[CI] Add new workflow for hardening check (#17938)

KornevNikita · web-flow · commit fc114b0c6cee · 2025-04-11T09:42:50.000+01:00
We need to perform the hardening check of our binaries (executables and
dynamic libs). This patch adds a workflow to perform these checks on
linux and windows.
diff --git a/.github/workflows/sycl-hardening-check.yml b/.github/workflows/sycl-hardening-check.yml
@@ -0,0 +1,90 @@
+name: SYCL hardening check
+
+permissions: read-all
+
+on:
+  workflow_call:
+    inputs:
+      sycl_linux_artifact:
+        type: string
+      sycl_linux_archive:
+        type: string
+      sycl_linux_decompress_command:
+        type: string
+
+      sycl_windows_artifact:
+        type: string
+      sycl_windows_archive:
+        type: string
+
+jobs:
+  hardening_check:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Install hardening-check
+      run: |
+        sudo apt update
+        sudo apt install -y devscripts
+
+    - name: Download SYCL toolchain
+      uses: actions/download-artifact@v4
+      with:
+        name: ${{ inputs.sycl_linux_artifact }}
+
+    - name: Extract SYCL toolchain
+      run: |
+        mkdir toolchain
+        tar -I '${{ inputs.sycl_linux_decompress_command }}' -xf ${{ inputs.sycl_linux_archive }} -C toolchain
+
+    - name: Perform checks
+      run: |
+        for file in ./toolchain/bin/*; do
+            hardening-check "$file" | tee -a "./hardening-check.txt"
+        done
+
+        for file in $(find ./toolchain/lib/ -type f -name "*.so*"); do
+            hardening-check "$file" | tee -a "./hardening-check.txt"
+        done
+
+    - uses: actions/upload-artifact@v4
+      with:
+        name: hardening-check
+        path: hardening-check.txt
+
+  winchecksec:
+    runs-on: windows-latest
+
+    steps:
+    - name: Install winchecksec
+      run: |
+        curl -LO https://github.com/trailofbits/winchecksec/releases/download/v3.1.0/windows.x64.Release.zip
+        mkdir winchecksec
+        unzip "windows.x64.Release.zip" -d winchecksec
+
+    - name: Download SYCL toolchain
+      uses: actions/download-artifact@v4
+      with:
+        name: ${{ inputs.sycl_windows_artifact }}
+
+    - name: Extract SYCL toolchain
+      shell: bash
+      run: |
+        mkdir toolchain
+        tar -xf ${{ inputs.sycl_windows_archive }} -C toolchain
+
+    - name: Download and check Windows artifacts
+      shell: bash
+      run: |
+        for file in $(find ./toolchain/bin/ -type f -name "*.exe"); do
+            ./winchecksec/build/Release/winchecksec.exe "$file" | tee -a "./winchecksec.txt"
+        done
+
+        for file in $(find ./toolchain/bin/ -type f -name "*.dll"); do
+            ./winchecksec/build/Release/winchecksec.exe "$file" | tee -a "./winchecksec.txt"
+        done
+
+    - uses: actions/upload-artifact@v4
+      with:
+        name: winchecksec
+        path: winchecksec.txt
diff --git a/.github/workflows/sycl-rel-nightly.yml b/.github/workflows/sycl-rel-nightly.yml
@@ -47,6 +47,7 @@ jobs:
       build_configure_extra_args: '--disable-jit --no-assertions --add_security_flags=sanitize --hip --cuda'
       build_image: ghcr.io/intel/llvm/ubuntu2204_build:latest
       build_ref: ${{ inputs.testing_branch || 'sycl-rel-6_1_0'  }}
+      pack_release: 'true'
 
       # We upload the build for people to download/use, override its name and
       # prefer widespread gzip compression.
@@ -106,6 +107,7 @@ jobs:
     with:
       ref: ${{ inputs.testing_branch || 'sycl-rel-6_1_0'  }}
       build_configure_extra_args: '--disable-jit --no-assertions --add_security_flags=sanitize'
+      pack_release: 'true'
 
       # We upload both Linux/Windows build via Github's "Releases"
       # functionality, make sure Linux/Windows names follow the same pattern.
@@ -220,3 +222,19 @@ jobs:
       sycl_toolchain_archive: ${{ needs.ubuntu2204_build.outputs.artifact_archive_name }}
       sycl_toolchain_decompress_command: ${{ needs.ubuntu2204_build.outputs.artifact_decompress_command }}
       sycl_cts_artifact: sycl_cts_bin_linux
+
+  hardening-check:
+    needs: [ubuntu2204_build, build-win]
+    if: |
+      always()
+      && !cancelled()
+      && needs.ubuntu2204_build.outputs.build_conclusion == 'success'
+      && needs.build-win.outputs.build_conclusion == 'success'
+    uses: ./.github/workflows/hardening-check.yml
+    with:
+      sycl_linux_artifact: sycl_linux_release
+      sycl_linux_archive: ${{ needs.ubuntu2204_build.outputs.artifact_archive_name }}
+      sycl_linux_decompress_command: ${{ needs.ubuntu2204_build.outputs.artifact_decompress_command }}
+
+      sycl_windows_artifact: sycl_windows_release
+      sycl_windows_archive: ${{ needs.build-win.outputs.artifact_archive_name }}
