Skip to content

[StepSecurity] Apply security best practices #20

[StepSecurity] Apply security best practices

[StepSecurity] Apply security best practices #20

Workflow file for this run

name: Package and release
on:
push:
tags:
- '*'
pull_request:
paths:
# Also run this workflow when this package.yml is update by a PR
- '.github/workflows/package.yml'
env:
BUILD_DIR: Dist
jobs:
linux:
runs-on: ubuntu-latest
container: seladb/${{ matrix.image }}
strategy:
matrix:
include:
- image: ubuntu2204
config-zstd: OFF
- image: ubuntu2204-icpx
config-zstd: OFF
additional-flags: -DCMAKE_C_COMPILER=icx -DCMAKE_CXX_COMPILER=icpx
- image: ubuntu2004
config-zstd: OFF
- image: ubuntu1804
config-zstd: OFF
- image: rhel93
config-zstd: OFF
- image: fedora37
config-zstd: OFF
- image: alpine317
config-zstd: OFF
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
# Checkout is performed out of the container and doesn't match our user
- name: Fix checkout ownership
run: chown -R "$(id -u):$(id -g)" "$GITHUB_WORKSPACE"
- name: Setup Intel Compiler variables
if: contains(matrix.image, 'icpx')
run: |
. /opt/intel/oneapi/setvars.sh
printenv >> $GITHUB_ENV
- name: Debug Cmake
run: cmake --system-information
- name: Configure PcapPlusPlus
run: cmake -DPCAPPP_PACKAGE=ON -DLIGHT_PCAPNG_ZSTD=${{ matrix.config-zstd }} ${{ matrix.additional-flags }} -S . -B "$BUILD_DIR"
- name: Build PcapPlusPlus
run: cmake --build "$BUILD_DIR" -j
- name: Package
run: cmake --build "$BUILD_DIR" --target package
- name: Upload binaries to release
if: github.ref_type == 'tag'
uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
with:
draft: true
allowUpdates: true
updateOnlyUnreleased: true
artifacts: "${{ env.BUILD_DIR }}/*.tar.gz,${{ env.BUILD_DIR }}/*.deb,${{ env.BUILD_DIR }}/*.rpm"
freebsd:
runs-on: ubuntu-latest
strategy:
matrix:
include:
- freebsd-version: "13.2"
- freebsd-version: "14.0"
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: Test in FreeBSD
uses: vmactions/freebsd-vm@f8be330398166d1eb0601f01353839d4052367b2 # v1.0.7
with:
release: ${{ matrix.freebsd-version }}
envs: 'BUILD_DIR'
usesh: true
prepare: |
pkg install -y bash cmake git-tiny gmake gsed libpcap py39-pip
run: |
cmake -DPCAPPP_PACKAGE=ON -S . -B "$BUILD_DIR"
cmake --build "$BUILD_DIR" -j 4
cmake --build "$BUILD_DIR" --target package
- name: Upload binaries to release
if: github.ref_type == 'tag'
uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
with:
draft: true
allowUpdates: true
updateOnlyUnreleased: true
artifacts: ${{ env.BUILD_DIR }}/*.tar.gz
macos:
runs-on: macos-12
strategy:
matrix:
xcode-version: [14.2.0, 13.4.1]
arch: [x86_64, arm64]
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- uses: maxim-lobanov/setup-xcode@60606e260d2fc5762a71e64e74b2174e8ea3c8bd # v1.6.0
with:
xcode-version: "${{ matrix.xcode-version }}"
- name: Checkout code
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: Configure PcapPlusPlus
run: |
cmake -DPCAPPP_PACKAGE=ON -DLIGHT_PCAPNG_ZSTD=${{ matrix.config-zstd }} -DCMAKE_OSX_ARCHITECTURES=${{ matrix.arch }} -S . -B "$BUILD_DIR"
- name: Build PcapPlusPlus
run: cmake --build "$BUILD_DIR" -j
- name: Package
run: cmake --build "$BUILD_DIR" --target package
- name: Upload binaries to release
if: github.ref_type == 'tag'
uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
with:
draft: true
allowUpdates: true
updateOnlyUnreleased: true
artifacts: "${{ env.BUILD_DIR }}/*.tar.gz,${{ env.BUILD_DIR }}/*.pkg"
mingw-w64:
runs-on: windows-latest
strategy:
matrix:
include:
- env: i686
sys: mingw32
- env: x86_64
sys: mingw64
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: Setup MSYS2
uses: msys2/setup-msys2@cc11e9188b693c2b100158c3322424c4cc1dadea # v2.22.0
with:
msystem: ${{matrix.sys}}
update: true
install: >-
git
mingw-w64-${{matrix.env}}-cmake
mingw-w64-${{matrix.env}}-gcc
mingw-w64-${{matrix.env}}-make
- name: Install NPcap
env:
NPCAP_USERNAME: ${{ secrets.NPCAP_USERNAME }}
NPCAP_PASSWORD: ${{ secrets.NPCAP_PASSWORD }}
run: |
ci\install_npcap.bat
echo "PCAP_SDK_DIR=/C/Npcap-sdk" >> $env:GITHUB_ENV
- name: Configure PcapPlusPlus
shell: msys2 {0}
run: |
cmake -G "MinGW Makefiles" -DPCAP_ROOT=/C/Npcap-sdk -DLIGHT_PCAPNG_ZSTD=OFF -DPCAPPP_PACKAGE=ON -S . -B "$BUILD_DIR"
- name: Debug Cmake
shell: msys2 {0}
run: cmake --system-information
- name: Build PcapPlusPlus
shell: msys2 {0}
# More than 2 jobs would make the build crash with OOM
# cc1plus.exe: out of memory allocating 65536 bytes
run: cmake --build "$BUILD_DIR" -j 2
- name: Package
shell: msys2 {0}
run: cmake --build "$BUILD_DIR" --target package
- name: Upload binaries to release
if: github.ref_type == 'tag'
uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
with:
draft: true
allowUpdates: true
updateOnlyUnreleased: true
artifacts: ${{ env.BUILD_DIR }}/*.zip
visual-studio:
strategy:
matrix:
os: [ windows-2019, windows-2022 ]
arch: [ Win32, x64 ]
configuration: [ Debug, Release ]
runs-on: ${{ matrix.os }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: Add MSBuild to PATH
uses: microsoft/setup-msbuild@6fb02220983dee41ce7ae257b6f4d8f9bf5ed4ce # v2.0.0
- name: Install WinPcap
run: |
ci\install_winpcap.bat
echo "PCAP_SDK_DIR=C:\WpdPack" >> $env:GITHUB_ENV
- name: Configure PcapPlusPlus
run: |
$platform = if ("${{ matrix.os }}" -eq "windows-2019") { "Visual Studio 16 2019" } else { "Visual Studio 17 2022" }
cmake -A ${{ matrix.arch }} -G "$platform" -DPCAP_ROOT=${{ env.PCAP_SDK_DIR }} -DCMAKE_BUILD_TYPE=${{ matrix.configuration }} -DPCAPPP_PACKAGE=ON -S . -B "$env:BUILD_DIR"
- name: Build PcapPlusPlus
run: cmake --build $env:BUILD_DIR --config ${{ matrix.configuration }} -j
- name: Package
run: cmake --build "$env:BUILD_DIR" --config ${{ matrix.configuration }} --target package
- name: Upload binaries to release
if: github.ref_type == 'tag'
uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
with:
draft: true
allowUpdates: true
updateOnlyUnreleased: true
artifacts: ${{ env.BUILD_DIR }}/*.zip
android-build:
strategy:
matrix:
include:
- target: "armeabi-v7a"
api-version: 30
- target: "x86"
api-version: 30
- target: "arm64-v8a"
api-version: 30
- target: "x86_64"
api-version: 30
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: Checkout lipbcap for Android
uses: actions/checkout@cd7d8d697e10461458bc61a30d094dc601a8b017 # main
with:
repository: seladb/libpcap-android
path: ./libpcap-android
- name: Configure and Build PcapPlusPlus
run: |
LIBPCAP_PATH="$(pwd)/libpcap-android"
export LIB_DIR="${{ matrix.target }}/${{ matrix.api-version }}"
export LOCAL_BUILD_DIR="${BUILD_DIR}/${LIB_DIR}"
cmake -DPCAPPP_BUILD_EXAMPLES=OFF -DCMAKE_INSTALL_LIBDIR="${LIB_DIR}" -DCMAKE_TOOLCHAIN_FILE="${ANDROID_NDK}/build/cmake/android.toolchain.cmake" -DANDROID_PLATFORM="${{ matrix.api-version }}" -DANDROID_ABI="${{ matrix.target }}" -DPCAP_INCLUDE_DIR="${LIBPCAP_PATH}/include/" -DPCAP_LIBRARY="${LIBPCAP_PATH}/${{ matrix.target }}/${{ matrix.api-version}}/libpcap.a" -DPCAPPP_PACKAGE=ON -S . -B "$LOCAL_BUILD_DIR"
cmake --build "$LOCAL_BUILD_DIR" -j --target package
- name: Prepare package
run: |
export LOCAL_BUILD_DIR="${BUILD_DIR}/${{ matrix.target }}/${{ matrix.api-version }}"
export PACKAGE_FILE=$(ls ${LOCAL_BUILD_DIR} | grep pcapplusplus)
export PACKAGE_DIR=$(basename ${PACKAGE_FILE%} .tar.gz)
export COMBINED_PACKAGE_DIR=$(echo "$PACKAGE_DIR" | cut -f1,2,3 -d'-')
tar -xvf "${LOCAL_BUILD_DIR}/${PACKAGE_FILE}"
mv "${PACKAGE_DIR}" "${COMBINED_PACKAGE_DIR}"
find . -name example-app -type d -exec rm -r {} +
find . -name cmake -type d -exec rm -r {} +
find . -name pkgconfig -type d -exec rm -r {} +
mv ${COMBINED_PACKAGE_DIR}/include/pcapplusplus/* "${COMBINED_PACKAGE_DIR}/include/"
rmdir "${COMBINED_PACKAGE_DIR}/include/pcapplusplus/"
mkdir -p "android-package"
mv "${COMBINED_PACKAGE_DIR}" "android-package"
- uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
path: android-package
name: android-package-${{ matrix.target }}-${{ matrix.api-version }}
if-no-files-found: error
android-package:
needs: android-build
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
pattern: android-package-*
merge-multiple: true
- name: Package into archive
run: |
export PACKAGE_DIR=$(ls | grep pcapplusplus)
echo "PACKAGE_DIR=$PACKAGE_DIR" >> $GITHUB_ENV
tar cvf "${PACKAGE_DIR}.tar.gz" "${PACKAGE_DIR}"
- name: Upload binaries to release
if: github.ref_type == 'tag'
uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
with:
draft: true
allowUpdates: true
updateOnlyUnreleased: true
artifacts: ${{ env.PACKAGE_DIR }}.tar.gz