authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-06-12 03:50:42 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-06-12 03:50:42 +0000
commit78e9bb837c258ac0ec7712b3d612cc2f407e731e (patch)
treef515d16b6efd858a9aeb5b0ef5d6f90bf288283d /.github
parentAdding debian version 255.5-1. (diff)
Merging upstream version 256.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '.github')
-rw-r--r--.github/ISSUE_TEMPLATE/bug_report.yml9
-rw-r--r--.github/ISSUE_TEMPLATE/feature_request.yml3
-rw-r--r--.github/advanced-issue-labeler.yml7
-rw-r--r--.github/development-freeze.yml10
-rw-r--r--.github/labeler.yml233
-rwxr-xr-x.github/workflows/build_test.sh32
-rw-r--r--.github/workflows/build_test.yml8
-rw-r--r--.github/workflows/cflite_pr.yml2
-rw-r--r--.github/workflows/cifuzz.yml7
-rw-r--r--.github/workflows/codeql.yml10
-rw-r--r--.github/workflows/coverity.yml4
-rw-r--r--.github/workflows/development_freeze.yml51
-rw-r--r--.github/workflows/differential-shellcheck.yml13
-rw-r--r--.github/workflows/gather-pr-metadata.yml23
-rw-r--r--.github/workflows/issue_labeler.yml8
-rw-r--r--.github/workflows/labeler.yml93
-rw-r--r--.github/workflows/linter.yml7
-rw-r--r--.github/workflows/make_release.yml4
-rw-r--r--.github/workflows/mkosi.yml182
-rw-r--r--.github/workflows/requirements.txt6
-rw-r--r--.github/workflows/scorecards.yml6
-rwxr-xr-x.github/workflows/unit_tests.sh26
-rw-r--r--.github/workflows/unit_tests.yml4
23 files changed, 460 insertions, 288 deletions
diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
index 06a8640..f3ba2ca 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -15,10 +15,10 @@ body:
Do not submit bug reports about anything but the two most recently released *major* systemd versions upstream!
If there have been multiple stable releases for that major version, please consider updating to a recent one before reporting an issue.
When using a distro package, please make sure that the version reported is meaningful for upstream.
- If a distro build is used, please just paste the package version, e.g. `systemd-253-6.fc38.x86_64`.
+ If a distro build is used, please just paste the package version, e.g. `systemd-254.7-1.fc39.x86_64`.
See https://github.com/systemd/systemd-stable/tags for the list of most recent releases.
For older version please use distribution trackers (see https://systemd.io/CONTRIBUTING#filing-issues).
- placeholder: '253'
+ placeholder: '255'
validations:
required: true
@@ -27,7 +27,7 @@ body:
attributes:
label: Used distribution
description: Used distribution and its version
- placeholder: Fedora 38
+ placeholder: Fedora 39
validations:
required: false
@@ -37,7 +37,7 @@ body:
label: Linux kernel version used
description: |
Please use `uname -r` to get linux kernel version.
- placeholder: kernel-6.2.5-300.fc38.x86_64
+ placeholder: kernel-6.6.8-200.fc39.x86_64
validations:
required: false
@@ -140,6 +140,7 @@ body:
- 'systemd-udevd'
- 'systemd-userdb'
- 'systemd-veritysetup'
+ - 'systemd-vmspawn'
- 'systemd-xdg-autostart-generator'
- 'timedatectl'
- 'udevadm'
diff --git a/.github/ISSUE_TEMPLATE/feature_request.yml b/.github/ISSUE_TEMPLATE/feature_request.yml
index 1413b5f..645cef9 100644
--- a/.github/ISSUE_TEMPLATE/feature_request.yml
+++ b/.github/ISSUE_TEMPLATE/feature_request.yml
@@ -81,6 +81,7 @@ body:
- 'systemd-udevd'
- 'systemd-userdb'
- 'systemd-veritysetup'
+ - 'systemd-vmspawn'
- 'systemd-xdg-autostart-generator'
- 'timedatectl'
- 'udevadm'
@@ -120,6 +121,6 @@ body:
attributes:
label: The systemd version you checked that didn't have the feature you are asking for
description: If this is not the most recently released upstream version, then please check first if it has that feature already.
- placeholder: '253'
+ placeholder: '255'
validations:
required: false
diff --git a/.github/advanced-issue-labeler.yml b/.github/advanced-issue-labeler.yml
index e6ae5dc..4d70058 100644
--- a/.github/advanced-issue-labeler.yml
+++ b/.github/advanced-issue-labeler.yml
@@ -64,10 +64,10 @@ policy:
- name: kernel-install
keys: ['kernel-install']
- - name: logind
+ - name: login
keys: ['systemd-logind', 'loginctl', 'pam_systemd']
- - name: machined
+ - name: machine
keys: ['systemd-machined', 'machinectl']
- name: modules-load
@@ -145,5 +145,8 @@ policy:
- name: veritysetup
keys: ['systemd-veritysetup']
+ - name: vmspawn
+ keys: ['systemd-vmspawn']
+
- name: xdg-autostart
keys: ['systemd-xdg-autostart-generator']
diff --git a/.github/development-freeze.yml b/.github/development-freeze.yml
index 564e5f0..b7e7e3b 100644
--- a/.github/development-freeze.yml
+++ b/.github/development-freeze.yml
@@ -4,9 +4,13 @@
policy:
# tags like v253-rc1, v253-rc2, etc.
- tags: ['^\S*-rc\d+$']
+ labels:
+ allow: ['needs-stable-backport', 'dependencies', 'l10n 🌍']
feedback:
frozen-state: |
- An -rc1 tag has been created and a release is being prepared, so please note that PRs introducing new features and APIs will be held back until the new version has been released.
+ > [!IMPORTANT]
+ > An -rc1 tag has been created and a release is being prepared, so please note that PRs introducing new features and APIs will be held back until the new version has been released.
unfreeze-state: |
- We had successfully released a new major release. We are no longer in a development freeze phase.
- We will try our best to get back to your PR as soon as possible. Thank you for your patience.
+ > [!NOTE]
+ > We had successfully released a new major release. We are no longer in a development freeze phase.
+ > We will try our best to get back to your PR as soon as possible. Thank you for your patience.
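Review bot: The `labels.allow` list added at the top of this hunk makes any PR carrying `needs-stable-backport`, `dependencies` or `l10n 🌍` a freeze exception, and `l10n 🌍` is applied automatically by the path-based labeler config in this same commit for any change under `po/*`, so a feature PR that also touches a translation file would escape the freeze notice without anyone choosing to exempt it. If that is not intended, drop `l10n 🌍` from `allow`, or at least record the trade-off with a comment above the list such as `# PRs with these labels are exempt from the freeze; note that l10n is applied automatically by the labeler`. Whether devel-freezer treats the list as "any of" or "all of" cannot be confirmed from this hunk.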
diff --git a/.github/labeler.yml b/.github/labeler.yml
index fd5fc91..24ff2f0 100644
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -1,140 +1,213 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
+# vi: sw=2 ts=2 et:
apparmor:
- - '**/*apparmor*'
+ - changed-files:
+ - any-glob-to-any-file: '**/*apparmor*'
binfmt:
- - '**/*binfmt*'
+ - changed-files:
+ - any-glob-to-any-file: '**/*binfmt*'
+bsod:
+ - changed-files:
+ - any-glob-to-any-file: '**/*bsod*'
btrfs:
- - '**/*btrfs*'
+ - changed-files:
+ - any-glob-to-any-file: '**/*btrfs*'
build-system:
- - meson_options.txt
- - '**/meson.build'
- - Makefile
- - configure
+ - changed-files:
+ - any-glob-to-any-file: ['meson_options.txt', '**/meson.build', 'Makefile', 'configure']
busctl:
- - '**/*busctl*'
+ - changed-files:
+ - any-glob-to-any-file: '**/*busctl*'
cgls:
- - '**/*cgls*'
+ - changed-files:
+ - any-glob-to-any-file: '**/*cgls*'
cgtop:
- - '**/*cgtop*'
+ - changed-files:
+ - any-glob-to-any-file: '**/*cgtop*'
ci:
- - '.github/*'
+ - changed-files:
+ - any-glob-to-any-file: '.github/*'
coccinelle:
- - coccinelle/*
+ - changed-files:
+ - any-glob-to-any-file: 'coccinelle/*'
coredump:
- - '**/*coredump*'
+ - changed-files:
+ - any-glob-to-any-file: '**/*coredump*'
documentation:
- - NEWS
- - README*
- - docs/*
- - man/*
+ - changed-files:
+ - any-glob-to-any-file: ['NEWS', 'README*', 'docs/*', 'man/*']
env-generator:
- - '**/*environment*generator*'
+ - changed-files:
+ - any-glob-to-any-file: '**/*environment*generator*'
+escape:
+ - changed-files:
+ - any-glob-to-any-file: '**/*escape*'
debug-generator:
- - '**/debug-generator*'
+ - changed-files:
+ - any-glob-to-any-file: '**/debug-generator*'
fstab-generator:
- - '**/*fstab-generator*'
+ - changed-files:
+ - any-glob-to-any-file: '**/*fstab-generator*'
growfs:
- - '**/*growfs*'
+ - changed-files:
+ - any-glob-to-any-file: '**/*growfs*'
+hibernate-resume:
+ - changed-files:
+ - any-glob-to-any-file: '**/*hibernate-resume*'
hwdb:
- - hwdb.d/**/*
+ - changed-files:
+ - any-glob-to-any-file: 'hwdb.d/**/*'
journal:
- - src/journal/*
- - src/libsystemd/sd-journal/*
+ - changed-files:
+ - any-glob-to-any-file: ['src/journal/*', 'src/libsystemd/sd-journal/*']
journal-remote:
- - src/journal-remote/*
+ - changed-files:
+ - any-glob-to-any-file: 'src/journal-remote/*'
+l10n 🌍:
+ - changed-files:
+ - any-glob-to-any-file: 'po/*'
+login:
+ - changed-files:
+ - any-glob-to-any-file: ['src/login/*', '**/sd-login*/**']
meson:
- - meson_options.txt
- - '**/meson.build'
+ - changed-files:
+ - any-glob-to-any-file: ['meson_options.txt', '**/meson.build']
mkosi:
- - .mkosi/*
- - mkosi.build
+ - changed-files:
+ - any-glob-to-any-file: ['.mkosi/*', 'mkosi.build']
+mountfsd:
+ - changed-files:
+ - any-glob-to-any-file: ['src/mountfsd/*']
network:
- - src/libsystemd-network/**/*
- - src/network/**/*
+ - changed-files:
+ - any-glob-to-any-file: ['src/libsystemd-network/**/*', 'src/network/**/*']
+nspawn:
+ - changed-files:
+ - any-glob-to-any-file: '**/*nspawn*'
+nsresource:
+ - changed-files:
+ - any-glob-to-any-file: '**/*nsresource*'
portable:
- - src/portable/**/*
+ - changed-files:
+ - any-glob-to-any-file: 'src/portable/**/*'
rc-local-generator:
- - src/rc-local-generator/*
+ - changed-files:
+ - any-glob-to-any-file: 'src/rc-local-generator/*'
repart:
- - '**/*repart*'
+ - changed-files:
+ - any-glob-to-any-file: '**/*repart*'
resolve:
- - '**/*resolve*'
+ - changed-files:
+ - any-glob-to-any-file: '**/*resolve*'
rfkill:
- - '**/*rfkill*'
+ - changed-files:
+ - any-glob-to-any-file: '**/*rfkill*'
rpm:
- - src/rpm/*
+ - changed-files:
+ - any-glob-to-any-file: 'src/rpm/*'
run:
- - src/run/*
- - man/systemd-run*
+ - changed-files:
+ - any-glob-to-any-file: ['src/run/*', 'man/systemd-run*']
sd-boot/sd-stub/bootctl:
- - src/boot/**/*
- - man/bootctl*
- - man/systemd-boot.xml
+ - changed-files:
+ - any-glob-to-any-file: ['src/boot/**/*', 'man/bootctl*', 'man/systemd-boot.xml']
sd-bus:
- - '**/sd-bus*/**'
+ - changed-files:
+ - any-glob-to-any-file: '**/sd-bus*/**'
sd-daemon:
- - '**/sd-daemon*/**'
+ - changed-files:
+ - any-glob-to-any-file: '**/sd-daemon*/**'
sd-device:
- - '**/sd-device*/**'
+ - changed-files:
+ - any-glob-to-any-file: '**/sd-device*/**'
sd-event:
- - '**/sd-event*/**'
+ - changed-files:
+ - any-glob-to-any-file: '**/sd-event*/**'
sd-hwdb:
- - '**/sd-hwdb*/**'
+ - changed-files:
+ - any-glob-to-any-file: '**/sd-hwdb*/**'
sd-id128:
- - '**/sd-id128*/**'
+ - changed-files:
+ - any-glob-to-any-file: '**/sd-id128*/**'
sd-netlink:
- - '**/sd-netlink*/**'
+ - changed-files:
+ - any-glob-to-any-file: '**/sd-netlink*/**'
sd-path:
- - '**/sd-path*/**'
+ - changed-files:
+ - any-glob-to-any-file: '**/sd-path*/**'
sd-resolve:
- - '**/sd-resolve*/**'
+ - changed-files:
+ - any-glob-to-any-file: '**/sd-resolve*/**'
selinux:
- - '**/*selinux*'
+ - changed-files:
+ - any-glob-to-any-file: '**/*selinux*'
+shell-completion:
+ - changed-files:
+ - any-glob-to-any-file: 'shell-completion/*'
sleep:
- - '**/*sleep*'
+ - changed-files:
+ - any-glob-to-any-file: ['src/shared/*sleep*', 'src/sleep/*']
smack:
- - '**/*smack*'
+ - changed-files:
+ - any-glob-to-any-file: '**/*smack*'
socket-proxy:
- - '**/*socket-proxy*'
+ - changed-files:
+ - any-glob-to-any-file: '**/*socket-proxy*'
sysv-generator:
- - '**/*sysv-generator*'
+ - changed-files:
+ - any-glob-to-any-file: '**/*sysv-generator*'
systemctl:
- - '**/systemctl*'
+ - changed-files:
+ - any-glob-to-any-file: '**/systemctl*'
sysupdate:
- - '**/*sysupdate*'
+ - changed-files:
+ - any-glob-to-any-file: '**/*sysupdate*'
sysvcompat:
- - '**/*sysv*'
+ - changed-files:
+ - any-glob-to-any-file: '**/*sysv*'
sysctl:
- - '**/*sysctl*'
+ - changed-files:
+ - any-glob-to-any-file: '**/*sysctl*'
timedate:
- - '**/*timedate*'
+ - changed-files:
+ - any-glob-to-any-file: '**/*timedate*'
timesync:
- - '**/*timesync*'
+ - changed-files:
+ - any-glob-to-any-file: '**/*timesync*'
tests:
- - src/test/**/*
- - src/fuzz/**/*
- - test/**/*
- - '**/test-*'
- - .github/workflows/*
+ - changed-files:
+ - any-glob-to-any-file: [
+ 'src/test/**/*',
+ 'src/fuzz/**/*',
+ 'test/**/*',
+ '**/test-*',
+ '.github/workflows/*'
+ ]
tpm2:
- - '**/*tpm2*'
- - '**/*tpm-*'
+ - changed-files:
+ - any-glob-to-any-file: ['**/*tpm2*', '**/*tpm-*']
udev:
- - src/udev/**/*
- - src/libudev/*
- - man/*udev*
+ - changed-files:
+ - any-glob-to-any-file: ['src/udev/**/*', 'src/libudev/*', 'man/*udev*']
uki:
- - '**/ukify*'
+ - changed-files:
+ - any-glob-to-any-file: '**/ukify*'
units:
- - units/**/*
+ - changed-files:
+ - any-glob-to-any-file: 'units/**/*'
userdb:
- - '**/*userdb*'
+ - changed-files:
+ - any-glob-to-any-file: '**/*userdb*'
util-lib:
- - src/fundamental/**/*
- - src/basic/**/*
- - src/shared/**/*
+ - changed-files:
+ - any-glob-to-any-file: ['src/fundamental/**/*', 'src/basic/**/*', 'src/shared/**/*']
vconsole:
- - '**/*vconsole*'
+ - changed-files:
+ - any-glob-to-any-file: '**/*vconsole*'
+vmspawn:
+ - changed-files:
+ - any-glob-to-any-file: '**/*vmspawn*'
xdg-autostart:
- - '**/**xdg-autostart-generator*'
+ - changed-files:
+ - any-glob-to-any-file: '**/**xdg-autostart-generator*'
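Review bot: The `ci` entry's glob `.github/*` only matches files directly under `.github/`, because `*` in minimatch-style globs does not cross a path separator, so changes to `.github/workflows/*` or `.github/ISSUE_TEMPLATE/*` receive only the `tests` label from the later entry and never `ci`. If the intent is to tag every CI-infrastructure change, use `- any-glob-to-any-file: '.github/**'`. The old flat format had the same pattern, so the migration preserves rather than introduces the gap; confirm against actions/labeler's glob semantics before widening it, and consider a comment above `tests:` stating that `.github/workflows/*` is deliberately classified as tests.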
diff --git a/.github/workflows/build_test.sh b/.github/workflows/build_test.sh
index c550046..f9bbdce 100755
--- a/.github/workflows/build_test.sh
+++ b/.github/workflows/build_test.sh
@@ -10,9 +10,9 @@ success() { echo >&2 -e "\033[32;1m$1\033[0m"; }
ARGS=(
"--optimization=0 -Dopenssl=disabled -Dcryptolib=gcrypt -Ddns-over-tls=gnutls -Dtpm=true -Dtpm2=enabled"
"--optimization=s -Dutmp=false"
+ "--optimization=2 -Dc_args=-Wmaybe-uninitialized -Ddns-over-tls=openssl"
"--optimization=3 -Db_lto=true -Ddns-over-tls=false"
"--optimization=3 -Db_lto=false -Dtpm2=disabled -Dlibfido2=disabled -Dp11kit=disabled"
- "--optimization=3 -Ddns-over-tls=openssl"
"--optimization=3 -Dfexecve=true -Dstandalone-binaries=true -Dstatic-libsystemd=true -Dstatic-libudev=true"
"-Db_ndebug=true"
)
@@ -84,6 +84,14 @@ if [[ "$COMPILER" == clang ]]; then
CXX="clang++-$COMPILER_VERSION"
AR="llvm-ar-$COMPILER_VERSION"
+ if systemd-analyze compare-versions "$COMPILER_VERSION" ge 17; then
+ CFLAGS="-fno-sanitize=function"
+ CXXFLAGS="-fno-sanitize=function"
+ else
+ CFLAGS=""
+ CXXFLAGS=""
+ fi
+
# Prefer the distro version if available
if ! apt-get -y install --dry-run "llvm-$COMPILER_VERSION" >/dev/null; then
# Latest LLVM stack deb packages provided by https://apt.llvm.org/
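Review bot: The version gate at the top of this hunk shells out to the runner's pre-installed `systemd-analyze compare-versions`, so the build script now depends on the host systemd being new enough to have that verb; if it is missing the command fails and, depending on whether `set -e` is active earlier in the script (not visible here), the job either aborts or silently takes the `else` branch and drops `-fno-sanitize=function`. `COMPILER_VERSION` is a plain integer from the matrix in build_test.yml, so a bash arithmetic comparison avoids the external dependency: `if (( COMPILER_VERSION >= 17 )); then`. The enclosing `if [[ "$COMPILER" == clang ]]` block begins before this hunk.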
@@ -99,6 +107,8 @@ elif [[ "$COMPILER" == gcc ]]; then
CC="gcc-$COMPILER_VERSION"
CXX="g++-$COMPILER_VERSION"
AR="gcc-ar-$COMPILER_VERSION"
+ CFLAGS=""
+ CXXFLAGS=""
if ! apt-get -y install --dry-run "gcc-$COMPILER_VERSION" >/dev/null; then
# Latest gcc stack deb packages provided by
@@ -111,9 +121,12 @@ else
fatal "Unknown compiler: $COMPILER"
fi
-# PPA with some newer build dependencies (like zstd)
-sudo add-apt-repository -y --no-update ppa:upstream-systemd-ci/systemd-ci
-sudo add-apt-repository -y --no-update --enable-source
+# This is added by default, and it is often broken, but we don't need anything from it
+sudo rm -f /etc/apt/sources.list.d/microsoft-prod.{list,sources}
+# add-apt-repository --enable-source does not work on deb822 style sources.
+for f in /etc/apt/sources.list.d/*.sources; do
+ sudo sed -i "s/Types: deb/Types: deb deb-src/g" "$f"
+done
sudo apt-get -y update
sudo apt-get -y build-dep systemd
sudo apt-get -y install "${PACKAGES[@]}"
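Review bot: The deb-src loop is neither idempotent nor safe when the glob has no match: `s/Types: deb/Types: deb deb-src/g` also matches a line that already reads `Types: deb deb-src` and appends a second `deb-src`, and if no `*.sources` file exists the literal pattern is handed to `sed -i`, which fails. Anchoring the expression and skipping non-existent paths covers both cases: add `[[ -e "$f" ]] || continue` before the sed and change it to `sudo sed -i 's/^Types: deb$/Types: deb deb-src/' "$f"`. Note that this enables source entries for every remaining third-party `.sources` file, not only Ubuntu's, which widens where `apt-get build-dep` may fetch from; restricting the loop to `ubuntu.sources` would be tighter if that is sufficient.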
@@ -121,7 +134,7 @@ sudo apt-get -y install "${PACKAGES[@]}"
# always support all the features we need (like --optimization=). Since the build-dep
# command above installs the distro versions, let's install the pip ones just
# locally and add the local bin directory to the $PATH.
-pip3 install --user -r .github/workflows/requirements.txt --require-hashes
+pip3 install --user -r .github/workflows/requirements.txt --require-hashes --break-system-packages
export PATH="$HOME/.local/bin:$PATH"
$CC --version
@@ -131,11 +144,16 @@ ninja --version
for args in "${ARGS[@]}"; do
SECONDS=0
+ if [[ "$COMPILER" == clang && "$args" =~ Wmaybe-uninitialized ]]; then
+ # -Wmaybe-uninitialized is not implemented in clang
+ continue
+ fi
+
info "Checking build with $args"
# shellcheck disable=SC2086
if ! AR="$AR" \
- CC="$CC" CC_LD="$LINKER" CFLAGS="-Werror" \
- CXX="$CXX" CXX_LD="$LINKER" CXXFLAGS="-Werror" \
+ CC="$CC" CC_LD="$LINKER" CFLAGS="$CFLAGS" \
+ CXX="$CXX" CXX_LD="$LINKER" CXXFLAGS="$CXXFLAGS" \
meson setup \
-Dtests=unsafe -Dslow-tests=true -Dfuzz-tests=true --werror \
-Dnobody-group=nogroup -Dcryptolib="${CRYPTOLIB:?}" -Ddebug=false \
diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml
index f91ac03..164b3a0 100644
--- a/.github/workflows/build_test.yml
+++ b/.github/workflows/build_test.yml
@@ -17,7 +17,7 @@ permissions:
jobs:
build:
- runs-on: ubuntu-22.04
+ runs-on: ubuntu-24.04
concurrency:
group: ${{ github.workflow }}-${{ toJSON(matrix.env) }}-${{ github.ref }}
cancel-in-progress: true
@@ -28,11 +28,11 @@ jobs:
- { COMPILER: "gcc", COMPILER_VERSION: "11", LINKER: "bfd", CRYPTOLIB: "gcrypt" }
- { COMPILER: "gcc", COMPILER_VERSION: "13", LINKER: "mold", CRYPTOLIB: "openssl" }
- { COMPILER: "clang", COMPILER_VERSION: "14", LINKER: "mold", CRYPTOLIB: "gcrypt" }
- - { COMPILER: "clang", COMPILER_VERSION: "15", LINKER: "bfd", CRYPTOLIB: "openssl" }
- - { COMPILER: "clang", COMPILER_VERSION: "17", LINKER: "lld", CRYPTOLIB: "auto" }
+ - { COMPILER: "clang", COMPILER_VERSION: "16", LINKER: "bfd", CRYPTOLIB: "openssl" }
+ - { COMPILER: "clang", COMPILER_VERSION: "18", LINKER: "lld", CRYPTOLIB: "auto" }
env: ${{ matrix.env }}
steps:
- name: Repository checkout
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
- name: Build check
run: .github/workflows/build_test.sh
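Review bot: The bumped action pin in this hunk is a full commit SHA, which is the right supply-chain practice, but it carries no indication of the upstream tag it corresponds to, so a reviewer cannot check the pin against a release without resolving the hash. Appending the tag as a trailing comment, e.g. `uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # vX.Y.Z` with the real tag, keeps the pin verifiable and lets Dependabot or Renovate update hash and comment together. The same applies to every other action bump in this commit.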
diff --git a/.github/workflows/cflite_pr.yml b/.github/workflows/cflite_pr.yml
index 707ea0b..f0d3217 100644
--- a/.github/workflows/cflite_pr.yml
+++ b/.github/workflows/cflite_pr.yml
@@ -13,7 +13,7 @@ permissions: read-all
jobs:
PR:
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
if: github.repository != 'systemd/systemd' || github.event.pull_request.user.login == 'dependabot[bot]'
concurrency:
group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ github.ref }}
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
index 66714c2..9b91740 100644
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@@ -22,7 +22,8 @@ on:
- main
jobs:
Fuzzing:
- runs-on: ubuntu-latest
+ # FIXME: Figure out why 32-bit applications fail to run in docker on Ubuntu 24.04.
+ runs-on: ubuntu-22.04
if: github.repository == 'systemd/systemd'
concurrency:
group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ matrix.architecture }}-${{ github.ref }}
@@ -60,14 +61,14 @@ jobs:
sanitizer: ${{ matrix.sanitizer }}
output-sarif: true
- name: Upload Crash
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
+ uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
if: failure() && steps.build.outcome == 'success'
with:
name: ${{ matrix.sanitizer }}-${{ matrix.architecture }}-artifacts
path: ./out/artifacts
- name: Upload Sarif
if: always() && steps.build.outcome == 'success'
- uses: github/codeql-action/upload-sarif@407ffafae6a767df3e0230c3df91b6443ae8df75
+ uses: github/codeql-action/upload-sarif@3ab4101902695724f9365a384f86c1074d94e18c
with:
# Path to SARIF file relative to the root of the repository
sarif_file: cifuzz-sarif/results.sarif
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 2c02ef5..0d284f7 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -27,7 +27,7 @@ jobs:
analyze:
name: Analyze
if: github.repository != 'systemd/systemd-security'
- runs-on: ubuntu-22.04
+ runs-on: ubuntu-24.04
concurrency:
group: ${{ github.workflow }}-${{ matrix.language }}-${{ github.ref }}
cancel-in-progress: true
@@ -42,10 +42,10 @@ jobs:
steps:
- name: Checkout repository
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
- name: Initialize CodeQL
- uses: github/codeql-action/init@407ffafae6a767df3e0230c3df91b6443ae8df75
+ uses: github/codeql-action/init@3ab4101902695724f9365a384f86c1074d94e18c
with:
languages: ${{ matrix.language }}
config-file: ./.github/codeql-config.yml
@@ -53,7 +53,7 @@ jobs:
- run: sudo -E .github/workflows/unit_tests.sh SETUP
- name: Autobuild
- uses: github/codeql-action/autobuild@407ffafae6a767df3e0230c3df91b6443ae8df75
+ uses: github/codeql-action/autobuild@3ab4101902695724f9365a384f86c1074d94e18c
- name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@407ffafae6a767df3e0230c3df91b6443ae8df75
+ uses: github/codeql-action/analyze@3ab4101902695724f9365a384f86c1074d94e18c
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
index 1545d59..ad7a5d2 100644
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@@ -14,7 +14,7 @@ permissions:
jobs:
build:
- runs-on: ubuntu-22.04
+ runs-on: ubuntu-24.04
if: github.repository == 'systemd/systemd'
env:
# Set in repo settings -> secrets -> actions
@@ -22,7 +22,7 @@ jobs:
COVERITY_SCAN_NOTIFICATION_EMAIL: "${{ secrets.COVERITY_SCAN_NOTIFICATION_EMAIL }}"
steps:
- name: Repository checkout
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
# Reuse the setup phase of the unit test script to avoid code duplication
- name: Install build dependencies
run: sudo -E .github/workflows/unit_tests.sh SETUP
diff --git a/.github/workflows/development_freeze.yml b/.github/workflows/development_freeze.yml
index e371e19..c2360a3 100644
--- a/.github/workflows/development_freeze.yml
+++ b/.github/workflows/development_freeze.yml
@@ -8,10 +8,6 @@ on:
types:
- completed
-env:
- PULL_REQUEST_METADATA_DIR: pull_request
- PULL_REQUEST_METADATA_FILE: metadata
-
permissions:
contents: read
@@ -21,54 +17,27 @@ jobs:
github.event.workflow_run.event == 'pull_request' &&
github.event.workflow_run.conclusion == 'success' &&
github.repository == 'systemd/systemd'
- runs-on: ubuntu-22.04
+ runs-on: ubuntu-24.04
permissions:
pull-requests: write
steps:
- - name: Download Pull Request Metadata artifact
- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
- with:
- script: |
- const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
- owner: context.repo.owner,
- repo: context.repo.repo,
- run_id: ${{ github.event.workflow_run.id }},
- });
-
- const matchArtifact = artifacts.data.artifacts.filter((artifact) => {
- return artifact.name == "${{ env.PULL_REQUEST_METADATA_FILE }}"
- })[0];
-
- const download = await github.rest.actions.downloadArtifact({
- owner: context.repo.owner,
- repo: context.repo.repo,
- artifact_id: matchArtifact.id,
- archive_format: 'zip',
- });
-
- const fs = require('fs');
- fs.writeFileSync('${{ github.workspace }}/${{ env.PULL_REQUEST_METADATA_FILE }}.zip', Buffer.from(download.data));
-
- - run: unzip ${{ env.PULL_REQUEST_METADATA_FILE }}.zip
-
- - name: 'Get Pull Request number'
- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
+ - id: artifact
+ name: Download Pull Request Metadata artifact
+ uses: redhat-plumbers-in-action/download-artifact@463ae626ac2dd333491c7beccaa24c12c5c259b8
with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
- script: |
- const fs = require('fs');
- const pr_number = Number(fs.readFileSync('./${{ env.PULL_REQUEST_METADATA_FILE }}'));
- core.exportVariable('pr_number', pr_number);
+ name: Pull Request Metadata
- name: Repository checkout
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
with:
fetch-depth: 0
- name: Development Freezer
- uses: redhat-plumbers-in-action/devel-freezer@67aec4a153bd9fca5322e1c4dd4d7c419fb36362
+ uses: redhat-plumbers-in-action/devel-freezer@ad766eafd555b28d2cb8e27937835983f9c3d173
with:
- pr-number: ${{ env.pr_number }}
+ pr-number: ${{ fromJSON(steps.artifact.outputs.pr-metadata-json).number }}
+ # delay start of validation to allow for some milestone/labels tweaking
+ delay: 20
token: ${{ secrets.GITHUB_TOKEN }}
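Review bot: The PR number handed to devel-freezer at the bottom of this hunk comes straight out of an artifact produced by a `pull_request` run, i.e. by a workflow executed on untrusted fork code, while this `workflow_run` job holds `pull-requests: write`; a malicious PR can upload a metadata file naming any other PR number and have the bot comment on or label that PR. The old github-script download had the same shape, so the commit does not introduce the problem, but the migration is the right moment to close it. Cross-check the number against the triggering run before using it, e.g. fetch the PR and require its head SHA to equal `github.event.workflow_run.head_sha` (which should be the PR head for `pull_request`-triggered runs — confirm), failing the job otherwise; `workflow_run.pull_requests` cannot serve alone because it is empty for fork PRs.
```yaml
      - name: Verify that the artifact's PR number belongs to the triggering run
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
        env:
          PR_NUMBER: ${{ fromJSON(steps.artifact.outputs.pr-metadata-json).number }}
          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
        with:
          script: |
            const pr = await github.rest.pulls.get({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: Number(process.env.PR_NUMBER),
            });
            if (pr.data.head.sha !== process.env.HEAD_SHA) {
              core.setFailed(`PR #${process.env.PR_NUMBER} head ${pr.data.head.sha} does not match workflow_run head ${process.env.HEAD_SHA}`);
            }

      # … unchanged: Repository checkout, Development Freezer …
```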
diff --git a/.github/workflows/differential-shellcheck.yml b/.github/workflows/differential-shellcheck.yml
index b04aabb..244f5d5 100644
--- a/.github/workflows/differential-shellcheck.yml
+++ b/.github/workflows/differential-shellcheck.yml
@@ -16,20 +16,25 @@ permissions:
jobs:
lint:
if: github.event.repository.name != 'systemd-security'
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
permissions:
security-events: write
steps:
- name: Repository checkout
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
with:
fetch-depth: 0
- name: Differential ShellCheck
- uses: redhat-plumbers-in-action/differential-shellcheck@91e2582e40236f831458392d905578d680baa138
+ uses: redhat-plumbers-in-action/differential-shellcheck@60c9f2b924a9c5a2ddbb25e7b23e8e11b56faab9
with:
# exclude all `.in` files because they may contain unsupported syntax, and they have to be preprocessed first
- exclude-path: '**/*.in'
+ # TEMPORARY: exclude bash completion files, they would generate too many defects in Code scanning dashboard (600+)
+ # exclude zsh completion files, zsh is not supported by ShellCheck
+ exclude-path: |
+ '**/*.in'
+ 'shell-completion/bash/*'
+ 'shell-completion/zsh/*'
token: ${{ secrets.GITHUB_TOKEN }}
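Review bot: Inside the `|` block scalar the single quotes on each `exclude-path` line are literal characters of the value, unlike the previous `exclude-path: '**/*.in'` where YAML consumed them, so the action now receives `'**/*.in'` quotes included. Unless differential-shellcheck documents that it strips quotes from this input (its README examples may show this form — verify), write the entries unquoted: `**/*.in`, `shell-completion/bash/*`, `shell-completion/zsh/*`. Separately, `shell-completion/zsh/*` only excludes files directly in that directory; use `shell-completion/zsh/**` if the tree is nested.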
diff --git a/.github/workflows/gather-pr-metadata.yml b/.github/workflows/gather-pr-metadata.yml
index 5b3c360..e4a0caf 100644
--- a/.github/workflows/gather-pr-metadata.yml
+++ b/.github/workflows/gather-pr-metadata.yml
@@ -6,32 +6,25 @@ on:
pull_request:
branches: [ main ]
-env:
- PULL_REQUEST_METADATA_DIR: pull_request
- PULL_REQUEST_METADATA_FILE: metadata
-
permissions:
contents: read
jobs:
gather-metadata:
if: github.repository == 'systemd/systemd'
- runs-on: ubuntu-22.04
+ runs-on: ubuntu-24.04
steps:
- name: Repository checkout
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
- with:
- fetch-depth: 0
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
- - name: Store PR number in file
- run: |
- mkdir -p ./${{ env.PULL_REQUEST_METADATA_DIR }}
- echo ${{ github.event.number }} >./${{ env.PULL_REQUEST_METADATA_DIR }}/${{ env.PULL_REQUEST_METADATA_FILE }}
+ - id: metadata
+ name: Gather Pull Request Metadata
+ uses: redhat-plumbers-in-action/gather-pull-request-metadata@17821d3bc27c1efed339595898c2e622accc5a1b
- name: Upload Pull Request Metadata artifact
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
+ uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
with:
- name: ${{ env.PULL_REQUEST_METADATA_FILE }}
- path: ${{ env.PULL_REQUEST_METADATA_DIR }}
+ name: Pull Request Metadata
+ path: ${{ steps.metadata.outputs.metadata-file }}
retention-days: 1
diff --git a/.github/workflows/issue_labeler.yml b/.github/workflows/issue_labeler.yml
index d8ba0a5..4bedf0d 100644
--- a/.github/workflows/issue_labeler.yml
+++ b/.github/workflows/issue_labeler.yml
@@ -10,7 +10,7 @@ permissions:
jobs:
label-component:
- runs-on: ubuntu-22.04
+ runs-on: ubuntu-24.04
permissions:
issues: write
@@ -20,16 +20,16 @@ jobs:
template: [ bug_report.yml, feature_request.yml ]
steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
- name: Parse issue form
- uses: stefanbuck/github-issue-parser@c1a559d78bfb8dd05216dab9ffd2b91082ff5324
+ uses: stefanbuck/github-issue-parser@1e5bdee70d4b3e066a33aa0669ab782943825f94
id: issue-parser
with:
template-path: .github/ISSUE_TEMPLATE/${{ matrix.template }}
- name: Set labels based on component field
- uses: redhat-plumbers-in-action/advanced-issue-labeler@71bcf99aef4b9ea844db9a43755e8ac02c8e661e
+ uses: redhat-plumbers-in-action/advanced-issue-labeler@d498805e5c7c0658e336948b3363480bcfd68da6
with:
issue-form: ${{ steps.issue-parser.outputs.jsonString }}
template: ${{ matrix.template }}
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 7f66a53..241b581 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -7,6 +7,14 @@ name: "Pull Request Labeler"
on:
pull_request_target:
types: [opened, synchronize, reopened, ready_for_review, closed]
+ paths-ignore:
+ - '.github/labeler.yml'
+ - '.github/workflows/labeler.yml'
+ # Allow testing changes made to the labeler configuration
+ pull_request:
+ paths:
+ - '.github/labeler.yml'
+ - '.github/workflows/labeler.yml'
issue_comment:
types: [created]
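Review bot: A PR that modifies `.github/labeler.yml` together with other files satisfies both triggers added here, because `paths-ignore` on `pull_request_target` only suppresses the run when every changed file is ignored while `paths` on `pull_request` fires when any changed file matches, so two `triage` jobs run on the same PR at once and the job declares no `concurrency:` group. Add a concurrency group keyed on the PR, e.g. `group: ${{ github.workflow }}-${{ github.event.pull_request.number }}` under a job-level `concurrency:`, or restrict the `pull_request` path to same-repository PRs with `github.event.pull_request.head.repo.full_name == github.repository`. For fork PRs the `pull_request` run will in any case fail to write labels because the token is read-only there; a comment saying that this trigger only exists to test config changes would spare the next reader the confusion.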
@@ -16,22 +24,26 @@ permissions:
jobs:
triage:
if: github.repository == 'systemd/systemd'
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
permissions:
pull-requests: write
steps:
+ - name: Repository checkout
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
+ if: github.event_name == 'pull_request'
+
- name: Label PR based on policy in labeler.yml
- uses: actions/labeler@ac9175f8a1f3625fd0d4fb234536d26811351594
- if: github.event_name == 'pull_request_target' && github.event.action != 'closed'
+ uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9
+ if: startsWith(github.event_name, 'pull_request') && github.event.action != 'closed'
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"
configuration-path: .github/labeler.yml
- sync-labels: "" # This is a workaround for issue 18671
+ sync-labels: false
- name: Set or remove labels based on systemd development workflow
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
- if: github.event_name == 'pull_request_target' && github.event.action != 'closed' && !github.event.pull_request.draft
+ if: startsWith(github.event_name, 'pull_request') && github.event.action != 'closed' && !github.event.pull_request.draft
with:
script: |
response = await github.rest.issues.listLabelsOnIssue({
@@ -40,38 +52,34 @@ jobs:
repo: context.repo.repo,
});
- good_to_merge = [
+ original = new Set(response.data.map(l => l.name));
+ labels = new Set(original);
+
+ good_to_merge = new Set([
"good-to-merge/waiting-for-ci 👍",
"good-to-merge/after-next-release",
"good-to-merge/with-minor-suggestions",
"good-to-merge/waiting-for-reporter-feedback 👍",
- ];
+ ]);
- if (response.data.every(l => !good_to_merge.includes(l.name))) {
- await github.rest.issues.addLabels({
- issue_number: context.issue.number,
- owner: context.repo.owner,
- repo: context.repo.repo,
- labels: ["please-review"]
- });
+ if (Array.from(labels).filter(l => good_to_merge.has(l)).length == 0) {
+ labels.add("please-review");
}
for (const label of ["reviewed/needs-rework 🔨",
"ci-fails/needs-rework 🔥",
"ci-failure-appears-unrelated",
"needs-rebase"]) {
- try {
- await github.rest.issues.removeLabel({
- issue_number: context.issue.number,
- owner: context.repo.owner,
- repo: context.repo.repo,
- name: label,
- });
- } catch (err) {
- if (err.status != 404) {
- throw err;
- }
- }
+ labels.delete(label);
+ }
+
+ if (labels.size != original.size || Array.from(labels).some(l => !original.has(l))) {
+ await github.rest.issues.setLabels({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ labels: Array.from(labels),
+ });
}
- name: Add please-review label on command in issue comment
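Review bot: Replacing per-label `addLabels`/`removeLabel` with a list-then-`setLabels` round trip at the end of this hunk opens a lost-update window: any label a maintainer or another run (the `issue_comment` path of this same job, or the second trigger for config PRs) adds between `listLabelsOnIssue` and `setLabels` is silently overwritten with the stale snapshot, since `setLabels` replaces the whole set. Keep computing the diff against the snapshot but apply it with `addLabels` for the labels newly added to the set and `removeLabel` for those deleted (the existing 404 catch can stay), or serialize runs with a job-level `concurrency:` group. The early-exit comparison that skips the API call when nothing changed is fine as written.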
@@ -88,9 +96,18 @@ jobs:
- name: Remove specific labels when PR is closed or merged
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
- if: github.event_name == 'pull_request_target' && github.event.action == 'closed'
+ if: startsWith(github.event_name, 'pull_request') && github.event.action == 'closed'
with:
script: |
+ response = await github.rest.issues.listLabelsOnIssue({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ });
+
+ original = new Set(response.data.map(l => l.name));
+ labels = new Set(original);
+
for (const label of ["please-review",
"reviewed/needs-rework 🔨",
"ci-fails/needs-rework 🔥",
@@ -104,16 +121,14 @@ jobs:
"dont-merge 💣",
"squash-on-merge",
"quick-review 🏃‍♂️"]) {
- try {
- await github.rest.issues.removeLabel({
- issue_number: context.issue.number,
- owner: context.repo.owner,
- repo: context.repo.repo,
- name: label,
- });
- } catch (err) {
- if (err.status != 404) {
- throw err;
- }
- }
+ labels.delete(label);
+ }
+
+ if (labels.size != original.size || Array.from(labels).some(l => !original.has(l))) {
+ await github.rest.issues.setLabels({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ labels: Array.from(labels),
+ });
}
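Review bot: `setLabels` replaces the issue's entire label set with the snapshot taken by `listLabelsOnIssue` at the start of the step, so a label added by another run (for example the labeler job) between the read and this write is silently dropped; the per-label `removeLabel` calls being deleted had no such window. Either keep `removeLabel` for the deletion-only case, or add a comment such as `// NOTE: read-modify-write of the full label set; concurrent label changes between the list and set calls are lost` so the trade-off is visible. In this hunk the `Array.from(labels).some(l => !original.has(l))` half of the condition can never be true, because `labels` only ever shrinks from `original`, so `if (labels.size != original.size) {` is sufficient; the same read-modify-write pattern is also used in the first hunk of this file. The `for` loop closed here starts in the previous hunk.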
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
index fd1a7a4..cf0bc09 100644
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
@@ -16,21 +16,22 @@ permissions:
jobs:
build:
name: Lint Code Base
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
steps:
- name: Repo checkout
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
with:
# We need a full repo clone
fetch-depth: 0
- name: Lint Code Base
- uses: github/super-linter/slim@45fc0d88288beee4701c62761281edfee85655d7
+ uses: super-linter/super-linter/slim@88ea3923a7e1f89dd485d079f6eb5f5e8f937589
env:
DEFAULT_BRANCH: main
+ MULTI_STATUS: false
VALIDATE_ALL_CODEBASE: false
VALIDATE_GITHUB_ACTIONS: true
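Review bot: `MULTI_STATUS: false` is added to the super-linter env block without a comment saying why the per-linter commit statuses are being disabled. Presumably it is because posting a status per linter needs `statuses: write`, which the workflow's `permissions:` block (outside this hunk) does not appear to grant; if so, a line such as `# Report a single job status instead of one commit status per linter (would need statuses: write)` above it records the reason for the next person who bumps the action.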
diff --git a/.github/workflows/make_release.yml b/.github/workflows/make_release.yml
index 9902a6c..dc7de69 100644
--- a/.github/workflows/make_release.yml
+++ b/.github/workflows/make_release.yml
@@ -11,14 +11,14 @@ permissions:
jobs:
release:
if: github.repository == 'systemd/systemd' || github.repository == 'systemd/systemd-stable'
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
permissions:
contents: write
steps:
- name: Release
- uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844
+ uses: softprops/action-gh-release@69320dbe05506a9a39fc8ae11030b214ec2d1f87
with:
prerelease: ${{ contains(github.ref_name, '-rc') }}
draft: ${{ github.repository == 'systemd/systemd' }}
diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml
index 8b32ec8..425d737 100644
--- a/.github/workflows/mkosi.yml
+++ b/.github/workflows/mkosi.yml
@@ -46,7 +46,7 @@ permissions:
jobs:
ci:
- runs-on: ubuntu-22.04
+ runs-on: ubuntu-24.04
concurrency:
group: ${{ github.workflow }}-${{ matrix.distro }}-${{ matrix.release }}-${{ github.ref }}
cancel-in-progress: true
@@ -56,76 +56,94 @@ jobs:
include:
- distro: arch
release: rolling
+ sanitizers: ""
+ llvm: 0
+ cflags: "-O2 -D_FORTIFY_SOURCE=3"
- distro: debian
release: testing
+ sanitizers: ""
+ llvm: 0
+ cflags: "-Og"
- distro: ubuntu
- release: jammy
+ release: noble
+ sanitizers: ""
+ llvm: 0
+ cflags: "-Og"
- distro: fedora
- release: "39"
+ release: "40"
+ sanitizers: ""
+ llvm: 0
+ cflags: "-Og"
- distro: fedora
release: rawhide
+ sanitizers: address,undefined
+ llvm: 1
+ cflags: "-Og"
- distro: opensuse
release: tumbleweed
+ sanitizers: ""
+ llvm: 0
+ cflags: "-Og"
- distro: centos
release: "9"
- - distro: centos
- release: "8"
-
- env:
- SYSTEMD_LOG_LEVEL: debug
+ sanitizers: ""
+ llvm: 0
+ cflags: "-Og"
steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
- - uses: systemd/mkosi@bbe715f42911f9660712377a5b39335b9391ae22
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
+ - uses: systemd/mkosi@0081ea66faf56a35353d6aeadfe42f9679c7d1cf
+
+ # Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
+ # immediately, we remove the files in the background. However, we first move them to a different location
+ # so that nothing tries to use anything in these directories anymore while we're busy deleting them.
+ - name: Free disk space
+ run: |
+ sudo mv /usr/local /usr/local.trash
+ sudo mv /opt/hostedtoolcache /opt/hostedtoolcache.trash
+ sudo systemd-run rm -rf /usr/local.trash /opt/hostedtoolcache.trash
+
+ - name: Btrfs
+ run: |
+ truncate --size=100G btrfs.raw
+ mkfs.btrfs btrfs.raw
+ sudo mkdir /mnt/mkosi
+ LOOP="$(sudo losetup --find --show --direct-io=on btrfs.raw)"
+ sudo mount "$LOOP" /mnt/mkosi --options compress=zstd:1,user_subvol_rm_allowed,noatime,discard=async,space_cache=v2
+ sudo chown "$(id -u):$(id -g)" /mnt/mkosi
+ mkdir /mnt/mkosi/tmp
+ echo "TMPDIR=/mnt/mkosi/tmp" >>"$GITHUB_ENV"
+ ln -s /mnt/mkosi/build build
- name: Configure
run: |
- tee mkosi.local.conf <<- EOF
+ tee mkosi.local.conf <<EOF
[Distribution]
Distribution=${{ matrix.distro }}
Release=${{ matrix.release }}
- EOF
-
- tee mkosi.conf.d/99-ci.conf <<- EOF
- [Content]
- Environment=CI_BUILD=1
- SLOW_TESTS=true
- [Host]
- KernelCommandLineExtra=systemd.unit=mkosi-check-and-shutdown.service
- systemd.journald.max_level_console=debug
- # udev's debug log output is very verbose, so up it to info in CI.
- udev.log_level=info
- # Root device can take a long time to appear, so let's bump the timeout.
- systemd.default_device_timeout_sec=180
- QemuVsock=yes
- # Sometimes we run on a host with /dev/kvm, but it is broken, so explicitly disable it
- QemuKvm=no
- Ephemeral=yes
- EOF
+ [Output]
+ # Build a disk image in CI as this logic is much more prone to breakage.
+ Format=disk
+ UseSubvolumes=yes
- # For erofs, we have to install linux-modules-extra-azure, but that doesn't match the running kernel
- # version, so we can't load the erofs module. squashfs is a builtin module so we use that instead.
+ WorkspaceDirectory=$TMPDIR
+ PackageCacheDirectory=$TMPDIR/cache
- mkdir -p mkosi.images/system/mkosi.repart/10-usr.conf.d
- tee mkosi.images/system/mkosi.repart/10-usr.conf.d/squashfs.conf <<- EOF
- [Partition]
- Format=squashfs
- EOF
+ [Content]
+ Environment=
+ # Build debuginfo packages since we'll be publishing the packages as artifacts.
+ WITH_DEBUG=1
+ CFLAGS="${{ matrix.cflags }}"
+ SANITIZERS=${{ matrix.sanitizers }}
+ MESON_OPTIONS=--werror
+ LLVM=${{ matrix.llvm }}
- # The emergency shell is not useful in the CI, as it just blocks for a long time before the job
- # eventually times out. Override it to just shutdown immediately.
- mkdir -p mkosi.images/initrd/mkosi.extra/usr/lib/systemd/system/emergency.service.d/
- mkdir -p mkosi.images/system/mkosi.extra/usr/lib/systemd/system/emergency.service.d/
- tee mkosi.images/initrd/mkosi.extra/usr/lib/systemd/system/emergency.service.d/poweroff.conf <<- EOF
- [Unit]
- FailureAction=exit
- [Service]
- ExecStartPre=
- ExecStart=
- ExecStart=false
+ [Host]
+ QemuMem=4G
+ # We build with debuginfo so there's no point in mounting the sources into the machine.
+ RuntimeBuildSources=no
EOF
- cp mkosi.images/initrd/mkosi.extra/usr/lib/systemd/system/emergency.service.d/poweroff.conf mkosi.images/system/mkosi.extra/usr/lib/systemd/system/emergency.service.d/poweroff.conf
- name: Generate secure boot key
run: mkosi --debug genkey
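Review bot: The matrix now carries a per-entry `cflags`, and the arch entry is the only one built with `-O2 -D_FORTIFY_SOURCE=3` while every other entry uses `-Og`, with nothing explaining the asymmetry; a comment above the arch entry along the lines of `# One optimized build with _FORTIFY_SOURCE=3 so the fortified code paths get coverage` (adjust to the real reason) would keep the next matrix edit from "fixing" it to `-Og`. Separately, the heredoc header changed from `<<- EOF` to `<<EOF`, which is what makes `$TMPDIR` expand in the `WorkspaceDirectory=` and `PackageCacheDirectory=` lines, but it also means the `${{ matrix.cflags }}` and `${{ matrix.sanitizers }}` values inlined into the same heredoc are subject to shell expansion; harmless for the current literal values, so a short comment on the `tee` line noting that the heredoc is intentionally unquoted would document that constraint.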
@@ -133,11 +151,63 @@ jobs:
- name: Show image summary
run: mkosi summary
- - name: Build
- run: mkosi --debug
-
- - name: Boot systemd-nspawn
- run: test "$(sudo mkosi --debug boot 1>&2; echo $?)" -eq 123
-
- - name: Boot QEMU
- run: timeout -k 30 10m test "$(mkosi --debug qemu 1>&2; echo $?)" -eq 123
+ - name: Install dependencies
+ run: |
+ mkosi dependencies |
+ xargs -d '\n' sudo apt-get install \
+ gperf \
+ libblkid-dev \
+ libcap-dev \
+ libcryptsetup-dev \
+ libcurl4-openssl-dev \
+ libfdisk-dev \
+ libmicrohttpd-dev \
+ libmount-dev \
+ libtss2-dev \
+ meson
+
+ - name: Configure meson
+ run: |
+ meson setup build \
+ --buildtype=debugoptimized \
+ -Dintegration-tests=true \
+ -Dremote=enabled \
+ -Dopenssl=enabled \
+ -Dblkid=enabled \
+ -Dtpm2=enabled \
+ -Dlibcryptsetup=enabled \
+ -Dlibcurl=enabled \
+ -Drepart=enabled \
+ -Dfirstboot=true \
+ -Dsysusers=true \
+ -Dtmpfiles=true \
+ -Dhwdb=true \
+ -Dvmspawn=enabled
+
+ - name: Build image
+ run: meson compile -C build mkosi
+
+ - name: Run integration tests
+ run: sudo --preserve-env meson test -C build --no-rebuild --suite integration-tests --print-errorlogs --no-stdsplit --num-processes "$(($(nproc) - 1))"
+
+ - name: Archive failed test journals
+ uses: actions/upload-artifact@v4
+ if: failure() && (github.repository == 'systemd/systemd' || github.repository == 'systemd/systemd-stable')
+ with:
+ name: ci-mkosi-${{ github.run_id }}-${{ github.run_attempt }}-${{ matrix.distro }}-${{ matrix.release }}-failed-test-journals
+ path: |
+ build/test/journal/*.journal
+ build/meson-logs/*
+ retention-days: 7
+
+ - name: Archive packages
+ uses: actions/upload-artifact@v4
+ if: (success() || failure()) && (github.repository == 'systemd/systemd' || github.repository == 'systemd/systemd-stable')
+ with:
+ name: ci-mkosi-${{ github.run_id }}-${{ github.run_attempt }}-${{ matrix.distro }}-${{ matrix.release }}-packages
+ path: |
+ build/mkosi.output/*.rpm
+ build/mkosi.output/*.deb
+ build/mkosi.output/*.ddeb
+ build/mkosi.output/*.pkg.tar
+ retention-days: 4
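Review bot: Both new `actions/upload-artifact@v4` steps reference the action by a mutable tag, while every other action touched by this commit (checkout, mkosi, super-linter, scorecard, gh-release) is pinned to a full commit SHA; a moved tag would let a different version run with this job's token and artifact contents, so pin it the same way, `uses: actions/upload-artifact@<commit-sha>  # v4.x` with the SHA taken from the release you intend. The `--num-processes "$(($(nproc) - 1))"` argument on the integration-test step evaluates to 0 on a single-CPU runner; if that is never expected here a comment saying so is enough, otherwise clamp it to at least 1.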
diff --git a/.github/workflows/requirements.txt b/.github/workflows/requirements.txt
index b42b98e..a073aaf 100644
--- a/.github/workflows/requirements.txt
+++ b/.github/workflows/requirements.txt
@@ -1,6 +1,6 @@
-meson==1.3.0 \
- --hash=sha256:4ba253ef60e454e23234696119cbafa082a0aead0bd3bbf6991295054795f5dc \
- --hash=sha256:e9f54046ce5b9a1f3024f7a7d52f19f085fd57c9d26a5db0cfcf0750572a8fd8
+meson==1.4.1 \
+ --hash=sha256:1b8aad738a5f6ae64294cc8eaba9a82988c1c420204484ac02ef782e5bba5f49 \
+ --hash=sha256:d5acc3abae2dad3c70ddcbd10acac92b78b144d34d43f40f5b8ac31dfd8a826a
ninja==1.11.1.1 \
--hash=sha256:18302d96a5467ea98b68e1cae1ae4b4fb2b2a56a82b955193c637557c7273dbd \
--hash=sha256:185e0641bde601e53841525c4196278e9aaf4463758da6dd1e752c0a0f54136a \
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index e2a9f27..44ee6f1 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -23,18 +23,18 @@ jobs:
analysis:
name: Scorecards analysis
if: github.repository == 'systemd/systemd'
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
permissions:
id-token: write # Used to receive a badge.
steps:
- name: Checkout code
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
persist-credentials: false
- name: Run analysis
- uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+ uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
with:
results_file: results.sarif
results_format: sarif
diff --git a/.github/workflows/unit_tests.sh b/.github/workflows/unit_tests.sh
index c1a5ede..4433d84 100755
--- a/.github/workflows/unit_tests.sh
+++ b/.github/workflows/unit_tests.sh
@@ -42,22 +42,38 @@ set -ex
MESON_ARGS=(-Dcryptolib=${CRYPTOLIB:-auto})
+# (Re)set the current oom-{score-}adj. For some reason root on GH actions is able to _decrease_
+# its oom-score even after dropping all capabilities (including CAP_SYS_RESOURCE), until the
+# score is explicitly changed after sudo. No idea what's going on, but it breaks
+# exec-oomscoreadjust-negative.service from test-execute when running unprivileged.
+choom -p $$ -n 0
+
for phase in "${PHASES[@]}"; do
case $phase in
SETUP)
info "Setup phase"
- # PPA with some newer build dependencies
- add-apt-repository -y --no-update ppa:upstream-systemd-ci/systemd-ci
- add-apt-repository -y --no-update --enable-source
+ # This is added by default, and it is often broken, but we don't need anything from it
+ rm -f /etc/apt/sources.list.d/microsoft-prod.{list,sources}
+ # add-apt-repository --enable-source does not work on deb822 style sources.
+ for f in /etc/apt/sources.list.d/*.sources; do
+ sed -i "s/Types: deb/Types: deb deb-src/g" "$f"
+ done
apt-get -y update
apt-get -y build-dep systemd
apt-get -y install "${ADDITIONAL_DEPS[@]}"
- pip3 install -r .github/workflows/requirements.txt --require-hashes
+ pip3 install -r .github/workflows/requirements.txt --require-hashes --break-system-packages
+
+ # Make sure the build dir is accessible even when drop privileges, otherwise the unprivileged
+ # part of test-execute gets skipped, since it can't run systemd-executor
+ chmod o+x /home/runner
+ capsh --drop=all -- -c "stat $PWD/meson.build"
;;
RUN|RUN_GCC|RUN_CLANG|RUN_CLANG_RELEASE)
if [[ "$phase" =~ ^RUN_CLANG ]]; then
export CC=clang
export CXX=clang++
+ export CFLAGS="-fno-sanitize=function"
+ export CXXFLAGS="-fno-sanitize=function"
if [[ "$phase" == RUN_CLANG ]]; then
# The docs build is slow and is not affected by compiler/flags, so do it just once
MESON_ARGS+=(-Dman=enabled)
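Review bot: The new `for f in /etc/apt/sources.list.d/*.sources` loop runs under `set -e` and `nullglob` is not enabled, so if no `.sources` file exists the loop body runs once with the literal pattern and `sed -i` fails, aborting the SETUP phase; the substitution is also not idempotent, since a file already containing `Types: deb deb-src` becomes `Types: deb deb-src deb-src`. Guarding the iteration and anchoring the pattern covers both: `[[ -f "$f" ]] || continue` as the first line of the loop and `sed -i "s/^Types: deb$/Types: deb deb-src/" "$f"` for the substitution. The `rm -f` of the microsoft-prod source files above it is fine as written.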
@@ -82,6 +98,8 @@ for phase in "${PHASES[@]}"; do
if [[ "$phase" =~ ^RUN_CLANG_ASAN_UBSAN ]]; then
export CC=clang
export CXX=clang++
+ export CFLAGS="-fno-sanitize=function"
+ export CXXFLAGS="-fno-sanitize=function"
# Build fuzzer regression tests only with clang (for now),
# see: https://github.com/systemd/systemd/pull/15886#issuecomment-632689604
# -Db_lundef=false: See https://github.com/mesonbuild/meson/issues/764
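Review bot: The added `export CFLAGS="-fno-sanitize=function"` / `export CXXFLAGS="-fno-sanitize=function"` pair, here and in the RUN_CLANG branch of the previous hunk, has no comment explaining the flag, and it overwrites rather than extends any CFLAGS already in the environment. Newer clang enables the function sanitizer as part of UBSan by default, so presumably this is disabling it to avoid breakage from function-pointer type mismatches; a one-line comment such as `# Newer clang enables -fsanitize=function under UBSan by default; disable it here (TODO: confirm why it is needed for this tree)` above the first export makes the intent greppable when a future clang changes the default again.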
diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml
index d2164cc..895068c 100644
--- a/.github/workflows/unit_tests.yml
+++ b/.github/workflows/unit_tests.yml
@@ -14,7 +14,7 @@ permissions:
jobs:
build:
- runs-on: ubuntu-22.04
+ runs-on: ubuntu-24.04
concurrency:
group: ${{ github.workflow }}-${{ matrix.run_phase }}-${{ matrix.cryptolib }}-${{ github.ref }}
cancel-in-progress: true
@@ -30,7 +30,7 @@ jobs:
cryptolib: gcrypt
steps:
- name: Repository checkout
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
- name: Install build dependencies
run: |
# Drop XDG_* stuff from /etc/environment, so we don't get the user