Restrict system operations on OpenBSD #505
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Publish | |
on: | |
pull_request: | |
push: | |
branches: | |
- '*' | |
tags: | |
- '*' | |
jobs: | |
build_tarballs: | |
name: Build tarballs | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- uses: cachix/install-nix-action@v22 | |
- name: Build tarballs | |
run: | | |
nix build -L .#hydraJobs.tarball | |
install -D ./result/tarballs/*.tar.bz2 ./dist/patchelf-$(cat version).tar.bz2 | |
install -D ./result/tarballs/*.tar.gz ./dist/patchelf-$(cat version).tar.gz | |
- uses: actions/upload-artifact@v3 | |
with: | |
name: patchelf | |
path: dist/* | |
build_windows: | |
name: Build windows executable | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- uses: cachix/install-nix-action@v22 | |
- name: Build windows executable | |
run: | | |
nix build -L .#patchelf-win32 .#patchelf-win64 | |
install -D ./result/bin/patchelf.exe ./dist/patchelf-win32-$(cat version).exe | |
install -D ./result-1/bin/patchelf.exe ./dist/patchelf-win64-$(cat version).exe | |
- uses: actions/upload-artifact@v3 | |
with: | |
name: patchelf | |
path: dist/* | |
test_windows: | |
name: Test windows binaries | |
needs: [build_windows] | |
runs-on: windows-latest | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: actions/download-artifact@v3 | |
with: | |
name: patchelf | |
path: dist | |
- name: Show binaries | |
run: dir .\\dist | |
- name: Test windows 64-bit binary | |
run: .\\dist\\patchelf-win32-*.exe --version | |
- name: Test windows 32-bit binary | |
run: .\\dist\\patchelf-win64-*.exe --version | |
build_musl: | |
name: Build static musl binaries | |
needs: [build_tarballs] | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
platform: ["amd64", "i386", "ppc64le", "arm64v8", "arm32v7", "s390x", "riscv64"] | |
steps: | |
- name: Set up QEMU | |
if: matrix.platform != 'amd64' | |
uses: docker/setup-qemu-action@v3 | |
- uses: actions/download-artifact@v3 | |
with: | |
name: patchelf | |
path: dist | |
- name: Build binaries | |
env: | |
CXXFLAGS: "-D_FORTIFY_SOURCE=2 -fstack-protector-strong -Wformat -Werror=format-security -O2 -static" | |
run: | | |
cat <<EOF > build.sh | |
set -e | |
set -x | |
apk add build-base | |
tar -xf dist/*.tar.bz2 | |
rm -f dist/* | |
cd patchelf-* | |
./configure --prefix /patchelf | |
make check || (cat tests/test-suite.log; exit 1) | |
make install-strip | |
cd - | |
tar -czf ./dist/patchelf-\$(cat patchelf-*/version)-\$(uname -m).tar.gz -C /patchelf . | |
EOF | |
if [ "${{ matrix.platform }}" == "i386" ]; then | |
ENTRYPOINT=linux32 | |
else | |
ENTRYPOINT= | |
fi | |
docker run -e CXXFLAGS -v $(pwd):/gha ${{ matrix.platform }}/alpine:edge ${ENTRYPOINT} sh -ec "cd /gha && sh ./build.sh" | |
- name: Check binaries | |
run: | | |
cat <<EOF > check.sh | |
set -e | |
set -x | |
tar -xf ./dist/patchelf-*-*.tar.gz | |
./bin/patchelf --version | |
EOF | |
docker run -v $(pwd):/gha ${{ matrix.platform }}/debian:unstable-slim sh -ec "cd /gha && sh ./check.sh" | |
- uses: actions/upload-artifact@v3 | |
with: | |
name: patchelf | |
path: dist/* | |
publish: | |
name: Publish tarballs & binaries | |
needs: [build_tarballs, build_windows, build_musl] | |
if: github.event_name == 'push' && github.repository == 'NixOS/patchelf' && startsWith(github.ref, 'refs/tags/') | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/download-artifact@v3 | |
with: | |
name: patchelf | |
path: dist | |
- name: Upload binaries to release | |
uses: svenstaro/upload-release-action@v2 | |
with: | |
repo_token: ${{ secrets.GITHUB_TOKEN }} | |
file: dist/* | |
tag: ${{ github.ref }} | |
overwrite: true | |
file_glob: true |