ci: add codeql.yml #261

Workflow file for this run

	name: Build release

	on:
	workflow_dispatch:
	push:
	branches: [ "main" ]
	paths:
	- 'src/**'
	- 'build/**'
	- 'build.c'
	- '.github/**'
	tags:
	- "v*"
	pull_request:

	jobs:
	update:
	name: Fetch Latest Version
	runs-on: ubuntu-latest
	outputs:
	release: ${{ steps.fetch_version.outputs.release }}
	version: ${{ steps.fetch_version.outputs.version }}
	release_name: ${{ steps.fetch_version.outputs.release_name }}
	build_time: ${{ steps.fetch_version.outputs.build_time }}
	steps:
	- name: Fetch latest version
	id: fetch_version
	run: \|
	if [[ "${{ github.event_name }}" == "push" && "${{ github.ref_type }}" == "tag" ]]; then
	version="${{ github.ref_name }}"
	release_name="rurima ${{ github.ref_name }} Release"
	else
	response=$(curl -s -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" -L "https://api.github.com/repos/${{ github.repository }}/releases/latest")
	version=$(echo "$response" \| jq -r .tag_name)
	release_name=$(echo "$response" \| jq -r .name)
	fi

	if [[ -n "$version" && "$version" != "null" && -n "$release_name" && "$release_name" != "null" ]]; then
	echo "release=true" >> $GITHUB_OUTPUT
	else
	echo "release=false" >> $GITHUB_OUTPUT
	fi

	build_time="UTC $(TZ=UTC date '+%Y%m%d%H%M')"
	echo "version=$version" >> $GITHUB_OUTPUT
	echo "release_name=$release_name" >> $GITHUB_OUTPUT
	echo "build_time=$build_time" >> $GITHUB_OUTPUT
	build-arch:
	runs-on: ubuntu-latest
	permissions:
	contents: read
	strategy:
	matrix:
	arch: [x86_64, x86, aarch64, armhf, armv7, ppc64le, loongarch64, riscv64, s390x]
	env:
	ARCHITECTURE: ${{ matrix.arch }}
	steps:
	- name: Checkout repository
	uses: actions/checkout@v4

	- name: Install Dependencies
	run: \|
	sudo apt-get update
	sudo apt-get --no-install-recommends -y install \
	binutils build-essential libcap-dev libseccomp-dev make qemu-user-static xz-utils

	- name: Build ruri for container
	run: \|
	cd build
	git clone --depth 1 https://github.com/moe-hacker/ruri.git
	cd ruri
	cc -Wl,--gc-sections -static src/.c src/easteregg/.c -o ruri -lcap -lseccomp -lpthread
	cp ./ruri ../../

	- name: Download alpine rootfs for ${{ matrix.arch }}
	env:
	URL: https://dl-cdn.alpinelinux.org/alpine/v3.22/releases
	run: \|
	cd build
	mkdir -p $ARCHITECTURE

	wget -q https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O yq
	sudo mv yq /usr/local/bin/yq
	sudo chmod +x /usr/local/bin/yq

	FILE=$(curl -s "$URL/$ARCHITECTURE/latest-releases.yaml" \| yq '.[] \| select(.flavor == "alpine-minirootfs") \| .file')
	wget "$URL/$ARCHITECTURE/$FILE"
	tar -xzf "$FILE" -C "$ARCHITECTURE"

	- name: Build for ${{ matrix.arch }}
	shell: bash
	run: \|
	cd build
	cp build.sh "$ARCHITECTURE/build.sh"
	sudo chmod +x ../ruri
	sudo chmod +x "$ARCHITECTURE/build.sh"

	case "$ARCHITECTURE" in
	x86_64\|x86)
	sudo ../ruri ./$ARCHITECTURE /bin/sh /build.sh
	;;
	aarch64\|armhf\|ppc64le\|armv7\|riscv64\|s390x\|loongarch64)
	if [ "$ARCHITECTURE" = "armv7" ]; then
	sudo ../ruri -a armv7 -q /usr/bin/qemu-arm-static ./$ARCHITECTURE /bin/sh /build.sh
	else
	sudo ../ruri -a $ARCHITECTURE -q /usr/bin/qemu-$ARCHITECTURE-static ./$ARCHITECTURE /bin/sh /build.sh
	fi
	;;
	esac
	PATH_BK=$(pwd)
	# Verify build
	case "$ARCHITECTURE" in
	x86_64\|x86)
	cd $ARCHITECTURE/output && ./rurima -v\|\|exit 1
	cd $PATH_BK
	;;
	aarch64\|armhf\|ppc64le\|armv7\|riscv64\|s390x\|loongarch64)
	if [ "$ARCHITECTURE" = "armv7" ]; then
	cd $ARCHITECTURE/output && /usr/bin/qemu-arm-static ./rurima -v\|\|exit 1
	cd $PATH_BK
	else
	cd $ARCHITECTURE/output && /usr/bin/qemu-$ARCHITECTURE-static ./rurima -v\|\|exit 1
	cd $PATH_BK
	fi
	;;
	esac
	cd $PATH_BK
	(cd $ARCHITECTURE/output && tar -cf ../../../$ARCHITECTURE.tar .)

	cd $GITHUB_WORKSPACE
	if [[ "$ARCHITECTURE" == "x86" ]]; then
	mv $ARCHITECTURE.tar i386.tar
	fi

	- name: Upload artifacts
	if: true
	uses: actions/upload-artifact@v4
	with:
	name: rurima-${{ matrix.arch }}
	path: \|
	./*.tar
	retention-days: 7

	release:
	name: Push Release
	needs: [update, build-arch]
	runs-on: ubuntu-latest
	permissions:
	contents: write
	steps:
	- name: Download All Build
	uses: actions/download-artifact@v4
	with:
	path: ./all

	- name: Move all .tar files
	run: \|
	find ./all -type f -name "*.tar" -exec mv {} ./ \;
	# Upload only if file > 100KB
	for file in ./*.tar; do
	if [ ! -f "$file" ] \|\| [ $(stat -c%s "$file") -lt 102400 ]; then
	echo "Removing $file as it is smaller than 100KB"
	rm -f "$file"
	fi
	done
	# If no .tar files exist, exit with error
	if [ -z "$(ls -A ./*.tar 2>/dev/null)" ]; then
	echo "No .tar files found to upload. Exiting."
	exit 1
	fi
	git clone https://github.com/rurioss/rurima
	cd rurima;git rev-parse --short HEAD > ../commit-id.txt

	- name: Release
	uses: softprops/action-gh-release@v2.2.2
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	with:
	tag_name: ${{ needs.update.outputs.version }}
	name: ${{ needs.update.outputs.release_name }}
	body: \|
	This is rurima binary release.
	NOTE:
	rurima use musl as libc to build by default (in alpine container), for smaller binary size and better security.
	Build time: ${{ needs.update.outputs.build_time }}
	files: \|
	*.tar
	commit-id.txt

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ci: add codeql.yml #261

Workflow file

ci: add codeql.yml #261

Uh oh!

Workflow file for this run