Add SECURITY.md #240
# brian's standard GitHub Actions Ubuntu config for Perl 5 modules | |
# version 20240923.001 | |
# https://github.com/briandfoy/github_workflows | |
# https://github.com/features/actions | |
# This file is licensed under the Artistic License 2.0 | |
# | |
# This uses the AUTOMATED_TESTING environment that you can set up | |
# in your repo settings. Or not. It still works if it isn't defined. | |
# In that environment, add whatever environment variables or secrets | |
# that you want. | |
--- | |
name: ubuntu | |
# https://github.com/actions/checkout/issues/1590 | |
env: | |
ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true | |
# https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/using-concurrency | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref || github.run_id }} | |
cancel-in-progress: true | |
on: | |
push: | |
branches: | |
- '**' | |
- '!**appveyor**' | |
- '!**circleci**' | |
- '!**macos**' | |
- '!**notest**' | |
- '!**release**' | |
- '!**windows**' | |
tags-ignore: | |
# I tag release pushes but those should have already been tested | |
- 'release-*' | |
paths-ignore: | |
# list all the files which are irrelevant to the tests | |
# non-code, support files, docs, etc | |
- '.appveyor.yml' | |
- '.circleci' | |
- '.gitattributes' | |
- '.github/workflows/macos.yml' | |
- '.github/workflows/release.yml' | |
- '.github/workflows/windows.yml' | |
- '.gitignore' | |
- '.releaserc' | |
- 'Changes' | |
- 'LICENSE' | |
- 'README.pod' | |
pull_request: | |
# weekly build on the master branch just to see what CPAN is doing | |
schedule: | |
- cron: "37 3 * * 0" | |
jobs: | |
perl: | |
environment: automated_testing | |
runs-on: ${{ matrix.os }} | |
strategy: | |
matrix: | |
os: | |
- ubuntu-22.04 | |
perl-version: | |
- '5.20-buster' | |
- '5.22-buster' | |
- '5.24-buster' | |
- '5.26-buster' | |
- '5.28-buster' | |
- '5.30-bullseye' | |
- '5.32-bullseye' | |
- '5.34-bullseye' | |
- '5.36-bookworm' | |
- '5.38-bookworm' | |
- 'latest' | |
container: | |
image: perl:${{ matrix.perl-version }} | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Platform check | |
run: uname -a | |
- name: Perl version check | |
run: | | |
perl -V | |
perl -v | perl -0777 -ne 'm/(v5\.\d+)/ && print "PERL_VERSION=$1"' >> $GITHUB_ENV | |
# Some older versions of Perl have trouble with hostnames in certs. I | |
# haven't figured out why. | |
- name: Setup environment | |
run: | | |
echo "PERL_LWP_SSL_VERIFY_HOSTNAME=0" >> $GITHUB_ENV | |
# HTML::Tagset bumped its minimum version to v5.10 for no good reason | |
# but this is a prereq to LWP, which runs on v5.8. To get around this, | |
# download the tarball and fix it for v5.8. Install it before we try | |
# to install things that depend on it. More recent versions will | |
# install it normally. | |
# 1. remove the META files which have references to v5.10 and ignore | |
# the warnings | |
# 2. fix Makefile.PL to remove two references to v5.10 | |
# https://github.com/libwww-perl/HTML-Tagset/pull/14 | |
- name: fix html-tagset for v5.8 | |
if: env.PERL_VERSION == 'v5.8' | |
run: | | |
curl -L -O https://cpan.metacpan.org/authors/id/P/PE/PETDANCE/HTML-Tagset-3.24.tar.gz | |
tar -xzf HTML-Tagset-3.24.tar.gz | |
cd HTML-Tagset-3.24 | |
rm META.* | |
mv Makefile.PL Makefile.PL.orig | |
perl -n -e 'next if /(^use 5)|(MIN_PERL)/; print' Makefile.PL.orig > Makefile.PL | |
cpan -T . | |
cd .. | |
# I had some problems with openssl on Ubuntu, so I punted by installing | |
# cpanm first, which is easy. I can install IO::Socket::SSL with that, | |
# then switch back to cpan. I didn't explore this further, but what you | |
# see here hasn't caused problems for me. | |
# Need HTTP::Tiny 0.055 or later. | |
- name: Install cpanm and multiple modules | |
run: | | |
curl -L https://cpanmin.us | perl - App::cpanminus | |
cpanm --notest IO::Socket::SSL LWP::Protocol::https App::Cpan HTTP::Tiny ExtUtils::MakeMaker Test::Manifest Test::More | |
# Install the dependencies, again not testing them. This installs the | |
# module in the current directory, so we end up installing the module, | |
# but that's not a big deal. | |
- name: Install dependencies | |
run: | | |
cpanm --notest --installdeps --with-suggests --with-recommends . | |
- name: Show cpanm failures | |
if: ${{ failure() }} | |
run: | | |
cat /github/home/.cpanm/work/*/build.log | |
- name: Run tests | |
run: | | |
perl Makefile.PL | |
make test | |
# Run author tests, but only if there's an xt/ directory | |
- name: Author tests | |
if: hashFiles('xt') != '' | |
run: | | |
cpanm --notest Test::CPAN::Changes | |
prove -r -b xt | |
# Running tests in parallel should be faster, but it's also more | |
# tricky in cases where different tests share a feature, such as a | |
# file they want to write to. Parallel tests can stomp on each other. | |
# Test in parallel to catch that, because other people will test your | |
# stuff in parallel. | |
- name: Run tests in parallel | |
run: | | |
perl Makefile.PL | |
HARNESS_OPTIONS=j10 make test | |
# The disttest target creates the distribution, unwraps it, changes | |
# into the dist dir, then runs the tests there. That checks that | |
# everything that should be in the dist is in the dist. If you forget | |
# to update MANIFEST with new modules, data files, and so on, you | |
# should notice the error. | |
- name: Run distribution tests | |
run: | | |
perl Makefile.PL | |
make disttest | |
make clean | |
# And, coverage reports, but only under 5.12 and later since modern | |
# Devel::Cover instances don't work with earlier versions as of | |
# Devel::Cover 1.39 | |
- name: Run coverage tests | |
if: env.PERL_VERSION != 'v5.8' && env.PERL_VERSION != 'v5.10' | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: | | |
cpanm --notest Devel::Cover Devel::Cover::Report::Coveralls | |
perl Makefile.PL | |
cover -test -report coveralls |
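Review bot: The `Setup environment` step appends `PERL_LWP_SSL_VERIFY_HOSTNAME=0` to `$GITHUB_ENV`, so certificate hostname checking is turned off for LWP in every later step and for every matrix entry, although the comment above it attributes the problem only to some older perls. The following steps download and install modules from CPAN, so any of them that fetch through LWP would accept a certificate issued for a different host; gating the step the way the HTML-Tagset step is gated, e.g. `if: env.PERL_VERSION == '<affected-version placeholder>'`, keeps verification on wherever it works. The next step runs `curl -L https://cpanmin.us | perl - App::cpanminus`, which executes whatever that URL returns with no digest check; fetching a versioned tarball and comparing it against a recorded SHA-256 before running it would close that gap. The workflow-level `ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true` and the mutable tag in `actions/checkout@v3` are worth revisiting together. A top-level `permissions:` block with `contents: read` would also limit the job token, assuming the Coveralls step needs no write scope.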