Merge branch 'main' into feature/update-clang

philips-software · Oct 19, 2023 · d0d3fb7 · d0d3fb7
2 parents dcb0a36 + dc50228
commit d0d3fb7
Show file tree

Hide file tree

Showing 26 changed files with 273 additions and 155 deletions.
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
@@ -1,26 +1,23 @@
-FROM ubuntu@sha256:aabed3296a3d45cede1dc866a24476c4d7e093aa806263c27ddaadbdce3c1054
+FROM ubuntu@sha256:2b7412e6465c3c7fc5bb21d3e6f1917c167358449fecac8176c6e496e5c1f05f
 
-ARG BATS_VERSION=1.9.0
+ARG BATS_VERSION=1.10.0
 ARG CCACHE_VERSION=4.8.3
 ARG CLANG_VERSION=17
-ARG DOCKER_VERSION=24.0.4
-ARG GCC_VERSION=10
+ARG DOCKER_VERSION=24.0.6
 ARG MULL_VERSION=0.20.0
 ARG INCLUDE_WHAT_YOU_USE_VERSION=0.20
-ARG XWIN_VERSION=0.2.14
+ARG XWIN_VERSION=0.3.1
 
 ARG DEBIAN_FRONTEND=noninteractive
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 # Install the base system with all tool dependencies
-COPY .devcontainer/base/apt-requirements.json /tmp/apt-requirements-base.json
-COPY .devcontainer/gcc-${GCC_VERSION}/apt-requirements.json /tmp/apt-requirements-gcc.json
+COPY .devcontainer/apt-requirements-base.json /tmp/apt-requirements-base.json
 # hadolint ignore=DL3008
 RUN apt-get update && apt-get install -y --no-install-recommends jq \
- && jq -s '.[0] * .[1]' /tmp/apt-requirements-base.json /tmp/apt-requirements-gcc.json > /tmp/apt-requirements.json \
- && jq -r 'to_entries | .[] | .key + "=" + .value' /tmp/apt-requirements.json | xargs apt-get install -y --no-install-recommends \
- && rm /tmp/apt-requirements* \
+ && jq -r 'to_entries | .[] | .key + "=" + .value' /tmp/apt-requirements-base.json | xargs apt-get install -y --no-install-recommends \
+ && rm /tmp/apt-requirements-base.json \
  && rm -rf /var/lib/apt/lists/*
 
 # Include the Cisco Umbrella PKI Root
@@ -36,9 +33,11 @@ RUN python3 -m pip --no-cache-dir install \
 ENV CMAKE_GENERATOR="Ninja"
 
 # Install clang toolchain
-COPY .devcontainer/clang/apt-requirements.json /tmp/apt-requirements-clang.json
+COPY .devcontainer/apt-requirements-clang.json /tmp/apt-requirements-clang.json
+# hadolint ignore=SC1091
 RUN wget -qO - https://apt.llvm.org/llvm-snapshot.gpg.key | gpg --dearmor -o /usr/share/keyrings/llvm-snapshot-keyring.gpg \
- && echo "deb [signed-by=/usr/share/keyrings/llvm-snapshot-keyring.gpg] http://apt.llvm.org/$(lsb_release -cs)/ llvm-toolchain-$(lsb_release -cs)-${CLANG_VERSION} main" | tee /etc/apt/sources.list.d/llvm.list > /dev/null \
+ && UBUNTU_CODENAME=$(. /etc/os-release; echo "${UBUNTU_CODENAME/*, /}") \
+ && echo "deb [signed-by=/usr/share/keyrings/llvm-snapshot-keyring.gpg] http://apt.llvm.org/${UBUNTU_CODENAME}/ llvm-toolchain-${UBUNTU_CODENAME}-${CLANG_VERSION} main" | tee /etc/apt/sources.list.d/llvm.list > /dev/null \
  && apt-get update \
  && jq -r 'to_entries | .[] | .key + "=" + .value' /tmp/apt-requirements-clang.json | xargs apt-get install -y --no-install-recommends \
  && rm /tmp/apt-requirements* \
@@ -50,22 +49,26 @@ ENV PATH="$PATH:/usr/lib/llvm-${CLANG_VERSION}/bin"
 RUN apt-get update && apt-get install -y --no-install-recommends libclang-${CLANG_VERSION}-dev llvm-${CLANG_VERSION}-dev libsqlite3-dev \
  && wget -qO - https://github.com/include-what-you-use/include-what-you-use/archive/refs/tags/${INCLUDE_WHAT_YOU_USE_VERSION}.tar.gz | tar xz -C /tmp \
  && CC=clang-${CLANG_VERSION} CXX=clang++-${CLANG_VERSION} cmake -S /tmp/include-what-you-use-${INCLUDE_WHAT_YOU_USE_VERSION} -B /tmp/include-what-you-use-${INCLUDE_WHAT_YOU_USE_VERSION}/build \
- && cmake --build /tmp/include-what-you-use-${INCLUDE_WHAT_YOU_USE_VERSION}/build \
  && cmake --build /tmp/include-what-you-use-${INCLUDE_WHAT_YOU_USE_VERSION}/build --target install \
  && rm -rf /tmp/include-what-you-use-${INCLUDE_WHAT_YOU_USE_VERSION} \
  && git -C /tmp clone --recurse-submodules -b ${MULL_VERSION} https://github.com/mull-project/mull.git \
  && CC=clang-${CLANG_VERSION} CXX=clang++-${CLANG_VERSION} cmake -S /tmp/mull -B /tmp/mull/build \
- && cmake --build /tmp/mull/build \
  && cmake --build /tmp/mull/build --target install \
  && rm -rf /tmp/mull \
  && apt-get purge -y libclang-${CLANG_VERSION}-dev llvm-${CLANG_VERSION}-dev libsqlite3-dev \
  && apt-get autoremove -y \
  && apt-get clean \
  && rm -rf /var/lib/apt/lists/*
 
+# Install ccache from source for a recent version
+RUN wget -qO - https://github.com/ccache/ccache/archive/refs/tags/v${CCACHE_VERSION}.tar.gz | tar xz -C /tmp \
+ && CC=clang-${CLANG_VERSION} CXX=clang++-${CLANG_VERSION} cmake -DCMAKE_BUILD_TYPE=Release -S /tmp/ccache-${CCACHE_VERSION} -B /tmp/ccache-${CCACHE_VERSION}/build \
+ && cmake --build /tmp/ccache-${CCACHE_VERSION}/build --target install \
+ && rm -rf /tmp/ccache-${CCACHE_VERSION}
+
 # Install arm-gcc toolchain
-COPY .devcontainer/gcc-${GCC_VERSION}/install-arm-none-eabi.sh /tmp/install-arm-none-eabi.sh
-RUN /tmp/install-arm-none-eabi.sh && rm /tmp/install-arm-none-eabi.sh
+RUN mkdir /opt/gcc-arm-none-eabi \
+ && wget -qO - "https://developer.arm.com/-/media/Files/downloads/gnu/12.3.rel1/binrel/arm-gnu-toolchain-12.3.rel1-$(uname -m)-arm-none-eabi.tar.xz" | tar --exclude='*arm-none-eabi-gdb*' --exclude='share' --strip-components=1 -xJC /opt/gcc-arm-none-eabi
 ENV PATH="$PATH:/opt/gcc-arm-none-eabi/bin"
 
 # Install docker-cli for Docker-from-Docker tools
@@ -85,16 +88,10 @@ RUN batstmp="$(mktemp -d /tmp/bats-core-${BATS_VERSION}.XXXX)" \
 RUN wget -qO - "https://github.com/Jake-Shadle/xwin/releases/download/${XWIN_VERSION}/xwin-${XWIN_VERSION}-$(uname -m)-unknown-linux-musl.tar.gz" | tar -xzv -C /usr/local/bin --strip-components=1 "xwin-${XWIN_VERSION}-$(uname -m)-unknown-linux-musl/xwin"
 
 # Update all tool alternatives to the correct version
-RUN update-alternatives --install /usr/bin/c++ c++ /usr/bin/g++-${GCC_VERSION} 20 \
- && update-alternatives --install /usr/bin/cc cc /usr/bin/gcc-${GCC_VERSION} 20 \
- && update-alternatives --install /usr/bin/gcov gcov /usr/bin/gcov-${GCC_VERSION} 10 \
+RUN update-alternatives --install /usr/bin/c++ c++ /usr/bin/g++-12 20 \
+ && update-alternatives --install /usr/bin/cc cc /usr/bin/gcc-12 20 \
+ && update-alternatives --install /usr/bin/gcov gcov /usr/bin/gcov-12 10 \
  && update-alternatives --install /usr/bin/iwyu iwyu /usr/local/bin/include-what-you-use 10 \
  && update-alternatives --install /usr/bin/mull-runner mull-runner /usr/local/bin/mull-runner-15 10 \
  && update-alternatives --install /usr/lib/mull-ir-frontend mull-ir-frontend /usr/local/lib/mull-ir-frontend-15 10 \
  && update-alternatives --install /usr/bin/python python /usr/bin/python3 10
-
-# Install ccache from source for a recent version
-RUN wget -qO - https://github.com/ccache/ccache/archive/refs/tags/v${CCACHE_VERSION}.tar.gz | tar xz -C /tmp \
- && cmake -DCMAKE_BUILD_TYPE=Release -S /tmp/ccache-${CCACHE_VERSION} -B /tmp/ccache-${CCACHE_VERSION}/build \
- && cmake --build /tmp/ccache-${CCACHE_VERSION}/build --target install \
- && rm -rf /tmp/ccache-${CCACHE_VERSION}
diff --git a/.devcontainer/base/apt-requirements.json → .devcontainer/apt-requirements-base.json b/.devcontainer/base/apt-requirements.json → .devcontainer/apt-requirements-base.json
@@ -1,15 +1,14 @@
 {
   "bzip2": "1.0.8-5build1",
   "ca-certificates": "20230311ubuntu0.22.04.1",
-  "gdb": "12.1-0ubuntu1~22.04",
+  "g++-12": "12.3.0-1ubuntu1~22.04",
+  "gdb-multiarch": "12.1-0ubuntu1~22.04",
   "git": "1:2.34.1-1ubuntu1.10",
   "gnupg2": "2.2.27-3ubuntu2.1",
-  "libncurses5": "6.3-2ubuntu0.1",
-  "libpython2.7": "2.7.18-13ubuntu1.1",
-  "lsb-release": "11.1.0ubuntu4",
   "ninja-build": "1.10.1-1",
   "python3-pip": "22.0.2+dfsg-1ubuntu0.3",
   "unzip": "6.0-26ubuntu3.1",
   "wget": "1.21.2-2ubuntu1",
-  "xsltproc": "1.1.34-4ubuntu0.22.04.1"
+  "xsltproc": "1.1.34-4ubuntu0.22.04.1",
+  "xz-utils": "5.2.5-2ubuntu1"
 }
diff --git a/.devcontainer/apt-requirements-clang.json b/.devcontainer/apt-requirements-clang.json
@@ -0,0 +1,9 @@
+{
+  "clang-15": "1:15.0.7-0ubuntu0.22.04.3",
+  "clangd-15": "1:15.0.7-0ubuntu0.22.04.3",
+  "clang-format-15": "1:15.0.7-0ubuntu0.22.04.3",
+  "clang-tidy-15": "1:15.0.7-0ubuntu0.22.04.3",
+  "clang-tools-15": "1:15.0.7-0ubuntu0.22.04.3",
+  "lld-15": "1:15.0.7-0ubuntu0.22.04.3",
+  "llvm-15": "1:15.0.7-0ubuntu0.22.04.3"
+}
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -11,11 +11,15 @@
   "mounts": [
     "source=/var/run/docker.sock,target=/var/run/docker.sock,type=bind"
   ],
-  "extensions": [
-    "jetmartin.bats",
-    "matepek.vscode-catch2-test-adapter",
-    "ms-vscode.cmake-tools",
-    "ms-vscode.cpptools",
-    "SonarSource.sonarlint-vscode"
-  ]
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "jetmartin.bats",
+        "matepek.vscode-catch2-test-adapter",
+        "ms-vscode.cmake-tools",
+        "ms-vscode.cpptools",
+        "SonarSource.sonarlint-vscode"
+      ]
+    }
+  }
 }
diff --git a/.devcontainer/gcc-10/apt-requirements.json b/.devcontainer/gcc-10/apt-requirements.json
diff --git a/.devcontainer/gcc-10/install-arm-none-eabi.sh b/.devcontainer/gcc-10/install-arm-none-eabi.sh
diff --git a/.devcontainer/update-dependencies.sh b/.devcontainer/update-dependencies.sh
@@ -5,15 +5,13 @@ set -Eeuo pipefail
 apt-get update
 apt-get install jq -y
 
-for DIR in "$@"; do
-    echo $DIR
-
-    JSON=$( cat $DIR/apt-requirements.json )
+for FILE in "$@"; do
+    JSON=$( cat $FILE )
 
     for PACKAGE in $( echo $JSON | jq -r 'keys | .[]' ); do
         VERSION=$( apt-cache policy "$PACKAGE" | grep -oP '(?<=Candidate:\s)(.+)' )
         JSON=$( echo $JSON | jq '.[$package] = $version' --arg package $PACKAGE --arg version $VERSION )
     done
 
-    echo $JSON | jq . > $DIR/apt-requirements.json
+    echo $JSON | jq . > $FILE
 done
diff --git a/.github/workflows/build-push.yml b/.github/workflows/build-push.yml
@@ -2,6 +2,7 @@
 name: Build & Push
 
 on:
+  merge_group:
   pull_request:
   push:
     tags: ["v*.*.*"]
@@ -28,25 +29,23 @@ jobs:
       id-token: write
     steps:
       - uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
-        if: github.event_name != 'pull_request'
+        if: ${{ github.event_name != 'merge_group' }}
       - uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
         id: meta
         with:
           images: ${{ env.REGISTRY }}/${{ github.repository }}
           # Generate Docker tags based on the following events/attributes
+          # When modifying please update the tags in the clean up workflow as well
           tags: |
-            type=schedule
             type=raw,value=latest,enable={{is_default_branch}}
-            type=ref,event=branch
             type=ref,event=pr
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
             type=semver,pattern={{major}}
-            type=sha
       - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
       - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
       - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
-        if: github.event_name != 'pull_request'
+        if: ${{ github.event_name != 'merge_group' }}
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
@@ -56,17 +55,21 @@ jobs:
         with:
           file: .devcontainer/Dockerfile
           platforms: linux/amd64,linux/arm64
-          push: ${{ github.event_name != 'pull_request' }}
+          push: ${{ github.event_name != 'merge_group' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           sbom: true
           provenance: true
           cache-from: type=gha
           cache-to: type=gha,mode=max
-      - name: Sign the published Docker image
-        if: ${{ github.event_name != 'pull_request' }}
-        env:
-          COSIGN_EXPERIMENTAL: "true"
-        # This step uses the identity token to provision an ephemeral certificate
+      - uses: crazy-max/ghaction-container-scan@3e9c23f89cd6b0bda949ffe14f28a3ce282323b7 # v3.0.0
+        with:
+          image: ${{ env.REGISTRY }}/${{ github.repository }}@${{ steps.build-and-push.outputs.digest }}
+      - name: Sign the image with GitHub OIDC token
+        if: ${{ github.event_name != 'merge_group' }}
+        # This step uses the GitHub OIDC identity token to provision an ephemeral certificate
         # against the sigstore community Fulcio instance.
-        run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign --yes {}@${{ steps.build-and-push.outputs.digest }}
+        env:
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+          TAGS: ${{ steps.meta.outputs.tags }}
+        run: cosign sign --yes "${TAGS}@${DIGEST}"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,38 +1,38 @@
----
-name: Continuous Integration
-
-on:
-  merge_group:
-  pull_request:
-  workflow_dispatch:
-
-concurrency:
-  group: ${{ github.ref }}-${{ github.workflow }}
-  cancel-in-progress: true
-
-permissions:
-  contents: read
-
-jobs:
-  build-test:
-    runs-on: ubuntu-latest
-    steps:
-      # While the docker/build-push-action works from the Git context, we still need
-      # the checkout step for running our tests.
-      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+---
+name: Continuous Integration
+
+on:
+  merge_group:
+  pull_request:
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.ref }}-${{ github.workflow }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  build-test:
+    runs-on: ubuntu-latest
+    steps:
+      # While the docker/build-push-action works from the Git context, we still need
+      # the checkout step for running our tests.
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
       - uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
-        with:
-          file: .devcontainer/Dockerfile
-          load: true
-          tags: ${{ github.repository }}:test
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-      - name: Run Tests
-        run: |
-          set -Eeuo pipefail
-          docker run --rm --mount type=bind,src="$(pwd)/test",dst=/ws -w /ws ${{ github.repository }}:test bats --formatter junit testsuite.bats | tee test-report.xml
-      - uses: test-summary/action@62bc5c68de2a6a0d02039763b8c754569df99e3f # v2.1
-        with:
-          paths: test-report.xml
-          show: all
+        with:
+          file: .devcontainer/Dockerfile
+          load: true
+          tags: ${{ github.repository }}:test
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+      - name: Run Tests
+        run: |
+          set -Eeuo pipefail
+          docker run --rm --mount type=bind,src="$(pwd)/test",dst=/ws -w /ws ${{ github.repository }}:test bats --formatter junit testsuite.bats | tee test-report.xml
+      - uses: test-summary/action@62bc5c68de2a6a0d02039763b8c754569df99e3f # v2.1
+        with:
+          paths: test-report.xml
+          show: all
diff --git a/.github/workflows/cleanup-pr-image.yml b/.github/workflows/cleanup-pr-image.yml
@@ -0,0 +1,31 @@
+name: Cleanup Pull-Request Image
+
+on:
+  pull_request:
+    types: [closed]
+
+permissions:
+  contents: read
+
+env:
+  REGISTRY: ghcr.io
+
+jobs:
+  delete-images:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+    steps:
+      - uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
+      - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - run: cosign clean -f --type=signature "${{ env.REGISTRY }}/${{ github.repository }}:pr-${{ github.event.pull_request.number }}"
+      - uses: bots-house/ghcr-delete-image-action@3827559c68cb4dcdf54d813ea9853be6d468d3a4 # v1.1.0
+        with:
+          owner: ${{ github.repository_owner }}
+          name: ${{ github.event.repository.name }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+          tag: pr-${{ github.event.pull_request.number }}
diff --git a/.github/workflows/linting-formatting.yml b/.github/workflows/linting-formatting.yml
@@ -22,20 +22,20 @@ jobs:
       pull-requests: write
       security-events: write
     steps:
-      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 0
-      - uses: oxsecurity/megalinter@fda6ac3a38be0e969820709ac16e442464e5a035 # v7.3.0
+      - uses: oxsecurity/megalinter@a87b2872713c6bdde46d2473c5d7ed23e5752dc2 # v7.4.0
         env:
           APPLY_FIXES: all
           VALIDATE_ALL_CODEBASE: true
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - uses: github/codeql-action/upload-sarif@04daf014b50eaf774287bf3f0f1869d4b4c4b913 # v2.21.7
-        if: ${{ success() }} || ${{ failure() }}
+      - uses: github/codeql-action/upload-sarif@0116bc2df50751f9724a2e35ef1f24d22f90e4e1 # v2.22.3
+        if: ${{ success() || failure() }}
         with:
           sarif_file: megalinter-reports/megalinter-report.sarif
       - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
-        if: ${{ success() }} || ${{ failure() }}
+        if: ${{ success() || failure() }}
         with:
           name: Linter Report
           path: |

diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -16,7 +16,7 @@ jobs:
   create-release:
     runs-on: ubuntu-latest
     steps:
-      - uses: google-github-actions/release-please-action@ca6063f4ed81b55db15b8c42d1b6f7925866342d # v3.7.11
+      - uses: google-github-actions/release-please-action@4c5670f886fe259db4d11222f7dff41c1382304d # v3.7.12
         with:
           command: manifest
           token: ${{ secrets.AMP_RELEASER_TOKEN }}