name: build auth
runs-on: ubuntu-20.04
env:
- UBSAN_OPTIONS: "print_stacktrace=1:halt_on_error=1:suppressions=${{ github.workspace }}/build-scripts/UBSan.supp"
ASAN_OPTIONS: detect_leaks=0
+ FUZZING_TARGETS: yes
+ SANITIZERS: asan+ubsan
+ UBSAN_OPTIONS: "print_stacktrace=1:halt_on_error=1:suppressions=${{ github.workspace }}/build-scripts/UBSan.supp"
+ UNIT_TESTS: yes
steps:
- uses: PowerDNS/pdns/set-ubuntu-mirror@meta
- uses: actions/checkout@v3.1.0
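Review bot: `FUZZING_TARGETS: yes` and `UNIT_TESTS: yes` are plain scalars that YAML 1.1 tooling reads as booleans, while the `inv` tasks in this commit compare the environment value against the string `'yes'`. If any loader in the chain normalises the value, unit tests and fuzz targets would silently stop being built rather than fail. Quoting them (`UNIT_TESTS: "yes"`, `FUZZING_TARGETS: "no"`) makes the string contract explicit. The same applies to the `UNIT_TESTS` lines in the rec and dnsdist hunks, and to the `no` values and bare `SANITIZERS:` keys in the coverity jobs, where `SANITIZERS: ""` would state the intended empty string.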
matrix:
sanitizers: [ubsan+asan, tsan]
env:
- UBSAN_OPTIONS: "print_stacktrace=1:halt_on_error=1:suppressions=${{ github.workspace }}/build-scripts/UBSan.supp"
ASAN_OPTIONS: detect_leaks=0
SANITIZERS: ${{ matrix.sanitizers }}
+ UBSAN_OPTIONS: "print_stacktrace=1:halt_on_error=1:suppressions=${{ github.workspace }}/build-scripts/UBSan.supp"
+ UNIT_TESTS: yes
defaults:
run:
working-directory: ./pdns/recursordist/
- sanitizers: tsan
features: least
env:
- UBSAN_OPTIONS: "print_stacktrace=1:halt_on_error=1:suppressions=${{ github.workspace }}/build-scripts/UBSan.supp"
ASAN_OPTIONS: detect_leaks=0
SANITIZERS: ${{ matrix.sanitizers }}
+ UBSAN_OPTIONS: "print_stacktrace=1:halt_on_error=1:suppressions=${{ github.workspace }}/build-scripts/UBSan.supp"
+ UNIT_TESTS: yes
defaults:
run:
working-directory: ./pdns/dnsdistdist/
- name: Check if Debian is about to toss us off a balcony
run: ./build-scripts/check-debian-autoremovals.py
+
+ coverity-auth:
+ name: coverity scan of the auth
+ runs-on: ubuntu-20.04
+ env:
+ FUZZING_TARGETS: no
+ SANITIZERS:
+ UNIT_TESTS: no
+ steps:
+ - uses: PowerDNS/pdns/set-ubuntu-mirror@meta
+ - uses: actions/checkout@v3.1.0
+ with:
+ fetch-depth: 5
+ submodules: recursive
+ - run: build-scripts/gh-actions-setup-inv # this runs apt update+upgrade
+ - run: inv install-clang
+ - run: inv install-auth-build-deps
+ - run: inv install-coverity-tools ${{ secrets.coverity_auth_token }} PowerDNS
+ - run: inv coverity-clang-configure
+ - run: inv ci-autoconf
+ - run: inv ci-auth-configure
+ - run: inv coverity-make
+ - run: inv coverity-tarball auth.tar.bz2
+ - run: inv coverity-upload ${{ secrets.coverity_auth_token }} ${{ secrets.coverity_email }} PowerDNS auth.tar.bz2
+
+ coverity-dnsdist:
+ name: coverity scan of dnsdist
+ runs-on: ubuntu-20.04
+ env:
+ SANITIZERS:
+ UNIT_TESTS: no
+ steps:
+ - uses: PowerDNS/pdns/set-ubuntu-mirror@meta
+ - uses: actions/checkout@v3.1.0
+ with:
+ fetch-depth: 5
+ submodules: recursive
+ - run: build-scripts/gh-actions-setup-inv # this runs apt update+upgrade
+ - run: inv install-clang
+ - run: inv install-dnsdist-build-deps
+ - run: inv install-coverity-tools ${{ secrets.coverity_dnsdist_token }} dnsdist
+ - run: inv coverity-clang-configure
+ - run: inv ci-autoconf
+ working-directory: ./pdns/dnsdistdist/
+ - run: inv ci-dnsdist-configure full
+ working-directory: ./pdns/dnsdistdist/
+ - run: inv coverity-make
+ working-directory: ./pdns/dnsdistdist/
+ - run: inv coverity-tarball dnsdist.tar.bz2
+ working-directory: ./pdns/dnsdistdist/
+ - run: inv coverity-upload ${{ secrets.coverity_dnsdist_token }} ${{ secrets.coverity_email }} dnsdist dnsdist.tar.bz2
+ working-directory: ./pdns/dnsdistdist/
+
+ coverity-rec:
+ name: coverity scan of the rec
+ runs-on: ubuntu-20.04
+ env:
+ SANITIZERS:
+ UNIT_TESTS: no
+ steps:
+ - uses: PowerDNS/pdns/set-ubuntu-mirror@meta
+ - uses: actions/checkout@v3.1.0
+ with:
+ fetch-depth: 5
+ submodules: recursive
+ - run: build-scripts/gh-actions-setup-inv # this runs apt update+upgrade
+ - run: inv install-clang
+ - run: inv install-rec-build-deps
+ - run: inv install-coverity-tools ${{ secrets.coverity_rec_token }} 'PowerDNS+Recursor'
+ - run: inv coverity-clang-configure
+ - run: inv ci-autoconf
+ working-directory: ./pdns/recursordist/
+ - run: inv ci-rec-configure
+ working-directory: ./pdns/recursordist/
+ - run: inv coverity-make
+ working-directory: ./pdns/recursordist/
+ - run: inv coverity-tarball recursor.tar.bz2
+ working-directory: ./pdns/recursordist/
+ - run: inv coverity-upload ${{ secrets.coverity_rec_token }} ${{ secrets.coverity_email }} 'PowerDNS+Recursor' recursor.tar.bz2
+ working-directory: ./pdns/recursordist/
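Review bot: The Coverity tokens and e-mail are expanded by `${{ secrets.… }}` straight into the `run:` command text of the `install-coverity-tools` and `coverity-upload` steps in all three jobs, so they become shell words and process arguments of `inv` and `curl`, and any shell metacharacter in a value would be interpreted by the shell. Passing them through the step environment instead, e.g. `env: { COVERITY_TOKEN: "${{ secrets.coverity_auth_token }}" }` with the task reading `os.environ['COVERITY_TOKEN']`, keeps them out of the script text and argv. These jobs also reference `PowerDNS/pdns/set-ubuntu-mirror@meta` and `actions/checkout@v3.1.0` by branch and tag; since the jobs carry secrets, pinning both to a full commit SHA would be the safer form. The workflow's triggers are outside this hunk; if it also runs for pull requests from forks, the secrets would presumably be empty there and these jobs would need a guard.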
@task
def ci_auth_configure(c):
+ sanitizers = ' '.join('--enable-'+x for x in os.getenv('SANITIZERS').split('+')) if os.getenv('SANITIZERS') != '' else ''
+ unittests = ' --enable-unit-tests --enable-backend-unit-tests' if os.getenv('UNIT_TESTS') == 'yes' else ''
+ fuzzingtargets = ' --enable-fuzz-targets' if os.getenv('FUZZING_TARGETS') == 'yes' else ''
res = c.run('''CFLAGS="-O1 -Werror=vla -Werror=shadow -Wformat=2 -Werror=format-security -Werror=string-plus-int" \
CXXFLAGS="-O1 -Werror=vla -Werror=shadow -Wformat=2 -Werror=format-security -Werror=string-plus-int -Wp,-D_GLIBCXX_ASSERTIONS" \
./configure \
--with-modules='bind geoip gmysql godbc gpgsql gsqlite3 ldap lmdb lua2 pipe remote tinydns' \
--enable-systemd \
--enable-tools \
- --enable-unit-tests \
- --enable-backend-unit-tests \
--enable-fuzz-targets \
--enable-experimental-pkcs11 \
--enable-experimental-gss-tsig \
--prefix=/opt/pdns-auth \
--enable-ixfrdist \
--enable-fortify-source=auto \
- --enable-auto-var-init=pattern \
- --enable-asan \
- --enable-ubsan''', warn=True)
+ --enable-auto-var-init=pattern ''' + sanitizers + unittests + fuzzingtargets, warn=True)
if res.exited != 0:
c.run('cat config.log')
raise UnexpectedExit(res)
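Review bot: `--enable-fuzz-targets` is still hard-coded in the configure string (the unchanged line after `--enable-tools`), so the new `fuzzingtargets` variable can only add the flag a second time and `FUZZING_TARGETS: no` in the coverity job has no effect. The hard-coded line should be removed together with the unit-test flags. Separately, `os.getenv('SANITIZERS') != ''` is true when the variable is unset, and the `.split('+')` then raises AttributeError on None; testing truthiness instead, `... if os.getenv('SANITIZERS') else ''`, covers both unset and empty. The same expression is repeated in `ci_rec_configure` and in the dnsdist configure hunk below, so a small shared helper would keep the three in step.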
@task
def ci_rec_configure(c):
- sanitizers = ' '.join('--enable-'+x for x in os.getenv('SANITIZERS').split('+'))
+ sanitizers = ' '.join('--enable-'+x for x in os.getenv('SANITIZERS').split('+')) if os.getenv('SANITIZERS') != '' else ''
+ unittests = ' --enable-unit-tests' if os.getenv('UNIT_TESTS') == 'yes' else ''
res = c.run(''' CFLAGS="-O1 -Werror=vla -Werror=shadow -Wformat=2 -Werror=format-security -Werror=string-plus-int" \
CXXFLAGS="-O1 -Werror=vla -Werror=shadow -Wformat=2 -Werror=format-security -Werror=string-plus-int -Wp,-D_GLIBCXX_ASSERTIONS" \
./configure \
CC='clang-12' \
CXX='clang++-12' \
--enable-option-checking=fatal \
- --enable-unit-tests \
--enable-nod \
--enable-systemd \
--prefix=/opt/pdns-recursor \
--with-net-snmp \
--enable-fortify-source=auto \
--enable-auto-var-init=pattern \
- --enable-dns-over-tls ''' + sanitizers, warn=True)
+ --enable-dns-over-tls ''' + sanitizers + unittests, warn=True)
if res.exited != 0:
c.run('cat config.log')
raise UnexpectedExit(res)
-DDISABLE_HASHED_CREDENTIALS \
-DDISABLE_FALSE_SHARING_PADDING \
-DDISABLE_NPN'
- sanitizers = ' '.join('--enable-'+x for x in os.getenv('SANITIZERS').split('+'))
+ unittests = ' --enable-unit-tests' if os.getenv('UNIT_TESTS') == 'yes' else ''
+ sanitizers = ' '.join('--enable-'+x for x in os.getenv('SANITIZERS').split('+')) if os.getenv('SANITIZERS') != '' else ''
cflags = '-O1 -Werror=vla -Werror=shadow -Wformat=2 -Werror=format-security -Werror=string-plus-int'
cxxflags = cflags + ' -Wp,-D_GLIBCXX_ASSERTIONS ' + additional_flags
res = c.run('''CFLAGS="%s" \
CC='clang-12' \
CXX='clang++-12' \
--enable-option-checking=fatal \
- --enable-unit-tests \
--enable-fortify-source=auto \
--enable-auto-var-init=pattern \
--enable-lto=thin \
- --prefix=/opt/dnsdist %s %s''' % (cflags, cxxflags, features_set, sanitizers), warn=True)
+ --prefix=/opt/dnsdist %s %s %s''' % (cflags, cxxflags, features_set, sanitizers, unittests), warn=True)
if res.exited != 0:
c.run('cat config.log')
raise UnexpectedExit(res)
def swagger_syntax_check(c):
c.run('api-spec-converter docs/http-api/swagger/authoritative-api-swagger.yaml -f swagger_2 -t openapi_3 -s json -c')
+@task
+def install_coverity_tools(c, token, project):
+ c.sudo(f'curl -s https://scan.coverity.com/download/linux64 --data "token={token}&project={project}" | gunzip | sudo tar xvf /dev/stdin --strip-components=1 --no-same-owner -C /usr/local')
+
+@task
+def coverity_clang_configure(c):
+ c.sudo('/usr/local/bin/cov-configure --template --comptype clangcc --compiler clang++-12')
+
+@task
+def coverity_make(c):
+ c.run('/usr/local/bin/cov-build --dir cov-int make -j8 -k')
+
+@task
+def coverity_tarball(c, tarball):
+ c.run(f'tar caf {tarball} cov-int')
+
+@task
+def coverity_upload(c, token, email, project, tarball):
+ c.run(f'curl --form token={token} \
+ --form email="{email}" \
+ --form file=@{tarball} \
+ --form version="$(./builder-support/gen-version)" \
+ --form description="master build" \
+ https://scan.coverity.com/builds?project={project}')
+
# this is run always
def setup():
if '/usr/lib/ccache' not in os.environ['PATH']:
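Review bot: `install_coverity_tools`, `coverity_tarball` and `coverity_upload` build shell commands by f-string from their arguments without quoting, and the download goes from `curl -s` (no `--fail`) straight into `sudo tar` under `/usr/local`. An HTTP error body or truncated response therefore reaches a root extraction, and a failed upload does not fail the job. Because `c.sudo` is applied to a pipeline, it also appears to elevate only the leading `curl`, which needs no privileges. The sketch below quotes every interpolated value with `shlex.quote` (the module would need importing if `tasks.py` does not already), downloads unprivileged to a file, and adds `--fail`. If the vendor publishes a checksum for the tool archive, verifying it before extraction would be worth adding. `setup()` at the end of the hunk continues outside it.

```python
@task
def install_coverity_tools(c, token, project):
    # Download as the unprivileged user; --fail keeps an HTTP error page away from tar.
    data = shlex.quote(f'token={token}&project={project}')
    c.run(f'curl --fail -sS https://scan.coverity.com/download/linux64 --data {data} -o coverity-tools.tar.gz')
    c.sudo('tar xzf coverity-tools.tar.gz --strip-components=1 --no-same-owner -C /usr/local')

# … unchanged: coverity_clang_configure, coverity_make …

@task
def coverity_tarball(c, tarball):
    c.run(f'tar caf {shlex.quote(tarball)} cov-int')

@task
def coverity_upload(c, token, email, project, tarball):
    url = shlex.quote(f'https://scan.coverity.com/builds?project={project}')
    c.run(f'curl --fail -sS --form token={shlex.quote(token)} \
            --form email={shlex.quote(email)} \
            --form file=@{shlex.quote(tarball)} \
            --form version="$(./builder-support/gen-version)" \
            --form description="master build" \
            {url}')
```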