name: GitHub CI on: push: branches: [master, ci, coverity_scan] pull_request: jobs: build: runs-on: ${{ matrix.os }} name: build(${{ matrix.msystem || matrix.docker_image || matrix.os }}, ${{ matrix.cc }}${{ matrix.api && ', ' }}${{ matrix.api }}) strategy: fail-fast: false matrix: include: # Enable distcheck for one build - os: ubuntu-latest cc: gcc do_distc: yes # Run Coverity on a clang build; Coverity's gcc causes issues - os: ubuntu-latest cc: clang do_coverity: yes # Add a tcc build - os: ubuntu-latest cc: tcc ld: tcc # Add docker-build on Alpine - os: ubuntu-latest cc: gcc docker_image: alpine:latest shell: '/usr/bin/docker exec dockerciimage sh -e {0}' art_reg_skip: 'font_nonunicode' # Add docker-build with minimum version of dependencies - os: ubuntu-latest cc: gcc docker_image: oldlibs docker_pullprefix: 'ghcr.io/theoneric/libass-containers/' shell: '/usr/bin/docker exec dockerciimage sh -e {0}' # Crash Tests detect (false?) leaks in Fontconfig, and # various regression test fail, assumed due to older deps skip_tests: yes # MacOS build - os: macos-latest cc: clang # Add a Windows build (MinGW-gcc via MSYS2) with no extras - os: windows-2019 msystem: MINGW32 cc: gcc api: desktop shell: 'msys2 {0}' package_prefix: mingw-w64-i686 # Add a best-effort build for UWP apps for Microsoft Store - os: windows-2019 msystem: UCRT64 cc: gcc api: app extra_cflags: -DWINAPI_FAMILY=WINAPI_FAMILY_APP -specs=/tmp/windowsapp.specs shell: 'msys2 {0}' package_prefix: mingw-w64-ucrt-x86_64 defaults: run: shell: ${{ matrix.shell || 'bash' }} env: ART_SAMPLES: ext_art-samples steps: - name: checkout code uses: actions/checkout@v3 - name: download test samples uses: actions/checkout@v3 with: repository: libass/libass-tests path: ${{ env.ART_SAMPLES }} - name: Start Docker if: matrix.docker_image shell: bash run: | # Note: Many containers default to the root user docker pull "${{ matrix.docker_pullprefix }}${{ matrix.docker_image }}" docker create --name dockerciimage \ -v "/home/runner/work:/home/runner/work" --workdir "$PWD" \ --entrypoint "tail" \ "${{ matrix.docker_pullprefix }}${{ matrix.docker_image }}" \ "-f" "/dev/null" docker start dockerciimage - name: Setup MSys2 uses: msys2/setup-msys2@v2 if: matrix.msystem with: msystem: ${{ matrix.msystem }} update: false - name: install deps run: | case "${{ matrix.docker_image || matrix.os }}" in macos-*) #brew update # fontconfig, freetype, autoconf and libtool are preinstalled # and `brew install` fails if a non-uptodate version is already installed #brew upgrade fontconfig freetype autoconf libtool brew install automake fribidi harfbuzz nasm ;; windows-*) pre="${{ matrix.package_prefix }}" pacman --noconfirm -S \ automake autoconf libtool nasm make \ $pre-pkg-config $pre-gcc \ $pre-fribidi $pre-freetype $pre-harfbuzz $pre-fontconfig \ $pre-libpng ;; alpine:*) apk add nasm ${{ matrix.cc }} musl-dev \ make automake autoconf libtool pkgconf \ fontconfig-dev freetype-dev fribidi-dev harfbuzz-dev \ libpng-dev ;; oldlibs) : # Everything is preinstalled ;; *) sudo apt-get update #&& sudo apt-get upgrade ubver="$(apt-cache search libubsan | awk '/^libubsan[0-9]* / {print substr($1, 9)}' | sort -rn | head -n1)" asver="$(apt-cache search libasan | awk '/^libasan[0-9]* / {print substr($1, 8)}' | sort -rn | head -n1)" sudo apt-get install -y --no-install-recommends \ autoconf automake make libtool \ libfontconfig1-dev libfreetype6-dev libfribidi-dev \ libharfbuzz-dev nasm ${{ matrix.cc }} \ libpng-dev libubsan"$ubver" libasan"$asver" ;; esac - name: Determine Sanitizer Flags id: sanitizer run: | aflags="-fsanitize=address" uflags="-fsanitize=undefined -fsanitize=float-cast-overflow" if [ "${{ startsWith(matrix.cc, 'clang') }}" = "true" ] ; then # Clang's UBSAN exits with code zero even if issues were found # This options will instead force an SIGILL, but remove a report being printed # see https://reviews.llvm.org/D35085 uflags="$uflags -fsanitize-undefined-trap-on-error" fi # UBSAN: Alpine and MSys2 doesn't ship the UBSAN library, # but when SIGILL'ing the lib is not needed # ASAN: Not supported with musl and in Windows case "${{ matrix.docker_image || matrix.os }}" in alpine*|windows-*) flags="$uflags -fsanitize-undefined-trap-on-error" ;; *) flags="$aflags $uflags" ;; esac if [ -n "$flags" ] ; then flags="$flags -fno-sanitize-recover=all" fi if [ "${{ matrix.cc }}" = "tcc" ] || [ "${{ matrix.skip_tests }}" = "yes" ] \ || [ "${{ matrix.api }}" = "app" ] ; then # FIXME: For Windows UWP, UBSAN triggers on regression/karaoke/357-k-and-kf-desynced.ass flags="" fi echo "SANFLAGS=$flags" echo "::set-output name=flags::${flags}" - name: Customize compiler if: matrix.api == 'app' && matrix.cc == 'gcc' run: > gcc -dumpspecs | sed 's/-lmsvcrt/-lucrtapp/g; s/-lkernel32/-lwindowsapp/g; s/-ladvapi32//g; s/-lshell32//g; s/-luser32//g' > /tmp/windowsapp.specs - name: configure run: | export CC="${{ matrix.cc }}\ ${{ matrix.extra_cflags && ' ' }}${{ matrix.extra_cflags }}\ ${{ steps.sanitizer.outputs.flags && ' ' }}${{ steps.sanitizer.outputs.flags }}" export LD="${{ matrix.ld }}" export ART_SAMPLES="${{ env.ART_SAMPLES }}" ./autogen.sh ./configure --enable-compare --enable-fuzz - name: distcheck if: matrix.do_distc == 'yes' run: make -j 2 distcheck - name: compile run: make -j 2 - name: run tests if: matrix.skip_tests != 'yes' run: | ART_REG_SKIP="${{ matrix.art_reg_skip }}" make -j 1 check - name: Coverity scan if: > matrix.do_coverity == 'yes' && github.repository == 'libass/libass' && github.event_name != 'pull_request' env: COVERITY_SCAN_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }} PROJECT_NAME: libass/libass NOTIFY_EMAIL: none@example.com TOOL_URL: https://scan.coverity.com/download/ UPLOAD_URL: https://scan.coverity.com/builds?project=libass%2Flibass SCAN_URL: https://scan.coverity.com RES_DIR: cov-int run: | exit_code=0 echo "Running Coverity ..." # Remove previous build output make clean # The upstream script is borked and always exits with 1 even on success # To get meaningful success/error status we're using our own script # but we still want to be informed about upstream script changes if curl -s https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh \ | shasum -a 256 \ | grep -Eq '^234d71b4a5257a79559e66dd3ba5765576d2af4845da83af4975b77b14ab536b ' then : remote unchanged else echo "Coverity's travis script changed!" exit_code=1 fi # Check if we are within quoata quota_res="$(curl -s --form project="$PROJECT_NAME" \ --form token="$COVERITY_SCAN_TOKEN" \ "$SCAN_URL"/api/upload_permitted)" if [ "$?" -ne 0 ] || [ "x$quota_res" = "xAccess denied" ] ; then echo "Coverity denied access or did not respond!" exit 1 elif echo "$quota_res" | grep -Eq 'upload_permitted": *true' ; then echo "Within Coverity quota." else echo "Exceeding Coverity quota! Try again later." echo "$quota_res" | grep -Eo 'next_upload_permitted_at":[^,}]*' exit 0 fi # Download cov tool and make it available wget -nv "$TOOL_URL""$(uname)" \ --post-data "project=$PROJECT_NAME&token=$COVERITY_SCAN_TOKEN" \ -O cov-analysis-tool.tar.gz mkdir cov-analysis-tool tar xzf cov-analysis-tool.tar.gz --strip 1 -C cov-analysis-tool export PATH="$(pwd)/cov-analysis-tool/bin:$PATH" # Coverity Build echo "Starting Coverity build..." #mkdir "$RES_DIR" # already done by cov-build COVERITY_UNSUPPORTED=1 cov-build --dir "$RES_DIR" make -j 2 cov-import-scm --dir "$RES_DIR" --scm git --log "$RES_DIR/scm_log.txt" 2>&1 # Submit results to Coverity's server tar czf libass.tar.gz "$RES_DIR" upstat="$(curl --silent --write-out "\n%{http_code}\n" \ --form project="PROJECT_NAME" \ --form token="$COVERITY_SCAN_TOKEN" \ --form email="$NOTIFY_EMAIL" \ --form file=@libass.tar.gz \ --form version="${{ github.sha }}" \ --form description="GitHubActions CI build" \ "$UPLOAD_URL")" if [ "$?" -ne 0 ] ; then echo "Upload failed (curl error)" exit_code=1 elif echo "$upstat" | tail -n 1 | grep -Eq '^2[0-9]{2}$' ; then echo "Upload successful." else echo "Upload failed (server error)" exit_code=1 fi echo "$upstat" | head exit $exit_code - name: Stop Docker if: matrix.docker_image shell: bash run: | docker rm --force dockerciimage