authorJun Aruga <jaruga@redhat.com>2022-05-10 16:34:08 +0200
committerJun Aruga <junaruga@users.noreply.github.com>2022-05-16 10:10:16 +0200
commitdccfff943c3ea9defd91647cfa3fd8714041bb5a (patch)
tree980e2e0f05cc7f9771d9f521d649542d5b450088 /.github/workflows/compilers.yml
parent36efb2a146b247efd3d8d0ac85542998cd67b437 (diff)
Add `make test-annocheck` to detect security issues.
* Note that as the annocheck binary package is not available on Ubuntu, and it is working in progress in Debian, the script uses Fedora container, and it requires docker or podman command. https://www.debian.org/devel/wnpp/itp.en.html https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926470 * .github/workflows/compilers.yml: Add "gcc-11 annocheck" case. To pass the CI, set `TEST_ANNOCHECK_OPTS: "--skip-pie --skip-notes"` for now. See <https://bugs.ruby-lang.org/issues/18061>. * Skip MJIT tests in case of annocheck case. The MJIT tests fail in the annocheck case. See <https://bugs.ruby-lang.org/issues/18781>.
Notes
Notes: Merged: https://github.com/ruby/ruby/pull/5900
Diffstat (limited to '.github/workflows/compilers.yml')
-rw-r--r--.github/workflows/compilers.yml24
1 files changed, 24 insertions, 0 deletions
diff --git a/.github/workflows/compilers.yml b/.github/workflows/compilers.yml
index 9aa7d407f4..ddb53cadb8 100644
--- a/.github/workflows/compilers.yml
+++ b/.github/workflows/compilers.yml
@@ -60,6 +60,8 @@ jobs:
strategy:
fail-fast: false
matrix:
+ env:
+ - {}
entry:
- { key: default_cc, name: gcc-11, value: gcc-11, container: gcc-11 }
- { key: default_cc, name: gcc-10, value: gcc-10, container: gcc-10 }
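Review bot: The new `env:` axis with the single value `- {}` under `matrix:` has no comment, and nothing in this hunk shows what it is for. It appears to exist only as the fallback for the job-level `env: ${{ matrix.entry.env || matrix.env }}` added in the hunk at -199/+213. A comment above it would make that explicit, for example `# Single empty default so the job-level env expression has a mapping when an entry defines no env.` The same comment should warn that adding a second value to this axis would multiply every job in the matrix.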
@@ -75,6 +77,18 @@ jobs:
container: gcc-11
configure_append: '--disable-shared optflags=-O2'
# check: true
+ - key: default_cc
+ name: 'gcc-11 annocheck'
+ # Minimal flags to pass the check.
+ value: 'gcc-11 -O2 -fcf-protection -Wl,-z,now'
+ container: gcc-11
+ env:
+ # FIXME: Drop skiping options
+ # https://bugs.ruby-lang.org/issues/18061
+ # https://sourceware.org/annobin/annobin.html/Test-pie.html
+ # https://sourceware.org/annobin/annobin.html/Test-notes.html
+ TEST_ANNOCHECK_OPTS: "--skip-pie --skip-notes"
+ check: true
- { key: default_cc, name: clang-15, value: clang-15, container: clang-15 }
- { key: default_cc, name: clang-14, value: clang-14, container: clang-14 }
- { key: default_cc, name: clang-13, value: clang-13, container: clang-13 }
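Review bot: `TEST_ANNOCHECK_OPTS: "--skip-pie --skip-notes"` turns off two of annocheck's tests in the only entry that runs it, so a green job says nothing about PIE or annobin notes. The FIXME should state that, and 'skiping' should read 'skipping', for example `# FIXME: Drop the skipping options; until then PIE and annobin notes are NOT verified by this job.` The comment `# Minimal flags to pass the check.` could add that `-fcf-protection -Wl,-z,now` are injected through `value` for this entry only. As far as this diff shows, the job therefore checks that a hardened build passes, not that the other entries are built that way. The `annocheck` suffix in `name` is also load-bearing, because later steps gate on `endsWith(matrix.entry.name, 'annocheck')`; a rename would silently skip them, so a short comment on `name` saying so would help.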
@@ -199,6 +213,7 @@ jobs:
image: ghcr.io/ruby/ruby-ci-image:${{ matrix.entry.container || 'clang-14' }}
options: --user root
if: ${{ !startsWith(github.event.head_commit.message, '[DOC]') && !contains(github.event.pull_request.labels.*.name, 'Documentation') }}
+ env: ${{ matrix.entry.env || matrix.env }}
steps:
- run: id
working-directory:
@@ -233,10 +248,19 @@ jobs:
if: ${{ matrix.entry.check }}
- run: make test-tool
if: ${{ matrix.entry.check }}
+ # FIXME: Skip MJIT tests failing in the annocheck case.
+ # https://bugs.ruby-lang.org/issues/18781
+ - run: |
+ rm test/ruby/test_jit.rb
+ rm test/ruby/test_rubyvm_jit.rb
+ if: ${{ endsWith(matrix.entry.name, 'annocheck') }}
+ working-directory: src
- run: make test-all TESTS='-- ruby -ext-'
if: ${{ matrix.entry.check }}
- run: make test-spec
if: ${{ matrix.entry.check }}
+ - run: make test-annocheck
+ if: ${{ matrix.entry.check && endsWith(matrix.entry.name, 'annocheck') }}
- uses: k0kubun/action-slack@v2.0.0
with: