Kelsi 8fe53171eb Fix release packaging and macOS stack overflow crash
- Fix StormLib package name: libstormlib-dev → libstorm-dev (correct
  Ubuntu package name) across all CI workflows and extract_assets.sh
- Build StormLib from source on Windows CI (no MSYS2 package exists),
  ensuring asset_extract.exe is included in release archives
- Update extract_assets.sh/.ps1 to prefer pre-built asset_extract
  binary next to the script (release archives) before trying build dir
- Move ADTTerrain allocations from stack to heap in prepareTile() to
  fix stack overflow on macOS (worker threads default to 512 KB stack,
  two ADTTerrain structs ≈ 560 KB exceeded that)
2026-02-25 01:55:16 -08:00

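---
# Static-analysis and sanitizer CI for WoWee.
#
# Three independent jobs run on every push / pull request to master and on
# manual dispatch:
#   codeql          - GitHub CodeQL C/C++ analysis; results are uploaded to the
#                     repository's code-scanning alerts (needs security-events:
#                     write, granted only on that job).
#   semgrep         - Semgrep with the registry rulesets p/security-audit and
#                     p/secrets; any finding fails the job (--error).
#   sanitizer-build - ASan/UBSan build of the tree, running ctest if a test
#                     suite was configured.
#
# Hardening notes:
#   * The workflow-level `permissions` block restricts GITHUB_TOKEN to
#     `contents: read`; only the codeql job widens it.
#   * Every checkout sets `persist-credentials: false` so the token is not left
#     in .git/config for later steps - none of these jobs push or need it.
#   * Actions are referenced by major-version tag. For a stronger supply-chain
#     guarantee pin each `uses:` to a full commit SHA (e.g.
#     `actions/checkout@<sha> # v4`) looked up from the action's release page;
#     no SHAs are asserted here.
name: Security

on:  # yamllint disable-line rule:truthy
  push:
    branches: [master]
  pull_request:
    branches: [master]
  workflow_dispatch:

# Default token scope for all jobs: read-only.
permissions:
  contents: read

jobs:
  codeql:
    name: CodeQL (C/C++)
    runs-on: ubuntu-24.04
    permissions:
      actions: read           # used by github/codeql-action (see its docs)
      contents: read
      security-events: write  # SARIF upload to code scanning
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          submodules: true
          persist-credentials: false  # read-only job; do not keep the token
      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            cmake \
            build-essential \
            pkg-config \
            libsdl2-dev \
            libglew-dev \
            libglm-dev \
            libssl-dev \
            zlib1g-dev \
            libvulkan-dev \
            vulkan-tools \
            glslc \
            libavformat-dev \
            libavcodec-dev \
            libswscale-dev \
            libavutil-dev \
            libunicorn-dev \
            libx11-dev
          # StormLib is treated as optional: `|| true` keeps the job alive if
          # the package is unavailable, so the build below must cope without it.
          sudo apt-get install -y libstorm-dev || true
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: cpp
          config-file: ./.github/codeql/codeql-config.yml
      # CodeQL for C/C++ traces a real build; the full tree is compiled here.
      - name: Build
        run: |
          cmake -S . -B build -DCMAKE_BUILD_TYPE=Release
          cmake --build build --parallel $(nproc)
      - name: Analyze
        uses: github/codeql-action/analyze@v3

  semgrep:
    name: Semgrep
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          submodules: true
          persist-credentials: false  # read-only job; do not keep the token
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      # NOTE(review): `pip install semgrep` installs whatever release is current
      # at run time, and the `p/...` rulesets are fetched from the Semgrep
      # registry on every run, so findings can change with no commit to this
      # repository. Pin a release (`semgrep==X.Y.Z`) if reproducible scans are
      # wanted.
      - name: Install Semgrep
        run: |
          python -m pip install --upgrade pip
          python -m pip install semgrep
      # --error turns any finding into a non-zero exit, failing the job.
      - name: Run Semgrep (security + secrets)
        run: |
          semgrep scan \
            --config p/security-audit \
            --config p/secrets \
            --error

  sanitizer-build:
    name: Sanitizer Build (ASan/UBSan)
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          submodules: true
          persist-credentials: false  # read-only job; do not keep the token
      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            cmake \
            build-essential \
            pkg-config \
            libsdl2-dev \
            libglew-dev \
            libglm-dev \
            libssl-dev \
            zlib1g-dev \
            libvulkan-dev \
            vulkan-tools \
            glslc \
            libavformat-dev \
            libavcodec-dev \
            libswscale-dev \
            libavutil-dev \
            libunicorn-dev \
            libx11-dev
          # StormLib is treated as optional: `|| true` keeps the job alive if
          # the package is unavailable, so the build below must cope without it.
          sudo apt-get install -y libstorm-dev || true
      # Sanitizer flags are passed through the compiler and linker flag
      # variables so every target (including tests) is instrumented.
      # -fno-omit-frame-pointer keeps ASan stack traces usable.
      # NOTE(review): CMake's default RelWithDebInfo flags add -DNDEBUG, which
      # compiles out assert(); use Debug if the tests rely on asserts firing.
      - name: Configure (ASan/UBSan)
        run: |
          cmake -S . -B build \
            -DCMAKE_BUILD_TYPE=RelWithDebInfo \
            -DWOWEE_BUILD_TESTS=ON \
            -DCMAKE_C_FLAGS="-fsanitize=address,undefined -fno-omit-frame-pointer" \
            -DCMAKE_CXX_FLAGS="-fsanitize=address,undefined -fno-omit-frame-pointer" \
            -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address,undefined" \
            -DCMAKE_SHARED_LINKER_FLAGS="-fsanitize=address,undefined"
      - name: Build
        run: cmake --build build --parallel $(nproc)
      - name: Run tests (if present)
        env:
          # halt_on_error=1 aborts on the first report instead of continuing,
          # so a sanitizer finding cannot be masked by a later passing exit.
          ASAN_OPTIONS: detect_leaks=1:halt_on_error=1
          UBSAN_OPTIONS: print_stacktrace=1:halt_on_error=1
        run: |
          # Only invoke ctest when the configure step actually produced a test
          # tree; otherwise report success for the instrumented build alone.
          if [ -f build/CTestTestfile.cmake ] || [ -d build/tests ]; then
            ctest --test-dir build --output-on-failure
          else
            echo "No tests configured; sanitizer build completed."
          fi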