Skip to content

Follow Security Guide to update release.yml #1010

Follow Security Guide to update release.yml

Follow Security Guide to update release.yml #1010

Workflow file for this run

name: CI Checks
env:
bashPass: \033[32;1mPASSED -
bashInfo: \033[33;1mINFO -
bashFail: \033[31;1mFAILED -
bashEnd: \033[0m
on:
push:
branches: ["**"]
pull_request:
branches: [main]
workflow_dispatch:
jobs:
system-tests:
runs-on: ubuntu-latest
steps:
- name: Clone This Repo
uses: actions/checkout@v4
- name: Build
run: |
CFLAGS="-Wall -Wextra -DNDEBUG -DLIBRARY_LOG_LEVEL=LOG_DEBUG"
CFLAGS+=" -fsanitize=address,undefined"
cmake -S test -B build/ \
-G "Unix Makefiles" \
-DCMAKE_BUILD_TYPE=Debug \
-DSYSTEM_TESTS=1 \
-DUNITTEST=0 \
-DCMAKE_C_FLAGS="${CFLAGS}"
make -C build/ all
- name: Integration Tests
run: ctest --test-dir build --output-on-failure
- name: Archive Test Results
if: success() || failure()
uses: actions/upload-artifact@v4
with:
name: system_test_results
path: |
build/Testing/Temporary/LastTest.log
unit-tests-with-sanitizer:
runs-on: ubuntu-latest
steps:
- name: Clone This Repo
uses: actions/checkout@v4
- env:
stepName: Build corePKCS11 Sanitizer Unit Tests
run: |
# ${{ env.stepName }}
echo -e "::group::${{ env.bashInfo }} ${{ env.stepName }} ${{ env.bashEnd }}"
CFLAGS="-Wall -Wextra -DNDEBUG"
CFLAGS+=" -fsanitize=address,undefined"
cmake -S test -B build/ \
-G "Unix Makefiles" \
-DCMAKE_BUILD_TYPE=Debug \
-DUNITTEST=1 \
-DSYSTEM_TESTS=0 \
-DCMAKE_C_FLAGS="${CFLAGS}"
make -C build/ all
echo "::endgroup::"
echo -e "${{ env.bashPass }} ${{env.stepName}} ${{ env.bashEnd }}"
- name: Run Unit Tests
run: ctest --test-dir build --output-on-failure
unit-tests:
runs-on: ubuntu-latest
steps:
- name: Clone This Repo
uses: actions/checkout@v4
- env:
stepName: Build corePKCS11 Unit Tests
id: build-unit-tests
shell: bash
run: |
# ${{ env.stepName }}
echo -e "::group::${{ env.bashInfo }} ${{ env.stepName }} ${{ env.bashEnd }}"
sudo apt-get install -y lcov
# target_enable_gcov is added in each unit test already, --coverage option is not required
CFLAGS="-Wall -Wextra -DNDEBUG"
cmake -S test -B build/ \
-G "Unix Makefiles" \
-DCMAKE_BUILD_TYPE=Debug \
-DUNITTEST=1 \
-DSYSTEM_TESTS=0 \
-DCMAKE_C_FLAGS="${CFLAGS}"
make -C build/ all
echo "::endgroup::"
echo -e "${{ env.bashPass }} ${{env.stepName}} ${{ env.bashEnd }}"
- name: Run Unit Tests
id: run-unit-tests
shell: bash
run: ctest --test-dir build --output-on-failure
- env:
stepName: Line and Branch Coverage Build
if: steps.build-unit-tests.outcome == 'success'
id: line-and-branch-coverage
shell: bash
run: |
# ${{ env.stepName }}
echo -e "::group::${{ env.bashInfo }} Build Coverage Target ${{ env.bashEnd }}"
# Build the coverage target
make -C build/ coverage
# Generate coverage report, excluding extra directories
lcov --rc lcov_branch_coverage=1 -r build/coverage.info -o build/coverage.info '*test*' '*CMakeCCompilerId*' '*mocks*'
echo "::endgroup::"
lcov --rc lcov_branch_coverage=1 --list build/coverage.info
echo -e "${{ env.bashPass }} ${{env.stepName}} ${{ env.bashEnd }}"
- env:
stepName: Check Coverage
uses: FreeRTOS/CI-CD-Github-Actions/coverage-cop@main
if: steps.build-unit-tests.outcome == 'success'
with:
coverage-file: ./build/coverage.info
line-coverage-min: 100
branch-coverage-min: 92
- name: Archive Test Results
if: steps.build-unit-tests.outcome == 'success'
uses: actions/upload-artifact@v4
with:
name: unit_test_results
path: |
build/utest_report.txt
build/*_out.txt
build/coverage.info
build/report.xml
build/Testing/Temporary/LastTest.log
- name: Upload coverage data to Codecov
if: steps.build-unit-tests.outcome == 'success'
uses: codecov/codecov-action@v4
with:
files: build/coverage.info
flags: unit_tests
fail_ci_if_error: false
verbose: false
complexity:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Check complexity
uses: FreeRTOS/CI-CD-Github-Actions/complexity@main
with:
path: ./
horrid_threshold: 20
doxygen:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Check doxygen build
uses: FreeRTOS/CI-CD-Github-Actions/doxygen@main
with:
path: ./
spell-check:
runs-on: ubuntu-latest
steps:
- name: Clone This Repo
uses: actions/checkout@v4
- name: Run spellings check
uses: FreeRTOS/CI-CD-Github-Actions/spellings@main
with:
path: ./
formatting:
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v4
- name: Check formatting
uses: FreeRTOS/CI-CD-Github-Actions/formatting@main
with:
path: ./
exclude-dirs: .git
link-verifier:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Check Links
uses: FreeRTOS/CI-CD-Github-Actions/link-verifier@main
with:
path: ./
verify-manifest:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
submodules: true
fetch-depth: 0
- name: Run manifest verifier
uses: FreeRTOS/CI-CD-GitHub-Actions/manifest-verifier@main
with:
path: ./
fail-on-incorrect-version: true
git-secrets:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Checkout awslabs/git-secrets
uses: actions/checkout@v4
with:
repository: awslabs/git-secrets
ref: master
path: git-secrets
- name: Install git-secrets
run: cd git-secrets && sudo make install && cd ..
- name: Run git-secrets
run: |
git-secrets --register-aws
git-secrets --scan
memory_statistics:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: git submodule update --init --recursive --checkout
- name: Fetch dependencies (mbedtls)
run: |
cmake -S test -B build/ \
-G "Unix Makefiles" \
-DUNITTEST=0 \
-DSYSTEM_TESTS=0 \
-DCMAKE_C_FLAGS="${CFLAGS}"
- name: Install Python3
uses: actions/setup-python@v5
with:
python-version: "3.11.0"
- name: Measure sizes
uses: FreeRTOS/CI-CD-Github-Actions/memory_statistics@main
with:
config: .github/memory_statistics_config.json
check_against: docs/doxygen/include/size_table.md
proof_ci:
if: ${{ github.event.pull_request }}
runs-on: cbmc_ubuntu-latest_16-core
steps:
- name: Set up CBMC runner
uses: FreeRTOS/CI-CD-Github-Actions/set_up_cbmc_runner@main
with:
cbmc_version: "5.61.0"
cbmc_viewer_version: "3.5"
- name: Install cmake
run: |
sudo apt-get install -y cmake
- name: Fetch Mbedtls
run: |
cd test && cmake -B build
- name: check for mbedtls header file
run: |
cat test/build/_deps/mbedtls_2-src/include/mbedtls/pk.h
- name: Run CBMC
uses: FreeRTOS/CI-CD-Github-Actions/run_cbmc@main
with:
proofs_dir: test/cbmc/proofs