[PATCH] ci: Migrate to github actions


Jan Kiszka

Aug 23, 2021, 5:06:08 PM
to efibootguard-dev
From: Jan Kiszka <jan.k...@siemens.com>

Retire Travis, which is no longer free, even for OSS, migrating to GitHub
Actions. This requires open-coding the Coverity integration, which
turned out to be the simpler task.

The migration also brings CI integration for arm64. That was in fact the
hardest piece, both due to complications with Ubuntu (unhandy for cross-
building but only Linux image on github) and also glitches of EBG
itself.

Further change compared to travis: cppcheck is now pulled pre-built from
Ubuntu 21.04 (base image is still on 20.04, providing only an older
version). That removes the need to build and also cache that version
ourselves. For yet unknown reasons, the runtime of cppcheck is now twice
as long as under travis.

Signed-off-by: Jan Kiszka <jan.k...@siemens.com>
---
.github/workflows/coverity.yaml | 64 ++++++++++++
.github/workflows/main.yaml | 158 ++++++++++++++++++++++++++++
.travis-build.sh | 177 --------------------------------
.travis.yml | 46 ---------
4 files changed, 222 insertions(+), 223 deletions(-)
create mode 100644 .github/workflows/coverity.yaml
create mode 100644 .github/workflows/main.yaml
delete mode 100755 .travis-build.sh
delete mode 100644 .travis.yml

diff --git a/.github/workflows/coverity.yaml b/.github/workflows/coverity.yaml
new file mode 100644
index 0000000..99918ea
--- /dev/null
+++ b/.github/workflows/coverity.yaml
@@ -0,0 +1,64 @@
+#
+# EFI Boot Guard
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Claudius Heine <c...@denx.de>
+# Jan Kiszka <jan.k...@siemens.com>
+#
+# This work is licensed under the terms of the GNU GPL, version 2. See
+# the COPYING file in the top-level directory.
+#
+# SPDX-License-Identifier: GPL-2.0
+#
+
+name: Coverity Scan
+
+on:
+ push:
+ branches:
+ - coverity_scan
+
+jobs:
+ build:
+ runs-on: ubuntu-20.04
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Install amd64 dependencies
+ run: |
+ sudo apt-get install --no-install-recommends \
+ gcc-multilib gnu-efi libz-dev libpci-dev check
+ - name: Install Coverity
+ run: |
+ wget https://scan.coverity.com/download/cxx/linux64 \
+ --post-data "token=$COVERITY_TOKEN&project=siemens%2Fefibootguard" \
+ -O coverity_tool.tar.gz
+ tar -xf coverity_tool.tar.gz
+
+ - name: Prepare build
+ run: |
+ autoreconf -fi
+ mkdir -p build
+
+ - name: Build for Coverity
+ run: |
+ cd build
+ ../configure
+ ../cov-analysis-linux64-*/bin/cov-build --dir cov-int make -j $(nproc)
+
+ - name: Submit Coverity results
+ run: |
+ cd build
+ tar caf ebg-scan.tar.bz2 cov-int
+ curl --form token=$COVERITY_TOKEN \
+ --form email=$COVERITY_EMAIL \
+ --form file=@ebg-scan.tar.bz2 \
+ --form version="${{ github.sha }}" \
+ --form description="EFI Boot Guard Coverity Scan" \
+ https://scan.coverity.com/builds?project=siemens%2Fefibootguard
+ env:
+ COVERITY_TOKEN: ${{ secrets.COVERITY_TOKEN }}
+ COVERITY_EMAIL: ${{ secrets.COVERITY_EMAIL }}
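
Review bot: The "Install Coverity" step expands $COVERITY_TOKEN in its --post-data string, but the only env: block in this file follows the "Submit Coverity results" step; if that block is scoped to the last step rather than to the job, the download runs with an empty token and the failure only surfaces at tar -xf. Set env: on both steps that need the secret rather than relying on one block. In the submit step, quote "$COVERITY_TOKEN", "$COVERITY_EMAIL" and the URL, which contains an unquoted ? that the shell treats as a glob character. Two hardening points: the tarball from scan.coverity.com is unpacked and its cov-build executed with no integrity check, and actions/checkout@v2 is a mutable tag, so pinning it to a commit SHA would fix what runs next to the secrets.
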
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
new file mode 100644
index 0000000..e3ca110
--- /dev/null
+++ b/.github/workflows/main.yaml
@@ -0,0 +1,158 @@
+#
+# EFI Boot Guard
+#
+# Copyright (c) Siemens AG, 2021
+#
+# Authors:
+# Claudius Heine <c...@denx.de>
+# Jan Kiszka <jan.k...@siemens.com>
+#
+# This work is licensed under the terms of the GNU GPL, version 2. See
+# the COPYING file in the top-level directory.
+#
+# SPDX-License-Identifier: GPL-2.0
+#
+
+name: CI
+
+on:
+ push:
+ branches-ignore:
+ - coverity_scan
+
+jobs:
+ build:
+ runs-on: ubuntu-20.04
+ strategy:
+ matrix:
+ target:
+ - amd64
+ - i386
+ - arm64
+ - cppcheck
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ with:
+ submodules: recursive
+
+ - name: Install amd64 dependencies
+ if: ${{ matrix.target == 'amd64' || matrix.target == 'cppcheck' }}
+ run: |
+ sudo apt-get install --no-install-recommends \
+ gcc-multilib gnu-efi libz-dev libpci-dev check
+ - name: Install i386 dependencies
+ if: ${{ matrix.target == 'i386' }}
+ run: |
+ sudo dpkg --add-architecture i386
+ sudo apt-get update
+ sudo apt-get install --no-install-recommends \
+ gcc-multilib gnu-efi libz-dev:i386 libpci-dev:i386 check:i386
+ - name: Install arm64 dependencies
+ if: ${{ matrix.target == 'arm64' }}
+ run: |
+ sudo dpkg --add-architecture arm64
+ sudo sed -i 's/^deb /deb [arch=amd64] /g' /etc/apt/sources.list
+ sudo sh -c "cat <<EOF > /etc/apt/sources.list.d/ports.list
+ deb [arch=arm64] http://ports.ubuntu.com/ focal main restricted
+ deb [arch=arm64] http://ports.ubuntu.com/ focal-updates main restricted
+ deb [arch=arm64] http://ports.ubuntu.com/ focal universe
+ deb [arch=arm64] http://ports.ubuntu.com/ focal-updates universe
+ deb [arch=arm64] http://ports.ubuntu.com/ focal multiverse
+ deb [arch=arm64] http://ports.ubuntu.com/ focal-updates multiverse
+ EOF"
+ sudo apt-get update
+ sudo apt-get install --no-install-recommends \
+ crossbuild-essential-arm64 gnu-efi:arm64 libz-dev:arm64 libpci-dev:arm64 check:arm64 qemu-user-static
+ - name: Install cppcheck
+ if: ${{ matrix.target == 'cppcheck' }}
+ run: |
+ sudo sh -c "echo 'deb http://archive.ubuntu.com/ubuntu hirsute main universe' \
+ > /etc/apt/sources.list.d/hirsute.list"
+ sudo sh -c "cat <<EOF > /etc/apt/preferences.d/hirsute.pref
+ Package: *
+ Pin: release n=hirsute
+ Pin-Priority: -1
+ EOF"
+ sudo apt-get update
+ sudo apt-get install --no-install-recommends libz3-4/hirsute cppcheck/hirsute
+
+ - name: Prepare build
+ run: |
+ autoreconf -fi
+ mkdir -p build
+
+ - name: Build amd64
+ if: ${{ matrix.target == 'amd64' }}
+ run: |
+ cd build
+ ../configure
+ make check -j $(nproc)
+ - name: Build i386
+ if: ${{ matrix.target == 'i386' }}
+ run: |
+ cd build
+ export PKG_CONFIG_DIR=
+ export PKG_CONFIG_PATH=/usr/lib/i386-linux-gnu/pkgconfig
+ export PKG_CONFIG_LIBDIR=/usr/lib/i386-linux-gnu
+ ../configure --with-gnuefi-lib-dir=/usr/lib32 CFLAGS=-m32 \
+ host_alias=i586-linux
+ make check -j $(nproc)
+ - name: Build arm64
+ if: ${{ matrix.target == 'arm64' }}
+ run: |
+ cd build
+ ../configure --host=aarch64-linux-gnu \
+ PKG_CONFIG=/usr/bin/aarch64-linux-gnu-pkg-config
+ make check -j $(nproc)
+ - name: Run cppcheck
+ if: ${{ matrix.target == 'cppcheck' }}
+ run: |
+ ./configure
+
+ ignore=""
+ ignore+=" -i tests/fff"
+
+ suppress=""
+ # Justified suppressions:
+ # Does not belong to the project
+ suppress+=" --suppress=*:/usr/include/*"
+ suppress+=" --suppress=*:/usr/include/bits/*"
+ # Function 'efi_main' is called by efi:
+ suppress+=" --suppress=unusedFunction:main.c"
+ # Some functions are defined for API only
+ suppress+=" --suppress=unusedFunction:utils.c"
+ suppress+=" --suppress=unusedFunction:env/env_api.c"
+ suppress+=" --suppress=unusedFunction:env/fatvars.c"
+ suppress+=" --suppress=unusedFunction:tools/tests/test_environment.c"
+ suppress+=" --suppress=unusedFunction:env/env_api_fat.c"
+ # Some functions are used by linker wrapping
+ suppress+=" --suppress=unusedFunction:tools/tests/test_probe_config_file.c"
+ suppress+=" --suppress=unusedFunction:tools/tests/test_ebgenv_api.c"
+ # EFI uses void* as ImageBase needed for further calculations
+ suppress+=" --suppress=arithOperationsOnVoidPointer:main.c"
+ # False positive on init_array iteration
+ suppress+=" --suppress=comparePointers:main.c"
+ # False positive on constructors, first hit
+ suppress+=" --suppress=unusedFunction:drivers/watchdog/amdfch_wdt.c"
+
+ enable="--enable=warning \
+ --enable=style \
+ --enable=performance \
+ --enable=portability \
+ --enable=unusedFunction"
+
+ includes="-I . \
+ -I include \
+ -I /usr/include \
+ -I /usr/include/linux \
+ -I /usr/include/efi \
+ -I /usr/include/efi/x86_64 \
+ -I /usr/include/x86_64-linux-gnu \
+ -I /usr/lib/gcc/x86_64-linux-gnu/9/include"
+
+ cpp_conf="-U__WINT_TYPE__ -U__GNUC__"
+ # Exit code '1' is returned if arguments are not valid or if no input
+ # files are provided. Compare 'cppcheck --help'.
+ cppcheck -f -q --error-exitcode=2 $enable $suppress $ignore \
+ $cpp_conf $includes .
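
Review bot: "Install amd64 dependencies" calls apt-get install without a preceding apt-get update, unlike the i386 and arm64 steps, so the amd64 job (and the cppcheck job, whose own update only comes in a later step) depends on whatever package index the runner image shipped with; add sudo apt-get update at the top of that step. In "Install cppcheck", Ubuntu 21.04 is an interim release, so the hirsute entry on archive.ubuntu.com will stop resolving once that release reaches end of life and the job will then fail at apt-get update; a comment next to the source line would help whoever hits it. The include path /usr/lib/gcc/x86_64-linux-gnu/9/include in "Run cppcheck" hard-codes the GCC major version of ubuntu-20.04 and will go stale without an error when the runner image changes; deriving it from gcc -print-file-name=include avoids that.
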
diff --git a/.travis-build.sh b/.travis-build.sh
deleted file mode 100755
index 5eeb8d1..0000000
--- a/.travis-build.sh
+++ /dev/null
@@ -1,177 +0,0 @@
-#!/bin/bash
-#
-# EFI Boot Guard
-#
-# Copyright (c) Siemens AG, 2017
-#
-# Authors:
-# Claudius Heine <c...@denx.de>
-#
-# This work is licensed under the terms of the GNU GPL, version 2. See
-# the COPYING file in the top-level directory.
-#
-# SPDX-License-Identifier: GPL-2.0
-#
-
-set -euo pipefail
-
-PARAM="${PARAM-"${1-""}"}"
-TARGET="${TARGET-""}"
-
-COVERITY_SCAN_BRANCH="${COVERITY_SCAN_BRANCH:-"0"}"
-if [ "$COVERITY_SCAN_BRANCH" == "1" ]
-then
- if [ "$TARGET" == "native" ]
- then
- TARGET_EFFECTIVE="${PARAM:-"success"}"
- else
- TARGET_EFFECTIVE="success"
- fi
-else
- TARGET_EFFECTIVE="${PARAM:-"${TARGET}"}"
-fi
-
-install_common_deps()
-{
- sudo apt-get install gcc-multilib gnu-efi libpci-dev
-}
-
-install_native_deps()
-{
- sudo apt-get install --no-install-recommends \
- libz-dev check
-}
-
-install_i586_deps()
-{
- sudo apt-get install --no-install-recommends \
- libz-dev:i386 check:i386
-}
-
-prepare_build()
-{
- autoreconf -fi
-}
-
-
-enter_build()
-{
- mkdir -p build
- cd build
-}
-
-install_cppcheck()
-{
- git clone https://github.com/danmar/cppcheck.git
- git -C cppcheck checkout 2.3
- make -C cppcheck MATCHCOMPILER=yes \
- FILESDIR=/opt/cppcheck \
- PREFIX=/opt/cppcheck \
- HAVE_RULES=no install -j2 || \
- return -1
- rm -rf cppcheck
-}
-
-case "$TARGET_EFFECTIVE" in
- native)
- install_common_deps
- install_native_deps
- prepare_build
- enter_build
- ../configure
- exec make check
- ;;
-
- i586)
- install_common_deps
- install_i586_deps
- prepare_build
- enter_build
- export PKG_CONFIG_DIR=
- export PKG_CONFIG_PATH=/usr/lib/i386-linux-gnu/pkgconfig
- export PKG_CONFIG_LIBDIR=/usr/lib/i386-linux-gnu
- ../configure --with-gnuefi-lib-dir=/usr/lib32 CFLAGS=-m32 \
- host_alias=i586-linux
- exec make check
- ;;
-
- cppcheck)
- install_common_deps
- install_native_deps
- echo "Building and installing cppcheck..."
- if [ ! -x /opt/cppcheck/bin/cppcheck ]
- then
- install_cppcheck
- fi
- prepare_build
- ./configure
-
- ignore=""
- ignore+=" -i tests/fff"
-
- suppress=""
- # Justified suppressions:
- # Does not belong to the project
- suppress+=" --suppress=*:/usr/include/*"
- suppress+=" --suppress=*:/usr/include/bits/*"
- # Function 'efi_main' is called by efi:
- suppress+=" --suppress=unusedFunction:main.c"
- # Some functions are defined for API only
- suppress+=" --suppress=unusedFunction:utils.c"
- suppress+=" --suppress=unusedFunction:env/env_api.c"
- suppress+=" --suppress=unusedFunction:env/fatvars.c"
- suppress+=" --suppress=unusedFunction:tools/tests/test_environment.c"
- suppress+=" --suppress=unusedFunction:env/env_api_fat.c"
- # Some functions are used by linker wrapping
- suppress+=" --suppress=unusedFunction:tools/tests/test_probe_config_file.c"
- suppress+=" --suppress=unusedFunction:tools/tests/test_ebgenv_api.c"
- # EFI uses void* as ImageBase needed for further calculations
- suppress+=" --suppress=arithOperationsOnVoidPointer:main.c"
- # False positive on init_array iteration
- suppress+=" --suppress=comparePointers:main.c"
- # False positive on constructors, first hit
- suppress+=" --suppress=unusedFunction:drivers/watchdog/amdfch_wdt.c"
-
- enable="--enable=warning \
- --enable=style \
- --enable=performance \
- --enable=portability \
- --enable=unusedFunction"
-
- includes="-I . \
- -I include \
- -I /usr/include \
- -I /usr/include/linux \
- -I /usr/include/efi \
- -I /usr/include/efi/x86_64 \
- -I /usr/include/x86_64-linux-gnu \
- -I /usr/lib/gcc/x86_64-linux-gnu/4.8/include"
-
- cpp_conf="-U__WINT_TYPE__ -U__GNUC__"
- # Exit code '1' is returned if arguments are not valid or if no input
- # files are provided. Compare 'cppcheck --help'.
- exec /opt/cppcheck/bin/cppcheck -f -q --error-exitcode=2 \
- $enable $suppress $ignore $cpp_conf $includes .
- ;;
- coverity_prepare)
- install_common_deps
- install_native_deps
- prepare_build
- enter_build
- ../configure
- exit 0
- ;;
- coverity_build)
- enter_build
- exec make
- ;;
- success)
- echo "Skipping $TARGET" >&2
- exit 0
- ;;
- *)
- echo "No or not existing targen choosen." \
- "($TARGET, $TARGET_EFFECTIVE)" >&2
- exit -1
- ;;
-esac
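
Review bot: The removed script ran under set -euo pipefail, while the run: blocks that replace it get GitHub's default shell, which is bash -e only, so -u and pipefail are lost in the migration. That matters for the new steps that expand $COVERITY_TOKEN and $COVERITY_EMAIL: an unset variable now expands to an empty string instead of aborting. Setting shell: bash explicitly (which adds -o pipefail) or starting the scripts with set -u would keep the old behaviour. The removal also drops the cppcheck pin (git checkout 2.3 in install_cppcheck); the commit message mentions the switch to a distro package but not which cppcheck version the suppression list is now validated against.
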
diff --git a/.travis.yml b/.travis.yml
deleted file mode 100644
index 6b48ac6..0000000
--- a/.travis.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-#
-# EFI Boot Guard
-#
-# Copyright (c) Siemens AG, 2017
-#
-# Authors:
-# Jan Kiszka <jan.k...@siemens.com>
-#
-# This work is licensed under the terms of the GNU GPL, version 2. See
-# the COPYING file in the top-level directory.
-#
-# SPDX-License-Identifier: GPL-2.0
-#
-
-env:
- jobs:
- - TARGET=native
- - TARGET=i586
- - TARGET=cppcheck
-language: c
-dist: xenial
-
-compiler:
- - gcc
-
-before_install:
- - sudo apt-get update
- - if [ $TRAVIS_BRANCH = coverity_scan ] && [ ${TRAVIS_JOB_NUMBER##*.} != 1 ]; then exit 0; fi
- - echo -n | openssl s_client -connect scan.coverity.com:444 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | sudo tee -a /etc/ssl/certs/ca-certificates.crt
-
-addons:
- coverity_scan:
- project:
- name: "siemens/efibootguard"
- description: "Build submitted via Travis CI"
- notification_email: jan.k...@siemens.com
- build_command_prepend: "./.travis-build.sh coverity_prepare"
- build_command: "./.travis-build.sh coverity_build"
- branch_pattern: coverity_scan
-
-cache:
- directories:
- - /opt/cppcheck
-
-script:
- - ./.travis-build.sh
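
Review bot: The coverity_scan addon removed here kept the notification address in the tree, whereas the replacement workflow reads secrets.COVERITY_TOKEN and secrets.COVERITY_EMAIL, and neither the commit message nor the README says that these two repository secrets have to be configured. A line in the commit message or a comment at the top of coverity.yaml would cover forks and future maintainers. Dropping the before_install line that appended the certificate fetched with openssl s_client to /etc/ssl/certs/ca-certificates.crt is a welcome side effect, since that line trusted whatever the server presented at build time.
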
--
2.31.1

Jan Kiszka

Aug 23, 2021, 5:18:19 PM
to efibootguard-dev
From: Jan Kiszka <jan.k...@siemens.com>

Retire Travis, which is no longer free, even for OSS, migrating to GitHub
Actions. This requires open-coding the Coverity integration, which
turned out to be the simpler task.

The migration also brings CI integration for arm64. That was in fact the
hardest piece, both due to complications with Ubuntu (unhandy for cross-
building but only Linux image on github) and also glitches of EBG
itself.

Further change compared to travis: cppcheck is now pulled pre-built from
Ubuntu 21.04 (base image is still on 20.04, providing only an older
version). That removes the need to build and also cache that version
ourselves. For yet unknown reasons, the runtime of cppcheck is now twice
as long as under travis.

Signed-off-by: Jan Kiszka <jan.k...@siemens.com>
---

Changes in v2:
- Update README as well

.github/workflows/coverity.yaml | 64 ++++++++++++
.github/workflows/main.yaml | 158 ++++++++++++++++++++++++++++
.travis-build.sh | 177 --------------------------------
.travis.yml | 46 ---------
README.md | 4 +-
5 files changed, 223 insertions(+), 226 deletions(-)
diff --git a/README.md b/README.md
index f1d701d..98d8baf 100644
--- a/README.md
+++ b/README.md
@@ -18,9 +18,7 @@ For sending patches, please refer to the mailing list and `CONTRIBUTING.md` in
the source tree.

Continuous integration:
-* [Travis CI](https://travis-ci.com/siemens/efibootguard):
- * Master branch: ![](https://img.shields.io/travis/siemens/efibootguard/master.svg)
- * Next branch: ![](https://img.shields.io/travis/siemens/efibootguard/next.svg)
+* Based on [https://github.com/siemens/efibootguard/actions](GitHub Actions)
* Coverity: ![](https://img.shields.io/coverity/scan/13885.svg)

## Watchdog support ##
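
Review bot: The added Markdown link has its text and target swapped: [https://github.com/siemens/efibootguard/actions](GitHub Actions) renders with "GitHub Actions" as the URL. It should read [GitHub Actions](https://github.com/siemens/efibootguard/actions). The per-branch status badges for master and next are removed with no replacement; if that is intended, fine, otherwise a workflow status badge for main.yaml could take their place.
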
--
2.31.1

Jan Kiszka

Aug 24, 2021, 3:44:37 AM
to efibootguard-dev
From: Jan Kiszka <jan.k...@siemens.com>

Retire Travis, which is no longer free, even for OSS, migrating to GitHub
Actions. This requires open-coding the Coverity integration, which
turned out to be the simpler task.

The migration also brings CI integration for arm64. That was in fact the
hardest piece, both due to complications with Ubuntu (unhandy for cross-
building but only Linux image on github) and also glitches of EBG
itself.

Further change compared to travis: cppcheck is now pulled pre-built from
Ubuntu 21.04 (base image is still on 20.04, providing only an older
version). That removes the need to build and also cache that version
ourselves. For yet unknown reasons, the runtime of cppcheck is now twice
as long as under travis.

Signed-off-by: Jan Kiszka <jan.k...@siemens.com>
---

Changes in v3:
- reduce dependencies for arm64 build

.github/workflows/coverity.yaml | 64 ++++++++++++
.github/workflows/main.yaml | 159 ++++++++++++++++++++++++++++
.travis-build.sh | 177 --------------------------------
.travis.yml | 46 ---------
README.md | 4 +-
5 files changed, 224 insertions(+), 226 deletions(-)
index 0000000..6bb9f66
--- /dev/null
+++ b/.github/workflows/main.yaml
@@ -0,0 +1,159 @@
+ gcc-aarch64-linux-gnu libc6-dev-arm64-cross gnu-efi:arm64 \
+ libz-dev:arm64 libpci-dev:arm64 check:arm64 qemu-user-static