From c4fa2ac607dbedf3ab49fc813eff778fb5769d29 Mon Sep 17 00:00:00 2001
From: Nicolas Williams <nico@cryptonector.com>
Date: Mon, 31 Jul 2023 17:30:35 -0500
Subject: [PATCH] Enable stack protection (CI release executables)

---
 .github/workflows/ci.yml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e1461a60e9..1f23689ff2 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -92,7 +92,8 @@ jobs:
             --disable-valgrind \
             --with-oniguruma=builtin \
             --enable-static \
-            --enable-all-static
+            --enable-all-static \
+            CFLAGS="-O2 -pthread -fstack-protector-all"
           make -j"$(nproc)"
           file ./jq
           cp ./jq jq-${{ env.SUFFIX }}
@@ -100,6 +101,7 @@ jobs:
         # Only run tests for amd64 matching the CI machine arch
         if: ${{ matrix.arch == 'amd64' }}
         run: |
+          nm jq | grep __stack_chk_fail
           make check VERBOSE=yes
           git diff --exit-code
       - name: Upload Test Logs
@@ -157,7 +159,8 @@ jobs:
             --disable-valgrind \
             --with-oniguruma=builtin \
             --enable-static \
-            --enable-all-static
+            --enable-all-static \
+            CFLAGS="-O2 -pthread -fstack-protector-all"
           make -j"$(nproc)"
           strip ./jq
           file ./jq
@@ -234,9 +237,11 @@ jobs:
             --with-oniguruma=builtin \
             --disable-shared \
             --enable-static \
-            --enable-all-static
+            --enable-all-static \
+            CFLAGS="-O2 -pthread -fstack-protector-all"
           make -j$(nproc)
           file ./jq.exe
+          nm ./jq.exe | grep __stack_chk_fail
           cp ./jq.exe jq-${{ env.SUFFIX }}.exe
       - name: Test
         # Only run tests for amd64 matching the CI machine arch