Merge branch 'main' into az-linux-3

Signed-off-by: Simon Davies <simongdavies@users.noreply.github.com>

Author: simongdavies

.devcontainer/Dockerfile

@@ -0,0 +1,64 @@
+## Dockerfile for devcontainer
+
+FROM mcr.microsoft.com/devcontainers/base:debian AS base
+
+ARG USER=vscode
+ARG GROUP=vscode
+
+ENV HOME="/home/${USER}"
+ENV PATH="$HOME/.cargo/bin:$PATH"
+
+# Install dependencies
+RUN apt-get update \
+    && apt-get -y install \
+        build-essential \
+        cmake \
+        curl \
+        git \
+        gnupg \
+        gnuplot \
+        lsb-release \
+        make \
+        software-properties-common \
+        sudo \
+        wget
+
+ARG LLVM_VERSION=17
+
+# Install llvm
+RUN wget https://apt.llvm.org/llvm.sh \
+    && chmod +x ./llvm.sh         \
+    && sudo ./llvm.sh ${LLVM_VERSION} all      \
+    && sudo ln -s /usr/lib/llvm-${LLVM_VERSION}/bin/clang-cl /usr/bin/clang-cl \
+    && sudo ln -s /usr/lib/llvm-${LLVM_VERSION}/bin/llvm-lib /usr/bin/llvm-lib \
+    && sudo ln -s /usr/lib/llvm-${LLVM_VERSION}/bin/lld-link /usr/bin/lld-link \
+    && sudo ln -s /usr/lib/llvm-${LLVM_VERSION}/bin/llvm-ml /usr/bin/llvm-ml   \
+    && sudo ln -s /usr/lib/llvm-${LLVM_VERSION}/bin/ld.lld /usr/bin/ld.lld     \
+    && sudo ln -s /usr/lib/llvm-${LLVM_VERSION}/bin/clang /usr/bin/clang
+
+FROM base AS dev
+
+# Make sure the devcontainer user has sudo access
+RUN chown -R "${USER}:${GROUP}" /home/${USER} \
+    && echo "${USER} ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
+
+# Persist bash hystory
+RUN SNIPPET="export PROMPT_COMMAND='history -a' && export HISTFILE=/commandhistory/.bash_history" \
+    && mkdir /commandhistory \
+    && touch /commandhistory/.bash_history \
+    && chown -R "${USER}" /commandhistory \
+    && echo "$SNIPPET" >> "/home/${USER}/.bashrc"
+
+USER $USER
+
+ARG RUST_TOOLCHAIN=1.81.0
+
+# Install rust
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y \
+    && rustup default ${RUST_TOOLCHAIN} \
+    && rustup target add x86_64-unknown-linux-gnu \
+    && rustup target add x86_64-unknown-none      \
+    && rustup target add x86_64-pc-windows-msvc   \
+    && rustup toolchain add nightly-x86_64-unknown-linux-gnu \
+    && cargo install just
+

.devcontainer/devcontainer.json

@@ -0,0 +1,38 @@
+// For more info on the configuration below, check out the link:
+// https://code.visualstudio.com/docs/devcontainers/create-dev-container
+{
+  "name": "Hyperlight",
+
+  "image": "ghcr.io/hyperlight-dev/hyperlight-devcontainer:latest",
+
+  "containerUser": "vscode",
+  // Environment for the container also used by the `postCreateCommand`
+  "containerEnv": {
+    "DEVICE": "/dev/kvm",
+    "KVM_SHOULD_BE_PRESENT": "true",
+    "REMOTE_USER": "vscode",
+    "REMOTE_GROUP": "vscode"
+  },
+
+  "runArgs": [
+      "--device=/dev/kvm"
+  ],
+
+  // Use 'postCreateCommand' to run commands after the container is created
+  "postCreateCommand": "bash .devcontainer/setup.sh",
+
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "ms-vscode.cmake-tools",
+        "rust-lang.rust-analyzer",
+        "vadimcn.vscode-lldb"
+      ],
+      "settings": {
+        "rust-analyzer.rustfmt.extraArgs": [
+          "+nightly" // required for rustfmt.toml which uses nightly features
+        ]
+      }
+    }
+  }
+}

.devcontainer/setup.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+# Change device ownership
+sudo chown -R $REMOTE_USER:$REMOTE_GROUP $DEVICE
+

.github/workflows/Benchmarks.yml

@@ -17,41 +17,12 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        build: [
-          windows-2022-release-amd,
-          linux-kvm-release-amd,
-          linux-hyperv-release-amd,
-          windows-2022-release-intel,
-          linux-kvm-release-intel,
-          linux-hyperv-release-intel,
-        ]
-        include:
-          - build: windows-2022-release-amd
-            os: [self-hosted, Windows, X64, "1ES.Pool=hld-win2022-amd"]
-            hypervisor: hyperv
-            arch: amd
-          - build: linux-kvm-release-amd
-            os: [self-hosted, Linux, X64, "1ES.Pool=hld-kvm-amd"]
-            hypervisor: kvm
-            arch: amd
-          - build: linux-hyperv-release-amd
-            os: [self-hosted, Linux, X64, "1ES.Pool=hld-mshv-amd"]
-            hypervisor: hyperv
-            arch: amd
-          - build: windows-2022-release-intel
-            os: [self-hosted, Windows, X64, "1ES.Pool=hld-win2022-intel"]
-            hypervisor: hyperv
-            arch: intel
-          - build: linux-kvm-release-intel
-            os: [self-hosted, Linux, X64, "1ES.Pool=hld-kvm-intel"]
-            hypervisor: kvm
-            arch: intel
-          - build: linux-hyperv-release-intel
-            os: [self-hosted, Linux, X64, "1ES.Pool=hld-mshv-intel"]
-            hypervisor: hyperv
-            arch: intel
+        hypervisor: [hyperv, mshv, kvm] # hyperv is windows, mshv and kvm are linux
+        cpu: [amd, intel]
+        config: [release] # don't want to benchmark debug-builds
 
-    runs-on: ${{ matrix.os }}
+    runs-on: ${{ fromJson(format('["self-hosted", "{0}", "X64", "1ES.Pool=hld-{1}-{2}"]', matrix.hypervisor == 'hyperv' && 'Windows' || 'Linux', matrix.hypervisor == 'hyperv' && 'win2022' || matrix.hypervisor, matrix.cpu)) }} 
+    
     steps:
       ### Setup ###
 
@@ -90,7 +61,7 @@ jobs:
         run: git fetch --tags origin
 
       - name: Download benchmarks from most recent release
-        run: just bench-download ${{ runner.os }} ${{ matrix.hypervisor }} ${{ matrix.arch }} # skip tag parameter to compare to latest stable release
+        run: just bench-download ${{ runner.os }} ${{ matrix.hypervisor }} ${{ matrix.cpu }} # skip tag parameter to compare to latest stable release
         continue-on-error: true
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -100,6 +71,6 @@ jobs:
 
       - uses: actions/upload-artifact@v4
         with:
-          name: benchmarks_${{runner.os}}_${{matrix.hypervisor}}_${{ matrix.arch }}
+          name: benchmarks_${{runner.os}}_${{matrix.hypervisor}}_${{ matrix.cpu }}
           path: ./target/criterion/
           if-no-files-found: error

.github/workflows/CreateDevcontainerImage.yml

@@ -0,0 +1,71 @@
+name: Create and publish devcontainer Docker image
+
+on:
+  push:
+    branches:
+      - "main"
+    paths:
+      - ".devcontainer/Dockerfile"
+      - ".github/workflows/CreateDevcontainerImage.yml"
+      - "rust-toolchain.toml"
+
+# Defines two custom environment variables for the workflow. These are used for the Container registry domain, and a name for the Docker image that this workflow builds.
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}-devcontainer
+  USER: vscode
+  GROUP: vscode
+  LLVM_VERSION: 17
+  RUST_TOOLCHAIN_DEFAULT: 1.81.0
+  RUST_TOOLCHAIN_FILE: rust-toolchain.toml
+
+# There is a single job in this workflow. It's configured to run on the latest available version of Ubuntu.
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Read Rust toolchain version from ${{ env.RUST_TOOLCHAIN_FILE }}
+        id: toolchain
+        run: |
+          version=$(cat ${{ env.RUST_TOOLCHAIN_FILE }} | sed -n '/\[toolchain\]/,/^\[/{/^\s*channel = /s/[^"]*"\([^"]*\)".*/\1/p}')
+          cat ${{ env.RUST_TOOLCHAIN_FILE }} | grep $version &> /dev/null \
+            && echo "RUST_TOOLCHAIN=${version}" >> "$GITHUB_OUTPUT" \
+            || echo "RUST_TOOLCHAIN=${{ env.RUST_TOOLCHAIN_FILE }}" >> "$GITHUB_OUTPUT"
+        
+      # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here.
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Build and push Docker image
+        id: push
+        uses: docker/build-push-action@v6
+        with:
+          context: ./.devcontainer
+          push: true
+          tags: |
+            ${{ steps.meta.outputs.tags }}
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            USER=${{ env.USER }}
+            GROUP=${{ env.GROUP }}
+            LLVM_VERSION=${{ env.LLVM_VERSION }}
+            RUST_TOOLCHAIN=${{ steps.toolchain.outputs.RUST_TOOLCHAIN }}

.github/workflows/PRLabelChecker.yml

@@ -14,16 +14,22 @@ jobs:
       - uses: actions/checkout@v4
       - name: Check for specific labels
         run: |
-          PR_NUMBER=$(echo ${{ github.event.pull_request.number }})
-          LABELS_JSON=$(gh pr view $PR_NUMBER --json labels -q '.labels.[] | .name')
-          REQUIRED_LABELS=("chore" "ignore" "breaking-change" "enhancement" "feature" "dependencies" "bug" "security" "performance" "refactor" "testing" "documentation" "github-actions")
-          for REQUIRED_LABEL in "${REQUIRED_LABELS[@]}"; do
-            if echo "$LABELS_JSON" | grep -q "$REQUIRED_LABEL"; then
-              echo "One of the required labels is present"
+          # Fetch repository labels from the GitHub API
+          REPO_LABELS=$(gh api repos/${{ github.repository }}/labels --jq '.[].name')
+
+          # Fetch labels applied to the current PR
+          PR_NUMBER=${{ github.event.pull_request.number }}
+          PR_LABELS=$(gh pr view $PR_NUMBER --json labels -q '.labels.[] | .name')
+
+          # Check if any PR label matches a repository label
+          for PR_LABEL in $PR_LABELS; do
+            if echo "$REPO_LABELS" | grep -qw "$PR_LABEL"; then
+              echo "Label '$PR_LABEL' matches a repository label."
               exit 0
             fi
           done
-          echo "None of the required labels are present"
+
+          echo "None of the PR labels match repository labels."
           exit 1
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/ValidatePullRequest.yml

@@ -7,6 +7,12 @@ on:
     branches: [main, "release/**"]
   merge_group:
 
+# Cancels old running job if a new one is triggered (e.g. by a push onto the same branch).
+# This will cancel dependent jobs as well, such as dep_rust and dep_fuzzing
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true    
+
 permissions:
   id-token: write
   contents: read
@@ -42,6 +48,7 @@ jobs:
     secrets: inherit
     with: 
       docs_only: ${{needs.docs-pr.outputs.docs-only}}
+
   fuzzing:
     needs:
       - docs-pr
@@ -51,6 +58,14 @@ jobs:
       docs_only: ${{needs.docs-pr.outputs.docs-only}}
     secrets: inherit
 
+  spelling:
+    name: spell check with typos
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Spell Check Repo
+      uses: crate-ci/typos@master
+
   #####
   # start build-on-windows
   #####