From 4aad3efa72d14c57d29b29f82201ff5765995e06 Mon Sep 17 00:00:00 2001 From: tigercosmos Date: Sun, 23 Jun 2024 18:35:03 +0900 Subject: [PATCH] Revert "remove all ci for testing" This reverts commit e1368e04517580984db2f8ea5217ef5c35f7bcfc. --- .github/workflows/auto_update.yml | 75 +++ .github/workflows/build_and_test.yml | 698 +++++++++++++++++++++++++ .github/workflows/check_dependabot.yml | 18 + .github/workflows/cifuzz.yml | 38 ++ .github/workflows/codeql.yml | 47 ++ .github/workflows/doxygen.yml | 48 ++ .github/workflows/package.yml | 336 ++++++++++++ .github/workflows/scorecards.yml | 71 +++ 8 files changed, 1331 insertions(+) create mode 100644 .github/workflows/auto_update.yml create mode 100644 .github/workflows/build_and_test.yml create mode 100644 .github/workflows/check_dependabot.yml create mode 100644 .github/workflows/cifuzz.yml create mode 100644 .github/workflows/codeql.yml create mode 100644 .github/workflows/doxygen.yml create mode 100644 .github/workflows/package.yml create mode 100644 .github/workflows/scorecards.yml diff --git a/.github/workflows/auto_update.yml b/.github/workflows/auto_update.yml new file mode 100644 index 0000000000..8582a269bd --- /dev/null +++ b/.github/workflows/auto_update.yml 
@@ -0,0 +1,75 @@
+name: Auto Update
+
+on:
+ schedule:
+ - cron: '0 0 1 * *' # Runs at 00:00, on day 1 of the month
+
+permissions:
+ contents: read
+
+jobs:
+ precommit-update:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ with:
+ ref: dev
+ - name: Setup Python
+ uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
+ with:
+ python-version: "3.8.x"
+ - name: Run update
+ run: |
+ pip install pre-commit
+ pre-commit autoupdate
+ - name: Create Pull Request
+ uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
+ with:
+ token: ${{ secrets.PAT }}
+ author: GitHub
+ add-paths: .pre-commit-config.yaml
+ commit-message: Auto pre-commit update
+ body: |
+ Update pre-commit hooks to latest
+
+ Auto generated
+ branch: auto-update/precommit_update
+ delete-branch: true
+ title: Auto precommit update
+ labels: automated-pr
+ assignees: seladb
+
+ oui-update:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ with:
+ ref: dev
+ - name: Setup Python
+ uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
+ with:
+ python-version: "3.9.x"
+ - name: Run update
+ run: |
+ python3 3rdParty/OUIDataset/create_oui_data.py
+ mv -f PCPP_OUIDataset.json 3rdParty/OUIDataset/PCPP_OUIDataset.json
+ - name: Create Pull Request
+ uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
+ with:
+ token: ${{ secrets.PAT }}
+ author: GitHub
+ add-paths: 3rdParty/OUIDataset/PCPP_OUIDataset.json
+ commit-message: Auto OUI Database Update
+ body: |
+ Update OUI database to latest
+
+ Auto generated
+ branch: auto-update/oui_update
+ delete-branch: true
+ title: Auto OUI Database Update
+ labels: automated-pr
+ assignees: seladb
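Review bot: The Run update step's `pre-commit autoupdate` moves every hook `rev` to its latest tag, and tags are mutable, so the monthly PR follows whatever the hook repositories retag later; `pre-commit autoupdate --freeze` pins each rev to a commit SHA, consistent with how this workflow SHA-pins its own actions. Both Create Pull Request steps push with `secrets.PAT`, which is not bounded by the `permissions: contents: read` block at the top of the file, so the token itself should be a fine-grained token limited to this repository with only contents and pull-requests write. The oui-update job commits the output of `create_oui_data.py`, which is not visible here; if that script fetches the dataset over the network, the generated PR should be reviewed as external input rather than merged on sight.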
diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml new file mode 100644 index 0000000000..f3044812e2 --- /dev/null +++ b/.github/workflows/build_and_test.yml 
@@ -0,0 +1,698 @@ +name: Build and test +on: + push: + branches: ["master", "dev"] + pull_request: + branches: ["dev"] + schedule: + - cron: '0 0 * * 0' # Run every Sunday at midnight + +env: + BUILD_DIR: Dist + GCOVR_FLAGS: --gcov-ignore-parse-errors --exclude-throw-branches --filter Common --filter Pcap --filter Packet --xml + +permissions: + contents: read + +jobs: + pre-commit: + runs-on: ubuntu-latest + container: seladb/alpine317 + steps: + - name: Checkout code + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + + # Checkout is performed out of the container and doesn't match our user + - name: Fix checkout ownership + run: chown -R "$(id -u):$(id -g)" "$GITHUB_WORKSPACE" + + - name: Install dependencies + run: | + apk update && apk add cppcheck python3-dev + python3 -m pip install cmake-format clang-format==18.1.6 + + - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 + + - name: CMake format + run: | + ./ci/cmake-format-all.sh + git diff --exit-code + + - name: Configure PcapPlusPlus for Static analysis + run: CXX=clang++ CC=clang cmake -DLIGHT_PCAPNG_ZSTD=ON -DPCAPPP_ENABLE_CLANG_TIDY=ON -S . 
-B "$BUILD_DIR" + + - name: Build PcapPlusPlus and check any diff + run: | + cmake --build "$BUILD_DIR" -j + git diff --exit-code + + linux: + runs-on: ubuntu-latest + container: seladb/${{ matrix.image }} + strategy: + matrix: + include: + - image: ubuntu2204 + python: python3 + config-zstd: OFF + - image: ubuntu2204-icpx + python: python3 + config-zstd: OFF + additional-flags: -DCMAKE_C_COMPILER=icx -DCMAKE_CXX_COMPILER=icpx + additional-gcov-flags: --gcov-executable "llvm-cov gcov" + - image: ubuntu2004 + python: python3 + config-zstd: OFF + - image: ubuntu1804 + python: python3.8 + config-zstd: OFF + - image: rhel93 + python: python3 + config-zstd: OFF + - image: fedora37 + python: python3 + config-zstd: OFF + - image: alpine317 + python: python3 + config-zstd: OFF + + steps: + - name: Checkout code + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + + # Checkout is performed out of the container and doesn't match our user + - name: Fix checkout ownership + run: chown -R "$(id -u):$(id -g)" "$GITHUB_WORKSPACE" + + - name: Setup Intel Compiler variables + if: contains(matrix.image, 'icpx') + run: | + . /opt/intel/oneapi/setvars.sh + printenv >> $GITHUB_ENV + + - name: Configure PcapPlusPlus + run: cmake -DLIGHT_PCAPNG_ZSTD=${{ matrix.config-zstd }} -DPCAPPP_BUILD_COVERAGE=ON ${{ matrix.additional-flags }} -S . 
-B "$BUILD_DIR" + + - name: Build PcapPlusPlus + run: cmake --build "$BUILD_DIR" -j + + - name: Test PcapPlusPlus + run: | + ${{ matrix.python }} -m pip install -U pip + ${{ matrix.python }} -m pip install -r ci/run_tests/requirements.txt + ${{ matrix.python }} ci/run_tests/run_tests.py --interface eth0 ${{ matrix.test-flags }} + + - name: Test Examples + run: | + cd Tests/ExamplesTest + ${{ matrix.python }} -m pip install -U pip + ${{ matrix.python }} -m pip install -r requirements.txt + ${{ matrix.python }} -m pytest --interface eth0 --root-path=../../Dist/examples_bin + + - name: Check installation + run: | + cmake -DPCAPPP_BUILD_COVERAGE=OFF -S . -B "$BUILD_DIR" + cmake --build "$BUILD_DIR" -j + cmake --install $BUILD_DIR + + - name: Build Tutorials + run: | + cmake -DPCAPPP_BUILD_TUTORIALS=ON ${{ matrix.additional-flags }} -S Examples -B build_examples + cmake --build build_examples -j + + - name: Test Tutorials + run: cd build_examples/tutorials_bin && ./Tutorial-HelloWorld + + - name: Create Cobertura Report + run: | + ${{ matrix.python }} -m pip install gcovr + gcovr -v -r . ${{ matrix.additional-gcov-flags }} $GCOVR_FLAGS -o coverage.xml + + - name: Upload Coverage Results + uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3.1.6 + with: + files: ./coverage.xml + flags: ${{ matrix.image }},unittest + fail_ci_if_error: false + verbose: true + env: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} + + dpdk: + runs-on: ubuntu-latest + container: seladb/${{ matrix.image }} + strategy: + matrix: + include: + - image: ubuntu2204-dpdk2211 + - image: ubuntu2004-dpdk2111 + additional-flags: -DPCAPPP_USE_DPDK_KNI=ON + - image: ubuntu2004-dpdk2011 + additional-flags: -DPCAPPP_USE_DPDK_KNI=ON + + steps: + - name: Checkout code + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + + - name: Configure PcapPlusPlus + run: cmake -DPCAPPP_USE_DPDK=ON ${{ matrix.additional-flags }} -S . 
-B "$BUILD_DIR" + + - name: Build PcapPlusPlus + run: cmake --build "$BUILD_DIR" -j + + - name: Check AVX + run: grep avx /proc/cpuinfo + + - name: Test Packet++ + run: | + cd Tests/Packet++Test + if [ -n "$(grep avx512 /proc/cpuinfo)" ]; then Bin/Packet++Test; else echo AVX-512 SUPPORT NOT FOUND, CANNOT RUN Packet++Test; fi + + - name: Test Pcap++ + run: | + cd Tests/Pcap++Test + if [ -n "$(grep avx512 /proc/cpuinfo)" ]; then Bin/Pcap++Test -n; else echo AVX-512 SUPPORT NOT FOUND, CANNOT RUN Pcap++Test; fi + + - name: Check installation + run: | + cmake -DPCAPPP_BUILD_COVERAGE=OFF -S . -B "$BUILD_DIR" + cmake --build "$BUILD_DIR" -j + cmake --install $BUILD_DIR + + - name: Build Tutorials + run: | + cmake -DPCAPPP_BUILD_TUTORIALS=ON -S Examples -B build_examples + cmake --build build_examples -j + + - name: Test Tutorials + run: cd build_examples/tutorials_bin && ./Tutorial-HelloWorld + + pfring: + runs-on: ubuntu-latest + container: seladb/ubuntu2004-pfring + strategy: + matrix: + include: + - configure: cmake -DPCAPPP_USE_PF_RING=ON -DPF_RING_ROOT="/PF_RING" -S . -B "$BUILD_DIR" + + steps: + - name: Checkout code + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + + - name: Configure PcapPlusPlus + run: ${{ matrix.configure }} + + - name: Build PcapPlusPlus + run: cmake --build "$BUILD_DIR" -j + + - name: Test Packet++ + run: | + cd Tests/Packet++Test + Bin/Packet++Test + + - name: Test Pcap++ + run: | + cd Tests/Pcap++Test + Bin/Pcap++Test -n + + - name: Check installation + run: | + cmake -DPCAPPP_BUILD_COVERAGE=OFF -S . 
-B "$BUILD_DIR" + cmake --build "$BUILD_DIR" -j + cmake --install $BUILD_DIR + + - name: Build Tutorials + run: | + cmake -DPCAPPP_BUILD_TUTORIALS=ON -DPF_RING_ROOT="/PF_RING" -S Examples -B build_examples + cmake --build build_examples -j + + - name: Test Tutorials + run: cd build_examples/tutorials_bin && ./Tutorial-HelloWorld + + macos-x86: + runs-on: ${{ matrix.os-version }} + strategy: + matrix: + os-version: [macos-12, macos-13] + arch: [x86_64, arm64] + # Handle ZSTD build by Cirrus CI + # config-zstd: [ON, OFF] + config-zstd: [OFF] + exclude: + # excludes ZSTD on Arm64 + - arch: arm64 + config-zstd: ON + + steps: + - name: Checkout code + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + + - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 + with: + # support version: https://raw.githubusercontent.com/actions/python-versions/main/versions-manifest.json + python-version: "3.12" + + - name: Configure PcapPlusPlus + # Ensure user have access to network devices instead of giving super-user right + run: | + sudo chmod a+rw /dev/bpf* + cmake -DLIGHT_PCAPNG_ZSTD=${{ matrix.config-zstd }} -DCMAKE_OSX_ARCHITECTURES=${{ matrix.arch }} -DPCAPPP_BUILD_COVERAGE=ON -S . 
-B "$BUILD_DIR" + + - name: Build PcapPlusPlus + run: cmake --build "$BUILD_DIR" -j + + - name: Check architecture + run: lipo $BUILD_DIR/Pcap++/libPcap++.a -verify_arch ${{ matrix.arch }} + + - name: Install Tcpreplay + run: brew install tcpreplay + + - name: Test PcapPlusPlus + # We can't run cross compiled binaries + if: ${{ matrix.arch == 'x86_64' }} + run: | + python -m pip install -U pip + python -m pip install -r ci/run_tests/requirements.txt + python ci/run_tests/run_tests.py --interface en0 + + - name: Test Examples + if: ${{ matrix.arch == 'x86_64' }} + run: | + cd Tests/ExamplesTest + python -m pip install -U pip + python -m pip install -r requirements.txt + python -m pytest --interface en0 --use-sudo --root-path=../../Dist/examples_bin + + - name: Check installation + run: | + cmake -DPCAPPP_BUILD_COVERAGE=OFF -S . -B "$BUILD_DIR" + cmake --build "$BUILD_DIR" -j + cmake --install $BUILD_DIR + + - name: Build Tutorials + run: | + mkdir -p build_examples + cmake -DPCAPPP_BUILD_TUTORIALS=ON -DCMAKE_OSX_ARCHITECTURES=${{ matrix.arch }} -S Examples -B build_examples + cmake --build build_examples -j + + - name: Test Tutorials + if: ${{ matrix.arch == 'x86_64' }} + run: cd build_examples/tutorials_bin && ./Tutorial-HelloWorld + + - name: Create Cobertura Report + run: | + python3 -m pip install gcovr + gcovr -v -r . 
$GCOVR_FLAGS -o coverage.xml + + - name: Upload Coverage Results + uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3.1.6 + with: + files: ./coverage.xml + flags: ${{ matrix.os-version }},unittest + fail_ci_if_error: false + verbose: true + env: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} + + macos-m1: + runs-on: ${{ matrix.os-version }} + strategy: + matrix: + os-version: [macos-14] + + steps: + - name: Checkout code + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + + - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 + with: + # support version: https://raw.githubusercontent.com/actions/python-versions/main/versions-manifest.json + python-version: "3.12" + + - name: Configure PcapPlusPlus + # Ensure user have access to network devices instead of giving super-user right + # Seems macos-14 has more strict file permission + run: | + sudo chmod a+rw /dev/bpf* + sudo chmod a+rw /usr/local + cmake -DPCAPPP_BUILD_COVERAGE=ON -S . -B "$BUILD_DIR" + + - name: Build PcapPlusPlus + run: cmake --build "$BUILD_DIR" -j + + - name: Check architecture + run: lipo $BUILD_DIR/Pcap++/libPcap++.a -verify_arch arm64 + + - name: Install Tcpreplay + run: brew install tcpreplay + + - name: Test PcapPlusPlus + run: | + python -m pip install -U pip + python -m pip install -r ci/run_tests/requirements.txt + python ci/run_tests/run_tests.py --interface en0 + + - name: Test Examples + run: | + cd Tests/ExamplesTest + python -m pip install -U pip + python -m pip install -r requirements.txt + python -m pytest --interface en0 --use-sudo --root-path=../../Dist/examples_bin + + - name: Check installation + run: | + cmake -DPCAPPP_BUILD_COVERAGE=OFF -S . 
-B "$BUILD_DIR" + cmake --build "$BUILD_DIR" -j + cmake --install "$BUILD_DIR" + + - name: Build Tutorials + run: | + mkdir -p build_examples + cmake -DPCAPPP_BUILD_TUTORIALS=ON -S Examples -B build_examples + cmake --build build_examples -j + + - name: Test Tutorials + run: cd build_examples/tutorials_bin && ./Tutorial-HelloWorld + + - name: Create Cobertura Report + run: | + python3 -m pip install gcovr + gcovr -v -r . $GCOVR_FLAGS -o coverage.xml + + - name: Upload Coverage Results + uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3.1.6 + with: + files: ./coverage.xml + flags: ${{ matrix.os-version }},unittest + fail_ci_if_error: false + verbose: true + env: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} + + mingw-w64: + runs-on: windows-latest + strategy: + matrix: + include: + - env: i686 + sys: mingw32 + - env: x86_64 + sys: mingw64 + + steps: + - name: Checkout code + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + + - name: Setup MSYS2 + uses: msys2/setup-msys2@d0e80f58dffbc64f6a3a1f43527d469b4fc7b6c8 # v2.23.0 + with: + msystem: ${{matrix.sys}} + install: >- + git + mingw-w64-${{matrix.env}}-cmake + mingw-w64-${{matrix.env}}-gcc + mingw-w64-${{matrix.env}}-make + + - name: Setup Python + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 + with: + python-version: "3.8.x" + + - name: Install NPcap + env: + NPCAP_USERNAME: ${{ secrets.NPCAP_USERNAME }} + NPCAP_PASSWORD: ${{ secrets.NPCAP_PASSWORD }} + run: | + ci\install_npcap.bat + echo "PCAP_SDK_DIR=/C/Npcap-sdk" >> $env:GITHUB_ENV + + - name: Configure PcapPlusPlus + shell: msys2 {0} + run: | + cmake -G "MinGW Makefiles" -DPCAP_ROOT=/C/Npcap-sdk -DLIGHT_PCAPNG_ZSTD=OFF -DPCAPPP_BUILD_COVERAGE=ON -S . 
-B "$BUILD_DIR" + + - name: Build PcapPlusPlus + shell: msys2 {0} + # More than 2 jobs would make the build crash with OOM + # cc1plus.exe: out of memory allocating 65536 bytes + run: cmake --build "$BUILD_DIR" -j 2 + + - name: Install tcpreplay + run: ci\install_tcpreplay.bat + + - name: Test PcapPlusPlus + run: | + python -m pip install -r ci\run_tests\requirements.txt + python ci\run_tests\run_tests_windows.py + + - name: Test Examples + run: | + cd Tests\ExamplesTest + python -m pip install -r requirements.txt + python -m pytest --root-path=../../Dist/examples_bin + + - name: Install Coverage Requirements + run: python3 -m pip install gcovr + + - name: Process Coverage Files + shell: msys2 {0} + run: find . -name "*.gcno" -exec gcov -b -l -p -c {} + + + - name: Create Coberture Report + run: gcovr -v -g -k -r . $env:GCOVR_FLAGS.split() -o coverage.xml + + - name: Upload Coverage Results + uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3.1.6 + with: + files: ./coverage.xml + flags: ${{ matrix.sys }},unittest + fail_ci_if_error: false + verbose: true + env: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} + + visual-studio: + strategy: + matrix: + include: + - os: "windows-2019" + platform: "Visual Studio 16 2019" + arch: "x64" + pcap_lib: "npcap" + - os: windows-2019 + platform: "Visual Studio 16 2019" + arch: Win32 + pcap_lib: "winpcap" + - os: windows-2022 + platform: "Visual Studio 17 2022" + arch: "x64" + pcap_lib: "winpcap" + - os: windows-2022 + platform: "Visual Studio 17 2022" + arch: "x64" + pcap_lib: "npcap" + + runs-on: ${{ matrix.os }} + steps: + - name: Checkout code + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + + - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 + with: + python-version: "3.8.x" + + - name: Add MSBuild to PATH + uses: microsoft/setup-msbuild@6fb02220983dee41ce7ae257b6f4d8f9bf5ed4ce # v2.0.0 + + - name: Setup OpenCppCoverage and add to PATH + run: | + 
choco install OpenCppCoverage -y + echo "C:\Program Files\OpenCppCoverage" >> $env:GITHUB_PATH + + - name: Install WinPcap + run: | + ci\install_winpcap.bat + echo "PCAP_SDK_DIR=C:\WpdPack" >> $env:GITHUB_ENV + if: matrix.pcap_lib == 'winpcap' + + - name: Install NPcap + env: + NPCAP_USERNAME: ${{ secrets.NPCAP_USERNAME }} + NPCAP_PASSWORD: ${{ secrets.NPCAP_PASSWORD }} + run: | + ci\install_npcap.bat + echo "PCAP_SDK_DIR=C:\Npcap-sdk" >> $env:GITHUB_ENV + if: matrix.pcap_lib == 'npcap' + + - name: Set Zstd + run: | + ci\install_zstd.bat + echo "ZSTD_HOME_PARAM=-z C:\zstd" >> $env:GITHUB_ENV + if: matrix.use_zstd == true + + - name: Configure PcapPlusPlus + run: cmake -A ${{ matrix.arch }} -G "${{ matrix.platform }}" -DPCAP_ROOT=${{ env.PCAP_SDK_DIR }} -S . -B "$env:BUILD_DIR" + + - name: Build PcapPlusPlus + run: cmake --build $env:BUILD_DIR -j + + - name: Install tcpreplay + run: ci\install_tcpreplay.bat + + - name: Test PcapPlusPlus + run: | + python -m pip install -r ci\run_tests\requirements.txt + python ci\run_tests\run_tests_windows.py --coverage + + - name: Test Examples + run: | + move ".\Dist\examples_bin\Debug\*" ".\Dist\examples_bin\" + cd Tests\ExamplesTest + python -m pip install -r requirements.txt + python -m pytest --root-path=../../Dist/examples_bin + + - name: Upload Coverage Results + uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3.1.6 + with: + files: ./Tests/Pcap++Test/Pcap++Coverage.xml,./Tests/Packet++Test/Packet++Coverage.xml + flags: ${{ matrix.os }},unittest,${{ matrix.pcap_lib }} + fail_ci_if_error: false + verbose: true + env: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} + + android: + strategy: + matrix: + include: + - run-on-os: ubuntu-20.04 + target: armeabi-v7a + api-version: 30 + - run-on-os: ubuntu-20.04 + target: x86 + api-version: 30 + - run-on-os: macos-11 + target: arm64-v8a + cmake_configure: "-DCMAKE_OSX_ARCHITECTURES=arm64" + api-version: 30 + - run-on-os: macos-11 + target: x86_64 + 
cmake_configure: "-DCMAKE_OSX_ARCHITECTURES=x86_64" + api-version: 30 + + runs-on: ${{ matrix.run-on-os }} + + steps: + - name: Checkout code + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + + - name: Checkout lipbcap for Android + uses: actions/checkout@cd7d8d697e10461458bc61a30d094dc601a8b017 # main + with: + repository: seladb/libpcap-android + path: ./libpcap-android + + - name: Configure PcapPlusPlus + run: | + LIBPCAP_PATH=$(pwd)/libpcap-android + cmake -DCMAKE_TOOLCHAIN_FILE="${ANDROID_NDK}/build/cmake/android.toolchain.cmake" -DANDROID_PLATFORM="${{ matrix.api-version}}" -DANDROID_ABI="${{ matrix.target }}" -DPCAP_INCLUDE_DIR="${LIBPCAP_PATH}/include/" -DPCAP_LIBRARY="${LIBPCAP_PATH}/${{ matrix.target }}/${{ matrix.api-version}}/libpcap.a" -S . -B "$BUILD_DIR" + + - name: Build PcapPlusPlus + run: cmake --build "$BUILD_DIR" -j + + - name: Checkout ToyVpn-PcapPlusPlus + uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089 # master + with: + repository: seladb/ToyVpn-PcapPlusPlus + path: ./ToyVpn-PcapPlusPlus + submodules: true + + - name: Install locally PcapPlusPlus + # CMake install library in $prefix/lib ToyVpn want $prefix/$target/$api-version + run: | + TOYVPN_PCAPPLUSPLUS="./ToyVpn-PcapPlusPlus/app/libs/pcapplusplus" + PCAPPLUSPLUS_LIBS_PATH="$TOYVPN_PCAPPLUSPLUS/${{ matrix.target }}/${{ matrix.api-version }}" + PCAPPLUSPLUS_INCLUDE_PATH="$TOYVPN_PCAPPLUSPLUS/include" + cmake -DPCAPPP_BUILD_COVERAGE=OFF -S . 
-B "$BUILD_DIR" + cmake --build "$BUILD_DIR" -j + cmake --install $BUILD_DIR --prefix ${TOYVPN_PCAPPLUSPLUS} + mkdir -p ${PCAPPLUSPLUS_LIBS_PATH} ${PCAPPLUSPLUS_INCLUDE_PATH} + mv ${TOYVPN_PCAPPLUSPLUS}/lib/*.a ${PCAPPLUSPLUS_LIBS_PATH}/ + mv ${TOYVPN_PCAPPLUSPLUS}/include/pcapplusplus/*.h ${PCAPPLUSPLUS_INCLUDE_PATH}/ + + - name: Build ToyVpn-PcapPlusPlus + working-directory: ./ToyVpn-PcapPlusPlus + run: | + sed -i.bak "s|abiFilters.*$|abiFilters '${{ matrix.target }}'|g" app/build.gradle + chmod +x gradlew + ./gradlew assembleDebug + + xdp: + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + + - name: Install dependencies + run: | + sudo apt update && sudo apt -y install libpcap-dev libbpf-dev tcpreplay + + - name: Configure PcapPlusPlus + run: cmake -DPCAPPP_USE_XDP=ON -DPCAPPP_BUILD_COVERAGE=ON -S . -B $BUILD_DIR + + - name: Build PcapPlusPlus + run: cmake --build $BUILD_DIR -j + + - name: Test PcapPlusPlus + run: | + python -m pip install -U pip + python -m pip install -r ci/run_tests/requirements.txt + python ci/run_tests/run_tests.py --interface eth0 --use-sudo --pcap-test-args="-t xdp" + + - name: Create Cobertura Report + run: | + python -m pip install gcovr + gcovr -v -r . 
$GCOVR_FLAGS -o coverage.xml + + - name: Upload Coverage Results + uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3.1.6 + with: + files: ./coverage.xml + flags: xdp,unittest + fail_ci_if_error: false + verbose: true + env: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} + + test_regressions: + name: Run ${{ matrix.engine }}-${{ matrix.sanitizer }} fuzzer for regressions + runs-on: ubuntu-latest + strategy: + fail-fast: true + matrix: + sanitizer: [address, undefined, memory] + engine: [libfuzzer] + container: + image: gcr.io/oss-fuzz-base/base-builder + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: Install prerequisites + run: | + apt-get update && apt-get install -y cmake autoconf flex bison + cd .. + cp -r PcapPlusPlus/ $SRC/PcapPlusPlus + git clone --depth=1 https://github.com/the-tcpdump-group/libpcap.git $SRC/libpcap + cd $SRC/PcapPlusPlus/ + - name: Compile fuzzer + run: | + export FUZZING_LANGUAGE=c + export ARCHITECTURE=x86_64 + export FUZZING_ENGINE=${{ matrix.engine }} + export SANITIZER=${{ matrix.sanitizer }} + $SRC/PcapPlusPlus/Tests/Fuzzers/ossfuzz.sh + - name: Check for regressions + run: | + export BINARY="$OUT/FuzzTarget" + export SAMPLES="Tests/Fuzzers/RegressionTests/regression_samples" + Tests/Fuzzers/RegressionTests/run_tests.sh diff --git a/.github/workflows/check_dependabot.yml b/.github/workflows/check_dependabot.yml new file mode 100644 index 0000000000..5b46b6c383 --- /dev/null +++ b/.github/workflows/check_dependabot.yml @@ -0,0 +1,18 @@ +name: Validate dependabot + +on: + pull_request: + paths: + - '.github/dependabot.yml' + - '.github/workflows/check_dependabot.yml' + +permissions: + contents: read + +jobs: + validate: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: marocchino/validate-dependabot@d8ae5c0d03dd75fbd0ad5f8ab4ba8101ebbd4b37 # v3.0.0 + id: validate 
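Review bot: The android job checks out `seladb/libpcap-android` and `seladb/ToyVpn-PcapPlusPlus` (the latter with `submodules: true`) without a `ref:`, so each run links prebuilt `libpcap.a` binaries and builds a Gradle project from whatever those default branches currently hold, while every `uses:` in the same file is SHA-pinned; add `ref: <commit-sha>` to both `with:` blocks. Every `container: seladb/...` image is referenced by mutable tag with no digest, so the build and test environment is likewise not reproducible — `seladb/ubuntu2204@sha256:...` fixes that. The same pattern recurs in test_regressions' `git clone --depth=1 .../libpcap.git` and in the unversioned `pip install cmake-format` and `choco install OpenCppCoverage`; these are test-only and lower risk, but worth pinning for the same reason.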
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
new file mode 100644
index 0000000000..84805e64a6
--- /dev/null
+++ b/.github/workflows/cifuzz.yml
@@ -0,0 +1,38 @@
+name: Fuzz CI
+on:
+ pull_request:
+ branches: ["dev"]
+ schedule:
+ - cron: '0 0 * * 0' # Run every Sunday at midnight
+
+permissions:
+ contents: read
+
+jobs:
+ Fuzzing:
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: true
+ matrix:
+ sanitizer: [address, undefined, memory]
+ steps:
+ - name: Build Fuzzers
+ id: build
+ uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@c2c0632831767ff05c568e7b552cef2801d739ff # master
+ with:
+ oss-fuzz-project-name: 'pcapplusplus'
+ dry-run: false
+ sanitizer: ${{ matrix.sanitizer }}
+ - name: Run Fuzzers
+ uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@c2c0632831767ff05c568e7b552cef2801d739ff # master
+ with:
+ oss-fuzz-project-name: 'pcapplusplus'
+ fuzz-seconds: 600
+ dry-run: false
+ sanitizer: ${{ matrix.sanitizer }}
+ - name: Upload Crash
+ uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+ if: failure() && steps.build.outcome == 'success'
+ with:
+ name: artifacts
+ path: ./out/artifacts
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000000..bf6b0dc7db
--- /dev/null
+++ b/.github/workflows/codeql.yml
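Review bot: The Upload Crash step uses a fixed `name: artifacts` across a three-entry sanitizer matrix, and upload-artifact v4 (pinned here as v4.3.3) rejects a second upload to an artifact name that already exists, so only the first sanitizer that crashes gets its reproducer saved; use `name: artifacts-${{ matrix.sanitizer }}`. `fail-fast: true` compounds this: as soon as one sanitizer job fails, its siblings are cancelled, and a cancelled job never reaches its `if: failure()` upload, so an MSan or UBSan crash found alongside an ASan crash is lost — `fail-fast: false` keeps every sanitizer's artifact. The oss-fuzz actions are correctly SHA-pinned even though they track master.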
@@ -0,0 +1,47 @@
+name: "CodeQL"
+
+on:
+ push:
+ branches: [ "master", "dev" ]
+ workflow_dispatch:
+ schedule:
+ - cron: '0 0 * * 0' # Run every Sunday at midnight
+
+permissions:
+ contents: read
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ container: seladb/ubuntu2204
+ permissions:
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ 'cpp' ]
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@f079b8493333aace61c81488f8bd40919487bd9f # v3.25.7
+ with:
+ languages: ${{ matrix.language }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+
+ # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
+
+ - run: |
+ cmake -S . -B build
+ cmake --build build -j
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@f079b8493333aace61c81488f8bd40919487bd9f # v3.25.7
diff --git a/.github/workflows/doxygen.yml b/.github/workflows/doxygen.yml
new file mode 100644
index 0000000000..1d1c0e7aec
--- /dev/null
+++ b/.github/workflows/doxygen.yml
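Review bot: The `on:` block runs CodeQL only on push to master/dev, manual dispatch and the weekly schedule, so any finding surfaces after the change is already merged rather than on the PR that introduced it; adding `pull_request: branches: ["dev"]` under `on:` makes the scan a gate, and the job-scoped `security-events: write` already covers uploading results in that context. `container: seladb/ubuntu2204` is a mutable tag while both codeql-action steps and checkout are SHA-pinned; referencing the image by digest (`seladb/ubuntu2204@sha256:...`) keeps the analysis environment reproducible. The commented-out `queries:` line leaves the default suite in place, which is fine, but `security-extended` is the usual choice for a library that parses untrusted packet data.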
@@ -0,0 +1,48 @@
+name: Build doxygen
+on:
+ push:
+ branches: ["master", "dev"]
+ pull_request:
+ branches: ["dev"]
+
+permissions:
+ contents: read
+
+jobs:
+ doxygen:
+ runs-on: ubuntu-latest
+ container: seladb/ubuntu2204:latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+
+ - name: Checkout docs repo
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ with:
+ repository: PcapPlusPlus/pcapplusplus.github.io
+ path: pcapplusplus.github.io
+
+ - name: Run doxygen
+ run: |
+ cd pcapplusplus.github.io/static/api-docs/next/doxygen
+ doxygen Doxyfile-ci
+
+ - name: Prepare documentation
+ if: github.ref_name == 'refs/heads/master'
+ run: |
+ cd pcapplusplus.github.io/static/api-docs/
+ find next/ -maxdepth 1 -type f -exec rm {} \;
+ rm -rf next/search/
+ mv next/html/* next/
+
+ - name: Upload documentation
+ if: github.ref_name == 'refs/heads/master'
+ uses: cpina/github-action-push-to-another-repository@main
+ env:
+ SSH_DEPLOY_KEY: ${{ secrets.SSH_DEPLOY_KEY }}
+ with:
+ source-directory: pcapplusplus.github.io
+ destination-github-username: "PcapPlusPlus"
+ destination-repository-name: "pcapplusplus.github.io"
+ user-email: noreply@github.com
+ commit-message: Update API documentation for commit ORIGIN_COMMIT
diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
new file mode 100644
index 0000000000..c97d658999
--- /dev/null
+++ b/.github/workflows/package.yml
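Review bot: Both `if: github.ref_name == 'refs/heads/master'` guards compare the short ref name (`master`) against the full ref string, so they never evaluate true and the Prepare/Upload documentation steps are always skipped; the condition should read `if: github.ref == 'refs/heads/master'` (or `github.ref_name == 'master'`). Once that is fixed, the Upload documentation step hands `SSH_DEPLOY_KEY` — a key with push access to the pcapplusplus.github.io repository — to `cpina/github-action-push-to-another-repository@main`, the only action in this patch that is not SHA-pinned, so a compromise of that action's main branch would expose the key on the next master push; pin it to a commit SHA like the others. `container: seladb/ubuntu2204:latest` has the same mutable-reference problem and should be pinned by digest.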
@@ -0,0 +1,336 @@ +name: Package and release + +on: + push: + tags: + - '*' + pull_request: + paths: + # Also run this workflow when this package.yml is update by a PR + - '.github/workflows/package.yml' + schedule: + - cron: '0 0 * * 0' # Run every Sunday at midnight + +env: + BUILD_DIR: Dist + +permissions: + contents: read + +jobs: + linux: + runs-on: ubuntu-latest + permissions: + contents: write + container: seladb/${{ matrix.image }} + strategy: + matrix: + include: + - image: ubuntu2204 + config-zstd: OFF + - image: ubuntu2204-icpx + config-zstd: OFF + additional-flags: -DCMAKE_C_COMPILER=icx -DCMAKE_CXX_COMPILER=icpx + - image: ubuntu2004 + config-zstd: OFF + - image: ubuntu1804 + config-zstd: OFF + - image: rhel93 + config-zstd: OFF + - image: fedora37 + config-zstd: OFF + - image: alpine317 + config-zstd: OFF + + steps: + - name: Checkout code + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + + # Checkout is performed out of the container and doesn't match our user + - name: Fix checkout ownership + run: chown -R "$(id -u):$(id -g)" "$GITHUB_WORKSPACE" + + - name: Setup Intel Compiler variables + if: contains(matrix.image, 'icpx') + run: | + . /opt/intel/oneapi/setvars.sh + printenv >> $GITHUB_ENV + + - name: Debug Cmake + run: cmake --system-information + + - name: Configure PcapPlusPlus + run: cmake -DPCAPPP_PACKAGE=ON -DLIGHT_PCAPNG_ZSTD=${{ matrix.config-zstd }} ${{ matrix.additional-flags }} -S . 
-B "$BUILD_DIR" + + - name: Build PcapPlusPlus + run: cmake --build "$BUILD_DIR" -j + + - name: Package + run: cmake --build "$BUILD_DIR" --target package + + - name: Upload binaries to release + if: github.ref_type == 'tag' + uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 + with: + draft: true + allowUpdates: true + updateOnlyUnreleased: true + artifacts: "${{ env.BUILD_DIR }}/*.tar.gz,${{ env.BUILD_DIR }}/*.deb,${{ env.BUILD_DIR }}/*.rpm" + + freebsd: + runs-on: ubuntu-latest + permissions: + contents: write + strategy: + matrix: + include: + - freebsd-version: "13.2" + - freebsd-version: "14.0" + steps: + - name: Checkout code + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + + - name: Test in FreeBSD + uses: vmactions/freebsd-vm@f8be330398166d1eb0601f01353839d4052367b2 # v1.0.7 + with: + release: ${{ matrix.freebsd-version }} + envs: 'BUILD_DIR' + usesh: true + prepare: | + pkg install -y bash cmake git-tiny gmake gsed libpcap py39-pip + run: | + cmake -DPCAPPP_PACKAGE=ON -S . -B "$BUILD_DIR" + cmake --build "$BUILD_DIR" -j 4 + cmake --build "$BUILD_DIR" --target package + + - name: Upload binaries to release + if: github.ref_type == 'tag' + uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 + with: + draft: true + allowUpdates: true + updateOnlyUnreleased: true + artifacts: ${{ env.BUILD_DIR }}/*.tar.gz + + macos: + runs-on: macos-12 + permissions: + contents: write + strategy: + matrix: + xcode-version: [14.2.0, 13.4.1] + arch: [x86_64, arm64] + + steps: + - uses: maxim-lobanov/setup-xcode@60606e260d2fc5762a71e64e74b2174e8ea3c8bd # v1.6.0 + with: + xcode-version: "${{ matrix.xcode-version }}" + + - name: Checkout code + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + + - name: Configure PcapPlusPlus + run: | + cmake -DPCAPPP_PACKAGE=ON -DLIGHT_PCAPNG_ZSTD=${{ matrix.config-zstd }} -DCMAKE_OSX_ARCHITECTURES=${{ matrix.arch }} -S . 
-B "$BUILD_DIR" + + - name: Build PcapPlusPlus + run: cmake --build "$BUILD_DIR" -j + + - name: Package + run: cmake --build "$BUILD_DIR" --target package + + - name: Upload binaries to release + if: github.ref_type == 'tag' + uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 + with: + draft: true + allowUpdates: true + updateOnlyUnreleased: true + artifacts: "${{ env.BUILD_DIR }}/*.tar.gz,${{ env.BUILD_DIR }}/*.pkg" + + mingw-w64: + runs-on: windows-latest + permissions: + contents: write + strategy: + matrix: + include: + - env: i686 + sys: mingw32 + - env: x86_64 + sys: mingw64 + + steps: + - name: Checkout code + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + + - name: Setup MSYS2 + uses: msys2/setup-msys2@d0e80f58dffbc64f6a3a1f43527d469b4fc7b6c8 # v2.23.0 + with: + msystem: ${{matrix.sys}} + update: true + install: >- + git + mingw-w64-${{matrix.env}}-cmake + mingw-w64-${{matrix.env}}-gcc + mingw-w64-${{matrix.env}}-make + + - name: Install NPcap + env: + NPCAP_USERNAME: ${{ secrets.NPCAP_USERNAME }} + NPCAP_PASSWORD: ${{ secrets.NPCAP_PASSWORD }} + run: | + ci\install_npcap.bat + echo "PCAP_SDK_DIR=/C/Npcap-sdk" >> $env:GITHUB_ENV + + - name: Configure PcapPlusPlus + shell: msys2 {0} + run: | + cmake -G "MinGW Makefiles" -DPCAP_ROOT=/C/Npcap-sdk -DLIGHT_PCAPNG_ZSTD=OFF -DPCAPPP_PACKAGE=ON -S . 
-B "$BUILD_DIR" + + - name: Debug Cmake + shell: msys2 {0} + run: cmake --system-information + + - name: Build PcapPlusPlus + shell: msys2 {0} + # More than 2 jobs would make the build crash with OOM + # cc1plus.exe: out of memory allocating 65536 bytes + run: cmake --build "$BUILD_DIR" -j 2 + + - name: Package + shell: msys2 {0} + run: cmake --build "$BUILD_DIR" --target package + + - name: Upload binaries to release + if: github.ref_type == 'tag' + uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 + with: + draft: true + allowUpdates: true + updateOnlyUnreleased: true + artifacts: ${{ env.BUILD_DIR }}/*.zip + + visual-studio: + strategy: + matrix: + os: [ windows-2019, windows-2022 ] + arch: [ Win32, x64 ] + configuration: [ Debug, Release ] + + runs-on: ${{ matrix.os }} + permissions: + contents: write + steps: + - name: Checkout code + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + + - name: Add MSBuild to PATH + uses: microsoft/setup-msbuild@6fb02220983dee41ce7ae257b6f4d8f9bf5ed4ce # v2.0.0 + + - name: Install WinPcap + run: | + ci\install_winpcap.bat + echo "PCAP_SDK_DIR=C:\WpdPack" >> $env:GITHUB_ENV + + - name: Configure PcapPlusPlus + run: | + $platform = if ("${{ matrix.os }}" -eq "windows-2019") { "Visual Studio 16 2019" } else { "Visual Studio 17 2022" } + cmake -A ${{ matrix.arch }} -G "$platform" -DPCAP_ROOT=${{ env.PCAP_SDK_DIR }} -DCMAKE_BUILD_TYPE=${{ matrix.configuration }} -DPCAPPP_PACKAGE=ON -S . 
-B "$env:BUILD_DIR" + + - name: Build PcapPlusPlus + run: cmake --build $env:BUILD_DIR --config ${{ matrix.configuration }} -j + + - name: Package + run: cmake --build "$env:BUILD_DIR" --config ${{ matrix.configuration }} --target package + + - name: Upload binaries to release + if: github.ref_type == 'tag' + uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 + with: + draft: true + allowUpdates: true + updateOnlyUnreleased: true + artifacts: ${{ env.BUILD_DIR }}/*.zip + + android-build: + strategy: + matrix: + include: + - target: "armeabi-v7a" + api-version: 30 + - target: "x86" + api-version: 30 + - target: "arm64-v8a" + api-version: 30 + - target: "x86_64" + api-version: 30 + + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + + - name: Checkout lipbcap for Android + uses: actions/checkout@cd7d8d697e10461458bc61a30d094dc601a8b017 # main + with: + repository: seladb/libpcap-android + path: ./libpcap-android + + - name: Configure and Build PcapPlusPlus + run: | + LIBPCAP_PATH="$(pwd)/libpcap-android" + export LIB_DIR="${{ matrix.target }}/${{ matrix.api-version }}" + export LOCAL_BUILD_DIR="${BUILD_DIR}/${LIB_DIR}" + cmake -DPCAPPP_BUILD_EXAMPLES=OFF -DCMAKE_INSTALL_LIBDIR="${LIB_DIR}" -DCMAKE_TOOLCHAIN_FILE="${ANDROID_NDK}/build/cmake/android.toolchain.cmake" -DANDROID_PLATFORM="${{ matrix.api-version }}" -DANDROID_ABI="${{ matrix.target }}" -DPCAP_INCLUDE_DIR="${LIBPCAP_PATH}/include/" -DPCAP_LIBRARY="${LIBPCAP_PATH}/${{ matrix.target }}/${{ matrix.api-version}}/libpcap.a" -DPCAPPP_PACKAGE=ON -S . 
-B "$LOCAL_BUILD_DIR" + cmake --build "$LOCAL_BUILD_DIR" -j --target package + + - name: Prepare package + run: | + export LOCAL_BUILD_DIR="${BUILD_DIR}/${{ matrix.target }}/${{ matrix.api-version }}" + export PACKAGE_FILE=$(ls ${LOCAL_BUILD_DIR} | grep pcapplusplus) + export PACKAGE_DIR=$(basename ${PACKAGE_FILE%} .tar.gz) + export COMBINED_PACKAGE_DIR=$(echo "$PACKAGE_DIR" | cut -f1,2,3 -d'-') + + tar -xvf "${LOCAL_BUILD_DIR}/${PACKAGE_FILE}" + mv "${PACKAGE_DIR}" "${COMBINED_PACKAGE_DIR}" + find . -name example-app -type d -exec rm -r {} + + find . -name cmake -type d -exec rm -r {} + + find . -name pkgconfig -type d -exec rm -r {} + + mv ${COMBINED_PACKAGE_DIR}/include/pcapplusplus/* "${COMBINED_PACKAGE_DIR}/include/" + rmdir "${COMBINED_PACKAGE_DIR}/include/pcapplusplus/" + mkdir -p "android-package" + mv "${COMBINED_PACKAGE_DIR}" "android-package" + + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + with: + path: android-package + name: android-package-${{ matrix.target }}-${{ matrix.api-version }} + if-no-files-found: error + + android-package: + needs: android-build + runs-on: ubuntu-latest + permissions: + contents: write + + steps: + - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 + with: + pattern: android-package-* + merge-multiple: true + + - name: Package into archive + run: | + export PACKAGE_DIR=$(ls | grep pcapplusplus) + echo "PACKAGE_DIR=$PACKAGE_DIR" >> $GITHUB_ENV + tar cvf "${PACKAGE_DIR}.tar.gz" "${PACKAGE_DIR}" + - name: Upload binaries to release + if: github.ref_type == 'tag' + uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 + with: + draft: true + allowUpdates: true + updateOnlyUnreleased: true + artifacts: ${{ env.PACKAGE_DIR }}.tar.gz diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml new file mode 100644 index 0000000000..da39647d47 --- /dev/null +++ b/.github/workflows/scorecards.yml 
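Review bot: The linux job builds the release binaries inside `container: seladb/${{ matrix.image }}` with no tag or digest and then publishes them to the GitHub release under `contents: write`, so what ships is determined by whatever those mutable images resolve to at build time rather than by this repository's history. Pin each matrix entry by digest (e.g. `image: ubuntu2204@sha256:<digest>`) or at least by an immutable tag, and consider publishing checksums of the uploaded artifacts so consumers can verify them. In the `Prepare package` step, `find . -name cmake -type d -exec rm -r {} +` (and the two sibling `find` calls) run from the workspace root rather than inside the extracted package, so they also delete any matching directories in the checked-out tree; scoping them to `"${COMBINED_PACKAGE_DIR}"` keeps the cleanup to the package. The macos matrix also defines no `config-zstd`, so `-DLIGHT_PCAPNG_ZSTD=${{ matrix.config-zstd }}` expands to an empty value there; passing `OFF` explicitly would match the other jobs.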
@@ -0,0 +1,71 @@ +# This workflow uses actions that are not certified by GitHub. They are provided +# by a third-party and are governed by separate terms of service, privacy +# policy, and support documentation. + +name: Scorecard supply-chain security +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '20 7 * * 2' + push: + branches: ["master"] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + contents: read + actions: read + + steps: + - name: "Checkout code" + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3 + with: + results_file: results.sarif + results_format: sarif + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecards on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. + repo_token: ${{ secrets.PAT }} + + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. + # - See https://github.com/ossf/scorecard-action#publishing-results. 
+ # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@f079b8493333aace61c81488f8bd40919487bd9f # v3.25.7 + with: + sarif_file: results.sarif
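Review bot: `repo_token: ${{ secrets.PAT }}` hands a personal access token to a third-party action, and the hunk's own comment describes that token as a "write" PAT; the Branch-Protection check only needs to read repository settings, so a write-capable, long-lived token is more privilege than this step requires and is exposed on every scheduled run. Use a dedicated fine-grained token scoped to this single repository with only the read-only permissions the scorecard-action authentication docs list, rather than reusing a broad classic PAT, and rotate it on a schedule. The `persist-credentials: false` on the checkout step is correct here and worth keeping.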