From cfd815f4ce781100d3732b9fff4736c35bce5807 Mon Sep 17 00:00:00 2001
From: Daniel Wagner
Date: Tue, 10 Mar 2026 11:58:45 +0100
Subject: [PATCH 1/2] build: update checkout action versioning

Use explicit SHAs instead version strings.

Signed-off-by: Daniel Wagner
---
 .github/workflows/build.yml | 4 ++--
 .github/workflows/libnvme-cleanup-python.yml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 1a9959cf44..e8250c0414 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -144,7 +144,7 @@ jobs:
 container:
 image: ghcr.io/linux-nvme/debian:latest
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Mark repo as safe for git
 run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
 - name: build
@@ -157,7 +157,7 @@ jobs:
 container:
 image: ghcr.io/linux-nvme/alpine:latest
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Mark repo as safe for git
 run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
 - name: build
diff --git a/.github/workflows/libnvme-cleanup-python.yml b/.github/workflows/libnvme-cleanup-python.yml
index 327d25e401..036677f0eb 100644
--- a/.github/workflows/libnvme-cleanup-python.yml
+++ b/.github/workflows/libnvme-cleanup-python.yml
@@ -19,7 +19,7 @@ jobs:
 environment: pypi
 steps:
 - name: Checkout repository
- uses: actions/checkout@v3
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Install pypi-cleanup
 run: pip install pypi-cleanup
From 9352aa9ec7afe832afb592add28e2482863b6a6e Mon Sep 17 00:00:00 2001
From: Daniel Wagner
Date: Tue, 10 Mar 2026 10:24:30 +0100
Subject: [PATCH 2/2] build: use distro CFLAGS

Instead of using the default settings, use the ones used to build the distros. This should also catch more bugs due to FORTIFY and friends being enabled.

Signed-off-by: Daniel Wagner
---
 .github/workflows/build.yml | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e8250c0414..40aa092bfd 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -25,6 +25,35 @@ jobs:
 run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
 - name: build
 run: |
+ if [ "${{ matrix.compiler }}" = "gcc" ]; then
+ if [ "${{ matrix.buildtype }}" = "release" ]; then
+ if [ "${{ matrix.distro }}" = "tumbleweed" ]; then
+ export CFLAGS="-O2 -Wall -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 \
+ -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables \
+ -fstack-clash-protection -Werror=return-type -flto=auto -g"
+ export CXXFLAGS="$CFLAGS"
+ export LDFLAGS="-flto=auto"
+ # TODO: The RH build depends on environment varibles/settings which prevent
+ # the compiler from working.
+ #
+ # elif [ "${{ matrix.distro }}" = "fedora" ]; then
+ # export CFLAGS="-O2 -flto=auto -ffat-lto-objects -fexceptions -g \
+ # -grecord-gcc-switches -pipe -Wall -Werror=format-security \
+ # -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS \
+ # -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong \
+ # -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m32 -march=i686 -mtune=generic \
+ # -msse2 -mfpmath=sse -mstackrealign -fasynchronous-unwind-tables \
+ # -fstack-clash-protection"
+ # export CXXFLAGS="$CFLAGS"
+ # export LDFLAGS='-Wl,-z,relro -Wl,--as-needed -Wl,-z,pack-relative-relocs \
+ # -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld \
+ # -specs=/usr/lib/rpm/redhat/redhat-hardened-ld-errors \
+ # -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 \
+ # -Wl,--build-id=sha1 -specs=/usr/lib/rpm/redhat/redhat-package-notes'
+ fi
+ fi
+ fi
 scripts/build.sh -b ${{ matrix.buildtype }} -c ${{ matrix.compiler }} -x
 - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
 name: upload logs
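Review bot: The commented-out Fedora block carries `-m32 -march=i686 -mtune=generic -msse2 -mfpmath=sse -mstackrealign`, which looks like a snapshot taken from a 32-bit build root rather than flags for the x86_64 runner, so as written it is dead configuration that would attempt a 32-bit build if anyone uncomments it. Rather than hard-coding a copy of each distro's flags that will drift from what the packages are actually built with, the gcc/release branch could ask the distro for them, e.g. `export CFLAGS="$(rpm --eval '%{optflags}')"` on Tumbleweed (and presumably `%{build_cflags}` / `%{build_ldflags}` on Fedora), provided rpm is present in those containers. The TODO should also state concretely what blocks the Fedora build — the `-specs=/usr/lib/rpm/redhat/...` files come from packages that are probably not installed in the image — and fix "varibles". Since only the gcc/release/tumbleweed cell gets the hardening flags and every other cell silently keeps the defaults, a line like `echo "CFLAGS=$CFLAGS LDFLAGS=$LDFLAGS"` before `scripts/build.sh` would let the uploaded logs show which builds actually ran with `_FORTIFY_SOURCE=3` and `-fstack-protector-strong` enabled.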