Alex Low 303b784cc8
build: harden GitHub workflow permissions
Grant pull-requests write permission to the labeler workflow and
read-only to everything else.

Signed-off-by: Alex Low <aleksandrosansan@gmail.com>
[ wrap to 80 columns and fix wrong author as requested by author itself ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 715259940776843d8799bc39de8eb50eb764189b)
2022-12-04 17:36:57 +01:00

202 lines
5.6 KiB
YAML

name: Build host tools
on:
pull_request:
paths:
- 'tools/**'
- '.github/workflows/tools.yml'
push:
paths:
- 'tools/**'
- '.github/workflows/tools.yml'
permissions:
contents: read
jobs:
build-macos-latest:
if: github.event_name != 'push'
runs-on: macos-latest
steps:
- name: Checkout
uses: actions/checkout@v2
with:
path: openwrt
- name: Setup MacOS
run: |
echo "WORKPATH=/Volumes/OpenWrt" >> "$GITHUB_ENV"
hdiutil create -size 20g -type SPARSE -fs "Case-sensitive HFS+" -volname OpenWrt OpenWrt.sparseimage
hdiutil attach OpenWrt.sparseimage
mv "$GITHUB_WORKSPACE/openwrt" /Volumes/OpenWrt/
- name: Install required prereq on MacOS
working-directory: ${{ env.WORKPATH }}/openwrt
run: |
brew install \
autoconf \
automake \
coreutils \
diffutils \
findutils \
gawk \
gettext \
git-extras \
gmp \
gnu-getopt \
gnu-sed \
gnu-tar \
grep \
libidn2 \
libunistring \
m4 \
make \
mpfr \
ncurses \
openssl@1.1 \
pcre \
pkg-config \
quilt \
readline \
wget \
zstd
echo "/bin" >> "$GITHUB_PATH"
echo "/sbin/Library/Apple/usr/bin" >> "$GITHUB_PATH"
echo "/usr/bin" >> "$GITHUB_PATH"
echo "/usr/local/bin" >> "$GITHUB_PATH"
echo "/usr/local/opt/coreutils/bin" >> "$GITHUB_PATH"
echo "/usr/local/opt/findutils/libexec/gnubin" >> "$GITHUB_PATH"
echo "/usr/local/opt/gettext/bin" >> "$GITHUB_PATH"
echo "/usr/local/opt/gnu-getopt/bin" >> "$GITHUB_PATH"
echo "/usr/local/opt/make/libexec/gnubin" >> "$GITHUB_PATH"
echo "/usr/local/opt/make/libexec/gnubin" >> "$GITHUB_PATH"
echo "/usr/sbin" >> "$GITHUB_PATH"
- name: Make prereq
working-directory: ${{ env.WORKPATH }}/openwrt
run: make defconfig
- name: Build tools MacOS
working-directory: ${{ env.WORKPATH }}/openwrt
run: make tools/install -j$(nproc) BUILD_LOG=1 || ret=$? .github/workflows/scripts/show_build_failures.sh
- name: Upload logs
if: always()
uses: actions/upload-artifact@v2
with:
name: macos-latest-logs
path: ${{ env.WORKPATH }}/openwrt/logs
- name: Upload config
if: always()
uses: actions/upload-artifact@v2
with:
name: macos-latest-config
path: ${{ env.WORKPATH }}/openwrt/.config
build-linux-buildbot:
runs-on: ubuntu-latest
container: registry.gitlab.com/openwrt/buildbot/buildworker-3.4.1
steps:
- name: Checkout
uses: actions/checkout@v2
with:
path: 'openwrt'
- name: Fix permission
run: |
chown -R buildbot:buildbot openwrt
- name: Set configs for tools container
if: github.event_name == 'push'
shell: su buildbot -c "sh -e {0}"
working-directory: openwrt
run: |
touch .config
echo CONFIG_DEVEL=y >> .config
echo CONFIG_AUTOREMOVE=y >> .config
echo CONFIG_CCACHE=y >> .config
- name: Make prereq
shell: su buildbot -c "sh -e {0}"
working-directory: openwrt
run: make defconfig
- name: Build tools BuildBot Container
shell: su buildbot -c "sh -e {0}"
working-directory: openwrt
run: make tools/install -j$(nproc) BUILD_LOG=1 || ret=$? .github/workflows/scripts/show_build_failures.sh
- name: Upload logs
if: always()
uses: actions/upload-artifact@v2
with:
name: linux-buildbot-logs
path: openwrt/logs
- name: Upload config
if: always()
uses: actions/upload-artifact@v2
with:
name: linux-buildbot-config
path: openwrt/.config
- name: Archive prebuilt tools
if: github.event_name == 'push'
shell: su buildbot -c "sh -e {0}"
working-directory: openwrt
run: tar --mtime=now -cf tools.tar staging_dir/host build_dir/host dl
- name: Upload prebuilt tools
if: github.event_name == 'push'
uses: actions/upload-artifact@v2
with:
name: linux-buildbot-prebuilt-tools
path: openwrt/tools.tar
retention-days: 1
push-tools-container:
needs: build-linux-buildbot
runs-on: ubuntu-latest
if: github.event_name == 'push'
permissions:
contents: read
packages: write
steps:
- name: Set lower case owner name
env:
OWNER: ${{ github.repository_owner }}
run: |
echo "OWNER_LC=${OWNER,,}" >> "$GITHUB_ENV"
- name: Checkout
uses: actions/checkout@v2
with:
path: 'openwrt'
- name: Download prebuilt tools from build job
uses: actions/download-artifact@v2
with:
name: linux-buildbot-prebuilt-tools
path: openwrt
- name: Login to GitHub Container Registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push
uses: docker/build-push-action@v3
with:
context: openwrt
push: true
tags: ghcr.io/${{ env.OWNER_LC }}/tools:latest
file: openwrt/.github/workflows/Dockerfile.tools