Remove security options and ensure security in CI (#666) #347
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Publish Spice | |
| name: Release | |
| on: | |
| push: | |
| tags: | |
| - '*' | |
| jobs: | |
| build-compiler-linux-x86: | |
| name: Build compiler - Linux/x86_64 | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup Java | |
| uses: actions/setup-java@v4 | |
| with: | |
| distribution: zulu | |
| java-version: 11 | |
| - name: Setup Mold | |
| uses: rui314/setup-mold@v1 | |
| - name: Setup CCache | |
| uses: hendrikmuhs/ccache-action@v1 | |
| - name: Setup Dependencies | |
| run: sudo apt-get install ninja-build pipx uuid-dev | |
| - name: Cache LLVM | |
| id: cache-llvm | |
| uses: actions/cache@v4 | |
| with: | |
| path: /home/runner/work/spice/spice/llvm | |
| key: llvm-19.1.1-linux-x64 | |
| - name: Setup LLVM | |
| if: steps.cache-llvm.outputs.cache-hit != 'true' | |
| run: | | |
| git clone --depth 1 --branch llvmorg-19.1.1 https://github.com/llvm/llvm-project.git llvm | |
| mkdir ./llvm/build | |
| cd ./llvm/build | |
| cmake -GNinja -DCMAKE_BUILD_TYPE=Release -DCMAKE_C_COMPILER_LAUNCHER=ccache -DCMAKE_CXX_COMPILER_LAUNCHER=ccache -DCMAKE_C_COMPILER=gcc -DCMAKE_CXX_COMPILER=g++ -DCMAKE_CXX_FLAGS_RELEASE="-O2" -DLLVM_ENABLE_RTTI=ON -Wno-dev -Wattributes ../llvm | |
| cmake --build . | |
| - name: Download Libs | |
| run: | | |
| chmod +x setup-libs.sh | |
| ./setup-libs.sh | |
| - name: Configure & compile project | |
| env: | |
| LLVM_DIR: /home/runner/work/spice/spice/llvm/build/lib/cmake/llvm | |
| run: | | |
| mkdir ./bin | |
| cd ./bin | |
| cmake -GNinja -DCMAKE_BUILD_TYPE=Release -DCMAKE_C_COMPILER=gcc -DCMAKE_CXX_COMPILER=g++ -DSPICE_LINK_STATIC=ON -DSPICE_LTO=ON -DCMAKE_CXX_FLAGS_RELEASE="-O2" -DSPICE_VERSION="${{ github.ref_name }}" -DSPICE_BUILT_BY="ghactions" .. | |
| cmake --build . --target spice | |
| - name: Process build output | |
| working-directory: bin | |
| run: | | |
| mv ./src/spice spice | |
| chmod +x spice | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: spice-linux-x64 | |
| path: ./bin/spice** | |
| build-compiler-linux-aarch64: | |
| name: Build compiler - Linux/AArch64 | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup Java | |
| uses: actions/setup-java@v4 | |
| with: | |
| distribution: zulu | |
| java-version: 11 | |
| - name: Setup latest GCC and build dependencies | |
| run: | | |
| sudo apt update | |
| sudo apt install gcc-aarch64-linux-gnu g++-aarch64-linux-gnu | |
| - name: Setup Dependencies | |
| run: sudo apt-get install ninja-build uuid-dev checksec jq | |
| - name: Setup CCache | |
| uses: hendrikmuhs/ccache-action@v1 | |
| - name: Cache LLVM | |
| id: cache-llvm | |
| uses: actions/cache@v4 | |
| with: | |
| path: /home/runner/work/spice/spice/llvm | |
| key: llvm-19.1.1-linux-aarch64 | |
| - name: Clone LLVM | |
| if: steps.cache-llvm.outputs.cache-hit != 'true' | |
| run: | | |
| git clone --depth 1 --branch llvmorg-19.1.1 https://github.com/llvm/llvm-project.git llvm | |
| mkdir ./llvm/build | |
| - name: Setup LLVM | |
| if: steps.cache-llvm.outputs.cache-hit != 'true' | |
| run: | | |
| cd ./llvm/build | |
| cmake -GNinja -DCMAKE_SYSTEM_NAME=Linux -DCMAKE_SYSTEM_PROCESSOR=aarch64 -DLLVM_HOST_TRIPLE=x86_64-linux-gnu -DCMAKE_BUILD_TYPE=Release -DCMAKE_C_COMPILER=aarch64-linux-gnu-gcc -DCMAKE_CXX_COMPILER=aarch64-linux-gnu-g++ -DCMAKE_CXX_FLAGS_RELEASE="-O2" -DLLVM_ENABLE_RTTI=ON -Wno-dev -Wattributes ../llvm | |
| cmake --build . | |
| - name: Download Libs | |
| run: | | |
| chmod +x setup-libs.sh | |
| ./setup-libs.sh | |
| - name: Configure & compile project | |
| env: | |
| LLVM_DIR: /home/runner/work/spice/spice/llvm/build/lib/cmake/llvm | |
| run: | | |
| mkdir ./bin | |
| cd ./bin | |
| cmake cmake -GNinja -DCMAKE_SYSTEM_NAME=Linux -DCMAKE_SYSTEM_PROCESSOR=aarch64 -DCMAKE_BUILD_TYPE=Release -DCMAKE_C_COMPILER=aarch64-linux-gnu-gcc -DCMAKE_CXX_COMPILER=aarch64-linux-gnu-g++ -DSPICE_LTO=ON -DCMAKE_CXX_FLAGS_RELEASE="-O2" -DSPICE_VERSION="${{ github.ref_name }}" -DSPICE_BUILT_BY="ghactions" .. | |
| cmake --build . --target spice | |
| - name: Process build output | |
| working-directory: bin | |
| run: | | |
| mv ./src/spice spice | |
| chmod +x spice | |
| - name: Run Checksec | |
| working-directory: bin | |
| run: checksec --file=./spice --output=json | jq | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: spice-linux-arm64 | |
| path: ./bin/spice** | |
| build-compiler-windows-x86: | |
| name: Build compiler binaries - Windows/x86_64 | |
| runs-on: windows-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - uses: actions/setup-java@v4 | |
| with: | |
| distribution: zulu | |
| java-version: 11 | |
| - name: Setup latest GCC | |
| shell: pwsh | |
| run: | | |
| choco uninstall mingw --all-versions | |
| choco uninstall llvm --all-versions | |
| Remove-Item -Recurse -Force C:/Strawberry | |
| echo "Uninstalling done." | |
| Invoke-WebRequest https://chillibits.com/files/gh/mingw64_13_2_0.7z -OutFile mingw64.7z | |
| echo "Downloading done." | |
| 7z x mingw64.7z -oC:\mingw64 | |
| echo "Unpacking done." | |
| Copy-Item -Path C:\mingw64\mingw64\bin\mingw32-make.exe -Destination C:\mingw64\mingw64\bin\make.exe | |
| echo "All done." | |
| - name: Setup Ninja | |
| uses: seanmiddleditch/gha-setup-ninja@master | |
| - name: Setup CCache | |
| uses: hendrikmuhs/ccache-action@v1 | |
| - name: Cache LLVM | |
| id: cache-llvm | |
| uses: actions/cache@v4 | |
| with: | |
| path: D:/a/spice/spice/llvm | |
| key: llvm-19.1.1-win-x64 | |
| - name: Setup LLVM | |
| if: steps.cache-llvm.outputs.cache-hit != 'true' | |
| run: | | |
| git clone --depth 1 --branch llvmorg-19.1.1 https://github.com/llvm/llvm-project.git llvm | |
| setx /M PATH "%PATH%;C:\mingw64\mingw64\bin" | |
| $env:Path = [System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User") | |
| echo "Adding MinGW to path done." | |
| mkdir ./llvm/build | |
| cd ./llvm/build | |
| cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_C_COMPILER_LAUNCHER=ccache -DCMAKE_CXX_COMPILER_LAUNCHER=ccache -DCMAKE_C_COMPILER=gcc -DCMAKE_CXX_COMPILER=g++ -DCMAKE_CXX_FLAGS_RELEASE="-O2" -DLLVM_ENABLE_RTTI=ON -GNinja -Wno-dev -Wattributes ../llvm | |
| cmake --build . | |
| - name: Download Libs | |
| run: .\setup-libs.bat | |
| - name: Configure & compile project | |
| env: | |
| LLVM_DIR: D:/a/spice/spice/llvm/build/lib/cmake/llvm | |
| run: | | |
| setx /M PATH "%PATH%;C:\mingw64\mingw64\bin" | |
| $env:Path = [System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User") | |
| echo "Adding MinGW to path done." | |
| mkdir ./bin | |
| cd ./bin | |
| cmake -GNinja -DCMAKE_BUILD_TYPE=Release -DCMAKE_C_COMPILER=gcc -DCMAKE_CXX_COMPILER=g++ -DSPICE_LINK_STATIC=ON -DCMAKE_CXX_FLAGS_RELEASE="-O2" -DSPICE_VERSION="${{ github.ref_name }}" -DSPICE_BUILT_BY="ghactions" .. | |
| cmake --build . --target spice | |
| - name: Process build output | |
| working-directory: bin | |
| run: mv ./src/spice.exe spice.exe | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: spice-windows-static-x64 | |
| path: ./bin/spice** | |
| build-artifacts: | |
| name: Build artifacts | |
| needs: [ build-compiler-linux-x86, build-compiler-linux-aarch64, build-compiler-windows-x86 ] | |
| runs-on: ubuntu-latest | |
| env: | |
| DOCKER_CLI_EXPERIMENTAL: enabled | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.23' | |
| - name: Restore Go modules cache | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/go/pkg/mod | |
| key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
| restore-keys: ${{ runner.os }}-go- | |
| - name: Docker login GHCR | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.CR_PAT }} | |
| - name: Docker login Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: docker.io | |
| username: chillibits | |
| password: ${{ secrets.DOCKER_HUB_SECRET }} | |
| - name: Download all artifacts of compiler build | |
| uses: actions/download-artifact@v4 | |
| with: | |
| path: bin | |
| - name: Rename compiler binaries & allow execution | |
| working-directory: bin | |
| run: | | |
| mv spice-windows-static-x64 spice-windows-amd64 | |
| mv spice-linux-x64 spice-linux-amd64 | |
| chmod -R +x ./ | |
| - name: Run GoReleaser | |
| uses: goreleaser/goreleaser-action@v6 | |
| with: | |
| version: v2.3.2 | |
| args: release --clean | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: dist-output | |
| path: dist/ | |
| deploy-nexus: | |
| name: Deploy to Nexus | |
| needs: build-artifacts | |
| runs-on: ubuntu-latest | |
| if: contains(github.ref, 'rc') == false | |
| strategy: | |
| matrix: | |
| arch: | |
| - amd64 | |
| - arm64 | |
| steps: | |
| - name: Download dist output | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: dist-output | |
| - name: Deploy to Debian / Raspbian repo | |
| run: | | |
| curl -sSf -u "${{ secrets.NEXUS_USERNAME }}:${{ secrets.NEXUS_PASSWORD }}" -H "Content-Type: multipart/form-data" --data-binary "@./spice_${{ matrix.arch }}.deb" "${{ secrets.NEXUS_URL }}/debian-bookworm/" | |
| curl -sSf -u "${{ secrets.NEXUS_USERNAME }}:${{ secrets.NEXUS_PASSWORD }}" -H "Content-Type: multipart/form-data" --data-binary "@./spice_${{ matrix.arch }}.deb" "${{ secrets.NEXUS_URL }}/debian-bullseye/" | |
| curl -sSf -u "${{ secrets.NEXUS_USERNAME }}:${{ secrets.NEXUS_PASSWORD }}" -H "Content-Type: multipart/form-data" --data-binary "@./spice_${{ matrix.arch }}.deb" "${{ secrets.NEXUS_URL }}/debian-buster/" | |
| curl -sSf -u "${{ secrets.NEXUS_USERNAME }}:${{ secrets.NEXUS_PASSWORD }}" -H "Content-Type: multipart/form-data" --data-binary "@./spice_${{ matrix.arch }}.deb" "${{ secrets.NEXUS_URL }}/debian-stretch/" | |
| curl -sSf -u "${{ secrets.NEXUS_USERNAME }}:${{ secrets.NEXUS_PASSWORD }}" -H "Content-Type: multipart/form-data" --data-binary "@./spice_${{ matrix.arch }}.deb" "${{ secrets.NEXUS_URL }}/debian-jessie/" | |
| - name: Deploy to Ubuntu repo | |
| run: | | |
| curl -sSf -u "${{ secrets.NEXUS_USERNAME }}:${{ secrets.NEXUS_PASSWORD }}" -H "Content-Type: multipart/form-data" --data-binary "@./spice_${{ matrix.arch }}.deb" "${{ secrets.NEXUS_URL }}/ubuntu-noble/" | |
| curl -sSf -u "${{ secrets.NEXUS_USERNAME }}:${{ secrets.NEXUS_PASSWORD }}" -H "Content-Type: multipart/form-data" --data-binary "@./spice_${{ matrix.arch }}.deb" "${{ secrets.NEXUS_URL }}/ubuntu-jammy/" | |
| curl -sSf -u "${{ secrets.NEXUS_USERNAME }}:${{ secrets.NEXUS_PASSWORD }}" -H "Content-Type: multipart/form-data" --data-binary "@./spice_${{ matrix.arch }}.deb" "${{ secrets.NEXUS_URL }}/ubuntu-focal/" | |
| curl -sSf -u "${{ secrets.NEXUS_USERNAME }}:${{ secrets.NEXUS_PASSWORD }}" -H "Content-Type: multipart/form-data" --data-binary "@./spice_${{ matrix.arch }}.deb" "${{ secrets.NEXUS_URL }}/ubuntu-bionic/" | |
| curl -sSf -u "${{ secrets.NEXUS_USERNAME }}:${{ secrets.NEXUS_PASSWORD }}" -H "Content-Type: multipart/form-data" --data-binary "@./spice_${{ matrix.arch }}.deb" "${{ secrets.NEXUS_URL }}/ubuntu-xenial/" | |
| - name: Deploy to CentOS repo | |
| run: | | |
| curl -sSf -u "${{ secrets.NEXUS_USERNAME }}:${{ secrets.NEXUS_PASSWORD }}" -H "Content-Type: multipart/form-data" --upload-file ./spice_${{ matrix.arch }}.rpm ${{ secrets.NEXUS_URL }}/centos/spice/${{ github.ref_name }}/spice-${{ matrix.arch }}.rpm | |
| - name: Deploy to Fedora repo | |
| run: | | |
| curl -sSf -u "${{ secrets.NEXUS_USERNAME }}:${{ secrets.NEXUS_PASSWORD }}" -H "Content-Type: multipart/form-data" --upload-file ./spice_${{ matrix.arch }}.rpm ${{ secrets.NEXUS_URL }}/fedora/spice/${{ github.ref_name }}/spice-${{ matrix.arch }}.rpm | |
| # - name: Deploy to Alpine repo | |
| # run: | | |
| # curl -sSf -u "${{ secrets.NEXUS_USERNAME }}:${{ secrets.NEXUS_PASSWORD }}" -H "Content-Type: multipart/form-data" --data-binary "@./spice_${{ matrix.arch }}.apk" "${{ secrets.NEXUS_URL }}/alpine/spice/${{ github.ref_name }}/spice-${{ matrix.arch }}.apk" | |
| build-win-installers: | |
| name: Build Windows installers | |
| needs: build-artifacts | |
| runs-on: windows-latest | |
| strategy: | |
| matrix: | |
| config: | |
| - { | |
| arch: amd64, | |
| label: x64 | |
| } | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Install GoMSI | |
| run: choco install -y go-msi | |
| - name: Download executables | |
| id: download_exe | |
| shell: bash | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| gh release download "${GITHUB_REF#refs/tags/}" -p *windows_${{ matrix.config.arch }}*.zip | |
| printf "::set-output name=zip::%s\n" *.zip | |
| unzip -o *.zip && rm -v *.zip | |
| dir | |
| - name: Prepare PATH | |
| shell: bash | |
| run: | | |
| echo "$WIX\\bin" >> $GITHUB_PATH | |
| echo "C:\\Program Files\\go-msi" >> $GITHUB_PATH | |
| - name: Copy DLLs to source dir | |
| shell: bash | |
| env: | |
| ZIP_FILE: ${{ steps.download_exe.outputs.zip }} | |
| run: cp ./src/thirdparty/zlib1__.dll ./ | |
| - name: Build MSI | |
| shell: bash | |
| id: build_msi | |
| env: | |
| ZIP_FILE: ${{ steps.download_exe.outputs.zip }} | |
| run: | | |
| mkdir -p build | |
| msi="$(basename "$ZIP_FILE" ".zip").msi" | |
| printf "::set-output name=msi::%s\n" "$msi" | |
| go-msi make --msi "$PWD/$msi" --out "$PWD/build" --version ${{ github.ref_name }} | |
| printf "::set-output name=msi::%s\n" *.msi | |
| - name: Upload MSI | |
| uses: svenstaro/upload-release-action@v2 | |
| with: | |
| repo_token: ${{ secrets.GITHUB_TOKEN }} | |
| file: ${{ steps.build_msi.outputs.msi }} | |
| asset_name: spice_${{ matrix.config.label }}_setup.msi | |
| tag: ${{ github.ref }} | |
| - name: Deploy to WinGet | |
| uses: vedantmgoyal2009/winget-releaser@v2 | |
| continue-on-error: true | |
| with: | |
| identifier: ChilliBits.Spice | |
| version: ${{ github.ref_name }} | |
| release-tag: ${{ github.ref_name }} | |
| token: ${{ secrets.CR_PAT }} | |
| max-versions-to-keep: 10 |