Skip to content

Disable check for dev branch which is local and the working branch pr… #369

Disable check for dev branch which is local and the working branch pr…

Disable check for dev branch which is local and the working branch pr… #369

Workflow file for this run

name: Build
on:
workflow_dispatch:
push:
pull_request:
branches:
- main
- develop
- master # for safety reasons
- dev # for safety reasons
jobs:
configure:
runs-on: ubuntu-latest
outputs:
uid_gid: ${{ steps.get-user.outputs.uid_gid }}
steps:
- id: get-user
run: echo "uid_gid=$(id -u):$(id -g)" >> $GITHUB_OUTPUT
rust_tests:
runs-on: ubuntu-latest
container:
image: zondax/rust-ci:latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
submodules: true
- name: Cache/restore Cargo dependencies
uses: actions/cache@v3
with:
path: ./app/rust/.cargo
key: ${{ runner.os }}-${{ hashFiles('./Cargo.lock') }}
restore-keys: |
${{ runner.os }}-${{ github.sha }}
- name: run rust tests
run: make rust_test
clippy:
runs-on: ubuntu-latest
container:
image: zondax/rust-ci:latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
submodules: true
- name: Cache/restore Cargo dependencies
uses: actions/cache@v3
with:
path: ./app/rust/.cargo
key: ${{ runner.os }}-${{ hashFiles('./Cargo.lock') }}
restore-keys: |
${{ runner.os }}-${{ github.sha }}
- name: clippy
run: |
cd ./app/rust
cargo clippy --all-targets --features "clippy"
- name: cargo fmt
run: |
cd ./app/rust
cargo fmt
build_ledger:
needs: configure
runs-on: ubuntu-latest
container:
image: zondax/ledger-app-builder:latest
options: --user ${{ needs.configure.outputs.uid_gid }}
env:
BOLOS_SDK: /opt/nanos-secure-sdk
outputs:
size: ${{steps.build.outputs.size}}
steps:
- name: Checkout
uses: actions/checkout@v4
with:
submodules: recursive
- name: Build Standard app
id: build
shell: bash -l {0}
run: |
make PRODUCTION_BUILD=1
echo "size=$(python3 deps/ledger-zxlib/scripts/getSize.py s)" >> $GITHUB_OUTPUT
size_nano_s:
needs: build_ledger
runs-on: ubuntu-latest
continue-on-error: true
env:
NANOS_LIMIT_SIZE: 136
steps:
- run: |
echo "LNS app size: ${{needs.build_ledger.outputs.size}} KiB"
[ ${{needs.build_ledger.outputs.size}} -le $NANOS_LIMIT_SIZE ]
test_zemu:
runs-on: ubuntu-latest
steps:
- name: Test
run: |
id
echo $HOME
echo $DISPLAY
- name: Checkout
uses: actions/checkout@v4
with:
submodules: true
- run: sudo apt-get update -y && sudo apt-get install -y libusb-1.0.0 libudev-dev
- name: Install rust
uses: actions-rs/toolchain@v1
with:
toolchain: stable
- name: Install node
uses: actions/setup-node@v3
- name: Install yarn
run: |
npm install -g yarn
- name: Build and run zemu tests
run: |
make test_all
- name: Upload Snapshots (only failure)
if: ${{ failure() }}
uses: actions/upload-artifact@v4
with:
name: snapshots-tmp
path: tests_zemu/snapshots-tmp/
build_package_nanos:
needs: [configure, build_ledger, test_zemu, rust_tests]
if: ${{ github.ref == 'refs/heads/main' }}
runs-on: ubuntu-latest
container:
image: zondax/ledger-app-builder:latest
options: --user ${{ needs.configure.outputs.uid_gid }}
env:
BOLOS_SDK: /opt/nanos-secure-sdk
steps:
- name: Checkout
uses: actions/checkout@v4
with:
submodules: recursive
- name: Install deps
run: pip install ledgerblue
- name: Build NanoS
shell: bash -l {0}
run: |
PRODUCTION_BUILD=0 make
mv ./app/pkg/installer_s.sh ./app/pkg/installer_nanos.sh
- name: Set tag
id: nanos
run: echo "tag_name=$(./app/pkg/installer_nanos.sh version)" >> $GITHUB_OUTPUT
- name: Create or Update Release (1)
id: create_release_0
uses: softprops/action-gh-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
with:
files: ./app/pkg/installer_nanos.sh
tag_name: ${{ steps.nanos.outputs.tag_name }}
draft: false
prerelease: false
build_package_nanosp:
needs: [configure, build_ledger, test_zemu, rust_tests]
if: ${{ github.ref == 'refs/heads/main' }}
runs-on: ubuntu-latest
container:
image: zondax/ledger-app-builder:latest
options: --user ${{ needs.configure.outputs.uid_gid }}
env:
BOLOS_SDK: /opt/nanosplus-secure-sdk
steps:
- name: Checkout
uses: actions/checkout@v4
with:
submodules: recursive
- name: Install deps
run: pip install ledgerblue
- name: Build NanoSP
shell: bash -l {0}
run: |
PRODUCTION_BUILD=0 make
mv ./app/pkg/installer_s2.sh ./app/pkg/installer_nanos_plus.sh
- name: Set tag
id: nanosp
run: echo "tag_name=$(./app/pkg/installer_nanos_plus.sh version)" >> $GITHUB_OUTPUT
- name: Update Release
id: update_release_2
uses: softprops/action-gh-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
with:
files: ./app/pkg/installer_nanos_plus.sh
tag_name: ${{ steps.nanosp.outputs.tag_name }}
draft: false
prerelease: false
build_package_stax:
needs: [configure, build_ledger, test_zemu, rust_tests]
if: ${{ github.ref == 'refs/heads/main' }}
runs-on: ubuntu-latest
container:
image: zondax/ledger-app-builder:latest
options: --user ${{ needs.configure.outputs.uid_gid }}
env:
BOLOS_SDK: /opt/stax-secure-sdk
steps:
- name: Checkout
uses: actions/checkout@v4
with:
submodules: true
- name: Install deps
run: pip install ledgerblue
- name: Build Stax
shell: bash -l {0}
run: |
PRODUCTION_BUILD=0 make
- name: Set tag
id: stax
run: echo "tag_name=$(./app/pkg/installer_stax.sh version)" >> $GITHUB_OUTPUT
- name: Update Release
id: update_release_2
uses: softprops/action-gh-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
with:
files: ./app/pkg/installer_stax.sh
tag_name: ${{ steps.stax.outputs.tag_name }}
draft: false
prerelease: false
build_package_flex:
needs: [configure, build_ledger, test_zemu, rust_tests]
if: ${{ github.ref == 'refs/heads/main' }}
runs-on: ubuntu-latest
container:
image: zondax/ledger-app-builder:latest
options: --user ${{ needs.configure.outputs.uid_gid }}
env:
BOLOS_SDK: /opt/flex-secure-sdk
steps:
- name: Checkout
uses: actions/checkout@v4
with:
submodules: true
- name: Install deps
run: pip install ledgerblue
- name: Build Flex
shell: bash -l {0}
run: |
PRODUCTION_BUILD=0 make
- name: Set tag
id: flex
run: echo "tag_name=$(./app/pkg/installer_flex.sh version)" >> $GITHUB_OUTPUT
- name: Update Release
id: update_release_2
uses: softprops/action-gh-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
with:
files: ./app/pkg/installer_flex.sh
tag_name: ${{ steps.flex.outputs.tag_name }}
draft: false
prerelease: false
fuzzing:
name: fuzzing
runs-on: ${{ github.repository_owner == 'zondax' && 'zondax-runners' || 'ubuntu-latest' }}
container:
image: rust:latest
steps:
- uses: actions/checkout@v3
# Install only the additional dependencies needed for honggfuzz
- name: Install system dependencies
run: |
apt-get update && apt-get install -y \
binutils-dev \
libunwind-dev \
libblocksruntime-dev \
liblzma-dev
- name: Install honggfuzz
run: cargo install honggfuzz
- name: Generate corpus
run: |
cd app/hfuzz-parser/corpus
cargo run
# Different fuzzing durations based on trigger
- name: Quick fuzz (PR)
if: github.event_name == 'push'
run: |
cd app/hfuzz-parser
timeout --preserve-status 5m cargo hfuzz run transaction ../hfuzz_corpus/
- name: Medium fuzz (main)
if: github.event_name == 'pull_request'
run: |
cd app/hfuzz-parser
timeout --preserve-status 15m cargo hfuzz run transaction ../hfuzz_corpus/
- name: Extended fuzz (weekly)
if: github.event_name == 'schedule'
run: |
cd app/hfuzz-parser
timeout --preserve-status 30m cargo hfuzz run transaction ../hfuzz_corpus/
- name: Check for crashes
run: |
if ls app/hfuzz-parser/hfuzz_workspace/transaction/SIGABRT.PC.* 1> /dev/null 2>&1; then
echo "::error::Crashes found during fuzzing!"
exit 1
fi
- name: Upload crash artifacts
if: failure()
uses: actions/upload-artifact@v3
with:
name: crash-reports
path: |
app/hfuzz-parser/hfuzz_workspace/transaction/SIGABRT.PC.*
app/hfuzz-parser/hfuzz_workspace/transaction/HONGGFUZZ.REPORT.TXT
app/hfuzz-parser/hfuzz_workspace/transaction/input/
- name: Cache corpus
uses: actions/cache@v3
with:
path: app/hfuzz_corpus
key: ${{ runner.os }}-fuzz-corpus-${{ github.sha }}
restore-keys: |
${{ runner.os }}-fuzz-corpus-
- name: Notify on failure
if: failure()
uses: actions/github-script@v6
with:
script: |
github.rest.issues.create({
owner: context.repo.owner,
repo: context.repo.repo,
title: 'Fuzzing found crashes',
body: 'Fuzzing job failed. Check the artifacts in the workflow run.'
})