[StepSecurity] Apply security best practices #20
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Package and release | |
on: | |
push: | |
tags: | |
- '*' | |
pull_request: | |
paths: | |
# Also run this workflow when this package.yml is update by a PR | |
- '.github/workflows/package.yml' | |
env: | |
BUILD_DIR: Dist | |
jobs: | |
linux: | |
runs-on: ubuntu-latest | |
container: seladb/${{ matrix.image }} | |
strategy: | |
matrix: | |
include: | |
- image: ubuntu2204 | |
config-zstd: OFF | |
- image: ubuntu2204-icpx | |
config-zstd: OFF | |
additional-flags: -DCMAKE_C_COMPILER=icx -DCMAKE_CXX_COMPILER=icpx | |
- image: ubuntu2004 | |
config-zstd: OFF | |
- image: ubuntu1804 | |
config-zstd: OFF | |
- image: rhel93 | |
config-zstd: OFF | |
- image: fedora37 | |
config-zstd: OFF | |
- image: alpine317 | |
config-zstd: OFF | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 | |
with: | |
egress-policy: audit | |
- name: Checkout code | |
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 | |
# Checkout is performed out of the container and doesn't match our user | |
- name: Fix checkout ownership | |
run: chown -R "$(id -u):$(id -g)" "$GITHUB_WORKSPACE" | |
- name: Setup Intel Compiler variables | |
if: contains(matrix.image, 'icpx') | |
run: | | |
. /opt/intel/oneapi/setvars.sh | |
printenv >> $GITHUB_ENV | |
- name: Debug Cmake | |
run: cmake --system-information | |
- name: Configure PcapPlusPlus | |
run: cmake -DPCAPPP_PACKAGE=ON -DLIGHT_PCAPNG_ZSTD=${{ matrix.config-zstd }} ${{ matrix.additional-flags }} -S . -B "$BUILD_DIR" | |
- name: Build PcapPlusPlus | |
run: cmake --build "$BUILD_DIR" -j | |
- name: Package | |
run: cmake --build "$BUILD_DIR" --target package | |
- name: Upload binaries to release | |
if: github.ref_type == 'tag' | |
uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 | |
with: | |
draft: true | |
allowUpdates: true | |
updateOnlyUnreleased: true | |
artifacts: "${{ env.BUILD_DIR }}/*.tar.gz,${{ env.BUILD_DIR }}/*.deb,${{ env.BUILD_DIR }}/*.rpm" | |
freebsd: | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
include: | |
- freebsd-version: "13.2" | |
- freebsd-version: "14.0" | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 | |
with: | |
egress-policy: audit | |
- name: Checkout code | |
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 | |
- name: Test in FreeBSD | |
uses: vmactions/freebsd-vm@f8be330398166d1eb0601f01353839d4052367b2 # v1.0.7 | |
with: | |
release: ${{ matrix.freebsd-version }} | |
envs: 'BUILD_DIR' | |
usesh: true | |
prepare: | | |
pkg install -y bash cmake git-tiny gmake gsed libpcap py39-pip | |
run: | | |
cmake -DPCAPPP_PACKAGE=ON -S . -B "$BUILD_DIR" | |
cmake --build "$BUILD_DIR" -j 4 | |
cmake --build "$BUILD_DIR" --target package | |
- name: Upload binaries to release | |
if: github.ref_type == 'tag' | |
uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 | |
with: | |
draft: true | |
allowUpdates: true | |
updateOnlyUnreleased: true | |
artifacts: ${{ env.BUILD_DIR }}/*.tar.gz | |
macos: | |
runs-on: macos-12 | |
strategy: | |
matrix: | |
xcode-version: [14.2.0, 13.4.1] | |
arch: [x86_64, arm64] | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 | |
with: | |
egress-policy: audit | |
- uses: maxim-lobanov/setup-xcode@60606e260d2fc5762a71e64e74b2174e8ea3c8bd # v1.6.0 | |
with: | |
xcode-version: "${{ matrix.xcode-version }}" | |
- name: Checkout code | |
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 | |
- name: Configure PcapPlusPlus | |
run: | | |
cmake -DPCAPPP_PACKAGE=ON -DLIGHT_PCAPNG_ZSTD=${{ matrix.config-zstd }} -DCMAKE_OSX_ARCHITECTURES=${{ matrix.arch }} -S . -B "$BUILD_DIR" | |
- name: Build PcapPlusPlus | |
run: cmake --build "$BUILD_DIR" -j | |
- name: Package | |
run: cmake --build "$BUILD_DIR" --target package | |
- name: Upload binaries to release | |
if: github.ref_type == 'tag' | |
uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 | |
with: | |
draft: true | |
allowUpdates: true | |
updateOnlyUnreleased: true | |
artifacts: "${{ env.BUILD_DIR }}/*.tar.gz,${{ env.BUILD_DIR }}/*.pkg" | |
mingw-w64: | |
runs-on: windows-latest | |
strategy: | |
matrix: | |
include: | |
- env: i686 | |
sys: mingw32 | |
- env: x86_64 | |
sys: mingw64 | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 | |
with: | |
egress-policy: audit | |
- name: Checkout code | |
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 | |
- name: Setup MSYS2 | |
uses: msys2/setup-msys2@cc11e9188b693c2b100158c3322424c4cc1dadea # v2.22.0 | |
with: | |
msystem: ${{matrix.sys}} | |
update: true | |
install: >- | |
git | |
mingw-w64-${{matrix.env}}-cmake | |
mingw-w64-${{matrix.env}}-gcc | |
mingw-w64-${{matrix.env}}-make | |
- name: Install NPcap | |
env: | |
NPCAP_USERNAME: ${{ secrets.NPCAP_USERNAME }} | |
NPCAP_PASSWORD: ${{ secrets.NPCAP_PASSWORD }} | |
run: | | |
ci\install_npcap.bat | |
echo "PCAP_SDK_DIR=/C/Npcap-sdk" >> $env:GITHUB_ENV | |
- name: Configure PcapPlusPlus | |
shell: msys2 {0} | |
run: | | |
cmake -G "MinGW Makefiles" -DPCAP_ROOT=/C/Npcap-sdk -DLIGHT_PCAPNG_ZSTD=OFF -DPCAPPP_PACKAGE=ON -S . -B "$BUILD_DIR" | |
- name: Debug Cmake | |
shell: msys2 {0} | |
run: cmake --system-information | |
- name: Build PcapPlusPlus | |
shell: msys2 {0} | |
# More than 2 jobs would make the build crash with OOM | |
# cc1plus.exe: out of memory allocating 65536 bytes | |
run: cmake --build "$BUILD_DIR" -j 2 | |
- name: Package | |
shell: msys2 {0} | |
run: cmake --build "$BUILD_DIR" --target package | |
- name: Upload binaries to release | |
if: github.ref_type == 'tag' | |
uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 | |
with: | |
draft: true | |
allowUpdates: true | |
updateOnlyUnreleased: true | |
artifacts: ${{ env.BUILD_DIR }}/*.zip | |
visual-studio: | |
strategy: | |
matrix: | |
os: [ windows-2019, windows-2022 ] | |
arch: [ Win32, x64 ] | |
configuration: [ Debug, Release ] | |
runs-on: ${{ matrix.os }} | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 | |
with: | |
egress-policy: audit | |
- name: Checkout code | |
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 | |
- name: Add MSBuild to PATH | |
uses: microsoft/setup-msbuild@6fb02220983dee41ce7ae257b6f4d8f9bf5ed4ce # v2.0.0 | |
- name: Install WinPcap | |
run: | | |
ci\install_winpcap.bat | |
echo "PCAP_SDK_DIR=C:\WpdPack" >> $env:GITHUB_ENV | |
- name: Configure PcapPlusPlus | |
run: | | |
$platform = if ("${{ matrix.os }}" -eq "windows-2019") { "Visual Studio 16 2019" } else { "Visual Studio 17 2022" } | |
cmake -A ${{ matrix.arch }} -G "$platform" -DPCAP_ROOT=${{ env.PCAP_SDK_DIR }} -DCMAKE_BUILD_TYPE=${{ matrix.configuration }} -DPCAPPP_PACKAGE=ON -S . -B "$env:BUILD_DIR" | |
- name: Build PcapPlusPlus | |
run: cmake --build $env:BUILD_DIR --config ${{ matrix.configuration }} -j | |
- name: Package | |
run: cmake --build "$env:BUILD_DIR" --config ${{ matrix.configuration }} --target package | |
- name: Upload binaries to release | |
if: github.ref_type == 'tag' | |
uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 | |
with: | |
draft: true | |
allowUpdates: true | |
updateOnlyUnreleased: true | |
artifacts: ${{ env.BUILD_DIR }}/*.zip | |
android-build: | |
strategy: | |
matrix: | |
include: | |
- target: "armeabi-v7a" | |
api-version: 30 | |
- target: "x86" | |
api-version: 30 | |
- target: "arm64-v8a" | |
api-version: 30 | |
- target: "x86_64" | |
api-version: 30 | |
runs-on: ubuntu-latest | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 | |
with: | |
egress-policy: audit | |
- name: Checkout code | |
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 | |
- name: Checkout lipbcap for Android | |
uses: actions/checkout@cd7d8d697e10461458bc61a30d094dc601a8b017 # main | |
with: | |
repository: seladb/libpcap-android | |
path: ./libpcap-android | |
- name: Configure and Build PcapPlusPlus | |
run: | | |
LIBPCAP_PATH="$(pwd)/libpcap-android" | |
export LIB_DIR="${{ matrix.target }}/${{ matrix.api-version }}" | |
export LOCAL_BUILD_DIR="${BUILD_DIR}/${LIB_DIR}" | |
cmake -DPCAPPP_BUILD_EXAMPLES=OFF -DCMAKE_INSTALL_LIBDIR="${LIB_DIR}" -DCMAKE_TOOLCHAIN_FILE="${ANDROID_NDK}/build/cmake/android.toolchain.cmake" -DANDROID_PLATFORM="${{ matrix.api-version }}" -DANDROID_ABI="${{ matrix.target }}" -DPCAP_INCLUDE_DIR="${LIBPCAP_PATH}/include/" -DPCAP_LIBRARY="${LIBPCAP_PATH}/${{ matrix.target }}/${{ matrix.api-version}}/libpcap.a" -DPCAPPP_PACKAGE=ON -S . -B "$LOCAL_BUILD_DIR" | |
cmake --build "$LOCAL_BUILD_DIR" -j --target package | |
- name: Prepare package | |
run: | | |
export LOCAL_BUILD_DIR="${BUILD_DIR}/${{ matrix.target }}/${{ matrix.api-version }}" | |
export PACKAGE_FILE=$(ls ${LOCAL_BUILD_DIR} | grep pcapplusplus) | |
export PACKAGE_DIR=$(basename ${PACKAGE_FILE%} .tar.gz) | |
export COMBINED_PACKAGE_DIR=$(echo "$PACKAGE_DIR" | cut -f1,2,3 -d'-') | |
tar -xvf "${LOCAL_BUILD_DIR}/${PACKAGE_FILE}" | |
mv "${PACKAGE_DIR}" "${COMBINED_PACKAGE_DIR}" | |
find . -name example-app -type d -exec rm -r {} + | |
find . -name cmake -type d -exec rm -r {} + | |
find . -name pkgconfig -type d -exec rm -r {} + | |
mv ${COMBINED_PACKAGE_DIR}/include/pcapplusplus/* "${COMBINED_PACKAGE_DIR}/include/" | |
rmdir "${COMBINED_PACKAGE_DIR}/include/pcapplusplus/" | |
mkdir -p "android-package" | |
mv "${COMBINED_PACKAGE_DIR}" "android-package" | |
- uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 | |
with: | |
path: android-package | |
name: android-package-${{ matrix.target }}-${{ matrix.api-version }} | |
if-no-files-found: error | |
android-package: | |
needs: android-build | |
runs-on: ubuntu-latest | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 | |
with: | |
egress-policy: audit | |
- uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 | |
with: | |
pattern: android-package-* | |
merge-multiple: true | |
- name: Package into archive | |
run: | | |
export PACKAGE_DIR=$(ls | grep pcapplusplus) | |
echo "PACKAGE_DIR=$PACKAGE_DIR" >> $GITHUB_ENV | |
tar cvf "${PACKAGE_DIR}.tar.gz" "${PACKAGE_DIR}" | |
- name: Upload binaries to release | |
if: github.ref_type == 'tag' | |
uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 | |
with: | |
draft: true | |
allowUpdates: true | |
updateOnlyUnreleased: true | |
artifacts: ${{ env.PACKAGE_DIR }}.tar.gz |