Closed
37 changes: 15 additions & 22 deletions .github/actions/setup-llcppg/action.yml
@@ -1,25 +1,16 @@
name: "Setup llcppg"
description: "Install dependencies, set up Go, set up LLGo, install llcppg"
description: "Install dependencies, set up Go, download LLGo release, install llcppg"
inputs:
go:
description: "Go version to install"
default: "1.23"
llvm:
description: "LLVM version to install (e.g. 18)"
default: "19"
llgo:
description: "LLGo git ref or tag"
default: "e4218f90d7926d31c1ffae3965a4e36228d38fd2"
description: "LLGo version to download (e.g. v0.11.6)"
default: "v0.11.6"
runs:
using: "composite"
steps:
- uses: actions/checkout@v4
- name: Checkout LLGo
uses: actions/checkout@v4
with:
repository: 'goplus/llgo'
path: '.llgo'
ref: ${{inputs.llgo}}
- name: Set up Go
uses: actions/setup-go@v4
with:
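Review bot: the `llgo` input default moves from an immutable commit SHA (`e4218f90d7926d31c1ffae3965a4e36228d38fd2`) to the tag `v0.11.6`, and the action now downloads a prebuilt release for that tag instead of building a checked-out ref. A tag can be moved while a SHA cannot, so the build is no longer pinned to known source unless the downloaded archive is integrity-checked. Suggest stating in the `llgo` description that the value is a release tag resolved to a GitHub release asset, and pairing the change with a checksum verification step in download-llgo.sh.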
@@ -28,28 +19,30 @@ runs:
if: runner.os == 'macOS'
shell: bash
run: |
brew install llvm@${{inputs.llvm}} bdw-gc openssl libffi libuv lld@${{inputs.llvm}}
brew install bdw-gc openssl libffi libuv
brew install zlib # for llgo test .
brew link --force zlib # for llgo test .
brew link --force libffi
echo "$(brew --prefix llvm@${{inputs.llvm}})/bin" >> $GITHUB_PATH
echo "$(brew --prefix lld@${{inputs.llvm}})/bin" >> $GITHUB_PATH
- name: Install dependencies
shell: bash
if: runner.os == 'Linux'
run: |
echo "deb http://apt.llvm.org/$(lsb_release -cs)/ llvm-toolchain-$(lsb_release -cs)-${{inputs.llvm}} main" | sudo tee /etc/apt/sources.list.d/llvm.list
wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | sudo apt-key add -
sudo apt-get update
sudo apt-get install -y llvm-${{inputs.llvm}}-dev clang-${{inputs.llvm}} libclang-${{inputs.llvm}}-dev lld-${{inputs.llvm}} libunwind-${{inputs.llvm}}-dev libc++-${{inputs.llvm}}-dev pkg-config libgc-dev libssl-dev zlib1g-dev libffi-dev libuv1-dev
echo "/usr/lib/llvm-${{inputs.llvm}}/bin" >> $GITHUB_PATH
- name: Install LLGo
sudo apt-get install -y pkg-config libgc-dev libssl-dev zlib1g-dev libffi-dev libuv1-dev
- name: Download LLGo release
shell: bash
working-directory: .llgo
run: |
go install -v ./cmd/llgo/...
bash .github/actions/setup-llcppg/download-llgo.sh ${{inputs.llgo}} .llgo
echo "$GITHUB_WORKSPACE/.llgo/bin" >> $GITHUB_PATH
echo "$GITHUB_WORKSPACE/.llgo/crosscompile/clang/bin" >> $GITHUB_PATH
export LLGO_ROOT=$GITHUB_WORKSPACE/.llgo
echo "LLGO_ROOT=$LLGO_ROOT" >> $GITHUB_ENV
Comment on lines 38 to 39
Contributor

medium

The export command is not necessary here. A simple variable assignment is sufficient since $LLGO_ROOT is used in the next line within the same run step. Removing export makes the intent clearer that the variable is only used locally within this script block before being passed to the GitHub Actions environment.

      LLGO_ROOT=$GITHUB_WORKSPACE/.llgo
      echo "LLGO_ROOT=$LLGO_ROOT" >> $GITHUB_ENV

- name: Verify LLGo installation
shell: bash
run: |
echo "LLGO_ROOT: $LLGO_ROOT"
llgo version
llvm-nm --version
- name: Build
shell: bash
run: go build -v ./...
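Review bot: the "Download LLGo release" step sits under `working-directory: .llgo` while its run line is `bash .github/actions/setup-llcppg/download-llgo.sh ${{inputs.llgo}} .llgo`. If that `working-directory` line is retained (the rendered view drops the +/- markers), both the script path and the install-directory argument resolve relative to `.llgo` rather than the workspace root, and the "Checkout LLGo" step that previously created `.llgo` is removed in this diff, so the step either cannot start or installs into `.llgo/.llgo` while `GITHUB_PATH` and `LLGO_ROOT` point at `$GITHUB_WORKSPACE/.llgo`. Suggest dropping `working-directory: .llgo` or passing `$GITHUB_WORKSPACE/.llgo` explicitly.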
65 changes: 65 additions & 0 deletions .github/actions/setup-llcppg/download-llgo.sh
@@ -0,0 +1,65 @@
#!/bin/bash

# Script to download and extract LLGo release
# Usage: ./download-llgo.sh <version> <install_dir>
# Example: ./download-llgo.sh v0.11.6 ./llgo

set -e
Contributor

medium

For more robust error handling in shell scripts, it's a good practice to use set -euo pipefail instead of just set -e.

  • e: Exit immediately if a command exits with a non-zero status.
  • u: Treat unset variables as an error when substituting.
  • o pipefail: The return value of a pipeline is the status of the last command to exit with a non-zero status, or zero if no command exited with a non-zero status. This is particularly useful when piping commands.
Suggested change
set -e
set -euo pipefail


VERSION=$1
Contributor

Add input validation for VERSION parameter

The VERSION parameter is interpolated into URLs without validation, creating potential for injection attacks if this script is used outside the controlled CI environment.

Recommended:

VERSION=$1
INSTALL_DIR=$2

if [ -z "$VERSION" ] || [ -z "$INSTALL_DIR" ]; then
    echo "Usage: $0 <version> <install_dir>"
    echo "Example: $0 v0.11.6 ./llgo"
    exit 1
fi

# Validate VERSION format
if ! [[ "$VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9]+)?$ ]]; then
    echo "Error: Invalid version format: $VERSION"
    echo "Expected format: vX.Y.Z (e.g., v0.11.6)"
    exit 1
fi

INSTALL_DIR=$2

if [ -z "$VERSION" ] || [ -z "$INSTALL_DIR" ]; then
echo "Usage: $0 <version> <install_dir>"
echo "Example: $0 v0.11.6 ./llgo"
exit 1
Comment on lines +12 to +15
Contributor

medium

It's a best practice to print usage and error messages to standard error (stderr) instead of standard output (stdout). This allows users to redirect script output without capturing error messages.

Suggested change
if [ -z "$VERSION" ] || [ -z "$INSTALL_DIR" ]; then
echo "Usage: $0 <version> <install_dir>"
echo "Example: $0 v0.11.6 ./llgo"
exit 1
if [ -z "$VERSION" ] || [ -z "$INSTALL_DIR" ]; then
echo "Usage: $0 <version> <install_dir>" >&2
echo "Example: $0 v0.11.6 ./llgo" >&2
exit 1
fi

fi

# Detect OS and architecture
OS=$(uname -s | tr '[:upper:]' '[:lower:]')
ARCH=$(uname -m)

# Map architecture names
case $ARCH in
x86_64)
ARCH="amd64"
;;
aarch64|arm64)
ARCH="arm64"
;;
*)
Comment on lines +23 to +30
Contributor

Add OS validation

Consider validating the OS as well to provide clear error messages for unsupported platforms:

# Map architecture names
case $ARCH in
    x86_64)
        ARCH="amd64"
        ;;
    aarch64|arm64)
        ARCH="arm64"
        ;;
    *)
        echo "Error: Unsupported architecture: $ARCH"
        echo "Supported architectures: amd64, arm64"
        echo "Detected: $(uname -m) on $(uname -s)"
        exit 1
        ;;
esac

# Validate OS
case $OS in
    darwin|linux)
        # Supported
        ;;
    *)
        echo "Error: Unsupported operating system: $OS"
        echo "Supported systems: darwin (macOS), linux"
        exit 1
        ;;
esac

echo "Unsupported architecture: $ARCH"
exit 1
;;
Comment on lines +30 to +33
Contributor

medium

Error messages should be printed to standard error (stderr) to separate them from normal script output.

Suggested change
*)
echo "Unsupported architecture: $ARCH"
exit 1
;;
*)
echo "Unsupported architecture: $ARCH" >&2
exit 1
;;

esac

# Construct download URL
# Format: llgo{version}.{os}-{arch}.tar.gz
# Example: llgo0.11.6.darwin-arm64.tar.gz or llgo0.11.6.linux-amd64.tar.gz
# Remove 'v' prefix from version if present
VERSION_NUMBER="${VERSION#v}"
FILENAME="llgo${VERSION_NUMBER}.${OS}-${ARCH}.tar.gz"
URL="https://github.com/goplus/llgo/releases/download/${VERSION}/${FILENAME}"

echo "Downloading LLGo ${VERSION} for ${OS}-${ARCH}..."
echo "URL: $URL"

# Create install directory
mkdir -p "$INSTALL_DIR"

Contributor

CRITICAL: Missing checksum verification

The script downloads and executes prebuilt binaries without any integrity verification. This is a significant supply chain security risk.

Recommended fix:

# Add -f flag to fail on HTTP errors, and add retry logic
curl -fL --retry 3 --retry-delay 2 --max-time 300 -o "/tmp/${FILENAME}" "$URL" || {
    echo "Error: Failed to download LLGo from $URL"
    exit 1
}

# Download and verify checksum (if available)
curl -fL -o "/tmp/${FILENAME}.sha256" "${URL}.sha256" 2>/dev/null && {
    cd /tmp
    sha256sum -c "${FILENAME}.sha256" || {
        echo "Error: Checksum verification failed"
        exit 1
    }
}

Security concerns:

  • Without checksums, there's no way to verify the binary hasn't been tampered with
  • Missing -f flag means curl won't fail on HTTP errors (404, 500)
  • No retry logic for transient network failures

See CWE-494: Download of Code Without Integrity Check
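The flow the comment above asks for, as an added example (not code from the PR or the llgo project): checksum verification before extraction, errors to stderr, a mktemp directory with a cleanup trap, and the `bin/llgo` check, run offline against a constructed archive. It assumes a sidecar `.sha256` file in sha256sum format and a single top-level directory in the archive; `sha256_of`, `verify_and_extract` and `make_fake_release` are names chosen here.

```shell
#!/bin/bash
# Added example (not the PR's code): the download-verify-extract flow from the review, offline.
set -eu
(set -o pipefail) 2>/dev/null && set -o pipefail   # pipefail where the shell has it

# SHA-256 hex digest of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_and_extract <archive> <sha256 file> <install_dir>
# Assumes the .sha256 sidecar is in sha256sum format ("<hex>  <name>") and the
# archive has one top-level directory (stripped). Fails closed on mismatch.
verify_and_extract() {
  local archive=$1 sumfile=$2 dest=$3 expected actual
  expected=$(awk 'NR==1 {print $1}' "$sumfile")
  actual=$(sha256_of "$archive")
  if [ "$expected" != "$actual" ]; then
    echo "Error: checksum mismatch for $archive" >&2
    return 1
  fi
  mkdir -p "$dest"
  tar -xzf "$archive" -C "$dest" --strip-components=1
  [ -x "$dest/bin/llgo" ] || { echo "Error: $dest/bin/llgo not found" >&2; return 1; }
}

# Constructed stand-in for a release: llgo0.11.6/bin/llgo plus its .sha256
# sidecar, written to a fresh mktemp directory whose path is printed.
make_fake_release() {
  local work name
  work=$(mktemp -d)
  name="llgo0.11.6.linux-amd64.tar.gz"
  mkdir -p "$work/llgo0.11.6/bin"
  printf '#!/bin/sh\necho llgo v0.11.6\n' > "$work/llgo0.11.6/bin/llgo"
  chmod +x "$work/llgo0.11.6/bin/llgo"
  tar -czf "$work/$name" -C "$work" llgo0.11.6
  printf '%s  %s\n' "$(sha256_of "$work/$name")" "$name" > "$work/$name.sha256"
  echo "$work"
}

# Demo: verify, extract, run; the trap removes the temp dir on exit.
WORK=$(make_fake_release)
trap 'rm -rf "$WORK"' EXIT
verify_and_extract "$WORK/llgo0.11.6.linux-amd64.tar.gz" \
  "$WORK/llgo0.11.6.linux-amd64.tar.gz.sha256" "$WORK/install"
echo "verified: $("$WORK/install/bin/llgo")"
```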

Comment on lines +46 to +49
Contributor

Use mktemp for secure temporary file handling

Using predictable filenames in /tmp/ can lead to race conditions and symlink attacks.

Recommended:

# Create secure temporary file
TEMP_FILE=$(mktemp /tmp/llgo-download.XXXXXXXXXX)
trap "rm -f '$TEMP_FILE'" EXIT

mkdir -p "$INSTALL_DIR"

echo "Downloading LLGo ${VERSION} for ${OS}-${ARCH}..."
echo "URL: $URL"

curl -fL --retry 3 --retry-delay 2 --max-time 300 -o "$TEMP_FILE" "$URL"
tar -xzf "$TEMP_FILE" -C "$INSTALL_DIR" --strip-components=1

This provides atomic temporary file creation and automatic cleanup.

# Download and extract
curl -L -o "/tmp/${FILENAME}" "$URL"
tar -xzf "/tmp/${FILENAME}" -C "$INSTALL_DIR"
rm "/tmp/${FILENAME}"
Comment on lines +51 to +53
Contributor

high

The download and extraction process can be simplified and made more robust.

  1. Piping curl to tar avoids creating a temporary file on disk, which is more efficient.
  2. Using curl -fsSL provides better error handling: -f fails on HTTP server errors, -s silences progress output, -S shows errors even with -s, and -L follows redirects.

This approach is cleaner and more idiomatic for shell scripting.

Suggested change
curl -L -o "/tmp/${FILENAME}" "$URL"
tar -xzf "/tmp/${FILENAME}" -C "$INSTALL_DIR" --strip-components=1
rm "/tmp/${FILENAME}"
curl -fsSL "$URL" | tar -xz -C "$INSTALL_DIR" --strip-components=1


echo "LLGo ${VERSION} has been installed to ${INSTALL_DIR}"
echo "Binary location: ${INSTALL_DIR}/bin/llgo"

Comment on lines +56 to +57
Contributor

Enhance post-installation validation

The current check only verifies file existence. Consider adding:

# Verify installation
if [ ! -f "${INSTALL_DIR}/bin/llgo" ]; then
    echo "Error: llgo binary not found at ${INSTALL_DIR}/bin/llgo"
    exit 1
fi

# Verify it's executable
if [ ! -x "${INSTALL_DIR}/bin/llgo" ]; then
    echo "Error: llgo binary is not executable"
    exit 1
fi

# Verify it's a valid binary
if ! file "${INSTALL_DIR}/bin/llgo" | grep -qE "(executable|ELF|Mach-O)"; then
    echo "Error: llgo is not a valid binary executable"
    exit 1
fi

echo "Installation verified successfully"
ls -lh "${INSTALL_DIR}/bin/llgo"

# Verify installation
if [ -f "${INSTALL_DIR}/bin/llgo" ]; then
echo "Installation verified successfully"
ls -lh "${INSTALL_DIR}/bin/llgo"
else
echo "Error: llgo binary not found at ${INSTALL_DIR}/bin/llgo"
exit 1
fi
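Review bot: the extraction line `tar -xzf "/tmp/${FILENAME}" -C "$INSTALL_DIR"` has no `--strip-components`, yet the verification block below expects the binary at `${INSTALL_DIR}/bin/llgo`. If the release archive wraps its contents in a top-level directory, the binary lands one level deeper and the check fails; one of the suggestions quotes this same line with `--strip-components=1`, so the two views of the file disagree. Confirm the layout of `llgo0.11.6.<os>-<arch>.tar.gz` and make the tar invocation and the `bin/llgo` check consistent with it.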
Comment on lines +62 to +65
Contributor

medium

Error messages should be printed to standard error (stderr) to separate them from normal script output.

Suggested change
else
echo "Error: llgo binary not found at ${INSTALL_DIR}/bin/llgo"
exit 1
fi
else
echo "Error: llgo binary not found at ${INSTALL_DIR}/bin/llgo" >&2
exit 1
fi

4 changes: 1 addition & 3 deletions .github/workflows/end2end.yml
@@ -20,8 +20,7 @@ jobs:
- macos-latest
- ubuntu-latest
- ubuntu-24.04-arm
llvm: [19]
llgo: [e4218f90d7926d31c1ffae3965a4e36228d38fd2]
llgo: [v0.11.6]
go: [1.23]
fail-fast: false
runs-on: ${{matrix.os}}
@@ -31,7 +30,6 @@ jobs:
uses: ./.github/actions/setup-llcppg
with:
go: ${{ matrix.go }}
llvm: ${{ matrix.llvm }}
llgo: ${{ matrix.llgo }}

- name: Install Conan
4 changes: 1 addition & 3 deletions .github/workflows/gentest.yml
@@ -20,8 +20,7 @@ jobs:
- macos-latest
- ubuntu-latest
- ubuntu-24.04-arm
llvm: [19]
llgo: [e4218f90d7926d31c1ffae3965a4e36228d38fd2]
llgo: [v0.11.6]
go: [1.23]
fail-fast: false
runs-on: ${{matrix.os}}
@@ -31,7 +30,6 @@ jobs:
uses: ./.github/actions/setup-llcppg
with:
go: ${{ matrix.go }}
llvm: ${{ matrix.llvm }}
llgo: ${{ matrix.llgo }}
- name: Setup Log directory
run: echo "LLCPPG_TEST_LOG_DIR=$(mktemp -d)" >> $GITHUB_ENV
4 changes: 1 addition & 3 deletions .github/workflows/go.yml
@@ -21,8 +21,7 @@ jobs:
os:
- macos-latest
- ubuntu-latest
llvm: [19]
llgo: [e4218f90d7926d31c1ffae3965a4e36228d38fd2]
llgo: [v0.11.6]
go: [1.23]
fail-fast: false
runs-on: ${{matrix.os}}
@@ -32,7 +31,6 @@ jobs:
uses: ./.github/actions/setup-llcppg
with:
go: ${{ matrix.go }}
llvm: ${{ matrix.llvm }}
llgo: ${{ matrix.llgo }}

- name: Setup Test Dependencies
2 changes: 1 addition & 1 deletion go.mod
@@ -5,7 +5,7 @@ go 1.23.0
require (
github.com/goplus/gogen v1.19.5
github.com/goplus/lib v0.3.1
github.com/goplus/llgo v0.11.6-0.20250824004317-e4218f90d792
github.com/goplus/llgo v0.11.6
github.com/goplus/mod v0.17.1
github.com/qiniu/x v1.15.1
)
4 changes: 2 additions & 2 deletions go.sum
@@ -2,8 +2,8 @@ github.com/goplus/gogen v1.19.5 h1:YWPwpRA1PusPhptv9jKg/XiN+AQGiAD9r6I86mJ3lR4=
github.com/goplus/gogen v1.19.5/go.mod h1:owX2e1EyU5WD+Nm6oH2m/GXjLdlBYcwkLO4wN8HHXZI=
github.com/goplus/lib v0.3.1 h1:Xws4DBVvgOMu58awqB972wtvTacDbk3nqcbHjdx9KSg=
github.com/goplus/lib v0.3.1/go.mod h1:SgJv3oPqLLHCu0gcL46ejOP3x7/2ry2Jtxu7ta32kp0=
github.com/goplus/llgo v0.11.6-0.20250824004317-e4218f90d792 h1:EbF48QxuTaklX5MPwSuskZhu+dI9CHDIPW9S05uyhsM=
github.com/goplus/llgo v0.11.6-0.20250824004317-e4218f90d792/go.mod h1:GeJLuuvv1yU+XBX+45SITayPgj7tsHVntEY+LEFPx+I=
github.com/goplus/llgo v0.11.6 h1:XRFlSCXsy+XRQgNj4AcBP3JT5QYIEENl1m6l8TVIQ/Y=
github.com/goplus/llgo v0.11.6/go.mod h1:dWPl+e8vI+jQSzgiqf67YWVfLFb/Dn7VBhpH2IEcW2M=
github.com/goplus/mod v0.17.1 h1:ITovxDcc5zbURV/Wrp3/SBsYLgC1KrxY6pq1zMM2V94=
github.com/goplus/mod v0.17.1/go.mod h1:iXEszBKqi38BAyQApBPyQeurLHmQN34YMgC2ZNdap50=
github.com/qiniu/x v1.15.1 h1:avE+YQaowp8ZExjylOeSM73rUo3MQKBAYVxh4NJ8dY8=