Update GitHub Actions workflows as per security guidelines (#187) #934
name: CI Checks | |
on: | |
push: | |
branches: ["**"] | |
pull_request: | |
branches: ["**"] | |
workflow_dispatch: | |
jobs: | |
unittest: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Clone This Repo | |
uses: actions/checkout@v3 | |
- name: Build | |
run: | | |
sudo apt-get install -y lcov | |
# Build the coverity analysis project as well to check compiler warning. | |
# Coverity analysis project builds coreHTTP source file only. llhttp source | |
# files are not built in this target. | |
cmake -S test -B build/ \ | |
-G "Unix Makefiles" \ | |
-DCMAKE_BUILD_TYPE=Debug \ | |
-DUNITTEST=1 \ | |
-DCOV_ANALYSIS=1 \ | |
-DCMAKE_C_FLAGS='--coverage -Wall -Wextra -DNDEBUG' | |
make -C build/ all | |
- name: Run CTests | |
run: ctest --test-dir build -E system --output-on-failure | |
- name: Run Coverage | |
run: | | |
make -C build/ coverage | |
declare -a EXCLUDE=("\*test\*" "\*CMakeCCompilerId\*" "\*mocks\*" "\*3rdparty\*") | |
echo ${EXCLUDE[@]} | xargs lcov --rc lcov_branch_coverage=1 -r build/coverage.info -o build/coverage.info | |
lcov --rc lcov_branch_coverage=1 --list build/coverage.info | |
- name: Check Coverage | |
uses: FreeRTOS/CI-CD-Github-Actions/coverage-cop@main | |
with: | |
coverage-file: ./build/coverage.info | |
branch-coverage-min: 100 | |
line-coverage-min: 100 | |
complexity: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Check complexity | |
uses: FreeRTOS/CI-CD-Github-Actions/complexity@main | |
with: | |
path: ./ | |
doxygen: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Run doxygen build | |
uses: FreeRTOS/CI-CD-Github-Actions/doxygen@main | |
with: | |
path: ./ | |
spell-check: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Clone This Repo | |
uses: actions/checkout@v3 | |
- name: Run spellings check | |
uses: FreeRTOS/CI-CD-Github-Actions/spellings@main | |
with: | |
path: ./ | |
formatting: | |
runs-on: ubuntu-20.04 | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Check formatting | |
uses: FreeRTOS/CI-CD-Github-Actions/formatting@main | |
with: | |
path: ./ | |
ssot-check: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout this repo | |
uses: actions/checkout@v3 | |
with: | |
path: current | |
- name: Checkout coreMQTT | |
uses: actions/checkout@v3 | |
with: | |
ref: main | |
repository: FreeRTOS/coreMQTT | |
path: ssot | |
- name: Check transport_interface.h | |
run: | | |
SSOT_FILE="ssot/source/interface/transport_interface.h" | |
CURRENT_FILE="current/source/interface/transport_interface.h" | |
diff <(tail -n +3 $SSOT_FILE) <(tail -n +3 $CURRENT_FILE) | |
if [ "$?" -ne "0" ]; then | |
echo "transport_interface.h differs from coreMQTT." | |
exit 1 | |
else | |
exit 0 | |
fi | |
git-secrets: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Checkout awslabs/git-secrets | |
uses: actions/checkout@v3 | |
with: | |
repository: awslabs/git-secrets | |
ref: master | |
path: git-secrets | |
- name: Install git-secrets | |
run: cd git-secrets && sudo make install && cd .. | |
- name: Run git-secrets | |
run: | | |
git-secrets --register-aws | |
git-secrets --scan | |
memory_statistics: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
submodules: "recursive" | |
- name: Install Python3 | |
uses: actions/setup-python@v3 | |
with: | |
python-version: "3.11.0" | |
- name: Measure sizes | |
uses: FreeRTOS/CI-CD-Github-Actions/memory_statistics@main | |
with: | |
config: .github/memory_statistics_config.json | |
check_against: docs/doxygen/include/size_table.md | |
link-verifier: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Check Links | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
uses: FreeRTOS/CI-CD-Github-Actions/link-verifier@main | |
with: | |
path: ./ | |
verify-manifest: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
submodules: true | |
fetch-depth: 0 | |
# At time of writing the gitmodules are set not to pull | |
# Even when using fetch submodules. Need to run this command | |
# To force it to grab them. | |
- name: Perform Recursive Clone | |
shell: bash | |
run: git submodule update --checkout --init --recursive | |
- name: Run manifest verifier | |
uses: FreeRTOS/CI-CD-GitHub-Actions/manifest-verifier@main | |
with: | |
path: ./ | |
fail-on-incorrect-version: true | |
proof_ci: | |
if: ${{ github.event.pull_request }} | |
runs-on: cbmc_ubuntu-latest_64-core | |
steps: | |
- name: Set up CBMC runner | |
uses: FreeRTOS/CI-CD-Github-Actions/set_up_cbmc_runner@main | |
with: | |
kissat_tag: latest | |
cbmc_version: "6.3.1" | |
- run: | | |
git submodule update --init --recursive --checkout | |
sudo apt-get update | |
sudo apt-get install --yes --no-install-recommends gcc-multilib build-essential | |
- name: Run CBMC | |
uses: FreeRTOS/CI-CD-Github-Actions/run_cbmc@main | |
with: | |
proofs_dir: test/cbmc/proofs |
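Review bot: The workflow declares no top-level `permissions:`, so every job's GITHUB_TOKEN (including the one handed to link-verifier via `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}`) carries the repository's default scope instead of the least privilege these read-only checks need; I would add `permissions:` with `contents: read` directly under `name: CI Checks` and widen it per job only where a step actually needs more. The third-party actions and the awslabs/git-secrets checkout are referenced by mutable refs (`@v3`, `@main`, `ref: master`) and `sudo make install` then builds that checkout, so the code executed is whatever those branches hold at run time; pinning each `uses:` and the `ref:` to a full commit SHA, e.g. `uses: FreeRTOS/CI-CD-Github-Actions/coverage-cop@<commit-sha>  # main`, is the usual fix. In ssot-check the step runs under GitHub's default `bash -e` shell, so a non-zero `diff` aborts the step before `if [ "$?" -ne "0" ]` is evaluated and the "transport_interface.h differs from coreMQTT." message never prints; `if ! diff <(tail -n +3 "$SSOT_FILE") <(tail -n +3 "$CURRENT_FILE"); then` keeps the intended diagnostic. The rendered page does not show which of these lines are new in this commit, so some of this may predate the change.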