ci: add binary dependency verification for Linux, macOS, and Flatpak

lklimek · claude · lklimek · commit 1bad4879ab76 · 2026-03-18T18:06:50.000+01:00
Add post-build sanity checks to catch missing or unexpected shared library dependencies before release artifacts are published: - Linux: ldd check with allowlist, fail on "not found" - macOS (ARM64 + x86): otool -L check, fail on non-system libs - Flatpak: ldd check inside build-dir, fail on "not found" Complements the Windows PE verification from #769. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/.github/workflows/flatpak.yml b/.github/workflows/flatpak.yml
@@ -90,6 +90,25 @@ jobs:
         run: |
           flatpak-builder --force-clean --repo=flatpak-repo build-dir flatpak/org.dash.DashEvoTool.yml
 
+
+      - name: Verify Flatpak binary dependencies
+        run: |
+          BINARY="build-dir/files/bin/dash-evo-tool"
+          if [ ! -f "$BINARY" ]; then
+            echo "::error::Binary not found at $BINARY"
+            exit 1
+          fi
+          echo "Checking shared library dependencies..."
+          DEPS=$(ldd "$BINARY" 2>&1 || true)
+          echo "$DEPS"
+          # Fail on missing libraries (not found = will crash at runtime)
+          if echo "$DEPS" | grep -q "not found"; then
+            echo "::error::Binary has missing shared library dependencies"
+            echo "$DEPS" | grep "not found"
+            exit 1
+          fi
+          echo "✅ Flatpak binary dependencies look clean"
+
       - name: Create Flatpak bundle
         run: |
           flatpak build-bundle flatpak-repo dash-evo-tool-linux-${{ matrix.arch }}.flatpak org.dash.DashEvoTool
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -121,6 +121,26 @@ jobs:
           done
           echo "✅ Binary is self-contained — no MinGW runtime or null DLL dependencies"
 
+      - name: Verify Linux binary dependencies
+        if: ${{ contains(matrix.target, 'linux') }}
+        run: |
+          echo "Checking shared library dependencies..."
+          DEPS=$(ldd dash-evo-tool/dash-evo-tool)
+          echo "$DEPS"
+          # Allowlist: only standard system libraries should appear
+          UNEXPECTED=$(echo "$DEPS" | grep "=>" | grep -v "not found" | awk '{print $1}' | grep -Ev "^(linux-vdso|libm|libc|libdl|librt|libpthread|libgcc_s|libstdc\+\+|ld-linux|libz|libssl|libcrypto)\.so")
+          if [ -n "$UNEXPECTED" ]; then
+            echo "::warning::Unexpected shared dependencies found:"
+            echo "$UNEXPECTED"
+          fi
+          # Fail on missing libraries
+          if echo "$DEPS" | grep -q "not found"; then
+            echo "::error::Binary has missing shared library dependencies"
+            echo "$DEPS" | grep "not found"
+            exit 1
+          fi
+          echo "✅ Linux binary dependencies look clean"
+
       - name: Package release
         run: |
           zip -r dash-evo-tool-${{ matrix.platform }}.zip dash-evo-tool/
@@ -252,6 +272,27 @@ jobs:
           </plist>
           EOF
 
+
+      - name: Verify macOS binary dependencies
+        run: |
+          echo "Checking dynamic library dependencies..."
+          DEPS=$(otool -L build/dash-evo-tool)
+          echo "$DEPS"
+          # Only system libraries (/usr/lib/) and frameworks (/System/Library/) are allowed
+          UNEXPECTED=$(echo "$DEPS" | tail -n +2 | awk '{print $1}' | grep -Ev "^(/usr/lib/|/System/Library/|@rpath/)")
+          if [ -n "$UNEXPECTED" ]; then
+            echo "::error::Binary links non-system libraries:"
+            echo "$UNEXPECTED"
+            exit 1
+          fi
+          # Warn on @rpath dependencies (acceptable for frameworks but worth noting)
+          RPATH=$(echo "$DEPS" | tail -n +2 | awk '{print $1}' | grep "^@rpath/")
+          if [ -n "$RPATH" ]; then
+            echo "::warning::Binary has @rpath dependencies (verify these are bundled):"
+            echo "$RPATH"
+          fi
+          echo "✅ macOS binary dependencies look clean"
+
       - name: Import signing certificates
         uses: Apple-Actions/import-codesign-certs@v3
         with:
@@ -520,6 +561,27 @@ jobs:
           </plist>
           EOF
 
+
+      - name: Verify macOS binary dependencies
+        run: |
+          echo "Checking dynamic library dependencies..."
+          DEPS=$(otool -L build/dash-evo-tool)
+          echo "$DEPS"
+          # Only system libraries (/usr/lib/) and frameworks (/System/Library/) are allowed
+          UNEXPECTED=$(echo "$DEPS" | tail -n +2 | awk '{print $1}' | grep -Ev "^(/usr/lib/|/System/Library/|@rpath/)")
+          if [ -n "$UNEXPECTED" ]; then
+            echo "::error::Binary links non-system libraries:"
+            echo "$UNEXPECTED"
+            exit 1
+          fi
+          # Warn on @rpath dependencies (acceptable for frameworks but worth noting)
+          RPATH=$(echo "$DEPS" | tail -n +2 | awk '{print $1}' | grep "^@rpath/")
+          if [ -n "$RPATH" ]; then
+            echo "::warning::Binary has @rpath dependencies (verify these are bundled):"
+            echo "$RPATH"
+          fi
+          echo "✅ macOS binary dependencies look clean"
+
       - name: Import signing certificates
         uses: Apple-Actions/import-codesign-certs@v3
         with:
