Files
vatrog-vm-introspection-engine/.gitea/workflows/release.yml
T
lirent 1b06206043 Add operand-normalized semantic code signatures
New semsig_hash(mem_view_t) primitive (include/semsig.h): a position-,
register-, immediate- and instruction-order-invariant function fingerprint.
It folds per-instruction operand-canonical tokens, splitting the body into
basic blocks via cfg_blocks and using a within-block order-insensitive
sort-then-fold (between-block order preserved), so it survives compiler
register reallocation and instruction scheduling that the byte-mask
func_hash/sig_generate cannot. Distinct hash domain from func_hash.

The operand decode is delegated to an OPTIONAL external disassembler behind
a private adapter seam (src/handlers/semsig_backend.h); semsig.c stays
backend-neutral and includes no backend header. VMIE_DISASM={OFF|zydis|
capstone} gates the build: OFF (default) compiles only semsig_stub.c and
keeps the zero-dependency build (VMIE_HAVE_DISASM=0, packages unchanged).
The backend is brought from VMIE_DISASM_SRC or find_package - never
vendored. Adds the vmie_win32_func_semsig wrapper.

The CI deb job builds with the Zydis backend (libzydis-dev); the runtime
package dependency on libzydis is derived automatically by dpkg-shlibdeps.
2026-06-28 21:51:47 +03:00

129 lines
4.1 KiB
YAML

name: release
on:
push:
tags:
- 'v*'
jobs:
windows-exe:
runs-on: ubuntu-latest
container:
image: node:20-bookworm-slim
defaults:
run:
shell: bash
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install toolchain
run: |
apt-get update
apt-get install -y --no-install-recommends \
cmake make zip jq curl ca-certificates \
gcc libc6-dev gcc-mingw-w64-x86-64
- name: Configure
run: cmake -S . -B build -DCMAKE_BUILD_TYPE=Release
- name: Build Windows exe
run: cmake --build build -j --target vmie-startup
- name: Package
env:
TAG: ${{ github.ref_name }}
run: |
set -euo pipefail
mkdir -p dist/vmie-startup
cp build/vmie-startup.exe dist/vmie-startup/
[ -f LICENSE ] && cp LICENSE dist/vmie-startup/ || true
(cd dist && zip -r "vmie-startup-${TAG}-win64.zip" vmie-startup)
- name: Publish to release
env:
GITEA_TOKEN: ${{ secrets.PUBLISH_TOKEN }}
SERVER: ${{ github.server_url }}
REPO: ${{ github.repository }}
TAG: ${{ github.ref_name }}
run: |
set -euo pipefail
asset="vmie-startup-${TAG}-win64.zip"
api="${SERVER}/api/v1/repos/${REPO}"
auth="Authorization: token ${GITEA_TOKEN}"
# find the release for this tag, or create it
rid=$(curl -sSL -H "$auth" "${api}/releases/tags/${TAG}" | jq -r '.id // empty' || true)
if [ -z "$rid" ]; then
rid=$(curl -fsSL -X POST -H "$auth" -H "Content-Type: application/json" \
-d "{\"tag_name\":\"${TAG}\",\"name\":\"${TAG}\"}" \
"${api}/releases" | jq -r '.id')
fi
# drop a prior asset of the same name so re-runs are idempotent
curl -fsSL -H "$auth" "${api}/releases/${rid}/assets" \
| jq -r ".[] | select(.name==\"${asset}\") | .id" \
| while read -r aid; do
[ -n "$aid" ] && curl -fsSL -X DELETE -H "$auth" "${api}/releases/${rid}/assets/${aid}"
done
curl -fsSL -X POST -H "$auth" \
-F "attachment=@dist/${asset};type=application/zip" \
"${api}/releases/${rid}/assets?name=${asset}"
deb:
runs-on: ubuntu-latest
container:
image: node:20-bookworm-slim
defaults:
run:
shell: bash
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install toolchain
run: |
apt-get update
apt-get install -y --no-install-recommends \
cmake make gcc libc6-dev dpkg-dev file \
libzydis-dev \
gcc-mingw-w64-x86-64 ca-certificates curl
- name: Configure
env:
TAG: ${{ github.ref_name }}
run: cmake -S . -B build -DCMAKE_BUILD_TYPE=Release -DVMIE_VERSION=${TAG#v} -DVMIE_DISASM=zydis
- name: Build shared library
run: cmake --build build -j --target vmie_shared
- name: Package
run: |
set -euo pipefail
(cd build && cpack -G DEB)
ls -l build/*.deb
- name: Publish to Debian registry
env:
TOKEN: ${{ secrets.PUBLISH_TOKEN }} # requires scope: package:write
SERVER: ${{ github.server_url }}
OWNER: ${{ github.repository_owner }}
DISTRIBUTION: stable
COMPONENT: main
run: |
set -euo pipefail
url="${SERVER}/api/packages/${OWNER}/debian/pool/${DISTRIBUTION}/${COMPONENT}/upload"
auth="Authorization: token ${TOKEN}"
for deb in build/*.deb; do
# 201 Created = uploaded; 409 Conflict = this version already present (re-run).
# Both are success; anything else fails. Do not use curl -f (it would fail 409).
code=$(curl -s -o /dev/null -w '%{http_code}' \
-X PUT -H "$auth" -T "$deb" "$url")
echo "$deb -> HTTP $code"
if [ "$code" != 201 ] && [ "$code" != 409 ]; then
echo "upload failed: $deb (HTTP $code)" >&2
exit 1
fi
done