Task 60007137039

security: harden CI actions and subprocess calls

2026-01-10 13:23:35 completed security-hardening-ci-scripts 6cc01c12b2e93b5c28ec5461ba8af25a2371b59e

ccache_hitrate:1m39s
configure_duration:13s
docker_build_cached:true
docker_build_duration:6s

Commands that took longer than 1 second (total 10m6s)

line	duration	percentage	command
946	6s	0%	`docker buildx build --file=/home/admin/actions-runner/_work/bitcoin/bitcoin/ci/test_imagefile --build-arg=CI_IMAGE_NAME_TAG=mirror.gcr.io/ubuntu:24.04 --build-arg=FILE_ENV=./ci/test/00_setup_env_native_tidy.sh --build-arg=BASE_ROOT_DIR=/home/admin/actions-runner/_work/_temp --platform=linux --label=bitcoin-ci-test --tag=ci_native_tidy --cache-from type=gha,url=http://127.0.0.1:12321/,url_v2=http://127.0.0.1:12321/,scope=ci_native_tidy --load /home/admin/actions-runner/_work/bitcoin/bitcoin`
1110	2s	0%	`retry -- apt-get update`
1131	3s	0%	`retry -- apt-get install curl -y`
1482	3s	0%	`g++-13 g++-13-x86-64-linux-gnu`
1720	12s	1%	`amd64 4:13.2.0-7ubuntu1 [1100 B]`
2418	13s	2%	`(4:13.2.0-7ubuntu1) ...`
3168	1m1s	10%	`echo -n done`
3198	1s	0%	docker run --rm --interactive --detach --tty --cap-add=LINUX_IMMUTABLE --mount=type=bind,src=/home/admin/actions-runner/_work/bitcoin/bitcoin,dst=/home/admin/actions-runner/_work/bitcoin/bitcoin,readonly --mount=type=bind,src=/home/admin/actions-runner/_work/_temp/ccache_dir,dst=/home/admin/actions-runner/_work/_temp/ccache_dir --mount=type=bind,src=/home/admin/actions-runner/_work/_temp/depends/built,dst=/home/admin/actions-runner/_work/_temp/depends/built --mount=type=bind,src=/home/admin/actions-runner/_work/_temp/depends/sources,dst=/home/admin/actions-runner/_work/_temp/depends/sources --mount=type=bind,src=/home/admin/actions-runner/_work/_temp/previous_releases,dst=/home/admin/actions-runner/_work/_temp/previous_releases --mount=type=bind,src=/home/admin/actions-runner/_work/_temp/build,dst=/home/admin/actions-runner/_work/_temp/build --env-file=/tmp/env-admin-ci_native_tidy --name=ci_native_tidy --network=ci-ip6net --platform=linux ci_native_tidy
3394	13s	2%	`cmake -S /home/admin/actions-runner/_work/_temp -B /home/admin/actions-runner/_work/_temp/build -DBUILD_BENCH=ON -DBUILD_FUZZ_BINARY=ON -DWERROR=ON -DCMAKE_INSTALL_PREFIX=/home/admin/actions-runner/_work/_temp/ci/scratch/out -Werror=dev -DCMAKE_EXPORT_COMPILE_COMMANDS=ON --preset dev-mode -DCMAKE_C_COMPILER=clang-21 -DCMAKE_CXX_COMPILER=clang++-21 '-DCMAKE_C_FLAGS_RELWITHDEBINFO=-O0 -g0' '-DCMAKE_CXX_FLAGS_RELWITHDEBINFO=-O0 -g0'`
3754	13s	2%	`cmake --build /home/admin/actions-runner/_work/_temp/build -j8 --target all install`
4969	2s	0%	`/home/admin/actions-runner/_work/_temp/contrib/devtools/check-deps.sh /home/admin/actions-runner/_work/_temp/build`
5001	6s	0%	`cmake --build /tidy-build -j8`
5018	7m12s	71%	`tee tmp.tidy-out.txt`
7238	6s	0%	`docker container kill 5c87ec0b0d0902c48e02fa76b526e904ab05cc2e2275479d2c5860283256e159`

Tags

security-hardening-ci-scripts