From 3b231ffd3664a4c731f4829de7862e2e94c06057 Mon Sep 17 00:00:00 2001 From: James Fantin-Hardesty <24646452+jfantinhardesty@users.noreply.github.com> Date: Thu, 12 Dec 2024 10:48:44 -0700 Subject: [PATCH] Fix security issues with ci/cd --- .github/workflows/cmake-build.yml | 86 +++++----- .github/workflows/codespell.yml | 4 +- .github/workflows/lint.yml | 20 ++- .github/workflows/release.yml | 273 +++++++++++++++--------------- 4 files changed, 194 insertions(+), 189 deletions(-) diff --git a/.github/workflows/cmake-build.yml b/.github/workflows/cmake-build.yml index 5dd30b9..4509add 100644 --- a/.github/workflows/cmake-build.yml +++ b/.github/workflows/cmake-build.yml @@ -4,9 +4,9 @@ name: CMake on multiple platforms on: push: - branches: [ "main" ] + branches: ["main"] pull_request: - branches: [ "main" ] + branches: ["main"] jobs: build: 
@@ -61,51 +61,53 @@ jobs: arm_c_compiler: aarch64-linux-gnu-gcc arm_cpp_compiler: aarch64-linux-gnu-g++ - os: windows-latest - + steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v4 + with: + persist-credentials: false - - name: Install cross compiler - if: ${{ Contains(matrix.os, 'ubuntu-22.04') || Contains(matrix.os, 'ubuntu-20.04')}} - run: | - sudo apt-get update - sudo apt-get install -y g++-aarch64-linux-gnu gcc-aarch64-linux-gnu libstdc++6-arm64-cross linux-libc-dev-arm64-cross + - name: Install cross compiler + if: ${{ Contains(matrix.os, 'ubuntu-22.04') || Contains(matrix.os, 'ubuntu-20.04')}} + run: | + sudo apt-get update + sudo apt-get install -y g++-aarch64-linux-gnu gcc-aarch64-linux-gnu libstdc++6-arm64-cross linux-libc-dev-arm64-cross - - name: Install gcc-12 - if: ${{ Contains(matrix.os, 'ubuntu-24.04') }} - run: | - sudo apt-get update - sudo apt-get install -y g++-12-aarch64-linux-gnu gcc-12-aarch64-linux-gnu gcc-12 g++-12 g++-aarch64-linux-gnu gcc-aarch64-linux-gnu libstdc++6-arm64-cross linux-libc-dev-arm64-cross + - name: Install gcc-12 + if: ${{ Contains(matrix.os, 'ubuntu-24.04') }} + run: | + sudo apt-get update + sudo apt-get install -y g++-12-aarch64-linux-gnu gcc-12-aarch64-linux-gnu gcc-12 g++-12 g++-aarch64-linux-gnu gcc-aarch64-linux-gnu libstdc++6-arm64-cross linux-libc-dev-arm64-cross - - name: Setup vcpkg - uses: lukka/run-vcpkg@v11 - id: runvcpkg - with: - # The vcpkg.json file, which will be part of cache key computation. - vcpkgJsonGlob: '**/src/vcpkg.json' + - name: Setup vcpkg + uses: lukka/run-vcpkg@v11 + id: runvcpkg + with: + # The vcpkg.json file, which will be part of cache key computation. 
+ vcpkgJsonGlob: "**/src/vcpkg.json" - - name: Build using CMake on Linux for amd64 - if: ${{ Contains(matrix.os, 'ubuntu') }} - run: > - ./build_plugin_x64.sh - -DCMAKE_CXX_COMPILER=${{ matrix.cpp_compiler }} - -DCMAKE_C_COMPILER=${{ matrix.c_compiler }} + - name: Build using CMake on Linux for amd64 + if: ${{ Contains(matrix.os, 'ubuntu') }} + run: > + ./build_plugin_x64.sh + -DCMAKE_CXX_COMPILER=${{ matrix.cpp_compiler }} + -DCMAKE_C_COMPILER=${{ matrix.c_compiler }} - - name: Cleanup Build - if: ${{ Contains(matrix.os, 'ubuntu') }} - run: > - rm -r ../nx-lyve-cloud-plugin-build/ + - name: Cleanup Build + if: ${{ Contains(matrix.os, 'ubuntu') }} + run: > + rm -r ../nx-lyve-cloud-plugin-build/ - - name: Build using CMake on Linux for arm64 - if: ${{ Contains(matrix.os, 'ubuntu') }} - run: > - ./build_plugin_arm64.sh - -DCMAKE_CXX_COMPILER=${{ matrix.arm_cpp_compiler }} - -DCMAKE_C_COMPILER=${{ matrix.arm_c_compiler }} + - name: Build using CMake on Linux for arm64 + if: ${{ Contains(matrix.os, 'ubuntu') }} + run: > + ./build_plugin_arm64.sh + -DCMAKE_CXX_COMPILER=${{ matrix.arm_cpp_compiler }} + -DCMAKE_C_COMPILER=${{ matrix.arm_c_compiler }} - - name: Build using CMake on Windows - shell: powershell - if: ${{ Contains(matrix.os, 'windows') }} - run: > - ./build_plugin.bat - --no-tests + - name: Build using CMake on Windows + shell: powershell + if: ${{ Contains(matrix.os, 'windows') }} + run: > + ./build_plugin.bat + --no-tests diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml index 379edcf..4beac59 100644 --- a/.github/workflows/codespell.yml +++ b/.github/workflows/codespell.yml @@ -16,9 +16,11 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false + - uses: codespell-project/actions-codespell@v2 with: check_filenames: true skip: ./.git,./.github/workflows/codespell.yml,.git,*.png,*.jpg,*.svg,*.sum,./vendor,./NOTICE ignore_words_list: Statics,statics - \ No newline at end of file 
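Review bot: The hardening in this hunk stops at `persist-credentials: false`; `actions/checkout@v4` and `lukka/run-vcpkg@v11` are still referenced by mutable tags, so a moved or compromised tag would run arbitrary code in this job with whatever the `GITHUB_TOKEN` grants. Pin each action to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`, and let a dependency updater bump the pins. The same applies to `codespell-project/actions-codespell@v2` in the codespell hunk, `actions/checkout@v4` in the lint hunk, and the `checkout`, `run-vcpkg`, `upload-artifact`, `download-artifact` and `softprops/action-gh-release` references in the release hunk. If the workflow has no top-level `permissions:` block (not visible in this hunk), adding `permissions: contents: read` at the top of the file makes the token read-only regardless of the repository default.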
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 8935ac8..df6923a 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -2,20 +2,22 @@ name: Linting with Clang-format on: push: - branches: [ "main" ] + branches: ["main"] pull_request: - branches: [ "main" ] + branches: ["main"] jobs: code-format: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v4 + with: + persist-credentials: false - - name: Run clang-format - run: | - find ./src/lib/cloudfuse/ -iname '*.h' -o -iname '*.cpp' | xargs clang-format -i --dry-run --Werror - find ./src/plugin/ -iname '*.h' -o -iname '*.cpp' | xargs clang-format -i --dry-run --Werror - find ./src/unit_tests/ -iname '*.h' -o -iname '*.cpp' | xargs clang-format -i --dry-run --Werror - find ./unit_tests/ -iname '*.h' -o -iname '*.cpp' | xargs clang-format -i --dry-run --Werror + - name: Run clang-format + run: | + find ./src/lib/cloudfuse/ -iname '*.h' -o -iname '*.cpp' | xargs clang-format -i --dry-run --Werror + find ./src/plugin/ -iname '*.h' -o -iname '*.cpp' | xargs clang-format -i --dry-run --Werror + find ./src/unit_tests/ -iname '*.h' -o -iname '*.cpp' | xargs clang-format -i --dry-run --Werror + find ./unit_tests/ -iname '*.h' -o -iname '*.cpp' | xargs clang-format -i --dry-run --Werror diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fb700b7..85b7f2f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -3,7 +3,7 @@ name: Build and Release on: push: tags: - - 'v*' + - "v*" jobs: build-release: 
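Review bot: The four `find … | xargs clang-format` pipelines in the `Run clang-format` step pass file names through whitespace-delimited `xargs`, so a path containing a space is split into bogus arguments, and `-i` contradicts `--dry-run` on the same command line. Use NUL-delimited names, group the `-o` expression so `-print0` applies to both patterns, and drop `-i`: `find ./src/lib/cloudfuse/ \( -iname '*.h' -o -iname '*.cpp' \) -print0 | xargs -0 -r clang-format --dry-run --Werror`, and likewise for the other three directories. The step otherwise interpolates no expression input into the shell, so nothing else in it needs escaping.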
@@ -28,144 +28,143 @@ jobs: arm_cpp_compiler: aarch64-linux-gnu-g++ - os: windows-latest steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Install cross compiler - if: ${{ Contains(matrix.os, 'ubuntu-22.04') || Contains(matrix.os, 'ubuntu-20.04')}} - run: | - sudo apt-get update - sudo apt-get install -y g++-aarch64-linux-gnu gcc-aarch64-linux-gnu - - - name: Install gcc-12 - if: ${{ Contains(matrix.os, 'ubuntu-24.04') }} - run: | - sudo apt-get update - sudo apt-get install -y g++-12-aarch64-linux-gnu gcc-12-aarch64-linux-gnu gcc-12 g++-12 g++-aarch64-linux-gnu gcc-aarch64-linux-gnu - - - name: Setup vcpkg - uses: lukka/run-vcpkg@v11 - id: runvcpkg - with: - # The vcpkg.json file, which will be part of cache key computation. - vcpkgJsonGlob: '**/src/vcpkg.json' - - - name: Download cloudfuse for Windows - if: ${{ Contains(matrix.os, 'windows') }} - shell: pwsh - run: | - $download_url = Invoke-RestMethod -Uri "https://api.github.com/repos/Seagate/cloudfuse/releases/latest" | Select-Object -ExpandProperty assets | Where-Object { $_.name -like "*no_gui*" } | Where-Object { $_.name -like "*windows_amd64.exe*" } | Select-Object -ExpandProperty browser_download_url - $file_name = $download_url.Split('/')[-1] - Invoke-WebRequest -Uri $download_url -OutFile $file_name - - - name: Download cloudfuse for Linux amd64 (no_gui) - if: ${{ Contains(matrix.os, 'ubuntu') }} - run: | - download_url=$(curl -s https://api.github.com/repos/Seagate/cloudfuse/releases/latest | jq -r '.assets[] | select(.name | (contains("no_gui") and contains("linux_amd64.deb"))) | .browser_download_url') - curl -LO $download_url - - - name: Download cloudfuse for Linux arm64 (no_gui) - if: ${{ Contains(matrix.os, 'ubuntu') }} - run: | - download_url=$(curl -s https://api.github.com/repos/Seagate/cloudfuse/releases/latest | jq -r '.assets[] | select(.name | (contains("no_gui") and contains("linux_arm64.deb"))) | .browser_download_url') - curl -LO $download_url - - - name: Run build 
script for Linux x64 - if: ${{ Contains(matrix.os, 'ubuntu') }} - run: > - ./build_plugin_x64.sh - -DCMAKE_CXX_COMPILER=${{ matrix.cpp_compiler }} - -DCMAKE_C_COMPILER=${{ matrix.c_compiler }} - - - name: Package Artifacts Linux x64 - if: ${{ Contains(matrix.os, 'ubuntu') }} - run: | - mkdir nx-lyve-cloud-plugin-${{ matrix.os }}_x64 - mv ../nx-lyve-cloud-plugin-build/cloudfuse_plugin/*.so nx-lyve-cloud-plugin-${{ matrix.os }}_x64/cloudfuse_plugin.so - mv ./cloudfuse*_linux_amd64.deb nx-lyve-cloud-plugin-${{ matrix.os }}_x64/ - cp ./install_plugin_linux.sh nx-lyve-cloud-plugin-${{ matrix.os }}_x64/ - zip -r nx-lyve-cloud-plugin-${{ matrix.os }}_x64.zip nx-lyve-cloud-plugin-${{ matrix.os }}_x64 - - - name: Cleanup Build - if: ${{ Contains(matrix.os, 'ubuntu') }} - run: > - rm -r ../nx-lyve-cloud-plugin-build/ - - - name: Run build script for Linux arm64 - if: ${{ Contains(matrix.os, 'ubuntu') }} - run: > - ./build_plugin_arm64.sh - -DCMAKE_CXX_COMPILER=${{ matrix.arm_cpp_compiler }} - -DCMAKE_C_COMPILER=${{ matrix.arm_c_compiler }} - - - name: Package Artifacts Linux arm64 - if: ${{ Contains(matrix.os, 'ubuntu') }} - run: | - mkdir nx-lyve-cloud-plugin-${{ matrix.os }}_arm64 - mv ../nx-lyve-cloud-plugin-build/cloudfuse_plugin/*.so nx-lyve-cloud-plugin-${{ matrix.os }}_arm64/cloudfuse_plugin.so - mv ./cloudfuse*_linux_arm64.deb nx-lyve-cloud-plugin-${{ matrix.os }}_arm64/ - cp ./install_plugin_linux.sh nx-lyve-cloud-plugin-${{ matrix.os }}_arm64/ - zip -r nx-lyve-cloud-plugin-${{ matrix.os }}_arm64.zip nx-lyve-cloud-plugin-${{ matrix.os }}_arm64 - - - name: Run build script for Windows - shell: powershell - if: ${{ Contains(matrix.os, 'windows') }} - run: > - .\build_plugin.bat - --no-tests - - - name: Package Artifacts Windows - shell: powershell - if: ${{ Contains(matrix.os, 'windows') }} - run: | - mkdir nx-lyve-cloud-plugin-windows - mv ..\nx-lyve-cloud-plugin-build\cloudfuse_plugin\Release\cloudfuse_plugin.dll nx-lyve-cloud-plugin-windows\cloudfuse_plugin.dll - 
mv .\install_plugin_windows.bat nx-lyve-cloud-plugin-windows\ - mv .\cloudfuse*_windows_amd64.exe nx-lyve-cloud-plugin-windows\ - Compress-Archive nx-lyve-cloud-plugin-windows nx-lyve-cloud-plugin-windows.zip - - - name: Archive production artifacts from Ubuntu x64 - if: ${{ Contains(matrix.os, 'ubuntu') }} - uses: actions/upload-artifact@v4 - with: - name: nx-lyve-cloud-plugin-${{ matrix.os }}_x64 - path: nx-lyve-cloud-plugin-${{ matrix.os }}_x64.zip - if-no-files-found: error - - - name: Archive production artifacts from Ubuntu arm64 - if: ${{ Contains(matrix.os, 'ubuntu') }} - uses: actions/upload-artifact@v4 - with: - name: nx-lyve-cloud-plugin-${{ matrix.os }}_arm64 - path: nx-lyve-cloud-plugin-${{ matrix.os }}_arm64.zip - if-no-files-found: error - - - name: Archive production artifacts from Windows - if: ${{ Contains(matrix.os, 'windows') }} - uses: actions/upload-artifact@v4 - with: - name: nx-lyve-cloud-plugin-windows - path: nx-lyve-cloud-plugin-windows.zip - if-no-files-found: error + - name: Checkout code + uses: actions/checkout@v4 + with: + persist-credentials: false + + - name: Install cross compiler + if: ${{ Contains(matrix.os, 'ubuntu-22.04') || Contains(matrix.os, 'ubuntu-20.04')}} + run: | + sudo apt-get update + sudo apt-get install -y g++-aarch64-linux-gnu gcc-aarch64-linux-gnu + + - name: Install gcc-12 + if: ${{ Contains(matrix.os, 'ubuntu-24.04') }} + run: | + sudo apt-get update + sudo apt-get install -y g++-12-aarch64-linux-gnu gcc-12-aarch64-linux-gnu gcc-12 g++-12 g++-aarch64-linux-gnu gcc-aarch64-linux-gnu + + - name: Setup vcpkg + uses: lukka/run-vcpkg@v11 + id: runvcpkg + with: + # The vcpkg.json file, which will be part of cache key computation. 
+ vcpkgJsonGlob: "**/src/vcpkg.json" + + - name: Download cloudfuse for Windows + if: ${{ Contains(matrix.os, 'windows') }} + shell: pwsh + run: | + $download_url = Invoke-RestMethod -Uri "https://api.github.com/repos/Seagate/cloudfuse/releases/latest" | Select-Object -ExpandProperty assets | Where-Object { $_.name -like "*no_gui*" } | Where-Object { $_.name -like "*windows_amd64.exe*" } | Select-Object -ExpandProperty browser_download_url + $file_name = $download_url.Split('/')[-1] + Invoke-WebRequest -Uri $download_url -OutFile $file_name + + - name: Download cloudfuse for Linux amd64 (no_gui) + if: ${{ Contains(matrix.os, 'ubuntu') }} + run: | + download_url=$(curl -s https://api.github.com/repos/Seagate/cloudfuse/releases/latest | jq -r '.assets[] | select(.name | (contains("no_gui") and contains("linux_amd64.deb"))) | .browser_download_url') + curl -LO $download_url + + - name: Download cloudfuse for Linux arm64 (no_gui) + if: ${{ Contains(matrix.os, 'ubuntu') }} + run: | + download_url=$(curl -s https://api.github.com/repos/Seagate/cloudfuse/releases/latest | jq -r '.assets[] | select(.name | (contains("no_gui") and contains("linux_arm64.deb"))) | .browser_download_url') + curl -LO $download_url + + - name: Run build script for Linux x64 + if: ${{ Contains(matrix.os, 'ubuntu') }} + run: > + ./build_plugin_x64.sh + -DCMAKE_CXX_COMPILER=${{ matrix.cpp_compiler }} + -DCMAKE_C_COMPILER=${{ matrix.c_compiler }} + + - name: Package Artifacts Linux x64 + if: ${{ Contains(matrix.os, 'ubuntu') }} + run: | + mkdir nx-lyve-cloud-plugin-${{ matrix.os }}_x64 + mv ../nx-lyve-cloud-plugin-build/cloudfuse_plugin/*.so nx-lyve-cloud-plugin-${{ matrix.os }}_x64/cloudfuse_plugin.so + mv ./cloudfuse*_linux_amd64.deb nx-lyve-cloud-plugin-${{ matrix.os }}_x64/ + cp ./install_plugin_linux.sh nx-lyve-cloud-plugin-${{ matrix.os }}_x64/ + zip -r nx-lyve-cloud-plugin-${{ matrix.os }}_x64.zip nx-lyve-cloud-plugin-${{ matrix.os }}_x64 + + - name: Cleanup Build + if: ${{ 
Contains(matrix.os, 'ubuntu') }} + run: > + rm -r ../nx-lyve-cloud-plugin-build/ + + - name: Run build script for Linux arm64 + if: ${{ Contains(matrix.os, 'ubuntu') }} + run: > + ./build_plugin_arm64.sh + -DCMAKE_CXX_COMPILER=${{ matrix.arm_cpp_compiler }} + -DCMAKE_C_COMPILER=${{ matrix.arm_c_compiler }} + + - name: Package Artifacts Linux arm64 + if: ${{ Contains(matrix.os, 'ubuntu') }} + run: | + mkdir nx-lyve-cloud-plugin-${{ matrix.os }}_arm64 + mv ../nx-lyve-cloud-plugin-build/cloudfuse_plugin/*.so nx-lyve-cloud-plugin-${{ matrix.os }}_arm64/cloudfuse_plugin.so + mv ./cloudfuse*_linux_arm64.deb nx-lyve-cloud-plugin-${{ matrix.os }}_arm64/ + cp ./install_plugin_linux.sh nx-lyve-cloud-plugin-${{ matrix.os }}_arm64/ + zip -r nx-lyve-cloud-plugin-${{ matrix.os }}_arm64.zip nx-lyve-cloud-plugin-${{ matrix.os }}_arm64 + + - name: Run build script for Windows + shell: powershell + if: ${{ Contains(matrix.os, 'windows') }} + run: > + .\build_plugin.bat + --no-tests + + - name: Package Artifacts Windows + shell: powershell + if: ${{ Contains(matrix.os, 'windows') }} + run: | + mkdir nx-lyve-cloud-plugin-windows + mv ..\nx-lyve-cloud-plugin-build\cloudfuse_plugin\Release\cloudfuse_plugin.dll nx-lyve-cloud-plugin-windows\cloudfuse_plugin.dll + mv .\install_plugin_windows.bat nx-lyve-cloud-plugin-windows\ + mv .\cloudfuse*_windows_amd64.exe nx-lyve-cloud-plugin-windows\ + Compress-Archive nx-lyve-cloud-plugin-windows nx-lyve-cloud-plugin-windows.zip + + - name: Archive production artifacts from Ubuntu x64 + if: ${{ Contains(matrix.os, 'ubuntu') }} + uses: actions/upload-artifact@v4 + with: + name: nx-lyve-cloud-plugin-${{ matrix.os }}_x64 + path: nx-lyve-cloud-plugin-${{ matrix.os }}_x64.zip + if-no-files-found: error + + - name: Archive production artifacts from Ubuntu arm64 + if: ${{ Contains(matrix.os, 'ubuntu') }} + uses: actions/upload-artifact@v4 + with: + name: nx-lyve-cloud-plugin-${{ matrix.os }}_arm64 + path: nx-lyve-cloud-plugin-${{ matrix.os }}_arm64.zip + 
if-no-files-found: error + + - name: Archive production artifacts from Windows + if: ${{ Contains(matrix.os, 'windows') }} + uses: actions/upload-artifact@v4 + with: + name: nx-lyve-cloud-plugin-windows + path: nx-lyve-cloud-plugin-windows.zip + if-no-files-found: error release: needs: build-release runs-on: ubuntu-latest steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Download all workflow run artifacts - uses: actions/download-artifact@v4 - - - name: Release - uses: softprops/action-gh-release@v2 - with: - files: | - nx-lyve-cloud-plugin-ubuntu-24.04_x64/* - nx-lyve-cloud-plugin-ubuntu-22.04_x64/* - nx-lyve-cloud-plugin-ubuntu-20.04_x64/* - nx-lyve-cloud-plugin-ubuntu-24.04_arm64/* - nx-lyve-cloud-plugin-ubuntu-22.04_arm64/* - nx-lyve-cloud-plugin-ubuntu-20.04_arm64/* - nx-lyve-cloud-plugin-windows/* + - name: Download all workflow run artifacts + uses: actions/download-artifact@v4 + + - name: Release + uses: softprops/action-gh-release@v2 + with: + files: | + nx-lyve-cloud-plugin-ubuntu-24.04_x64/* + nx-lyve-cloud-plugin-ubuntu-22.04_x64/* + nx-lyve-cloud-plugin-ubuntu-20.04_x64/* + nx-lyve-cloud-plugin-ubuntu-24.04_arm64/* + nx-lyve-cloud-plugin-ubuntu-22.04_arm64/* + nx-lyve-cloud-plugin-ubuntu-20.04_arm64/* + nx-lyve-cloud-plugin-windows/*
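Review bot: The three `Download cloudfuse …` steps fetch whatever `/releases/latest` of Seagate/cloudfuse currently points at and ship that `.deb`/`.exe` inside the release zips with no integrity check, so a later upstream release, a tampered asset, or a failed download that `curl -s` turns into an error page all end up in this project's published artifacts unnoticed. Pin the upstream version by querying `/releases/tags/<tag>` instead of `/releases/latest`, fail on HTTP errors with `curl -fsS`, quote the URL variable, and verify the asset against a sha256 recorded in the workflow before packaging; the Linux amd64 step is rewritten below, and the arm64 and Windows (`Invoke-WebRequest` plus `Get-FileHash`) steps need the same treatment. Separately, the `release` job runs `softprops/action-gh-release@v2`, which needs `contents: write`, but it declares no job-level `permissions:` in this hunk, so if the file also lacks a top-level block the job inherits the repository's default token scope — declare `permissions: contents: write` on the `release` job and `permissions: contents: read` at the top of the file (outside this hunk). The `build-release` job's header and matrix start before this hunk.
```yaml
- name: Download cloudfuse for Linux amd64 (no_gui)
  if: ${{ Contains(matrix.os, 'ubuntu') }}
  env:
    CLOUDFUSE_TAG: "<PINNED_UPSTREAM_TAG>"
    CLOUDFUSE_AMD64_SHA256: "<EXPECTED_SHA256_OF_PINNED_DEB>"
  run: |
    download_url=$(curl -fsS "https://api.github.com/repos/Seagate/cloudfuse/releases/tags/${CLOUDFUSE_TAG}" | jq -r '.assets[] | select(.name | (contains("no_gui") and contains("linux_amd64.deb"))) | .browser_download_url')
    curl -fsSLO "$download_url"
    echo "${CLOUDFUSE_AMD64_SHA256}  $(basename "$download_url")" | sha256sum -c -
# … unchanged: arm64 and Windows download steps (apply the same pinning and checksum), build and packaging steps …
```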