diff --git a/CODEOWNERS b/.github/CODEOWNERS similarity index 100% rename from CODEOWNERS rename to .github/CODEOWNERS diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 4a0f0046..eede1be9 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml 
@@ -25,3 +25,156 @@ jobs: name: docker-logs path: | *.log + + android-build: + name: Android ${{ matrix.build-type }} ${{ matrix.swift-version }} ${{ matrix.arch }} ${{ matrix.runner }} (compiler=${{ matrix.build-compiler }}) + strategy: + fail-fast: false + matrix: + include: + - swift-version: 'tag:swift-DEVELOPMENT-SNAPSHOT-2026-02-06-a' + build-type: 'docker' + build-compiler: '1' + runner: 'ubuntu-24.04' + - swift-version: 'tag:swift-6.3-DEVELOPMENT-SNAPSHOT-2026-01-29-a' + build-type: 'local' + build-compiler: '1' + runner: 'ubuntu-24.04' + runs-on: ${{ matrix.runner }} + # 16 hour timeout + timeout-minutes: 1080 + steps: + - name: Free Disk Space + run: | + df -h + # brings available space from 25G to 32G + # otherwise we sometimes run out of space during the build + sudo rm -rf /usr/share/miniconda /usr/share/az* /usr/share/glade* /usr/local/share/chromium /usr/local/share/powershell /usr/share/dotnet /opt/ghc /opt/hostedtoolcache /usr/local/graalvm/ /usr/local/.ghcup/ /usr/local/lib/node_modules /usr/local/share/boost + sudo docker image prune --all --force + sudo docker builder prune -a + df -h + - name: Setup + id: config + run: | + # these variabes are used by build-docker and build-local + # to determine which Swift version to build for + echo "SWIFT_VERSION=${{ matrix.swift-version }}" >> $GITHUB_ENV + # pass the build-compiler matrix through to the build script + echo "BUILD_COMPILER=${{ matrix.build-compiler }}" >> $GITHUB_ENV + echo "TARGET_ARCHS=${{ matrix.arch }}" >> $GITHUB_ENV + echo "WORKDIR=${{ runner.temp }}/swift-android-sdk" >> $GITHUB_ENV + - name: Checkout repository + uses: actions/checkout@v4 + - name: Build Android SDK (Local) + if: ${{ matrix.build-type == 'local' }} + working-directory: swift-ci/sdks/android + run: | + sudo apt install -q patchelf build-essential cmake ninja-build python3 golang git gnupg2 libcurl4-openssl-dev libedit-dev libicu-dev libncurses5-dev libpython3-dev libsqlite3-dev libxml2-dev rsync uuid-dev 
uuid-runtime tzdata curl unzip + ./build-local ${SWIFT_VERSION} ${WORKDIR} + - name: Build Android SDK (Docker) + if: ${{ matrix.build-type == 'docker' }} + working-directory: swift-ci/sdks/android + run: | + ./build-docker ${SWIFT_VERSION} ${WORKDIR} + - name: Install Host Toolchain + if: ${{ matrix.build-type == 'docker' }} + working-directory: swift-ci/sdks/android + run: | + # when building in a Docker container, we don't have a local host toolchain, + # but we need one in order to run the SDK validation tests, so we install it now + HOST_OS=ubuntu$(lsb_release -sr) + source ./scripts/toolchain-vars.sh + mkdir -p ${WORKDIR}/host-toolchain + ./scripts/install-swift.sh ${WORKDIR}/host-toolchain/$SWIFT_BASE/usr + ls ${WORKDIR}/host-toolchain + ${WORKDIR}/host-toolchain/*/usr/bin/swift --version + - name: Get artifact info + id: info + shell: bash + run: | + set -ex + SWIFT_ROOT=$(dirname ${WORKDIR}/host-toolchain/*/usr) + echo "swift-root=${SWIFT_ROOT}" >> $GITHUB_OUTPUT + echo "swift-path=${SWIFT_ROOT}/usr/bin/swift" >> $GITHUB_OUTPUT + + ARTIFACT_PATH=$(realpath ${WORKDIR}/products/*.artifactbundle.tar.gz) + echo "artifact-path=${ARTIFACT_PATH}" >> $GITHUB_OUTPUT + echo "sdk-id=x86_64-unknown-linux-android28" >> $GITHUB_OUTPUT + + ARTIFACT_EXT=".artifactbundle.tar.gz" + ARTIFACT_NAME="$(basename ${ARTIFACT_PATH} ${ARTIFACT_EXT})" + # depending on whether we are building locally or in a container, add a maker to the name + if [[ "${{ matrix.build-type }}" == 'local' ]]; then + ARTIFACT_NAME="${ARTIFACT_NAME}-local" + fi + if [[ "${{ matrix.build-compiler }}" == '1' ]]; then + ARTIFACT_NAME="${ARTIFACT_NAME}-hostbuild" + fi + # artifacts need a unique name so we suffix with the matrix arch(s) + if [[ ! 
-z "${{ matrix.arch }}" ]]; then + ARTIFACT_NAME="${ARTIFACT_NAME}-$(echo ${{ matrix.arch }} | tr ',' '-')" + fi + ARTIFACT_NAME="${ARTIFACT_NAME}${ARTIFACT_EXT}" + + # There is no way to prevent even a single-file artifact from being zipped: + # https://github.com/actions/upload-artifact?tab=readme-ov-file#zip-archives + # so the actual artifact download will look like: + # swift-6.1-RELEASE_android-0.1-x86_64.artifactbundle.tar.gz.zip + echo "artifact-name=${ARTIFACT_NAME}" >> $GITHUB_OUTPUT + - name: Upload SDK artifactbundle + uses: actions/upload-artifact@v4 + with: + compression-level: 0 + name: ${{ steps.info.outputs.artifact-name }} + path: ${{ steps.info.outputs.artifact-path }} + - name: Cleanup + run: | + # need to free up some space or else when installing we get: No space left on device + df -h + rm -rf ${WORKDIR}/{build,source} + sudo docker image prune --all --force + sudo docker builder prune -a + df -h + - name: Install artifactbundle + shell: bash + run: | + set -ex + ${{ steps.info.outputs.swift-path }} sdk install ${{ steps.info.outputs.artifact-path }} + ${{ steps.info.outputs.swift-path }} sdk configure --show-configuration $(${{ steps.info.outputs.swift-path }} sdk list | head -n 1) ${{ steps.info.outputs.sdk-id }} + # recent releases require that ANDROID_NDK_ROOT *not* be set + # see https://github.com/swiftlang/swift-driver/pull/1879 + echo "ANDROID_NDK_ROOT=" >> $GITHUB_ENV + + - name: Create Demo Project + run: | + cd ${{ runner.temp }} + mkdir DemoProject + cd DemoProject + ${{ steps.info.outputs.swift-path }} --version + ${{ steps.info.outputs.swift-path }} package init + echo 'import Foundation' >> Sources/DemoProject/DemoProject.swift + echo 'import FoundationEssentials' >> Sources/DemoProject/DemoProject.swift + echo 'import FoundationXML' >> Sources/DemoProject/DemoProject.swift + echo 'import FoundationNetworking' >> Sources/DemoProject/DemoProject.swift + echo 'import Dispatch' >> Sources/DemoProject/DemoProject.swift + echo 
'import Android' >> Sources/DemoProject/DemoProject.swift + - name: Test Demo Project on Android + uses: skiptools/swift-android-action@main + with: + # only test for the complete arch SDK build to speed up CI + #run-tests: ${{ matrix.arch == '' }} + package-path: ${{ runner.temp }}/DemoProject + installed-sdk: ${{ steps.info.outputs.sdk-id }} + installed-swift: ${{ steps.info.outputs.swift-root }} + + - name: Checkout swift-algorithms + uses: actions/checkout@v4 + with: + repository: apple/swift-algorithms + path: swift-algorithms + - name: Test swift-algorithms + uses: skiptools/swift-android-action@main + with: + package-path: swift-algorithms + installed-sdk: ${{ steps.info.outputs.sdk-id }} + installed-swift: ${{ steps.info.outputs.swift-root }} diff --git a/nightly-6.3/fedora/41/Dockerfile b/nightly-6.3/fedora/41/Dockerfile new file mode 100644 index 00000000..34db8ff8 --- /dev/null +++ b/nightly-6.3/fedora/41/Dockerfile 
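Review bot: The two `skiptools/swift-android-action@main` steps at the end of the `android-build` job run a third-party action from a mutable branch, so whatever lands on that branch executes inside this pull-request job next to the checked-out repository and the freshly built SDK. Pin both to a full commit SHA, for example `uses: skiptools/swift-android-action@<full-commit-sha>  # <release tag>` (placeholder; take the value from the action's release history). The `apple/swift-algorithms` checkout has no `ref:` either, so the test input moves with that repository's default branch; adding `ref: <tag-or-sha>` keeps a failure attributable to the SDK build. Separately, `sudo docker builder prune -a` lacks the `--force` that the `docker image prune` line above it has, and may stop at the confirmation prompt in the "Free Disk Space" and "Cleanup" steps.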
@@ -0,0 +1,70 @@
+FROM fedora:41
+LABEL maintainer="Swift Infrastructure "
+LABEL description="Docker Container for the Swift programming language"
+
+RUN yum -y install \
+ binutils \
+ gcc \
+ git \
+ zip \
+ unzip \
+ libcurl-devel \
+ libedit-devel \
+ libicu-devel \
+ sqlite-devel \
+ libuuid-devel \
+ libxml2-devel \
+ python3-devel \
+ libstdc++-devel \
+ libstdc++-static \
+ gnupg
+
+
+ARG SWIFT_SIGNING_KEY=E813C892820A6FA13755B268F167DF1ACF9CE069
+ARG SWIFT_PLATFORM=fedora41
+ARG SWIFT_VERSION=6.3
+ARG SWIFT_BRANCH=swift-${SWIFT_VERSION}-release
+ARG SWIFT_TAG=swift-${SWIFT_VERSION}-RELEASE
+ARG SWIFT_WEBROOT=https://download.swift.org/swift-6.3-branch
+ARG SWIFT_WEBROOT="$SWIFT_WEBROOT/$SWIFT_PLATFORM"
+ARG SWIFT_PREFIX=/opt/swift/${SWIFT_VERSION}
+
+ENV SWIFT_SIGNING_KEY=$SWIFT_SIGNING_KEY \
+ SWIFT_PLATFORM=$SWIFT_PLATFORM \
+ SWIFT_VERSION=$SWIFT_VERSION \
+ SWIFT_BRANCH=$SWIFT_BRANCH \
+ SWIFT_TAG=$SWIFT_TAG \
+ SWIFT_WEBROOT=$SWIFT_WEBROOT \
+ SWIFT_PREFIX=$SWIFT_PREFIX
+
+RUN set -e; \
+ ARCH_NAME="$(rpm --eval '%{_arch}')"; \
+ url=; \
+ case "${ARCH_NAME##*-}" in \
+ 'x86_64') \
+ OS_ARCH_SUFFIX=''; \
+ ;; \
+ 'aarch64') \
+ OS_ARCH_SUFFIX='-aarch64'; \
+ ;; \
+ *) echo >&2 "error: unsupported architecture: '$ARCH_NAME'"; exit 1 ;; \
+ esac; \
+ export $(curl -s ${SWIFT_WEBROOT}${OS_ARCH_SUFFIX}/latest-build.yml | grep 'download:' | sed 's/:[^:\/\/]/=/g') \
+ && export $(curl -s ${SWIFT_WEBROOT}${OS_ARCH_SUFFIX}/latest-build.yml | grep 'download_signature:' | sed 's/:[^:\/\/]/=/g') \
+ && export DOWNLOAD_DIR=$(echo $download | sed "s/-${SWIFT_PLATFORM}${OS_ARCH_SUFFIX}.tar.gz//g") \
+ && echo $DOWNLOAD_DIR > .swift_tag \
+ # - Download the GPG keys, Swift toolchain, and toolchain signature, and verify.
+ && export GNUPGHOME="$(mktemp -d)" \
+ && curl -fsSL ${SWIFT_WEBROOT}${OS_ARCH_SUFFIX}/${DOWNLOAD_DIR}/${download} -o latest_toolchain.tar.gz \
+ ${SWIFT_WEBROOT}${OS_ARCH_SUFFIX}/${DOWNLOAD_DIR}/${download} -o latest_toolchain.tar.gz.sig \
+ && curl -fSsL --compressed https://swift.org/keys/all-keys.asc | gpg --import - \
+ # - Unpack the toolchain, set libs permissions, and clean up.
+ && mkdir -p $SWIFT_PREFIX \
+ && tar -xzf latest_toolchain.tar.gz --directory $SWIFT_PREFIX --strip-components=1 \
+ && chmod -R o+r $SWIFT_PREFIX/usr/lib/swift \
+ && rm -rf "$GNUPGHOME" latest_toolchain.tar.gz.sig latest_toolchain.tar.gz
+
+ENV PATH="${SWIFT_PREFIX}/usr/bin:${PATH}"
+
+# Print Installed Swift Version
+RUN swift --version
\ No newline at end of file
diff --git a/nightly-6.3/fedora/41/buildx/Dockerfile b/nightly-6.3/fedora/41/buildx/Dockerfile
new file mode 100644
index 00000000..f8132ce8
--- /dev/null
+++ b/nightly-6.3/fedora/41/buildx/Dockerfile
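Review bot: The toolchain is unpacked without its signature ever being checked: the RUN step imports `all-keys.asc`, but no `gpg --verify` follows, even though the comment above the download says "and verify". The second URL in the `curl -fsSL` call also repeats `${download}`, so `latest_toolchain.tar.gz.sig` receives a second copy of the tarball instead of the file named by `download_signature`. Change that argument to `${SWIFT_WEBROOT}${OS_ARCH_SUFFIX}/${DOWNLOAD_DIR}/${download_signature} -o latest_toolchain.tar.gz.sig \` and add `&& gpg --batch --verify latest_toolchain.tar.gz.sig latest_toolchain.tar.gz \` before the `mkdir -p $SWIFT_PREFIX` line. `nightly-6.3/fedora/41/buildx/Dockerfile` in this commit carries the same RUN step and needs the same two changes. `SWIFT_SIGNING_KEY` is declared but never used; because `gpg --verify` accepts a good signature from any key in the imported keyring, consider whether the check should be tied to that fingerprint.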
@@ -0,0 +1,80 @@ +FROM fedora:41 AS base +LABEL maintainer="Swift Infrastructure " +LABEL description="Docker Container for the Swift programming language" + +RUN yum -y install \ + binutils \ + gcc \ + git \ + zip \ + unzip \ + libcurl-devel \ + libedit-devel \ + libicu-devel \ + sqlite-devel \ + libuuid-devel \ + libxml2-devel \ + python3-devel \ + libstdc++-devel \ + libstdc++-static \ + gnupg + + +ARG SWIFT_SIGNING_KEY=E813C892820A6FA13755B268F167DF1ACF9CE069 +ARG SWIFT_PLATFORM=fedora41 +ARG SWIFT_VERSION=6.3 +ARG SWIFT_BRANCH=swift-${SWIFT_VERSION}-release +ARG SWIFT_TAG=swift-${SWIFT_VERSION}-RELEASE +ARG SWIFT_WEBROOT=https://download.swift.org/swift-6.3-branch +ARG SWIFT_WEBROOT="$SWIFT_WEBROOT/$SWIFT_PLATFORM" +ARG SWIFT_PREFIX=/opt/swift/${SWIFT_VERSION} + +# This is a small trick to enable if/else for arm64 and amd64. +# Because of https://bugs.swift.org/browse/SR-14872 we need adjust tar options. +FROM base AS base-amd64 +ARG OS_ARCH_SUFFIX= + +FROM base AS base-arm64 +ARG OS_ARCH_SUFFIX=-aarch64 + +FROM base-$TARGETARCH AS final + +ENV SWIFT_SIGNING_KEY=$SWIFT_SIGNING_KEY \ + SWIFT_PLATFORM=$SWIFT_PLATFORM \ + SWIFT_VERSION=$SWIFT_VERSION \ + SWIFT_BRANCH=$SWIFT_BRANCH \ + SWIFT_TAG=$SWIFT_TAG \ + SWIFT_WEBROOT=$SWIFT_WEBROOT \ + SWIFT_PREFIX=$SWIFT_PREFIX + +RUN set -e; \ + ARCH_NAME="$(rpm --eval '%{_arch}')"; \ + url=; \ + case "${ARCH_NAME##*-}" in \ + 'x86_64') \ + OS_ARCH_SUFFIX=''; \ + ;; \ + 'aarch64') \ + OS_ARCH_SUFFIX='-aarch64'; \ + ;; \ + *) echo >&2 "error: unsupported architecture: '$ARCH_NAME'"; exit 1 ;; \ + esac; \ + export $(curl -s ${SWIFT_WEBROOT}${OS_ARCH_SUFFIX}/latest-build.yml | grep 'download:' | sed 's/:[^:\/\/]/=/g') \ + && export $(curl -s ${SWIFT_WEBROOT}${OS_ARCH_SUFFIX}/latest-build.yml | grep 'download_signature:' | sed 's/:[^:\/\/]/=/g') \ + && export DOWNLOAD_DIR=$(echo $download | sed "s/-${SWIFT_PLATFORM}${OS_ARCH_SUFFIX}.tar.gz//g") \ + && echo $DOWNLOAD_DIR > .swift_tag \ + # - Download the GPG keys, Swift 
toolchain, and toolchain signature, and verify. + && export GNUPGHOME="$(mktemp -d)" \ + && curl -fsSL ${SWIFT_WEBROOT}${OS_ARCH_SUFFIX}/${DOWNLOAD_DIR}/${download} -o latest_toolchain.tar.gz \ + ${SWIFT_WEBROOT}${OS_ARCH_SUFFIX}/${DOWNLOAD_DIR}/${download} -o latest_toolchain.tar.gz.sig \ + && curl -fSsL --compressed https://swift.org/keys/all-keys.asc | gpg --import - \ + # - Unpack the toolchain, set libs permissions, and clean up. + && mkdir -p $SWIFT_PREFIX \ + && tar -xzf latest_toolchain.tar.gz --directory $SWIFT_PREFIX --strip-components=1 \ + && chmod -R o+r $SWIFT_PREFIX/usr/lib/swift \ + && rm -rf "$GNUPGHOME" latest_toolchain.tar.gz.sig latest_toolchain.tar.gz + +ENV PATH="${SWIFT_PREFIX}/usr/bin:${PATH}" + +# Print Installed Swift Version +RUN swift --version \ No newline at end of file diff --git a/swift-ci/main/amazon-linux/2023/Verification/6.2/Dockerfile b/swift-ci/main/amazon-linux/2023/Verification/6.2/Dockerfile new file mode 100644 index 00000000..2e085787 --- /dev/null +++ b/swift-ci/main/amazon-linux/2023/Verification/6.2/Dockerfile 
@@ -0,0 +1,78 @@
+FROM amazonlinux:2023
+
+RUN yum install shadow-utils -y
+
+RUN groupadd -g 998 build-user && \
+ useradd -m -r -u 42 -g build-user build-user
+
+RUN yum -y group install "development tools"
+RUN yum -y install \
+ cmake \
+ ninja-build \
+ curl-devel \
+ gcc-c++ \
+ clang \
+ git \
+ libbsd-devel \
+ libedit-devel \
+ libicu-devel \
+ libuuid-devel \
+ libxml2-devel \
+ ncurses-devel \
+ pkgconfig \
+ procps-ng \
+ python3 \
+ python3-devel \
+ python3-distro \
+ python3-setuptools \
+ python-pip \
+ rsync \
+ sqlite-devel \
+ swig \
+ tzdata \
+ unzip \
+ zip \
+ lld \
+ diffutils \
+ which
+
+RUN mkdir -p /usr/local/lib/python3.7/site-packages/
+
+COPY swift-ci/dependencies/requirements.txt /dependencies/
+RUN pip3 install -r /dependencies/requirements.txt
+RUN pip3 install six
+
+ARG SWIFT_PLATFORM=amazon-linux2023
+ARG SWIFT_VERSION=6.2
+ARG SWIFT_WEBROOT=https://download.swift.org
+ARG SWIFT_PREFIX=/opt/swift/${SWIFT_VERSION}
+
+ENV SWIFT_PLATFORM=$SWIFT_PLATFORM \
+ SWIFT_VERSION=$SWIFT_VERSION \
+ SWIFT_WEBROOT=$SWIFT_WEBROOT \
+ SWIFT_PREFIX=$SWIFT_PREFIX
+
+RUN set -e; \
+ ARCH_NAME="$(rpm --eval '%{_arch}')"; \
+ url=; \
+ case "${ARCH_NAME##*-}" in \
+ 'x86_64') \
+ OS_ARCH_SUFFIX=''; \
+ ;; \
+ 'aarch64') \
+ OS_ARCH_SUFFIX='-aarch64'; \
+ ;; \
+ *) echo >&2 "error: unsupported architecture: '$ARCH_NAME'"; exit 1 ;; \
+ esac; \
+ SWIFT_BIN_URL="$SWIFT_WEBROOT/tmp-ci-nightly/development/swift-6.2-bootstrap/amazonlinux2023$OS_ARCH_SUFFIX/latest.tar.gz" \
+ && curl -fsSL "$SWIFT_BIN_URL" -o swift.tar.gz \
+ && mkdir -p $SWIFT_PREFIX \
+ && tar -xzf swift.tar.gz --directory $SWIFT_PREFIX \
+ && ls -la $SWIFT_PREFIX/usr/lib/ \
+ && chmod -R o+r $SWIFT_PREFIX/usr/lib/swift \
+ && rm -rf "$GNUPGHOME" swift.tar.gz
+
+ENV PATH="${SWIFT_PREFIX}/usr/bin:${PATH}"
+
+USER build-user
+WORKDIR /home/build-user
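Review bot: `latest.tar.gz` from `tmp-ci-nightly/development/swift-6.2-bootstrap/` is extracted into `$SWIFT_PREFIX` with no signature or checksum check, and `latest` is a moving target, so the compiler inside this verification image is whatever that path serves at build time. If the bootstrap job publishes a digest or detached signature (not visible from this diff), check it before `tar -xzf`, for example `&& echo "${SWIFT_BIN_SHA256}  swift.tar.gz" | sha256sum -c - \` with `SWIFT_BIN_SHA256` supplied as a build arg. `rm -rf "$GNUPGHOME"` refers to a variable this Dockerfile never sets and looks like a leftover from the signed-download variant; drop it from the cleanup line. `swift-ci/main/ubuntu/24.04/Verification/6.2/Dockerfile` in this commit has the same download step and the same leftover.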
diff --git a/swift-ci/main/ubuntu/24.04/Verification/6.2/Dockerfile b/swift-ci/main/ubuntu/24.04/Verification/6.2/Dockerfile new file mode 100644 index 00000000..d23df390 --- /dev/null +++ b/swift-ci/main/ubuntu/24.04/Verification/6.2/Dockerfile 
@@ -0,0 +1,78 @@ +# This docker image is used to verify the output of the 6.2 bootstrap artifacts by building +# swift on the main branch. They are not bootstrapping a branches source directly +FROM ubuntu:24.04 + +RUN groupadd -g 998 build-user && \ + useradd -m -r -u 998 -g build-user build-user + +ENV DEBIAN_FRONTEND="noninteractive" + +RUN apt-get -y update && apt-get -y install \ + build-essential \ + cmake \ + git \ + icu-devtools \ + libc++-18-dev \ + libc++abi-18-dev \ + libcurl4-openssl-dev \ + libedit-dev \ + libicu-dev \ + libncurses5-dev \ + libpython3-dev \ + libsqlite3-dev \ + libxml2-dev \ + ninja-build \ + pkg-config \ + python3-six \ + python3-pip \ + python3-pkg-resources \ + python3-psutil \ + python3-setuptools \ + rsync \ + swig \ + systemtap-sdt-dev \ + tzdata \ + uuid-dev \ + zip + +COPY swift-ci/dependencies/requirements.txt /dependencies/ +RUN pip3 install -r /dependencies/requirements.txt --break-system-packages + +ARG SWIFT_PLATFORM=ubuntu24.04 +ARG SWIFT_VERSION=6.2 +ARG SWIFT_WEBROOT=https://download.swift.org +ARG SWIFT_PREFIX=/opt/swift/${SWIFT_VERSION} + +ENV SWIFT_PLATFORM=$SWIFT_PLATFORM \ + SWIFT_VERSION=$SWIFT_VERSION \ + SWIFT_WEBROOT=$SWIFT_WEBROOT \ + SWIFT_PREFIX=$SWIFT_PREFIX + +RUN set -e; \ + ARCH_NAME="$(dpkg --print-architecture)"; \ + url=; \ + case "${ARCH_NAME##*-}" in \ + 'amd64') \ + OS_ARCH_SUFFIX=''; \ + ;; \ + 'arm64') \ + OS_ARCH_SUFFIX='-aarch64'; \ + ;; \ + *) echo >&2 "error: unsupported architecture: '$ARCH_NAME'"; exit 1 ;; \ + esac; \ + SWIFT_BIN_URL="$SWIFT_WEBROOT/tmp-ci-nightly/development/swift-6.2-bootstrap/ubuntu2404$OS_ARCH_SUFFIX/latest.tar.gz" \ + && export DEBIAN_FRONTEND=noninteractive \ + && apt-get -q update && apt-get -q install -y curl && rm -rf /var/lib/apt/lists/* \ + && curl -fsSL "$SWIFT_BIN_URL" -o swift.tar.gz \ + && mkdir -p $SWIFT_PREFIX \ + && tar -xzf swift.tar.gz --directory $SWIFT_PREFIX \ + && ls -la $SWIFT_PREFIX/usr/lib/ \ + && chmod -R o+r $SWIFT_PREFIX/usr/lib/swift \ + && 
rm -rf "$GNUPGHOME" swift.tar.gz \ + && apt-get purge --auto-remove -y curl + +ENV PATH="${SWIFT_PREFIX}/usr/bin:${PATH}" + +USER build-user + +WORKDIR /home/build-user diff --git a/swift-ci/sdks/android/build-docker b/swift-ci/sdks/android/build-docker index 3b88952c..ba177336 100755 --- a/swift-ci/sdks/android/build-docker +++ b/swift-ci/sdks/android/build-docker @@ -17,8 +17,8 @@ # default architectures to build for TARGET_ARCHS=${TARGET_ARCHS:-aarch64,x86_64,armv7} -ANDROID_NDK_VERSION=android-ndk-r27d -ANDROID_API=28 +ANDROID_NDK_VERSION=android-ndk-r28c +ANDROID_API=24 BASEPATH=$(dirname $(realpath $0)) cd ${BASEPATH} diff --git a/swift-ci/sdks/android/build-local b/swift-ci/sdks/android/build-local index b5f078c5..3e84ff7d 100755 --- a/swift-ci/sdks/android/build-local +++ b/swift-ci/sdks/android/build-local @@ -17,8 +17,8 @@ # default architectures to build for TARGET_ARCHS=${TARGET_ARCHS:-aarch64,x86_64,armv7} -ANDROID_NDK_VERSION=android-ndk-r27d -ANDROID_API=28 +ANDROID_NDK_VERSION=android-ndk-r28c +ANDROID_API=24 BASEPATH=$(dirname $(realpath $0)) cd ${BASEPATH} diff --git a/swift-ci/sdks/android/scripts/build.sh b/swift-ci/sdks/android/scripts/build.sh index 4b0e0159..5d9e796d 100755 --- a/swift-ci/sdks/android/scripts/build.sh +++ b/swift-ci/sdks/android/scripts/build.sh @@ -410,6 +410,7 @@ for arch in $archs; do -DCURL_USE_OPENSSL=ON \ -DCURL_USE_LIBSSH2=OFF \ -DCURL_USE_LIBPSL=OFF \ + -DENABLE_WEBSOCKETS=ON \ -DTHREADS_PREFER_PTHREAD_FLAG=OFF \ -DCMAKE_THREAD_PREFER_PTHREAD=OFF \ -DCMAKE_THREADS_PREFER_PTHREAD_FLAG=OFF \ @@ -483,7 +484,7 @@ for arch in $archs; do ${build_cmark} \ ${local_build} \ --host-test \ - --skip-test-linux \ + --skip-test-linux --skip-clean-libdispatch --skip-clean-foundation --skip-clean-xctest --skip-clean-testing \ --skip-test-xctest --skip-test-foundation \ --build-swift-static-stdlib \ --swift-install-components='compiler;clang-resource-dir-symlink;license;stdlib;sdk-overlay' \ 
diff --git a/swift-ci/sdks/static-linux/resources/patches/musl/0001-iconv-fix-erroneous-input-validation-in-EUC-KR-decod.patch b/swift-ci/sdks/static-linux/resources/patches/musl/0001-iconv-fix-erroneous-input-validation-in-EUC-KR-decod.patch
new file mode 100644
index 00000000..e62d28d4
--- /dev/null
+++ b/swift-ci/sdks/static-linux/resources/patches/musl/0001-iconv-fix-erroneous-input-validation-in-EUC-KR-decod.patch
@@ -0,0 +1,38 @@
+>From e5adcd97b5196e29991b524237381a0202a60659 Mon Sep 17 00:00:00 2001
+From: Rich Felker
+Date: Sun, 9 Feb 2025 10:07:19 -0500
+Subject: [PATCH] iconv: fix erroneous input validation in EUC-KR decoder
+
+as a result of incorrect bounds checking on the lead byte being
+decoded, certain invalid inputs which should produce an encoding
+error, such as "\xc8\x41", instead produced out-of-bounds loads from
+the ksc table.
+
+in a worst case, the loaded value may not be a valid unicode scalar
+value, in which case, if the output encoding was UTF-8, wctomb would
+return (size_t)-1, causing an overflow in the output pointer and
+remaining buffer size which could clobber memory outside of the output
+buffer.
+
+bug report was submitted in private by Nick Wellnhofer on account of
+potential security implications.
+---
+ src/locale/iconv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/locale/iconv.c b/src/locale/iconv.c
+index 9605c8e9..008c93f0 100644
+--- a/src/locale/iconv.c
++++ b/src/locale/iconv.c
+@@ -502,7 +502,7 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
+ if (c >= 93 || d >= 94) {
+ c += (0xa1-0x81);
+ d += 0xa1;
+- if (c >= 93 || c>=0xc6-0x81 && d>0x52)
++ if (c > 0xc6-0x81 || c==0xc6-0x81 && d>0x52)
+ goto ilseq;
+ if (d-'A'<26) d = d-'A';
+ else if (d-'a'<26) d = d-'a'+26;
+--
+2.21.0
+
diff --git a/swift-ci/sdks/static-linux/resources/patches/musl/0002-iconv-harden-UTF-8-output-code-path-against-input-de.patch b/swift-ci/sdks/static-linux/resources/patches/musl/0002-iconv-harden-UTF-8-output-code-path-against-input-de.patch
new file mode 100644
index 00000000..9b64508c
--- /dev/null
+++ b/swift-ci/sdks/static-linux/resources/patches/musl/0002-iconv-harden-UTF-8-output-code-path-against-input-de.patch
@@ -0,0 +1,38 @@
+>From c47ad25ea3b484e10326f933e927c0bc8cded3da Mon Sep 17 00:00:00 2001
+From: Rich Felker
+Date: Wed, 12 Feb 2025 17:06:30 -0500
+Subject: [PATCH] iconv: harden UTF-8 output code path against input decoder
+ bugs
+
+the UTF-8 output code was written assuming an invariant that iconv's
+decoders only emit valid Unicode Scalar Values which wctomb can encode
+successfully, thereby always returning a value between 1 and 4.
+
+if this invariant is not satisfied, wctomb returns (size_t)-1, and the
+subsequent adjustments to the output buffer pointer and remaining
+output byte count overflow, moving the output position backwards,
+potentially past the beginning of the buffer, without storing any
+bytes.
+---
+ src/locale/iconv.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/locale/iconv.c b/src/locale/iconv.c
+index 008c93f0..52178950 100644
+--- a/src/locale/iconv.c
++++ b/src/locale/iconv.c
+@@ -545,6 +545,10 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
+ if (*outb < k) goto toobig;
+ memcpy(*out, tmp, k);
+ } else k = wctomb_utf8(*out, c);
++ /* This failure condition should be unreachable, but
++ * is included to prevent decoder bugs from translating
++ * into advancement outside the output buffer range. */
++ if (k>4) goto ilseq;
+ *out += k;
+ *outb -= k;
+ break;
+--
+2.21.0
+
+
diff --git a/swift-ci/sdks/static-linux/scripts/build.sh b/swift-ci/sdks/static-linux/scripts/build.sh
index 22c3a966..1ce2f3d7 100755
--- a/swift-ci/sdks/static-linux/scripts/build.sh
+++ b/swift-ci/sdks/static-linux/scripts/build.sh @@ -97,7 +97,7 @@ function declare_package } declare_package static_linux_sdk \ - "Swift statically linked SDK for Linux" \ + "Swift Static SDK for Linux" \ "Apache-2.0" "https://swift.org/install/sdk" declare_package swift "swift" "Apache-2.0" "https://swift.org" declare_package musl "musl" "MIT" "https://musl.org" @@ -109,9 +109,13 @@ declare_package curl "curl" "MIT" "https://curl.se" declare_package boringssl "boringssl" "OpenSSL AND ISC AND MIT" \ "https://boringssl.googlesource.com/boringssl/" declare_package zlib "zlib" "Zlib" "https://zlib.net" +declare_package bzip2 "bzip2" "bzip2-1.0.6" "https://sourceware.org/bzip2/" +declare_package xz "XZ Utils" "0BSD" "https://tukaani.org/xz" +declare_package libarchive "libarchive" "BSD-2-Clause" "https://www.libarchive.org" +declare_package mimalloc "mimalloc" "MIT" "https://microsoft.github.io/mimalloc/" # Parse command line arguments -static_linux_sdk_version=0.0.1 +static_linux_sdk_version=0.1.0 sdk_name= archs=x86_64,aarch64 build_type=RelWithDebInfo @@ -233,6 +237,15 @@ boringssl_version=$(describe ${source_dir}/boringssl) zlib_version=$(versionFromTag ${source_dir}/zlib) +bzip2_desc=$(describe ${source_dir}/bzip2) +bzip2_version=${bzip2_desc#bzip2-} + +libarchive_version=$(versionFromTag ${source_dir}/libarchive) + +mimalloc_version=$(versionFromTag ${source_dir}/mimalloc) + +xz_version=$(versionFromTag ${source_dir}/xz) + function quiet_pushd { pushd "$1" >/dev/null 2>&1 } @@ -258,6 +271,10 @@ echo " - libxml2 ${libxml2_version}" echo " - curl ${curl_version}" echo " - BoringSSL ${boringssl_version}" echo " - zlib ${zlib_version}" +echo " - bzip2 ${bzip2_version}" +echo " - xz ${xz_version}" +echo " - libarchive ${libarchive_version}" +echo " - mimalloc ${mimalloc_version}" function run() { echo "$@" 
@@ -297,6 +314,19 @@ else exit 1 fi +echo "Applying Musl security patches... " +for patch in $(realpath "${resource_dir}/patches/musl")/*; do + echo -n " $(basename $patch)..." + if git -C ${source_dir}/musl apply --reverse --check "$patch" >/dev/null 2>&1; then + echo "already patched" + elif git -C ${source_dir}/musl apply "$patch" >/dev/null 2>&1; then + echo "done" + else + echo "failed" + exit 1 + fi +done + # ----------------------------------------------------------------------- header "Patching BoringSSL" @@ -367,7 +397,7 @@ for arch in $archs; do cat > $sdk_root/SDKSettings.json < info.json <|--swift-tag |--swift-version ] - [--musl-version ] [--libxml2-version ] - [--curl-version ] [--boringssl-version ] + [--bzip2-version ] + [--curl-version ] + [--libarchive-version ] + [--libxml2-version ] + [--mimalloc-version ] + [--musl-version ] + [--xz-version ] [--zlib-version ] [--clone-with-ssh] [--source-dir ] @@ -72,10 +77,14 @@ SDK for Swift. Options are: If starts with "scheme:" or "tag:", it will select a scheme or tag; otherwise it will be treated as a version number. - --musl-version - --libxml2-version - --curl-version --boringssl-version + --bzip2-version + --curl-version + --libarchive-version + --libxml2-version + --mimalloc-version + --musl-version + --xz-version --zlib-version Select the versions of other dependencies. EOF 
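Review bot: In the new "Applying Musl security patches" loop both `git apply` calls send stderr to `/dev/null`, so a patch that stops applying (for instance after a `MUSL_VERSION` bump) prints only `failed` with no reason; keeping stderr on the real apply, `elif git -C "${source_dir}/musl" apply "$patch" >/dev/null; then`, would show which hunk was rejected. The loop also word-splits the `$(realpath …)/*` expansion and passes `$patch` and `${source_dir}/musl` unquoted, which breaks when either path contains spaces; `for patch in "$(realpath "${resource_dir}/patches/musl")"/*; do` with `"$(basename "$patch")"` avoids that. The `exit 1` on failure is the right default for security patches and should stay.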
@@ -89,17 +98,29 @@ if [[ -z "${MUSL_VERSION}" ]]; then MUSL_VERSION=1.2.5 fi if [[ -z "${LIBXML2_VERSION}" ]]; then - LIBXML2_VERSION=2.12.7 + LIBXML2_VERSION=2.14.5 fi if [[ -z "${CURL_VERSION}" ]]; then - CURL_VERSION=8.7.1 + CURL_VERSION=8.15.0 fi if [[ -z "${BORINGSSL_VERSION}" ]]; then - BORINGSSL_VERSION=fips-20220613 + BORINGSSL_VERSION=817ab07ebb53da35afea409ab9328f578492832d fi if [[ -z "${ZLIB_VERSION}" ]]; then ZLIB_VERSION=1.3.1 fi +if [[ -z "${BZIP2_VERSION}" ]]; then + BZIP2_VERSION=1.0.8 +fi +if [[ -z "${LIBARCHIVE_VERSION}" ]]; then + LIBARCHIVE_VERSION=3.8.1 +fi +if [[ -z "${MIMALLOC_VERSION}" ]]; then + MIMALLOC_VERSION=2.2.4 +fi +if [[ -z "${XZ_VERSION}" ]]; then + XZ_VERSION=5.8.1 +fi clone_with_ssh=false while [ "$#" -gt 0 ]; do @@ -120,6 +141,14 @@ while [ "$#" -gt 0 ]; do BORINGSSL_VERSION="$2"; shift ;; --zlib-version) ZLIB_VERSION="$2"; shift ;; + --bzip2-version) + BZIP2_VERSION="$2"; shift ;; + --libarchive-version) + LIBARCHIVE_VERSION="$2"; shift ;; + --mimalloc-version) + MIMALLOC_VERSION="$2"; shift ;; + --xz-version) + XZ_VERSION="$2"; shift ;; --clone-with-ssh) clone_with_ssh=true ;; --source-dir) 
@@ -208,3 +237,35 @@ header "Fetching zlib" pushd zlib >/dev/null 2>&1 git checkout v${ZLIB_VERSION} popd >/dev/null 2>&1 + +# Fetch bzip2 +header "Fetching bzip2" + +[[ -d bzip2 ]] | git clone git://sourceware.org/git/bzip2.git +pushd bzip2 >/dev/null 2>&1 +git checkout bzip2-${BZIP2_VERSION} +popd >/dev/null 2>&1 + +# Fetch libarchive +header "Fetching libarchive" + +[[ -d libarchive ]] | git clone ${github}libarchive/libarchive.git +pushd libarchive >/dev/null 2>&1 +git checkout v${LIBARCHIVE_VERSION} +popd >/dev/null 2>&1 + +# Fetch mimalloc +header "Fetching mimalloc" + +[[ -d mimalloc ]] | git clone ${github}microsoft/mimalloc.git +pushd mimalloc >/dev/null 2>&1 +git checkout v${MIMALLOC_VERSION} +popd + +# Fetch xz-utils +header "Fetching xz" + +[[ -d xz ]] | git clone ${github}tukaani-project/xz.git +pushd xz >/dev/null 2>&1 +git checkout v${XZ_VERSION} +popd
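Review bot: The bzip2 clone uses `git://sourceware.org/git/bzip2.git`; the `git://` transport is neither encrypted nor authenticated, and the following `git checkout bzip2-${BZIP2_VERSION}` only resolves a tag name, so anything on the network path can substitute the source that is linked into the SDK. Use the HTTPS endpoint instead, `git clone https://sourceware.org/git/bzip2.git`. As shown, all four new fetch lines read `[[ -d NAME ]] | git clone …` with a single `|`, which pipes the test into `git clone` rather than skipping the clone when the directory already exists; unless that is an artefact of how this diff was rendered, it should be `||`. This commit pins BoringSSL to a commit hash, and doing the same for bzip2, libarchive, mimalloc and xz would remove the reliance on movable tags.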