Feature integration test sharding

.github/workflows/build.yml

@@ -15,7 +15,7 @@ jobs:
   basic-checks:
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           submodules: recursive
           fetch-depth: 0
@@ -27,13 +27,10 @@ jobs:
           check-latest-tag-only: true
 
       - name: Check license header
-        uses: viperproject/check-license-header@v2
-        with:
-          path: ./
-          config: .github/license-check/config.json
+        run: make check-license
 
       - name: Lint Markdown docs
-        uses: DavidAnson/markdownlint-cli2-action@v16
+        uses: DavidAnson/markdownlint-cli2-action@ded1f9488f68a970bc66ea5619e13e9b52e601cd # v23
         with:
           globs: |
             *.md
@@ -47,15 +44,15 @@ jobs:
       packages: write
     steps:
       - name: Checkout source code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           submodules: recursive
 
       - name: Setup variables
         run: echo ROLLUPS_NODE_VERSION=`make version` >> $GITHUB_ENV
 
       - name: Login to GHCR
-        uses: docker/login-action@v3
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
         with:
           registry: ${{ env.GHCR_REGISTRY }}
           username: ${{ github.actor }}
@@ -142,7 +139,7 @@ jobs:
         run: make copy-debian-package BUILD_PLATFORM=linux/arm64 DEB_ARCH=arm64 DEB_PACKAGER_IMG=${{ github.repository_owner }}/rollups-node:debian-packager-arm64
 
       - name: Upload deb artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: artifacts
           path: |
@@ -159,10 +156,10 @@ jobs:
       packages: read
     steps:
       - name: Checkout source code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Login to GHCR
-        uses: docker/login-action@v3
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
         with:
           registry: ${{ env.GHCR_REGISTRY }}
           username: ${{ github.actor }}
@@ -185,10 +182,10 @@ jobs:
       packages: read
     steps:
       - name: Checkout source code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Login to GHCR
-        uses: docker/login-action@v3
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
         with:
           registry: ${{ env.GHCR_REGISTRY }}
           username: ${{ github.actor }}
@@ -207,7 +204,7 @@ jobs:
             cartesi/rollups-node-devnet:devel
 
       - name: Cache test machine images
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: test/downloads
           key: test-deps-${{ hashFiles('test/dependencies.sha256') }}
@@ -218,19 +215,48 @@ jobs:
       - name: Run unit tests
         run: make unit-test-with-compose
 
+  # Runs the shard coverage guard and derives the integration matrix from the
+  # Makefile's shard × topology cells, so adding a shard or topology never
+  # requires a workflow change and an unassigned test fails fast here.
+  integration-test-setup:
+    runs-on: ubuntu-24.04
+    outputs:
+      cells: ${{ steps.matrix.outputs.cells }}
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v6
+
+      - name: Setup Go
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+
+      - name: Check shard coverage
+        run: make integration-test-shard-check
+
+      - name: List shard x topology cells
+        id: matrix
+        run: echo "cells=$(make -s list-integration-cells)" >> "$GITHUB_OUTPUT"
+
   integration-test:
     runs-on: ubuntu-24.04
-    needs: [build]
+    needs: [build, integration-test-setup]
     timeout-minutes: 60
+    strategy:
+      fail-fast: false
+      matrix:
+        include: ${{ fromJson(needs.integration-test-setup.outputs.cells) }}
+    env:
+      COMPOSE_PROJECT: rollups-it-${{ github.run_id }}-${{ github.run_attempt }}-${{ matrix.shard }}-${{ matrix.topology }}
     permissions:
       contents: read
       packages: read
     steps:
       - name: Checkout source code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Login to GHCR
-        uses: docker/login-action@v3
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
         with:
           registry: ${{ env.GHCR_REGISTRY }}
           username: ${{ github.actor }}
@@ -249,25 +275,38 @@ jobs:
             cartesi/rollups-node-devnet:devel
 
       - name: Cache test machine images
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: test/downloads
           key: test-deps-${{ hashFiles('test/dependencies.sha256') }}
 
       - name: Download test dependencies
         run: make download-test-dependencies
 
-      - name: Run integration tests
-        run: make integration-test-with-compose
+      - name: Run integration shard ${{ matrix.shard }} (${{ matrix.topology }})
+        run: |
+          make integration-test-with-compose SHARD=${{ matrix.shard }} \
+            NODE_TOPOLOGY=${{ matrix.topology }} \
+            COMPOSE_PROJECT="$COMPOSE_PROJECT"
 
       - name: Upload integration test logs
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
-          name: integration-test-logs
-          path: integration-logs.txt
+          name: integration-test-logs-${{ matrix.shard }}-${{ matrix.topology }}
+          path: integration-logs-${{ matrix.shard }}-${{ matrix.topology }}.txt
           retention-days: 3
 
+      # Redundant with the trap in compose-integration-run.sh; this is the
+      # safety net for when concurrency cancel-in-progress SIGKILLs the make
+      # process before its trap can fire, which would otherwise leak the
+      # project's containers and volumes.
+      - name: Clean up compose project
+        if: always()
+        run: |
+          docker compose -p "$COMPOSE_PROJECT" \
+            -f test/compose/compose.integration.yaml down -v --remove-orphans || true
+
   publish_artifacts:
     name: Publish artifacts
     needs: [basic-checks, build, unit-test, integration-test]
@@ -277,13 +316,13 @@ jobs:
       contents: write
     steps:
       - name: Checkout emulator source code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Download artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v8
 
       - name: Upload products to GitHub Release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@718ea10b132b3b2eba29c1007bb80653f286566b # v3
         with:
           draft: true
           files: |

.github/workflows/clean-up-images.yml

@@ -1,11 +1,16 @@
 # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Clean-up Docker images
 
+# build.yml pushes four ci-<sha> tagged images to GHCR on every push; this
+# periodic sweep is what keeps them from accumulating without bound.
 on:
-  pull_request:
-    branches:
-      - main
-    types: [closed]
+  schedule:
+    # Approximately every 5 days. cron has no true "every N days", so this
+    # fires on days-of-month 1,6,11,16,21,26,31 and resets at each month
+    # start (one short gap at the boundary) — fine for a cleanup with a
+    # 7-day age floor.
+    - cron: "0 3 */5 * *"
+  workflow_dispatch:
 
 jobs:
   cleanup:
@@ -19,22 +24,14 @@ jobs:
           - rollups-node
           - rollups-node-devnet
     steps:
-      # Remove PR-scoped tags immediately.
-      - name: Prune PR tags
-        uses: vlaurin/action-ghcr-prune@v0.6.0
-        with:
-          organization: cartesi
-          container: ${{ matrix.image }}
-          token: ${{ secrets.GITHUB_TOKEN }}
-          prune-untagged: false
-          keep-last: 0
-          prune-tags-regexes: |
-            ^pr-${{ github.event.number }}$
-
       # Prune stale CI images older than 7 days to avoid deleting
       # images needed by concurrently running workflows.
       - name: Prune stale CI tags
-        uses: vlaurin/action-ghcr-prune@v0.6.0
+        # Pinned to a commit: third-party action holding a packages:write
+        # token. Still node20: no node24 release exists upstream (checked
+        # 2026-06); works until the runner removes node20 (announced
+        # 2026-09-16).
+        uses: vlaurin/action-ghcr-prune@0cf7d39f88546edd31965acba78cdcb0be14d641 # v0.6.0
         with:
           organization: cartesi
           container: ${{ matrix.image }}

.gitignore

@@ -21,3 +21,4 @@ machine-snapshot/**
 /applications
 /test/downloads
 /snapshots
+/integration-logs*.txt

Dockerfile

@@ -20,8 +20,10 @@ ARG GO_BUILD_PATH
 RUN <<EOF
     set -e
     apt-get update
+    # binutils-gold provides the gold linker, required for the linux/arm64
+    # build: without it the CGo link step fails on Apple-silicon (arm64) hosts.
     apt-get install -y --no-install-recommends \
-        ca-certificates curl wget build-essential pkg-config libssl-dev
+        ca-certificates curl wget build-essential binutils binutils-gold pkg-config libssl-dev
     groupadd --system --gid 102 cartesi
     useradd --system --uid 102 --gid cartesi --shell /usr/sbin/nologin --no-create-home cartesi
     ARCH=$(dpkg --print-architecture)