diff --git a/.github/workflows/check_version.yml b/.github/workflows/check_version.yml index c631e80..d543028 100644 --- a/.github/workflows/check_version.yml +++ b/.github/workflows/check_version.yml @@ -20,11 +20,8 @@ jobs: needs: configure runs-on: ubuntu-latest container: - image: zondax/builder-bolos:latest + image: zondax/ledger-app-builder:latest options: --user ${{ needs.configure.outputs.uid_gid }} - env: - BOLOS_ENV: /opt/bolos - HOME: /home/zondax_circle outputs: version: ${{ steps.store-version.outputs.version }} steps: @@ -32,13 +29,7 @@ jobs: uses: actions/checkout@v3 with: submodules: true - - - name: Invoke `version` - shell: bash -l {0} - env: - BOLOS_SDK: ${{ github.workspace }}/deps/nanos-secure-sdk - run: make version - + - run: make version - id: store-version run: echo "version=$(cat ./app/app.version)" >> $GITHUB_OUTPUT diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..c9fd320 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,37 @@ +name: "CodeQL" + +on: + workflow_dispatch: + push: + pull_request: + branches: + - main + - develop + +jobs: + analyse: + name: Analyse + strategy: + matrix: + sdk: ["$NANOS_SDK", "$NANOX_SDK", "$NANOSP_SDK", "$STAX_SDK"] + runs-on: ubuntu-latest + container: + image: ghcr.io/ledgerhq/ledger-app-builder/ledger-app-builder-legacy:latest + + steps: + - name: Clone + uses: actions/checkout@v3 + with: + submodules: recursive + + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: cpp + queries: security-and-quality + + - name: Build + run: | + make -j BOLOS_SDK=${{ matrix.sdk }} + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 diff --git a/.github/workflows/guidelines_enforcer.yml b/.github/workflows/guidelines_enforcer.yml new file mode 100644 index 0000000..e2dae28 --- /dev/null +++ b/.github/workflows/guidelines_enforcer.yml 
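Review bot: The new `image: zondax/ledger-app-builder:latest` is a floating tag, so the container that computes the version (and, via the same change, the build and packaging containers in main.yml at @@ -59, @@ -199, @@ -238 and the new build_package_stax job at @@ -276, plus `ledger-app-builder-legacy:latest` in codeql.yml) can change underneath the workflow without any diff in this repository. For containers that produce release installers, pin the reference to a digest and keep the tag in a comment, e.g. `image: zondax/ledger-app-builder@sha256:<DIGEST-PLACEHOLDER>  # ledger-app-builder:latest as of <DATE-PLACEHOLDER>`, and refresh it deliberately. The same note applies to those other hunks; it is not repeated there.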
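Review bot: The replacement step `- run: make version` has no `name`, and the `BOLOS_SDK` the removed step exported has no successor anywhere in this workflow, whereas the same image switch in main.yml sets `BOLOS_SDK: /opt/nanos-secure-sdk` on the container. The Makefile is not visible here; if its `version` target reads `BOLOS_SDK`, the step now relies on whatever the image happens to define. Keeping the step named and explicit, `- name: Invoke version`, `  env:`, `    BOLOS_SDK: /opt/nanos-secure-sdk` above the unchanged `run: make version`, would make the dependency visible and consistent with main.yml.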
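Review bot: The new workflow declares no `permissions:` block, yet `github/codeql-action/analyze@v2` uploads results to code scanning, which needs `security-events: write`; on a repository whose default token is read-only the upload fails, and on a permissive default the job runs with more rights than it needs. Add at top level `permissions:`, `  contents: read`, `  security-events: write` (plus `actions: read` if the repository is private). The matrix entries `"$NANOS_SDK"` etc. are literal strings expanded by the shell inside `make -j BOLOS_SDK=${{ matrix.sdk }}`, so if the legacy image does not export one of them the build proceeds with an empty `BOLOS_SDK`; a guard line before make, `[ -n "${{ matrix.sdk }}" ] || { echo "SDK variable unset"; exit 1; }`, turns that into an explicit failure. Note also that `push:` has no branch filter while `pull_request:` does — confirm that running on every pushed branch is intended.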
@@ -0,0 +1,25 @@ +name: Ensure compliance with Ledger guidelines + +# This workflow is mandatory in all applications +# It calls a reusable workflow guidelines_enforcer developed by Ledger's internal developer team. +# The successful completion of the reusable workflow is a mandatory step for an app to be available on the Ledger +# application store. +# +# More information on the guidelines can be found in the repository: +# LedgerHQ/ledger-app-workflows/ + +on: + workflow_dispatch: + push: + branches: + - master + - main + - develop + pull_request: + +jobs: + guidelines_enforcer: + name: Call Ledger guidelines_enforcer + uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_guidelines_enforcer.yml@v1 + with: + relative_app_directory: app diff --git a/.github/workflows/ledger.yml b/.github/workflows/ledger.yml deleted file mode 100644 index f951500..0000000 --- a/.github/workflows/ledger.yml +++ /dev/null @@ -1,37 +0,0 @@ -name: CI - -on: - # Triggers the workflow on push or pull request events but only for the main branch - push: - branches: - - main - - develop - pull_request: - branches: - - main - - develop - - # Allows you to run this workflow manually from the Actions tab - workflow_dispatch: - -jobs: - scan-build: - name: Clang Static Analyzer - runs-on: ubuntu-latest - - container: - image: ghcr.io/ledgerhq/ledger-app-builder/ledger-app-builder:latest - - steps: - - uses: actions/checkout@v3 - with: - submodules: true - - - name: Build with Clang Static Analyzer - run: | - scan-build --use-cc=clang -analyze-headers -enable-checker security -enable-checker unix -enable-checker valist -o scan-build --status-bugs make default - - uses: actions/upload-artifact@v2 - if: failure() - with: - name: scan-build - path: scan-build diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 99620a5..b7b550c 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
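Review bot: `uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_guidelines_enforcer.yml@v1` references a moving tag, so the reusable workflow — which runs with this repository's token and checkout — can change without any change here. If the Ledger process allows it, pin to a full commit SHA and keep the tag as a comment, e.g. `uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_guidelines_enforcer.yml@<COMMIT-SHA-PLACEHOLDER>  # v1`; if tracking `@v1` is the upstream contract, say so in the header comment so the choice is not mistaken for an oversight. A one-line comment on what `relative_app_directory: app` selects (presumably the directory holding the app Makefile — confirm against the reusable workflow's inputs) would also help the next maintainer.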
@@ -27,8 +27,7 @@ jobs: run: | sudo update-alternatives --install /usr/bin/python python /usr/bin/python3 10 make deps - - run: cmake -DCMAKE_BUILD_TYPE=Debug . && make - - run: GTEST_COLOR=1 ASAN_OPTIONS=detect_leaks=0 ctest -VV + - run: make cpp_test build_only_rust: runs-on: ubuntu-latest @@ -37,9 +36,10 @@ jobs: uses: actions/checkout@v3 with: submodules: true - - name: Install deps - run: | - curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y + - name: Install rust + uses: actions-rs/toolchain@v1 + with: + toolchain: stable - name: rustfmt run: | cd ./app/rust @@ -59,12 +59,10 @@ jobs: needs: configure runs-on: ubuntu-latest container: - image: zondax/builder-bolos:latest + image: zondax/ledger-app-builder:latest options: --user ${{ needs.configure.outputs.uid_gid }} - env: - BOLOS_SDK: ${{ github.workspace }}/deps/nanos-secure-sdk - BOLOS_ENV: /opt/bolos - HOME: /home/zondax_circle + env: + BOLOS_SDK: /opt/nanos-secure-sdk outputs: size: ${{steps.build.outputs.size}} steps: @@ -76,14 +74,12 @@ jobs: id: build shell: bash -l {0} run: | - source $HOME/.cargo/env SUBSTRATE_PARSER_FULL=1 make echo "size=$(python3 deps/ledger-zxlib/scripts/getSize.py s)" >> $GITHUB_OUTPUT - name: Build SR25519 app shell: bash -l {0} run: | - source $HOME/.cargo/env - SUPPORT_SR25519=1 make + SUBSTRATE_PARSER_FULL=1 SUPPORT_SR25519=1 make size_nano_s: needs: build_ledger 
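Review bot: `- run: make cpp_test` replaces a step that ran `ctest` with `ASAN_OPTIONS=detect_leaks=0`, and nothing in the hunk carries that setting over; the `cpp_test` target is not visible in this diff, so whether leak detection is now enabled (or how the tests are built) cannot be confirmed here. If the target does not set it, either set it on the step with `env:` / `ASAN_OPTIONS: detect_leaks=0`, or record in the Makefile that leak detection is intentionally on. The job's earlier steps are outside the hunk.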
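Review bot: `uses: actions-rs/toolchain@v1` (here and again in the test_zemu job at @@ -109) pulls a third-party action by mutable tag, and the actions-rs organisation has been unmaintained for some time, so the action receives deprecation warnings rather than fixes. Prefer a maintained toolchain action pinned to a full commit SHA with the version in a comment, e.g. `uses: dtolnay/rust-toolchain@<COMMIT-SHA-PLACEHOLDER>  # stable` with the `toolchain: stable` input kept; the same pinning applies to `actions/checkout@v3` and `actions/setup-node@v3` if the repository adopts SHA pinning. The rustfmt step continues outside the hunk.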
@@ -109,68 +105,27 @@ jobs: submodules: true - run: sudo apt-get update -y && sudo apt-get install -y libusb-1.0.0 libudev-dev - name: Install rust - run: | - sudo apt-get update - sudo apt-get install -y cmake binutils-dev libcurl4-openssl-dev libiberty-dev libelf-dev libdw-dev - curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- --no-modify-path --default-toolchain none -y; - - name: Install node - uses: actions/setup-node@v3 - - name: Install yarn - run: | - npm install -g yarn - - name: Build Ledger app - run: | - make SUBSTRATE_PARSER_FULL=1 - - name: Build/Install build js deps - run: | - export PATH=~/.cargo/bin:$PATH - make zemu_install - - name: Run zemu tests - run: | - export PATH=~/.cargo/bin:$PATH - make zemu_test - - test_zemu_sr25519: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v3 + uses: actions-rs/toolchain@v1 with: - submodules: true - - run: sudo apt-get update -y && sudo apt-get install -y libusb-1.0.0 libudev-dev - - name: Install rust - run: | - sudo apt-get update - sudo apt-get install -y cmake binutils-dev libcurl4-openssl-dev libiberty-dev libelf-dev libdw-dev - curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- --no-modify-path --default-toolchain none -y; + toolchain: stable - name: Install node uses: actions/setup-node@v3 - name: Install yarn run: | npm install -g yarn - - name: Build Ledger app + - name: Build and run zemu tests run: | - make clean_build && SUBSTRATE_PARSER_FULL=1 SUPPORT_SR25519=1 make buildS - - name: Build/Install build js deps - run: | - export PATH=~/.cargo/bin:$PATH - make zemu_install - - name: Run zemu tests for sr25519 - run: | - export PATH=~/.cargo/bin:$PATH - cd tests_zemu && yarn testSR25519 + make test_all - build_package_0: - needs: [configure, build, build_ledger, test_zemu, test_zemu_sr25519] + build_package_nanos: + needs: [configure, build, build_ledger, test_zemu] if: ${{ github.ref == 'refs/heads/main' }} runs-on: ubuntu-latest 
container: - image: zondax/builder-bolos:latest + image: zondax/ledger-app-builder:latest options: --user ${{ needs.configure.outputs.uid_gid }} - env: - BOLOS_SDK: ${{ github.workspace }}/deps/nanos-secure-sdk - BOLOS_ENV: /opt/bolos - HOME: /home/zondax_circle + env: + BOLOS_SDK: /opt/nanos-secure-sdk steps: - name: Checkout uses: actions/checkout@v3 @@ -182,7 +137,6 @@ jobs: - name: Build NanoS shell: bash -l {0} run: | - source $HOME/.cargo/env make SUBSTRATE_PARSER_FULL=0 mv ./app/pkg/installer_s.sh ./app/pkg/installer_nanos.sh - name: Set tag @@ -199,17 +153,15 @@ jobs: draft: false prerelease: false - build_package_1: - needs: [configure, build, build_ledger, test_zemu, test_zemu_sr25519] + build_package_nanos_xl: + needs: [configure, build, build_ledger, test_zemu] if: ${{ github.ref == 'refs/heads/main' }} runs-on: ubuntu-latest container: - image: zondax/builder-bolos:latest + image: zondax/ledger-app-builder:latest options: --user ${{ needs.configure.outputs.uid_gid }} - env: - BOLOS_SDK: ${{ github.workspace }}/deps/nanos-secure-sdk - BOLOS_ENV: /opt/bolos - HOME: /home/zondax_circle + env: + BOLOS_SDK: /opt/nanos-secure-sdk steps: - name: Checkout uses: actions/checkout@v3 @@ -221,8 +173,7 @@ jobs: - name: Build NanoS XL shell: bash -l {0} run: | - source $HOME/.cargo/env - make SUBSTRATE_PARSER_FULL=1 DISABLE_PREVIOUS=1 + make SUBSTRATE_PARSER_FULL=1 mv ./app/pkg/installer_s.sh ./app/pkg/installer_nanos_xl.sh - name: Set tag id: nanos_xl 
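Review bot: The dedicated `test_zemu_sr25519` job, which built with `SUPPORT_SR25519=1` and ran `yarn testSR25519`, is folded into a single `make test_all` step, while build_ledger still produces an SR25519 variant; the Makefile is outside this diff, so whether `test_all` exercises that variant cannot be confirmed. If it does not, the SR25519 build is now shipped untested; if it does, a comment above the step, `# test_all builds and runs the zemu suites for both the default and SR25519 variants`, would record that the removed job is covered. The test_zemu job header is outside the hunk.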
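Review bot: The NanoS XL build drops `DISABLE_PREVIOUS=1` together with the `source $HOME/.cargo/env` cleanup, so `make SUBSTRATE_PARSER_FULL=1` now builds the XL installer with whatever that flag previously disabled; the Makefile is not in the diff, so the effect cannot be confirmed here. Since the installer is a release artifact, a comment on the step (`# DISABLE_PREVIOUS intentionally not set: <reason>`) or a line in the PR description should state why, so the change is not read as an accidental casualty of the cleanup.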
@@ -238,17 +189,15 @@ jobs: draft: false prerelease: false - build_package_2: - needs: [configure, build, build_ledger, test_zemu, test_zemu_sr25519] + build_package_nanosp: + needs: [configure, build, build_ledger, test_zemu] if: ${{ github.ref == 'refs/heads/main' }} runs-on: ubuntu-latest container: - image: zondax/builder-bolos:latest + image: zondax/ledger-app-builder:latest options: --user ${{ needs.configure.outputs.uid_gid }} - env: - BOLOS_SDK: ${{ github.workspace }}/deps/nanosplus-secure-sdk - BOLOS_ENV: /opt/bolos - HOME: /home/zondax_circle + env: + BOLOS_SDK: /opt/nanosplus-secure-sdk steps: - name: Checkout uses: actions/checkout@v3 @@ -260,7 +209,6 @@ jobs: - name: Build NanoSP shell: bash -l {0} run: | - source $HOME/.cargo/env make SUBSTRATE_PARSER_FULL=1 mv ./app/pkg/installer_s2.sh ./app/pkg/installer_nanos_plus.sh - name: Set tag @@ -276,3 +224,37 @@ jobs: tag_name: ${{ steps.nanosp.outputs.tag_name }} draft: false prerelease: false + + build_package_stax: + needs: [configure, build, build_ledger, test_zemu] + if: ${{ github.ref == 'refs/heads/main' }} + runs-on: ubuntu-latest + container: + image: zondax/ledger-app-builder:latest + options: --user ${{ needs.configure.outputs.uid_gid }} + env: + BOLOS_SDK: /opt/stax-secure-sdk + steps: + - name: Checkout + uses: actions/checkout@v3 + with: + submodules: true + - name: Install deps + run: pip install ledgerblue + + - name: Build Stax + shell: bash -l {0} + run: make SUBSTRATE_PARSER_FULL=1 + - name: Set tag + id: stax + run: echo "tag_name=$(./app/pkg/installer_stax.sh version)" >> $GITHUB_OUTPUT + - name: Update Release + id: update_release_2 + uses: softprops/action-gh-release@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token + with: + files: ./app/pkg/installer_stax.sh + tag_name: ${{ steps.stax.outputs.tag_name }} + draft: false + prerelease: false
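Review bot: The new build_package_stax job runs `pip install ledgerblue` with no version pin and no hash check, so a job that publishes a release artifact fetches whatever PyPI serves at run time; pin it, e.g. `run: pip install ledgerblue==<VERSION-PLACEHOLDER>`, ideally via a requirements file installed with `--require-hashes`. The job also mirrors the other package jobs in publishing through `softprops/action-gh-release@v1` with `GITHUB_TOKEN` and no `permissions:` block, so it depends on the repository's default token carrying `contents: write`; a job-level `permissions:` / `  contents: write` makes that explicit and keeps the rest of the token read-only. The job's `needs:` list carries no Stax-specific test, which matches the other package jobs but is worth noting if a Stax zemu suite exists.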