Use libxml2/xmsec1 for XAdES signature parsing and validation #1398
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: [push, pull_request] | |
permissions: | |
contents: read | |
env: | |
BUILD_NUMBER: ${{ github.run_number }} | |
CMAKE_BUILD_PARALLEL_LEVEL: 4 | |
UBUNTU_DEPS: ./libdigidocpp-pkg/*.deb cmake libldap2-dev gettext libpcsclite-dev libssl-dev libgl-dev libqt6svg6-dev qt6-tools-dev qt6-tools-dev-tools qt6-l10n-tools libflatbuffers-dev zlib1g-dev | |
jobs: | |
macos: | |
name: Build on macOS | |
runs-on: macos-latest | |
env: | |
MACOSX_DEPLOYMENT_TARGET: 12.0 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
submodules: recursive | |
- name: Download artifact | |
uses: dawidd6/action-download-artifact@v6 | |
with: | |
workflow: build.yml | |
branch: master | |
name: macOS | |
path: libdigidocpp-pkg | |
repo: open-eid/libdigidocpp | |
- name: Install dependencies | |
env: | |
HOMEBREW_NO_INSTALLED_DEPENDENTS_CHECK: YES | |
run: | | |
brew install ninja flatbuffers | |
HASH=($(shasum prepare_osx_build_environment.sh)) | |
curl -O -L -s https://installer.id.ee/media/github/opensc_0.23.0.pkg | |
curl -O -L -s https://installer.id.ee/media/github/${HASH}.zip | |
sudo installer -verboseR -pkg libdigidocpp-pkg/libdigidocpp*.pkg -target / | |
sudo installer -verboseR -pkg opensc_*.pkg -target / | |
sudo unzip -qq -d /Library/Developer ${HASH}.zip | |
- name: Build | |
run: | | |
QT_DIR=$(ls -d /Library/Developer/Qt-*-OpenSSL | tail -n 1) | |
cmake "-GNinja" \ | |
-DCMAKE_PREFIX_PATH=${QT_DIR} \ | |
-DOPENSSL_ROOT_DIR=/Library/Developer/OpenSSL \ | |
-DLDAP_ROOT=/Library/Developer/OpenLDAP \ | |
-DCMAKE_OSX_ARCHITECTURES="x86_64;arm64" -B build -S . | |
cmake --build build --target zipdebug macdeployqt zip | |
- name: Archive artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: macOS | |
path: build/qdigidoc4*.zip | |
ubuntu: | |
name: Build on Ubuntu ${{ matrix.container }} | |
runs-on: ubuntu-latest | |
container: ubuntu:${{ matrix.container }} | |
strategy: | |
matrix: | |
container: ['20.04', '22.04', '24.04'] | |
env: | |
DEBIAN_FRONTEND: noninteractive | |
DEBFULLNAME: github-actions | |
DEBEMAIL: github-actions@github.com | |
steps: | |
- name: Download artifact | |
uses: dawidd6/action-download-artifact@v6 | |
with: | |
workflow: build.yml | |
branch: master | |
name: ubuntu_${{ matrix.container }} | |
path: libdigidocpp-pkg | |
repo: open-eid/libdigidocpp | |
- name: Install dependencies | |
if: matrix.container == '20.04' | |
run: apt update -qq && apt install --no-install-recommends -y git lsb-release build-essential devscripts debhelper pkg-config lintian ./libdigidocpp-pkg/*.deb cmake libldap2-dev gettext libpcsclite-dev libssl-dev libqt5svg5-dev qttools5-dev-tools qttools5-dev libflatbuffers-dev zlib1g-dev | |
- name: Install dependencies | |
if: matrix.container != '20.04' | |
run: apt update -qq && apt install --no-install-recommends -y git lsb-release build-essential devscripts debhelper pkg-config lintian ${UBUNTU_DEPS} | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
submodules: recursive | |
- name: Setup changelog | |
run: | | |
rm -rf libdigidocpp-pkg | |
export VERSION=$(grep project CMakeLists.txt | egrep -o "([0-9]{1,}\.)+[0-9]{1,}") | |
export VERSIONEX=${VERSION}.${BUILD_NUMBER}.$(lsb_release -rs) | |
dch --distribution $(lsb_release -cs) -v ${VERSIONEX} "Release ${VERSIONEX}." | |
- name: Build packages | |
run: | | |
dpkg-buildpackage -us -uc | |
mv ../qdigidoc4*.* . | |
- name: Lintian | |
run: lintian *.deb; | |
- name: Archive artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: ubuntu_${{ matrix.container }} | |
path: qdigidoc4*.* | |
fedora: | |
name: Build on Fedora ${{ matrix.container }} | |
runs-on: ubuntu-latest | |
container: fedora:${{ matrix.container }} | |
strategy: | |
matrix: | |
container: [39, 40] | |
steps: | |
- name: Install Deps | |
run: | | |
dnf install -y --setopt=install_weak_deps=False \ | |
git gcc-c++ cmake rpm-build gettext openssl-devel openldap-devel pcsc-lite-devel qt6-qtsvg-devel qt6-qttools-devel flatbuffers-devel flatbuffers-compiler zlib-devel | |
- name: Install CMake | |
if: matrix.container == 39 | |
run: | | |
dnf install -y --setopt=install_weak_deps=False wget | |
wget -q https://github.com/Kitware/CMake/releases/download/v3.28.1/cmake-3.28.1-linux-x86_64.sh | |
sh cmake-3.28.1-linux-x86_64.sh --skip-license --prefix=/usr/local | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
submodules: recursive | |
- name: Download artifact | |
uses: dawidd6/action-download-artifact@v6 | |
with: | |
workflow: build.yml | |
branch: master | |
name: fedora_${{ matrix.container }} | |
path: libdigidocpp-pkg | |
repo: open-eid/libdigidocpp | |
- name: Install artifact | |
run: dnf install -y ./libdigidocpp-pkg/*.rpm | |
- name: Build | |
run: | | |
cmake -DCMAKE_INSTALL_PREFIX=/usr -B build -S . | |
cmake --build build --target all package | |
- name: Archive artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: fedora_${{ matrix.container }} | |
path: build/qdigidoc4*.rpm | |
windows: | |
name: Build on Windows | |
runs-on: ${{ matrix.image }} | |
strategy: | |
matrix: | |
vcver: [142, 143] | |
include: | |
- vcver: 142 | |
image: windows-2019 | |
- vcver: 143 | |
image: windows-2022 | |
env: | |
VER_SUFFIX: .VS${{ matrix.vcver }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
submodules: recursive | |
- name: Download artifact | |
uses: dawidd6/action-download-artifact@v6 | |
with: | |
workflow: build.yml | |
branch: master | |
name: msi_${{ matrix.vcver }}_x64 | |
path: ./ | |
repo: open-eid/libdigidocpp | |
- name: Install artifact | |
run: | | |
Rename-Item "libdigidocpp*.msi" libdigidocpp.msi | |
msiexec /qn /a libdigidocpp.msi "TARGETDIR=$($pwd.Path)\\libs" | |
- name: Prepare vcpkg | |
uses: lukka/run-vcpkg@v7 | |
with: | |
vcpkgArguments: openssl zlib flatbuffers | |
vcpkgGitCommitId: 18b028fe785e707265fa0e35590b7537ae1d12ea | |
vcpkgTriplet: x64-windows | |
- name: Install Qt | |
uses: jurplel/install-qt-action@v4 | |
with: | |
version: 6.7.2 | |
arch: win64_msvc2019_64 | |
- name: Setup dev env | |
uses: ilammy/msvc-dev-cmd@v1 | |
with: | |
arch: x64 | |
- name: Install WiX | |
run: | | |
dotnet tool install -g wix --version 5.0.0 | |
wix extension -g add WixToolset.UI.wixext/5.0.0 | |
- name: Build | |
run: | | |
cmake "-GNinja" -B build -S . -DCMAKE_BUILD_TYPE=RelWithDebInfo ` | |
-DCMAKE_TOOLCHAIN_FILE=${{ env.RUNVCPKG_VCPKG_ROOT }}/scripts/buildsystems/vcpkg.cmake ` | |
"-DLibDigiDocpp_ROOT=libs/PFiles64/libdigidocpp" | |
cmake --build build --target msi | |
cmake --build build --target msishellext | |
cmake --build build --target appx | |
- name: Archive artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: msi_${{ matrix.vcver }}_x64 | |
path: | | |
build/*.msi | |
build/*.appx | |
coverity: | |
name: Run Coverity tests | |
if: github.repository == 'open-eid/DigiDoc4-Client' && contains(github.ref, 'coverity_scan') | |
runs-on: ubuntu-22.04 | |
env: | |
TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }} | |
PROJECTNAME: open-eid/DigiDoc4-Client | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
submodules: recursive | |
- name: Download artifact | |
uses: dawidd6/action-download-artifact@v6 | |
with: | |
workflow: build.yml | |
branch: master | |
name: ubuntu_22.04 | |
path: libdigidocpp-pkg | |
repo: open-eid/libdigidocpp | |
- name: Install dependencies | |
run: sudo apt update -qq && sudo apt install --no-install-recommends -y ${UBUNTU_DEPS} | |
- name: Download Coverity Build Tool | |
run: | | |
curl -s -d "token=$TOKEN&project=$PROJECTNAME" -o cov-analysis-linux64.tar.gz https://scan.coverity.com/download/cxx/linux64 | |
mkdir cov-analysis-linux64 | |
tar xzf cov-analysis-linux64.tar.gz --strip 1 -C cov-analysis-linux64 | |
- name: Build | |
run: | | |
cmake . | |
export PATH=$PWD/cov-analysis-linux64/bin:$PATH | |
cov-build --dir cov-int make | |
- name: Submit the result to Coverity Scan | |
run: | | |
tar czvf upload.tgz cov-int | |
curl -s \ | |
-F project=$PROJECTNAME \ | |
-F token=$TOKEN \ | |
-F email=eid-teenusehaldus@ria.ee \ | |
-F file=@upload.tgz \ | |
-F version=master \ | |
-F description="Github Actions CI build" \ | |
https://scan.coverity.com/builds?project=$PROJECTNAME | |
codeql: | |
name: Run CodeQL tests | |
if: github.repository == 'open-eid/DigiDoc4-Client' | |
runs-on: ubuntu-22.04 | |
permissions: | |
security-events: write | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
submodules: recursive | |
- name: Download artifact | |
uses: dawidd6/action-download-artifact@v6 | |
with: | |
workflow: build.yml | |
branch: master | |
name: ubuntu_22.04 | |
path: libdigidocpp-pkg | |
repo: open-eid/libdigidocpp | |
- name: Install dependencies | |
run: sudo apt update -qq && sudo apt install --no-install-recommends -y ${UBUNTU_DEPS} | |
- name: Initialize CodeQL | |
uses: github/codeql-action/init@v3 | |
with: | |
languages: cpp | |
queries: +security-and-quality | |
- name: Autobuild | |
uses: github/codeql-action/autobuild@v3 | |
- name: Perform CodeQL Analysis | |
uses: github/codeql-action/analyze@v3 | |
with: | |
upload: False | |
output: sarif-results | |
- name: Filter results | |
uses: advanced-security/filter-sarif@develop | |
with: | |
patterns: | | |
-**/*autogen*/** | |
-**/common/qtsingleapplication/** | |
-**:cpp/loop-variable-changed | |
-**:cpp/poorly-documented-function | |
input: sarif-results/cpp.sarif | |
output: sarif-results/cpp.sarif | |
- name: Upload results | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: sarif-results/cpp.sarif |