name: Build ripunzip

# Two triggers: a manual dispatch (optionally overriding the upstream refs) and
# pull requests that modify this workflow file itself.
on:
  workflow_dispatch:
    inputs:
      ripunzip-version:
        description: 'What reference to checkout from google/ripunzip. Latest by default'
        required: false
      openssl-version:
        description: 'What reference to checkout from openssl/openssl for Linux. Latest by default'
        required: false
      open-pr:
        description: 'Open a pull request updating the ripunzip versions committed to lfs'
        required: false
        # No `type:` is declared for this input; the publish job gates on the
        # string comparison `inputs.open-pr == 'true'`.
        default: true  # will be false on PRs
  pull_request:
    paths:
      - .github/workflows/build-ripunzip.yml

# Deny-by-default token scope: every job starts with no GITHUB_TOKEN
# permissions and must request what it needs in its own `permissions:` block.
permissions: {}

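jobs:
  # NOTE(review): every `uses:` below references an action by a mutable
  # major-version tag (@v4 / @v5). Pinning each one to a full commit SHA would
  # keep a moved tag from changing what runs here, which matters most for the
  # publish job and its write-scoped token.

  # Resolves the upstream refs to build. An explicit workflow_dispatch input
  # wins; otherwise the tag name reported by `gh release view` is used.
  versions:
    runs-on: ubuntu-slim
    outputs:
      ripunzip-version: ${{ inputs.ripunzip-version || steps.fetch-ripunzip-version.outputs.version }}
      openssl-version: ${{ inputs.openssl-version || steps.fetch-openssl-version.outputs.version }}
    steps:
      - name: Fetch latest ripunzip version
        id: fetch-ripunzip-version
        if: "!inputs.ripunzip-version"
        # The repository name reaches the script through the REPO env var, so
        # the same anchored command is reused for both lookups.
        run: &fetch-version
          echo "version=$(gh release view --repo $REPO --json tagName --jq .tagName)" | tee -a $GITHUB_OUTPUT
        env:
          REPO: "google/ripunzip"
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Fetch latest openssl version
        id: fetch-openssl-version
        if: "!inputs.openssl-version"
        run: *fetch-version
        env:
          REPO: "openssl/openssl"
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # Builds ripunzip from third-party sources on each OS. This job declares no
  # `permissions:`, so it runs under the workflow-level `permissions: {}`.
  build:
    needs: versions
    strategy:
      fail-fast: false
      matrix:
        os:
          - ubuntu-22.04  # keep at lowest supported ubuntu version for broader glibc compatibility
          - macos-15
          - windows-2025
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v5
        with:
          repository: google/ripunzip
          ref: ${{ needs.versions.outputs.ripunzip-version }}
          # No later step in this job uses git with authentication, and the
          # build steps run upstream code; do not leave the token in .git/config.
          persist-credentials: false
      # we need to avoid ripunzip dynamically linking into libssl
      # see https://github.com/sfackler/rust-openssl/issues/183
      - if: runner.os == 'Linux'
        name: checkout openssl
        uses: actions/checkout@v5
        with:
          repository: openssl/openssl
          path: openssl
          ref: ${{ needs.versions.outputs.openssl-version }}
          # Same reasoning as the ripunzip checkout above.
          persist-credentials: false
      - if: runner.os == 'Linux'
        name: build and install openssl with fPIC
        shell: bash
        working-directory: openssl
        run: |
          ./config -fPIC --prefix=$HOME/.local --openssldir=$HOME/.local/ssl
          make -j $(nproc)
          make install_sw -j $(nproc)
      - if: runner.os == 'Linux'
        name: build (linux)
        shell: bash
        # Points the build at the OpenSSL installed under $HOME/.local by the
        # previous step and requests static linking (OPENSSL_STATIC=yes).
        run: |
          env OPENSSL_LIB_DIR=$HOME/.local/lib64 OPENSSL_INCLUDE_DIR=$HOME/.local/include OPENSSL_STATIC=yes cargo build --release
          mv target/release/ripunzip ripunzip-linux
      - if: runner.os == 'Windows'
        name: build (windows)
        shell: bash
        run: |
          cargo build --release
          mv target/release/ripunzip ripunzip-windows
      - name: build (macOS)
        if: runner.os == 'macOS'
        shell: bash
        # Builds both Apple architectures and merges them into one binary.
        run: |
          rustup target install x86_64-apple-darwin
          rustup target install aarch64-apple-darwin
          cargo build --target x86_64-apple-darwin --release
          cargo build --target aarch64-apple-darwin --release
          lipo -create -output ripunzip-macos \
            -arch x86_64 target/x86_64-apple-darwin/release/ripunzip \
            -arch arm64 target/aarch64-apple-darwin/release/ripunzip
      - name: Archive
        shell: bash
        run: |
          tar acf ripunzip-$RUNNER_OS.tar.zst ripunzip-$(echo $RUNNER_OS | tr '[:upper:]' '[:lower:]')
      - name: Upload built binary
        uses: actions/upload-artifact@v4
        with:
          name: ripunzip-${{ runner.os }}
          path: ripunzip-${{ runner.os }}.tar.zst
          retention-days: 5
          compression: 0
      - name: Check built binary
        shell: bash
        # The archive is removed first so the glob below matches only the binary.
        run: |
          rm -f ripunzip-*.tar.zst
          ./ripunzip-* --version

  # Commits the built archives under misc/ripunzip and opens (or updates) a
  # draft pull request. This is the only job that requests write permissions.
  publish:
    needs: [versions, build]
    if: inputs.open-pr == 'true'
    permissions:
      contents: write
      pull-requests: write
    runs-on: ubuntu-slim
    steps:
      # workaround for git-lfs not being installed yet on ubuntu-slim runners
      # NOTE(review): the git-lfs tarball is taken from whatever release
      # `gh release download` resolves, and its directory is added to PATH
      # without verifying a checksum or signature, inside the job that holds
      # the write-scoped token. Consider pinning a release tag and verifying
      # the download before use.
      # NOTE(review): TMP is not set anywhere in this workflow; confirm the
      # runner defines it, since a bare `cd` with an empty argument goes to
      # $HOME. RUNNER_TEMP is the runner-provided temporary directory.
      - name: Ensure git-lfs is installed
        shell: bash
        run: |
          if which git-lfs &>/dev/null; then
            echo "git-lfs is already installed"
            exit 0
          fi
          cd $TMP
          gh release download --repo git-lfs/git-lfs --pattern "git-lfs-linux-amd64-*.tar.gz" --clobber
          tar xzf git-lfs-linux-amd64-*.tar.gz
          rm git-lfs-linux-amd64-*.tar.gz
          cd git-lfs-*
          pwd | tee -a $GITHUB_PATH
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # Credentials stay persisted here (the checkout default): the later
      # `git push` has no other credential source configured in this job.
      - uses: actions/checkout@v5
        with:
          sparse-checkout: |
            .github
            misc/ripunzip
          lfs: true
      - name: Download built binaries
        uses: actions/download-artifact@v4
        with:
          merge-multiple: true
          path: misc/ripunzip
      - name: Open PR
        shell: bash
        # VERSION and ACTOR are passed through `env:` rather than expanded
        # inline, so the expression values never become part of the script text.
        # The branch is force-pushed; if `gh pr create` fails, the fallback
        # edits the pull request for the branch and puts it back in draft.
        run: |
          git config --global user.name "github-actions[bot]"
          git config --global user.email "github-actions[bot]@users.noreply.github.com"
          git switch -c update-ripunzip
          git add misc/ripunzip
          git commit -m "Update ripunzip binaries to version $VERSION"
          git push --set-upstream origin update-ripunzip --force
          TITLE="Update ripunzip binaries to version $VERSION"
          gh pr create \
            --draft \
            --title "$TITLE" \
            --body "Automated update of ripunzip binaries." \
            --assignee "$ACTOR" ||
            (gh pr edit --title "$TITLE" --add-assignee "$ACTOR" && gh pr ready --undo)
        env:
          ACTOR: ${{ github.actor }}
          VERSION: ${{ needs.versions.outputs.ripunzip-version }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}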