ci: Add Windows, macOS, Linux, iOS, and Android

And improve the FreeBSD and QNX jobs to also upload artifacts.

.cirrus.yml

@@ -3,16 +3,14 @@ task:
   freebsd_instance:
     image_family: freebsd-13-1
   environment:
-    GITHUB_TOKEN: ENCRYPTED[affc51741bf633ccffe369e8c58c0896cff87afb4a640351ca8df9c64b9dc7d8a386bb65c5cf39132bb57f823184b258]
     S3_ACCESS_KEY: ENCRYPTED[2f368bef589e43779394e459191eaad2fc4cc50dc36c6f03168a1e8e43897476e8bf596fd4dd0d988bcbab8fa8e171f8]
     S3_SECRET_KEY: ENCRYPTED[45f352473433a1053622a662ce8d57bc7421bce5772c9c5caf4a0e54f63944bd420f71101e014876e038f0c66c134ac2]
     CF_EMAIL: ENCRYPTED[a9f0dcd0ee83fa111c36f092f34b3d5660acafe0d07804d6b6a89bfa70a127ef8305f21089408959c51e23ecd2fd3622]
     CF_TOKEN: ENCRYPTED[4f9f3f7c8603fd32978b825d65f34b06fce8e51bedb4303744c799d21fc38266173a6be5a7a46b5e616573d27c9f6e91]
-    TWINE_USERNAME: ENCRYPTED[216cb54746e1fa5d4cbf85736dc1830d4b3a0eaa99cf13fc5cf9e3b09feed5db23d44ab1e26b7023c72eeec7ca5749f6]
-    TWINE_PASSWORD: ENCRYPTED[df19e51426faf8b60a18e42c96541431438335612c18506c319cd775ffba984d9cf89b0faaedbde8d4eff94d4b94066c]
-    NPM_TOKEN: ENCRYPTED[e47a7de1c1fb59ab9c9fa09e7b0593b272441d28a70d06b6a0bedf13a969fdae8014af17982b3144214333181f70c22b]
     PYTHON: /usr/local/bin/python3.9
     PYTHON3: /usr/local/bin/python3.9
+    NODE_TARGETS_FREEBSD: '14.0.0 16.0.0 17.0.1'
+    ELECTRON_TARGETS_FREEBSD: '16.0.0'
   timeout_in: 2h
   install_dependencies_script: |
     pkg install -y \
@@ -22,13 +20,28 @@ task:
       git \
       npm \
       py39-pip \
-      py39-requests \
-      py39-setuptools \
-      py39-twine
-    pip install agithub
+      py39-setuptools
     npm install -g cloudflare-cli
-  initialize_credentials_script: |
-    mkdir ~/.aws
+  clone_script: |
+    if [ -z "$CIRRUS_PR" ]; then
+      git clone --recurse-submodules --branch=$CIRRUS_BRANCH https://x-access-token:${CIRRUS_REPO_CLONE_TOKEN}@github.com/${CIRRUS_REPO_FULL_NAME}.git $CIRRUS_WORKING_DIR
+    else
+      git clone --recurse-submodules https://x-access-token:${CIRRUS_REPO_CLONE_TOKEN}@github.com/${CIRRUS_REPO_FULL_NAME}.git $CIRRUS_WORKING_DIR
+      git fetch origin pull/$CIRRUS_PR/head:pull/$CIRRUS_PR
+    fi
+    git reset --hard $CIRRUS_CHANGE_IN_REPO
+    git submodule update
+  setup_environment_script: |
+    (
+      echo "FRIDA=$CIRRUS_WORKING_DIR"
+      echo "FRIDA_VERSION=$(releng/frida_version.py)"
+      echo "npm_config_jobs=max"
+    ) >> $CIRRUS_ENV
+    mkdir -p ~/.aws
+    (
+      echo "[default]"
+      echo "region = us-east-1"
+    ) > ~/.aws/config
     (
       echo "[default]"
       echo "aws_access_key_id = $S3_ACCESS_KEY"
@@ -40,24 +53,53 @@ task:
       echo "    email: $CF_EMAIL"
       echo "    token: $CF_TOKEN"
     ) > ~/.cfcli.yml
-    echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" > ~/.npmrc
-  clone_script: |
-    if [ -z "$CIRRUS_PR" ]; then
-      git clone --recurse-submodules --branch=$CIRRUS_BRANCH https://x-access-token:${CIRRUS_REPO_CLONE_TOKEN}@github.com/${CIRRUS_REPO_FULL_NAME}.git $CIRRUS_WORKING_DIR
-      git reset --hard $CIRRUS_CHANGE_IN_REPO
-    else
-      git clone --recurse-submodules https://x-access-token:${CIRRUS_REPO_CLONE_TOKEN}@github.com/${CIRRUS_REPO_FULL_NAME}.git $CIRRUS_WORKING_DIR
-      git fetch origin pull/$CIRRUS_PR/head:pull/$CIRRUS_PR
-      git reset --hard $CIRRUS_CHANGE_IN_REPO
-    fi
   roll_toolchain_script: $PYTHON releng/deps.py roll toolchain freebsd-x86_64 --activate
   roll_sdk_script: $PYTHON releng/deps.py roll sdk freebsd-x86_64
-  build_gum_script: make gum
+  build_gum_script: |
+    make gum
+    $PYTHON releng/devkit.py frida-gum freebsd-x86_64 build/devkits/gum
+    $PYTHON releng/devkit.py frida-gumjs freebsd-x86_64 build/devkits/gumjs
+  frida_gum_devkit_freebsd_x86_64_artifacts:
+    path: "build/devkits/gum/*"
+  frida_gumjs_devkit_freebsd_x86_64_artifacts:
+    path: "build/devkits/gumjs/*"
   test_gum_script: make check-gum
-  build_core_script: make core
+  build_core_script: |
+    make core
+    $PYTHON releng/devkit.py frida-core freebsd-x86_64 build/devkits/core
+  frida_core_devkit_freebsd_x86_64_artifacts:
+    path: "build/devkits/core/*"
+  frida_server_freebsd_x86_64_artifacts:
+    path: "build/frida-freebsd-x86_64/bin/frida-server"
+  frida_portal_freebsd_x86_64_artifacts:
+    path: "build/frida-freebsd-x86_64/bin/frida-portal"
+  frida_inject_freebsd_x86_64_artifacts:
+    path: "build/frida-freebsd-x86_64/bin/frida-inject"
+  frida_gadget_freebsd_x86_64_artifacts:
+    path: "build/frida-freebsd-x86_64/lib/frida/64/frida-gadget.so"
   test_core_script: make check-core || true
-  build_python_script: make python
+  build_python_script: |
+    make python
+    export FRIDA_EXTENSION=$PWD/build/frida-freebsd-x86_64/lib/python3.9/site-packages/_frida.so
+    cd frida-python
+    pip wheel -w ../build/wheels --no-deps .
+  frida_python_freebsd_x86_64_artifacts:
+    path: "build/wheels/frida-*.whl"
   test_python_script: make check-python
-  build_node_script: make node
-  test_node_script: make check-node
-  release_script: $PYTHON releng/release.py freebsd-x86_64
+  build_node_script: |
+    cd frida-node
+    npm version $FRIDA_VERSION
+    npm install
+    for target in $NODE_TARGETS_FREEBSD; do
+      npm run prebuild -- -r node -t $target
+    done
+    for target in $ELECTRON_TARGETS_FREEBSD; do
+      npm run prebuild -- -r electron -t $target
+    done
+  frida_node_freebsd_x86_64_artifacts:
+    path: "frida-node/prebuilds/*"
+  test_node_script: |
+    cd frida-node
+    rm -rf build prebuilds
+    node_modules/.bin/node-gyp rebuild
+    npm run test

.github/actions/package-artifact-file/action.yml

@@ -0,0 +1,36 @@
+name: Package single-file artifact
+description: Downloads an artifact and uploads a compressed version of its file
+inputs:
+  name:
+    required: true
+    description: Artifact name
+runs:
+  using: composite
+  steps:
+    - name: Download
+      uses: actions/download-artifact@v3
+      with:
+        name: ${{ inputs.name }}
+        path: ${{ inputs.name }}
+    - name: Compress
+      run: |
+        readarray -t files < <(ls -1 ${{ inputs.name }})
+        n=${#files[@]}
+        if [ $n -ne 1 ]; then
+          echo "Artifact may only contain a single file" > /dev/stderr
+          exit 1
+        fi
+        file=${files[0]}
+        if echo $file | grep -q '\.'; then
+          extension=".$(echo $file | cut -d'.' -f2-).xz"
+        else
+          extension=".xz"
+        fi
+        xz -c -T 0 ${{ inputs.name }}/$file > ${{ inputs.name }}/${{ inputs.name }}$extension
+        rm ${{ inputs.name }}/$file
+      shell: bash
+    - name: Upload
+      uses: actions/upload-artifact@v3
+      with:
+        name: release-assets
+        path: ${{ inputs.name }}/*

.github/actions/package-artifact-files-as-sfx/action.yml

@@ -0,0 +1,24 @@
+name: Package artifact files as SFX
+description: Downloads a specific artifact and uploads a packaged version of it
+inputs:
+  name:
+    required: true
+    description: Artifact name
+runs:
+  using: composite
+  steps:
+    - name: Download
+      uses: actions/download-artifact@v3
+      with:
+        name: ${{ inputs.name }}
+        path: ${{ inputs.name }}
+    - name: Compress
+      run: |
+        cd ${{ inputs.name }}
+        7z a -sfx -r ..\${{ inputs.name }}.exe .
+      shell: pwsh
+    - name: Upload
+      uses: actions/upload-artifact@v3
+      with:
+        name: release-assets
+        path: ${{ inputs.name }}.exe

.github/actions/package-artifact-files-as-tarball/action.yml

@@ -0,0 +1,24 @@
+name: Package artifact files as tarball
+description: Downloads a specific artifact and uploads a packaged version of it
+inputs:
+  name:
+    required: true
+    description: Artifact name
+runs:
+  using: composite
+  steps:
+    - name: Download
+      uses: actions/download-artifact@v3
+      with:
+        name: ${{ inputs.name }}
+        path: ${{ inputs.name }}
+    - name: Compress
+      run: tar -C ${{ inputs.name }} -cJf ${{ inputs.name }}.tar.xz .
+      env:
+        XZ_OPT: "-T 0"
+      shell: bash
+    - name: Upload
+      uses: actions/upload-artifact@v3
+      with:
+        name: release-assets
+        path: ${{ inputs.name }}.tar.xz

.github/actions/package-ios-assets/action.yml

@@ -0,0 +1,18 @@
+name: Package iOS assets
+description: Downloads iOS assets and packages them
+runs:
+  using: composite
+  steps:
+    - name: Download iOS assets
+      uses: actions/download-artifact@v3
+      with:
+        name: ios-assets
+        path: build/ios-assets/
+    - name: Create frida-server iOS .deb
+      run: |
+        mkdir -p build/release-assets
+        cd build
+        ../frida-core/tools/package-server-ios.sh \
+            ios-assets \
+            release-assets/frida_${FRIDA_VERSION}_iphoneos-arm.deb
+      shell: bash

.github/actions/publish-ios-debs/action.yml

@@ -0,0 +1,77 @@
+name: Publish iOS packages
+description: Publishes already packaged iOS debs
+inputs:
+  site:
+    required: true
+    path: Where to publish; set to either “production” or “development”
+runs:
+  using: composite
+  steps:
+    - name: Create iOS repo metadata
+      run: |
+        cd build
+        rm -rf ios-repo-config
+        mkdir ios-repo-config
+        (
+          echo "Origin: Cydia/Frida"
+          echo "Label: frida"
+          echo "Suite: stable"
+          echo "Version: 1.0"
+          echo "Codename: stable"
+          echo "Architectures: iphoneos-arm"
+          echo "Components: main"
+          echo "Description: Frida for iOS"
+        ) > ios-repo-config/distributions
+        rm -rf ios-repo
+        mkdir -p ios-repo/debs
+        cd ios-repo
+        (
+          echo "Origin: Frida"
+          echo "Label: Frida"
+          echo "Suite: stable"
+          echo "Version: 1.0"
+          echo "Codename: ios"
+          echo "Architectures: iphoneos-arm"
+          echo "Components: main"
+          echo "Description: Official Frida Repo"
+        ) > Release
+        for file in frida_${FRIDA_VERSION}_iphoneos-arm.deb; do
+          cp $GITHUB_WORKSPACE/build/release-assets/$file debs/
+          reprepro \
+              -Vb . \
+              --confdir $GITHUB_WORKSPACE/build/ios-repo-config \
+              --ignore=forbiddenchar \
+              includedeb \
+              stable \
+              debs/$file
+        done
+        cp dists/stable/main/binary-iphoneos-arm/Packages.gz .
+        gunzip -k Packages.gz
+      shell: bash
+    - name: Upload iOS package and repo metadata
+      run: |
+        cd build/ios-repo
+        case ${{ inputs.site }} in
+          production)
+            prefix=
+            ;;
+          development)
+            prefix=/dev
+           ;;
+          *)
+            echo "Invalid repo specified" > /dev/stderr
+            exit 1
+        esac
+        aws s3 sync --delete pool/ s3://build.frida.re${prefix}/pool/
+        for file in Release Packages Packages.gz; do
+          aws s3 cp $file s3://build.frida.re${prefix}/
+        done
+        for file in Packages Packages.gz; do
+          aws s3 cp $file s3://build.frida.re${prefix}/./
+        done
+        urls_to_invalidate=()
+        for file in Release Packages Packages.gz ./Packages ./Packages.gz; do
+          urls_to_invalidate+=("https://build.frida.re${prefix}/${file}")
+        done
+        cfcli purge ${urls_to_invalidate[@]}
+      shell: bash

.github/actions/publish-python-bindings/action.yml

@@ -0,0 +1,73 @@
+name: Publish Python bindings
+description: Publishes Python source distribution and wheels to PyPI
+inputs:
+  site:
+    required: true
+    path: Where to publish; set to either “production” or “development”
+  pypi-token:
+    required: true
+    description: The token used to authenticate with pypi.org
+  testpypi-token:
+    required: true
+    description: The token used to authenticate with test.pypi.org
+runs:
+  using: composite
+  steps:
+    - name: Create source distribution
+      run: |
+        cd frida-python
+        python setup.py sdist --dist-dir ../build/python-packages
+      shell: bash
+    - name: Download wheel for Windows/x86
+      uses: actions/download-artifact@v3
+      with:
+        name: frida-python-windows-x86
+        path: build/python-packages/
+    - name: Download wheel for Windows/x86_64
+      uses: actions/download-artifact@v3
+      with:
+        name: frida-python-windows-x86_64
+        path: build/python-packages/
+    - name: Download wheel for macOS/x86_64
+      uses: actions/download-artifact@v3
+      with:
+        name: frida-python-macos-x86_64
+        path: build/python-packages/
+    - name: Download wheel for macOS/arm64
+      uses: actions/download-artifact@v3
+      with:
+        name: frida-python-macos-arm64
+        path: build/python-packages/
+    - name: Download wheel for Linux/x86
+      uses: actions/download-artifact@v3
+      with:
+        name: frida-python-linux-x86
+        path: build/python-packages/
+    - name: Download wheel for Linux/x86_64
+      uses: actions/download-artifact@v3
+      with:
+        name: frida-python-linux-x86_64
+        path: build/python-packages/
+    - name: Download wheel for Linux/armhf
+      uses: actions/download-artifact@v3
+      with:
+        name: frida-python-linux-armhf
+        path: build/python-packages/
+    - name: Download wheel for Linux/arm64
+      uses: actions/download-artifact@v3
+      with:
+        name: frida-python-linux-arm64
+        path: build/python-packages/
+    - name: Publish to pypi.org
+      if: inputs.site == 'production'
+      uses: pypa/gh-action-pypi-publish@release/v1.5
+      with:
+        password: ${{ inputs.pypi-token }}
+        packages_dir: build/python-packages/
+    - name: Publish to test.pypi.org
+      if: inputs.site == 'development'
+      uses: pypa/gh-action-pypi-publish@release/v1.5
+      with:
+        password: ${{ inputs.testpypi-token }}
+        repository_url: https://test.pypi.org/legacy/
+        packages_dir: build/python-packages/