Verify server certificates against the full Mozilla trust store #910
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # Copyright (C) 2019-2021 OpenBikeSensor Contributors | |
| # Contact: https://openbikesensor.org | |
| # | |
| # This file is part of the OpenBikeSensor firmware. | |
| # | |
| # The OpenBikeSensor firmware is free software: you can redistribute it | |
| # and/or modify it under the terms of the GNU Lesser General Public License as | |
| # published by the Free Software Foundation, either version 3 of the License, | |
| # or (at your option) any later version. | |
| # | |
| # OpenBikeSensor firmware is distributed in the hope that it will be | |
| # useful, but WITHOUT ANY WARRANTY; without even the implied warranty of | |
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser | |
| # General Public License for more details. | |
| # | |
| # You should have received a copy of the GNU Lesser General Public License | |
| # along with the OpenBikeSensor firmware. If not, see | |
| # <http://www.gnu.org/licenses/>. | |
| # | |
| name: OpenBikeSensor - CI | |
| on: | |
| # Trigger when pushing in main or pull requests, and when creating | |
| # a pull request. | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| types: [opened, synchronize, reopened] | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| container: | |
| # could use a container with sq tools already installed | |
| image: infinitecoding/platformio-for-ci:latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Prepare source | |
| run: | | |
| mkdir bin | |
| echo GITHUB Ref: ${{ github.ref }} | |
| VERSION_STRING=`grep "const char \*OBSVersion =" src/OpenBikeSensorFirmware.cpp` | |
| MAJOR=`echo ${VERSION_STRING} | cut -f2 -d\"` | |
| if [ "${{ github.ref }}" = "refs/heads/main" ] | |
| then | |
| PATCH=${GITHUB_RUN_NUMBER} | |
| SEPARATOR=. | |
| PREPARE_RELEASE=true | |
| else | |
| PATCH=RC${GITHUB_RUN_NUMBER} | |
| SEPARATOR=- | |
| PREPARE_RELEASE=false | |
| fi | |
| VERSION=${MAJOR}${SEPARATOR}${PATCH} | |
| echo "OBS_PREPARE_RELEASE=${PREPARE_RELEASE}" >> $GITHUB_ENV | |
| echo "OBS_VERSION=${VERSION}" >> $GITHUB_ENV | |
| echo "OBS_MAJOR_VERSION=${MAJOR}" >> $GITHUB_ENV | |
| echo $VERSION > VERSION | |
| echo $VERSION > version.txt | |
| echo Building OBS Version: $VERSION | |
| sed -i 's|-DBUILD_NUMBER=\\"-dev\\"|-DBUILD_NUMBER=\\"'${SEPARATOR}${PATCH}'\\"|' platformio.ini | |
| echo "SONAR_SCANNER_VERSION=5.0.1.3006" >> $GITHUB_ENV | |
| - name: Cache SonarCloud packages | |
| id: cache-sonar | |
| uses: actions/cache@v4 | |
| with: | |
| path: | | |
| ~/.sonar/cache | |
| sonarqube | |
| key: ${{ runner.os }}-sonar-${{ env.SONAR_SCANNER_VERSION }}-ng6 | |
| restore-keys: ${{ runner.os }}-sonar-${{ env.SONAR_SCANNER_VERSION }}-ng6 | |
| - name: Install SonarQube dependencies | |
| if: steps.cache-sonar.outputs.cache-hit != 'true' | |
| run: | | |
| mkdir -p sonarqube | |
| cd sonarqube | |
| wget --no-verbose https://sonarcloud.io/static/cpp/build-wrapper-linux-x86.zip | |
| unzip -qq build-wrapper-linux-x86.zip | |
| rm build-wrapper-linux-x86.zip | |
| wget --no-verbose https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${{ env.SONAR_SCANNER_VERSION }}-linux.zip | |
| unzip -qq sonar-scanner-cli-${{ env.SONAR_SCANNER_VERSION }}-linux.zip | |
| rm sonar-scanner-cli-${{ env.SONAR_SCANNER_VERSION }}-linux.zip | |
| cd .. | |
| - name: Install build dependencies | |
| run: | | |
| apt-get update | |
| apt-get install -qq -y zip curl python | |
| - name: Update TLS Truststore | |
| run: | | |
| cd src/truststore/ | |
| curl --remote-name https://raw.githubusercontent.com/espressif/arduino-esp32/master/tools/gen_crt_bundle.py | |
| curl --remote-name https://curl.se/ca/cacert.pem | |
| python3 gen_crt_bundle.py --input cacert.pem | |
| - name: Build firmware | |
| run: | | |
| mkdir sonarqube-out | |
| ./sonarqube/build-wrapper-linux-x86/build-wrapper-linux-x86-64 --out-dir sonarqube-out \ | |
| platformio ci --build-dir="./bin" --keep-build-dir --project-conf=platformio.ini ./src/ | |
| - name: Package firmware | |
| run: | | |
| set -eux | |
| if [ -f "/github/home/.platformio/packages/framework-arduinoespressif32/tools/sdk/esp32/bin/bootloader_dio_40m.elf" ]; then | |
| cp /github/home/.platformio/packages/framework-arduinoespressif32/tools/sdk/esp32/bin/bootloader_dio_40m.elf 0x01000.elf | |
| elif [ -f "/github/home/.platformio/packages/framework-arduinoespressif32/tools/sdk/bin/bootloader_dio_40m.bin" ]; then | |
| cp /github/home/.platformio/packages/framework-arduinoespressif32/tools/sdk/bin/bootloader_dio_40m.bin 0x01000.bin | |
| else | |
| echo could not find bootloader_dio_40m.bin, new location? | |
| find /github/home/.platformio/ -name "bootloader*.bin" | |
| find /github/home/.platformio/ -name "bootloader*.elf" | |
| exit 1 | |
| fi | |
| cp bin/.pio/build/esp32dev/partitions.bin 0x08000.bin | |
| cp /github/home/.platformio/packages/framework-arduinoespressif32/tools/partitions/boot_app0.bin 0x0e000.bin | |
| cp bin/.pio/build/esp32dev/firmware.bin 0x10000.bin | |
| cp bin/.pio/build/esp32dev/firmware.bin firmware.bin | |
| ESPTOOL=/github/home/.platformio/packages/tool-esptoolpy/esptool.py | |
| chmod +x ${ESPTOOL} | |
| # CMD to create a merged binary (still missing flash.app) | |
| # ${ESPTOOL} --trace --chip esp32 merge_bin --output merged.bin \ | |
| # --flash_freq keep --flash_mode dio --flash_size 4MB \ | |
| # 0x01000 0x01000.bin \ | |
| # 0x08000 0x08000.bin \ | |
| # 0x0e000 0x0e000.bin \ | |
| # 0x10000 0x10000.bin | |
| ${ESPTOOL} --trace --chip esp32 elf2image \ | |
| --dont-append-digest \ | |
| --flash_freq 40m --flash_mode dio \ | |
| 0x01000.elf | |
| echo Original bootloader params after elf2image | |
| ${ESPTOOL} --chip esp32 image_info --version 2 0x01000.bin || echo image_info for converted bootloader failed | |
| mv 0x01000.bin 0x01000.bin.org | |
| ${ESPTOOL} --trace --chip esp32 merge_bin --output 0x01000.bin \ | |
| --flash_freq 40m --flash_mode dio --flash_size 4MB \ | |
| --target-offset 0x01000 \ | |
| 0x01000 0x01000.bin.org | |
| echo OpenBikeSensor bootloader params | |
| ${ESPTOOL} --chip esp32 image_info --version 2 0x01000.bin || echo image_info failed | |
| cp src/fonts/LICENSE.txt LICENSE-OpenSans.txt | |
| wget --no-verbose -O COPYRIGHT-ESP.html https://docs.espressif.com/projects/esp-idf/en/latest/esp32/COPYRIGHT.html | |
| wget --no-verbose -O LICENSE-ARDUINO-ESP32.md https://github.com/espressif/arduino-esp32/raw/master/LICENSE.md | |
| zip --junk-paths obs-${{ env.OBS_VERSION }}-initial-flash.zip \ | |
| 0x*.bin \ | |
| COPYRIGHT-ESP.html \ | |
| LICENSE-ARDUINO-ESP32.md \ | |
| LICENSE-OpenSans.txt \ | |
| LICENSE | |
| zip --junk-paths obs-${{ env.OBS_VERSION }}.zip \ | |
| firmware.bin \ | |
| COPYRIGHT-ESP.html \ | |
| LICENSE-ARDUINO-ESP32.md \ | |
| LICENSE-OpenSans.txt \ | |
| LICENSE | |
| - name: Analyze with SonarCloud | |
| env: | |
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| set -eux | |
| # Hack - point sonarqube to the real sources not the copy of it | |
| # See also https://community.sonarsource.com/t/scanning-platformio-c-embeded-projects/35141/2 | |
| sed -i 's|OpenBikeSensorFirmware/bin|OpenBikeSensorFirmware|g' \ | |
| sonarqube-out/build-wrapper-dump.json | |
| sed -i 's|\.pio/|bin/.pio/|g' \ | |
| sonarqube-out/build-wrapper-dump.json | |
| # replace gcc with our script that reports the fake arch "le32-unknown-nacl" | |
| ## might be fixed with https://sonarsource.atlassian.net/browse/CPP-4482 | |
| ## not as of 2023-06-09 | |
| sed -i "s|/github/home/.platformio/packages/toolchain-xtensa-esp32/bin/xtensa-esp32-elf-g..|`pwd`/.github/fake-cc|g" \ | |
| sonarqube-out/build-wrapper-dump.json | |
| ./sonarqube/sonar-scanner-${{ env.SONAR_SCANNER_VERSION }}-linux/bin/sonar-scanner \ | |
| -Dsonar.host.url=https://sonarcloud.io \ | |
| -Dsonar.organization=openbikesensor \ | |
| -Dsonar.projectKey=openbikesensor_OpenBikeSensorFirmware \ | |
| -Dsonar.coverage.exclusions=**/* \ | |
| -Dsonar.sources=src \ | |
| -Dsonar.sourceEncoding=UTF-8 \ | |
| -Dsonar.cfamily.build-wrapper-output=sonarqube-out \ | |
| -Dsonar.projectVersion=${{ env.OBS_MAJOR_VERSION }} | |
| - name: Upload Build Asset | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: obs-${{ env.OBS_VERSION }} | |
| path: | | |
| firmware.bin | |
| COPYRIGHT-ESP.html | |
| LICENSE-ARDUINO-ESP32.md | |
| LICENSE-OpenSans.txt | |
| LICENSE | |
| if-no-files-found: error | |
| - name: Upload Build Asset Initial Flash | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: obs-${{ env.OBS_VERSION }}-initial-flash | |
| path: | | |
| 0x*.bin | |
| COPYRIGHT-ESP.html | |
| LICENSE-ARDUINO-ESP32.md | |
| LICENSE-OpenSans.txt | |
| LICENSE | |
| sonarqube-out/build-wrapper-dump.json | |
| if-no-files-found: error | |
| - name: Generate changelog | |
| id: changelog | |
| if: ${{ env.OBS_PREPARE_RELEASE == 'true' }} | |
| uses: metcalfc/[email protected] | |
| with: | |
| myToken: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Create Release | |
| id: create_release | |
| if: ${{ env.OBS_PREPARE_RELEASE == 'true' }} | |
| uses: actions/create-release@v1 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| tag_name: ${{ env.OBS_VERSION }} | |
| release_name: ${{ env.OBS_VERSION }} | |
| body: | | |
|   | |
| Version ${{ env.OBS_VERSION }} based on ${{ github.ref }} ${{ github.sha }} | |
| ${{ steps.changelog.outputs.changelog }} | |
| ## :tada: Major features and improvements | |
| ## :rocket: New features and improvements | |
| ## :bug: Bug Fixes | |
| ## :ghost: Maintenance | |
| ## :package: Dependency updates | |
| ## :construction_worker: Changes for developers / internal | |
| draft: true | |
| prerelease: true | |
| - name: Upload Release Asset | |
| id: upload-release-asset | |
| if: ${{ env.OBS_PREPARE_RELEASE == 'true' }} | |
| uses: actions/upload-release-asset@v1 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| upload_url: ${{ steps.create_release.outputs.upload_url }} | |
| asset_path: ./obs-${{ env.OBS_VERSION }}.zip | |
| asset_name: obs-${{ env.OBS_VERSION }}.zip | |
| asset_content_type: application/zip | |
| - name: Upload Release Asset Initial Flash | |
| id: upload-release-asset-initial-flash | |
| if: ${{ env.OBS_PREPARE_RELEASE == 'true' }} | |
| uses: actions/upload-release-asset@v1 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| upload_url: ${{ steps.create_release.outputs.upload_url }} | |
| asset_path: ./obs-${{ env.OBS_VERSION }}-initial-flash.zip | |
| asset_name: obs-${{ env.OBS_VERSION }}-initial-flash.zip | |
| asset_content_type: application/zip | |
| - name: Upload Release Asset app bin | |
| id: upload-release-asset-app-bin | |
| if: ${{ env.OBS_PREPARE_RELEASE == 'true' }} | |
| uses: actions/upload-release-asset@v1 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| upload_url: ${{ steps.create_release.outputs.upload_url }} | |
| asset_path: ./bin/.pio/build/esp32dev/firmware.bin | |
| asset_name: firmware.bin | |
| asset_content_type: application/x-esp32 |