Follow Security Guide to update release.yml #1010
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI Checks | |
env: | |
bashPass: \033[32;1mPASSED - | |
bashInfo: \033[33;1mINFO - | |
bashFail: \033[31;1mFAILED - | |
bashEnd: \033[0m | |
on: | |
push: | |
branches: ["**"] | |
pull_request: | |
branches: [main] | |
workflow_dispatch: | |
jobs: | |
system-tests: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Clone This Repo | |
uses: actions/checkout@v4 | |
- name: Build | |
run: | | |
CFLAGS="-Wall -Wextra -DNDEBUG -DLIBRARY_LOG_LEVEL=LOG_DEBUG" | |
CFLAGS+=" -fsanitize=address,undefined" | |
cmake -S test -B build/ \ | |
-G "Unix Makefiles" \ | |
-DCMAKE_BUILD_TYPE=Debug \ | |
-DSYSTEM_TESTS=1 \ | |
-DUNITTEST=0 \ | |
-DCMAKE_C_FLAGS="${CFLAGS}" | |
make -C build/ all | |
- name: Integration Tests | |
run: ctest --test-dir build --output-on-failure | |
- name: Archive Test Results | |
if: success() || failure() | |
uses: actions/upload-artifact@v4 | |
with: | |
name: system_test_results | |
path: | | |
build/Testing/Temporary/LastTest.log | |
unit-tests-with-sanitizer: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Clone This Repo | |
uses: actions/checkout@v4 | |
- env: | |
stepName: Build corePKCS11 Sanitizer Unit Tests | |
run: | | |
# ${{ env.stepName }} | |
echo -e "::group::${{ env.bashInfo }} ${{ env.stepName }} ${{ env.bashEnd }}" | |
CFLAGS="-Wall -Wextra -DNDEBUG" | |
CFLAGS+=" -fsanitize=address,undefined" | |
cmake -S test -B build/ \ | |
-G "Unix Makefiles" \ | |
-DCMAKE_BUILD_TYPE=Debug \ | |
-DUNITTEST=1 \ | |
-DSYSTEM_TESTS=0 \ | |
-DCMAKE_C_FLAGS="${CFLAGS}" | |
make -C build/ all | |
echo "::endgroup::" | |
echo -e "${{ env.bashPass }} ${{env.stepName}} ${{ env.bashEnd }}" | |
- name: Run Unit Tests | |
run: ctest --test-dir build --output-on-failure | |
unit-tests: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Clone This Repo | |
uses: actions/checkout@v4 | |
- env: | |
stepName: Build corePKCS11 Unit Tests | |
id: build-unit-tests | |
shell: bash | |
run: | | |
# ${{ env.stepName }} | |
echo -e "::group::${{ env.bashInfo }} ${{ env.stepName }} ${{ env.bashEnd }}" | |
sudo apt-get install -y lcov | |
# target_enable_gcov is added in each unit test already, --coverage option is not required | |
CFLAGS="-Wall -Wextra -DNDEBUG" | |
cmake -S test -B build/ \ | |
-G "Unix Makefiles" \ | |
-DCMAKE_BUILD_TYPE=Debug \ | |
-DUNITTEST=1 \ | |
-DSYSTEM_TESTS=0 \ | |
-DCMAKE_C_FLAGS="${CFLAGS}" | |
make -C build/ all | |
echo "::endgroup::" | |
echo -e "${{ env.bashPass }} ${{env.stepName}} ${{ env.bashEnd }}" | |
- name: Run Unit Tests | |
id: run-unit-tests | |
shell: bash | |
run: ctest --test-dir build --output-on-failure | |
- env: | |
stepName: Line and Branch Coverage Build | |
if: steps.build-unit-tests.outcome == 'success' | |
id: line-and-branch-coverage | |
shell: bash | |
run: | | |
# ${{ env.stepName }} | |
echo -e "::group::${{ env.bashInfo }} Build Coverage Target ${{ env.bashEnd }}" | |
# Build the coverage target | |
make -C build/ coverage | |
# Generate coverage report, excluding extra directories | |
lcov --rc lcov_branch_coverage=1 -r build/coverage.info -o build/coverage.info '*test*' '*CMakeCCompilerId*' '*mocks*' | |
echo "::endgroup::" | |
lcov --rc lcov_branch_coverage=1 --list build/coverage.info | |
echo -e "${{ env.bashPass }} ${{env.stepName}} ${{ env.bashEnd }}" | |
- env: | |
stepName: Check Coverage | |
uses: FreeRTOS/CI-CD-Github-Actions/coverage-cop@main | |
if: steps.build-unit-tests.outcome == 'success' | |
with: | |
coverage-file: ./build/coverage.info | |
line-coverage-min: 100 | |
branch-coverage-min: 92 | |
- name: Archive Test Results | |
if: steps.build-unit-tests.outcome == 'success' | |
uses: actions/upload-artifact@v4 | |
with: | |
name: unit_test_results | |
path: | | |
build/utest_report.txt | |
build/*_out.txt | |
build/coverage.info | |
build/report.xml | |
build/Testing/Temporary/LastTest.log | |
- name: Upload coverage data to Codecov | |
if: steps.build-unit-tests.outcome == 'success' | |
uses: codecov/codecov-action@v4 | |
with: | |
files: build/coverage.info | |
flags: unit_tests | |
fail_ci_if_error: false | |
verbose: false | |
complexity: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Check complexity | |
uses: FreeRTOS/CI-CD-Github-Actions/complexity@main | |
with: | |
path: ./ | |
horrid_threshold: 20 | |
doxygen: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Check doxygen build | |
uses: FreeRTOS/CI-CD-Github-Actions/doxygen@main | |
with: | |
path: ./ | |
spell-check: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Clone This Repo | |
uses: actions/checkout@v4 | |
- name: Run spellings check | |
uses: FreeRTOS/CI-CD-Github-Actions/spellings@main | |
with: | |
path: ./ | |
formatting: | |
runs-on: ubuntu-20.04 | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Check formatting | |
uses: FreeRTOS/CI-CD-Github-Actions/formatting@main | |
with: | |
path: ./ | |
exclude-dirs: .git | |
link-verifier: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Check Links | |
uses: FreeRTOS/CI-CD-Github-Actions/link-verifier@main | |
with: | |
path: ./ | |
verify-manifest: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
submodules: true | |
fetch-depth: 0 | |
- name: Run manifest verifier | |
uses: FreeRTOS/CI-CD-GitHub-Actions/manifest-verifier@main | |
with: | |
path: ./ | |
fail-on-incorrect-version: true | |
git-secrets: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Checkout awslabs/git-secrets | |
uses: actions/checkout@v4 | |
with: | |
repository: awslabs/git-secrets | |
ref: master | |
path: git-secrets | |
- name: Install git-secrets | |
run: cd git-secrets && sudo make install && cd .. | |
- name: Run git-secrets | |
run: | | |
git-secrets --register-aws | |
git-secrets --scan | |
memory_statistics: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- run: git submodule update --init --recursive --checkout | |
- name: Fetch dependencies (mbedtls) | |
run: | | |
cmake -S test -B build/ \ | |
-G "Unix Makefiles" \ | |
-DUNITTEST=0 \ | |
-DSYSTEM_TESTS=0 \ | |
-DCMAKE_C_FLAGS="${CFLAGS}" | |
- name: Install Python3 | |
uses: actions/setup-python@v5 | |
with: | |
python-version: "3.11.0" | |
- name: Measure sizes | |
uses: FreeRTOS/CI-CD-Github-Actions/memory_statistics@main | |
with: | |
config: .github/memory_statistics_config.json | |
check_against: docs/doxygen/include/size_table.md | |
proof_ci: | |
if: ${{ github.event.pull_request }} | |
runs-on: cbmc_ubuntu-latest_16-core | |
steps: | |
- name: Set up CBMC runner | |
uses: FreeRTOS/CI-CD-Github-Actions/set_up_cbmc_runner@main | |
with: | |
cbmc_version: "5.61.0" | |
cbmc_viewer_version: "3.5" | |
- name: Install cmake | |
run: | | |
sudo apt-get install -y cmake | |
- name: Fetch Mbedtls | |
run: | | |
cd test && cmake -B build | |
- name: check for mbedtls header file | |
run: | | |
cat test/build/_deps/mbedtls_2-src/include/mbedtls/pk.h | |
- name: Run CBMC | |
uses: FreeRTOS/CI-CD-Github-Actions/run_cbmc@main | |
with: | |
proofs_dir: test/cbmc/proofs |