# Can be used locally with https://github.com/nektos/act

name: BuildTest
on:
  pull_request:
  push:
    branches:
      - master
jobs:
  build:
    runs-on: ${{ matrix.os || 'ubuntu-20.04' }}
    strategy:
      matrix:
        # Rather than a boolean False we use eg
        #   runcheck: 'no'
        # Otherwise GH expressions will make a None var
        # compare with False. We want an undefined default of True.
        include:
          - name: plain linux

          - name: multi binary
            multi: 1

          - name: bundled libtom, bionic , no writev()
            # test can use an older distro with bundled libtommath
            os: ubuntu-18.04
            configure_flags: --enable-bundled-libtom
            # NOWRITEV is unrelated, test here to save a job
            nowritev: 1
            # pytest relies on python3.7
            runcheck: 'no'

          - name: linux clang
            cc: clang

          - name: macos 10.15
            os: macos-10.15
            cc: clang
            # OS X says daemon() and utmp are deprecated
            wextraflags: -Wno-deprecated-declarations -Werror
            runcheck: 'no'
            apt: 'no'
            # fails with:
            # .../ranlib: file: libtomcrypt.a(cbc_setiv.o) has no symbols
            ranlib: ranlib -no_warning_for_no_symbols

          - name: macos 11
            os: macos-11
            cc: clang
            wextraflags: -Wno-deprecated-declarations -Werror
            runcheck: 'no'
            apt: 'no'
            ranlib: ranlib -no_warning_for_no_symbols

          # # Fuzzers run standalone. A bit superfluous with cifuzz, but
          # # good to run the whole corpus to keep it working.
          # - name: fuzzing with address sanitizer
          #   configure_flags: --enable-fuzz --disable-harden --enable-bundled-libtom
          #   ldflags: -fsanitize=address
          #   extracflags: -fsanitize=address
          #   fuzz: True
          #   cc: clang

          # # Undefined Behaviour sanitizer
          # - name: fuzzing with undefined behaviour sanitizer
          #   configure_flags: --enable-fuzz --disable-harden --enable-bundled-libtom
          #   ldflags: -fsanitize=undefined
          #   # don't fail with alignment due to https://github.com/libtom/libtomcrypt/issues/549
          #   extracflags: -fsanitize=undefined -fno-sanitize-recover=undefined -fsanitize-recover=alignment
          #   fuzz: True
          #   cc: clang

    env:
      MULTI: ${{ matrix.multi }}
      WEXTRAFLAGS: ${{ matrix.wextraflags || '-Werror' }}
      CC: ${{ matrix.cc || 'gcc' }}
      LDFLAGS: ${{ matrix.ldflags }}
      EXTRACFLAGS: ${{ matrix.extracflags }}
      CONFIGURE_FLAGS: ${{ matrix.configure_flags }}
      # for fuzzing
      CXX: clang++
      RANLIB: ${{ matrix.ranlib || 'ranlib' }}

    steps:
      - name: deps
        if: ${{ matrix.apt != 'no' }}
        run: |
          sudo apt-get -y update
          sudo apt-get -y install zlib1g-dev libtomcrypt-dev libtommath-dev mercurial python3-venv socat $CC

      - uses: actions/checkout@v2

      - name: cache pip
        if: ${{ !env.ACT }}
        uses: actions/cache@v2
        with:
          path: test/venv
          key: ${{ runner.os }}-pip-${{ hashFiles('test/requirements.txt') }}
          restore-keys: ${{ runner.os }}-pip-

      - name: cache fuzzcorpus
        if: ${{ !env.ACT }}
        uses: actions/cache@v2
        with:
          path: fuzzcorpus
          key: "hg.ucc/fuzzcorpus"

      - name: configure
        run: ./configure $CONFIGURE_FLAGS CFLAGS="-O2 -Wall -Wno-pointer-sign $WEXTRAFLAGS $EXTRACFLAGS" --prefix="$HOME/inst" || (cat config.log; exit 1)

      - name: nowritev
        if: ${{ matrix.nowritev }}
        run: sed -i -e s/HAVE_WRITEV/DONT_HAVE_WRITEV/ config.h

      - name: make
        run: make -j3

      - name: multilink
        if: ${{ matrix.multi }}
        run: make multilink

      - name: makefuzz
        run: make fuzzstandalone
        if: ${{ matrix.fuzz }}

        # avoid concurrent install, osx/freebsd is racey (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208093)
      - name: make install
        run: make install

      - name: keys
        run: |
          mkdir -p ~/.ssh
          ~/inst/bin/dropbearkey -t ecdsa -f ~/.ssh/id_dropbear | grep ^ecdsa > ~/.ssh/authorized_keys

        # upload config.log if something has failed
      - name: config.log
        if: ${{ !env.ACT && (failure() || cancelled()) }}
        uses: actions/upload-artifact@v2
        with:
          name: config.log
          path: config.log

      - name: check
        if: ${{ matrix.runcheck != 'no' }}
      # run in a TTY for some tests
        run: socat - EXEC:"make check",pty

      # Sanity check that the binary runs
      - name: genrsa
        run: ~/inst/bin/dropbearkey -t rsa -f testrsa
      - name: gendss
        run: ~/inst/bin/dropbearkey -t dss -f testdss
      - name: genecdsa256
        run: ~/inst/bin/dropbearkey -t ecdsa -f testec256 -s 256
      - name: genecdsa384
        run: ~/inst/bin/dropbearkey -t ecdsa -f testec384 -s 384
      - name: genecdsa521
        run: ~/inst/bin/dropbearkey -t ecdsa -f testec521 -s 521
      - name: gened25519
        run: ~/inst/bin/dropbearkey -t ed25519 -f tested25519

      - name: fuzz
        if: ${{ matrix.fuzz }}
        run: ./fuzzers_test.sh