto-update sudo apt update sudo apt install -y \ ccache \ - clang-7 \ + clang \ cmake \ - doxygen \ + graphviz \ + imagemagick \ libbenchmark-dev \ libbenchmark-tools \ libbrotli-dev \ @@ -109,6 +163,7 @@ jobs: libgtest-dev \ libgtk2.0-dev \ libjpeg-dev \ + libjpeg-turbo-progs \ libopenexr-dev \ libpng-dev \ libwebp-dev \ 
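Review bot: `egress-policy: audit` in the new Harden Runner step only records outbound connections; it does not stop a compromised build dependency or action from contacting an unexpected host. Once a few runs have produced a baseline of endpoints, consider `egress-policy: block` together with an `allowed-endpoints:` list on the jobs where the step is effective. The same audit-only step is added to the windows_msys, wasm32_build and bazel jobs in this file and to the other workflows touched by this commit.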
@@ -117,29 +172,51 @@ jobs: xvfb \ ${{ matrix.apt_pkgs }} \ # - echo "CC=clang-7" >> $GITHUB_ENV - echo "CXX=clang++-7" >> $GITHUB_ENV + echo "CC=${{ matrix.cc || 'clang' }}" >> $GITHUB_ENV + echo "CXX=${{ matrix.cxx || 'clang++' }}" >> $GITHUB_ENV + - name: Install build deps MacOS + if: startsWith(matrix.os, 'macos-') + run: | + # Should be already installed: + # brew install brotli giflib jpeg-turbo libpng zlib + # Not required, since we skip building documentation + # brew install doxygen + brew install binutils ccache coreutils google-benchmark googletest ninja sdl2 + - name: Checkout the source - uses: actions/checkout@v2 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: true fetch-depth: 2 + - name: Setup the Homebrew prefixes + if: startsWith(matrix.os, 'macos-') + run: | + CMAKE_PREFIX_PATH=`brew --prefix brotli`:`brew --prefix giflib`:`brew --prefix google-benchmark`:`brew --prefix jpeg-turbo`:`brew --prefix libpng`:`brew --prefix sdl2`:`brew --prefix zlib` + echo "CMAKE_PREFIX_PATH=${CMAKE_PREFIX_PATH}" >> $GITHUB_ENV + + - name: Suppress doxygen target + if: matrix.name != 'release' + run: | + echo "TARGETS=all" >> $GITHUB_ENV + - name: Setup the LLVM source path if: matrix.name == 'msan' run: | LLVM_ROOT=${GITHUB_WORKSPACE}/llvm_root mkdir -p ${LLVM_ROOT} echo "LLVM_ROOT=${LLVM_ROOT}" >> $GITHUB_ENV + - name: Cache LLVM sources if: matrix.name == 'msan' - uses: actions/cache@v2 + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: ${{ env.LLVM_ROOT }} key: llvm + - name: Checkout the LLVM source if: matrix.name == 'msan' - uses: actions/checkout@v2 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: false repository: llvm/llvm-project 
@@ -148,16 +225,22 @@ jobs: - name: Sphinx dependencies # Dependencies for sphinx HTML documentation - if: matrix.name == 'release' + if: env.WILL_DOC == 'true' run: | pip3 install -r doc/sphinx/requirements.txt + + - name: Install gcovr + if: env.WILL_COV == 'true' + run: pip install gcovr + - name: Git environment id: git-env run: | - echo "::set-output name=parent::$(git rev-parse ${{ github.sha }}^)" + echo "parent=$(git rev-parse ${{ github.sha }}^)" >> $GITHUB_OUTPUT shell: bash + - name: ccache - uses: actions/cache@v2 + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: ${{ env.CCACHE_DIR }} # When the cache hits the key it is not updated, so if this is a rebuild @@ -167,13 +250,14 @@ jobs: key: build-${{ runner.os }}-${{ github.sha }}-${{ matrix.name }} restore-keys: | build-${{ runner.os }}-${{ steps.git-env.outputs.parent }}-${{ matrix.name }} + - name: Build - if: matrix.name != 'coverage' || env.WILL_RUN_TESTS == 'true' + if: env.WILL_BUILD == 'true' run: | mkdir -p ${CCACHE_DIR} echo "max_size = 200M" > ${CCACHE_DIR}/ccache.conf mode="${{ matrix.mode }}" - build_tests=$([ "$WILL_RUN_TESTS" == "true" ] && echo "ON" || echo "OFF") + build_tests=$([ "$WILL_TEST" == "true" ] && echo "ON" || echo "OFF") [[ -n "${mode}" ]] || mode="${{ matrix.name }}" ./ci.sh ${mode} -DJPEGXL_FORCE_SYSTEM_BROTLI=ON \ -DCMAKE_CXX_COMPILER_LAUNCHER=ccache \ 
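Review bot: `run: pip install gcovr` in the new `Install gcovr` step installs whatever version the package index serves at run time, while the `uses:` lines in this file are pinned to commit SHAs and the Dependabot `pip` entry added in this commit only watches `/doc/sphinx`. Pin the tool, e.g. `run: pip install gcovr==<VERSION>`, or move it into a requirements file that is installed with `--require-hashes` and covered by Dependabot. The step replaces the distribution package (`apt_pkgs: gcovr`) that an earlier hunk removes, so this is a new unpinned input to the coverage job.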
@@ -183,81 +267,83 @@ jobs: env: SKIP_TEST: 1 CMAKE_CXX_FLAGS: ${{ matrix.cxxflags }} + - name: Build stats + if: env.WILL_BUILD == 'true' run: | awk '!/^#/ {total[$4]+=($2-$1);cntr[$4]+=1} END {for (key in total) print total[key]/cntr[key] " " key}' build/.ninja_log | sort -n | tail -n 25 + - name: ccache stats run: ccache --show-stats + - name: Build stats ${{ matrix.name }} - if: matrix.mode == 'release' || matrix.name == 'release' + if: env.WILL_BUILD == 'true' && matrix.mode == 'release' run: | - tools/build_stats.py --save build/stats.json \ - --max-stack ${{ matrix.max_stack || '0' }} \ - cjxl djxl libjxl.so libjxl_dec.so + SHARED_LIB_EXT="${{ startsWith(matrix.os, 'macos-') && 'dylib' || 'so' }}" + SELECT_BINUTILS="${{ startsWith(matrix.os, 'macos-') && '--binutils `brew --prefix binutils`/bin/' || '' }}" + tools/scripts/build_stats.py --save build/stats.json \ + --max-stack ${{ matrix.max_stack || '0' }} ${SELECT_BINUTILS} \ + cjxl djxl libjxl.${SHARED_LIB_EXT} libjxl_dec.${SHARED_LIB_EXT} + # Check that we can build the example project against the installed libs. - name: Install and build examples - if: | - (matrix.mode == 'release' || matrix.name == 'release') && - !matrix.skip_install + if: env.WILL_BUILD == 'true' && matrix.mode == 'release' && !matrix.skip_install run: | set -x sudo cmake --build build -- install cmake -Bbuild-example -Hexamples -G Ninja cmake --build build-example - if ldd build-example/decode_oneshot_static | grep libjxl; then - echo "decode_oneshot_static is not using the static lib" >&2 - exit 1 - fi # Test that the built binaries run. echo -e -n "PF\n1 1\n-1.0\n\0\0\x80\x3f\0\0\x80\x3f\0\0\x80\x3f" > test.pfm build-example/encode_oneshot test.pfm test.jxl - build-example/encode_oneshot_static test.pfm test-static.jxl build-example/decode_oneshot test.jxl dec.pfm dec.icc - build-example/decode_oneshot_static test.jxl dec-static.pfm dec-static.icc + # Run the tests on push and when requested in pull_request. 
- name: Test ${{ matrix.mode }} - if: env.WILL_RUN_TESTS == 'true' + if: env.WILL_TEST == 'true' run: | ./ci.sh test ${{ matrix.ctest_args }} + # Print the running time summary for the slowest tests. - name: Test runtime stats + if: env.WILL_TEST == 'true' run: | sort build/Testing/Temporary/CTestCostData.txt -k 3 -n | tail -n 20 || true + - name: Build HTML documentation (sphinx/readthetdocs) - if: matrix.name == 'release' + if: env.WILL_DOC == 'true' run: | cmake --build build -- rtd-html + - name: Coverage report - if: github.event_name == 'push' && matrix.name == 'coverage' + if: env.WILL_COV == 'true' run: | ./ci.sh coverage_report + - name: Coverage upload to Codecov - if: github.event_name == 'push' && matrix.name == 'coverage' - uses: codecov/codecov-action@v2 + if: env.WILL_COV == 'true' + uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4 with: flags: unittests files: build/coverage.xml + - name: Fast benchmark ${{ matrix.mode }} - if: | - matrix.name != 'coverage' && (github.event_name == 'push' || - (github.event_name == 'pull_request' && ( - matrix.test_in_pr || - contains(github.event.pull_request.labels.*.name, 'CI:full')))) + if: env.WILL_BENCH == 'true' run: | STORE_IMAGES=0 ./ci.sh fast_benchmark + # Run gbench once, just to make sure it runs, not for actual benchmarking. # This doesn't work on msan because we use gbench library from the system # which is not instrumented by msan. - name: gbench check - if: | - matrix.name == 'release' || ( - github.event_name == 'push' && matrix.name != 'msan') + if: env.WILL_BENCH == 'true' run: | ./ci.sh gbench --benchmark_min_time=0 windows_msys: name: Windows MSYS2 / ${{ matrix.msystem }} runs-on: windows-latest + continue-on-error: ${{ matrix.faulty || false }} strategy: fail-fast: false matrix: 
@@ -265,22 +351,26 @@ jobs: - msystem: mingw64 - msystem: clang64 - msystem: mingw32 - # TODO(eustas): investigate HWY Mul failures - disable_tests: HwyMulTestGroup/HwyMulTest\.TestAllMulHigh/EMU128|HwyMulTestGroup/HwyMulTest\.TestAllMulFixedPoint15/EMU128 + disable_tests: + - ButteraugliTest.Lossless + - ButteraugliTest.Distmap - msystem: clang32 - # TODO(eustas): investigate HWY Sort and JXL ANS failures - disable_tests: SortTestGroup/SortTest\.TestAllSort/.*|ANSTest\.RandomUnbalancedStreamRoundtrip3|ANSTest\.RandomUnbalancedStreamRoundtripBig defaults: run: shell: msys2 {0} steps: + - name: Harden Runner + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 + with: + egress-policy: audit + - name: Checkout the source - uses: actions/checkout@v2 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: true fetch-depth: 1 - - uses: msys2/setup-msys2@v2 + - uses: msys2/setup-msys2@07aeda7763550b267746a772dcea5e5ac3340b36 # v2 with: msystem: ${{ matrix.msystem }} update: true @@ -317,7 +407,7 @@ jobs: github.event_name == 'push' || (github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'CI:full')) - run: ctest --test-dir build --parallel 2 --output-on-failure -E "${{ matrix.disable_tests }}" + run: ctest --test-dir build --parallel 2 --output-on-failure -E "${{ join(matrix.disable_tests, '|') }}" wasm32_build: name: WASM wasm32/${{ matrix.variant }} 
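Review bot: The Harden Runner step added to `windows_msys` probably does nothing on `windows-latest`: as far as I know, this release of step-security/harden-runner only instruments GitHub-hosted Ubuntu VMs and is also inactive when the whole job runs inside a `container:`. If so, the step is a no-op here, on the `macos-latest` matrix entry of `ubuntu_build`, and in the `debian:bookworm` container jobs of build_test_cross.yml. Please confirm against the action's documented limitations, then either drop the step on those jobs or add a comment such as `# no-op on this runner; kept for uniformity` so nobody assumes egress is being monitored there.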
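Review bot: The entries joined on the `ctest` line are consumed by `-E` as one regular expression, and the new names `ButteraugliTest.Lossless` and `ButteraugliTest.Distmap` carry an unescaped `.` where the removed patterns wrote `\.`. The expression is also unanchored, so any test whose name contains one of these strings is excluded too. Escaping the dot in the matrix, e.g. `- ButteraugliTest\.Lossless`, keeps the exclusion as narrow as intended.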
@@ -325,17 +415,23 @@ jobs: env: CCACHE_DIR: ${{ github.workspace }}/.ccache BUILD_TARGET: wasm32 - EM_VERSION: 3.1.1 + EM_VERSION: 3.1.50 NODE_VERSION: 18 strategy: matrix: include: - variant: scalar - - variant: simd + - variant: simd-128 + - variant: simd-256 steps: - - uses: actions/checkout@v2 + - name: Harden Runner + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: true fetch-depth: 1 @@ -343,12 +439,14 @@ jobs: shell: bash run: | set -x + sudo rm -f /var/lib/man-db/auto-update sudo apt update pkgs=( # Build dependencies ccache cmake doxygen + graphviz ninja-build pkg-config ) @@ -357,10 +455,10 @@ jobs: - name: Git environment id: git-env run: | - echo "::set-output name=parent::$(git rev-parse ${{ github.sha }}^)" + echo "parent=$(git rev-parse ${{ github.sha }}^)" >> $GITHUB_OUTPUT shell: bash - name: ccache - uses: actions/cache@v2 + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: ${{ env.CCACHE_DIR }} key: build-wasm-${{ runner.os }}-${{ github.sha }}-${{ matrix.variant }} @@ -368,7 +466,7 @@ jobs: build-wasm-${{ runner.os }}-${{ steps.git-env.outputs.parent }}-${{ matrix.variant }} - name: Install node - uses: actions/setup-node@v3 + uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0 with: node-version: ${{env.NODE_VERSION}} @@ -376,7 +474,7 @@ jobs: run: which node >> $HOME/.base_node_path - name: Install emsdk - uses: mymindstorm/setup-emsdk@v11 + uses: mymindstorm/setup-emsdk@ab889da2abbcbb280f91ec4c215d3bb4f3a8f775 # v12 # TODO(deymo): We could cache this action but it doesn't work when running # in a matrix. with: 
@@ -385,7 +483,7 @@ jobs: - name: Set EMSDK node version run: | - echo "NODE_JS='$(cat $HOME/.base_node_path)'" >> $EM_CONFIG + echo "NODE_JS='$(cat $HOME/.base_node_path)'" >> $EMSDK/.emscripten emsdk construct_env # TODO(deymo): Build and install other dependencies like libpng, libjpeg, @@ -394,14 +492,27 @@ jobs: run: | mkdir -p ${CCACHE_DIR} echo "max_size = 200M" > ${CCACHE_DIR}/ccache.conf - if [[ "${{ matrix.variant }}" == "simd" ]]; then + if [[ "${{ matrix.variant }}" == "simd-128" ]]; then export ENABLE_WASM_SIMD=1 fi + if [[ "${{ matrix.variant }}" == "simd-256" ]]; then + export ENABLE_WASM_SIMD=2 + fi ./ci.sh release \ -DCMAKE_CXX_COMPILER_LAUNCHER=ccache \ - -DCMAKE_C_COMPILER_LAUNCHER=ccache + -DCMAKE_C_COMPILER_LAUNCHER=ccache \ + -DJPEGXL_ENABLE_BENCHMARK=OFF \ + -DJPEGXL_ENABLE_DEVTOOLS=OFF \ + -DJPEGXL_ENABLE_DOXYGEN=OFF \ + -DJPEGXL_ENABLE_EXAMPLES=OFF \ + -DJPEGXL_ENABLE_JNI=OFF \ + -DJPEGXL_ENABLE_MANPAGES=OFF \ + -DJPEGXL_ENABLE_PLUGINS=OFF \ + -DJPEGXL_ENABLE_TOOLS=OFF \ + -DJPEGXL_ENABLE_VIEWERS=OFF env: SKIP_TEST: 1 + TARGETS: all - name: ccache stats run: ccache --show-stats 
@@ -412,3 +523,36 @@ jobs: contains(github.event.pull_request.labels.*.name, 'CI:full')) run: | ./ci.sh test + + bazel: + name: Bazel + runs-on: ubuntu-latest + strategy: + fail-fast: false + + steps: + - name: Harden Runner + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 + with: + egress-policy: audit + + - name: Checkout the source + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + submodules: true + fetch-depth: 1 + + - name: Patch + run: | + cd third_party/highway + git fetch origin 31fbbd7ce1e4179a32d86688cd67316556f582bf + git checkout 31fbbd7ce1e4179a32d86688cd67316556f582bf + git apply ${{ github.workspace }}/.github/workflows/highway.patch + - name: Build + run: bazel build -c opt ...:all + - name: Test + if: | + github.event_name == 'push' || + (github.event_name == 'pull_request' && + contains(github.event.pull_request.labels.*.name, 'CI:full')) + run: bazel test -c opt --test_output=errors ...:all diff --git a/.github/workflows/build_test_cross.yml b/.github/workflows/build_test_cross.yml index 5b53720..84e97f5 100644 --- a/.github/workflows/build_test_cross.yml +++ b/.github/workflows/build_test_cross.yml @@ -7,6 +7,7 @@ name: Build/Test Cross on: + merge_group: push: branches: - main 
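Review bot: The `Patch` step in the new `bazel` job moves `third_party/highway` to a hard-coded commit and applies `highway.patch`, with no comment saying why this is needed or when it can be removed. The hash is written twice, so a later bump can update one line and miss the other; a job-level `env:` entry such as `HIGHWAY_COMMIT: 31fbbd7ce1e4179a32d86688cd67316556f582bf`, used as `"${HIGHWAY_COMMIT}"` in both `git` commands, avoids that. `strategy:` with only `fail-fast: false` and no `matrix:` has no effect and can be dropped.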
@@ -14,84 +15,91 @@ on: pull_request: types: [opened, reopened, labeled, synchronize] +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }} cancel-in-progress: ${{ github.event_name == 'pull_request' }} jobs: - cross_compile_ubuntu: - name: Cross-compiling ${{ matrix.build_target }} ${{ matrix.variant }} + compile: + name: Cross-compiling ${{ matrix.identifier }} runs-on: [ubuntu-22.04] container: - image: debian:bullseye + image: debian:bookworm strategy: fail-fast: false matrix: + identifier: [arm64, arm64-sve, arm64-lowprecision, armhf, i386] include: - arch: arm64 + identifier: arm64 build_target: aarch64-linux-gnu cmake_args: - -DCMAKE_CROSSCOMPILING_EMULATOR=/usr/bin/qemu-aarch64-static - arch: arm64 - variant: SVE + identifier: arm64-sve build_target: aarch64-linux-gnu cmake_args: - -DCMAKE_CROSSCOMPILING_EMULATOR=/usr/bin/qemu-aarch64-static - -DJPEGXL_ENABLE_OPENEXR=off - -DJPEGXL_ENABLE_SIZELESS_VECTORS=on + - -DJPEGXL_WARNINGS_AS_ERRORS=off cmake_flags: -march=armv8-a+sve c_compiler: aarch64-linux-gnu-gcc cxx_compiler: aarch64-linux-gnu-g++ disable_tests: true - arch: arm64 - variant: lowprecision + identifier: arm64-lowprecision build_target: aarch64-linux-gnu cmake_args: - -DCMAKE_CROSSCOMPILING_EMULATOR=/usr/bin/qemu-aarch64-static - -DCMAKE_CXX_FLAGS=-DJXL_HIGH_PRECISION=0 - arch: armhf + identifier: armhf build_target: arm-linux-gnueabihf cmake_args: [-DCMAKE_CROSSCOMPILING_EMULATOR=/usr/bin/qemu-arm-static] - arch: i386 + identifier: i386 test_in_pr: true build_target: i686-linux-gnu env: BUILD_DIR: build - WILL_RUN_TESTS: ${{ (github.event_name == 'push' || (github.event_name == 'pull_request' && (matrix.test_in_pr || contains(github.event.pull_request.labels.*.name, 'CI:full')))) && !matrix.disable_tests }} + WILL_RUN_TESTS: ${{ (github.event_name == 'push' || (github.event_name == 'pull_request' && (matrix.test_in_pr || contains(github.event.pull_request.labels.*.name, 
'CI:full')))) }} steps: - - name: Setup apt + - name: Harden Runner + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 + with: + egress-policy: audit + + - name: Warmup apt shell: bash run: | set -x + rm -f /var/lib/man-db/auto-update apt-get update -y - apt-get install -y ca-certificates debian-ports-archive-keyring - - dpkg --add-architecture "${{ matrix.arch }}" + apt-get install -y ca-certificates debian-ports-archive-keyring git python3 - # Update the sources.list with the split of supported architectures. - bkplist="/etc/apt/sources.list.bkp" - mv /etc/apt/sources.list "${bkplist}" - - newlist="/etc/apt/sources.list" - rm -f "${newlist}" + - name: Checkout the source + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + submodules: true + fetch-depth: 1 - main_list="amd64,${{ matrix.arch }}" - port_list="" - if [[ "${{ matrix.arch }}" == "i386" ]]; then - main_list="amd64,i386" - else - port_list="${{ matrix.arch }}" - fi + - name: Setup apt + shell: bash + run: | + set -x + dpkg --add-architecture "${{ matrix.arch }}" - grep -v -E '^#' "${bkplist}" | - sed -E "s;^deb (http[^ ]+) (.*)\$;deb [arch=${main_list}] \\1 \\2\ndeb-src [arch=${main_list}] \\1 \\2;" \ - | tee -a "${newlist}" + python3 ./tools/scripts/transform_sources_list.py "amd64,${{ matrix.arch }}" - name: Install build deps shell: bash @@ -102,20 +110,20 @@ jobs: # Build dependencies cmake doxygen - git graphviz ninja-build pkg-config qemu-user-static + unzip xdg-utils xvfb # Toolchain for cross-compiling. - clang-11 + clang-14 g++-aarch64-linux-gnu libc6-dev-${{ matrix.arch }}-cross - libstdc++-10-dev-${{ matrix.arch }}-cross - libstdc++-10-dev:${{ matrix.arch }} + libstdc++-12-dev-${{ matrix.arch }}-cross + libstdc++-12-dev:${{ matrix.arch }} # Dependencies libbrotli-dev:${{ matrix.arch }} 
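Review bot: `image: debian:bookworm` is a mutable tag, so the container that produces the cross-compiled binaries can change between runs, while every `uses:` line in this commit is pinned to a commit SHA. Pinning the image by digest, `image: debian:bookworm@sha256:<DIGEST>`, gives the build environment the same reproducibility. The `test` job added further down in this file uses the same tag and should carry the same digest, since it executes the artefacts built here.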
@@ -131,10 +139,6 @@ jobs: # GTK plugins libgdk-pixbuf2.0-dev:${{ matrix.arch }} libgtk2.0-dev:${{ matrix.arch }} - - # QT - libqt5x11extras5-dev:${{ matrix.arch }} - qtbase5-dev:${{ matrix.arch }} ) if [[ "${{ matrix.build_target }}" != "x86_64-linux-gnu" ]]; then pkgs+=( @@ -152,13 +156,9 @@ jobs: ) fi DEBIAN_FRONTEND=noninteractive apt install -y "${pkgs[@]}" - echo "CC=${{ matrix.c_compiler || 'clang-11' }}" >> $GITHUB_ENV - echo "CXX=${{ matrix.cxx_compiler || 'clang++-11' }}" >> $GITHUB_ENV - - name: Checkout the source - uses: actions/checkout@v2 - with: - submodules: true - fetch-depth: 1 + echo "CC=${{ matrix.c_compiler || 'clang-14' }}" >> $GITHUB_ENV + echo "CXX=${{ matrix.cxx_compiler || 'clang++-14' }}" >> $GITHUB_ENV + - name: Build run: | CMAKE_FLAGS="${{ matrix.cmake_flags }}" ./ci.sh release \ 
@@ -168,16 +168,147 @@ jobs: env: SKIP_TEST: 1 BUILD_TARGET: ${{ matrix.build_target }} - - name: Build stats ${{ matrix.build_target }} + TARGETS: ${{ env.WILL_RUN_TESTS == 'true' && 'all_tests cjxl djxl libjxl.so libjxl_dec.so' || 'all' }} + + - name: Build stats run: | - tools/build_stats.py --save build/stats.json \ + tools/scripts/build_stats.py --save build/stats.json \ --binutils ${{ matrix.build_target }}- \ --max-stack ${{ matrix.max_stack || '0' }} \ cjxl djxl libjxl.so libjxl_dec.so - # Run the tests on push and when requested in pull_request. - - name: Test + + - name: Prepare artefacts if: env.WILL_RUN_TESTS == 'true' run: | - ./ci.sh test - env: - BUILD_TARGET: ${{ matrix.build_target }} + find ./build -regextype egrep -type f -regex '.*\.(a|h|jar|log|o)' + find ./build -type f -executable > executable.lst + cp /etc/apt/sources.list.d/debian.sources ./ + + - name: Test ranging + if: ${{ !matrix.disable_tests }} + run: | + mkdir -p ./build/Testing/Temporary + unzip ./tools/scripts/test_cost-${{ matrix.identifier }}.zip -d ./build/Testing/Temporary + + - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + if: env.WILL_RUN_TESTS == 'true' + with: + name: cross_binary-${{ matrix.identifier }} + path: | + build/ + ci.sh + debian.sources + executable.lst + testdata/ + retention-days: 1 + + test: + name: Testing ${{ matrix.identifier }} shard ${{ matrix.shard_number }} + needs: compile + runs-on: [ubuntu-22.04] + container: + image: debian:bookworm + strategy: + fail-fast: false + matrix: + shard_number: [0, 1, 2, 3, 4, 5, 6, 7] + identifier: [arm64, arm64-lowprecision, armhf, i386] + include: + - arch: arm64 + - identifier: arm64 + last_shard: 8 + + #- arch: arm64 + #- identifier: arm64-sve + # last_shard: 8 + + - arch: arm64 + identifier: arm64-lowprecision + last_shard: 8 + + - arch: armhf + identifier: armhf + last_shard: 8 + + - arch: i386 + identifier: i386 + test_in_pr: true + last_shard: 4 + + env: + BUILD_DIR: build + 
UPLOAD_TEST_COST: false + LAST_SHARD: ${{ false && 1 || matrix.last_shard}} + # Run the tests on push and when requested in pull_request. + WILL_RUN_TESTS: ${{ (github.event_name == 'push' || (github.event_name == 'pull_request' && (matrix.test_in_pr || contains(github.event.pull_request.labels.*.name, 'CI:full')))) }} + + steps: + - name: Harden Runner + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 + with: + egress-policy: audit + + - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + if: (matrix.shard_number < env.LAST_SHARD) && (env.WILL_RUN_TESTS == 'true') + with: + name: cross_binary-${{ matrix.identifier }} + + - name: Setup apt + if: (matrix.shard_number < env.LAST_SHARD) && (env.WILL_RUN_TESTS == 'true') + shell: bash + run: | + set -x + rm -f /var/lib/man-db/auto-update + apt-get update -y + apt-get install -y ca-certificates debian-ports-archive-keyring + + dpkg --add-architecture "${{ matrix.arch }}" + + cp ./debian.sources /etc/apt/sources.list.d/ + + - name: Install build deps + if: (matrix.shard_number < env.LAST_SHARD) && (env.WILL_RUN_TESTS == 'true') + shell: bash + run: | + set -x + apt update + pkgs=( + # Build dependencies + cmake + qemu-user-static + + # Dependencies + libbrotli-dev:${{ matrix.arch }} + libgif-dev:${{ matrix.arch }} + libjpeg-dev:${{ matrix.arch }} + libpng-dev:${{ matrix.arch }} + libwebp-dev:${{ matrix.arch }} + + # For OpenEXR: + libilmbase-dev:${{ matrix.arch }} + libopenexr-dev:${{ matrix.arch }} + ) + DEBIAN_FRONTEND=noninteractive apt install -y "${pkgs[@]}" + + - name: Prepare + if: (env.UPLOAD_TEST_COST == 'true') && (matrix.shard_number == 0) && (env.WILL_RUN_TESTS == 'true') + run: | + rm build/Testing/Temporary/CTestCostData.txt + + - name: Test + if: (matrix.shard_number < env.LAST_SHARD) && (env.WILL_RUN_TESTS == 'true') + run: | + chmod +x ./ci.sh + chmod +x `cat executable.lst` + ./ci.sh test \ + -I ${{ matrix.shard_number }},,${{ 
env.LAST_SHARD }} \ + -E '(bash_test|conformance_tooling_test|test_jxl_jni_wrapper)' + + - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + name: Upload test cost + if: (env.UPLOAD_TEST_COST == 'true') && (matrix.shard_number == 0) && (env.WILL_RUN_TESTS == 'true') + with: + name: test_cost-${{ matrix.identifier }} + path: | + build/Testing/Temporary/CTestCostData.txt + retention-days: 1 diff --git a/.github/workflows/build_test_md.yml b/.github/workflows/build_test_md.yml new file mode 100644 index 0000000..e109523 --- /dev/null +++ b/.github/workflows/build_test_md.yml 
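Review bot: The first `include:` entry of the new `test` job's matrix reads `- arch: arm64` followed by `- identifier: arm64`, i.e. two list items, where the other entries put `arch` and `identifier` in one item. Indentation is not recoverable in this view, but if that is what the file contains, the bare `- arch: arm64` item is added to every matrix combination and the `arm64` shards only get the right `arch` as a side effect. Merging them into one item (`- arch: arm64`, then `identifier: arm64` and `last_shard: 8` as further keys of that item) matches the other entries; the commented-out `arm64-sve` entry has the same shape.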
@@ -0,0 +1,60 @@
+# Copyright (c) the JPEG XL Project Authors. All rights reserved.
+#
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+# Workflow for building and running tests.
+
+name: Build/Test
+on:
+ pull_request:
+ types: [opened, reopened, labeled, synchronize]
+ paths:
+ - '**.md'
+
+permissions:
+ contents: read
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}
+ cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+ ubuntu-build:
+ name: Ubuntu Build ${{ matrix.name }}
+ # Include all names of required jobs here
+ strategy:
+ matrix:
+ include:
+ - name: release
+ - name: debug
+ - name: scalar
+ - name: asan
+ - name: release-nojpeg
+ - name: release-lcms2
+ - name: release:gcc8
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+ with:
+ egress-policy: audit
+
+ - run: 'echo "markdown only changes: no build required"'
+
+ windows_msys:
+ name: Windows MSYS2 / ${{ matrix.msystem }}
+ # Include all msystem of required jobs here
+ strategy:
+ matrix:
+ include:
+ - msystem: clang64
+ - msystem: clang32
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+ with:
+ egress-policy: audit
+
+ - run: 'echo "markdown only changes: no build required"'
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..49821fe
--- /dev/null
+++ b/.github/workflows/codeql.yml
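Review bot: `paths: '**.md'` starts this stub workflow whenever any changed file is a Markdown file, not only when all of them are, and its jobs report success under the same check names (`Ubuntu Build release`, `Windows MSYS2 / clang64`, and so on) as the real Build/Test workflow. For a pull request that touches code and a `.md` file, both workflows would then publish checks with identical names, and a required check could be satisfied by the stub's `echo`. The path filter on build_test.yml is not visible in these hunks, so please confirm how the two interact. A comment at the top of this file stating that it exists only to satisfy required checks and must mirror build_test.yml's filter would help the next maintainer.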
@@ -0,0 +1,116 @@ +# Copyright (c) the JPEG XL Project Authors. All rights reserved. +# +# Use of this source code is governed by a BSD-style +# license that can be found in the LICENSE file. + +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: ["main"] + pull_request: + # The branches below must be a subset of the branches above + branches: ["main"] + schedule: + - cron: "0 0 * * 1" + +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }} + cancel-in-progress: ${{ github.event_name == 'pull_request' }} + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: ["cpp"] + # CodeQL supports [ $supported-codeql-languages ] + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + + steps: + - name: Harden Runner + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 + with: + egress-policy: audit + + - name: Checkout repository + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. 
+ # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + - name: Install build deps + run: | + sudo rm -f /var/lib/man-db/auto-update + sudo apt update + sudo apt install -y \ + ccache \ + clang \ + cmake \ + doxygen \ + graphviz \ + imagemagick \ + libbenchmark-dev \ + libbenchmark-tools \ + libbrotli-dev \ + libgdk-pixbuf2.0-dev \ + libgif-dev \ + libgtest-dev \ + libgtk2.0-dev \ + libjpeg-dev \ + libjpeg-turbo-progs \ + libopenexr-dev \ + libpng-dev \ + libwebp-dev \ + ninja-build \ + pkg-config \ + xvfb \ + ${{ matrix.apt_pkgs }} \ + # + echo "CC=${{ matrix.cc || 'clang' }}" >> $GITHUB_ENV + echo "CXX=${{ matrix.cxx || 'clang++' }}" >> $GITHUB_ENV + - name: Checkout the source + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + submodules: true + fetch-depth: 2 + + + - name: Build + run: | + ./ci.sh opt -DJPEGXL_FORCE_SYSTEM_BROTLI=ON \ + -DBUILD_TESTING=OFF + env: + SKIP_TEST: 1 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index c59dc89..5ce1e3b 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml @@ -7,6 +7,7 @@ name: Conformance on: + merge_group: push: branches: - main 
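Review bot: The `Install build deps` step in codeql.yml reads `matrix.apt_pkgs`, `matrix.cc` and `matrix.cxx`, but the matrix here defines only `language`, so those expressions always expand to nothing or to the `'clang'` / `'clang++'` fallbacks. Writing `echo "CC=clang" >> $GITHUB_ENV` and `echo "CXX=clang++" >> $GITHUB_ENV` directly, as the conformance.yml hunk does, would make that explicit. The job also checks out twice, `Checkout repository` before `Initialize CodeQL` and `Checkout the source` with `submodules: true` after it. A single checkout with `submodules: true` placed before the init step should be enough, and presumably avoids rewriting the working tree after CodeQL has been initialized.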
@@ -14,24 +15,36 @@ on: pull_request: types: [opened, reopened, labeled, synchronize] +permissions: + contents: read + +env: + CONFORMANCE_REPO_HASH: ee6008ef151489a5330cd886b422af8f6ed58881 + LIBJXL_VERSION: 0.9.0 + LIBJXL_ABI_VERSION: 0.9 + concurrency: group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }} cancel-in-progress: ${{ github.event_name == 'pull_request' }} jobs: - warmup: # If necessary, fetch files just once, before tests are run. + warmup: # If necessary, fetch files just once, before tests are run. name: Warmup caches runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 + with: + egress-policy: audit + - name: Checkout the conformance source - uses: actions/checkout@v2 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: libjxl/conformance - # TODO(eustas): move ref to a global variable / file? - ref: a6a44bbbd69830e1dc862174599ce5738a0a414f + ref: ${{ env.CONFORMANCE_REPO_HASH }} path: conformance - name: Cache - uses: actions/cache@v2 + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: ${{ github.workspace }}/conformance/.objects key: conformance-refs @@ -64,14 +77,21 @@ jobs: env: CCACHE_DIR: ${{ github.workspace }}/.ccache steps: + - name: Harden Runner + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 + with: + egress-policy: audit + - name: Install build deps run: | + sudo rm -f /var/lib/man-db/auto-update sudo apt update sudo apt install -y \ ccache \ - clang-7 \ + clang \ cmake \ doxygen \ + graphviz \ libbenchmark-dev \ libbenchmark-tools \ libbrotli-dev \ 
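Review bot: The new `env:` block writes `LIBJXL_ABI_VERSION: 0.9` as a plain scalar, which YAML reads as a float rather than a string. It works for `0.9`, but a later value such as `0.10` may be normalised to `0.1` before it reaches the `ln -s ... libjxl.so.${{ env.LIBJXL_ABI_VERSION }}` lines in the `Run conformance tests` hunk. Quoting both version values keeps them as text: `LIBJXL_VERSION: "0.9.0"` and `LIBJXL_ABI_VERSION: "0.9"`.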
@@ -88,20 +108,20 @@ jobs: xvfb \ ${{ matrix.apt_pkgs }} \ # - echo "CC=clang-7" >> $GITHUB_ENV - echo "CXX=clang++-7" >> $GITHUB_ENV + echo "CC=clang" >> $GITHUB_ENV + echo "CXX=clang++" >> $GITHUB_ENV - name: Checkout the jxl source - uses: actions/checkout@v2 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: true fetch-depth: 2 - name: Git environment id: git-env run: | - echo "::set-output name=parent::$(git rev-parse ${{ github.sha }}^)" + echo "parent=$(git rev-parse ${{ github.sha }}^)" >> $GITHUB_OUTPUT shell: bash - name: ccache - uses: actions/cache@v2 + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: ${{ env.CCACHE_DIR }} # When the cache hits the key it is not updated, so if this is a rebuild @@ -116,6 +136,7 @@ jobs: mkdir -p ${CCACHE_DIR} echo "max_size = 200M" > ${CCACHE_DIR}/ccache.conf CMAKE_FLAGS="${{ matrix.cflags }}" \ + TARGETS="tools/djxl" \ ./ci.sh ${{ matrix.build_type || 'release' }} -DJPEGXL_FORCE_SYSTEM_BROTLI=ON \ -DCMAKE_CXX_COMPILER_LAUNCHER=ccache \ -DCMAKE_C_COMPILER_LAUNCHER=ccache \ 
@@ -124,19 +145,23 @@ jobs: cp tools/conformance/conformance.py build/tools/conformance cp tools/conformance/lcms2.py build/tools/conformance cp build/tools/djxl build/tools/conformance - cp build/libjxl.so.0.7.0 build/tools/conformance - cp build/libjxl_threads.so.0.7.0 build/tools/conformance + cp build/lib/libjxl.so.${{ env.LIBJXL_VERSION }} build/tools/conformance + cp build/lib/libjxl_cms.so.${{ env.LIBJXL_VERSION }} build/tools/conformance + cp build/lib/libjxl_threads.so.${{ env.LIBJXL_VERSION }} build/tools/conformance + cp build/lib/libjxl_extras_codec.so.${{ env.LIBJXL_VERSION }} build/tools/conformance env: SKIP_TEST: 1 - - uses: actions/upload-artifact@v2 + - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: conformance_binary-${{ matrix.name }} path: | build/tools/conformance/conformance.py build/tools/conformance/lcms2.py build/tools/conformance/djxl - build/tools/conformance/libjxl.so.0.7.0 - build/tools/conformance/libjxl_threads.so.0.7.0 + build/tools/conformance/libjxl.so.${{ env.LIBJXL_VERSION }} + build/tools/conformance/libjxl_cms.so.${{ env.LIBJXL_VERSION }} + build/tools/conformance/libjxl_threads.so.${{ env.LIBJXL_VERSION }} + build/tools/conformance/libjxl_extras_codec.so.${{ env.LIBJXL_VERSION }} - name: ccache stats run: ccache --show-stats 
@@ -150,31 +175,38 @@ jobs: name: [main_level5, main_level10] target: [AVX3, AVX2, SSE4, SSSE3, EMU128, SCALAR, SCALAR_ASAN] steps: + - name: Harden Runner + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 + with: + egress-policy: audit + - name: Install deps run: | pip install numpy - name: Checkout the conformance source - uses: actions/checkout@v2 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: libjxl/conformance - ref: a6a44bbbd69830e1dc862174599ce5738a0a414f + ref: ${{ env.CONFORMANCE_REPO_HASH }} path: conformance - name: Cache - uses: actions/cache@v2 + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: ${{ github.workspace }}/conformance/.objects key: conformance-refs - name: Download and link conformance files run: | ${{ github.workspace }}/conformance/scripts/download_and_symlink.sh - - uses: actions/download-artifact@v2 + - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: conformance_binary-${{ matrix.target }} - name: Run conformance tests run: | chmod +x djxl - ln -s libjxl.so.0.7.0 libjxl.so.0.7 - ln -s libjxl_threads.so.0.7.0 libjxl_threads.so.0.7 + ln -s libjxl.so.${{ env.LIBJXL_VERSION }} libjxl.so.${{ env.LIBJXL_ABI_VERSION }} + ln -s libjxl_cms.so.${{ env.LIBJXL_VERSION }} libjxl_cms.so.${{ env.LIBJXL_ABI_VERSION }} + ln -s libjxl_threads.so.${{ env.LIBJXL_VERSION }} libjxl_threads.so.${{ env.LIBJXL_ABI_VERSION }} + ln -s libjxl_extras_codec.so.${{ env.LIBJXL_VERSION }} libjxl_extras_codec.so.${{ env.LIBJXL_ABI_VERSION }} export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:`pwd` python conformance.py \ --decoder=`pwd`/djxl \ diff --git a/.github/workflows/debug_ci.yml b/.github/workflows/debug_ci.yml index fb3522e..d7f6295 100644 --- a/.github/workflows/debug_ci.yml +++ b/.github/workflows/debug_ci.yml 
@@ -11,49 +11,134 @@ on: branches: - ci-*-debug +permissions: + contents: read + jobs: - ubuntu_build: - name: Ubuntu Build and SSH - runs-on: [ubuntu-latest] + cross_compile_ubuntu: + name: Cross-compiling ${{ matrix.build_target }} ${{ matrix.variant }} + runs-on: [ubuntu-22.04] + container: + image: debian:bookworm + strategy: + fail-fast: false + matrix: + include: + - arch: i386 + build_target: i686-linux-gnu + + env: + BUILD_DIR: build steps: + - name: Harden Runner + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 + with: + egress-policy: audit + + - name: Setup apt + shell: bash + run: | + set -x + rm -f /var/lib/man-db/auto-update + apt-get update -y + apt-get install -y ca-certificates debian-ports-archive-keyring + + dpkg --add-architecture "${{ matrix.arch }}" + + # Update the sources.list with the split of supported architectures. + bkplist="/etc/apt/sources.list.bkp" + mv /etc/apt/sources.list "${bkplist}" + + newlist="/etc/apt/sources.list" + rm -f "${newlist}" + + main_list="amd64,${{ matrix.arch }}" + port_list="" + if [[ "${{ matrix.arch }}" == "i386" ]]; then + main_list="amd64,i386" + else + port_list="${{ matrix.arch }}" + fi + + grep -v -E '^#' "${bkplist}" | + sed -E "s;^deb (http[^ ]+) (.*)\$;deb [arch=${main_list}] \\1 \\2\ndeb-src [arch=${main_list}] \\1 \\2;" \ + | tee -a "${newlist}" + - name: Install build deps + shell: bash run: | - sudo apt update - sudo apt install -y \ - ccache \ - clang-7 \ - cmake \ - doxygen \ - libbrotli-dev \ - libgdk-pixbuf2.0-dev \ - libgif-dev \ - libgtest-dev \ - libgtk2.0-dev \ - libjpeg-dev \ - libopenexr-dev \ - libpng-dev \ - libwebp-dev \ - ninja-build \ - pkg-config \ - xvfb \ - ${{ matrix.apt_pkgs }} \ - # - echo "CC=clang-7" >> $GITHUB_ENV - echo "CXX=clang++-7" >> $GITHUB_ENV + set -x + rm -f /var/lib/man-db/auto-update + apt update + pkgs=( + # Build dependencies + cmake + doxygen + git + graphviz + ninja-build + pkg-config + qemu-user-static + xdg-utils + xvfb 
+ + # Toolchain for cross-compiling. + clang-11 + g++-aarch64-linux-gnu + libc6-dev-${{ matrix.arch }}-cross + libstdc++-10-dev-${{ matrix.arch }}-cross + libstdc++-10-dev:${{ matrix.arch }} + + # Dependencies + libbrotli-dev:${{ matrix.arch }} + libgif-dev:${{ matrix.arch }} + libjpeg-dev:${{ matrix.arch }} + libpng-dev:${{ matrix.arch }} + libwebp-dev:${{ matrix.arch }} + + # For OpenEXR: + libilmbase-dev:${{ matrix.arch }} + libopenexr-dev:${{ matrix.arch }} + + # GTK plugins + libgdk-pixbuf2.0-dev:${{ matrix.arch }} + libgtk2.0-dev:${{ matrix.arch }} + ) + if [[ "${{ matrix.build_target }}" != "x86_64-linux-gnu" ]]; then + pkgs+=( + binutils-${{ matrix.build_target }} + gcc-${{ matrix.build_target }} + ) + fi + if [[ "${{ matrix.arch }}" != "i386" ]]; then + pkgs+=( + # TCMalloc + libgoogle-perftools-dev:${{ matrix.arch }} + libgoogle-perftools4:${{ matrix.arch }} + libtcmalloc-minimal4:${{ matrix.arch }} + libunwind-dev:${{ matrix.arch }} + ) + fi + DEBIAN_FRONTEND=noninteractive apt install -y "${pkgs[@]}" + echo "CC=${{ matrix.c_compiler || 'clang-11' }}" >> $GITHUB_ENV + echo "CXX=${{ matrix.cxx_compiler || 'clang++-11' }}" >> $GITHUB_ENV - name: Checkout the source - uses: actions/checkout@v2 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: true - fetch-depth: 2 - - name: Build + fetch-depth: 1 + - name: Configure run: | - ./ci.sh $(echo ${{ github.ref }} | sed 's_refs/heads/ci-\([a-z_]*\)-debug_\1_') \ - -DJPEGXL_FORCE_SYSTEM_BROTLI=ON + CMAKE_FLAGS="${{ matrix.cmake_flags }}" ./ci.sh release \ + -DJPEGXL_FORCE_SYSTEM_BROTLI=ON \ + -DJPEGXL_ENABLE_JNI=OFF \ + ${{ join(matrix.cmake_args, ' ') }} env: - SKIP_TEST: 1 + SKIP_BUILD: 1 + BUILD_TARGET: ${{ matrix.build_target }} - name: Setup tmate session - uses: mxschmitt/action-tmate@v3 + uses: mxschmitt/action-tmate@a283f9441d2d96eb62436dc46d7014f5d357ac22 # v3.17 
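Review bot: The last step of this hunk, `uses: mxschmitt/action-tmate@a283f9441d2d96eb62436dc46d7014f5d357ac22 # v3.17`, opens an interactive shell on the runner with no `with:` block, so the session is not restricted to the person who pushed the `ci-*-debug` branch. The action supports `limit-access-to-actor: true`, which ties the session to the SSH keys of the triggering user. Adding `with:` / `limit-access-to-actor: true` and a `timeout-minutes:` bound on the step would keep a forgotten session from staying reachable through connection details that, as far as the action's documentation goes, are printed in the job log. The SHA pin and `permissions: contents: read` added in this hunk are good, but neither covers who may attach to the shell.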
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000..46417a7 --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,36 @@ +# Copyright (c) the JPEG XL Project Authors. All rights reserved. +# +# Use of this source code is governed by a BSD-style +# license that can be found in the LICENSE file. + +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Request, +# surfacing known-vulnerable versions of the packages declared or updated in the PR. +# Once installed, if the workflow run is marked as required, +# PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +name: 'Dependency Review' +on: [pull_request] + +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }} + cancel-in-progress: ${{ github.event_name == 'pull_request' }} + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: Harden Runner + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 + with: + egress-policy: audit + + - name: 'Checkout Repository' + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: 'Dependency Review' + uses: actions/dependency-review-action@fde92acd0840415674c16b39c7d703fc28bc511e # v3.1.2 diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml index 188a4c7..eaa04cd 100644 --- a/.github/workflows/fuzz.yml +++ b/.github/workflows/fuzz.yml @@ -9,6 +9,7 @@ name: CIFuzz on: + merge_group: pull_request: types: [opened, reopened, synchronize] paths: 
@@ -19,7 +20,10 @@ on: - '**CMakeLists.txt' - .github/workflows/fuzz.yml -concurrency: +permissions: + contents: read + +concurrency: group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }} cancel-in-progress: ${{ github.event_name == 'pull_request' }} @@ -27,8 +31,13 @@ jobs: fuzzing: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 + with: + egress-policy: audit + - name: Checkout source - uses: actions/checkout@v2 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 id: checkout with: # The build_fuzzers action checks out the code to the storage/libjxl @@ -38,18 +47,18 @@ jobs: submodules: true - name: Build Fuzzers id: build - uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master + uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@71ecd5d4e4bf9a6edc19c9fa6d2422fb528bca4f # master with: oss-fuzz-project-name: 'libjxl' language: c++ - name: Run Fuzzers - uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master + uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@71ecd5d4e4bf9a6edc19c9fa6d2422fb528bca4f # master with: oss-fuzz-project-name: 'libjxl' language: c++ fuzz-seconds: 600 - name: Upload Crash - uses: actions/upload-artifact@v1 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 if: failure() && steps.build.outcome == 'success' with: name: artifacts diff --git a/.github/workflows/gitlab_mirror.yml b/.github/workflows/gitlab_mirror.yml new file mode 100644 index 0000000..72ce463 --- /dev/null +++ b/.github/workflows/gitlab_mirror.yml 
@@ -0,0 +1,53 @@
+# Copyright (c) the JPEG XL Project Authors. All rights reserved.
+#
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+# Workflow for building and running tests.
+
+name: Mirror to GitLab
+
+on:
+ push:
+ branches:
+ - main
+ - v*.*.x
+
+env:
+ BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
+
+permissions:
+ contents: read
+
+jobs:
+ mirror:
+ permissions:
+ contents: write # for Git to git push
+ if: github.repository_owner == 'libjxl'
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+ with:
+ egress-policy: audit
+
+ - name: Checkout source
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ fetch-depth: 0 # Disable shallow clone
+
+ - name: Set up SSH
+ run: |
+ mkdir -p ~/.ssh/
+ chmod 700 ~/.ssh/
+ echo "${{ secrets.GITLAB_DEPLOY_KEY }}" > ~/.ssh/id_ed25519
+ chmod 400 ~/.ssh/id_ed25519
+ ssh-keyscan gitlab.com >> ~/.ssh/known_hosts
+
+ - name: Push to GitLab
+ env:
+ GIT_SSH_COMMAND: ssh -v -i ~/.ssh/id_ed25519 -o IdentitiesOnly=yes -o StrictHostKeyChecking=no
+ run: |
+ git remote add gitlab git@gitlab.com:wg1/jpeg-xl.git
+ git push gitlab $BRANCH_NAME:$BRANCH_NAME
diff --git a/.github/workflows/highway.patch b/.github/workflows/highway.patch
new file mode 100644
index 0000000..a63dbbf
--- /dev/null
+++ b/.github/workflows/highway.patch
@@ -0,0 +1,12 @@
+diff --git a/BUILD b/BUILD
+index 438b671..d2777b2 100644
+--- a/BUILD
++++ b/BUILD
+@@ -153,6 +153,7 @@ cc_library(
+ "hwy/detect_compiler_arch.h", # private
+ "hwy/print.h",
+ ],
++ includes = ["."],
+ compatible_with = [],
+ copts = COPTS,
+ defines = DEFINES,
diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml
new file mode 100644
index 0000000..f4338d2
--- /dev/null
+++ b/.github/workflows/pages.yml
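Review bot: The `Push to GitLab` step in gitlab_mirror.yml sets `-o StrictHostKeyChecking=no` in `GIT_SSH_COMMAND`, so the host key is never verified and the `known_hosts` file written by `ssh-keyscan` is not enforced. `ssh-keyscan` also accepts whatever key the network returns at run time, which leaves the push with the deploy key exposed to an on-path impersonation of gitlab.com. Supplying GitLab's published host keys from a value kept with the repository and setting `StrictHostKeyChecking=yes` closes that gap. The deploy key is better passed through `env:` than interpolated into the script text, and `-v` can be dropped once the job works. The header comment `# Workflow for building and running tests.` also looks copied and does not describe a mirror job.
```yaml
      - name: Set up SSH
        env:
          GITLAB_DEPLOY_KEY: ${{ secrets.GITLAB_DEPLOY_KEY }}
          # Placeholder name: a repository variable holding GitLab's published host keys.
          GITLAB_KNOWN_HOSTS: ${{ vars.GITLAB_KNOWN_HOSTS }}
        run: |
          # … unchanged: mkdir / chmod of ~/.ssh …
          printf '%s\n' "$GITLAB_DEPLOY_KEY" > ~/.ssh/id_ed25519
          chmod 400 ~/.ssh/id_ed25519
          printf '%s\n' "$GITLAB_KNOWN_HOSTS" > ~/.ssh/known_hosts

      - name: Push to GitLab
        env:
          GIT_SSH_COMMAND: ssh -i ~/.ssh/id_ed25519 -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes
        # … unchanged: git remote add / git push …
```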
@@ -0,0 +1,69 @@
+# Copyright (c) the JPEG XL Project Authors. All rights reserved.
+#
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+# Simple workflow for deploying static content to GitHub Pages
+name: Deploy static content to Pages
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: ["main"]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
+# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
+concurrency:
+ group: "pages"
+ cancel-in-progress: false
+
+jobs:
+ # Single deploy job since we're just deploying
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ submodules: true
+ fetch-depth: 2
+ - name: Install build deps
+ run: |
+ sudo rm -f /var/lib/man-db/auto-update
+ sudo apt update
+ sudo apt install -y \
+ cmake \
+ doxygen \
+ graphviz
+ - name: Sphinx dependencies
+ run: |
+ pip3 install -r doc/sphinx/requirements.txt
+ - name: Build
+ run: |
+ cmake -B build . \
+ -DCMAKE_BUILD_TYPE=RelWithDebInfo \
+ -DJPEGXL_FORCE_SYSTEM_BROTLI=ON \
+ -DBUILD_TESTING=OFF
+ cmake --build build -- rtd-html
+ - name: Setup Pages
+ uses: actions/configure-pages@v4
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v2
+ with:
+ # Upload entire repository
+ path: './build/rtd'
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v3
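Review bot: The last three steps of pages.yml reference `actions/configure-pages@v4`, `actions/upload-pages-artifact@v2` and `actions/deploy-pages@v3` by mutable tag, while every other action in this commit is pinned to a full commit SHA. This job runs with `pages: write` and `id-token: write`, so it is the one where a moved tag would matter most. Pinning each in the same form as the rest, e.g. `uses: actions/deploy-pages@<full-commit-sha> # v3`, keeps the file consistent and lets the Dependabot `github-actions` entry track updates. The job also has no `Harden Runner` step, unlike the other new workflows. The comment `# Upload entire repository` above `path: './build/rtd'` describes a different path than the one uploaded.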
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index b1214e1..29f4c5c 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -7,36 +7,59 @@ name: PR on: + merge_group: pull_request: types: [opened, reopened, synchronize] +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }} + cancel-in-progress: ${{ github.event_name == 'pull_request' }} + jobs: # Checks that the AUTHORS files is updated with new contributors. authors: runs-on: [ubuntu-latest] steps: + - name: Harden Runner + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 + with: + egress-policy: audit + - name: Checkout the source - uses: actions/checkout@v2 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Check AUTHORS file + # This is an optional check + continue-on-error: True run: ./ci.sh authors format: runs-on: [ubuntu-latest] steps: + - name: Harden Runner + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 + with: + egress-policy: audit + - name: Install build deps run: | + sudo rm -f /var/lib/man-db/auto-update sudo apt update sudo apt install -y \ clang-format \ - clang-format-7 \ - clang-format-8 \ - clang-format-9 \ - clang-format-10 \ - clang-format-11 \ + clang-format-14 \ + clang-format-15 \ # - name: Checkout the source - uses: actions/checkout@v2 - - name: clang-format - run: + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: Install buildifier + run: | + eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" + brew install buildifier + - name: lint + run: | + eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" ./ci.sh lint >&2 diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 4222266..515d2c8 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
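Review bot: The new `Install buildifier` step in the `format` job runs `brew install buildifier`, which fetches whatever version Homebrew currently serves, with no version or checksum fixed in the workflow. That is at odds with the SHA pinning applied to the actions in this hunk, and it lets `./ci.sh lint` results change without any change in the repository. Installing a specific buildifier release and verifying its published checksum before use would make the lint job reproducible. In the `authors` job, `continue-on-error: True` should be written `continue-on-error: true`, so that the value does not depend on how the parser treats capitalised booleans.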
@@ -13,26 +13,47 @@ name: Release build / deploy on: + merge_group: push: branches: - main - v*.*.x + pull_request: + types: [opened, reopened, labeled, synchronize] + paths-ignore: + - '**.md' + - 'AUTHORS' release: types: [ published ] + workflow_dispatch: + +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }} + cancel-in-progress: ${{ github.event_name == 'pull_request' }} jobs: ubuntu_static_x86_64: name: Release linux x86_64 static runs-on: [ubuntu-latest] steps: + - name: Harden Runner + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 + with: + egress-policy: audit + - name: Install build deps run: | + sudo rm -f /var/lib/man-db/auto-update sudo apt update sudo apt install -y \ asciidoc \ clang \ cmake \ doxygen \ + graphviz \ libbrotli-dev \ libgdk-pixbuf2.0-dev \ libgif-dev \ @@ -49,7 +70,7 @@ jobs: echo "CXX=clang++" >> $GITHUB_ENV - name: Checkout the source - uses: actions/checkout@v2 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: true fetch-depth: 1 
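Review bot: The top-level `permissions: contents: read` added to release.yaml also limits the `GITHUB_TOKEN` that the `Upload binaries to release` steps pass as `repo-token:` to `AButler/upload-release-assets` (hunks at -60,29, -256,7 and -372,7). Attaching assets to a release needs `contents: write`, so on a `release` event those uploads would presumably be rejected, unless a job-level `permissions:` block outside the visible hunks grants it. Keeping the read-only default and adding `permissions:` / `contents: write` to only the three jobs that upload would preserve least privilege for the new `pull_request` and `merge_group` runs. The job definitions start and end outside these hunks, so this should be checked against the full file.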
@@ -60,29 +81,31 @@ jobs: run: | ./ci.sh release \ -DJPEGXL_DEP_LICENSE_DIR=/usr/share/doc \ - -DJPEGXL_STATIC=ON \ + -DBUILD_SHARED_LIBS=OFF \ -DBUILD_TESTING=OFF \ + -DJPEGXL_ENABLE_JPEGLI_LIBJPEG=OFF \ -DJPEGXL_ENABLE_VIEWERS=OFF \ -DJPEGXL_ENABLE_PLUGINS=OFF \ -DJPEGXL_ENABLE_OPENEXR=OFF \ + -DJPEGXL_ENABLE_DEVTOOLS=ON \ - name: Package release tarball run: | cd build tar -zcvf ${{ runner.workspace }}/release_file.tar.gz \ - LICENSE* tools/{cjxl,djxl,benchmark_xl} + LICENSE* tools/{cjxl,djxl,benchmark_xl,cjpegli,djpegli,jxlinfo,butteraugli_main,ssimulacra2} ln -s ${{ runner.workspace }}/release_file.tar.gz \ ${{ runner.workspace }}/jxl-linux-x86_64-static-${{ github.event.release.tag_name }}.tar.gz - name: Upload artifacts - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: jxl-linux-x86_64-static path: ${{ runner.workspace }}/release_file.tar.gz - name: Upload binaries to release if: github.event_name == 'release' - uses: AButler/upload-release-assets@v2.0 + uses: AButler/upload-release-assets@c94805dc72e4b20745f543da0f62eaee7722df7a # v2.0.2 with: files: ${{ runner.workspace }}/jxl-linux-x86_64-static-${{ github.event.release.tag_name }}.tar.gz repo-token: ${{ secrets.GITHUB_TOKEN }} 
@@ -96,76 +119,48 @@ jobs: fail-fast: false matrix: os: + - ubuntu:22.04 - ubuntu:20.04 - - ubuntu:18.04 - - debian:buster - debian:bullseye - debian:bookworm + - debian:trixie - debian:sid container: image: ${{ matrix.os }} steps: + - name: Harden Runner + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 + with: + egress-policy: audit + - name: Set env shell: 'bash' id: 'env' run: | artifact_name="jxl-debs-amd64-${matrix_os/:/-}" echo ${artifact_name} - echo "::set-output name=artifact_name::${artifact_name}" + echo "artifact_name=${artifact_name}" >> $GITHUB_OUTPUT env: matrix_os: ${{ matrix.os }} - name: Install build deps run: | + rm -f /var/lib/man-db/auto-update apt update DEBIAN_FRONTEND=noninteractive apt install -y \ build-essential \ devscripts \ # - - name: Install git (only 18.04) - if: matrix.os == 'ubuntu:18.04' - # Ubuntu 18.04 ships with git 2.17 but we need 2.18 or newer for - # actions/checkout@v2 to work - shell: 'bash' - run: | - apt install -y \ - libcurl4-openssl-dev \ - libexpat1-dev \ - libssl-dev \ - wget \ - zlib1g-dev \ - # - git_version="2.32.0" - wget -nv \ - "https://github.com/git/git/archive/refs/tags/v${git_version}.tar.gz" - tar -zxf "v${git_version}.tar.gz" - cd "git-${git_version}" - make prefix=/usr -j4 install - - - name: Install gcc-8 (only 18.04) - if: matrix.os == 'ubuntu:18.04' - # Compiler bug workaround: install and use gcc-8 - shell: 'bash' - run: | - apt install -y \ - gcc-8 \ - g++-8 \ - # - update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-8 100 - update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-8 100 - update-alternatives --set g++ /usr/bin/g++-8 - update-alternatives --set gcc /usr/bin/gcc-8 - - name: Set git safe dir run: | export GIT_CEILING_DIRECTORIES=/__w # only work before git v2.35.2 git config --global --add safe.directory /__w/libjxl/libjxl - name: Checkout the source - uses: actions/checkout@v2 + uses: 
actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: true fetch-depth: 1 @@ -197,20 +192,6 @@ jobs: dch -M --distribution unstable --release '' fi - - name: Install gtest (only 18.04) - if: matrix.os == 'ubuntu:18.04' - # In Ubuntu 18.04 no package installed the libgtest.a. libgtest-dev - # installs the source files only. - run: | - apt install -y libgtest-dev cmake - for prj in googletest googlemock; do - (cd /usr/src/googletest/${prj}/ && - cmake CMakeLists.txt -DCMAKE_INSTALL_PREFIX=/usr && - make all install) - done - # Remove libgmock-dev dependency in Ubuntu 18.04. It doesn't exist there. - sed '/libgmock-dev,/d' -i debian/control - - name: Install gmock-dev (debian:sid) # gtest-dev cmake depends on gmock-dev, but it is not installed by the # package. @@ -218,11 +199,10 @@ jobs: run: | apt install -y libgmock-dev - - name: Remove libjxl-gimp-plugin package (only 18.04) - if: matrix.os == 'ubuntu:18.04' + - name: Configure hwy + if: ${{ github.event_name == 'schedule' || github.event_name == 'release' || contains(github.event.pull_request.labels.*.name, 'CI:full') }} run: | - # Gimp 2.8 is not supported. - sed -i '/Package: libjxl-gimp-plugin/,/^$/d' debian/control + echo "HWY_PKG_OPTIONS=" >> $GITHUB_ENV - name: Build hwy run: | @@ -240,7 +220,7 @@ jobs: ./ci.sh debian_stats - name: Upload artifacts - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: ${{ steps.env.outputs.artifact_name }} path: | @@ -256,7 +236,7 @@ jobs: - name: Upload binaries to release if: github.event_name == 'release' - uses: AButler/upload-release-assets@v2.0 + uses: AButler/upload-release-assets@c94805dc72e4b20745f543da0f62eaee7722df7a # v2.0.2 with: files: ${{ steps.env.outputs.artifact_name }}-${{ github.event.release.tag_name }}.tar.gz repo-token: ${{ secrets.GITHUB_TOKEN }} 
@@ -280,13 +260,18 @@ jobs: VCPKG_DISABLE_METRICS: 1 steps: + - name: Harden Runner + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 + with: + egress-policy: audit + - name: Checkout the source - uses: actions/checkout@v2 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: true fetch-depth: 2 - - uses: actions/cache@v2 + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 id: cache-vcpkg with: path: vcpkg @@ -327,14 +312,17 @@ jobs: set -x mkdir build cmake -Bbuild -H. ${{ matrix.arch }} \ + -DBUILD_SHARED_LIBS=OFF \ -DBUILD_TESTING=OFF \ -DCMAKE_BUILD_TYPE=Release \ -DCMAKE_INSTALL_PREFIX=`pwd`/prefix \ -DCMAKE_TOOLCHAIN_FILE=${VCPKG_ROOT}/scripts/buildsystems/vcpkg.cmake \ + -DJPEGXL_ENABLE_JPEGLI_LIBJPEG=OFF \ -DJPEGXL_ENABLE_OPENEXR=OFF \ -DJPEGXL_ENABLE_PLUGINS=OFF \ -DJPEGXL_ENABLE_TCMALLOC=OFF \ -DJPEGXL_ENABLE_VIEWERS=OFF \ + -DJPEGXL_ENABLE_DEVTOOLS=ON \ -DVCPKG_TARGET_TRIPLET=${{ matrix.triplet }} \ # - name: Build @@ -357,7 +345,7 @@ jobs: cp third_party/brotli/LICENSE prefix/bin/LICENSE.brotli cp LICENSE prefix/bin/LICENSE.libjxl - name: Upload artifacts - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: jxl-${{matrix.triplet}} path: | @@ -372,7 +360,7 @@ jobs: - name: Upload binaries to release if: github.event_name == 'release' - uses: AButler/upload-release-assets@v2.0 + uses: AButler/upload-release-assets@c94805dc72e4b20745f543da0f62eaee7722df7a # v2.0.2 with: files: jxl-${{matrix.triplet}}.zip repo-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 0000000..f719f01 --- /dev/null +++ b/.github/workflows/scorecard.yml 
@@ -0,0 +1,75 @@
+# Copyright (c) the JPEG XL Project Authors. All rights reserved.
+#
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file
+
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+ # For Branch-Protection check. Only the default branch is supported. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+ branch_protection_rule:
+ # To guarantee Maintained check is occasionally updated. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+ schedule:
+ - cron: '13 2 * * 3'
+ push:
+ branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Needed to publish results and get a badge (see publish_results below).
+ id-token: write
+
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+ with:
+ egress-policy: audit
+
+ - name: "Checkout code"
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+ # you want to enable the Branch-Protection check on a *public* repository
+ # To create the PAT, follow the steps in
+ # https://github.com/ossf/scorecard-action#authentication-with-fine-grained-pat-optional
+ repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+ # - Publish results to OpenSSF REST API for easy access by consumers
+ # - Allows the repository to include the Scorecard badge.
+ # - See https://github.com/ossf/scorecard-action#publishing-results.
+ publish_results: true
+
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard.
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5
+ with:
+ sarif_file: results.sarif
diff --git a/.github/workflows/test_new_highway.yml b/.github/workflows/test_new_highway.yml
new file mode 100644
index 0000000..81669da
--- /dev/null
+++ b/.github/workflows/test_new_highway.yml
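Review bot: In scorecard.yml the comment above `repo_token` still tells the reader to uncomment the line, but the line is added already active as `repo_token: ${{ secrets.SCORECARD_TOKEN }}`, so the comment no longer matches what the workflow does. Reword it to say the token is in use and what it is expected to be, for example `# SCORECARD_TOKEN: fine-grained, read-only PAT used for the Branch-Protection check; see the link below.` It is also worth confirming how the action behaves where that secret is not defined (a fork, for instance), since the expression then expands to an empty string.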
@@ -0,0 +1,56 @@
+# Copyright (c) the JPEG XL Project Authors. All rights reserved.
+#
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+# Workflow for building and running tests.
+
+name: Update branch with updated submodule on libjxl
+
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: '37 2 * * *' # Daily on 02:37 UTC
+
+permissions:
+ contents: read
+
+jobs:
+ update:
+ if: github.repository_owner == 'libjxl'
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+ with:
+ egress-policy: audit
+
+ - name: 'Cloning libjxl'
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ submodules: recursive
+ persist-credentials: false # otherwise, the wrong auhtentication is used in the push
+ fetch-depth: 0 # otherwise, there would be errors pushing refs to the destination repository.
+ - name: Pull & update highway
+ working-directory: ./third_party/highway
+ run: |
+ git fetch origin
+ git checkout origin/master
+ - name: Update deps.sh
+ run: |
+ NEWHASH=`git submodule status third_party/highway | cut -d' ' -f1 | cut -c2-`
+ sed -i "s/\(THIRD_PARTY_HIGHWAY=\"\)[^\"]*/\1$NEWHASH/" deps.sh
+ - name: Commit
+ run: |
+ git config user.email "firsching@google.com"
+ git config user.name "GitHub Actions - update submodules"
+ git add --all
+ git commit -m "Update highway submodule" || echo "No changes to commit"
+
+ - name: Push changes
+ uses: ad-m/github-push-action@d91a481090679876dfc4178fef17f286781251df # v0.8.0
+ with:
+ github_token: ${{ secrets.TOKEN }}
+ branch: 'refs/heads/test_highway'
+ force: true
|
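Review bot: The push step in test_new_highway.yml authenticates with `secrets.TOKEN` and force-pushes, yet nothing in the file records what kind of credential that is or what it is allowed to write. Since the workflow's own token is limited to `contents: read`, this is presumably a personal access token; a comment such as `# TOKEN: fine-grained PAT, contents write on this repository only` above `github_token:` would make the expected scope reviewable. The branch it publishes carries whatever `origin/master` of third_party/highway holds at run time, so if any workflow triggers on `test_highway` it builds code that has not been reviewed here and should not be handed further secrets. The header comment `# Workflow for building and running tests.` also describes a different workflow and could read `# Updates the highway submodule and pushes the result to test_highway.`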