trezor-firmware/.github/workflows/common.yml at 48bb0da30507bbbe403d9a6a82536de0fb69b121 · trezor/trezor-firmware · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
name: Common

on:
  pull_request:
  workflow_dispatch:
  schedule:
    - cron: '14 23 * * *'  # every day @ 23:14
  push:
    branches:
      - 'release/**'
      - 'secfix/**'


# cancel any previous runs on the same PR
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

jobs:
  crypto_build:
    name: Crypto library
    runs-on: ubuntu-latest
    env:
      CC: gcc
      ADDRESS_SANITIZER: 1
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # actions/checkout@v6.0.2
        with:
          submodules: recursive
      - uses: ./.github/actions/environment
      - run: cp -r crypto crypto_noasan
      - run: nix-shell --run "uv run make -C crypto"
      - run: nix-shell --run "export ADDRESS_SANITIZER=0; uv run make -C crypto_noasan"
      - run: mv crypto_noasan/tests/test_check crypto/tests/test_check_noasan
      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # actions/upload-artifact@v7.0.0
        with:
          name: crypto-build
          path: |
            crypto/tests/aestst
            crypto/tests/libtrezor-crypto.so
            crypto/tests/test_check
            crypto/tests/test_check_noasan
            crypto/tests/test_openssl
          retention-days: 7

  crypto_test:
    name: Crypto test
    needs: [crypto_build]
    runs-on: ubuntu-latest
    env:
      ASAN_OPTIONS: "verify_asan_link_order=0"
      CK_TIMEOUT_MULTIPLIER: 5
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # actions/checkout@v6.0.2
        with:
          submodules: recursive
      - uses: ./.github/actions/environment
      - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3  # actions/download-artifact@v8.0.0
        with:
          name: crypto-build
          path: crypto/tests
      - run: chmod +x crypto/tests/*
      - run: ./crypto/tests/aestst
      - run: ./crypto/tests/test_check
      - run: ./crypto/tests/test_openssl 1000
      - run: nix-shell --run "cd crypto && ITERS=10 uv run pytest tests"
      - run: nix-shell --run "CK_TIMEOUT_MULTIPLIER=20 valgrind -q --error-exitcode=1 ./crypto/tests/test_check_noasan"

  python_test:
    name: Python test
    runs-on: ubuntu-latest
    env:
      LC_ALL: C.UTF-8
      LANG: C.UTF-8
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # actions/checkout@v6.0.2
        with:
          submodules: recursive
      - uses: ./.github/actions/environment
      # LD_LIBRARY_PATH workaround: https://discourse.nixos.org/t/nixpkgs-nixos-unstable-many-package-fail-with-glibc-2-38-not-found/35078 https://github.com/NixOS/nixpkgs/issues/287764
      - run: nix-shell --run "unset LD_LIBRARY_PATH && cd python && uv run tox"

  rust_test:
    name: Rust crates test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # actions/checkout@v6.0.2
        with:
          submodules: recursive
      - uses: ./.github/actions/environment
      - run: nix-shell --run "make -C rust check"

  storage_test:
    name: Storage test
    # TODO: only for changes in storage/
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # actions/checkout@v6.0.2
        with:
          submodules: recursive
      - uses: ./.github/actions/environment
      - run: unset PYTEST_TIMEOUT
      - run: nix-shell --run "uv run make -C storage/tests build"
      - run: nix-shell --run "uv run make -C storage/tests tests_all"

  docker_build:
    name: Firmware docker build
    # scheduled, manual runs, push to release branches
    if: github.event_name != 'pull_request'
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        model: [T1B1, T2T1, T2B1, T3B1, T3T1, T3W1]
    env:
      REF: ${{ github.head_ref || github.ref_name }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # actions/checkout@v6.0.2
        with:
          fetch-depth: 0

      - run: git checkout ${REF}

      - run: mkdir _artifacts/

      - name: Build prodtest & bootloader
        run: |
          ./build-docker.sh --models ${{ matrix.model }} --targets 'prodtest,bootloader' --skip-bitcoinonly ${REF}
          cd build/ && cp -v --recursive --parents * ../_artifacts/

      - name: Build secmon
        if: ${{ matrix.model == 'T3W1' }}
        run: |
          ./build-docker.sh --no-init --models ${{ matrix.model }} --targets 'secmon' --skip-bitcoinonly ${REF}
          cd build/ && cp -v --recursive --parents * ../_artifacts/

      - name: Build firmware
        # T3W1 requires a signed secmon.
        run: |
          ./build-docker.sh --no-init --models ${{ matrix.model }} --targets 'firmware' ${REF}
          cd build/ && cp -v --recursive --parents * ../_artifacts/

      - name: Show fingerprints
        run: |
          tree _artifacts
          for file in _artifacts/*/*/*.fingerprint
          do
            echo "\`$(tr -d '\n' < $file)\` ${file%.fingerprint}" >> $GITHUB_STEP_SUMMARY
          done
          cat $GITHUB_STEP_SUMMARY
        if: always()

      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # actions/upload-artifact@v7.0.0
        with:
          name: reproducible-${{ matrix.model }}
          path: |
            _artifacts/
          retention-days: 7
        if: always()