diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
deleted file mode 100644
index 88a6352baf..0000000000
--- a/.github/workflows/build.yml
+++ /dev/null
@@ -1,191 +0,0 @@ -name: Build Tvheadend Repo - -on: - push: - branches: [ master ] - - # Allows you to run this workflow manually from the Actions tab - workflow_dispatch: - -jobs: - build-raspberry: - runs-on: ubuntu-latest - continue-on-error: true - name: Build on Raspberry Pi ${{ matrix.arch }} - env: - GITHUB_ENV: CLOUDSMITH_API_KEY - CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_KEY }} - strategy: - matrix: - arch: [armv6l, armv7l, aarch64] - include: - - arch: armv6l - cpu: arm1176 - base_image: raspios_lite:latest - cpu_info: cpuinfo/raspberrypi_zero_w - - arch: armv7l - cpu: cortex-a7 - base_image: raspios_lite:latest - cpu_info: cpuinfo/raspberrypi_3b - - arch: aarch64 - cpu: cortex-a53 - base_image: raspios_lite_arm64:latest - cpu_info: cpuinfo/raspberrypi_zero2_w_arm64 - steps: - - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - uses: pguyot/arm-runner-action@v2 - with: - base_image: ${{ matrix.base_image }} - cpu: ${{ matrix.cpu }} - cpu_info: ${{ matrix.cpu_info }} - image_additional_mb: 10000 - copy_artifact_path: ../tvheadend*.deb - import_github_env: true - commands: | - sudo apt-get update -y - sudo apt-get install --force-yes -y cmake git build-essential pkg-config gettext libavahi-client-dev libssl-dev zlib1g-dev wget bzip2 git-core liburiparser-dev libdvbcsa-dev python3 python3-requests debhelper ccache lsb-release - DEBIAN_FRONTEND=noninteractive apt-get install --force-yes -y libpcre3-dev || DEBIAN_FRONTEND=noninteractive apt-get install --force-yes -y libpcre2-dev - AUTOBUILD_CONFIGURE_EXTRA=--enable-ccache\ --enable-ffmpeg_static\ --enable-hdhomerun_static\ --python=python3 ./Autobuild.sh -p raspios - support/cloudsmith.sh -p raspios -f '../tvheadend*.deb' - - uses: actions/upload-artifact@v3 - with: - name: Tvheadend-deb - path: tvheadend*.deb - if-no-files-found: error - - build-crosscompile: - # The host should always be linux - runs-on: ubuntu-latest - continue-on-error: true - name: Build on ${{ matrix.distro }} ${{ matrix.arch }} 
- # Run steps on a matrix - strategy: - matrix: - arch: [ armv7, aarch64] - distro: [ stretch, buster, bullseye, ubuntu16.04, ubuntu18.04, ubuntu20.04, ubuntu22.04 ] - include: - - arch: armv6 - distro: jessie - - arch: armv6 - distro: stretch - - arch: armv6 - distro: buster - - arch: armv6 - distro: bullseye - - arch: armv7 - distro: jessie - - steps: - - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - uses: uraimo/run-on-arch-action@v2 - name: Build artifact - id: build - with: - arch: ${{ matrix.arch }} - distro: ${{ matrix.distro }} - - # Not required, but speeds up builds - githubToken: ${{ github.token }} - - # Create an artifacts directory - setup: | - mkdir -p "${PWD}/artifacts" - - # Mount the artifacts directory as /artifacts in the container - dockerRunArgs: | - --volume "${PWD}/artifacts:/artifacts" - - # Pass some environment variables to the container - env: | # YAML, but pipe character is necessary - artifact_name: git-${{ matrix.distro }}_${{ matrix.arch }} - CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_KEY }} - - - # The shell to run commands with in the container - shell: /bin/sh - - # Install some dependencies in the container. This speeds up builds if - # you are also using githubToken. Any dependencies installed here will - # be part of the container image that gets cached, so subsequent - # builds don't have to re-install them. The image layer is cached - # publicly in your project's package repository, so it is vital that - # no secrets are present in the container state or logs. 
- install: | - if [ '${{ matrix.distro }}' = 'jessie' ]; then sed -i 's/archive.raspbian.org/legacy.raspbian.org/g' /etc/apt/sources.list; fi - case "${{ matrix.distro }}" in - ubuntu*|jessie|stretch|buster|bullseye) - apt-get update -y - DEBIAN_FRONTEND=noninteractive apt-get install --force-yes -y cmake git build-essential pkg-config gettext libavahi-client-dev libssl-dev zlib1g-dev wget bzip2 git-core liburiparser-dev libdvbcsa-dev python3 python3-requests debhelper ccache lsb-release - DEBIAN_FRONTEND=noninteractive apt-get install --force-yes -y libpcre3-dev || DEBIAN_FRONTEND=noninteractive apt-get install --force-yes -y libpcre2-dev - ;; - fedora*) - dnf -y update - dnf -y install git which - ;; - alpine*) - apk update - apk add git - ;; - esac - - # Produce a binary artifact - run: | - git config --global --add safe.directory /home/runner/work/tvheadend/tvheadend || true - AUTOBUILD_CONFIGURE_EXTRA=--enable-ccache\ --enable-ffmpeg_static\ --enable-hdhomerun_static\ --python=python3 ./Autobuild.sh - cp ../tvheadend*.deb /artifacts/ - support/cloudsmith.sh -f '../tvheadend*.deb' - - uses: actions/upload-artifact@v3 - with: - name: Tvheadend-deb - path: artifacts/tvheadend*.deb - if-no-files-found: error - - build-deb-native: - runs-on: ubuntu-latest - continue-on-error: true - name: Build on native ${{ matrix.container }} - strategy: - matrix: - container: ["ubuntu:bionic", "ubuntu:focal", "ubuntu:jammy", "ubuntu:kinetic", "ubuntu:trusty", "ubuntu:xenial", "i386/ubuntu:trusty", "i386/ubuntu:xenial", "debian:bookworm", "debian:bullseye", "debian:buster", "debian:sid", "debian:stretch", "i386/debian:bookworm", "i386/debian:bullseye", "i386/debian:buster", "i386/debian:sid", "i386/debian:stretch"] - container: - image: ${{ matrix.container }} - steps: - - name: Add git ppa - if: startsWith(matrix.container, 'ubuntu') || startsWith(matrix.container, 'i386/ubuntu') - run: | - apt-get update -y - DEBIAN_FRONTEND=noninteractive apt-get install --force-yes -y 
software-properties-common - add-apt-repository ppa:git-core/ppa -y - - name: dependencies - run: | - apt-get update -y - DEBIAN_FRONTEND=noninteractive apt-get install --force-yes -y cmake git build-essential pkg-config gettext libavahi-client-dev libssl-dev zlib1g-dev wget bzip2 git-core liburiparser-dev libdvbcsa-dev python3 python3-requests debhelper ccache lsb-release - - name: pcre-dependency - run: | - DEBIAN_FRONTEND=noninteractive apt-get install --force-yes -y libpcre3-dev || DEBIAN_FRONTEND=noninteractive apt-get install --force-yes -y libpcre2-dev - - uses: actions/checkout@v3 - if: startsWith(matrix.container, 'i386') != true && matrix.container != 'debian:stretch' - with: - fetch-depth: 0 - - uses: actions/checkout@v1 - if: startsWith(matrix.container, 'i386') || matrix.container == 'debian:stretch' - - name: Workaround safe directory - run: git config --global --add safe.directory /__w/tvheadend/tvheadend - - name: build - run: AUTOBUILD_CONFIGURE_EXTRA=--enable-ccache\ --enable-ffmpeg_static\ --enable-hdhomerun_static\ --python=python3 ./Autobuild.sh ${{ (startsWith(matrix.container, 'i386') && '-a i386') || '' }} - - name: copy-result - run: cp ../tvheadend*.deb . - - uses: actions/upload-artifact@v3 - if: startsWith(matrix.container, 'i386') != true - with: - name: Tvheadend-deb - path: tvheadend*.deb - if-no-files-found: error - - name: upload-cloudsmith - run: support/cloudsmith.sh -f 'tvheadend*.deb' - env: - CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_KEY }} diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml deleted file mode 100644 index 7dbcf4533d..0000000000 --- a/.github/workflows/coverity.yml +++ /dev/null 
@@ -1,45 +0,0 @@
-name: Coverity Scan
-
-# We only want to test official release code, not every pull request.
-on:
-# Allows you to run this workflow manually from the Actions tab
- workflow_dispatch:
-
-jobs:
- coverity:
- runs-on: ubuntu-latest
- environment: Coverity
- steps:
- - uses: actions/checkout@v3
- with:
- fetch-depth: 0
- - name: dependencies
- run: |
- sudo apt-get update
- sudo apt-get install -y cmake git build-essential pkg-config gettext libavahi-client-dev libssl-dev zlib1g-dev wget bzip2 git-core liburiparser-dev libpcre2-dev libdvbcsa-dev python3 python3-requests debhelper ccache libomxil-bellagio-dev libva-dev nvidia-cuda-dev
- - name: Configure
- run: ./configure --disable-dvbcscan --enable-slow_memoryinfo --enable-libfdkaac --enable-nvenc --enable-vaapi --enable-omx
- - name: Download Coverity Build Tool
- run: |
- wget -q https://scan.coverity.com/download/linux64 --post-data "token=$TOKEN&project=tvheadend%2Ftvheadend" -O cov-analysis-linux64.tar.gz
- mkdir cov-analysis-linux64
- tar xzf cov-analysis-linux64.tar.gz --strip 1 -C cov-analysis-linux64
- env:
- TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
- - name: Build with cov-build
- run: |
- export PATH=`pwd`/cov-analysis-linux64/bin:$PATH
- cov-build --dir cov-int make
- - name: Submit the result to Coverity Scan
- run: |
- tar czvf tvheadend.tgz cov-int
- curl \
- --form token=$TOKEN \
- --form email=$EMAIL \
- --form file=@tvheadend.tgz \
- --form version="`./build.linux/tvheadend -v | awk -F ' ' '{print $3}'`" \
- --form description="`./build.linux/tvheadend -v | awk -F ' ' '{print $3}'`" \
- https://scan.coverity.com/builds?project=tvheadend%2Ftvheadend
- env:
- TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
- EMAIL: ${{ secrets.COVERITY_SCAN_EMAIL }}
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
new file mode 100644
index 0000000000..c4d72008ea
--- /dev/null
+++ b/.github/workflows/semgrep.yml
@@ -0,0 +1,23 @@
+on:
+ pull_request: {}
+ push:
+ branches:
+ - main
+ - master
+ paths:
+ - .github/workflows/semgrep.yml
+ schedule:
+ # random HH:MM to avoid a load spike on GitHub Actions at 00:00
+ - cron: 51 20 * * *
+name: Semgrep
+jobs:
+ semgrep:
+ name: Scan
+ runs-on: ubuntu-20.04
+ env:
+ SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+ container:
+ image: returntocorp/semgrep
+ steps:
+ - uses: actions/checkout@v3
+ - run: semgrep ci --suppress-errors
diff --git a/.github/workflows/test-compile.yml b/.github/workflows/test-compile.yml
deleted file mode 100644
index e210eefa02..0000000000
--- a/.github/workflows/test-compile.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-name: Build Tvheadend CI
-
-on:
- push:
- branches: [ master ]
- pull_request:
- branches: [ master ]
-
- # Allows you to run this workflow manually from the Actions tab
- workflow_dispatch:
-
-jobs:
- build-ubuntu-latest:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
- with:
- fetch-depth: 0
- - name: dependencies
- run: |
- sudo apt-get update
- sudo apt-get install -y cmake git build-essential pkg-config gettext libavahi-client-dev libssl-dev zlib1g-dev wget bzip2 git-core liburiparser-dev libpcre2-dev libdvbcsa-dev python3 python3-requests debhelper ccache
- - name: build
- run: AUTOBUILD_CONFIGURE_EXTRA=--enable-ccache\ --enable-ffmpeg_static\ --enable-hdhomerun_static\ --python=python3 ./Autobuild.sh
diff --git a/.semgrepignore b/.semgrepignore
new file mode 100644
index 0000000000..0151df7311
--- /dev/null
+++ b/.semgrepignore
@@ -0,0 +1,2 @@
+## ignored
+--exclude src/parsers/parser_teletext.c
diff --git a/Makefile.ffmpeg b/Makefile.ffmpeg
index 6ed6eaa3c2..dfb8502c35 100644
--- a/Makefile.ffmpeg
+++ b/Makefile.ffmpeg
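Review bot: In `.github/workflows/semgrep.yml` the job exports `SEMGREP_APP_TOKEN` at job level and then runs inside `image: returntocorp/semgrep`, which carries no tag or digest, so whatever the registry serves under the default tag at run time executes with that secret in its environment. Pinning by digest, `image: returntocorp/semgrep@sha256:<digest>` (placeholder), keeps the scanner version reviewable. The file also has no `permissions:` block, so the job token receives the repository default; a top-level `permissions:` with `contents: read` looks sufficient for the checkout and scan shown here. Separately, `semgrep ci --suppress-errors` lets the step pass when the scan itself errors, so a broken scan would go unnoticed unless that is checked some other way.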
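Review bot: The second line of the new `.semgrepignore`, `--exclude src/parsers/parser_teletext.c`, is written as a command-line option, but this file takes gitignore-style path patterns, one per line. As written the entry most likely matches no path, so `parser_teletext.c` would still be scanned. If the intent is to skip that file, the line should read `src/parsers/parser_teletext.c`. Replacing `## ignored` with a comment that records why the file is excluded, e.g. `# excluded: <reason>` (placeholder), would let a later reviewer judge whether the exclusion still holds.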
@@ -566,14 +566,14 @@ endif ifeq (yes,$(CONFIG_NVENC)) -## YOU MUST INSTALL CUDA from NVIDIA for "libnpp" +## YOU MUST INSTALL CUDA from NVIDIA for "libnpp" EXTLIBS += nvenc cuvid libnpp ENCODERS += h264_nvenc hevc_nvenc DECODERS += h264_cuvid hevc_cuvid HWACCELS += h264_nvdec hevc_nvdec vp8_nvdec vp9_nvdec mjpeg_nvdec mpeg1_nvdec mpeg2_nvdec mpeg4_nvdec ECFLAGS += -I/usr/local/cuda/include -## NVIDIA LIB for "libnpp" +## NVIDIA LIB for "libnpp" CONFIGURE_FFMPEG += --extra-ldflags=-L/usr/local/cuda/lib64 $(LIB_ROOT)/$(FFNVCODEC)/.tvh_download: diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..034e848032 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,21 @@ +# Security Policy + +## Supported Versions + +Use this section to tell people about which versions of your project are +currently being supported with security updates. + +| Version | Supported | +| ------- | ------------------ | +| 5.1.x | :white_check_mark: | +| 5.0.x | :x: | +| 4.0.x | :white_check_mark: | +| < 4.0 | :x: | + +## Reporting a Vulnerability + +Use this section to tell people how to report a vulnerability. + +Tell them where to go, how often they can expect to get an update on a +reported vulnerability, what to expect if the vulnerability is accepted or +declined, etc.