Enable stack protection (CI release executables)

nicowilliams · nicowilliams · commit c4fa2ac607db · 2023-08-02T11:06:39.000-05:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -92,14 +92,16 @@ jobs:
             --disable-valgrind \
             --with-oniguruma=builtin \
             --enable-static \
-            --enable-all-static
+            --enable-all-static \
+            CFLAGS="-O2 -pthread -fstack-protector-all"
           make -j"$(nproc)"
           file ./jq
           cp ./jq jq-${{ env.SUFFIX }}
       - name: Test
         # Only run tests for amd64 matching the CI machine arch
         if: ${{ matrix.arch == 'amd64' }}
         run: |
+          nm jq | grep __stack_chk_fail
           make check VERBOSE=yes
           git diff --exit-code
       - name: Upload Test Logs
@@ -157,7 +159,8 @@ jobs:
             --disable-valgrind \
             --with-oniguruma=builtin \
             --enable-static \
-            --enable-all-static
+            --enable-all-static \
+            CFLAGS="-O2 -pthread -fstack-protector-all"
           make -j"$(nproc)"
           strip ./jq
           file ./jq
@@ -234,9 +237,11 @@ jobs:
             --with-oniguruma=builtin \
             --disable-shared \
             --enable-static \
-            --enable-all-static
+            --enable-all-static \
+            CFLAGS="-O2 -pthread -fstack-protector-all"
           make -j$(nproc)
           file ./jq.exe
+          nm ./jq.exe | grep __stack_chk_fail
           cp ./jq.exe jq-${{ env.SUFFIX }}.exe
       - name: Test
         # Only run tests for amd64 matching the CI machine arch
