Bump step-security/harden-runner from 2.11.1 to 2.12.0 #1138
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: packchk | |
| on: | |
| workflow_call: | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - '.github/workflows/packchk.yml' | |
| - '.github/workflows/unit_test_results.yml' | |
| - '.github/matrix_includes_packchk.json' | |
| - 'CMakeLists.txt' | |
| - 'tools/packchk/**' | |
| - 'libs/xml**' | |
| - 'libs/rte**' | |
| - 'external/cxxopts' | |
| - 'external/cxxopts.patch' | |
| - 'external/xerces-c' | |
| - 'external/xerces-c.patch' | |
| - '!**/docs/**/*' | |
| - '!**/*.md' | |
| pull_request: | |
| paths: | |
| - '.github/workflows/packchk.yml' | |
| - '.github/workflows/unit_test_results.yml' | |
| - '.github/matrix_includes_packchk.json' | |
| - 'CMakeLists.txt' | |
| - 'tools/packchk/**' | |
| - 'libs/xml**' | |
| - 'libs/rte**' | |
| - 'external/cxxopts' | |
| - 'external/cxxopts.patch' | |
| - 'external/xerces-c' | |
| - 'external/xerces-c.patch' | |
| - '!**/docs/**/*' | |
| - '!**/*.md' | |
| release: | |
| types: [published] | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| setup: | |
| uses: Open-CMSIS-Pack/devtools/.github/workflows/shared_setup_env.yml@main | |
| with: | |
| run_if: ${{ fromJSON((github.event_name == 'pull_request') || (github.event_name == 'workflow_dispatch') || (github.event_name == 'release' && startsWith(github.ref, 'refs/tags/tools/packchk/')) || ((github.event.schedule != '') && (!github.event.repository.private))) }} | |
| matrix_prep: | |
| needs: setup | |
| uses: Open-CMSIS-Pack/devtools/.github/workflows/shared_matrix_prep.yml@main | |
| with: | |
| workflow_name: packchk | |
| build: | |
| needs: [ setup, matrix_prep ] | |
| runs-on: ${{ matrix.runs_on }} | |
| timeout-minutes: 15 | |
| strategy: | |
| fail-fast: true | |
| matrix: ${{ fromJson(needs.matrix_prep.outputs.matrix) }} | |
| steps: | |
| - name: Harden Runner | |
| if: ${{ !github.event.repository.private }} | |
| uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout devtools | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| submodules: recursive | |
| fetch-depth: 0 | |
| # https://github.com/Open-CMSIS-Pack/devtools-build-action | |
| - name: Build packchk | |
| uses: Open-CMSIS-Pack/devtools-build-action@f447c00e0c2a58681faacce9312ead5813f93888 # arm64 | |
| with: | |
| target: packchkdist | |
| arch: ${{ matrix.arch }} | |
| - name: Archive packchk binary | |
| if: ${{ github.event_name != 'release' }} | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: packchk-${{ matrix.target }}-${{ matrix.arch }} | |
| path: build/tools/packchk/packchk-*-${{ matrix.target }}-${{ matrix.arch }}.* | |
| retention-days: ${{ needs.setup.outputs.retention_days }} | |
| if-no-files-found: error | |
| - name: Attach zipped binary to the release | |
| if: ${{ github.event_name == 'release' }} | |
| uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # v2 | |
| with: | |
| repo_token: ${{ secrets.GITHUB_TOKEN }} | |
| tag: ${{ github.ref }} | |
| overwrite: true | |
| file_glob: true | |
| file: build/tools/packchk/packchk-*-${{ matrix.target }}-${{ matrix.arch }}.* | |
| test: | |
| needs: [ setup, matrix_prep ] | |
| runs-on: ${{ matrix.runs_on }} | |
| timeout-minutes: 15 | |
| strategy: | |
| fail-fast: false | |
| matrix: ${{ fromJson(needs.matrix_prep.outputs.matrix) }} | |
| steps: | |
| - name: Harden Runner | |
| if: ${{ !github.event.repository.private }} | |
| uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout devtools | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| submodules: recursive | |
| # https://github.com/Open-CMSIS-Pack/devtools-build-action | |
| - name: Build PackChkUnitTests | |
| uses: Open-CMSIS-Pack/devtools-build-action@f447c00e0c2a58681faacce9312ead5813f93888 # arm64 | |
| with: | |
| arch: ${{ matrix.arch }} | |
| build_type: Debug | |
| target: PackChkUnitTests | |
| - name: Run packchk unit tests | |
| if: matrix.arch != 'arm64' | |
| run: | | |
| ctest -V -R PackChkUnitTests | |
| working-directory: ./build | |
| # https://github.com/Open-CMSIS-Pack/devtools-build-action | |
| - name: Build PackChkIntegTests | |
| uses: Open-CMSIS-Pack/devtools-build-action@f447c00e0c2a58681faacce9312ead5813f93888 # arm64 | |
| with: | |
| arch: ${{ matrix.arch }} | |
| build_type: Debug | |
| target: PackChkIntegTests | |
| - name: Run packchk integ tests | |
| if: matrix.arch != 'arm64' | |
| run: | | |
| ctest -V -R PackChkIntegTests | |
| working-directory: ./build | |
| - name: Archive unit test results | |
| if: always() && (matrix.arch != 'arm64') | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: unit_test_result_packchk-${{ matrix.target }}-${{ matrix.arch }} | |
| path: ./build/test_reports/packchkunittests-*.xml | |
| if-no-files-found: error | |
| retention-days: ${{ needs.setup.outputs.retention_days }} | |
| - name: Archive integration test results | |
| if: always() && (matrix.arch != 'arm64') | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: integ_test_result_packchk-${{ matrix.target }}-${{ matrix.arch }} | |
| path: ./build/test_reports/packchkintegtests-*.xml | |
| if-no-files-found: error | |
| retention-days: ${{ needs.setup.outputs.retention_days }} | |
| coverage: | |
| if: | | |
| (github.event_name == 'pull_request') || | |
| (github.event_name == 'workflow_dispatch') || | |
| (github.event_name == 'push') || | |
| (github.event_name == 'release' && startsWith(github.ref, 'refs/tags/tools/packchk/')) || | |
| ((github.event.schedule != '') && (!github.event.repository.private)) | |
| env: | |
| lcov_base: https://github.com/linux-test-project/lcov/releases/download/v1.15/ | |
| lcov_installer: lcov-1.15.tar.gz | |
| runs-on: ubuntu-22.04 | |
| timeout-minutes: 15 | |
| steps: | |
| - name: Harden Runner | |
| if: ${{ !github.event.repository.private }} | |
| uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 | |
| with: | |
| egress-policy: audit | |
| - name: Install dependencies | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install \ | |
| lcov | |
| - name: Checkout devtools | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| submodules: recursive | |
| # https://github.com/Open-CMSIS-Pack/devtools-build-action | |
| - name: Build PackChkUnitTests | |
| uses: Open-CMSIS-Pack/devtools-build-action@f447c00e0c2a58681faacce9312ead5813f93888 # arm64 | |
| with: | |
| add_cmake_variables: -DCOVERAGE=ON | |
| arch: amd64 | |
| build_type: Debug | |
| target: PackChkUnitTests | |
| # https://github.com/Open-CMSIS-Pack/devtools-build-action | |
| - name: Build PackChkIntegTests | |
| uses: Open-CMSIS-Pack/devtools-build-action@f447c00e0c2a58681faacce9312ead5813f93888 # arm64 | |
| with: | |
| add_cmake_variables: -DCOVERAGE=ON | |
| arch: amd64 | |
| build_type: Debug | |
| target: PackChkIntegTests | |
| - name: Run packchk tests | |
| run: | | |
| ctest -V -C Debug -R PackChkUnitTests | |
| ctest -V -C Debug -R PackChkIntegTests | |
| working-directory: ./build | |
| - name: Get retention days | |
| id: var | |
| run: | | |
| echo "retention_days=$(echo '${{ (!github.event.repository.private && (github.event_name == 'push' || github.event.schedule != '')) && '7' || '1' }}')" >> $GITHUB_OUTPUT | |
| - name: Archive unit test results | |
| if: (github.event_name == 'push') | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: unit_test_result_packchk-linux-amd64 | |
| path: ./build/test_reports/packchkunittests-*.xml | |
| if-no-files-found: error | |
| retention-days: ${{ steps.var.outputs.retention_days }} | |
| - name: Archive integration test results | |
| if: (github.event_name == 'push') | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: integ_test_result_packchk-linux-amd64 | |
| path: ./build/test_reports/packchkintegtests-*.xml | |
| if-no-files-found: error | |
| retention-days: ${{ steps.var.outputs.retention_days }} | |
| # Needs to be removed once the bug is resolved | |
| # lcov reporting 1.14 on 1.15 version | |
| # https://groups.google.com/g/linux.debian.bugs.dist/c/a9SZGCENJ2s?pli=1 | |
| - name: Setup lcov1.15 | |
| run: | | |
| wget -q ${{ env.lcov_base }}/${{ env.lcov_installer }} | |
| tar -xvf ${{ env.lcov_installer }} | |
| working-directory: ./build/tools/packchk | |
| - name: Generate coverage report | |
| run: | | |
| lcov-1.15/bin/lcov --rc lcov_branch_coverage=1 --rc geninfo_no_exception_branch=1 -c --directory . --output-file full_coverage.info | |
| lcov-1.15/bin/lcov --rc lcov_branch_coverage=1 --rc geninfo_no_exception_branch=1 -e full_coverage.info '*/tools/packchk/include/*' '*/tools/packchk/src/*' -o coverage_packchk.info | |
| genhtml coverage_packchk.info --output-directory coverage_packchk --branch-coverage | |
| working-directory: ./build/tools/packchk | |
| - name: Upload Report to Codecov | |
| if: ${{ !github.event.repository.private }} | |
| uses: Wandalen/wretry.action@e68c23e6309f2871ca8ae4763e7629b9c258e1ea # v3.8.0 | |
| with: | |
| action: codecov/codecov-action@v4 | |
| with: | | |
| files: ./build/tools/packchk/coverage_packchk.info | |
| fail_ci_if_error: true | |
| flags: packchk-cov | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| verbose: true | |
| attempt_limit: 3 | |
| attempt_delay: 5000 | |
| - name: Archive coverage report | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: coverage-report-packchk | |
| path: | | |
| ./build/tools/packchk/coverage_packchk/ | |
| ./build/tools/packchk/coverage_packchk.info | |
| retention-days: ${{ steps.var.outputs.retention_days }} | |
| if-no-files-found: error | |
| release: | |
| if: | | |
| github.event_name == 'release' && | |
| startsWith(github.ref, 'refs/tags/tools/packchk/') | |
| needs: [ build, test, coverage ] | |
| runs-on: ubuntu-22.04 | |
| timeout-minutes: 15 | |
| steps: | |
| - name: Checkout devtools | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Create distribution folders | |
| run: | | |
| mkdir -p tools/packchk/distribution/ | |
| - name: Download coverage report | |
| uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 | |
| with: | |
| name: coverage-report-packchk | |
| path: tools/packchk/distribution/coverage/ | |
| - name: Zip distribution folder | |
| run: zip -r code-coverage.zip * | |
| working-directory: tools/packchk/distribution | |
| - name: Attach zip archive to release assets | |
| uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # v2 | |
| with: | |
| repo_token: ${{ secrets.GITHUB_TOKEN }} | |
| file: tools/packchk/distribution/code-coverage.zip | |
| tag: ${{ github.ref }} | |
| overwrite: true | |
| asset_name: code-coverage.zip | |
| test-results-preparation: | |
| name: "Publish Tests Results" | |
| needs: [ test ] | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Harden Runner | |
| if: ${{ !github.event.repository.private }} | |
| uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 | |
| with: | |
| egress-policy: audit | |
| - name: Event File | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: Event File packchk | |
| path: ${{ github.event_path }} |