Skip to content

Follow Security Guide to update release.yml (#1202) #6708

Follow Security Guide to update release.yml (#1202)

Follow Security Guide to update release.yml (#1202) #6708

Workflow file for this run

name: CI Checks
on:
push:
branches: ["**"]
pull_request:
branches: ["**"]
workflow_dispatch:
env:
bashPass: \033[32;1mPASSED -
bashInfo: \033[33;1mWINFO -
bashFail: \033[31;1mFAILED -
bashEnd: \033[0m
jobs:
unittest:
runs-on: ubuntu-latest
steps:
- name: Clone This Repo
uses: actions/checkout@v4
with:
submodules: recursive
- env:
stepName: Install Dependencies
name: ${{ env.stepName }}
run: |
# ${{ env.stepName }}
echo -e "::group::${{ env.bashInfo }} ${{ env.stepName }} ${{ env.bashEnd }}"
git submodule update --checkout --init --recursive
sudo apt-get update -y
sudo apt-get install -y lcov
sudo apt-get install -y unifdef
sudo apt-get install -y ninja-build
echo "::endgroup::"
echo -e "${{ env.bashPass }} ${{ env.stepName }} ${{ env.bashEnd }}"
# Separate builds for sanitizers and coverage:
# These can currently not be combined without branch coverage dilution.
- env:
stepName: Build Unit Tests (aubsan build)
name: ${{ env.stepName }}
run: |
# ${{ env.stepName }}
echo -e "::group::${{ env.bashInfo }} ${{ env.stepName }} ${{ env.bashEnd }}"
cmake --fresh -G Ninja -S test/unit-test -B test/unit-test/build/ -DSANITIZE=address,undefined
ninja -C test/unit-test/build/
echo "::endgroup::"
echo -e "${{ env.bashPass }} ${{ env.stepName }} ${{ env.bashEnd }}"
- env:
stepName: Run Unit Tests (aubsan build)
name: ${{ env.stepName }}
shell: bash
run: |
# ${{ env.stepName }}
echo -e "::group::${{ env.bashInfo }} ${{ env.stepName }} ${{ env.bashEnd }}"
env ASAN_OPTIONS=detect_odr_violation=0 ctest --test-dir test/unit-test/build/ -E system --output-on-failure
echo "::endgroup::"
echo -e "${{ env.bashPass }} ${{ env.stepName }} ${{ env.bashEnd }}"
- env:
stepName: Build Unit Tests (coverage build)
name: ${{ env.stepName }}
run: |
# ${{ env.stepName }}
echo -e "::group::${{ env.bashInfo }} ${{ env.stepName }} ${{ env.bashEnd }}"
cmake --fresh -G Ninja -S test/unit-test -B test/unit-test/build/ -DSANITIZE=
ninja -C test/unit-test/build/
echo "::endgroup::"
echo -e "${{ env.bashPass }} ${{ env.stepName }} ${{ env.bashEnd }}"
- env:
stepName: Run Unit Tests (coverage build)
name: ${{ env.stepName }}
shell: bash
run: |
# ${{ env.stepName }}
echo -e "::group::${{ env.bashInfo }} ${{ env.stepName }} ${{ env.bashEnd }}"
find test/unit-test/build/ -name '*.gcda' -delete
ctest --test-dir test/unit-test/build/ -E system --output-on-failure
echo "::endgroup::"
echo -e "${{ env.bashPass }} ${{ env.stepName }} ${{ env.bashEnd }}"
- env:
stepName: Test Line and Branch Coverage
name: ${{ env.stepName }}
shell: bash
run: |
# ${{ env.stepName }}
echo -e "::group::${{ env.bashInfo }} ${{ env.stepName }} ${{ env.bashEnd }}"
cmake --build test/unit-test/build/ --target coverage
echo "::endgroup::"
echo -e "${{ env.bashPass }} Built Coverage Tests ${{ env.bashEnd }}"
lcov --list --rc lcov_branch_coverage=1 test/unit-test/build/coverage.info
echo -e "${{ env.bashPass }} ${{ env.stepName }} ${{ env.bashEnd }}"
- name: Check Coverage
uses: FreeRTOS/CI-CD-Github-Actions/coverage-cop@main
with:
coverage-file: ./test/unit-test/build/coverage.info
branch-coverage-min: 100
line-coverage-min: 100
spell-check:
runs-on: ubuntu-latest
steps:
- name: Clone This Repo
uses: actions/checkout@v4
- name: Run spellings check
uses: FreeRTOS/CI-CD-Github-Actions/spellings@main
with:
path: ./
exclude-dirs: source/portable/NetworkInterface/STM32
formatting:
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v4
- name: Check formatting
uses: FreeRTOS/CI-CD-Github-Actions/formatting@main
with:
path: ./
exclude-dirs: source/portable/NetworkInterface/STM32
doxygen:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run doxygen build
uses: FreeRTOS/CI-CD-Github-Actions/doxygen@main
with:
path: ./
verify-manifest:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
submodules: true
fetch-depth: 0
# At time of writing the gitmodules are set not to pull
# Even when using fetch submodules. Need to run this command
# To force it to grab them.
- name: Perform Recursive Clone
shell: bash
run: git submodule update --checkout --init --recursive
- name: Run manifest verifier
uses: FreeRTOS/CI-CD-GitHub-Actions/manifest-verifier@main
with:
path: ./
fail-on-incorrect-version: true
link-verifier:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Check Links
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
uses: FreeRTOS/CI-CD-Github-Actions/link-verifier@main
build-checks:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- env:
stepName: Build Install Dependencies
name: ${{ env.stepName }}
run: |
# ${{ env.stepName }}
echo -e "::group::${{ env.bashInfo }} ${{ env.stepName }} ${{ env.bashEnd }}"
sudo apt-get update -y
sudo apt-get install -y libpcap-dev
echo "::endgroup::"
echo -e "${{ env.bashPass }} ${{ env.stepName }} ${{ env.bashEnd }}"
- env:
stepName: Build checks (Enable all functionalities)
name: ${{ env.stepName }}
run: |
# ${{ env.stepName }}
echo -e "::group::${{ env.bashInfo }} ${{ env.stepName }} ${{ env.bashEnd }}"
cmake -S . -B build -DFREERTOS_PLUS_TCP_ENABLE_BUILD_CHECKS=ON -DFREERTOS_PLUS_TCP_TEST_CONFIGURATION=ENABLE_ALL
cmake --build build --target freertos_plus_tcp_build_test
echo "::endgroup::"
echo -e "${{ env.bashPass }} ${{ env.stepName }} ${{ env.bashEnd }}"
- env:
stepName: Build checks (Enable all functionalities IPv4)
name: ${{ env.stepName }}
run: |
# ${{ env.stepName }}
echo -e "::group::${{ env.bashInfo }} ${{ env.stepName }} ${{ env.bashEnd }}"
cmake -S . -B build -DFREERTOS_PLUS_TCP_ENABLE_BUILD_CHECKS=ON -DFREERTOS_PLUS_TCP_TEST_CONFIGURATION=ENABLE_ALL_IPV4
cmake --build build --target clean
cmake --build build --target freertos_plus_tcp_build_test
echo "::endgroup::"
echo -e "${{ env.bashPass }} ${{ env.stepName }} ${{ env.bashEnd }}"
- env:
stepName: Build checks (Enable all functionalities IPv6)
name: ${{ env.stepName }}
run: |
# ${{ env.stepName }}
echo -e "::group::${{ env.bashInfo }} ${{ env.stepName }} ${{ env.bashEnd }}"
cmake -S . -B build -DFREERTOS_PLUS_TCP_ENABLE_BUILD_CHECKS=ON -DFREERTOS_PLUS_TCP_TEST_CONFIGURATION=ENABLE_ALL_IPV6
cmake --build build --target freertos_plus_tcp_build_test
echo "::endgroup::"
echo -e "${{ env.bashPass }} ${{ env.stepName }} ${{ env.bashEnd }}"
- env:
stepName: Build checks (Enable all functionalities IPv4 IPv6)
name: ${{ env.stepName }}
run: |
# ${{ env.stepName }}
echo -e "::group::${{ env.bashInfo }} ${{ env.stepName }} ${{ env.bashEnd }}"
cmake -S . -B build -DFREERTOS_PLUS_TCP_ENABLE_BUILD_CHECKS=ON -DFREERTOS_PLUS_TCP_TEST_CONFIGURATION=ENABLE_ALL_IPV4_IPV6
cmake --build build --target clean
cmake --build build --target freertos_plus_tcp_build_test
echo "::endgroup::"
echo -e "${{ env.bashPass }} ${{ env.stepName }} ${{ env.bashEnd }}"
- env:
stepName: Build checks (Enable all functionalities IPv4 TCP)
name: ${{ env.stepName }}
run: |
# ${{ env.stepName }}
echo -e "::group::${{ env.bashInfo }} ${{ env.stepName }} ${{ env.bashEnd }}"
cmake -S . -B build -DFREERTOS_PLUS_TCP_ENABLE_BUILD_CHECKS=ON -DFREERTOS_PLUS_TCP_TEST_CONFIGURATION=ENABLE_ALL_IPV4_TCP
cmake --build build --target clean
cmake --build build --target freertos_plus_tcp_build_test
echo "::endgroup::"
echo -e "${{ env.bashPass }} ${{ env.stepName }} ${{ env.bashEnd }}"
- env:
stepName: Build checks (Enable all functionalities IPv6 TCP)
name: ${{ env.stepName }}
run: |
# ${{ env.stepName }}
echo -e "::group::${{ env.bashInfo }} ${{ env.stepName }} ${{ env.bashEnd }}"
cmake -S . -B build -DFREERTOS_PLUS_TCP_ENABLE_BUILD_CHECKS=ON -DFREERTOS_PLUS_TCP_TEST_CONFIGURATION=ENABLE_ALL_IPV6_TCP
cmake --build build --target freertos_plus_tcp_build_test
echo "::endgroup::"
echo -e "${{ env.bashPass }} ${{ env.stepName }} ${{ env.bashEnd }}"
- env:
stepName: Build checks (Disable all functionalities)
name: ${{ env.stepName }}
run: |
# ${{ env.stepName }}
echo -e "::group::${{ env.bashInfo }} ${{ env.stepName }} ${{ env.bashEnd }}"
cmake -S . -B build -DFREERTOS_PLUS_TCP_ENABLE_BUILD_CHECKS=ON -DFREERTOS_PLUS_TCP_TEST_CONFIGURATION=DISABLE_ALL
cmake --build build --target clean
cmake --build build --target freertos_plus_tcp_build_test
echo "::endgroup::"
echo -e "${{ env.bashPass }} ${{ env.stepName }} ${{ env.bashEnd }}"
- env:
stepName: Build checks (Default configuration)
name: ${{ env.stepName }}
run: |
# ${{ env.stepName }}
echo -e "::group::${{ env.bashInfo }} ${{ env.stepName }} ${{ env.bashEnd }}"
cmake -S . -B build -DFREERTOS_PLUS_TCP_ENABLE_BUILD_CHECKS=ON -DFREERTOS_PLUS_TCP_TEST_CONFIGURATION=DEFAULT_CONF
cmake --build build --target clean
cmake --build build --target freertos_plus_tcp_build_test
echo "::endgroup::"
echo -e "${{ env.bashPass }} ${{ env.stepName }} ${{ env.bashEnd }}"
- env:
stepName: Build checks (Header Self Contain)
shell: bash
run: |
cmake -S . -B build -DFREERTOS_PLUS_TCP_ENABLE_BUILD_CHECKS=ON -DFREERTOS_PLUS_TCP_TEST_CONFIGURATION=HEADER_SELF_CONTAIN
cmake --build build --target clean
cmake --build build --target freertos_plus_tcp_build_test_FreeRTOS_DHCP
cmake --build build --target freertos_plus_tcp_build_test_FreeRTOS_DNS
cmake --build build --target freertos_plus_tcp_build_test_FreeRTOS_IP
cmake --build build --target freertos_plus_tcp_build_test_FreeRTOS_ND
cmake --build build --target freertos_plus_tcp_build_test_FreeRTOS_Routing
cmake --build build --target freertos_plus_tcp_build_test_FreeRTOS_Sockets
cmake --build build --target freertos_plus_tcp_build_test_NetworkBufferManagement
cmake --build build --target freertos_plus_tcp_build_test_NetworkInterface
complexity:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- env:
stepName: Setup
name: ${{ env.stepName }}
run: |
# ${{ env.stepName }}
echo -e "::group::${{ env.bashInfo }} ${{ env.stepName }} ${{ env.bashEnd }}"
sudo apt-get install complexity
sudo apt-get install uncrustify
echo "::endgroup::"
echo -e "${{ env.bashPass }} ${{ env.stepName }} ${{ env.bashEnd }}"
- env:
stepName: Complexity
name: ${{ env.stepName }}
run: |
# ${{ env.stepName }}
echo -e "::group::${{ env.bashInfo }} ${{ env.stepName }} ${{ env.bashEnd }}"
COMPLEXITY_PARAMS="--scores --threshold=10 --horrid-threshold=283"
TEMP_DIR=./temp
mkdir -p ${TEMP_DIR}
for SOURCE_FILE in source/portable/BufferManagement/*.c source/*.c
do
TARGET_DIR=${TEMP_DIR}/`dirname ${SOURCE_FILE}`
TARGET_FILE=${TARGET_DIR}/`basename ${SOURCE_FILE}`
mkdir -p ${TARGET_DIR}
uncrustify -c tools/uncrustify.complexity.cfg -f ${SOURCE_FILE} > ${TARGET_FILE}
done
find ${TEMP_DIR} -iname '*.c' | xargs complexity ${COMPLEXITY_PARAMS}
RESULT=$?
rm -rf ${TEMP_DIR}
echo "::endgroup::"
if [ "${RESULT}" = "0" ]; then
echo -e "${{ env.bashPass }} ${{ env.stepName }} ${{ env.bashEnd }}"
exit 0
else
echo -e "${{ env.bashFail }} Sources are too complex, rc = ${RESULT} ${{ env.bashEnd }}"
echo -e "${{ env.bashFail }} ${{ env.stepName }} ${{ env.bashEnd }}"
exit 1
fi
git-secrets:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
submodules: recursive
- name: Checkout awslabs/git-secrets
uses: actions/checkout@v4
with:
repository: awslabs/git-secrets
ref: master
path: git-secrets
- env:
stepName: Install git-secrets
name: ${{ env.stepName }}
run: |
# ${{ env.stepName }}
echo -e "::group::${{ env.bashInfo }} ${{ env.stepName }} ${{ env.bashEnd }}"
cd git-secrets && sudo make install && cd ..
echo "::endgroup::"
echo -e "${{ env.bashPass }} ${{ env.stepName }} ${{ env.bashEnd }}"
- env:
stepName: Run git-secrets
name: ${{ env.stepName }}
run: |
# ${{ env.stepName }}
echo -e "::group::${{ env.bashInfo }} ${{ env.stepName }} ${{ env.bashEnd }}"
git-secrets --register-aws
git-secrets --scan
echo "::endgroup::"
echo -e "${{ env.bashPass }} ${{ env.stepName }} ${{ env.bashEnd }}"
proof_ci:
if: ${{ github.event.pull_request }}
runs-on: cbmc_ubuntu-latest_16-core
steps:
- name: Set up CBMC runner
uses: FreeRTOS/CI-CD-Github-Actions/set_up_cbmc_runner@main
with:
cbmc_version: "6.3.1"
- env:
stepName: Install Dependencies
name: ${{ env.stepName }}
shell: bash
run: |
# ${{ env.stepName }}
echo -e "::group::${{ env.bashInfo }} ${{ env.stepName }} ${{ env.bashEnd }}"
git submodule update --init --checkout --recursive
sudo apt-get update
sudo apt-get install --yes --no-install-recommends gcc-multilib
echo "::endgroup::"
echo -e "${{ env.bashPass }} ${{ env.stepName }} ${{ env.bashEnd }}"
- name: Run CBMC
uses: FreeRTOS/CI-CD-Github-Actions/run_cbmc@main
with:
proofs_dir: test/cbmc/proofs