github: Migrate from Travis CI to Github Actions
authorTobias Brunner <tobias@strongswan.org>
Thu, 26 Nov 2020 09:53:45 +0000 (10:53 +0100)
committerTobias Brunner <tobias@strongswan.org>
Tue, 15 Dec 2020 09:42:43 +0000 (10:42 +0100)
On travis-ci.com (travis-ci.org will be discontinued by the end of the
year) we are now charged for each minute.  We only got 10000 credits in
a trial plan, which we used up with a few builds.  Minutes also cost a
different amount of credits on different platforms: 10 on Linux,
but 50 on macOS (installing the dependencies on macOS alone took 12-15
minutes on Travis for some reason, takes about half on Github's runners).

No native Windows build yet as we have the same issue as on AppVeyor where
threading/streaming tests might get stuck.  And there is also only a
single Windows platform to test on.  Plus building/testing on Windows is
very slow (and getting ccache to work seems tricky).

The 'sw_collector' test case had to be disabled because we can't access
/usr/local/share on the Github build hosts (the process is just blocked
in readdir() and eventually times out).

Unfortunately, we can't test on different architectures anymore (in
particular ARM and the big-endian IBM Z/s390x).

.cirrus.yml
.github/actions/default/action.yml [new file with mode: 0644]
.github/workflows/android.yml [new file with mode: 0644]
.github/workflows/lgtm.yml [new file with mode: 0644]
.github/workflows/linux.yml [new file with mode: 0644]
.github/workflows/macos.yml [new file with mode: 0644]
.github/workflows/sonarcloud.yml [new file with mode: 0644]
.github/workflows/windows.yml [new file with mode: 0644]
.travis.yml [deleted file]
scripts/test.sh

index 674d065..c4c5228 100644 (file)
@@ -6,7 +6,7 @@ env:
   LEAK_DETECTIVE: no
   MONOLITHIC: no
   TEST: freebsd
-  TRAVIS_OS_NAME: freebsd
+  OS_NAME: freebsd
 
 task:
   install_script: ./scripts/test.sh deps
diff --git a/.github/actions/default/action.yml b/.github/actions/default/action.yml
new file mode 100644 (file)
index 0000000..d8d6bad
--- /dev/null
@@ -0,0 +1,16 @@
+name: "Default CI Build Steps"
+runs:
+  using: "composite"
+  steps:
+    - name: "Install Dependencies"
+      run: ./scripts/test.sh deps
+      shell: bash
+    - name: "Install Python Dependencies"
+      run: ./scripts/test.sh deps
+      shell: bash
+    - name: "Build Dependencies"
+      run: ./scripts/test.sh build-deps
+      shell: bash
+    - name: "Build/Tests"
+      run: ./scripts/test.sh
+      shell: bash
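Review bot: The step named "Install Python Dependencies" runs `./scripts/test.sh deps` a second time, so the `pydeps` stage that the removed .travis.yml invoked (`travis_retry ./scripts/test.sh pydeps`) is never run and whatever PYDEPS lists (tox for the `all|coverage|sonarcloud` case) is presumably not installed. The line should read `run: ./scripts/test.sh pydeps`. The Travis configuration also wrapped all three install stages in `travis_retry`; the composite action has no retry, so a transient mirror failure now fails the job, which deserves a comment if it is intentional.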
diff --git a/.github/workflows/android.yml b/.github/workflows/android.yml
new file mode 100644 (file)
index 0000000..567c507
--- /dev/null
@@ -0,0 +1,43 @@
+name: Android
+
+on: [push, pull_request]
+
+env:
+  CCACHE_BASEDIR: ${{ github.workspace }}
+  CCACHE_COMPRESS: true
+  CCACHE_MAXSIZE: 400M
+  CC: gcc
+  OS_NAME: linux
+
+jobs:
+  android:
+    runs-on: ubuntu-latest
+    env:
+      TEST: android
+      # since the NDK is newly installed every time, we have to use this to avoid cache misses
+      CCACHE_COMPILERCHECK: content
+    steps:
+      # even though we don't specify a specific version in our gradle files, the
+      # build fails without this because some arbitrary NDK version, that's
+      # weirdly not installed, is requested
+      - name: Install NDK
+        run: yes | sudo ${ANDROID_HOME}/tools/bin/sdkmanager --install 'ndk;21.0.6113669'
+      - uses: actions/checkout@v2
+      - uses: actions/cache@v2
+        with:
+          path: ~/.ccache
+          key: ccache-android-${{ github.ref }}:${{ github.sha }}
+          restore-keys: |
+            ccache-android-${{ github.ref }}:
+            ccache-android-
+      - run: |
+          sudo apt-get install -qq ccache
+          echo "PATH=/usr/lib/ccache:$PATH" >> $GITHUB_ENV
+          ccache -z
+      - uses: ./.github/actions/default
+      - run: ccache -s
+      - if: ${{ success() }}
+        uses: actions/upload-artifact@v2
+        with:
+          name: Lint Results
+          path: src/frontends/android/app/build/reports/lint-results.xml
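Review bot: `actions/checkout@v2`, `actions/cache@v2` and `actions/upload-artifact@v2` are referenced by a mutable tag, so whatever the tag points to at run time executes in the job; linux.yml, lgtm.yml, macos.yml, sonarcloud.yml and windows.yml do the same. Pinning each to a full commit SHA with the tag kept as a trailing comment makes the workflow reproducible and reviewable, e.g. `- uses: actions/checkout@<FULL_COMMIT_SHA>  # v2`. This and the other workflows also declare no `permissions:` key, so GITHUB_TOKEN carries the repository default scope on `pull_request` runs; a top-level `permissions:` with `contents: read` looks sufficient for the steps shown here.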
diff --git a/.github/workflows/lgtm.yml b/.github/workflows/lgtm.yml
new file mode 100644 (file)
index 0000000..8d6fd54
--- /dev/null
@@ -0,0 +1,24 @@
+name: lgtm.com
+
+on: [push]
+
+env:
+  OS_NAME: linux
+
+jobs:
+  lgtm:
+    runs-on: ubuntu-latest
+    env:
+      TEST: lgtm
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      # we don't use github/codeql-action because we can't exclude queries there,
+      # so we continue to use the approach we used on Travis
+      - env:
+          LGTM_TOKEN: ${{ secrets.LGTM_TOKEN }}
+          BUILD_NUMBER: ${{ github.run_id }}
+          COMMIT_ID: ${{ github.sha }}
+          COMMIT_BASE: ${{ github.event.before }}
+        uses: ./.github/actions/default
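Review bot: The job runs on every push even when `LGTM_TOKEN` is not configured, whereas the removed .travis.yml guarded it with `env(LGTM_TOKEN) IS present`; in a fork the secret expands to an empty string and scripts/test.sh would send the request with an empty bearer token. sonarcloud.yml drops the equivalent guard for SONAR_TOKEN, SONAR_PROJECT and SONAR_ORGANIZATION. An early exit in the `lgtm)` and `sonarcloud)` branches of scripts/test.sh when the token is empty, or a job-level `if: github.repository == '<OWNER>/<REPO>'`, would restore the old behaviour. The `env:` block also applies to the whole composite action, so the token is present in the environment of the dependency-install steps and not only the upload; the same holds in sonarcloud.yml.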
diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
new file mode 100644 (file)
index 0000000..fc51cd3
--- /dev/null
@@ -0,0 +1,148 @@
+name: Linux
+
+on: [push, pull_request]
+
+env:
+  # this test case does not actually test anything but tries to access system
+  # directories that might be inaccessible on build hosts
+  TESTS_CASES_EXCLUDE: sw_collector
+  TESTS_REDUCED_KEYLENGTHS: yes
+  CCACHE_BASEDIR: ${{ github.workspace }}
+  CCACHE_COMPRESS: true
+  CCACHE_MAXSIZE: 200M
+  OS_NAME: linux
+
+jobs:
+  latest:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        test: [ all, default, printf-builtin ]
+        compiler: [ gcc, clang ]
+        leak-detective: [ no, yes ]
+        monolithic: [ no, yes ]
+        exclude:
+          # leaks will show up whether we build monolithic or not
+          - leak-detective: yes
+            monolithic: yes
+          # monolithic builds don't affect the printf-hook implementation
+          - test: printf-builtin
+            monolithic: yes
+        include:
+          - test: apidoc
+          - test: coverage
+          - test: dist
+          - test: nm
+          - test: nm-no-glib
+          - test: fuzzing
+            compiler: clang
+            monolithic: yes
+    env:
+      LEAK_DETECTIVE: ${{ matrix.leak-detective || 'no' }}
+      MONOLITHIC: ${{ matrix.monolithic || 'no' }}
+      CC: ${{ matrix.compiler || 'gcc' }}
+      TEST: ${{ matrix.test }}
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/cache@v2
+        with:
+          path: ~/.ccache
+          # with regards to ccache, monolithic builds don't differ from regular
+          # builds and, similarly, builds with leak-detective only differ in two
+          # files (LD itself and library.c); but different tests build different
+          # dependencies, so different caches are needed
+          key: ccache-${{ runner.os }}-${{ env.CC }}-${{ matrix.test }}-${{ github.ref }}:${{ github.sha }}
+          restore-keys: |
+            ccache-${{ runner.os }}-${{ env.CC }}-${{ matrix.test }}-${{ github.ref }}:
+            ccache-${{ runner.os }}-${{ env.CC }}-${{ matrix.test }}-
+            ccache-${{ runner.os }}-${{ env.CC }}-
+      - run: |
+          sudo apt-get install -qq ccache
+          echo "PATH=/usr/lib/ccache:$PATH" >> $GITHUB_ENV
+          ccache -z
+      - uses: ./.github/actions/default
+      - run: ccache -s
+      - if: ${{ success() && matrix.test == 'coverage' }}
+        run: bash <(curl -s https://codecov.io/bash)
+      - if: ${{ failure() }}
+        uses: actions/upload-artifact@v2
+        with:
+          name: Logs ${{ github.job }}
+          path: config.log
+          retention-days: 5
+
+  crypto-plugins:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        test: [ botan, wolfssl, openssl, gcrypt ]
+        leak-detective: [ no, yes ]
+    env:
+      LEAK_DETECTIVE: ${{ matrix.leak-detective || 'no' }}
+      TEST: ${{ matrix.test }}
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/cache@v2
+        with:
+          path: ~/.ccache
+          key: ccache-${{ runner.os }}-${{ env.CC }}-${{ matrix.test }}-${{ github.ref }}:${{ github.sha }}
+          restore-keys: |
+            ccache-${{ runner.os }}-${{ env.CC }}-${{ matrix.test }}-${{ github.ref }}:
+            ccache-${{ runner.os }}-${{ env.CC }}-${{ matrix.test }}-
+            ccache-${{ runner.os }}-${{ env.CC }}-
+            ccache-${{ runner.os }}-${{ env.CC }}-all-${{ github.ref }}:${{ github.sha }}
+            ccache-${{ runner.os }}-${{ env.CC }}-all-${{ github.ref }}:
+            ccache-${{ runner.os }}-${{ env.CC }}-all-
+            ccache-${{ runner.os }}-${{ env.CC }}-
+      - run: |
+          sudo apt-get install -qq ccache
+          echo "PATH=/usr/lib/ccache:$PATH" >> $GITHUB_ENV
+          ccache -z
+      - uses: ./.github/actions/default
+      - run: ccache -s
+      - if: ${{ failure() }}
+        uses: actions/upload-artifact@v2
+        with:
+          name: Logs ${{ github.job }}
+          path: config.log
+          retention-days: 5
+
+  xenial:
+    runs-on: ubuntu-16.04
+    strategy:
+      matrix:
+        test: [ all ]
+        compiler: [ gcc, clang ]
+        include:
+          - test: openssl-1.0
+          - test: openssl-1.0
+            leak-detective: yes
+    env:
+      LEAK_DETECTIVE: ${{ matrix.leak-detective || 'no' }}
+      CC: ${{ matrix.compiler || 'gcc' }}
+      TEST: ${{ matrix.test }}
+      UBUNTU_XENIAL: yes
+      # this is the default with newer versions and fixes builds with clang
+      CCACHE_CPP2: true
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/cache@v2
+        with:
+          path: ~/.ccache
+          key: ccache-xenial-${{ env.CC }}-${{ matrix.test }}-${{ github.ref }}:${{ github.sha }}
+          restore-keys: |
+            ccache-xenial-${{ env.CC }}-${{ matrix.test }}-${{ github.ref }}:
+            ccache-xenial-${{ env.CC }}-${{ matrix.test }}-
+            ccache-xenial-${{ env.CC }}-
+      - run: |
+          sudo apt-get install -qq ccache
+          echo "PATH=/usr/lib/ccache:$PATH" >> $GITHUB_ENV
+          ccache -z
+      - uses: ./.github/actions/default
+      - run: ccache -s
+      - if: ${{ failure() }}
+        uses: actions/upload-artifact@v2
+        with:
+          name: Logs ${{ github.job }}
+          path: config.log
+          retention-days: 5
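Review bot: The coverage upload step `bash <(curl -s https://codecov.io/bash)` executes whatever that URL returns with no integrity check, and because `-f` is missing even an HTTP error body is fed to bash. Downloading to a file, verifying it against a pinned checksum and only then running it closes that gap: `curl -fsSLo codecov.sh https://codecov.io/bash`, `echo "<PINNED_SHA256>  codecov.sh" | sha256sum -c -`, `bash codecov.sh`. Separately, the `crypto-plugins` job uses `${{ env.CC }}` in its cache keys although neither that job nor the workflow-level `env` sets CC, so it would expand to an empty string and the `-all-` restore keys cannot match the caches written by `latest`. The restore key `ccache-${{ runner.os }}-${{ env.CC }}-` is also listed twice there and, being a prefix of the three `-all-` keys after its first occurrence, makes them unreachable.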
diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
new file mode 100644 (file)
index 0000000..1528f3f
--- /dev/null
@@ -0,0 +1,37 @@
+name: macOS
+
+on: [push, pull_request]
+
+env:
+  TESTS_REDUCED_KEYLENGTHS: yes
+  CCACHE_BASEDIR: ${{ github.workspace }}
+  CCACHE_COMPRESS: true
+  CCACHE_MAXSIZE: 100M
+  OS_NAME: macos
+
+jobs:
+  macos:
+    runs-on: macos-latest
+    env:
+      TEST: macos
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/cache@v2
+        with:
+          path: ~/Library/Caches/ccache
+          key: ccache-${{ runner.os }}-${{ github.ref }}:${{ github.sha }}
+          restore-keys: |
+            ccache-${{ runner.os }}-${{ github.ref }}:
+            ccache-${{ runner.os }}-
+      - run: |
+          brew install ccache
+          echo "PATH=$(brew --prefix)/opt/ccache/libexec:$PATH" >> $GITHUB_ENV
+          ccache -z
+      - uses: ./.github/actions/default
+      - run: ccache -s
+      - if: ${{ failure() }}
+        uses: actions/upload-artifact@v2
+        with:
+          name: Logs ${{ github.job }}
+          path: config.log
+          retention-days: 5
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
new file mode 100644 (file)
index 0000000..aa6a411
--- /dev/null
@@ -0,0 +1,53 @@
+name: SonarCloud
+
+on: [push]
+
+env:
+  CCACHE_BASEDIR: ${{ github.workspace }}
+  CCACHE_COMPRESS: true
+  CCACHE_MAXSIZE: 200M
+  OS_NAME: linux
+
+jobs:
+  sonarcloud:
+    runs-on: ubuntu-latest
+    env:
+      TEST: sonarcloud
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - uses: actions/cache@v2
+        with:
+          path: |
+            ~/.ccache
+            ~/.sonar-cache
+          key: ccache-sonarcloud-${{ github.ref }}:${{ github.sha }}
+          restore-keys: |
+            ccache-sonarcloud-${{ github.ref }}:
+            ccache-sonarcloud-
+      - run: |
+          sudo apt-get install -qq ccache
+          echo "PATH=/usr/lib/ccache:$PATH" >> $GITHUB_ENV
+          ccache -z
+      # using SonarSource/sonarcloud-github-action is currently not recommended
+      # for C builds, so we follow the "any CI" instructions
+      - name: Install sonar-scanner
+        env:
+          SONAR_SCANNER_VERSION: 4.4.0.2170
+        run: |
+          export SONAR_SCANNER_HOME=$HOME/.sonar/sonar-scanner-$SONAR_SCANNER_VERSION-linux
+          curl --create-dirs -sSLo $HOME/.sonar/sonar-scanner.zip https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-$SONAR_SCANNER_VERSION-linux.zip
+          unzip -o $HOME/.sonar/sonar-scanner.zip -d $HOME/.sonar/
+          echo "SONAR_SCANNER_OPTS=-server" >> $GITHUB_ENV
+          curl --create-dirs -sSLo $HOME/.sonar/build-wrapper-linux-x86.zip https://sonarcloud.io/static/cpp/build-wrapper-linux-x86.zip
+          unzip -o $HOME/.sonar/build-wrapper-linux-x86.zip -d $HOME/.sonar/
+          echo "PATH=$HOME/.sonar/build-wrapper-linux-x86:$SONAR_SCANNER_HOME/bin:$PATH" >> $GITHUB_ENV
+      - env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BUILD_NUMBER: ${{ github.run_id }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          SONAR_PROJECT: ${{ secrets.SONAR_PROJECT }}
+          SONAR_ORGANIZATION: ${{ secrets.SONAR_ORGANIZATION }}
+        uses: ./.github/actions/default
+      - run: ccache -s
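Review bot: The "Install sonar-scanner" step downloads two archives and puts their binaries on PATH without verifying them, and the following step then runs the build with `SONAR_TOKEN` and `GITHUB_TOKEN` in the environment. The scanner archive is version-pinned through SONAR_SCANNER_VERSION, so a pinned checksum can be checked before `unzip`, e.g. `echo "<PINNED_SHA256>  $HOME/.sonar/sonar-scanner.zip" | sha256sum -c -`. The build-wrapper URL is unversioned, so it can only be checked against whatever checksum the vendor publishes alongside it; confirm what is available. Adding `-f` to both `curl` calls makes an HTTP error fail the step instead of handing an error page to `unzip`.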
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
new file mode 100644 (file)
index 0000000..073bd27
--- /dev/null
@@ -0,0 +1,44 @@
+name: Windows
+
+on: [push, pull_request]
+
+env:
+  TESTS_REDUCED_KEYLENGTHS: yes
+  CCACHE_BASEDIR: ${{ github.workspace }}
+  CCACHE_COMPRESS: true
+  CCACHE_MAXSIZE: 200M
+  # since the compilers are newly installed every time, we have to use this to
+  # avoid cache misses
+  CCACHE_COMPILERCHECK: content
+  MONOLITHIC: yes
+
+jobs:
+  cross-compile:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        test: [ win64, win32 ]
+    env:
+      OS_NAME: linux
+      TEST: ${{ matrix.test }}
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/cache@v2
+        with:
+          path: ~/.ccache
+          key: ccache-${{ runner.os }}-${{ matrix.test }}-${{ github.ref }}:${{ github.sha }}
+          restore-keys: |
+            ccache-${{ runner.os }}-${{ matrix.test }}-${{ github.ref }}:
+            ccache-${{ runner.os }}-${{ matrix.test }}-
+      - run: |
+          sudo apt-get install -qq ccache
+          echo "PATH=/usr/lib/ccache:$PATH" >> $GITHUB_ENV
+          ccache -z
+      - uses: ./.github/actions/default
+      - run: ccache -s
+      - if: ${{ failure() }}
+        uses: actions/upload-artifact@v2
+        with:
+          name: Logs ${{ github.job }}
+          path: config.log
+          retention-days: 5
diff --git a/.travis.yml b/.travis.yml
deleted file mode 100644 (file)
index 41a1637..0000000
+++ /dev/null
@@ -1,145 +0,0 @@
-language: c
-
-os: linux
-dist: bionic
-
-# don't build tags separately
-if: tag IS blank
-
-compiler: gcc
-
-cache: ccache
-
-before_install:
-  - travis_retry ./scripts/test.sh deps
-  - travis_retry ./scripts/test.sh pydeps
-  - travis_retry ./scripts/test.sh build-deps
-
-before_script:
-  - sudo sysctl -w net.ipv6.conf.all.disable_ipv6=0 || true
-
-script:
-  - ./scripts/test.sh
-
-after_success:
-  if [ "$TEST" == "coverage" ]; then
-    bash <(curl -s https://codecov.io/bash);
-  fi
-
-after_failure:
-  - cat config.log
-  - sleep 1
-
-env:
-  global:
-    - TESTS_REDUCED_KEYLENGTHS=yes
-    - LEAK_DETECTIVE=no
-    - MONOLITHIC=no
-
-jobs:
-  include:
-    - env: TEST=sonarcloud
-      if: |
-        type = push AND env(SONAR_TOKEN) IS present AND \
-        env(SONAR_PROJECT) IS present AND \
-        env(SONAR_ORGANIZATION) IS present
-      git:
-        depth: false
-      cache:
-        directories:
-          - $HOME/.sonar-cache
-      addons:
-        sonarcloud: true
-    - env: TEST=lgtm
-      if: type = push AND env(LGTM_TOKEN) IS present
-      git:
-        depth: false
-    - env: TEST=osx
-      compiler: clang
-      os: osx
-    - env: TEST=android
-      install:
-        # see https://developer.android.com/studio#command-tools
-        - export ANDROID_TOOLS=commandlinetools-linux-6200805_latest.zip
-        - export ANDROID_HOME=$HOME/android-sdk
-        - wget -nv https://dl.google.com/android/repository/$ANDROID_TOOLS
-        - unzip -q $ANDROID_TOOLS -d $ANDROID_HOME && rm $ANDROID_TOOLS
-        - export PATH=$PATH:$ANDROID_HOME/tools/bin
-        # sdkmanager only works with Java 8
-        - export JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64
-        - yes | sdkmanager --sdk_root=$ANDROID_HOME --licenses >/dev/null
-        - yes | sdkmanager --sdk_root=$ANDROID_HOME --install 'ndk;20.0.5594570'
-        - mkdir -p $HOME/.gradle
-        - echo "org.gradle.daemon=false" >> $HOME/.gradle/gradle.properties
-        - echo "org.gradle.console=plain" >> $HOME/.gradle/gradle.properties
-        # since the NDK is newly installed everytime, we have to use this to avoid cache misses
-        - export CCACHE_COMPILERCHECK=content
-      after_success:
-        - cat src/frontends/android/app/build/reports/lint-results.xml
-      before_cache:
-        - rm -f  $HOME/.gradle/caches/modules-2/modules-2.lock
-        - rm -fr $HOME/.gradle/caches/*/plugin-resolution/
-      cache:
-        ccache: true
-        directories:
-          - $HOME/.gradle/caches/
-          - $HOME/.gradle/wrapper/
-          - $HOME/.android/build-cache
-    - env: TEST=all
-    - env: TEST=all
-      compiler: clang
-    - env: TEST=all
-      arch: arm64
-    - env: TEST=all
-      arch: ppc64le
-    - env: TEST=all
-      arch: s390x
-    - env: TEST=all UBUNTU_XENIAL=yes
-      dist: xenial
-    - env: TEST=all UBUNTU_XENIAL=yes
-      dist: xenial
-      compiler: clang
-    - env: TEST=all MONOLITHIC=yes
-    - env: TEST=all MONOLITHIC=yes
-      compiler: clang
-    - env: TEST=all LEAK_DETECTIVE=yes
-    - env: TEST=all LEAK_DETECTIVE=yes
-      compiler: clang
-    - env: TEST=coverage
-    - env: TEST=fuzzing MONOLITHIC=yes
-      compiler: clang
-    - env: TEST=win64 MONOLITHIC=yes
-    - env: TEST=win32 MONOLITHIC=yes
-    - env: TEST=dist
-    # "default" with GCC is already tested with "dist" above
-    - env: TEST=default
-      compiler: clang
-    - env: TEST=default MONOLITHIC=yes
-    - env: TEST=default MONOLITHIC=yes
-      compiler: clang
-    - env: TEST=default LEAK_DETECTIVE=yes
-    - env: TEST=default LEAK_DETECTIVE=yes
-      compiler: clang
-    # we can't test Vstr as negative int args are not properly passed to CBs
-    - env: TEST=printf-builtin
-    - env: TEST=printf-builtin
-      compiler: clang
-    - env: TEST=printf-builtin LEAK_DETECTIVE=yes
-    - env: TEST=printf-builtin LEAK_DETECTIVE=yes
-      compiler: clang
-    - env: TEST=nm
-    - env: TEST=nm-no-glib
-    # the crypto plugins are build-tested with clang via "all" above
-    - env: TEST=botan
-    - env: TEST=botan LEAK_DETECTIVE=yes
-    - env: TEST=wolfssl
-    - env: TEST=wolfssl LEAK_DETECTIVE=yes
-    - env: TEST=openssl
-    - env: TEST=openssl LEAK_DETECTIVE=yes
-    - env: TEST=openssl-1.0 UBUNTU_XENIAL=yes
-      dist: xenial
-    - env: TEST=openssl-1.0 LEAK_DETECTIVE=yes UBUNTU_XENIAL=yes
-      dist: xenial
-    - env: TEST=gcrypt
-    - env: TEST=gcrypt LEAK_DETECTIVE=yes
-    - env: TEST=apidoc
index 6a63f46..8285401 100755 (executable)
@@ -1,5 +1,5 @@
 #!/bin/sh
-# Build script for Travis CI
+# Build script for CI
 
 build_botan()
 {
@@ -88,8 +88,8 @@ build_tss2()
        cd -
 }
 
-: ${TRAVIS_BUILD_DIR=$PWD}
-: ${DEPS_BUILD_DIR=$TRAVIS_BUILD_DIR/..}
+: ${BUILD_DIR=$PWD}
+: ${DEPS_BUILD_DIR=$BUILD_DIR/..}
 : ${DEPS_PREFIX=/usr/local}
 
 TARGET=check
@@ -140,26 +140,25 @@ all|coverage|sonarcloud)
                        --disable-osx-attr --disable-tkm --disable-uci
                        --disable-unwind-backtraces
                        --disable-svc --disable-dbghelp-backtraces --disable-socket-win
-                       --disable-kernel-wfp --disable-kernel-iph --disable-winhttp"
+                       --disable-kernel-wfp --disable-kernel-iph --disable-winhttp
+                       --disable-python-eggs-install"
        # not enabled on the build server
        CONFIG="$CONFIG --disable-af-alg"
-       if test "$TRAVIS_CPU_ARCH" != "amd64"; then
-               CONFIG="$CONFIG --disable-aesni --disable-rdrand"
-       fi
        if test "$TEST" != "coverage"; then
                CONFIG="$CONFIG --disable-coverage"
        else
                # not actually required but configure checks for it
                DEPS="$DEPS lcov"
        fi
-       # Botan requires GCC 5.0, so disable it on Ubuntu 16.04
+       # Botan requires newer compilers, so disable it on Ubuntu 16.04
        if test -n "$UBUNTU_XENIAL"; then
                CONFIG="$CONFIG --disable-botan"
        fi
        DEPS="$DEPS libcurl4-gnutls-dev libsoup2.4-dev libunbound-dev libldns-dev
                  libmysqlclient-dev libsqlite3-dev clearsilver-dev libfcgi-dev
-                 libpcsclite-dev libpam0g-dev binutils-dev libnm-dev libgcrypt20-dev
-                 libjson-c-dev iptables-dev python-pip libtspi-dev libsystemd-dev"
+                 libldap2-dev libpcsclite-dev libpam0g-dev binutils-dev libnm-dev
+                 libgcrypt20-dev libjson-c-dev iptables-dev python-pip libtspi-dev
+                 libsystemd-dev"
        PYDEPS="tox"
        if test "$1" = "build-deps"; then
                if test -z "$UBUNTU_XENIAL"; then
@@ -183,7 +182,6 @@ win*)
        # no make check for Windows binaries unless we run on a windows host
        if test "$APPVEYOR" != "True"; then
                TARGET=
-               CCACHE=ccache
        else
                CONFIG="$CONFIG --enable-openssl"
                CFLAGS="$CFLAGS -I/c/OpenSSL-$TEST/include"
@@ -196,24 +194,23 @@ win*)
        win64)
                CONFIG="--host=x86_64-w64-mingw32 $CONFIG --enable-dbghelp-backtraces"
                DEPS="gcc-mingw-w64-x86-64 binutils-mingw-w64-x86-64 mingw-w64-x86-64-dev $DEPS"
-               CC="$CCACHE x86_64-w64-mingw32-gcc"
+               CC="x86_64-w64-mingw32-gcc"
                ;;
        win32)
                CONFIG="--host=i686-w64-mingw32 $CONFIG"
                DEPS="gcc-mingw-w64-i686 binutils-mingw-w64-i686 mingw-w64-i686-dev $DEPS"
-               CC="$CCACHE i686-w64-mingw32-gcc"
+               CC="i686-w64-mingw32-gcc"
                ;;
        esac
        ;;
 android)
-       DEPS="$DEPS openjdk-8-jdk"
        if test "$1" = "deps"; then
                git clone git://git.strongswan.org/android-ndk-boringssl.git -b ndk-static \
                        src/frontends/android/app/src/main/jni/openssl
        fi
        TARGET=distdir
        ;;
-osx)
+macos)
        # this causes a false positive in ip-packet.c since Xcode 8.3
        CFLAGS="$CFLAGS -Wno-address-of-packed-member"
        # use the same options as in the Homebrew Formula
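Review bot: The `android)` branch, on a context line this commit leaves unchanged, clones android-ndk-boringssl over `git://`, which is neither encrypted nor authenticated, and takes whatever the `ndk-static` branch currently points to; judging by the target path the result is presumably built into the Android app. If the server offers an authenticated transport the clone should use it, and the checkout should be fixed to a known commit, e.g. `git -C src/frontends/android/app/src/main/jni/openssl checkout <PINNED_COMMIT>` after the clone. The enclosing case statement starts and ends outside this hunk.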
@@ -227,7 +224,7 @@ osx)
                        --enable-scepclient --enable-socket-default --enable-sshkey
                        --enable-stroke --enable-swanctl --enable-unity --enable-updown
                        --enable-x509 --enable-xauth-generic"
-       DEPS="bison gettext openssl curl"
+       DEPS="automake autoconf libtool bison gettext openssl curl"
        BREW_PREFIX=$(brew --prefix)
        export PATH=$BREW_PREFIX/opt/bison/bin:$PATH
        export ACLOCAL_PATH=$BREW_PREFIX/opt/gettext/share/aclocal:$ACLOCAL_PATH
@@ -271,7 +268,7 @@ fuzzing)
        if test -z "$1"; then
                if test -z "$FUZZING_CORPORA"; then
                        git clone --depth 1 https://github.com/strongswan/fuzzing-corpora.git fuzzing-corpora
-                       export FUZZING_CORPORA=$TRAVIS_BUILD_DIR/fuzzing-corpora
+                       export FUZZING_CORPORA=$BUILD_DIR/fuzzing-corpora
                fi
                # these are about the same as those on OSS-Fuzz (except for the
                # symbolize options and strip_path_prefix)
@@ -306,26 +303,22 @@ lgtm)
        DEPS="jq"
 
        if test -z "$1"; then
-               # fall back to the parent of the latest commit (on new branches we might
-               # not have a range, also on duplicate branches)
-               base="${TRAVIS_COMMIT}^"
-               if test -n "$TRAVIS_COMMIT_RANGE"; then
-                       base="${TRAVIS_COMMIT_RANGE%...*}"
-                       # after rebases, the first commit ID in the range might not be valid
-                       git rev-parse -q --verify $base
-                       if [ $? != 0 ]; then
-                               # this will always compare against master, while the range
-                               # otherwise only contains "new" commits
-                               base=$(git merge-base origin/master ${TRAVIS_COMMIT})
-                       fi
+               base=$COMMIT_BASE
+               # after rebases or for new/duplicate branches, the passed base commit
+               # ID might not be valid
+               git rev-parse -q --verify $base^{commit}
+               if [ $? != 0 ]; then
+                       # this will always compare against master, while via base we
+                       # otherwise only contains "new" commits
+                       base=$(git merge-base origin/master ${COMMIT_ID})
                fi
                base=$(git rev-parse $base)
                project_id=1506185006272
 
-               echo "Starting code review for $TRAVIS_COMMIT (base $base) on lgtm.com"
+               echo "Starting code review for $COMMIT_ID (base $base) on lgtm.com"
                git diff --binary $base > lgtm.patch || exit $?
                curl -s -X POST --data-binary @lgtm.patch \
-                       "https://lgtm.com/api/v1.0/codereviews/${project_id}?base=${base}&external-id=${TRAVIS_BUILD_NUMBER}" \
+                       "https://lgtm.com/api/v1.0/codereviews/${project_id}?base=${base}&external-id=${BUILD_NUMBER}" \
                        -H 'Content-Type: application/octet-stream' \
                        -H 'Accept: application/json' \
                        -H "Authorization: Bearer ${LGTM_TOKEN}" > lgtm.res || exit $?
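Review bot: `git rev-parse -q --verify $base^{commit}` expands `$base` unquoted and prints the resolved ID to the job log on success; `$base` now comes straight from the workflow's `COMMIT_BASE`, which is empty whenever that variable is unset. Quoting it and testing the command directly is tighter: `if ! git rev-parse -q --verify "${base}^{commit}" >/dev/null; then`, with `"${COMMIT_ID}"` quoted in the `git merge-base` call as well. The rewritten comment "while via base we otherwise only contains" has lost a word; presumably `# this will always compare against master, while the passed base otherwise only covers "new" commits` is what was meant. The `lgtm)` branch continues outside the hunk.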
@@ -373,12 +366,12 @@ esac
 
 case "$1" in
 deps)
-       case "$TRAVIS_OS_NAME" in
+       case "$OS_NAME" in
        linux)
                sudo apt-get update -qq && \
                sudo apt-get install -qq bison flex gperf gettext $DEPS
                ;;
-       osx)
+       macos)
                brew update && \
                brew install $DEPS
                ;;
@@ -423,12 +416,6 @@ esac
 echo "$ make $TARGET"
 case "$TEST" in
 sonarcloud)
-       # there is an issue with the platform detection that causes sonarqube to
-       # fail on bionic with "ERROR: ld.so: object '...libinterceptor-${PLATFORM}.so'
-       # from LD_PRELOAD cannot be preloaded (cannot open shared object file)"
-       # https://jira.sonarsource.com/browse/CPP-2027
-       BW_PATH=$(dirname $(which build-wrapper-linux-x86-64))
-       cp $BW_PATH/libinterceptor-x86_64.so $BW_PATH/libinterceptor-haswell.so
        # without target, coverage is currently not supported anyway because
        # sonarqube only supports gcov, not lcov
        build-wrapper-linux-x86-64 --out-dir bw-output make -j4 || exit $?
@@ -448,9 +435,11 @@ apidoc)
        ;;
 sonarcloud)
        sonar-scanner \
+               -Dsonar.host.url=https://sonarcloud.io \
                -Dsonar.projectKey=${SONAR_PROJECT} \
                -Dsonar.organization=${SONAR_ORGANIZATION} \
-               -Dsonar.projectVersion=$(git describe)+${TRAVIS_BUILD_NUMBER} \
+               -Dsonar.login=${SONAR_TOKEN} \
+               -Dsonar.projectVersion=$(git describe)+${BUILD_NUMBER} \
                -Dsonar.sources=. \
                -Dsonar.cfamily.threads=2 \
                -Dsonar.cfamily.cache.enabled=true \
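Review bot: The added `-Dsonar.login=${SONAR_TOKEN}` puts the token on the scanner's command line, where it is visible in the process list and in any shell trace, and the expansion is unquoted like the neighbouring `${SONAR_PROJECT}` and `${SONAR_ORGANIZATION}`. sonarcloud.yml already exports SONAR_TOKEN into the environment of this step; if the scanner version in use reads the token from the environment (to be confirmed against its documentation) the argument can be dropped, otherwise at least quote it: `-Dsonar.login="${SONAR_TOKEN}" \`. The sonar-scanner invocation continues past the end of the hunk.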
@@ -462,7 +451,7 @@ android)
        rm -r strongswan-*
        cd src/frontends/android
        echo "$ ./gradlew build"
-       NDK_CCACHE=ccache ./gradlew build
+       NDK_CCACHE=ccache ./gradlew build || exit $?
        ;;
 *)
        ;;