thorvg/.github/workflows/build_ubuntu.yml
Josh Soref 2fa723c947 infra/workflow: Reduce workflow permissions
By explicitly listing the permissions required in general, repositories
without restrictive permissions will only allocate the specified
permissions which is much safer than the default, fairly wide,
permissions grant.

Most workflows don't appear to need any permissions beyond
`contents: read` which is required for checkout (when a repository is
private). By specifying this permission, it tells GitHub not to include
any of its additional default permissions (when a repository is
configured permissively).

The .github/workflows/memcheck_*.sh scripts called by build_ubuntu.yml
require write permissions in order to post their output to a pull
request (as a comment).

In locked down GitHub repositories, unless a workflow/job asks for
write permissions, it will not have them and such API calls will result
in:

{
  "message": "Resource not accessible by integration",
  "documentation_url": "https://docs.github.com/rest/issues/comments#create-an-issue-comment",
  "status": "403"
}

By specifically requesting the permissions, the workflow will continue
to work as expected.
2024-09-30 12:46:24 +09:00

name: Ubuntu
on:
  pull_request:
    branches:
      - main
  push:
    branches:
      - main
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: true
      - name: Install Packages
        run: |
          sudo apt-get update
          sudo apt-get install meson ninja-build libturbojpeg0-dev libpng-dev libwebp-dev libgles-dev libsdl2-dev
      - name: Build
        run: |
          meson setup build -Dlog=true -Dengines=all -Dexamples=true -Dloaders=all -Dsavers=all -Dbindings=capi -Dtools=all
          sudo ninja -C build install
  compact_test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: true
      - name: Install Packages
        run: |
          sudo apt-get update
          sudo apt-get install meson ninja-build libgles-dev
      - name: Build
        run: |
          meson setup build -Dlog=true -Dengines=all -Dloaders=all -Dsavers=all -Dstatic=true -Dthreads=false
          sudo ninja -C build install
  unit_test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: true
      - name: Install Packages
        run: |
          sudo apt-get update
          sudo apt-get install meson ninja-build libgtest-dev libasan5 valgrind curl jq software-properties-common libturbojpeg0-dev libpng-dev libwebp-dev libgles-dev
      - name: Build
        run: |
          meson setup build -Dloaders="all" -Dengines=all -Dsavers="all" -Dbindings="capi" -Dtests=true --errorlogs
          sudo ninja -C build install test
      - uses: actions/upload-artifact@v4
        with:
          name: UnitTestReport
          path: build/meson-logs/testlog.txt
      - name: Run memcheck Script(valgrind)
        run: |
          export PATH=$PATH:~/.local/bin/
          chmod +x "${GITHUB_WORKSPACE}/.github/workflows/memcheck_valgrind.sh"
          "${GITHUB_WORKSPACE}/.github/workflows/memcheck_valgrind.sh"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Build & Run memcheck Script(ASAN)
        run: |
          sudo rm -rf ./build
          meson setup build -Db_sanitize="address,undefined" -Dloaders="all" -Dsavers="all" -Dtests="true" -Dbindings="capi"
          sudo ninja -C build install
          export PATH=$PATH:~/.local/bin/
          chmod +x "${GITHUB_WORKSPACE}/.github/workflows/memcheck_asan.sh"
          "${GITHUB_WORKSPACE}/.github/workflows/memcheck_asan.sh"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
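As an added example (not thorvg's code and not part of this commit), the following stdlib-only Python audit reads a workflow written in the two-space block-mapping style used above and reports each job's effective GITHUB_TOKEN permissions: the workflow-level `permissions:` block, any job-level block (which, per GitHub Actions' rules, replaces the workflow-level block outright, with every unlisted scope set to none), and whether the job references the token. It then flags jobs that would run with the repository default, jobs holding a `write` scope, and jobs that reference the token while only the workflow-level grant applies (the situation that produces the 403 quoted in the commit message). The scanner is a deliberately simplified indentation walker, not a full YAML parser; the two embedded sample workflows are constructed, and `audit_workflow`, the `SAMPLE_*` constants and the helper names are the example's own.

```python
import re

# Constructed sample in the shape of the workflow on this page: a workflow-level
# 'contents: read' plus one job that widens its grant to 'pull-requests: write'
# because its memcheck script posts a comment on the pull request.
SAMPLE_WORKFLOW = """\
name: Ubuntu
on: [pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: meson setup build && ninja -C build
  unit_test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - run: ./.github/workflows/memcheck_valgrind.sh
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""

# Constructed counter-example: the same workflow with no 'permissions:' block
# anywhere, so every job runs with the repository's default token grant.
SAMPLE_NO_PERMISSIONS = SAMPLE_WORKFLOW.replace(
    "permissions:\n  contents: read\njobs:", "jobs:"
).replace("    permissions:\n      contents: read\n      pull-requests: write\n", "")

TOKEN_REFERENCE = re.compile(r"secrets\.GITHUB_TOKEN|github\.token")

def _tokens(text):
    # (indent, stripped text) for every non-blank, non-comment line
    return [(len(l) - len(l.lstrip(" ")), l.strip())
            for l in text.splitlines() if l.strip() and not l.strip().startswith("#")]

def _find_key(toks, key, indent, start=0, stop=None):
    # Position of the line '<key>:' sitting at exactly this indent within [start, stop)
    for i in range(start, len(toks) if stop is None else stop):
        if toks[i][0] == indent and toks[i][1].split(":")[0] == key:
            return i
    return None

def _read_mapping(toks, start):
    # Direct children of the block mapping opened at toks[start] as {scope: level};
    # the inline scalar form ('permissions: read-all') comes back as a string.
    base, inline = toks[start][0], toks[start][1].partition(":")[2].strip()
    if inline:
        return inline
    child_indent, mapping = None, {}
    for indent, text in toks[start + 1:]:
        if indent <= base:
            break
        child_indent = indent if child_indent is None else child_indent
        if indent == child_indent:
            key, _, value = text.partition(":")
            mapping[key.strip()] = value.strip()
    return mapping

def audit_workflow(text):
    # Effective GITHUB_TOKEN permissions per job, plus findings worth a reviewer's eye.
    toks = _tokens(text)
    idx = _find_key(toks, "permissions", 0)
    workflow_perms = _read_mapping(toks, idx) if idx is not None else None
    report = {"workflow_permissions": workflow_perms, "jobs": {}, "findings": []}
    jobs_idx = _find_key(toks, "jobs", 0)
    if jobs_idx is None:  # a workflow without 'jobs:' is invalid; nothing to audit
        return report
    # Job names sit one indent level below 'jobs:'; a job's span runs to the next
    # name at that indent or to the next top-level key.
    job_indent, job_starts, jobs_end = None, [], len(toks)
    for i in range(jobs_idx + 1, len(toks)):
        if toks[i][0] == 0:
            jobs_end = i
            break
        job_indent = toks[i][0] if job_indent is None else job_indent
        if toks[i][0] == job_indent:
            job_starts.append(i)
    for n, start in enumerate(job_starts):
        end = job_starts[n + 1] if n + 1 < len(job_starts) else jobs_end
        name = toks[start][1].rstrip(":")
        body_indent = min((ind for ind, _ in toks[start + 1:end]), default=job_indent + 2)
        perm_idx = _find_key(toks, "permissions", body_indent, start + 1, end)
        job_perms = _read_mapping(toks, perm_idx) if perm_idx is not None else None
        # GitHub Actions rule: a job-level block replaces the workflow-level one outright
        effective = job_perms if job_perms is not None else workflow_perms
        uses_token = any(TOKEN_REFERENCE.search(txt) for _, txt in toks[start:end])
        report["jobs"][name] = {"declared": job_perms, "effective": effective, "uses_token": uses_token}
        if effective is None:
            report["findings"].append(f"job '{name}' runs with the repository default GITHUB_TOKEN grant")
        elif isinstance(effective, dict):
            for scope, level in effective.items():
                if level == "write":
                    report["findings"].append(f"job '{name}' has {scope}: write")
        if uses_token and job_perms is None and workflow_perms is not None:
            report["findings"].append(f"job '{name}' uses GITHUB_TOKEN without a job-level permissions block")
    return report
```

Run it on a real file with `audit_workflow(open(".github/workflows/build_ubuntu.yml").read())`. A job whose `effective` entry is `None` is one that would run with whatever the repository settings hand out; a job that references the token while only a workflow-level `contents: read` applies is the candidate for the "Resource not accessible by integration" response shown above, and the fix is the same one this commit makes: a job-level block listing exactly the scopes the job's scripts need.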