hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-15 16:23:11 +01:00
Code Issues Packages Projects Releases Wiki Activity

Ripunzip: use releases from github

Browse Source 
This uses the ripunzip releases from github instead of building them
ourselves.
This commit is contained in:
Paolo Tranquilli
2025-11-18 17:18:05 +01:00
parent f4a6ba9e50
commit ddee385f37
9 changed files with 62 additions and 200 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
.gitattributes vendored
View File

@@ -82,9 +82,6 @@
/csharp/paket.main.bzl linguist-generated=true
/csharp/paket.main_extension.bzl linguist-generated=true
# ripunzip tool
/misc/ripunzip/ripunzip-* filter=lfs diff=lfs merge=lfs -text
# swift prebuilt resources
/swift/third_party/resources/*.zip filter=lfs diff=lfs merge=lfs -text
/swift/third_party/resources/*.tar.zst filter=lfs diff=lfs merge=lfs -text

169
.github/workflows/build-ripunzip.yml vendored
View File

@@ -1,169 +0,0 @@
name: Build ripunzip
on:
workflow_dispatch:
inputs:
ripunzip-version:
description: What reference to checkout from google/ripunzip. Latest by default
required: false
openssl-version:
description: What reference to checkout from openssl/openssl for Linux. Latest by default
required: false
open-pr:
description: Open a pull request updating the ripunzip versions committed to lfs
required: false
default: true # will be false on PRs
pull_request:
paths:
- .github/workflows/build-ripunzip.yml
permissions: {}
jobs:
versions:
runs-on: ubuntu-slim
outputs:
ripunzip-version: ${{ inputs.ripunzip-version || steps.fetch-ripunzip-version.outputs.version }}
openssl-version: ${{ inputs.openssl-version || steps.fetch-openssl-version.outputs.version }}
steps:
- name: Fetch latest ripunzip version
id: fetch-ripunzip-version
if: "!inputs.ripunzip-version"
run: &fetch-version
echo "version=$(gh release view --repo $REPO --json tagName --jq .tagName)" | tee -a $GITHUB_OUTPUT
env:
REPO: "google/ripunzip"
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Fetch latest openssl version
id: fetch-openssl-version
if: "!inputs.openssl-version"
run: *fetch-version
env:
REPO: "openssl/openssl"
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
build:
needs: versions
strategy:
fail-fast: false
matrix:
os:
- ubuntu-22.04 # keep at lowest supported ubuntu version for broader glibc compatibility
- macos-15
- windows-2025
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v5
with:
repository: google/ripunzip
ref: ${{ needs.versions.outputs.ripunzip-version }}
# we need to avoid ripunzip dynamically linking into libssl
# see https://github.com/sfackler/rust-openssl/issues/183
- if: runner.os == 'Linux'
name: checkout openssl
uses: actions/checkout@v5
with:
repository: openssl/openssl
path: openssl
ref: ${{ needs.versions.outputs.openssl-version }}
- if: runner.os == 'Linux'
name: build and install openssl with fPIC
shell: bash
working-directory: openssl
run: |
./config -fPIC --prefix=$HOME/.local --openssldir=$HOME/.local/ssl
make -j $(nproc)
make install_sw -j $(nproc)
- if: runner.os == 'Linux'
name: build (linux)
shell: bash
run: |
env OPENSSL_LIB_DIR=$HOME/.local/lib64 OPENSSL_INCLUDE_DIR=$HOME/.local/include OPENSSL_STATIC=yes cargo build --release
mv target/release/ripunzip ripunzip-linux
- if: runner.os == 'Windows'
name: build (windows)
shell: bash
run: |
cargo build --release
mv target/release/ripunzip ripunzip-windows
- name: build (macOS)
if: runner.os == 'macOS'
shell: bash
run: |
rustup target install x86_64-apple-darwin
rustup target install aarch64-apple-darwin
cargo build --target x86_64-apple-darwin --release
cargo build --target aarch64-apple-darwin --release
lipo -create -output ripunzip-macos \
-arch x86_64 target/x86_64-apple-darwin/release/ripunzip \
-arch arm64 target/aarch64-apple-darwin/release/ripunzip
- name: Archive
shell: bash
run: |
tar acf ripunzip-$RUNNER_OS.tar.zst ripunzip-$(echo $RUNNER_OS | tr '[:upper:]' '[:lower:]')
- name: Upload built binary
uses: actions/upload-artifact@v4
with:
name: ripunzip-${{ runner.os }}
path: ripunzip-${{ runner.os }}.tar.zst
retention-days: 5
compression: 0
- name: Check built binary
shell: bash
run: |
rm -f ripunzip-*.tar.zst
./ripunzip-* --version
publish:
needs: [versions, build]
if: inputs.open-pr == 'true'
permissions:
contents: write
pull-requests: write
runs-on: ubuntu-slim
steps:
# workaround for git-lfs not being installed yet on ubuntu-slim runners
- name: Ensure git-lfs is installed
shell: bash
run: |
if which git-lfs &>/dev/null; then
echo "git-lfs is already installed"
exit 0
fi
cd $TMP
gh release download --repo git-lfs/git-lfs --pattern "git-lfs-linux-amd64-*.tar.gz" --clobber
tar xzf git-lfs-linux-amd64-*.tar.gz
rm git-lfs-linux-amd64-*.tar.gz
cd git-lfs-*
pwd | tee -a $GITHUB_PATH
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- uses: actions/checkout@v5
with:
sparse-checkout: |
.github
misc/ripunzip
lfs: true
- name: Download built binaries
uses: actions/download-artifact@v4
with:
merge-multiple: true
path: misc/ripunzip
- name: Open PR
shell: bash
run: |
git config --global user.name "github-actions[bot]"
git config --global user.email "github-actions[bot]@users.noreply.github.com"
git switch -c update-ripunzip
git add misc/ripunzip
git commit -m "Update ripunzip binaries to version $VERSION"
git push --set-upstream origin update-ripunzip --force
TITLE="Update ripunzip binaries to version $VERSION"
gh pr create \
--draft \
--title "$TITLE" \
--body "Automated update of ripunzip binaries." \
--assignee "$ACTOR" ||
(gh pr edit --title "$TITLE" --add-assignee "$ACTOR" && gh pr ready --undo)
env:
ACTOR: ${{ github.actor }}
VERSION: ${{ needs.versions.outputs.ripunzip-version }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

26
MODULE.bazel
View File

@@ -269,24 +269,16 @@ go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
go_deps.from_file(go_mod = "//go/extractor:go.mod")
use_repo(go_deps, "org_golang_x_mod", "org_golang_x_tools")
lfs_archive = use_repo_rule("//misc/bazel:lfs.bzl", "lfs_archive")
ripunzip_archive = use_repo_rule("//misc/ripunzip:ripunzip.bzl", "ripunzip_archive")
lfs_archive(
name = "ripunzip-linux",
src = "//misc/ripunzip:ripunzip-Linux.tar.zst",
build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
)
lfs_archive(
name = "ripunzip-windows",
src = "//misc/ripunzip:ripunzip-Windows.tar.zst",
build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
)
lfs_archive(
name = "ripunzip-macos",
src = "//misc/ripunzip:ripunzip-macOS.tar.zst",
build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
# go to https://github.com/GoogleChrome/ripunzip/releases to find latest version and corresponding sha256s
ripunzip_archive(
name = "ripunzip",
version = "2.0.3",
sha256_linux = "ee0e8a957687a5dc3a66b2a4b25883bf762df4c9c07f0651af527a32a405054b",
sha256_windows = "66d0c1375301bf5ab815348048f43b110631d3fa7200acd50d50a8ed8655ca62",
sha256_macos_intel = "4457a18bfcc5feabe09f5ea3d1157128e07b4873392cb404a870e611924abf64",
sha256_macos_arm = "8a88eea54eac232d162a72a42065e0429b82dbf4f05e9642915dff9d7a81f846",
)
register_toolchains(

2
misc/ripunzip/BUILD.bazel
View File

@@ -2,7 +2,7 @@ load("@rules_shell//shell:sh_binary.bzl", "sh_binary")
alias(
name = "ripunzip",
actual = select({"@platforms//os:" + os: "@ripunzip-%s//:ripunzip" % os for os in ("linux", "windows", "macos")}),
actual = "@ripunzip",
visibility = ["//visibility:public"],
)

2
misc/ripunzip/BUILD.ripunzip.bazel
View File

@@ -2,7 +2,7 @@ load("@bazel_skylib//rules:native_binary.bzl", "native_binary")
native_binary(
name = "ripunzip",
src = glob(["ripunzip-*"])[0],
src = glob(["bin/ripunzip*"])[0],
out = "ripunzip" + select({
"@platforms//os:windows": ".exe",
"//conditions:default": "",

BIN
misc/ripunzip/ripunzip-Linux.tar.zst (Stored with Git LFS)
View File

Binary file not shown.

BIN
misc/ripunzip/ripunzip-Windows.tar.zst (Stored with Git LFS)
View File

Binary file not shown.

BIN
misc/ripunzip/ripunzip-macOS.tar.zst (Stored with Git LFS)
View File

Binary file not shown.

51
misc/ripunzip/ripunzip.bzl Normal file
View File

@@ -0,0 +1,51 @@
def _impl(repository_ctx):
version = repository_ctx.attr.version
url_prefix = "https://github.com/GoogleChrome/ripunzip/releases/download/v%s" % version
build_file = Label("//misc/ripunzip:BUILD.ripunzip.bazel")
if repository_ctx.os.name == "linux":
repository_ctx.download_and_extract(
url="%s/ripunzip_%s-1_amd64.deb" % (url_prefix, version),
sha256=repository_ctx.attr.sha256_linux,
canonical_id="ripunzip-deb",
output="deb",
)
repository_ctx.extract(
"deb/data.tar.xz",
strip_prefix="usr",
)
elif repository_ctx.os.name == "windows":
repository_ctx.download_and_extract(
url="%s/ripunzip_v%s-x86_64-pc-windows-msvc.zip" % (url_prefix, version),
sha256=repository_ctx.attr.sha256_windows,
output="bin",
)
elif repository_ctx.os.name == "macos":
arch = repository_ctx.os.arch
if arch == "x86_64":
suffix = "x86_64-apple-darwin"
sha256 = repository_ctx.attr.sha256_macos_intel
elif arch == "aarch64":
suffix = "aarch64-apple-darwin"
sha256 = repository_ctx.attr.sha256_macos_arm
else:
fail("Unsupported macOS architecture: %s" % arch)
repository_ctx.download_and_extract(
url="%s/ripunzip_v%s-%s.tar.gz" % (url_prefix, version, suffix),
sha256=sha256,
output="bin",
)
else:
fail("Unsupported OS: %s" % repository_ctx.os.name)
repository_ctx.file("WORKSPACE.bazel")
repository_ctx.symlink(build_file, "BUILD.bazel")
ripunzip_archive = repository_rule(
implementation=_impl,
attrs={
"version": attr.string(mandatory=True),
"sha256_linux": attr.string(mandatory=True),
"sha256_windows": attr.string(mandatory=True),
"sha256_macos_intel": attr.string(mandatory=True),
"sha256_macos_arm": attr.string(mandatory=True),
},
)