Diffstat (limited to '.github/workflows')
-rw-r--r-- | .github/workflows/build-extra.yml | 79 | ||||
-rw-r--r-- | .github/workflows/check-c.yml | 159 | ||||
-rw-r--r-- | .github/workflows/codeql-analysis.yml | 78 |
3 files changed, 159 insertions, 157 deletions
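--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -68,82 +68,3 @@ jobs:
         run: sudo make install
       - name: print version
         run: command -V firejail && firejail --version
-  scan-build:
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            archive.ubuntu.com:80
-            azure.archive.ubuntu.com:80
-            github.com:443
-            packages.microsoft.com:443
-            ppa.launchpadcontent.net:443
-            security.ubuntu.com:80
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
-      - name: update package information
-        run: sudo apt-get update -qy
-      - name: install clang-tools-14 and dependencies
-        run: >
-          sudo apt-get install -qy
-          clang-tools-14 libapparmor-dev libselinux1-dev
-      - name: print env
-        run: ./ci/printenv.sh
-      - name: configure
-        run: >
-          CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor
-          --enable-selinux
-          || (cat config.log; exit 1)
-      - name: scan-build
-        run: scan-build-14 --status-bugs make
-  cppcheck:
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            archive.ubuntu.com:80
-            azure.archive.ubuntu.com:80
-            github.com:443
-            packages.microsoft.com:443
-            ppa.launchpadcontent.net:443
-            security.ubuntu.com:80
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
-      - name: update package information
-        run: sudo apt-get update -qy
-      - name: install cppcheck
-        run: sudo apt-get install -qy cppcheck
-      - run: cppcheck --version
-      - name: cppcheck
-        run: >
-          cppcheck -q --force --error-exitcode=1 --enable=warning,performance
-          -i src/firejail/checkcfg.c -i src/firejail/main.c .
-  # new cppcheck version currently chokes on checkcfg.c and main.c, therefore
-  # scan all files also with older cppcheck version from ubuntu 20.04.
-  cppcheck_old:
-    runs-on: ubuntu-20.04
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            archive.ubuntu.com:80
-            azure.archive.ubuntu.com:80
-            github.com:443
-            packages.microsoft.com:443
-            ppa.launchpad.net:80
-            ppa.launchpadcontent.net:443
-            security.ubuntu.com:80
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
-      - name: update package information
-        run: sudo apt-get update -qy
-      - name: install cppcheck
-        run: sudo apt-get install -qy cppcheck
-      - run: cppcheck --version
-      - name: cppcheck
-        run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance .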
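--- /dev/null
+++ b/.github/workflows/check-c.yml
@@ -0,0 +1,159 @@
+name: Check-C
+
+on:
+  push:
+    paths:
+      - 'm4/**'
+      - 'src/**.c'
+      - 'src/**.h'
+      - 'src/**.mk'
+      - 'src/**Makefile'
+      - .github/workflows/check-c.yml
+      - Makefile
+      - ci/printenv.sh
+      - config.mk.in
+      - config.sh.in
+      - configure
+      - configure.ac
+  pull_request:
+    paths:
+      - 'm4/**'
+      - 'src/**.c'
+      - 'src/**.h'
+      - 'src/**.mk'
+      - 'src/**Makefile'
+      - .github/workflows/check-c.yml
+      - Makefile
+      - ci/printenv.sh
+      - config.mk.in
+      - config.sh.in
+      - configure
+      - configure.ac
+  schedule:
+    - cron: '0 7 * * 2'
+
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
+jobs:
+  scan-build:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            archive.ubuntu.com:80
+            azure.archive.ubuntu.com:80
+            github.com:443
+            packages.microsoft.com:443
+            ppa.launchpadcontent.net:443
+            security.ubuntu.com:80
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+      - name: update package information
+        run: sudo apt-get update -qy
+      - name: install clang-tools-14 and dependencies
+        run: >
+          sudo apt-get install -qy
+          clang-tools-14 libapparmor-dev libselinux1-dev
+      - name: print env
+        run: ./ci/printenv.sh
+      - name: configure
+        run: >
+          CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor
+          --enable-selinux
+          || (cat config.log; exit 1)
+      - name: scan-build
+        run: scan-build-14 --status-bugs make
+
+  cppcheck:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            archive.ubuntu.com:80
+            azure.archive.ubuntu.com:80
+            github.com:443
+            packages.microsoft.com:443
+            ppa.launchpadcontent.net:443
+            security.ubuntu.com:80
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+      - name: update package information
+        run: sudo apt-get update -qy
+      - name: install cppcheck
+        run: sudo apt-get install -qy cppcheck
+      - run: cppcheck --version
+      - name: cppcheck
+        run: >
+          cppcheck -q --force --error-exitcode=1 --enable=warning,performance
+          -i src/firejail/checkcfg.c -i src/firejail/main.c .
+
+  # new cppcheck version currently chokes on checkcfg.c and main.c, therefore
+  # scan all files also with older cppcheck version from ubuntu 20.04.
+  cppcheck_old:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            archive.ubuntu.com:80
+            azure.archive.ubuntu.com:80
+            github.com:443
+            packages.microsoft.com:443
+            ppa.launchpad.net:80
+            ppa.launchpadcontent.net:443
+            security.ubuntu.com:80
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+      - name: update package information
+        run: sudo apt-get update -qy
+      - name: install cppcheck
+        run: sudo apt-get install -qy cppcheck
+      - run: cppcheck --version
+      - name: cppcheck
+        run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance .
+
+  codeql-cpp:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            objects.githubusercontent.com:443
+            uploads.github.com:443
+
+      - name: Checkout repository
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+
+      - name: print env
+        run: ./ci/printenv.sh
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@5b6282e01c62d02e720b81eb8a51204f527c3624
+        with:
+          languages: cpp
+
+      - name: configure
+        run: ./configure
+
+      - name: make
+        run: make -j "$(nproc)"
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@5b6282e01c62d02e720b81eb8a51204f527c3624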
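Review bot: The codeql-cpp job is the only job in this new file on a floating runner label (`runs-on: ubuntu-latest`), while scan-build and cppcheck pin ubuntu-22.04 and cppcheck_old pins ubuntu-20.04, so an image rollover can change the CodeQL build environment and findings without any change to the repository; pinning it as `runs-on: ubuntu-22.04` keeps every job on an explicit image. The `uses:` references are pinned to commit SHAs, which is the right choice, but none carries a comment recording the release it resolves to; a trailing `# <release tag>` on each `uses:` line lets a reader and a dependency bot see what is pinned without resolving the hash. The comment above cppcheck_old says the newer cppcheck "currently chokes" on checkcfg.c and main.c but records neither the cppcheck version observed nor where the problem is tracked, so nothing tells a future maintainer when the ubuntu-20.04 job and the two `-i` exclusions can be dropped; stating the version (or a link to the upstream report) in that comment would close that gap.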
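--- a/.github/workflows/codeql-analysis.yml
+++ /dev/null
@@ -1,78 +0,0 @@
-name: CodeQL
-
-on:
-  push:
-    paths:
-      - 'm4/**'
-      - 'src/**.c'
-      - 'src/**.h'
-      - 'src/**.mk'
-      - 'src/**Makefile'
-      - .github/workflows/codeql-analysis.yml
-      - Makefile
-      - ci/printenv.sh
-      - config.mk.in
-      - config.sh.in
-      - configure
-      - configure.ac
-  pull_request:
-    paths:
-      - 'm4/**'
-      - 'src/**.c'
-      - 'src/**.h'
-      - 'src/**.mk'
-      - 'src/**Makefile'
-      - .github/workflows/codeql-analysis.yml
-      - Makefile
-      - ci/printenv.sh
-      - config.mk.in
-      - config.sh.in
-      - configure
-      - configure.ac
-  schedule:
-    - cron: '0 7 * * 2'
-
-permissions: # added using https://github.com/step-security/secure-workflows
-  contents: read
-
-jobs:
-  analyze:
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-    name: Analyze
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
-        with:
-          disable-sudo: true
-          egress-policy: block
-          allowed-endpoints: >
-            api.github.com:443
-            github.com:443
-            objects.githubusercontent.com:443
-            uploads.github.com:443
-
-      - name: Checkout repository
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
-
-      - name: print env
-        run: ./ci/printenv.sh
-
-      # Initializes the CodeQL tools for scanning.
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@5b6282e01c62d02e720b81eb8a51204f527c3624
-        with:
-          languages: cpp
-
-      - name: configure
-        run: ./configure
-
-      - name: make
-        run: make -j "$(nproc)"
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@5b6282e01c62d02e720b81eb8a51204f527c3624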