Add security override for sha1 #3644
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Copyright (c) 2023 [Ribose Inc](https://www.ribose.com). | |
# All rights reserved. | |
# This file is a part of rnp | |
# | |
# Redistribution and use in source and binary forms, with or without | |
# modification, are permitted provided that the following conditions | |
# are met: | |
# 1. Redistributions of source code must retain the above copyright | |
# notice, this list of conditions and the following disclaimer. | |
# 2. Redistributions in binary form must reproduce the above copyright | |
# notice, this list of conditions and the following disclaimer in the | |
# documentation and/or other materials provided with the distribution. | |
# | |
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS | |
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED | |
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS | |
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | |
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | |
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | |
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | |
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | |
# POSSIBILITY OF SUCH DAMAGE. | |
name: ubuntu | |
on: | |
push: | |
branches: | |
- main | |
- 'release/**' | |
paths-ignore: | |
- '/*.sh' | |
- '/.*' | |
- '/_*' | |
- 'Brewfile' | |
- 'docs/**' | |
- '**.adoc' | |
- '**.md' | |
- '**.nix' | |
- 'flake.lock' | |
- '.github/workflows/*.yml' | |
- '!.github/workflows/ubuntu.yml' | |
pull_request: | |
paths-ignore: | |
- '/*.sh' | |
- '/.*' | |
- '/_*' | |
- 'Brewfile' | |
- 'docs/**' | |
- '**.adoc' | |
- '**.md' | |
- '**.nix' | |
- 'flake.lock' | |
concurrency: | |
group: '${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.ref_name }}' | |
cancel-in-progress: true | |
jobs: | |
tests: | |
name: ${{ matrix.os }} [CC ${{ matrix.env.CC }}; ${{ matrix.backend.name }}; shared libs ${{ matrix.shared_libs }}; GnuPG stable] | |
runs-on: ${{ matrix.os }} | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ ubuntu-latest ] | |
shared_libs: [ 'on' ] | |
backend: | |
- { name: 'botan', package: 'libbotan-2-dev' } | |
- { name: 'openssl', package: 'libssl-dev' } | |
env: | |
- { CC: gcc, CXX: g++ } | |
- { CC: clang, CXX: clang++ } | |
include: | |
# This implies openssl 1.1.1 as opposed to ubuntu-latest which is openssl 3 | |
- os: ubuntu-20.04 | |
shared_libs: 'on' | |
backend: { name: 'openssl', package: 'libssl-dev' } | |
env: { CC: gcc, CXX: g++ } | |
- os: ubuntu-latest | |
shared_libs: 'off' | |
backend: { name: 'botan', package: 'libbotan-2-dev' } | |
env: { CC: gcc, CXX: g++ } | |
if: "!contains(github.event.head_commit.message, 'skip ci')" | |
env: ${{ matrix.env }} | |
timeout-minutes: 50 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 1 | |
submodules: true | |
- name: Install dependencies | |
# Already installed on GHA: build-essential libbz2-dev zlib1g-dev | |
run: | | |
sudo apt-get -y update | |
sudo apt-get -y install cmake libjson-c-dev ${{ matrix.backend.package }} asciidoctor | |
- name: Configure | |
run: | | |
echo CORES="$(nproc --all)" >> $GITHUB_ENV | |
cmake -B build -DBUILD_SHARED_LIBS=${{ matrix.shared_libs}} \ | |
-DCRYPTO_BACKEND=${{ matrix.backend.name }} \ | |
-DDOWNLOAD_GTEST=ON \ | |
-DCMAKE_BUILD_TYPE=Release . | |
- name: Build | |
run: cmake --build build --parallel ${{ env.CORES }} | |
- name: Test | |
run: | | |
mkdir -p "build/Testing/Temporary" | |
cp "cmake/CTestCostData.txt" "build/Testing/Temporary" | |
export PATH="$PWD/build/src/lib:$PATH" | |
ctest --parallel ${{ env.CORES }} --test-dir build --output-on-failure | |
cmake-offline-googletest-src: | |
runs-on: ubuntu-latest | |
if: "!contains(github.event.head_commit.message, 'skip ci')" | |
timeout-minutes: 30 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 1 | |
submodules: true | |
- name: Install dependencies | |
run: | | |
sudo apt-get -y update | |
sudo apt-get -y install cmake libjson-c-dev libbotan-2-dev asciidoctor googletest | |
- name: Configure | |
run: | | |
echo CORES="$(nproc --all)" >> $GITHUB_ENV | |
cmake -B build -DBUILD_SHARED_LIBS=ON \ | |
-DCRYPTO_BACKEND=botan \ | |
-DDOWNLOAD_GTEST=OFF \ | |
-DGTEST_SOURCES=/usr/src/googletest \ | |
-DCMAKE_BUILD_TYPE=Release . | |
- name: Build | |
run: cmake --build build --parallel ${{ env.CORES }} | |
- name: Test | |
run: | | |
mkdir -p "build/Testing/Temporary" | |
cp "cmake/CTestCostData.txt" "build/Testing/Temporary" | |
export PATH="$PWD/build/src/lib:$PATH" | |
ctest --parallel ${{ env.CORES }} --test-dir build --output-on-failure | |
- name: Check googletest | |
run: | | |
[ -d "build/src/tests" ] | |
[ -d "build/src/tests/googletest-build" ] | |
[ ! -d "build/src/tests/googletest-src" ] | |
cmake-offline-googletest: | |
runs-on: ubuntu-latest | |
if: "!contains(github.event.head_commit.message, 'skip ci')" | |
timeout-minutes: 30 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 1 | |
submodules: true | |
- name: Install dependencies | |
run: | | |
sudo apt-get -y update | |
sudo apt-get -y install cmake libjson-c-dev libbotan-2-dev asciidoctor googletest | |
- name: Build googletest | |
run: | | |
cmake -B googletest-build /usr/src/googletest | |
cmake --build googletest-build | |
sudo cmake --install googletest-build | |
- name: Configure | |
run: | | |
echo CORES="$(nproc --all)" >> $GITHUB_ENV | |
cmake -B build -DBUILD_SHARED_LIBS=ON \ | |
-DCRYPTO_BACKEND=botan \ | |
-DDOWNLOAD_GTEST=OFF \ | |
-DCMAKE_BUILD_TYPE=Release . | |
- name: Build | |
run: cmake --build build --parallel ${{ env.CORES }} | |
- name: Test | |
run: | | |
mkdir -p "build/Testing/Temporary" | |
cp "cmake/CTestCostData.txt" "build/Testing/Temporary" | |
export PATH="$PWD/build/src/lib:$PATH" | |
ctest --parallel ${{ env.CORES }} --test-dir build --output-on-failure | |
- name: Check googletest | |
run: | | |
[ -d "build/src/tests" ] | |
[ ! -d "build/src/tests/googletest-build" ] | |
[ ! -d "build/src/tests/googletest-src" ] | |
cmake-system-sexpp: | |
name: system-sexpp, sexpp shared libs ${{ matrix.sexpp_shared_libs }}, rnp shared libs ${{ matrix.rnp_shared_libs }} | |
runs-on: ubuntu-latest | |
if: "!contains(github.event.head_commit.message, 'skip ci')" | |
timeout-minutes: 30 | |
strategy: | |
fail-fast: false | |
matrix: | |
sexpp_shared_libs: [ 'on', 'off' ] | |
rnp_shared_libs: ['on', 'off'] | |
steps: | |
- name: Install dependencies | |
run: | | |
sudo apt-get -y update | |
sudo apt-get -y install cmake libjson-c-dev libbotan-2-dev asciidoctor | |
- name: Checkout sexpp | |
uses: actions/checkout@v4 | |
with: | |
repository: rnpgp/sexpp | |
path: sexpp | |
- name: Configure sexpp | |
run: | | |
echo CORES="$(nproc --all)" >> $GITHUB_ENV | |
cmake -S sexpp -B sexpp/build \ | |
-DCMAKE_BUILD_TYPE=Release \ | |
-DDOWNLOAD_GTEST=OFF \ | |
-DWITH_SEXP_TESTS=OFF \ | |
-DBUILD_SHARED_LIBS=${{ matrix.sexpp_shared_libs}} | |
- name: Build sexpp | |
run: cmake --build sexpp/build --parallel ${{ env.CORES }} | |
- name: Install sexpp | |
run: sudo cmake --install sexpp/build | |
- name: Clean sexpp | |
run: rm -rf sexpp | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 1 | |
submodules: false | |
- name: Configure | |
run: | | |
cmake -B build \ | |
-DBUILD_SHARED_LIBS=${{ matrix.rnp_shared_libs }} \ | |
-DCRYPTO_BACKEND=botan \ | |
-DDOWNLOAD_GTEST=ON \ | |
-DSYSTEM_LIBSEXPP=ON \ | |
-DCMAKE_BUILD_TYPE=Release . | |
- name: Build | |
run: cmake --build build --parallel ${{ env.CORES }} | |
- name: Test | |
run: | | |
mkdir -p "build/Testing/Temporary" | |
cp "cmake/CTestCostData.txt" "build/Testing/Temporary" | |
export PATH="$PWD/build/src/lib:$PATH" | |
ctest --parallel ${{ env.CORES }} --test-dir build -R rnp_tests --output-on-failure | |
package-source: | |
runs-on: ubuntu-latest | |
if: "!contains(github.event.head_commit.message, 'skip ci')" | |
timeout-minutes: 30 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 1 | |
submodules: true | |
- name: Install dependencies | |
run: | | |
sudo apt-get -y update | |
sudo apt-get -y install cmake libjson-c-dev libbotan-2-dev asciidoctor | |
- name: Configure | |
run: | | |
cmake . -B build \ | |
-DBUILD_SHARED_LIBS=ON \ | |
-DBUILD_TESTING=OFF \ | |
-DCMAKE_BUILD_TYPE=Release \ | |
-DCRYPTO_BACKEND=botan \ | |
-DCMAKE_INSTALL_PREFIX=/usr | |
- name: Package source | |
run: cpack -B build/source-deb -G DEB --config build/CPackSourceConfig.cmake | |
- name: Upload source package | |
uses: actions/upload-artifact@v4 | |
with: | |
name: 'source-debian' | |
path: 'build/source-deb/*.deb' | |
retention-days: 5 | |
- name: Stash packaging tests | |
uses: actions/upload-artifact@v4 | |
with: | |
name: tests | |
path: 'ci/tests/**' | |
retention-days: 1 | |
package: | |
runs-on: ubuntu-latest | |
needs: package-source | |
if: "!contains(github.event.head_commit.message, 'skip ci')" | |
timeout-minutes: 30 | |
steps: | |
- name: Install dependencies | |
run: | | |
sudo apt-get -y update | |
sudo apt-get -y install cmake libjson-c-dev libbotan-2-dev asciidoctor | |
- name: Download source package | |
uses: actions/download-artifact@v4 | |
with: | |
name: 'source-debian' | |
path: source-debian | |
- name: Extract sources | |
run: dpkg-deb --extract source-debian/*.deb rnp | |
- name: Configure | |
run: | | |
echo CORES="$(nproc --all)" >> $GITHUB_ENV | |
cmake rnp -B rnp/build \ | |
-DBUILD_SHARED_LIBS=ON \ | |
-DBUILD_TESTING=OFF \ | |
-DCMAKE_BUILD_TYPE=Release \ | |
-DCRYPTO_BACKEND=botan \ | |
-DCMAKE_INSTALL_PREFIX=/usr | |
- name: Build | |
run: cmake --build rnp/build --config Release --parallel ${{ env.CORES }} | |
- name: Create binary package | |
run: cpack -G DEB -B debian --config rnp/build/CPackConfig.cmake | |
- name: Upload binary package | |
uses: actions/upload-artifact@v4 | |
with: | |
name: 'debian' | |
path: 'debian/*.deb' | |
retention-days: 5 | |
debian-tests: | |
runs-on: ubuntu-latest | |
needs: package | |
timeout-minutes: 30 | |
steps: | |
- name: Download enp deb file | |
uses: actions/download-artifact@v4 | |
with: | |
name: 'debian' | |
- name: Checkout shell test framework | |
uses: actions/checkout@v4 | |
with: | |
repository: kward/shunit2 | |
path: ci/tests/shunit2 | |
- name: Unstash tests | |
uses: actions/download-artifact@v4 | |
with: | |
name: tests | |
path: ci/tests | |
- name: Run debian tests | |
# - no source checkout or upload [we get only test scripts from the previous step using GHA artifacts] | |
# - no environment set up with rnp scripts | |
# - no dependencies setup, we test that apt can install whatever is required | |
run: | | |
chmod +x ci/tests/deb-tests.sh | |
ci/tests/deb-tests.sh |