Skip to content

Add actions permission monitor to CI #1548

Add actions permission monitor to CI

Add actions permission monitor to CI #1548

Workflow file for this run

name: ci
on:
pull_request:
branches: [ main ]
push:
branches: [ main ]
permissions:
actions: read
contents: read
security-events: write
concurrency:
group: ci-${{ github.ref }}
cancel-in-progress: true
jobs:
init:
runs-on: ${{ matrix.os }}
strategy:
matrix:
os:
- 'ubuntu-20.04'
- 'ubuntu-latest'
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
with:
config: ${{ vars.PERMISSIONS_CONFIG }}
- uses: actions/checkout@v4
- name: Install dependencies
run: |
sudo apt-get update -q
sudo apt-get install -y\
build-essential flex bison libjson-c-dev liblzo2-dev \
libglib2.0-dev meson ninja-build lld llvm clang
- name: Get submodule hashes version
id: get-hash
run: |
echo XEN_HASH=$(git submodule | grep xen | awk '{ print $1 }') >> $GITHUB_OUTPUT
echo LIBVMI_HASH=$(git submodule | grep libvmi | awk '{ print $1 }') >> $GITHUB_OUTPUT
- name: Cache Xen debball
id: cache-xen
uses: actions/cache@v4
with:
path: xen/dist
key: xen-${{ matrix.os }}-${{ steps.get-hash.outputs.XEN_HASH }}
- name: Create Xen debball
if: steps.cache-xen.outputs.cache-hit != 'true'
run: |
sudo apt-get install -y \
wget git bcc bin86 gawk bridge-utils iproute2 libcurl4-openssl-dev \
bzip2 libpci-dev libc6-dev linux-libc-dev zlib1g-dev libncurses5-dev \
patch libvncserver-dev libssl-dev iasl libbz2-dev e2fslibs-dev git-core \
uuid-dev ocaml libx11-dev bison flex ocaml-findlib xz-utils gettext \
libyajl-dev libpixman-1-dev libaio-dev libfdt-dev cabextract libfuse-dev \
liblzma-dev kpartx python3-dev python3-pip golang libsystemd-dev ninja-build
rm -rfv xen
git submodule update --init xen
cd xen
./configure --enable-githttp --disable-pvshim --disable-stubdom --disable-docs
make -j2 debball
cd ..
- name: Install Xen debball
run: |
sudo apt-get install -f ./xen/dist/xen-*.deb
sudo ldconfig
- name: Cache Libvmi files
id: cache-libvmi
uses: actions/cache@v4
with:
path: libvmi/dist
key: libvmi-${{ matrix.os }}-${{ steps.get-hash.outputs.LIBVMI_HASH }}
- name: Build LibVMI
if: steps.cache-libvmi.outputs.cache-hit != 'true'
run: |
rm -rfv libvmi
sudo apt-get install -y build-essential autoconf-archive automake libtool flex bison libjson-c-dev debhelper
git submodule update --init libvmi
cd libvmi
sed -i 's/--disable-kvm/--disable-kvm --disable-file --disable-bareflank --disable-examples --disable-vmifs/g' debian/rules
dpkg-buildpackage -B
mkdir dist
mv ../*.deb dist/
- name: Install LibVMI
run: |
cd libvmi/dist
sudo apt install -f ./*.deb
sudo ldconfig
cd ../..
outputs:
XEN_HASH: ${{ steps.get-hash.outputs.XEN_HASH }}
LIBVMI_HASH: ${{ steps.get-hash.outputs.LIBVMI_HASH }}
compile:
runs-on: ${{ matrix.os }}
if: ${{ github.event_name == 'pull_request' }}
needs:
- init
strategy:
matrix:
os:
- 'ubuntu-20.04'
- 'ubuntu-latest'
flags:
- ''
- '-Dbuildtype=debug -Db_lto=false'
- '-Dbuildtype=debug -Db_lto=false -Dplugin-syscalls=false'
- '-Dbuildtype=debug -Db_lto=false -Db_sanitize=address,undefined'
- '-Dbuildtype=debug -Db_lto=false -Drepl=true'
- '-Dbuildtype=debug -Db_lto=false -Dthreadsafety=true'
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
with:
config: ${{ vars.PERMISSIONS_CONFIG }}
- uses: actions/checkout@v4
- name: Install dependencies
run: |
sudo apt-get update -q
sudo apt-get install -y \
clang llvm lld build-essential flex bison \
libjson-c-dev liblzo2-dev libglib2.0-dev meson ninja-build
sudo pip3 install ctypesgen ipython
- name: Cache Xen debball
uses: actions/cache@v4
with:
path: xen/dist
key: xen-${{ matrix.os }}-${{ needs.init.outputs.XEN_HASH }}
- name: Cache Libvmi files
uses: actions/cache@v4
with:
path: libvmi/dist
key: libvmi-${{ matrix.os }}-${{ needs.init.outputs.LIBVMI_HASH }}
- name: Install Xen debball
run: |
sudo apt-get install -f ./xen/dist/xen-*.deb
- name: Install LibVMI
run: |
cd libvmi/dist
sudo apt install -f ./*.deb
sudo ldconfig
cd ../..
- name: Compile ${{ matrix.flags }}
run: |
meson setup build --native-file llvm.ini ${{ matrix.flags }}
ninja -C build
tarbuild:
name: Build using autoconf tarball
runs-on: ${{ matrix.os }}
needs:
- init
strategy:
fail-fast: false
matrix:
os:
- 'ubuntu-20.04'
- 'ubuntu-latest'
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
with:
config: ${{ vars.PERMISSIONS_CONFIG }}
- name: Checkout repository
uses: actions/checkout@v4
- name: Install dependencies
run: |
sudo apt-get update -q
sudo apt-get install -y \
clang autoconf-archive automake \
libjson-c-dev liblzo2-dev libglib2.0-dev
sudo pip3 install ctypesgen ipython
- name: Cache Xen debball
uses: actions/cache@v4
with:
path: xen/dist
key: xen-${{ matrix.os }}-${{ needs.init.outputs.XEN_HASH }}
- name: Cache Libvmi files
uses: actions/cache@v4
with:
path: libvmi/dist
key: libvmi-${{ matrix.os }}-${{ needs.init.outputs.LIBVMI_HASH }}
- name: Install Xen debball
run: |
sudo apt-get install -f ./xen/dist/xen-*.deb
- name: Install LibVMI
run: |
cd libvmi/dist
sudo apt install -f ./*.deb
sudo ldconfig
cd ../..
- name: autoreconf
run: autoreconf -vif
- name: Compile from make dist tarball
env:
CC: clang
CXX: clang++
run: |
./configure
make -j2 dist
mkdir build && cd build
tar xvf ../drakvuf-*.tar.gz
cd *drakvuf*
./autogen.sh
./configure
make -j2
codeql-analyze:

Check failure on line 227 in .github/workflows/ci.yml

View workflow run for this annotation

GitHub Actions / .github/workflows/ci.yml

Invalid workflow file

You have an error in your yaml syntax on line 227
name: Code QL Analyze
runs-on: ${{ matrix.os }}
needs:
- init
strategy:
fail-fast: false
matrix:
os:
- 'ubuntu-20.04'
- 'ubuntu-latest'
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
with:
config: ${{ vars.PERMISSIONS_CONFIG }}
- name: Checkout repository
uses: actions/checkout@v4
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: cpp
queries: security-and-quality
- name: Install dependencies
run: |
sudo apt-get update -q
sudo apt-get install -y \
clang llvm lld build-essential libjson-c-dev \
liblzo2-dev libglib2.0-dev meson ninja-build
- name: Cache Xen debball
uses: actions/cache@v4
with:
path: xen/dist
key: xen-${{ matrix.os }}-${{ needs.init.outputs.XEN_HASH }}
- name: Cache Libvmi files
uses: actions/cache@v4
with:
path: libvmi/dist
key: libvmi-${{ matrix.os }}-${{ needs.init.outputs.LIBVMI_HASH }}
- name: Install Xen debball
run: |
sudo apt-get install -f ./xen/dist/xen-*.deb
- name: Install LibVMI
run: |
cd libvmi/dist
sudo apt install -f ./*.deb
sudo ldconfig
cd ../..
- name: Compile and install DRAKVUF
run: |
meson setup build --native-file llvm.ini
ninja -C build
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
scan-build:
runs-on: ubuntu-latest
needs:
- init
if: ${{ github.event_name == 'pull_request' }}
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
with:
config: ${{ vars.PERMISSIONS_CONFIG }}
- uses: actions/checkout@v4
- name: Install dependencies
run: |
# Install packages
sudo apt-get update -q
sudo apt-get install -y \
clang clang-tools-15 llvm lld \
libjson-c-dev meson ninja-build
- name: Cache Xen debball
uses: actions/cache@v4
with:
path: xen/dist
key: xen-ubuntu-latest-${{ needs.init.outputs.XEN_HASH }}
- name: Cache Libvmi files
uses: actions/cache@v4
with:
path: libvmi/dist
key: libvmi-ubuntu-latest-${{ needs.init.outputs.LIBVMI_HASH }}
- name: Install Xen debball
run: |
sudo apt-get install -f ./xen/dist/xen-*.deb
- name: Install LibVMI
run: |
cd libvmi/dist
sudo apt install -f ./*.deb
sudo ldconfig
cd ../..
- name: Scan build
run: |
meson setup build --buildtype debug --native-file llvm.ini
analyze-build-15 -v --cdb build/compile_commands.json \
--status-bugs \
--disable-checker deadcode.DeadStores
cognitive-complexity:
runs-on: ubuntu-latest
needs:
- init
if: ${{ github.event_name == 'pull_request' }}
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
with:
config: ${{ vars.PERMISSIONS_CONFIG }}
- uses: actions/checkout@v4
- name: Install dependencies
run: |
# Install packages
sudo apt-get update -q
sudo apt-get install -y \
clang clang-tools clang-tidy llvm lld \
libjson-c-dev meson ninja-build
- name: Cache Xen debball
uses: actions/cache@v4
with:
path: xen/dist
key: xen-ubuntu-latest-${{ needs.init.outputs.XEN_HASH }}
- name: Cache Libvmi files
uses: actions/cache@v4
with:
path: libvmi/dist
key: libvmi-ubuntu-latest-${{ needs.init.outputs.LIBVMI_HASH }}
- name: Install Xen debball
run: |
sudo apt-get install -f ./xen/dist/xen-*.deb
- name: Install LibVMI
run: |
cd libvmi/dist
sudo apt install -f ./*.deb
sudo ldconfig
cd ../..
- name: Calculate cognitive complexity for pr
env:
CC: clang
CXX: clang++
run: |
cp scripts/complexity.sh /tmp
/tmp/complexity.sh
mv complexity.log /tmp/complexity.log
- uses: actions/checkout@v4
with:
ref: main
- name: Calculate cognitive complexity for main
env:
CC: clang
CXX: clang++
run: /tmp/complexity.sh
- name: compare complexity
run: |
FUNCTIONS=$(tail -2 complexity.log | head -1 | awk '{ print $2 }')
THRESHOLD=$(tail -1 complexity.log | awk '{ print $2 }')
CURRENT_FUNCTIONS=$(tail -2 /tmp/complexity.log | head -1 | awk '{ print $2 }')
COMPLEXITY=$(tail -1 /tmp/complexity.log | awk '{ print $2 }')
echo "Complexity: $THRESHOLD" >> $GITHUB_STEP_SUMMARY
echo "Complex functions: $FUNCTIONS" >> $GITHUB_STEP_SUMMARY
echo "Complex functions with PR: $CURRENT_FUNCTIONS" >> $GITHUB_STEP_SUMMARY
echo "Total complexity with PR: $COMPLEXITY" >> $GITHUB_STEP_SUMMARY
if [ $CURRENT_FUNCTIONS -gt $FUNCTIONS ] || [ $COMPLEXITY -gt $THRESHOLD ]; then
echo "## Complexity reduction in scope" >> $GITHUB_STEP_SUMMARY
echo "Please don't increase complexity of existing complex functions or introduce new ones"
echo "Showing diff of main (<) and this PR (>)"
diff complexity.log /tmp/complexity.log | egrep '>|<'
exit 1
fi