From: Jan Kiszka <[email protected]>

Retire Travis, which is no longer free, even for OSS, migrating to GitHub Actions. This requires open-coding the Coverity integration, which turned out to be the simpler task.
The migration also brings CI integration for arm64. That was in fact the hardest piece, both due to complications with Ubuntu (unhandy for cross-building, but the only Linux image on GitHub) and due to glitches of EBG itself. A further change compared to Travis: cppcheck is now pulled pre-built from Ubuntu 21.04 (the base image is still on 20.04, providing only an older version). That removes the need to build and also cache that version ourselves. For yet unknown reasons, the runtime of cppcheck is now twice as long as under Travis.

Signed-off-by: Jan Kiszka <[email protected]>
---
Changes in v2:
- Update README as well

 .github/workflows/coverity.yaml |  64 ++++++++++++
 .github/workflows/main.yaml     | 158 ++++++++++++++++++++++++++++
 .travis-build.sh                | 177 --------------------------------
 .travis.yml                     |  46 ---------
 README.md                       |   4 +-
 5 files changed, 223 insertions(+), 226 deletions(-)
 create mode 100644 .github/workflows/coverity.yaml
 create mode 100644 .github/workflows/main.yaml
 delete mode 100755 .travis-build.sh
 delete mode 100644 .travis.yml

diff --git a/.github/workflows/coverity.yaml b/.github/workflows/coverity.yaml new file mode 100644 index 0000000..99918ea --- /dev/null +++ b/.github/workflows/coverity.yaml
@@ -0,0 +1,64 @@ +# +# EFI Boot Guard +# +# Copyright (c) Siemens AG, 2021 +# +# Authors: +# Claudius Heine <[email protected]> +# Jan Kiszka <[email protected]> +# +# This work is licensed under the terms of the GNU GPL, version 2. See +# the COPYING file in the top-level directory. +# +# SPDX-License-Identifier: GPL-2.0 +# + +name: Coverity Scan + +on: + push: + branches: + - coverity_scan + +jobs: + build: + runs-on: ubuntu-20.04 + steps: + - name: Checkout + uses: actions/checkout@v2 + + - name: Install amd64 dependencies + run: | + sudo apt-get install --no-install-recommends \ + gcc-multilib gnu-efi libz-dev libpci-dev check + - name: Install Coverity + run: | + wget https://scan.coverity.com/download/cxx/linux64 \ + --post-data "token=$COVERITY_TOKEN&project=siemens%2Fefibootguard" \ + -O coverity_tool.tar.gz + tar -xf coverity_tool.tar.gz + + - name: Prepare build + run: | + autoreconf -fi + mkdir -p build + + - name: Build for Coverity + run: | + cd build + ../configure + ../cov-analysis-linux64-*/bin/cov-build --dir cov-int make -j $(nproc) + + - name: Submit Coverity results + run: | + cd build + tar caf ebg-scan.tar.bz2 cov-int + curl --form token=$COVERITY_TOKEN \ + --form email=$COVERITY_EMAIL \ + --form [email protected] \ + --form version="${{ github.sha }}" \ + --form description="EFI Boot Guard Coverity Scan" \ + https://scan.coverity.com/builds?project=siemens%2Fefibootguard + env: + COVERITY_TOKEN: ${{ secrets.COVERITY_TOKEN }} + COVERITY_EMAIL: ${{ secrets.COVERITY_EMAIL }} diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml new file mode 100644 index 0000000..e3ca110 --- /dev/null +++ b/.github/workflows/main.yaml 
@@ -0,0 +1,158 @@ +# +# EFI Boot Guard +# +# Copyright (c) Siemens AG, 2021 +# +# Authors: +# Claudius Heine <[email protected]> +# Jan Kiszka <[email protected]> +# +# This work is licensed under the terms of the GNU GPL, version 2. See +# the COPYING file in the top-level directory. +# +# SPDX-License-Identifier: GPL-2.0 +# + +name: CI + +on: + push: + branches-ignore: + - coverity_scan + +jobs: + build: + runs-on: ubuntu-20.04 + strategy: + matrix: + target: + - amd64 + - i386 + - arm64 + - cppcheck + steps: + - name: Checkout + uses: actions/checkout@v2 + with: + submodules: recursive + + - name: Install amd64 dependencies + if: ${{ matrix.target == 'amd64' || matrix.target == 'cppcheck' }} + run: | + sudo apt-get install --no-install-recommends \ + gcc-multilib gnu-efi libz-dev libpci-dev check + - name: Install i386 dependencies + if: ${{ matrix.target == 'i386' }} + run: | + sudo dpkg --add-architecture i386 + sudo apt-get update + sudo apt-get install --no-install-recommends \ + gcc-multilib gnu-efi libz-dev:i386 libpci-dev:i386 check:i386 + - name: Install arm64 dependencies + if: ${{ matrix.target == 'arm64' }} + run: | + sudo dpkg --add-architecture arm64 + sudo sed -i 's/^deb /deb [arch=amd64] /g' /etc/apt/sources.list + sudo sh -c "cat <<EOF > /etc/apt/sources.list.d/ports.list + deb [arch=arm64] http://ports.ubuntu.com/ focal main restricted + deb [arch=arm64] http://ports.ubuntu.com/ focal-updates main restricted + deb [arch=arm64] http://ports.ubuntu.com/ focal universe + deb [arch=arm64] http://ports.ubuntu.com/ focal-updates universe + deb [arch=arm64] http://ports.ubuntu.com/ focal multiverse + deb [arch=arm64] http://ports.ubuntu.com/ focal-updates multiverse + EOF" + sudo apt-get update + sudo apt-get install --no-install-recommends \ + crossbuild-essential-arm64 gnu-efi:arm64 libz-dev:arm64 libpci-dev:arm64 check:arm64 qemu-user-static + - name: Install cppcheck + if: ${{ matrix.target == 'cppcheck' }} + run: | + sudo sh -c "echo 'deb 
http://archive.ubuntu.com/ubuntu hirsute main universe' \ + > /etc/apt/sources.list.d/hirsute.list" + sudo sh -c "cat <<EOF > /etc/apt/preferences.d/hirsute.pref + Package: * + Pin: release n=hirsute + Pin-Priority: -1 + EOF" + sudo apt-get update + sudo apt-get install --no-install-recommends libz3-4/hirsute cppcheck/hirsute + + - name: Prepare build + run: | + autoreconf -fi + mkdir -p build + + - name: Build amd64 + if: ${{ matrix.target == 'amd64' }} + run: | + cd build + ../configure + make check -j $(nproc) + - name: Build i386 + if: ${{ matrix.target == 'i386' }} + run: | + cd build + export PKG_CONFIG_DIR= + export PKG_CONFIG_PATH=/usr/lib/i386-linux-gnu/pkgconfig + export PKG_CONFIG_LIBDIR=/usr/lib/i386-linux-gnu + ../configure --with-gnuefi-lib-dir=/usr/lib32 CFLAGS=-m32 \ + host_alias=i586-linux + make check -j $(nproc) + - name: Build arm64 + if: ${{ matrix.target == 'arm64' }} + run: | + cd build + ../configure --host=aarch64-linux-gnu \ + PKG_CONFIG=/usr/bin/aarch64-linux-gnu-pkg-config + make check -j $(nproc) + - name: Run cppcheck + if: ${{ matrix.target == 'cppcheck' }} + run: | + ./configure + + ignore="" + ignore+=" -i tests/fff" + + suppress="" + # Justified suppressions: + # Does not belong to the project + suppress+=" --suppress=*:/usr/include/*" + suppress+=" --suppress=*:/usr/include/bits/*" + # Function 'efi_main' is called by efi: + suppress+=" --suppress=unusedFunction:main.c" + # Some functions are defined for API only + suppress+=" --suppress=unusedFunction:utils.c" + suppress+=" --suppress=unusedFunction:env/env_api.c" + suppress+=" --suppress=unusedFunction:env/fatvars.c" + suppress+=" --suppress=unusedFunction:tools/tests/test_environment.c" + suppress+=" --suppress=unusedFunction:env/env_api_fat.c" + # Some functions are used by linker wrapping + suppress+=" --suppress=unusedFunction:tools/tests/test_probe_config_file.c" + suppress+=" --suppress=unusedFunction:tools/tests/test_ebgenv_api.c" + # EFI uses void* as ImageBase needed 
for further calculations + suppress+=" --suppress=arithOperationsOnVoidPointer:main.c" + # False positive on init_array iteration + suppress+=" --suppress=comparePointers:main.c" + # False positive on constructors, first hit + suppress+=" --suppress=unusedFunction:drivers/watchdog/amdfch_wdt.c" + + enable="--enable=warning \ + --enable=style \ + --enable=performance \ + --enable=portability \ + --enable=unusedFunction" + + includes="-I . \ + -I include \ + -I /usr/include \ + -I /usr/include/linux \ + -I /usr/include/efi \ + -I /usr/include/efi/x86_64 \ + -I /usr/include/x86_64-linux-gnu \ + -I /usr/lib/gcc/x86_64-linux-gnu/9/include" + + cpp_conf="-U__WINT_TYPE__ -U__GNUC__" + # Exit code '1' is returned if arguments are not valid or if no input + # files are provided. Compare 'cppcheck --help'. + cppcheck -f -q --error-exitcode=2 $enable $suppress $ignore \ + $cpp_conf $includes . diff --git a/.travis-build.sh b/.travis-build.sh deleted file mode 100755 index 5eeb8d1..0000000 --- a/.travis-build.sh +++ /dev/null 
@@ -1,177 +0,0 @@ -#!/bin/bash -# -# EFI Boot Guard -# -# Copyright (c) Siemens AG, 2017 -# -# Authors: -# Claudius Heine <[email protected]> -# -# This work is licensed under the terms of the GNU GPL, version 2. See -# the COPYING file in the top-level directory. -# -# SPDX-License-Identifier: GPL-2.0 -# - -set -euo pipefail - -PARAM="${PARAM-"${1-""}"}" -TARGET="${TARGET-""}" - -COVERITY_SCAN_BRANCH="${COVERITY_SCAN_BRANCH:-"0"}" -if [ "$COVERITY_SCAN_BRANCH" == "1" ] -then - if [ "$TARGET" == "native" ] - then - TARGET_EFFECTIVE="${PARAM:-"success"}" - else - TARGET_EFFECTIVE="success" - fi -else - TARGET_EFFECTIVE="${PARAM:-"${TARGET}"}" -fi - -install_common_deps() -{ - sudo apt-get install gcc-multilib gnu-efi libpci-dev -} - -install_native_deps() -{ - sudo apt-get install --no-install-recommends \ - libz-dev check -} - -install_i586_deps() -{ - sudo apt-get install --no-install-recommends \ - libz-dev:i386 check:i386 -} - -prepare_build() -{ - autoreconf -fi -} - - -enter_build() -{ - mkdir -p build - cd build -} - -install_cppcheck() -{ - git clone https://github.com/danmar/cppcheck.git - git -C cppcheck checkout 2.3 - make -C cppcheck MATCHCOMPILER=yes \ - FILESDIR=/opt/cppcheck \ - PREFIX=/opt/cppcheck \ - HAVE_RULES=no install -j2 || \ - return -1 - rm -rf cppcheck -} - -case "$TARGET_EFFECTIVE" in - native) - install_common_deps - install_native_deps - prepare_build - enter_build - ../configure - exec make check - ;; - - i586) - install_common_deps - install_i586_deps - prepare_build - enter_build - export PKG_CONFIG_DIR= - export PKG_CONFIG_PATH=/usr/lib/i386-linux-gnu/pkgconfig - export PKG_CONFIG_LIBDIR=/usr/lib/i386-linux-gnu - ../configure --with-gnuefi-lib-dir=/usr/lib32 CFLAGS=-m32 \ - host_alias=i586-linux - exec make check - ;; - - cppcheck) - install_common_deps - install_native_deps - echo "Building and installing cppcheck..." - if [ ! 
-x /opt/cppcheck/bin/cppcheck ] - then - install_cppcheck - fi - prepare_build - ./configure - - ignore="" - ignore+=" -i tests/fff" - - suppress="" - # Justified suppressions: - # Does not belong to the project - suppress+=" --suppress=*:/usr/include/*" - suppress+=" --suppress=*:/usr/include/bits/*" - # Function 'efi_main' is called by efi: - suppress+=" --suppress=unusedFunction:main.c" - # Some functions are defined for API only - suppress+=" --suppress=unusedFunction:utils.c" - suppress+=" --suppress=unusedFunction:env/env_api.c" - suppress+=" --suppress=unusedFunction:env/fatvars.c" - suppress+=" --suppress=unusedFunction:tools/tests/test_environment.c" - suppress+=" --suppress=unusedFunction:env/env_api_fat.c" - # Some functions are used by linker wrapping - suppress+=" --suppress=unusedFunction:tools/tests/test_probe_config_file.c" - suppress+=" --suppress=unusedFunction:tools/tests/test_ebgenv_api.c" - # EFI uses void* as ImageBase needed for further calculations - suppress+=" --suppress=arithOperationsOnVoidPointer:main.c" - # False positive on init_array iteration - suppress+=" --suppress=comparePointers:main.c" - # False positive on constructors, first hit - suppress+=" --suppress=unusedFunction:drivers/watchdog/amdfch_wdt.c" - - enable="--enable=warning \ - --enable=style \ - --enable=performance \ - --enable=portability \ - --enable=unusedFunction" - - includes="-I . \ - -I include \ - -I /usr/include \ - -I /usr/include/linux \ - -I /usr/include/efi \ - -I /usr/include/efi/x86_64 \ - -I /usr/include/x86_64-linux-gnu \ - -I /usr/lib/gcc/x86_64-linux-gnu/4.8/include" - - cpp_conf="-U__WINT_TYPE__ -U__GNUC__" - # Exit code '1' is returned if arguments are not valid or if no input - # files are provided. Compare 'cppcheck --help'. - exec /opt/cppcheck/bin/cppcheck -f -q --error-exitcode=2 \ - $enable $suppress $ignore $cpp_conf $includes . 
- ;; - coverity_prepare) - install_common_deps - install_native_deps - prepare_build - enter_build - ../configure - exit 0 - ;; - coverity_build) - enter_build - exec make - ;; - success) - echo "Skipping $TARGET" >&2 - exit 0 - ;; - *) - echo "No or not existing targen choosen." \ - "($TARGET, $TARGET_EFFECTIVE)" >&2 - exit -1 - ;; -esac diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index 6b48ac6..0000000 --- a/.travis.yml +++ /dev/null @@ -1,46 +0,0 @@ -# -# EFI Boot Guard -# -# Copyright (c) Siemens AG, 2017 -# -# Authors: -# Jan Kiszka <[email protected]> -# -# This work is licensed under the terms of the GNU GPL, version 2. See -# the COPYING file in the top-level directory. -# -# SPDX-License-Identifier: GPL-2.0 -# - -env: - jobs: - - TARGET=native - - TARGET=i586 - - TARGET=cppcheck -language: c -dist: xenial - -compiler: - - gcc - -before_install: - - sudo apt-get update - - if [ $TRAVIS_BRANCH = coverity_scan ] && [ ${TRAVIS_JOB_NUMBER##*.} != 1 ]; then exit 0; fi - - echo -n | openssl s_client -connect scan.coverity.com:444 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | sudo tee -a /etc/ssl/certs/ca-certificates.crt - -addons: - coverity_scan: - project: - name: "siemens/efibootguard" - description: "Build submitted via Travis CI" - notification_email: [email protected] - build_command_prepend: "./.travis-build.sh coverity_prepare" - build_command: "./.travis-build.sh coverity_build" - branch_pattern: coverity_scan - -cache: - directories: - - /opt/cppcheck - -script: - - ./.travis-build.sh diff --git a/README.md b/README.md index f1d701d..98d8baf 100644 --- a/README.md +++ b/README.md 
@@ -18,9 +18,7 @@ For sending patches, please refer to the mailing list and `CONTRIBUTING.md` in the source tree. Continuous integration: -* [Travis CI](https://travis-ci.com/siemens/efibootguard): - * Master branch:  - * Next branch:  +* Based on [https://github.com/siemens/efibootguard/actions](GitHub Actions) * Coverity:  ## Watchdog support ## -- 2.31.1 -- You received this message because you are subscribed to the Google Groups "EFI Boot Guard" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/efibootguard-dev/1cc7196a-8a2a-47f1-c5ae-d7abf086e261%40siemens.com.
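Review bot: In the coverity.yaml hunk, `$COVERITY_TOKEN` is already used by the "Install Coverity" step (`--post-data "token=$COVERITY_TOKEN&project=siemens%2Fefibootguard"`), but the `env:` block that maps `COVERITY_TOKEN: ${{ secrets.COVERITY_TOKEN }}` only appears after the last step, "Submit Coverity results". If that block is step-scoped, the download runs with an empty token and the submit step is the only one that sees the secret; placing the `env:` block at job level (next to `runs-on: ubuntu-20.04`) makes it available to both steps. Two smaller points: `coverity_tool.tar.gz` is extracted and executed without any checksum comparison against a value recorded in the repository, and `sudo apt-get install` runs without a preceding `sudo apt-get update`, which the removed .travis.yml did in `before_install` and which the i386 and arm64 steps of main.yaml still do. The checkout here also lacks the `submodules: recursive` that main.yaml passes; if the Coverity build needs the submodules, it should be added here too.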
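Review bot: In the main.yaml hunk, the "Install amd64 dependencies" step (shared by the amd64 and cppcheck targets) calls `sudo apt-get install` without a prior `sudo apt-get update`, unlike the i386 and arm64 steps; on a stale package index this fails as soon as the mirror has moved to newer versions. The cppcheck include list hardcodes the compiler major version with `-I /usr/lib/gcc/x86_64-linux-gnu/9/include` (the deleted script had `4.8` for the same line); `-I $(gcc -print-file-name=include)` would keep working when the runner image moves to a newer GCC. Finally, `uses: actions/checkout@v2` is a mutable tag; pinning to a full commit SHA is the usual supply-chain hardening for workflow dependencies, and the same applies to the checkout in coverity.yaml.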
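Review bot: Removing `echo -n | openssl s_client -connect scan.coverity.com:444 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | sudo tee -a /etc/ssl/certs/ca-certificates.crt` from the deleted .travis.yml also drops a blind, trust-on-first-use import of whatever certificate that port presented into the system CA bundle. The replacement workflows talk to scan.coverity.com with the runner's default trust store, which is the better model; no change requested for this hunk.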
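Review bot: The README hunk has the Markdown link arguments swapped: `+* Based on [https://github.com/siemens/efibootguard/actions](GitHub Actions)` puts the URL in the text position and the text in the target position, so the rendered page links to a non-existent relative path named "GitHub Actions". It should read `* Based on [GitHub Actions](https://github.com/siemens/efibootguard/actions)`.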
