-
Notifications
You must be signed in to change notification settings - Fork 8
250 lines (238 loc) · 9.57 KB
/
ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
name: Ghidra Build
on:
workflow_dispatch:
inputs:
prevRev:
description: 'Revision of the previous release'
required: false
rev:
description: 'NationalSecurityAgency/ghidra commit to build'
required: true
env:
GRADLE_VERSION: 8.5
JAVA_VERSION: 21
jobs:
build-natives:
strategy:
matrix:
include:
#- target: win_x86_32
# os: windows-latest
- target: win_x86_64
os: windows-latest
- target: linux_x86_64
os: ubuntu-latest
- target: linux_arm_64
os: ubuntu-latest
- target: mac_x86_64
os: macos-latest
- target: mac_arm_64
os: macos-latest
fail-fast: false
name: Build ${{ matrix.target }} Binaries
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
with:
repository: NationalSecurityAgency/Ghidra
ref: ${{ github.event.inputs.rev }}
- uses: actions/setup-java@v4
with:
distribution: 'zulu'
java-version: ${{ env.JAVA_VERSION }}
- name: Install bison
if: ${{ matrix.os == 'windows-latest' }}
shell: pwsh
run: |
Invoke-WebRequest -URI "https://github.com/lexxmark/winflexbison/releases/download/v2.4.12/win_flex_bison-2.4.12.zip" -OutFile "win_flex_bison-2.4.12.zip"
Expand-Archive -Path "win_flex_bison-2.4.12.zip" -DestinationPath "winflexbison"
Rename-Item -Path "$pwd\winflexbison\win_bison.exe" -NewName "bison.exe"
Rename-Item -Path "$pwd\winflexbison\win_flex.exe" -NewName "flex.exe"
"$pwd\winflexbison" >> $env:GITHUB_PATH
- name: Checkout Ghidra-CI Repo
uses: actions/checkout@v4
with:
path: ghidra-ci-roblabla
- uses: eskatos/gradle-command-action@v3
with:
gradle-version: ${{ env.GRADLE_VERSION }}
arguments: --init-script gradle/support/fetchDependencies.gradle init
- name: Setup Linux ARM toolchain
if: ${{ matrix.target == 'linux_arm_64' }}
run: |
sudo dpkg --add-architecture arm64
sudo bash -c 'echo "http://ports.ubuntu.com/ubuntu-ports/ priority:0" >> /etc/apt/apt-mirrors.txt'
sudo apt-get update
sudo apt-get install g++-aarch64-linux-gnu libc6-dev-arm64-cross zlib1g-dev:arm64
mkdir -p $HOME/.gradle
cp ghidra-ci-roblabla/linux_arm_64.init.gradle $HOME/.gradle/init.gradle
- name: Setup MacOS ARM toolchain
if: ${{ matrix.target == 'mac_arm_64' }}
run: |
mkdir -p $HOME/.gradle
cp ghidra-ci-roblabla/mac_arm_64.init.gradle $HOME/.gradle/init.gradle
- uses: eskatos/gradle-command-action@v3
with:
gradle-version: ${{ env.GRADLE_VERSION }}
arguments: buildNatives_${{ matrix.target }}
- name: "Sign macOS binaries"
if: ${{ env.MACOS_CODESIGN_CRT_PWD != '' && (matrix.target == 'mac_arm_64' || matrix.target == 'mac_x86_64') }}
run: |
echo "$MACOS_CODESIGN_CRT" | base64 -d > certificate.p12
security create-keychain -p test123 build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p test123 build.keychain
security import certificate.p12 -k build.keychain -P "$MACOS_CODESIGN_CRT_PWD" -T /usr/bin/codesign
rm certificate.p12
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k test123 build.keychain
for file in $(find . -path "*/build/os/${{ matrix.target }}/*" -type f); do
echo "Signing file $file"
/usr/bin/codesign --force -s "$MACOS_CODESIGN_CRT_IDENTITY" --options runtime "$file" -v
done
security lock-keychain build.keychain
security default-keychain -s
security delete-keychain build.keychain
env:
MACOS_CODESIGN_CRT: ${{ secrets.MACOS_CODESIGN_CRT }}
MACOS_CODESIGN_CRT_PWD: ${{ secrets.MACOS_CODESIGN_CRT_PWD }}
MACOS_CODESIGN_CRT_IDENTITY: ${{ secrets.MACOS_CODESIGN_CRT_IDENTITY }}
# Apparently, github is an incompetent idiot that can't handle permissions
# properly. https://github.com/actions/upload-artifact/issues/38
# Wrap the binaries in a tar archive to fix that.
- name: Tar the binaries
run: tar -cvf "${{matrix.target}}.build.tar" $(find . -path "*/build/os/${{ matrix.target }}/*" -type f)
shell: bash
- name: "Notarize macOS binaries"
if: ${{ env.MACOS_APPLE_USERNAME != '' && (matrix.target == 'mac_arm_64' || matrix.target == 'mac_x86_64') }}
run: |
for file in $(find . -path "*/build/os/${{ matrix.target }}/*" -type f); do
echo "Notarizing file $file"
ditto -c -k "$file" "${file}.zip"
xcrun notarytool submit --apple-id "$MACOS_APPLE_USERNAME" --password "$MACOS_APPLE_PASSWORD" --team-id "$MACOS_APPLE_TEAMID" --wait "${file}.zip"
rm "${file}.zip"
done
env:
MACOS_APPLE_USERNAME: ${{ secrets.MACOS_APPLE_USERNAME }}
MACOS_APPLE_PASSWORD: ${{ secrets.MACOS_APPLE_PASSWORD }}
MACOS_APPLE_TEAMID: ${{ secrets.MACOS_APPLE_TEAMID }}
- name: Upload artifacts
uses: actions/upload-artifact@v4
with:
name: natives-${{ matrix.target }}
path: "${{matrix.target}}.build.tar"
dist:
name: "Build Ghidra distributable zip"
needs: ["build-natives"]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
repository: NationalSecurityAgency/Ghidra
ref: ${{ github.event.inputs.rev }}
fetch-depth: 0
#- name: Download Windows x86 binaries
# uses: actions/download-artifact@v4
# with:
# name: natives-win_x86_32
- name: Download Windows x86_64 binaries
uses: actions/download-artifact@v4
with:
name: natives-win_x86_64
- name: Download MacOS x86_64 binaries
uses: actions/download-artifact@v4
with:
name: natives-mac_x86_64
- name: Download MacOS ARM64 binaries
uses: actions/download-artifact@v4
with:
name: natives-mac_arm_64
- name: Download Linux x86_64 binaries
uses: actions/download-artifact@v4
with:
name: natives-linux_x86_64
- name: Download Linux ARM64 binaries
uses: actions/download-artifact@v4
with:
name: natives-linux_arm_64
- name: Extract all binaries
run: |
for file in *.build.tar; do
echo "Extracting $file"
tar xvf "$file"
done
- uses: actions/setup-java@v4
with:
distribution: 'zulu'
java-version: ${{ env.JAVA_VERSION }}
- name: Fetch the Ghidra dependencies.
uses: eskatos/gradle-command-action@v3
with:
gradle-version: ${{ env.GRADLE_VERSION }}
arguments: --init-script gradle/support/fetchDependencies.gradle init
# TODO: Pre-build GhidraDev
- name: Checkout ghidra-data
uses: actions/checkout@v4
with:
repository: NationalSecurityAgency/ghidra-data
path: 'ghidra-data'
- name: Copy ghidra-data files into the appropriate directories
run: cp -r ghidra-data/FunctionID/* Ghidra/Features/FunctionID/data
- name: Build ghidra, create a cross-platform distribution
uses: eskatos/gradle-command-action@v3
with:
gradle-version: ${{ env.GRADLE_VERSION }}
arguments: -x ip -PallPlatforms buildGhidra
# TODO: remove upload-artifact when create release is sure to work
- name: Upload final dist
uses: actions/upload-artifact@v4
with:
path: "build/dist/*"
- name: Remove temporary artifacts
uses: geekyeggo/delete-artifact@v5
with:
name: |
natives-win_x86_32
natives-win_x86_64
natives-mac_x86_64
natives-mac_arm_64
natives-linux_x86_64
natives-linux_arm_64
- name: Get current date, rev and dist name
id: date
run: |
echo date=$(date +'%Y-%m-%d') >> $GITHUB_OUTPUT
echo dist=$(ls build/dist) >> $GITHUB_OUTPUT
echo rev=$(git rev-parse --short HEAD) >> $GITHUB_OUTPUT
- uses: actions/checkout@v4
with:
path: ghidra-ci-roblabla
- name: Generate CHANGELOG.md
run: |
cd ghidra-ci-roblabla
sudo apt-get update
sudo apt-get install libkrb5-dev
npm i
node generate_changelog.js ${{github.event.inputs.prevRev}} ${{github.event.inputs.rev}} > CHANGELOG.md
- name: Create Release
id: create_release
uses: actions/create-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
tag_name: ${{ steps.date.outputs.date }}
release_name: Release ${{ steps.date.outputs.date }}(${{ steps.date.outputs.rev }})
body_path: ./ghidra-ci-roblabla/CHANGELOG.md
# TODO: This is a horrible hack.
commitish: "master"
draft: false
prerelease: false
- name: Upload Release Asset
id: upload-release-asset
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ steps.create_release.outputs.upload_url }}
asset_path: ./build/dist/${{ steps.date.outputs.dist }}
asset_name: release.zip
asset_content_type: application/zip