Add native build to CI and MUSL build #2490
Conversation
Quinn-With-Two-Ns
force-pushed
the
musl-build
branch
from
5c6c17b to
75b4c6e
Compare
Quinn-With-Two-Ns
changed the title
| @@ -188,3 +188,9 @@ jobs: | |||
|
|
|||
| - name: Run copyright and code format checks | |||
| run: ./gradlew --no-daemon checkLicenseMain checkLicenses spotlessCheck | |||
|
|
|||
| build_native_images: | |||
There was a problem hiding this comment.
Is it by intention that we are building native images for every CI run now or is this leftover from testing? If it is by intention, I would usually be concerned with unnecessarily using storage for all of these images, though I see we only retain for one day, but I wonder if it's even worth that vs just a workflow call option to not upload the artifacts.
There was a problem hiding this comment.
Yes, I do want to build as part of CI so we don't discover issue when trying to cut a release. I would be OK only doing the builds post merge or not including artifacts for CI
There was a problem hiding this comment.
Works for me, especially if it's concurrent and doesn't take longer than the existing jobs (doesn't seem to though that poor macos-arm one in last CI run took a really long time). I do think we should skip uploading the artifact though, but not a big deal.
There was a problem hiding this comment.
Are the test server artifacts on this PR's CI run much larger than what we've released in the past? For instance, Windows x64 on this PR's CI run is 62.4MB (exe inside about the same size), but the one at https://github.com/temporalio/sdk-java/releases is 18.4MB (exe inside about the same size). I wonder if it's due to Java upgrade or if we're inadvertently not trimming something anymore or what.
There was a problem hiding this comment.
hm good callout, not sure let me check
There was a problem hiding this comment.
OK I think I addressed the size by adjusting the optimization level and reverting the extra reflection stuff I was including by mistake
There was a problem hiding this comment.
Once you double check the size I will remove the artifacts from the CI build
There was a problem hiding this comment.
It's still slightly bigger. For instance, Linux amd64 in this CI is 22.5MB vs 18.8MB in the last release. I'm ok with that if you are.
Switching topics (sorry, just easy to keep the same thread), I kinda figured the musl-based binary would be bigger than the libc-based one since it should statically link musl. Can you confirm that, unlike glibc build, we statically link musl? (meaning it could technically run on any Linux not just musl-based distros)
There was a problem hiding this comment.
musl is statically linked
There was a problem hiding this comment.
And I assume you're ok with the ~12% size-after-extracted increase? Checked extracted sizes, for Linux amd64 on release it's 60.3MB but here on CI it's 67.8MB. I don't think I have a big problem with this, though is a bit strange I think to increase sizes for every binary just to add a new musl binary (though I assume/understand it's mostly due to our switching of how we build w/ graal).
Quinn-With-Two-Ns
force-pushed
the
musl-build
branch
from
90a7e9e to
23d79ed
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| name: Build native test server | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| include: | ||
| - runner: ubuntu-latest | ||
| os_family: linux | ||
| arch: amd64 | ||
| musl: true | ||
| - runner: ubuntu-latest | ||
| os_family: linux | ||
| arch: amd64 | ||
| musl: false | ||
| - runner: macos-13 | ||
| os_family: macOS | ||
| arch: amd64 | ||
| - runner: macos-latest | ||
| os_family: macOS | ||
| arch: arm64 | ||
| - runner: ubuntu-24.04-arm | ||
| os_family: linux | ||
| arch: arm64 | ||
| - runner: windows-latest | ||
| os_family: windows | ||
| arch: amd64 | ||
| runs-on: ${{ matrix.runner }} | ||
| steps: | ||
| - name: Checkout repo | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
| submodules: recursive | ||
| ref: ${{ env.INPUT_REF }} | ||
|
|
||
| - name: Set up Java | ||
| if: matrix.os_family != 'Linux' | ||
| uses: actions/setup-java@v4 | ||
| with: | ||
| java-version: | | ||
| 21 | ||
| 23 | ||
| distribution: "graalvm" | ||
|
|
||
| - name: Set up Gradle | ||
| if: matrix.os_family != 'Linux' | ||
| uses: gradle/actions/setup-gradle@v4 | ||
|
|
||
| - name: Build native test server (non-Docker) | ||
| if: matrix.os_family != 'Linux' | ||
| run: | | ||
| ./gradlew -PnativeBuild :temporal-test-server:nativeCompile | ||
|
|
||
| - name: Build native test server (Docker non-musl) | ||
| if: matrix.os_family == 'Linux' && matrix.musl == false | ||
| run: | | ||
| docker run \ | ||
| --rm -w /github/workspace -v "$(pwd):/github/workspace" \ | ||
| $(docker build -q ./docker/native-image) \ | ||
| sh -c "./gradlew -PnativeBuild :temporal-test-server:nativeCompile" | ||
|
|
||
| - name: Build native test server (Docker musl) | ||
| if: matrix.os_family == 'Linux' && matrix.musl == true | ||
| run: | | ||
| docker run \ | ||
| --rm -w /github/workspace -v "$(pwd):/github/workspace" \ | ||
| $(docker build -q ./docker/native-image-musl) \ | ||
| sh -c "./gradlew -PnativeBuild -PnativeBuildMusl :temporal-test-server:nativeCompile" | ||
| # path ends in a wildcard because on windows the file ends in '.exe' | ||
| - name: Upload executable to workflow | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: ${{ matrix.musl && format('{0}_{1}_musl', matrix.os_family, matrix.arch) || format('{0}_{1}', matrix.os_family, matrix.arch)}} | ||
| path: | | ||
| temporal-test-server/build/native/nativeCompile/temporal-test-server* | ||
| if-no-files-found: error | ||
| retention-days: 1 |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 1 month ago
To address the issue, we will add a permissions block to the workflow file. This block will explicitly define the minimal permissions required for the workflow to function correctly. Based on the workflow's actions, it primarily interacts with repository contents (e.g., checking out code) and uploads artifacts. Therefore, the contents: read permission is sufficient for this workflow. We will add the permissions block at the root level of the workflow to apply it to all jobs.
| @@ -1,2 +1,4 @@ | ||
| name: Build native image | ||
| permissions: | ||
| contents: read | ||
| defaults: |
| name: Build native test server | ||
| uses: ./.github/workflows/build-native-image.yml | ||
| with: | ||
| ref: ${{ github.event.pull_request.head.sha }} |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 1 month ago
To fix the issue, we will add a permissions block at the root of the workflow file to define the minimal permissions required for all jobs. Based on the workflow's actions, the contents: read permission is sufficient for most steps, as they involve checking out the repository and running tests. If any job requires additional permissions, we will define a specific permissions block for that job.
| @@ -1,2 +1,4 @@ | ||
| name: Continuous Integration | ||
| permissions: | ||
| contents: read | ||
| on: |
Quinn-With-Two-Ns
force-pushed
the
musl-build
branch
2 times, most recently
from
2375763 to
4ee467f
Compare
Quinn-With-Two-Ns
force-pushed
the
musl-build
branch
from
ec940f9 to
c189e8b
Compare
Quinn-With-Two-Ns
force-pushed
the
musl-build
branch
from
c189e8b to
2fa7b45
Compare
Add native build to CI and MUSL build
closes #2402