Skip to content

Commit

Permalink
Merge branch 'main' into readme
Browse files Browse the repository at this point in the history
  • Loading branch information
marcransome authored Mar 25, 2024
2 parents b0207c6 + 43d4e5c commit 66e6d1f
Show file tree
Hide file tree
Showing 5 changed files with 116 additions and 87 deletions.
36 changes: 20 additions & 16 deletions .github/workflows/codeql-analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,19 +19,23 @@ jobs:
permissions:
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- name: Install dependencies
run: brew install popt
- name: Initialize CodeQL
uses: github/codeql-action/init@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
with:
languages: cpp
queries: security-and-quality
source-root: src
- name: Build sources
run: |
cmake -S . -B build
cmake --build build
- name: Perform CodeQL analysis
uses: github/codeql-action/analyze@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
- name: Harden runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- name: Install dependencies
run: brew install popt
- name: Initialize CodeQL
uses: github/codeql-action/init@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
with:
languages: cpp
queries: security-and-quality
source-root: src
- name: Build sources
run: |
cmake -S . -B build
cmake --build build
- name: Perform CodeQL analysis
uses: github/codeql-action/analyze@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
6 changes: 5 additions & 1 deletion .github/workflows/dependency-review.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,10 +12,14 @@ jobs:
permissions:
pull-requests: write
steps:
- name: Harden runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- name: Dependency review
uses: actions/dependency-review-action@0fa40c3c10055986a88de3baa0d6ec17c5a894b3 # v4.2.3
uses: actions/dependency-review-action@733dd5d4a5203f238c33806593ec0f5fc5343d8c # v4.2.4
with:
comment-summary-in-pr: true
fail-on-severity: low
Expand Down
34 changes: 19 additions & 15 deletions .github/workflows/markdown-links.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,18 +19,22 @@ jobs:
markdown-links:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- name: Check links in modified Markdown files
if: github.event_name == 'pull_request'
uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # 1.0.15
with:
base-branch: main
check-modified-files-only: yes
use-verbose-mode: yes
config-file: .github/markdown/markdown-links.json
- name: Check links in all Markdown files
if: github.event_name != 'pull_request'
uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # 1.0.15
with:
use-verbose-mode: yes
config-file: .github/markdown/markdown-links.json
- name: Harden runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- name: Check links in modified Markdown files
if: github.event_name == 'pull_request'
uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # 1.0.15
with:
base-branch: main
check-modified-files-only: yes
use-verbose-mode: yes
config-file: .github/markdown/markdown-links.json
- name: Check links in all Markdown files
if: github.event_name != 'pull_request'
uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # 1.0.15
with:
use-verbose-mode: yes
config-file: .github/markdown/markdown-links.json
4 changes: 4 additions & 0 deletions .github/workflows/openssf-scorecard.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,10 @@ jobs:
security-events: write # Needed to upload the results to code scanning dashboard
id-token: write # Needed to publish results to OpenSSF API and get a badge (see publish_results below)
steps:
- name: Harden runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
with:
Expand Down
123 changes: 68 additions & 55 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -20,61 +20,65 @@ jobs:
sha256-filename-darwin-arm64: ${{ steps.checksum.outputs.sha256-filename-darwin-arm64 }}
sha256-filename-darwin-x86_64: ${{ steps.checksum.outputs.sha256-filename-darwin-x86_64 }}
steps:
- name: Checkout repository
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- name: Install runtime dependencies
run: brew install popt
- name: Install test dependencies
run: brew install cmocka
- name: Install build tools
run: brew install just pandoc
- id: arch
name: Get machine hardware name
run: |
set -euo pipefail
arch=$(uname -m)
if [[ "${arch}" != "x86_64" && "${arch}" != "arm64" ]]; then
echo "Unexpected machine hardware name: ${arch}"
exit 1
fi
echo "name=${arch}" >> "${GITHUB_OUTPUT}"
- id: artifact
name: Generate build artifact
env:
ARCHITECTURE: ${{ steps.arch.outputs.name }}
run: |
set -euo pipefail
just package "${GITHUB_REF_NAME}"
artifact="flog-${GITHUB_REF_NAME}-darwin-${ARCHITECTURE}.tar.xz"
if [[ ! -f "${artifact}" ]]; then
echo "Failed to generated expected build artifact: ${artifact}"
fi
echo "name=${artifact}" >> "${GITHUB_OUTPUT}"
echo "artifact-filename-darwin-${{ steps.arch.outputs.name }}=${artifact}" >> "${GITHUB_OUTPUT}"
- id: checksum
name: Generate build artifact SHA-256 checksum file
env:
ARCHITECTURE: ${{ steps.arch.outputs.name }}
ARTIFACT_NAME: ${{ steps.artifact.outputs.name }}
run: |
set -euo pipefail
shasum -a 256 "${ARTIFACT_NAME}" > "${ARTIFACT_NAME}.sha256"
echo "sha256-checksum-darwin-${ARCHITECTURE}=$(cat "${ARTIFACT_NAME}.sha256" | base64)" >> "${GITHUB_OUTPUT}"
echo "sha256-filename-darwin-${ARCHITECTURE}=${ARTIFACT_NAME}.sha256" >> "${GITHUB_OUTPUT}"
- name: Upload build artifact
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: ${{ steps.artifact.outputs.name }}
path: ${{ steps.artifact.outputs.name }}
if-no-files-found: error
retention-days: 7
- name: Upload SHA-256 checksum file
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: ${{ steps.artifact.outputs.name }}.sha256
path: ${{ steps.artifact.outputs.name }}.sha256
if-no-files-found: error
retention-days: 7
- name: Harden runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- name: Install runtime dependencies
run: brew install popt
- name: Install test dependencies
run: brew install cmocka
- name: Install build tools
run: brew install just pandoc
- id: arch
name: Get machine hardware name
run: |
set -euo pipefail
arch=$(uname -m)
if [[ "${arch}" != "x86_64" && "${arch}" != "arm64" ]]; then
echo "Unexpected machine hardware name: ${arch}"
exit 1
fi
echo "name=${arch}" >> "${GITHUB_OUTPUT}"
- id: artifact
name: Generate build artifact
env:
ARCHITECTURE: ${{ steps.arch.outputs.name }}
run: |
set -euo pipefail
just package "${GITHUB_REF_NAME}"
artifact="flog-${GITHUB_REF_NAME}-darwin-${ARCHITECTURE}.tar.xz"
if [[ ! -f "${artifact}" ]]; then
echo "Failed to generated expected build artifact: ${artifact}"
fi
echo "name=${artifact}" >> "${GITHUB_OUTPUT}"
echo "artifact-filename-darwin-${{ steps.arch.outputs.name }}=${artifact}" >> "${GITHUB_OUTPUT}"
- id: checksum
name: Generate build artifact SHA-256 checksum file
env:
ARCHITECTURE: ${{ steps.arch.outputs.name }}
ARTIFACT_NAME: ${{ steps.artifact.outputs.name }}
run: |
set -euo pipefail
shasum -a 256 "${ARTIFACT_NAME}" > "${ARTIFACT_NAME}.sha256"
echo "sha256-checksum-darwin-${ARCHITECTURE}=$(cat "${ARTIFACT_NAME}.sha256" | base64)" >> "${GITHUB_OUTPUT}"
echo "sha256-filename-darwin-${ARCHITECTURE}=${ARTIFACT_NAME}.sha256" >> "${GITHUB_OUTPUT}"
- name: Upload build artifact
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: ${{ steps.artifact.outputs.name }}
path: ${{ steps.artifact.outputs.name }}
if-no-files-found: error
retention-days: 7
- name: Upload SHA-256 checksum file
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: ${{ steps.artifact.outputs.name }}.sha256
path: ${{ steps.artifact.outputs.name }}.sha256
if-no-files-found: error
retention-days: 7
combine-checksums:
needs: [build]
runs-on: ubuntu-latest
Expand All @@ -83,7 +87,12 @@ jobs:
env:
CHECKSUMS: ${{ toJSON(needs.build.outputs) }}
steps:
- name: Harden runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- id: checksums
name: Combine SHA-256 checksums
run: |
set -euo pipefail
echo "${CHECKSUMS}" | jq -r 'with_entries(select(.key | match("sha256-checksum-.*-.*")))[] | @base64d' | sed "/^$/d" > checksums.txt
Expand All @@ -106,6 +115,10 @@ jobs:
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/v')
steps:
- name: Harden runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Download x86_64 build artifact
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
Expand Down

0 comments on commit 66e6d1f

Please sign in to comment.