go.yml

name: AAARRR

on:
  push:
    branches: [ n2 ]
  pull_request:
    branches: [ n2 ]
  workflow_dispatch:

jobs:

  build:
    name: 🧬 Build
    runs-on: ubuntu-latest
    steps:

    - name: 🥏 Checkout code
      uses: actions/checkout@v4

    - name: 🐼 Setup go1.23+
      uses: actions/setup-go@v5
      with:
        go-version: '>=1.23.2'

    - name: 🏗️ Make
      run: |
        # outputs firestack.aar and firestack-arm.aar; also see: "Obj" below
        ./make-aar nogo debug
      shell: bash

    - name: 🧪 Test
      if: success()
      run: |
        go env
        # go test -v -race -bench=. -benchtime=100ms ./...
        echo "::notice::success"

    - name: 🔮 Vet
      run: |
        # github.com/actions/setup-go/issues/27
        export PATH=${PATH}:`go env GOPATH`/bin

        # vet: fails: archive.is/XcDl6
        go vet ./...
        # staticcheck
        # go install honnef.co/go/tools/cmd/staticcheck@latest
        # staticcheck ./...
        go install go.uber.org/nilaway/cmd/nilaway@latest
        nilaway ./...
        go install golang.org/x/vuln/cmd/govulncheck@latest
        govulncheck -test ./...
      shell: bash

    - name: 🐍 Python3
      uses: actions/setup-python@v5
      with:
        python-version: '3.10'

    - name: 💿 Obj
      run: |
        wget --tries=2 --waitretry=3 --no-dns-cache https://github.com/Zxilly/go-size-analyzer/releases/download/v1.0.8/go-size-analyzer_1.0.8_linux_amd64.deb -O gsa.deb
        sudo dpkg -i gsa.deb
        # s/tun2socks*.aar/firestack*.aar; see: make-aar
        #
        # Archive:  firestack-debug.aar
        # inflating: AndroidManifest.xml
        # inflating: proguard.txt
        # inflating: classes.jar
        # inflating: jni/armeabi-v7a/libgojni.so
        # inflating: jni/arm64-v8a/libgojni.so
        # inflating: jni/x86/libgojni.so
        # inflating: jni/x86_64/libgojni.so
        # inflating: R.txt
        # creating: res/
        # /usr/bin/jar
        unzip firestack-debug.aar
        which jar && jar tf ./classes.jar
        gsa jni/arm64-v8a/*.so -f text --verbose

        #pip install sqlelf

        #sqlelf jni/arm64-v8a/libgojni.so --sql \
        #  "SELECT mnemonic, COUNT(*) from elf_instructions GROUP BY mnemonic ORDER BY 2 DESC LIMIT 20"

        #sqlelf jni/arm64-v8a/libgojni.so --sql \
        #  "SELECT * from elf_headers"

        # determine NEEDED entries
        #sqlelf jni/arm64-v8a/libgojni.so --sql \
        #  "SELECT elf_strings.path, elf_strings.value
        #  FROM elf_dynamic_entries
        #  INNER JOIN elf_strings ON elf_dynamic_entries.value = elf_strings.offset
        #  WHERE elf_dynamic_entries.tag = 'NEEDED'"

        # determine the largest functions
        #sqlelf jni/arm64-v8a/libgojni.so --sql \
        #  "SELECT name AS function_name, (high_pc - low_pc) AS function_size
        #  FROM dwarf_dies
        #  WHERE tag = 'DW_TAG_subprogram'
        #  ORDER BY function_size DESC
        #  LIMIT 50;"
      shell: bash

      # github.com/actions/upload-artifact
    - name: 🚀 Upload
      uses: actions/upload-artifact@v4
      if: success()
      with:
        name: firestack-aar-${{ github.sha }} # must be unique
        path: firestack*.aar # see: make-aar
        retention-days: 52 # 0-90; 90 is max
        if-no-files-found: error # error, warn (default), ignore
        compression-level: 9 # 0-9; 9 is max

  checker:
    name: 🔐 Security checker
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      id-token: write
    env:
      GO111MODULE: on
    steps:
      - name: 🥏 Checkout
        uses: actions/checkout@v4

      - name: 🕵️ Gosec Scanner
        uses: securego/gosec@master
        with:
          # github.com/securego/gosec/issues/1219
          # we let the report trigger content trigger a failure using the GitHub Security features.
          args: '-no-fail -fmt sarif -out results.sarif ./...'
      - name: 📡 Upload to code-scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

  # from: github.com/golangci/golangci-lint-action
  golangci-lint:
    name: 🧭 Lint 
    runs-on: ubuntu-latest
    permissions:
      # Required: allow read access to the content for analysis.
      contents: read
      # Optional: allow read access to pull request. Use with `only-new-issues` option.
      pull-requests: read
      # Optional: Allow write access to checks to allow the action to annotate code in the PR.
      checks: write
    steps:
      - name: 🥏 Checkout
        uses: actions/checkout@v4
      - name: 🐼 Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '>=1.23'
          cache: false
      # github.com/tailscale/tailscale/blob/93324cc7b/.github/workflows/depaware.yml
      # consolidated in: github.com/tailscale/tailscale/commit/4022796484
      - name: 📦 Depaware
        run: |
          go run github.com/tailscale/depaware github.com/celzero/firestack/intra
          go run github.com/tailscale/depaware github.com/celzero/firestack/tunnel
      - name: 🏅 Lint
        uses: golangci/golangci-lint-action@v3.7.0
        with:
          args: --config=.golangci.yml --issues-exit-code=0
      - name: 📡 Staticheck
        uses: dominikh/staticcheck-action@v1.3.1
        with:
          version: "latest"
          install-go: false