| author | David Lönnhager <david.l@mullvad.net> | 2025-09-14 16:46:40 +0200 |
|---|---|---|
| committer | David Lönnhager <david.l@mullvad.net> | 2025-09-18 14:03:47 +0200 |
| commit | d9aadd756173fcb2d613419050733d07fbecdc1e (patch) | |
| tree | ad26122bc54e64ebdfb7a2cccfda3809fee2e169 | |
| parent | 5b7d13731b4e7d38ae060dc3948b979237974ff7 (diff) | |
| download | mullvadvpn-d9aadd756173fcb2d613419050733d07fbecdc1e.tar.xz mullvadvpn-d9aadd756173fcb2d613419050733d07fbecdc1e.zip | |
Create custom action for Mullvad build env
| -rw-r--r-- | .github/actions/mullvad-build-env/action.yml | 112 | ||||
| -rw-r--r-- | .github/workflows/clippy.yml | 37 | ||||
| -rw-r--r-- | .github/workflows/daemon.yml | 82 | ||||
| -rw-r--r-- | .github/workflows/desktop-e2e.yml | 42 | ||||
| -rw-r--r-- | .github/workflows/frontend.yml | 10 | ||||
| -rw-r--r-- | .github/workflows/rust-supply-chain.yml | 3 | ||||
| -rw-r--r-- | .github/workflows/rust-unused-dependencies.yml | 30 | ||||
| -rw-r--r-- | .github/workflows/rustfmt.yml | 9 | ||||
| -rw-r--r-- | .github/workflows/testframework-clippy.yml | 24 | ||||
| -rw-r--r-- | .github/workflows/unicode-check.yml | 18 | ||||
| -rwxr-xr-x | build-windows-modules.sh | 39 | ||||
| -rwxr-xr-x | ci/check-trojan-source.sh | 36 |
12 files changed, 166 insertions, 276 deletions
diff --git a/.github/actions/mullvad-build-env/action.yml b/.github/actions/mullvad-build-env/action.yml
new file mode 100644
index 0000000000..784db29f5e
--- /dev/null
+++ b/.github/actions/mullvad-build-env/action.yml
@@ -0,0 +1,112 @@
+name: "Mullvad build env"
+description: "Set up build environment for Mullvad"
+inputs:
+ rust-toolchain:
+ description: "Rust toolchain (stable, beta, nightly, or version)"
+ default: stable
+ required: false
+ rustup-components:
+ description: "Space-separated Rustup components to install (e.g. rustfmt, clippy)"
+ default: clippy
+ required: false
+ protoc-token:
+ description: "Token for setup-protoc (defaults to GITHUB_TOKEN)"
+ default: "${{ github.token }}"
+ required: false
+runs:
+ using: "composite"
+ steps:
+ - name: Cache cargo cache and index
+ uses: actions/cache@v4
+ with:
+ path: |
+ ~/.cargo/registry/index/
+ ~/.cargo/registry/cache/
+ ~/.cargo/git/db/
+ key: ${{ runner.os }}-cargo-${{ inputs.rust-toolchain }}-${{ hashFiles('**/Cargo.lock') }}
+
+ - name: Override Rust toolchain
+ if: ${{ inputs.rust-toolchain != 'stable' }}
+ shell: bash
+ run: rustup override set ${{ inputs.rust-toolchain }}
+
+ - name: Install Rust components
+ if: ${{ inputs.rustup-components != '' }}
+ shell: bash
+ run: rustup component add ${{ inputs.rustup-components }}
+
+ # The x64 target is needed to build talpid-openvpn-plugin
+ # TODO: Remove once fixed
+ - name: Install Rust x64 target
+ if: runner.os == 'Windows' && runner.arch == 'ARM64'
+ shell: bash
+ run: rustup target add x86_64-pc-windows-msvc
+
+ # Install 32-bit target for NSIS plugins
+ - name: Install Rust 32-bit x86 target
+ if: runner.os == 'Windows'
+ shell: bash
+ run: rustup target add i686-pc-windows-msvc
+
+ - name: Install Protoc
+ uses: arduino/setup-protoc@v3
+ with:
+ repo-token: ${{ inputs.protoc-token }}
+
+ - name: Checkout submodules
+ shell: bash
+ run: |
+ git config --global --add safe.directory '*'
+ git submodule update --init --depth=1 dist-assets/binaries
+ git submodule update --init --depth=1 windows
+ git submodule update --init wireguard-go-rs/libwg/wireguard-go
+
+ - name: Calculate Windows libraries cache hash
+ if: runner.os == 'Windows'
+ id: windows-modules-hash
+ shell: bash
+ run: |
+ hash="$(git grep --recurse-submodules --cached -l '' -- './windows/' \
+ | grep -v '\.exe$\|\.md$' \
+ | xargs sha1sum \
+ | sha1sum \
+ | cut -d" " -f1)"
+ echo "hash=$hash" >> "$GITHUB_OUTPUT"
+
+ - name: Cache Windows libraries
+ if: runner.os == 'Windows'
+ uses: actions/cache@v4
+ with:
+ path: ./windows/*/bin/
+ key: windows-modules-${{ steps.windows-modules-hash.outputs.hash }}
+
+ - name: Install msbuild
+ if: runner.os == 'Windows'
+ uses: microsoft/setup-msbuild@v1.0.2
+ with:
+ vs-version: 16
+
+ - name: Install latest zig
+ if: runner.os == 'Windows'
+ uses: mlugg/setup-zig@v2
+ with:
+ version: 0.14.1
+
+ - name: Install build dependencies
+ if: runner.os == 'Linux'
+ shell: bash
+ run: |
+ sudo apt-get update
+ sudo apt-get install libdbus-1-dev
+
+ - name: Install Go
+ uses: actions/setup-go@v5
+ with:
+ go-version: 1.21.3
+
+ - name: Setup node
+ uses: actions/setup-node@v4
+ with:
+ node-version-file: desktop/package.json
+ cache: 'npm'
+ cache-dependency-path: desktop/package-lock.json
diff --git a/.github/workflows/clippy.yml b/.github/workflows/clippy.yml
index 1e448fb863..d904c03924 100644
--- a/.github/workflows/clippy.yml
+++ b/.github/workflows/clippy.yml
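Review bot: In action.yml the `Override Rust toolchain` and `Install Rust components` steps expand `${{ inputs.rust-toolchain }}` and `${{ inputs.rustup-components }}` directly inside the `run:` script, so the runner pastes the input text into the shell source before bash parses it. The callers on this page pass a literal or a workflow `env` value, so nothing attacker-controlled appears to reach these steps today, but a shared action should not depend on every future caller keeping it that way. Passing the inputs through `env:` and reading them as shell variables keeps them as data. The components variable is left unquoted because the input is documented as a space-separated list.

```yaml
- name: Override Rust toolchain
  # … unchanged: if, shell …
  env:
    RUST_TOOLCHAIN: ${{ inputs.rust-toolchain }}
  run: rustup override set "$RUST_TOOLCHAIN"

- name: Install Rust components
  # … unchanged: if, shell …
  env:
    RUSTUP_COMPONENTS: ${{ inputs.rustup-components }}
  # Unquoted on purpose: the input is a space-separated list.
  run: rustup component add $RUSTUP_COMPONENTS
```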
@@ -46,42 +46,9 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 - - name: Install Protoc - uses: arduino/setup-protoc@v3 + - uses: ./.github/actions/mullvad-build-env with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - - - name: Checkout submodules - run: | - git submodule update --init --depth=1 dist-assets/binaries - git submodule update --init wireguard-go-rs/libwg/wireguard-go - - - name: Install build dependencies - if: matrix.os == 'ubuntu-latest' - run: | - sudo apt-get update - sudo apt-get install libdbus-1-dev - - - name: Install msbuild - if: matrix.os == 'windows-latest' - uses: microsoft/setup-msbuild@v1.0.2 - with: - vs-version: 16 - - - name: Install latest zig - if: matrix.os == 'windows-latest' - uses: mlugg/setup-zig@v2 - with: - version: 0.14.1 - - - name: Install Go - uses: actions/setup-go@v5 - with: - go-version: 1.21.3 - - - name: Install Rust components - shell: bash - run: rustup component add clippy + rustup-components: clippy - name: Clippy check shell: bash diff --git a/.github/workflows/daemon.yml b/.github/workflows/daemon.yml index 49fefca8c5..994c7faf33 100644 --- a/.github/workflows/daemon.yml +++ b/.github/workflows/daemon.yml @@ -97,20 +97,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 - - name: Checkout wireguard-go submodule - run: | - git config --global --add safe.directory '*' - git submodule update --init wireguard-go-rs/libwg/wireguard-go - - - name: Install Protoc - uses: arduino/setup-protoc@v3 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - - - name: Install Go - uses: actions/setup-go@v3 - with: - go-version: 1.21.3 + - uses: ./.github/actions/mullvad-build-env - name: Build and test crates run: ./ci/check-rust.sh 
@@ -133,79 +120,22 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 - - name: Checkout submodules - run: | - git submodule update --init --depth=1 - git submodule update --init wireguard-go-rs/libwg/wireguard-go - - - name: Install Protoc - uses: arduino/setup-protoc@v3 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - - - name: Calculate Windows libraries cache hash - id: windows-modules-hash - shell: bash - run: | - hash="$(git grep --recurse-submodules --cached -l '' -- './windows/' \ - | grep -v '\.exe$\|\.md$' \ - | xargs sha1sum \ - | sha1sum \ - | cut -d" " -f1)" - echo "hash=$hash" >> "$GITHUB_OUTPUT" - - - name: Cache Windows libraries - uses: actions/cache@v4 - id: cache-windows-modules - with: - path: | - ./windows/*/bin/${{ matrix.config.arch }}-*/*.dll - ./windows/*/bin/${{ matrix.config.arch }}-*/*.lib - !./windows/*/bin/${{ matrix.config.arch }}-*/libcommon.lib - !./windows/*/bin/${{ matrix.config.arch }}-*/libshared.lib - !./windows/*/bin/${{ matrix.config.arch }}-*/libwfp.lib - key: windows-modules-${{ steps.windows-modules-hash.outputs.hash }} - - # The x64 toolchain is needed to build talpid-openvpn-plugin - # TODO: Remove once fixed - - name: Install Rust x64 target - uses: actions-rust-lang/setup-rust-toolchain@v1 - if: ${{ matrix.config.arch == 'arm64' }} - with: - target: x86_64-pc-windows-msvc - - - name: Install Rust - uses: actions-rust-lang/setup-rust-toolchain@v1 - with: - target: i686-pc-windows-msvc - - - name: Install msbuild - uses: microsoft/setup-msbuild@v1.0.2 - with: - vs-version: 16 - - - name: Install latest zig - uses: mlugg/setup-zig@v2 - - - name: Install Go - uses: actions/setup-go@v5 - with: - go-version: 1.21.3 + - uses: ./.github/actions/mullvad-build-env - name: Build Windows modules (x86_64) - if: ${{ (steps.cache-windows-modules.outputs.cache-hit != 'true') && (matrix.config.arch == 'x64') }} + if: ${{ matrix.config.arch == 'x64' }} shell: bash - run: ./build-windows-modules.sh + run: 
./build-windows-modules.sh build winfw - name: Build Windows modules (ARM64) - if: ${{ (steps.cache-windows-modules.outputs.cache-hit != 'true') && (matrix.config.arch == 'arm64') }} + if: ${{ matrix.config.arch == 'arm64' }} shell: bash # By default, ./build-windows-modules.sh will use 4 concurrent processes during compilation # because the Windows 11 ARM runner has 4 cores: # https://docs.github.com/en/actions/how-tos/write-workflows/choose-where-workflows-run/choose-the-runner-for-a-job#standard-github-hosted-runners-for-public-repositories # # Cap the number of concurrent processes to something less than 4 to avoid OOM issues. - run: ./build-windows-modules.sh --max-concurrent-processes 2 + run: ./build-windows-modules.sh --max-concurrent-processes 2 build winfw - name: Build and test crates shell: bash diff --git a/.github/workflows/desktop-e2e.yml b/.github/workflows/desktop-e2e.yml index 5fa4667e2b..ce74e237af 100644 --- a/.github/workflows/desktop-e2e.yml +++ b/.github/workflows/desktop-e2e.yml @@ -324,29 +324,7 @@ jobs: git config --system core.longpaths true - name: Checkout repository uses: actions/checkout@v4 - - name: Checkout submodules - run: | - git config --global --add safe.directory '*' - git submodule update --init --depth=1 - - name: Install Protoc - uses: arduino/setup-protoc@v3 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - - uses: actions/setup-node@v4 - with: - node-version-file: desktop/package.json - cache: 'npm' - cache-dependency-path: desktop/package-lock.json - - name: Install Rust - run: rustup target add i686-pc-windows-msvc - - name: Install latest zig - uses: mlugg/setup-zig@v2 - with: - version: 0.14.0-dev.3036+7ac110ac2 - - name: Install msbuild - uses: microsoft/setup-msbuild@v1.0.2 - with: - vs-version: 16 + - uses: ./.github/actions/mullvad-build-env - name: Build app shell: bash run: | 
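Review bot: Both Windows module steps in daemon.yml lose their `cache-hit` guard, and the cache they relied on moves into the composite action with `path: ./windows/*/bin/` instead of the old `${{ matrix.config.arch }}-*` globs, while the key stays `windows-modules-<hash>`. If the x64 and ARM64 jobs now share one cache entry under that key (worth confirming), whichever job saves first decides what the other restores. The restored DLLs and libs then feed the build with nothing but msbuild's own up-to-date logic deciding whether they are rebuilt. Adding the architecture to the key in action.yml, e.g. `key: windows-modules-${{ runner.arch }}-${{ steps.windows-modules-hash.outputs.hash }}`, would keep the entries separate.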
@@ -439,23 +417,7 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 - - name: Checkout submodules - run: | - git config --global --add safe.directory '*' - git submodule update --init --depth=1 - - name: Install Go - uses: actions/setup-go@v3 - with: - go-version: 1.21.3 - - name: Install Protoc - uses: arduino/setup-protoc@v3 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - - uses: actions/setup-node@v4 - with: - node-version-file: desktop/package.json - cache: 'npm' - cache-dependency-path: desktop/package-lock.json + - uses: ./.github/actions/mullvad-build-env - name: Build app run: ./build.sh - name: Build test executable diff --git a/.github/workflows/frontend.yml b/.github/workflows/frontend.yml index a1c648d358..c6bd51e2f8 100644 --- a/.github/workflows/frontend.yml +++ b/.github/workflows/frontend.yml @@ -27,15 +27,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 - - name: Checkout wireguard-go submodule - run: git submodule update --init --depth=1 wireguard-go-rs - - - name: Setup node - uses: actions/setup-node@v4 - with: - node-version-file: desktop/package.json - cache: 'npm' - cache-dependency-path: desktop/package-lock.json + - uses: ./.github/actions/mullvad-build-env - name: Install dependencies working-directory: desktop diff --git a/.github/workflows/rust-supply-chain.yml b/.github/workflows/rust-supply-chain.yml index f2650d886c..4b5d4a0907 100644 --- a/.github/workflows/rust-supply-chain.yml +++ b/.github/workflows/rust-supply-chain.yml @@ -19,8 +19,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 - - name: Checkout wireguard-go submodule - run: git submodule update --init --depth=1 wireguard-go-rs + - uses: ./.github/actions/mullvad-build-env - name: Run cargo deny uses: EmbarkStudios/cargo-deny-action@v2 diff --git a/.github/workflows/rust-unused-dependencies.yml b/.github/workflows/rust-unused-dependencies.yml index b5caa33e97..b710f34220 100644 
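Review bot: frontend.yml and rust-supply-chain.yml here, and rustfmt.yml further down, used to run little more than a submodule checkout; calling the composite action with its defaults now also runs `actions/cache`, `arduino/setup-protoc@v3` with the job token, `actions/setup-go`, `actions/setup-node`, `rustup component add clippy` and, on Linux runners, `sudo apt-get install` in each of them. That is more third-party code, referenced by mutable tags, executing in jobs that do not need it, including the supply-chain check itself. Consider inputs that let a caller skip the toolchain steps; the `if: ${{ inputs.rustup-components != '' }}` guard suggests an empty value is already meant to work that way for components. Since action.yml is now the single place these actions are referenced, it would also be the place to pin them to full commit SHAs, e.g. `uses: arduino/setup-protoc@<full-commit-sha> # v3`.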
--- a/.github/workflows/rust-unused-dependencies.yml +++ b/.github/workflows/rust-unused-dependencies.yml @@ -108,40 +108,14 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 - - name: Checkout wireguard-go submodule - run: | - git config --global --add safe.directory '*' - git submodule update --init --depth=1 - git submodule update --init wireguard-go-rs/libwg/wireguard-go - - - name: Install msbuild - if: matrix.os == 'windows-latest' - uses: microsoft/setup-msbuild@v1.0.2 - with: - vs-version: 16 - - - name: Install latest zig - if: matrix.os == 'windows-latest' - uses: mlugg/setup-zig@v2 - - - name: Install Protoc - uses: arduino/setup-protoc@v3 + - uses: ./.github/actions/mullvad-build-env with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - - - name: Install nightly Rust - run: rustup override set ${{ env.RUST_NIGHTLY_TOOLCHAIN }} + rust-toolchain: ${{ env.RUST_NIGHTLY_TOOLCHAIN }} - uses: taiki-e/install-action@v2 with: tool: cargo-udeps - - name: Install Go - if: matrix.os == 'macos-latest' - uses: actions/setup-go@v3 - with: - go-version: 1.21.3 - - name: Check for unused dependencies shell: bash run: cargo udeps --workspace diff --git a/.github/workflows/rustfmt.yml b/.github/workflows/rustfmt.yml index 381280c2c4..efcbfb7838 100644 --- a/.github/workflows/rustfmt.yml +++ b/.github/workflows/rustfmt.yml @@ -17,12 +17,9 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 - - name: Checkout wireguard-go submodule - run: git submodule update --init --depth=1 wireguard-go-rs - - - name: Install Rust components - shell: bash - run: rustup component add rustfmt + - uses: ./.github/actions/mullvad-build-env + with: + rustup-components: rustfmt - name: Check formatting run: |- diff --git a/.github/workflows/testframework-clippy.yml b/.github/workflows/testframework-clippy.yml index 34926e20c7..b4cd42e43f 100644 --- a/.github/workflows/testframework-clippy.yml +++ b/.github/workflows/testframework-clippy.yml 
@@ -23,20 +23,9 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 - - name: Install Protoc - uses: arduino/setup-protoc@v3 + - uses: ./.github/actions/mullvad-build-env with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - - - name: Install build dependencies - if: matrix.os == 'ubuntu-latest' - run: | - sudo apt-get update - sudo apt-get install libdbus-1-dev - - - name: Install Rust components - shell: bash - run: rustup component add clippy + rustup-components: clippy - name: Clippy check working-directory: test @@ -59,14 +48,9 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 - - name: Install Protoc - uses: arduino/setup-protoc@v3 + - uses: ./.github/actions/mullvad-build-env with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - - - name: Install Rust components - shell: bash - run: rustup component add clippy + rustup-components: clippy - name: Clippy check working-directory: test diff --git a/.github/workflows/unicode-check.yml b/.github/workflows/unicode-check.yml deleted file mode 100644 index 407262ffdf..0000000000 --- a/.github/workflows/unicode-check.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- -name: Bidirectional Unicode scan -on: [pull_request, workflow_dispatch] - -permissions: {} - -jobs: - build-linux: - runs-on: ubuntu-latest - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Checkout submodules - run: git submodule update --init --depth=1 dist-assets/binaries wireguard-go-rs - - - name: Scan for code points - run: ./ci/check-trojan-source.sh . diff --git a/build-windows-modules.sh b/build-windows-modules.sh index c66556bc67..c5bf60885f 100755 --- a/build-windows-modules.sh +++ b/build-windows-modules.sh 
@@ -3,7 +3,7 @@ set -eu function usage { - echo "usage: $0 [clean] [--max-concurrent-processes <n>]" + echo "usage: $0 [clean|build] [--max-concurrent-processes <n>] [solution...]" echo " --max-concurrent-processes <n> Limit concurrent processes that msbuild can spawn to <n>. Defaults to number of processor cores." exit 1 } @@ -24,10 +24,15 @@ case $HOST in esac ACTION=build +SOLUTIONS=() while [[ "$#" -gt 0 ]]; do case $1 in clean) ACTION="clean";; + build) ACTION="build";; + winfw) SOLUTIONS+=(winfw);; + driverlogic) SOLUTIONS+=(driverlogic);; + nsis-plugins) SOLUTIONS+=(nsis-plugins);; --max-concurrent-processes) MAX_CPUS="$2" shift @@ -41,6 +46,22 @@ while [[ "$#" -gt 0 ]]; do shift done +if [[ -z "${SOLUTIONS[*]}" ]]; then + SOLUTIONS=(winfw driverlogic nsis-plugins) +fi + +BUILD_WINFW=false +BUILD_NSIS=false +BUILD_DRIVERLOGIC=false + +for sln in "${SOLUTIONS[@]}"; do + case $sln in + winfw) BUILD_WINFW=true;; + nsis-plugins) BUILD_NSIS=true;; + driverlogic) BUILD_DRIVERLOGIC=true;; + esac +done + # List of solution configurations to build. # Default configurations generated by Visual Studio are "Release" and "Debug". CPP_BUILD_MODES=${CPP_BUILD_MODES:-"Debug"} @@ -127,16 +148,22 @@ function clean_all { clean_solution "./windows/libwfp" } -function build_all { - build_solution "./windows/winfw" "winfw.sln" +function build { + if [[ $BUILD_WINFW == "true" ]]; then + build_solution "./windows/winfw" "winfw.sln" + fi - build_solution "./windows/driverlogic" "driverlogic.sln" + if [[ $BUILD_DRIVERLOGIC == "true" ]]; then + build_solution "./windows/driverlogic" "driverlogic.sln" + fi - build_nsis_plugins + if [[ $BUILD_NSIS == "true" ]]; then + build_nsis_plugins + fi } case $ACTION in - "build") build_all;; + "build") build;; "clean") clean_all;; *) echo "Unknown build action: $ACTION" diff --git a/ci/check-trojan-source.sh b/ci/check-trojan-source.sh deleted file mode 100755 index 1e35a05338..0000000000 --- a/ci/check-trojan-source.sh +++ /dev/null 
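Review bot: In build-windows-modules.sh the emptiness test `if [[ -z "${SOLUTIONS[*]}" ]]` expands an empty array under `set -eu` (visible in the first hunk's header), which bash releases older than 4.4 treat as an unbound variable and abort on. `if [[ ${#SOLUTIONS[@]} -eq 0 ]]; then` asks the same question without expanding the elements. The new usage line also advertises `[clean|build] ... [solution...]`, but `clean` still dispatches to `clean_all`, which appears to ignore the list, so `clean winfw` would clean everything. Either honour the list there or state in the usage text that solutions apply to `build` only. The argument loop and `clean_all` both begin outside these hunks.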
@@ -1,36 +0,0 @@
-#!/usr/bin/env bash
-
-# This script scans text and source code for bidirectional Unicode characters.
-# See CVE-2021-42574. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42574
-# UTF-8 encoding is assumed.
-
-# Pass the path to the directory to check as the first argument
-
-set -eu
-
-export LC_ALL=en_US.UTF-8
-
-if [ $# -ne 1 ]; then
- echo "Usage: $0 <path>"
- exit 1
-fi
-cd "$1"
-
-FILES=()
-while IFS='' read -r line; do FILES+=("$line"); done < <( find . -type f -exec grep -Il . {} + )
-
-CODEPOINT_REGEX=$( printf "\u202a\|\u202b\|\u202c\|\u202d\|\u202e\|\u2066\|\u2067\|\u2068\|\u2069" )
-
-matched=0
-for file in "${FILES[@]}"; do
- if grep -q "${CODEPOINT_REGEX}" "$file"; then
- echo "Found potentially malicious unicode code points in $file"
- matched=1
- fi
-done
-
-if [[ "$matched" == 0 ]]; then
- echo "No potentially malicious unicode found"
-fi
-
-exit $matched |
