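# CI workflow: builds across an OS / TLS / link / config matrix, runs CodeQL on
# one Ubuntu configuration, uploads the resulting binaries and SARIF, and runs
# two smoke tests (msh3app, msh3test). Two auxiliary jobs auto-merge Dependabot
# PRs and provide a single "Build Complete" check to require in branch rules.
name: Build

on:
  push:
    branches: main
  pull_request:
    branches: main

concurrency:
  # Cancel any workflow currently in progress for the same PR.
  # Allow running concurrently with any other commits.
  group: build-${{ github.event.pull_request.number || github.sha }}
  cancel-in-progress: true

# Default token scope for every job; jobs that need more must opt in below.
permissions: read-all

jobs:
  build:
    name: Build
    permissions:
      # required for all workflows
      security-events: write
      # required to fetch internal or private CodeQL packs
      packages: read
      # only required for workflows in private repositories
      actions: read
      contents: read
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu, windows]
        tls: [schannel, openssl, openssl3]
        link: [static, shared]
        config: [Debug, Release]
        exclude:
          # schannel is Windows-only.
          - os: ubuntu
            tls: schannel
    runs-on: ${{ matrix.os }}-latest
    timeout-minutes: 15
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f
        with:
          # "audit" only records outbound connections; it does not block them.
          # Switching to "block" needs an allowlist that includes the hosts the
          # msh3app step below connects to.
          egress-policy: audit
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          submodules: 'recursive'
      - name: Install Perl
        if: runner.os == 'Windows'
        uses: shogo82148/actions-setup-perl@98dfedee230bcf1ee68d5b021931fc8d63f2016e
        with:
          perl-version: '5.34'
      - name: Install NASM
        if: runner.os == 'Windows'
        uses: ilammy/setup-nasm@13cbeb366c45c4379d3478cdcbadd8295feb5028
      - name: Install libnuma-dev
        # runner.os reports 'Linux' on ubuntu-latest (never 'Ubuntu'), so the
        # previous comparison against 'Ubuntu' silently skipped this step.
        if: runner.os == 'Linux'
        run: sudo apt-get install -y libnuma-dev
      # CodeQL runs on a single matrix cell (ubuntu / openssl / shared / Release)
      # to avoid analysing the same sources once per configuration.
      - name: Initialize CodeQL
        if: ${{ (matrix.os == 'ubuntu') && (matrix.tls == 'openssl') && (matrix.link == 'shared') && (matrix.config == 'Release') }}
        uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169
        with:
          languages: c-cpp
          # manual: the Build step below compiles the code between init and analyze.
          build-mode: manual
          config: |
            queries:
              - uses: security-and-quality # (very verbose)
            query-filters:
              - exclude:
                  id: cpp/loop-variable-changed
              - exclude:
                  id: cpp/include-non-header
      - name: Build
        shell: pwsh
        # All interpolated values come from the matrix or github.run_number,
        # none from PR-controlled input.
        run: ./.github/workflows/build.ps1 -Config ${{ matrix.config }} -Tls ${{ matrix.tls }} -Link ${{ matrix.link }} -BuildId ${{ github.run_number }} -Suffix "-official" -WithTests -WithTools -Debug
      - name: Perform CodeQL Analysis
        if: ${{ (matrix.os == 'ubuntu') && (matrix.tls == 'openssl') && (matrix.link == 'shared') && (matrix.config == 'Release') }}
        uses: github/codeql-action/analyze@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169
        with:
          category: "/language:c-cpp"
          output: sarif-results
          # Results are uploaded by the dedicated step after filtering;
          # only a failed analysis uploads directly from here.
          upload: failure-only
      - name: Filter SARIF
        if: ${{ (matrix.os == 'ubuntu') && (matrix.tls == 'openssl') && (matrix.link == 'shared') && (matrix.config == 'Release') }}
        uses: advanced-security/filter-sarif@f3b8118a9349d88f7b1c0c488476411145b6270d
        with:
          # Drop findings from build output, vendored submodules and tests.
          patterns: |
            -build/**/*
            -ls-qpack/**/*
            -msquic/**/*
            -test/**/*
          input: sarif-results/cpp.sarif
          output: sarif-results/cpp.sarif
      - name: Upload SARIF
        if: ${{ (matrix.os == 'ubuntu') && (matrix.tls == 'openssl') && (matrix.link == 'shared') && (matrix.config == 'Release') }}
        uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169
        with:
          sarif_file: sarif-results/cpp.sarif
      - name: Upload SARIF to Artifacts
        if: ${{ (matrix.os == 'ubuntu') && (matrix.tls == 'openssl') && (matrix.link == 'shared') && (matrix.config == 'Release') }}
        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b
        with:
          name: sarif-results
          path: sarif-results
      - name: Upload
        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b
        with:
          name: bin-${{ matrix.os }}-${{ matrix.tls }}-${{ matrix.link }}-${{ matrix.config }}
          path: |
            artifacts/*.dll
            artifacts/*.exe
            artifacts/*.pdb
            artifacts/*.so
            artifacts/msh3app
            artifacts/msh3test
      # Smoke test against three public hosts; requires runner egress.
      - name: msh3app
        run: |
          ./artifacts/msh3app outlook.office.com
          ./artifacts/msh3app www.cloudflare.com
          ./artifacts/msh3app www.google.com
        timeout-minutes: 1
      - name: msh3test
        run: ./artifacts/msh3test
        timeout-minutes: 1

  dependabot-merge:
    name: Merge Dependabot
    runs-on: ubuntu-latest
    # NOTE(review): no dependency on `build`, so this job does not wait for the
    # matrix to pass; merging a red build is only prevented if branch protection
    # requires the "Build Complete" check.
    needs: []
    steps:
      - uses: ahmadnassri/action-dependabot-auto-merge@45fc124d949b19b6b8bf6645b6c9d55f4f9ac61a
        if: ${{ github.event_name == 'pull_request' }}
        with:
          target: minor
          # NOTE(review): the workflow-level `permissions: read-all` applies to
          # this job too, so this token is read-only — confirm the action can
          # still approve/merge with it, or scope write permissions to this job.
          github-token: ${{ secrets.GITHUB_TOKEN }}

  # Single aggregate job to reference from branch protection instead of every
  # matrix cell.
  all-done:
    name: Build Complete
    runs-on: ubuntu-latest
    needs: build
    steps:
      - name: No-op
        shell: pwsh
        run: Write-Host "All done!"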