Add actions permission monitor to CI #1548
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: ci | ||
on: | ||
pull_request: | ||
branches: [ main ] | ||
push: | ||
branches: [ main ] | ||
permissions: | ||
actions: read | ||
contents: read | ||
security-events: write | ||
concurrency: | ||
group: ci-${{ github.ref }} | ||
cancel-in-progress: true | ||
jobs: | ||
init: | ||
runs-on: ${{ matrix.os }} | ||
strategy: | ||
matrix: | ||
os: | ||
- 'ubuntu-20.04' | ||
- 'ubuntu-latest' | ||
steps: | ||
- uses: GitHubSecurityLab/actions-permissions/monitor@v1 | ||
with: | ||
config: ${{ vars.PERMISSIONS_CONFIG }} | ||
- uses: actions/checkout@v4 | ||
- name: Install dependencies | ||
run: | | ||
sudo apt-get update -q | ||
sudo apt-get install -y\ | ||
build-essential flex bison libjson-c-dev liblzo2-dev \ | ||
libglib2.0-dev meson ninja-build lld llvm clang | ||
- name: Get submodule hashes version | ||
id: get-hash | ||
run: | | ||
echo XEN_HASH=$(git submodule | grep xen | awk '{ print $1 }') >> $GITHUB_OUTPUT | ||
echo LIBVMI_HASH=$(git submodule | grep libvmi | awk '{ print $1 }') >> $GITHUB_OUTPUT | ||
- name: Cache Xen debball | ||
id: cache-xen | ||
uses: actions/cache@v4 | ||
with: | ||
path: xen/dist | ||
key: xen-${{ matrix.os }}-${{ steps.get-hash.outputs.XEN_HASH }} | ||
- name: Create Xen debball | ||
if: steps.cache-xen.outputs.cache-hit != 'true' | ||
run: | | ||
sudo apt-get install -y \ | ||
wget git bcc bin86 gawk bridge-utils iproute2 libcurl4-openssl-dev \ | ||
bzip2 libpci-dev libc6-dev linux-libc-dev zlib1g-dev libncurses5-dev \ | ||
patch libvncserver-dev libssl-dev iasl libbz2-dev e2fslibs-dev git-core \ | ||
uuid-dev ocaml libx11-dev bison flex ocaml-findlib xz-utils gettext \ | ||
libyajl-dev libpixman-1-dev libaio-dev libfdt-dev cabextract libfuse-dev \ | ||
liblzma-dev kpartx python3-dev python3-pip golang libsystemd-dev ninja-build | ||
rm -rfv xen | ||
git submodule update --init xen | ||
cd xen | ||
./configure --enable-githttp --disable-pvshim --disable-stubdom --disable-docs | ||
make -j2 debball | ||
cd .. | ||
- name: Install Xen debball | ||
run: | | ||
sudo apt-get install -f ./xen/dist/xen-*.deb | ||
sudo ldconfig | ||
- name: Cache Libvmi files | ||
id: cache-libvmi | ||
uses: actions/cache@v4 | ||
with: | ||
path: libvmi/dist | ||
key: libvmi-${{ matrix.os }}-${{ steps.get-hash.outputs.LIBVMI_HASH }} | ||
- name: Build LibVMI | ||
if: steps.cache-libvmi.outputs.cache-hit != 'true' | ||
run: | | ||
rm -rfv libvmi | ||
sudo apt-get install -y build-essential autoconf-archive automake libtool flex bison libjson-c-dev debhelper | ||
git submodule update --init libvmi | ||
cd libvmi | ||
sed -i 's/--disable-kvm/--disable-kvm --disable-file --disable-bareflank --disable-examples --disable-vmifs/g' debian/rules | ||
dpkg-buildpackage -B | ||
mkdir dist | ||
mv ../*.deb dist/ | ||
- name: Install LibVMI | ||
run: | | ||
cd libvmi/dist | ||
sudo apt install -f ./*.deb | ||
sudo ldconfig | ||
cd ../.. | ||
outputs: | ||
XEN_HASH: ${{ steps.get-hash.outputs.XEN_HASH }} | ||
LIBVMI_HASH: ${{ steps.get-hash.outputs.LIBVMI_HASH }} | ||
compile: | ||
runs-on: ${{ matrix.os }} | ||
if: ${{ github.event_name == 'pull_request' }} | ||
needs: | ||
- init | ||
strategy: | ||
matrix: | ||
os: | ||
- 'ubuntu-20.04' | ||
- 'ubuntu-latest' | ||
flags: | ||
- '' | ||
- '-Dbuildtype=debug -Db_lto=false' | ||
- '-Dbuildtype=debug -Db_lto=false -Dplugin-syscalls=false' | ||
- '-Dbuildtype=debug -Db_lto=false -Db_sanitize=address,undefined' | ||
- '-Dbuildtype=debug -Db_lto=false -Drepl=true' | ||
- '-Dbuildtype=debug -Db_lto=false -Dthreadsafety=true' | ||
steps: | ||
- uses: GitHubSecurityLab/actions-permissions/monitor@v1 | ||
with: | ||
config: ${{ vars.PERMISSIONS_CONFIG }} | ||
- uses: actions/checkout@v4 | ||
- name: Install dependencies | ||
run: | | ||
sudo apt-get update -q | ||
sudo apt-get install -y \ | ||
clang llvm lld build-essential flex bison \ | ||
libjson-c-dev liblzo2-dev libglib2.0-dev meson ninja-build | ||
sudo pip3 install ctypesgen ipython | ||
- name: Cache Xen debball | ||
uses: actions/cache@v4 | ||
with: | ||
path: xen/dist | ||
key: xen-${{ matrix.os }}-${{ needs.init.outputs.XEN_HASH }} | ||
- name: Cache Libvmi files | ||
uses: actions/cache@v4 | ||
with: | ||
path: libvmi/dist | ||
key: libvmi-${{ matrix.os }}-${{ needs.init.outputs.LIBVMI_HASH }} | ||
- name: Install Xen debball | ||
run: | | ||
sudo apt-get install -f ./xen/dist/xen-*.deb | ||
- name: Install LibVMI | ||
run: | | ||
cd libvmi/dist | ||
sudo apt install -f ./*.deb | ||
sudo ldconfig | ||
cd ../.. | ||
- name: Compile ${{ matrix.flags }} | ||
run: | | ||
meson setup build --native-file llvm.ini ${{ matrix.flags }} | ||
ninja -C build | ||
tarbuild: | ||
name: Build using autoconf tarball | ||
runs-on: ${{ matrix.os }} | ||
needs: | ||
- init | ||
strategy: | ||
fail-fast: false | ||
matrix: | ||
os: | ||
- 'ubuntu-20.04' | ||
- 'ubuntu-latest' | ||
steps: | ||
- uses: GitHubSecurityLab/actions-permissions/monitor@v1 | ||
with: | ||
config: ${{ vars.PERMISSIONS_CONFIG }} | ||
- name: Checkout repository | ||
uses: actions/checkout@v4 | ||
- name: Install dependencies | ||
run: | | ||
sudo apt-get update -q | ||
sudo apt-get install -y \ | ||
clang autoconf-archive automake \ | ||
libjson-c-dev liblzo2-dev libglib2.0-dev | ||
sudo pip3 install ctypesgen ipython | ||
- name: Cache Xen debball | ||
uses: actions/cache@v4 | ||
with: | ||
path: xen/dist | ||
key: xen-${{ matrix.os }}-${{ needs.init.outputs.XEN_HASH }} | ||
- name: Cache Libvmi files | ||
uses: actions/cache@v4 | ||
with: | ||
path: libvmi/dist | ||
key: libvmi-${{ matrix.os }}-${{ needs.init.outputs.LIBVMI_HASH }} | ||
- name: Install Xen debball | ||
run: | | ||
sudo apt-get install -f ./xen/dist/xen-*.deb | ||
- name: Install LibVMI | ||
run: | | ||
cd libvmi/dist | ||
sudo apt install -f ./*.deb | ||
sudo ldconfig | ||
cd ../.. | ||
- name: autoreconf | ||
run: autoreconf -vif | ||
- name: Compile from make dist tarball | ||
env: | ||
CC: clang | ||
CXX: clang++ | ||
run: | | ||
./configure | ||
make -j2 dist | ||
mkdir build && cd build | ||
tar xvf ../drakvuf-*.tar.gz | ||
cd *drakvuf* | ||
./autogen.sh | ||
./configure | ||
make -j2 | ||
codeql-analyze: | ||
name: Code QL Analyze | ||
runs-on: ${{ matrix.os }} | ||
needs: | ||
- init | ||
strategy: | ||
fail-fast: false | ||
matrix: | ||
os: | ||
- 'ubuntu-20.04' | ||
- 'ubuntu-latest' | ||
steps: | ||
- uses: GitHubSecurityLab/actions-permissions/monitor@v1 | ||
with: | ||
config: ${{ vars.PERMISSIONS_CONFIG }} | ||
- name: Checkout repository | ||
uses: actions/checkout@v4 | ||
# Initializes the CodeQL tools for scanning. | ||
- name: Initialize CodeQL | ||
uses: github/codeql-action/init@v3 | ||
with: | ||
languages: cpp | ||
queries: security-and-quality | ||
- name: Install dependencies | ||
run: | | ||
sudo apt-get update -q | ||
sudo apt-get install -y \ | ||
clang llvm lld build-essential libjson-c-dev \ | ||
liblzo2-dev libglib2.0-dev meson ninja-build | ||
- name: Cache Xen debball | ||
uses: actions/cache@v4 | ||
with: | ||
path: xen/dist | ||
key: xen-${{ matrix.os }}-${{ needs.init.outputs.XEN_HASH }} | ||
- name: Cache Libvmi files | ||
uses: actions/cache@v4 | ||
with: | ||
path: libvmi/dist | ||
key: libvmi-${{ matrix.os }}-${{ needs.init.outputs.LIBVMI_HASH }} | ||
- name: Install Xen debball | ||
run: | | ||
sudo apt-get install -f ./xen/dist/xen-*.deb | ||
- name: Install LibVMI | ||
run: | | ||
cd libvmi/dist | ||
sudo apt install -f ./*.deb | ||
sudo ldconfig | ||
cd ../.. | ||
- name: Compile and install DRAKVUF | ||
run: | | ||
meson setup build --native-file llvm.ini | ||
ninja -C build | ||
- name: Perform CodeQL Analysis | ||
uses: github/codeql-action/analyze@v3 | ||
scan-build: | ||
runs-on: ubuntu-latest | ||
needs: | ||
- init | ||
if: ${{ github.event_name == 'pull_request' }} | ||
steps: | ||
- uses: GitHubSecurityLab/actions-permissions/monitor@v1 | ||
with: | ||
config: ${{ vars.PERMISSIONS_CONFIG }} | ||
- uses: actions/checkout@v4 | ||
- name: Install dependencies | ||
run: | | ||
# Install packages | ||
sudo apt-get update -q | ||
sudo apt-get install -y \ | ||
clang clang-tools-15 llvm lld \ | ||
libjson-c-dev meson ninja-build | ||
- name: Cache Xen debball | ||
uses: actions/cache@v4 | ||
with: | ||
path: xen/dist | ||
key: xen-ubuntu-latest-${{ needs.init.outputs.XEN_HASH }} | ||
- name: Cache Libvmi files | ||
uses: actions/cache@v4 | ||
with: | ||
path: libvmi/dist | ||
key: libvmi-ubuntu-latest-${{ needs.init.outputs.LIBVMI_HASH }} | ||
- name: Install Xen debball | ||
run: | | ||
sudo apt-get install -f ./xen/dist/xen-*.deb | ||
- name: Install LibVMI | ||
run: | | ||
cd libvmi/dist | ||
sudo apt install -f ./*.deb | ||
sudo ldconfig | ||
cd ../.. | ||
- name: Scan build | ||
run: | | ||
meson setup build --buildtype debug --native-file llvm.ini | ||
analyze-build-15 -v --cdb build/compile_commands.json \ | ||
--status-bugs \ | ||
--disable-checker deadcode.DeadStores | ||
cognitive-complexity: | ||
runs-on: ubuntu-latest | ||
needs: | ||
- init | ||
if: ${{ github.event_name == 'pull_request' }} | ||
steps: | ||
- uses: GitHubSecurityLab/actions-permissions/monitor@v1 | ||
with: | ||
config: ${{ vars.PERMISSIONS_CONFIG }} | ||
- uses: actions/checkout@v4 | ||
- name: Install dependencies | ||
run: | | ||
# Install packages | ||
sudo apt-get update -q | ||
sudo apt-get install -y \ | ||
clang clang-tools clang-tidy llvm lld \ | ||
libjson-c-dev meson ninja-build | ||
- name: Cache Xen debball | ||
uses: actions/cache@v4 | ||
with: | ||
path: xen/dist | ||
key: xen-ubuntu-latest-${{ needs.init.outputs.XEN_HASH }} | ||
- name: Cache Libvmi files | ||
uses: actions/cache@v4 | ||
with: | ||
path: libvmi/dist | ||
key: libvmi-ubuntu-latest-${{ needs.init.outputs.LIBVMI_HASH }} | ||
- name: Install Xen debball | ||
run: | | ||
sudo apt-get install -f ./xen/dist/xen-*.deb | ||
- name: Install LibVMI | ||
run: | | ||
cd libvmi/dist | ||
sudo apt install -f ./*.deb | ||
sudo ldconfig | ||
cd ../.. | ||
- name: Calculate cognitive complexity for pr | ||
env: | ||
CC: clang | ||
CXX: clang++ | ||
run: | | ||
cp scripts/complexity.sh /tmp | ||
/tmp/complexity.sh | ||
mv complexity.log /tmp/complexity.log | ||
- uses: actions/checkout@v4 | ||
with: | ||
ref: main | ||
- name: Calculate cognitive complexity for main | ||
env: | ||
CC: clang | ||
CXX: clang++ | ||
run: /tmp/complexity.sh | ||
- name: compare complexity | ||
run: | | ||
FUNCTIONS=$(tail -2 complexity.log | head -1 | awk '{ print $2 }') | ||
THRESHOLD=$(tail -1 complexity.log | awk '{ print $2 }') | ||
CURRENT_FUNCTIONS=$(tail -2 /tmp/complexity.log | head -1 | awk '{ print $2 }') | ||
COMPLEXITY=$(tail -1 /tmp/complexity.log | awk '{ print $2 }') | ||
echo "Complexity: $THRESHOLD" >> $GITHUB_STEP_SUMMARY | ||
echo "Complex functions: $FUNCTIONS" >> $GITHUB_STEP_SUMMARY | ||
echo "Complex functions with PR: $CURRENT_FUNCTIONS" >> $GITHUB_STEP_SUMMARY | ||
echo "Total complexity with PR: $COMPLEXITY" >> $GITHUB_STEP_SUMMARY | ||
if [ $CURRENT_FUNCTIONS -gt $FUNCTIONS ] || [ $COMPLEXITY -gt $THRESHOLD ]; then | ||
echo "## Complexity reduction in scope" >> $GITHUB_STEP_SUMMARY | ||
echo "Please don't increase complexity of existing complex functions or introduce new ones" | ||
echo "Showing diff of main (<) and this PR (>)" | ||
diff complexity.log /tmp/complexity.log | egrep '>|<' | ||
exit 1 | ||
fi |