Skip to content

Move coverity-only check ahead of first use (CID #1635782) #3569

Move coverity-only check ahead of first use (CID #1635782)

Move coverity-only check ahead of first use (CID #1635782) #3569

Workflow file for this run

name: CI macOS
on:
push:
branches-ignore:
- coverity_scan
- run-fuzzer**
- debug-fuzzer-**
pull_request:
env:
ASAN_OPTIONS: symbolize=1 detect_leaks=1 detect_stack_use_after_return=1
LSAN_OPTIONS: fast_unwind_on_malloc=0:malloc_context_size=50
UBSAN_OPTIONS: print_stacktrace=1
M_PERTURB: "0x42"
PANIC_ACTION: "gdb -batch -x raddb/panic.gdb %e %p 1>&0 2>&0"
ANALYZE_C_DUMP: 1
FR_GLOBAL_POOL: 4M
TEST_CERTS: yes
NO_PERFORMANCE_TESTS: yes
DO_BUILD: yes
HOSTAPD_BUILD_DIR: eapol_test.ci
HOSTAPD_GIT_TAG: hostap_2_11
DEBIAN_FRONTEND: noninteractive
CI: 1
GH_ACTIONS: 1
jobs:
pre-ci:
runs-on: ubuntu-latest
# Map a step output to a job output
outputs:
should_skip: ${{ steps.skip_check.outputs.should_skip }}
steps:
- id: skip_check
uses: fkirc/skip-duplicate-actions@master
ci:
timeout-minutes: 90
needs: pre-ci
if: ${{ needs.pre-ci.outputs.should_skip != 'true' }}
runs-on: ${{ matrix.env.OS }}
strategy:
fail-fast: false
matrix:
env:
- { CC: clang, BUILD_CFLAGS: "-DWITH_EVAL_DEBUG", LIBS_OPTIONAL: yes, LIBS_ALT: no, TEST_TYPE: macos, OS: macos-14, NAME: macos-clang }
env: ${{ matrix.env }}
# If branch protection is in place with status checks enabled, ensure
# names are updated if new matrix entries are added or the name format
# changes.
name: "master-${{ matrix.env.NAME }}"
steps:
# Checkout, but defer pulling LFS objects until we've restored the cache
- uses: actions/checkout@v4
with:
lfs: false
- name: Create LFS file list as cache key
run: git lfs ls-files -l | cut -d' ' -f1 | sort > .lfs-assets-id
- name: Restore LFS cache
uses: actions/cache@v4
id: lfs-cache
with:
path: .git/lfs
key: ${{ runner.os }}-lfs-${{ hashFiles('.lfs-assets-id') }}-v1
# Now the LFS pull will be local if we hit the cache, or remote otherwise
- name: Git LFS pull
run: git lfs pull
- name: Restore eapol_test build directory from cache
uses: actions/cache@v4
id: hostapd-cache
with:
path: ${{ env.HOSTAPD_BUILD_DIR }}
key: hostapd-${{ runner.os }}-${{ env.HOSTAPD_GIT_TAG }}-v4
- name: Install dependencies (macOS)
run: |
brew install \
cassandra-cpp-driver \
gperftools \
hiredis \
json-c \
libidn \
libmemcached \
libyubikey \
llvm@14 \
luajit \
mariadb \
make \
mruby \
openssl \
[email protected] \
talloc
ln -s `brew --prefix`/opt/make/bin/gmake /usr/local/bin/make
echo "#! /bin/sh" >> /usr/local/bin/nproc
echo "sysctl -n hw.physicalcpu" >> /usr/local/bin/nproc
chmod +x /usr/local/bin/nproc
env:
HOMEBREW_NO_AUTO_UPDATE: 1
HOMEBREW_NO_INSTALL_CLEANUP: 1
HOMEBREW_CLEANUP_PERIODIC_FULL_DAYS: 3650
- name: Install tacacs_plus
run: |
PIP_BREAK_SYSTEM_PACKAGES=1 pip3 install tacacs_plus
#
# Ensure the homebrew version of clang is run rather than the Apple compiler.
#
- name: Set path for clang
run: |
echo "PATH=`brew --prefix`/opt/llvm@14/bin/:$PATH" >> $GITHUB_ENV
#
# Ensure Python 3.10 is used
#
- name: Set path for Python 3.10
run: |
echo "PATH=`brew --prefix [email protected]`/bin/:$PATH" >> $GITHUB_ENV
#
# Build using some alternative libraries
#
# PCRE 2 -> PCRE 1
# MIT Kerberos -> HEIMDAL Kerberos
# OpenSSL 1.0 -> OpenSSL 3.0
#
- name: 'Fetch OpenSSL 3.0 SHA'
id: opensslshasum
if: ${{ matrix.env.LIBS_ALT == 'yes' }}
run: |
wget -qO- http://www.openssl.org/source/openssl-$ALT_OPENSSL.tar.gz.sha256 | sed -ne 's/^\s\+/shasum=/p' >> $GITHUB_OUTPUT
- name: 'Restore OpenSSL 3.0 from the cache'
if: ${{ matrix.env.LIBS_ALT == 'yes' }}
uses: actions/cache@v4
id: openssl-cache
with:
path: /opt/openssl/
key: openssl3-${{ steps.opensslshasum.outputs.shasum }}
- name: 'Build OpenSSL 3.0 (if cache stale)'
if: ${{ matrix.env.LIBS_ALT == 'yes' && steps.openssl-cache.outputs.cache-hit != 'true' }}
run: |
cd ~
wget https://www.openssl.org/source/openssl-$ALT_OPENSSL.tar.gz
tar xzf openssl-$ALT_OPENSSL.tar.gz
cd openssl-$ALT_OPENSSL
./Configure --prefix=/opt/openssl --openssldir=. --debug
make -j `nproc`
make install_sw
- name: Use alternative libraries
if: ${{ matrix.env.LIBS_ALT == 'yes' }}
run: |
echo /opt/openssl/lib64 | sudo tee /etc/ld.so.conf.d/openssl3.conf >/dev/null
sudo ldconfig
sudo apt-get install -y --no-install-recommends libpcre3-dev # "PCRE 1"
sudo apt-get purge -y libpcre2-dev # Remove default PCRE 2, leaving only PCRE 1
sudo apt-get install -y --no-install-recommends heimdal-dev
- name: Show versions
run: |
$CC --version
make --version
krb5-config --all || :
pcre-config --libs-posix --version 2>/dev/null || :
pcre2-config --libs-posix --version 2>/dev/null || :
[ -d /opt/openssl ] && export PATH=/opt/openssl/bin:$PATH
openssl version
- name: Configure
run: |
if $CC -v 2>&1 | grep clang > /dev/null; then
echo "Enabling sanitizers"
enable_sanitizers="--enable-address-sanitizer --enable-undefined-behaviour-sanitizer"
if [ "`uname`" != "Darwin" ]; then
enable_sanitizers="$enable_sanitizers --enable-leak-sanitizer"
fi
else
enable_sanitizers=""
fi
build_paths=""
if [ "`uname`" = "Darwin" ]; then
build_paths="--with-libfreeradius-ldap-lib-dir=`brew --prefix`/opt/openldap/lib --with-libfreeradius-ldap-include-dir=`brew --prefix`/opt/openldap/include --with-openssl-lib-dir=`brew --prefix`/opt/openssl/lib --with-openssl-include-dir=`brew --prefix`/opt/openssl/include --with-unixodbc-lib-dir=`brew --prefix`/opt/unixodbc/lib --with-unixodbc-include-dir=`brew --prefix`/opt/unixodbc/include --with-rlm-python-config-bin=`brew --prefix [email protected]`/bin/python3.10-config"
elif [ -d /opt/openssl ]; then
export PATH=/opt/openssl/bin:$PATH
build_paths="--with-openssl-lib-dir=/opt/openssl/lib64 --with-openssl-include-dir=/opt/openssl/include"
fi
CFLAGS="${BUILD_CFLAGS}" ./configure -C \
--enable-developer \
--enable-werror \
$enable_sanitizers \
$build_paths \
--prefix=$HOME/freeradius \
--with-threads=$LIBS_OPTIONAL \
--with-udpfromto=$LIBS_OPTIONAL \
--with-openssl=$LIBS_OPTIONAL \
--with-pcre=$LIBS_OPTIONAL
echo "config.log"
cat config.log
echo "Contents of src/include/autoconf.h"
cat "./src/include/autoconf.h"
- name: Make
run: |
[ -d /opt/openssl ] && export PATH=/opt/openssl/bin:$PATH
make -j `nproc`
- name: "Clang Static Analyzer: Store assets on failure"
uses: actions/upload-artifact@v4
with:
name: clang-scan.tgz
path: build/plist/**/*.html
retention-days: 30
if: ${{ matrix.env.CC == 'clang' && failure() }}
# No detect_leaks support for ASAN on macOS
- name: Run basic tests (macOS)
run: |
make -j `nproc` test.keywords test.unit test.modules test.auth test.digest
make test
env:
ASAN_OPTIONS: symbolize=1 detect_stack_use_after_return=1
#
# If the CI has failed and the branch is ci-debug then we start a tmate
# session to provide interactive shell access to the session.
#
# The SSH rendezvous point will be emited continuously in the job output,
# which will look something like:
#
# SSH: ssh [email protected]
#
# For example:
#
# git push origin ci-debug --force
#
# Look at the job output in: https://github.com/FreeRADIUS/freeradius-server/actions
#
# ssh [email protected]
#
# Access requires that you have the private key corresponding to the
# public key of the GitHub user that initiated the job.
#
- name: "Debug: Start tmate"
uses: mxschmitt/action-tmate@v3
with:
limit-access-to-actor: true
if: ${{ github.ref == 'refs/heads/ci-debug' && failure() }}