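# Security workflow: CodeQL (C/C++), Semgrep (security-audit + secrets
# rulesets) and an ASan/UBSan build that runs the test suite. Triggered by
# pushes and pull requests targeting master, and by manual dispatch.
name: Security

# `on` is a YAML 1.1 boolean-looking key. GitHub's loader reads it as the
# literal key; generic parsers/yamllint may not (disable `truthy` for it).
on:
  push:
    branches: [master]
  pull_request:
    branches: [master]
  workflow_dispatch:

env:
  # Runner opt-in flag that makes JavaScript-based actions run on Node 24.
  # Quoted because Actions env values are always strings.
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

# Least privilege: the workflow token is read-only by default. Jobs that
# override `permissions` replace this block entirely, so each override below
# restates `contents: read` and adds only what that job needs.
permissions:
  contents: read

# Supply-chain caveat: every `uses:` below is pinned to a moving major tag
# (@v4 / @v3 / @v5), so a force-moved or compromised tag changes what runs
# with this repository's token. Pinning to a full commit SHA (tag kept in a
# trailing comment) and letting Dependabot/Renovate bump it is the stronger
# posture. SHAs are deliberately not written here: they must be copied from
# the upstream release, never guessed.
jobs:
  codeql:
    name: CodeQL (C/C++)
    runs-on: ubuntu-24.04
    permissions:
      actions: read
      contents: read
      security-events: write  # needed to upload SARIF to code scanning
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          submodules: true
          # Do not leave GITHUB_TOKEN in .git/config for later steps: the
          # build below executes project and submodule CMake code, which
          # would otherwise be able to read it.
          persist-credentials: false

      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            cmake \
            build-essential \
            pkg-config \
            libsdl2-dev \
            libglew-dev \
            libglm-dev \
            libssl-dev \
            zlib1g-dev \
            libvulkan-dev \
            vulkan-tools \
            glslc \
            libavformat-dev \
            libavcodec-dev \
            libswscale-dev \
            libavutil-dev \
            libunicorn-dev \
            libx11-dev
          # Best-effort: libstorm-dev may not be packaged for this Ubuntu
          # release. `|| true` also masks unrelated apt failures, so keep it
          # scoped to this single package and nothing else.
          sudo apt-get install -y libstorm-dev || true

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: cpp
          # Query packs / path filters live in the repo-side config file.
          config-file: ./.github/codeql/codeql-config.yml

      - name: Build
        # CodeQL for C/C++ traces real compiler invocations, so this must be
        # a genuine full build (no cached objects, no autobuild shortcut).
        run: |
          cmake -S . -B build -DCMAKE_BUILD_TYPE=Release
          cmake --build build --parallel $(nproc)

      - name: Analyze
        uses: github/codeql-action/analyze@v3

  semgrep:
    name: Semgrep
    runs-on: ubuntu-24.04
    permissions:
      contents: read  # explicit: this job only reads the tree
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          submodules: true
          persist-credentials: false

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.x"

      - name: Install Semgrep
        # Supply-chain caveat: this installs whatever `semgrep` version PyPI
        # serves at run time, unpinned and unhashed. Pin a version (or use a
        # hash-locked requirements file with --require-hashes) once the team
        # chooses one; no version is guessed here.
        run: |
          python -m pip install --upgrade pip
          python -m pip install semgrep

      - name: Run Semgrep (security + secrets)
        # p/security-audit and p/secrets are fetched from the Semgrep registry
        # on every run, so the effective ruleset is whatever the registry
        # serves at that moment. --error turns any finding into a job failure.
        run: |
          semgrep scan \
            --config p/security-audit \
            --config p/secrets \
            --error

  sanitizer-build:
    name: Sanitizer Build (ASan/UBSan)
    runs-on: ubuntu-24.04
    permissions:
      contents: read  # explicit: build + test only, no write-back
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          submodules: true
          persist-credentials: false

      # Same package list as the codeql job. Workflow files cannot use YAML
      # anchors to share it; a composite action would be the way to dedupe.
      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            cmake \
            build-essential \
            pkg-config \
            libsdl2-dev \
            libglew-dev \
            libglm-dev \
            libssl-dev \
            zlib1g-dev \
            libvulkan-dev \
            vulkan-tools \
            glslc \
            libavformat-dev \
            libavcodec-dev \
            libswscale-dev \
            libavutil-dev \
            libunicorn-dev \
            libx11-dev
          # Best-effort install, see the codeql job for why.
          sudo apt-get install -y libstorm-dev || true

      - name: Configure (ASan/UBSan)
        # RelWithDebInfo keeps symbols so sanitizer reports carry file:line;
        # -fno-omit-frame-pointer keeps ASan stack traces usable. The same
        # sanitizer set is passed to both linkers so runtime libs are linked.
        run: |
          cmake -S . -B build \
            -DCMAKE_BUILD_TYPE=RelWithDebInfo \
            -DWOWEE_BUILD_TESTS=ON \
            -DCMAKE_C_FLAGS="-fsanitize=address,undefined -fno-omit-frame-pointer" \
            -DCMAKE_CXX_FLAGS="-fsanitize=address,undefined -fno-omit-frame-pointer" \
            -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address,undefined" \
            -DCMAKE_SHARED_LINKER_FLAGS="-fsanitize=address,undefined"

      - name: Build
        run: cmake --build build --parallel $(nproc)

      - name: Run tests (if present)
        env:
          # halt_on_error=1: the first sanitizer report aborts the test
          # binary, so a finding can never be reported green.
          # detect_leaks=1 enables LeakSanitizer on top of ASan.
          ASAN_OPTIONS: detect_leaks=1:halt_on_error=1
          UBSAN_OPTIONS: print_stacktrace=1:halt_on_error=1
        run: |
          if [ -f build/CTestTestfile.cmake ] || [ -d build/tests ]; then
            # Tests were explicitly requested (WOWEE_BUILD_TESTS=ON), so an
            # empty test set here is a misconfiguration, not a pass. Without
            # --no-tests=error, CTest logs "No tests were found!!!" and still
            # exits 0 outside script mode, letting the job pass vacuously.
            ctest --test-dir build --output-on-failure --no-tests=error
          else
            echo "No tests configured; sanitizer build completed."
          fi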