build: use distro CFLAGS

igaw · igaw · commit ade3cc93d56a · 2026-03-10T11:10:47.000+01:00
Instead of using the default settings, use the ones used to build the
distros. This should also catch more bugs due to FORTIFY and friends
being enabled.

Signed-off-by: Daniel Wagner &lt;wagi@kernel.org&gt;
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -25,6 +25,40 @@ jobs:
         run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
       - name: build
         run: |
+          if [ "${{ matrix.compiler }}" = "gcc" ]; then
+            if [ "${{ matrix.distro }}" = "tumbleweed" ]; then
+              BASE_FLAGS="-Wall -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 \
+                -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables \
+                -fstack-clash-protection -Werror -g"
+
+              if [ "${{ matrix.buildtype }}" = "release" ]; then
+                export CFLAGS="-O2 ${BASE_FLAGS} -flto=auto"
+                export LDFLAGS="-flto=auto"
+              else
+                export CFLAGS="-O0 ${BASE_FLAGS}"
+                export LDFLAGS=""
+              fi
+            fi
+            export CXXFLAGS="$CFLAGS"
+          elif [ "${{ matrix.distro }}" = "fedora" ] && \
+               [ "${{ matrix.buildtype }}" = "release" ]; then
+            BASE_FLAGS="-O2 -flto=auto -ffat-lto-objects -fexceptions -g \
+              -grecord-gcc-switches -pipe -Wall -Werror=format-security \
+              -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS \
+              -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong \
+              -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m32 -march=i686 -mtune=generic \
+              -msse2 -mfpmath=sse -mstackrealign -fasynchronous-unwind-tables \
+              -fstack-clash-protection"
+
+            export CFLAGS="$BASE_FLAGS"
+            export CXXFLAGS="$BASE_FLAGS"
+            export LDFLAGS='-Wl,-z,relro -Wl,--as-needed -Wl,-z,pack-relative-relocs \
+              -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld \
+              -specs=/usr/lib/rpm/redhat/redhat-hardened-ld-errors \
+              -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 \
+              -Wl,--build-id=sha1 -specs=/usr/lib/rpm/redhat/redhat-package-notes'
+          fi
+
           scripts/build.sh -b ${{ matrix.buildtype }} -c ${{ matrix.compiler }} -x
       - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         name: upload logs
