Mitigate RUSTSEC-2024-0421 #8870
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Daemon+CLI - Build and test | |
on: | |
pull_request: | |
paths: | |
- '**' | |
- '!**/**.md' | |
- '!.github/workflows/**' | |
- '.github/workflows/daemon.yml' | |
- '!.github/CODEOWNERS' | |
- '!android/**' | |
- '!audits/**' | |
- '!build-apk.sh' | |
- '!build.sh' | |
- '!ci/**' | |
- 'ci/check-rust.sh' | |
- '!clippy.toml' | |
- '!deny.toml' | |
- '!docs/**' | |
- '!graphics/**' | |
- '!desktop/**' | |
- '!ios/**' | |
- '!scripts/**' | |
- '!.*ignore' | |
- '!prepare-release.sh' | |
- '!rustfmt.toml' | |
- '!.yamllint' | |
- '!**/osv-scanner.toml' | |
workflow_dispatch: | |
inputs: | |
override_container_image: | |
description: Override container image | |
type: string | |
required: false | |
permissions: {} | |
jobs: | |
prepare-linux: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Use custom container image if specified | |
if: ${{ github.event.inputs.override_container_image != '' }} | |
run: echo "inner_container_image=${{ github.event.inputs.override_container_image }}" | |
>> $GITHUB_ENV | |
- name: Use default container image and resolve digest | |
if: ${{ github.event.inputs.override_container_image == '' }} | |
run: | | |
echo "inner_container_image=$(cat ./building/linux-container-image.txt)" >> $GITHUB_ENV | |
outputs: | |
container_image: ${{ env.inner_container_image }} | |
build-linux: | |
needs: prepare-linux | |
runs-on: ubuntu-latest | |
container: | |
image: ${{ needs.prepare-linux.outputs.container_image }} | |
strategy: | |
matrix: | |
rust: [stable, beta, nightly] | |
continue-on-error: true | |
steps: | |
# Fix for HOME path overridden by GH runners when building in containers, see: | |
# https://github.com/actions/runner/issues/863 | |
- name: Fix HOME path | |
run: echo "HOME=/root" >> $GITHUB_ENV | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Checkout submodules | |
run: | | |
git config --global --add safe.directory '*' | |
git submodule update --init --depth=1 dist-assets/binaries | |
git submodule update --init --recursive --depth=1 wireguard-go-rs | |
# The container image already has rustup and Rust, but only the stable toolchain | |
- name: Install Rust toolchain | |
run: rustup default ${{ matrix.rust }} | |
- name: Build and test crates | |
run: ./ci/check-rust.sh | |
build-macos: | |
runs-on: macos-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Checkout wireguard-go submodule | |
run: | | |
git config --global --add safe.directory '*' | |
git submodule update --init --recursive --depth=1 wireguard-go-rs | |
- name: Install Protoc | |
uses: arduino/setup-protoc@v3 | |
with: | |
repo-token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Install Rust | |
uses: actions-rs/[email protected] | |
with: | |
toolchain: stable | |
default: true | |
- name: Install Go | |
uses: actions/setup-go@v3 | |
with: | |
go-version: 1.21.3 | |
- name: Build and test crates | |
run: ./ci/check-rust.sh | |
build-windows: | |
strategy: | |
matrix: | |
config: | |
- os: windows-latest | |
arch: x64 | |
- os: [self-hosted, ARM64, Windows] | |
arch: arm64 | |
runs-on: ${{ matrix.config.os }} | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Checkout submodules | |
run: git submodule update --init --depth=1 | |
- name: Install Protoc | |
# NOTE: ARM runner already has protoc | |
if: ${{ matrix.config.arch != 'arm64' }} | |
uses: arduino/setup-protoc@v3 | |
with: | |
repo-token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Calculate Windows libraries cache hash | |
id: windows-modules-hash | |
shell: bash | |
run: | | |
hash="$(git grep --recurse-submodules --cached -l '' -- './windows/' \ | |
| grep -v '\.exe$\|\.md$' \ | |
| xargs sha1sum \ | |
| sha1sum \ | |
| cut -d" " -f1)" | |
echo "hash=$hash" >> "$GITHUB_OUTPUT" | |
- name: Cache Windows libraries | |
uses: actions/cache@v2 | |
id: cache-windows-modules | |
with: | |
path: | | |
./windows/*/bin/${{ matrix.config.arch }}-*/*.dll | |
./windows/*/bin/${{ matrix.config.arch }}-*/*.lib | |
!./windows/*/bin/${{ matrix.config.arch }}-*/libcommon.lib | |
!./windows/*/bin/${{ matrix.config.arch }}-*/libshared.lib | |
!./windows/*/bin/${{ matrix.config.arch }}-*/libwfp.lib | |
key: windows-modules-${{ steps.windows-modules-hash.outputs.hash }} | |
# The x64 toolchain is needed to build talpid-openvpn-plugin | |
# TODO: Remove once fixed | |
- name: Install Rust x64 target | |
if: ${{ matrix.config.arch == 'arm64' }} | |
uses: actions-rs/[email protected] | |
with: | |
toolchain: stable | |
target: x86_64-pc-windows-msvc | |
- name: Install Rust | |
uses: actions-rs/[email protected] | |
with: | |
toolchain: stable | |
target: i686-pc-windows-msvc | |
default: true | |
- name: Install msbuild | |
uses: microsoft/[email protected] | |
with: | |
vs-version: 16 | |
- name: Build Windows modules | |
if: steps.cache-windows-modules.outputs.cache-hit != 'true' | |
shell: bash | |
run: ./build-windows-modules.sh | |
- name: Build and test crates | |
shell: bash | |
env: | |
# On Windows, the checkout is on the D drive, which is very small. | |
# Moving the target directory to the C drive ensures that the runner | |
# doesn't run out of space on the D drive. | |
CARGO_TARGET_DIR: "C:/cargo-target" | |
run: ./ci/check-rust.sh |