From d7cf63bb05a51a69a58820255b336a19cfa6b269 Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Fri, 6 Jun 2025 10:54:35 +0200 Subject: [PATCH] GHA: fix zizmor and shellcheck warnings, verify in CI Closes #1609 --- .github/workflows/appveyor_docker.yml | 19 +- .github/workflows/ci.yml | 468 ++++++++++++++------------ .github/workflows/cifuzz.yml | 4 +- .github/workflows/openssh_server.yml | 15 +- 4 files changed, 282 insertions(+), 224 deletions(-) diff --git a/.github/workflows/appveyor_docker.yml b/.github/workflows/appveyor_docker.yml index c0e3ecf4..080c6f52 100644 --- a/.github/workflows/appveyor_docker.yml +++ b/.github/workflows/appveyor_docker.yml @@ -52,6 +52,13 @@ jobs: daemon: runs-on: ubuntu-latest timeout-minutes: 60 + env: + SSH_HOST: '${{ github.event.inputs.ssh_host }}' + SSH_PORT: '${{ github.event.inputs.ssh_port }}' + SSH_USER: '${{ github.event.inputs.ssh_user }}' + SSH_FORWARD: '${{ github.event.inputs.ssh_forward }}' + SSH_HOSTKEY: '${{ github.event.inputs.ssh_hostkey }}' + SSH_PRIVKEY: '${{ github.event.inputs.ssh_privkey }}' steps: - name: Setup SSH client configuration run: | 
@@ -60,15 +67,17 @@ jobs: install -m 0600 /dev/null .ssh/config { echo 'ServerAliveInterval 45' - echo 'Host ${{ github.event.inputs.ssh_host }}' - echo '${{ github.event.inputs.ssh_forward }}' | sed 's/,/\n/g' | sed 's/^/ RemoteForward /g' + echo "Host ${SSH_HOST}" + # shellcheck disable=SC2001 + echo "${SSH_FORWARD}" | sed 's/,/\n/g' | sed 's/^/ RemoteForward /g' } | tee -a .ssh/config install -m 0600 /dev/null .ssh/known_hosts - echo '${{ github.event.inputs.ssh_host }} ${{ github.event.inputs.ssh_hostkey }}' | sed 's/,/\n${{ github.event.inputs.ssh_host }} /g' | tee -a .ssh/known_hosts + echo "${SSH_HOST} ${SSH_HOSTKEY}" | sed "s/,/\n${SSH_HOST} /g" | tee -a .ssh/known_hosts install -m 0600 /dev/null .ssh/id_rsa - echo '${{ github.event.inputs.ssh_privkey }}' | sed 's/,/\n/g' >> .ssh/id_rsa + # shellcheck disable=SC2001 + echo "${SSH_PRIVKEY}" | sed 's/,/\n/g' >> .ssh/id_rsa # we sleep explicitly to allow the remote system to kill the sleep process - name: Connect to AppVeyor and sleep run: | - ssh -v -p ${{ github.event.inputs.ssh_port }} ${{ github.event.inputs.ssh_user }}@${{ github.event.inputs.ssh_host }} sleep 1h + ssh -v -p "${SSH_PORT}" "${SSH_USER}@${SSH_HOST}" sleep 1h diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index eef39bf1..5f0348fe 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -28,16 +28,6 @@ jobs: - name: 'checksrc' run: ./ci/checksrc.sh - shellcheck: - runs-on: ubuntu-latest - timeout-minutes: 5 - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - with: - persist-credentials: false - - name: 'shellcheck' - run: ./ci/shellcheck.sh - spellcheck: runs-on: ubuntu-latest steps: 
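Review bot: `SSH_PRIVKEY` is declared in the new job-level `env:` block of the `daemon` job, so the private key is present in the environment of every step — including the later `ssh -v` step and anything appended to the job in future — although only the 'Setup SSH client configuration' step reads it. Moving the variables out of `${{ }}` interpolation is the right fix for the injection finding; narrow the key's exposure on top of it by moving that single entry to a step-level `env:` on the setup step, `env:` / `SSH_PRIVKEY: '${{ github.event.inputs.ssh_privkey }}'`, and keeping only host/port/user/forward/hostkey at job scope. Separately, a key passed as a `workflow_dispatch` input is retained in the run's event payload and visible to anyone who can read the run, which this change does not alter — presumably the key is a throwaway for the AppVeyor session, but that is worth a comment on the input.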
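Review bot: The known_hosts line still splices `${SSH_HOST}` into a sed replacement, `sed "s/,/\n${SSH_HOST} /g"`, so a host value containing `/`, `&` or `\` corrupts the expression; unlike the two `sed` calls that got `SC2001` disables, this one is not a fixed pattern, and the value is caller-controlled via `workflow_dispatch`. Split without sed instead: `printf '%s' "${SSH_HOSTKEY}" | tr ',' '\n' | while read -r k; do printf '%s %s\n' "${SSH_HOST}" "${k}"; done | tee -a .ssh/known_hosts`. The same `printf '%s\n' "${SSH_PRIVKEY}"` form is preferable to `echo` for the key material, and note that `tee -a` masks a non-zero exit from the pipeline under errexit unless `pipefail` is on in the wrapper shell.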
@@ -49,6 +39,40 @@ jobs: - name: 'spellcheck' run: ./ci/spellcheck.sh + shellcheck: + runs-on: ubuntu-latest + timeout-minutes: 5 + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + persist-credentials: false + - name: 'shellcheck' + run: ./ci/shellcheck.sh + + cicheck: + runs-on: macos-latest + timeout-minutes: 1 + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + persist-credentials: false + - name: 'install prereqs' + run: brew install shellcheck zizmor + - name: 'zizmor GHA' + run: zizmor --pedantic .github/workflows/*.yml + - name: 'shellcheck' + run: | + shellcheck --version + export SHELLCHECK_OPTS='--exclude=1090,1091,2086,2153 --enable=avoid-nullary-conditions,deprecate-which' + git ls-files '.github/workflows/*.yml' | while read -r f; do + echo "Verifying ${f}..." + { + echo '#!/usr/bin/env bash' + echo 'set -eu' + yq eval '.. | select(has("run") and (.run | type == "!!str")) | .run + "\ntrue\n"' "${f}" + } | sed -E 's|\$\{\{ .+ \}\}|GHA_EXPRESSION|g' | shellcheck - + done + build_integration: name: 'integration on ${{ matrix.image }}' runs-on: ${{ matrix.image }} @@ -58,7 +82,8 @@ jobs: shell: ${{ contains(matrix.image, 'windows') && 'msys2 {0}' || 'bash' }} env: CC: ${{ !contains(matrix.image, 'windows') && 'clang' || '' }} - old-cmake-version: 3.11.4 + MATRIX_IMAGE: '${{ matrix.image }}' + OLD_CMAKE_VERSION: 3.11.4 strategy: fail-fast: false matrix: 
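Review bot: The expression scrubber in the new `cicheck` job, `sed -E 's|\$\{\{ .+ \}\}|GHA_EXPRESSION|g'`, is greedy, so a `run:` line carrying two expressions such as `'${{ a }}' "${{ b }}"` collapses everything from the first `${{` to the last `}}` into one token and leaves `'GHA_EXPRESSION"` with unbalanced quotes for shellcheck to report. Use a bounded class: `sed -E 's|\$\{\{[^}]*\}\}|GHA_EXPRESSION|g'` (an expression containing a literal `}` would still need care, but none appear in these files). Separately, `brew install shellcheck zizmor` fetches whatever versions Homebrew ships that day, so the gate's result can change with no commit, and `timeout-minutes: 1` leaves little headroom for that install — pinning the two tools (or installing zizmor via a pinned action) and allowing a few minutes would make the check reproducible.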
@@ -77,26 +102,26 @@ jobs: - name: 'install packages' run: | - if [[ '${{ matrix.image }}' = *'windows'* ]]; then - cd "${HOME}" || exit 1 + if [[ "${MATRIX_IMAGE}" = *'windows'* ]]; then + cd ~ curl --disable --fail --silent --show-error --connect-timeout 15 --max-time 60 --retry 3 --retry-connrefused \ - --location 'https://github.com/Kitware/CMake/releases/download/v${{ env.old-cmake-version }}/cmake-${{ env.old-cmake-version }}-win64-x64.zip' --output bin.zip + --location "https://github.com/Kitware/CMake/releases/download/v${OLD_CMAKE_VERSION}/cmake-${OLD_CMAKE_VERSION}-win64-x64.zip" --output bin.zip unzip -q bin.zip rm -f bin.zip - printf '%s' "${HOME}/cmake-${{ env.old-cmake-version }}-win64-x64/bin/cmake.exe" > "${HOME}/old-cmake-path.txt" - elif [[ '${{ matrix.image }}' = *'ubuntu'* ]]; then + printf '%s' ~/cmake-"${OLD_CMAKE_VERSION}"-win64-x64/bin/cmake.exe > ~/old-cmake-path.txt + elif [[ "${MATRIX_IMAGE}" = *'ubuntu'* ]]; then sudo rm -f /var/lib/man-db/auto-update sudo apt-get -o Dpkg::Use-Pty=0 install libgcrypt-dev libssl-dev libmbedtls-dev libwolfssl-dev - cd "${HOME}" || exit 1 + cd ~ curl --disable --fail --silent --show-error --connect-timeout 15 --max-time 60 --retry 3 --retry-connrefused \ - --location https://github.com/Kitware/CMake/releases/download/v${{ env.old-cmake-version }}/cmake-${{ env.old-cmake-version }}-Linux-x86_64.tar.gz | tar -xzf - - printf '%s' "$PWD/cmake-${{ env.old-cmake-version }}-Linux-x86_64/bin/cmake" > "${HOME}/old-cmake-path.txt" + --location "https://github.com/Kitware/CMake/releases/download/v${OLD_CMAKE_VERSION}/cmake-${OLD_CMAKE_VERSION}-Linux-x86_64.tar.gz" | tar -xz + printf '%s' ~/cmake-"${OLD_CMAKE_VERSION}"-Linux-x86_64/bin/cmake > ~/old-cmake-path.txt else brew install libgcrypt openssl mbedtls wolfssl - cd "${HOME}" || exit 1 + cd ~ curl --disable --fail --silent --show-error --connect-timeout 15 --max-time 60 --retry 3 --retry-connrefused \ - --location 
https://github.com/Kitware/CMake/releases/download/v${{ env.old-cmake-version }}/cmake-${{ env.old-cmake-version }}-Darwin-x86_64.tar.gz | tar -xzf - - printf '%s' "$PWD/cmake-${{ env.old-cmake-version }}-Darwin-x86_64/CMake.app/Contents/bin/cmake" > "${HOME}/old-cmake-path.txt" + --location "https://github.com/Kitware/CMake/releases/download/v${OLD_CMAKE_VERSION}/cmake-${OLD_CMAKE_VERSION}-Darwin-x86_64.tar.gz" | tar -xz + printf '%s' ~/cmake-"${OLD_CMAKE_VERSION}"-Darwin-x86_64/CMake.app/Contents/bin/cmake > ~/old-cmake-path.txt fi - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 
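Review bot: `cd ~` drops the explicit `|| exit 1` and now relies on errexit from the step's shell wrapper; the Linux/macOS entries run under `bash -e`, but the Windows entries run under `msys2 {0}`, and whether setup-msys2's wrapper enables `-e` is not visible here — if it does not, a failed `cd` silently unzips the archive and writes `old-cmake-path.txt` into the checkout directory. `cd ~ || exit 1` keeps the intent explicit at no cost and satisfies SC2164 either way. While these download lines are being rewritten: the CMake archives are extracted with no integrity check, and Kitware publishes `cmake-${OLD_CMAKE_VERSION}-SHA-256.txt` with each release, so the version pin could be paired with a `sha256sum -c` before `unzip`/`tar`.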
@@ -121,23 +146,23 @@ jobs: - name: 'via add_subdirectory OpenSSL (old cmake)' run: | - export TEST_CMAKE_CONSUMER="$(cat "${HOME}/old-cmake-path.txt")" - [[ '${{ matrix.image }}' = *'macos'* ]] && export CFLAGS='-arch arm64' - if [[ '${{ matrix.image }}' = *'windows'* ]]; then + export TEST_CMAKE_CONSUMER; TEST_CMAKE_CONSUMER="$(cat ~/old-cmake-path.txt)" + [[ "${MATRIX_IMAGE}" = *'macos'* ]] && export CFLAGS='-arch arm64' + if [[ "${MATRIX_IMAGE}" = *'windows'* ]]; then export TEST_CMAKE_GENERATOR='MSYS Makefiles' export TEST_CMAKE_FLAGS='-DCMAKE_C_COMPILER=x86_64-w64-mingw32-gcc -DOPENSSL_ROOT_DIR=C:/msys64/mingw64' fi - ./tests/cmake/test.sh add_subdirectory -DCRYPTO_BACKEND=OpenSSL ${options} + ./tests/cmake/test.sh add_subdirectory -DCRYPTO_BACKEND=OpenSSL - name: 'via find_package OpenSSL (old cmake)' run: | - export TEST_CMAKE_CONSUMER="$(cat "${HOME}/old-cmake-path.txt")" - [[ '${{ matrix.image }}' = *'macos'* ]] && export CFLAGS='-arch arm64' - if [[ '${{ matrix.image }}' = *'windows'* ]]; then + export TEST_CMAKE_CONSUMER; TEST_CMAKE_CONSUMER="$(cat ~/old-cmake-path.txt)" + [[ "${MATRIX_IMAGE}" = *'macos'* ]] && export CFLAGS='-arch arm64' + if [[ "${MATRIX_IMAGE}" = *'windows'* ]]; then export TEST_CMAKE_GENERATOR='MSYS Makefiles' export TEST_CMAKE_FLAGS='-DCMAKE_C_COMPILER=x86_64-w64-mingw32-gcc -DOPENSSL_ROOT_DIR=C:/msys64/mingw64' fi - ./tests/cmake/test.sh find_package -DCRYPTO_BACKEND=OpenSSL ${options} + ./tests/cmake/test.sh find_package -DCRYPTO_BACKEND=OpenSSL build_linux: name: 'linux' 
@@ -234,34 +259,38 @@ jobs: options: --disable-static env: CC: ${{ matrix.compiler == 'clang-tidy' && 'clang' || matrix.compiler }} - mbedtls-version: 3.6.2 - wolfssl-version: 5.7.4 - wolfssl-version-prev: 5.5.4 - boringssl-version: 0.20250114.0 - awslc-version: 1.46.1 - libressl-version: 4.0.0 - openssl-version: 3.4.0 - openssl111-version: 1.1.1w - openssl110-version: 1.1.0l - openssl102-version: 1.0.2u + MATRIX_ARCH: '${{ matrix.arch }}' + MATRIX_CRYPTO: '${{ matrix.crypto }}' + MATRIX_OPTIONS: '${{ matrix.options }}' + MATRIX_ZLIB: '${{ matrix.zlib }}' + MBEDTLS_VERSION: 3.6.2 + WOLFSSL_VERSION: 5.7.4 + WOLFSSL_VERSION_PREV: 5.5.4 + BORINGSSL_VERSION: 0.20250114.0 + AWSLC_VERSION: 1.46.1 + LIBRESSL_VERSION: 4.0.0 + OPENSSL_VERSION: 3.4.0 + OPENSSL111_VERSION: 1.1.1w + OPENSSL110_VERSION: 1.1.0l + OPENSSL102_VERSION: 1.0.2u steps: - name: 'install architecture' if: ${{ matrix.arch != 'amd64' }} run: | - sudo dpkg --add-architecture '${{ matrix.arch }}' + sudo dpkg --add-architecture "${MATRIX_ARCH}" sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list sudo apt-get -o Dpkg::Use-Pty=0 update sudo rm -f /var/lib/man-db/auto-update - sudo apt-get -o Dpkg::Use-Pty=0 install gcc-multilib build-essential zlib1g-dev:${{ matrix.arch }} + sudo apt-get -o Dpkg::Use-Pty=0 install gcc-multilib build-essential zlib1g-dev:"${MATRIX_ARCH}" - name: 'install packages' run: | - [ '${{ matrix.crypto }}' = 'OpenSSL' ] && pkg='libssl-dev' - [ '${{ matrix.crypto }}' = 'Libgcrypt' ] && pkg='libgcrypt-dev' - [ '${{ matrix.crypto }}' = 'mbedTLS' ] && pkg='libmbedtls-dev' - [ '${{ matrix.crypto }}' = 'wolfSSL' ] && pkg='libwolfssl-dev' + [ "${MATRIX_CRYPTO}" = 'OpenSSL' ] && pkg='libssl-dev' + [ "${MATRIX_CRYPTO}" = 'Libgcrypt' ] && pkg='libgcrypt-dev' + [ "${MATRIX_CRYPTO}" = 'mbedTLS' ] && pkg='libmbedtls-dev' + [ "${MATRIX_CRYPTO}" = 'wolfSSL' ] && pkg='libwolfssl-dev' if [ -n "${pkg}" ]; then - sudo apt-get -o Dpkg::Use-Pty=0 install "${pkg}:${{ matrix.arch }}" + sudo apt-get -o 
Dpkg::Use-Pty=0 install "${pkg}:${MATRIX_ARCH}" fi - name: 'cache mbedTLS' 
@@ -270,40 +299,37 @@ jobs: id: cache-mbedtls with: path: ~/usr - key: ${{ runner.os }}-mbedtls-${{ env.mbedtls-version }}-${{ matrix.arch }} + key: ${{ runner.os }}-mbedtls-${{ env.MBEDTLS_VERSION }}-${{ matrix.arch }} - name: 'install mbedTLS from source' - if: ${{ matrix.crypto == 'mbedTLS-from-source' }} + if: ${{ matrix.crypto == 'mbedTLS-from-source' && !steps.cache-mbedtls.outputs.cache-hit }} run: | - if [ '${{ steps.cache-mbedtls.outputs.cache-hit }}' != 'true' ]; then - curl -fsS -L https://github.com/Mbed-TLS/mbedtls/releases/download/mbedtls-${{ env.mbedtls-version }}/mbedtls-${{ env.mbedtls-version }}.tar.bz2 | tar -xjf - - cd mbedtls-${{ env.mbedtls-version }} - if [ '${{ matrix.arch }}' = 'i386' ]; then - crossoptions='-DCMAKE_SYSTEM_NAME=Linux -DCMAKE_SYSTEM_VERSION=1 -DCMAKE_SYSTEM_PROCESSOR=${{ matrix.arch }}' - cflags='-m32 -mpclmul -msse2 -maes' - fi - cmake -B . -G Ninja ${crossoptions} \ - -DCMAKE_C_FLAGS="${cflags}" \ - -DENABLE_PROGRAMS=OFF \ - -DENABLE_TESTING=OFF \ - -DUSE_STATIC_MBEDTLS_LIBRARY=OFF \ - -DUSE_SHARED_MBEDTLS_LIBRARY=ON \ - -DCMAKE_INSTALL_PREFIX="$HOME/usr" - cmake --build . --parallel 5 - cmake --install . - cd .. + curl -fsS -L "https://github.com/Mbed-TLS/mbedtls/releases/download/mbedtls-${MBEDTLS_VERSION}/mbedtls-${MBEDTLS_VERSION}.tar.bz2" | tar -xj + cd "mbedtls-${MBEDTLS_VERSION}" + if [ "${MATRIX_ARCH}" = 'i386' ]; then + crossoptions="-DCMAKE_SYSTEM_NAME=Linux -DCMAKE_SYSTEM_VERSION=1 -DCMAKE_SYSTEM_PROCESSOR=${MATRIX_ARCH}" + cflags='-m32 -mpclmul -msse2 -maes' fi + cmake -B . -G Ninja ${crossoptions} \ + -DCMAKE_C_FLAGS="${cflags}" \ + -DENABLE_PROGRAMS=OFF \ + -DENABLE_TESTING=OFF \ + -DUSE_STATIC_MBEDTLS_LIBRARY=OFF \ + -DUSE_SHARED_MBEDTLS_LIBRARY=ON \ + -DCMAKE_INSTALL_PREFIX="$HOME"/usr + cmake --build . --parallel 5 + cmake --install . 
- name: 'install wolfSSL from source' if: ${{ startsWith(matrix.crypto, 'wolfSSL-from-source') }} run: | - if [ '${{ matrix.crypto }}' = 'wolfSSL-from-source' ]; then - WOLFSSLVER=${{ env.wolfssl-version }} + if [ "${MATRIX_CRYPTO}" = 'wolfSSL-from-source' ]; then + WOLFSSLVER="${WOLFSSL_VERSION}" else - WOLFSSLVER=${{ env.wolfssl-version-prev }} + WOLFSSLVER="${WOLFSSL_VERSION_PREV}" options='-DWOLFSSL_OPENSSLEXTRA=ON' fi - curl -fsS -L https://github.com/wolfSSL/wolfssl/archive/refs/tags/v$WOLFSSLVER-stable.tar.gz | tar -xzf - + curl -fsS -L https://github.com/wolfSSL/wolfssl/archive/refs/tags/v$WOLFSSLVER-stable.tar.gz | tar -xz cd wolfssl-$WOLFSSLVER-stable cmake -B bld -G Ninja ${options} \ -DWOLFSSL_LIBSSH2=ON \ @@ -313,7 +339,7 @@ jobs: -DWOLFSSL_CRYPT_TESTS=OFF \ -DCMAKE_POSITION_INDEPENDENT_CODE=ON \ -DCMAKE_C_FLAGS='-DWOLFSSL_AESGCM_STREAM' \ - -DCMAKE_INSTALL_PREFIX="$HOME/usr" + -DCMAKE_INSTALL_PREFIX="$HOME"/usr cmake --build bld --parallel 5 cmake --install bld cd .. 
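Review bot: `!steps.cache-mbedtls.outputs.cache-hit` in the new `if:` is not equivalent to the removed `!= 'true'` shell test: actions/cache sets the output to the string `'false'` on a partial (`restore-keys`) match, and a non-empty string is truthy in expression context, so the build step would be skipped with nothing in `~/usr`. It works today only because this cache step has no `restore-keys` and a plain miss leaves the output unset, as far as I can tell from the action's restore code. Prefer the form the action documents, `if: ${{ matrix.crypto == 'mbedTLS-from-source' && steps.cache-mbedtls.outputs.cache-hit != 'true' }}`; the same `!cache-hit` pattern is repeated below for BoringSSL, AWS-LC, LibreSSL and the four OpenSSL steps.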
@@ -324,25 +350,22 @@ jobs: id: cache-boringssl with: path: ~/usr - key: ${{ runner.os }}-boringssl-${{ env.boringssl-version }}-${{ matrix.arch }} + key: ${{ runner.os }}-boringssl-${{ env.BORINGSSL_VERSION }}-${{ matrix.arch }} - name: 'install BoringSSL from source' - if: ${{ matrix.crypto == 'BoringSSL' }} + if: ${{ matrix.crypto == 'BoringSSL' && !steps.cache-boringssl.outputs.cache-hit }} run: | - if [ '${{ steps.cache-boringssl.outputs.cache-hit }}' != 'true' ]; then - mkdir boringssl - cd boringssl - curl -fsS https://boringssl.googlesource.com/boringssl/+archive/${{ env.boringssl-version }}.tar.gz | tar -xzf - - # Skip tests to finish the build faster - echo 'set_target_properties(decrepit bssl_shim test_fips boringssl_gtest test_support_lib urandom_test crypto_test ssl_test decrepit_test all_tests pki pki_test run_tests PROPERTIES EXCLUDE_FROM_ALL TRUE)' >> ./CMakeLists.txt - cmake -B . -G Ninja \ - -DOPENSSL_SMALL=ON \ - -DCMAKE_POSITION_INDEPENDENT_CODE=ON \ - -DCMAKE_INSTALL_PREFIX="$HOME/usr" - cmake --build . --parallel 5 - cmake --install . - cd .. - fi + mkdir boringssl + cd boringssl + curl -fsS "https://boringssl.googlesource.com/boringssl/+archive/${BORINGSSL_VERSION}.tar.gz" | tar -xz + # Skip tests to finish the build faster + echo 'set_target_properties(decrepit bssl_shim test_fips boringssl_gtest test_support_lib urandom_test crypto_test ssl_test decrepit_test all_tests pki pki_test run_tests PROPERTIES EXCLUDE_FROM_ALL TRUE)' >> ./CMakeLists.txt + cmake -B . -G Ninja \ + -DOPENSSL_SMALL=ON \ + -DCMAKE_POSITION_INDEPENDENT_CODE=ON \ + -DCMAKE_INSTALL_PREFIX="$HOME"/usr + cmake --build . --parallel 5 + cmake --install . - name: 'cache AWS-LC' if: ${{ matrix.crypto == 'AWS-LC' }} 
@@ -350,20 +373,17 @@ jobs: id: cache-aws-lc with: path: ~/usr - key: ${{ runner.os }}-aws-lc-${{ env.awslc-version }}-${{ matrix.arch }} + key: ${{ runner.os }}-aws-lc-${{ env.AWSLC_VERSION }}-${{ matrix.arch }} - name: 'install AWS-LC from source' - if: ${{ matrix.crypto == 'AWS-LC' }} + if: ${{ matrix.crypto == 'AWS-LC' && !steps.cache-aws-lc.outputs.cache-hit }} run: | - if [ '${{ steps.cache-aws-lc.outputs.cache-hit }}' != 'true' ]; then - mkdir aws-lc - cd aws-lc - curl -fsS -L https://github.com/aws/aws-lc/archive/refs/tags/v${{ env.awslc-version }}.tar.gz | tar -xzf - - cmake aws-lc-${{ env.awslc-version }} -B . -DCMAKE_INSTALL_PREFIX="$HOME/usr" - cmake --build . --parallel 5 - cmake --install . - cd .. - fi + mkdir aws-lc + cd aws-lc + curl -fsS -L "https://github.com/aws/aws-lc/archive/refs/tags/v${AWSLC_VERSION}.tar.gz" | tar -xz + cmake "aws-lc-${AWSLC_VERSION}" -B . -DCMAKE_INSTALL_PREFIX="$HOME"/usr + cmake --build . --parallel 5 + cmake --install . - name: 'cache LibreSSL' if: ${{ matrix.crypto == 'LibreSSL' }} 
@@ -371,22 +391,19 @@ jobs: id: cache-libressl with: path: ~/usr - key: ${{ runner.os }}-libressl-${{ env.libressl-version }}-${{ matrix.arch }} + key: ${{ runner.os }}-libressl-${{ env.LIBRESSL_VERSION }}-${{ matrix.arch }} - name: 'install LibreSSL from source' - if: ${{ matrix.crypto == 'LibreSSL' }} + if: ${{ matrix.crypto == 'LibreSSL' && !steps.cache-libressl.outputs.cache-hit }} run: | - if [ '${{ steps.cache-libressl.outputs.cache-hit }}' != 'true' ]; then - curl -fsS -L https://github.com/libressl/portable/releases/download/v${{ env.libressl-version }}/libressl-${{ env.libressl-version }}.tar.gz | tar -xzf - - cd libressl-${{ env.libressl-version }} - cmake -B . -G Ninja \ - -DLIBRESSL_APPS=OFF \ - -DLIBRESSL_TESTS=OFF \ - -DCMAKE_INSTALL_PREFIX="$HOME/usr" - cmake --build . --parallel 5 - cmake --install . - cd .. - fi + curl -fsS -L "https://github.com/libressl/portable/releases/download/v${LIBRESSL_VERSION}/libressl-${LIBRESSL_VERSION}.tar.gz" | tar -xz + cd "libressl-${LIBRESSL_VERSION}" + cmake -B . -G Ninja \ + -DLIBRESSL_APPS=OFF \ + -DLIBRESSL_TESTS=OFF \ + -DCMAKE_INSTALL_PREFIX="$HOME"/usr + cmake --build . --parallel 5 + cmake --install . - name: 'cache OpenSSL' if: ${{ matrix.crypto == 'OpenSSL-3-no-deprecated' }} 
@@ -394,20 +411,17 @@ jobs: id: cache-openssl with: path: ~/usr - key: ${{ runner.os }}-openssl-${{ env.openssl-version }}-${{ matrix.arch }} + key: ${{ runner.os }}-openssl-${{ env.OPENSSL_VERSION }}-${{ matrix.arch }} - name: 'install OpenSSL from source' - if: ${{ matrix.crypto == 'OpenSSL-3-no-deprecated' }} + if: ${{ matrix.crypto == 'OpenSSL-3-no-deprecated' && !steps.cache-openssl.outputs.cache-hit }} run: | - if [ '${{ steps.cache-openssl.outputs.cache-hit }}' != 'true' ]; then - curl -fsS -L https://github.com/openssl/openssl/releases/download/openssl-${{ env.openssl-version }}/openssl-${{ env.openssl-version }}.tar.gz | tar -xzf - - cd openssl-${{ env.openssl-version }} - ./Configure no-deprecated \ - no-apps no-docs no-tests no-makedepend \ - no-comp no-quic no-legacy --prefix="$HOME/usr" - make -j5 install_sw - cd .. - fi + curl -fsS -L "https://github.com/openssl/openssl/releases/download/openssl-${OPENSSL_VERSION}/openssl-${OPENSSL_VERSION}.tar.gz" | tar -xz + cd "openssl-${OPENSSL_VERSION}" + ./Configure no-deprecated \ + no-apps no-docs no-tests no-makedepend \ + no-comp no-quic no-legacy --prefix="$HOME"/usr + make -j5 install_sw - name: 'cache OpenSSL 1.1.1' if: ${{ matrix.crypto == 'OpenSSL-111-from-source' }} 
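Review bot: The OpenSSL tarball is piped straight from the release URL into `tar -xz` with no integrity check, and the build lands in `~/usr`, which the preceding cache step keys only on `runner.os`, `OPENSSL_VERSION` and `matrix.arch` — a tampered or truncated download would therefore be persisted and reused by later runs until the version is bumped. OpenSSL publishes a `.sha256` beside each release tarball; pin that digest in the job `env:` next to `OPENSSL_VERSION` and verify before extracting. The quoting fix in this hunk is fine; only the download line changes below.

```yaml
      run: |
        curl -fsS -L "https://github.com/openssl/openssl/releases/download/openssl-${OPENSSL_VERSION}/openssl-${OPENSSL_VERSION}.tar.gz" --output openssl.tar.gz
        # OPENSSL_SHA256 is pinned in the job env next to OPENSSL_VERSION; a mismatch fails the step.
        printf '%s  openssl.tar.gz\n' "${OPENSSL_SHA256}" | sha256sum -c -
        tar -xzf openssl.tar.gz
        cd "openssl-${OPENSSL_VERSION}"
        # … unchanged: ./Configure no-deprecated … and make -j5 install_sw …
```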
@@ -415,19 +429,16 @@ jobs: id: cache-openssl111 with: path: ~/usr - key: ${{ runner.os }}-openssl-${{ env.openssl111-version }}-${{ matrix.arch }} + key: ${{ runner.os }}-openssl-${{ env.OPENSSL111_VERSION }}-${{ matrix.arch }} - name: 'install OpenSSL 1.1.1 from source' - if: ${{ matrix.crypto == 'OpenSSL-111-from-source' }} + if: ${{ matrix.crypto == 'OpenSSL-111-from-source' && !steps.cache-openssl111.outputs.cache-hit }} run: | - if [ '${{ steps.cache-openssl111.outputs.cache-hit }}' != 'true' ]; then - curl -fsS -L https://github.com/openssl/openssl/releases/download/OpenSSL_1_1_1w/openssl-${{ env.openssl111-version }}.tar.gz | tar -xzf - - cd openssl-${{ env.openssl111-version }} - ./config no-unit-test no-makedepend --prefix="$HOME/usr" no-tests - make -j5 - make -j1 install_sw - cd .. - fi + curl -fsS -L "https://github.com/openssl/openssl/releases/download/OpenSSL_1_1_1w/openssl-${OPENSSL111_VERSION}.tar.gz" | tar -xz + cd "openssl-${OPENSSL111_VERSION}" + ./config no-unit-test no-makedepend --prefix="$HOME"/usr no-tests + make -j5 + make -j1 install_sw - name: 'cache OpenSSL 1.1.0' if: ${{ matrix.crypto == 'OpenSSL-110-from-source' }} 
@@ -435,19 +446,16 @@ jobs: id: cache-openssl110 with: path: ~/usr - key: ${{ runner.os }}-openssl-${{ env.openssl110-version }}-${{ matrix.arch }} + key: ${{ runner.os }}-openssl-${{ env.OPENSSL110_VERSION }}-${{ matrix.arch }} - name: 'install OpenSSL 1.1.0 from source' - if: ${{ matrix.crypto == 'OpenSSL-110-from-source' }} + if: ${{ matrix.crypto == 'OpenSSL-110-from-source' && !steps.cache-openssl110.outputs.cache-hit }} run: | - if [ '${{ steps.cache-openssl110.outputs.cache-hit }}' != 'true' ]; then - curl -fsS -L https://github.com/openssl/openssl/releases/download/OpenSSL_1_1_0l/openssl-${{ env.openssl110-version }}.tar.gz | tar -xzf - - cd openssl-${{ env.openssl110-version }} - ./config no-unit-test no-makedepend --prefix="$HOME/usr" - make -j5 - make -j1 install_sw - cd .. - fi + curl -fsS -L "https://github.com/openssl/openssl/releases/download/OpenSSL_1_1_0l/openssl-${OPENSSL110_VERSION}.tar.gz" | tar -xz + cd "openssl-${OPENSSL110_VERSION}" + ./config no-unit-test no-makedepend --prefix="$HOME"/usr + make -j5 + make -j1 install_sw - name: 'cache OpenSSL 1.0.2' if: ${{ matrix.crypto == 'OpenSSL-102-from-source' }} 
@@ -455,19 +463,16 @@ jobs: id: cache-openssl102 with: path: ~/usr - key: ${{ runner.os }}-openssl-${{ env.openssl102-version }}-${{ matrix.arch }} + key: ${{ runner.os }}-openssl-${{ env.OPENSSL102_VERSION }}-${{ matrix.arch }} - name: 'install OpenSSL 1.0.2 from source' - if: ${{ matrix.crypto == 'OpenSSL-102-from-source' }} + if: ${{ matrix.crypto == 'OpenSSL-102-from-source' && !steps.cache-openssl102.outputs.cache-hit }} run: | - if [ '${{ steps.cache-openssl102.outputs.cache-hit }}' != 'true' ]; then - curl -fsS -L https://github.com/openssl/openssl/releases/download/OpenSSL_1_0_2u/openssl-${{ env.openssl102-version }}.tar.gz | tar -xzf - - cd openssl-${{ env.openssl102-version }} - ./config no-unit-test no-makedepend --prefix="$HOME/usr" -fPIC - make -j5 - make -j1 install_sw - cd .. - fi + curl -fsS -L "https://github.com/openssl/openssl/releases/download/OpenSSL_1_0_2u/openssl-${OPENSSL102_VERSION}.tar.gz" | tar -xz + cd "openssl-${OPENSSL102_VERSION}" + ./config no-unit-test no-makedepend --prefix="$HOME"/usr -fPIC + make -j5 + make -j1 install_sw - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: @@ -478,12 +483,13 @@ jobs: - name: 'autotools configure' if: ${{ matrix.build == 'autotools' && matrix.target != 'maketgz' }} run: | - if [ '${{ matrix.arch }}' = 'i386' ]; then + if [ "${MATRIX_ARCH}" = 'i386' ]; then crossoptions='--host=i686-pc-linux-gnu' export CFLAGS=-m32 fi - mkdir bld && cd bld && ../configure --enable-werror --enable-debug \ - ${crossoptions} ${{ matrix.options }} \ + mkdir bld && cd bld + ../configure --enable-werror --enable-debug \ + ${crossoptions} ${MATRIX_OPTIONS} \ --disable-dependency-tracking || { tail -n 1000 config.log; false; } - name: 'autotools build' 
@@ -503,7 +509,7 @@ jobs: run: | export SOURCE_DATE_EPOCH=1711526400 ./configure --enable-werror --disable-debug \ - ${{ matrix.options }} --disable-dependency-tracking + ${MATRIX_OPTIONS} --disable-dependency-tracking ./maketgz 99.98.97 # Test reproducibility mkdir run1; mv ./libssh2-99.98.97.* run1/ 
@@ -514,38 +520,40 @@ jobs: # Test build from tarball tar -xvf libssh2-99.98.97.tar.gz cd libssh2-99.98.97 - ./configure --enable-werror --enable-debug --prefix="${HOME}/temp" \ - ${{ matrix.options }} --disable-dependency-tracking + ./configure --enable-werror --enable-debug --prefix="$HOME"/temp \ + ${MATRIX_OPTIONS} --disable-dependency-tracking make -j5 install cd .. # Verify install - diff -u <(find docs -name '*.3' -printf '%f\n' | grep -v template | sort) <(find "${HOME}/temp/share/man/man3" -name '*.3' -printf '%f\n' | sort) - diff -u <(find include -name '*.h' -printf '%f\n' | sort) <(find "${HOME}/temp/include" -name '*.h' -printf '%f\n' | sort) + diff -u <(find docs -name '*.3' -printf '%f\n' | grep -v template | sort) <(find "$HOME"/temp/share/man/man3 -name '*.3' -printf '%f\n' | sort) + diff -u <(find include -name '*.h' -printf '%f\n' | sort) <(find "$HOME"/temp/include -name '*.h' -printf '%f\n' | sort) rm -rf libssh2-99.98.97 - name: 'cmake configure' if: ${{ matrix.build == 'cmake' }} + env: + MATRIX_COMPILER: '${{ matrix.compiler }}' run: | - if [ '${{ matrix.crypto }}' = 'BoringSSL' ] || \ - [ '${{ matrix.crypto }}' = 'AWS-LC' ] || \ - [ '${{ matrix.crypto }}' = 'LibreSSL' ] || \ - [[ '${{ matrix.crypto }}' = 'OpenSSL-'* ]]; then + if [ "${MATRIX_CRYPTO}" = 'BoringSSL' ] || \ + [ "${MATRIX_CRYPTO}" = 'AWS-LC' ] || \ + [ "${MATRIX_CRYPTO}" = 'LibreSSL' ] || \ + [[ "${MATRIX_CRYPTO}" = 'OpenSSL-'* ]]; then crypto='OpenSSL' - elif [[ '${{ matrix.crypto }}' = 'mbedTLS-'* ]]; then + elif [[ "${MATRIX_CRYPTO}" = 'mbedTLS-'* ]]; then crypto='mbedTLS' - elif [[ '${{ matrix.crypto }}' = 'wolfSSL-'* ]]; then + elif [[ "${MATRIX_CRYPTO}" = 'wolfSSL-'* ]]; then crypto='wolfSSL' else - crypto='${{ matrix.crypto }}' + crypto="${MATRIX_CRYPTO}" fi - [ -d "$HOME/usr" ] && options+=" -DCMAKE_PREFIX_PATH=$HOME/usr" - [ '${{ matrix.arch }}' = 'i386' ] && options+=' -DCMAKE_SYSTEM_NAME=Linux -DCMAKE_SYSTEM_VERSION=1 -DCMAKE_SYSTEM_PROCESSOR=${{ matrix.arch }} 
-DCMAKE_C_FLAGS=-m32' + [ -d "$HOME"/usr ] && options+=" -DCMAKE_PREFIX_PATH=$HOME/usr" + [ "${MATRIX_ARCH}" = 'i386' ] && options+=" -DCMAKE_SYSTEM_NAME=Linux -DCMAKE_SYSTEM_VERSION=1 -DCMAKE_SYSTEM_PROCESSOR=${MATRIX_ARCH} -DCMAKE_C_FLAGS=-m32" + [ "${MATRIX_COMPILER}" = 'clang-tidy' ] && options+=' -DLIBSSH2_CLANG_TIDY=ON' cmake -B bld -G Ninja ${options} $TOOLCHAIN_OPTION \ -DCMAKE_UNITY_BUILD=ON \ -DENABLE_WERROR=ON \ -DCRYPTO_BACKEND=${crypto} \ - -DENABLE_ZLIB_COMPRESSION=${{ matrix.zlib }} \ - ${{ matrix.compiler == 'clang-tidy' && '-DLIBSSH2_CLANG_TIDY=ON' || '' }} \ + -DENABLE_ZLIB_COMPRESSION="${MATRIX_ZLIB}" \ || { cat bld/CMakeFiles/CMake*.yaml; false; } - name: 'cmake build' @@ -555,8 +563,8 @@ jobs: if: ${{ matrix.build == 'cmake' }} timeout-minutes: 10 run: | - export OPENSSH_SERVER_IMAGE=ghcr.io/libssh2/ci_tests_openssh_server:$(git rev-parse --short=20 HEAD:tests/openssh_server) - [ -d "$HOME/usr" ] && export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$HOME/usr/lib" + export OPENSSH_SERVER_IMAGE; OPENSSH_SERVER_IMAGE=ghcr.io/libssh2/ci_tests_openssh_server:$(git rev-parse --short=20 HEAD:tests/openssh_server) + [ -d "$HOME"/usr ] && export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$HOME/usr/lib" cd bld && ctest -VV --output-on-failure build_linux_cross_mingw64: @@ -573,12 +581,15 @@ jobs: env: MAKEFLAGS: -j 5 TRIPLET: 'x86_64-w64-mingw32' + MATRIX_BUILD: '${{ matrix.build }}' steps: - name: 'install packages' + env: + INSTALL_PACKAGES: ${{ matrix.compiler == 'clang-tidy' && 'clang' || '' }} run: | sudo rm -f /var/lib/man-db/auto-update sudo apt-get -o Dpkg::Use-Pty=0 install mingw-w64 \ - ${{ matrix.compiler == 'clang-tidy' && 'clang' || '' }} + ${INSTALL_PACKAGES} - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: 
@@ -589,9 +600,11 @@ jobs: run: autoreconf -fi - name: 'configure' + env: + MATRIX_COMPILER: '${{ matrix.compiler }}' run: | - if [ '${{ matrix.build }}' = 'cmake' ]; then - if [ '${{ matrix.compiler }}' = 'clang-tidy' ]; then + if [ "${MATRIX_BUILD}" = 'cmake' ]; then + if [ "${MATRIX_COMPILER}" = 'clang-tidy' ]; then options+=' -DLIBSSH2_CLANG_TIDY=ON' options+=' -DCMAKE_C_COMPILER=clang' options+=" -DCMAKE_RC_COMPILER=llvm-windres-$(clang -dumpversion | cut -d '.' -f 1)" @@ -600,13 +613,14 @@ jobs: fi cmake -B bld -G Ninja \ -DCMAKE_SYSTEM_NAME=Windows \ - -DCMAKE_C_COMPILER_TARGET=${TRIPLET} \ + -DCMAKE_C_COMPILER_TARGET="${TRIPLET}" \ -DCMAKE_UNITY_BUILD=ON \ -DENABLE_WERROR=ON \ ${options} \ || { cat bld/CMakeFiles/CMake*.yaml; false; } else - mkdir bld && cd bld && ../configure --enable-werror --enable-debug \ + mkdir bld && cd bld + ../configure --enable-werror --enable-debug \ --host="${TRIPLET}" \ --disable-dependency-tracking \ || { tail -n 1000 config.log; false; } @@ -614,7 +628,7 @@ jobs: - name: 'build' run: | - if [ '${{ matrix.build }}' = 'cmake' ]; then + if [ "${MATRIX_BUILD}" = 'cmake' ]; then cmake --build bld else make -C bld @@ -650,9 +664,10 @@ jobs: timeout-minutes: 10 shell: D:\cygwin\bin\bash.exe '{0}' run: | - export PATH="/usr/bin:$(cygpath ${SYSTEMROOT})/System32" + PATH="/usr/bin:$(cygpath ${SYSTEMROOT})/System32" autoreconf -fi - mkdir bld && cd bld && ../configure --enable-werror --enable-debug \ + mkdir bld && cd bld + ../configure --enable-werror --enable-debug \ --with-crypto=openssl \ --disable-docker-tests \ --disable-dependency-tracking || { tail -n 1000 config.log; false; } @@ -664,7 +679,7 @@ jobs: timeout-minutes: 10 shell: D:\cygwin\bin\bash.exe '{0}' run: | - export PATH="/usr/bin:$(cygpath ${SYSTEMROOT})/System32" + PATH="/usr/bin:$(cygpath ${SYSTEMROOT})/System32" cmake -B bld -G Ninja \ -DCMAKE_UNITY_BUILD=ON \ -DENABLE_WERROR=ON \ 
@@ -698,6 +713,9 @@ jobs: - { build: 'cmake' , sys: clang64, crypto: OpenSSL, env: clang-x86_64 } - { build: 'cmake' , sys: mingw64, crypto: OpenSSL, env: x86_64, test: 'uwp' } - { build: 'cmake' , sys: mingw64, crypto: OpenSSL, env: x86_64, test: 'no-options' } + env: + MATRIX_CRYPTO: '${{ matrix.crypto }}' + MATRIX_ENV: '${{ matrix.env }}' steps: - uses: msys2/setup-msys2@d44ca8e88d8b43d56cf5670f91747359d5537f97 # v2 if: ${{ matrix.sys == 'msys' }} @@ -726,12 +744,13 @@ jobs: SSHD: 'C:/Program Files/Git/usr/bin/sshd.exe' shell: msys2 {0} run: | - if [ '${{ matrix.crypto }}' = 'wincng' ] && [[ '${{ matrix.env }}' = 'clang'* ]]; then + if [ "${MATRIX_CRYPTO}" = 'wincng' ] && [[ "${MATRIX_ENV}" = 'clang'* ]]; then options='--enable-ecdsa-wincng' fi # sshd tests sometimes hang - mkdir bld && cd bld && ../configure --enable-werror --enable-debug \ - --with-crypto=${{ matrix.crypto }} \ + mkdir bld && cd bld + ../configure --enable-werror --enable-debug \ + --with-crypto="${MATRIX_CRYPTO}" \ --disable-docker-tests \ --disable-sshd-tests \ ${options} \ 
@@ -749,19 +768,21 @@ jobs: - name: 'cmake configure' if: ${{ matrix.build == 'cmake' }} shell: msys2 {0} + env: + MATRIX_TEST: '${{ matrix.test }}' run: | - if [[ '${{ matrix.env }}' = 'clang'* ]]; then + if [[ "${MATRIX_ENV}" = 'clang'* ]]; then options='-DCMAKE_C_COMPILER=clang' else options='-DCMAKE_C_COMPILER=gcc' fi - if [ '${{ matrix.test }}' = 'uwp' ]; then + if [ "${MATRIX_TEST}" = 'uwp' ]; then options+=' -DCMAKE_SYSTEM_NAME=WindowsStore -DCMAKE_SYSTEM_VERSION=10.0' - pacman --noconfirm --ask 20 --noprogressbar --sync --needed 'mingw-w64-${{ matrix.env }}-winstorecompat-git' + pacman --noconfirm --ask 20 --noprogressbar --sync --needed "mingw-w64-${MATRIX_ENV}-winstorecompat-git" specs="$(realpath gcc-specs-uwp)" gcc -dumpspecs | sed -e 's/-lmingwex/-lwindowsapp -lmingwex -lwindowsapp -lwindowsappcompat/' -e 's/-lmsvcrt/-lmsvcr120_app/' > "${specs}" cflags="-specs=$(cygpath -w "${specs}") -DWINSTORECOMPAT -DWINAPI_FAMILY=WINAPI_FAMILY_APP" - elif [ '${{ matrix.test }}' = 'no-options' ]; then + elif [ "${MATRIX_TEST}" = 'no-options' ]; then options+=' -DLIBSSH2_NO_DEPRECATED=ON' cflags='-DLIBSSH2_NO_MD5 -DLIBSSH2_NO_MD5_PEM -DLIBSSH2_NO_HMAC_RIPEMD -DLIBSSH2_DSA_ENABLE -DLIBSSH2_NO_AES_CBC -DLIBSSH2_NO_AES_CTR -DLIBSSH2_NO_BLOWFISH -DLIBSSH2_NO_RC4 -DLIBSSH2_NO_CAST -DLIBSSH2_NO_3DES' else @@ -772,7 +793,7 @@ jobs: -DCMAKE_UNITY_BUILD=ON \ -DENABLE_WERROR=ON \ -DENABLE_DEBUG_LOGGING=ON \ - -DCRYPTO_BACKEND=${{ matrix.crypto }} \ + -DCRYPTO_BACKEND="${MATRIX_CRYPTO}" \ -DENABLE_ZLIB_COMPRESSION=ON \ -DRUN_DOCKER_TESTS=OFF \ -DRUN_SSHD_TESTS=OFF \ 
@@ -811,28 +832,37 @@ jobs: persist-credentials: false - name: 'cmake configure' shell: bash + env: + MATRIX_ARCH: '${{ matrix.arch }}' + MATRIX_CRYPTO: '${{ matrix.crypto }}' + MATRIX_PLAT: '${{ matrix.plat }}' + MATRIX_WINCND_ECDSA: '${{ matrix.wincng_ecdsa }}' + MATRIX_LOG: '${{ matrix.log }}' + MATRIX_SHARED: '${{ matrix.shared }}' + MATRIX_ZLIB: '${{ matrix.zlib }}' + MATRIX_UNITY: '${{ matrix.unity }}' run: | options='' - archgen=${{ matrix.arch }}; [ "${archgen}" = 'x86' ] && archgen='Win32' - if [ '${{ matrix.plat }}' = 'uwp' ]; then + archgen="${MATRIX_ARCH}"; [ "${archgen}" = 'x86' ] && archgen='Win32' + if [ "${MATRIX_PLAT}" = 'uwp' ]; then system='WindowsStore' options+=' -DCMAKE_SYSTEM_VERSION=10.0' else system='Windows' fi - [ '${{ matrix.crypto }}' = 'WinCNG' ] && options+=' -DENABLE_ECDSA_WINCNG=${{ matrix.wincng_ecdsa }}' + [ "${MATRIX_CRYPTO}" = 'WinCNG' ] && options+=" -DENABLE_ECDSA_WINCNG=${MATRIX_WINCND_ECDSA}" cmake -B bld ${options} \ -DCMAKE_SYSTEM_NAME=${system} \ -DCMAKE_TOOLCHAIN_FILE=C:/vcpkg/scripts/buildsystems/vcpkg.cmake \ -DCMAKE_GENERATOR_PLATFORM=${archgen} \ - -DVCPKG_TARGET_TRIPLET=${{ matrix.arch }}-${{ matrix.plat }} \ + -DVCPKG_TARGET_TRIPLET="${MATRIX_ARCH}-${MATRIX_PLAT}" \ -DCMAKE_VS_GLOBALS=TrackFileAccess=false \ - -DCMAKE_UNITY_BUILD=${{ matrix.unity }} \ + -DCMAKE_UNITY_BUILD="${MATRIX_UNITY}" \ -DENABLE_WERROR=ON \ - -DENABLE_DEBUG_LOGGING=${{ matrix.log }} \ - -DBUILD_SHARED_LIBS=${{ matrix.shared }} \ - -DCRYPTO_BACKEND=${{ matrix.crypto }} \ - -DENABLE_ZLIB_COMPRESSION=${{ matrix.zlib }} \ + -DENABLE_DEBUG_LOGGING="${MATRIX_LOG}" \ + -DBUILD_SHARED_LIBS="${MATRIX_SHARED}" \ + -DCRYPTO_BACKEND="${MATRIX_CRYPTO}" \ + -DENABLE_ZLIB_COMPRESSION="${MATRIX_ZLIB}" \ -DRUN_DOCKER_TESTS=OFF \ -DRUN_SSHD_TESTS=OFF \ || { cat bld/CMakeFiles/CMake*.yaml; false; } 
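Review bot: The new env name `MATRIX_WINCND_ECDSA`, declared in this step's `env:` and read in the `options+=` line, misspells WinCNG — it carries `matrix.wincng_ecdsa` and feeds `ENABLE_ECDSA_WINCNG`. Rename it before it is copied elsewhere: `MATRIX_WINCNG_ECDSA: '${{ matrix.wincng_ecdsa }}'` and `[ "${MATRIX_CRYPTO}" = 'WinCNG' ] && options+=" -DENABLE_ECDSA_WINCNG=${MATRIX_WINCNG_ECDSA}"`. Otherwise passing the matrix values through step-scoped `env:` here is the right shape and matches the Linux job.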
@@ -856,31 +886,34 @@ jobs: crypto: - name: 'OpenSSL 3' install: openssl - configure: --with-crypto=openssl --with-libssl-prefix="$(brew --prefix)/opt/openssl" - cmake: -DCRYPTO_BACKEND=OpenSSL -DOPENSSL_ROOT_DIR="$(brew --prefix)/opt/openssl" + configure: --with-crypto=openssl --with-libssl-prefix=/opt/homebrew/opt/openssl + cmake: -DCRYPTO_BACKEND=OpenSSL -DOPENSSL_ROOT_DIR=/opt/homebrew/opt/openssl - name: 'OpenSSL 1.1' install: openssl@1.1 - configure: --with-crypto=openssl --with-libssl-prefix="$(brew --prefix)/opt/openssl@1.1" - cmake: -DCRYPTO_BACKEND=OpenSSL -DOPENSSL_ROOT_DIR="$(brew --prefix)/opt/openssl@1.1" + configure: --with-crypto=openssl --with-libssl-prefix=/opt/homebrew/opt/openssl@1.1 + cmake: -DCRYPTO_BACKEND=OpenSSL -DOPENSSL_ROOT_DIR=/opt/homebrew/opt/openssl@1.1 - name: 'LibreSSL' install: libressl - configure: --with-crypto=openssl --with-libssl-prefix="$(brew --prefix)/opt/libressl" - cmake: -DCRYPTO_BACKEND=OpenSSL -DOPENSSL_ROOT_DIR="$(brew --prefix)/opt/libressl" + configure: --with-crypto=openssl --with-libssl-prefix=/opt/homebrew/opt/libressl + cmake: -DCRYPTO_BACKEND=OpenSSL -DOPENSSL_ROOT_DIR=/opt/homebrew/opt/libressl - name: 'Libgcrypt' install: libgcrypt - configure: --with-crypto=libgcrypt --with-libgcrypt-prefix="$(brew --prefix)" + configure: --with-crypto=libgcrypt --with-libgcrypt-prefix=/opt/homebrew cmake: -DCRYPTO_BACKEND=Libgcrypt - name: 'mbedTLS' install: mbedtls - configure: --with-crypto=mbedtls --with-libmbedcrypto-prefix="$(brew --prefix)" + configure: --with-crypto=mbedtls --with-libmbedcrypto-prefix=/opt/homebrew cmake: -DCRYPTO_BACKEND=mbedTLS - name: 'wolfSSL' install: wolfssl - configure: --with-crypto=wolfssl --with-libwolfssl-prefix="$(brew --prefix)" + configure: --with-crypto=wolfssl --with-libwolfssl-prefix=/opt/homebrew cmake: -DCRYPTO_BACKEND=wolfSSL steps: - name: 'install packages' - run: brew install ${{ matrix.build == 'autotools' && 'automake libtool' || '' }} ${{ matrix.crypto.install }} + env: + 
INSTALL_PACKAGES: ${{ matrix.build == 'autotools' && 'automake libtool' || '' }} + MATRIX_INSTALL: '${{ matrix.crypto.install }}' + run: brew install ${INSTALL_PACKAGES} ${MATRIX_INSTALL} - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: persist-credentials: false @@ -889,9 +922,12 @@ jobs: run: autoreconf -fi - name: 'autotools configure' if: ${{ matrix.build == 'autotools' }} + env: + MATRIX_CONFIGURE: '${{ matrix.crypto.configure }}' run: | - mkdir bld && cd bld && ../configure --enable-werror --enable-debug \ - --with-libz ${{ matrix.crypto.configure }} \ + mkdir bld && cd bld + ../configure --enable-werror --enable-debug \ + --with-libz ${MATRIX_CONFIGURE} \ --disable-docker-tests \ --disable-sshd-tests \ --disable-dependency-tracking || { tail -n 1000 config.log; false; } @@ -905,8 +941,10 @@ jobs: run: make -C bld check V=1 || { cat bld/tests/*.log; false; } - name: 'cmake configure' if: ${{ matrix.build == 'cmake' }} + env: + MATRIX_GENERATE: '${{ matrix.crypto.cmake }}' run: | - cmake -B bld -G Ninja ${{ matrix.crypto.cmake }} \ + cmake -B bld -G Ninja ${MATRIX_GENERATE} \ -DCMAKE_UNITY_BUILD=ON \ -DENABLE_WERROR=ON \ -DENABLE_DEBUG_LOGGING=ON \ @@ -1013,7 +1051,8 @@ jobs: # https://ports.freebsd.org/ sudo pkg install -y autoconf automake libtool autoreconf -fi - mkdir bld && cd bld && ../configure --enable-werror --enable-debug \ + mkdir bld && cd bld + ../configure --enable-werror --enable-debug \ --with-crypto=openssl \ --disable-docker-tests \ --disable-dependency-tracking || { tail -n 1000 config.log; false; } @@ -1036,7 +1075,8 @@ jobs: prepare: pkg install build-essential libtool run: | autoreconf -fi - mkdir bld && cd bld && ../configure --enable-werror --enable-debug \ + mkdir bld && cd bld + ../configure --enable-werror --enable-debug \ --with-crypto=openssl \ --disable-docker-tests \ --disable-dependency-tracking || { tail -n 1000 config.log; false; } 
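Review bot: The matrix now hard-codes `/opt/homebrew`, the Homebrew prefix on Apple Silicon runners; on an Intel macOS runner the prefix is `/usr/local`, so the `--with-*-prefix` and `OPENSSL_ROOT_DIR` paths would point at a directory that does not exist there. Dropping `$(brew --prefix)` is the right call once the values travel through `env:` (a variable expansion never runs command substitution), but the assumption should be stated next to the matrix, e.g. `# /opt/homebrew is the Homebrew prefix on the arm64 runners; Intel runners use /usr/local`. Separately, `INSTALL_PACKAGES:` is the one `env:` value in this change left without single quotes around the `${{ }}` expression; quoting it like `MATRIX_INSTALL:` keeps the style uniform.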
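Review bot: Splitting `mkdir bld && cd bld` from the `../configure` line drops the `&&` that previously kept configure from running when the directory change failed; with GitHub's default `bash -e {0}` shell (no `shell:` is visible for this step) the failed `cd` still aborts the step, but the same split in the `@@ -1013` and `@@ -1036` hunks appears to run under a cross-platform VM action (the `prepare:` key and `sudo pkg install` suggest so) whose shell options are not visible here, and without errexit a failed `cd` would run configure from the source tree. `mkdir bld && cd bld || exit 1` keeps the guard independent of the shell's errexit setting in all three places. The autotools `run:` block in this hunk is shown in full; the other two start before their hunks.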
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml index ad7455f6..3e42d67e 100644 --- a/.github/workflows/cifuzz.yml +++ b/.github/workflows/cifuzz.yml @@ -18,13 +18,13 @@ jobs: steps: - name: Build Fuzzers id: build - uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master + uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master # zizmor: ignore[unpinned-uses] with: oss-fuzz-project-name: 'libssh2' dry-run: false language: c - name: Run Fuzzers - uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master + uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master # zizmor: ignore[unpinned-uses] with: oss-fuzz-project-name: 'libssh2' fuzz-seconds: 600 diff --git a/.github/workflows/openssh_server.yml b/.github/workflows/openssh_server.yml index c7da7016..3a068416 100644 --- a/.github/workflows/openssh_server.yml +++ b/.github/workflows/openssh_server.yml @@ -24,15 +24,22 @@ # # SPDX-License-Identifier: BSD-3-Clause +# https://docs.github.com/actions/use-cases-and-examples/publishing-packages/publishing-docker-images + name: OpenSSH Server Docker Image on: push: branches: [ master ] +permissions: {} + jobs: build-and-push: runs-on: ubuntu-latest + permissions: + contents: read + packages: write steps: - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 with: 
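Review bot: The `# zizmor: ignore[unpinned-uses]` suppressions on both oss-fuzz steps accept a mutable `@master` ref for actions that build and execute the fuzzers without recording why; a reader cannot tell whether this is a deliberate exception (presumably because the cifuzz actions are only consumed from `master` upstream) or a shortcut to silence the finding. A short reason in the comment, e.g. `# zizmor: ignore[unpinned-uses] -- <reason, e.g. upstream offers no tagged release to pin>`, documents the accepted risk and tells a future reviewer what would need to change before the ref can be pinned.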
@@ -50,21 +57,23 @@ jobs: - shell: bash id: poll - run: docker manifest inspect ghcr.io/${{ github.repository_owner }}/ci_tests_openssh_server:${{ steps.hash.outputs.hash }} continue-on-error: true + env: + HASH: '${{ steps.hash.outputs.hash }}' + run: docker manifest inspect "ghcr.io/${GITHUB_REPOSITORY_OWNER}/ci_tests_openssh_server:${HASH}" - uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5 + if: ${{ steps.poll.outcome == 'failure' }} id: meta with: images: ghcr.io/${{ github.repository_owner }}/ci_tests_openssh_server tags: | type=raw,value=${{ steps.hash.outputs.hash }} - if: ${{ steps.poll.outcome == 'failure' }} - uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6 + if: ${{ steps.poll.outcome == 'failure' }} with: context: ./tests/openssh_server push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} - if: ${{ steps.poll.outcome == 'failure' }}
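Review bot: `docker manifest inspect "ghcr.io/${GITHUB_REPOSITORY_OWNER}/..."` passes the owner name verbatim, whereas an image reference must be lowercase; for an owner with uppercase letters (a fork, typically) the inspect fails on the reference itself, `continue-on-error` turns that into `outcome == 'failure'`, and the image is rebuilt and pushed on every run. `${GITHUB_REPOSITORY_OWNER,,}` lowercases it inside this `shell: bash` step; docker/metadata-action appears to lowercase `images:` on its own, so the poll and the push would then agree on the name. Worth a comment on the poll step as well that any failed lookup, including a transient registry error, is treated as "image missing" and triggers a push.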