nipbox/.forgejo/workflows/ci.yml


name: Rumpk CI
# `on` reads as a YAML 1.1 boolean to generic parsers; the workflow loader
# treats it as the trigger key, so the yamllint truthy rule is silenced here.
on:  # yamllint disable-line rule:truthy
  push:
    branches: [unstable, main]
  # NOTE(review): pull_request runs execute the PR's own checkout; see the
  # `--privileged` notes on the container jobs below before accepting PRs
  # from outside contributors.
  pull_request:
    branches: [unstable, main]
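jobs:
  # Supply-chain note: every job pulls a mutable image tag (`:latest`) and a
  # mutable action tag (`@v4`). NOTE(review): pin the image by digest
  # (nexus-os/build-env@sha256:<DIGEST-PLACEHOLDER>) and actions by commit
  # SHA (actions/checkout@<COMMIT-SHA-PLACEHOLDER>) so a re-published tag
  # cannot silently change what the build runs.
  build-riscv:
    runs-on: ubuntu-latest
    container:
      image: nexus-os/build-env:latest
      # NOTE(review): --privileged gives the container full host device access.
      # `zig build` is a plain user-space compiler run and should not need it;
      # confirm the image depends on it, otherwise drop it here and in
      # build-aarch64 / test-qemu (least privilege for PR-triggered runs).
      options: --privileged
    steps:
      - uses: actions/checkout@v4
      - name: Build RISC-V kernel
        run: |
          echo "Building for RISC-V..."
          zig build -Darch=riscv64 -Drelease
      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: rumpk-riscv64
          path: zig-out/rumpk-riscv64.elf
          retention-days: 7

  build-aarch64:
    runs-on: ubuntu-latest
    container:
      image: nexus-os/build-env:latest
      options: --privileged  # see the note on build-riscv
    steps:
      - uses: actions/checkout@v4
      - name: Build ARM64 kernel
        run: |
          echo "Building for ARM64..."
          zig build -Darch=aarch64 -Drelease
      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: rumpk-aarch64
          path: zig-out/rumpk-aarch64.elf
          retention-days: 7

  security-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history is required: both scans walk every ref via `git log --all`.
          fetch-depth: 0
      - name: Sensitive content scan
        run: |
          echo "🔍 Scanning for sensitive content..."
          # Check for forbidden directories.
          # `--pretty=format:` suppresses commit messages so only changed paths
          # are matched: a message that merely mentions ".vscode/" must not trip
          # the check. grep runs without -q so it consumes all of git's output;
          # an early exit would let git die of SIGPIPE and, under `pipefail`,
          # turn a real match into a non-zero pipeline status that skips the
          # failure branch. The matching paths are printed for the job log.
          if git log --all --name-only --pretty=format: | grep -E '\.agent/|\.vscode/|\.claude/|\.kiro/'; then
            echo "❌ CRITICAL: Forbidden directory found in git history"
            exit 1
          fi
          # Check for internal paths (commit messages are deliberately included
          # in this scan, since they can leak paths too).
          if git log --all -p | grep -E '/home/markus/zWork/|/home/markus/\.claude/'; then
            echo "❌ CRITICAL: Internal path found in git history"
            exit 1
          fi
          echo "✅ No sensitive content detected"
      - name: License header check
        run: |
          echo "Checking license headers..."
          # TODO: Implement license header checker (this step currently always passes)
          echo " License check pending"

  test-qemu:
    needs: [build-riscv]
    runs-on: ubuntu-latest
    container:
      image: nexus-os/build-env:latest
      options: --privileged  # see the note on build-riscv; TCG QEMU needs no host devices
    steps:
      - uses: actions/checkout@v4
      - name: Download artifact
        uses: actions/download-artifact@v4
        with:
          name: rumpk-riscv64
          path: zig-out/
      - name: QEMU boot test
        timeout-minutes: 5
        run: |
          echo "🚀 Booting RISC-V kernel in QEMU..."
          # The kernel is expected to keep running until `timeout` stops it, so
          # exit 124 (killed by timeout) and 0 (guest shut itself down) both
          # count as a pass. Any other status (missing ELF, bad option, QEMU
          # crash) fails the job instead of being hidden behind `|| echo`.
          # TODO: additionally assert on an expected serial banner once the
          # kernel prints one.
          set +e
          timeout 10s qemu-system-riscv64 \
            -machine virt \
            -cpu rv64 \
            -smp 2 \
            -m 128M \
            -kernel zig-out/rumpk-riscv64.elf \
            -serial stdio \
            -display none \
            -bios none
          rc=$?
          set -e
          case "$rc" in
            0|124)
              echo "Boot test completed (qemu exit status $rc)"
              ;;
            *)
              echo "❌ QEMU exited with unexpected status $rc"
              exit "$rc"
              ;;
          esac

  reproducibility-check:
    runs-on: ubuntu-latest
    container:
      image: nexus-os/build-env:latest
    steps:
      - uses: actions/checkout@v4
      - name: Build twice and compare
        run: |
          echo "🔧 Building first time..."
          # Same target flags as build-riscv, since the compared file is the
          # riscv64 ELF.
          zig build -Darch=riscv64 -Drelease
          cp zig-out/rumpk-riscv64.elf /tmp/build1.elf
          # Drop the output tree and the local build cache (name depends on the
          # zig version) so the second build really recompiles instead of
          # reusing the first build's artifacts; without this the comparison
          # is trivially equal.
          rm -rf zig-out zig-cache .zig-cache
          echo "🔧 Building second time..."
          zig build -Darch=riscv64 -Drelease
          echo "📊 Comparing builds..."
          # cmp compares bytes and reports the first differing offset.
          # A mismatch is reported but does not fail the job (best effort).
          if cmp /tmp/build1.elf zig-out/rumpk-riscv64.elf; then
            echo "✅ Reproducible build verified"
          else
            echo "⚠️ Build not reproducible (timestamps embedded)"
          fi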