build(deps): bump github/codeql-action from 3.27.1 to 3.27.2 #3237
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
on: | |
push: | |
branches-ignore: | |
# dependabot branches will fail on push since they run with fork-level permissions despite being in the main repo. | |
# said branches are tested anyhow when dependabot makes its PR and the pull_request triggers the run. | |
- 'dependabot/**' | |
pull_request: | |
name: CI | |
jobs: | |
prepare: | |
name: Prepare | |
runs-on: ubuntu-22.04 | |
outputs: | |
github_commit_desc: ${{ steps.get_commit_desc.outputs.github_commit_desc }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4.2.2 | |
with: | |
fetch-depth: 0 | |
- name: Get head branch latest commit | |
run: echo "GITHUB_PR_HEAD_SHA=$(git log --pretty=format:'%h' $GITHUB_SHA^2 -1)" >> $GITHUB_ENV | |
- name: Get base branch latest commit | |
run: echo "GITHUB_PR_BASE_SHA=$(git log --pretty=format:'%h' $GITHUB_SHA^1 -1)" >> $GITHUB_ENV | |
- name: Get latest commit | |
run: echo "GITHUB_HEAD_SHA=$(git log --pretty=format:'%h' -1)" >> $GITHUB_ENV | |
# on a pull_request event in github actions, the tests are not run on the head branch of the PR, rather they are run on the merge commit of head merged into the base branch | |
# this means the latest commit in github actions, which is used for build artifact names is a commit that does not exist in the repository | |
# so on pull requests we create a user-friendly string to use in place of the merge commit sha, otherwise we just use the normal git HEAD sha. | |
- id: get_commit_desc | |
run: | | |
if [[ ${{ github.event_name }} == 'pull_request' ]]; then | |
echo "github_commit_desc=merge-${{ env.GITHUB_PR_HEAD_SHA }}-into-${{ env.GITHUB_PR_BASE_SHA }}" >> $GITHUB_OUTPUT | |
else | |
echo "github_commit_desc=${{ env.GITHUB_HEAD_SHA }}" >> $GITHUB_OUTPUT | |
fi | |
flatpak: | |
name: Flatpak | |
runs-on: ubuntu-22.04 | |
env: | |
FLATPAK_BUILD_PATH: flatpak_app/files/share | |
needs: prepare | |
container: | |
image: bilelmoussaoui/flatpak-github-actions:gnome-46 | |
options: --privileged | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4.2.2 | |
- name: Enable errors on warnings | |
run: | | |
dnf install -y jq | |
# jq does not have an option to save edits in place so we should make a temporary file to edit this safely | |
updated_manifest=$(mktemp) | |
jq '.modules[0]."config-opts" += ["-Dwerror=true"]' util/flatpak/com.github.wwmm.easyeffects.Devel.json > "$updated_manifest" | |
mv "$updated_manifest" util/flatpak/com.github.wwmm.easyeffects.Devel.json | |
- uses: flatpak/flatpak-github-actions/flatpak-builder@v6.3 | |
with: | |
bundle: easyeffects-flatpak-${{ needs.prepare.outputs.github_commit_desc }}.flatpak | |
manifest-path: util/flatpak/com.github.wwmm.easyeffects.Devel.json | |
cache-key: flatpak-builder-${{ github.sha }} | |
run-tests: true | |
# we also validate appstream in the appstream-news-validate job, | |
# but we still should specifically ensure the flatpak outputs it properly | |
#- name: Validate AppStream | |
# shell: bash | |
# working-directory: ${{ env.FLATPAK_BUILD_PATH }} | |
#run: | | |
# appstream-util validate-relax appdata/com.github.wwmm.easyeffects.Devel.appdata.xml | |
# - name: Verify icon and metadata in app-info | |
# shell: bash | |
# working-directory: ${{ env.FLATPAK_BUILD_PATH }} | |
# run: | | |
# test -f app-info/icons/flatpak/128x128/com.github.wwmm.easyeffects.Devel.png || { echo "Missing 128x128 icon in app-info" ; exit 1; } | |
# test -f app-info/xmls/com.github.wwmm.easyeffects.Devel.xml.gz || { echo "Missing com.github.wwmm.easyeffects.Devel.xml.gz in app-info" ; exit 1; } | |
# this just validates, actual update PRs are done in flatpak-update.yaml | |
- name: Verify flatpak external data checker metadata | |
uses: docker://ghcr.io/flathub/flatpak-external-data-checker:latest | |
with: | |
args: util/flatpak/com.github.wwmm.easyeffects.Devel.json | |
arch-linux: | |
name: Arch Linux | |
runs-on: ubuntu-22.04 | |
needs: prepare | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4.2.2 | |
with: | |
# needed for getting git describe info for pkgver() in pkgbuild | |
fetch-depth: 0 | |
- name: Save commit description to file | |
# if this file is present, pkgver() in pkgbuild will use it to show a more user-friendly commit sha | |
run: echo ${{ needs.prepare.outputs.github_commit_desc }} >> GITHUB_COMMIT_DESC | |
- name: Makepkg Build and Check | |
id: makepkg | |
uses: edlanglois/pkgbuild-action@v1.1.8 | |
with: | |
# namcap doesn't actually exclude this rule, resulting in unnecessary warnings, so just disable namcap since it's not critical | |
# namcapExcludeRules: unusedsodepends | |
namcapDisable: true | |
- name: Upload Package Archive | |
uses: actions/upload-artifact@v4.4.3 | |
with: | |
name: easyeffects-archlinux-${{ needs.prepare.outputs.github_commit_desc }}-x86_64 | |
path: ${{ steps.makepkg.outputs.pkgfile0 }} | |
if-no-files-found: error | |
alpine-linux: | |
name: Alpine Linux | |
runs-on: ubuntu-22.04 | |
strategy: | |
# test also with libc++ as that is not the default, and is good to test as some distros like chimera linux use it over libstdc++ | |
matrix: | |
stdlib: [libstdc++, libc++] | |
container: | |
image: alpine | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4.2.2 | |
- name: Install deps | |
run: | | |
apk update | |
apk upgrade | |
# install general build deps | |
apk add meson clang clang-extra-tools build-base bash libc++-dev | |
# copy pasted from https://git.alpinelinux.org/aports/plain/community/easyeffects/APKBUILD | |
depends="lv2" | |
makedepends=" | |
appstream-glib-dev | |
desktop-file-utils | |
fftw-dev | |
fmt-dev | |
gsl-dev | |
gtk4.0-dev | |
itstool | |
libadwaita-dev | |
libbs2b-dev | |
libebur128-dev | |
libsamplerate-dev | |
libsigc++3-dev | |
libsndfile-dev | |
libtbb-dev | |
lilv-dev | |
lv2-dev | |
meson | |
nlohmann-json | |
pipewire-dev | |
rnnoise-dev | |
soundtouch-dev | |
speexdsp-dev | |
zita-convolver-dev | |
ladspa-dev | |
" | |
# install easyeffects deps | |
apk add $makedepends $depends | |
# install libportal since we technically need it for a full check | |
apk add libportal-dev | |
- name: Build with Clang and ${{ matrix.stdlib }} | |
run: | | |
CC=clang CXX=clang++ CXXFLAGS=-stdlib=${{ matrix.stdlib }} meson setup build -Dwerror=true -Denable-libportal=true -Dbuildtype=debug ${{ matrix.stdlib == 'libc++' && '-Denable-libcpp-workarounds=true' || '' }} | |
meson compile -C build | |
codeql-analyze: | |
name: CodeQL Analyze | |
runs-on: ubuntu-22.04 | |
permissions: | |
security-events: write | |
container: | |
image: archlinux | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4.2.2 | |
- name: Install deps | |
run: | | |
# install general build deps | |
pacman -Syu --noconfirm ninja gcc pkgconf python3 python-pip which | |
# install easyeffects deps | |
source ./PKGBUILD && pacman -Syu --noconfirm --needed --asdeps "${makedepends[@]}" "${depends[@]}" | |
- name: Initialize CodeQL | |
uses: github/codeql-action/init@v3.27.2 | |
with: | |
languages: cpp # we don't use a matrix build (to analyze multiple lanaguages in parallel) as we are only analyzing c++ | |
- name: Autobuild | |
uses: github/codeql-action/autobuild@v3.27.2 | |
- name: Perform CodeQL Analysis | |
uses: github/codeql-action/analyze@v3.27.2 | |
clang-tidy: | |
name: Clang Tidy | |
runs-on: ubuntu-22.04 | |
container: | |
image: archlinux | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4.2.2 | |
- name: Install deps | |
run: | | |
# install general build deps | |
pacman -Syu --noconfirm ninja gcc pkgconf python3 python-pip which | |
# install easyeffects deps | |
source ./PKGBUILD && pacman -Syu --noconfirm --needed --asdeps "${makedepends[@]}" "${depends[@]}" | |
# install clang | |
pacman -S --noconfirm --needed --asdeps clang | |
# install libportal since we technically need it for a full check | |
pacman -S --noconfirm --needed --asdeps libportal libportal-gtk4 | |
- name: Build with Clang | |
# build with clang not because we strictly need to (we do need to do some kind of build so config.h shows up) | |
# but because any clang compiler failures will cause clang-tidy to fail later on, so we might as well fail fast | |
run: | | |
CC=clang CXX=clang++ meson setup build -Dwerror=true -Denable-libportal=true -Dbuildtype=debug | |
meson compile -C build | |
- name: Install ctcache | |
run: | | |
git clone https://github.com/matus-chochlik/ctcache | |
cd ctcache | |
git checkout bd1620a8609ddaf2f64500820abc8b4d150edeaf # v1.1.0 | |
./install-user-client | |
- name: Restore Clang Tidy cache | |
uses: actions/cache/restore@v4.1.2 | |
with: | |
# since the ctcache is just a list of checksums that were checked, we want to write to it every ci run to keep it up to date | |
# otherwise github actions just restores some old cache if the key didn't change | |
# the ctcache itself is what handles what misses or not | |
# https://github.com/actions/cache/blob/ea0503788c59256f4da17725d04df850ca027df5/tips-and-workarounds.md#update-a-cache | |
path: /tmp/ci-ctcache | |
key: clang-tidy-ctcache-${{ github.run_id }} | |
# this restores the most recently saved cache from the following 3 categories | |
# it first checks caches from the current branch/pull request, then the base branch of the pull request (if it exists), and then master (the default branch), as described here: | |
# https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#matching-a-cache-key | |
# this also relies on github's fairly restricted isolation for caches: | |
# https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#restrictions-for-accessing-a-cache | |
# note the most recently saved cache is not necessarily the one with the greatest run id, as a workflow run could have started before another but taken longer to complete | |
restore-keys: | | |
clang-tidy-ctcache- | |
- name: Clang Tidy | |
run: | | |
cd build | |
PATH=~/.local/bin:"$PATH" CTCACHE_DIR=/tmp/ci-ctcache ../util/clang-tidy.sh | |
- name: Save Clang Tidy cache | |
uses: actions/cache/save@v4.1.2 | |
# always run, except if the workflow was cancelled | |
# this means clang tidy will get cached even if some checks are failing | |
if: success() || failure() | |
with: | |
path: /tmp/ci-ctcache | |
key: clang-tidy-ctcache-${{ github.run_id }} | |
appstream-news-validate: | |
name: AppStream and News validate | |
runs-on: ubuntu-22.04 | |
container: | |
image: archlinux | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4.2.2 | |
- name: Install deps | |
run: pacman -Syu --noconfirm appstream appstream-glib libxslt which | |
- name: Validate existing files | |
run: ./util/update-release-files.sh --no-new-release |