suricata/.github/workflows/builds.yml

name: builds

on:
  - push
  - pull_request

env:
  DEFAULT_SV_REPO: https://github.com/OISF/suricata-verify
  DEFAULT_SV_BRANCH: master

  DEFAULT_CFLAGS: "-Wall -Wextra -Werror -Wno-unused-parameter -Wno-unused-function"

  # Apt sometimes likes to ask for user input, this will prevent that.
  DEBIAN_FRONTEND: "noninteractive"

  # A recent version of stable Rust that is known to pass build, test and other
  # verification steps in this workflow. This was added because using "stable"
  # could cause some steps to fail.
  RUST_VERSION_KNOWN: "1.49.0"

  # The minimum version of Rust supported.
  RUST_VERSION_MIN: 1.41.1
jobs:

  prepare-deps:
    name: Prepare dependencies
    runs-on: ubuntu-latest
    steps:
      - name: Cache ~/.cargo
        uses: actions/cache@v1
        with:
          path: ~/.cargo
          key: cargo
      - run: sudo apt update && sudo apt -y install jq curl
      - name: Parse repo and branch information
        env:
          # We fetch the actual pull request to get the latest body as
          # github.event.pull_request.body has the body from the
          # initial pull request.
          PR_HREF: ${{ github.event.pull_request._links.self.href }}
        run: |
          if test "${PR_HREF}"; then
              body=$(curl -s "${PR_HREF}" | jq -r .body | tr -d '\r')

              echo "Parsing branch and PR info from:"
              echo "${body}"

              LIBHTP_REPO=$(echo "${body}" | awk -F = '/^LIBHTP_REPO=/ { print $2 }')
              LIBHTP_BRANCH=$(echo "${body}" | awk -F = '/^LIBHTP_BRANCH=/ { print $2 }')

              SU_REPO=$(echo "${body}" | awk -F = '/^SU_REPO=/ { print $2 }')
              SU_BRANCH=$(echo "${body}" | awk -F = '/^SU_BRANCH=/ { print $2 }')

              SV_REPO=$(echo "${body}" | awk -F = '/^SV_REPO=/ { print $2 }')
              SV_BRANCH=$(echo "${body}" | awk -F = '/^SV_BRANCH=/ { print $2 }')
          else
              echo "No pull request body, will use defaults."
          fi

          echo LIBHTP_REPO=${LIBHTP_REPO} | tee -a ${GITHUB_ENV}
          echo LIBHTP_BRANCH=${LIBHTP_BRANCH} | tee -a ${GITHUB_ENV}

          echo SU_REPO=${SU_REPO} | tee -a ${GITHUB_ENV}
          echo SU_BRANCH=${SU_BRANCH} | tee -a ${GITHUB_ENV}

          echo SV_REPO=${SV_REPO:-${DEFAULT_SV_REPO}} | tee -a ${GITHUB_ENV}
          echo SV_BRANCH=${SV_BRANCH:-${DEFAULT_SV_BRANCH}} | tee -a ${GITHUB_ENV}          

      - name: Annotate output
        run: |
          echo "::notice:: LIBHTP_REPO=${LIBHTP_REPO}"
          echo "::notice:: LIBHTP_BRANCH=${LIBHTP_BRANCH}"
          echo "::notice:: SU_REPO=${SU_REPO}"
          echo "::notice:: SU_BRANCH=${SU_BRANCH}"
          echo "::notice:: SV_REPO=${SV_REPO}"
          echo "::notice:: SV_BRANCH=${SV_BRANCH}"          

      # Now checkout Suricata for the bundle script.
      - name: Checking out Suricata
        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b

      - name: Fetching libhtp
        run: |
          DESTDIR=./bundle ./scripts/bundle.sh libhtp
          tar zcf libhtp.tar.gz -C bundle libhtp          
      - name: Fetching suricata-update
        run: |
          DESTDIR=./bundle ./scripts/bundle.sh suricata-update
          tar zcf suricata-update.tar.gz -C bundle suricata-update          

      - name: Fetching suricata-verify
        run: |
          pr=$(echo "${SV_BRANCH}" | sed -n 's/^pr\/\([[:digit:]]\+\)$/\1/p')
          if [ "${pr}" ]; then
              SV_BRANCH="refs/pull/${pr}/head"
              echo "Using suricata-verify pull-request ${SV_BRANCH}"
          else
              echo "Using suricata-verify branch ${SV_BRANCH}"
          fi
          git clone --depth 1 ${SV_REPO} suricata-verify
          cd suricata-verify
          git fetch --depth 1 origin ${SV_BRANCH}
          git -c advice.detachedHead=false checkout FETCH_HEAD
          cd ..
          tar zcf suricata-verify.tar.gz suricata-verify          
      - name: Uploading prep archive
        uses: actions/upload-artifact@v2
        with:
          name: prep
          path: |
            libhtp.tar.gz
            suricata-update.tar.gz
            suricata-verify.tar.gz            

  prepare-cbindgen:
    name: Prepare cbindgen
    runs-on: ubuntu-latest
    steps:
      - name: Cache ~/.cargo
        uses: actions/cache@v1
        with:
          path: ~/.cargo
          key: cbindgen
      - name: Installing Rust
        run: |
          curl https://sh.rustup.rs -sSf | sh -s -- -y
          echo "$HOME/.cargo/bin" >> $GITHUB_PATH
          rustup target add x86_64-unknown-linux-musl          
      - name: Buliding static cbindgen for Linux
        run: |
          cargo install --target x86_64-unknown-linux-musl --debug cbindgen
          cp $HOME/.cargo/bin/cbindgen .          
      - name: Uploading prep archive
        uses: actions/upload-artifact@v2
        with:
          name: prep
          path: .

  almalinux-9:
    name: AlmaLinux 9
    runs-on: ubuntu-latest
    container: almalinux:9
    needs: [prepare-deps, prepare-cbindgen]
    steps:
      # Cache Rust stuff.
      - name: Cache cargo registry
        uses: actions/cache@0865c47f36e68161719c5b124609996bb5c40129
        with:
          path: ~/.cargo/registry
          key: cargo-registry

      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b

      # Download and extract dependency archives created during prep
      # job.
      - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
        with:
          name: prep
          path: prep
      - run: tar xvf prep/libhtp.tar.gz
      - run: tar xvf prep/suricata-update.tar.gz
      - run: tar xvf prep/suricata-verify.tar.gz
      - name: Setup cbindgen
        run: |
          mkdir -p $HOME/.cargo/bin
          cp prep/cbindgen $HOME/.cargo/bin
          chmod 755 $HOME/.cargo/bin/cbindgen
          echo "$HOME/.cargo/bin" >> $GITHUB_PATH          
      - name: Install system packages
        run: |
          dnf -y install dnf-plugins-core
          dnf config-manager --set-enabled crb
          dnf -y install \
                autoconf \
                automake \
                cargo-vendor \
                diffutils \
                numactl-devel \
                dpdk-devel \
                file-devel \
                gcc \
                gcc-c++ \
                git \
                jansson-devel \
                jq \
                lua-devel \
                libtool \
                libyaml-devel \
                libnfnetlink-devel \
                libnetfilter_queue-devel \
                libnet-devel \
                libcap-ng-devel \
                libevent-devel \
                libmaxminddb-devel \
                libpcap-devel \
                libtool \
                lz4-devel \
                make \
                nss-devel \
                pcre-devel \
                pkgconfig \
                python3-devel \
                python3-sphinx \
                python3-yaml \
                rust-toolset \
                sudo \
                which \
                zlib-devel
          # These packages required to build the PDF.
          dnf -y install \
                texlive-latex \
                texlive-cmap \
                texlive-collection-latexrecommended \
                texlive-fncychap \
                texlive-titlesec \
                texlive-tabulary \
                texlive-framed \
                texlive-wrapfig \
                texlive-upquote \
                texlive-capt-of \
                texlive-needspace          
      - name: Configuring
        run: |
          ./autogen.sh
          CFLAGS="${DEFAULT_CFLAGS}" ./configure          
      - run: make -j2 distcheck
        env:
          DISTCHECK_CONFIGURE_FLAGS: "--enable-unittests --enable-debug --enable-lua --enable-geoip --enable-profiling --enable-profiling-locks --enable-dpdk"
      - run: test -e doc/userguide/suricata.1
      - name: Building Rust documentation
        run: make doc
        working-directory: rust
      - run: make install
      - run: suricatasc -h
      - run: suricata-update -V
      - name: Check if Suricata-Update example configuration files are installed
        run: |
          test -e /usr/local/lib/suricata/python/suricata/update/configs/disable.conf
          test -e /usr/local/lib/suricata/python/suricata/update/configs/drop.conf
          test -e /usr/local/lib/suricata/python/suricata/update/configs/enable.conf
          test -e /usr/local/lib/suricata/python/suricata/update/configs/modify.conf
          test -e /usr/local/lib/suricata/python/suricata/update/configs/threshold.in
          test -e /usr/local/lib/suricata/python/suricata/update/configs/update.yaml          

  # This build also creates the distribution package that some other builds
  # depend on.
  alma-8:
    name: AlmaLinux 8
    runs-on: ubuntu-latest
    container: almalinux:8.4
    needs: [prepare-deps, prepare-cbindgen]
    steps:
      # Cache Rust stuff.
      - name: Cache cargo registry
        uses: actions/cache@v1
        with:
          path: ~/.cargo/registry
          key: cargo-registry

      - uses: actions/checkout@dcd71f646680f2efd8db4afa5ad64fdcba30e748

      # Prebuild check for duplicat SIDs
      - name: Check for duplicate SIDs
        run: |
          dups=$(sed -n 's/^alert.*sid:\([[:digit:]]*\);.*/\1/p' ./rules/*.rules|sort|uniq -d|tr '\n' ' ')
          if [[ "${dups}" != "" ]]; then
            echo "::error::Duplicate SIDs found:${dups}"
            exit 1
          fi          

      # Download and extract dependency archives created during prep
      # job.
      - uses: actions/download-artifact@v2
        with:
          name: prep
          path: prep
      - run: tar xvf prep/libhtp.tar.gz
      - run: tar xvf prep/suricata-update.tar.gz
      - run: tar xvf prep/suricata-verify.tar.gz
      - name: Setup cbindgen
        run: |
          mkdir -p $HOME/.cargo/bin
          cp prep/cbindgen $HOME/.cargo/bin
          chmod 755 $HOME/.cargo/bin/cbindgen
          echo "$HOME/.cargo/bin" >> $GITHUB_PATH          
      - name: Install system packages
        run: |
          yum -y install dnf-plugins-core
          yum config-manager --set-enabled powertools
          yum -y install \
                autoconf \
                automake \
                cargo-vendor \
                diffutils \
                file-devel \
                gcc \
                gcc-c++ \
                git \
                jansson-devel \
                jq \
                lua-devel \
                libtool \
                libyaml-devel \
                libnfnetlink-devel \
                libnetfilter_queue-devel \
                libnet-devel \
                libcap-ng-devel \
                libevent-devel \
                libmaxminddb-devel \
                libpcap-devel \
                libtool \
                lz4-devel \
                make \
                nss-devel \
                pcre-devel \
                pkgconfig \
                python3-devel \
                python3-sphinx \
                python3-yaml \
                rust-toolset \
                sudo \
                which \
                zlib-devel
          # These packages required to build the PDF.
          yum -y install \
                texlive-latex \
                texlive-cmap \
                texlive-collection-latexrecommended \
                texlive-fncychap \
                texlive-titlesec \
                texlive-tabulary \
                texlive-framed \
                texlive-wrapfig \
                texlive-upquote \
                texlive-capt-of \
                texlive-needspace          
      - name: Configuring
        run: |
          ./autogen.sh
          CFLAGS="${DEFAULT_CFLAGS}" ./configure          
      - run: make -j2 distcheck
        env:
          DISTCHECK_CONFIGURE_FLAGS: "--enable-unittests --enable-debug --enable-lua --enable-geoip --enable-profiling --enable-profiling-locks"
      - run: test -e doc/userguide/suricata.1
      - name: Building Rust documentation
        run: make doc
        working-directory: rust
      - run: make install
      - run: suricatasc -h
      - run: suricata-update -V
      - name: Preparing distribution
        run: |
          mkdir dist
          mv suricata-*.tar.gz dist          
      - uses: actions/upload-artifact@v1
        name: Uploading distribution
        with:
          name: dist
          path: dist

  centos-7:
    name: CentOS 7
    runs-on: ubuntu-latest
    container: centos:7
    needs: [prepare-deps, alma-8]
    steps:
      - name: Install system dependencies
        run: |
          yum -y install epel-release
          yum -y install \
                autoconf \
                automake \
                cargo \
                diffutils \
                file-devel \
                gcc \
                gcc-c++ \
                jansson-devel \
                jq \
                lua-devel \
                libtool \
                libyaml-devel \
                libnfnetlink-devel \
                libnetfilter_queue-devel \
                libnet-devel \
                libcap-ng-devel \
                libevent-devel \
                libmaxminddb-devel \
                libpcap-devel \
                lz4-devel \
                make \
                nss-devel \
                pcre-devel \
                pkgconfig \
                python36-PyYAML \
                rust \
                sudo \
                which \
                zlib-devel          
      - name: Download suricata.tar.gz
        uses: actions/download-artifact@v2
        with:
          name: dist
      - run: tar zxvf suricata-*.tar.gz --strip-components=1
      # This isn't really needed as we are building from a prepared
      # package, but some package managers like RPM and Debian like to
      # run this command even on prepared packages, so make sure it
      # works.
      - name: Test autoreconf
        run: autoreconf -fv --install
      - run: CFLAGS="${DEFAULT_CFLAGS}" ./configure
      - run: make -j2
      - run: make install
      - run: make install-conf
      - run: make distcheck
      - run: make clean
      - run: make -j2
      - run: suricata-update -V
      - run: suricatasc -h

  # Fedora 38 build using Clang.
  fedora-38-clang:
    name: Fedora 38 (clang, debug, asan, wshadow, rust-strict, systemd)
    runs-on: ubuntu-latest
    container: fedora:38
    needs: [prepare-deps]
    steps:

      # Cache Rust stuff.
      - name: Cache cargo registry
        uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7
        with:
          path: ~/.cargo
          key: ${{ github.job }}-cargo

      - name: Cache RPMs
        uses: actions/cache@v3
        with:
          path: /var/cache/dnf
          key: ${{ github.job }}-dnf
      - run: echo "keepcache=1" >> /etc/dnf/dnf.conf

      - run: |
          dnf -y install \
                autoconf \
                automake \
                cargo \
                cbindgen \
                ccache \
                clang \
                diffutils \
                file-devel \
                gcc \
                gcc-c++ \
                git \
                hiredis-devel \
                jansson-devel \
                jq \
                lua-devel \
                libasan \
                libtool \
                libyaml-devel \
                libnfnetlink-devel \
                libnetfilter_queue-devel \
                libnet-devel \
                libcap-ng-devel \
                libevent-devel \
                libmaxminddb-devel \
                libpcap-devel \
                libxdp-devel \
                libbpf-devel \
                libtool \
                lz4-devel \
                make \
                nss-softokn-devel \
                pcre-devel \
                pkgconfig \
                python3-yaml \
                sudo \
                systemd-devel \
                which \
                zlib-devel          
      - uses: actions/checkout@v3.3.0
      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a
        with:
          name: prep
          path: prep
      - run: tar xf prep/libhtp.tar.gz
      - run: tar xf prep/suricata-update.tar.gz
      - run: ./autogen.sh
      - run: CC="clang" CFLAGS="$DEFAULT_CFLAGS -Wshadow -fsanitize=address -fno-omit-frame-pointer" ./configure --enable-debug --enable-unittests --disable-shared --enable-rust-strict --enable-hiredis --enable-nfqueue --enable-lua
        env:
          LDFLAGS: "-fsanitize=address"
          ac_cv_func_realloc_0_nonnull: "yes"
          ac_cv_func_malloc_0_nonnull: "yes"
      - run: make -j2
      - run: ASAN_OPTIONS="detect_leaks=0" ./src/suricata -u -l .
      - name: Extracting suricata-verify
        run: tar xf prep/suricata-verify.tar.gz
      - name: Running suricata-verify
        run: python3 ./suricata-verify/run.py -q
      # Now install and make sure headers and libraries aren't
      # installed until requested.
      - run: make install
      - run: suricata-update -V
      - run: suricatasc -h

  # Fedora 38 build using GCC.
  fedora-38-gcc:
    name: Fedora 38 (gcc, debug, asan, wshadow, rust-strict)
    runs-on: ubuntu-latest
    container: fedora:38
    needs: [prepare-deps]
    steps:

      # Cache Rust stuff.
      - name: Cache cargo registry
        uses: actions/cache@fd5de65bc895cf536527842281bea11763fefd77
        with:
          path: ~/.cargo/registry
          key: cargo-registry

      - run: |
          dnf -y install \
                autoconf \
                automake \
                cargo \
                cbindgen \
                ccache \
                diffutils \
                file-devel \
                gcc \
                gcc-c++ \
                git \
                hiredis-devel \
                jansson-devel \
                jq \
                lua-devel \
                libasan \
                libtool \
                libyaml-devel \
                libnfnetlink-devel \
                libnetfilter_queue-devel \
                libnet-devel \
                libcap-ng-devel \
                libevent-devel \
                libmaxminddb-devel \
                libpcap-devel \
                libtool \
                lz4-devel \
                make \
                nss-softokn-devel \
                pcre-devel \
                pkgconfig \
                python3-yaml \
                sudo \
                which \
                zlib-devel          
      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
      - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
        with:
          name: prep
          path: prep
      - run: tar xf prep/libhtp.tar.gz
      - run: tar xf prep/suricata-update.tar.gz
      - run: ./autogen.sh
      - run: ./configure --enable-debug --enable-unittests --disable-shared --enable-rust-strict --enable-hiredis --enable-nfqueue
        env:
          CFLAGS: "${{ env.DEFAULT_CFLAGS }} -Wshadow -fsanitize=address -fno-omit-frame-pointer"
          LDFLAGS: "-fsanitize=address"
          ac_cv_func_realloc_0_nonnull: "yes"
          ac_cv_func_malloc_0_nonnull: "yes"
      - run: make -j2
      - run: ASAN_OPTIONS="detect_leaks=0" ./src/suricata -u -l .
      - name: Extracting suricata-verify
        run: tar xf prep/suricata-verify.tar.gz
      - name: Running suricata-verify
        run: python3 ./suricata-verify/run.py -q
      - run: make install
      - run: suricata-update -V
      - run: suricatasc -h

  # Fedora 37 build using Clang.
  fedora-37-clang:
    name: Fedora 37 (clang, debug, asan, wshadow, rust-strict, systemd)
    runs-on: ubuntu-latest
    container: fedora:37
    needs: [prepare-deps, prepare-cbindgen]
    steps:

      # Cache Rust stuff.
      - name: Cache cargo registry
        uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7
        with:
          path: ~/.cargo
          key: ${{ github.job }}-cargo

      - name: Cache RPMs
        uses: actions/cache@v3
        with:
          path: /var/cache/dnf
          key: ${{ github.job }}-dnf
      - run: echo "keepcache=1" >> /etc/dnf/dnf.conf

      - run: |
          dnf -y install \
                autoconf \
                automake \
                cargo \
                ccache \
                clang \
                diffutils \
                file-devel \
                gcc \
                gcc-c++ \
                git \
                hiredis-devel \
                jansson-devel \
                jq \
                lua-devel \
                libasan \
                libtool \
                libyaml-devel \
                libnfnetlink-devel \
                libnetfilter_queue-devel \
                libnet-devel \
                libcap-ng-devel \
                libevent-devel \
                libmaxminddb-devel \
                libpcap-devel \
                libxdp-devel \
                libbpf-devel \
                libtool \
                lz4-devel \
                make \
                nss-softokn-devel \
                pcre-devel \
                pkgconfig \
                python3-yaml \
                sudo \
                systemd-devel \
                which \
                zlib-devel          
      - uses: actions/checkout@v3.3.0
      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a
        with:
          name: prep
          path: prep
      - run: tar xf prep/libhtp.tar.gz
      - run: tar xf prep/suricata-update.tar.gz
      - name: Setup cbindgen
        run: |
          mkdir -p $HOME/.cargo/bin
          cp prep/cbindgen $HOME/.cargo/bin
          chmod 755 $HOME/.cargo/bin/cbindgen
          echo "$HOME/.cargo/bin" >> $GITHUB_PATH          
      - run: ./autogen.sh
      - run: CC="clang" CFLAGS="$DEFAULT_CFLAGS -Wshadow -fsanitize=address -fno-omit-frame-pointer" ./configure --enable-debug --enable-unittests --disable-shared --enable-rust-strict --enable-hiredis --enable-nfqueue --enable-lua
        env:
          LDFLAGS: "-fsanitize=address"
          ac_cv_func_realloc_0_nonnull: "yes"
          ac_cv_func_malloc_0_nonnull: "yes"
      - run: make -j2
      - run: ASAN_OPTIONS="detect_leaks=0" ./src/suricata -u -l .
      - name: Extracting suricata-verify
        run: tar xf prep/suricata-verify.tar.gz
      - name: Running suricata-verify
        run: python3 ./suricata-verify/run.py -q
      - run: make install
      - run: suricata-update -V
      - run: suricatasc -h

  # Fedora 37 build using GCC.
  fedora-37-gcc:
    name: Fedora 37 (gcc, debug, asan, wshadow, rust-strict)
    runs-on: ubuntu-latest
    container: fedora:37
    needs: [prepare-deps, prepare-cbindgen]
    steps:

      # Cache Rust stuff.
      - name: Cache cargo registry
        uses: actions/cache@fd5de65bc895cf536527842281bea11763fefd77
        with:
          path: ~/.cargo/registry
          key: cargo-registry

      - run: |
          dnf -y install \
                autoconf \
                automake \
                cargo \
                ccache \
                diffutils \
                file-devel \
                gcc \
                gcc-c++ \
                git \
                hiredis-devel \
                jansson-devel \
                jq \
                lua-devel \
                libasan \
                libtool \
                libyaml-devel \
                libnfnetlink-devel \
                libnetfilter_queue-devel \
                libnet-devel \
                libcap-ng-devel \
                libevent-devel \
                libmaxminddb-devel \
                libpcap-devel \
                libtool \
                lz4-devel \
                make \
                nss-softokn-devel \
                pcre-devel \
                pkgconfig \
                python3-yaml \
                sudo \
                which \
                zlib-devel          
      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
      - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
        with:
          name: prep
          path: prep
      - run: tar xf prep/libhtp.tar.gz
      - run: tar xf prep/suricata-update.tar.gz
      - name: Setup cbindgen
        run: |
          mkdir -p $HOME/.cargo/bin
          cp prep/cbindgen $HOME/.cargo/bin
          chmod 755 $HOME/.cargo/bin/cbindgen
          echo "$HOME/.cargo/bin" >> $GITHUB_PATH          
      - run: ./autogen.sh
      - run: ./configure --enable-debug --enable-unittests --disable-shared --enable-rust-strict --enable-hiredis --enable-nfqueue
        env:
          CFLAGS: "${{ env.DEFAULT_CFLAGS }} -Wshadow -fsanitize=address -fno-omit-frame-pointer"
          LDFLAGS: "-fsanitize=address"
          ac_cv_func_realloc_0_nonnull: "yes"
          ac_cv_func_malloc_0_nonnull: "yes"
      - run: make -j2
      - run: ASAN_OPTIONS="detect_leaks=0" ./src/suricata -u -l .
      - name: Extracting suricata-verify
        run: tar xf prep/suricata-verify.tar.gz
      - name: Running suricata-verify
        run: python3 ./suricata-verify/run.py -q
      - run: make install
      - run: suricata-update -V
      - run: suricatasc -h

  fedora-36:
    name: Fedora 36 (debug, clang, asan, wshadow, rust-strict)
    runs-on: ubuntu-latest
    container: fedora:36
    needs: [prepare-deps, prepare-cbindgen]
    steps:

      # Cache Rust stuff.
      - name: Cache cargo registry
        uses: actions/cache@v1
        with:
          path: ~/.cargo/registry
          key: cargo-registry

      - run: |
          dnf -y install \
                autoconf \
                automake \
                cargo \
                ccache \
                clang \
                diffutils \
                file-devel \
                gcc \
                gcc-c++ \
                git \
                hiredis-devel \
                jansson-devel \
                jq \
                lua-devel \
                libasan \
                libtool \
                libyaml-devel \
                libnfnetlink-devel \
                libnetfilter_queue-devel \
                libnet-devel \
                libcap-ng-devel \
                libevent-devel \
                libmaxminddb-devel \
                libpcap-devel \
                libtool \
                lz4-devel \
                make \
                nspr-devel \
                nss-devel \
                nss-softokn-devel \
                pcre-devel \
                pkgconfig \
                python3-yaml \
                sudo \
                which \
                zlib-devel          
      - uses: actions/checkout@dcd71f646680f2efd8db4afa5ad64fdcba30e748
      - uses: actions/download-artifact@v2
        with:
          name: prep
          path: prep
      - run: tar xf prep/libhtp.tar.gz
      - run: tar xf prep/suricata-update.tar.gz
      - name: Setup cbindgen
        run: |
          mkdir -p $HOME/.cargo/bin
          cp prep/cbindgen $HOME/.cargo/bin
          chmod 755 $HOME/.cargo/bin/cbindgen
          echo "$HOME/.cargo/bin" >> $GITHUB_PATH          
      - run: ./autogen.sh
      - run: CC="clang" CFLAGS="$DEFAULT_CFLAGS -Wshadow -fsanitize=address -fno-omit-frame-pointer" ./configure --enable-debug --enable-unittests --disable-shared --enable-rust-strict --enable-hiredis
        env:
          ac_cv_func_realloc_0_nonnull: "yes"
          ac_cv_func_malloc_0_nonnull: "yes"
      - run: make -j2
      - run: ASAN_OPTIONS="detect_leaks=0" ./src/suricata -u -l .
      - name: Extracting suricata-verify
        run: tar xf prep/suricata-verify.tar.gz
      - name: Running suricata-verify
        run: python3 ./suricata-verify/run.py
      - run: make install
      - run: suricata-update -V
      - run: suricatasc -h

  ubuntu-20-04:
    name: Ubuntu 20.04 (no nss, no nspr)
    runs-on: ubuntu-latest
    container: ubuntu:20.04
    needs: [prepare-deps, prepare-cbindgen]
    steps:
      - name: Install dependencies
        run: |
          apt update
          apt -y install \
                libpcre3 \
                libpcre3-dev \
                build-essential \
                autoconf \
                automake \
                cargo \
                git \
                jq \
                libtool \
                libpcap-dev \
                libnet1-dev \
                libyaml-0-2 \
                libyaml-dev \
                libcap-ng-dev \
                libcap-ng0 \
                libmagic-dev \
                libnetfilter-queue-dev \
                libnetfilter-queue1 \
                libnfnetlink-dev \
                libnfnetlink0 \
                libhiredis-dev \
                libjansson-dev \
                libevent-dev \
                libevent-pthreads-2.1-7 \
                libjansson-dev \
                libpython2.7 \
                make \
                parallel \
                python3-yaml \
                rustc \
                software-properties-common \
                zlib1g \
                zlib1g-dev \
                exuberant-ctags          
      - uses: actions/checkout@dcd71f646680f2efd8db4afa5ad64fdcba30e748
      - uses: actions/download-artifact@v2
        with:
          name: prep
          path: prep
      - run: tar xf prep/libhtp.tar.gz
      - name: Setup cbindgen
        run: |
          mkdir -p $HOME/.cargo/bin
          cp prep/cbindgen $HOME/.cargo/bin
          chmod 755 $HOME/.cargo/bin/cbindgen
          echo "$HOME/.cargo/bin" >> $GITHUB_PATH          
      - run: ./autogen.sh
      - run: CFLAGS="${DEFAULT_CFLAGS}" ./configure --enable-unittests --disable-nss --disable-nspr
      - run: make -j2
      - run: make dist
      - name: Extracting suricata-verify
        run: tar xf prep/suricata-verify.tar.gz
      - name: Running suricata-verify
        run: python3 ./suricata-verify/run.py

  ubuntu-20-04-ndebug:
    name: Ubuntu 20.04 (-DNDEBUG)
    runs-on: ubuntu-latest
    container: ubuntu:20.04
    needs: [prepare-deps, prepare-cbindgen]
    steps:

      - name: Install dependencies
        run: |
          apt update
          apt -y install \
                build-essential \
                autoconf \
                automake \
                cargo \
                git \
                jq \
                libtool \
                libpcap-dev \
                libnet1-dev \
                libyaml-0-2 \
                libyaml-dev \
                libcap-ng-dev \
                libcap-ng0 \
                libmagic-dev \
                libnetfilter-queue-dev \
                libnetfilter-queue1 \
                libnfnetlink-dev \
                libnfnetlink0 \
                libhiredis-dev \
                libjansson-dev \
                libevent-dev \
                libevent-pthreads-2.1-7 \
                libjansson-dev \
                libpython2.7 \
                libpcre3 \
                libpcre3-dev \
                make \
                parallel \
                python3-yaml \
                rustc \
                software-properties-common \
                zlib1g \
                zlib1g-dev \
                exuberant-ctags          
      - uses: actions/checkout@dcd71f646680f2efd8db4afa5ad64fdcba30e748
      - uses: actions/download-artifact@v2
        with:
          name: prep
          path: prep
      - run: tar xf prep/libhtp.tar.gz
      - run: tar xf prep/suricata-update.tar.gz
      - name: Setup cbindgen
        run: |
          mkdir -p $HOME/.cargo/bin
          cp prep/cbindgen $HOME/.cargo/bin
          chmod 755 $HOME/.cargo/bin/cbindgen
          echo "$HOME/.cargo/bin" >> $GITHUB_PATH          
      - run: ./autogen.sh
      - run: CFLAGS="$DEFAULT_CFLAGS -DNDEBUG" ./configure --enable-unittests --enable-http2-decompression
      - run: make -j2
      - run: make check
      - run: make dist
      - name: Extracting suricata-verify
        run: tar xf prep/suricata-verify.tar.gz
      - name: Running suricata-verify
        run: python3 ./suricata-verify/run.py
      - run: make install
      - run: suricata-update -V
      - run: suricatasc -h

  ubuntu-20-04-too-old-rust:
    name: Ubuntu 20.04 (unsupported rust)
    runs-on: ubuntu-latest
    container: ubuntu:20.04
    needs: alma-8
    steps:
      - name: Install dependencies
        run: |
          apt update
          apt -y install \
                build-essential \
                curl \
                libtool \
                libpcap-dev \
                libnet1-dev \
                libyaml-0-2 \
                libyaml-dev \
                libcap-ng-dev \
                libcap-ng0 \
                libmagic-dev \
                libnetfilter-queue-dev \
                libnetfilter-queue1 \
                libnfnetlink-dev \
                libnfnetlink0 \
                libhiredis-dev \
                libjansson-dev \
                libevent-dev \
                libevent-pthreads-2.1-7 \
                libjansson-dev \
                libpython2.7 \
                libpcre3 \
                libpcre3-dev \
                make \
                python3-yaml \
                software-properties-common \
                zlib1g \
                zlib1g-dev \          
      - run: curl https://sh.rustup.rs -sSf | sh -s -- --default-toolchain 1.33.0 -y
      - run: echo "$HOME/.cargo/bin" >> $GITHUB_PATH
      - name: Download suricata.tar.gz
        uses: actions/download-artifact@v2
        with:
          name: dist
      - run: tar zxvf suricata-*.tar.gz --strip-components=1
      - run: |
          if ./configure; then
            echo "error: configure should have failed"
            exit 1
          else
            exit 0
          fi          

  ubuntu-22-04-debug-validation:
    name: Ubuntu 22.04 (Debug Validation)
    runs-on: ubuntu-22.04
    container: ubuntu:22.04
    needs: [prepare-deps, prepare-cbindgen]
    steps:

      # Cache Rust stuff.
      - name: Cache cargo registry
        uses: actions/cache@v1
        with:
          path: ~/.cargo/registry
          key: cargo-registry

      - name: Install dependencies
        run: |
          apt update
          apt -y install \
                libpcre3 \
                libpcre3-dev \
                build-essential \
                autoconf \
                automake \
                cargo \
                git \
                jq \
                libtool \
                libpcap-dev \
                libnet1-dev \
                libyaml-0-2 \
                libyaml-dev \
                libcap-ng-dev \
                libcap-ng0 \
                libmagic-dev \
                libnetfilter-queue-dev \
                libnetfilter-queue1 \
                libnfnetlink-dev \
                libnfnetlink0 \
                libhiredis-dev \
                libjansson-dev \
                libevent-dev \
                libevent-pthreads-2.1-7 \
                libjansson-dev \
                libpython2.7 \
                make \
                parallel \
                python3-yaml \
                rustc \
                software-properties-common \
                zlib1g \
                zlib1g-dev \
                exuberant-ctags          
      - uses: actions/checkout@dcd71f646680f2efd8db4afa5ad64fdcba30e748
      - uses: actions/download-artifact@v2
        with:
          name: prep
          path: prep
      - run: tar xf prep/libhtp.tar.gz
      - name: Setup cbindgen
        run: |
          mkdir -p $HOME/.cargo/bin
          cp prep/cbindgen $HOME/.cargo/bin
          chmod 755 $HOME/.cargo/bin/cbindgen
          echo "$HOME/.cargo/bin" >> $GITHUB_PATH          
      - run: ./autogen.sh
      - run: CFLAGS="${DEFAULT_CFLAGS}" ./configure --enable-debug-validation
      - run: make -j2
      - run: make check
      - name: Extracting suricata-verify
        run: tar xf prep/suricata-verify.tar.gz
      - name: Running suricata-verify
        run: python3 ./suricata-verify/run.py

  ubuntu-22-04:
    name: Ubuntu 22.04 (Cocci)
    runs-on: ubuntu-22.04
    container: ubuntu:22.04
    needs: [prepare-deps, prepare-cbindgen]
    steps:

      # Cache Rust stuff.
      - name: Cache cargo registry
        uses: actions/cache@v1
        with:
          path: ~/.cargo/registry
          key: cargo-registry

      - name: Install dependencies
        run: |
          apt update
          apt -y install \
                libpcre3 \
                libpcre3-dev \
                build-essential \
                autoconf \
                automake \
                cargo \
                git \
                jq \
                libtool \
                libpcap-dev \
                libnet1-dev \
                libyaml-0-2 \
                libyaml-dev \
                libcap-ng-dev \
                libcap-ng0 \
                libmagic-dev \
                libnetfilter-queue-dev \
                libnetfilter-queue1 \
                libnfnetlink-dev \
                libnfnetlink0 \
                libhiredis-dev \
                libjansson-dev \
                libevent-dev \
                libevent-pthreads-2.1-7 \
                libjansson-dev \
                libpython2.7 \
                libpython3.10 \
                make \
                parallel \
                python3-yaml \
                python-is-python3 \
                rustc \
                software-properties-common \
                zlib1g \
                zlib1g-dev \
                exuberant-ctags          
      - name: Install packages for generating documentation
        run: |
          DEBIAN_FRONTEND=noninteractive apt -y install \
                sphinx-doc \
                sphinx-common \
                texlive-latex-base \
                texlive-fonts-recommended \
                texlive-fonts-extra \
                texlive-latex-extra          
      - name: Install Coccinelle
        run: |
          add-apt-repository -y ppa:npalix/coccinelle
          apt -y install coccinelle          
      - uses: actions/checkout@dcd71f646680f2efd8db4afa5ad64fdcba30e748
      - uses: actions/download-artifact@v2
        with:
          name: prep
          path: prep
      - run: tar xf prep/libhtp.tar.gz
      - name: Setup cbindgen
        run: |
          mkdir -p $HOME/.cargo/bin
          cp prep/cbindgen $HOME/.cargo/bin
          chmod 755 $HOME/.cargo/bin/cbindgen
          echo "$HOME/.cargo/bin" >> $GITHUB_PATH          
      - run: ./autogen.sh
      - run: CFLAGS="${DEFAULT_CFLAGS}" ./configure --enable-unittests --enable-coccinelle
      - run: make -j2
      - run: make tags
      - name: Running unit tests and cocci checks
        # Set the concurrency level for cocci.
        run: CONCURRENCY_LEVEL=2 make check
      - run: make dist
      - name: Checking that documentation was built
        run: |
          test -e doc/devguide/devguide.pdf
          test -e doc/userguide/userguide.pdf
          test -e doc/userguide/suricata.1          
      - name: Extracting suricata-verify
        run: tar xf prep/suricata-verify.tar.gz
      - name: Running suricata-verify
        run: python3 ./suricata-verify/run.py

  # test build with afl and fuzztargets
  ubuntu-22-04-fuzz:
    name: Ubuntu 22.04 (Fuzz)
    runs-on: ubuntu-22.04
    container: ubuntu:22.04
    needs: [prepare-deps, prepare-cbindgen]
    steps:

      # Cache Rust stuff.
      - name: Cache cargo registry
        uses: actions/cache@v1
        with:
          path: ~/.cargo/registry
          key: cargo-registry

      - name: Install dependencies
        run: |
          apt update
          apt -y install \
                afl \
                afl-clang \
                libpcre3 \
                libpcre3-dev \
                build-essential \
                autoconf \
                automake \
                cargo \
                git \
                libtool \
                libpcap-dev \
                libnet1-dev \
                libyaml-0-2 \
                libyaml-dev \
                libcap-ng-dev \
                libcap-ng0 \
                libmagic-dev \
                libnetfilter-queue-dev \
                libnetfilter-queue1 \
                libnfnetlink-dev \
                libnfnetlink0 \
                libhiredis-dev \
                libjansson-dev \
                libjansson-dev \
                libpython2.7 \
                make \
                rustc \
                software-properties-common \
                zlib1g \
                zlib1g-dev          
      - run: echo "$HOME/.cargo/bin" >> $GITHUB_PATH
      - uses: actions/checkout@dcd71f646680f2efd8db4afa5ad64fdcba30e748
      - uses: actions/download-artifact@v2
        with:
          name: prep
          path: prep
      - run: tar xf prep/libhtp.tar.gz
      - name: Setup cbindgen
        run: |
          mkdir -p $HOME/.cargo/bin
          cp prep/cbindgen $HOME/.cargo/bin
          chmod 755 $HOME/.cargo/bin/cbindgen
          echo "$HOME/.cargo/bin" >> $GITHUB_PATH      - run: tar xf prep/libhtp.tar.gz          
      - run: ./autogen.sh
      - run: AFL_HARDEN=1 ac_cv_func_realloc_0_nonnull=yes ac_cv_func_malloc_0_nonnull=yes CFLAGS="-fsanitize=address -fno-omit-frame-pointer" CXXFLAGS=$CFLAGS CC=afl-clang-fast CXX=afl-clang-fast++ ./configure --enable-fuzztargets --disable-shared
      - run: AFL_HARDEN=1 make -j2

  # An Ubuntu 20.04 build using the tarball generated in the CentOS 8
  # build above also testing the minimum supported Rust version.
  ubuntu-20-04-msrv:
    name: Ubuntu 20.04 (MSRV)
    runs-on: ubuntu-latest
    container: ubuntu:20.04
    needs: alma-8
    steps:
      - name: Install dependencies
        run: |
          apt update
          apt -y install \
                build-essential \
                curl \
                libcap-ng-dev \
                libcap-ng0 \
                libevent-dev \
                libhiredis-dev \
                libjansson-dev \
                libmagic-dev \
                libnet1-dev \
                libnetfilter-queue-dev \
                libnetfilter-queue1 \
                libnfnetlink-dev \
                libnfnetlink0 \
                libnss3-dev \
                libpcre3 \
                libpcre3-dev \
                libpcap-dev \
                libyaml-0-2 \
                libyaml-dev \
                make \
                python3-distutils \
                python3-yaml \
                zlib1g \
                zlib1g-dev          
      - name: Install Rust
        run: curl https://sh.rustup.rs -sSf | sh -s -- --default-toolchain ${RUST_VERSION_MIN} -y
      - run: echo "$HOME/.cargo/bin" >> $GITHUB_PATH
      - name: Download suricata.tar.gz
        uses: actions/download-artifact@v2
        with:
          name: dist
      - name: Extract
        run: tar zxvf suricata-*.tar.gz --strip-components=1
      - name: Configure
        run: CFLAGS="${DEFAULT_CFLAGS}" ./configure
      - name: Build
        run: make -j2
      - name: Testing
        run: make check
      - run: make install
      - run: make install-conf
      - run: make install-rules

  debian-10:
    name: Debian 10
    runs-on: ubuntu-latest
    container: debian:10
    needs: [prepare-deps, prepare-cbindgen]
    steps:
      # Cache Rust stuff.
      - name: Cache cargo registry
        uses: actions/cache@v1
        with:
          path: ~/.cargo/registry
          key: cargo-registry

      - run: |
          apt update
          apt -y install \
                automake \
                autoconf \
                build-essential \
                ccache \
                curl \
                git \
                gosu \
                jq \
                libpcre3 \
                libpcre3-dbg \
                libpcre3-dev \
                libpcap-dev   \
                libnet1-dev \
                libyaml-0-2 \
                libyaml-dev \
                libcap-ng-dev \
                libcap-ng0 \
                libmagic-dev \
                libjansson-dev \
                libnss3-dev \
                libgeoip-dev \
                liblua5.1-dev \
                libhiredis-dev \
                libevent-dev \
                libtool \
                m4 \
                make \
                python3-yaml \
                pkg-config \
                sudo \
                zlib1g \
                zlib1g-dev          
      - name: Install Rust
        run: curl https://sh.rustup.rs -sSf | sh -s -- --default-toolchain $RUST_VERSION_KNOWN -y
      - run: echo "$HOME/.cargo/bin" >> $GITHUB_PATH
      - uses: actions/checkout@dcd71f646680f2efd8db4afa5ad64fdcba30e748
      - uses: actions/download-artifact@v2
        with:
          name: prep
          path: prep
      - run: tar xf prep/libhtp.tar.gz
      - run: tar xf prep/suricata-update.tar.gz
      - name: Setup cbindgen
        run: |
          mkdir -p $HOME/.cargo/bin
          cp prep/cbindgen $HOME/.cargo/bin
          chmod 755 $HOME/.cargo/bin/cbindgen          
      - run: ./autogen.sh
      - run: CFLAGS="${DEFAULT_CFLAGS}" ./configure --enable-unittests --enable-fuzztargets
      - run: make -j2
      - run: make check
      - run: tar xf prep/suricata-verify.tar.gz
      - name: Running suricata-verify
        run: python3 ./suricata-verify/run.py
      - run: make install
      - run: suricata-update -V
      - run: suricatasc -h

  macos-latest:
    name: MacOS Latest
    # use 10.15 for now. Build fails on macos-11 (aka macos-latest)
    runs-on: macos-10.15
    needs: [prepare-deps]
    steps:
      # Cache Rust stuff.
      - name: Cache cargo registry
        uses: actions/cache@v1
        with:
          path: ~/.cargo/registry
          key: cargo-registry
      - run: |
         brew install \
          autoconf \
          automake \
          curl \
          hiredis \
          jansson \
          jq \
          libmagic \
          libnet \
          libtool \
          libyaml \
          lua \
          nss \
          nspr \
          pcre \
          pkg-config \
          python \
          rust \
          xz         
      - name: Install cbindgen
        run: cargo install --force --debug --version 0.14.1 cbindgen
      - run: echo "$HOME/.cargo/bin" >> $GITHUB_PATH
      - run: pip3 install PyYAML
      - uses: actions/checkout@dcd71f646680f2efd8db4afa5ad64fdcba30e748
      - name: Downloading prep archive
        uses: actions/download-artifact@v2
        with:
          name: prep
          path: prep
      - run: tar xvf prep/libhtp.tar.gz
      - run: tar xvf prep/suricata-update.tar.gz
      - run: ./autogen.sh
      - run: CFLAGS="${DEFAULT_CFLAGS}" ./configure --enable-unittests
      - run: make -j2
      - run: make check
      - run: tar xf prep/suricata-verify.tar.gz
      - name: Running suricata-verify
        run: python3 ./suricata-verify/run.py
      - run: make install
      - run: suricata-update -V
      - run: suricatasc -h

  windows-msys2-mingw64-npcap:
    name: Windows MSYS2 MINGW64 (NPcap)
    runs-on: windows-latest
    needs: [prepare-deps]
    defaults:
      run:
        shell: msys2 {0}
    steps:
      - uses: actions/checkout@dcd71f646680f2efd8db4afa5ad64fdcba30e748
      - uses: msys2/setup-msys2@v2
        with:
          msystem: MINGW64
          update: true
          install: git mingw-w64-x86_64-toolchain automake1.16 automake-wrapper autoconf libtool libyaml-devel pcre-devel jansson-devel make mingw-w64-x86_64-libyaml mingw-w64-x86_64-pcre mingw-w64-x86_64-rust mingw-w64-x86_64-jansson mingw-w64-x86_64-nss mingw-w64-x86_64-nspr unzip p7zip python-setuptools mingw-w64-x86_64-python-yaml mingw-w64-x86_64-jq
      # hack: install our own cbindgen system wide as we can't get the
      # preinstalled one to be picked up by configure
      - name: cbindgen
        run: cargo install --root /usr --force --debug --version 0.14.1 cbindgen
      - uses: actions/checkout@dcd71f646680f2efd8db4afa5ad64fdcba30e748
      - uses: actions/download-artifact@v2
        with:
          name: prep
          path: prep
      - run: tar xf prep/libhtp.tar.gz
      - run: tar xf prep/suricata-update.tar.gz
      - name: Npcap DLL
        run: |
          curl -sL -O https://nmap.org/npcap/dist/npcap-1.00.exe
          7z -y x -o/npcap-bin npcap-1.00.exe
          # hack: place dlls in cwd
          cp /npcap-bin/*.dll .          
      - name: Npcap SDK
        run: |
          curl -sL -O https://nmap.org/npcap/dist/npcap-sdk-1.06.zip
          unzip npcap-sdk-1.06.zip -d /npcap
          cp /npcap/Lib/x64/* /usr/lib/          
      - run: tar xf prep/suricata-verify.tar.gz
      - name: Build
        run: |
          ./autogen.sh
          CFLAGS="-ggdb -Werror" ./configure --enable-unittests --enable-gccprotect --disable-gccmarch-native --disable-shared --with-libpcap-includes=/npcap/Include --with-libpcap-libraries=/npcap/Lib/x64
          make -j3          
      - name: Run
        run: |
          ./src/suricata --build-info
          ./src/suricata -u -l /tmp/
          # need cwd in path due to npcap dlls (see above)
          PATH="$PATH:$(pwd)" python3 ./suricata-verify/run.py          
      - run: make install
      - run: suricata-update -V

  windows-msys2-mingw64-libpcap:
    name: Windows MSYS2 MINGW64 (libpcap)
    runs-on: windows-latest
    needs: [prepare-deps]
    defaults:
      run:
        shell: msys2 {0}
    steps:
      - uses: actions/checkout@v2
      - uses: msys2/setup-msys2@v2
        with:
          msystem: MINGW64
          update: true
          install: git mingw-w64-x86_64-toolchain automake1.16 automake-wrapper autoconf libtool libyaml-devel pcre-devel jansson-devel make mingw-w64-x86_64-libyaml mingw-w64-x86_64-pcre mingw-w64-x86_64-rust mingw-w64-x86_64-jansson unzip p7zip python-setuptools mingw-w64-x86_64-python-yaml mingw-w64-x86_64-jq mingw-w64-x86_64-libxml2 libpcap-devel mingw-w64-x86_64-libpcap
      # hack: install our own cbindgen system wide as we can't get the
      # preinstalled one to be picked up by configure
      - name: cbindgen
        run: cargo install --root /usr --force --debug --version 0.14.1 cbindgen
      - uses: actions/checkout@v2
      - uses: actions/download-artifact@v2
        with:
          name: prep
          path: prep
      - run: tar xf prep/libhtp.tar.gz
      - run: tar xf prep/suricata-update.tar.gz
      - run: tar xf prep/suricata-verify.tar.gz
      - name: Build
        run: |
          ./autogen.sh
          CFLAGS="-ggdb -Werror" ./configure --enable-unittests --enable-gccprotect --disable-gccmarch-native --disable-shared --with-libpcap-includes=/npcap/Include --with-libpcap-libraries=/npcap/Lib/x64
          make -j3          
      - name: Run
        run: |
          ./src/suricata --build-info
          ./src/suricata -u -l /tmp/
          python3 ./suricata-verify/run.py -q          

  windows-msys2-mingw64-windivert:
    name: Windows MSYS2 MINGW64 (WinDivert)
    runs-on: windows-latest
    needs: [prepare-deps]
    defaults:
      run:
        shell: msys2 {0}
    steps:
      - name: Cache ~/.cargo
        uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7
        with:
          path: ~/.cargo
          key: ${{ github.job }}-cargo
      - uses: actions/checkout@v3.3.0
      - uses: msys2/setup-msys2@fa138fa56e2558760b9f2205135313c7345c5f3f
        with:
          msystem: MINGW64
          update: true
          install: git mingw-w64-x86_64-toolchain automake1.16 automake-wrapper autoconf libtool libyaml-devel pcre-devel jansson-devel make mingw-w64-x86_64-libyaml mingw-w64-x86_64-pcre mingw-w64-x86_64-rust mingw-w64-x86_64-jansson unzip p7zip python-setuptools mingw-w64-x86_64-python-yaml mingw-w64-x86_64-jq mingw-w64-x86_64-libxml2 libpcap-devel mingw-w64-x86_64-libpcap
      # hack: install our own cbindgen system wide as we can't get the
      # preinstalled one to be picked up by configure
      - name: cbindgen
        run: cargo install --root /usr --force --debug --version 0.24.3 cbindgen
      - uses: actions/checkout@v3.3.0
      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a
        with:
          name: prep
          path: prep
      - run: tar xf prep/libhtp.tar.gz
      - name: WinDivert
        run: |
          curl -sL -O https://github.com/basil00/Divert/releases/download/v1.4.3/WinDivert-1.4.3-A.zip
          unzip WinDivert-1.4.3-A.zip -d /windivert
          cp /windivert/WinDivert-1.4.3-A/x86_64/* /usr/lib/
          # hack: place dlls in cwd
          cp /windivert/WinDivert-1.4.3-A/x86_64/*.dll .          
      - name: Build
        run: |
          ./autogen.sh
          CFLAGS="-ggdb -Werror" ./configure --enable-gccprotect --disable-gccmarch-native --disable-shared --enable-windivert --with-windivert-include=/windivert/WinDivert-1.4.3-A/include --with-windivert-libraries=/windivert/WinDivert-1.4.3-A/x86_64
          make -j3          
      - name: Run
        run: |
          # need cwd in path due to dlls (see above)
          PATH="$PATH:$(pwd)" ./src/suricata --build-info          
      - run: make install