Skip to content

add control flow hardening docs #1634

add control flow hardening docs

add control flow hardening docs #1634

Workflow file for this run

on:
push:
branches:
- master
- ci-test
pull_request:
branches:
- master
# Note that a full "go test" is quite heavy,
# as it runs many builds under the hood.
# The default -timeout=10m can be hit by the hosted runners.
#
# Also note that we don't use Actions caching for Go on purpose.
# Caching GOMODCACHE wouldn't help much, as we have few deps.
# Caching GOCACHE would do more harm than good,
# as the tests redo most of their work if the garble version changes,
# and the majority of commits or PRs will do so.
# Moreover, GitHub saves and restores caches via compressed archives over the
# network, which means it can easily add one minute of overhead on its own for
# just a few hundred megabytes worth of files.
name: Test
jobs:
test:
strategy:
matrix:
go-version: [1.21.x]
os: [ubuntu-latest, macos-latest, windows-latest]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v4
with:
go-version: ${{ matrix.go-version }}
cache: false
# linux already runs the tests with -race below, plus extra checks,
# so skip the regular tests to prevent it from taking the longest.
- if: matrix.os != 'ubuntu-latest'
run: go test -timeout=15m ./...
# macos and windows failures with bincmp can be hard to reproduce locally,
# so upload the binaries as artifacts.
- uses: actions/upload-artifact@v3
if: failure()
with:
name: bincmp_output
path: bincmp_output/
# macos and windows tend to be a bit slower,
# and it's rare that a race in garble would be OS-specific.
- if: matrix.os == 'ubuntu-latest'
run: go test -race -timeout=20m ./...
# Static checks from this point forward. Only run on one Go version and on
# linux, since it's the fastest platform, and the tools behave the same.
- name: Test third-party project builds
if: matrix.os == 'ubuntu-latest' && matrix.go-version == '1.21.x'
run: |
go install
./scripts/check-third-party.sh
- if: matrix.os == 'ubuntu-latest' && matrix.go-version == '1.21.x'
run: ./scripts/crlf-test.sh
- if: matrix.os == 'ubuntu-latest' && matrix.go-version == '1.21.x'
run: diff <(echo -n) <(gofmt -d .)
- if: matrix.os == 'ubuntu-latest' && matrix.go-version == '1.21.x'
run: go vet ./...
- if: matrix.os == 'ubuntu-latest' && matrix.go-version == '1.21.x'
uses: dominikh/staticcheck-action@v1
with:
version: "2023.1.3"
install-go: false
# We don't care about GOARCH=386 particularly, hence -short,
# but it helps ensure we support 32-bit hosts and targets well.
# TODO: use CGO_ENABLED=1 once we figure out how to install gcc-multilib,
# and once gotooltest forwards the value of CGO_ENABLED to the scripts.
test-386:
runs-on: ubuntu-latest
env:
GOARCH: 386
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v4
with:
go-version: 1.21.x
cache: false
- run: go test -short ./...
test-gotip:
if: false # let tip for 1.22 settle first
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Install Go
env:
GO_COMMIT: a031f4ef83edc132d5f49382bfef491161de2476 # 2023-06-24
run: |
cd $HOME
mkdir $HOME/gotip
cd $HOME/gotip
wget -O gotip.tar.gz https://go.googlesource.com/go/+archive/${GO_COMMIT}.tar.gz
tar -xf gotip.tar.gz
echo "devel go1.21-${GO_COMMIT}" >VERSION
cd src
./make.bash
echo "GOROOT=$HOME/gotip" >>$GITHUB_ENV
echo "$HOME/gotip/bin" >>$GITHUB_PATH
- run: go test -timeout=15m ./...