-
Notifications
You must be signed in to change notification settings - Fork 54
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Githubactions: Add workflow to build binaries for Centos
- Loading branch information
1 parent
1d25093
commit 511f3b4
Showing
1 changed file
with
120 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,120 @@ | ||
| name: Release binaries | ||
| # This machine tests building the software on a both 32 and 64 Windows architecture. | ||
|
|
||
| on: [push] | ||
|
|
||
| jobs: | ||
|
|
||
| redhat_based: | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| environment: [ | ||
| "centos:7", | ||
| "centos:8", | ||
| ] | ||
|
|
||
| name: build on ${{ matrix.environment }} | ||
| runs-on: ubuntu-latest | ||
| container: ${{ matrix.environment }} | ||
|
|
||
| steps: | ||
|
|
||
| - name: clone the Yubico/yubihsm-shell repository | ||
| uses: actions/checkout@v3 | ||
| with: | ||
| path: yubihsm-shell | ||
|
|
||
| - name: apply environment specific changes to CMakeLists.txt | ||
| working-directory: yubihsm-shell | ||
| if: ${{ matrix.environment == 'centos:7' }} | ||
| run: | | ||
| # centos 7 comes with cmake version 2.8, but the project requires 3.5 | ||
| # we downgrade that requirement for the centos 7 build | ||
| sed -i 's/cmake_minimum_required (VERSION 3.5)/cmake_minimum_required (VERSION 2.8)/' CMakeLists.txt | ||
| # we also remove the following policies which are not supported in the older cmake version | ||
| sed -i 's/cmake_policy(SET CMP0025 NEW)/#cmake_policy(SET CMP0025 NEW)/' CMakeLists.txt | ||
| sed -i 's/cmake_policy(SET CMP0042 NEW)/#cmake_policy(SET CMP0042 NEW)/' CMakeLists.txt | ||
| sed -i 's/cmake_policy(SET CMP0054 NEW)/#cmake_policy(SET CMP0054 NEW)/' CMakeLists.txt | ||
| # append the following flags: -Wno-missing-braces -Wno-missing-field-initializers -Wno-implicit-function-declaration | ||
| sed -i 's/-Wall -Wextra -Werror/-Wall -Wextra -Werror -Wno-missing-braces -Wno-missing-field-initializers/' cmake/SecurityFlags.cmake | ||
| - name: extract platform name | ||
| env: | ||
| DOCKER_IMAGE: ${{ matrix.environment }} | ||
| run: | | ||
| # Remove everything from DOCKER_IMAGE that is not a letter or a number | ||
| PLATFORM=$(echo -n "$DOCKER_IMAGE" | sed -E 's/[^a-zA-Z0-9]//g') | ||
| echo "PLATFORM=$PLATFORM" >> $GITHUB_ENV | ||
| - name: install dependencies | ||
| env: | ||
| PLATFORM: ${{ env.PLATFORM }} | ||
| run: | | ||
| cd yubihsm-shell/resources/release/linux | ||
| ./install_redhat_dependencies.sh $PLATFORM | ||
| if [ $PLATFORM = "centos7" ]; then | ||
| # enable the epel repository for centos | ||
| yum install -y epel-release | ||
| fi | ||
| yum install -y checksec procps-ng jq file which curl | ||
| - name: build release | ||
| working-directory: yubihsm-shell | ||
| env: | ||
| PLATFORM: ${{ env.PLATFORM }} | ||
| run: | | ||
| export CMAKE="cmake" | ||
| export INPUT=$GITHUB_WORKSPACE/yubihsm-shell | ||
| export OUTPUT=$GITHUB_WORKSPACE/$PLATFORM/yubihsm-shell | ||
| rm -rf $OUTPUT | ||
| mkdir -p $OUTPUT | ||
| # These 2 lines can be replaced by the command "rpmdev-setuptree", but this command seems to add macros that force check paths that do not exist | ||
| mkdir -p $GITHUB_WORKSPACE/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS} | ||
| echo '%_topdir %(echo $HOME)/rpmbuild' > $GITHUB_WORKSPACE/.rpmmacros | ||
| RPM_DIR=$GITHUB_WORKSPACE/rpmbuild | ||
| cp resources/release/linux/yubihsm-shell.spec $RPM_DIR/SPECS/ | ||
| QA_SKIP_BUILD_ROOT=1 QA_RPATHS=$(( 0x0001|0x0010 )) rpmbuild -bb $RPM_DIR/SPECS/yubihsm-shell.spec | ||
| cp /github/home/rpmbuild/RPMS/x86_64/*.rpm $OUTPUT/ | ||
| LICENSE_DIR="$OUTPUT/share/yubihsm-shell" | ||
| mkdir -p $LICENSE_DIR | ||
| cp -r $INPUT/resources/release/linux/licenses $LICENSE_DIR/ | ||
| for lf in $LICENSE_DIR/licenses/*; do | ||
| chmod 644 $lf | ||
| done | ||
| cd $OUTPUT | ||
| rm -f "yubihsm-shell-$PLATFORM-amd64.tar.gz" | ||
| tar -C ".." -zcvf "../yubihsm-shell-$PLATFORM-amd64.tar.gz" "yubihsm-shell" | ||
| rm -f *.rpm | ||
| rm -rf licenses | ||
| rm -rf ../yubihsm-shell | ||
| - name: install binaries | ||
| working-directory: /github/home/rpmbuild/RPMS/x86_64 | ||
| run: | | ||
| yum install -y ./yubihsm-shell-*.rpm | ||
| - name: check binaries for hardening | ||
| run: | | ||
| cs() { | ||
| checksec --file=/usr/bin/yubihsm-shell --format=json | jq -r ".[] | .$1" | ||
| } | ||
| if [ "`cs relro`" != "full" ]; then echo "relro is `cs relro`"; exit 1; fi | ||
| if [ "`cs canary`" != "yes" ]; then echo "canary is `cs canary`"; exit 1; fi | ||
| if [ "`cs nx`" != "yes" ]; then echo "nx is `cs nx`"; exit 1; fi | ||
| if [ "`cs pie`" != "yes" ]; then echo "pie is `cs pie`"; exit 1; fi | ||
| if [ "`cs fortify_source`" != "yes" ]; then echo "fortify_source is `cs fortify_source`"; exit 1; fi | ||
| - name: upload artifacts | ||
| uses: actions/upload-artifact@v3 | ||
| with: | ||
| name: "yubihsm-shell-${{ env.PLATFORM }}-amd64" | ||
| path: ${{ env.PLATFORM }} |