From 453b18d893e01a4351aac0cf9517439ca077eca8 Mon Sep 17 00:00:00 2001 From: s3rj1k Date: Sat, 22 Jun 2024 16:26:28 +0200 Subject: [PATCH 01/27] [GHA] Rework how secrets are used inside Dockerfiles. --- .../docker/debian/bookworm/amd64/Dockerfile | 31 ++++++++++++------- .../docker/debian/bookworm/arm32v7/Dockerfile | 31 ++++++++++++------- .../docker/debian/bookworm/arm64v8/Dockerfile | 31 ++++++++++++------- .../docker/debian/bullseye/amd64/Dockerfile | 31 ++++++++++++------- .../docker/debian/bullseye/arm32v7/Dockerfile | 31 ++++++++++++------- .../docker/debian/bullseye/arm64v8/Dockerfile | 31 ++++++++++++------- .github/docker/debian/buster/amd64/Dockerfile | 31 ++++++++++++------- .../docker/debian/buster/arm32v7/Dockerfile | 31 ++++++++++++------- .../docker/debian/buster/arm64v8/Dockerfile | 31 ++++++++++++------- 9 files changed, 171 insertions(+), 108 deletions(-) diff --git a/.github/docker/debian/bookworm/amd64/Dockerfile b/.github/docker/debian/bookworm/amd64/Dockerfile index b500830148..844d9494a4 100644 --- a/.github/docker/debian/bookworm/amd64/Dockerfile +++ b/.github/docker/debian/bookworm/amd64/Dockerfile @@ -51,19 +51,10 @@ deb [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/debian-unstable ${COD deb-src [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/debian-unstable ${CODENAME} main EOF -RUN --mount=type=secret,id=REPO_PASSWORD \ - printf "machine ${REPO_DOMAIN} " > ~/.netrc && \ - printf "login ${REPO_USERNAME} " >> ~/.netrc && \ - printf "password " >> ~/.netrc && \ - cat /run/secrets/REPO_PASSWORD >> ~/.netrc && \ - cp -f ~/.netrc /etc/apt/auth.conf - RUN git config --global --add safe.directory '*' \ && git config --global user.name "${MAINTAINER_NAME}" \ && git config --global user.email "${MAINTAINER_EMAIL}" -RUN curl --netrc -o ${GPG_KEY} https://${REPO_DOMAIN}/repo/deb/debian-unstable/signalwire-freeswitch-repo.gpg - # Bootstrap and Build COPY . ${DATA_DIR} WORKDIR ${DATA_DIR} 
@@ -72,9 +63,25 @@ RUN echo "export VERSION=$(cat ./build/next-release.txt | tr -d '\n')" | tee -a RUN . ~/.env && ./debian/util.sh prep-create-orig -n -V${VERSION}-${BUILD_NUMBER}-${GIT_SHA} -x RUN . ~/.env && ./debian/util.sh prep-create-dsc ${CODENAME} -RUN apt-get -q update && \ - mk-build-deps --install --remove debian/control --tool "apt-get -y --no-install-recommends" && \ - apt-get -y -f install +RUN --mount=type=secret,id=REPO_PASSWORD \ + printf "machine ${REPO_DOMAIN} " > /etc/apt/auth.conf && \ + printf "login ${REPO_USERNAME} " >> /etc/apt/auth.conf && \ + printf "password " >> /etc/apt/auth.conf && \ + cat /run/secrets/REPO_PASSWORD >> /etc/apt/auth.conf && \ + curl \ + --fail \ + --netrc-file /etc/apt/auth.conf \ + --output ${GPG_KEY} \ + --silent \ + https://${REPO_DOMAIN}/repo/deb/debian-unstable/signalwire-freeswitch-repo.gpg && \ + file ${GPG_KEY} && \ + apt-get --quiet update && \ + mk-build-deps \ + --install \ + --remove debian/control \ + --tool "apt-get --yes --no-install-recommends" && \ + apt-get --yes --fix-broken install && \ + rm -f /etc/apt/auth.conf ENV DEB_BUILD_OPTIONS="parallel=1" RUN . ~/.env && dch -b -M -v "${VERSION}-${BUILD_NUMBER}-${GIT_SHA}~${CODENAME}" \ diff --git a/.github/docker/debian/bookworm/arm32v7/Dockerfile b/.github/docker/debian/bookworm/arm32v7/Dockerfile index 43b4778b3e..164e602356 100644 --- a/.github/docker/debian/bookworm/arm32v7/Dockerfile +++ b/.github/docker/debian/bookworm/arm32v7/Dockerfile 
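Review bot: `file ${GPG_KEY}` in the new RUN does not validate the downloaded keyring: it prints the detected type and exits 0 for any readable file, so whatever the server returned becomes the `signed-by` trust anchor (declared in the sources list of the previous hunk) for the `apt-get --quiet update` and `mk-build-deps` install that follow. Because the key is fetched from the same host as the packages, pinning it would make the signature check independent of that host, for example `echo "<EXPECTED_SHA256>  ${GPG_KEY}" | sha256sum --check -` in place of the `file` call, with the expected digest kept in the repository. `${GPG_KEY}` is also unquoted in both the curl and the `file` invocation. The same hunk is repeated in the other eight Dockerfiles of this patch.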
@@ -51,19 +51,10 @@ deb [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/rpi/debian-dev ${CODE deb-src [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/rpi/debian-dev ${CODENAME} main EOF -RUN --mount=type=secret,id=REPO_PASSWORD \ - printf "machine ${REPO_DOMAIN} " > ~/.netrc && \ - printf "login ${REPO_USERNAME} " >> ~/.netrc && \ - printf "password " >> ~/.netrc && \ - cat /run/secrets/REPO_PASSWORD >> ~/.netrc && \ - cp -f ~/.netrc /etc/apt/auth.conf - RUN git config --global --add safe.directory '*' \ && git config --global user.name "${MAINTAINER_NAME}" \ && git config --global user.email "${MAINTAINER_EMAIL}" -RUN curl --netrc -o ${GPG_KEY} https://${REPO_DOMAIN}/repo/deb/rpi/debian-dev/signalwire-freeswitch-repo.gpg - # Bootstrap and Build COPY . ${DATA_DIR} WORKDIR ${DATA_DIR} 
@@ -72,9 +63,25 @@ RUN echo "export VERSION=$(cat ./build/next-release.txt | tr -d '\n')" | tee -a RUN . ~/.env && ./debian/util.sh prep-create-orig -n -V${VERSION}-${BUILD_NUMBER}-${GIT_SHA} -x RUN . ~/.env && ./debian/util.sh prep-create-dsc -a armhf ${CODENAME} -RUN apt-get -q update && \ - mk-build-deps --install --remove debian/control --tool "apt-get -y --no-install-recommends" && \ - apt-get -y -f install +RUN --mount=type=secret,id=REPO_PASSWORD \ + printf "machine ${REPO_DOMAIN} " > /etc/apt/auth.conf && \ + printf "login ${REPO_USERNAME} " >> /etc/apt/auth.conf && \ + printf "password " >> /etc/apt/auth.conf && \ + cat /run/secrets/REPO_PASSWORD >> /etc/apt/auth.conf && \ + curl \ + --fail \ + --netrc-file /etc/apt/auth.conf \ + --output ${GPG_KEY} \ + --silent \ + https://${REPO_DOMAIN}/repo/deb/rpi/debian-dev/signalwire-freeswitch-repo.gpg && \ + file ${GPG_KEY} && \ + apt-get --quiet update && \ + mk-build-deps \ + --install \ + --remove debian/control \ + --tool "apt-get --yes --no-install-recommends" && \ + apt-get --yes --fix-broken install && \ + rm -f /etc/apt/auth.conf ENV DEB_BUILD_OPTIONS="parallel=1" RUN . ~/.env && dch -b -M -v "${VERSION}-${BUILD_NUMBER}-${GIT_SHA}~${CODENAME}" \ diff --git a/.github/docker/debian/bookworm/arm64v8/Dockerfile b/.github/docker/debian/bookworm/arm64v8/Dockerfile index 50c24957f1..0e30f8504e 100644 --- a/.github/docker/debian/bookworm/arm64v8/Dockerfile +++ b/.github/docker/debian/bookworm/arm64v8/Dockerfile 
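Review bot: The password is copied out of the BuildKit secret mount into `/etc/apt/auth.conf` on the layer filesystem, and the only thing keeping it out of the image is the trailing `rm -f /etc/apt/auth.conf` in the same RUN; nothing in the file records that. A comment above the instruction such as `# auth.conf holds REPO_PASSWORD: create and remove it inside this single RUN, otherwise it is committed to an image layer` would protect that invariant if the chain is split later. The three printf calls also put `${REPO_DOMAIN}` and `${REPO_USERNAME}` into the format string; `printf 'machine %s ' "${REPO_DOMAIN}"` keeps a stray `%` or backslash in a build argument from being interpreted. Both remarks apply to the matching hunk in all nine Dockerfiles of this patch.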
@@ -51,19 +51,10 @@ deb [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/debian-unstable ${COD deb-src [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/debian-unstable ${CODENAME} main EOF -RUN --mount=type=secret,id=REPO_PASSWORD \ - printf "machine ${REPO_DOMAIN} " > ~/.netrc && \ - printf "login ${REPO_USERNAME} " >> ~/.netrc && \ - printf "password " >> ~/.netrc && \ - cat /run/secrets/REPO_PASSWORD >> ~/.netrc && \ - cp -f ~/.netrc /etc/apt/auth.conf - RUN git config --global --add safe.directory '*' \ && git config --global user.name "${MAINTAINER_NAME}" \ && git config --global user.email "${MAINTAINER_EMAIL}" -RUN curl --netrc -o ${GPG_KEY} https://${REPO_DOMAIN}/repo/deb/debian-unstable/signalwire-freeswitch-repo.gpg - # Bootstrap and Build COPY . ${DATA_DIR} WORKDIR ${DATA_DIR} 
@@ -72,9 +63,25 @@ RUN echo "export VERSION=$(cat ./build/next-release.txt | tr -d '\n')" | tee -a RUN . ~/.env && ./debian/util.sh prep-create-orig -n -V${VERSION}-${BUILD_NUMBER}-${GIT_SHA} -x RUN . ~/.env && ./debian/util.sh prep-create-dsc -a arm64 ${CODENAME} -RUN apt-get -q update && \ - mk-build-deps --install --remove debian/control --tool "apt-get -y --no-install-recommends" && \ - apt-get -y -f install +RUN --mount=type=secret,id=REPO_PASSWORD \ + printf "machine ${REPO_DOMAIN} " > /etc/apt/auth.conf && \ + printf "login ${REPO_USERNAME} " >> /etc/apt/auth.conf && \ + printf "password " >> /etc/apt/auth.conf && \ + cat /run/secrets/REPO_PASSWORD >> /etc/apt/auth.conf && \ + curl \ + --fail \ + --netrc-file /etc/apt/auth.conf \ + --output ${GPG_KEY} \ + --silent \ + https://${REPO_DOMAIN}/repo/deb/debian-unstable/signalwire-freeswitch-repo.gpg && \ + file ${GPG_KEY} && \ + apt-get --quiet update && \ + mk-build-deps \ + --install \ + --remove debian/control \ + --tool "apt-get --yes --no-install-recommends" && \ + apt-get --yes --fix-broken install && \ + rm -f /etc/apt/auth.conf ENV DEB_BUILD_OPTIONS="parallel=1" RUN . ~/.env && dch -b -M -v "${VERSION}-${BUILD_NUMBER}-${GIT_SHA}~${CODENAME}" \ diff --git a/.github/docker/debian/bullseye/amd64/Dockerfile b/.github/docker/debian/bullseye/amd64/Dockerfile index aefbd38224..e4557f1ed6 100644 --- a/.github/docker/debian/bullseye/amd64/Dockerfile +++ b/.github/docker/debian/bullseye/amd64/Dockerfile 
@@ -51,19 +51,10 @@ deb [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/debian-unstable ${COD deb-src [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/debian-unstable ${CODENAME} main EOF -RUN --mount=type=secret,id=REPO_PASSWORD \ - printf "machine ${REPO_DOMAIN} " > ~/.netrc && \ - printf "login ${REPO_USERNAME} " >> ~/.netrc && \ - printf "password " >> ~/.netrc && \ - cat /run/secrets/REPO_PASSWORD >> ~/.netrc && \ - cp -f ~/.netrc /etc/apt/auth.conf - RUN git config --global --add safe.directory '*' \ && git config --global user.name "${MAINTAINER_NAME}" \ && git config --global user.email "${MAINTAINER_EMAIL}" -RUN curl --netrc -o ${GPG_KEY} https://${REPO_DOMAIN}/repo/deb/debian-unstable/signalwire-freeswitch-repo.gpg - # Bootstrap and Build COPY . ${DATA_DIR} WORKDIR ${DATA_DIR} 
@@ -72,9 +63,25 @@ RUN echo "export VERSION=$(cat ./build/next-release.txt | tr -d '\n')" | tee -a RUN . ~/.env && ./debian/util.sh prep-create-orig -n -V${VERSION}-${BUILD_NUMBER}-${GIT_SHA} -x RUN . ~/.env && ./debian/util.sh prep-create-dsc ${CODENAME} -RUN apt-get -q update && \ - mk-build-deps --install --remove debian/control --tool "apt-get -y --no-install-recommends" && \ - apt-get -y -f install +RUN --mount=type=secret,id=REPO_PASSWORD \ + printf "machine ${REPO_DOMAIN} " > /etc/apt/auth.conf && \ + printf "login ${REPO_USERNAME} " >> /etc/apt/auth.conf && \ + printf "password " >> /etc/apt/auth.conf && \ + cat /run/secrets/REPO_PASSWORD >> /etc/apt/auth.conf && \ + curl \ + --fail \ + --netrc-file /etc/apt/auth.conf \ + --output ${GPG_KEY} \ + --silent \ + https://${REPO_DOMAIN}/repo/deb/debian-unstable/signalwire-freeswitch-repo.gpg && \ + file ${GPG_KEY} && \ + apt-get --quiet update && \ + mk-build-deps \ + --install \ + --remove debian/control \ + --tool "apt-get --yes --no-install-recommends" && \ + apt-get --yes --fix-broken install && \ + rm -f /etc/apt/auth.conf ENV DEB_BUILD_OPTIONS="parallel=1" RUN . ~/.env && dch -b -M -v "${VERSION}-${BUILD_NUMBER}-${GIT_SHA}~${CODENAME}" \ diff --git a/.github/docker/debian/bullseye/arm32v7/Dockerfile b/.github/docker/debian/bullseye/arm32v7/Dockerfile index b3a6f00c36..03eb59b40f 100644 --- a/.github/docker/debian/bullseye/arm32v7/Dockerfile +++ b/.github/docker/debian/bullseye/arm32v7/Dockerfile 
@@ -51,19 +51,10 @@ deb [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/rpi/debian-dev ${CODE deb-src [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/rpi/debian-dev ${CODENAME} main EOF -RUN --mount=type=secret,id=REPO_PASSWORD \ - printf "machine ${REPO_DOMAIN} " > ~/.netrc && \ - printf "login ${REPO_USERNAME} " >> ~/.netrc && \ - printf "password " >> ~/.netrc && \ - cat /run/secrets/REPO_PASSWORD >> ~/.netrc && \ - cp -f ~/.netrc /etc/apt/auth.conf - RUN git config --global --add safe.directory '*' \ && git config --global user.name "${MAINTAINER_NAME}" \ && git config --global user.email "${MAINTAINER_EMAIL}" -RUN curl --netrc -o ${GPG_KEY} https://${REPO_DOMAIN}/repo/deb/rpi/debian-dev/signalwire-freeswitch-repo.gpg - # Bootstrap and Build COPY . ${DATA_DIR} WORKDIR ${DATA_DIR} 
@@ -72,9 +63,25 @@ RUN echo "export VERSION=$(cat ./build/next-release.txt | tr -d '\n')" | tee -a RUN . ~/.env && ./debian/util.sh prep-create-orig -n -V${VERSION}-${BUILD_NUMBER}-${GIT_SHA} -x RUN . ~/.env && ./debian/util.sh prep-create-dsc -a armhf ${CODENAME} -RUN apt-get -q update && \ - mk-build-deps --install --remove debian/control --tool "apt-get -y --no-install-recommends" && \ - apt-get -y -f install +RUN --mount=type=secret,id=REPO_PASSWORD \ + printf "machine ${REPO_DOMAIN} " > /etc/apt/auth.conf && \ + printf "login ${REPO_USERNAME} " >> /etc/apt/auth.conf && \ + printf "password " >> /etc/apt/auth.conf && \ + cat /run/secrets/REPO_PASSWORD >> /etc/apt/auth.conf && \ + curl \ + --fail \ + --netrc-file /etc/apt/auth.conf \ + --output ${GPG_KEY} \ + --silent \ + https://${REPO_DOMAIN}/repo/deb/rpi/debian-dev/signalwire-freeswitch-repo.gpg && \ + file ${GPG_KEY} && \ + apt-get --quiet update && \ + mk-build-deps \ + --install \ + --remove debian/control \ + --tool "apt-get --yes --no-install-recommends" && \ + apt-get --yes --fix-broken install && \ + rm -f /etc/apt/auth.conf ENV DEB_BUILD_OPTIONS="parallel=1" RUN . ~/.env && dch -b -M -v "${VERSION}-${BUILD_NUMBER}-${GIT_SHA}~${CODENAME}" \ diff --git a/.github/docker/debian/bullseye/arm64v8/Dockerfile b/.github/docker/debian/bullseye/arm64v8/Dockerfile index dfa899540e..ca216a82d7 100644 --- a/.github/docker/debian/bullseye/arm64v8/Dockerfile +++ b/.github/docker/debian/bullseye/arm64v8/Dockerfile 
@@ -51,19 +51,10 @@ deb [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/debian-unstable ${COD deb-src [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/debian-unstable ${CODENAME} main EOF -RUN --mount=type=secret,id=REPO_PASSWORD \ - printf "machine ${REPO_DOMAIN} " > ~/.netrc && \ - printf "login ${REPO_USERNAME} " >> ~/.netrc && \ - printf "password " >> ~/.netrc && \ - cat /run/secrets/REPO_PASSWORD >> ~/.netrc && \ - cp -f ~/.netrc /etc/apt/auth.conf - RUN git config --global --add safe.directory '*' \ && git config --global user.name "${MAINTAINER_NAME}" \ && git config --global user.email "${MAINTAINER_EMAIL}" -RUN curl --netrc -o ${GPG_KEY} https://${REPO_DOMAIN}/repo/deb/debian-unstable/signalwire-freeswitch-repo.gpg - # Bootstrap and Build COPY . ${DATA_DIR} WORKDIR ${DATA_DIR} 
@@ -72,9 +63,25 @@ RUN echo "export VERSION=$(cat ./build/next-release.txt | tr -d '\n')" | tee -a RUN . ~/.env && ./debian/util.sh prep-create-orig -n -V${VERSION}-${BUILD_NUMBER}-${GIT_SHA} -x RUN . ~/.env && ./debian/util.sh prep-create-dsc -a arm64 ${CODENAME} -RUN apt-get -q update && \ - mk-build-deps --install --remove debian/control --tool "apt-get -y --no-install-recommends" && \ - apt-get -y -f install +RUN --mount=type=secret,id=REPO_PASSWORD \ + printf "machine ${REPO_DOMAIN} " > /etc/apt/auth.conf && \ + printf "login ${REPO_USERNAME} " >> /etc/apt/auth.conf && \ + printf "password " >> /etc/apt/auth.conf && \ + cat /run/secrets/REPO_PASSWORD >> /etc/apt/auth.conf && \ + curl \ + --fail \ + --netrc-file /etc/apt/auth.conf \ + --output ${GPG_KEY} \ + --silent \ + https://${REPO_DOMAIN}/repo/deb/debian-unstable/signalwire-freeswitch-repo.gpg && \ + file ${GPG_KEY} && \ + apt-get --quiet update && \ + mk-build-deps \ + --install \ + --remove debian/control \ + --tool "apt-get --yes --no-install-recommends" && \ + apt-get --yes --fix-broken install && \ + rm -f /etc/apt/auth.conf ENV DEB_BUILD_OPTIONS="parallel=1" RUN . ~/.env && dch -b -M -v "${VERSION}-${BUILD_NUMBER}-${GIT_SHA}~${CODENAME}" \ diff --git a/.github/docker/debian/buster/amd64/Dockerfile b/.github/docker/debian/buster/amd64/Dockerfile index 119a18076e..a0da4dbe7c 100644 --- a/.github/docker/debian/buster/amd64/Dockerfile +++ b/.github/docker/debian/buster/amd64/Dockerfile 
@@ -51,19 +51,10 @@ deb [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/debian-unstable ${COD deb-src [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/debian-unstable ${CODENAME} main EOF -RUN --mount=type=secret,id=REPO_PASSWORD \ - printf "machine ${REPO_DOMAIN} " > ~/.netrc && \ - printf "login ${REPO_USERNAME} " >> ~/.netrc && \ - printf "password " >> ~/.netrc && \ - cat /run/secrets/REPO_PASSWORD >> ~/.netrc && \ - cp -f ~/.netrc /etc/apt/auth.conf - RUN git config --global --add safe.directory '*' \ && git config --global user.name "${MAINTAINER_NAME}" \ && git config --global user.email "${MAINTAINER_EMAIL}" -RUN curl --netrc -o ${GPG_KEY} https://${REPO_DOMAIN}/repo/deb/debian-unstable/signalwire-freeswitch-repo.gpg - # Bootstrap and Build COPY . ${DATA_DIR} WORKDIR ${DATA_DIR} 
@@ -73,9 +64,25 @@ RUN echo "export VERSION=$(cat ./build/next-release.txt | tr -d '\n')" | tee -a RUN . ~/.env && ./debian/util.sh prep-create-orig -n -V${VERSION}-${BUILD_NUMBER}-${GIT_SHA} -x RUN . ~/.env && ./debian/util.sh prep-create-dsc ${CODENAME} -RUN apt-get -q update && \ - mk-build-deps --install --remove debian/control --tool "apt-get -y --no-install-recommends" && \ - apt-get -y -f install +RUN --mount=type=secret,id=REPO_PASSWORD \ + printf "machine ${REPO_DOMAIN} " > /etc/apt/auth.conf && \ + printf "login ${REPO_USERNAME} " >> /etc/apt/auth.conf && \ + printf "password " >> /etc/apt/auth.conf && \ + cat /run/secrets/REPO_PASSWORD >> /etc/apt/auth.conf && \ + curl \ + --fail \ + --netrc-file /etc/apt/auth.conf \ + --output ${GPG_KEY} \ + --silent \ + https://${REPO_DOMAIN}/repo/deb/debian-unstable/signalwire-freeswitch-repo.gpg && \ + file ${GPG_KEY} && \ + apt-get --quiet update && \ + mk-build-deps \ + --install \ + --remove debian/control \ + --tool "apt-get --yes --no-install-recommends" && \ + apt-get --yes --fix-broken install && \ + rm -f /etc/apt/auth.conf ENV DEB_BUILD_OPTIONS="parallel=1" RUN . ~/.env && dch -b -M -v "${VERSION}-${BUILD_NUMBER}-${GIT_SHA}~${CODENAME}" \ diff --git a/.github/docker/debian/buster/arm32v7/Dockerfile b/.github/docker/debian/buster/arm32v7/Dockerfile index 2113f55bd8..c283d9c6ce 100644 --- a/.github/docker/debian/buster/arm32v7/Dockerfile +++ b/.github/docker/debian/buster/arm32v7/Dockerfile 
@@ -51,19 +51,10 @@ deb [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/rpi/debian-dev ${CODE deb-src [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/rpi/debian-dev ${CODENAME} main EOF -RUN --mount=type=secret,id=REPO_PASSWORD \ - printf "machine ${REPO_DOMAIN} " > ~/.netrc && \ - printf "login ${REPO_USERNAME} " >> ~/.netrc && \ - printf "password " >> ~/.netrc && \ - cat /run/secrets/REPO_PASSWORD >> ~/.netrc && \ - cp -f ~/.netrc /etc/apt/auth.conf - RUN git config --global --add safe.directory '*' \ && git config --global user.name "${MAINTAINER_NAME}" \ && git config --global user.email "${MAINTAINER_EMAIL}" -RUN curl --netrc -o ${GPG_KEY} https://${REPO_DOMAIN}/repo/deb/rpi/debian-dev/signalwire-freeswitch-repo.gpg - # Bootstrap and Build COPY . ${DATA_DIR} WORKDIR ${DATA_DIR} 
@@ -72,9 +63,25 @@ RUN echo "export VERSION=$(cat ./build/next-release.txt | tr -d '\n')" | tee -a RUN . ~/.env && ./debian/util.sh prep-create-orig -n -V${VERSION}-${BUILD_NUMBER}-${GIT_SHA} -x RUN . ~/.env && ./debian/util.sh prep-create-dsc -a armhf ${CODENAME} -RUN apt-get -q update && \ - mk-build-deps --install --remove debian/control --tool "apt-get -y --no-install-recommends" && \ - apt-get -y -f install +RUN --mount=type=secret,id=REPO_PASSWORD \ + printf "machine ${REPO_DOMAIN} " > /etc/apt/auth.conf && \ + printf "login ${REPO_USERNAME} " >> /etc/apt/auth.conf && \ + printf "password " >> /etc/apt/auth.conf && \ + cat /run/secrets/REPO_PASSWORD >> /etc/apt/auth.conf && \ + curl \ + --fail \ + --netrc-file /etc/apt/auth.conf \ + --output ${GPG_KEY} \ + --silent \ + https://${REPO_DOMAIN}/repo/deb/rpi/debian-dev/signalwire-freeswitch-repo.gpg && \ + file ${GPG_KEY} && \ + apt-get --quiet update && \ + mk-build-deps \ + --install \ + --remove debian/control \ + --tool "apt-get --yes --no-install-recommends" && \ + apt-get --yes --fix-broken install && \ + rm -f /etc/apt/auth.conf ENV DEB_BUILD_OPTIONS="parallel=1" RUN . ~/.env && dch -b -M -v "${VERSION}-${BUILD_NUMBER}-${GIT_SHA}~${CODENAME}" \ diff --git a/.github/docker/debian/buster/arm64v8/Dockerfile b/.github/docker/debian/buster/arm64v8/Dockerfile index 150a77fec2..ac1f77959f 100644 --- a/.github/docker/debian/buster/arm64v8/Dockerfile +++ b/.github/docker/debian/buster/arm64v8/Dockerfile 
@@ -51,19 +51,10 @@ deb [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/debian-unstable ${COD deb-src [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/debian-unstable ${CODENAME} main EOF -RUN --mount=type=secret,id=REPO_PASSWORD \ - printf "machine ${REPO_DOMAIN} " > ~/.netrc && \ - printf "login ${REPO_USERNAME} " >> ~/.netrc && \ - printf "password " >> ~/.netrc && \ - cat /run/secrets/REPO_PASSWORD >> ~/.netrc && \ - cp -f ~/.netrc /etc/apt/auth.conf - RUN git config --global --add safe.directory '*' \ && git config --global user.name "${MAINTAINER_NAME}" \ && git config --global user.email "${MAINTAINER_EMAIL}" -RUN curl --netrc -o ${GPG_KEY} https://${REPO_DOMAIN}/repo/deb/debian-unstable/signalwire-freeswitch-repo.gpg - # Bootstrap and Build COPY . ${DATA_DIR} WORKDIR ${DATA_DIR} 
@@ -72,9 +63,25 @@ RUN echo "export VERSION=$(cat ./build/next-release.txt | tr -d '\n')" | tee -a RUN . ~/.env && ./debian/util.sh prep-create-orig -n -V${VERSION}-${BUILD_NUMBER}-${GIT_SHA} -x RUN . ~/.env && ./debian/util.sh prep-create-dsc -a arm64 ${CODENAME} -RUN apt-get -q update && \ - mk-build-deps --install --remove debian/control --tool "apt-get -y --no-install-recommends" && \ - apt-get -y -f install +RUN --mount=type=secret,id=REPO_PASSWORD \ + printf "machine ${REPO_DOMAIN} " > /etc/apt/auth.conf && \ + printf "login ${REPO_USERNAME} " >> /etc/apt/auth.conf && \ + printf "password " >> /etc/apt/auth.conf && \ + cat /run/secrets/REPO_PASSWORD >> /etc/apt/auth.conf && \ + curl \ + --fail \ + --netrc-file /etc/apt/auth.conf \ + --output ${GPG_KEY} \ + --silent \ + https://${REPO_DOMAIN}/repo/deb/debian-unstable/signalwire-freeswitch-repo.gpg && \ + file ${GPG_KEY} && \ + apt-get --quiet update && \ + mk-build-deps \ + --install \ + --remove debian/control \ + --tool "apt-get --yes --no-install-recommends" && \ + apt-get --yes --fix-broken install && \ + rm -f /etc/apt/auth.conf ENV DEB_BUILD_OPTIONS="parallel=1" RUN . ~/.env && dch -b -M -v "${VERSION}-${BUILD_NUMBER}-${GIT_SHA}~${CODENAME}" \ From 1c7163e2ce5bc404551bcc15224d3a1c37b7ab68 Mon Sep 17 00:00:00 2001 
From: s3rj1k Date: Sat, 22 Jun 2024 18:49:55 +0200 Subject: [PATCH 02/27] [GHA] Fail early when required secret not set. --- .github/docker/debian/bookworm/amd64/Dockerfile | 3 +-- .github/docker/debian/bookworm/arm32v7/Dockerfile | 3 +-- .github/docker/debian/bookworm/arm64v8/Dockerfile | 3 +-- .github/docker/debian/bullseye/amd64/Dockerfile | 3 +-- .github/docker/debian/bullseye/arm32v7/Dockerfile | 3 +-- .github/docker/debian/bullseye/arm64v8/Dockerfile | 3 +-- .github/docker/debian/buster/amd64/Dockerfile | 3 +-- .github/docker/debian/buster/arm32v7/Dockerfile | 3 +-- .github/docker/debian/buster/arm64v8/Dockerfile | 3 +-- .github/workflows/build.yml | 8 +++++++- 10 files changed, 16 insertions(+), 19 deletions(-) diff --git a/.github/docker/debian/bookworm/amd64/Dockerfile b/.github/docker/debian/bookworm/amd64/Dockerfile index 844d9494a4..7b1dc8bf38 100644 --- a/.github/docker/debian/bookworm/amd64/Dockerfile +++ b/.github/docker/debian/bookworm/amd64/Dockerfile @@ -63,7 +63,7 @@ RUN echo "export VERSION=$(cat ./build/next-release.txt | tr -d '\n')" | tee -a RUN . ~/.env && ./debian/util.sh prep-create-orig -n -V${VERSION}-${BUILD_NUMBER}-${GIT_SHA} -x RUN . ~/.env && ./debian/util.sh prep-create-dsc ${CODENAME} -RUN --mount=type=secret,id=REPO_PASSWORD \ +RUN --mount=type=secret,id=REPO_PASSWORD,required=true \ printf "machine ${REPO_DOMAIN} " > /etc/apt/auth.conf && \ printf "login ${REPO_USERNAME} " >> /etc/apt/auth.conf && \ printf "password " >> /etc/apt/auth.conf && \ @@ -72,7 +72,6 @@ RUN --mount=type=secret,id=REPO_PASSWORD \ --fail \ --netrc-file /etc/apt/auth.conf \ --output ${GPG_KEY} \ - --silent \ https://${REPO_DOMAIN}/repo/deb/debian-unstable/signalwire-freeswitch-repo.gpg && \ file ${GPG_KEY} && \ apt-get --quiet update && \ diff --git a/.github/docker/debian/bookworm/arm32v7/Dockerfile b/.github/docker/debian/bookworm/arm32v7/Dockerfile index 164e602356..08608032a4 100644 --- a/.github/docker/debian/bookworm/arm32v7/Dockerfile 
+++ b/.github/docker/debian/bookworm/arm32v7/Dockerfile @@ -63,7 +63,7 @@ RUN echo "export VERSION=$(cat ./build/next-release.txt | tr -d '\n')" | tee -a RUN . ~/.env && ./debian/util.sh prep-create-orig -n -V${VERSION}-${BUILD_NUMBER}-${GIT_SHA} -x RUN . ~/.env && ./debian/util.sh prep-create-dsc -a armhf ${CODENAME} -RUN --mount=type=secret,id=REPO_PASSWORD \ +RUN --mount=type=secret,id=REPO_PASSWORD,required=true \ printf "machine ${REPO_DOMAIN} " > /etc/apt/auth.conf && \ printf "login ${REPO_USERNAME} " >> /etc/apt/auth.conf && \ printf "password " >> /etc/apt/auth.conf && \ @@ -72,7 +72,6 @@ RUN --mount=type=secret,id=REPO_PASSWORD \ --fail \ --netrc-file /etc/apt/auth.conf \ --output ${GPG_KEY} \ - --silent \ https://${REPO_DOMAIN}/repo/deb/rpi/debian-dev/signalwire-freeswitch-repo.gpg && \ file ${GPG_KEY} && \ apt-get --quiet update && \ diff --git a/.github/docker/debian/bookworm/arm64v8/Dockerfile b/.github/docker/debian/bookworm/arm64v8/Dockerfile index 0e30f8504e..e509a587e6 100644 --- a/.github/docker/debian/bookworm/arm64v8/Dockerfile +++ b/.github/docker/debian/bookworm/arm64v8/Dockerfile @@ -63,7 +63,7 @@ RUN echo "export VERSION=$(cat ./build/next-release.txt | tr -d '\n')" | tee -a RUN . ~/.env && ./debian/util.sh prep-create-orig -n -V${VERSION}-${BUILD_NUMBER}-${GIT_SHA} -x RUN . ~/.env && ./debian/util.sh prep-create-dsc -a arm64 ${CODENAME} -RUN --mount=type=secret,id=REPO_PASSWORD \ +RUN --mount=type=secret,id=REPO_PASSWORD,required=true \ printf "machine ${REPO_DOMAIN} " > /etc/apt/auth.conf && \ printf "login ${REPO_USERNAME} " >> /etc/apt/auth.conf && \ printf "password " >> /etc/apt/auth.conf && \ @@ -72,7 +72,6 @@ RUN --mount=type=secret,id=REPO_PASSWORD \ --fail \ --netrc-file /etc/apt/auth.conf \ --output ${GPG_KEY} \ - --silent \ https://${REPO_DOMAIN}/repo/deb/debian-unstable/signalwire-freeswitch-repo.gpg && \ file ${GPG_KEY} && \ apt-get --quiet update && \ 
diff --git a/.github/docker/debian/bullseye/amd64/Dockerfile b/.github/docker/debian/bullseye/amd64/Dockerfile index e4557f1ed6..0d11c84dec 100644 --- a/.github/docker/debian/bullseye/amd64/Dockerfile +++ b/.github/docker/debian/bullseye/amd64/Dockerfile @@ -63,7 +63,7 @@ RUN echo "export VERSION=$(cat ./build/next-release.txt | tr -d '\n')" | tee -a RUN . ~/.env && ./debian/util.sh prep-create-orig -n -V${VERSION}-${BUILD_NUMBER}-${GIT_SHA} -x RUN . ~/.env && ./debian/util.sh prep-create-dsc ${CODENAME} -RUN --mount=type=secret,id=REPO_PASSWORD \ +RUN --mount=type=secret,id=REPO_PASSWORD,required=true \ printf "machine ${REPO_DOMAIN} " > /etc/apt/auth.conf && \ printf "login ${REPO_USERNAME} " >> /etc/apt/auth.conf && \ printf "password " >> /etc/apt/auth.conf && \ @@ -72,7 +72,6 @@ RUN --mount=type=secret,id=REPO_PASSWORD \ --fail \ --netrc-file /etc/apt/auth.conf \ --output ${GPG_KEY} \ - --silent \ https://${REPO_DOMAIN}/repo/deb/debian-unstable/signalwire-freeswitch-repo.gpg && \ file ${GPG_KEY} && \ apt-get --quiet update && \ diff --git a/.github/docker/debian/bullseye/arm32v7/Dockerfile b/.github/docker/debian/bullseye/arm32v7/Dockerfile index 03eb59b40f..7ea36d1bcc 100644 --- a/.github/docker/debian/bullseye/arm32v7/Dockerfile +++ b/.github/docker/debian/bullseye/arm32v7/Dockerfile @@ -63,7 +63,7 @@ RUN echo "export VERSION=$(cat ./build/next-release.txt | tr -d '\n')" | tee -a RUN . ~/.env && ./debian/util.sh prep-create-orig -n -V${VERSION}-${BUILD_NUMBER}-${GIT_SHA} -x RUN . ~/.env && ./debian/util.sh prep-create-dsc -a armhf ${CODENAME} -RUN --mount=type=secret,id=REPO_PASSWORD \ +RUN --mount=type=secret,id=REPO_PASSWORD,required=true \ printf "machine ${REPO_DOMAIN} " > /etc/apt/auth.conf && \ printf "login ${REPO_USERNAME} " >> /etc/apt/auth.conf && \ printf "password " >> /etc/apt/auth.conf && \ 
@@ -72,7 +72,6 @@ RUN --mount=type=secret,id=REPO_PASSWORD \ --fail \ --netrc-file /etc/apt/auth.conf \ --output ${GPG_KEY} \ - --silent \ https://${REPO_DOMAIN}/repo/deb/rpi/debian-dev/signalwire-freeswitch-repo.gpg && \ file ${GPG_KEY} && \ apt-get --quiet update && \ diff --git a/.github/docker/debian/bullseye/arm64v8/Dockerfile b/.github/docker/debian/bullseye/arm64v8/Dockerfile index ca216a82d7..ae3429cff7 100644 --- a/.github/docker/debian/bullseye/arm64v8/Dockerfile +++ b/.github/docker/debian/bullseye/arm64v8/Dockerfile @@ -63,7 +63,7 @@ RUN echo "export VERSION=$(cat ./build/next-release.txt | tr -d '\n')" | tee -a RUN . ~/.env && ./debian/util.sh prep-create-orig -n -V${VERSION}-${BUILD_NUMBER}-${GIT_SHA} -x RUN . ~/.env && ./debian/util.sh prep-create-dsc -a arm64 ${CODENAME} -RUN --mount=type=secret,id=REPO_PASSWORD \ +RUN --mount=type=secret,id=REPO_PASSWORD,required=true \ printf "machine ${REPO_DOMAIN} " > /etc/apt/auth.conf && \ printf "login ${REPO_USERNAME} " >> /etc/apt/auth.conf && \ printf "password " >> /etc/apt/auth.conf && \ @@ -72,7 +72,6 @@ RUN --mount=type=secret,id=REPO_PASSWORD \ --fail \ --netrc-file /etc/apt/auth.conf \ --output ${GPG_KEY} \ - --silent \ https://${REPO_DOMAIN}/repo/deb/debian-unstable/signalwire-freeswitch-repo.gpg && \ file ${GPG_KEY} && \ apt-get --quiet update && \ diff --git a/.github/docker/debian/buster/amd64/Dockerfile b/.github/docker/debian/buster/amd64/Dockerfile index a0da4dbe7c..9f3d03f14c 100644 --- a/.github/docker/debian/buster/amd64/Dockerfile +++ b/.github/docker/debian/buster/amd64/Dockerfile 
@@ -64,7 +64,7 @@ RUN echo "export VERSION=$(cat ./build/next-release.txt | tr -d '\n')" | tee -a RUN . ~/.env && ./debian/util.sh prep-create-orig -n -V${VERSION}-${BUILD_NUMBER}-${GIT_SHA} -x RUN . ~/.env && ./debian/util.sh prep-create-dsc ${CODENAME} -RUN --mount=type=secret,id=REPO_PASSWORD \ +RUN --mount=type=secret,id=REPO_PASSWORD,required=true \ printf "machine ${REPO_DOMAIN} " > /etc/apt/auth.conf && \ printf "login ${REPO_USERNAME} " >> /etc/apt/auth.conf && \ printf "password " >> /etc/apt/auth.conf && \ @@ -73,7 +73,6 @@ RUN --mount=type=secret,id=REPO_PASSWORD \ --fail \ --netrc-file /etc/apt/auth.conf \ --output ${GPG_KEY} \ - --silent \ https://${REPO_DOMAIN}/repo/deb/debian-unstable/signalwire-freeswitch-repo.gpg && \ file ${GPG_KEY} && \ apt-get --quiet update && \ diff --git a/.github/docker/debian/buster/arm32v7/Dockerfile b/.github/docker/debian/buster/arm32v7/Dockerfile index c283d9c6ce..362c2a6602 100644 --- a/.github/docker/debian/buster/arm32v7/Dockerfile +++ b/.github/docker/debian/buster/arm32v7/Dockerfile @@ -63,7 +63,7 @@ RUN echo "export VERSION=$(cat ./build/next-release.txt | tr -d '\n')" | tee -a RUN . ~/.env && ./debian/util.sh prep-create-orig -n -V${VERSION}-${BUILD_NUMBER}-${GIT_SHA} -x RUN . ~/.env && ./debian/util.sh prep-create-dsc -a armhf ${CODENAME} -RUN --mount=type=secret,id=REPO_PASSWORD \ +RUN --mount=type=secret,id=REPO_PASSWORD,required=true \ printf "machine ${REPO_DOMAIN} " > /etc/apt/auth.conf && \ printf "login ${REPO_USERNAME} " >> /etc/apt/auth.conf && \ printf "password " >> /etc/apt/auth.conf && \ @@ -72,7 +72,6 @@ RUN --mount=type=secret,id=REPO_PASSWORD \ --fail \ --netrc-file /etc/apt/auth.conf \ --output ${GPG_KEY} \ - --silent \ https://${REPO_DOMAIN}/repo/deb/rpi/debian-dev/signalwire-freeswitch-repo.gpg && \ file ${GPG_KEY} && \ apt-get --quiet update && \ diff --git a/.github/docker/debian/buster/arm64v8/Dockerfile b/.github/docker/debian/buster/arm64v8/Dockerfile index ac1f77959f..ed678405a9 100644 
--- a/.github/docker/debian/buster/arm64v8/Dockerfile +++ b/.github/docker/debian/buster/arm64v8/Dockerfile @@ -63,7 +63,7 @@ RUN echo "export VERSION=$(cat ./build/next-release.txt | tr -d '\n')" | tee -a RUN . ~/.env && ./debian/util.sh prep-create-orig -n -V${VERSION}-${BUILD_NUMBER}-${GIT_SHA} -x RUN . ~/.env && ./debian/util.sh prep-create-dsc -a arm64 ${CODENAME} -RUN --mount=type=secret,id=REPO_PASSWORD \ +RUN --mount=type=secret,id=REPO_PASSWORD,required=true \ printf "machine ${REPO_DOMAIN} " > /etc/apt/auth.conf && \ printf "login ${REPO_USERNAME} " >> /etc/apt/auth.conf && \ printf "password " >> /etc/apt/auth.conf && \ @@ -72,7 +72,6 @@ RUN --mount=type=secret,id=REPO_PASSWORD \ --fail \ --netrc-file /etc/apt/auth.conf \ --output ${GPG_KEY} \ - --silent \ https://${REPO_DOMAIN}/repo/deb/debian-unstable/signalwire-freeswitch-repo.gpg && \ file ${GPG_KEY} && \ apt-get --quiet update && \ diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e16da9a364..ec183137b4 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,6 +1,12 @@ name: Build and Distribute on: + pull_request_target: + types: + - ready_for_review + paths: + - '**' + - '!.github/' pull_request: push: branches: @@ -23,7 +29,7 @@ jobs: run: | JSON="[]" - if [[ "${{ github.event_name }}" == "pull_request" ]]; then + if [[ "${{ github.event_name }}" == "pull_request" || "${{ github.event_name }}" == "pull_request_target" ]]; then JSON=$(jq -n '[ { "version": "bookworm", From 89a2db91c823086237600cfa3ce6bddfe92006e5 Mon Sep 17 00:00:00 2001 
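Review bot: The `pull_request_target` trigger added in the first `build.yml` hunk runs this workflow with the base repository's secrets for pull requests that come from forks, while the same patch makes the Docker build require `REPO_PASSWORD`. If the build job checks out the pull request's head (the checkout step is outside this hunk), the Dockerfiles and the scripts they run after `COPY . ${DATA_DIR}` come from the fork and execute in a step that has the repository password mounted. The `'!.github/'` exclusion does not change that: path filters decide whether the workflow starts, not which files it builds, and as far as I can tell the pattern would need to be `'!.github/**'` to match files below the directory at all. Consider keeping fork builds on `pull_request` without the secret, or putting the secret-bearing job behind a protected environment with required reviewers. With both `pull_request` and `pull_request_target` listed, one pull request can presumably also start the workflow twice.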
From: s3rj1k Date: Tue, 25 Jun 2024 17:00:45 +0200 Subject: [PATCH 03/27] [GHA] Increase verbosity for `mount=type=secret`. --- .github/docker/debian/bookworm/amd64/Dockerfile | 2 +- .github/docker/debian/bookworm/arm32v7/Dockerfile | 2 +- .github/docker/debian/bookworm/arm64v8/Dockerfile | 2 +- .github/docker/debian/bullseye/amd64/Dockerfile | 2 +- .github/docker/debian/bullseye/arm32v7/Dockerfile | 2 +- .github/docker/debian/bullseye/arm64v8/Dockerfile | 2 +- .github/docker/debian/buster/amd64/Dockerfile | 2 +- .github/docker/debian/buster/arm32v7/Dockerfile | 2 +- .github/docker/debian/buster/arm64v8/Dockerfile | 2 +- .github/workflows/build.yml | 2 +- 10 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/docker/debian/bookworm/amd64/Dockerfile b/.github/docker/debian/bookworm/amd64/Dockerfile index 7b1dc8bf38..3ef7b38b38 100644 --- a/.github/docker/debian/bookworm/amd64/Dockerfile +++ b/.github/docker/debian/bookworm/amd64/Dockerfile @@ -8,7 +8,6 @@ ARG MAINTAINER_EMAIL="andrey@signalwire.com" # Credentials ARG REPO_DOMAIN=freeswitch.signalwire.com ARG REPO_USERNAME=user -ARG REPO_PASSWORD=password ARG BUILD_NUMBER=42 ARG GIT_SHA=0000000000 @@ -68,6 +67,7 @@ RUN --mount=type=secret,id=REPO_PASSWORD,required=true \ printf "login ${REPO_USERNAME} " >> /etc/apt/auth.conf && \ printf "password " >> /etc/apt/auth.conf && \ cat /run/secrets/REPO_PASSWORD >> /etc/apt/auth.conf && \ + sha512sum /run/secrets/REPO_PASSWORD && \ curl \ --fail \ --netrc-file /etc/apt/auth.conf \ diff --git a/.github/docker/debian/bookworm/arm32v7/Dockerfile b/.github/docker/debian/bookworm/arm32v7/Dockerfile index 08608032a4..6259c7e8e9 100644 --- a/.github/docker/debian/bookworm/arm32v7/Dockerfile +++ b/.github/docker/debian/bookworm/arm32v7/Dockerfile @@ -8,7 +8,6 @@ ARG MAINTAINER_EMAIL="andrey@signalwire.com" # Credentials ARG REPO_DOMAIN=freeswitch.signalwire.com ARG REPO_USERNAME=user -ARG REPO_PASSWORD=password ARG BUILD_NUMBER=42 ARG GIT_SHA=0000000000 
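Review bot: The added `sha512sum /run/secrets/REPO_PASSWORD` writes an unsalted SHA-512 digest of the repository password to the build output, which ends up in the CI log; anyone who can read that log can check password guesses against the digest offline. If the aim is to confirm that the secret was mounted and is not empty, `test -s /run/secrets/REPO_PASSWORD && \` gives the same signal without printing anything derived from the value. Should a build with this line already have run where the log is readable by others, rotating the password is the safe follow-up. The line is added in the `@@ -68,6 +67,7 @@` hunk of every Dockerfile in this patch, and the RUN instruction it belongs to starts and ends outside the hunk.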
@@ -68,6 +67,7 @@ RUN --mount=type=secret,id=REPO_PASSWORD,required=true \ printf "login ${REPO_USERNAME} " >> /etc/apt/auth.conf && \ printf "password " >> /etc/apt/auth.conf && \ cat /run/secrets/REPO_PASSWORD >> /etc/apt/auth.conf && \ + sha512sum /run/secrets/REPO_PASSWORD && \ curl \ --fail \ --netrc-file /etc/apt/auth.conf \ diff --git a/.github/docker/debian/bookworm/arm64v8/Dockerfile b/.github/docker/debian/bookworm/arm64v8/Dockerfile index e509a587e6..0df5a178fe 100644 --- a/.github/docker/debian/bookworm/arm64v8/Dockerfile +++ b/.github/docker/debian/bookworm/arm64v8/Dockerfile @@ -8,7 +8,6 @@ ARG MAINTAINER_EMAIL="andrey@signalwire.com" # Credentials ARG REPO_DOMAIN=freeswitch.signalwire.com ARG REPO_USERNAME=user -ARG REPO_PASSWORD=password ARG BUILD_NUMBER=42 ARG GIT_SHA=0000000000 @@ -68,6 +67,7 @@ RUN --mount=type=secret,id=REPO_PASSWORD,required=true \ printf "login ${REPO_USERNAME} " >> /etc/apt/auth.conf && \ printf "password " >> /etc/apt/auth.conf && \ cat /run/secrets/REPO_PASSWORD >> /etc/apt/auth.conf && \ + sha512sum /run/secrets/REPO_PASSWORD && \ curl \ --fail \ --netrc-file /etc/apt/auth.conf \ diff --git a/.github/docker/debian/bullseye/amd64/Dockerfile b/.github/docker/debian/bullseye/amd64/Dockerfile index 0d11c84dec..56586d338e 100644 --- a/.github/docker/debian/bullseye/amd64/Dockerfile +++ b/.github/docker/debian/bullseye/amd64/Dockerfile @@ -8,7 +8,6 @@ ARG MAINTAINER_EMAIL="andrey@signalwire.com" # Credentials ARG REPO_DOMAIN=freeswitch.signalwire.com ARG REPO_USERNAME=user -ARG REPO_PASSWORD=password ARG BUILD_NUMBER=42 ARG GIT_SHA=0000000000 @@ -68,6 +67,7 @@ RUN --mount=type=secret,id=REPO_PASSWORD,required=true \ printf "login ${REPO_USERNAME} " >> /etc/apt/auth.conf && \ printf "password " >> /etc/apt/auth.conf && \ cat /run/secrets/REPO_PASSWORD >> /etc/apt/auth.conf && \ + sha512sum /run/secrets/REPO_PASSWORD && \ curl \ --fail \ --netrc-file /etc/apt/auth.conf \ 
diff --git a/.github/docker/debian/bullseye/arm32v7/Dockerfile b/.github/docker/debian/bullseye/arm32v7/Dockerfile index 7ea36d1bcc..24c5804b68 100644 --- a/.github/docker/debian/bullseye/arm32v7/Dockerfile +++ b/.github/docker/debian/bullseye/arm32v7/Dockerfile @@ -8,7 +8,6 @@ ARG MAINTAINER_EMAIL="andrey@signalwire.com" # Credentials ARG REPO_DOMAIN=freeswitch.signalwire.com ARG REPO_USERNAME=user -ARG REPO_PASSWORD=password ARG BUILD_NUMBER=42 ARG GIT_SHA=0000000000 @@ -68,6 +67,7 @@ RUN --mount=type=secret,id=REPO_PASSWORD,required=true \ printf "login ${REPO_USERNAME} " >> /etc/apt/auth.conf && \ printf "password " >> /etc/apt/auth.conf && \ cat /run/secrets/REPO_PASSWORD >> /etc/apt/auth.conf && \ + sha512sum /run/secrets/REPO_PASSWORD && \ curl \ --fail \ --netrc-file /etc/apt/auth.conf \ diff --git a/.github/docker/debian/bullseye/arm64v8/Dockerfile b/.github/docker/debian/bullseye/arm64v8/Dockerfile index ae3429cff7..f5a6a906c4 100644 --- a/.github/docker/debian/bullseye/arm64v8/Dockerfile +++ b/.github/docker/debian/bullseye/arm64v8/Dockerfile @@ -8,7 +8,6 @@ ARG MAINTAINER_EMAIL="andrey@signalwire.com" # Credentials ARG REPO_DOMAIN=freeswitch.signalwire.com ARG REPO_USERNAME=user -ARG REPO_PASSWORD=password ARG BUILD_NUMBER=42 ARG GIT_SHA=0000000000 @@ -68,6 +67,7 @@ RUN --mount=type=secret,id=REPO_PASSWORD,required=true \ printf "login ${REPO_USERNAME} " >> /etc/apt/auth.conf && \ printf "password " >> /etc/apt/auth.conf && \ cat /run/secrets/REPO_PASSWORD >> /etc/apt/auth.conf && \ + sha512sum /run/secrets/REPO_PASSWORD && \ curl \ --fail \ --netrc-file /etc/apt/auth.conf \ diff --git a/.github/docker/debian/buster/amd64/Dockerfile b/.github/docker/debian/buster/amd64/Dockerfile index 9f3d03f14c..8e88ce56e6 100644 --- a/.github/docker/debian/buster/amd64/Dockerfile +++ b/.github/docker/debian/buster/amd64/Dockerfile 
@@ -8,7 +8,6 @@ ARG MAINTAINER_EMAIL="andrey@signalwire.com" # Credentials ARG REPO_DOMAIN=freeswitch.signalwire.com ARG REPO_USERNAME=user -ARG REPO_PASSWORD=password ARG BUILD_NUMBER=42 ARG GIT_SHA=0000000000 @@ -69,6 +68,7 @@ RUN --mount=type=secret,id=REPO_PASSWORD,required=true \ printf "login ${REPO_USERNAME} " >> /etc/apt/auth.conf && \ printf "password " >> /etc/apt/auth.conf && \ cat /run/secrets/REPO_PASSWORD >> /etc/apt/auth.conf && \ + sha512sum /run/secrets/REPO_PASSWORD && \ curl \ --fail \ --netrc-file /etc/apt/auth.conf \ diff --git a/.github/docker/debian/buster/arm32v7/Dockerfile b/.github/docker/debian/buster/arm32v7/Dockerfile index 362c2a6602..9326979622 100644 --- a/.github/docker/debian/buster/arm32v7/Dockerfile +++ b/.github/docker/debian/buster/arm32v7/Dockerfile @@ -8,7 +8,6 @@ ARG MAINTAINER_EMAIL="andrey@signalwire.com" # Credentials ARG REPO_DOMAIN=freeswitch.signalwire.com ARG REPO_USERNAME=user -ARG REPO_PASSWORD=password ARG BUILD_NUMBER=42 ARG GIT_SHA=0000000000 @@ -68,6 +67,7 @@ RUN --mount=type=secret,id=REPO_PASSWORD,required=true \ printf "login ${REPO_USERNAME} " >> /etc/apt/auth.conf && \ printf "password " >> /etc/apt/auth.conf && \ cat /run/secrets/REPO_PASSWORD >> /etc/apt/auth.conf && \ + sha512sum /run/secrets/REPO_PASSWORD && \ curl \ --fail \ --netrc-file /etc/apt/auth.conf \ diff --git a/.github/docker/debian/buster/arm64v8/Dockerfile b/.github/docker/debian/buster/arm64v8/Dockerfile index ed678405a9..71aca46052 100644 --- a/.github/docker/debian/buster/arm64v8/Dockerfile +++ b/.github/docker/debian/buster/arm64v8/Dockerfile @@ -8,7 +8,6 @@ ARG MAINTAINER_EMAIL="andrey@signalwire.com" # Credentials ARG REPO_DOMAIN=freeswitch.signalwire.com ARG REPO_USERNAME=user -ARG REPO_PASSWORD=password ARG BUILD_NUMBER=42 ARG GIT_SHA=0000000000 
@@ -68,6 +67,7 @@ RUN --mount=type=secret,id=REPO_PASSWORD,required=true \ printf "login ${REPO_USERNAME} " >> /etc/apt/auth.conf && \ printf "password " >> /etc/apt/auth.conf && \ cat /run/secrets/REPO_PASSWORD >> /etc/apt/auth.conf && \ + sha512sum /run/secrets/REPO_PASSWORD && \ curl \ --fail \ --netrc-file /etc/apt/auth.conf \ diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ec183137b4..a3be4b2c2c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -93,7 +93,7 @@ jobs: PROXY_URL: ${{ secrets.PROXY_URL }} USERNAME: ${{ secrets.USERNAME }} TELEPORT_TOKEN: ${{ secrets.TELEPORT_TOKEN }} - REPO_USERNAME: 'signalwire' + REPO_USERNAME: 'SWUSERNAME' REPO_PASSWORD: ${{ secrets.REPOTOKEN }} meta: From c8b8f0d9614987fef2b07b48ba4d5ac9ddbf9e44 Mon Sep 17 00:00:00 2001 From: s3rj1k Date: Tue, 25 Jun 2024 20:35:43 +0200 Subject: [PATCH 04/27] [GHA] Rework `pull_request_target` workflow. --- .github/workflows/build-from-fork.yml | 75 +++++++++++++++++++++++++++ .github/workflows/build.yml | 8 +-- 2 files changed, 76 insertions(+), 7 deletions(-) create mode 100644 .github/workflows/build-from-fork.yml diff --git a/.github/workflows/build-from-fork.yml b/.github/workflows/build-from-fork.yml new file mode 100644 index 0000000000..0fe53c239a --- /dev/null +++ b/.github/workflows/build-from-fork.yml 
@@ -0,0 +1,75 @@ +name: Build from fork + +on: + pull_request_target: + types: + - ready_for_review + paths: + - '**' + - '!.github/' + workflow_dispatch: + +concurrency: + group: ${{ github.head_ref || github.ref }} + +jobs: + deb: + name: 'DEB' + strategy: + max-parallel: 1 + fail-fast: true + matrix: + os: + - debian + version: + - bookworm + - bullseye + - buster + platform: + - name: amd64 + runner: ubuntu-latest + - name: arm32v7 + runner: linux-arm64-4-core-public + - name: arm64v8 + runner: linux-arm64-4-core-public + exclude: + - version: bookworm + platform: + name: amd64 + - version: bookworm + platform: + name: arm64v8 + - version: bullseye + + runs-on: ${{ matrix.platform.runner }} + + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + fetch-depth: 0 + path: code + + - name: Checkout reusable actions + uses: actions/checkout@v4 + with: + repository: signalwire/actions-template + ref: main + fetch-depth: 1 + path: actions + sparse-checkout: | + .github/actions/docker-build-artifacts/action.yml + sparse-checkout-cone-mode: false + + - name: Build artifacts via Docker + uses: ./actions/.github/actions/docker-build-artifacts + with: + REPO_DOMAIN: freeswitch.signalwire.com + PLATFORM: ${{ matrix.platform.name }} + DOCKERFILE: .github/docker/${{ matrix.os }}/${{ matrix.version }}/${{ matrix.platform.name }}/Dockerfile + MAINTAINER: 'Andrey Volk ' + WORKING_DIRECTORY: code + env: + REPO_USERNAME: 'SWUSERNAME' + REPO_PASSWORD: ${{ secrets.REPO_PASSWORD }} diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a3be4b2c2c..df3baa4992 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,12 +1,6 @@ name: Build and Distribute on: - pull_request_target: - types: - - ready_for_review - paths: - - '**' - - '!.github/' pull_request: push: branches: 
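Review bot: The `Checkout code` step checks out `github.event.pull_request.head.sha` in a `pull_request_target` run, and `Build artifacts via Docker` then builds that tree with `secrets.REPO_PASSWORD` in its environment, so content supplied by a fork is processed while the repository credential is available. The `ready_for_review` type can be triggered by the pull-request author, so it is not a maintainer approval. Consider gating the `deb` job on a protected environment with required reviewers (`environment: <protected-environment-name>`) or on a maintainer-applied label. Also pin `actions/checkout` and `signalwire/actions-template` to commit SHAs instead of `v4` and `main`.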
@@ -29,7 +23,7 @@ jobs: run: | JSON="[]" - if [[ "${{ github.event_name }}" == "pull_request" || "${{ github.event_name }}" == "pull_request_target" ]]; then + if [[ "${{ github.event_name }}" == "pull_request" ]]; then JSON=$(jq -n '[ { "version": "bookworm", From 4a15dc1a6252a53ba18c76d595509c083de7d197 Mon Sep 17 00:00:00 2001 From: s3rj1k Date: Tue, 25 Jun 2024 21:38:29 +0200 Subject: [PATCH 05/27] [GHA] Pin workflow to repository. --- .github/workflows/build-from-fork.yml | 1 - .github/workflows/build.yml | 3 +++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-from-fork.yml b/.github/workflows/build-from-fork.yml index 0fe53c239a..b98cadb134 100644 --- a/.github/workflows/build-from-fork.yml +++ b/.github/workflows/build-from-fork.yml @@ -7,7 +7,6 @@ on: paths: - '**' - '!.github/' - workflow_dispatch: concurrency: group: ${{ github.head_ref || github.ref }} diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index df3baa4992..5b7cfb3665 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -14,6 +14,8 @@ concurrency: jobs: excludes: + name: 'Excludes' + if: github.repository == 'signalwire/freeswitch' runs-on: ubuntu-latest outputs: deb: ${{ steps.deb.outputs.excludes }} @@ -47,6 +49,7 @@ jobs: deb: name: 'DEB' + if: github.repository == 'signalwire/freeswitch' permissions: id-token: write contents: read From 318953d078c1b109120cac24af231eaf8e7b63f1 Mon Sep 17 00:00:00 2001 From: s3rj1k Date: Tue, 25 Jun 2024 22:15:53 +0200 Subject: [PATCH 06/27] [GHA] Pin workflow to repository. --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5b7cfb3665..59958dfc0a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -15,7 +15,7 @@ concurrency: jobs: excludes: name: 'Excludes' - if: github.repository == 'signalwire/freeswitch' + if: github.event.pull_request.head.repo.full_name == github.repository runs-on: ubuntu-latest outputs: deb: ${{ steps.deb.outputs.excludes }} @@ -49,7 +49,7 @@ jobs: deb: name: 'DEB' - if: github.repository == 'signalwire/freeswitch' + if: github.event.pull_request.head.repo.full_name == github.repository permissions: id-token: write contents: read From 460d1c19cfb191e73396650727b93ee8936d744d Mon Sep 17 00:00:00 2001 From: s3rj1k Date: Thu, 27 Jun 2024 13:25:53 +0200 Subject: [PATCH 07/27] [GHA] Remove `build-from-fork.yml`. --- .github/workflows/build-from-fork.yml | 74 --------------------------- 1 file changed, 74 deletions(-) delete mode 100644 .github/workflows/build-from-fork.yml diff --git a/.github/workflows/build-from-fork.yml b/.github/workflows/build-from-fork.yml deleted file mode 100644 index b98cadb134..0000000000 --- a/.github/workflows/build-from-fork.yml +++ /dev/null 
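Review bot: `github.event.pull_request.head.repo.full_name == github.repository` is only meaningful for `pull_request` events. On `push` and `workflow_dispatch`, which this workflow also declares, `github.event.pull_request` is empty and the comparison is false, so `excludes` and `deb` are skipped for pushes to `master`. An event-aware form keeps the fork guard without disabling the other triggers: `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`. The same applies to the second hunk (the `deb` job); patch 08 later comments both conditions out, which removes the guard altogether.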
@@ -1,74 +0,0 @@ -name: Build from fork - -on: - pull_request_target: - types: - - ready_for_review - paths: - - '**' - - '!.github/' - -concurrency: - group: ${{ github.head_ref || github.ref }} - -jobs: - deb: - name: 'DEB' - strategy: - max-parallel: 1 - fail-fast: true - matrix: - os: - - debian - version: - - bookworm - - bullseye - - buster - platform: - - name: amd64 - runner: ubuntu-latest - - name: arm32v7 - runner: linux-arm64-4-core-public - - name: arm64v8 - runner: linux-arm64-4-core-public - exclude: - - version: bookworm - platform: - name: amd64 - - version: bookworm - platform: - name: arm64v8 - - version: bullseye - - runs-on: ${{ matrix.platform.runner }} - - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - ref: ${{ github.event.pull_request.head.sha }} - fetch-depth: 0 - path: code - - - name: Checkout reusable actions - uses: actions/checkout@v4 - with: - repository: signalwire/actions-template - ref: main - fetch-depth: 1 - path: actions - sparse-checkout: | - .github/actions/docker-build-artifacts/action.yml - sparse-checkout-cone-mode: false - - - name: Build artifacts via Docker - uses: ./actions/.github/actions/docker-build-artifacts - with: - REPO_DOMAIN: freeswitch.signalwire.com - PLATFORM: ${{ matrix.platform.name }} - DOCKERFILE: .github/docker/${{ matrix.os }}/${{ matrix.version }}/${{ matrix.platform.name }}/Dockerfile - MAINTAINER: 'Andrey Volk ' - WORKING_DIRECTORY: code - env: - REPO_USERNAME: 'SWUSERNAME' - REPO_PASSWORD: ${{ secrets.REPO_PASSWORD }} From 5f4036eaac7ca52b3b511ac4eeecd267f8d4d454 Mon Sep 17 00:00:00 2001 From: s3rj1k Date: Mon, 22 Jul 2024 16:39:05 +0200 Subject: [PATCH 08/27] [GHA] Disable repo name check. --- .github/workflows/build.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 59958dfc0a..2d1ddf07fc 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -5,6 +5,7 @@ on: push: branches: - master + - v1.10 paths: - "**" workflow_dispatch: @@ -15,7 +16,7 @@ concurrency: jobs: excludes: name: 'Excludes' - if: github.event.pull_request.head.repo.full_name == github.repository + # if: github.event.pull_request.head.repo.full_name == github.repository runs-on: ubuntu-latest outputs: deb: ${{ steps.deb.outputs.excludes }} @@ -49,7 +50,7 @@ jobs: deb: name: 'DEB' - if: github.event.pull_request.head.repo.full_name == github.repository + # if: github.event.pull_request.head.repo.full_name == github.repository permissions: id-token: write contents: read From 19270516bf9bf8b2854aa9788b8cba7de55c9314 Mon Sep 17 00:00:00 2001 From: s3rj1k Date: Mon, 22 Jul 2024 16:57:32 +0200 Subject: [PATCH 09/27] [UTIL] Generate reproducible source archive. --- debian/util.sh | 33 +++++++++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 4 deletions(-) diff --git a/debian/util.sh b/debian/util.sh index 46c1f95346..dab53b1d47 100755 --- a/debian/util.sh +++ b/debian/util.sh @@ -203,11 +203,16 @@ create_orig () { done shift $(($OPTIND-1)) - local orig + local commit_epoch=$(git log -1 --format=%ct) + local source_date=$(date -u -d @$commit_epoch +'%Y-%m-%d %H:%M:%S') + + local orig git_archive_prefix if $auto_orig; then orig="../freeswitch_$(debian/version-omit_revision.pl).orig.tar.xz" + git_archive_prefix="freeswitch/" else orig="../freeswitch_$(mk_dver "$uver")~$(lsb_release -sc).orig.tar.xz" + git_archive_prefix="freeswitch-$uver/" fi mv .gitattributes .gitattributes.orig 
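Review bot: `local commit_epoch=$(git log -1 --format=%ct)` and `local source_date=$(date -u -d @$commit_epoch ...)` hide a failure of `git` or `date`, because the exit status of `local` replaces that of the command substitution; an empty `source_date` would then reach `tar --mtime` in the next hunk. Declare first and assign separately, e.g. `local commit_epoch source_date` followed by `commit_epoch=$(git log -1 --format=%ct) || return 1` (or the script's own error helper), and quote the expansion as `"@${commit_epoch}"`. `local tmpsrcdir="$(mktemp -d)"` in the following hunk has the same problem. `create_orig` starts and ends outside the hunk, so whether the script already runs under `set -e` is not visible here.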
@@ -226,12 +231,32 @@ create_orig () { git add -f configure.ac .version git commit --allow-empty -m "nightly v$uver" + local tmpsrcdir="$(mktemp -d)" git archive -v \ --worktree-attributes \ --format=tar \ - --prefix=freeswitch-$uver/ \ - HEAD \ - | xz -c -${zl}v > $orig + --prefix=$git_archive_prefix \ + HEAD | tar --extract --directory="$tmpsrcdir" + + # https://www.gnu.org/software/tar/manual/html_section/Reproducibility.html + tar \ + --sort=name \ + --format=posix \ + --pax-option='exthdr.name=%d/PaxHeaders/%f' \ + --pax-option='delete=atime,delete=ctime' \ + --clamp-mtime \ + --mtime="$source_date" \ + --numeric-owner \ + --owner=0 \ + --group=0 \ + --mode='go+u,go-w' \ + --create \ + --directory="$tmpsrcdir" \ + . | xz -v -c -${zl} > "$orig" && \ + rm -rf "$tmpsrcdir" + + echo "Source archive checksum:" + sha256sum $orig mv .gitattributes.orig .gitattributes From 93072c9503ed737303d0995ddeb7db330f17bdde Mon Sep 17 00:00:00 2001 From: Andrey Volk Date: Thu, 25 Jul 2024 21:46:40 +0300 Subject: [PATCH 10/27] [core] check_rtcp_and_ice() - stringop-overflow: Fix build on Debian Bookworm. --- src/switch_rtp.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/src/switch_rtp.c b/src/switch_rtp.c index 1125e2f59b..3d9e2ae624 100644 --- a/src/switch_rtp.c +++ b/src/switch_rtp.c @@ -185,6 +185,10 @@ typedef struct { char body[SWITCH_RTCP_MAX_BUF_LEN]; } rtcp_msg_t; +typedef struct { + switch_rtcp_hdr_t header; + uint32_t ssrc; +} sdes_ssrc_t; typedef enum { VAD_FIRE_TALK = (1 << 0), 
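Review bot: The temporary tree is removed only when the final `tar | xz` pipeline succeeds (`&& rm -rf "$tmpsrcdir"`), so it is left behind on any failure. A failing `git archive` on the left of the first pipe can also go unnoticed unless `pipefail` is set elsewhere in the script, in which case an incomplete tree could be packed into `$orig` and checksummed as if it were complete. Check the status of each stage explicitly, and run `rm -rf -- "$tmpsrcdir"` unconditionally after saving the pipeline's status. `--prefix=$git_archive_prefix` and `sha256sum $orig` should be quoted as well, as `"$orig"` already is in the redirection. The function body continues outside the hunk.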
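Review bot: `sdes_ssrc_t` is overlaid on the outgoing RTCP buffer, so it depends on there being no padding between `header` and `ssrc`, yet nothing in the hunk states or checks that. The byte accounting in `check_rtcp_and_ice()` still adds `sizeof(struct switch_rtcp_hdr_s)` and `sizeof(uint32_t)` separately. A short comment on the typedef saying that it mirrors the SDES header plus SSRC as laid out on the wire, together with a check that `sizeof(sdes_ssrc_t) == sizeof(switch_rtcp_hdr_t) + sizeof(uint32_t)`, would keep the struct and the length arithmetic in step.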
@@ -2228,9 +2232,9 @@ static int check_rtcp_and_ice(switch_rtp_t *rtp_session) struct switch_rtcp_report_block *rtcp_report_block = NULL; switch_size_t rtcp_bytes = sizeof(struct switch_rtcp_hdr_s)+sizeof(uint32_t); /* add size of the packet header and the ssrc */ switch_rtcp_hdr_t *sdes; + sdes_ssrc_t *sdes_ssrc; uint8_t *p; switch_size_t sdes_bytes = sizeof(struct switch_rtcp_hdr_s); - uint32_t *ssrc; switch_rtcp_sdes_unit_t *unit; switch_bool_t is_only_receiver = FALSE; @@ -2426,14 +2430,13 @@ static int check_rtcp_and_ice(switch_rtp_t *rtp_session) //SDES + CNAME p = (uint8_t *) (&rtp_session->rtcp_send_msg) + rtcp_bytes; - sdes = (switch_rtcp_hdr_t *) p; + sdes_ssrc = (sdes_ssrc_t *) p; + sdes = &sdes_ssrc->header; sdes->version = 2; sdes->type = _RTCP_PT_SDES; sdes->count = 1; sdes->p = 0; - p = (uint8_t *) (sdes) + sdes_bytes; - ssrc = (uint32_t *) p; - *ssrc = htonl(rtp_session->ssrc); + sdes_ssrc->ssrc = htonl(rtp_session->ssrc); sdes_bytes += sizeof(uint32_t); From b38d87941351b509382d6d83afbbcc1a7f150a44 Mon Sep 17 00:00:00 2001 From: Andrey Volk Date: Fri, 7 Jun 2024 14:50:56 +0300 Subject: [PATCH 11/27] [Core] rtp_common_write: Coverity 1227609 Calling risky function --- src/switch_rtp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/switch_rtp.c b/src/switch_rtp.c index 3d9e2ae624..a27703f449 100644 --- a/src/switch_rtp.c +++ b/src/switch_rtp.c 
@@ -8267,11 +8267,11 @@ static int rtp_common_write(switch_rtp_t *rtp_session, if (switch_rtp_test_flag(rtp_session, SWITCH_RTP_FLAG_VIDEO)) { int external = (flags && *flags & SFF_EXTERNAL); /* Normalize the timestamps to our own base by generating a made up starting point then adding the measured deltas to that base - so if the timestamps and ssrc of the source change, it will not break the other end's jitter bufffer / decoder etc *cough* CHROME *cough* + so if the timestamps and ssrc of the source change, it will not break the other end's jitter buffer / decoder etc *cough* CHROME *cough* */ if (!rtp_session->ts_norm.ts) { - rtp_session->ts_norm.ts = (uint32_t) rand() % 1000000 + 1; + rtp_session->ts_norm.ts = (uint32_t) switch_rand() % 1000000 + 1; } if (!rtp_session->ts_norm.last_ssrc || send_msg->header.ssrc != rtp_session->ts_norm.last_ssrc || rtp_session->ts_norm.last_external != external) { From a99ed5c46f03094703befa056e1c95e84cbf9a14 Mon Sep 17 00:00:00 2001 From: Andrey Volk Date: Mon, 29 Jul 2024 21:50:13 +0300 Subject: [PATCH 12/27] [Core] Introduce SWITCH_RAND_MAX to switch_rand() --- src/include/switch_types.h | 7 +++++++ src/switch_utils.c | 8 ++++---- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/src/include/switch_types.h b/src/include/switch_types.h index f8ae00790d..c4c9131bd6 100644 --- a/src/include/switch_types.h +++ b/src/include/switch_types.h @@ -599,6 +599,13 @@ SWITCH_DECLARE_DATA extern switch_filenames SWITCH_GLOBAL_filenames; #define SWITCH_ACCEPTABLE_INTERVAL(_i) (_i && _i <= SWITCH_MAX_INTERVAL && (_i % 10) == 0) +/* Check if RAND_MAX is a power of 2 minus 1 or in other words all bits set */ +#if ((RAND_MAX) & ((RAND_MAX) + 1)) == 0 && (RAND_MAX) != 0 +#define SWITCH_RAND_MAX RAND_MAX +#else +#define SWITCH_RAND_MAX 0x7fff +#endif + typedef enum { SWITCH_RW_READ, SWITCH_RW_WRITE diff --git a/src/switch_utils.c b/src/switch_utils.c index 64577d3997..90c5de059a 100644 --- a/src/switch_utils.c +++ b/src/switch_utils.c 
@@ -4835,8 +4835,8 @@ SWITCH_DECLARE(int) switch_rand(void) BCryptCloseAlgorithmProvider(hAlgorithm, 0); - /* Make sure we return from 0 to RAND_MAX */ - return (random_number & 0x7FFF); + /* Make sure we return from 0 to SWITCH_RAND_MAX */ + return (random_number & (SWITCH_RAND_MAX)); #elif defined(__unix__) || defined(__APPLE__) int random_fd = open("/dev/urandom", O_RDONLY); ssize_t result; @@ -4865,8 +4865,8 @@ SWITCH_DECLARE(int) switch_rand(void) close(random_fd); - /* Make sure we return from 0 to RAND_MAX */ - return (random_number & 0x7FFF); + /* Make sure we return from 0 to SWITCH_RAND_MAX */ + return (random_number & (SWITCH_RAND_MAX)); #else return rand(); #endif From b43ae84564a971fe446759e3c9fce49be65b2bee Mon Sep 17 00:00:00 2001 From: Andrey Volk Date: Fri, 7 Jun 2024 14:53:44 +0300 Subject: [PATCH 13/27] [Core] switch_rtp_create: Coverity 1227620 Calling risky function --- src/switch_rtp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/switch_rtp.c b/src/switch_rtp.c index a27703f449..6f33b47992 100644 --- a/src/switch_rtp.c +++ b/src/switch_rtp.c @@ -4517,7 +4517,7 @@ SWITCH_DECLARE(switch_status_t) switch_rtp_create(switch_rtp_t **new_rtp_session switch_sockaddr_create(&rtp_session->rtcp_from_addr, pool); } - rtp_session->seq = (uint16_t) rand(); + rtp_session->seq = (uint16_t) switch_rand(); rtp_session->ssrc = (uint32_t) ((intptr_t) rtp_session + (switch_time_t) switch_epoch_time_now(NULL)); #ifdef DEBUG_TS_ROLLOVER rtp_session->last_write_ts = TS_ROLLOVER_START; From 1ff5a6593cedc8c14855d314f614f9460fdcf7ad Mon Sep 17 00:00:00 2001 From: Andrey Volk Date: Thu, 6 Jun 2024 12:16:42 +0300 Subject: [PATCH 14/27] [Core] switch_rtp.c: Coverity 1500271, 1500287: Out-of-bounds access (OVERRUN) --- src/switch_rtp.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/switch_rtp.c b/src/switch_rtp.c index 6f33b47992..46e13253b7 100644 --- a/src/switch_rtp.c +++ b/src/switch_rtp.c 
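Review bot: The `#else` fallback still returns `rand()` unmasked, so on a platform that takes that branch and whose `RAND_MAX` is not of the form 2^n-1, the result can exceed `SWITCH_RAND_MAX` (which is then 0x7fff). Callers that scale by the macro, such as `switch_stun_random_string()` in patch 22 with `max * 1.0 * switch_rand() / (SWITCH_RAND_MAX + 1.0)`, would then compute an index past the end of `set`. Masking the fallback as well, `return rand() & (SWITCH_RAND_MAX);`, makes the documented 0..SWITCH_RAND_MAX range hold on every branch. The function starts outside these hunks, so the handling of a failed `open()` or `read()` on `/dev/urandom` is not visible here.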
@@ -8520,9 +8520,9 @@ static int rtp_common_write(switch_rtp_t *rtp_session, } if (!rtp_session->flags[SWITCH_RTP_FLAG_SECURE_SEND_MKI]) { - stat = srtp_protect(rtp_session->send_ctx[rtp_session->srtp_idx_rtp], &send_msg->header, &sbytes); + stat = srtp_protect(rtp_session->send_ctx[rtp_session->srtp_idx_rtp], send_msg, &sbytes); } else { - stat = srtp_protect_mki(rtp_session->send_ctx[rtp_session->srtp_idx_rtp], &send_msg->header, &sbytes, 1, SWITCH_CRYPTO_MKI_INDEX); + stat = srtp_protect_mki(rtp_session->send_ctx[rtp_session->srtp_idx_rtp], send_msg, &sbytes, 1, SWITCH_CRYPTO_MKI_INDEX); } if (stat) { @@ -9044,9 +9044,9 @@ SWITCH_DECLARE(switch_status_t) switch_rtp_write_raw(switch_rtp_t *rtp_session, } if (!rtp_session->flags[SWITCH_RTP_FLAG_SECURE_SEND_MKI]) { - stat = srtp_protect(rtp_session->send_ctx[rtp_session->srtp_idx_rtp], &rtp_session->write_msg.header, &sbytes); + stat = srtp_protect(rtp_session->send_ctx[rtp_session->srtp_idx_rtp], &rtp_session->write_msg, &sbytes); } else { - stat = srtp_protect_mki(rtp_session->send_ctx[rtp_session->srtp_idx_rtp], &rtp_session->write_msg.header, &sbytes, 1, SWITCH_CRYPTO_MKI_INDEX); + stat = srtp_protect_mki(rtp_session->send_ctx[rtp_session->srtp_idx_rtp], &rtp_session->write_msg, &sbytes, 1, SWITCH_CRYPTO_MKI_INDEX); } if (stat) { From 11e3cff7cb9097c347663fe3092947648eadef91 Mon Sep 17 00:00:00 2001 From: Andrey Volk Date: Thu, 6 Jun 2024 12:58:57 +0300 Subject: [PATCH 15/27] [Core] switch_find_local_ip: Coverity 1024290 Resource leak. --- src/switch_utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/switch_utils.c b/src/switch_utils.c index 90c5de059a..1af2011dbd 100644 --- a/src/switch_utils.c +++ b/src/switch_utils.c @@ -2015,7 +2015,7 @@ SWITCH_DECLARE(switch_status_t) switch_find_local_ip(char *buf, int len, int *ma } doh: - if (tmp_socket > 0) { + if (tmp_socket >= 0) { close(tmp_socket); } #endif From 9f7c64b6fafa1afb53c6ce4c3d944767382f4544 Mon Sep 17 00:00:00 2001 
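Review bot: With the test in `switch_find_local_ip()` changed to `tmp_socket >= 0`, the cleanup at `doh:` now treats descriptor 0 as open, so `tmp_socket` must be initialised to -1 on every path that can jump to the label before `socket()` is called. The declaration is outside the hunk and should be confirmed; if the variable starts at 0, this change would close standard input on those early-exit paths instead of only fixing the leak.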
From: Andrey Volk Date: Thu, 6 Jun 2024 12:47:07 +0300 Subject: [PATCH 16/27] [Core] switch_stun.c: Coverity 1468480: Out-of-bounds access (OVERRUN) --- src/include/switch_stun.h | 7 +++++++ src/switch_stun.c | 6 +++++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/src/include/switch_stun.h b/src/include/switch_stun.h index 54b03088e8..ca612c06aa 100644 --- a/src/include/switch_stun.h +++ b/src/include/switch_stun.h @@ -141,6 +141,13 @@ typedef struct { uint32_t address; } switch_stun_ip_t; +typedef struct { + uint8_t wasted; + uint8_t family; + uint16_t port; + uint8_t address[16]; +} switch_stun_ipv6_t; + #if SWITCH_BYTE_ORDER == __BIG_ENDIAN typedef struct { diff --git a/src/switch_stun.c b/src/switch_stun.c index d4a2c96503..2ab1f41d5a 100644 --- a/src/switch_stun.c +++ b/src/switch_stun.c @@ -401,13 +401,17 @@ SWITCH_DECLARE(uint8_t) switch_stun_packet_attribute_get_mapped_address(switch_s SWITCH_DECLARE(uint8_t) switch_stun_packet_attribute_get_xor_mapped_address(switch_stun_packet_attribute_t *attribute, switch_stun_packet_header_t *header, char *ipstr, switch_size_t iplen, uint16_t *port) { switch_stun_ip_t *ip; + switch_stun_ipv6_t *ipv6; uint8_t x, *i; char *p = ipstr; ip = (switch_stun_ip_t *) attribute->value; if (ip->family == 2) { - uint8_t *v6addr = (uint8_t *) &ip->address; + uint8_t *v6addr; + + ipv6 = (switch_stun_ipv6_t *)attribute->value; + v6addr = (uint8_t *) &ipv6->address; v6_xor(v6addr, (uint8_t *)header->id); inet_ntop(AF_INET6, v6addr, ipstr, iplen); } else { From 6fbb49d66cdd6a630b30ad0b731707fc1f8c2903 Mon Sep 17 00:00:00 2001 From: Andrey Volk Date: Sun, 9 Jun 2024 13:12:11 +0300 Subject: [PATCH 17/27] [mod_mariadb] mariadb_dsn: Coverity 1546237 COPY_INSTEAD_OF_MOVE --- src/mod/databases/mod_mariadb/mariadb_dsn.cpp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/mod/databases/mod_mariadb/mariadb_dsn.cpp b/src/mod/databases/mod_mariadb/mariadb_dsn.cpp index eb7bfeedbd..06091eb469 100644 
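Review bot: The IPv6 branch of `switch_stun_packet_attribute_get_xor_mapped_address()` XORs and formats 16 bytes at `ipv6->address` without first checking that the attribute actually carries that many bytes, and the attribute comes from a received STUN packet. Unless the parser or the caller already guarantees this (not visible in the hunk), add a length check before the cast, along the lines of `if (attribute->length < sizeof(switch_stun_ipv6_t)) return 0;`, using whatever byte order the parser leaves `length` in. Also make sure `iplen` is at least `INET6_ADDRSTRLEN` before calling `inet_ntop()`. The function continues outside the hunk.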
--- a/src/mod/databases/mod_mariadb/mariadb_dsn.cpp +++ b/src/mod/databases/mod_mariadb/mariadb_dsn.cpp @@ -83,11 +83,11 @@ public: if ("server" == key || "host" == key) { _host = value; } else if ("uid" == key || "user" == key || "username" == key) { - _user = value; + _user = std::move(value); } else if ("pwd" == key || "passwd" == key || "password" == key) { - _passwd = value; + _passwd = std::move(value); } else if ("database" == key || "db" == key) { - _db = value; + _db = std::move(value); } else if ("port" == key) { _port = std::stoi(value); } else if ("option" == key || "options" == key) { From 3c47eadd28505640113a76c3b82e2216be22dbbe Mon Sep 17 00:00:00 2001 From: Andrey Volk Date: Sun, 9 Jun 2024 13:13:43 +0300 Subject: [PATCH 18/27] [mod_v8] SayPhrase: Coverity 1546153 COPY_INSTEAD_OF_MOVE --- src/mod/languages/mod_v8/src/fssession.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/mod/languages/mod_v8/src/fssession.cpp b/src/mod/languages/mod_v8/src/fssession.cpp index d3bc77ae13..2510457175 100644 --- a/src/mod/languages/mod_v8/src/fssession.cpp +++ b/src/mod/languages/mod_v8/src/fssession.cpp @@ -671,7 +671,7 @@ JS_SESSION_FUNCTION_IMPL(SayPhrase) String::Utf8Value str(info[2]); tmp = js_safe_str(*str); if (!zstr(tmp.c_str())) { - phrase_lang = tmp; + phrase_lang = std::move(tmp); } } From 0974bd112cb0489040386c68889ebf2964e8029c Mon Sep 17 00:00:00 2001 From: Andrey Volk Date: Fri, 7 Jun 2024 14:52:27 +0300 Subject: [PATCH 19/27] [Core] switch_simple_email: Coverity 1227612 Calling risky function --- src/switch_utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/switch_utils.c b/src/switch_utils.c index 1af2011dbd..aa3fc74cae 100644 --- a/src/switch_utils.c +++ b/src/switch_utils.c 
@@ -1160,7 +1160,7 @@ SWITCH_DECLARE(switch_bool_t) switch_simple_email(const char *to, switch_safe_free(dupfile); } - switch_snprintf(filename, 80, "%s%smail.%d%04x", SWITCH_GLOBAL_dirs.temp_dir, SWITCH_PATH_SEPARATOR, (int)(switch_time_t) switch_epoch_time_now(NULL), rand() & 0xffff); + switch_snprintf(filename, 80, "%s%smail.%d%04x", SWITCH_GLOBAL_dirs.temp_dir, SWITCH_PATH_SEPARATOR, (int)(switch_time_t) switch_epoch_time_now(NULL), switch_rand() & 0xffff); if ((fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, 0644)) > -1) { if (file) { From 844cce8595a9221e2620e1d61a4171a6a6f85524 Mon Sep 17 00:00:00 2001 From: Andrey Volk Date: Thu, 6 Jun 2024 13:07:43 +0300 Subject: [PATCH 20/27] [mod_mariadb] Coverity 1546237 COPY_INSTEAD_OF_MOVE --- src/mod/databases/mod_mariadb/mariadb_dsn.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/mod/databases/mod_mariadb/mariadb_dsn.cpp b/src/mod/databases/mod_mariadb/mariadb_dsn.cpp index 06091eb469..aa7fb89412 100644 --- a/src/mod/databases/mod_mariadb/mariadb_dsn.cpp +++ b/src/mod/databases/mod_mariadb/mariadb_dsn.cpp @@ -81,7 +81,7 @@ public: std::string value = pair[1]; if ("server" == key || "host" == key) { - _host = value; + _host = std::move(value); } else if ("uid" == key || "user" == key || "username" == key) { _user = std::move(value); } else if ("pwd" == key || "passwd" == key || "password" == key) { From 9d379b707171b212dcc7d4b0f9db860719eeefa4 Mon Sep 17 00:00:00 2001 From: Andrey Volk Date: Fri, 7 Jun 2024 14:55:10 +0300 Subject: [PATCH 21/27] [Core] switch_core_port_allocator_request_port: Coverity 1227622 Calling risky function --- src/switch_core_port_allocator.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/switch_core_port_allocator.c b/src/switch_core_port_allocator.c index 074ce5f5ea..2ed956c6fb 100644 --- a/src/switch_core_port_allocator.c +++ b/src/switch_core_port_allocator.c 
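Review bot: Replacing `rand()` with `switch_rand()` makes the filename suffix harder to guess, but the file is still opened by name with `O_WRONLY | O_CREAT | O_TRUNC, 0644`. If `temp_dir` is writable by other local users, an existing file or symlink at that path is followed and truncated, and the message body is created world-readable. Creating the file exclusively and privately closes that gap: `open(filename, O_WRONLY | O_CREAT | O_EXCL, 0600)`, or `mkstemp()` on platforms that provide it. `switch_simple_email` starts and ends outside the hunk.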
@@ -155,7 +155,7 @@ SWITCH_DECLARE(switch_status_t) switch_core_port_allocator_request_port(switch_c uint32_t tries = 0; /* randomly pick a port */ - index = rand() % alloc->track_len; + index = switch_rand() % alloc->track_len; /* if it is used walk up the list to find a free one */ while (alloc->track[index] && tries < alloc->track_len) { From c736458a21368fba462957ba98aa3f948facc313 Mon Sep 17 00:00:00 2001 From: Andrey Volk Date: Fri, 7 Jun 2024 14:56:56 +0300 Subject: [PATCH 22/27] [Core] switch_stun_random_string: Coverity 1227623 Calling risky function --- src/switch_stun.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/switch_stun.c b/src/switch_stun.c index 2ab1f41d5a..d58dd6fd93 100644 --- a/src/switch_stun.c +++ b/src/switch_stun.c @@ -135,7 +135,7 @@ SWITCH_DECLARE(void) switch_stun_random_string(char *buf, uint16_t len, char *se max = (int) strlen(set); for (x = 0; x < len; x++) { - int j = (int) (max * 1.0 * rand() / (RAND_MAX + 1.0)); + int j = (int) (max * 1.0 * switch_rand() / (SWITCH_RAND_MAX + 1.0)); buf[x] = set[j]; } } From 251da2f905ed4585cea1e263f585a5dd9e42be05 Mon Sep 17 00:00:00 2001 From: Andrey Volk Date: Fri, 7 Jun 2024 14:57:53 +0300 Subject: [PATCH 23/27] [mod_mariadb] mariadb_send_query: Coverity 1518917 Calling risky function --- src/mod/databases/mod_mariadb/mod_mariadb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/mod/databases/mod_mariadb/mod_mariadb.c b/src/mod/databases/mod_mariadb/mod_mariadb.c index 09b67468bb..c39c2ce818 100644 --- a/src/mod/databases/mod_mariadb/mod_mariadb.c +++ b/src/mod/databases/mod_mariadb/mod_mariadb.c 
@@ -641,7 +641,7 @@ switch_status_t mariadb_send_query(mariadb_handle_t *handle, const char* sql) switch_safe_free(err_str); /* We are waiting for 500 ms and random time is not more than 500 ms. This is necessary so that the delay on the primary and secondary servers does not coincide and deadlock does not occur again. */ - switch_yield(500 + (rand() & 511)); + switch_yield(500 + (switch_rand() & 511)); goto again; } From b39f14679f6e030ce6a9da0fb754b5cb03bd0bd5 Mon Sep 17 00:00:00 2001 From: s3rj1k Date: Fri, 2 Aug 2024 18:54:28 +0200 Subject: [PATCH 24/27] [GHA] Remove Debian `Buster`. --- .github/docker/debian/buster/amd64/Dockerfile | 103 ------------------ .../docker/debian/buster/arm32v7/Dockerfile | 102 ----------------- .../docker/debian/buster/arm64v8/Dockerfile | 102 ----------------- .github/workflows/build.yml | 18 +-- 4 files changed, 10 insertions(+), 315 deletions(-) delete mode 100644 .github/docker/debian/buster/amd64/Dockerfile delete mode 100644 .github/docker/debian/buster/arm32v7/Dockerfile delete mode 100644 .github/docker/debian/buster/arm64v8/Dockerfile diff --git a/.github/docker/debian/buster/amd64/Dockerfile b/.github/docker/debian/buster/amd64/Dockerfile deleted file mode 100644 index 8e88ce56e6..0000000000 --- a/.github/docker/debian/buster/amd64/Dockerfile +++ /dev/null 
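Review bot: The comment above the changed line describes a 500 ms wait plus up to 500 ms of random delay, but the value passed is `500 + (switch_rand() & 511)`. If `switch_yield()` takes microseconds (its definition is not part of this hunk), the retry happens after roughly 0.5 to 1 ms, which weakens the deadlock back-off the comment describes. Either scale the argument, `switch_yield((500 + (switch_rand() & 511)) * 1000);`, or correct the comment so the intended delay is unambiguous.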
@@ -1,103 +0,0 @@ -ARG BUILDER_IMAGE=debian:buster-20240513 - -FROM ${BUILDER_IMAGE} AS builder - -ARG MAINTAINER_NAME="Andrey Volk" -ARG MAINTAINER_EMAIL="andrey@signalwire.com" - -# Credentials -ARG REPO_DOMAIN=freeswitch.signalwire.com -ARG REPO_USERNAME=user - -ARG BUILD_NUMBER=42 -ARG GIT_SHA=0000000000 - -ARG DATA_DIR=/data -ARG CODENAME=buster -ARG GPG_KEY="/usr/share/keyrings/signalwire-freeswitch-repo.gpg" - -MAINTAINER "${MAINTAINER_NAME} <${MAINTAINER_EMAIL}>" - -SHELL ["/bin/bash", "-c"] - -RUN apt-get -q update && \ - DEBIAN_FRONTEND=noninteractive apt-get -yq install \ - apt-transport-https \ - build-essential \ - ca-certificates \ - cmake \ - curl \ - debhelper \ - devscripts \ - dh-autoreconf \ - dos2unix \ - doxygen \ - git \ - graphviz \ - libglib2.0-dev \ - libssl-dev \ - lsb-release \ - pkg-config \ - wget - -RUN update-ca-certificates --fresh - -RUN echo "export CODENAME=${CODENAME}" | tee ~/.env && \ - chmod +x ~/.env - -RUN . ~/.env && cat < /etc/apt/sources.list.d/freeswitch.list -deb [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/debian-unstable ${CODENAME} main -deb-src [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/debian-unstable ${CODENAME} main -EOF - -RUN git config --global --add safe.directory '*' \ - && git config --global user.name "${MAINTAINER_NAME}" \ - && git config --global user.email "${MAINTAINER_EMAIL}" - -# Bootstrap and Build -COPY . ${DATA_DIR} -WORKDIR ${DATA_DIR} - -RUN echo "export VERSION=$(cat ./build/next-release.txt | tr -d '\n')" | tee -a ~/.env - -RUN . ~/.env && ./debian/util.sh prep-create-orig -n -V${VERSION}-${BUILD_NUMBER}-${GIT_SHA} -x -RUN . 
~/.env && ./debian/util.sh prep-create-dsc ${CODENAME} - -RUN --mount=type=secret,id=REPO_PASSWORD,required=true \ - printf "machine ${REPO_DOMAIN} " > /etc/apt/auth.conf && \ - printf "login ${REPO_USERNAME} " >> /etc/apt/auth.conf && \ - printf "password " >> /etc/apt/auth.conf && \ - cat /run/secrets/REPO_PASSWORD >> /etc/apt/auth.conf && \ - sha512sum /run/secrets/REPO_PASSWORD && \ - curl \ - --fail \ - --netrc-file /etc/apt/auth.conf \ - --output ${GPG_KEY} \ - https://${REPO_DOMAIN}/repo/deb/debian-unstable/signalwire-freeswitch-repo.gpg && \ - file ${GPG_KEY} && \ - apt-get --quiet update && \ - mk-build-deps \ - --install \ - --remove debian/control \ - --tool "apt-get --yes --no-install-recommends" && \ - apt-get --yes --fix-broken install && \ - rm -f /etc/apt/auth.conf - -ENV DEB_BUILD_OPTIONS="parallel=1" -RUN . ~/.env && dch -b -M -v "${VERSION}-${BUILD_NUMBER}-${GIT_SHA}~${CODENAME}" \ - --force-distribution -D "${CODENAME}" "Nightly build, ${GIT_SHA}" -RUN . ~/.env && ./debian/util.sh create-orig -n -V${VERSION}-${BUILD_NUMBER}-${GIT_SHA} -x - -RUN dpkg-source \ - --diff-ignore=.* \ - --compression=xz \ - --compression-level=9 \ - --build \ - . \ - && debuild -b -us -uc \ - && mkdir OUT \ - && mv -v ../*.{deb,dsc,changes,tar.*} OUT/. - -# Artifacts image (mandatory part, the resulting image must have a single filesystem layer) -FROM scratch -COPY --from=builder /data/OUT/ / diff --git a/.github/docker/debian/buster/arm32v7/Dockerfile b/.github/docker/debian/buster/arm32v7/Dockerfile deleted file mode 100644 index 9326979622..0000000000 --- a/.github/docker/debian/buster/arm32v7/Dockerfile +++ /dev/null 
@@ -1,102 +0,0 @@ -ARG BUILDER_IMAGE=arm32v7/debian:buster-20240513 - -FROM --platform=linux/arm32 ${BUILDER_IMAGE} AS builder - -ARG MAINTAINER_NAME="Andrey Volk" -ARG MAINTAINER_EMAIL="andrey@signalwire.com" - -# Credentials -ARG REPO_DOMAIN=freeswitch.signalwire.com -ARG REPO_USERNAME=user - -ARG BUILD_NUMBER=42 -ARG GIT_SHA=0000000000 - -ARG DATA_DIR=/data -ARG CODENAME=buster -ARG GPG_KEY="/usr/share/keyrings/signalwire-freeswitch-repo.gpg" - -MAINTAINER "${MAINTAINER_NAME} <${MAINTAINER_EMAIL}>" - -SHELL ["/bin/bash", "-c"] - -RUN apt-get -q update && \ - DEBIAN_FRONTEND=noninteractive apt-get -yq install \ - apt-transport-https \ - build-essential \ - ca-certificates \ - cmake \ - curl \ - debhelper \ - devscripts \ - dh-autoreconf \ - dos2unix \ - doxygen \ - git \ - graphviz \ - libglib2.0-dev \ - libssl-dev \ - lsb-release \ - pkg-config \ - wget - -RUN update-ca-certificates --fresh - -RUN echo "export CODENAME=${CODENAME}" | tee ~/.env && \ - chmod +x ~/.env - -RUN . ~/.env && cat < /etc/apt/sources.list.d/freeswitch.list -deb [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/rpi/debian-dev ${CODENAME} main -deb-src [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/rpi/debian-dev ${CODENAME} main -EOF - -RUN git config --global --add safe.directory '*' \ - && git config --global user.name "${MAINTAINER_NAME}" \ - && git config --global user.email "${MAINTAINER_EMAIL}" - -# Bootstrap and Build -COPY . ${DATA_DIR} -WORKDIR ${DATA_DIR} -RUN echo "export VERSION=$(cat ./build/next-release.txt | tr -d '\n')" | tee -a ~/.env - -RUN . ~/.env && ./debian/util.sh prep-create-orig -n -V${VERSION}-${BUILD_NUMBER}-${GIT_SHA} -x -RUN . 
~/.env && ./debian/util.sh prep-create-dsc -a armhf ${CODENAME} - -RUN --mount=type=secret,id=REPO_PASSWORD,required=true \ - printf "machine ${REPO_DOMAIN} " > /etc/apt/auth.conf && \ - printf "login ${REPO_USERNAME} " >> /etc/apt/auth.conf && \ - printf "password " >> /etc/apt/auth.conf && \ - cat /run/secrets/REPO_PASSWORD >> /etc/apt/auth.conf && \ - sha512sum /run/secrets/REPO_PASSWORD && \ - curl \ - --fail \ - --netrc-file /etc/apt/auth.conf \ - --output ${GPG_KEY} \ - https://${REPO_DOMAIN}/repo/deb/rpi/debian-dev/signalwire-freeswitch-repo.gpg && \ - file ${GPG_KEY} && \ - apt-get --quiet update && \ - mk-build-deps \ - --install \ - --remove debian/control \ - --tool "apt-get --yes --no-install-recommends" && \ - apt-get --yes --fix-broken install && \ - rm -f /etc/apt/auth.conf - -ENV DEB_BUILD_OPTIONS="parallel=1" -RUN . ~/.env && dch -b -M -v "${VERSION}-${BUILD_NUMBER}-${GIT_SHA}~${CODENAME}" \ - --force-distribution -D "${CODENAME}" "Nightly build, ${GIT_SHA}" -RUN . ~/.env && ./debian/util.sh create-orig -n -V${VERSION}-${BUILD_NUMBER}-${GIT_SHA} -x - -RUN dpkg-source \ - --diff-ignore=.* \ - --compression=xz \ - --compression-level=9 \ - --build \ - . \ - && debuild -b -us -uc \ - && mkdir OUT \ - && mv -v ../*.{deb,dsc,changes,tar.*} OUT/. - -# Artifacts image (mandatory part, the resulting image must have a single filesystem layer) -FROM scratch -COPY --from=builder /data/OUT/ / diff --git a/.github/docker/debian/buster/arm64v8/Dockerfile b/.github/docker/debian/buster/arm64v8/Dockerfile deleted file mode 100644 index 71aca46052..0000000000 --- a/.github/docker/debian/buster/arm64v8/Dockerfile +++ /dev/null 
@@ -1,102 +0,0 @@ -ARG BUILDER_IMAGE=arm64v8/debian:buster-20240513 - -FROM --platform=linux/arm64 ${BUILDER_IMAGE} AS builder - -ARG MAINTAINER_NAME="Andrey Volk" -ARG MAINTAINER_EMAIL="andrey@signalwire.com" - -# Credentials -ARG REPO_DOMAIN=freeswitch.signalwire.com -ARG REPO_USERNAME=user - -ARG BUILD_NUMBER=42 -ARG GIT_SHA=0000000000 - -ARG DATA_DIR=/data -ARG CODENAME=buster -ARG GPG_KEY="/usr/share/keyrings/signalwire-freeswitch-repo.gpg" - -MAINTAINER "${MAINTAINER_NAME} <${MAINTAINER_EMAIL}>" - -SHELL ["/bin/bash", "-c"] - -RUN apt-get -q update && \ - DEBIAN_FRONTEND=noninteractive apt-get -yq install \ - apt-transport-https \ - build-essential \ - ca-certificates \ - cmake \ - curl \ - debhelper \ - devscripts \ - dh-autoreconf \ - dos2unix \ - doxygen \ - git \ - graphviz \ - libglib2.0-dev \ - libssl-dev \ - lsb-release \ - pkg-config \ - wget - -RUN update-ca-certificates --fresh - -RUN echo "export CODENAME=${CODENAME}" | tee ~/.env && \ - chmod +x ~/.env - -RUN . ~/.env && cat < /etc/apt/sources.list.d/freeswitch.list -deb [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/debian-unstable ${CODENAME} main -deb-src [signed-by=${GPG_KEY}] https://${REPO_DOMAIN}/repo/deb/debian-unstable ${CODENAME} main -EOF - -RUN git config --global --add safe.directory '*' \ - && git config --global user.name "${MAINTAINER_NAME}" \ - && git config --global user.email "${MAINTAINER_EMAIL}" - -# Bootstrap and Build -COPY . ${DATA_DIR} -WORKDIR ${DATA_DIR} -RUN echo "export VERSION=$(cat ./build/next-release.txt | tr -d '\n')" | tee -a ~/.env - -RUN . ~/.env && ./debian/util.sh prep-create-orig -n -V${VERSION}-${BUILD_NUMBER}-${GIT_SHA} -x -RUN . 
~/.env && ./debian/util.sh prep-create-dsc -a arm64 ${CODENAME} - -RUN --mount=type=secret,id=REPO_PASSWORD,required=true \ - printf "machine ${REPO_DOMAIN} " > /etc/apt/auth.conf && \ - printf "login ${REPO_USERNAME} " >> /etc/apt/auth.conf && \ - printf "password " >> /etc/apt/auth.conf && \ - cat /run/secrets/REPO_PASSWORD >> /etc/apt/auth.conf && \ - sha512sum /run/secrets/REPO_PASSWORD && \ - curl \ - --fail \ - --netrc-file /etc/apt/auth.conf \ - --output ${GPG_KEY} \ - https://${REPO_DOMAIN}/repo/deb/debian-unstable/signalwire-freeswitch-repo.gpg && \ - file ${GPG_KEY} && \ - apt-get --quiet update && \ - mk-build-deps \ - --install \ - --remove debian/control \ - --tool "apt-get --yes --no-install-recommends" && \ - apt-get --yes --fix-broken install && \ - rm -f /etc/apt/auth.conf - -ENV DEB_BUILD_OPTIONS="parallel=1" -RUN . ~/.env && dch -b -M -v "${VERSION}-${BUILD_NUMBER}-${GIT_SHA}~${CODENAME}" \ - --force-distribution -D "${CODENAME}" "Nightly build, ${GIT_SHA}" -RUN . ~/.env && ./debian/util.sh create-orig -n -V${VERSION}-${BUILD_NUMBER}-${GIT_SHA} -x - -RUN dpkg-source \ - --diff-ignore=.* \ - --compression=xz \ - --compression-level=9 \ - --build \ - . \ - && debuild -b -us -uc \ - && mkdir OUT \ - && mv -v ../*.{deb,dsc,changes,tar.*} OUT/. - -# Artifacts image (mandatory part, the resulting image must have a single filesystem layer) -FROM scratch -COPY --from=builder /data/OUT/ / diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2d1ddf07fc..37e29568a8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -28,12 +28,6 @@ jobs: if [[ "${{ github.event_name }}" == "pull_request" ]]; then JSON=$(jq -n '[ - { - "version": "bookworm", - "platform": { - "name": "amd64" - } - }, { "version": "bookworm", "platform": { 
@@ -41,7 +35,16 @@ jobs: } }, { - "version": "bullseye" + "version": "bullseye", + "platform": { + "name": "amd64" + } + }, + { + "version": "bullseye", + "platform": { + "name": "arm32v7" + } } ]') fi @@ -66,7 +69,6 @@ jobs: version: - bookworm - bullseye - - buster platform: - name: amd64 runner: ubuntu-latest From 6e8f30ea8b75033c7d5d56b957b142e5f53ec17b Mon Sep 17 00:00:00 2001 From: Andrey Volk Date: Fri, 2 Aug 2024 19:39:59 +0000 Subject: [PATCH 25/27] swigall --- src/mod/languages/mod_managed/freeswitch_wrap.cxx | 10 ++++++++++ src/mod/languages/mod_managed/managed/swig.cs | 4 ++++ 2 files changed, 14 insertions(+) diff --git a/src/mod/languages/mod_managed/freeswitch_wrap.cxx b/src/mod/languages/mod_managed/freeswitch_wrap.cxx index 7cec120fbe..c09f650f5a 100644 --- a/src/mod/languages/mod_managed/freeswitch_wrap.cxx +++ b/src/mod/languages/mod_managed/freeswitch_wrap.cxx @@ -3401,6 +3401,16 @@ SWIGEXPORT int SWIGSTDCALL CSharp_FreeSWITCHfNative_SWITCH_MAX_MANAGEMENT_BUFFER } +SWIGEXPORT int SWIGSTDCALL CSharp_FreeSWITCHfNative_SWITCH_RAND_MAX_get___() { + int jresult ; + int result; + + result = (int)(0x7fff); + jresult = result; + return jresult; +} + + SWIGEXPORT void SWIGSTDCALL CSharp_FreeSWITCHfNative_switch_error_period_t_start_set___(void * jarg1, long long jarg2) { error_period *arg1 = (error_period *) 0 ; int64_t arg2 ; diff --git a/src/mod/languages/mod_managed/managed/swig.cs b/src/mod/languages/mod_managed/managed/swig.cs index 6ca27764cf..20bcbf4273 100644 --- a/src/mod/languages/mod_managed/managed/swig.cs +++ b/src/mod/languages/mod_managed/managed/swig.cs 
@@ -15184,6 +15184,7 @@ else public static readonly int SWITCH_MAX_STATE_HANDLERS = freeswitchPINVOKE.SWITCH_MAX_STATE_HANDLERS_get(); public static readonly int SWITCH_CORE_QUEUE_LEN = freeswitchPINVOKE.SWITCH_CORE_QUEUE_LEN_get(); public static readonly int SWITCH_MAX_MANAGEMENT_BUFFER_LEN = freeswitchPINVOKE.SWITCH_MAX_MANAGEMENT_BUFFER_LEN_get(); + public static readonly int SWITCH_RAND_MAX = freeswitchPINVOKE.SWITCH_RAND_MAX_get(); public static readonly int SWITCH_RTP_CNG_PAYLOAD = freeswitchPINVOKE.SWITCH_RTP_CNG_PAYLOAD_get(); public static readonly int SWITCH_MEDIA_TYPE_TOTAL = freeswitchPINVOKE.SWITCH_MEDIA_TYPE_TOTAL_get(); public static readonly int SWITCH_SOCK_INVALID = freeswitchPINVOKE.SWITCH_SOCK_INVALID_get(); @@ -16292,6 +16293,9 @@ class freeswitchPINVOKE { [global::System.Runtime.InteropServices.DllImport("mod_managed", EntryPoint="CSharp_FreeSWITCHfNative_SWITCH_MAX_MANAGEMENT_BUFFER_LEN_get___")] public static extern int SWITCH_MAX_MANAGEMENT_BUFFER_LEN_get(); + [global::System.Runtime.InteropServices.DllImport("mod_managed", EntryPoint="CSharp_FreeSWITCHfNative_SWITCH_RAND_MAX_get___")] + public static extern int SWITCH_RAND_MAX_get(); + [global::System.Runtime.InteropServices.DllImport("mod_managed", EntryPoint="CSharp_FreeSWITCHfNative_switch_error_period_t_start_set___")] public static extern void switch_error_period_t_start_set(global::System.Runtime.InteropServices.HandleRef jarg1, long jarg2); From ed4a242931051d30fdcbd6554665f9730ba79c82 Mon Sep 17 00:00:00 2001 From: Andrey Volk Date: Sat, 3 Aug 2024 18:24:55 +0300 Subject: [PATCH 26/27] version bump --- build/next-release.txt | 2 +- configure.ac | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/build/next-release.txt b/build/next-release.txt index a3426275e7..27cbef8a6e 100644 --- a/build/next-release.txt +++ b/build/next-release.txt @@ -1 +1 @@ -1.10.12-dev +1.10.13-dev diff --git a/configure.ac b/configure.ac index 348103f8db..6991398ae7 100644 
--- a/configure.ac +++ b/configure.ac @@ -3,10 +3,10 @@ # Must change all of the below together # For a release, set revision for that tagged release as well and uncomment -AC_INIT([freeswitch], [1.10.12-dev], bugs@freeswitch.org) +AC_INIT([freeswitch], [1.10.13-dev], bugs@freeswitch.org) AC_SUBST(SWITCH_VERSION_MAJOR, [1]) AC_SUBST(SWITCH_VERSION_MINOR, [10]) -AC_SUBST(SWITCH_VERSION_MICRO, [12-dev]) +AC_SUBST(SWITCH_VERSION_MICRO, [13-dev]) AC_SUBST(SWITCH_VERSION_REVISION, []) AC_SUBST(SWITCH_VERSION_REVISION_HUMAN, []) From 94b8ebaea7b03b3b23c2ffbe51ff3ea6589944f5 Mon Sep 17 00:00:00 2001 From: Ryan Williams Date: Thu, 22 Aug 2024 14:00:25 -0700 Subject: [PATCH 27/27] Delete .drone.yml (#2580) --- .drone.yml | 184 ----------------------------------------------------- 1 file changed, 184 deletions(-) delete mode 100644 .drone.yml diff --git a/.drone.yml b/.drone.yml deleted file mode 100644 index 63838cfb73..0000000000 --- a/.drone.yml +++ /dev/null 
@@ -1,184 +0,0 @@ ---- -kind: pipeline -name: unit-tests - -steps: - - name: bootstrap - image: signalwire/freeswitch-public-base:bullseye - pull: always - commands: - - cat /proc/sys/kernel/core_pattern - - ./bootstrap.sh -j - - - name: configure - image: signalwire/freeswitch-public-base:bullseye - pull: always - environment: - REPOTOKEN: - from_secret: repotoken - commands: - - echo "machine freeswitch.signalwire.com password $REPOTOKEN" > /etc/apt/auth.conf - - apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -yq remove libsofia-sip-ua0 libspandsp-dev - - DEBIAN_FRONTEND=noninteractive apt-get -yq install libspandsp3-dev - - export REPOTOKEN='' - - rm -rf /etc/apt/auth.conf - - git clone https://github.com/freeswitch/sofia-sip.git - - cd sofia-sip && ./autogen.sh && ./configure.gnu && make -j`nproc` && make install && cd .. - - echo 'codecs/mod_openh264' >> modules.conf - - sed -i '/applications\\/mod_http_cache/s/^#//g' modules.conf - - sed -i '/event_handlers\\/mod_rayo/s/^#//g' modules.conf - - sed -i '/formats\\/mod_opusfile/s/^#//g' modules.conf - - sed -i '/languages\\/mod_lua/s/^#//g' modules.conf - - export ASAN_OPTIONS=log_path=stdout:disable_coredump=0:unmap_shadow_on_exit=1:fast_unwind_on_malloc=0 - - ./configure --enable-address-sanitizer --enable-fake-dlclose - - - name: build - image: signalwire/freeswitch-public-base:bullseye - pull: always - environment: - REPOTOKEN: - from_secret: repotoken - commands: - - echo "machine freeswitch.signalwire.com password $REPOTOKEN" > /etc/apt/auth.conf - - apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -yq remove libsofia-sip-ua0 libspandsp-dev - - DEBIAN_FRONTEND=noninteractive apt-get -yq install libspandsp3-dev - - export REPOTOKEN='' - - rm -rf /etc/apt/auth.conf - - cd sofia-sip && make install && cd .. 
- - echo '#!/bin/bash\nmake -j`nproc --all` |& tee ./unit-tests-build-result.txt\nexitstatus=$${PIPESTATUS[0]}\necho $$exitstatus > ./build-status.txt\n' > build.sh - - chmod +x build.sh - - ./build.sh - - - name: run-tests - image: signalwire/freeswitch-public-base:bullseye - pull: always - environment: - REPOTOKEN: - from_secret: repotoken - commands: - - echo "machine freeswitch.signalwire.com password $REPOTOKEN" > /etc/apt/auth.conf - - apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -yq remove libsofia-sip-ua0 libspandsp-dev - - DEBIAN_FRONTEND=noninteractive apt-get -yq install libspandsp3-dev - - export REPOTOKEN='' - - rm -rf /etc/apt/auth.conf - - cd sofia-sip && make install && cd .. - - make install || true - - cd tests/unit - - export ASAN_OPTIONS=log_path=stdout:disable_coredump=0:unmap_shadow_on_exit=1:fast_unwind_on_malloc=0 - - ./run-tests.sh - - ls -la /cores - - mkdir logs && (mv log_run-tests_*.html logs || true) && (mv backtrace_*.txt logs || true) - - echo 0 > run-tests-status.txt - - ./collect-test-logs.sh && exit 0 || echo 'Some tests failed' - - echo 1 > run-tests-status.txt - - cd logs && ls -la - - - name: notify - image: signalwire/drone-notify - pull: always - environment: - SLACK_WEBHOOK_URL: - from_secret: slack_webhook_url - ENV_FILE: - from_secret: notify_env - commands: - - /root/unit-tests-notify.sh - -trigger: - branch: - - master - event: - - pull_request - - push - ---- -kind: pipeline -name: scan-build - -steps: - - name: bootstrap - image: signalwire/freeswitch-public-base:bookworm - pull: always - commands: - - apt-get update && apt-get -yq install autoconf - - ./bootstrap.sh -j - - - name: configure - image: signalwire/freeswitch-public-base:bookworm - pull: always - environment: - REPOTOKEN: - from_secret: repotoken - commands: - - echo "machine freeswitch.signalwire.com password $REPOTOKEN" > /etc/apt/auth.conf - - apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -yq remove libspandsp-dev - - 
DEBIAN_FRONTEND=noninteractive apt-get -yq install libsofia-sip-ua-dev libspandsp3-dev - - export REPOTOKEN='' - - rm -rf /etc/apt/auth.conf - - cp build/modules.conf.most modules.conf - #Enable/Uncomment mods - - echo 'codecs/mod_openh264' >> modules.conf - - sed -i "/mod_mariadb/s/^#//g" modules.conf - - sed -i "/mod_v8/s/^#//g" modules.conf - #Disable/Comment out mods - - sed -i '/mod_ilbc/s/^/#/g' modules.conf - - sed -i '/mod_isac/s/^/#/g' modules.conf - - sed -i '/mod_mp4/s/^/#/g' modules.conf - - sed -i '/mod_mongo/s/^/#/g' modules.conf - - sed -i '/mod_pocketsphinx/s/^/#/g' modules.conf - - sed -i '/mod_sangoma_codec/s/^/#/g' modules.conf - - sed -i '/mod_siren/s/^/#/g' modules.conf - #Comment out mods for a while - - sed -i '/mod_avmd/s/^/#/g' modules.conf - - sed -i '/mod_basic/s/^/#/g' modules.conf - - sed -i '/mod_cdr_mongodb/s/^/#/g' modules.conf - - sed -i '/mod_cv/s/^/#/g' modules.conf - - sed -i '/mod_erlang_event/s/^/#/g' modules.conf - - sed -i '/mod_perl/s/^/#/g' modules.conf - - sed -i '/mod_rtmp/s/^/#/g' modules.conf - - sed -i '/mod_unimrcp/s/^/#/g' modules.conf - - sed -i '/mod_xml_rpc/s/^/#/g' modules.conf - - ./configure - - - name: scan-build - image: signalwire/freeswitch-public-base:bookworm - pull: always - environment: - REPOTOKEN: - from_secret: repotoken - commands: - - echo "machine freeswitch.signalwire.com password $REPOTOKEN" > /etc/apt/auth.conf - - apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -yq remove libspandsp-dev - - DEBIAN_FRONTEND=noninteractive apt-get -yq install libsofia-sip-ua-dev libspandsp3-dev - - export REPOTOKEN='' - - rm -rf /etc/apt/auth.conf - - mkdir -p scan-build - - echo '#!/bin/bash\nscan-build-14 --force-analyze-debug-code -o ./scan-build/ make -j`nproc --all` |& tee ./scan-build-result.txt\nexitstatus=$${PIPESTATUS[0]}\necho $$exitstatus > ./scan-build-status.txt\n' > scan.sh - - chmod +x scan.sh - - ./scan.sh - - exitstatus=`cat ./scan-build-status.txt` - - echo "*** Exit status is 
$exitstatus" - - - name: notify - image: signalwire/drone-notify - pull: always - environment: - SLACK_WEBHOOK_URL: - from_secret: slack_webhook_url - ENV_FILE: - from_secret: notify_env - commands: - - /root/scan-build-notify.sh - -trigger: - branch: - - master - event: - - pull_request - - push - ---- -kind: signature -hmac: 7e5f6cafc88da0be59243daf47a2a5607ff00b45f441ce4c1041d4b690e8a853 - -...