File: ci.yml

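# Copyright (c) 2021 Petr Vorel <pvorel@suse.cz>
#
# Build ima-evm-utils on a matrix of distro containers and, for one Fedora
# leg, run the test suite under a User-Mode Linux (UML) kernel that a separate
# "build" job compiles from the linux-integrity tree.
name: "distros"
on: [push, pull_request]

# Least privilege for GITHUB_TOKEN.  Nothing in this workflow pushes, tags,
# comments or publishes: actions/checkout only needs read access and
# actions/cache does not use GITHUB_TOKEN at all.  Widen per job if a future
# step genuinely needs more.
permissions:
  contents: read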

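jobs:
  build:
    # Resolve the linux-integrity commit to test against and (unless both are
    # already cached for that commit + config) build a UML kernel from it.
    runs-on: ubuntu-latest
    outputs:
      # Commit the UML kernel is built from; the test job uses it to address
      # the same cache entries.
      LINUX_SHA: ${{ steps.last-commit.outputs.LINUX_SHA }}
    name: build
    # A full kernel build; the generous limit is deliberate.
    timeout-minutes: 100
    strategy:
      fail-fast: false

    steps:
      # Floating major tags are mutable; pin to a commit SHA if supply-chain
      # hardening of the workflow itself becomes a requirement.
      - uses: actions/checkout@v3

      - name: Determine last kernel commit
        id: last-commit
        shell: bash
        # Repository variables are handed to the script through the
        # environment rather than expanded into its text, so their contents
        # can never be parsed as shell syntax.
        env:
          LINUX_URL_VAR: ${{ vars.LINUX_URL }}
          LINUX_BRANCH_VAR: ${{ vars.LINUX_BRANCH }}
        run: |
          mkdir linux-integrity
          pushd linux-integrity
          git init
          # Repository variables override the upstream defaults when set.
          LINUX_URL="${LINUX_URL_VAR:-https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git}"
          LINUX_BRANCH="${LINUX_BRANCH_VAR:-next-integrity}"
          git remote add origin "$LINUX_URL"
          # First try a kernel ref named like the ref under test (a topic
          # branch can pair with a matching kernel branch), then fall back to
          # the default integrity branch.  On pull_request events
          # GITHUB_REF_NAME is "<n>/merge", which normally matches nothing.
          LINUX_SHA=$(git ls-remote origin "$GITHUB_REF_NAME" | awk '{print $1}')
          [ -z "$LINUX_SHA" ] && LINUX_SHA=$(git ls-remote origin "$LINUX_BRANCH" | awk '{print $1}')
          # An empty SHA would silently yield a cache key "linux--<hash>"
          # shared by every run and a meaningless git pull later; fail now.
          if [ -z "$LINUX_SHA" ]; then
              echo "error: could not resolve '$LINUX_BRANCH' (or '$GITHUB_REF_NAME') on $LINUX_URL" >&2
              exit 1
          fi
          echo "LINUX_SHA=$LINUX_SHA" >> "$GITHUB_OUTPUT"
          popd

      # The UML kernel and its build-time signing key are cached under the
      # (kernel commit, kernel config) pair so the test job can reuse them.
      - name: Cache UML kernel
        id: cache-linux
        uses: actions/cache@v3
        with:
          path: linux
          key: linux-${{ steps.last-commit.outputs.LINUX_SHA }}-${{ hashFiles('**/kernel-configs/*') }}

      # certs/signing_key.pem is the key the kernel build generates for itself
      # to sign its own modules.  Caches written on the default branch are
      # restorable by pull_request workflows, so this private key is
      # effectively public: treat it strictly as a test fixture for the UML
      # kernel and never trust it anywhere else.
      - name: Cache signing key
        id: cache-key
        uses: actions/cache@v3
        with:
          path: signing_key.pem
          key: signing_key.pem-${{ steps.last-commit.outputs.LINUX_SHA }}-${{ hashFiles('**/kernel-configs/*') }}

      - name: Compile UML kernel
        # Rebuild if either artifact is missing; actions/cache saves only the
        # entries that missed, when the job ends.
        if: steps.cache-linux.outputs.cache-hit != 'true' || steps.cache-key.outputs.cache-hit != 'true'
        shell: bash
        env:
          LINUX_SHA: ${{ steps.last-commit.outputs.LINUX_SHA }}
        run: |
          # NOTE(review): DEVTOOLSET and ARCH are not set in this job's
          # environment, so these guards look like no-ops here -- presumably
          # kept in step with the distro CI scripts; confirm before removing.
          if [ "$DEVTOOLSET" = "yes" ]; then
                  source /opt/rh/devtoolset-10/enable
          fi
          if [ "$ARCH" = "i386" ]; then
                  CROSS_COMPILE_OPT="CROSS_COMPILE=i686-linux-gnu-"
          fi
          pushd linux-integrity
          # Fetch exactly the resolved commit (shallow), not a branch tip that
          # may have moved since it was resolved.
          git pull --depth 1 origin "$LINUX_SHA"
          make ARCH=um defconfig
          ./scripts/kconfig/merge_config.sh -m .config ../kernel-configs/*
          # Update manually, to specify ARCH=um
          make ARCH=um olddefconfig
          # Make everything built-in
          make ARCH=um localyesconfig
          make ARCH=um $CROSS_COMPILE_OPT -j$(nproc)
          chmod +x linux
          # Stage both artifacts at the paths the cache steps above expect.
          cp linux ..
          cp certs/signing_key.pem ..
          popd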

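  job:
    # Build (and, for native legs, test) on each container in the matrix.
    # The Fedora entry with TST_ENV=um additionally runs the tests under the
    # UML kernel produced by the "build" job.
    needs: build
    runs-on: ubuntu-latest

    strategy:
      fail-fast: false
      matrix:
        include:
          # 32bit build
          - container: "debian:stable"
            env:
              CC: gcc
              ARCH: i386
              TSS: tpm2-tss
              VARIANT: i386
              # Exact OpenSSL 3.0.x tarball that tests/install-openssl3.sh
              # builds for this leg; a build-test fixture, not what ships.
              COMPILE_SSL: openssl-3.0.5

          # cross compilation builds
          - container: "debian:stable"
            env:
              ARCH: ppc64el
              CC: powerpc64le-linux-gnu-gcc
              TSS: ibmtss
              VARIANT: cross-compile

          - container: "debian:stable"
            env:
              ARCH: arm64
              CC: aarch64-linux-gnu-gcc
              TSS: tpm2-tss
              VARIANT: cross-compile

          - container: "debian:stable"
            env:
              ARCH: s390x
              CC: s390x-linux-gnu-gcc
              TSS: ibmtss
              VARIANT: cross-compile

          # musl (native)
          - container: "alpine:latest"
            env:
              CC: gcc
              TSS: tpm2-tss

          # glibc (gcc/clang)
          - container: "opensuse/tumbleweed"
            env:
              CC: clang
              TSS: ibmtss

          - container: "opensuse/leap"
            env:
              CC: gcc
              TSS: tpm2-tss

          - container: "ubuntu:jammy"
            env:
              CC: gcc
              TSS: ibmtss
              COMPILE_SSL: openssl-3.0.5

          - container: "ubuntu:xenial"
            env:
              CC: clang
              TSS: tpm2-tss

          - container: "fedora:latest"
            env:
              CC: clang
              TSS: ibmtss

          # Same as the Fedora leg above, but runs the tests inside the UML
          # kernel restored from cache below.
          - container: "fedora:latest"
            env:
              CC: clang
              TSS: ibmtss
              TST_ENV: um
              TST_KERNEL: ../linux

          - container: "centos:7"
            env:
              CC: gcc
              TSS: tpm2-tss

          - container: "debian:testing"
            env:
              CC: clang
              TSS: tpm2-tss

          - container: "debian:stable"
            env:
              CC: clang
              TSS: ibmtss

          - container: "alt:sisyphus"
            env:
              CC: gcc
              TSS: libtpm2-tss-devel

    container:
      image: ${{ matrix.container }}
      env: ${{ matrix.env }}
      # --privileged, the loop-control device and the host's /dev/shm appear
      # to be needed by the loopback/UML based tests.  --privileged removes
      # the container boundary toward the runner VM, so nothing secret should
      # ever be mounted into or passed to these jobs.
      options: --privileged --device /dev/loop-control -v /dev/shm:/dev/shm

    steps:
    - name: Show OS
      run: cat /etc/os-release

    # NOTE(review): intentionally older than the build job's checkout@v3 --
    # presumably because newer Node-based checkout releases do not run on the
    # oldest images in the matrix (centos:7, ubuntu:xenial).  Verify on those
    # images before bumping.
    - name: Git checkout
      uses: actions/checkout@v1

    - name: Install additional packages
      # Matrix values come from this file, but pass them via env anyway so
      # the script text never contains expanded expressions.
      env:
        CONTAINER: ${{ matrix.container }}
      run: |
        # Map "owner/image:tag" to the distro script name, e.g.
        # "debian:stable" -> ci/debian.sh, "opensuse/leap" -> ci/opensuse.sh.
        INSTALL="${CONTAINER%%:*}"
        INSTALL="${INSTALL%%/*}"
        if [ "$VARIANT" ]; then ARCH="$ARCH" ./ci/$INSTALL.$VARIANT.sh; fi
        ARCH="$ARCH" CC="$CC" TSS="$TSS" ./ci/$INSTALL.sh

    - name: Build openSSL
      # Only legs that pin COMPILE_SSL build their own OpenSSL.
      run: |
        if [ "$COMPILE_SSL" ]; then
          COMPILE_SSL="$COMPILE_SSL" VARIANT="$VARIANT" ./tests/install-openssl3.sh; \
        fi

    - name: Build swtpm
      # Native legs only: use a packaged TPM simulator if one is present,
      # otherwise build swtpm when the IBM TSS tools are available.
      run: |
        if [ ! "$VARIANT" ]; then
          which tpm_server || which swtpm || \
            if which tssstartup; then
              ./tests/install-swtpm.sh;
            fi
        fi

    # Both restores must hit: the build job saved these entries when it
    # finished.  actions/cache does not fail the step on a miss by itself,
    # which would leave ./linux absent and the UML tests running against
    # nothing useful, so turn a miss into a hard failure.
    - name: Retrieve UML kernel
      if: ${{ matrix.env.TST_ENV }}
      uses: actions/cache@v3
      continue-on-error: false
      with:
        path: linux
        key: linux-${{ needs.build.outputs.LINUX_SHA }}-${{ hashFiles('**/kernel-configs/*') }}
        fail-on-cache-miss: true

    # The kernel's own build-time module signing key (see the build job);
    # public to anyone who can run this workflow, so a test fixture only.
    - name: Retrieve signing key
      if: ${{ matrix.env.TST_ENV }}
      continue-on-error: false
      uses: actions/cache@v3
      with:
        path: signing_key.pem
        key: signing_key.pem-${{ needs.build.outputs.LINUX_SHA }}-${{ hashFiles('**/kernel-configs/*') }}
        fail-on-cache-miss: true

    - name: Compiler version
      run: $CC --version

    - name: Compile
      run: CC="$CC" VARIANT="$VARIANT" COMPILE_SSL="$COMPILE_SSL" TST_ENV="$TST_ENV" TST_KERNEL="$TST_KERNEL" ./build.sh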