summaryrefslogtreecommitdiffstats
path: root/.github/workflows
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-06-12 03:50:42 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-06-12 03:50:42 +0000
commit78e9bb837c258ac0ec7712b3d612cc2f407e731e (patch)
treef515d16b6efd858a9aeb5b0ef5d6f90bf288283d /.github/workflows
parentAdding debian version 255.5-1. (diff)
downloadsystemd-78e9bb837c258ac0ec7712b3d612cc2f407e731e.tar.xz
systemd-78e9bb837c258ac0ec7712b3d612cc2f407e731e.zip
Merging upstream version 256.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '.github/workflows')
-rwxr-xr-x.github/workflows/build_test.sh32
-rw-r--r--.github/workflows/build_test.yml8
-rw-r--r--.github/workflows/cflite_pr.yml2
-rw-r--r--.github/workflows/cifuzz.yml7
-rw-r--r--.github/workflows/codeql.yml10
-rw-r--r--.github/workflows/coverity.yml4
-rw-r--r--.github/workflows/development_freeze.yml51
-rw-r--r--.github/workflows/differential-shellcheck.yml13
-rw-r--r--.github/workflows/gather-pr-metadata.yml23
-rw-r--r--.github/workflows/issue_labeler.yml8
-rw-r--r--.github/workflows/labeler.yml93
-rw-r--r--.github/workflows/linter.yml7
-rw-r--r--.github/workflows/make_release.yml4
-rw-r--r--.github/workflows/mkosi.yml182
-rw-r--r--.github/workflows/requirements.txt6
-rw-r--r--.github/workflows/scorecards.yml6
-rwxr-xr-x.github/workflows/unit_tests.sh26
-rw-r--r--.github/workflows/unit_tests.yml4
18 files changed, 288 insertions, 198 deletions
diff --git a/.github/workflows/build_test.sh b/.github/workflows/build_test.sh
index c550046..f9bbdce 100755
--- a/.github/workflows/build_test.sh
+++ b/.github/workflows/build_test.sh
@@ -10,9 +10,9 @@ success() { echo >&2 -e "\033[32;1m$1\033[0m"; }
ARGS=(
"--optimization=0 -Dopenssl=disabled -Dcryptolib=gcrypt -Ddns-over-tls=gnutls -Dtpm=true -Dtpm2=enabled"
"--optimization=s -Dutmp=false"
+ "--optimization=2 -Dc_args=-Wmaybe-uninitialized -Ddns-over-tls=openssl"
"--optimization=3 -Db_lto=true -Ddns-over-tls=false"
"--optimization=3 -Db_lto=false -Dtpm2=disabled -Dlibfido2=disabled -Dp11kit=disabled"
- "--optimization=3 -Ddns-over-tls=openssl"
"--optimization=3 -Dfexecve=true -Dstandalone-binaries=true -Dstatic-libsystemd=true -Dstatic-libudev=true"
"-Db_ndebug=true"
)
@@ -84,6 +84,14 @@ if [[ "$COMPILER" == clang ]]; then
CXX="clang++-$COMPILER_VERSION"
AR="llvm-ar-$COMPILER_VERSION"
+ if systemd-analyze compare-versions "$COMPILER_VERSION" ge 17; then
+ CFLAGS="-fno-sanitize=function"
+ CXXFLAGS="-fno-sanitize=function"
+ else
+ CFLAGS=""
+ CXXFLAGS=""
+ fi
+
# Prefer the distro version if available
if ! apt-get -y install --dry-run "llvm-$COMPILER_VERSION" >/dev/null; then
# Latest LLVM stack deb packages provided by https://apt.llvm.org/
@@ -99,6 +107,8 @@ elif [[ "$COMPILER" == gcc ]]; then
CC="gcc-$COMPILER_VERSION"
CXX="g++-$COMPILER_VERSION"
AR="gcc-ar-$COMPILER_VERSION"
+ CFLAGS=""
+ CXXFLAGS=""
if ! apt-get -y install --dry-run "gcc-$COMPILER_VERSION" >/dev/null; then
# Latest gcc stack deb packages provided by
@@ -111,9 +121,12 @@ else
fatal "Unknown compiler: $COMPILER"
fi
-# PPA with some newer build dependencies (like zstd)
-sudo add-apt-repository -y --no-update ppa:upstream-systemd-ci/systemd-ci
-sudo add-apt-repository -y --no-update --enable-source
+# This is added by default, and it is often broken, but we don't need anything from it
+sudo rm -f /etc/apt/sources.list.d/microsoft-prod.{list,sources}
+# add-apt-repository --enable-source does not work on deb822 style sources.
+for f in /etc/apt/sources.list.d/*.sources; do
+ sudo sed -i "s/Types: deb/Types: deb deb-src/g" "$f"
+done
sudo apt-get -y update
sudo apt-get -y build-dep systemd
sudo apt-get -y install "${PACKAGES[@]}"
@@ -121,7 +134,7 @@ sudo apt-get -y install "${PACKAGES[@]}"
# always support all the features we need (like --optimization=). Since the build-dep
# command above installs the distro versions, let's install the pip ones just
# locally and add the local bin directory to the $PATH.
-pip3 install --user -r .github/workflows/requirements.txt --require-hashes
+pip3 install --user -r .github/workflows/requirements.txt --require-hashes --break-system-packages
export PATH="$HOME/.local/bin:$PATH"
$CC --version
@@ -131,11 +144,16 @@ ninja --version
for args in "${ARGS[@]}"; do
SECONDS=0
+ if [[ "$COMPILER" == clang && "$args" =~ Wmaybe-uninitialized ]]; then
+ # -Wmaybe-uninitialized is not implemented in clang
+ continue
+ fi
+
info "Checking build with $args"
# shellcheck disable=SC2086
if ! AR="$AR" \
- CC="$CC" CC_LD="$LINKER" CFLAGS="-Werror" \
- CXX="$CXX" CXX_LD="$LINKER" CXXFLAGS="-Werror" \
+ CC="$CC" CC_LD="$LINKER" CFLAGS="$CFLAGS" \
+ CXX="$CXX" CXX_LD="$LINKER" CXXFLAGS="$CXXFLAGS" \
meson setup \
-Dtests=unsafe -Dslow-tests=true -Dfuzz-tests=true --werror \
-Dnobody-group=nogroup -Dcryptolib="${CRYPTOLIB:?}" -Ddebug=false \
diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml
index f91ac03..164b3a0 100644
--- a/.github/workflows/build_test.yml
+++ b/.github/workflows/build_test.yml
@@ -17,7 +17,7 @@ permissions:
jobs:
build:
- runs-on: ubuntu-22.04
+ runs-on: ubuntu-24.04
concurrency:
group: ${{ github.workflow }}-${{ toJSON(matrix.env) }}-${{ github.ref }}
cancel-in-progress: true
@@ -28,11 +28,11 @@ jobs:
- { COMPILER: "gcc", COMPILER_VERSION: "11", LINKER: "bfd", CRYPTOLIB: "gcrypt" }
- { COMPILER: "gcc", COMPILER_VERSION: "13", LINKER: "mold", CRYPTOLIB: "openssl" }
- { COMPILER: "clang", COMPILER_VERSION: "14", LINKER: "mold", CRYPTOLIB: "gcrypt" }
- - { COMPILER: "clang", COMPILER_VERSION: "15", LINKER: "bfd", CRYPTOLIB: "openssl" }
- - { COMPILER: "clang", COMPILER_VERSION: "17", LINKER: "lld", CRYPTOLIB: "auto" }
+ - { COMPILER: "clang", COMPILER_VERSION: "16", LINKER: "bfd", CRYPTOLIB: "openssl" }
+ - { COMPILER: "clang", COMPILER_VERSION: "18", LINKER: "lld", CRYPTOLIB: "auto" }
env: ${{ matrix.env }}
steps:
- name: Repository checkout
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
- name: Build check
run: .github/workflows/build_test.sh
diff --git a/.github/workflows/cflite_pr.yml b/.github/workflows/cflite_pr.yml
index 707ea0b..f0d3217 100644
--- a/.github/workflows/cflite_pr.yml
+++ b/.github/workflows/cflite_pr.yml
@@ -13,7 +13,7 @@ permissions: read-all
jobs:
PR:
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
if: github.repository != 'systemd/systemd' || github.event.pull_request.user.login == 'dependabot[bot]'
concurrency:
group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ github.ref }}
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
index 66714c2..9b91740 100644
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@@ -22,7 +22,8 @@ on:
- main
jobs:
Fuzzing:
- runs-on: ubuntu-latest
+ # FIXME: Figure out why 32-bit applications fail to run in docker on Ubuntu 24.04.
+ runs-on: ubuntu-22.04
if: github.repository == 'systemd/systemd'
concurrency:
group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ matrix.architecture }}-${{ github.ref }}
@@ -60,14 +61,14 @@ jobs:
sanitizer: ${{ matrix.sanitizer }}
output-sarif: true
- name: Upload Crash
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
+ uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
if: failure() && steps.build.outcome == 'success'
with:
name: ${{ matrix.sanitizer }}-${{ matrix.architecture }}-artifacts
path: ./out/artifacts
- name: Upload Sarif
if: always() && steps.build.outcome == 'success'
- uses: github/codeql-action/upload-sarif@407ffafae6a767df3e0230c3df91b6443ae8df75
+ uses: github/codeql-action/upload-sarif@3ab4101902695724f9365a384f86c1074d94e18c
with:
# Path to SARIF file relative to the root of the repository
sarif_file: cifuzz-sarif/results.sarif
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 2c02ef5..0d284f7 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -27,7 +27,7 @@ jobs:
analyze:
name: Analyze
if: github.repository != 'systemd/systemd-security'
- runs-on: ubuntu-22.04
+ runs-on: ubuntu-24.04
concurrency:
group: ${{ github.workflow }}-${{ matrix.language }}-${{ github.ref }}
cancel-in-progress: true
@@ -42,10 +42,10 @@ jobs:
steps:
- name: Checkout repository
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
- name: Initialize CodeQL
- uses: github/codeql-action/init@407ffafae6a767df3e0230c3df91b6443ae8df75
+ uses: github/codeql-action/init@3ab4101902695724f9365a384f86c1074d94e18c
with:
languages: ${{ matrix.language }}
config-file: ./.github/codeql-config.yml
@@ -53,7 +53,7 @@ jobs:
- run: sudo -E .github/workflows/unit_tests.sh SETUP
- name: Autobuild
- uses: github/codeql-action/autobuild@407ffafae6a767df3e0230c3df91b6443ae8df75
+ uses: github/codeql-action/autobuild@3ab4101902695724f9365a384f86c1074d94e18c
- name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@407ffafae6a767df3e0230c3df91b6443ae8df75
+ uses: github/codeql-action/analyze@3ab4101902695724f9365a384f86c1074d94e18c
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
index 1545d59..ad7a5d2 100644
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@@ -14,7 +14,7 @@ permissions:
jobs:
build:
- runs-on: ubuntu-22.04
+ runs-on: ubuntu-24.04
if: github.repository == 'systemd/systemd'
env:
# Set in repo settings -> secrets -> actions
@@ -22,7 +22,7 @@ jobs:
COVERITY_SCAN_NOTIFICATION_EMAIL: "${{ secrets.COVERITY_SCAN_NOTIFICATION_EMAIL }}"
steps:
- name: Repository checkout
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
# Reuse the setup phase of the unit test script to avoid code duplication
- name: Install build dependencies
run: sudo -E .github/workflows/unit_tests.sh SETUP
diff --git a/.github/workflows/development_freeze.yml b/.github/workflows/development_freeze.yml
index e371e19..c2360a3 100644
--- a/.github/workflows/development_freeze.yml
+++ b/.github/workflows/development_freeze.yml
@@ -8,10 +8,6 @@ on:
types:
- completed
-env:
- PULL_REQUEST_METADATA_DIR: pull_request
- PULL_REQUEST_METADATA_FILE: metadata
-
permissions:
contents: read
@@ -21,54 +17,27 @@ jobs:
github.event.workflow_run.event == 'pull_request' &&
github.event.workflow_run.conclusion == 'success' &&
github.repository == 'systemd/systemd'
- runs-on: ubuntu-22.04
+ runs-on: ubuntu-24.04
permissions:
pull-requests: write
steps:
- - name: Download Pull Request Metadata artifact
- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
- with:
- script: |
- const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
- owner: context.repo.owner,
- repo: context.repo.repo,
- run_id: ${{ github.event.workflow_run.id }},
- });
-
- const matchArtifact = artifacts.data.artifacts.filter((artifact) => {
- return artifact.name == "${{ env.PULL_REQUEST_METADATA_FILE }}"
- })[0];
-
- const download = await github.rest.actions.downloadArtifact({
- owner: context.repo.owner,
- repo: context.repo.repo,
- artifact_id: matchArtifact.id,
- archive_format: 'zip',
- });
-
- const fs = require('fs');
- fs.writeFileSync('${{ github.workspace }}/${{ env.PULL_REQUEST_METADATA_FILE }}.zip', Buffer.from(download.data));
-
- - run: unzip ${{ env.PULL_REQUEST_METADATA_FILE }}.zip
-
- - name: 'Get Pull Request number'
- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
+ - id: artifact
+ name: Download Pull Request Metadata artifact
+ uses: redhat-plumbers-in-action/download-artifact@463ae626ac2dd333491c7beccaa24c12c5c259b8
with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
- script: |
- const fs = require('fs');
- const pr_number = Number(fs.readFileSync('./${{ env.PULL_REQUEST_METADATA_FILE }}'));
- core.exportVariable('pr_number', pr_number);
+ name: Pull Request Metadata
- name: Repository checkout
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
with:
fetch-depth: 0
- name: Development Freezer
- uses: redhat-plumbers-in-action/devel-freezer@67aec4a153bd9fca5322e1c4dd4d7c419fb36362
+ uses: redhat-plumbers-in-action/devel-freezer@ad766eafd555b28d2cb8e27937835983f9c3d173
with:
- pr-number: ${{ env.pr_number }}
+ pr-number: ${{ fromJSON(steps.artifact.outputs.pr-metadata-json).number }}
+ # delay start of validation to allow for some milestone/labels tweaking
+ delay: 20
token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/differential-shellcheck.yml b/.github/workflows/differential-shellcheck.yml
index b04aabb..244f5d5 100644
--- a/.github/workflows/differential-shellcheck.yml
+++ b/.github/workflows/differential-shellcheck.yml
@@ -16,20 +16,25 @@ permissions:
jobs:
lint:
if: github.event.repository.name != 'systemd-security'
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
permissions:
security-events: write
steps:
- name: Repository checkout
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
with:
fetch-depth: 0
- name: Differential ShellCheck
- uses: redhat-plumbers-in-action/differential-shellcheck@91e2582e40236f831458392d905578d680baa138
+ uses: redhat-plumbers-in-action/differential-shellcheck@60c9f2b924a9c5a2ddbb25e7b23e8e11b56faab9
with:
# exclude all `.in` files because they may contain unsupported syntax, and they have to be preprocessed first
- exclude-path: '**/*.in'
+ # TEMPORARY: exclude bash completion files, they would generate too many defects in Code scanning dashboard (600+)
+ # exclude zsh completion files, zsh is not supported by ShellCheck
+ exclude-path: |
+ '**/*.in'
+ 'shell-completion/bash/*'
+ 'shell-completion/zsh/*'
token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/gather-pr-metadata.yml b/.github/workflows/gather-pr-metadata.yml
index 5b3c360..e4a0caf 100644
--- a/.github/workflows/gather-pr-metadata.yml
+++ b/.github/workflows/gather-pr-metadata.yml
@@ -6,32 +6,25 @@ on:
pull_request:
branches: [ main ]
-env:
- PULL_REQUEST_METADATA_DIR: pull_request
- PULL_REQUEST_METADATA_FILE: metadata
-
permissions:
contents: read
jobs:
gather-metadata:
if: github.repository == 'systemd/systemd'
- runs-on: ubuntu-22.04
+ runs-on: ubuntu-24.04
steps:
- name: Repository checkout
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
- with:
- fetch-depth: 0
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
- - name: Store PR number in file
- run: |
- mkdir -p ./${{ env.PULL_REQUEST_METADATA_DIR }}
- echo ${{ github.event.number }} >./${{ env.PULL_REQUEST_METADATA_DIR }}/${{ env.PULL_REQUEST_METADATA_FILE }}
+ - id: metadata
+ name: Gather Pull Request Metadata
+ uses: redhat-plumbers-in-action/gather-pull-request-metadata@17821d3bc27c1efed339595898c2e622accc5a1b
- name: Upload Pull Request Metadata artifact
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
+ uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
with:
- name: ${{ env.PULL_REQUEST_METADATA_FILE }}
- path: ${{ env.PULL_REQUEST_METADATA_DIR }}
+ name: Pull Request Metadata
+ path: ${{ steps.metadata.outputs.metadata-file }}
retention-days: 1
diff --git a/.github/workflows/issue_labeler.yml b/.github/workflows/issue_labeler.yml
index d8ba0a5..4bedf0d 100644
--- a/.github/workflows/issue_labeler.yml
+++ b/.github/workflows/issue_labeler.yml
@@ -10,7 +10,7 @@ permissions:
jobs:
label-component:
- runs-on: ubuntu-22.04
+ runs-on: ubuntu-24.04
permissions:
issues: write
@@ -20,16 +20,16 @@ jobs:
template: [ bug_report.yml, feature_request.yml ]
steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
- name: Parse issue form
- uses: stefanbuck/github-issue-parser@c1a559d78bfb8dd05216dab9ffd2b91082ff5324
+ uses: stefanbuck/github-issue-parser@1e5bdee70d4b3e066a33aa0669ab782943825f94
id: issue-parser
with:
template-path: .github/ISSUE_TEMPLATE/${{ matrix.template }}
- name: Set labels based on component field
- uses: redhat-plumbers-in-action/advanced-issue-labeler@71bcf99aef4b9ea844db9a43755e8ac02c8e661e
+ uses: redhat-plumbers-in-action/advanced-issue-labeler@d498805e5c7c0658e336948b3363480bcfd68da6
with:
issue-form: ${{ steps.issue-parser.outputs.jsonString }}
template: ${{ matrix.template }}
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 7f66a53..241b581 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -7,6 +7,14 @@ name: "Pull Request Labeler"
on:
pull_request_target:
types: [opened, synchronize, reopened, ready_for_review, closed]
+ paths-ignore:
+ - '.github/labeler.yml'
+ - '.github/workflows/labeler.yml'
+ # Allow testing changes made to the labeler configuration
+ pull_request:
+ paths:
+ - '.github/labeler.yml'
+ - '.github/workflows/labeler.yml'
issue_comment:
types: [created]
@@ -16,22 +24,26 @@ permissions:
jobs:
triage:
if: github.repository == 'systemd/systemd'
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
permissions:
pull-requests: write
steps:
+ - name: Repository checkout
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
+ if: github.event_name == 'pull_request'
+
- name: Label PR based on policy in labeler.yml
- uses: actions/labeler@ac9175f8a1f3625fd0d4fb234536d26811351594
- if: github.event_name == 'pull_request_target' && github.event.action != 'closed'
+ uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9
+ if: startsWith(github.event_name, 'pull_request') && github.event.action != 'closed'
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"
configuration-path: .github/labeler.yml
- sync-labels: "" # This is a workaround for issue 18671
+ sync-labels: false
- name: Set or remove labels based on systemd development workflow
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
- if: github.event_name == 'pull_request_target' && github.event.action != 'closed' && !github.event.pull_request.draft
+ if: startsWith(github.event_name, 'pull_request') && github.event.action != 'closed' && !github.event.pull_request.draft
with:
script: |
response = await github.rest.issues.listLabelsOnIssue({
@@ -40,38 +52,34 @@ jobs:
repo: context.repo.repo,
});
- good_to_merge = [
+ original = new Set(response.data.map(l => l.name));
+ labels = new Set(original);
+
+ good_to_merge = new Set([
"good-to-merge/waiting-for-ci 👍",
"good-to-merge/after-next-release",
"good-to-merge/with-minor-suggestions",
"good-to-merge/waiting-for-reporter-feedback 👍",
- ];
+ ]);
- if (response.data.every(l => !good_to_merge.includes(l.name))) {
- await github.rest.issues.addLabels({
- issue_number: context.issue.number,
- owner: context.repo.owner,
- repo: context.repo.repo,
- labels: ["please-review"]
- });
+ if (Array.from(labels).filter(l => good_to_merge.has(l)).length == 0) {
+ labels.add("please-review");
}
for (const label of ["reviewed/needs-rework 🔨",
"ci-fails/needs-rework 🔥",
"ci-failure-appears-unrelated",
"needs-rebase"]) {
- try {
- await github.rest.issues.removeLabel({
- issue_number: context.issue.number,
- owner: context.repo.owner,
- repo: context.repo.repo,
- name: label,
- });
- } catch (err) {
- if (err.status != 404) {
- throw err;
- }
- }
+ labels.delete(label);
+ }
+
+ if (labels.size != original.size || Array.from(labels).some(l => !original.has(l))) {
+ await github.rest.issues.setLabels({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ labels: Array.from(labels),
+ });
}
- name: Add please-review label on command in issue comment
@@ -88,9 +96,18 @@ jobs:
- name: Remove specific labels when PR is closed or merged
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
- if: github.event_name == 'pull_request_target' && github.event.action == 'closed'
+ if: startsWith(github.event_name, 'pull_request') && github.event.action == 'closed'
with:
script: |
+ response = await github.rest.issues.listLabelsOnIssue({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ });
+
+ original = new Set(response.data.map(l => l.name));
+ labels = new Set(original);
+
for (const label of ["please-review",
"reviewed/needs-rework 🔨",
"ci-fails/needs-rework 🔥",
@@ -104,16 +121,14 @@ jobs:
"dont-merge 💣",
"squash-on-merge",
"quick-review 🏃‍♂️"]) {
- try {
- await github.rest.issues.removeLabel({
- issue_number: context.issue.number,
- owner: context.repo.owner,
- repo: context.repo.repo,
- name: label,
- });
- } catch (err) {
- if (err.status != 404) {
- throw err;
- }
- }
+ labels.delete(label);
+ }
+
+ if (labels.size != original.size || Array.from(labels).some(l => !original.has(l))) {
+ await github.rest.issues.setLabels({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ labels: Array.from(labels),
+ });
}
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
index fd1a7a4..cf0bc09 100644
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
@@ -16,21 +16,22 @@ permissions:
jobs:
build:
name: Lint Code Base
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
steps:
- name: Repo checkout
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
with:
# We need a full repo clone
fetch-depth: 0
- name: Lint Code Base
- uses: github/super-linter/slim@45fc0d88288beee4701c62761281edfee85655d7
+ uses: super-linter/super-linter/slim@88ea3923a7e1f89dd485d079f6eb5f5e8f937589
env:
DEFAULT_BRANCH: main
+ MULTI_STATUS: false
VALIDATE_ALL_CODEBASE: false
VALIDATE_GITHUB_ACTIONS: true
diff --git a/.github/workflows/make_release.yml b/.github/workflows/make_release.yml
index 9902a6c..dc7de69 100644
--- a/.github/workflows/make_release.yml
+++ b/.github/workflows/make_release.yml
@@ -11,14 +11,14 @@ permissions:
jobs:
release:
if: github.repository == 'systemd/systemd' || github.repository == 'systemd/systemd-stable'
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
permissions:
contents: write
steps:
- name: Release
- uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844
+ uses: softprops/action-gh-release@69320dbe05506a9a39fc8ae11030b214ec2d1f87
with:
prerelease: ${{ contains(github.ref_name, '-rc') }}
draft: ${{ github.repository == 'systemd/systemd' }}
diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml
index 8b32ec8..425d737 100644
--- a/.github/workflows/mkosi.yml
+++ b/.github/workflows/mkosi.yml
@@ -46,7 +46,7 @@ permissions:
jobs:
ci:
- runs-on: ubuntu-22.04
+ runs-on: ubuntu-24.04
concurrency:
group: ${{ github.workflow }}-${{ matrix.distro }}-${{ matrix.release }}-${{ github.ref }}
cancel-in-progress: true
@@ -56,76 +56,94 @@ jobs:
include:
- distro: arch
release: rolling
+ sanitizers: ""
+ llvm: 0
+ cflags: "-O2 -D_FORTIFY_SOURCE=3"
- distro: debian
release: testing
+ sanitizers: ""
+ llvm: 0
+ cflags: "-Og"
- distro: ubuntu
- release: jammy
+ release: noble
+ sanitizers: ""
+ llvm: 0
+ cflags: "-Og"
- distro: fedora
- release: "39"
+ release: "40"
+ sanitizers: ""
+ llvm: 0
+ cflags: "-Og"
- distro: fedora
release: rawhide
+ sanitizers: address,undefined
+ llvm: 1
+ cflags: "-Og"
- distro: opensuse
release: tumbleweed
+ sanitizers: ""
+ llvm: 0
+ cflags: "-Og"
- distro: centos
release: "9"
- - distro: centos
- release: "8"
-
- env:
- SYSTEMD_LOG_LEVEL: debug
+ sanitizers: ""
+ llvm: 0
+ cflags: "-Og"
steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
- - uses: systemd/mkosi@bbe715f42911f9660712377a5b39335b9391ae22
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
+ - uses: systemd/mkosi@0081ea66faf56a35353d6aeadfe42f9679c7d1cf
+
+ # Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
+ # immediately, we remove the files in the background. However, we first move them to a different location
+ # so that nothing tries to use anything in these directories anymore while we're busy deleting them.
+ - name: Free disk space
+ run: |
+ sudo mv /usr/local /usr/local.trash
+ sudo mv /opt/hostedtoolcache /opt/hostedtoolcache.trash
+ sudo systemd-run rm -rf /usr/local.trash /opt/hostedtoolcache.trash
+
+ - name: Btrfs
+ run: |
+ truncate --size=100G btrfs.raw
+ mkfs.btrfs btrfs.raw
+ sudo mkdir /mnt/mkosi
+ LOOP="$(sudo losetup --find --show --direct-io=on btrfs.raw)"
+ sudo mount "$LOOP" /mnt/mkosi --options compress=zstd:1,user_subvol_rm_allowed,noatime,discard=async,space_cache=v2
+ sudo chown "$(id -u):$(id -g)" /mnt/mkosi
+ mkdir /mnt/mkosi/tmp
+ echo "TMPDIR=/mnt/mkosi/tmp" >>"$GITHUB_ENV"
+ ln -s /mnt/mkosi/build build
- name: Configure
run: |
- tee mkosi.local.conf <<- EOF
+ tee mkosi.local.conf <<EOF
[Distribution]
Distribution=${{ matrix.distro }}
Release=${{ matrix.release }}
- EOF
-
- tee mkosi.conf.d/99-ci.conf <<- EOF
- [Content]
- Environment=CI_BUILD=1
- SLOW_TESTS=true
- [Host]
- KernelCommandLineExtra=systemd.unit=mkosi-check-and-shutdown.service
- systemd.journald.max_level_console=debug
- # udev's debug log output is very verbose, so up it to info in CI.
- udev.log_level=info
- # Root device can take a long time to appear, so let's bump the timeout.
- systemd.default_device_timeout_sec=180
- QemuVsock=yes
- # Sometimes we run on a host with /dev/kvm, but it is broken, so explicitly disable it
- QemuKvm=no
- Ephemeral=yes
- EOF
+ [Output]
+ # Build a disk image in CI as this logic is much more prone to breakage.
+ Format=disk
+ UseSubvolumes=yes
- # For erofs, we have to install linux-modules-extra-azure, but that doesn't match the running kernel
- # version, so we can't load the erofs module. squashfs is a builtin module so we use that instead.
+ WorkspaceDirectory=$TMPDIR
+ PackageCacheDirectory=$TMPDIR/cache
- mkdir -p mkosi.images/system/mkosi.repart/10-usr.conf.d
- tee mkosi.images/system/mkosi.repart/10-usr.conf.d/squashfs.conf <<- EOF
- [Partition]
- Format=squashfs
- EOF
+ [Content]
+ Environment=
+ # Build debuginfo packages since we'll be publishing the packages as artifacts.
+ WITH_DEBUG=1
+ CFLAGS="${{ matrix.cflags }}"
+ SANITIZERS=${{ matrix.sanitizers }}
+ MESON_OPTIONS=--werror
+ LLVM=${{ matrix.llvm }}
- # The emergency shell is not useful in the CI, as it just blocks for a long time before the job
- # eventually times out. Override it to just shutdown immediately.
- mkdir -p mkosi.images/initrd/mkosi.extra/usr/lib/systemd/system/emergency.service.d/
- mkdir -p mkosi.images/system/mkosi.extra/usr/lib/systemd/system/emergency.service.d/
- tee mkosi.images/initrd/mkosi.extra/usr/lib/systemd/system/emergency.service.d/poweroff.conf <<- EOF
- [Unit]
- FailureAction=exit
- [Service]
- ExecStartPre=
- ExecStart=
- ExecStart=false
+ [Host]
+ QemuMem=4G
+ # We build with debuginfo so there's no point in mounting the sources into the machine.
+ RuntimeBuildSources=no
EOF
- cp mkosi.images/initrd/mkosi.extra/usr/lib/systemd/system/emergency.service.d/poweroff.conf mkosi.images/system/mkosi.extra/usr/lib/systemd/system/emergency.service.d/poweroff.conf
- name: Generate secure boot key
run: mkosi --debug genkey
@@ -133,11 +151,63 @@ jobs:
- name: Show image summary
run: mkosi summary
- - name: Build
- run: mkosi --debug
-
- - name: Boot systemd-nspawn
- run: test "$(sudo mkosi --debug boot 1>&2; echo $?)" -eq 123
-
- - name: Boot QEMU
- run: timeout -k 30 10m test "$(mkosi --debug qemu 1>&2; echo $?)" -eq 123
+ - name: Install dependencies
+ run: |
+ mkosi dependencies |
+ xargs -d '\n' sudo apt-get install \
+ gperf \
+ libblkid-dev \
+ libcap-dev \
+ libcryptsetup-dev \
+ libcurl4-openssl-dev \
+ libfdisk-dev \
+ libmicrohttpd-dev \
+ libmount-dev \
+ libtss2-dev \
+ meson
+
+ - name: Configure meson
+ run: |
+ meson setup build \
+ --buildtype=debugoptimized \
+ -Dintegration-tests=true \
+ -Dremote=enabled \
+ -Dopenssl=enabled \
+ -Dblkid=enabled \
+ -Dtpm2=enabled \
+ -Dlibcryptsetup=enabled \
+ -Dlibcurl=enabled \
+ -Drepart=enabled \
+ -Dfirstboot=true \
+ -Dsysusers=true \
+ -Dtmpfiles=true \
+ -Dhwdb=true \
+ -Dvmspawn=enabled
+
+ - name: Build image
+ run: meson compile -C build mkosi
+
+ - name: Run integration tests
+ run: sudo --preserve-env meson test -C build --no-rebuild --suite integration-tests --print-errorlogs --no-stdsplit --num-processes "$(($(nproc) - 1))"
+
+ - name: Archive failed test journals
+ uses: actions/upload-artifact@v4
+ if: failure() && (github.repository == 'systemd/systemd' || github.repository == 'systemd/systemd-stable')
+ with:
+ name: ci-mkosi-${{ github.run_id }}-${{ github.run_attempt }}-${{ matrix.distro }}-${{ matrix.release }}-failed-test-journals
+ path: |
+ build/test/journal/*.journal
+ build/meson-logs/*
+ retention-days: 7
+
+ - name: Archive packages
+ uses: actions/upload-artifact@v4
+ if: (success() || failure()) && (github.repository == 'systemd/systemd' || github.repository == 'systemd/systemd-stable')
+ with:
+ name: ci-mkosi-${{ github.run_id }}-${{ github.run_attempt }}-${{ matrix.distro }}-${{ matrix.release }}-packages
+ path: |
+ build/mkosi.output/*.rpm
+ build/mkosi.output/*.deb
+ build/mkosi.output/*.ddeb
+ build/mkosi.output/*.pkg.tar
+ retention-days: 4
diff --git a/.github/workflows/requirements.txt b/.github/workflows/requirements.txt
index b42b98e..a073aaf 100644
--- a/.github/workflows/requirements.txt
+++ b/.github/workflows/requirements.txt
@@ -1,6 +1,6 @@
-meson==1.3.0 \
- --hash=sha256:4ba253ef60e454e23234696119cbafa082a0aead0bd3bbf6991295054795f5dc \
- --hash=sha256:e9f54046ce5b9a1f3024f7a7d52f19f085fd57c9d26a5db0cfcf0750572a8fd8
+meson==1.4.1 \
+ --hash=sha256:1b8aad738a5f6ae64294cc8eaba9a82988c1c420204484ac02ef782e5bba5f49 \
+ --hash=sha256:d5acc3abae2dad3c70ddcbd10acac92b78b144d34d43f40f5b8ac31dfd8a826a
ninja==1.11.1.1 \
--hash=sha256:18302d96a5467ea98b68e1cae1ae4b4fb2b2a56a82b955193c637557c7273dbd \
--hash=sha256:185e0641bde601e53841525c4196278e9aaf4463758da6dd1e752c0a0f54136a \
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index e2a9f27..44ee6f1 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -23,18 +23,18 @@ jobs:
analysis:
name: Scorecards analysis
if: github.repository == 'systemd/systemd'
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
permissions:
id-token: write # Used to receive a badge.
steps:
- name: Checkout code
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
persist-credentials: false
- name: Run analysis
- uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+ uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
with:
results_file: results.sarif
results_format: sarif
diff --git a/.github/workflows/unit_tests.sh b/.github/workflows/unit_tests.sh
index c1a5ede..4433d84 100755
--- a/.github/workflows/unit_tests.sh
+++ b/.github/workflows/unit_tests.sh
@@ -42,22 +42,38 @@ set -ex
MESON_ARGS=(-Dcryptolib=${CRYPTOLIB:-auto})
+# (Re)set the current oom-{score-}adj. For some reason root on GH actions is able to _decrease_
+# its oom-score even after dropping all capabilities (including CAP_SYS_RESOURCE), until the
+# score is explicitly changed after sudo. No idea what's going on, but it breaks
+# exec-oomscoreadjust-negative.service from test-execute when running unprivileged.
+choom -p $$ -n 0
+
for phase in "${PHASES[@]}"; do
case $phase in
SETUP)
info "Setup phase"
- # PPA with some newer build dependencies
- add-apt-repository -y --no-update ppa:upstream-systemd-ci/systemd-ci
- add-apt-repository -y --no-update --enable-source
+ # This is added by default, and it is often broken, but we don't need anything from it
+ rm -f /etc/apt/sources.list.d/microsoft-prod.{list,sources}
+ # add-apt-repository --enable-source does not work on deb822 style sources.
+ for f in /etc/apt/sources.list.d/*.sources; do
+ sed -i "s/Types: deb/Types: deb deb-src/g" "$f"
+ done
apt-get -y update
apt-get -y build-dep systemd
apt-get -y install "${ADDITIONAL_DEPS[@]}"
- pip3 install -r .github/workflows/requirements.txt --require-hashes
+ pip3 install -r .github/workflows/requirements.txt --require-hashes --break-system-packages
+
+ # Make sure the build dir is accessible even when drop privileges, otherwise the unprivileged
+ # part of test-execute gets skipped, since it can't run systemd-executor
+ chmod o+x /home/runner
+ capsh --drop=all -- -c "stat $PWD/meson.build"
;;
RUN|RUN_GCC|RUN_CLANG|RUN_CLANG_RELEASE)
if [[ "$phase" =~ ^RUN_CLANG ]]; then
export CC=clang
export CXX=clang++
+ export CFLAGS="-fno-sanitize=function"
+ export CXXFLAGS="-fno-sanitize=function"
if [[ "$phase" == RUN_CLANG ]]; then
# The docs build is slow and is not affected by compiler/flags, so do it just once
MESON_ARGS+=(-Dman=enabled)
@@ -82,6 +98,8 @@ for phase in "${PHASES[@]}"; do
if [[ "$phase" =~ ^RUN_CLANG_ASAN_UBSAN ]]; then
export CC=clang
export CXX=clang++
+ export CFLAGS="-fno-sanitize=function"
+ export CXXFLAGS="-fno-sanitize=function"
# Build fuzzer regression tests only with clang (for now),
# see: https://github.com/systemd/systemd/pull/15886#issuecomment-632689604
# -Db_lundef=false: See https://github.com/mesonbuild/meson/issues/764
diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml
index d2164cc..895068c 100644
--- a/.github/workflows/unit_tests.yml
+++ b/.github/workflows/unit_tests.yml
@@ -14,7 +14,7 @@ permissions:
jobs:
build:
- runs-on: ubuntu-22.04
+ runs-on: ubuntu-24.04
concurrency:
group: ${{ github.workflow }}-${{ matrix.run_phase }}-${{ matrix.cryptolib }}-${{ github.ref }}
cancel-in-progress: true
@@ -30,7 +30,7 @@ jobs:
cryptolib: gcrypt
steps:
- name: Repository checkout
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
- name: Install build dependencies
run: |
# Drop XDG_* stuff from /etc/environment, so we don't get the user