Ghidra Build #564
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Ghidra Build | |
on: | |
workflow_dispatch: | |
inputs: | |
prevRev: | |
description: 'Revision of the previous release' | |
required: false | |
rev: | |
description: 'NationalSecurityAgency/ghidra commit to build' | |
required: true | |
jobs: | |
build-natives: | |
strategy: | |
matrix: | |
include: | |
#- target: win_x86_32 | |
# os: windows-latest | |
- target: win_x86_64 | |
os: windows-latest | |
- target: linux_x86_64 | |
os: ubuntu-latest | |
- target: linux_arm_64 | |
os: ubuntu-latest | |
- target: mac_x86_64 | |
os: macos-latest | |
- target: mac_arm_64 | |
os: macos-latest | |
fail-fast: false | |
name: Build ${{ matrix.target }} Binaries | |
runs-on: ${{ matrix.os }} | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
repository: NationalSecurityAgency/Ghidra | |
ref: ${{ github.event.inputs.rev }} | |
- uses: actions/setup-java@v3 | |
with: | |
distribution: 'zulu' | |
java-version: 17 | |
- name: Install bison | |
if: ${{ matrix.os == 'windows-latest' }} | |
shell: pwsh | |
run: | | |
Invoke-WebRequest -URI "https://github.com/lexxmark/winflexbison/releases/download/v2.4.12/win_flex_bison-2.4.12.zip" -OutFile "win_flex_bison-2.4.12.zip" | |
Expand-Archive -Path "win_flex_bison-2.4.12.zip" -DestinationPath "winflexbison" | |
Rename-Item -Path "$pwd\winflexbison\win_bison.exe" -NewName "bison.exe" | |
Rename-Item -Path "$pwd\winflexbison\win_flex.exe" -NewName "flex.exe" | |
"$pwd\winflexbison" >> $env:GITHUB_PATH | |
- name: Checkout Ghidra-CI Repo | |
uses: actions/checkout@v3 | |
with: | |
path: ghidra-ci-roblabla | |
- uses: eskatos/gradle-command-action@v2 | |
with: | |
gradle-version: 7.3.3 | |
arguments: --init-script gradle/support/fetchDependencies.gradle init | |
- name: Setup Linux ARM toolchain | |
if: ${{ matrix.target == 'linux_arm_64' }} | |
run: | | |
sudo apt-get update | |
sudo apt-get install g++-aarch64-linux-gnu libc6-dev-arm64-cross | |
mkdir -p $HOME/.gradle | |
cp ghidra-ci-roblabla/linux_arm_64.init.gradle $HOME/.gradle/init.gradle | |
- name: Setup MacOS ARM toolchain | |
if: ${{ matrix.target == 'mac_arm_64' }} | |
run: | | |
mkdir -p $HOME/.gradle | |
cp ghidra-ci-roblabla/mac_arm_64.init.gradle $HOME/.gradle/init.gradle | |
- uses: eskatos/gradle-command-action@v2 | |
with: | |
gradle-version: 7.3.3 | |
arguments: buildNatives_${{ matrix.target }} | |
- name: "Sign macOS binaries" | |
if: ${{ env.MACOS_CODESIGN_CRT_PWD != '' && (matrix.target == 'mac_arm_64' || matrix.target == 'mac_x86_64') }} | |
run: | | |
echo "$MACOS_CODESIGN_CRT" | base64 -d > certificate.p12 | |
security create-keychain -p test123 build.keychain | |
security default-keychain -s build.keychain | |
security unlock-keychain -p test123 build.keychain | |
security import certificate.p12 -k build.keychain -P "$MACOS_CODESIGN_CRT_PWD" -T /usr/bin/codesign | |
rm certificate.p12 | |
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k test123 build.keychain | |
for file in $(find . -path "*/build/os/${{ matrix.target }}/*" -type f); do | |
echo "Signing file $file" | |
/usr/bin/codesign --force -s "$MACOS_CODESIGN_CRT_IDENTITY" --options runtime "$file" -v | |
done | |
security lock-keychain build.keychain | |
security default-keychain -s | |
security delete-keychain build.keychain | |
env: | |
MACOS_CODESIGN_CRT: ${{ secrets.MACOS_CODESIGN_CRT }} | |
MACOS_CODESIGN_CRT_PWD: ${{ secrets.MACOS_CODESIGN_CRT_PWD }} | |
MACOS_CODESIGN_CRT_IDENTITY: ${{ secrets.MACOS_CODESIGN_CRT_IDENTITY }} | |
# Apparently, github is an incompetent idiot that can't handle permissions | |
# properly. https://github.com/actions/upload-artifact/issues/38 | |
# Wrap the binaries in a tar archive to fix that. | |
- name: Tar the binaries | |
run: tar -cvf "${{matrix.target}}.build.tar" $(find . -path "*/build/os/${{ matrix.target }}/*" -type f) | |
shell: bash | |
- name: "Notarize macOS binaries" | |
if: ${{ env.MACOS_APPLE_USERNAME != '' && (matrix.target == 'mac_arm_64' || matrix.target == 'mac_x86_64') }} | |
run: | | |
for file in $(find . -path "*/build/os/${{ matrix.target }}/*" -type f); do | |
echo "Notarizing file $file" | |
ditto -c -k "$file" "${file}.zip" | |
xcrun notarytool submit --apple-id "$MACOS_APPLE_USERNAME" --password "$MACOS_APPLE_PASSWORD" --team-id "$MACOS_APPLE_TEAMID" --wait "${file}.zip" | |
rm "${file}.zip" | |
done | |
env: | |
MACOS_APPLE_USERNAME: ${{ secrets.MACOS_APPLE_USERNAME }} | |
MACOS_APPLE_PASSWORD: ${{ secrets.MACOS_APPLE_PASSWORD }} | |
MACOS_APPLE_TEAMID: ${{ secrets.MACOS_APPLE_TEAMID }} | |
- name: Upload artifacts | |
uses: actions/upload-artifact@v3 | |
with: | |
name: natives-${{ matrix.target }} | |
path: "${{matrix.target}}.build.tar" | |
dist: | |
name: "Build Ghidra distributable zip" | |
needs: ["build-natives"] | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
repository: NationalSecurityAgency/Ghidra | |
ref: ${{ github.event.inputs.rev }} | |
fetch-depth: 0 | |
#- name: Download Windows x86 binaries | |
# uses: actions/download-artifact@v3 | |
# with: | |
# name: natives-win_x86_32 | |
- name: Download Windows x86_64 binaries | |
uses: actions/download-artifact@v3 | |
with: | |
name: natives-win_x86_64 | |
- name: Download MacOS x86_64 binaries | |
uses: actions/download-artifact@v3 | |
with: | |
name: natives-mac_x86_64 | |
- name: Download MacOS ARM64 binaries | |
uses: actions/download-artifact@v3 | |
with: | |
name: natives-mac_arm_64 | |
- name: Download Linux x86_64 binaries | |
uses: actions/download-artifact@v3 | |
with: | |
name: natives-linux_x86_64 | |
- name: Download Linux ARM64 binaries | |
uses: actions/download-artifact@v3 | |
with: | |
name: natives-linux_arm_64 | |
- name: Extract all binaries | |
run: | | |
for file in *.build.tar; do | |
echo "Extracting $file" | |
tar xvf "$file" | |
done | |
- uses: actions/setup-java@v3 | |
with: | |
distribution: 'zulu' | |
java-version: 17 | |
- name: Fetch the Ghidra dependencies. | |
uses: eskatos/gradle-command-action@v2 | |
with: | |
gradle-version: 7.3.3 | |
arguments: --init-script gradle/support/fetchDependencies.gradle init | |
# TODO: Pre-build GhidraDev | |
- name: Checkout ghidra-data | |
uses: actions/checkout@v3 | |
with: | |
repository: NationalSecurityAgency/ghidra-data | |
path: 'ghidra-data' | |
- name: Copy ghidra-data files into the appropriate directories | |
run: cp -r ghidra-data/FunctionID/* Ghidra/Features/FunctionID/data | |
- name: Build ghidra, create a cross-platform distribution | |
uses: eskatos/gradle-command-action@v2 | |
with: | |
gradle-version: 7.3.3 | |
arguments: -x ip -PallPlatforms buildGhidra | |
# TODO: remove upload-artifact when create release is sure to work | |
- name: Upload final dist | |
uses: actions/upload-artifact@v3 | |
with: | |
path: "build/dist/*" | |
- name: Remove temporary artifacts | |
uses: geekyeggo/delete-artifact@v2 | |
with: | |
name: | | |
natives-win_x86_32 | |
natives-win_x86_64 | |
natives-mac_x86_64 | |
natives-mac_arm_64 | |
natives-linux_x86_64 | |
natives-linux_arm_64 | |
- name: Get current date, rev and dist name | |
id: date | |
run: | | |
echo date=$(date +'%Y-%m-%d') >> $GITHUB_OUTPUT | |
echo dist=$(ls build/dist) >> $GITHUB_OUTPUT | |
echo rev=$(git rev-parse --short HEAD) >> $GITHUB_OUTPUT | |
- uses: actions/checkout@v3 | |
with: | |
path: ghidra-ci-roblabla | |
- name: Generate CHANGELOG.md | |
run: | | |
cd ghidra-ci-roblabla | |
sudo apt-get update | |
sudo apt-get install libkrb5-dev | |
npm i | |
node generate_changelog.js ${{github.event.inputs.prevRev}} ${{github.event.inputs.rev}} > CHANGELOG.md | |
- name: Create Release | |
id: create_release | |
uses: actions/create-release@v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
tag_name: ${{ steps.date.outputs.date }} | |
release_name: Release ${{ steps.date.outputs.date }}(${{ steps.date.outputs.rev }}) | |
body_path: ./ghidra-ci-roblabla/CHANGELOG.md | |
# TODO: This is a horrible hack. | |
commitish: "master" | |
draft: false | |
prerelease: false | |
- name: Upload Release Asset | |
id: upload-release-asset | |
uses: actions/upload-release-asset@v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ steps.create_release.outputs.upload_url }} | |
asset_path: ./build/dist/${{ steps.date.outputs.dist }} | |
asset_name: release.zip | |
asset_content_type: application/zip |