diff --git a/.github/workflows/ci_new.yml b/.github/workflows/ci_new.yml
index a1009e02b..1864411af 100644
--- a/.github/workflows/ci_new.yml
+++ b/.github/workflows/ci_new.yml
@@ -5,6 +5,97 @@ on:
   pull_request:
 jobs:
+  build-modsecurity-v3:
+    name: ModSecurity v3 (warn-only hardening build)
+    runs-on: ubuntu-24.04
+    env:
+      CC: gcc
+      CXX: g++
+      MODSECURITY_WARN_ONLY: "1"
+      COMMON_CC_OPT: "-O2 -pipe -fstack-protector-strong -fstack-clash-protection -ffunction-sections -fdata-sections -D_FORTIFY_SOURCE=2"
+      COMMON_LD_OPT: "-Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wl,--as-needed -Wl,--gc-sections"
+      PIC_CC_OPT: "-fPIC"
+      MODSECURITY_CC_OPT: "-Wall -Wextra -Wformat -Wformat-security"
+      MODSECURITY_CXX_OPT: "-Wall -Wextra -Wformat -Wformat-security"
+      MODSECURITY_LD_OPT: "-Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wl,--as-needed -Wl,--gc-sections"
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          submodules: recursive
+
+      - name: Detect latest Lua dev package
+        id: detect_lua
+        shell: bash
+        run: |
+          set -euo pipefail
+          sudo apt-get update -y -qq
+          CANDIDATES="$(apt-cache pkgnames | grep -E '^liblua[0-9]+\.[0-9]+-dev$' || true)"
+          [ -n "$CANDIDATES" ]
+          BEST_PKG="$(
+            printf '%s\n' "$CANDIDATES" \
+            | sed -E 's/^liblua([0-9]+\.[0-9]+)-dev$/\1 &/' \
+            | sort -V \
+            | tail -n1 \
+            | awk '{print $2}'
+          )"
+          [ -n "$BEST_PKG" ]
+          echo "lua_pkg=$BEST_PKG" >> "$GITHUB_OUTPUT"
+
+      - name: Install dependencies
+        run: |
+          sudo apt-get update -y -qq
+          sudo apt-get install -y \
+            autoconf automake libtool pkg-config bison flex \
+            libyajl-dev libcurl4-openssl-dev liblmdb-dev \
+            ${{ steps.detect_lua.outputs.lua_pkg }} \
+            libmaxminddb-dev libpcre2-dev libxml2-dev libfuzzy-dev
+
+      - name: Build preparation
+        run: ./build.sh
+
+      - name: Configure ModSecurity v3 flags
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          C_WARNINGS="${MODSECURITY_CC_OPT}"
+          CXX_WARNINGS="${MODSECURITY_CXX_OPT}"
+
+          if [ "${MODSECURITY_WARN_ONLY:-0}" = "1" ]; then
+            C_WARNINGS="$(echo " ${C_WARNINGS} " | sed -E 's/[[:space:]]-Werror(=format-security)?[[:space:]]/ /g')"
+            CXX_WARNINGS="$(echo " ${CXX_WARNINGS} " | sed -E 's/[[:space:]]-Werror(=format-security)?[[:space:]]/ /g')"
+          fi
+
+          echo "CFLAGS=${COMMON_CC_OPT} ${PIC_CC_OPT} ${C_WARNINGS}" >> "$GITHUB_ENV"
+          echo "CXXFLAGS=${COMMON_CC_OPT} ${PIC_CC_OPT} ${CXX_WARNINGS}" >> "$GITHUB_ENV"
+          echo "CPPFLAGS=-D_FORTIFY_SOURCE=2" >> "$GITHUB_ENV"
+          echo "LDFLAGS=${COMMON_LD_OPT} ${MODSECURITY_LD_OPT}" >> "$GITHUB_ENV"
+
+      - name: Print toolchain and build configuration
+        shell: bash
+        run: |
+          set -euo pipefail
+          echo "compiler version:"
+          ${CC} --version
+          echo
+          echo "linker version:"
+          ${CC} -Wl,--version | head -n1 || ld --version | head -n1
+          echo
+          echo "CFLAGS=${CFLAGS}"
+          echo "CXXFLAGS=${CXXFLAGS}"
+          echo "CPPFLAGS=${CPPFLAGS}"
+          echo "LDFLAGS=${LDFLAGS}"
+          echo "configure options: --enable-assertions=yes"
+          echo "MODSECURITY_WARN_ONLY=${MODSECURITY_WARN_ONLY}"
+          echo "Note: no LuaJIT rpath and no nginx/OpenResty-specific flags are used in this job."
+
+      - name: Configure
+        run: ./configure --enable-assertions=yes
+
+      - name: Build (verbose)
+        run: make -j "$(nproc)" V=1
+
   build-linux:
     name: Linux (${{ matrix.platform.label }}, ${{ matrix.compiler.label }}, ${{ matrix.configure.label }})