Do not allow to sign encrypted documents #2241
| name: CI | |
| on: [push, pull_request] | |
| permissions: | |
| contents: read | |
| env: | |
| BUILD_NUMBER: ${{ github.run_number }} | |
| CMAKE_BUILD_PARALLEL_LEVEL: 4 | |
| UBUNTU_DEPS: ./libdigidocpp-pkg/*.deb cmake libldap2-dev gettext libpcsclite-dev libssl-dev libgl-dev libqt6svg6-dev qt6-tools-dev qt6-tools-dev-tools qt6-l10n-tools libflatbuffers-dev zlib1g-dev | |
| jobs: | |
| macos: | |
| name: Build on macOS | |
| runs-on: macos-latest | |
| env: | |
| MACOSX_DEPLOYMENT_TARGET: 13.0 | |
| LIBS_PATH: ${{ github.workspace }}/cache | |
| steps: | |
| - &Checkout | |
| name: Checkout | |
| uses: actions/checkout@v5 | |
| with: | |
| submodules: recursive | |
| - name: Download artifact | |
| uses: dawidd6/action-download-artifact@v11 | |
| with: | |
| workflow: build.yml | |
| branch: master | |
| name: macos | |
| path: libdigidocpp-pkg | |
| repo: open-eid/libdigidocpp | |
| - name: Install dependencies | |
| run: | | |
| brew install flatbuffers | |
| brew upgrade cmake || true | |
| curl -O -L -s https://installer.id.ee/media/github/opensc_0.26.1.pkg | |
| sudo installer -verboseR -pkg libdigidocpp-pkg/build/macos/libdigidocpp*.pkg -target / | |
| sudo installer -verboseR -pkg opensc_*.pkg -target / | |
| rm -rf libdigidocpp-pkg | |
| - name: Cache libraries | |
| uses: actions/cache@v4 | |
| with: | |
| path: ${{ env.LIBS_PATH }} | |
| key: vcpkg-macOS-${{ hashFiles('prepare_osx_build_environment.sh') }} | |
| - name: Build libraries | |
| run: | | |
| mkdir -p ${LIBS_PATH}/Qt-6.10.1-OpenSSL | |
| ./prepare_osx_build_environment.sh -p ${LIBS_PATH} | |
| - name: Install Qt | |
| uses: jurplel/install-qt-action@v4 | |
| with: | |
| version: 6.10.1 | |
| arch: clang_64 | |
| - name: Build | |
| run: | | |
| cmake "-GNinja" -B build -S . -DCMAKE_BUILD_TYPE=RelWithDebInfo \ | |
| -DOPENSSL_ROOT_DIR=${LIBS_PATH}/OpenSSL \ | |
| -DLDAP_ROOT=${LIBS_PATH}/OpenLDAP \ | |
| -DCMAKE_OSX_ARCHITECTURES="x86_64;arm64" | |
| cmake --build build | |
| cmake --build build --target zipdebug | |
| cmake --build build --target macdeployqt | |
| cmake --build build --target zip | |
| - name: Archive artifacts | |
| uses: actions/upload-artifact@v5 | |
| with: | |
| name: macOS | |
| path: build/qdigidoc4*.zip | |
| ubuntu: | |
| name: Build on Ubuntu ${{ matrix.container }} ${{ matrix.arch }} | |
| runs-on: ubuntu-24.04${{ matrix.arch == 'arm64' && '-arm' || '' }} | |
| container: ubuntu:${{ matrix.container }} | |
| strategy: | |
| matrix: | |
| container: ['22.04', '24.04', '25.04', '25.10'] | |
| arch: ['amd64', 'arm64'] | |
| env: | |
| DEBIAN_FRONTEND: noninteractive | |
| DEBFULLNAME: github-actions | |
| DEBEMAIL: [email protected] | |
| steps: | |
| - name: Download artifact | |
| uses: dawidd6/action-download-artifact@v11 | |
| with: | |
| workflow: build.yml | |
| branch: master | |
| name: ubuntu_${{ matrix.container }}_${{ matrix.arch }} | |
| path: libdigidocpp-pkg | |
| repo: open-eid/libdigidocpp | |
| - name: Install dependencies | |
| run: apt update -qq && apt install --no-install-recommends -y git lsb-release build-essential devscripts debhelper pkg-config lintian ${UBUNTU_DEPS} | |
| - name: Install gcc 12 | |
| if: matrix.container == '22.04' | |
| run: | | |
| apt install -y gcc-12 g++-12 | |
| update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-12 60 --slave /usr/bin/g++ g++ /usr/bin/g++-12 | |
| update-alternatives --set gcc /usr/bin/gcc-12 | |
| - *Checkout | |
| - name: Setup changelog | |
| run: | | |
| export VERSION=$(grep project CMakeLists.txt | egrep -o "([0-9]{1,}\.)+[0-9]{1,}") | |
| export VERSIONEX=${VERSION}.${BUILD_NUMBER}.$(lsb_release -rs) | |
| dch --distribution $(lsb_release -cs) -v ${VERSIONEX} "Release ${VERSIONEX}." | |
| - name: Build packages | |
| run: | | |
| dpkg-buildpackage -us -uc | |
| mv ../qdigidoc4*.* . | |
| - name: Lintian | |
| run: lintian *.deb; | |
| - name: Archive artifacts | |
| uses: actions/upload-artifact@v5 | |
| with: | |
| name: ubuntu_${{ matrix.container }}_${{ matrix.arch }} | |
| path: qdigidoc4*.* | |
| fedora: | |
| name: Build on Fedora ${{ matrix.container }} | |
| runs-on: ubuntu-latest | |
| container: fedora:${{ matrix.container }} | |
| strategy: | |
| matrix: | |
| container: [42, 43] | |
| steps: | |
| - name: Download artifact | |
| uses: dawidd6/action-download-artifact@v11 | |
| with: | |
| workflow: build.yml | |
| branch: master | |
| name: fedora_${{ matrix.container }} | |
| path: libdigidocpp-pkg | |
| repo: open-eid/libdigidocpp | |
| - name: Install Deps | |
| run: dnf install -y ./libdigidocpp-pkg/*.rpm git gcc-c++ cmake rpm-build gettext openssl-devel openldap-devel pcsc-lite-devel qt6-qtsvg-devel qt6-qttools-devel flatbuffers-devel flatbuffers-compiler zlib-devel | |
| - *Checkout | |
| - name: Build | |
| run: | | |
| cmake -DCMAKE_INSTALL_PREFIX=/usr -B build -S . | |
| cmake --build build --target all package | |
| - name: Archive artifacts | |
| uses: actions/upload-artifact@v5 | |
| with: | |
| name: fedora_${{ matrix.container }} | |
| path: build/qdigidoc4*.rpm | |
| windows: | |
| name: Build on Windows | |
| runs-on: windows-2025 | |
| strategy: | |
| matrix: | |
| vcver: [143] | |
| env: | |
| VER_SUFFIX: .VS${{ matrix.vcver }} | |
| steps: | |
| - *Checkout | |
| - name: Download artifact | |
| uses: dawidd6/action-download-artifact@v11 | |
| with: | |
| workflow: build.yml | |
| branch: master | |
| name: msi_${{ matrix.vcver }}_x64 | |
| path: ./ | |
| repo: open-eid/libdigidocpp | |
| - name: Install artifact | |
| run: | | |
| Rename-Item "libdigidocpp*.msi" libdigidocpp.msi | |
| msiexec /qn /i libdigidocpp.msi | |
| - name: Cache vcpkg | |
| uses: actions/cache@v4 | |
| with: | |
| path: ${{ github.workspace }}/vcpkg_cache | |
| key: vcpkg-${{ matrix.vcver }}-${{ hashFiles('vcpkg.json') }} | |
| - name: Prepare vcpkg | |
| uses: lukka/run-vcpkg@v11 | |
| with: | |
| vcpkgJsonGlob: ./vcpkg.json | |
| runVcpkgInstall: true | |
| env: | |
| VCPKG_BINARY_SOURCES: clear;files,${{ github.workspace }}/vcpkg_cache,readwrite | |
| VCPKG_INSTALLED_DIR: ${{ github.workspace }}/build/vcpkg_installed | |
| - name: Install Qt | |
| uses: jurplel/install-qt-action@v4 | |
| with: | |
| version: 6.10.1 | |
| arch: win64_msvc2022_64 | |
| - name: Setup dev env | |
| uses: ilammy/msvc-dev-cmd@v1 | |
| with: | |
| arch: x64 | |
| - name: Install WiX | |
| run: | | |
| dotnet tool install -g wix --version 6.0.2 | |
| wix extension -g add WixToolset.UI.wixext/6.0.2 | |
| - name: Build | |
| run: | | |
| cmake "-GNinja" -B build -S . -DCMAKE_BUILD_TYPE=RelWithDebInfo ` | |
| -DCMAKE_TOOLCHAIN_FILE=${{ env.RUNVCPKG_VCPKG_ROOT }}/scripts/buildsystems/vcpkg.cmake | |
| cmake --build build --target msi | |
| cmake --build build --target msishellext | |
| cmake --build build --target appx | |
| - name: Archive artifacts | |
| uses: actions/upload-artifact@v5 | |
| with: | |
| name: msi_${{ matrix.vcver }}_x64 | |
| path: | | |
| build/*.msi | |
| build/*.appx | |
| coverity: | |
| name: Run Coverity tests | |
| if: github.repository == 'open-eid/DigiDoc4-Client' && contains(github.ref, 'coverity_scan') | |
| runs-on: ubuntu-24.04 | |
| env: | |
| TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }} | |
| PROJECTNAME: open-eid/DigiDoc4-Client | |
| steps: | |
| - *Checkout | |
| - name: Download artifact | |
| uses: dawidd6/action-download-artifact@v11 | |
| with: | |
| workflow: build.yml | |
| branch: master | |
| name: ubuntu_24.04_amd64 | |
| path: libdigidocpp-pkg | |
| repo: open-eid/libdigidocpp | |
| - name: Install dependencies | |
| run: sudo apt update -qq && sudo apt install --no-install-recommends -y ${UBUNTU_DEPS} | |
| - name: Download Coverity Build Tool | |
| run: | | |
| curl -s -d "token=$TOKEN&project=$PROJECTNAME" -o cov-analysis-linux64.tar.gz https://scan.coverity.com/download/cxx/linux64 | |
| mkdir cov-analysis-linux64 | |
| tar xzf cov-analysis-linux64.tar.gz --strip 1 -C cov-analysis-linux64 | |
| - name: Build | |
| run: | | |
| cmake . | |
| export PATH=$PWD/cov-analysis-linux64/bin:$PATH | |
| cov-build --dir cov-int make | |
| - name: Submit the result to Coverity Scan | |
| run: | | |
| tar czvf upload.tgz cov-int | |
| curl -s \ | |
| -F project=$PROJECTNAME \ | |
| -F token=$TOKEN \ | |
| -F [email protected] \ | |
| -F [email protected] \ | |
| -F version=master \ | |
| -F description="Github Actions CI build" \ | |
| https://scan.coverity.com/builds?project=$PROJECTNAME | |
| codeql: | |
| name: Run CodeQL tests | |
| if: github.repository == 'open-eid/DigiDoc4-Client' | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| security-events: write | |
| steps: | |
| - *Checkout | |
| - name: Download artifact | |
| uses: dawidd6/action-download-artifact@v11 | |
| with: | |
| workflow: build.yml | |
| branch: master | |
| name: ubuntu_24.04_amd64 | |
| path: libdigidocpp-pkg | |
| repo: open-eid/libdigidocpp | |
| - name: Install dependencies | |
| run: sudo apt update -qq && sudo apt install --no-install-recommends -y ${UBUNTU_DEPS} | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v4 | |
| with: | |
| languages: cpp | |
| queries: +security-and-quality | |
| - name: Autobuild | |
| uses: github/codeql-action/autobuild@v4 | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v4 | |
| with: | |
| upload: False | |
| output: sarif-results | |
| - name: Filter results | |
| uses: advanced-security/filter-sarif@develop | |
| with: | |
| patterns: | | |
| -**/*autogen*/** | |
| -**/common/qtsingleapplication/** | |
| -**:cpp/loop-variable-changed | |
| -**:cpp/poorly-documented-function | |
| input: sarif-results/cpp.sarif | |
| output: sarif-results/cpp.sarif | |
| - name: Upload results | |
| uses: github/codeql-action/upload-sarif@v4 | |
| with: | |
| sarif_file: sarif-results/cpp.sarif |
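Review bot: Several third-party actions in this workflow are referenced by mutable refs, and the Filter results step (`uses: advanced-security/filter-sarif@develop`) tracks a moving branch, so the code that rewrites the SARIF before upload can change without any commit here; pinning to a full commit SHA with the tag as a trailing comment, e.g. `uses: advanced-security/filter-sarif@<commit-sha>  # develop`, gives the same protection the `security-events: write` scope of the codeql job deserves, and the same applies to `dawidd6/action-download-artifact@v11`, `jurplel/install-qt-action@v4`, `lukka/run-vcpkg@v11` and `ilammy/msvc-dev-cmd@v1`. In the macOS Install dependencies step the OpenSC package is fetched with curl and handed straight to `sudo installer` with no integrity check; a line such as `echo "<expected-sha256>  opensc_0.26.1.pkg" | shasum -a 256 -c -` between the download and the install would fail the job on a tampered or truncated download, and the Coverity tool tarball in the coverity job is unpacked the same unverified way (a checksum is presumably not published for it, so that one may have to stay as is). Two scalar-typing nits: `upload: False` in the Perform CodeQL Analysis step should be the canonical `upload: false`, and `MACOSX_DEPLOYMENT_TARGET: 13.0` is a YAML float that some loaders render as `13`, so `MACOSX_DEPLOYMENT_TARGET: "13.0"` is the safe form.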