Task 60832491706

security: harden CI actions and subprocess calls

2026-01-19 14:41:09 completed security-hardening-ci-scripts a89391d6a6cfa53067b21566857eae8f6312905e

ccache_hitrate:1m39s
configure_duration:10s
docker_build_cached:true
docker_build_duration:27s

Commands that took longer than 1 second (total 9m2s)

line	duration	percentage	command
953	27s	4%	`docker buildx build --file=/home/admin/actions-runner/_work/bitcoin/bitcoin/ci/test_imagefile --build-arg=CI_IMAGE_NAME_TAG=mirror.gcr.io/ubuntu:24.04 --build-arg=FILE_ENV=./ci/test/00_setup_env_native_tidy.sh --build-arg=BASE_ROOT_DIR=/home/admin/actions-runner/_work/_temp --platform=linux --label=bitcoin-ci-test --tag=ci_native_tidy --cache-from type=gha,url=http://127.0.0.1:12321/,url_v2=http://127.0.0.1:12321/,scope=ci_native_tidy --load /home/admin/actions-runner/_work/bitcoin/bitcoin`
1044	1s	0%	docker run --rm --interactive --detach --tty --cap-add=LINUX_IMMUTABLE --mount=type=bind,src=/home/admin/actions-runner/_work/bitcoin/bitcoin,dst=/home/admin/actions-runner/_work/bitcoin/bitcoin,readonly --mount=type=bind,src=/home/admin/actions-runner/_work/_temp/ccache_dir,dst=/home/admin/actions-runner/_work/_temp/ccache_dir --mount=type=bind,src=/home/admin/actions-runner/_work/_temp/depends/built,dst=/home/admin/actions-runner/_work/_temp/depends/built --mount=type=bind,src=/home/admin/actions-runner/_work/_temp/depends/sources,dst=/home/admin/actions-runner/_work/_temp/depends/sources --mount=type=bind,src=/home/admin/actions-runner/_work/_temp/previous_releases,dst=/home/admin/actions-runner/_work/_temp/previous_releases --mount=type=bind,src=/home/admin/actions-runner/_work/_temp/build,dst=/home/admin/actions-runner/_work/_temp/build --env-file=/tmp/env-admin-cinativetidy --name=ci_native_tidy --network=ci-ip6net --platform=linux ci_native_tidy
1241	10s	1%	`cmake -S /home/admin/actions-runner/_work/_temp -B /home/admin/actions-runner/_work/_temp/build -DBUILD_BENCH=ON -DBUILD_FUZZ_BINARY=ON -DWERROR=ON -DCMAKE_INSTALL_PREFIX=/home/admin/actions-runner/_work/_temp/ci/scratch/out -Werror=dev -DCMAKE_EXPORT_COMPILE_COMMANDS=ON --preset dev-mode -DCMAKE_C_COMPILER=clang-21 -DCMAKE_CXX_COMPILER=clang++-21 '-DCMAKE_C_FLAGS_RELWITHDEBINFO=-O0 -g0' '-DCMAKE_CXX_FLAGS_RELWITHDEBINFO=-O0 -g0'`
1601	12s	2%	`cmake --build /home/admin/actions-runner/_work/_temp/build -j8 --target all install`
2814	2s	0%	`/home/admin/actions-runner/_work/_temp/contrib/devtools/check-deps.sh /home/admin/actions-runner/_work/_temp/build`
2846	5s	0%	`cmake --build /tidy-build -j8`
2863	7m28s	82%	`tee tmp.tidy-out.txt`
5083	7s	1%	`docker container kill 15cb56850124c8988f358f3407d1464dae0840db7d1f6b480d94db92be8153be`

Tags

security-hardening-ci-scripts