view .github/workflows/build.yml @ 1843:03dfecca99bd

Use sudo for the real github action job (Wasn't required by act's runner)
author Matt Johnston <matt@ucc.asn.au>
date Mon, 18 Oct 2021 23:25:20 +0800
parents 827cee5feb46
children 7a3cd7b598d8
line wrap: on
line source
# Can be used locally with https://github.com/nektos/act

name: BuildTest
on:
  pull_request:
  push:
    branches:
      - master
jobs:
  build:
    runs-on: ${{ matrix.os || 'ubuntu-20.04' }}
    strategy:
      matrix:
        include:
          - name: plain linux

          - name: multi binary
            multi: 1

          - name: bundled libtom, bionic , no writev()
            # test can use an older distro with bundled libtommath
            os: ubuntu-18.04
            configure_flags: --enable-bundled-libtom
            # NOWRITEV is unrelated, test here to save a job
            nowritev: 1
            # pytest relies on python3.7
            skipcheck: True

          - name: linux clang
            cc: clang

          - name: macos 10.15
            os: macos-10.15
            cc: clang
            # OS X says daemon() and utmp are deprecated
            wextraflags: -Wno-deprecated-declarations -Werror

          - name: macos 11
            os: macos-11
            cc: clang
            # OS X says daemon() and utmp are deprecated
            wextraflags: -Wno-deprecated-declarations -Werror

          # Fuzzers run standalone. A bit superfluous with cifuzz, but
          # good to run the whole corpus to keep it working.
          - name: fuzzing with address sanitizer
            configure_flags: --enable-fuzz --disable-harden --enable-bundled-libtom
            ldflags: -fsanitize=address
            extracflags: -fsanitize=address
            fuzz: True
            cc: clang

          # Undefined Behaviour sanitizer
          - name: fuzzing with undefined behaviour sanitizer
            configure_flags: --enable-fuzz --disable-harden --enable-bundled-libtom
            ldflags: -fsanitize=undefined
            # don't fail with alignment due to https://github.com/libtom/libtomcrypt/issues/549
            extracflags: -fsanitize=undefined -fno-sanitize-recover=undefined -fsanitize-recover=alignment
            fuzz: True
            cc: clang

    env:
      MULTI: ${{ matrix.multi }}
      WEXTRAFLAGS: ${{ matrix.wextraflags || '-Werror' }}
      CC: ${{ matrix.cc || 'gcc' }}
      LDFLAGS: ${{ matrix.ldflags }}
      EXTRACFLAGS: ${{ matrix.extracflags }}
      CONFIGURE_FLAGS: ${{ matrix.configure_flags }}
      # for fuzzing
      CXX: clang++

    steps:
      - name: deps
        run: |
          sudo apt-get -y update
          sudo apt-get -y install zlib1g-dev libtomcrypt-dev libtommath-dev mercurial python3-venv socat $CC

      - uses: actions/[email protected]

      - name: cache pip
        uses: actions/[email protected]
        with:
          path: test/venv
          key: ${{ runner.os }}-pip-${{ hashFiles('test/requirements.txt') }}
          restore-keys: ${{ runner.os }}-pip-

      - name: cache fuzzcorpus
        uses: actions/[email protected]
        with:
          path: fuzzcorpus
          key: "hg.ucc/fuzzcorpus"

      - name: configure
        run: ./configure $CONFIGURE_FLAGS CFLAGS="-O2 -Wall -Wno-pointer-sign $WEXTRAFLAGS $EXTRACFLAGS" --prefix="$HOME/inst" || (cat config.log; exit 1)

      - name: nowritev
        if: ${{ matrix.nowritev }}
        run: sed -i -e s/HAVE_WRITEV/DONT_HAVE_WRITEV/ config.h

      - name: make
        run: make -j3

      - name: multilink
        if: ${{ matrix.multi }}
        run: make multilink

      - name: makefuzz
        run: make fuzzstandalone
        if: ${{ matrix.fuzz }}

        # avoid concurrent install, osx/freebsd is racey (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208093)
      - name: make install
        run: make install

      - name: keys
        run: |
          mkdir -p ~/.ssh
          ~/inst/bin/dropbearkey -t ecdsa -f ~/.ssh/id_dropbear | grep ^ecdsa > ~/.ssh/authorized_keys

      - name: check
        if: ${{ !matrix.skipcheck }}
      # run in a TTY for some tests
        run: socat - EXEC:"make check",pty

      # Sanity check that the binary runs
      - name: genrsa
        run: ~/inst/bin/dropbearkey -t rsa -f testrsa
      - name: gendss
        run: ~/inst/bin/dropbearkey -t dss -f testdss
      - name: genecdsa256
        run: ~/inst/bin/dropbearkey -t ecdsa -f testec256 -s 256
      - name: genecdsa384
        run: ~/inst/bin/dropbearkey -t ecdsa -f testec384 -s 384
      - name: genecdsa521
        run: ~/inst/bin/dropbearkey -t ecdsa -f testec521 -s 521
      - name: gened25519
        run: ~/inst/bin/dropbearkey -t ed25519 -f tested25519

      - name: fuzz
        if: ${{ matrix.fuzz }}
        run: ./fuzzers_test.sh