Audit findings #259

Workflow file for this run

	name: Build
	on:
	workflow_dispatch:
	push:
	pull_request:
	branches:
	- main
	- develop
	- master # for safety reasons
	- dev # for safety reasons

	jobs:
	configure:
	runs-on: ${{ github.repository_owner == 'zondax' && 'zondax-runners' \|\| 'ubuntu-latest' }}
	outputs:
	uid_gid: ${{ steps.get-user.outputs.uid_gid }}
	steps:
	- id: get-user
	run: echo "uid_gid=$(id -u):$(id -g)" >> $GITHUB_OUTPUT

	build:
	runs-on: ${{ github.repository_owner == 'zondax' && 'zondax-runners' \|\| 'ubuntu-latest' }}
	steps:
	- name: Install dependencies
	run: \|
	sudo apt-get update
	sudo apt-get install -y curl protobuf-compiler build-essential git wget unzip python3 python3-pip \
	libssl-dev libffi-dev libreadline-dev zlib1g-dev libbz2-dev libsqlite3-dev libncurses5-dev \
	libgdbm-dev libnss3-dev liblzma-dev libxml2-dev libxmlsec1-dev libffi-dev libyaml-dev
	- name: Checkout
	uses: actions/checkout@v4
	with:
	submodules: true
	- name: Install CMake 3.28
	run: \|
	wget https://github.com/Kitware/CMake/releases/download/v3.28.0/cmake-3.28.0-linux-x86_64.sh
	sudo mkdir /opt/cmake
	sudo sh cmake-3.28.0-linux-x86_64.sh --skip-license --prefix=/opt/cmake
	sudo ln -sf /opt/cmake/bin/cmake /usr/local/bin/cmake
	sudo ln -sf /opt/cmake/bin/ctest /usr/local/bin/ctest
	- name: Verify CMake version
	run: cmake --version
	- name: Install deps
	run: \|
	sudo update-alternatives --install /usr/bin/python python /usr/bin/python3 10
	make deps
	- name: Run CMake
	run: mkdir -p build && cd build && cmake -DCMAKE_BUILD_TYPE=Debug .. && make
	- run: make cpp_test

	build_ledger:
	needs: configure
	runs-on: ${{ github.repository_owner == 'zondax' && 'zondax-runners' \|\| 'ubuntu-latest' }}
	container:
	image: zondax/ledger-app-builder:latest
	options: --user ${{ needs.configure.outputs.uid_gid }}
	env:
	BOLOS_SDK: /opt/nanos-secure-sdk
	outputs:
	size: ${{steps.build.outputs.size}}
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	with:
	submodules: true
	- name: Build Standard app
	id: build
	shell: bash -l {0}
	run: \|
	make
	echo "size=$(python3 deps/ledger-zxlib/scripts/getSize.py s)" >> $GITHUB_OUTPUT

	size_nano_s:
	needs: build_ledger
	runs-on: ${{ github.repository_owner == 'zondax' && 'zondax-runners' \|\| 'ubuntu-latest' }}
	env:
	NANOS_LIMIT_SIZE: 136
	steps:
	- run: \|
	echo "LNS app size: ${{needs.build_ledger.outputs.size}} KiB"
	[ ${{needs.build_ledger.outputs.size}} -le $NANOS_LIMIT_SIZE ]

	test_zemu:
	runs-on: ${{ github.repository_owner == 'zondax' && 'zondax-runners' \|\| 'ubuntu-latest' }}
	steps:
	- name: Test
	run: \|
	id
	echo $HOME
	echo $DISPLAY
	- name: Install dependencies
	run: \|
	sudo apt-get update
	sudo apt-get install -y curl protobuf-compiler build-essential git wget unzip python3 python3-pip \
	libssl-dev libffi-dev libreadline-dev zlib1g-dev libbz2-dev libsqlite3-dev libncurses5-dev \
	libgdbm-dev libnss3-dev liblzma-dev libxml2-dev libxmlsec1-dev libffi-dev libyaml-dev
	- name: Checkout
	uses: actions/checkout@v4
	with:
	submodules: true
	- run: sudo apt-get update -y && sudo apt-get install -y libusb-1.0.0 libudev-dev
	- name: Install rust
	uses: actions-rs/toolchain@v1
	with:
	toolchain: stable
	- name: Install node
	uses: actions/setup-node@v4
	with:
	node-version: 18
	- name: Install yarn
	run: \|
	npm install -g yarn
	- name: Build and run zemu tests
	run: \|
	for i in {1..3}; do
	make zemu_install && break \|\| sleep 10
	done
	make
	make zemu_test
	- name: Upload Snapshots (only failure)
	if: ${{ failure() }}
	uses: actions/upload-artifact@v3
	with:
	name: snapshots-tmp
	path: tests_zemu/snapshots-tmp/

	build_package_nanos:
	needs: [configure, build, build_ledger, test_zemu]
	if: ${{ github.ref == 'refs/heads/main' }}
	runs-on: ${{ github.repository_owner == 'zondax' && 'zondax-runners' \|\| 'ubuntu-latest' }}
	container:
	image: zondax/ledger-app-builder:latest
	options: --user ${{ needs.configure.outputs.uid_gid }}
	env:
	BOLOS_SDK: /opt/nanos-secure-sdk
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	with:
	submodules: true
	- name: Install deps
	run: pip install ledgerblue

	- name: Build NanoS
	shell: bash -l {0}
	run: \|
	PRODUCTION_BUILD=0 make
	mv ./app/pkg/installer_s.sh ./app/pkg/installer_nanos.sh
	- name: Set tag
	id: nanos
	run: echo "tag_name=$(./app/pkg/installer_nanos.sh version)" >> $GITHUB_OUTPUT
	- name: Create or Update Release (1)
	id: create_release_0
	uses: softprops/action-gh-release@v1
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
	with:
	files: ./app/pkg/installer_nanos.sh
	tag_name: ${{ steps.nanos.outputs.tag_name }}
	draft: false
	prerelease: false

	build_package_nanosp:
	needs: [configure, build, build_ledger, test_zemu]
	if: ${{ github.ref == 'refs/heads/main' }}
	runs-on: ${{ github.repository_owner == 'zondax' && 'zondax-runners' \|\| 'ubuntu-latest' }}
	container:
	image: zondax/ledger-app-builder:latest
	options: --user ${{ needs.configure.outputs.uid_gid }}
	env:
	BOLOS_SDK: /opt/nanosplus-secure-sdk
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	with:
	submodules: true
	- name: Install deps
	run: pip install ledgerblue

	- name: Build NanoSP
	shell: bash -l {0}
	run: \|
	PRODUCTION_BUILD=0 make
	mv ./app/pkg/installer_s2.sh ./app/pkg/installer_nanos_plus.sh
	- name: Set tag
	id: nanosp
	run: echo "tag_name=$(./app/pkg/installer_nanos_plus.sh version)" >> $GITHUB_OUTPUT
	- name: Update Release
	id: update_release_2
	uses: softprops/action-gh-release@v1
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
	with:
	files: ./app/pkg/installer_nanos_plus.sh
	tag_name: ${{ steps.nanosp.outputs.tag_name }}
	draft: false
	prerelease: false

	build_package_stax:
	needs: [configure, build, build_ledger, test_zemu]
	if: ${{ github.ref == 'refs/heads/main' }}
	runs-on: zondax-runners
	container:
	image: zondax/ledger-app-builder:latest
	options: --user ${{ needs.configure.outputs.uid_gid }}
	env:
	BOLOS_SDK: /opt/stax-secure-sdk
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	with:
	submodules: true
	- name: Install deps
	run: pip install ledgerblue

	- name: Build Stax
	shell: bash -l {0}
	run: \|
	PRODUCTION_BUILD=0 make
	- name: Set tag
	id: stax
	run: echo "tag_name=$(./app/pkg/installer_stax.sh version)" >> $GITHUB_OUTPUT
	- name: Update Release
	id: update_release_2
	uses: softprops/action-gh-release@v1
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
	with:
	files: \|
	./app/pkg/installer_stax.sh
	tag_name: ${{ steps.stax.outputs.tag_name }}
	draft: false
	prerelease: false

	build_package_flex:
	needs: [configure, build, build_ledger, test_zemu]
	if: ${{ github.ref == 'refs/heads/main' }}
	runs-on: ubuntu-latest
	container:
	image: zondax/ledger-app-builder:latest
	options: --user ${{ needs.configure.outputs.uid_gid }}
	env:
	BOLOS_SDK: /opt/flex-secure-sdk
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	with:
	submodules: true
	- name: Install deps
	run: pip install ledgerblue

	- name: Build Flex
	shell: bash -l {0}
	run: PRODUCTION_BUILD=0 make
	- name: Set tag
	id: flex
	run: echo "tag_name=$(./app/pkg/installer_flex.sh version)" >> $GITHUB_OUTPUT
	- name: Update Release
	id: update_release_2
	uses: softprops/action-gh-release@v1
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
	with:
	files: ./app/pkg/installer_flex.sh
	tag_name: ${{ steps.flex.outputs.tag_name }}
	draft: false
	prerelease: false

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Audit findings #259

Workflow file

Audit findings #259

Jobs

Run details

Workflow file for this run