
github-actions: bump step-security/harden-runner from 2.5.1 to 2.6.0 … #1402


#
# Copyright (c) 2020, The OpenThread Authors.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# 3. Neither the name of the copyright holder nor the
# names of its contributors may be used to endorse or promote products
# derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
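# Builds OpenThread for simulation with THREAD_VERSION=1.1, runs the
# thread-cert, expect and ot-commissioner suites, then merges the per-job
# coverage files and uploads the result.
name: Simulation 1.1

# Pushes to dependabot/** branches are skipped; pull requests that target
# main are covered by the pull_request trigger.
on:
  push:
    branches-ignore:
      - 'dependabot/**'
  pull_request:
    branches:
      - 'main'

# One group per pull request. For non-PR runs in openthread/openthread the
# group falls back to the run id (so those runs never cancel each other);
# in any other repository it falls back to the ref.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || (github.repository == 'openthread/openthread' && github.run_id) || github.ref }}
  cancel-in-progress: true

# Least privilege: no job overrides this, so the default GITHUB_TOKEN can
# only read repository contents.
permissions:
  contents: read

# Conventions used by every job below:
#  - Harden Runner is the first step, so it is active before checkout or any
#    build script runs. 'egress-policy: audit' only records outbound
#    connections; nothing is blocked until the policy is changed to 'block'
#    together with an 'allowed-endpoints' allow-list.
#  - Actions are pinned to a full commit SHA; the trailing comment records
#    the release tag that SHA corresponds to.
#  - NOTE(review): actions/checkout keeps the token in the local git config
#    by default; consider 'persist-credentials: false' if no later step
#    needs authenticated git access - confirm against script/test.
jobs:

  packet-verification:
    runs-on: ubuntu-20.04
    env:
      PACKET_VERIFICATION: 1
      REFERENCE_DEVICE: 1
      # Quoted so the version stays a string instead of a YAML float.
      THREAD_VERSION: '1.1'
      VIRTUAL_TIME: 1
      MULTIPLY: 3
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423  # v2.6.0
        with:
          egress-policy: audit  # TODO: change to 'egress-policy: block' after couple of runs
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608  # v4.1.0
        with:
          submodules: true
      - name: Bootstrap
        # NOTE(review): the pip install below does not pass --require-hashes;
        # whether requirements.txt pins hashes is not visible here - confirm.
        # The same install is repeated in the other thread-cert jobs.
        run: |
          sudo rm /etc/apt/sources.list.d/* && sudo apt-get update
          sudo apt-get --no-install-recommends install -y g++-multilib python3-setuptools python3-wheel ninja-build lcov
          python3 -m pip install -r tests/scripts/thread-cert/requirements.txt
      - name: Build
        run: |
          ./script/test build
      - name: Get Thread-Wireshark
        run: |
          ./script/test get_thread_wireshark
      - name: Run
        run: |
          ./script/test cert_suite ./tests/scripts/thread-cert/Cert_*.py ./tests/scripts/thread-cert/test_*.py
      # Captures and JSON output are kept only when an earlier step failed.
      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
        if: ${{ failure() }}
        with:
          name: packet-verification-pcaps
          path: |
            *.pcap
            *.json
      - name: Generate Coverage
        run: |
          ./script/test generate_coverage gcc
      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
        with:
          name: cov-packet-verification
          path: tmp/coverage.info

  cli-ftd:
    runs-on: ubuntu-20.04
    env:
      CFLAGS: -m32
      CXXFLAGS: -m32
      LDFLAGS: -m32
      COVERAGE: 1
      REFERENCE_DEVICE: 1
      THREAD_VERSION: '1.1'
      VIRTUAL_TIME: 1
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423  # v2.6.0
        with:
          egress-policy: audit  # TODO: change to 'egress-policy: block' after couple of runs
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608  # v4.1.0
        with:
          submodules: true
      - name: Bootstrap
        run: |
          sudo rm /etc/apt/sources.list.d/* && sudo apt-get update
          sudo apt-get --no-install-recommends install -y lcov ninja-build g++-multilib python3-setuptools python3-wheel
          python3 -m pip install -r tests/scripts/thread-cert/requirements.txt
      - name: Build
        run: |
          ./script/test build
      - name: Run
        run: |
          ./script/test cert_suite ./tests/scripts/thread-cert/Cert_*.py ./tests/scripts/thread-cert/test_*.py
      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
        if: ${{ failure() }}
        with:
          name: cli-ftd-thread-cert
          path: ot_testing
      - name: Generate Coverage
        run: |
          ./script/test generate_coverage gcc
      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
        with:
          name: cov-cli-ftd
          path: tmp/coverage.info

  # Runs once per matrix value; fail-fast is off, so a failure in one variant
  # does not cancel the other.
  cli-mtd:
    name: cli-mtd MESSAGE_USE_HEAP=${{ matrix.message_use_heap }}
    runs-on: ubuntu-20.04
    strategy:
      fail-fast: false
      matrix:
        message_use_heap: [0, 1]
    env:
      CFLAGS: -m32
      CXXFLAGS: -m32
      LDFLAGS: -m32
      COVERAGE: 1
      REFERENCE_DEVICE: 1
      THREAD_VERSION: '1.1'
      USE_MTD: 1
      VIRTUAL_TIME: 1
      MESSAGE_USE_HEAP: ${{ matrix.message_use_heap }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423  # v2.6.0
        with:
          egress-policy: audit  # TODO: change to 'egress-policy: block' after couple of runs
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608  # v4.1.0
        with:
          submodules: true
      - name: Bootstrap
        run: |
          sudo rm /etc/apt/sources.list.d/* && sudo apt-get update
          sudo apt-get --no-install-recommends install -y lcov ninja-build g++-multilib python3-setuptools python3-wheel
          python3 -m pip install -r tests/scripts/thread-cert/requirements.txt
      - name: Build
        run: |
          ./script/test build
      - name: Run
        run: |
          ./script/test cert_suite ./tests/scripts/thread-cert/Cert_*.py ./tests/scripts/thread-cert/test_*.py
      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
        if: ${{ failure() }}
        with:
          name: cli-mtd-thread-cert
          path: ot_testing
      - name: Generate Coverage
        run: |
          ./script/test generate_coverage gcc
      # The matrix value is part of the name so the two variants do not
      # upload under the same artifact name.
      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
        with:
          name: cov-cli-mtd-${{ matrix.message_use_heap }}
          path: tmp/coverage.info

  cli-time-sync:
    runs-on: ubuntu-20.04
    env:
      CFLAGS: -m32
      CXXFLAGS: -m32
      LDFLAGS: -m32
      COVERAGE: 1
      REFERENCE_DEVICE: 1
      THREAD_VERSION: '1.1'
      VIRTUAL_TIME: 1
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423  # v2.6.0
        with:
          egress-policy: audit  # TODO: change to 'egress-policy: block' after couple of runs
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608  # v4.1.0
        with:
          submodules: true
      - name: Bootstrap
        run: |
          sudo rm /etc/apt/sources.list.d/* && sudo apt-get update
          sudo apt-get --no-install-recommends install -y g++-multilib lcov ninja-build python3-setuptools python3-wheel
          python3 -m pip install -r tests/scripts/thread-cert/requirements.txt
      - name: Build
        run: |
          OT_OPTIONS="-DOT_TIME_SYNC=ON" ./script/test build
      - name: Run
        run: |
          ./script/test cert_suite ./tests/scripts/thread-cert/Cert_*.py ./tests/scripts/thread-cert/test_*.py
      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
        if: ${{ failure() }}
        with:
          name: cli-time-sync-thread-cert
          path: ot_testing
      - name: Generate Coverage
        run: |
          ./script/test generate_coverage gcc
      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
        with:
          name: cov-cli-time-sync
          path: tmp/coverage.info

  expects:
    runs-on: ubuntu-20.04
    env:
      CFLAGS: -DCLI_COAP_SECURE_USE_COAP_DEFAULT_HANDLER=1 -DOPENTHREAD_CONFIG_MLE_MAX_CHILDREN=15
      CXXFLAGS: -DCLI_COAP_SECURE_USE_COAP_DEFAULT_HANDLER=1 -DOPENTHREAD_CONFIG_MLE_MAX_CHILDREN=15
      THREAD_VERSION: '1.1'
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423  # v2.6.0
        with:
          egress-policy: audit  # TODO: change to 'egress-policy: block' after couple of runs
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608  # v4.1.0
      - name: Bootstrap
        run: |
          sudo apt-get --no-install-recommends install -y expect ninja-build lcov socat
      - name: Run
        run: |
          ulimit -c unlimited
          ./script/test prepare_coredump_upload
          OT_OPTIONS='-DOT_TIME_SYNC=ON -DOT_FULL_LOGS=ON -DOT_LOG_OUTPUT=PLATFORM_DEFINED' VIRTUAL_TIME=0 ./script/test build expect
      - name: Check Crash
        if: ${{ failure() }}
        run: |
          CRASHED=$(./script/test check_crash | tail -1)
          # Compare as a string: -eq inside [[ ]] would evaluate the captured
          # output as an arithmetic expression.
          [[ "$CRASHED" == "1" ]] && echo "Crashed!" || echo "Not crashed."
          # Only the last output line is kept above, so this appends a single
          # NAME=value entry; the file path is quoted against word splitting.
          echo "CRASHED_CLI=$CRASHED" >> "$GITHUB_ENV"
      # Core dumps are uploaded only when the step above recorded a crash.
      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
        if: ${{ failure() && env.CRASHED_CLI == '1' }}
        with:
          name: core-expect-cli
          path: |
            ./ot-core-dump/*
      - name: Generate Coverage
        run: |
          ./script/test generate_coverage gcc
      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
        with:
          name: cov-expects
          path: tmp/coverage.info

  ot-commissioner:
    runs-on: ubuntu-22.04
    env:
      THREAD_VERSION: '1.1'
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423  # v2.6.0
        with:
          egress-policy: audit  # TODO: change to 'egress-policy: block' after couple of runs
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608  # v4.1.0
        with:
          submodules: true
      - name: Bootstrap
        # The token is exposed to this step only and is limited to
        # 'contents: read' by the workflow-level permissions; presumably it
        # is consumed by script/git-tool - confirm.
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
        # NOTE(review): ot-commissioner is cloned from the tip of 'main', and
        # the following steps execute its scripts on the runner (including a
        # sudo install). Unlike the SHA-pinned actions, this input is not
        # pinned; consider checking out a fixed commit.
        run: |
          sudo rm /etc/apt/sources.list.d/*
          sudo apt-get install -y avahi-daemon avahi-utils lcov
          script/git-tool clone https://github.com/openthread/ot-commissioner.git /tmp/ot-commissioner --depth 1 --branch main
      - name: Build
        run: |
          cd /tmp/ot-commissioner
          script/bootstrap.sh
          cmake -GNinja \
                -DCMAKE_CXX_STANDARD=11 \
                -DCMAKE_CXX_STANDARD_REQUIRED=ON \
                -DCMAKE_BUILD_TYPE=Release \
                -DCMAKE_INSTALL_PREFIX=/usr/local \
                -DOT_COMM_COVERAGE=ON \
                -DOT_COMM_CCM=OFF \
                -S . -B build
          cmake --build build
          sudo cmake --install build
      - name: Run
        run: |
          export OT_COMM_OPENTHREAD="$(pwd)"
          cd /tmp/ot-commissioner/tests/integration
          ./bootstrap.sh
          ./run_tests.sh
      - name: Generate Coverage
        run: |
          ./script/test generate_coverage gcc
      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
        with:
          name: cov-ot-commissioner
          path: tmp/coverage.info

  multiple-instance:
    runs-on: ubuntu-20.04
    env:
      COVERAGE: 1
      THREAD_VERSION: '1.1'
      VIRTUAL_TIME: 1
      CXXFLAGS: "-DOPENTHREAD_CONFIG_LOG_PREPEND_UPTIME=0"
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423  # v2.6.0
        with:
          egress-policy: audit  # TODO: change to 'egress-policy: block' after couple of runs
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608  # v4.1.0
        with:
          submodules: true
      - name: Bootstrap
        run: |
          sudo apt-get --no-install-recommends install -y lcov ninja-build python3-setuptools python3-wheel
          python3 -m pip install -r tests/scripts/thread-cert/requirements.txt
      - name: Build
        run: |
          OT_OPTIONS="-DOT_MULTIPLE_INSTANCE=ON" ./script/test build
      - name: Run
        run: |
          ./script/test cert_suite ./tests/scripts/thread-cert/Cert_*.py ./tests/scripts/thread-cert/test_*.py
      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
        if: ${{ failure() }}
        with:
          name: ot_testing
          path: build/simulation/tests/scripts/thread-cert
      - name: Generate Coverage
        run: |
          ./script/test generate_coverage gcc
      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
        with:
          name: cov-multiple-instance
          path: tmp/coverage.info

  # Waits for every test job, downloads all of their artifacts into
  # coverage/, combines them and uploads final.info.
  upload-coverage:
    needs:
      - packet-verification
      - cli-ftd
      - cli-mtd
      - cli-time-sync
      - expects
      - ot-commissioner
      - multiple-instance
    runs-on: ubuntu-20.04
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423  # v2.6.0
        with:
          egress-policy: audit  # TODO: change to 'egress-policy: block' after couple of runs
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608  # v4.1.0
        with:
          submodules: true
      - name: Bootstrap
        run: |
          sudo apt-get --no-install-recommends install -y lcov
      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a  # v3.0.2
        with:
          path: coverage/
      - name: Combine Coverage
        run: |
          script/test combine_coverage
      - name: Upload Coverage
        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d  # v3.1.4
        with:
          files: final.info
          # An upload error fails the job instead of being ignored.
          fail_ci_if_error: true

  # Removes the per-job cov-* artifacts once upload-coverage has finished.
  delete-coverage-artifacts:
    needs: upload-coverage
    runs-on: ubuntu-20.04
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423  # v2.6.0
        with:
          egress-policy: audit  # TODO: change to 'egress-policy: block' after couple of runs
      - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af  # v2.0.0
        with:
          name: cov-*
          useGlob: true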