Skip to content

Push a use-after-free to test if CodeQL actually checks the code #1078

Push a use-after-free to test if CodeQL actually checks the code

Push a use-after-free to test if CodeQL actually checks the code #1078

Workflow file for this run

name: Build
on:
push:
branches:
- '**'
create:
env:
QT_VERSION: '6.6.0'
QT_MODULES: 'qtmultimedia qtwebsockets qtimageformats'
EM_VERSION: '3.1.25'
permissions:
contents: write
pages: write
id-token: write
jobs:
iOS:
runs-on: macos-13
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 1
- name: Import signing keys
run: |
security create-keychain -p password build.keychain
security default-keychain -s ~/Library/Keychains/build.keychain
base64 -D <<< "${{ secrets.CERT_APPLE_DISTRIBUTION }}" > Apple_Distribution_Z52EFCPL6D.p7b
security import ./Apple_Distribution_Z52EFCPL6D.p7b -k ~/Library/Keychains/build.keychain -T /usr/bin/codesign
base64 -D <<< "${{ secrets.CERT_APPLE_DEVELOPMENT }}" > Apple_Development_N952V7G2F5.p7b
security import ./Apple_Development_N952V7G2F5.p7b -k ~/Library/Keychains/build.keychain -T /usr/bin/codesign
base64 -D <<< "${{ secrets.CERT_IOS_DEVELOPMENT }}" > Ios_Development_N952V7G2F5.p7b
security import ./Ios_Development_N952V7G2F5.p7b -k ~/Library/Keychains/build.keychain -T /usr/bin/codesign
base64 -D <<< "${{ secrets.CERT_IOS_DISTRIBUTION }}" > Ios_Distribution_N952V7G2F5.p7b
security import ./Ios_Distribution_N952V7G2F5.p7b -k ~/Library/Keychains/build.keychain -T /usr/bin/codesign
base64 -D <<< "${{ secrets.CERT_APPLE_DISTRIBUTION_P12 }}" > Apple_Distribution_Z52EFCPL6D.p12
security import ./Apple_Distribution_Z52EFCPL6D.p12 -k ~/Library/Keychains/build.keychain -P heslo -T /usr/bin/codesign
base64 -D <<< "${{ secrets.CERT_APPLE_DEVELOPMENT_P12 }}" > Apple_Development_N952V7G2F5.p12
security import ./Apple_Development_N952V7G2F5.p12 -k ~/Library/Keychains/build.keychain -P heslo -T /usr/bin/codesign
base64 -D <<< "${{ secrets.CERT_IOS_DEVELOPMENT_P12 }}" > Ios_Development_N952V7G2F5.p12
security import ./Ios_Development_N952V7G2F5.p12 -k ~/Library/Keychains/build.keychain -P heslo -T /usr/bin/codesign
base64 -D <<< "${{ secrets.CERT_IOS_DISTRIBUTION_P12 }}" > Ios_Distribution_N952V7G2F5.p12
security import ./Ios_Distribution_N952V7G2F5.p12 -k ~/Library/Keychains/build.keychain -P heslo -T /usr/bin/codesign
base64 -D <<< "${{ secrets.CERT_DEVELOPER_ID_APPLICATION }}" > Developer_ID_Application_Z52EFCPL6D.p7b
security import ./Developer_ID_Application_Z52EFCPL6D.p7b -k ~/Library/Keychains/build.keychain -P heslo -T /usr/bin/codesign
# Unlock
security unlock-keychain -p password ~/Library/Keychains/build.keychain
security set-keychain-settings -lu
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k password ~/Library/Keychains/build.keychain
- name: Import provisioning profile
run: |
mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
base64 -D <<< "${{ secrets.IOS_PROVISIONING_PROFILE }}" > ~/Library/MobileDevice/Provisioning\ Profiles/Lith_Testflight.mobileprovision
base64 -D <<< "${{ secrets.DEVELOPMENT_PROVISIONING_PROFILE }}" > ~/Library/MobileDevice/Provisioning\ Profiles/Lith_Development.mobileprovision
base64 -D <<< "${{ secrets.MANUAL_PROVISIONING_PROFILE }}" > ~/Library/MobileDevice/Provisioning\ Profiles/5f6dbe73-4785-410f-97dd-1f5d24c359be.mobileprovision
base64 -D <<< "${{ secrets.MANUAL_PROVISIONING_PROFILE_2 }}" > ~/Library/MobileDevice/Provisioning\ Profiles/924f12c6-0542-4827-8c84-cfd0f137e270.mobileprovision
- name: Set up CPM cache
id: cache-cpm
uses: actions/cache@v3
with:
path: ~/cpm-cache
key: ${{ runner.os }}-cpm-${{ hashFiles('CMakeLists.txt') }}
restore-keys: |
${{ runner.os }}-cpm-
- name: Install Host Qt
uses: jurplel/install-qt-action@v3
with:
version: ${{env.QT_VERSION}}
set-env: false
modules: ${{env.QT_MODULES}} qtquick3d
cache: true
cache-key-prefix: ${{ github.job }}-qt-host
- name: Install Qt
uses: jurplel/install-qt-action@v3
with:
version: ${{env.QT_VERSION}}
target: ios
modules: ${{env.QT_MODULES}} qtquick3d
cache: true
cache-key-prefix: ${{ github.job }}-qt
- name: Build the iOS binary
run: |
export VERSION_NAME=$(./dist/get-version-name.sh)
export CPM_SOURCE_CACHE=~/cpm-cache
IMGUR_API_KEY=${{ secrets.IMGUR_API_KEY }} bash ./dist/ios/build.sh
- name: Upload artifacts to GitHub
if: github.event_name != 'create'
uses: actions/upload-artifact@v2
with:
name: Lith.ipa
path: build_ios/Lith.ipa
- name: Upload to GitHub
if: github.event_name == 'create'
run: |
export VERSION_NAME=$(./dist/get-version-name.sh)
if [[ "$VERSION_NAME" != "" ]]; then
./dist/upload-github-release-asset.sh github_api_token="${{ secrets.GITHUB_TOKEN }}" tag="v${VERSION_NAME}" filename="build_ios/Lith.ipa" renameto="Lith-iOS-${VERSION_NAME}.ipa"
fi
- name: Upload to Testflight
if: github.event_name == 'create'
run: |
export VERSION_NAME=$(./dist/get-version-name.sh)
if [[ "$VERSION_NAME" != "" ]]; then
xcrun altool --validate-app --file build_ios/Lith.ipa --type ios --username "${{ secrets.APPLEID_NAME }}" --password "${{ secrets.APPLEID_PASSWORD }}"
xcrun altool --upload-app --file build_ios/Lith.ipa --type ios --username "${{ secrets.APPLEID_NAME }}" --password "${{ secrets.APPLEID_PASSWORD }}"
fi
Android:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 1
- name: Set up CPM cache
id: cache-cpm
uses: actions/cache@v2
with:
path: ~/cpm-cache
key: ${{ runner.os }}-cpm-${{ hashFiles('CMakeLists.txt') }}
restore-keys: |
${{ runner.os }}-cpm-
- name: Install Host Qt
uses: jurplel/install-qt-action@v3
with:
host: 'linux'
version: ${{env.QT_VERSION}}
set-env: false
aqtversion: '==3.1.*'
modules: ${{env.QT_MODULES}}
cache: true
cache-key-prefix: ${{ github.job }}-qt-host
- name: Install Qt
uses: jurplel/install-qt-action@v3
with:
host: 'linux'
version: ${{env.QT_VERSION}}
target: android
arch: android_armv7
aqtversion: '==3.1.*'
modules: ${{env.QT_MODULES}}
cache: true
cache-key-prefix: ${{ github.job }}-qt
- name: Get OpenSSL
run: |
git clone https://github.com/KDAB/android_openssl.git --depth=1
- name: Build the Android binary
run: |
export ANDROID_SDK=${ANDROID_SDK_ROOT}
export CPM_SOURCE_CACHE=~/cpm-cache
export ANDROID_OPENSSL_PATH="$PWD/android_openssl/ssl_3"
export ANDROID_NDK="${ANDROID_NDK_LATEST_HOME}"
export ANDROID_NDK_HOME="${ANDROID_NDK_LATEST_HOME}"
export ANDROID_NDK_ROOT="${ANDROID_NDK_LATEST_HOME}"
IMGUR_API_KEY=${{ secrets.IMGUR_API_KEY }} bash ./dist/android/build.sh
- name: Upload artifacts to GitHub
if: github.event_name != 'create'
uses: actions/upload-artifact@v2
with:
name: android-build-debug.apk
path: build_android/app/android-build/Lith.apk
- name: Upload to GitHub
if: github.event_name == 'create'
run: |
VERSION_NAME=$(./dist/get-version-name.sh)
if [[ "$VERSION_NAME" != "" ]]; then
./dist/upload-github-release-asset.sh github_api_token=${{ secrets.GITHUB_TOKEN }} tag="v${VERSION_NAME}" filename="build_android/app/android-build/Lith.apk" renameto="Lith-android-${VERSION_NAME}.apk"
fi
Webassembly:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 1
- name: Set up CPM cache
id: cache-cpm
uses: actions/cache@v2
with:
path: ~/cpm-cache
key: ${{ runner.os }}-cpm-${{ hashFiles('CMakeLists.txt') }}
restore-keys: |
${{ runner.os }}-cpm-
- name: Install Host Qt
uses: jurplel/install-qt-action@v3
with:
version: ${{env.QT_VERSION}}
set-env: false
aqtversion: '==3.1.*'
cache: true
cache-key-prefix: ${{ github.job }}-qt-host
- name: Install Qt
uses: jurplel/install-qt-action@v3
with:
version: ${{env.QT_VERSION}}
host: linux
target: desktop
arch: wasm_singlethread
modules: ${{env.QT_MODULES}}
aqtversion: '==3.1.*'
cache: true
cache-key-prefix: ${{ github.job }}-qt
- uses: mymindstorm/setup-emsdk@v11
with:
version: ${{env.EM_VERSION}}
- name: Build the Emscripten binary
run: |
IMGUR_API_KEY=${{ secrets.IMGUR_API_KEY }} bash ./dist/wasm/build.sh
mkdir installed
cp build_wasm/app/*.js build_wasm/app/*.html build_wasm/app/*.wasm build_wasm/app/*.svg installed
cp installed/Lith.html installed/index.html
cp assets/icons/icon.ico installed/favicon.ico
- name: Setup Pages
if: github.event_name == 'create'
uses: actions/configure-pages@v3
- name: Upload artifact
if: github.event_name == 'create'
uses: actions/upload-pages-artifact@v2
with:
path: 'installed/'
- name: Deploy to GitHub Pages
id: deployment
if: github.event_name == 'create'
uses: actions/deploy-pages@v2
Windows-MSVC:
runs-on: windows-2019
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 1
- name: Set up CPM cache
id: cache-cpm
uses: actions/cache@v2
with:
path: ~/cpm-cache
key: ${{ runner.os }}-cpm-${{ hashFiles('CMakeLists.txt') }}
restore-keys: |
${{ runner.os }}-cpm-
- name: Install Qt
uses: jurplel/install-qt-action@v3
with:
version: ${{env.QT_VERSION}}
modules: ${{env.QT_MODULES}}
cache: true
cache-key-prefix: ${{ github.job }}-qt
- name: Add msbuild to PATH
uses: microsoft/setup-msbuild@v1.0.2
- name: Build the application
shell: bash
run: |
VERSION_NAME="$(./dist/get-version-name.sh)"
eval "$(./dist/win/make-vs2019-env.bat)"
mkdir build_win
cd build_win
export CPM_SOURCE_CACHE=~/cpm-cache
export CMAKE_PREFIX_PATH="$Qt6_DIR"/lib/cmake
cmake .. -GNinja -DCMAKE_INSTALL_PREFIX=installed -DCMAKE_BUILD_TYPE=Release -DIMGUR_API_KEY=${{ secrets.IMGUR_API_KEY }} -DVERSION=$VERSION_NAME
cmake --build . --config Release
cmake --install . --config Release
- name: Windeployqt + zip
shell: bash
run: |
mkdir -p build_win/composed
cp build_win/installed/bin/* build_win/composed
cp -r build_win/installed/lib/modules build_win/composed/
cd build_win/composed
"$Qt6_DIR"/bin/windeployqt.exe Lith.exe LithCore.dll LithStyle.dll LithUI.dll --verbose 2 --release --compiler-runtime --qmldir ../..
7z a ../../Lith.zip *
- name: Upload artifacts to GitHub
if: github.event_name != 'create'
uses: actions/upload-artifact@v2
with:
name: Lith.zip
path: Lith.zip
- name: Upload to GitHub
shell: bash
if: github.event_name == 'create'
run: |
VERSION_NAME=$(./dist/get-version-name.sh)
if [[ "$VERSION_NAME" != "" ]]; then
./dist/upload-github-release-asset.sh github_api_token=${{ secrets.GITHUB_TOKEN }} tag="v${VERSION_NAME}" filename="Lith.zip" renameto="Lith-win64-${VERSION_NAME}.zip"
fi
Linux:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 1
- name: Install Make
run: |
sudo apt update
sudo apt install make libxkbcommon-dev
- name: Set up CPM cache
id: cache-cpm
uses: actions/cache@v2
with:
path: ~/cpm-cache
key: ${{ runner.os }}-cpm-${{ hashFiles('CMakeLists.txt') }}
restore-keys: |
${{ runner.os }}-cpm-
- name: Install Qt
uses: jurplel/install-qt-action@v3
with:
version: ${{env.QT_VERSION}}
modules: ${{env.QT_MODULES}}
cache: true
cache-key-prefix: ${{ github.job }}-qt
- name: Build the application
run: |
mkdir build
cd build
export CPM_SOURCE_CACHE=~/cpm-cache
export VERSION_NAME=$(./dist/get-version-name.sh)
export CMAKE_PREFIX_PATH="$Qt6_DIR"/lib/cmake
cmake .. -DCMAKE_BUILD_TYPE=Release -DIMGUR_API_KEY=${{ secrets.IMGUR_API_KEY }} -DVERSION=$VERSION_NAME -DLITH_FORCE_DOWNLOAD_DEPENDENCIES=ON
make -j5
Flatpak:
runs-on: ubuntu-latest
if: false
container:
image: docker.io/bilelmoussaoui/flatpak-github-actions
options: --privileged
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 1
- uses: bilelmoussaoui/flatpak-github-actions@v2
with:
bundle: "app.Lith.Lith.flatpak"
manifest-path: "dist/linux/flatpak/app.Lith.Lith.json"
- name: Upload artifacts to GitHub
if: github.event_name != 'create'
uses: actions/upload-artifact@v2
with:
name: app.Lith.Lith.flatpak
path: app.Lith.Lith.flatpak
- name: Upload to GitHub
if: github.event_name == 'create'
run: |
VERSION_NAME=$(./dist/get-version-name.sh)
if [[ "$VERSION_NAME" != "" ]]; then
./dist/upload-github-release-asset.sh github_api_token=${{ secrets.GITHUB_TOKEN }} tag="v${VERSION_NAME}" filename="app.Lith.Lith.flatpak" renameto="Lith-linux-${VERSION_NAME}.flatpak"
fi
macOS:
runs-on: macos-13
steps:
- name: Import signing keys
run: |
security create-keychain -p password build.keychain
security default-keychain -s ~/Library/Keychains/build.keychain
base64 -D <<< "${{ secrets.CERT_APPLE_DISTRIBUTION }}" > Apple_Distribution_Z52EFCPL6D.p7b
security import ./Apple_Distribution_Z52EFCPL6D.p7b -k ~/Library/Keychains/build.keychain -T /usr/bin/codesign
base64 -D <<< "${{ secrets.CERT_APPLE_DEVELOPMENT }}" > Apple_Development_N952V7G2F5.p7b
security import ./Apple_Development_N952V7G2F5.p7b -k ~/Library/Keychains/build.keychain -T /usr/bin/codesign
base64 -D <<< "${{ secrets.CERT_APPLE_DISTRIBUTION_P12 }}" > Apple_Distribution_Z52EFCPL6D.p12
security import ./Apple_Distribution_Z52EFCPL6D.p12 -k ~/Library/Keychains/build.keychain -P heslo -T /usr/bin/codesign
base64 -D <<< "${{ secrets.CERT_APPLE_DEVELOPMENT_P12 }}" > Apple_Development_N952V7G2F5.p12
security import ./Apple_Development_N952V7G2F5.p12 -k ~/Library/Keychains/build.keychain -P heslo -T /usr/bin/codesign
base64 -D <<< "${{ secrets.CERT_DEVELOPER_ID_APPLICATION }}" > Developer_ID_Application_Z52EFCPL6D.p7b
security import ./Developer_ID_Application_Z52EFCPL6D.p7b -k ~/Library/Keychains/build.keychain -P heslo -T /usr/bin/codesign
# Unlock
security unlock-keychain -p password ~/Library/Keychains/build.keychain
security set-keychain-settings -lu
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k password ~/Library/Keychains/build.keychain
- uses: actions/checkout@v4
with:
fetch-depth: 1
- name: Set up CPM cache
id: cache-cpm
uses: actions/cache@v2
with:
path: ~/cpm-cache
key: ${{ runner.os }}-cpm-${{ hashFiles('CMakeLists.txt') }}
restore-keys: |
${{ runner.os }}-cpm-
- name: Install Qt
uses: jurplel/install-qt-action@v3
with:
version: ${{env.QT_VERSION}}
modules: ${{env.QT_MODULES}}
cache: true
cache-key-prefix: ${{ github.job }}-qt
- name: Build the application
run: |
export VERSION_NAME=$(./dist/get-version-name.sh)
export CPM_SOURCE_CACHE=~/cpm-cache
IMGUR_API_KEY=${{ secrets.IMGUR_API_KEY }} ./dist/macos/build.sh
- name: Generate .dmg
run: |
# A workaround mentioned here https://github.com/actions/runner-images/issues/7522
echo killing...; sudo pkill -9 XProtect >/dev/null || true;
echo waiting...; while pgrep XProtect; do sleep 3; done;
"$Qt6_DIR"/bin/macdeployqt build_macos/app/Lith.app -qmldir=modules -appstore-compliant #-codesign=Z52EFCPL6D
# No idea why but macdeployqt deploys debug libs too, just remove them, maybe fix this sometimes
for i in `find build_macos/app/Lith.app/ -name '*.dSYM'`; do rm -fr "$i"; done
"$Qt6_DIR"/bin/macdeployqt build_macos/app/Lith.app -no-plugins -dmg -always-overwrite -appstore-compliant
- name: Upload artifacts to GitHub
if: github.event_name != 'create'
uses: actions/upload-artifact@v2
with:
name: Lith.dmg
path: build_macos/app/Lith.dmg
- name: Upload to GitHub
if: github.event_name == 'create'
run: |
VERSION_NAME=$(./dist/get-version-name.sh)
if [[ "$VERSION_NAME" != "" ]]; then
./dist/upload-github-release-asset.sh github_api_token=${{ secrets.GITHUB_TOKEN }} tag="v${VERSION_NAME}" filename="build_macos/app/Lith.dmg" renameto="Lith-macOS-${VERSION_NAME}.dmg"
fi