forked from OISF/suricata
-
Notifications
You must be signed in to change notification settings - Fork 2
259 lines (232 loc) · 8.71 KB
/
legacy-centos-7.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
name: builds
on:
push:
pull_request:
workflow_dispatch:
inputs:
LIBHTP_REPO:
LIBHTP_BRANCH:
SU_REPO:
SU_BRANCH:
SV_REPO:
SV_BRANCH:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions: read-all
env:
DEFAULT_SV_REPO: https://github.com/OISF/suricata-verify
DEFAULT_SV_BRANCH: master
DEFAULT_CFLAGS: "-Wall -Wextra -Werror -Wno-unused-parameter -Wno-unused-function"
# Apt sometimes likes to ask for user input, this will prevent that.
DEBIAN_FRONTEND: "noninteractive"
# A recent version of stable Rust that is known to pass build, test and other
# verification steps in this workflow. This was added because using "stable"
# could cause some steps to fail.
RUST_VERSION_KNOWN: "1.70.0"
# The minimum version of Rust supported.
RUST_VERSION_MIN: "1.63.0"
jobs:
prepare-deps:
name: Prepare dependencies
runs-on: ubuntu-latest
steps:
- name: Dumping github context for debugging
run: echo $JSON
env:
JSON: ${{ toJSON(github) }}
- run: sudo apt update && sudo apt -y install jq curl
- name: Parse repo and branch information
env:
# We fetch the actual pull request to get the latest body as
# github.event.pull_request.body has the body from the
# initial pull request.
PR_HREF: ${{ github.event.pull_request._links.self.href }}
run: |
if test "${PR_HREF}"; then
body=$(curl -s "${PR_HREF}" | jq -r .body | tr -d '\r')
echo "Parsing branch and PR info from:"
echo "${body}"
LIBHTP_REPO=$(echo "${body}" | awk -F = '/^LIBHTP_REPO=/ { print $2 }')
LIBHTP_BRANCH=$(echo "${body}" | awk -F = '/^LIBHTP_BRANCH=/ { print $2 }')
SU_REPO=$(echo "${body}" | awk -F = '/^SU_REPO=/ { print $2 }')
SU_BRANCH=$(echo "${body}" | awk -F = '/^SU_BRANCH=/ { print $2 }')
SV_REPO=$(echo "${body}" | awk -F = '/^SV_REPO=/ { print $2 }')
SV_BRANCH=$(echo "${body}" | awk -F = '/^SV_BRANCH=/ { print $2 }')
else
echo "No pull request body, will use inputs or defaults."
LIBHTP_REPO=${{ inputs.LIBHTP_REPO }}
LIBHTP_BRANCH=${{ inputs.LIBHTP_BRANCH }}
SU_REPO=${{ inputs.SU_REPO }}
SU_BRANCH=${{ inputs.SU_BRANCH }}
SV_REPO=${{ inputs.SV_REPO }}
SV_BRANCH=${{ inputs.SV_BRANCH }}
fi
# If the _REPO variables don't contain a full URL, add GitHub.
if [ "${LIBHTP_REPO}" ] && ! echo "${LIBHTP_REPO}" | grep -q '^https://'; then
LIBHTP_REPO="https://github.com/${LIBHTP_REPO}"
fi
if [ "${SU_REPO}" ] && ! echo "${SU_REPO}" | grep -q '^https://'; then
SU_REPO="https://github.com/${SU_REPO}"
fi
if [ "${SV_REPO}" ] && ! echo "${SV_REPO}" | grep -q '^https://'; then
SV_REPO="https://github.com/${SV_REPO}"
fi
echo LIBHTP_REPO=${LIBHTP_REPO} | tee -a ${GITHUB_ENV}
echo LIBHTP_BRANCH=${LIBHTP_BRANCH} | tee -a ${GITHUB_ENV}
echo SU_REPO=${SU_REPO} | tee -a ${GITHUB_ENV}
echo SU_BRANCH=${SU_BRANCH} | tee -a ${GITHUB_ENV}
echo SV_REPO=${SV_REPO:-${DEFAULT_SV_REPO}} | tee -a ${GITHUB_ENV}
echo SV_BRANCH=${SV_BRANCH:-${DEFAULT_SV_BRANCH}} | tee -a ${GITHUB_ENV}
- name: Annotate output
run: |
echo "::notice:: LIBHTP_REPO=${LIBHTP_REPO}"
echo "::notice:: LIBHTP_BRANCH=${LIBHTP_BRANCH}"
echo "::notice:: SU_REPO=${SU_REPO}"
echo "::notice:: SU_BRANCH=${SU_BRANCH}"
echo "::notice:: SV_REPO=${SV_REPO}"
echo "::notice:: SV_BRANCH=${SV_BRANCH}"
# Now checkout Suricata for the bundle script.
- name: Checking out Suricata
uses: actions/checkout@v4.1.1
- name: Fetching libhtp
run: |
DESTDIR=./bundle ./scripts/bundle.sh libhtp
tar zcf libhtp.tar.gz -C bundle libhtp
- name: Fetching suricata-update
run: |
DESTDIR=./bundle ./scripts/bundle.sh suricata-update
tar zcf suricata-update.tar.gz -C bundle suricata-update
- name: Fetching suricata-verify
run: |
# Looking for a pull request number. in the SV_BRANCH
# value. This could be "pr/NNN", "pull/NNN" or a link to an
# OISF/suricata-verify pull request.
pr=$(echo "${SV_BRANCH}" | sed -n \
-e 's/^https:\/\/github.com\/OISF\/suricata-verify\/pull\/\([0-9]*\)$/\1/p' \
-e 's/^pull\/\([0-9]*\)$/\1/p' \
-e 's/^pr\/\([0-9]*\)$/\1/p')
if [ "${pr}" ]; then
SV_BRANCH="refs/pull/${pr}/head"
echo "Using suricata-verify pull-request ${SV_BRANCH}"
else
echo "Using suricata-verify branch ${SV_BRANCH}"
fi
git clone --depth 1 ${SV_REPO} suricata-verify
cd suricata-verify
git fetch --depth 1 origin ${SV_BRANCH}
git -c advice.detachedHead=false checkout FETCH_HEAD
cd ..
tar zcf suricata-verify.tar.gz suricata-verify
- name: Uploading prep archive
uses: actions/upload-artifact@v3
with:
name: prep
path: |
libhtp.tar.gz
suricata-update.tar.gz
suricata-verify.tar.gz
overwrite: true
prepare-cbindgen:
name: Prepare cbindgen
runs-on: ubuntu-latest
steps:
- name: Cache ~/.cargo
uses: actions/cache@v4.0.0
with:
path: ~/.cargo
key: ${{ github.job }}-cargo
- name: Installing Rust
run: |
curl https://sh.rustup.rs -sSf | sh -s -- -y
echo "$HOME/.cargo/bin" >> $GITHUB_PATH
rustup target add x86_64-unknown-linux-musl
- name: Building static cbindgen for Linux
run: |
cargo install --target x86_64-unknown-linux-musl --debug cbindgen
cp $HOME/.cargo/bin/cbindgen .
- name: Uploading cbindgen artifact
uses: actions/upload-artifact@v3
with:
name: cbindgen
path: .
# Actions pinned to v3 for now as the newer ones require a newer glibc:
# https://github.com/actions/runner/pull/3128
centos-7:
name: CentOS 7
runs-on: ubuntu-latest
container: centos:7
needs: [prepare-deps, debian-12-dist]
steps:
- name: Cache ~/.cargo
uses: actions/cache@v3
with:
path: ~/.cargo
key: ${{ github.job }}-cargo
- name: Cache RPMs
uses: actions/cache@v3
with:
path: /var/cache/yum
key: ${{ github.job }}-yum
- run: echo "keepcache=1" >> /etc/yum.conf
- name: Determine number of CPUs
run: echo CPUS=$(nproc --all) >> $GITHUB_ENV
- name: Install system dependencies
run: |
yum -y install epel-release
yum -y install \
autoconf \
automake \
cargo \
diffutils \
file-devel \
gcc \
gcc-c++ \
jansson-devel \
jq \
lua-devel \
libtool \
libyaml-devel \
libnfnetlink-devel \
libnetfilter_queue-devel \
libnet-devel \
libcap-ng-devel \
libevent-devel \
libmaxminddb-devel \
libpcap-devel \
lz4-devel \
make \
nss-devel \
pcre2-devel \
pkgconfig \
python36-PyYAML \
rust \
sudo \
which \
zlib-devel
- name: Download suricata.tar.gz
uses: actions/download-artifact@v3
with:
name: dist
- run: tar zxf suricata-*.tar.gz --strip-components=1
# This isn't really needed as we are building from a prepared
# package, but some package managers like RPM and Debian like to
# run this command even on prepared packages, so make sure it
# works.
- name: Test autoreconf
run: autoreconf -fv --install
- run: CFLAGS="${DEFAULT_CFLAGS}" ./configure
- run: make -j ${{ env.CPUS }}
- run: make install
- run: make install-conf
- run: make distcheck
- run: make clean
- run: make -j ${{ env.CPUS }}
- uses: actions/download-artifact@v3
with:
name: prep
path: prep
- run: tar xf prep/suricata-verify.tar.gz
- run: python3 ./suricata-verify/run.py -q --debug-failed
- run: suricata-update -V
- run: suricatasc -h