name: CI on: push: branches-ignore: - coverity_scan pull_request: env: PANIC_ACTION: "gdb -batch -x raddb/panic.gdb %e %p 1>&0 2>&0" ALT_OPENSSL: "3.0.2" CI: 1 GH_ACTIONS: 1 DEBIAN_FRONTEND: noninteractive APT_OPTS: "-y --no-install-recommends" LDAP_TEST_SERVER: 127.0.0.1 LDAP_TEST_SERVER_PORT: 3890 # # Update between running in a container (GitHub runner and # self-hosted runner), or directly on the VM (currently GitHub # runner only, as our runners don't get root access). Remember to # comment/uncomment other sections below as well. # # Container: USE_DOCKER: 1 SQL_MYSQL_TEST_SERVER: mariadb SQL_POSTGRESQL_TEST_SERVER: postgres # Hosted: # USE_DOCKER: 0 # SQL_MYSQL_TEST_SERVER: 127.0.0.1 # SQL_POSTGRESQL_TEST_SERVER: 127.0.0.1 jobs: ci: runs-on: ${{ matrix.os.runs_on }} # Comment out when not using containers: container: image: ${{ matrix.os.docker }} strategy: fail-fast: false matrix: os: # # runs_on - where GitHub will spin up the runner, either # "self-hosted", or the name of a GitHub VM image. # code - the name/version of the OS (for step evaluations below) # docker - the docker image name, if containers are being used # name - used in the job name only # # Self-hosted runner (must set USE_DOCKER=1 above): - { runs_on: "${{ github.repository_owner == 'FreeRADIUS' && 'self-hosted' || 'ubuntu-20.04' }}", code: "ubuntu2004", docker: "ubuntu:20.04", name: "${{ github.repository_owner == 'FreeRADIUS' && 'self' || 'gh' }}-ubuntu20" } # GitHub runner (may set USE_DOCKER=0 or 1 above): # - { runs_on: "ubuntu-20.04", code: "ubuntu2004", docker: "ubuntu:20.04", name: "gh20-ubuntu20" } env: - { CC: gcc, DO_BUILD: yes, LIBS_OPTIONAL: no, LIBS_ALT: no, REPRODUCIBLE: no, BUILD_CFLAGS: "-DWITH_EVAL_DEBUG", NAME: linux-gcc-lean } - { CC: gcc, DO_BUILD: yes, LIBS_OPTIONAL: yes, LIBS_ALT: no, REPRODUCIBLE: no, BUILD_CFLAGS: "-DWITH_EVAL_DEBUG", NAME: linux-gcc } - { CC: gcc, DO_BUILD: yes, LIBS_OPTIONAL: yes, LIBS_ALT: no, REPRODUCIBLE: yes, BUILD_CFLAGS: "-DWITH_EVAL_DEBUG", NAME: linux-gcc-reproducible } - { CC: gcc, DO_BUILD: yes, LIBS_OPTIONAL: yes, LIBS_ALT: no, REPRODUCIBLE: no, BUILD_CFLAGS: "-DWITH_EVAL_DEBUG -O2 -g3", NAME: linux-gcc-O2-g3 } - { CC: clang, DO_BUILD: yes, LIBS_OPTIONAL: no, LIBS_ALT: no, REPRODUCIBLE: no, BUILD_CFLAGS: "-DWITH_EVAL_DEBUG", NAME: linux-clang-lean } - { CC: clang, DO_BUILD: yes, LIBS_OPTIONAL: yes, LIBS_ALT: no, REPRODUCIBLE: no, BUILD_CFLAGS: "-DWITH_EVAL_DEBUG", NAME: linux-clang } - { CC: clang, DO_BUILD: yes, LIBS_OPTIONAL: yes, LIBS_ALT: yes, REPRODUCIBLE: no, BUILD_CFLAGS: "-DWITH_EVAL_DEBUG", NAME: linux-clang-altlibs } - { CC: clang, DO_BUILD: yes, LIBS_OPTIONAL: yes, LIBS_ALT: no, REPRODUCIBLE: yes, BUILD_CFLAGS: "-DWITH_EVAL_DEBUG", NAME: linux-clang-reproducible } - { CC: clang, DO_BUILD: yes, LIBS_OPTIONAL: yes, LIBS_ALT: no, REPRODUCIBLE: no, BUILD_CFLAGS: "-DWITH_EVAL_DEBUG -O2 -g3", NAME: linux-clang-O2-g3 } env: ${{ matrix.env }} # Test names are used in the branch protection rules in GitHub # If you change the names here, or add additional matrix entries, you # must also amend the branch protection fules. name: "v3.2.x-${{ matrix.os.name }}-${{ matrix.env.NAME }}" # The standard GitHub environment contains PostgreSQL and # MySQL already. However when running on hosted GitHub runners # we need to run separate database containers to provide these. # # Comment out the "services" section when USE_DOCKER=0 # services: mariadb: image: mariadb env: MARIADB_ALLOW_EMPTY_ROOT_PASSWORD: yes ports: - 3306:3306 options: --health-cmd="mysqladmin ping" --health-interval 10s --health-timeout 5s --health-retries 10 postgres: image: postgres env: POSTGRES_HOST_AUTH_METHOD: trust ports: - 5432:5432 options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5 steps: - name: Self-hosted runner container fixes if: ${{ env.USE_DOCKER == 1 }} run: | ln -fs /usr/bin/env /usr/local/bin/sudo - name: Package manager performance improvements run: | sudo sh -c 'echo force-unsafe-io > /etc/dpkg/dpkg.cfg.d/02speedup' if command -v mandb >/dev/null; then echo 'man-db man-db/auto-update boolean false' | sudo debconf-set-selections sudo dpkg-reconfigure man-db fi - name: Freshen APT repo metadata run: | sudo apt-get update - name: Install common build dependencies run: | sudo apt-get install ${APT_OPTS} \ autoconf \ build-essential \ debhelper \ devscripts \ dh-make \ fakeroot \ firebird-dev \ freetds-dev \ gawk \ git \ gnupg \ libcap-dev \ libcollectdclient-dev \ libcurl4-openssl-dev \ libgdbm-dev \ libhiredis-dev \ libidn11-dev \ libiodbc2 \ libiodbc2-dev \ libjson-c-dev \ libkqueue-dev \ libkrb5-dev \ libldap2-dev \ libmemcached-dev \ libmysqlclient-dev \ libnl-3-dev \ libnl-genl-3-dev \ libpam0g-dev \ libpcap-dev \ libpcre3-dev \ libperl-dev \ libpq-dev \ libreadline-dev \ libruby \ libsnmp-dev \ libsqlite3-dev \ libssl-dev \ libtalloc-dev \ libunbound-dev \ libwbclient-dev \ libykclient-dev \ libyubikey-dev \ lintian \ pbuilder \ python-dev \ python3-dev \ ruby-dev \ snmp \ software-properties-common \ quilt - name: Install LLVM 10 for 18.04 if: ${{ matrix.os.code == 'ubuntu1804' && matrix.env.CC == 'clang' }} run: | wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | sudo apt-key add sudo apt-add-repository "deb http://apt.llvm.org/bionic/ llvm-toolchain-bionic-10 main" sudo apt-get install ${APT_OPTS} clang-10 llvm-10 gdb sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-10 60 && sudo update-alternatives --set clang /usr/bin/clang-10 sudo update-alternatives --install /usr/bin/llvm-symbolizer llvm-symbolizer /usr/bin/llvm-symbolizer-10 60 && sudo update-alternatives --set llvm-symbolizer /usr/bin/llvm-symbolizer-10 - name: Install LLVM 10 for 20.04 if: ${{ matrix.os.code == 'ubuntu2004' && matrix.env.CC == 'clang' }} run: | wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | sudo apt-key add sudo apt-add-repository "deb http://apt.llvm.org/focal/ llvm-toolchain-focal-10 main" sudo apt-get install ${APT_OPTS} clang-10 llvm-10 gdb sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-10 60 && sudo update-alternatives --set clang /usr/bin/clang-10 sudo update-alternatives --install /usr/bin/llvm-symbolizer llvm-symbolizer /usr/bin/llvm-symbolizer-10 60 && sudo update-alternatives --set llvm-symbolizer /usr/bin/llvm-symbolizer-10 - name: Install GCC if: ${{ matrix.env.CC == 'gcc' }} run: | sudo apt-get install ${APT_OPTS} gcc gdb # # Build using some alternative libraries # # MIT Kerberos -> HEIMDAL Kerberos # OpenSSL 1.0 -> OpenSSL 3.0 # - name: 'Fetch OpenSSL 3.0 SHA' id: opensslshasum if: ${{ matrix.env.LIBS_ALT == 'yes' }} run: | wget -qO- http://www.openssl.org/source/openssl-$ALT_OPENSSL.tar.gz.sha256 | sed -ne 's/^\s\+/::set-output name=shasum::/p' - name: 'Restore OpenSSL 3.0 from the cache' if: ${{ matrix.env.LIBS_ALT == 'yes' }} uses: actions/cache@v2 id: openssl-cache with: path: /opt/openssl/ key: openssl3-${{ steps.opensslshasum.outputs.shasum }} - name: 'Build OpenSSL 3.0 (if cache stale)' if: ${{ matrix.env.LIBS_ALT == 'yes' && steps.openssl-cache.outputs.cache-hit != 'true' }} run: | cd ~ wget https://www.openssl.org/source/openssl-$ALT_OPENSSL.tar.gz tar xzf openssl-$ALT_OPENSSL.tar.gz cd openssl-$ALT_OPENSSL ./Configure --prefix=/opt/openssl --openssldir=. make -j `nproc` make install - name: Use alternative libraries if: ${{ matrix.env.LIBS_ALT == 'yes' }} run: | echo /opt/openssl/lib64 | sudo tee /etc/ld.so.conf.d/openssl3.conf >/dev/null sudo ldconfig sudo apt-get install ${APT_OPTS} heimdal-dev - name: Show versions run: | $CC --version make --version krb5-config --all || : [ -d /opt/openssl ] && export PATH=/opt/openssl/bin:$PATH openssl version - uses: actions/checkout@v2 - name: Build eapol_test run: | if [ -d /opt/openssl ]; then # Used by scripts/ci/eapol_test-build.sh export PATH=/opt/openssl/bin:$PATH export EAPOL_TEST_CFLAGS="-I/opt/openssl/include" export EAPOL_TEST_LDFLAGS="-L/opt/openssl/lib64" fi ./scripts/ci/eapol_test-build.sh - name: Build FreeRADIUS run: | export PATH=$(echo "$PATH" | sed -e 's#:/home/linuxbrew/[^:]\+##g') if [ -d /opt/openssl ]; then export PATH=/opt/openssl/bin:$PATH CONFIG_OPENSSL="--with-openssl-lib-dir=/opt/openssl/lib64 --with-openssl-include-dir=/opt/openssl/include" fi CFLAGS="${BUILD_CFLAGS}" ./configure -C --enable-developer --enable-werror --prefix=$HOME/freeradius --with-threads=$LIBS_OPTIONAL --with-udpfromto=$LIBS_OPTIONAL --with-openssl=$LIBS_OPTIONAL --with-pcre=$LIBS_OPTIONAL --enable-reproducible-builds=${REPRODUCIBLE} $CONFIG_OPENSSL make -j $(($(nproc) + 1)) - name: clang scan run: | make -j $(($(nproc) + 1)) scan && [ "$(find build/plist/ -name *.html)" = '' ] if: ${{ matrix.env.CC == 'clang' }} - name: "Clang Static Analyzer: Store assets on failure" uses: actions/upload-artifact@v2 with: name: clang-scan.tgz path: build/plist/**/*.html if: ${{ matrix.env.CC == 'clang' && failure() }} - name: Install test requisites run: | # Temporarily replace ucf (for config merge) with cp since it's # terribly slow! sudo mv /usr/bin/ucf /usr/bin/ucf.disabled sudo sh -c 'echo "#!/bin/sh" > /usr/bin/ucf' sudo sh -c 'echo "shift && cp -v \$@" >> /usr/bin/ucf' sudo chmod +x /usr/bin/ucf sudo apt-get install ${APT_OPTS} \ apparmor-utils \ ldap-utils \ slapd sudo mv -f /usr/bin/ucf.disabled /usr/bin/ucf - name: Database dependencies (GitHub runner) if: ${{ env.USE_DOCKER != 1 }} run: | export PG_VER=$(cd /etc/postgresql ; ls | head ) sudo sh -c "echo host all all 127.0.0.1/32 trust > /etc/postgresql/$PG_VER/main/pg_hba.conf" sudo sh -c "echo local all all trust >> /etc/postgresql/$PG_VER/main/pg_hba.conf" sudo systemctl stop slapd sudo aa-complain /usr/sbin/slapd sudo systemctl start mysql postgresql sudo mysql -h 127.0.0.1 -uroot -proot -e "ALTER USER 'root'@'localhost' IDENTIFIED BY '';" - name: Database dependencies (containers) if: ${{ env.USE_DOCKER == 1 }} run: | sudo apt-get install ${APT_OPTS} \ mariadb-client \ postgresql-client slapd - name: Setup test databases run: | for i in \ postgresql-setup.sh \ mysql-setup.sh \ ldap-setup.sh \ ldap2-setup.sh; do script="./scripts/ci/$i" echo "Calling $i" $script done - name: Configure test database access (containers) if: ${{ env.USE_DOCKER == 1 }} run: | mysql -h mariadb -uroot -e "CREATE USER 'radius'@'%' IDENTIFIED BY 'radpass';" mysql -u root -h mariadb -e "GRANT ALL ON radius.* TO 'radius'; FLUSH PRIVILEGES;" - name: Run tests run: | [ -d /opt/openssl ] && export PATH=/opt/openssl/bin:$PATH openssl dhparam -out ./raddb/certs/dh -2 128 || \ openssl dhparam -out ./raddb/certs/dh -2 512 || \ true make ci-test - name: Show debug logs on failure if: ${{ failure() }} run: | cat src/tests/radius.log || : # # If the CI has failed and the branch is ci-debug then start a tmate # session. SSH rendezvous point is emited continuously in the job output. # - name: "Debug: Start tmate" uses: mxschmitt/action-tmate@v3 with: limit-access-to-actor: true if: ${{ github.ref == 'refs/heads/ci-debug' && failure() }} ########################################################################################## # FREERADIUS CORE DEVELOPERS ONLY ########################################################################################## # # Direct push access to the main freeradius-server repo has been disabled in an attempt # to keep CI passing reliably. # # The code below will automatically push to the main repository if a commit passes CI in # your fork on a branch that exists in the main repository. # # The code below will only run if PERSONAL_ACCESS_TOKEN is defined in the repository # secrets for your fork of the freeradius-server repo. # # If the above CI checks pass then we auto-merge into the same branch in the # main FR repo (only on push) if the PERSONAL_ACCESS_TOKEN secret is defined, i.e. when # the actor claims to be a FreeRADIUS developer with push access. # # Personal access tokens can be generated via the GitHub website: # # - Click on the Profile menu (top right) # > Settings # > Developer settings # > Personal access tokens # > Generate New Token # - Next, add the following settings and scopes: # Note: FreeRADIUS CI Push # public_repo (checked) # # This will allow any git operations using this PERSONAL_ACCESS_TOKEN to commit code to any # public repository you have access to. # # As this PERSONAL_ACCESS_TOKEN will only ever be accessible from GitHub actions when they are # running from your fork of the FreeRADIUS repo, this shouldn't be a security issue. # # After generating your PERSONAL_ACCESS_TOKEN you will need to add it as a secret to your # repository. # # - Copy your new token # - Click on the Profile menu (top right) # > Your repositories # - Search for freeradius-server # > Click freeradius-server # - Click settings in the tabs on the left # - Click secrets in the menu items on the left # - Click New repository secret # - Name: PERSONAL_ACCESS_TOKEN # Value: # - Click Add secret # # Needed because secrets are not available for evaluation in if conditions # at the job level, so we evaluate the existence of the PERSONAL_ACCESS_TOKEN secret # within a step and export the result instead. We also extract the short # branch name here because it's convenient to do so. # merge-preflight: needs: - ci if: ( github.event_name == 'push' ) && ( github.repository_owner != 'FreeRADIUS' ) && ( github.ref == 'refs/heads/master' || github.ref == 'refs/heads/v3.2.x' ) name: "Merge preflight" runs-on: ubuntu-latest steps: - name: "Report whether PERSONAL_ACCESS_TOKEN secret exists" id: merge-preflight run: | [ -z "$PERSONAL_ACCESS_TOKEN" ] || echo "::set-output name=PERSONAL_ACCESS_TOKEN_EXISTS::1" env: PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }} outputs: PERSONAL_ACCESS_TOKEN_EXISTS: ${{ steps.merge-preflight.outputs.PERSONAL_ACCESS_TOKEN_EXISTS }} merge-upstream: needs: - ci - merge-preflight if: needs.merge-preflight.outputs.PERSONAL_ACCESS_TOKEN_EXISTS == '1' runs-on: ubuntu-latest name: "Merge into upstream" steps: - uses: actions/checkout@v2 with: fetch-depth: 0 lfs: false persist-credentials: false # Note: This also opportunistically updates the developer's branch with commits from # the main repository. # This update may fail if the developer has pushed additional commits since the # workflow started. This is normal, and we ignore the failure. - name: "Merge into upstream dev branch and update local branch" run: | BRANCH=${GITHUB_REF#refs/heads/} git remote add upstream https://$USERNAME:$REPO_KEY@github.com/FreeRADIUS/freeradius-server.git git fetch --no-recurse-submodules upstream +refs/heads/*:refs/remotes/upstream/* +refs/tags/*:refs/tags/upstream/* git checkout --progress --force -B upstream-branch "refs/remotes/upstream/$BRANCH" git merge "$BRANCH" --ff-only git push upstream "upstream-branch:$BRANCH" git push origin "$BRANCH" || true env: USERNAME: ${{ github.actor }} REPO_KEY: ${{ secrets.PERSONAL_ACCESS_TOKEN }}