From bd35109fc5907b6178503a5127987d76cce880bf Mon Sep 17 00:00:00 2001
From: Matt Briggs
Date: Wed, 20 Jan 2021 15:24:09 -0800
Subject: [PATCH 1/2] use cargo deny to check dependency licenses

---
Makefile | 5 +++++
integ/deny.toml | 38 ++++++++++++++++++++++++++++++++++++++
updater/deny.toml | 38 ++++++++++++++++++++++++++++++++++++++
3 files changed, 81 insertions(+)
create mode 100644 integ/deny.toml
create mode 100644 updater/deny.toml
diff --git a/Makefile b/Makefile
index 6aa0ff9..ba7a14b 100644
--- a/Makefile
+++ b/Makefile
@@ -21,3 +21,8 @@ image: fetch-sdk
 .PHONY: fetch-sdk
 fetch-sdk: # fetches and loads the image we use to build the updater docker image
 scripts/load-bottlerocket-sdk.sh --site ${BOTTLEROCKET_SDK_SITE} --image ${BUILDER_IMAGE}
+
+.PHONY: check-licenses
+check-licenses:
+ cd updater && cargo deny check licenses
+ cd integ && cargo deny check licenses
diff --git a/integ/deny.toml b/integ/deny.toml
new file mode 100644
index 0000000..076b573
--- /dev/null
+++ b/integ/deny.toml
@@ -0,0 +1,38 @@
+[licenses]
+unlicensed = "deny"
+
+# Deny licenses unless they are specifically listed here
+copyleft = "deny"
+allow-osi-fsf-free = "neither"
+default = "deny"
+
+# We want really high confidence when inferring licenses from text
+confidence-threshold = 0.93
+
+# Licenses that are allowed but unused are commented out to silence warnings
+allow = [
+ "Apache-2.0",
+ #"BSD-2-Clause",
+ "BSD-3-Clause",
+ "BSL-1.0",
+ #"CC0-1.0",
+ #"ISC",
+ "MIT",
+ # OpenSSL",
+ "Unlicense",
+ "Zlib"
+]
+
+[[licenses.clarify]]
+name = "ring"
+expression = "MIT AND ISC AND OpenSSL"
+license-files = [
+ { path = "LICENSE", hash = 0xbd0eed23 },
+]
+
+[[licenses.clarify]]
+name = "webpki"
+expression = "ISC"
+license-files = [
+ { path = "LICENSE", hash = 0x001c7e6c },
+]
diff --git a/updater/deny.toml b/updater/deny.toml
new file mode 100644
index 0000000..14ebcbf
--- /dev/null
+++ b/updater/deny.toml
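Review bot: The new check-licenses target runs only the `licenses` check, so the RustSec advisory database that cargo-deny can also consult is never queried and a dependency with a published vulnerability or a yanked release would pass CI unnoticed; `cargo deny check licenses advisories` on each of the two recipe lines (or a sibling `check-advisories` target wired into the same CI flow) closes that gap. Neither deny.toml in this patch has an `[advisories]` section, so the tool's defaults would govern that check until one is added. The `cd updater && …` / `cd integ && …` form is correct because every recipe line runs in its own shell, but a one-line comment saying so above the target would save the next reader from wondering why the `cd` does not leak between lines.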
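Review bot: In the `allow` list the disabled OpenSSL entry is written as `# OpenSSL",` with no opening quote, so it parses as a comment today but becomes invalid TOML the moment someone re-enables it by deleting the `#`; it should read `#"OpenSSL",` like the other commented-out entries. The two `[[licenses.clarify]]` blocks resolve ring to `MIT AND ISC AND OpenSSL` and webpki to `ISC`, while `ISC` and `OpenSSL` are both commented out above, so if either crate enters integ's dependency graph the check fails on a disallowed license rather than on inference — presumably intended, but a comment above the clarify blocks stating that they are kept in sync with updater/deny.toml would make that explicit. The rest of the file is a byte-for-byte copy of updater/deny.toml, which invites drift; if one policy is wanted for both crates, `cargo deny check --config <path>` lets both Makefile lines point at a single file.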
@@ -0,0 +1,38 @@
+[licenses]
+unlicensed = "deny"
+
+# Deny licenses unless they are specifically listed here
+copyleft = "deny"
+allow-osi-fsf-free = "neither"
+default = "deny"
+
+# We want really high confidence when inferring licenses from text
+confidence-threshold = 0.93
+
+# Licenses that are allowed but unused are commented out to silence warnings
+allow = [
+ "Apache-2.0",
+ #"BSD-2-Clause",
+ "BSD-3-Clause",
+ "BSL-1.0",
+ #"CC0-1.0",
+ "ISC",
+ "MIT",
+ "OpenSSL",
+ "Unlicense",
+ "Zlib"
+]
+
+[[licenses.clarify]]
+name = "ring"
+expression = "MIT AND ISC AND OpenSSL"
+license-files = [
+ { path = "LICENSE", hash = 0xbd0eed23 },
+]
+
+[[licenses.clarify]]
+name = "webpki"
+expression = "ISC"
+license-files = [
+ { path = "LICENSE", hash = 0x001c7e6c },
+]

From 27c1c2285f48d6df23f104f8dc6c06a9c8e6327f Mon Sep 17 00:00:00 2001
From: Matt Briggs
Date: Wed, 20 Jan 2021 15:34:49 -0800
Subject: [PATCH 2/2] setup continuous integration

Continuous integration runs in two simultaneous jobs. One for make ci, which runs cargo build, test, fmt and clippy. The other, make image, builds the updater container image. Caching for make ci speeds up the build time from over 10 minutes to just a minute or two. cargo install cargo-deny took five minutes on its own before caching CARGO_HOME. Caching for the make image build required some hacks and ended up being slower that running with no caching (due to all the compressing and decompressing of docker image layers, CPU-bound), so no caching there.

---
.github/cache-bust | 4 +++
.github/workflows/updater-ci.yaml | 55 +++++++++++++++++++++++++++++++
Makefile | 20 +++++++++++
3 files changed, 79 insertions(+)
create mode 100644 .github/cache-bust
create mode 100644 .github/workflows/updater-ci.yaml
diff --git a/.github/cache-bust b/.github/cache-bust
new file mode 100644
index 0000000..70cfb58
--- /dev/null
+++ b/.github/cache-bust
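Review bot: `"OpenSSL"` and `"ISC"` are added to the global `allow` list, so every crate that declares either license is accepted, not just ring and webpki for which the `[[licenses.clarify]]` blocks were written; cargo-deny's per-crate `exceptions` table scopes an allowance to a named crate, e.g. `exceptions = [{ name = "ring", allow = ["OpenSSL"] }]`, which keeps the global list down to licenses the project means to accept from anyone. The ring clarification is tied to the `0xbd0eed23` hash of its LICENSE file, so a ring upgrade that changes that file presumably stops matching the clarification and falls back to text inference, which at the `0.93` threshold is likely to fail the build; a short comment noting that this is deliberate (re-verify the license text, then refresh the hash) would stop a future maintainer from simply loosening the threshold. Because this file and integ/deny.toml differ only in the ISC and OpenSSL entries, a comment naming that single difference at the top of each file would make the divergence obvious in review.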
@@ -0,0 +1,4 @@
+# this file provides a manual way to clear out github actions caches. any change
+# to this file will cause all github action caches to miss. increment the number
+# below by 1 if you need to clear the caches.
+1
diff --git a/.github/workflows/updater-ci.yaml b/.github/workflows/updater-ci.yaml
new file mode 100644
index 0000000..d2a549a
--- /dev/null
+++ b/.github/workflows/updater-ci.yaml
@@ -0,0 +1,55 @@
+name: Updater CI
+on:
+ pull_request:
+ paths-ignore:
+ - '**.md'
+ branches: ['*']
+ push:
+ paths-ignore:
+ - '**.md'
+ branches: [develop]
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Cargo Home Cache
+ uses: actions/cache@v2
+ env:
+ cache-name: cargo-home
+ with:
+ path: /usr/share/rust/.cargo
+ key: ${{ hashFiles('.github/cache-bust', '/usr/share/rust/.cargo/bin/cargo') }}-${{ hashFiles('updater/Cargo.lock', 'integ/Cargo.lock') }}
+ restore-keys: |
+ ${{ hashFiles('.github/cache-bust', '/usr/share/rust/.cargo/bin/cargo') }}-${{ hashFiles('updater/Cargo.lock', 'integ/Cargo.lock') }}
+ ${{ hashFiles('.github/cache-bust', '/usr/share/rust/.cargo/bin/cargo') }}-
+
+ - name: Updater Build Cache
+ uses: actions/cache@v2
+ env:
+ cache-name: updater-target
+ with:
+ path: updater/target
+ key: ${{ hashFiles('.github/cache-bust') }}-${{ hashFiles('updater/Cargo.lock') }}
+ restore-keys: |
+ ${{ hashFiles('.github/cache-bust') }}-
+
+ - name: Integ Build Cache
+ uses: actions/cache@v2
+ env:
+ cache-name: integ-target
+ with:
+ path: integ/target
+ key: ${{ hashFiles('.github/cache-bust') }}-${{ hashFiles('integ/Cargo.lock') }}
+ restore-keys: |
+ ${{ hashFiles('.github/cache-bust') }}-
+
+ - run: rustup update stable && cargo install cargo-deny
+ - run: make ci
+
+ image:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - run: make image
diff --git a/Makefile b/Makefile
index ba7a14b..6ac0ba5 100644
--- a/Makefile
+++ b/Makefile
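Review bot: The Cargo Home Cache key hashes `/usr/share/rust/.cargo/bin/cargo`, but `hashFiles` resolves its patterns relative to GITHUB_WORKSPACE and, per the Actions documentation, only matches files inside it, so that absolute path most likely contributes nothing and the intended invalidation on a toolchain change never happens; capturing `rustc --version` in an earlier step and including it in the key is the usual way to get that behaviour. The first `restore-keys` entry of that same step repeats the primary `key` verbatim, which is redundant because an exact match is already tried before the fallbacks. `actions/checkout@v2` and `actions/cache@v2` are pinned to mutable major tags; pinning each to a full commit SHA (`uses: actions/cache@<full-commit-sha> # v2`) and adding a top-level `permissions: contents: read` block are the standard supply-chain hardening for a workflow that also runs on pull requests. `cargo install cargo-deny` installs whatever version is current on the day the cache misses, and that binary is then served from the cached CARGO_HOME through the prefix `restore-keys` fallback, so two runs can check licenses with different cargo-deny versions; `cargo install --locked cargo-deny --version <pinned-version>` makes it reproducible.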
@@ -26,3 +26,23 @@ fetch-sdk: # fetches and loads the image we use to build the updater docker imag
 check-licenses:
 cd updater && cargo deny check licenses
 cd integ && cargo deny check licenses
+
+.PHONY: unit-tests
+unit-tests:
+ cd updater && cargo test --locked
+ cd integ && cargo test --locked
+
+.PHONY: build
+build:
+ cd updater && cargo build --locked
+ cd integ && cargo build --locked
+
+.PHONY: lint
+lint:
+ cd updater && cargo fmt -- --check
+ cd updater && cargo clippy --locked -- -D warnings
+ cd integ && cargo fmt -- --check
+ cd integ && cargo clippy --locked -- -D warnings
+
+.PHONY: ci # these are all of the checks (except for image) that we run for ci
+ci: check-licenses lint build unit-tests
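Review bot: The `ci` target stops at the first failing prerequisite, and each recipe stops at its first failing line, so a `cargo fmt -- --check` failure in `lint` on updater hides whether the integ checks, `build` and `unit-tests` would have passed; invoking it as `make -k ci` from the workflow, or splitting the per-crate fmt and clippy lines into their own targets, reports every failure in one run. The comment describing `ci` sits on the `.PHONY: ci # …` line; moving it to its own line directly above `ci:` keeps it with the rule it documents and matches how the existing `fetch-sdk:` comment sits on the rule line. `--locked` on test, build and clippy is a good choice for CI; a comment such as `# --locked: fail if Cargo.lock is stale instead of rewriting it on the runner` would explain why it is there and why the context line `cargo deny check licenses` above has no equivalent guard.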