Remove some more workflows 15889/head
authorOtto Moerbeek <otto.moerbeek@open-xchange.com>
Tue, 22 Jul 2025 12:08:48 +0000 (14:08 +0200)
committerOtto Moerbeek <otto.moerbeek@open-xchange.com>
Tue, 22 Jul 2025 12:08:48 +0000 (14:08 +0200)
Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>
.github/workflows/build-docker-images.yml [deleted file]
.github/workflows/build-packages.yml [deleted file]
.github/workflows/builder-dispatch.yml [deleted file]
.github/workflows/builder-releases-dispatch.yml [deleted file]
.github/workflows/coverity-dispatch.yml [deleted file]
.github/workflows/coverity.yml [deleted file]

diff --git a/.github/workflows/build-docker-images.yml b/.github/workflows/build-docker-images.yml
deleted file mode 100644 (file)
index 80e1c62..0000000
+++ /dev/null
@@ -1,189 +0,0 @@
----
-name: Build push and test docker images
-
-on:
-  workflow_call:
-    inputs:
-      product:
-        required: true
-        description: Product to build
-        type: string
-      ref:
-        description: git ref to checkout
-        type: string
-        default: master
-        required: false
-      image-name:
-        description: repository name for the requested image
-        type: string
-        required: true
-      image-tags:
-        description: tag for the requested image
-        type: string
-        required: true
-      image-description:
-        description: short description for the image repository
-        type: string
-        required: true
-      platforms:
-        description: target platform(s)
-        type: string
-        default: linux/arm64/v8,linux/amd64
-        required: false
-      build-args:
-        description: build-time variables
-        type: string
-        default: ''
-        required: false
-      push:
-        description: push image to DockerHub
-        type: boolean
-        required: true
-    secrets:
-      DOCKERHUB_ORGANIZATION_NAME:
-        required: true
-      DOCKERHUB_USERNAME:
-        required: true
-      DOCKERHUB_TOKEN:
-        required: true
-
-permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-  contents: read
-
-jobs:
-  validate-push-image:
-    name: Check only images built from tags and master are pushed
-    runs-on: ubuntu-24.04
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-          submodules: recursive
-          ref: ${{ inputs.ref }}
-          persist-credentials: false
-      - name: validate reference only if image will be pushed
-        if: ${{ inputs.push }}
-        env:
-          REF: ${{ inputs.ref }}
-        run: |
-          [[ "${REF}" == "master" ]] || git describe --tags --exact-match
-
-  build:
-    name: build docker image for a product
-    runs-on: ubuntu-24.04
-    needs: validate-push-image
-    outputs:
-      image-digest: ${{ steps.build-image.outputs.digest }}
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-          submodules: recursive
-          ref: ${{ inputs.ref }}
-          persist-credentials: false
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-        with:
-          platforms: linux/arm64/v8
-      - name: Set up Docker Buildx for multi-platform builds
-        uses: docker/setup-buildx-action@v3
-        with:
-          platforms: ${{ inputs.platforms }}
-      - name: Login to Docker Hub
-        if: ${{ inputs.push }}
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Docker image metadata
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ${{ secrets.DOCKERHUB_ORGANIZATION_NAME || 'powerdns' }}/${{ inputs.image-name }}
-          tags: ${{ inputs.image-tags }}
-      - name: Build and load powerdns product images
-        id: build-image
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: Dockerfile-${{ inputs.product }}
-          platforms: ${{ inputs.platforms }}
-          push: ${{ inputs.push }}
-          sbom: true
-          tags: ${{ steps.meta.outputs.tags }}
-          build-args: ${{ inputs.build-args }}
-      - name: Update repo description
-        if: ${{ inputs.push }}
-        uses: peter-evans/dockerhub-description@v4
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-          repository: ${{ secrets.DOCKERHUB_ORGANIZATION_NAME }}/${{ inputs.image-name }}
-          short-description: ${{ inputs.image-description }}
-
-  prepare-test-runner-os-list:
-    name: generate runner list
-    if: ${{ inputs.push }}
-    needs: build
-    runs-on: ubuntu-24.04
-    outputs:
-      runnerlist: ${{ steps.get-runnerlist.outputs.runnerlist }}
-      skiptests: ${{ steps.get-runnerlist.outputs.skiptests }}
-    steps:
-      - run: sudo apt-get update && sudo apt-get -y install jo
-      - id: get-runnerlist
-        run: |
-          runner_os=()
-          [[ -n "${{ contains(inputs.platforms, 'amd64') && 'ubuntu-24.04' || '' }}" ]] && runner_os+=('ubuntu-24.04')
-          [[ -n "${{ vars.ARM64_USE_UBICLOUD == '1' && contains(inputs.platforms, 'arm64') || '' }}" ]] && runner_os+=('ubicloud-standard-2-arm')
-          echo "runnerlist=$(jo -a ${runner_os[@]})" >> "$GITHUB_OUTPUT"
-          # Skip tests if no runner is suitable for running them. Set a default runner to avoid CI failure
-          if [[ -z "${runner_os[@]}" ]]; then
-            echo "runnerlist=$(jo -a ubuntu-24.04)" >> "$GITHUB_OUTPUT"
-            echo "skiptests=1" >> "$GITHUB_OUTPUT"
-          fi
-
-  test-uploaded-images:
-    name: test uploaded images
-    if: ${{ inputs.push && ! needs.prepare-test-runner-os-list.outputs.skiptests }}
-    needs: [build, prepare-test-runner-os-list]
-    runs-on: ${{ matrix.runner-os }}
-    strategy:
-      matrix:
-        runner-os: ${{ fromJson(needs.prepare-test-runner-os-list.outputs.runnerlist )}}
-      fail-fast: false
-    env:
-      INPUT_IMAGE_NAME: ${{ inputs.image-name }}
-      INPUT_IMAGE_TAGS: ${{ inputs.image-tags }}
-      INPUT_PLATFORMS: ${{ inputs.platforms }}
-    steps:
-      - name: Check running image
-        run: |
-          image_name="${{ secrets.DOCKERHUB_ORGANIZATION_NAME }}/${INPUT_IMAGE_NAME}"
-          for tag in `echo "${INPUT_IMAGE_TAGS}" | tr '\n' ' '`; do
-            echo 'Testing: '${image_name}':'${tag};
-            # pdns-auth image returns a 134 exit code
-            docker run ${image_name}:${tag} --version || [ "$?" == "134" ]
-          done
-      - name: Check image digest matches
-        env:
-          EXPECTED_DIGEST: ${{ needs.build.outputs.image-digest }}
-        run: |
-          image_name="${{ secrets.DOCKERHUB_ORGANIZATION_NAME }}/${INPUT_IMAGE_NAME}"
-          for tag in `echo "${INPUT_IMAGE_TAGS}" | tr '\n' ' '`; do
-            image_digest=$(docker inspect --format='{{index .RepoDigests 0}}' ${image_name}:${tag} | cut -d '@' -f 2)
-            [[ "${EXPECTED_DIGEST}" == "${image_digest}" ]] || \
-              ( echo "Image digest does not match => output_digest: "${EXPECTED_DIGEST}" - image_digest: "${image_digest} && exit 1 )
-          done
-      - name: Check SBOM and Provenance
-        run: |
-          image_name="${{ secrets.DOCKERHUB_ORGANIZATION_NAME }}/${INPUT_IMAGE_NAME}"
-          for tag in `echo "${INPUT_IMAGE_TAGS}" | tr '\n' ' '`; do
-            if $(echo "${INPUT_PLATFORMS}" | grep -qq ','); then
-              docker buildx imagetools inspect ${image_name}:${tag} --format "{{json .Provenance}}" | jq -e '."linux/'$(dpkg --print-architecture)'" | has("SLSA")'
-              docker buildx imagetools inspect ${image_name}:${tag} --format "{{json .SBOM}}" | jq -e '."linux/'$(dpkg --print-architecture)'" | has("SPDX")'
-            else
-              docker buildx imagetools inspect ${image_name}:${tag} --format "{{json .Provenance}}" | jq -e 'has("SLSA")'
-              docker buildx imagetools inspect ${image_name}:${tag} --format "{{json .SBOM}}" | jq -e 'has("SPDX")'
-            fi
-          done
diff --git a/.github/workflows/build-packages.yml b/.github/workflows/build-packages.yml
deleted file mode 100644 (file)
index 46b4637..0000000
+++ /dev/null
@@ -1,293 +0,0 @@
----
-name: Build packages
-
-on:
-  workflow_call:
-    inputs:
-      product:
-        required: true
-        description: Product to build
-        type: string
-      os:
-        required: false
-        description: OSes to build for, space separated
-        type: string
-        # please remember to update the pkghashes below when you
-        # update this list, as well as the one in builder-dispatch.yml
-        default: >-
-          el-8
-          el-9
-          el-10
-          debian-bullseye
-          debian-bookworm
-          debian-trixie
-          ubuntu-focal
-          ubuntu-jammy
-          ubuntu-noble
-      ref:
-        description: git ref to checkout
-        type: string
-        default: master
-        required: false
-      is_release:
-        description: is this a release build?
-        type: string
-        required: false
-        default: 'NO'
-    secrets:
-      DOWNLOADS_AUTOBUILT_SECRET:
-        required: true
-      DOWNLOADS_AUTOBUILT_RSYNCTARGET:
-        required: true
-      DOWNLOADS_AUTOBUILT_HOSTKEY:
-        required: true
-
-permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-  contents: read
-
-jobs:
-  prepare:
-    name: generate OS runner and arch list
-    runs-on: ubuntu-24.04
-    outputs:
-      oslist: ${{ steps.get-oslist.outputs.oslist }}
-      runnerlist: ${{ steps.get-runnerlist.outputs.runnerlist }}
-      archlist: ${{ steps.get-archlist.outputs.archlist }}
-    steps:
-      # instead of jo, we could use jq here, which avoids running apt, and thus would be faster.
-      # but, as this whole workflow needs at least 30 minutes to run, I prefer spending a few seconds here
-      # so that the command remains readable, because jo is simpler to use.
-      - run: sudo apt-get update && sudo apt-get -y install jo
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
-          submodules: recursive
-          ref: ${{ inputs.ref }}
-          persist-credentials: false
-      - id: get-oslist
-        env:
-          OS: ${{ inputs.os }}
-          REF: ${{ inputs.ref }}
-        run: |
-          available_targets=$(ls builder-support/dockerfiles/Dockerfile.target.* )
-          for i in $(echo "${OS}"); do
-            if echo $available_targets | grep -qq $i; then
-              targets+=($i)
-            else
-              if [[ "${REF}" == "master" ]]; then
-                echo "::error title=Dockerfile not found for ${i}::OS ${i} not available as target in ${REF}" && exit 1
-              else
-                echo "::warning title=Packages will not be generated for ${i}::OS ${i} not available as target in ${REF}"
-              fi
-            fi
-          done
-          echo "oslist=$(jo -a ${targets[*]})" >> "$GITHUB_OUTPUT"
-      - id: get-runnerlist
-        run: echo "runnerlist=$(jo -a ubuntu-24.04 ${{ vars.ARM64_USE_UBICLOUD == '1' && 'ubicloud-standard-2-arm' || '' }})" >> "$GITHUB_OUTPUT"
-      - id: get-archlist
-        run: echo "archlist=$(jo -a  x86_64 ${{ vars.ARM64_USE_UBICLOUD == '1' && 'aarch64' || '' }})" >> "$GITHUB_OUTPUT"
-
-  build:
-    needs: prepare
-    name: for ${{ matrix.os }} ${{ inputs.product }} (${{ inputs.ref }}) on ${{ matrix.runner-os }}
-    runs-on: ${{ matrix.runner-os }}
-    strategy:
-      matrix:
-        os: ${{fromJson(needs.prepare.outputs.oslist)}}
-        runner-os: ${{ fromJson(needs.prepare.outputs.runnerlist )}}
-      fail-fast: false
-    outputs:
-      product-name: ${{ steps.normalize-name.outputs.normalized-package-name }}
-      version: ${{ steps.getversion.outputs.version }}
-      pkghashes-el-8-x86_64: ${{ steps.pkghashes.outputs.pkghashes-el-8-x86_64 }}
-      pkghashes-el-8-aarch64: ${{ steps.pkghashes.outputs.pkghashes-el-8-aarch64 }}
-      pkghashes-el-9-x86_64: ${{ steps.pkghashes.outputs.pkghashes-el-9-x86_64 }}
-      pkghashes-el-9-aarch64: ${{ steps.pkghashes.outputs.pkghashes-el-9-aarch64 }}
-      pkghashes-el-10-x86_64: ${{ steps.pkghashes.outputs.pkghashes-el-10-x86_64 }}
-      pkghashes-el-10-aarch64: ${{ steps.pkghashes.outputs.pkghashes-el-10-aarch64 }}
-      pkghashes-debian-bullseye-x86_64: ${{ steps.pkghashes.outputs.pkghashes-debian-bullseye-x86_64 }}
-      pkghashes-debian-bullseye-aarch64: ${{ steps.pkghashes.outputs.pkghashes-debian-bullseye-aarch64 }}
-      pkghashes-debian-bookworm-x86_64: ${{ steps.pkghashes.outputs.pkghashes-debian-bookworm-x86_64 }}
-      pkghashes-debian-bookworm-aarch64: ${{ steps.pkghashes.outputs.pkghashes-debian-bookworm-aarch64 }}
-      pkghashes-debian-trixie-x86_64: ${{ steps.pkghashes.outputs.pkghashes-debian-trixie-x86_64 }}
-      pkghashes-debian-trixie-aarch64: ${{ steps.pkghashes.outputs.pkghashes-debian-trixie-aarch64 }}
-      pkghashes-ubuntu-focal-x86_64: ${{ steps.pkghashes.outputs.pkghashes-ubuntu-focal-x86_64 }}
-      pkghashes-ubuntu-focal-aarch64: ${{ steps.pkghashes.outputs.pkghashes-ubuntu-focal-aarch64 }}
-      pkghashes-ubuntu-jammy-x86_64: ${{ steps.pkghashes.outputs.pkghashes-ubuntu-jammy-x86_64 }}
-      pkghashes-ubuntu-jammy-aarch64: ${{ steps.pkghashes.outputs.pkghashes-ubuntu-jammy-aarch64 }}
-      pkghashes-ubuntu-noble-x86_64: ${{ steps.pkghashes.outputs.pkghashes-ubuntu-noble-x86_64 }}
-      pkghashes-ubuntu-noble-aarch64: ${{ steps.pkghashes.outputs.pkghashes-ubuntu-noble-aarch64 }}
-      srchashes: ${{ steps.srchashes.outputs.srchashes }}
-    env:
-      IS_RELEASE: ${{ inputs.is_release}}
-      PRODUCT: ${{ inputs.product }}
-      OS: ${{ matrix.os }}
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0 # for correct version numbers
-          submodules: recursive
-          ref: ${{ inputs.ref }}
-          persist-credentials: false
-      # this builds packages and runs our unit tests (make check)
-      - run: IS_RELEASE=${IS_RELEASE} builder/build.sh -v -m ${PRODUCT} ${OS}
-      - name: Get version number
-        run: |
-          echo "version=$(readlink builder/tmp/latest)" >> $GITHUB_OUTPUT
-        id: getversion
-      - name: Get target architecture
-        run: |
-          echo "target-arch=$(uname -m)" >> $GITHUB_OUTPUT
-        id: getarch
-      - name: Normalize package name
-        id: normalize-name
-        run: |
-          if [ "x${PRODUCT}" = "xauthoritative" ]; then
-            echo "normalized-package-name=pdns" >> $GITHUB_OUTPUT
-          elif [ "x${PRODUCT}" = "xrecursor" ]; then
-            echo "normalized-package-name=pdns-recursor" >> $GITHUB_OUTPUT
-          else
-            echo "normalized-package-name=${PRODUCT}" >> $GITHUB_OUTPUT
-          fi
-      - name: Include architecture in the packages compressed file name
-        env:
-          TARGET_ARCH: ${{ steps.getarch.outputs.target-arch }}
-        run: for f in $(ls ./built_pkgs/*/*/*-${OS}.tar.bz2 | sed 's/\.tar.bz2$//'); do mv $f.tar.bz2 $f-${TARGET_ARCH}.tar.bz2; done
-      - name: Upload packages as GH artifacts
-        uses: actions/upload-artifact@v4
-        with:
-          name: ${{ inputs.product }}-${{ matrix.os }}-${{ steps.getversion.outputs.version }}-${{ steps.getarch.outputs.target-arch }}
-          path: built_pkgs/
-          retention-days: 7
-      - name: Extract packages from the tarball
-        # so we get provenance for individual packages (and the JSON package manifests from the builder)
-        id: extract
-        env:
-          TARGET_ARCH: ${{ steps.getarch.outputs.target-arch }}
-          PACKAGE_NAME: ${{ steps.normalize-name.outputs.normalized-package-name }}
-          VERSION: ${{ steps.getversion.outputs.version }}
-        run: |
-          mkdir -m 700 -p ./packages/
-          tar xvf ./built_pkgs/*/*/${PACKAGE_NAME}-${VERSION}-${OS}-${TARGET_ARCH}.tar.bz2 -C ./packages/ --transform='s/.*\///'
-      - name: Generate package hashes for provenance
-        shell: bash
-        id: pkghashes
-        env:
-          TARGET_ARCH: ${{ steps.getarch.outputs.target-arch }}
-        run: |
-          echo "pkghashes-${OS}-${TARGET_ARCH}=$(shopt -s nullglob; sha256sum ./packages/*.rpm ./packages/*.deb ./packages/*.json | base64 -w0)" >> $GITHUB_OUTPUT
-      - name: Generate source hash for provenance
-        shell: bash
-        id: srchashes
-        env:
-          PACKAGE_NAME: ${{ steps.normalize-name.outputs.normalized-package-name }}
-          VERSION: ${{ steps.getversion.outputs.version }}
-        run: |
-          echo "srchashes=$(sha256sum ./built_pkgs/*/*/${PACKAGE_NAME}-${VERSION}.tar.* | base64 -w0)" >> $GITHUB_OUTPUT
-      - name: Upload packages to downloads.powerdns.com
-        env:
-          SSHKEY: ${{ secrets.DOWNLOADS_AUTOBUILT_SECRET }}
-          RSYNCTARGET: ${{ secrets.DOWNLOADS_AUTOBUILT_RSYNCTARGET }}
-          HOSTKEY: ${{ secrets.DOWNLOADS_AUTOBUILT_HOSTKEY }}
-        if:
-          "${{ env.SSHKEY != '' }}"
-        run: |
-          mkdir -m 700 -p ~/.ssh
-          echo "$SSHKEY" > ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
-          echo "$HOSTKEY" > ~/.ssh/known_hosts
-          rsync -4rlptD built_pkgs/* "$RSYNCTARGET"
-
-  check-hashes:
-    needs: [prepare, build]
-    name: Check if hashes were created for all requested targets
-    runs-on: ubuntu-24.04
-    env:
-      OUTPUTS: ${{ toJSON(needs.build.outputs) }}
-      OSLIST: ${{ needs.prepare.outputs.oslist }}
-    steps:
-      - name: Get list of outputs from build jobs
-        run: echo "${OUTPUTS}" | jq 'keys[]' | grep -vE 'version|product-name' | tee /tmp/build-outputs.txt
-      - name: Get list of OS inputs
-        run: |
-          for os in $(echo "${OSLIST}" | jq -r '.[]'); do
-            for architecture in x86_64 ${{ vars.ARM64_USE_UBICLOUD == '1' && 'aarch64' || '' }}; do
-              echo "\"pkghashes-$os-$architecture\"" | tee -a /tmp/os-inputs.txt
-            done
-          done
-          sort -o /tmp/os-inputs.txt /tmp/os-inputs.txt
-          echo "\"srchashes\"" | tee -a /tmp/os-inputs.txt
-      - name: Fail if there is a hash missing
-        run: if ! diff -q /tmp/build-outputs.txt /tmp/os-inputs.txt; then exit 1; fi
-
-  provenance-pkgs:
-    needs: [prepare, build]
-    name: Generate provenance for ${{ inputs.product }} (${{ inputs.ref }}) for ${{ matrix.os }}
-    strategy:
-      matrix:
-        os: ${{fromJson(needs.prepare.outputs.oslist)}}
-        architecture: ${{ fromJson(needs.prepare.outputs.archlist )}}
-    permissions:
-      actions: read   # To read the workflow path.
-      id-token: write # To sign the provenance.
-      contents: write # To be able to upload assets as release artifacts
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
-    with:
-      base64-subjects: "${{ needs.build.outputs[format('pkghashes-{0}-{1}', matrix.os, matrix.architecture)] }}"
-      upload-assets: false
-      provenance-name: "${{ inputs.product }}-${{ needs.build.outputs.version }}-${{ matrix.os }}-${{ matrix.architecture }}.intoto.jsonl"
-      private-repository: true
-
-  provenance-src:
-    needs: build
-    name: Generate provenance for ${{ inputs.product }} (${{ inputs.ref }}) source tarball
-    permissions:
-      actions: read   # To read the workflow path.
-      id-token: write # To sign the provenance.
-      contents: write # To be able to upload assets as release artifacts
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
-    with:
-      base64-subjects: "${{ needs.build.outputs.srchashes }}"
-      upload-assets: false
-      provenance-name: "${{ inputs.product }}-${{ needs.build.outputs.version }}-src.intoto.jsonl"
-      private-repository: true
-
-  upload-provenance:
-    needs: [prepare, build, provenance-src, provenance-pkgs]
-    name: Upload the provenance artifacts to downloads.powerdns.com
-    runs-on: ubuntu-24.04
-    strategy:
-      matrix:
-        os: ${{fromJson(needs.prepare.outputs.oslist)}}
-        architecture: ${{ fromJson(needs.prepare.outputs.archlist )}}
-    steps:
-      - name: Download source tarball provenance for ${{ inputs.product }} (${{ inputs.ref }})
-        id: download-src-provenance
-        uses: actions/download-artifact@v4 # be careful, this needs to match what https://github.com/slsa-framework/slsa-github-generator is using
-        with:
-          name: "${{ inputs.product }}-${{ needs.build.outputs.version }}-src.intoto.jsonl"
-      - name: Download provenance for ${{ inputs.product }} (${{ inputs.ref }}) for ${{ matrix.os }}
-        id: download-provenance
-        uses: actions/download-artifact@v4 # be careful, this needs to match what https://github.com/slsa-framework/slsa-github-generator is using
-        with:
-          name: "${{ inputs.product }}-${{ needs.build.outputs.version }}-${{ matrix.os }}-${{ matrix.architecture }}.intoto.jsonl"
-      - name: Upload provenance artifacts to downloads.powerdns.com
-        id: upload-provenance
-        env:
-          SSHKEY: ${{ secrets.DOWNLOADS_AUTOBUILT_SECRET }}
-          RSYNCTARGET: ${{ secrets.DOWNLOADS_AUTOBUILT_RSYNCTARGET }}
-          HOSTKEY: ${{ secrets.DOWNLOADS_AUTOBUILT_HOSTKEY }}
-          PRODUCT: ${{ needs.build.outputs.product-name }}
-          VERSION: ${{ needs.build.outputs.version }}
-          DOWNLOAD_PATH: ${{ steps.download-provenance.outputs.download-path }}
-        if:
-          "${{ env.SSHKEY != '' }}"
-        shell: bash
-        run: |
-          mkdir -m 700 -p ~/.ssh
-          echo "$SSHKEY" > ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
-          echo "$HOSTKEY" > ~/.ssh/known_hosts
-          mkdir -m 755 -p "slsa/${PRODUCT}/${VERSION}/"
-          mv "${DOWNLOAD_PATH}"/*.jsonl "slsa/${PRODUCT}/${VERSION}"
-          rsync -4rlptD slsa/* "$RSYNCTARGET"
diff --git a/.github/workflows/builder-dispatch.yml b/.github/workflows/builder-dispatch.yml
deleted file mode 100644 (file)
index 576939a..0000000
+++ /dev/null
@@ -1,54 +0,0 @@
----
-name: Trigger specific package build
-
-on:
-  workflow_dispatch:
-    inputs:
-      product:
-        description: Product to build
-        type: choice
-        options:
-        - authoritative
-        - recursor
-        - dnsdist
-      os:
-        description: OSes to build for, space separated
-        type: string
-        # please remember to update build-packages.yml as well
-        default: >-
-          el-8
-          el-9
-          el-10
-          debian-bullseye
-          debian-bookworm
-          debian-trixie
-          ubuntu-jammy
-          ubuntu-noble
-      ref:
-        description: git ref to checkout
-        type: string
-        default: master
-      is_release:
-        description: is this a release build?
-        type: choice
-        options:
-        - 'NO'
-        - 'YES'
-
-permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-  actions: read
-  contents: write # To be able to upload assets as release artifacts
-  id-token: write # To sign the provenance in the build packages reusable workflow.
-
-jobs:
-  call-build-packages:
-    uses: PowerDNS/pdns/.github/workflows/build-packages.yml@master
-    with:
-      product: ${{ github.event.inputs.product }}
-      os: ${{ github.event.inputs.os }}
-      ref: ${{ github.event.inputs.ref }}
-      is_release: ${{ github.event.inputs.is_release }}
-    secrets:
-      DOWNLOADS_AUTOBUILT_SECRET: ${{ secrets.DOWNLOADS_AUTOBUILT_SECRET }}
-      DOWNLOADS_AUTOBUILT_RSYNCTARGET: ${{ secrets.DOWNLOADS_AUTOBUILT_RSYNCTARGET }}
-      DOWNLOADS_AUTOBUILT_HOSTKEY: ${{ secrets.DOWNLOADS_AUTOBUILT_HOSTKEY }}
diff --git a/.github/workflows/builder-releases-dispatch.yml b/.github/workflows/builder-releases-dispatch.yml
deleted file mode 100644 (file)
index 54b057e..0000000
+++ /dev/null
@@ -1,60 +0,0 @@
----
-name: Trigger workflow builder for different releases
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: '0 2 * * *'
-
-permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-  actions: read
-  contents: read
-
-jobs:
-  call-builder-auth-49:
-    if: ${{ vars.SCHEDULED_JOBS_BUILDER }}
-    uses: PowerDNS/pdns/.github/workflows/builder.yml@rel/auth-4.9.x
-    with:
-      branch-name: rel/auth-4.9.x
-
-  call-builder-auth-48:
-    if: ${{ vars.SCHEDULED_JOBS_BUILDER }}
-    uses: PowerDNS/pdns/.github/workflows/builder.yml@rel/auth-4.8.x
-    with:
-      branch-name: rel/auth-4.8.x
-
-  call-builder-auth-47:
-    if: ${{ vars.SCHEDULED_JOBS_BUILDER }}
-    uses: PowerDNS/pdns/.github/workflows/builder.yml@rel/auth-4.7.x
-    with:
-      branch-name: rel/auth-4.7.x
-
-  call-builder-rec-52:
-    if: ${{ vars.SCHEDULED_JOBS_BUILDER }}
-    uses: PowerDNS/pdns/.github/workflows/builder.yml@rel/rec-5.2.x
-    with:
-      branch-name: rel/rec-5.2.x
-
-  call-builder-rec-51:
-    if: ${{ vars.SCHEDULED_JOBS_BUILDER }}
-    uses: PowerDNS/pdns/.github/workflows/builder.yml@rel/rec-5.1.x
-    with:
-      branch-name: rel/rec-5.1.x
-
-  call-builder-rec-50:
-    if: ${{ vars.SCHEDULED_JOBS_BUILDER }}
-    uses: PowerDNS/pdns/.github/workflows/builder.yml@rel/rec-5.0.x
-    with:
-      branch-name: rel/rec-5.0.x
-
-  call-builder-dnsdist-19:
-    if: ${{ vars.SCHEDULED_JOBS_BUILDER }}
-    uses: PowerDNS/pdns/.github/workflows/builder.yml@rel/dnsdist-1.9.x
-    with:
-      branch-name: rel/dnsdist-1.9.x
-
-  call-builder-dnsdist-18:
-    if: ${{ vars.SCHEDULED_JOBS_BUILDER }}
-    uses: PowerDNS/pdns/.github/workflows/builder.yml@rel/dnsdist-1.8.x
-    with:
-      branch-name: rel/dnsdist-1.8.x
diff --git a/.github/workflows/coverity-dispatch.yml b/.github/workflows/coverity-dispatch.yml
deleted file mode 100644 (file)
index 2b4f116..0000000
+++ /dev/null
@@ -1,47 +0,0 @@
----
-name: Trigger specific coverity scan
-
-on:
-  workflow_dispatch:
-    inputs:
-      product:
-        description: Product to build
-        type: choice
-        options:
-        - authoritative
-        - recursor
-        - dnsdist
-
-permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-  contents: read
-
-jobs:
-  coverity-auth:
-    name: coverity scan of the auth
-    if: ${{ github.event.inputs.product == 'authoritative' }}
-    uses: PowerDNS/pdns/.github/workflows/coverity.yml@master
-    with:
-      product: ${{ github.event.inputs.product }}
-    secrets:
-      COVERITY_TOKEN: ${{ secrets.coverity_auth_token }}
-      COVERITY_EMAIL: ${{ secrets.coverity_email }}
-
-  coverity-dnsdist:
-    name: coverity scan of dnsdist
-    if: ${{ github.event.inputs.product == 'dnsdist' }}
-    uses: PowerDNS/pdns/.github/workflows/coverity.yml@master
-    with:
-      product: ${{ github.event.inputs.product }}
-    secrets:
-      COVERITY_TOKEN: ${{ secrets.coverity_dnsdist_token }}
-      COVERITY_EMAIL: ${{ secrets.coverity_email }}
-
-  coverity-rec:
-    name: coverity scan of the rec
-    if: ${{ github.event.inputs.product == 'recursor' }}
-    uses: PowerDNS/pdns/.github/workflows/coverity.yml@master
-    with:
-      product: ${{ github.event.inputs.product }}
-    secrets:
-      COVERITY_TOKEN: ${{ secrets.coverity_rec_token }}
-      COVERITY_EMAIL: ${{ secrets.coverity_email }}
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
deleted file mode 100644 (file)
index 2cc9995..0000000
+++ /dev/null
@@ -1,130 +0,0 @@
----
-name: Coverity scan
-
-on:
-  workflow_call:
-    inputs:
-      product:
-        required: true
-        description: Product to build
-        type: string
-    secrets:
-      COVERITY_TOKEN:
-        required: true
-      COVERITY_EMAIL:
-        required: true
-
-permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
-  contents: read
-
-env:
-  CLANG_VERSION: '12'
-
-jobs:
-  coverity-auth:
-    name: coverity scan of the auth
-    if: ${{ inputs.product == 'authoritative' }}
-    runs-on: ubuntu-22.04
-    env:
-      COVERITY_TOKEN: ${{ secrets.COVERITY_TOKEN }}
-      FUZZING_TARGETS: no
-      SANITIZERS:
-      UNIT_TESTS: no
-    steps:
-      - uses: PowerDNS/pdns/set-ubuntu-mirror@meta
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 5
-          submodules: recursive
-          persist-credentials: false
-      - uses: actions/setup-python@v5
-        with:
-          python-version: '3.11'
-      - run: build-scripts/gh-actions-setup-inv-no-dist-upgrade
-      - run: inv install-clang
-      - run: inv install-auth-build-deps
-      - run: inv install-coverity-tools PowerDNS
-      - run: inv coverity-clang-configure
-      - run: inv ci-autoconf
-      - run: inv ci-auth-configure
-      - run: inv coverity-make
-      - run: inv coverity-tarball auth.tar.bz2
-      - run: inv coverity-upload ${{ secrets.COVERITY_EMAIL }} PowerDNS auth.tar.bz2
-
-  coverity-dnsdist:
-    name: coverity scan of dnsdist
-    if: ${{ inputs.product == 'dnsdist' }}
-    runs-on: ubuntu-22.04
-    env:
-      COVERITY_TOKEN: ${{ secrets.COVERITY_TOKEN }}
-      SANITIZERS:
-      UNIT_TESTS: no
-      REPO_HOME: ${{ github.workspace }}
-    steps:
-      - uses: PowerDNS/pdns/set-ubuntu-mirror@meta
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 5
-          submodules: recursive
-          persist-credentials: false
-      - uses: actions/setup-python@v5
-        with:
-          python-version: '3.11'
-      # installing the python3-package does not work because of actions/setup-python which installs a different version in /opt/hostedtoolcache/Python
-      - name: Install python yaml
-        run: |
-          pip install pyyaml
-      - run: build-scripts/gh-actions-setup-inv-no-dist-upgrade
-      - run: inv install-clang
-      - run: inv install-lld-linker-if-needed
-      - run: inv install-dnsdist-build-deps --skipXDP
-      - run: inv install-coverity-tools dnsdist
-      - run: inv coverity-clang-configure
-      - run: inv ci-autoconf
-        working-directory: ./pdns/dnsdistdist/
-      - run: inv ci-install-rust $REPO_HOME
-        working-directory: ./pdns/dnsdistdist/
-      - run: inv ci-build-and-install-quiche $REPO_HOME
-        working-directory: ./pdns/dnsdistdist/
-      - run: inv ci-dnsdist-configure full autotools build-dir
-        working-directory: ./pdns/dnsdistdist/
-      - run: inv coverity-make
-        working-directory: ./pdns/dnsdistdist/
-      - run: inv coverity-tarball dnsdist.tar.bz2
-        working-directory: ./pdns/dnsdistdist/
-      - run: inv coverity-upload ${{ secrets.COVERITY_EMAIL }} dnsdist dnsdist.tar.bz2
-        working-directory: ./pdns/dnsdistdist/
-
-  coverity-rec:
-    name: coverity scan of the rec
-    if: ${{ inputs.product == 'recursor' }}
-    runs-on: ubuntu-22.04
-    env:
-      COVERITY_TOKEN: ${{ secrets.COVERITY_TOKEN }}
-      SANITIZERS:
-      UNIT_TESTS: no
-    steps:
-      - uses: PowerDNS/pdns/set-ubuntu-mirror@meta
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 5
-          submodules: recursive
-          persist-credentials: false
-      - uses: actions/setup-python@v5
-        with:
-          python-version: '3.11'
-      - run: build-scripts/gh-actions-setup-inv-no-dist-upgrade
-      - run: inv install-clang
-      - run: inv install-rec-build-deps
-      - run: inv install-coverity-tools 'PowerDNS+Recursor'
-      - run: inv coverity-clang-configure
-      - run: inv ci-autoconf
-        working-directory: ./pdns/recursordist/
-      - run: inv ci-rec-configure full
-        working-directory: ./pdns/recursordist/
-      - run: inv coverity-make
-        working-directory: ./pdns/recursordist/
-      - run: inv coverity-tarball recursor.tar.bz2
-        working-directory: ./pdns/recursordist/
-      - run: inv coverity-upload ${{ secrets.COVERITY_EMAIL }} 'PowerDNS+Recursor' recursor.tar.bz2
-        working-directory: ./pdns/recursordist/