Merge pull request #183 from Zondax/feat/improvements #371

Workflow file for this run

	name: Build
	on:
	workflow_dispatch:
	push:
	pull_request:
	branches:
	- main
	- develop
	- master # for safety reasons
	- dev # for safety reasons

	jobs:
	configure:
	runs-on: ubuntu-latest
	outputs:
	uid_gid: ${{ steps.get-user.outputs.uid_gid }}
	steps:
	- id: get-user
	run: echo "uid_gid=$(id -u):$(id -g)" >> $GITHUB_OUTPUT

	rust_tests:
	runs-on: ubuntu-latest
	container:
	image: zondax/rust-ci:latest
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	with:
	submodules: true
	- name: Cache/restore Cargo dependencies
	uses: actions/cache@v3
	with:
	path: ./app/rust/.cargo
	key: ${{ runner.os }}-${{ hashFiles('./Cargo.lock') }}
	restore-keys: \|
	${{ runner.os }}-${{ github.sha }}
	- name: run rust tests
	run: make rust_test

	clippy:
	runs-on: ubuntu-latest
	container:
	image: zondax/rust-ci:latest
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	with:
	submodules: true
	- name: Cache/restore Cargo dependencies
	uses: actions/cache@v3
	with:
	path: ./app/rust/.cargo
	key: ${{ runner.os }}-${{ hashFiles('./Cargo.lock') }}
	restore-keys: \|
	${{ runner.os }}-${{ github.sha }}
	- name: clippy
	run: \|
	cd ./app/rust
	cargo clippy --all-targets --features "clippy"
	- name: cargo fmt
	run: \|
	cd ./app/rust
	cargo fmt

	build_ledger:
	needs: configure
	runs-on: ubuntu-latest
	container:
	image: zondax/ledger-app-builder:latest
	options: --user ${{ needs.configure.outputs.uid_gid }}
	env:
	BOLOS_SDK: /opt/nanos-secure-sdk
	outputs:
	size: ${{steps.build.outputs.size}}
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	with:
	submodules: recursive
	- name: Build Standard app
	id: build
	shell: bash -l {0}
	run: \|
	make PRODUCTION_BUILD=1
	echo "size=$(python3 deps/ledger-zxlib/scripts/getSize.py s)" >> $GITHUB_OUTPUT

	size_nano_s:
	needs: build_ledger
	runs-on: ubuntu-latest
	continue-on-error: true
	env:
	NANOS_LIMIT_SIZE: 136
	steps:
	- run: \|
	echo "LNS app size: ${{needs.build_ledger.outputs.size}} KiB"
	[ ${{needs.build_ledger.outputs.size}} -le $NANOS_LIMIT_SIZE ]

	test_zemu:
	runs-on: ubuntu-latest
	steps:
	- name: Test
	run: \|
	id
	echo $HOME
	echo $DISPLAY
	- name: Checkout
	uses: actions/checkout@v4
	with:
	submodules: true
	- run: sudo apt-get update -y && sudo apt-get install -y libusb-1.0.0 libudev-dev
	- name: Install rust
	uses: actions-rs/toolchain@v1
	with:
	toolchain: stable
	- name: Install node
	uses: actions/setup-node@v3
	- name: Install yarn
	run: \|
	npm install -g yarn
	- name: Build and run zemu tests
	run: \|
	make test_all
	- name: Upload Snapshots (only failure)
	if: ${{ failure() }}
	uses: actions/upload-artifact@v4
	with:
	name: snapshots-tmp
	path: tests_zemu/snapshots-tmp/

	build_package_nanos:
	needs: [configure, build_ledger, test_zemu, rust_tests]
	if: ${{ github.ref == 'refs/heads/main' }}
	runs-on: ubuntu-latest
	container:
	image: zondax/ledger-app-builder:latest
	options: --user ${{ needs.configure.outputs.uid_gid }}
	env:
	BOLOS_SDK: /opt/nanos-secure-sdk
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	with:
	submodules: recursive
	- name: Install deps
	run: pip install ledgerblue

	- name: Build NanoS
	shell: bash -l {0}
	run: \|
	PRODUCTION_BUILD=0 make
	mv ./app/pkg/installer_s.sh ./app/pkg/installer_nanos.sh
	- name: Set tag
	id: nanos
	run: echo "tag_name=$(./app/pkg/installer_nanos.sh version)" >> $GITHUB_OUTPUT
	- name: Create or Update Release (1)
	id: create_release_0
	uses: softprops/action-gh-release@v1
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
	with:
	files: ./app/pkg/installer_nanos.sh
	tag_name: ${{ steps.nanos.outputs.tag_name }}
	draft: false
	prerelease: false

	build_package_nanosp:
	needs: [configure, build_ledger, test_zemu, rust_tests]
	if: ${{ github.ref == 'refs/heads/main' }}
	runs-on: ubuntu-latest
	container:
	image: zondax/ledger-app-builder:latest
	options: --user ${{ needs.configure.outputs.uid_gid }}
	env:
	BOLOS_SDK: /opt/nanosplus-secure-sdk
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	with:
	submodules: recursive
	- name: Install deps
	run: pip install ledgerblue

	- name: Build NanoSP
	shell: bash -l {0}
	run: \|
	PRODUCTION_BUILD=0 make
	mv ./app/pkg/installer_s2.sh ./app/pkg/installer_nanos_plus.sh
	- name: Set tag
	id: nanosp
	run: echo "tag_name=$(./app/pkg/installer_nanos_plus.sh version)" >> $GITHUB_OUTPUT
	- name: Update Release
	id: update_release_2
	uses: softprops/action-gh-release@v1
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
	with:
	files: ./app/pkg/installer_nanos_plus.sh
	tag_name: ${{ steps.nanosp.outputs.tag_name }}
	draft: false
	prerelease: false

	build_package_stax:
	needs: [configure, build_ledger, test_zemu, rust_tests]
	if: ${{ github.ref == 'refs/heads/main' }}
	runs-on: ubuntu-latest
	container:
	image: zondax/ledger-app-builder:latest
	options: --user ${{ needs.configure.outputs.uid_gid }}
	env:
	BOLOS_SDK: /opt/stax-secure-sdk
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	with:
	submodules: true
	- name: Install deps
	run: pip install ledgerblue

	- name: Build Stax
	shell: bash -l {0}
	run: \|
	PRODUCTION_BUILD=0 make
	- name: Set tag
	id: stax
	run: echo "tag_name=$(./app/pkg/installer_stax.sh version)" >> $GITHUB_OUTPUT
	- name: Update Release
	id: update_release_2
	uses: softprops/action-gh-release@v1
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
	with:
	files: ./app/pkg/installer_stax.sh
	tag_name: ${{ steps.stax.outputs.tag_name }}
	draft: false
	prerelease: false

	build_package_flex:
	needs: [configure, build_ledger, test_zemu, rust_tests]
	if: ${{ github.ref == 'refs/heads/main' }}
	runs-on: ubuntu-latest
	container:
	image: zondax/ledger-app-builder:latest
	options: --user ${{ needs.configure.outputs.uid_gid }}
	env:
	BOLOS_SDK: /opt/flex-secure-sdk
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	with:
	submodules: true
	- name: Install deps
	run: pip install ledgerblue

	- name: Build Flex
	shell: bash -l {0}
	run: \|
	PRODUCTION_BUILD=0 make
	- name: Set tag
	id: flex
	run: echo "tag_name=$(./app/pkg/installer_flex.sh version)" >> $GITHUB_OUTPUT
	- name: Update Release
	id: update_release_2
	uses: softprops/action-gh-release@v1
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
	with:
	files: ./app/pkg/installer_flex.sh
	tag_name: ${{ steps.flex.outputs.tag_name }}
	draft: false
	prerelease: false

	fuzzing:
	name: fuzzing
	runs-on: ${{ github.repository_owner == 'zondax' && 'zondax-runners' \|\| 'ubuntu-latest' }}
	container:
	image: rust:latest
	steps:
	- uses: actions/checkout@v3

	# Install only the additional dependencies needed for honggfuzz
	- name: Install system dependencies
	run: \|
	apt-get update && apt-get install -y \
	binutils-dev \
	libunwind-dev \
	libblocksruntime-dev \
	liblzma-dev

	- name: Install honggfuzz
	run: cargo install honggfuzz

	- name: Generate corpus
	run: \|
	cd app/hfuzz-parser/corpus
	cargo run

	# Different fuzzing durations based on trigger
	- name: Quick fuzz (PR)
	if: github.event_name == 'push'
	run: \|
	cd app/hfuzz-parser
	timeout --preserve-status 5m cargo hfuzz run transaction ../hfuzz_corpus/

	- name: Medium fuzz (main)
	if: github.event_name == 'pull_request'
	run: \|
	cd app/hfuzz-parser
	timeout --preserve-status 15m cargo hfuzz run transaction ../hfuzz_corpus/

	- name: Extended fuzz (weekly)
	if: github.event_name == 'schedule'
	run: \|
	cd app/hfuzz-parser
	timeout --preserve-status 30m cargo hfuzz run transaction ../hfuzz_corpus/

	- name: Check for crashes
	run: \|
	if ls app/hfuzz-parser/hfuzz_workspace/transaction/SIGABRT.PC.* 1> /dev/null 2>&1; then
	echo "::error::Crashes found during fuzzing!"
	exit 1
	fi

	- name: Upload crash artifacts
	if: failure()
	uses: actions/upload-artifact@v3
	with:
	name: crash-reports
	path: \|
	app/hfuzz-parser/hfuzz_workspace/transaction/SIGABRT.PC.*
	app/hfuzz-parser/hfuzz_workspace/transaction/HONGGFUZZ.REPORT.TXT
	app/hfuzz-parser/hfuzz_workspace/transaction/input/

	- name: Cache corpus
	uses: actions/cache@v3
	with:
	path: app/hfuzz_corpus
	key: ${{ runner.os }}-fuzz-corpus-${{ github.sha }}
	restore-keys: \|
	${{ runner.os }}-fuzz-corpus-

	- name: Notify on failure
	if: failure()
	uses: actions/github-script@v6
	with:
	script: \|
	github.rest.issues.create({
	owner: context.repo.owner,
	repo: context.repo.repo,
	title: 'Fuzzing found crashes',
	body: 'Fuzzing job failed. Check the artifacts in the workflow run.'
	})

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Merge pull request #183 from Zondax/feat/improvements #371

Workflow file

Merge pull request #183 from Zondax/feat/improvements #371

Jobs

Run details

Workflow file for this run