From: Jason Ish Date: Wed, 16 Oct 2024 18:36:17 +0000 (-0600) Subject: github-ci: sync with master branch X-Git-Tag: suricata-7.0.8~58 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7198c0516cc3b163b01bdca983e34ea7f0920e64;p=thirdparty%2Fsuricata.git github-ci: sync with master branch Mainly hashes of actions and other minor changes. --- diff --git a/.github/workflows/authors-done.yml b/.github/workflows/authors-done.yml index b1700e1d03..fa449745f9 100644 --- a/.github/workflows/authors-done.yml +++ b/.github/workflows/authors-done.yml @@ -12,7 +12,7 @@ jobs: - run: echo "Author check is complete" - name: Download artifact new authors - uses: actions/github-script@v6 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea with: script: | let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({ @@ -38,14 +38,13 @@ jobs: fi - name: Comment on PR if: ${{ env.new_authors == 'yes' }} - uses: actions/github-script@v6 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | let fs = require('fs'); let issue_number = Number(fs.readFileSync('./pr-number.txt')); - let new_authors = String(fs.readFileSync('./new-authors.txt')); - let msg = 'NOTE: This PR may contain new authors:\n\n```\n' + new_authors + '```'; + let msg = 'NOTE: This PR may contain new authors.'; await github.rest.issues.createComment({ owner: context.repo.owner, repo: context.repo.repo, diff --git a/.github/workflows/authors.yml b/.github/workflows/authors.yml index 5c4702a138..35b0456ae3 100644 --- a/.github/workflows/authors.yml +++ b/.github/workflows/authors.yml 
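Review bot: The new `uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea` line in the "Download artifact new authors" step, and again in "Comment on PR", has no trailing version comment, so a reader cannot tell which release the hash is meant to be or notice when it has gone stale. scorecards-analysis.yml in this same commit annotates its pins (`# v4.2.1`, `# v2.4.0`). The same convention would help here and on the `actions/checkout`, `actions/cache`, `actions/download-artifact`, `actions/upload-artifact` and `codecov/codecov-action` pins in the other workflow files. Proposed form: `uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # vX.Y.Z`, with the tag filled in from the release the hash was taken from.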
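Review bot: `issue_number` in the "Comment on PR" script is still read from `./pr-number.txt`, a file that comes out of the downloaded artifact, so the step keeps trusting content produced by the pull-request run even though this change stops echoing `new-authors.txt`, presumably for that reason. `Number(...)` accepts any numeric text, so the comment is posted to whichever issue or PR the artifact names. I would reject anything that is not a positive integer before calling `createComment`, e.g. `if (!Number.isInteger(issue_number) || issue_number <= 0) { core.setFailed('invalid PR number'); return; }`. If the trigger is `workflow_run` (the `on:` block is outside this hunk), also cross-check the number against the triggering run's pull request. The script continues past the end of the hunk.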
@@ -3,13 +3,19 @@ name: New Authors Check on: pull_request: +permissions: read-all + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + jobs: check-id: name: New Author Check runs-on: ubuntu-latest steps: - name: Checkout PR code - uses: actions/checkout@v3 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 with: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 0 @@ -17,13 +23,13 @@ jobs: - name: Export known authors from master branch run: git log --format="%an <%ae>" origin/master | sort | uniq > authors.txt - name: Export authors from new commits - run: git log --format="%an <%ae>" origin/${GITHUB_BASE_REF}... | sort | uniq > commit-authors.txt + run: git log --format="%an <%ae>" ${{ github.event.pull_request.base.sha }}... | sort | uniq > commit-authors.txt - name: Check new authors run: | touch new-authors.txt while read -r author; do echo "Checking author: ${author}" - if ! grep -q "^${author}\$" authors.txt; then + if ! grep -qFx "${author}" authors.txt; then echo "ERROR: ${author} NOT FOUND" echo "::warning ::New author found: ${author}" echo "${author}" >> new-authors.txt @@ -35,7 +41,7 @@ jobs: - run: echo ${{ github.event.number }} > new-authors/pr-number.txt - run: ls -l - name: Upload new authors - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 with: name: new-authors path: new-authors diff --git a/.github/workflows/builds.yml b/.github/workflows/builds.yml index 883c3ea78c..df00eeceb6 100644 --- a/.github/workflows/builds.yml +++ b/.github/workflows/builds.yml @@ -2,6 +2,10 @@ name: builds on: push: + paths-ignore: + # Don't run this workflow if only files under doc/ have been + # modified. + - "doc/**" pull_request: workflow_dispatch: inputs: 
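Review bot: `permissions: read-all` gives the token read access on every scope in a workflow that checks out the pull-request head (`ref: ${{ github.event.pull_request.head.sha }}`) and, from the steps visible in these hunks, only needs to read repository contents. rust.yml, touched by this same commit, already uses the narrower form, so I would write `permissions:` / `  contents: read` here. The same applies to the `permissions: read-all` added in scan-build.yml.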
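Review bot: In the "Check new authors" loop, `grep -qFx "${author}" authors.txt` passes the commit author string with no option terminator in front of it, so an author name that begins with `-` is parsed as grep options rather than as the pattern. The author field comes from the pull request's commits and is contributor-controlled; switching to `-F -x` fixes regex interpretation but not this. Suggested line: `if ! grep -qFx -- "${author}" authors.txt; then`. The loop body continues outside the hunk.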
@@ -12,6 +16,10 @@ on: SV_REPO: SV_BRANCH: +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + permissions: read-all env: @@ -147,7 +155,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Cache ~/.cargo - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: ~/.cargo key: ${{ github.job }}-cargo @@ -174,13 +182,13 @@ jobs: steps: # Cache Rust stuff. - name: Cache cargo registry - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: ~/.cargo/registry key: cargo-registry - name: Cache RPMs - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: /var/cache/dnf key: ${{ github.job }}-dnf @@ -290,7 +298,7 @@ jobs: needs: [prepare-deps, prepare-cbindgen] steps: - name: Cache RPMs - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: /var/cache/dnf # TODO: Find some variable that matches the job name. @@ -299,7 +307,7 @@ jobs: # Cache Rust stuff. - name: Cache cargo registry - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: ~/.cargo/registry key: cargo-registry @@ -382,13 +390,13 @@ jobs: steps: # Cache Rust stuff. - name: Cache cargo registry - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: ~/.cargo/registry key: cargo-registry - name: Cache RPMs - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: /var/cache/dnf key: ${{ github.job }}-dnf 
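Review bot: With `group: ${{ github.workflow }}-${{ github.ref }}` and an unconditional `cancel-in-progress: true`, a second push to the same branch cancels the build still running for the previous push, so on master and release branches some commits never get a complete CI result. That is what you want for pull requests, but it makes it harder to find the commit that broke a branch build. Consider `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`. The same block is added to cifuzz.yml, codeql.yml, commits.yml, formatting.yml, rust.yml, scan-build.yml and scorecards-analysis.yml; where those also run on push or on a schedule, a new push can likewise cancel a scan already in progress on that ref.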
@@ -474,13 +482,13 @@ jobs: steps: # Cache Rust stuff. - name: Cache cargo registry - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: ~/.cargo/registry key: cargo-registry - name: Cache RPMs - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: /var/cache/dnf key: ${{ github.job }}-dnf @@ -528,7 +536,7 @@ jobs: which \ zlib-devel - name: Download suricata.tar.gz - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 with: name: dist - run: tar zxvf suricata-*.tar.gz --strip-components=1 @@ -547,7 +555,7 @@ jobs: test -e /usr/local/lib/suricata/python/suricata/update/configs/modify.conf test -e /usr/local/lib/suricata/python/suricata/update/configs/threshold.in test -e /usr/local/lib/suricata/python/suricata/update/configs/update.yaml - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 with: name: prep path: prep @@ -565,13 +573,13 @@ jobs: # Cache Rust stuff. - name: Cache cargo registry - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: ~/.cargo/registry key: cargo-registry - name: Cache RPMs - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: /var/cache/dnf key: ${{ github.job }}-dnf 
@@ -619,9 +627,10 @@ jobs: - name: Install Rust run: curl https://sh.rustup.rs -sSf | sh -s -- --default-toolchain 1.63.0 -y - run: echo "$HOME/.cargo/bin" >> $GITHUB_PATH - - uses: actions/checkout@v3.5.3 - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 - uses: ./.github/actions/install-cbindgen + - run: git config --global --add safe.directory /__w/suricata/suricata + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 with: name: prep path: prep @@ -645,7 +654,7 @@ jobs: - run: llvm-profdata merge -o default.profdata $(find suricata-verify/tests/ -name '*.profraw') - run: llvm-cov show ./src/suricata -instr-profile=default.profdata --show-instantiations --ignore-filename-regex="^/root/.*" > coverage.txt - name: Upload coverage to Codecov - uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70 + uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 with: fail_ci_if_error: false flags: suricata-verify @@ -660,13 +669,13 @@ jobs: # Cache Rust stuff. - name: Cache cargo registry - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: ~/.cargo/registry key: cargo-registry - name: Cache RPMs - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: /var/cache/dnf key: ${{ github.job }}-dnf @@ -714,9 +723,10 @@ jobs: systemd-devel \ which \ zlib-devel - - uses: actions/checkout@v3.5.3 - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 - uses: ./.github/actions/install-cbindgen + - run: git config --global --add safe.directory /__w/suricata/suricata + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 with: name: prep path: prep 
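Review bot: The added `- run: git config --global --add safe.directory /__w/suricata/suricata` hard-codes the container workspace path, which only matches when the repository is named `suricata`; in a fork under another name git would still treat the checkout as unsafe and later git commands could fail. `- run: git config --global --add safe.directory "$GITHUB_WORKSPACE"` keeps the exception scoped to the actual checkout directory. The same line is added after nearly every `actions/checkout` in builds.yml (including the `shell: msys2 {0}` jobs, where that path presumably does not exist) and in scan-build.yml. Its position relative to `./.github/actions/install-cbindgen` also varies between hunks; one order throughout would make the jobs easier to compare.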
@@ -767,7 +777,7 @@ jobs: # Cache Rust stuff. - name: Cache cargo registry - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: ~/.cargo/registry key: cargo-registry @@ -808,9 +818,10 @@ jobs: sudo \ which \ zlib-devel - - uses: actions/checkout@v3.5.3 - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - run: git config --global --add safe.directory /__w/suricata/suricata - uses: ./.github/actions/install-cbindgen + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 with: name: prep path: prep @@ -855,13 +866,13 @@ jobs: # Cache Rust stuff. - name: Cache cargo registry - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: ~/.cargo/registry key: cargo-registry - name: Cache RPMs - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: /var/cache/dnf key: ${{ github.job }}-dnf @@ -907,9 +918,10 @@ jobs: systemd-devel \ which \ zlib-devel - - uses: actions/checkout@v3.5.3 - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - run: git config --global --add safe.directory /__w/suricata/suricata - uses: ./.github/actions/install-cbindgen + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 with: name: prep path: prep @@ -955,7 +967,7 @@ jobs: # Cache Rust stuff. - name: Cache cargo registry - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: ~/.cargo/registry key: cargo-registry 
@@ -996,9 +1008,10 @@ jobs: sudo \ which \ zlib-devel - - uses: actions/checkout@v3.5.3 - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 - uses: ./.github/actions/install-cbindgen + - run: git config --global --add safe.directory /__w/suricata/suricata + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 with: name: prep path: prep @@ -1081,9 +1094,10 @@ jobs: which \ zlib-devel - run: adduser suricata - - uses: actions/checkout@v3.5.3 - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 - uses: ./.github/actions/install-cbindgen + - run: git config --global --add safe.directory /__w/suricata/suricata + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 with: name: prep path: prep @@ -1125,13 +1139,13 @@ jobs: # Cache Rust stuff. - name: Cache cargo registry - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: ~/.cargo/registry key: cargo-registry - name: Cache RPMs - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: /var/cache/dnf key: ${{ github.job }}-dnf @@ -1172,8 +1186,9 @@ jobs: sudo \ which \ zlib-devel - - uses: actions/checkout@v3.5.3 - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - run: git config --global --add safe.directory /__w/suricata/suricata + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 with: name: prep path: prep 
@@ -1195,13 +1210,13 @@ jobs: steps: # Cache Rust stuff. - name: Cache cargo registry - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: ~/.cargo/registry key: cargo-registry - name: Cache RPMs - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: /var/cache/dnf key: ${{ github.job }}-dnf @@ -1224,18 +1239,22 @@ jobs: dnf -y install dnf-plugins-core epel-release dnf config-manager --set-enabled crb - - uses: actions/checkout@v3.5.3 - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - uses: ./.github/actions/install-cbindgen + - run: git config --global --add safe.directory /__w/suricata/suricata + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 + + - name: Install minimal dependencies + run: ./scripts/docs-almalinux9-minimal-build.sh + + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - run: git config --global --add safe.directory /__w/suricata/suricata + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 with: name: prep path: prep - run: tar xf prep/libhtp.tar.gz - run: ./autogen.sh - - uses: ./.github/actions/install-cbindgen - - - name: Install minimal dependencies - run: ./scripts/docs-almalinux9-minimal-build.sh - - run: CFLAGS="${DEFAULT_CFLAGS}" ./configure - run: make -j ${{ env.CPUS }} - run: ./src/suricata --build-info # check if we can run Suricata @@ -1247,7 +1266,7 @@ jobs: needs: [prepare-deps, prepare-cbindgen] steps: - name: Cache ~/.cargo - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: ~/.cargo/registry key: cargo-registry 
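Review bot: The new side of the `@@ -1224,18 +1239,22 @@` hunk runs `actions/checkout` and the `safe.directory` step twice in the same job, and the first `actions/download-artifact` step has no `with:` block, which looks like a leftover from merging two versions of the step list rather than an intended sequence. By default the second checkout cleans the workspace, so whatever the first download fetched is discarded, and a download without `name:` is not limited to the `prep` artifact. I would keep a single sequence: checkout, `safe.directory`, `install-cbindgen`, "Install minimal dependencies", then the one `download-artifact` with `name: prep` / `path: prep`. The job's step list starts and ends outside the hunk.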
@@ -1297,8 +1316,9 @@ jobs: # packaged Rust version is too old for coverage, so get from rustup - name: Install Rust run: curl https://sh.rustup.rs -sSf | sh -s -- --default-toolchain 1.63.0 -y - - uses: actions/checkout@v3.5.3 - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - run: git config --global --add safe.directory /__w/suricata/suricata + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 with: name: prep path: prep @@ -1347,7 +1367,7 @@ jobs: - run: llvm-profdata-14 merge -o htp-test.profdata /tmp/htp-test.profraw - run: llvm-cov-14 show libhtp/test/test_all -instr-profile=htp-test.profdata --show-instantiations --ignore-filename-regex="^/root/.*" >> coverage.txt - name: Upload coverage to Codecov - uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70 + uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 with: fail_ci_if_error: false flags: unittests @@ -1415,8 +1435,9 @@ jobs: # packaged Rust version is too old for coverage, so get from rustup - name: Install Rust run: curl https://sh.rustup.rs -sSf | sh -s -- --default-toolchain 1.63.0 -y - - uses: actions/checkout@v3.5.3 - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - run: git config --global --add safe.directory /__w/suricata/suricata + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 with: name: prep path: prep 
@@ -1447,7 +1468,7 @@ jobs: - run: llvm-profdata-14 merge -o default.profdata $(find /tmp/ -name '*.profraw') - run: llvm-cov-14 show ./src/suricata -instr-profile=default.profdata --show-instantiations --ignore-filename-regex="^/root/.*" > coverage.txt - name: Upload coverage to Codecov - uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70 + uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 with: fail_ci_if_error: false flags: fuzzcorpus @@ -1459,7 +1480,7 @@ jobs: needs: [prepare-deps, prepare-cbindgen] steps: - name: Cache ~/.cargo - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: ~/.cargo/registry key: cargo-registry @@ -1503,8 +1524,9 @@ jobs: zlib1g-dev \ exuberant-ctags \ dpdk-dev - - uses: actions/checkout@v3.5.3 - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - run: git config --global --add safe.directory /__w/suricata/suricata + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 with: name: prep path: prep @@ -1543,7 +1565,7 @@ jobs: needs: debian-12-dist steps: - name: Cache ~/.cargo - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: ~/.cargo/registry key: cargo-registry @@ -1582,7 +1604,7 @@ jobs: - run: curl https://sh.rustup.rs -sSf | sh -s -- --default-toolchain 1.62.0 -y - run: echo "$HOME/.cargo/bin" >> $GITHUB_PATH - name: Download suricata.tar.gz - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 with: name: dist - run: tar zxvf suricata-*.tar.gz --strip-components=1 @@ -1605,7 +1627,7 @@ jobs: # Cache Rust stuff. - name: Cache cargo registry - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: ~/.cargo/registry key: cargo-registry 
@@ -1648,8 +1670,9 @@ jobs: zlib1g \ zlib1g-dev \ exuberant-ctags - - uses: actions/checkout@v3.5.3 - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - run: git config --global --add safe.directory /__w/suricata/suricata + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 with: name: prep path: prep @@ -1684,7 +1707,7 @@ jobs: # Cache Rust stuff. - name: Cache cargo registry - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: ~/.cargo/registry key: cargo-registry @@ -1723,8 +1746,9 @@ jobs: zlib1g \ zlib1g-dev - run: echo "$HOME/.cargo/bin" >> $GITHUB_PATH - - uses: actions/checkout@v3.5.3 - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - run: git config --global --add safe.directory /__w/suricata/suricata + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 with: name: prep path: prep @@ -1741,7 +1765,7 @@ jobs: steps: # Cache Rust stuff. - name: Cache cargo registry - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: ~/.cargo/registry key: cargo-registry @@ -1792,12 +1816,20 @@ jobs: linux-headers-$(uname -r) - name: Checkout Netmap repository - uses: actions/checkout@v3.5.3 + if: steps.netmap-cache.outputs.cache-hit != 'true' + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 with: repository: luigirizzo/netmap # gets cloned to $GITHUB_WORKSPACE/netmap/ path: netmap/ + - name: Save Netmap Cache + if: steps.netmap-cache.outputs.cache-hit != 'true' + uses: actions/cache/save@v4 + with: + path: netmap/ + key: netmap-git + - name: Compile and install Netmap run: | cd $GITHUB_WORKSPACE/netmap/LINUX 
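Review bot: `uses: actions/cache/save@v4` in the new "Save Netmap Cache" step is referenced by a mutable tag, while every other action touched in builds.yml is pinned to a commit hash; the tag can be moved to different code without any change in this file. Pinning it the same way, e.g. `uses: actions/cache/save@<commit-sha> # v4.x.y`, keeps the workflow consistent. codeql.yml has the same gap with `github/codeql-action/init@v3.26.12` and `github/codeql-action/analyze@v3.26.12`. Separately, both new `if: steps.netmap-cache.outputs.cache-hit != 'true'` conditions depend on a step with `id: netmap-cache` that is not visible in this hunk; if the job has no such restore step, the condition is always true and the save is attempted against the fixed key `netmap-git` on every run.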
@@ -1805,8 +1837,9 @@ jobs: make -j2 sudo make install - - uses: actions/checkout@v3.5.3 - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - run: git config --global --add safe.directory /__w/suricata/suricata + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 with: name: prep path: prep @@ -1824,7 +1857,7 @@ jobs: steps: # Cache Rust stuff. - name: Cache cargo registry - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: ~/.cargo/registry key: cargo-registry @@ -1839,8 +1872,9 @@ jobs: git \ libtool - - uses: actions/checkout@v3.5.3 - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - run: git config --global --add safe.directory /__w/suricata/suricata + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 with: name: prep path: prep @@ -1868,7 +1902,7 @@ jobs: # Cache Rust stuff. - name: Cache cargo registry - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: ~/.cargo/registry key: cargo-registry @@ -1937,8 +1971,9 @@ jobs: ninja -C build install ldconfig cd $HOME - - uses: actions/checkout@v3.5.3 - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - run: git config --global --add safe.directory /__w/suricata/suricata + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 with: name: prep path: prep @@ -1957,7 +1992,7 @@ jobs: steps: # Cache Rust stuff. - name: Cache cargo registry - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: ~/.cargo/registry key: cargo-registry 
@@ -2009,8 +2044,9 @@ jobs: texlive-latex-extra \ zlib1g \ zlib1g-dev - - uses: actions/checkout@v3.5.3 - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - run: git config --global --add safe.directory /__w/suricata/suricata + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 with: name: prep path: prep @@ -2044,7 +2080,7 @@ jobs: steps: # Cache Rust stuff. - name: Cache cargo registry - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: ~/.cargo/registry key: cargo-registry @@ -2092,8 +2128,9 @@ jobs: texlive-latex-extra \ zlib1g \ zlib1g-dev - - uses: actions/checkout@v3.5.3 - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - run: git config --global --add safe.directory /__w/suricata/suricata + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 with: name: prep path: prep @@ -2108,7 +2145,7 @@ jobs: run: | mkdir dist mv suricata-*.tar.gz dist - - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce + - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 name: Uploading distribution with: name: dist @@ -2122,7 +2159,7 @@ jobs: steps: # Cache Rust stuff. - name: Cache cargo registry - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: ~/.cargo/registry key: cargo-registry 
@@ -2171,8 +2208,9 @@ jobs: texlive-latex-extra \ zlib1g \ zlib1g-dev - - uses: actions/checkout@v3.5.3 - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - run: git config --global --add safe.directory /__w/suricata/suricata + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 with: name: prep path: prep @@ -2204,7 +2242,7 @@ jobs: steps: # Cache Rust stuff. - name: Cache cargo registry - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: ~/.cargo/registry key: cargo-registry @@ -2248,8 +2286,9 @@ jobs: - name: Install Rust run: curl https://sh.rustup.rs -sSf | sh -s -- --default-toolchain $RUST_VERSION_KNOWN -y - run: echo "$HOME/.cargo/bin" >> $GITHUB_PATH - - uses: actions/checkout@v3.5.3 - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - run: git config --global --add safe.directory /__w/suricata/suricata + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 with: name: prep path: prep @@ -2275,7 +2314,7 @@ jobs: steps: # Cache Rust stuff. - name: Cache cargo registry - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: ~/.cargo/registry key: cargo-registry @@ -2317,8 +2356,9 @@ jobs: - name: Install Rust run: curl https://sh.rustup.rs -sSf | sh -s -- --default-toolchain $RUST_VERSION_KNOWN -y - run: echo "$HOME/.cargo/bin" >> $GITHUB_PATH - - uses: actions/checkout@v3.5.3 - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - run: git config --global --add safe.directory /__w/suricata/suricata + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 with: name: prep path: prep 
@@ -2343,7 +2383,7 @@ jobs: steps: # Cache Rust stuff. - name: Cache cargo registry - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: ~/.cargo/registry key: cargo-registry @@ -2367,9 +2407,10 @@ jobs: rust \ xz - run: echo "$HOME/.cargo/bin" >> $GITHUB_PATH - - uses: actions/checkout@v3.5.3 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - run: git config --global --add safe.directory /__w/suricata/suricata - name: Downloading prep archive - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 with: name: prep path: prep @@ -2408,7 +2449,7 @@ jobs: shell: msys2 {0} steps: - name: Cache ~/.cargo - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: ~/.cargo/registry key: cargo-registry @@ -2421,8 +2462,9 @@ jobs: # preinstalled one to be picked up by configure - name: cbindgen run: cargo install --root /usr --force --debug --version 0.24.3 cbindgen - - uses: actions/checkout@v3.5.3 - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - run: git config --global --add safe.directory /__w/suricata/suricata + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 with: name: prep path: prep @@ -2463,7 +2505,7 @@ jobs: shell: msys2 {0} steps: - name: Cache ~/.cargo - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: ~/.cargo/registry key: cargo-registry 
@@ -2476,8 +2518,9 @@ jobs: # preinstalled one to be picked up by configure - name: cbindgen run: cargo install --root /usr --force --debug --version 0.24.3 cbindgen - - uses: actions/checkout@v3.5.3 - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - run: git config --global --add safe.directory /__w/suricata/suricata + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 with: name: prep path: prep @@ -2506,7 +2549,7 @@ jobs: shell: msys2 {0} steps: - name: Cache ~/.cargo - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: ~/.cargo/registry key: cargo-registry @@ -2519,8 +2562,9 @@ jobs: # preinstalled one to be picked up by configure - name: cbindgen run: cargo install --root /usr --force --debug --version 0.24.3 cbindgen - - uses: actions/checkout@v3.5.3 - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - run: git config --global --add safe.directory /__w/suricata/suricata + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 with: name: prep path: prep diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml index c0ea14a8d9..4d130f38c6 100644 --- a/.github/workflows/cifuzz.yml +++ b/.github/workflows/cifuzz.yml @@ -6,6 +6,10 @@ on: paths-ignore: - "doc/**" +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + permissions: read-all jobs: Fuzzing: diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 3d13d276b0..297317efb8 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -13,6 +13,12 @@ on: schedule: - cron: '18 21 * * 1' +permissions: read-all + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + jobs: analyze: name: Analyze 
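Review bot: The workflow-level `permissions: read-all` added to codeql.yml leaves `security-events` at read, while `github/codeql-action/analyze` needs `security-events: write` to publish its results. The `analyze` job's own settings fall between the two codeql.yml hunks and are not shown. If it has no job-level block, add `permissions:` with `contents: read` and `security-events: write` under `analyze:` so that push and scheduled runs can still upload.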
@@ -31,13 +37,14 @@ jobs: # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] steps: - name: Checkout repository - uses: actions/checkout@v3.5.3 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@v3.26.12 with: languages: ${{ matrix.language }} + queries: security-extended - run: | sudo apt-get update @@ -55,4 +62,4 @@ jobs: ./configure make - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@v3.26.12 diff --git a/.github/workflows/commits.yml b/.github/workflows/commits.yml index 12368cb54c..18908ead0b 100644 --- a/.github/workflows/commits.yml +++ b/.github/workflows/commits.yml @@ -5,6 +5,10 @@ on: permissions: read-all +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + env: DEBIAN_FRONTEND: "noninteractive" @@ -16,7 +20,7 @@ jobs: container: ubuntu:20.04 steps: - name: Caching ~/.cargo - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: ~/.cargo key: commit-check-cargo @@ -71,7 +75,7 @@ jobs: cd $HOME/.cargo/bin curl -OL https://github.com/eqrion/cbindgen/releases/download/v0.24.3/cbindgen chmod 755 cbindgen - - uses: actions/checkout@v3.3.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 with: fetch-depth: 0 # The action above is supposed to do this for us, but it doesn't appear to stick. @@ -97,7 +101,7 @@ jobs: make -ik distclean > /dev/null done - run: sccache -s - - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce + - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 name: Uploading build log if: always() with: diff --git a/.github/workflows/formatting.yml b/.github/workflows/formatting.yml index 03a8e81169..1d8900a18b 100644 
--- a/.github/workflows/formatting.yml +++ b/.github/workflows/formatting.yml @@ -12,6 +12,10 @@ on: paths-ignore: - "doc/**" +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + permissions: read-all env: @@ -29,7 +33,7 @@ jobs: # Cache Rust stuff. - name: Cache cargo registry - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: ~/.cargo/registry key: cargo-registry @@ -85,7 +89,7 @@ jobs: # My patience simply ran too short to keep on looking. See follow-on # action to manually fix this up. - name: Checkout - might be merge commit! - uses: actions/checkout@v3.5.3 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 with: fetch-depth: 0 # Use last commit of branch, not potential merge commit! diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml index b25c1bab58..47dcb2f377 100644 --- a/.github/workflows/rust.yml +++ b/.github/workflows/rust.yml @@ -11,6 +11,10 @@ on: permissions: contents: read # to fetch code (actions/checkout) +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + jobs: check-rust: name: Check Rust @@ -18,7 +22,7 @@ jobs: container: almalinux:9 steps: - name: Cache rust - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: ~/.cargo key: check-rust @@ -69,7 +73,7 @@ jobs: echo "$HOME/.cargo/bin" >> $GITHUB_PATH - name: Install cbindgen run: cargo install --debug cbindgen - - uses: actions/checkout@v3.5.3 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 - run: git config --global --add safe.directory /__w/suricata/suricata - run: ./scripts/bundle.sh - run: ./autogen.sh diff --git a/.github/workflows/scan-build.yml b/.github/workflows/scan-build.yml index ef675297f5..9407471483 100644 --- a/.github/workflows/scan-build.yml +++ b/.github/workflows/scan-build.yml 
@@ -8,6 +8,12 @@ on: paths-ignore: - "doc/**" +permissions: read-all + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + jobs: scan-build: name: Scan-build @@ -15,7 +21,7 @@ jobs: container: ubuntu:24.04 steps: - name: Cache scan-build - uses: actions/cache@v3.3.1 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: ~/.cargo key: scan-build @@ -63,7 +69,8 @@ jobs: software-properties-common \ zlib1g \ zlib1g-dev - - uses: actions/checkout@v3.5.3 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - run: git config --global --add safe.directory /__w/suricata/suricata - run: ./scripts/bundle.sh - run: ./autogen.sh - run: scan-build-18 ./configure --enable-dpdk --enable-nfqueue --enable-nflog diff --git a/.github/workflows/scorecards-analysis.yml b/.github/workflows/scorecards-analysis.yml index 3b66128492..b634de025f 100644 --- a/.github/workflows/scorecards-analysis.yml +++ b/.github/workflows/scorecards-analysis.yml @@ -7,6 +7,10 @@ on: push: branches: [ master ] +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + # Declare default permissions as read only. permissions: read-all 
@@ -17,39 +21,36 @@ jobs: permissions: # Needed to upload the results to code-scanning dashboard. security-events: write - actions: read - contents: read + id-token: write steps: - name: "Checkout code" - uses: actions/checkout@v3.5.3 - with: - persist-credentials: false + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: "Run analysis" - uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v1.0.1 + uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 with: results_file: results.sarif results_format: sarif - # Read-only PAT token. To create it, - # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation. repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} - # Publish the results to enable scorecard badges. For more details, see - # https://github.com/ossf/scorecard-action#publishing-results. - # For private repositories, `publish_results` will automatically be set to `false`, - # regardless of the value entered here. + # Scorecard team runs a weekly scan of public GitHub repos, + # see https://github.com/ossf/scorecard#public-data. + # Setting `publish_results: true` helps us scale by leveraging your workflow to + # extract the results instead of relying on our own infrastructure to run scans. + # And it's free for you! publish_results: true - # Upload the results as artifacts (optional). + # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts + # Optional. - name: "Upload artifact" - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.1.2 with: name: SARIF file path: results.sarif retention-days: 5 # Upload the results to GitHub's code scanning dashboard. 
- - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@v2 # v1.0.26 + - name: "Upload SARIF results" + uses: github/codeql-action/upload-sarif@ea2cd92c21b192add69983116b8b3222b09da33b # v1 with: sarif_file: results.sarif
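Review bot: The "Checkout code" step loses `with:` / `persist-credentials: false`, so the job token stays in the checkout's git configuration for the later steps, including the third-party `ossf/scorecard-action`, in a job that now holds `id-token: write` as well as `security-events: write`. Nothing visible in the hunk needs git to authenticate after checkout, so I would restore `persist-credentials: false` under the checkout step. Removing `contents: read` from the job-level `permissions` also drops that scope to none for this job, since a job-level block replaces the workflow default; confirm checkout still works if the repository is ever private. The trailing `# v1` on the `upload-sarif` pin looks out of step with the v3 tags used in codeql.yml and should be checked against the pinned hash.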