name: Build-extra CI on: push: branches: [ master ] paths-ignore: - '.github/ISSUE_TEMPLATE/*' - 'contrib/syntax/**' - 'contrib/vim/**' - 'etc/**' - 'src/man/*.txt' - .git-blame-ignore-revs - .github/dependabot.yml - .github/pull_request_template.md - .github/workflows/codeql-analysis.yml - .github/workflows/profile-checks.yml - .gitignore - .gitlab-ci.yml - CONTRIBUTING.md - COPYING - README - README.md - RELNOTES - SECURITY.md - src/firecfg/firecfg.config pull_request: branches: [ master ] paths-ignore: - '.github/ISSUE_TEMPLATE/*' - 'contrib/syntax/**' - 'contrib/vim/**' - 'etc/**' - 'src/man/*.txt' - .git-blame-ignore-revs - .github/dependabot.yml - .github/pull_request_template.md - .github/workflows/codeql-analysis.yml - .github/workflows/profile-checks.yml - .gitignore - .gitlab-ci.yml - CONTRIBUTING.md - COPYING - README - README.md - RELNOTES - SECURITY.md - src/firecfg/firecfg.config permissions: # added using https://github.com/step-security/secure-workflows contents: read jobs: build-clang: runs-on: ubuntu-22.04 steps: - name: Harden Runner uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 with: egress-policy: block allowed-endpoints: > azure.archive.ubuntu.com:80 github.com:443 - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c - name: install dependencies run: sudo apt-get install libapparmor-dev libselinux1-dev - name: configure run: CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor --enable-selinux - name: make run: make - name: make install run: sudo make install - name: print version run: command -V firejail && firejail --version scan-build: runs-on: ubuntu-22.04 steps: - name: Harden Runner uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 with: egress-policy: block allowed-endpoints: > azure.archive.ubuntu.com:80 github.com:443 - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c - name: install clang-tools-14 and dependencies run: sudo apt-get install clang-tools-14 libapparmor-dev libselinux1-dev - name: configure run: CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor --enable-selinux - name: scan-build run: NO_EXTRA_CFLAGS="yes" scan-build-14 --status-bugs make cppcheck: runs-on: ubuntu-22.04 steps: - name: Harden Runner uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 with: egress-policy: block allowed-endpoints: > azure.archive.ubuntu.com:80 github.com:443 - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c - name: install cppcheck run: sudo apt-get install cppcheck - name: cppcheck run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance -i src/firejail/checkcfg.c -i src/firejail/main.c . # new cppcheck version currently chokes on checkcfg.c and main.c, therefore scan all files also # with older cppcheck version from ubuntu 20.04. cppcheck_old: runs-on: ubuntu-20.04 steps: - name: Harden Runner uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 with: egress-policy: block allowed-endpoints: > azure.archive.ubuntu.com:80 github.com:443 - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c - name: install cppcheck run: sudo apt-get install cppcheck - name: cppcheck run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance . codespell: runs-on: ubuntu-22.04 steps: - name: Harden Runner uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 with: egress-policy: block allowed-endpoints: > azure.archive.ubuntu.com:80 github.com:443 - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c - name: install dependencies run: sudo apt-get install codespell - name: codespell run: make codespell