|
5 | 5 | pull_request: |
6 | 6 |
|
7 | 7 | jobs: |
| 8 | + build-modsecurity-v3: |
| 9 | + name: ModSecurity v3 (warn-only hardening build) |
| 10 | + runs-on: ubuntu-24.04 |
| 11 | + env: |
| 12 | + CC: gcc |
| 13 | + CXX: g++ |
| 14 | + MODSECURITY_WARN_ONLY: "1" |
| 15 | + COMMON_CC_OPT: "-O2 -pipe -fstack-protector-strong -fstack-clash-protection -ffunction-sections -fdata-sections -D_FORTIFY_SOURCE=2" |
| 16 | + COMMON_LD_OPT: "-Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wl,--as-needed -Wl,--gc-sections" |
| 17 | + PIC_CC_OPT: "-fPIC" |
| 18 | + MODSECURITY_CC_OPT: "-Wall -Wextra -Wformat -Wformat-security" |
| 19 | + MODSECURITY_CXX_OPT: "-Wall -Wextra -Wformat -Wformat-security" |
| 20 | + MODSECURITY_LD_OPT: "-Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wl,--as-needed -Wl,--gc-sections" |
| 21 | + steps: |
| 22 | + - uses: actions/checkout@v6 |
| 23 | + with: |
| 24 | + fetch-depth: 0 |
| 25 | + submodules: recursive |
| 26 | + |
| 27 | + - name: Detect latest Lua dev package |
| 28 | + id: detect_lua |
| 29 | + shell: bash |
| 30 | + run: | |
| 31 | + set -euo pipefail |
| 32 | + sudo apt-get update -y -qq |
| 33 | + CANDIDATES="$(apt-cache pkgnames | grep -E '^liblua[0-9]+\.[0-9]+-dev$' || true)" |
| 34 | + [ -n "$CANDIDATES" ] |
| 35 | + BEST_PKG="$( |
| 36 | + printf '%s\n' "$CANDIDATES" \ |
| 37 | + | sed -E 's/^liblua([0-9]+\.[0-9]+)-dev$/\1 &/' \ |
| 38 | + | sort -V \ |
| 39 | + | tail -n1 \ |
| 40 | + | awk '{print $2}' |
| 41 | + )" |
| 42 | + [ -n "$BEST_PKG" ] |
| 43 | + echo "lua_pkg=$BEST_PKG" >> "$GITHUB_OUTPUT" |
| 44 | +
|
| 45 | + - name: Install dependencies |
| 46 | + run: | |
| 47 | + sudo apt-get update -y -qq |
| 48 | + sudo apt-get install -y \ |
| 49 | + autoconf automake libtool pkg-config bison flex \ |
| 50 | + libyajl-dev libcurl4-openssl-dev liblmdb-dev \ |
| 51 | + ${{ steps.detect_lua.outputs.lua_pkg }} \ |
| 52 | + libmaxminddb-dev libpcre2-dev libxml2-dev libfuzzy-dev |
| 53 | +
|
| 54 | + - name: Build preparation |
| 55 | + run: ./build.sh |
| 56 | + |
| 57 | + - name: Configure ModSecurity v3 flags |
| 58 | + shell: bash |
| 59 | + run: | |
| 60 | + set -euo pipefail |
| 61 | +
|
| 62 | + C_WARNINGS="${MODSECURITY_CC_OPT}" |
| 63 | + CXX_WARNINGS="${MODSECURITY_CXX_OPT}" |
| 64 | +
|
| 65 | + if [ "${MODSECURITY_WARN_ONLY:-0}" = "1" ]; then |
| 66 | + C_WARNINGS="$(echo " ${C_WARNINGS} " | sed -E 's/[[:space:]]-Werror(=format-security)?[[:space:]]/ /g')" |
| 67 | + CXX_WARNINGS="$(echo " ${CXX_WARNINGS} " | sed -E 's/[[:space:]]-Werror(=format-security)?[[:space:]]/ /g')" |
| 68 | + fi |
| 69 | +
|
| 70 | + echo "CFLAGS=${COMMON_CC_OPT} ${PIC_CC_OPT} ${C_WARNINGS}" >> "$GITHUB_ENV" |
| 71 | + echo "CXXFLAGS=${COMMON_CC_OPT} ${PIC_CC_OPT} ${CXX_WARNINGS}" >> "$GITHUB_ENV" |
| 72 | + echo "CPPFLAGS=-D_FORTIFY_SOURCE=2" >> "$GITHUB_ENV" |
| 73 | + echo "LDFLAGS=${COMMON_LD_OPT} ${MODSECURITY_LD_OPT}" >> "$GITHUB_ENV" |
| 74 | +
|
| 75 | + - name: Print toolchain and build configuration |
| 76 | + shell: bash |
| 77 | + run: | |
| 78 | + set -euo pipefail |
| 79 | + echo "compiler version:" |
| 80 | + ${CC} --version |
| 81 | + echo |
| 82 | + echo "linker version:" |
| 83 | + ${CC} -Wl,--version | head -n1 || ld --version | head -n1 |
| 84 | + echo |
| 85 | + echo "CFLAGS=${CFLAGS}" |
| 86 | + echo "CXXFLAGS=${CXXFLAGS}" |
| 87 | + echo "CPPFLAGS=${CPPFLAGS}" |
| 88 | + echo "LDFLAGS=${LDFLAGS}" |
| 89 | + echo "configure options: --enable-assertions=yes" |
| 90 | + echo "MODSECURITY_WARN_ONLY=${MODSECURITY_WARN_ONLY}" |
| 91 | + echo "Note: no LuaJIT rpath and no nginx/OpenResty-specific flags are used in this job." |
| 92 | +
|
| 93 | + - name: Configure |
| 94 | + run: ./configure --enable-assertions=yes |
| 95 | + |
| 96 | + - name: Build (verbose) |
| 97 | + run: make -j "$(nproc)" V=1 |
| 98 | + |
8 | 99 | build-linux: |
9 | 100 | name: Linux (${{ matrix.platform.label }}, ${{ matrix.compiler.label }}, ${{ matrix.configure.label }}) |
10 | 101 |
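Review bot: The new job checks out with `uses: actions/checkout@v6` (new line 22), a mutable tag; for a job whose purpose is a hardened build, pin the action to a full commit SHA with the tag in a trailing comment, e.g. `uses: actions/checkout@<40-hex-sha> # v6`, so a retagged or compromised release cannot change what runs. The `-D_FORTIFY_SOURCE=2` passed in both `COMMON_CC_OPT` and `CPPFLAGS` is probably a downgrade on this runner, since the Ubuntu 24.04 gcc appears to default to `_FORTIFY_SOURCE=3` under `-O2` (verify on the runner); if so, use `=3` and define it in one place only. The hardening set also lacks `-fcf-protection=full` (CET on x86-64) and `-D_GLIBCXX_ASSERTIONS` for the C++ sources, which would fit naturally in `COMMON_CC_OPT`. Note that the `-Werror` stripping in "Configure ModSecurity v3 flags" is a no-op today because `MODSECURITY_CC_OPT`/`MODSECURITY_CXX_OPT` contain no `-Werror`, so `-Wformat-security` findings only appear in the log and never gate the job; consider at least `-Werror=format-security`, or a step that greps the build output for `format-security` warnings and fails on them.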