add control flow hardening docs #1634
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
on: | |
push: | |
branches: | |
- master | |
- ci-test | |
pull_request: | |
branches: | |
- master | |
# Note that a full "go test" is quite heavy, | |
# as it runs many builds under the hood. | |
# The default -timeout=10m can be hit by the hosted runners. | |
# | |
# Also note that we don't use Actions caching for Go on purpose. | |
# Caching GOMODCACHE wouldn't help much, as we have few deps. | |
# Caching GOCACHE would do more harm than good, | |
# as the tests redo most of their work if the garble version changes, | |
# and the majority of commits or PRs will do so. | |
# Moreover, GitHub saves and restores caches via compressed archives over the | |
# network, which means it can easily add one minute of overhead on its own for | |
# just a few hundred megabytes worth of files. | |
name: Test | |
jobs: | |
test: | |
strategy: | |
matrix: | |
go-version: [1.21.x] | |
os: [ubuntu-latest, macos-latest, windows-latest] | |
runs-on: ${{ matrix.os }} | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: actions/setup-go@v4 | |
with: | |
go-version: ${{ matrix.go-version }} | |
cache: false | |
# linux already runs the tests with -race below, plus extra checks, | |
# so skip the regular tests to prevent it from taking the longest. | |
- if: matrix.os != 'ubuntu-latest' | |
run: go test -timeout=15m ./... | |
# macos and windows failures with bincmp can be hard to reproduce locally, | |
# so upload the binaries as artifacts. | |
- uses: actions/upload-artifact@v3 | |
if: failure() | |
with: | |
name: bincmp_output | |
path: bincmp_output/ | |
# macos and windows tend to be a bit slower, | |
# and it's rare that a race in garble would be OS-specific. | |
- if: matrix.os == 'ubuntu-latest' | |
run: go test -race -timeout=20m ./... | |
# Static checks from this point forward. Only run on one Go version and on | |
# linux, since it's the fastest platform, and the tools behave the same. | |
- name: Test third-party project builds | |
if: matrix.os == 'ubuntu-latest' && matrix.go-version == '1.21.x' | |
run: | | |
go install | |
./scripts/check-third-party.sh | |
- if: matrix.os == 'ubuntu-latest' && matrix.go-version == '1.21.x' | |
run: ./scripts/crlf-test.sh | |
- if: matrix.os == 'ubuntu-latest' && matrix.go-version == '1.21.x' | |
run: diff <(echo -n) <(gofmt -d .) | |
- if: matrix.os == 'ubuntu-latest' && matrix.go-version == '1.21.x' | |
run: go vet ./... | |
- if: matrix.os == 'ubuntu-latest' && matrix.go-version == '1.21.x' | |
uses: dominikh/staticcheck-action@v1 | |
with: | |
version: "2023.1.3" | |
install-go: false | |
# We don't care about GOARCH=386 particularly, hence -short, | |
# but it helps ensure we support 32-bit hosts and targets well. | |
# TODO: use CGO_ENABLED=1 once we figure out how to install gcc-multilib, | |
# and once gotooltest forwards the value of CGO_ENABLED to the scripts. | |
test-386: | |
runs-on: ubuntu-latest | |
env: | |
GOARCH: 386 | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: actions/setup-go@v4 | |
with: | |
go-version: 1.21.x | |
cache: false | |
- run: go test -short ./... | |
test-gotip: | |
if: false # let tip for 1.22 settle first | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Install Go | |
env: | |
GO_COMMIT: a031f4ef83edc132d5f49382bfef491161de2476 # 2023-06-24 | |
run: | | |
cd $HOME | |
mkdir $HOME/gotip | |
cd $HOME/gotip | |
wget -O gotip.tar.gz https://go.googlesource.com/go/+archive/${GO_COMMIT}.tar.gz | |
tar -xf gotip.tar.gz | |
echo "devel go1.21-${GO_COMMIT}" >VERSION | |
cd src | |
./make.bash | |
echo "GOROOT=$HOME/gotip" >>$GITHUB_ENV | |
echo "$HOME/gotip/bin" >>$GITHUB_PATH | |
- run: go test -timeout=15m ./... |