mirror of
https://dev.lirent.ru/Vatrog/vm-introspection-engine.git
synced 2026-07-09 00:46:36 +03:00
1b06206043
New semsig_hash(mem_view_t) primitive (include/semsig.h): a position-,
register-, immediate- and instruction-order-invariant function fingerprint.
It folds per-instruction operand-canonical tokens, splitting the body into
basic blocks via cfg_blocks and using a within-block order-insensitive
sort-then-fold (between-block order preserved), so it survives compiler
register reallocation and instruction scheduling that the byte-mask
func_hash/sig_generate cannot. Distinct hash domain from func_hash.
The operand decode is delegated to an OPTIONAL external disassembler behind
a private adapter seam (src/handlers/semsig_backend.h); semsig.c stays
backend-neutral and includes no backend header. VMIE_DISASM={OFF|zydis|
capstone} gates the build: OFF (default) compiles only semsig_stub.c and
keeps the zero-dependency build (VMIE_HAVE_DISASM=0, packages unchanged).
The backend is brought from VMIE_DISASM_SRC or find_package - never
vendored. Adds the vmie_win32_func_semsig wrapper.
The CI deb job builds with the Zydis backend (libzydis-dev); the runtime
package dependency on libzydis is derived automatically by dpkg-shlibdeps.
129 lines
4.1 KiB
YAML
129 lines
4.1 KiB
YAML
name: release
|
|
|
|
on:
|
|
push:
|
|
tags:
|
|
- 'v*'
|
|
|
|
jobs:
|
|
windows-exe:
|
|
runs-on: ubuntu-latest
|
|
container:
|
|
image: node:20-bookworm-slim
|
|
defaults:
|
|
run:
|
|
shell: bash
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Install toolchain
|
|
run: |
|
|
apt-get update
|
|
apt-get install -y --no-install-recommends \
|
|
cmake make zip jq curl ca-certificates \
|
|
gcc libc6-dev gcc-mingw-w64-x86-64
|
|
|
|
- name: Configure
|
|
run: cmake -S . -B build -DCMAKE_BUILD_TYPE=Release
|
|
|
|
- name: Build Windows exe
|
|
run: cmake --build build -j --target vmie-startup
|
|
|
|
- name: Package
|
|
env:
|
|
TAG: ${{ github.ref_name }}
|
|
run: |
|
|
set -euo pipefail
|
|
mkdir -p dist/vmie-startup
|
|
cp build/vmie-startup.exe dist/vmie-startup/
|
|
[ -f LICENSE ] && cp LICENSE dist/vmie-startup/ || true
|
|
(cd dist && zip -r "vmie-startup-${TAG}-win64.zip" vmie-startup)
|
|
|
|
- name: Publish to release
|
|
env:
|
|
GITEA_TOKEN: ${{ secrets.PUBLISH_TOKEN }}
|
|
SERVER: ${{ github.server_url }}
|
|
REPO: ${{ github.repository }}
|
|
TAG: ${{ github.ref_name }}
|
|
run: |
|
|
set -euo pipefail
|
|
asset="vmie-startup-${TAG}-win64.zip"
|
|
api="${SERVER}/api/v1/repos/${REPO}"
|
|
auth="Authorization: token ${GITEA_TOKEN}"
|
|
|
|
# find the release for this tag, or create it
|
|
rid=$(curl -sSL -H "$auth" "${api}/releases/tags/${TAG}" | jq -r '.id // empty' || true)
|
|
if [ -z "$rid" ]; then
|
|
rid=$(curl -fsSL -X POST -H "$auth" -H "Content-Type: application/json" \
|
|
-d "{\"tag_name\":\"${TAG}\",\"name\":\"${TAG}\"}" \
|
|
"${api}/releases" | jq -r '.id')
|
|
fi
|
|
|
|
# drop a prior asset of the same name so re-runs are idempotent
|
|
curl -fsSL -H "$auth" "${api}/releases/${rid}/assets" \
|
|
| jq -r ".[] | select(.name==\"${asset}\") | .id" \
|
|
| while read -r aid; do
|
|
[ -n "$aid" ] && curl -fsSL -X DELETE -H "$auth" "${api}/releases/${rid}/assets/${aid}"
|
|
done
|
|
|
|
curl -fsSL -X POST -H "$auth" \
|
|
-F "attachment=@dist/${asset};type=application/zip" \
|
|
"${api}/releases/${rid}/assets?name=${asset}"
|
|
|
|
deb:
|
|
runs-on: ubuntu-latest
|
|
container:
|
|
image: node:20-bookworm-slim
|
|
defaults:
|
|
run:
|
|
shell: bash
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Install toolchain
|
|
run: |
|
|
apt-get update
|
|
apt-get install -y --no-install-recommends \
|
|
cmake make gcc libc6-dev dpkg-dev file \
|
|
libzydis-dev \
|
|
gcc-mingw-w64-x86-64 ca-certificates curl
|
|
|
|
- name: Configure
|
|
env:
|
|
TAG: ${{ github.ref_name }}
|
|
run: cmake -S . -B build -DCMAKE_BUILD_TYPE=Release -DVMIE_VERSION=${TAG#v} -DVMIE_DISASM=zydis
|
|
|
|
- name: Build shared library
|
|
run: cmake --build build -j --target vmie_shared
|
|
|
|
- name: Package
|
|
run: |
|
|
set -euo pipefail
|
|
(cd build && cpack -G DEB)
|
|
ls -l build/*.deb
|
|
|
|
- name: Publish to Debian registry
|
|
env:
|
|
TOKEN: ${{ secrets.PUBLISH_TOKEN }} # requires scope: package:write
|
|
SERVER: ${{ github.server_url }}
|
|
OWNER: ${{ github.repository_owner }}
|
|
DISTRIBUTION: stable
|
|
COMPONENT: main
|
|
run: |
|
|
set -euo pipefail
|
|
url="${SERVER}/api/packages/${OWNER}/debian/pool/${DISTRIBUTION}/${COMPONENT}/upload"
|
|
auth="Authorization: token ${TOKEN}"
|
|
for deb in build/*.deb; do
|
|
# 201 Created = uploaded; 409 Conflict = this version already present (re-run).
|
|
# Both are success; anything else fails. Do not use curl -f (it would fail 409).
|
|
code=$(curl -s -o /dev/null -w '%{http_code}' \
|
|
-X PUT -H "$auth" -T "$deb" "$url")
|
|
echo "$deb -> HTTP $code"
|
|
if [ "$code" != 201 ] && [ "$code" != 409 ]; then
|
|
echo "upload failed: $deb (HTTP $code)" >&2
|
|
exit 1
|
|
fi
|
|
done
|