From 2764d6625a1c60431d4668bda20859afe3f947e4 Mon Sep 17 00:00:00 2001 From: opcm Date: Sun, 13 Oct 2024 10:31:01 +0200 Subject: [PATCH 01/13] run freebsd_build on ubuntu runner --- .github/workflows/freebsd_build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/freebsd_build.yml b/.github/workflows/freebsd_build.yml index 987d2a32..c65fc19c 100644 --- a/.github/workflows/freebsd_build.yml +++ b/.github/workflows/freebsd_build.yml @@ -12,7 +12,7 @@ permissions: jobs: build: - runs-on: macos-12 + runs-on: ubuntu-latest steps: - name: Harden Runner From 10edfac690b0812c1798f3c25c4d5b4f8b37dda2 Mon Sep 17 00:00:00 2001 From: opcm Date: Sun, 13 Oct 2024 11:22:53 +0200 Subject: [PATCH 02/13] run on FreeBSD 14.1 --- .github/workflows/freebsd_build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/freebsd_build.yml b/.github/workflows/freebsd_build.yml index c65fc19c..a23a559d 100644 --- a/.github/workflows/freebsd_build.yml +++ b/.github/workflows/freebsd_build.yml @@ -30,7 +30,7 @@ jobs: memory: 2048 shell: sh operating_system: freebsd - version: '13.2' + version: '14.1' run: | sudo pkg install -y curl gmake cmake pwd From 2925d1a3696b218db7dcacf30034e1d6353d1a6d Mon Sep 17 00:00:00 2001 From: opcm Date: Sun, 13 Oct 2024 11:26:23 +0200 Subject: [PATCH 03/13] run pkg upgrade --- .github/workflows/freebsd_build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/freebsd_build.yml b/.github/workflows/freebsd_build.yml index a23a559d..28087dd7 100644 --- a/.github/workflows/freebsd_build.yml +++ b/.github/workflows/freebsd_build.yml @@ -32,6 +32,7 @@ jobs: operating_system: freebsd version: '14.1' run: | + sudo pkg upgrade -y sudo pkg install -y curl gmake cmake pwd ls -lah From 7970dfd14db564495b48b389aed9b7d1ba98d0fd Mon Sep 17 00:00:00 2001 
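Review bot: The added `sudo pkg upgrade -y` pulls whatever the quarterly branch ships at that moment, so the toolchain the build runs against changes silently between runs and a regression cannot be tied to a package change from the job log. If floating versions are intended, at least record what was used: a `sudo pkg info curl gmake cmake` line after the install command makes a failing run reproducible. Integrity of the upgraded packages rests on pkg's repository signature check (the `signature_type: fingerprints` setting in a stock FreeBSD image), not on the transport, so the upgrade itself weakens nothing as long as that check stays enabled. The `run:` block may continue past `ls -lah`, outside the hunk.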
From: opcm Date: Sun, 13 Oct 2024 12:01:42 +0200 Subject: [PATCH 04/13] ubuntu 24.04 runner --- .github/workflows/freebsd_build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/freebsd_build.yml b/.github/workflows/freebsd_build.yml index 28087dd7..ccee2976 100644 --- a/.github/workflows/freebsd_build.yml +++ b/.github/workflows/freebsd_build.yml @@ -12,7 +12,7 @@ permissions: jobs: build: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Harden Runner From ff401b04830df8c33fbf2fc928c51e3ef4677deb Mon Sep 17 00:00:00 2001 From: opcm Date: Sun, 13 Oct 2024 13:10:43 +0200 Subject: [PATCH 05/13] runner to vm option --- .github/workflows/freebsd_build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/freebsd_build.yml b/.github/workflows/freebsd_build.yml index ccee2976..73f52312 100644 --- a/.github/workflows/freebsd_build.yml +++ b/.github/workflows/freebsd_build.yml @@ -31,6 +31,7 @@ jobs: shell: sh operating_system: freebsd version: '14.1' + sync_files: runner-to-vm run: | sudo pkg upgrade -y sudo pkg install -y curl gmake cmake From 6fcd611fc96212a328435317c1bb04a7aab9c119 Mon Sep 17 00:00:00 2001 From: opcm Date: Sun, 13 Oct 2024 12:13:33 +0000 Subject: [PATCH 06/13] debug: disable harden runner for a moment --- .github/workflows/freebsd_build.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/freebsd_build.yml b/.github/workflows/freebsd_build.yml index 73f52312..a2d39ced 100644 --- a/.github/workflows/freebsd_build.yml +++ b/.github/workflows/freebsd_build.yml @@ -15,10 +15,6 @@ jobs: runs-on: ubuntu-24.04 steps: - - name: Harden Runner - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 - with: - egress-policy: audit - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: From cf2e8df8c30e6ade962139a8830fe5dff0ffe899 Mon Sep 17 00:00:00 2001 
From: opcm Date: Sun, 13 Oct 2024 12:16:40 +0000 Subject: [PATCH 07/13] Revert "debug: disable harden runner for a moment" This reverts commit 6fcd611fc96212a328435317c1bb04a7aab9c119. --- .github/workflows/freebsd_build.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/freebsd_build.yml b/.github/workflows/freebsd_build.yml index a2d39ced..73f52312 100644 --- a/.github/workflows/freebsd_build.yml +++ b/.github/workflows/freebsd_build.yml @@ -15,6 +15,10 @@ jobs: runs-on: ubuntu-24.04 steps: + - name: Harden Runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + with: + egress-policy: audit - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: From 43086502889812cc7fd5162dc0c0e9640fd5308a Mon Sep 17 00:00:00 2001 From: opcm Date: Sun, 13 Oct 2024 12:24:09 +0000 Subject: [PATCH 08/13] apply step-security policy --- .github/workflows/freebsd_build.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/freebsd_build.yml b/.github/workflows/freebsd_build.yml index 73f52312..f56e3f0c 100644 --- a/.github/workflows/freebsd_build.yml +++ b/.github/workflows/freebsd_build.yml @@ -16,9 +16,15 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + uses: step-security/harden-runner@446798f8213ac2e75931c1b0769676d927801858 # v2.10.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + freebsd.pool.ntp.org:443 + github.com:443 + objects.githubusercontent.com:443 + pkg.FreeBSD.org:443 + pkg.FreeBSD.org:80 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: From 803e2fec837931755c7c623fcd14afda9491e2bc Mon Sep 17 00:00:00 2001 From: opcm Date: Sun, 13 Oct 2024 12:55:42 +0000 Subject: [PATCH 09/13] refine --- .github/workflows/freebsd_build.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
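Review bot: `freebsd.pool.ntp.org:443` in the new allow-list looks wrong on its face: NTP speaks UDP/123, so a TCP/443 entry for the pool hosts either matches nothing or permits traffic that is not time sync. Check the audit-mode run's observed connections for the port actually used, and drop the entry if the guest never completes a TCP connection to those hosts rather than keep an allow rule nobody can explain; if it is needed, a comment such as `# guest ntpd at boot; seen in audit run` above the list records why. Whether connections that originate inside the FreeBSD VM are subject to this host-side policy at all depends on how the VM's network is attached to the runner, which the hunk does not show; a deliberate connection to an unlisted host from inside the VM is a cheap way to confirm that block mode bites. Allowing `pkg.FreeBSD.org:80` next to `:443` keeps a plaintext path open for the package catalog; pkg's signature check covers integrity, but if https works for the repository the `:80` entry can go.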
diff --git a/.github/workflows/freebsd_build.yml b/.github/workflows/freebsd_build.yml index f56e3f0c..319ab206 100644 --- a/.github/workflows/freebsd_build.yml +++ b/.github/workflows/freebsd_build.yml @@ -20,11 +20,10 @@ jobs: with: egress-policy: block allowed-endpoints: > - freebsd.pool.ntp.org:443 + *.freebsd.pool.ntp.org:443 github.com:443 objects.githubusercontent.com:443 - pkg.FreeBSD.org:443 - pkg.FreeBSD.org:80 + pkg.FreeBSD.org:* - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: From 0fb1e8a47e4e364f1ec8b80d9a800910c2bc89c8 Mon Sep 17 00:00:00 2001 From: opcm Date: Sun, 13 Oct 2024 14:14:25 +0000 Subject: [PATCH 10/13] use https protocol only --- .github/workflows/freebsd_build.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/freebsd_build.yml b/.github/workflows/freebsd_build.yml index 319ab206..50a96e27 100644 --- a/.github/workflows/freebsd_build.yml +++ b/.github/workflows/freebsd_build.yml @@ -38,6 +38,8 @@ jobs: version: '14.1' sync_files: runner-to-vm run: | + sudo sh -c 'echo "FreeBSD: { url: \"https://pkg.FreeBSD.org/\${ABI}/quarterly\", mirror_type: \"srv\", enabled: yes }" > /usr/local/etc/pkg/repos/FreeBSD.conf' + sudo pkg update -f sudo pkg upgrade -y sudo pkg install -y curl gmake cmake pwd From e31f1e09d4343974261c1bb2d766b1a861346ebd Mon Sep 17 00:00:00 2001 From: opcm Date: Sun, 13 Oct 2024 14:17:35 +0000 Subject: [PATCH 11/13] mkdir --- .github/workflows/freebsd_build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/freebsd_build.yml b/.github/workflows/freebsd_build.yml index 50a96e27..77178f01 100644 --- a/.github/workflows/freebsd_build.yml +++ b/.github/workflows/freebsd_build.yml 
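Review bot: `pkg.FreeBSD.org:*` replaces two explicit ports with every port, which is broader than the audit evidence the earlier entries encoded and makes the policy harder to review; if only 80 and 443 are needed, listing both costs nothing, and with an https-only repository definition `pkg.FreeBSD.org:443` alone should do. If the VM keeps FreeBSD's default repo definition, its `mirror_type: srv` makes pkg resolve the repository's SRV record and connect to whichever host that record names, so a name-based filter may need that target host rather than (or as well as) `pkg.FreeBSD.org` — confirm from the audit log, not from the URL. `*.freebsd.pool.ntp.org:443` still pairs NTP pool hosts with TCP/443, which deserves the same check.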
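Review bot: The repository override written by the new `sudo sh -c` line sets `url`, `mirror_type` and `enabled` but not `signature_type`/`fingerprints`; pkg merges a same-named repository definition with the stock one in `/etc/pkg/FreeBSD.conf`, so signing should carry over, but it is that signature check, not https, that authenticates packages, and this is the line that would silently lose it if the merge semantics or the image's stock file ever change. One assertion after `sudo pkg update -f` makes the expectation explicit: `pkg -vv | grep -qi 'signature_type.*fingerprints' || exit 1` (the key is printed in upper case on current pkg, hence `-i`). Moving the catalog fetch to https is still worthwhile — it hides which packages are pulled from a network observer and removes the plaintext port the egress allow-list otherwise has to carry. `enabled: yes` sits inside a string that pkg, not the YAML loader, parses, so the usual truthy-value warning does not apply here.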
@@ -36,8 +36,8 @@ jobs: shell: sh operating_system: freebsd version: '14.1' - sync_files: runner-to-vm run: | + sudo mkdir -p /usr/local/etc/pkg/repos sudo sh -c 'echo "FreeBSD: { url: \"https://pkg.FreeBSD.org/\${ABI}/quarterly\", mirror_type: \"srv\", enabled: yes }" > /usr/local/etc/pkg/repos/FreeBSD.conf' sudo pkg update -f sudo pkg upgrade -y From 02c1932681e213624a41b095a19df97a497df608 Mon Sep 17 00:00:00 2001 From: opcm Date: Sun, 13 Oct 2024 14:25:58 +0000 Subject: [PATCH 12/13] scan too --- .github/workflows/freebsd_scan_build.yml | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/.github/workflows/freebsd_scan_build.yml b/.github/workflows/freebsd_scan_build.yml index 2b0c8406..ff401af2 100644 --- a/.github/workflows/freebsd_scan_build.yml +++ b/.github/workflows/freebsd_scan_build.yml @@ -12,13 +12,18 @@ permissions: jobs: build: - runs-on: macos-12 + runs-on: ubuntu-24.04 steps: - name: Harden Runner - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + uses: step-security/harden-runner@446798f8213ac2e75931c1b0769676d927801858 # v2.10.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + *.freebsd.pool.ntp.org:443 + github.com:443 + objects.githubusercontent.com:443 + pkg.FreeBSD.org:* - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: @@ -32,6 +37,10 @@ jobs: operating_system: freebsd version: '13.2' run: | + sudo mkdir -p /usr/local/etc/pkg/repos + sudo sh -c 'echo "FreeBSD: { url: \"https://pkg.FreeBSD.org/\${ABI}/quarterly\", mirror_type: \"srv\", enabled: yes }" > /usr/local/etc/pkg/repos/FreeBSD.conf' + sudo pkg update -f + sudo pkg upgrade -y sudo pkg install -y curl gmake cmake devel/llvm llvm pwd ls -lah From bca4d0c41951d6b2618ddac718a8dd9c5d7878ec Mon Sep 17 00:00:00 2001 
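Review bot: The `sudo sh -c 'echo "…\"…\"…\${ABI}…"'` line now carries three layers of quoting (YAML block scalar, outer single quotes, inner double quotes), and the `\${ABI}` escape is load-bearing: drop the backslash and the inner shell expands `${ABI}` (unset there) to nothing, writing a repository URL that points at `pkg.FreeBSD.org//quarterly`. A quoted heredoc removes the escaping entirely: `sudo tee /usr/local/etc/pkg/repos/FreeBSD.conf >/dev/null <<'EOF'` / `FreeBSD: { url: "https://pkg.FreeBSD.org/${ABI}/quarterly", mirror_type: "srv", enabled: yes }` / `EOF`. The added `mkdir -p` is the right fix for the missing directory. Dropping `sync_files: runner-to-vm` presumably reverts to the action's default file sync, which I cannot verify from the hunk since the step's `uses:` line sits outside it.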
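Review bot: The four-line pkg bootstrap (`mkdir -p`, repository override, `pkg update -f`, `pkg upgrade -y`) and the harden-runner allow-list are now duplicated verbatim between freebsd_scan_build.yml and freebsd_build.yml, and the context lines already show the two drifting (`version: '13.2'` here). Moving the bootstrap into one script in the repository, e.g. `.github/scripts/freebsd-pkg-bootstrap.sh` invoked from both `run:` blocks, keeps the repository URL, the https-only decision and the signing expectation in a single reviewable place. `devel/llvm llvm` on the install line appears to name the same port twice (origin and package name); one can go, and a short comment saying which LLVM scan-build needs would help the next reader. The `run:` block may continue past `ls -lah`, outside the hunk.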
From: opcm Date: Sun, 13 Oct 2024 14:32:14 +0000 Subject: [PATCH 13/13] bsd 14.1 --- .github/workflows/freebsd_scan_build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/freebsd_scan_build.yml b/.github/workflows/freebsd_scan_build.yml index ff401af2..f67b8457 100644 --- a/.github/workflows/freebsd_scan_build.yml +++ b/.github/workflows/freebsd_scan_build.yml @@ -35,7 +35,7 @@ jobs: memory: 2048 shell: sh operating_system: freebsd - version: '13.2' + version: '14.1' run: | sudo mkdir -p /usr/local/etc/pkg/repos sudo sh -c 'echo "FreeBSD: { url: \"https://pkg.FreeBSD.org/\${ABI}/quarterly\", mirror_type: \"srv\", enabled: yes }" > /usr/local/etc/pkg/repos/FreeBSD.conf'