Skip to content

Commit b384f30

Browse files
jservjserv
committed
CI: Harden security and tweak performance
This improves CI/CD pipeline for better security, resource efficiency, and reliability. - Add minimal GitHub token permissions (contents:read, actions:read) - Add concurrency control to cancel redundant workflow runs - Add job-level and step-level timeouts across all workflows Performance Optimizations: - Add APT package caching for Linux runners - Add RISC-V toolchain caching with platform-specific keys - Add build artifacts caching (softfloat, mini-gdbstub, build/) - Enable recursive submodule checkout for dependency caching - Use -q flag for wget to reduce noise Timeout breakdown: - Checkout: 2 minutes - Cache operations: 2 minutes - Dependency installation: 10-15 minutes - Build tests: 10-30 minutes (depending on complexity) - System tests: 15 minutes - Full jobs: 60-180 minutes
1 parent 9f4e579 commit b384f30

File tree

6 files changed

+217
-71
lines changed

6 files changed

+217
-71
lines changed

.github/workflows/build-linux-artifacts.yml

Lines changed: 2 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -47,10 +47,8 @@ jobs:
4747
with:
4848
submodules: 'true'
4949
- name: Install dependencies
50-
run: |
51-
sudo apt-get update -q=2
52-
sudo apt-get upgrade -q=2
53-
sudo apt-get install -q=2 build-essential git
50+
uses: ./.github/actions/setup-rv32emu
51+
timeout-minutes: 30
5452
- name: Build Linux image
5553
run: |
5654
make build-linux-image

.github/workflows/deploy-wasm.yml

Lines changed: 5 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -21,10 +21,9 @@ jobs:
2121
steps:
2222
- name: Check out the repo
2323
uses: actions/checkout@v4
24-
- name: install-dependencies
25-
run: |
26-
sudo apt-get update -q=2
27-
sudo apt-get install -q=2 device-tree-compiler
24+
- name: Install dependencies
25+
uses: ./.github/actions/setup-rv32emu
26+
timeout-minutes: 30
2827
- name: Verify if the JS or HTML files has been modified
2928
id: changed-files
3029
uses: tj-actions/changed-files@v46
@@ -57,7 +56,7 @@ jobs:
5756
run: |
5857
make artifact
5958
# get from rv32emu-prebuilt
60-
wget -O build/shareware_doom_iwad.zip "https://raw.githubusercontent.com/sysprog21/rv32emu-prebuilt/doom-artifact/shareware_doom_iwad.zip"
59+
curl -fSsL -o build/shareware_doom_iwad.zip "https://raw.githubusercontent.com/sysprog21/rv32emu-prebuilt/doom-artifact/shareware_doom_iwad.zip"
6160
unzip -d build/ build/shareware_doom_iwad.zip
6261
- name: build with emcc and move application files to /tmp
6362
if: ${{ steps.changed-files.outputs.any_modified == 'true' ||
@@ -152,7 +151,7 @@ jobs:
152151
run: |
153152
make artifact
154153
# get from rv32emu-prebuilt
155-
wget -O build/shareware_doom_iwad.zip "https://raw.githubusercontent.com/sysprog21/rv32emu-prebuilt/doom-artifact/shareware_doom_iwad.zip"
154+
curl -fSsL -o build/shareware_doom_iwad.zip "https://raw.githubusercontent.com/sysprog21/rv32emu-prebuilt/doom-artifact/shareware_doom_iwad.zip"
156155
unzip -d build/ build/shareware_doom_iwad.zip
157156
- name: build with emcc and move application files to /tmp
158157
if: ${{ steps.changed-files.outputs.any_modified == 'true' ||

0 commit comments

Comments
 (0)