Disable check for dev branch which is local and the working branch pr… #369
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build | |
on: | |
workflow_dispatch: | |
push: | |
pull_request: | |
branches: | |
- main | |
- develop | |
- master # for safety reasons | |
- dev # for safety reasons | |
jobs: | |
configure: | |
runs-on: ubuntu-latest | |
outputs: | |
uid_gid: ${{ steps.get-user.outputs.uid_gid }} | |
steps: | |
- id: get-user | |
run: echo "uid_gid=$(id -u):$(id -g)" >> $GITHUB_OUTPUT | |
rust_tests: | |
runs-on: ubuntu-latest | |
container: | |
image: zondax/rust-ci:latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
submodules: true | |
- name: Cache/restore Cargo dependencies | |
uses: actions/cache@v3 | |
with: | |
path: ./app/rust/.cargo | |
key: ${{ runner.os }}-${{ hashFiles('./Cargo.lock') }} | |
restore-keys: | | |
${{ runner.os }}-${{ github.sha }} | |
- name: run rust tests | |
run: make rust_test | |
clippy: | |
runs-on: ubuntu-latest | |
container: | |
image: zondax/rust-ci:latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
submodules: true | |
- name: Cache/restore Cargo dependencies | |
uses: actions/cache@v3 | |
with: | |
path: ./app/rust/.cargo | |
key: ${{ runner.os }}-${{ hashFiles('./Cargo.lock') }} | |
restore-keys: | | |
${{ runner.os }}-${{ github.sha }} | |
- name: clippy | |
run: | | |
cd ./app/rust | |
cargo clippy --all-targets --features "clippy" | |
- name: cargo fmt | |
run: | | |
cd ./app/rust | |
cargo fmt | |
build_ledger: | |
needs: configure | |
runs-on: ubuntu-latest | |
container: | |
image: zondax/ledger-app-builder:latest | |
options: --user ${{ needs.configure.outputs.uid_gid }} | |
env: | |
BOLOS_SDK: /opt/nanos-secure-sdk | |
outputs: | |
size: ${{steps.build.outputs.size}} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
submodules: recursive | |
- name: Build Standard app | |
id: build | |
shell: bash -l {0} | |
run: | | |
make PRODUCTION_BUILD=1 | |
echo "size=$(python3 deps/ledger-zxlib/scripts/getSize.py s)" >> $GITHUB_OUTPUT | |
size_nano_s: | |
needs: build_ledger | |
runs-on: ubuntu-latest | |
continue-on-error: true | |
env: | |
NANOS_LIMIT_SIZE: 136 | |
steps: | |
- run: | | |
echo "LNS app size: ${{needs.build_ledger.outputs.size}} KiB" | |
[ ${{needs.build_ledger.outputs.size}} -le $NANOS_LIMIT_SIZE ] | |
test_zemu: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Test | |
run: | | |
id | |
echo $HOME | |
echo $DISPLAY | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
submodules: true | |
- run: sudo apt-get update -y && sudo apt-get install -y libusb-1.0.0 libudev-dev | |
- name: Install rust | |
uses: actions-rs/toolchain@v1 | |
with: | |
toolchain: stable | |
- name: Install node | |
uses: actions/setup-node@v3 | |
- name: Install yarn | |
run: | | |
npm install -g yarn | |
- name: Build and run zemu tests | |
run: | | |
make test_all | |
- name: Upload Snapshots (only failure) | |
if: ${{ failure() }} | |
uses: actions/upload-artifact@v4 | |
with: | |
name: snapshots-tmp | |
path: tests_zemu/snapshots-tmp/ | |
build_package_nanos: | |
needs: [configure, build_ledger, test_zemu, rust_tests] | |
if: ${{ github.ref == 'refs/heads/main' }} | |
runs-on: ubuntu-latest | |
container: | |
image: zondax/ledger-app-builder:latest | |
options: --user ${{ needs.configure.outputs.uid_gid }} | |
env: | |
BOLOS_SDK: /opt/nanos-secure-sdk | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
submodules: recursive | |
- name: Install deps | |
run: pip install ledgerblue | |
- name: Build NanoS | |
shell: bash -l {0} | |
run: | | |
PRODUCTION_BUILD=0 make | |
mv ./app/pkg/installer_s.sh ./app/pkg/installer_nanos.sh | |
- name: Set tag | |
id: nanos | |
run: echo "tag_name=$(./app/pkg/installer_nanos.sh version)" >> $GITHUB_OUTPUT | |
- name: Create or Update Release (1) | |
id: create_release_0 | |
uses: softprops/action-gh-release@v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token | |
with: | |
files: ./app/pkg/installer_nanos.sh | |
tag_name: ${{ steps.nanos.outputs.tag_name }} | |
draft: false | |
prerelease: false | |
build_package_nanosp: | |
needs: [configure, build_ledger, test_zemu, rust_tests] | |
if: ${{ github.ref == 'refs/heads/main' }} | |
runs-on: ubuntu-latest | |
container: | |
image: zondax/ledger-app-builder:latest | |
options: --user ${{ needs.configure.outputs.uid_gid }} | |
env: | |
BOLOS_SDK: /opt/nanosplus-secure-sdk | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
submodules: recursive | |
- name: Install deps | |
run: pip install ledgerblue | |
- name: Build NanoSP | |
shell: bash -l {0} | |
run: | | |
PRODUCTION_BUILD=0 make | |
mv ./app/pkg/installer_s2.sh ./app/pkg/installer_nanos_plus.sh | |
- name: Set tag | |
id: nanosp | |
run: echo "tag_name=$(./app/pkg/installer_nanos_plus.sh version)" >> $GITHUB_OUTPUT | |
- name: Update Release | |
id: update_release_2 | |
uses: softprops/action-gh-release@v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token | |
with: | |
files: ./app/pkg/installer_nanos_plus.sh | |
tag_name: ${{ steps.nanosp.outputs.tag_name }} | |
draft: false | |
prerelease: false | |
build_package_stax: | |
needs: [configure, build_ledger, test_zemu, rust_tests] | |
if: ${{ github.ref == 'refs/heads/main' }} | |
runs-on: ubuntu-latest | |
container: | |
image: zondax/ledger-app-builder:latest | |
options: --user ${{ needs.configure.outputs.uid_gid }} | |
env: | |
BOLOS_SDK: /opt/stax-secure-sdk | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
submodules: true | |
- name: Install deps | |
run: pip install ledgerblue | |
- name: Build Stax | |
shell: bash -l {0} | |
run: | | |
PRODUCTION_BUILD=0 make | |
- name: Set tag | |
id: stax | |
run: echo "tag_name=$(./app/pkg/installer_stax.sh version)" >> $GITHUB_OUTPUT | |
- name: Update Release | |
id: update_release_2 | |
uses: softprops/action-gh-release@v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token | |
with: | |
files: ./app/pkg/installer_stax.sh | |
tag_name: ${{ steps.stax.outputs.tag_name }} | |
draft: false | |
prerelease: false | |
build_package_flex: | |
needs: [configure, build_ledger, test_zemu, rust_tests] | |
if: ${{ github.ref == 'refs/heads/main' }} | |
runs-on: ubuntu-latest | |
container: | |
image: zondax/ledger-app-builder:latest | |
options: --user ${{ needs.configure.outputs.uid_gid }} | |
env: | |
BOLOS_SDK: /opt/flex-secure-sdk | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
submodules: true | |
- name: Install deps | |
run: pip install ledgerblue | |
- name: Build Flex | |
shell: bash -l {0} | |
run: | | |
PRODUCTION_BUILD=0 make | |
- name: Set tag | |
id: flex | |
run: echo "tag_name=$(./app/pkg/installer_flex.sh version)" >> $GITHUB_OUTPUT | |
- name: Update Release | |
id: update_release_2 | |
uses: softprops/action-gh-release@v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token | |
with: | |
files: ./app/pkg/installer_flex.sh | |
tag_name: ${{ steps.flex.outputs.tag_name }} | |
draft: false | |
prerelease: false | |
fuzzing: | |
name: fuzzing | |
runs-on: ${{ github.repository_owner == 'zondax' && 'zondax-runners' || 'ubuntu-latest' }} | |
container: | |
image: rust:latest | |
steps: | |
- uses: actions/checkout@v3 | |
# Install only the additional dependencies needed for honggfuzz | |
- name: Install system dependencies | |
run: | | |
apt-get update && apt-get install -y \ | |
binutils-dev \ | |
libunwind-dev \ | |
libblocksruntime-dev \ | |
liblzma-dev | |
- name: Install honggfuzz | |
run: cargo install honggfuzz | |
- name: Generate corpus | |
run: | | |
cd app/hfuzz-parser/corpus | |
cargo run | |
# Different fuzzing durations based on trigger | |
- name: Quick fuzz (PR) | |
if: github.event_name == 'push' | |
run: | | |
cd app/hfuzz-parser | |
timeout --preserve-status 5m cargo hfuzz run transaction ../hfuzz_corpus/ | |
- name: Medium fuzz (main) | |
if: github.event_name == 'pull_request' | |
run: | | |
cd app/hfuzz-parser | |
timeout --preserve-status 15m cargo hfuzz run transaction ../hfuzz_corpus/ | |
- name: Extended fuzz (weekly) | |
if: github.event_name == 'schedule' | |
run: | | |
cd app/hfuzz-parser | |
timeout --preserve-status 30m cargo hfuzz run transaction ../hfuzz_corpus/ | |
- name: Check for crashes | |
run: | | |
if ls app/hfuzz-parser/hfuzz_workspace/transaction/SIGABRT.PC.* 1> /dev/null 2>&1; then | |
echo "::error::Crashes found during fuzzing!" | |
exit 1 | |
fi | |
- name: Upload crash artifacts | |
if: failure() | |
uses: actions/upload-artifact@v3 | |
with: | |
name: crash-reports | |
path: | | |
app/hfuzz-parser/hfuzz_workspace/transaction/SIGABRT.PC.* | |
app/hfuzz-parser/hfuzz_workspace/transaction/HONGGFUZZ.REPORT.TXT | |
app/hfuzz-parser/hfuzz_workspace/transaction/input/ | |
- name: Cache corpus | |
uses: actions/cache@v3 | |
with: | |
path: app/hfuzz_corpus | |
key: ${{ runner.os }}-fuzz-corpus-${{ github.sha }} | |
restore-keys: | | |
${{ runner.os }}-fuzz-corpus- | |
- name: Notify on failure | |
if: failure() | |
uses: actions/github-script@v6 | |
with: | |
script: | | |
github.rest.issues.create({ | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
title: 'Fuzzing found crashes', | |
body: 'Fuzzing job failed. Check the artifacts in the workflow run.' | |
}) |