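# CI workflow for quicreach: builds across an OS / arch / TLS / link matrix,
# runs CodeQL on one matrix leg, uploads the binaries, and runs the installed
# tool against a few public hosts as a smoke test.
name: Build

on:
  push:
    branches: main
  pull_request:
    branches: main

# Workflow-wide default for GITHUB_TOKEN: read-only on every scope. Jobs
# override this with their own `permissions:` block where they need to.
permissions: read-all

jobs:
  dependabot-merge:
    name: Merge Dependabot
    runs-on: ubuntu-latest
    needs: []
    # NOTE(review): this job declares no `permissions:` of its own, so the
    # GITHUB_TOKEN handed to the action below inherits the read-only default
    # above. Merging a pull request normally needs write access; confirm that
    # auto-merge actually works here. If it is wanted, grant the narrowest
    # job-level scopes instead of widening the workflow default.
    steps:
      # Third-party action, pinned to a full commit SHA rather than a tag.
      - uses: ahmadnassri/action-dependabot-auto-merge@45fc124d949b19b6b8bf6645b6c9d55f4f9ac61a
        # On push events the job still starts, but this (only) step is skipped.
        if: ${{ github.event_name == 'pull_request' }}
        with:
          target: minor
          github-token: ${{ secrets.GITHUB_TOKEN }}

  build:
    strategy:
      # Let every matrix leg finish even if another one fails.
      fail-fast: false
      matrix:
        os: [ubuntu, windows]
        arch: [x86, x64, arm64]
        tls: [schannel, openssl]
        link: [static, shared]
        # ubuntu legs are never built with schannel or for x86.
        exclude:
          - os: ubuntu
            tls: schannel
          - os: ubuntu
            arch: x86
    permissions:
      # required for all workflows
      security-events: write
      # required to fetch internal or private CodeQL packs
      packages: read
      # only required for workflows in private repositories
      actions: read
      contents: read
    name: Build
    runs-on: ${{ matrix.os }}-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350
        with:
          # Audit mode only records outbound connections; nothing is blocked.
          # Moving to `block` with an `allowed-endpoints` list would need the
          # hosts contacted by the build and by the Test steps allow-listed.
          egress-policy: audit
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          submodules: 'recursive'
      - name: Install Perl
        if: runner.os == 'Windows'
        uses: shogo82148/actions-setup-perl@b87d1e37759952f1474fdac8a45d6996cf3d5512
        with:
          perl-version: '5.34'
      - name: Install NASM
        if: runner.os == 'Windows'
        uses: ilammy/setup-nasm@13cbeb366c45c4379d3478cdcbadd8295feb5028
      - name: Install libnuma-dev
        # `runner.os` is one of Linux, Windows or macOS. The previous condition
        # compared it with 'Ubuntu', which never matches, so this step was
        # always skipped. 'Linux' matches the Test (Linux) step below.
        if: runner.os == 'Linux'
        run: sudo apt-get install -y libnuma-dev
      # CodeQL runs on a single leg only: ubuntu / x64 / shared (the ubuntu
      # legs are openssl-only because of the matrix excludes above).
      - name: Initialize CodeQL
        if: ${{ (matrix.os == 'ubuntu') && (matrix.arch == 'x64') && (matrix.link == 'shared') }}
        uses: github/codeql-action/init@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c
        with:
          languages: c-cpp
          # manual: the database is built from the explicit Build step below.
          build-mode: manual
          config: |
            queries:
              - uses: security-and-quality # (very verbose)
            query-filters:
              - exclude:
                  id: cpp/loop-variable-changed
              - exclude:
                  id: cpp/include-non-header
      - name: Build
        shell: pwsh
        # The interpolated values come from the static matrix defined in this
        # file, not from event data.
        run: ./build.ps1 -Arch ${{ matrix.arch }} -Tls ${{ matrix.tls }} -Link ${{ matrix.link }} -Install -BuildInstaller -Debug
      - name: Perform CodeQL Analysis
        if: ${{ (matrix.os == 'ubuntu') && (matrix.arch == 'x64') && (matrix.link == 'shared') }}
        uses: github/codeql-action/analyze@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c
        with:
          category: "/language:c-cpp"
          # Results are written to sarif-results/ so they can be filtered
          # before the explicit Upload SARIF step publishes them.
          output: sarif-results
          upload: failure-only
      - name: Filter SARIF
        if: ${{ (matrix.os == 'ubuntu') && (matrix.arch == 'x64') && (matrix.link == 'shared') }}
        uses: advanced-security/filter-sarif@f3b8118a9349d88f7b1c0c488476411145b6270d
        with:
          # Drops findings under msquic/ and build/ (presumably the vendored
          # submodule and generated output - confirm). The file is rewritten
          # in place: input and output are the same path.
          patterns: |
            -msquic/**/*
            -build/**/*
          input: sarif-results/cpp.sarif
          output: sarif-results/cpp.sarif
      - name: Upload SARIF
        if: ${{ (matrix.os == 'ubuntu') && (matrix.arch == 'x64') && (matrix.link == 'shared') }}
        uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c
        with:
          sarif_file: sarif-results/cpp.sarif
      - name: Upload SARIF to Artifacts
        if: ${{ (matrix.os == 'ubuntu') && (matrix.arch == 'x64') && (matrix.link == 'shared') }}
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08
        with:
          name: sarif-results
          path: sarif-results
      - name: Upload
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08
        with:
          # One artifact per matrix leg; the name encodes the leg.
          name: bin-${{ matrix.os }}-${{ matrix.arch }}-${{ matrix.tls }}-${{ matrix.link }}
          path: |
            build/bin/**/*.so
            build/bin/**/*.dll
            build/bin/**/quicreach
            build/bin/**/quicreach.exe
            build/bin/**/quicreach.msi
      # The Test steps run the installed binary against public hosts, so they
      # depend on outbound network access from the runner.
      - name: Test (Linux)
        if: runner.os == 'Linux'
        run: /usr/local/bin/quicreach outlook-evergreen.office.com,www.cloudflare.com,www.google.com --req-all --stats
      - name: Test (Windows, x64)
        if: ${{ runner.os == 'Windows' && matrix.arch == 'x64' }}
        run: |
          & 'C:/Program Files/quicreach/bin/quicreach' outlook-evergreen.office.com,www.cloudflare.com,www.google.com --req-all --stats
      - name: Test (Windows, x86)
        if: ${{ runner.os == 'Windows' && matrix.arch == 'x86' }}
        run: |
          & 'C:/Program Files (x86)/quicreach/bin/quicreach' outlook-evergreen.office.com,www.cloudflare.com,www.google.com --req-all --stats

  # Single summary job: runs even when `build` legs fail (`always()`) and
  # passes the results of the needed jobs to alls-green.
  Complete:
    name: Complete
    if: always()
    needs: [build]
    runs-on: ubuntu-latest
    permissions: {}  # No need for any permissions.
    steps:
      - name: Decide whether the needed jobs succeeded or failed
        uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe
        with:
          jobs: ${{ toJSON(needs) }}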