Skip to content

Bump 3rdparty/broker from 3dc3aef to aa81a91 #617

Bump 3rdparty/broker from 3dc3aef to aa81a91

Bump 3rdparty/broker from 3dc3aef to aa81a91 #617

Workflow file for this run

name: CI pipeline
on: push
jobs:
debug_ubuntu_22:
runs-on: ubuntu-22.04
strategy:
matrix:
zeek: [{version: 6.0.2-0, tag: -lts}]
env:
ZEEK_VERSION: ${{ matrix.zeek.version }}
ZEEK_TAG: ${{ matrix.zeek.tag }}
ZEEK_AGENT_CONFIGURE_ADDL: ${{ matrix.configure }}
LD_LIBRARY_PATH: /usr/lib/llvm-17/lib/clang/17/lib/linux
steps:
- name: Prepare
run: |
export DEBIAN_FRONTEND=noninteractive
sudo apt-get update
sudo apt-get install -y ninja-build ccache curl ca-certificates
sudo pip3 install btest zkg pre-commit
# LLVM toolchain
echo 'deb http://apt.llvm.org/jammy/ llvm-toolchain-jammy-17 main' | sudo tee -a /etc/apt/sources.list.d/llvm17.list
echo 'deb-src http://apt.llvm.org/jammy/ llvm-toolchain-jammy-17 main' | sudo tee -a /etc/apt/sources.list.d/llvm17.list
sudo curl https://apt.llvm.org/llvm-snapshot.gpg.key -o /etc/apt/trusted.gpg.d/llvm.asc
sudo apt-get update
sudo apt-get install -y llvm-17-dev clang-17 libclang-17-dev clang-format-17 clang-tidy-17 libclang-rt-17-dev
# for bpftool
sudo ln -s $(which llvm-strip-17) /usr/local/bin/llvm-strip
sudo apt-get install libelf-dev gcc-multilib
- name: Install Zeek
run: |
(cd /tmp && curl -L -O https://download.zeek.org/binary-packages/xUbuntu_22.04/amd64/zeek${ZEEK_TAG}-core_${ZEEK_VERSION}_amd64.deb)
sudo apt install -y /tmp/zeek${ZEEK_TAG}-core_${ZEEK_VERSION}_amd64.deb
echo "/opt/zeek/bin:$PATH" >> $GITHUB_PATH
- name: Checkout repository
uses: actions/checkout@v4
with:
submodules: recursive
- name: Set up ccache
uses: hendrikmuhs/ccache-action@v1.2
with:
key: ${{ github.job }}
- name: Build
run: |
./configure --prefix=/tmp/zeek-agent --enable-debug --enable-sanitizer --enable-ccache --enable-werror --generator=Ninja $ZEEK_AGENT_CONFIGURE_ADDL
ninja -C build
- name: Test
run: |
make test
- name: Check code
run: |
pre-commit run -a --show-diff-on-failure
# TODO: tidy fails in Broker currently
# ninja -C build tidy
- uses: actions/upload-artifact@v4
if: failure()
with:
name: Test output
path: |
tests/.tmp
zeek-agent/tests/.tmp
# TODO: Install Zeek and run Zeek tests.
release_alpine_3_19_static:
runs-on: ubuntu-22.04
environment: ${{ (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/topic/ci-release-test' || startsWith(github.ref, 'refs/tags/v')) && 'release' || '' }}
container:
image: alpine:3.19
steps:
- name: Prepare
run: |
apk update
apk add linux-headers ccache cmake g++ gcc git make ninja tar zlib-static zlib-dev openssl-libs-static openssl-dev zstd-static python3 py3-pip bash
pip3 install --break-system-packages btest zkg
# for bpftool
apk add clang llvm libelf elfutils-dev
- name: Checkout repository
uses: actions/checkout@v4
with:
submodules: recursive
- name: Set up ccache
uses: hendrikmuhs/ccache-action@v1.2
with:
key: ${{ github.job }}
- name: Build
run: |
./configure --prefix=/tmp/zeek-agent --enable-ccache --enable-werror --enable-static --generator=Ninja --with-openssl=
ninja -C build
- name: Test
run: |
ldd build/bin/zeek-agent 2>&1 | grep -q "Not a valid dynamic program"
make -C tests test-no-zeek
- name: Install
run: |
ninja -C build install
find /tmp/zeek-agent -exec ls -ald '{}' ';'
- name: Package
run: |
ninja -C build package
(cd build/dist && echo "ZA_DIST=$(echo *.tar.gz)" >>$GITHUB_ENV)
- uses: actions/upload-artifact@v4
with:
name: ${{env.ZA_DIST}}
path: build/dist/${{env.ZA_DIST}}
# TODO: Install Zeek and run Zeek tests.
release_macos_13:
env:
MACOS_VERSION: 13.0
runs-on: macos-13
environment: ${{ (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/topic/ci-release-test' || startsWith(github.ref, 'refs/tags/v')) && 'release' || '' }}
steps:
- name: Prepare
run: |
brew update
brew upgrade cmake
brew install ninja ccache
pip3 install btest zkg
# time can be off, which confuses codesigning; this host can be accessed from GH actions
sudo sntp -sS time.windows.com
- name: Checkout repository
uses: actions/checkout@v4
with:
submodules: recursive
- name: Set up ccache
uses: hendrikmuhs/ccache-action@v1.2
with:
key: ${{ github.job }}
- name: Build universal arch OpenSSL
env:
OPENSSL_VERSION: 1.1.1w
run: |
curl -O https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz
tar xvzf openssl-${OPENSSL_VERSION}.tar.gz && mv openssl-${OPENSSL_VERSION} openssl_x86_64
tar xvzf openssl-${OPENSSL_VERSION}.tar.gz && mv openssl-${OPENSSL_VERSION} openssl_arm64
(cd openssl_x86_64 && CC="ccache cc" ./Configure darwin64-x86_64-cc no-shared no-tests -mmacosx-version-min=${MACOS_VERSION} && make -j)
(cd openssl_arm64 && CC="ccache cc" ./Configure darwin64-arm64-cc no-shared no-tests -mmacosx-version-min=${MACOS_VERSION} && make -j)
mkdir -p /tmp/openssl/lib /tmp/openssl/include
lipo -create openssl_arm64/libcrypto.a openssl_x86_64/libcrypto.a -output /tmp/openssl/lib/libcrypto.a
lipo -create openssl_arm64/libssl.a openssl_x86_64/libssl.a -output /tmp/openssl/lib/libssl.a
cp -r openssl_x86_64/include/openssl /tmp/openssl/include/
rm -rf openssl-${OPENSSL_VERSION}*
- name: Build
run: |
./configure --prefix=${{runner.temp}}/zeek-agent --enable-ccache --enable-werror --enable-osx-universal --generator=Ninja --with-openssl=/tmp/openssl --osx-deployment-target=${MACOS_VERSION}
ninja -C build
- name: Test
run: |
file build/bin/zeek-agent | grep -q "universal binary with 2 architectures"
make -C tests test-no-zeek || true
- name: Install
run: |
ninja -C build install
find ${{runner.temp}}/zeek-agent -exec ls -ald '{}' ';'
### Only on topic branches
- name: Package (without codesign)
if: github.ref_name != 'main' && github.ref != 'refs/heads/topic/ci-release-test' && !startsWith(github.ref, 'refs/tags/v')
run: |
ninja -C build package
(cd build/dist && echo "ZA_DIST=$(echo *.dmg)" >>$GITHUB_ENV)
### Only on the main branch
- name: Set up keychain for code signing
if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/topic/ci-release-test' || startsWith(github.ref, 'refs/tags/v')
env:
MACOS_APP_STORE_CONNECT_ISSUER_ID: ${{ secrets.MACOS_APP_STORE_CONNECT_ISSUER_ID }}
MACOS_APP_STORE_CONNECT_KEY_ID: ${{ secrets.MACOS_APP_STORE_CONNECT_KEY_ID }}
MACOS_APP_STORE_CONNECT_KEY_P8: ${{ secrets.MACOS_APP_STORE_CONNECT_KEY_P8 }}
MACOS_CERTIFICATE_APPLICATION_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_APPLICATION_PASSWORD }}
MACOS_CERTIFICATE_APPLICATION_PEM: ${{ secrets.MACOS_CERTIFICATE_APPLICATION_PEM }}
MACOS_KEYCHAIN_PASSWORD: ${{ secrets.MACOS_KEYCHAIN_PASSWORD }}
run: |
echo -n "${MACOS_CERTIFICATE_APPLICATION_PEM}" >"${RUNNER_TEMP}/cert.pem"
security create-keychain -p "${MACOS_KEYCHAIN_PASSWORD}" "${RUNNER_TEMP}/keychain-db"
security set-keychain-settings -lut 100 "${RUNNER_TEMP}/keychain-db"
security default-keychain -s "${RUNNER_TEMP}/keychain-db"
security unlock-keychain -p "${MACOS_KEYCHAIN_PASSWORD}" "${RUNNER_TEMP}/keychain-db"
security import "${RUNNER_TEMP}/cert.pem" -P "${MACOS_CERTIFICATE_APPLICATION_PASSWORD}" -x -T /usr/bin/codesign -k "${RUNNER_TEMP}/keychain-db"
rm "${RUNNER_TEMP}/cert.pem"
echo -n "${MACOS_APP_STORE_CONNECT_KEY_P8}" >"${RUNNER_TEMP}/key.p8"
xcrun notarytool store-credentials -k "${RUNNER_TEMP}/key.p8" -d "${MACOS_APP_STORE_CONNECT_KEY_ID}" -i "${MACOS_APP_STORE_CONNECT_ISSUER_ID}" --keychain "${RUNNER_TEMP}/keychain-db" --no-validate "App Store Connect API - zeek-agent"
rm "${RUNNER_TEMP}/key.p8"
# must come last
security set-key-partition-list -S apple-tool:,apple: -s -k "${MACOS_KEYCHAIN_PASSWORD}" "${RUNNER_TEMP}/keychain-db"
- name: Package (with codesign)
if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/topic/ci-release-test' || startsWith(github.ref, 'refs/tags/v')
env:
MACOS_NOTARIZE: 1
MACOS_CERTIFICATE_APPLICATION_ID: ${{ secrets.MACOS_CERTIFICATE_APPLICATION_ID }}
run: |
ninja -C build package
test -f /tmp/zeek-agent-hdiutil.log && cat /tmp/zeek-agent-hdiutil.log
(cd build/dist && echo "ZA_DIST=$(echo *.dmg)" >>$GITHUB_ENV)
- name: Clean up keychain
if: always() && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/topic/ci-release-test' || startsWith(github.ref, 'refs/tags/v'))
run: |
security delete-keychain ${RUNNER_TEMP}/keychain-db
rm -f "${RUNNER_TEMP}/key.p8" "${RUNNER_TEMP}/cert.p8"
### Back to running on all branches
- uses: actions/upload-artifact@v4
with:
name: ${{env.ZA_DIST}}
path: build/dist/${{env.ZA_DIST}}
release_windows_2022:
runs-on: windows-2022
env:
VCPKG_ROOT: ${{ github.workspace }}/3rdparty/vcpkg
VCPKG_DEFAULT_BINARY_CACHE: ${{ github.workspace }}/3rdparty/vcpkg/bincache
VCPKG_TARGET_TRIPLET: x64-windows-static
# Something in the Windows build configuration breaks ccache and causes it to forget
# what its configuration is by the time we call configure and run the build. This
# forces it to remember.
CCACHE_CONFIGPATH: ~/ccache/ccache.conf
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
submodules: recursive
- name: Create vcpkg binary cache directory
run: mkdir -p $VCPKG_DEFAULT_BINARY_CACHE
shell: bash
# The github runner provides a version of ccache, but it's too old to
# properly support use with cl.exe. We need at least version 4.6 for
# everything to work right. The ccache-action below should be doing
# if but it's still picking up the wrong version of ccache.
- name: Install newer ccache
run: >
choco install ccache
shell: cmd
- name: Set up ccache
uses: hendrikmuhs/ccache-action@v1.2
with:
key: ${{ github.job }}
- name: Set up Visual Studio shell
uses: egor-tensin/vs-shell@v2
with:
arch: x64
- name: Cache vcpkg output
uses: actions/cache@v4
with:
path: |
${{ env.VCPKG_ROOT }}
!${{ env.VCPKG_ROOT }}/buildtrees
!${{ env.VCPKG_ROOT }}/packages
!${{ env.VCPKG_ROOT }}/downloads
!${{ env.VCPKG_ROOT }}/installed
key: |
${{ hashFiles( 'vcpkg.json' ) }}-${{ hashFiles( '.git/modules/vcpkg/HEAD' )}}-${{ env.VCPKG_TARGET_TRIPLET }}
- name: Configure
run: >
cmake -S . -B build -G Ninja -DCMAKE_C_COMPILER=cl.exe -DCMAKE_CXX_COMPILER=cl.exe -DCMAKE_MAKE_PROGRAM=ninja.exe -DCMAKE_BUILD_TYPE=Release -DCMAKE_VERBOSE_MAKEFILE=ON -DUSE_CCACHE=yes -DCMAKE_TOOLCHAIN_FILE="3rdparty/vcpkg/scripts/buildsystems/vcpkg.cmake" -DVCPKG_TARGET_TRIPLET=${{env.VCPKG_TARGET_TRIPLET}}
shell: cmd
- name: Build
run: >
cmake --build build --target install --config Release --parallel 2
shell: cmd
### We can't run btest here for a number of reasons. See
### https://github.com/zeek/btest/issues/26. This also means
### there's no artifacts to upload upon failure.
- name: Test
run: >
"C:\Program Files (x86)\ZeekAgent\bin\zeek-agent.exe" -T
shell: cmd
- name: Build installer
run: |
cmake --build build --target package --config Release
(cd build/dist && echo "ZA_DIST=$(echo *.msi)" >>$GITHUB_ENV)
shell: bash
- uses: actions/upload-artifact@v4
with:
name: ${{env.ZA_DIST}}
path: build/dist/${{env.ZA_DIST}}
release_source:
runs-on: ubuntu-22.04
environment: ${{ (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/topic/ci-release-test' || startsWith(github.ref, 'refs/tags/v')) && 'release' || '' }}
steps:
- name: Prepare
run: |
export DEBIAN_FRONTEND=noninteractive
sudo apt-get update
sudo apt-get install -y ninja-build ccache curl ca-certificates
# for bpftool
sudo apt-get install llvm libelf-dev gcc-multilib
- name: Checkout repository
uses: actions/checkout@v4
with:
submodules: recursive
- name: Set up ccache
uses: hendrikmuhs/ccache-action@v1.2
with:
key: ${{ github.job }}
- name: Configure
run: |
./configure --generator=Ninja
- name: Package source code
run: |
ninja -C build package_source
(cd build/dist && echo "ZA_DIST=$(echo *.tar.gz)" >>$GITHUB_ENV)
- name: Test build of source code
run: |
mkdir -p ${{ runner.temp }}/test-build
cat build/dist/${{env.ZA_DIST}} | (cd ${{ runner.temp }}/test-build && tar xzvf -)
(cd $(echo ${{ runner.temp }}/test-build/zeek-agent*) && ./configure --generator=Ninja --enable-ccache && ninja -C build && ninja -C build test)
- uses: actions/upload-artifact@v4
with:
name: ${{env.ZA_DIST}}
path: build/dist/${{env.ZA_DIST}}
publish_release:
permissions:
contents: write
runs-on: ubuntu-22.04
if: (startsWith(github.ref, 'refs/tags/v') && !contains(github.ref, '-dev'))
needs: [debug_ubuntu_22, release_alpine_3_19_static, release_macos_13, release_windows_2022, release_source]
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
submodules: recursive
- name: Prepare release message
run: |
cat CHANGES | awk '/^[0-9]+\./{ n++; next; } n < 2 { print }' >${{ runner.temp }}/release-msg
echo "release_name=$(echo ${{ github.ref_name }} | sed 's/^v//')" >> $GITHUB_ENV
- uses: actions/download-artifact@v4
with:
path: artifacts
- name: Display artifacts
run: ls -al artifacts/*/*
- name: Upload artifacts
uses: softprops/action-gh-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
draft: false
prerelease: false
name: ${{ env.release_name }}
body_path: ${{ runner.temp }}/release-msg
files: |
artifacts/*/*.tar.gz
artifacts/*/*.dmg
artifacts/*/*.msi