json: Limit how deeply nested arrays and objects can be #5238
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
on: | |
pull_request: | |
workflow_dispatch: | |
name: ci | |
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions | |
permissions: | |
contents: read | |
jobs: | |
linux-ci: | |
name: linux-${{ matrix.name }} | |
runs-on: ${{ matrix.os }} | |
timeout-minutes: 30 | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- name: gcc-14 | |
os: ubuntu-24.04 | |
compiler: gcc | |
version: 14 | |
bazel: -c dbg --test_timeout=120 --run_under="valgrind --leak-check=full --errors-for-leak-kinds=all --error-exitcode=1 --track-origins=yes --show-leak-kinds=all --num-callers=32" --test_tag_filters=-no-valgrind | |
apt: valgrind | |
- name: clang-18-tsan | |
os: ubuntu-24.04 | |
compiler: clang | |
version: 18 | |
bazel: -c dbg --config tsan --test_env=TSAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer-18 --config libfuzzer | |
apt: libclang-rt-18-dev llvm-18 | |
fuzz: true | |
- name: clang-18-asan-ubsan | |
os: ubuntu-24.04 | |
compiler: clang | |
version: 18 | |
bazel: -c dbg --config asan --config ubsan --test_env=ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer-18 --config libfuzzer | |
apt: libclang-rt-18-dev llvm-18 | |
fuzz: true | |
- name: clang-17-libc++ | |
os: ubuntu-24.04 | |
compiler: clang | |
version: 17 | |
bazel: --config libc++ | |
apt: libc++abi-17-dev libc++-17-dev libclang-rt-17-dev | |
- name: clang-18-libc++ | |
os: ubuntu-24.04 | |
compiler: clang | |
version: 18 | |
bazel: --config libc++ | |
apt: libc++abi-18-dev libc++-18-dev libclang-rt-18-dev | |
steps: | |
- name: Setup gcc | |
if: startsWith(matrix.compiler, 'gcc') | |
run: | | |
echo "CC=gcc-${{ matrix.version }}" >> $GITHUB_ENV | |
echo "CXX=g++-${{ matrix.version }}" >> $GITHUB_ENV | |
- name: Setup clang | |
if: startsWith(matrix.compiler, 'clang') | |
run: | | |
echo "CC=clang-${{ matrix.version }}" >> $GITHUB_ENV | |
echo "CXX=clang++-${{ matrix.version }}" >> $GITHUB_ENV | |
- uses: actions/checkout@v4 | |
- name: Install | |
run: | | |
sudo apt-get update | |
sudo apt-get install --no-install-recommends ${{ matrix.compiler }}-${{ matrix.version }} ${{ matrix.apt }} libx11-dev libxi-dev | |
- uses: actions/cache@v4 | |
with: | |
path: ~/.cache/bazel | |
key: ${{ matrix.name }}-${{ hashFiles('.bazelversion', 'MODULE.bazel', 'third_party/**') }} | |
- run: echo "build --config=buildbuddy-cache-upload --remote_header=x-buildbuddy-api-key=${BUILDBUDDY_API_KEY}" >.bazelrc.local | |
env: | |
BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }} | |
- name: Test | |
run: bazel test //... ${{ matrix.bazel }} | |
- name: Run | |
run: | | |
echo "<html><body><h1>Example</h1><p>This is an example page.</p></body></html>" >example.html | |
bazel run browser:tui file://$(pwd)/example.html ${{ matrix.bazel }} | |
- name: Fuzz test | |
if: ${{ matrix.fuzz }} | |
run: | | |
./bzl/run_fuzz_tests ... \ | |
${{ matrix.bazel }} \ | |
-- --timeout_secs=10 | |
coverage: | |
name: linux-${{ matrix.compiler }}-${{ matrix.version }}-coverage | |
runs-on: ubuntu-24.04 | |
timeout-minutes: 30 | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- compiler: gcc | |
version: 13 | |
- compiler: clang | |
version: 19 | |
bazel: --config=clang19-coverage | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- uses: actions/cache@v4 | |
with: | |
path: ~/.cache/bazel | |
key: coverage-${{ matrix.compiler }}-${{ matrix.version }}-${{ hashFiles('.bazelversion', 'MODULE.bazel', 'third_party/**') }} | |
- name: Setup (gcc) | |
if: startsWith(matrix.compiler, 'gcc') | |
run: | | |
sudo apt-get update | |
sudo apt-get install --no-install-recommends lcov gcc-${{ matrix.version }} g++-${{ matrix.version }} | |
echo "CC=gcc-${{ matrix.version }}" >> $GITHUB_ENV | |
echo "CXX=g++-${{ matrix.version }}" >> $GITHUB_ENV | |
echo "GCOV=gcov-${{ matrix.version }}" >> $GITHUB_ENV | |
- name: Setup (clang) | |
if: startsWith(matrix.compiler, 'clang') | |
run: | | |
wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | sudo apt-key add - | |
sudo apt-add-repository "deb http://apt.llvm.org/noble/ llvm-toolchain-noble-19 main" | |
sudo apt-get update | |
sudo apt-get install --no-install-recommends lcov clang-${{ matrix.version }} libclang-rt-${{ matrix.version }}-dev llvm-${{ matrix.version }} | |
echo "CC=clang-19" >> $GITHUB_ENV | |
echo "CXX=clang++-19" >> $GITHUB_ENV | |
- run: sudo apt-get install libx11-dev libxi-dev | |
- run: echo "build --config=buildbuddy-cache-upload --remote_header=x-buildbuddy-api-key=${BUILDBUDDY_API_KEY}" >.bazelrc.local | |
env: | |
BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }} | |
- name: Coverage | |
run: bazel coverage ... ${{ matrix.bazel }} | |
# clang 19 coverage has a lot of problems w/ boringssl: | |
# lcov: ERROR: "external/boringssl/crypto/conf/internal.h":30: function conf.c:lh_CONF_VALUE_insert found on line but no corresponding 'line' coverage data point. Cannot derive function end line. | |
- run: lcov --ignore-errors inconsistent --summary bazel-out/_coverage/_coverage_report.dat | |
- name: Upload | |
env: | |
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} | |
# TODO(robinlinden): codecov-cli 0.7.x breaks PRs from forks w/ | |
# "Error: Codecov token not found. Please provide Codecov token with -t flag." | |
# whereas in 0.6.0, it still correctly detects PRs where tokenless | |
# uploads are required: | |
# "info - 2024-06-21 21:24:10,269 -- The PR is happening in a forked | |
# repo. Using tokenless upload." | |
run: | | |
pipx install codecov-cli==0.6.0 | |
codecovcli upload-process --fail-on-error --file bazel-out/_coverage/_coverage_report.dat | |
linux-aarch64-muslc: | |
runs-on: ubuntu-24.04 | |
timeout-minutes: 30 | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/cache@v4 | |
with: | |
path: ~/.cache/bazel | |
key: aarch64_linux_muslc-${{ hashFiles('.bazelversion', 'MODULE.bazel', 'third_party/**') }} | |
- run: sudo apt-get update && sudo apt-get install -y --no-install-recommends qemu-user-static binfmt-support | |
- run: sudo update-binfmts --enable qemu-aarch64 | |
- run: echo "build --config=linux-aarch64-musl" >.bazelrc.local | |
- run: echo "build --config=buildbuddy-cache-upload --remote_header=x-buildbuddy-api-key=${BUILDBUDDY_API_KEY}" >>.bazelrc.local | |
env: | |
BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }} | |
- run: bazel test ... | |
- name: Run tui | |
run: | | |
echo "<html><body><h1>Example</h1><p>This is an example page.</p></body></html>" >example.html | |
bazel run browser:tui file://$(pwd)/example.html | |
# https://github.com/bytecodealliance/wasmtime | |
wasi-wasm: | |
runs-on: ubuntu-24.04 | |
timeout-minutes: 30 | |
env: | |
WASMTIME_VERSION: v28.0.1 | |
WASMTIME_NAME: wasmtime-v28.0.1-x86_64-linux | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Set up wasmtime | |
run: | | |
wget --no-verbose --output-document=wasmtime.tar.xz https://github.com/bytecodealliance/wasmtime/releases/download/${WASMTIME_VERSION}/${WASMTIME_NAME}.tar.xz | |
tar -xf wasmtime.tar.xz | |
chmod +x ${WASMTIME_NAME}/wasmtime | |
mkdir -p $HOME/.cache/wasmtime | |
# Register wasmtime as the wasm binary format handler. | |
- run: echo -n ":wasm32-wasi:M::\x00asm:\xff\xff\xff\xff:$(pwd)/${WASMTIME_NAME}/wasmtime:" | sudo tee /proc/sys/fs/binfmt_misc/register | |
- run: echo "build --config=wasi-wasm" >.bazelrc.local | |
- run: echo "build --config=buildbuddy-cache-upload --remote_header=x-buildbuddy-api-key=${BUILDBUDDY_API_KEY}" >>.bazelrc.local | |
env: | |
BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }} | |
- run: bazel test ... | |
macos: | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- os: macos-15 | |
runs-on: ${{ matrix.os }} | |
timeout-minutes: 30 | |
steps: | |
- uses: actions/checkout@v4 | |
- run: echo "build --config=buildbuddy-cache-upload --remote_header=x-buildbuddy-api-key=${BUILDBUDDY_API_KEY}" >.bazelrc.local | |
env: | |
BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }} | |
- run: bazelisk test //... | |
- name: Run tui | |
run: | | |
echo "<html><body><h1>Example</h1><p>This is an example page.</p></body></html>" >example.html | |
bazelisk run browser:tui file://$(pwd)/example.html | |
- run: bazelisk run browser -- --exit-after-load file://$(pwd)/example.html | |
windows-msvc: | |
runs-on: windows-2025 | |
timeout-minutes: 30 | |
defaults: | |
run: | |
shell: bash | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/cache@v4 | |
with: | |
path: ~/.cache/bazel | |
key: windows_msvc-${{ hashFiles('.bazelversion', 'MODULE.bazel', 'third_party/**') }} | |
- run: echo "build --disk_cache ~/.cache/bazel" >.bazelrc.local | |
- run: echo "build --config=buildbuddy-cache-upload --remote_header=x-buildbuddy-api-key=${BUILDBUDDY_API_KEY}" >>.bazelrc.local | |
env: | |
BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }} | |
- name: Test | |
run: bazel test ... -c dbg | |
- name: Run tui | |
run: | | |
echo "<html><body><h1>Example</h1><p>This is an example page.</p></body></html>" >example.html | |
python3 -m http.server --bind localhost 12345 & | |
sleep 5 # Sometimes the server isn't ready by the time the tui starts. | |
bazel run browser:tui -c dbg http://localhost:12345/example.html | |
- run: bazel run browser -c dbg -- --exit-after-load http://localhost:12345/example.html | |
windows-clang-cl: | |
runs-on: windows-2025 | |
timeout-minutes: 30 | |
defaults: | |
run: | |
shell: bash | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/cache@v4 | |
with: | |
path: ~/.cache/bazel | |
key: windows_clang_cl-${{ hashFiles('.bazelversion', 'MODULE.bazel', 'third_party/**') }} | |
- run: echo "build --config clang-cl" >.bazelrc.local | |
- run: echo "build --disk_cache ~/.cache/bazel" >>.bazelrc.local | |
- run: echo "build --config=buildbuddy-cache-upload --remote_header=x-buildbuddy-api-key=${BUILDBUDDY_API_KEY}" >>.bazelrc.local | |
env: | |
BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }} | |
- run: bazel test ... | |
- name: Run tui | |
run: | | |
echo "<html><body><h1>Example</h1><p>This is an example page.</p></body></html>" >example.html | |
python3 -m http.server --bind localhost 12345 & | |
sleep 5 # Sometimes the server isn't ready by the time the tui starts. | |
bazel run browser:tui http://localhost:12345/example.html | |
- run: bazel run browser -- --exit-after-load http://localhost:12345/example.html | |
pre-commit: | |
runs-on: ubuntu-24.04 | |
timeout-minutes: 5 | |
steps: | |
- uses: actions/checkout@v4 | |
- run: pipx install pre-commit==4.0.1 | |
- run: pre-commit run --all-files | |
clang-format: | |
runs-on: ubuntu-24.04 | |
timeout-minutes: 5 | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Set up the llvm repository | |
run: | | |
wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | sudo apt-key add - | |
sudo apt-add-repository "deb http://apt.llvm.org/noble/ llvm-toolchain-noble-19 main" | |
- run: sudo apt-get update && sudo apt-get install --no-install-recommends clang-format-19 | |
- run: find . -name "*.h" -o -name "*.cpp" | xargs clang-format-19 -style=file -i | |
- run: git diff --exit-code | |
clang-tidy: | |
runs-on: ubuntu-24.04 | |
timeout-minutes: 45 | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/cache@v4 | |
with: | |
path: ~/.cache/bazel | |
key: clang_tidy-${{ hashFiles('.bazelversion', 'MODULE.bazel', 'third_party/**') }} | |
- name: Set up the llvm repository | |
run: | | |
wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | sudo apt-key add - | |
sudo apt-add-repository "deb http://apt.llvm.org/noble/ llvm-toolchain-noble-19 main" | |
- run: sudo apt-get update && sudo apt-get install --no-install-recommends clang-tidy-19 libc++abi-19-dev libc++-19-dev | |
- run: echo "CC=clang-19" >>$GITHUB_ENV && echo "CXX=clang++-19" >>$GITHUB_ENV | |
- run: | | |
sudo update-alternatives --install /usr/bin/clang-tidy clang-tidy /usr/bin/clang-tidy-19 100 | |
sudo update-alternatives --set clang-tidy /usr/bin/clang-tidy-19 | |
update-alternatives --query clang-tidy | |
clang-tidy --version | |
- run: bazel build ... --config libc++ --config clang-tidy --config buildbuddy-cache-upload --remote_header=x-buildbuddy-api-key=${BUILDBUDDY_API_KEY} --keep_going | |
env: | |
BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }} | |
buildifier: | |
runs-on: ubuntu-24.04 | |
timeout-minutes: 5 | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Install | |
run: | | |
wget --output-document=buildifier https://github.com/bazelbuild/buildtools/releases/download/v8.0.1/buildifier-linux-amd64 | |
sudo chmod +x buildifier | |
- name: Check | |
run: ./buildifier --lint=warn --warnings=all -mode diff $(find . -type f -iname "*.BUILD" -or -iname BUILD -or -iname "*.bzl" -or -iname "*.bazel") | |
prettier: | |
runs-on: ubuntu-24.04 | |
timeout-minutes: 5 | |
steps: | |
- uses: actions/checkout@v4 | |
- run: npm install --global [email protected] | |
# Prettier thinks our fragment shaders are JS-something and complains | |
# about syntax errors. | |
- run: npx prettier --ignore-path .gitignore --write . '!**/*.frag' | |
- run: git diff --exit-code | |
shfmt: | |
runs-on: ubuntu-24.04 | |
timeout-minutes: 5 | |
steps: | |
- uses: actions/checkout@v4 | |
- run: wget --output-document=shfmt https://github.com/mvdan/sh/releases/download/v3.10.0/shfmt_v3.10.0_linux_amd64 && chmod +x shfmt | |
- run: ./shfmt -i 2 -w $(./shfmt -f .) | |
- run: git diff --exit-code | |
gitlint: | |
runs-on: ubuntu-24.04 | |
timeout-minutes: 5 | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- run: pipx install gitlint-core==0.19.1 | |
- run: gitlint --commits origin/master.. | |
concurrency: | |
group: ${{ github.head_ref || github.run_id }} | |
cancel-in-progress: true |