# Can be used locally with https://github.com/nektos/act

name: BuildTest
on:
  pull_request:
  push:
    branches:
      - master
jobs:
  build:
    runs-on: ${{ matrix.os || 'ubuntu-20.04' }}
    strategy:
      matrix:
        # Rather than a boolean False we use eg
        #   runcheck: 'no'
        # Otherwise GH expressions will make a None var
        # compare with False. We want an undefined default of True.

        # MULTI and NOWRITEV are passed as integers to the build
        include:
          - name: plain linux

          - name: multi binary
            multi: 1
            multilink: 1

          # - name: multi binary, dropbearmulti argv0
          #   multi: 1
          #   multiwrapper: 1

          # - name: bundled libtom, bionic , no writev()
          #   # test can use an older distro with bundled libtommath
          #   os: ubuntu-18.04
          #   configure_flags: --enable-bundled-libtom --enable-werror
          #   # NOWRITEV is unrelated, test here to save a job
          #   nowritev: 1
          #   # our tests expect >= python3.7
          #   runcheck: 'no'

          # - name: linux clang
          #   cc: clang

          # - name: macos 10.15
          #   os: macos-10.15
          #   cc: clang
          #   # OS X says daemon() and utmp are deprecated
          #   extracflags: -Wno-deprecated-declarations
          #   runcheck: 'no'
          #   apt: 'no'
          #   # fails with:
          #   # .../ranlib: file: libtomcrypt.a(cbc_setiv.o) has no symbols
          #   ranlib: ranlib -no_warning_for_no_symbols

          # - name: macos 11
          #   os: macos-11
          #   cc: clang
          #   extracflags: -Wno-deprecated-declarations
          #   runcheck: 'no'
          #   apt: 'no'
          #   ranlib: ranlib -no_warning_for_no_symbols

          # # Fuzzers run standalone. A bit superfluous with cifuzz, but
          # # good to run the whole corpus to keep it working.
          # - name: fuzzing with address sanitizer
          #   configure_flags: --enable-fuzz --disable-harden --enable-bundled-libtom --enable-werror
          #   ldflags: -fsanitize=address
          #   extracflags: -fsanitize=address
          #   fuzz: True
          #   cc: clang

          # # Undefined Behaviour sanitizer
          # - name: fuzzing with undefined behaviour sanitizer
          #   configure_flags: --enable-fuzz --disable-harden --enable-bundled-libtom --enable-werror
          #   ldflags: -fsanitize=undefined
          #   # don't fail with alignment due to https://github.com/libtom/libtomcrypt/issues/549
          #   extracflags: -fsanitize=undefined -fno-sanitize-recover=undefined -fsanitize-recover=alignment
          #   fuzz: True
          #   cc: clang

    env:
      MULTI: ${{ matrix.multi }}
      CC: ${{ matrix.cc || 'gcc' }}
      LDFLAGS: ${{ matrix.ldflags }}
      EXTRACFLAGS: ${{ matrix.extracflags }}
      CONFIGURE_FLAGS: ${{ matrix.configure_flags || '--enable-werror' }}
      # for fuzzing
      CXX: clang++
      RANLIB: ${{ matrix.ranlib || 'ranlib' }}

    steps:
      - name: deps
        if: ${{ matrix.apt != 'no' }}
        run: |
          sudo apt-get -y update
          sudo apt-get -y install zlib1g-dev libtomcrypt-dev libtommath-dev mercurial python3-venv $CC

      - uses: actions/checkout@v2

      - name: configure
        run: ./configure $CONFIGURE_FLAGS CFLAGS="-O2 -Wall -Wno-pointer-sign $EXTRACFLAGS" --prefix="$HOME/inst" || (cat config.log; exit 1)

      - name: nowritev
        if: ${{ matrix.nowritev }}
        run: sed -i -e s/HAVE_WRITEV/DONT_HAVE_WRITEV/ config.h

      - name: make
        run: make -j3

      - name: multilink
        if: ${{ matrix.multilink }}
        run: make multilink

      - name: multi wrapper script
        if: ${{ matrix.multiwrapper }}
        run: |
          cp .github/multiwrapper dropbear
          cp .github/multiwrapper dbclient
          cp .github/multiwrapper dropbearkey

      - name: makefuzz
        run: make fuzzstandalone
        if: ${{ matrix.fuzz }}

        # avoid concurrent install, osx/freebsd is racey (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208093)
      - name: make install
        run: make install

      - name: keys
        run: |
          mkdir -p ~/.ssh
          ~/inst/bin/dropbearkey -t ecdsa -f ~/.ssh/id_dropbear | grep ^ecdsa > ~/.ssh/authorized_keys
          chmod 700 ~ ~/.ssh ~/.ssh/authorized_keys
          ls -ld ~ ~/.ssh ~/.ssh/authorized_keys

        # upload config.log if something has failed
      - name: config.log
        if: ${{ !env.ACT && (failure() || cancelled()) }}
        uses: actions/upload-artifact@v2
        with:
          name: config.log
          path: config.log

      - name: check
        if: ${{ matrix.runcheck != 'no' }}
        run: make check

      # Sanity check that the binary runs
      - name: genrsa
        run: ~/inst/bin/dropbearkey -t rsa -f testrsa
      - name: gendss
        run: ~/inst/bin/dropbearkey -t dss -f testdss
      - name: genecdsa256
        run: ~/inst/bin/dropbearkey -t ecdsa -f testec256 -s 256
      - name: genecdsa384
        run: ~/inst/bin/dropbearkey -t ecdsa -f testec384 -s 384
      - name: genecdsa521
        run: ~/inst/bin/dropbearkey -t ecdsa -f testec521 -s 521
      - name: gened25519
        run: ~/inst/bin/dropbearkey -t ed25519 -f tested25519

      - name: fuzz
        if: ${{ matrix.fuzz }}
        run: ./fuzzers_test.sh