github-ci: breakout centos 7 to its own workflow #1
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: builds | ||
| on: | ||
| push: | ||
| pull_request: | ||
| workflow_dispatch: | ||
| inputs: | ||
| LIBHTP_REPO: | ||
| LIBHTP_BRANCH: | ||
| SU_REPO: | ||
| SU_BRANCH: | ||
| SV_REPO: | ||
| SV_BRANCH: | ||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.ref }} | ||
| cancel-in-progress: true | ||
| permissions: read-all | ||
| env: | ||
| DEFAULT_SV_REPO: https://github.com/OISF/suricata-verify | ||
| DEFAULT_SV_BRANCH: master | ||
| DEFAULT_CFLAGS: "-Wall -Wextra -Werror -Wno-unused-parameter -Wno-unused-function" | ||
| # Apt sometimes likes to ask for user input, this will prevent that. | ||
| DEBIAN_FRONTEND: "noninteractive" | ||
| # A recent version of stable Rust that is known to pass build, test and other | ||
| # verification steps in this workflow. This was added because using "stable" | ||
| # could cause some steps to fail. | ||
| RUST_VERSION_KNOWN: "1.70.0" | ||
| # The minimum version of Rust supported. | ||
| RUST_VERSION_MIN: "1.63.0" | ||
| jobs: | ||
| prepare-deps: | ||
| name: Prepare dependencies | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Dumping github context for debugging | ||
| run: echo $JSON | ||
| env: | ||
| JSON: ${{ toJSON(github) }} | ||
| - run: sudo apt update && sudo apt -y install jq curl | ||
| - name: Parse repo and branch information | ||
| env: | ||
| # We fetch the actual pull request to get the latest body as | ||
| # github.event.pull_request.body has the body from the | ||
| # initial pull request. | ||
| PR_HREF: ${{ github.event.pull_request._links.self.href }} | ||
| run: | | ||
| if test "${PR_HREF}"; then | ||
| body=$(curl -s "${PR_HREF}" | jq -r .body | tr -d '\r') | ||
| echo "Parsing branch and PR info from:" | ||
| echo "${body}" | ||
| LIBHTP_REPO=$(echo "${body}" | awk -F = '/^LIBHTP_REPO=/ { print $2 }') | ||
| LIBHTP_BRANCH=$(echo "${body}" | awk -F = '/^LIBHTP_BRANCH=/ { print $2 }') | ||
| SU_REPO=$(echo "${body}" | awk -F = '/^SU_REPO=/ { print $2 }') | ||
| SU_BRANCH=$(echo "${body}" | awk -F = '/^SU_BRANCH=/ { print $2 }') | ||
| SV_REPO=$(echo "${body}" | awk -F = '/^SV_REPO=/ { print $2 }') | ||
| SV_BRANCH=$(echo "${body}" | awk -F = '/^SV_BRANCH=/ { print $2 }') | ||
| else | ||
| echo "No pull request body, will use inputs or defaults." | ||
| LIBHTP_REPO=${{ inputs.LIBHTP_REPO }} | ||
| LIBHTP_BRANCH=${{ inputs.LIBHTP_BRANCH }} | ||
| SU_REPO=${{ inputs.SU_REPO }} | ||
| SU_BRANCH=${{ inputs.SU_BRANCH }} | ||
| SV_REPO=${{ inputs.SV_REPO }} | ||
| SV_BRANCH=${{ inputs.SV_BRANCH }} | ||
| fi | ||
| # If the _REPO variables don't contain a full URL, add GitHub. | ||
| if [ "${LIBHTP_REPO}" ] && ! echo "${LIBHTP_REPO}" | grep -q '^https://'; then | ||
| LIBHTP_REPO="https://github.com/${LIBHTP_REPO}" | ||
| fi | ||
| if [ "${SU_REPO}" ] && ! echo "${SU_REPO}" | grep -q '^https://'; then | ||
| SU_REPO="https://github.com/${SU_REPO}" | ||
| fi | ||
| if [ "${SV_REPO}" ] && ! echo "${SV_REPO}" | grep -q '^https://'; then | ||
| SV_REPO="https://github.com/${SV_REPO}" | ||
| fi | ||
| echo LIBHTP_REPO=${LIBHTP_REPO} | tee -a ${GITHUB_ENV} | ||
| echo LIBHTP_BRANCH=${LIBHTP_BRANCH} | tee -a ${GITHUB_ENV} | ||
| echo SU_REPO=${SU_REPO} | tee -a ${GITHUB_ENV} | ||
| echo SU_BRANCH=${SU_BRANCH} | tee -a ${GITHUB_ENV} | ||
| echo SV_REPO=${SV_REPO:-${DEFAULT_SV_REPO}} | tee -a ${GITHUB_ENV} | ||
| echo SV_BRANCH=${SV_BRANCH:-${DEFAULT_SV_BRANCH}} | tee -a ${GITHUB_ENV} | ||
| - name: Annotate output | ||
| run: | | ||
| echo "::notice:: LIBHTP_REPO=${LIBHTP_REPO}" | ||
| echo "::notice:: LIBHTP_BRANCH=${LIBHTP_BRANCH}" | ||
| echo "::notice:: SU_REPO=${SU_REPO}" | ||
| echo "::notice:: SU_BRANCH=${SU_BRANCH}" | ||
| echo "::notice:: SV_REPO=${SV_REPO}" | ||
| echo "::notice:: SV_BRANCH=${SV_BRANCH}" | ||
| # Now checkout Suricata for the bundle script. | ||
| - name: Checking out Suricata | ||
| uses: actions/checkout@v4.1.1 | ||
| - name: Fetching libhtp | ||
| run: | | ||
| DESTDIR=./bundle ./scripts/bundle.sh libhtp | ||
| tar zcf libhtp.tar.gz -C bundle libhtp | ||
| - name: Fetching suricata-update | ||
| run: | | ||
| DESTDIR=./bundle ./scripts/bundle.sh suricata-update | ||
| tar zcf suricata-update.tar.gz -C bundle suricata-update | ||
| - name: Fetching suricata-verify | ||
| run: | | ||
| # Looking for a pull request number. in the SV_BRANCH | ||
| # value. This could be "pr/NNN", "pull/NNN" or a link to an | ||
| # OISF/suricata-verify pull request. | ||
| pr=$(echo "${SV_BRANCH}" | sed -n \ | ||
| -e 's/^https:\/\/github.com\/OISF\/suricata-verify\/pull\/\([0-9]*\)$/\1/p' \ | ||
| -e 's/^pull\/\([0-9]*\)$/\1/p' \ | ||
| -e 's/^pr\/\([0-9]*\)$/\1/p') | ||
| if [ "${pr}" ]; then | ||
| SV_BRANCH="refs/pull/${pr}/head" | ||
| echo "Using suricata-verify pull-request ${SV_BRANCH}" | ||
| else | ||
| echo "Using suricata-verify branch ${SV_BRANCH}" | ||
| fi | ||
| git clone --depth 1 ${SV_REPO} suricata-verify | ||
| cd suricata-verify | ||
| git fetch --depth 1 origin ${SV_BRANCH} | ||
| git -c advice.detachedHead=false checkout FETCH_HEAD | ||
| cd .. | ||
| tar zcf suricata-verify.tar.gz suricata-verify | ||
| - name: Uploading prep archive | ||
| uses: actions/upload-artifact@v3 | ||
| with: | ||
| name: prep | ||
| path: | | ||
| libhtp.tar.gz | ||
| suricata-update.tar.gz | ||
| suricata-verify.tar.gz | ||
| overwrite: true | ||
| prepare-cbindgen: | ||
| name: Prepare cbindgen | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Cache ~/.cargo | ||
| uses: actions/cache@v4.0.0 | ||
| with: | ||
| path: ~/.cargo | ||
| key: ${{ github.job }}-cargo | ||
| - name: Installing Rust | ||
| run: | | ||
| curl https://sh.rustup.rs -sSf | sh -s -- -y | ||
| echo "$HOME/.cargo/bin" >> $GITHUB_PATH | ||
| rustup target add x86_64-unknown-linux-musl | ||
| - name: Building static cbindgen for Linux | ||
| run: | | ||
| cargo install --target x86_64-unknown-linux-musl --debug cbindgen | ||
| cp $HOME/.cargo/bin/cbindgen . | ||
| - name: Uploading cbindgen artifact | ||
| uses: actions/upload-artifact@v3 | ||
| with: | ||
| name: cbindgen | ||
| path: . | ||
| # Actions pinned to v3 for now as the newer ones require a newer glibc: | ||
| # https://github.com/actions/runner/pull/3128 | ||
| centos-7: | ||
| name: CentOS 7 | ||
| runs-on: ubuntu-latest | ||
| container: centos:7 | ||
| needs: [prepare-deps, debian-12-dist] | ||
| steps: | ||
| - name: Cache ~/.cargo | ||
| uses: actions/cache@v3 | ||
| with: | ||
| path: ~/.cargo | ||
| key: ${{ github.job }}-cargo | ||
| - name: Cache RPMs | ||
| uses: actions/cache@v3 | ||
| with: | ||
| path: /var/cache/yum | ||
| key: ${{ github.job }}-yum | ||
| - run: echo "keepcache=1" >> /etc/yum.conf | ||
| - name: Determine number of CPUs | ||
| run: echo CPUS=$(nproc --all) >> $GITHUB_ENV | ||
| - name: Install system dependencies | ||
| run: | | ||
| yum -y install epel-release | ||
| yum -y install \ | ||
| autoconf \ | ||
| automake \ | ||
| cargo \ | ||
| diffutils \ | ||
| file-devel \ | ||
| gcc \ | ||
| gcc-c++ \ | ||
| jansson-devel \ | ||
| jq \ | ||
| lua-devel \ | ||
| libtool \ | ||
| libyaml-devel \ | ||
| libnfnetlink-devel \ | ||
| libnetfilter_queue-devel \ | ||
| libnet-devel \ | ||
| libcap-ng-devel \ | ||
| libevent-devel \ | ||
| libmaxminddb-devel \ | ||
| libpcap-devel \ | ||
| lz4-devel \ | ||
| make \ | ||
| nss-devel \ | ||
| pcre2-devel \ | ||
| pkgconfig \ | ||
| python36-PyYAML \ | ||
| rust \ | ||
| sudo \ | ||
| which \ | ||
| zlib-devel | ||
| - name: Download suricata.tar.gz | ||
| uses: actions/download-artifact@v3 | ||
| with: | ||
| name: dist | ||
| - run: tar zxf suricata-*.tar.gz --strip-components=1 | ||
| # This isn't really needed as we are building from a prepared | ||
| # package, but some package managers like RPM and Debian like to | ||
| # run this command even on prepared packages, so make sure it | ||
| # works. | ||
| - name: Test autoreconf | ||
| run: autoreconf -fv --install | ||
| - run: CFLAGS="${DEFAULT_CFLAGS}" ./configure | ||
| - run: make -j ${{ env.CPUS }} | ||
| - run: make install | ||
| - run: make install-conf | ||
| - run: make distcheck | ||
| - run: make clean | ||
| - run: make -j ${{ env.CPUS }} | ||
| - uses: actions/download-artifact@v3 | ||
| with: | ||
| name: prep | ||
| path: prep | ||
| - run: tar xf prep/suricata-verify.tar.gz | ||
| - run: python3 ./suricata-verify/run.py -q --debug-failed | ||
| - run: suricata-update -V | ||
| - run: suricatasc -h | ||
