From 7e47abd525086bc10f18200aa33b534b7f724d47 Mon Sep 17 00:00:00 2001
From: Jonatan Antoni
Date: Wed, 4 Feb 2026 16:00:21 +0100
Subject: [PATCH 1/4] Add GitHub workflow as sanity check
---
.github/dependabot.yml | 11 ++++++
.github/workflows/build.yml | 76 +++++++++++++++++++++++++++++++++++++
fvp.sh | 2 +-
3 files changed, 88 insertions(+), 1 deletion(-)
create mode 100644 .github/dependabot.yml
create mode 100644 .github/workflows/build.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..edf893f
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+version: 2
+
+updates:
+ # Maintain dependencies for GitHub Actions
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "monthly"
+ time: "02:00"
+ cooldown:
+ default-days: 3
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000..28237bf
--- /dev/null
+++ b/.github/workflows/build.yml
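Review bot: `time: "02:00"` is given without a `timezone:` key, so Dependabot reads the hour as UTC rather than the author's local time (the commit header carries +0100); if an off-hours local window is the intent, add an IANA zone next to it, for example `timezone: "Europe/Berlin"`. The rest of the file is sound: the `github-actions` ecosystem together with the SHA-pinned `uses:` lines and their `# vX.Y.Z` comments in the workflow lets Dependabot bump the pins and the version comments together.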
@@ -0,0 +1,76 @@
+name: build
+
+on:
+ push:
+ branches:
+ - main
+
+ pull_request:
+ paths:
+ - .github/workflows/build.yml
+ - dockerfile
+ - build.sh
+ - fvp.sh
+ - fvprc
+
+permissions:
+ contents: read
+
+jobs:
+ lint:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+ with:
+ egress-policy: audit
+
+ - name: Checkout
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ fetch-depth: 0
+
+ - name: Install Ubuntu deps
+ run: |
+ sudo apt-get update
+ sudo apt-get install \
+ shellcheck
+
+ - uses: ammaraskar/gcc-problem-matcher@0f9c86f9e693db67dacf53986e1674de5f2e5f28 # master
+
+ - name: Run ShellCheck
+ run: |
+ shellcheck -s bash -f gcc *.sh fvprc
+
+ - name: Lint Dockerfile
+ uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
+ with:
+ dockerfile: dockerfile
+
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+ with:
+ egress-policy: audit
+
+ - name: Checkout
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ fetch-depth: 0
+
+ - name: Create .armlm
+ run: mkdir -p ~/.armlm
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+
+ - name: Build Docker image
+ run: ./build.sh
+
+ - name: Run FVP binaries to verify build
+ run: |
+ for x in ./bin/*; do
+ $x --version || exit 1
+ done
diff --git a/fvp.sh b/fvp.sh
index c1208c3..4fe47c8 100755
--- a/fvp.sh
+++ b/fvp.sh
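Review bot: Both jobs run harden-runner with `egress-policy: audit`, which only records outbound connections and blocks nothing, while the `build` job executes `./build.sh` and then every file under `./bin/` from the pull request under test; once an audit run shows what the build actually needs, switch that job to `egress-policy: block` with an explicit `allowed-endpoints:` list so an unexpected download fails instead of being logged. Neither job sets `timeout-minutes`, so a model binary that blocks inside the `--version` loop holds the runner until GitHub's default limit; `timeout-minutes: 30` on each job is cheap insurance. The loop should quote the path, `"$x" --version || exit 1`, so a file name containing spaces is not word-split. The `# master` comment on `ammaraskar/gcc-problem-matcher` documents a SHA pin taken from a moving branch rather than a release, which is still a pin but gives reviewers no tagged version to compare against; prefer a tagged release if the action has one.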
@@ -66,7 +66,7 @@ docker run \
 "${MOUNTS[@]}" \
 --workdir "$workdir" \
 --env "ARMLM_CACHED_LICENSES_LOCATION=${HOME}/.armlm" \
- --env DISPLAY=${DISPLAY_IP}:0 \
+ --env "DISPLAY=${DISPLAY_IP}:0" \
 --volume /tmp/.X11-unix:/tmp/.X11-unix \
 "fvp:${FVP_VERSION}" "${MODEL}" "${FLAGS[@]}"
From 0ec83de5b337701eae3274c21b4d883b2667a55d Mon Sep 17 00:00:00 2001
From: Jonatan Antoni
Date: Wed, 4 Feb 2026 16:21:30 +0100
Subject: [PATCH 2/4] Fixup
---
.github/workflows/build.yml | 9 +++++----
dockerfile | 2 ++
2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 28237bf..8c112d9 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -54,7 +54,11 @@ jobs:
 uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
 with:
 egress-policy: audit
-
+ allowed-endpoints: >
+ archive.ubuntu.com:80
+ security.ubuntu.com:80
+ ppa.launchpadcontent.net:443
+
 - name: Checkout
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
@@ -63,9 +67,6 @@ jobs:
 - name: Create .armlm
 run: mkdir -p ~/.armlm
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
-
 - name: Build Docker image
 run: ./build.sh
diff --git a/dockerfile b/dockerfile
index c175d9a..6cc3b5e 100644
--- a/dockerfile
+++ b/dockerfile
@@ -1,3 +1,5 @@
+
+# hadolint global ignore=DL3008,DL3015
 FROM ubuntu:22.04
 ARG DEBIAN_FRONTEND=noninteractive
From 530575bbdc592f299d7e30b8897a056407551b83 Mon Sep 17 00:00:00 2001
From: Jonatan Antoni
Date: Wed, 4 Feb 2026 16:30:08 +0100
Subject: [PATCH 3/4] Disable hardened runner
---
.github/workflows/build.yml | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 8c112d9..404d792 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
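Review bot: The quoting fix is correct, but the same `docker run` invocation, which begins above the hunk, bind-mounts `/tmp/.X11-unix` into the container and hands it `DISPLAY`, so the model process gets unrestricted access to the host X server (input injection and screen capture are the usual consequences of sharing that socket). That deserves a comment on the `--volume` line, `# shares the host X socket: the container gets full X-server access`, and, if a display is only needed for interactive runs, making that mount and the `DISPLAY` env conditional on a flag. With `DISPLAY_IP` unset the value becomes `DISPLAY=:0`, i.e. the local-socket case; that looks intended but is worth stating in the script.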
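Review bot: `allowed-endpoints:` is added while `egress-policy` stays `audit`, so the list is not enforced; harden-runner only rejects connections in `block` mode. If enforcement is the goal, set `egress-policy: block`, but then this list is too short for the `build` job: it names apt mirrors only, not `github.com` for the checkout nor whatever `./build.sh` fetches for the image build and the FVP download, so derive the full list from a complete audit run before switching. The folded scalar (`>`) matches the action's documented style, so the YAML itself is fine.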
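Review bot: `# hadolint global ignore=DL3008,DL3015` silences, for the whole file, the two rules that matter most for a reproducible image: DL3008 (unpinned `apt-get install` versions) and DL3015 (`--no-install-recommends` missing). With them off, the package set baked into the image can drift between builds with no lint signal; prefer pinning the packages the image needs and scoping any remaining exception to the single instruction with `# hadolint ignore=DL3008` plus a reason. The `apt-get` lines themselves lie outside this hunk, so that is inferred from the rule IDs and `ARG DEBIAN_FRONTEND=noninteractive`. The blank line the hunk adds as the first line of the file is stray, and `FROM ubuntu:22.04` is tag-pinned only; a digest pin (`FROM ubuntu:22.04@sha256:…`) would fix the base image as firmly as the actions are pinned in the workflow.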
@@ -50,14 +50,10 @@ jobs:
 build:
 runs-on: ubuntu-latest
 steps:
- - name: Harden the runner (Audit all outbound calls)
- uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
- with:
- egress-policy: audit
- allowed-endpoints: >
- archive.ubuntu.com:80
- security.ubuntu.com:80
- ppa.launchpadcontent.net:443
+ # - name: Harden the runner (Audit all outbound calls)
+ # uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+ # with:
+ # egress-policy: audit
 - name: Checkout
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
From 697f4f3be4eb9de82aa91dd467ccc5c45b33b032 Mon Sep 17 00:00:00 2001
From: Jonatan Antoni
Date: Wed, 4 Feb 2026 17:52:37 +0100
Subject: [PATCH 4/4] Reenable harden runner step
---
.github/workflows/build.yml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 404d792..180380a 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -50,10 +50,10 @@ jobs:
 build:
 runs-on: ubuntu-latest
 steps:
- # - name: Harden the runner (Audit all outbound calls)
- # uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
- # with:
- # egress-policy: audit
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+ with:
+ egress-policy: audit
 - name: Checkout
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
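Review bot: The re-enabled step comes back with `egress-policy: audit` alone, so the `allowed-endpoints:` list from the `Fixup` commit is gone and, after this series, nothing outbound from the `build` job is restricted; audit mode logs connections and blocks none. If the list was dropped because it broke the build, the step deserves a comment saying so, `# audit only until the image build's and FVP download's hosts are known; then switch to block`, rather than leaving the next reader to reconstruct that from history. Once the audit output lists those hosts, move to `egress-policy: block` with the complete `allowed-endpoints:`. The `build` job's remaining steps continue below the hunk.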