19 changes: 19 additions & 0 deletions .github/workflows/flatpak.yml
Expand Up @@ -90,6 +90,25 @@ jobs:
run: |
flatpak-builder --force-clean --repo=flatpak-repo build-dir flatpak/org.dash.DashEvoTool.yml


- name: Verify Flatpak binary dependencies
run: |
BINARY="build-dir/files/bin/dash-evo-tool"
if [ ! -f "$BINARY" ]; then
echo "::error::Binary not found at $BINARY"
exit 1
fi
echo "Checking shared library dependencies..."
DEPS=$(ldd "$BINARY" 2>&1 || true)
echo "$DEPS"
# Fail on missing libraries (not found = will crash at runtime)
if echo "$DEPS" | grep -q "not found"; then
echo "::error::Binary has missing shared library dependencies"
echo "$DEPS" | grep "not found"
exit 1
fi
Comment thread
lklimek marked this conversation as resolved.
echo "✅ Flatpak binary dependencies look clean"

- name: Create Flatpak bundle
run: |
flatpak build-bundle flatpak-repo dash-evo-tool-linux-${{ matrix.arch }}.flatpak org.dash.DashEvoTool
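Review bot: `ldd "$BINARY"` runs on the runner host, so it resolves libraries against the host's loader paths rather than the Flatpak runtime and `/app/lib`; a library the runtime provides can be reported `not found`, and one present only on the host can pass. Running the check inside the build sandbox would test the environment users actually get, for example `flatpak-builder --run build-dir flatpak/org.dash.DashEvoTool.yml ldd /app/bin/dash-evo-tool` (assuming the SDK ships `ldd`). Separately, `2>&1 || true` hides an `ldd` failure: if it exits with an error, no `not found` text appears and the step still prints the success line, so it would be safer to check the exit status or require at least one `=>` line in `$DEPS`.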
62 changes: 62 additions & 0 deletions .github/workflows/release.yml
Expand Up @@ -121,6 +121,26 @@ jobs:
done
echo "✅ Binary is self-contained — no MinGW runtime or null DLL dependencies"

- name: Verify Linux binary dependencies
if: ${{ contains(matrix.target, 'linux') }}
run: |
echo "Checking shared library dependencies..."
DEPS=$(ldd dash-evo-tool/dash-evo-tool)
Comment thread
lklimek marked this conversation as resolved.
echo "$DEPS"
# Allowlist: only standard system libraries should appear
UNEXPECTED=$(echo "$DEPS" | grep "=>" | grep -v "not found" | awk '{print $1}' | grep -Ev "^(linux-vdso|libm|libc|libdl|librt|libpthread|libgcc_s|libstdc\+\+|ld-linux|libz|libssl|libcrypto)\.so" || true)
if [ -n "$UNEXPECTED" ]; then
echo "::warning::Unexpected shared dependencies found:"
echo "$UNEXPECTED"
fi
# Fail on missing libraries
if echo "$DEPS" | grep -q "not found"; then
echo "::error::Binary has missing shared library dependencies"
echo "$DEPS" | grep "not found"
exit 1
fi
echo "✅ Linux binary dependencies look clean"

- name: Package release
run: |
zip -r dash-evo-tool-${{ matrix.platform }}.zip dash-evo-tool/
Expand Down Expand Up @@ -252,6 +272,27 @@ jobs:
</plist>
EOF


- name: Verify macOS binary dependencies
run: |
echo "Checking dynamic library dependencies..."
DEPS=$(otool -L build/dash-evo-tool)
echo "$DEPS"
# Only system libraries (/usr/lib/) and frameworks (/System/Library/) are allowed
UNEXPECTED=$(echo "$DEPS" | tail -n +2 | awk '{print $1}' | grep -Ev "^(/usr/lib/|/System/Library/|@rpath/)" || true)
if [ -n "$UNEXPECTED" ]; then
echo "::error::Binary links non-system libraries:"
echo "$UNEXPECTED"
exit 1
fi
# Warn on @rpath dependencies (acceptable for frameworks but worth noting)
RPATH=$(echo "$DEPS" | tail -n +2 | awk '{print $1}' | grep "^@rpath/" || true)
if [ -n "$RPATH" ]; then
echo "::warning::Binary has @rpath dependencies (verify these are bundled):"
echo "$RPATH"
fi
echo "✅ macOS binary dependencies look clean"

- name: Import signing certificates
uses: Apple-Actions/import-codesign-certs@v3
with:
Expand Down Expand Up @@ -520,6 +561,27 @@ jobs:
</plist>
EOF


- name: Verify macOS binary dependencies
run: |
echo "Checking dynamic library dependencies..."
DEPS=$(otool -L build/dash-evo-tool)
echo "$DEPS"
# Only system libraries (/usr/lib/) and frameworks (/System/Library/) are allowed
UNEXPECTED=$(echo "$DEPS" | tail -n +2 | awk '{print $1}' | grep -Ev "^(/usr/lib/|/System/Library/|@rpath/)" || true)
if [ -n "$UNEXPECTED" ]; then
echo "::error::Binary links non-system libraries:"
echo "$UNEXPECTED"
exit 1
fi
# Warn on @rpath dependencies (acceptable for frameworks but worth noting)
RPATH=$(echo "$DEPS" | tail -n +2 | awk '{print $1}' | grep "^@rpath/" || true)
if [ -n "$RPATH" ]; then
echo "::warning::Binary has @rpath dependencies (verify these are bundled):"
echo "$RPATH"
fi
echo "✅ macOS binary dependencies look clean"

- name: Import signing certificates
uses: Apple-Actions/import-codesign-certs@v3
with:
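Review bot: In the Linux step the allowlist result only emits `::warning::`, while the `not found` test that does fail the job is unlikely to trigger, since `ldd` resolves against the same runner the binary was just linked on. An unexpected library that exists on the runner but not on a user's system would therefore still be packaged; consider `echo "::error::Unexpected shared dependencies found:"` followed by `exit 1` in the `UNEXPECTED` branch, as the macOS steps already do. In both macOS steps the comment says only `/usr/lib/` and `/System/Library/` are allowed, but the pattern also accepts `@rpath/`. Either update the comment or note that `@rpath` entries are resolved through the binary's LC_RPATH search paths, which this step does not inspect.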