diff options
Diffstat (limited to '.github/workflows')
| -rwxr-xr-x | .github/workflows/build_test.sh | 32 | ||||
| -rw-r--r-- | .github/workflows/build_test.yml | 8 | ||||
| -rw-r--r-- | .github/workflows/cflite_pr.yml | 2 | ||||
| -rw-r--r-- | .github/workflows/cifuzz.yml | 7 | ||||
| -rw-r--r-- | .github/workflows/codeql.yml | 10 | ||||
| -rw-r--r-- | .github/workflows/coverity.yml | 4 | ||||
| -rw-r--r-- | .github/workflows/development_freeze.yml | 51 | ||||
| -rw-r--r-- | .github/workflows/differential-shellcheck.yml | 13 | ||||
| -rw-r--r-- | .github/workflows/gather-pr-metadata.yml | 23 | ||||
| -rw-r--r-- | .github/workflows/issue_labeler.yml | 8 | ||||
| -rw-r--r-- | .github/workflows/labeler.yml | 93 | ||||
| -rw-r--r-- | .github/workflows/linter.yml | 7 | ||||
| -rw-r--r-- | .github/workflows/make_release.yml | 4 | ||||
| -rw-r--r-- | .github/workflows/mkosi.yml | 182 | ||||
| -rw-r--r-- | .github/workflows/requirements.txt | 6 | ||||
| -rw-r--r-- | .github/workflows/scorecards.yml | 6 | ||||
| -rwxr-xr-x | .github/workflows/unit_tests.sh | 26 | ||||
| -rw-r--r-- | .github/workflows/unit_tests.yml | 4 |
18 files changed, 288 insertions, 198 deletions
diff --git a/.github/workflows/build_test.sh b/.github/workflows/build_test.sh index c550046..f9bbdce 100755 --- a/.github/workflows/build_test.sh +++ b/.github/workflows/build_test.sh @@ -10,9 +10,9 @@ success() { echo >&2 -e "\033[32;1m$1\033[0m"; } ARGS=( "--optimization=0 -Dopenssl=disabled -Dcryptolib=gcrypt -Ddns-over-tls=gnutls -Dtpm=true -Dtpm2=enabled" "--optimization=s -Dutmp=false" + "--optimization=2 -Dc_args=-Wmaybe-uninitialized -Ddns-over-tls=openssl" "--optimization=3 -Db_lto=true -Ddns-over-tls=false" "--optimization=3 -Db_lto=false -Dtpm2=disabled -Dlibfido2=disabled -Dp11kit=disabled" - "--optimization=3 -Ddns-over-tls=openssl" "--optimization=3 -Dfexecve=true -Dstandalone-binaries=true -Dstatic-libsystemd=true -Dstatic-libudev=true" "-Db_ndebug=true" ) @@ -84,6 +84,14 @@ if [[ "$COMPILER" == clang ]]; then CXX="clang++-$COMPILER_VERSION" AR="llvm-ar-$COMPILER_VERSION" + if systemd-analyze compare-versions "$COMPILER_VERSION" ge 17; then + CFLAGS="-fno-sanitize=function" + CXXFLAGS="-fno-sanitize=function" + else + CFLAGS="" + CXXFLAGS="" + fi + # Prefer the distro version if available if ! apt-get -y install --dry-run "llvm-$COMPILER_VERSION" >/dev/null; then # Latest LLVM stack deb packages provided by https://apt.llvm.org/ @@ -99,6 +107,8 @@ elif [[ "$COMPILER" == gcc ]]; then CC="gcc-$COMPILER_VERSION" CXX="g++-$COMPILER_VERSION" AR="gcc-ar-$COMPILER_VERSION" + CFLAGS="" + CXXFLAGS="" if ! apt-get -y install --dry-run "gcc-$COMPILER_VERSION" >/dev/null; then # Latest gcc stack deb packages provided by @@ -111,9 +121,12 @@ else fatal "Unknown compiler: $COMPILER" fi -# PPA with some newer build dependencies (like zstd) -sudo add-apt-repository -y --no-update ppa:upstream-systemd-ci/systemd-ci -sudo add-apt-repository -y --no-update --enable-source +# This is added by default, and it is often broken, but we don't need anything from it +sudo rm -f /etc/apt/sources.list.d/microsoft-prod.{list,sources} +# add-apt-repository --enable-source does not work on deb822 style sources. +for f in /etc/apt/sources.list.d/*.sources; do + sudo sed -i "s/Types: deb/Types: deb deb-src/g" "$f" +done sudo apt-get -y update sudo apt-get -y build-dep systemd sudo apt-get -y install "${PACKAGES[@]}" @@ -121,7 +134,7 @@ sudo apt-get -y install "${PACKAGES[@]}" # always support all the features we need (like --optimization=). Since the build-dep # command above installs the distro versions, let's install the pip ones just # locally and add the local bin directory to the $PATH. -pip3 install --user -r .github/workflows/requirements.txt --require-hashes +pip3 install --user -r .github/workflows/requirements.txt --require-hashes --break-system-packages export PATH="$HOME/.local/bin:$PATH" $CC --version @@ -131,11 +144,16 @@ ninja --version for args in "${ARGS[@]}"; do SECONDS=0 + if [[ "$COMPILER" == clang && "$args" =~ Wmaybe-uninitialized ]]; then + # -Wmaybe-uninitialized is not implemented in clang + continue + fi + info "Checking build with $args" # shellcheck disable=SC2086 if ! AR="$AR" \ - CC="$CC" CC_LD="$LINKER" CFLAGS="-Werror" \ - CXX="$CXX" CXX_LD="$LINKER" CXXFLAGS="-Werror" \ + CC="$CC" CC_LD="$LINKER" CFLAGS="$CFLAGS" \ + CXX="$CXX" CXX_LD="$LINKER" CXXFLAGS="$CXXFLAGS" \ meson setup \ -Dtests=unsafe -Dslow-tests=true -Dfuzz-tests=true --werror \ -Dnobody-group=nogroup -Dcryptolib="${CRYPTOLIB:?}" -Ddebug=false \ diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml index f91ac03..164b3a0 100644 --- a/.github/workflows/build_test.yml +++ b/.github/workflows/build_test.yml @@ -17,7 +17,7 @@ permissions: jobs: build: - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 concurrency: group: ${{ github.workflow }}-${{ toJSON(matrix.env) }}-${{ github.ref }} cancel-in-progress: true @@ -28,11 +28,11 @@ jobs: - { COMPILER: "gcc", COMPILER_VERSION: "11", LINKER: "bfd", CRYPTOLIB: "gcrypt" } - { COMPILER: "gcc", COMPILER_VERSION: "13", LINKER: "mold", CRYPTOLIB: "openssl" } - { COMPILER: "clang", COMPILER_VERSION: "14", LINKER: "mold", CRYPTOLIB: "gcrypt" } - - { COMPILER: "clang", COMPILER_VERSION: "15", LINKER: "bfd", CRYPTOLIB: "openssl" } - - { COMPILER: "clang", COMPILER_VERSION: "17", LINKER: "lld", CRYPTOLIB: "auto" } + - { COMPILER: "clang", COMPILER_VERSION: "16", LINKER: "bfd", CRYPTOLIB: "openssl" } + - { COMPILER: "clang", COMPILER_VERSION: "18", LINKER: "lld", CRYPTOLIB: "auto" } env: ${{ matrix.env }} steps: - name: Repository checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 - name: Build check run: .github/workflows/build_test.sh diff --git a/.github/workflows/cflite_pr.yml b/.github/workflows/cflite_pr.yml index 707ea0b..f0d3217 100644 --- a/.github/workflows/cflite_pr.yml +++ b/.github/workflows/cflite_pr.yml @@ -13,7 +13,7 @@ permissions: read-all jobs: PR: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 if: github.repository != 'systemd/systemd' || github.event.pull_request.user.login == 'dependabot[bot]' concurrency: group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ github.ref }} diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml index 66714c2..9b91740 100644 --- a/.github/workflows/cifuzz.yml +++ b/.github/workflows/cifuzz.yml @@ -22,7 +22,8 @@ on: - main jobs: Fuzzing: - runs-on: ubuntu-latest + # FIXME: Figure out why 32-bit applications fail to run in docker on Ubuntu 24.04. + runs-on: ubuntu-22.04 if: github.repository == 'systemd/systemd' concurrency: group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ matrix.architecture }}-${{ github.ref }} @@ -60,14 +61,14 @@ jobs: sanitizer: ${{ matrix.sanitizer }} output-sarif: true - name: Upload Crash - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 if: failure() && steps.build.outcome == 'success' with: name: ${{ matrix.sanitizer }}-${{ matrix.architecture }}-artifacts path: ./out/artifacts - name: Upload Sarif if: always() && steps.build.outcome == 'success' - uses: github/codeql-action/upload-sarif@407ffafae6a767df3e0230c3df91b6443ae8df75 + uses: github/codeql-action/upload-sarif@3ab4101902695724f9365a384f86c1074d94e18c with: # Path to SARIF file relative to the root of the repository sarif_file: cifuzz-sarif/results.sarif diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 2c02ef5..0d284f7 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -27,7 +27,7 @@ jobs: analyze: name: Analyze if: github.repository != 'systemd/systemd-security' - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 concurrency: group: ${{ github.workflow }}-${{ matrix.language }}-${{ github.ref }} cancel-in-progress: true @@ -42,10 +42,10 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 - name: Initialize CodeQL - uses: github/codeql-action/init@407ffafae6a767df3e0230c3df91b6443ae8df75 + uses: github/codeql-action/init@3ab4101902695724f9365a384f86c1074d94e18c with: languages: ${{ matrix.language }} config-file: ./.github/codeql-config.yml @@ -53,7 +53,7 @@ jobs: - run: sudo -E .github/workflows/unit_tests.sh SETUP - name: Autobuild - uses: github/codeql-action/autobuild@407ffafae6a767df3e0230c3df91b6443ae8df75 + uses: github/codeql-action/autobuild@3ab4101902695724f9365a384f86c1074d94e18c - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@407ffafae6a767df3e0230c3df91b6443ae8df75 + uses: github/codeql-action/analyze@3ab4101902695724f9365a384f86c1074d94e18c diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml index 1545d59..ad7a5d2 100644 --- a/.github/workflows/coverity.yml +++ b/.github/workflows/coverity.yml @@ -14,7 +14,7 @@ permissions: jobs: build: - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 if: github.repository == 'systemd/systemd' env: # Set in repo settings -> secrets -> actions @@ -22,7 +22,7 @@ jobs: COVERITY_SCAN_NOTIFICATION_EMAIL: "${{ secrets.COVERITY_SCAN_NOTIFICATION_EMAIL }}" steps: - name: Repository checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # Reuse the setup phase of the unit test script to avoid code duplication - name: Install build dependencies run: sudo -E .github/workflows/unit_tests.sh SETUP diff --git a/.github/workflows/development_freeze.yml b/.github/workflows/development_freeze.yml index e371e19..c2360a3 100644 --- a/.github/workflows/development_freeze.yml +++ b/.github/workflows/development_freeze.yml @@ -8,10 +8,6 @@ on: types: - completed -env: - PULL_REQUEST_METADATA_DIR: pull_request - PULL_REQUEST_METADATA_FILE: metadata - permissions: contents: read @@ -21,54 +17,27 @@ jobs: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success' && github.repository == 'systemd/systemd' - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 permissions: pull-requests: write steps: - - name: Download Pull Request Metadata artifact - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea - with: - script: | - const artifacts = await github.rest.actions.listWorkflowRunArtifacts({ - owner: context.repo.owner, - repo: context.repo.repo, - run_id: ${{ github.event.workflow_run.id }}, - }); - - const matchArtifact = artifacts.data.artifacts.filter((artifact) => { - return artifact.name == "${{ env.PULL_REQUEST_METADATA_FILE }}" - })[0]; - - const download = await github.rest.actions.downloadArtifact({ - owner: context.repo.owner, - repo: context.repo.repo, - artifact_id: matchArtifact.id, - archive_format: 'zip', - }); - - const fs = require('fs'); - fs.writeFileSync('${{ github.workspace }}/${{ env.PULL_REQUEST_METADATA_FILE }}.zip', Buffer.from(download.data)); - - - run: unzip ${{ env.PULL_REQUEST_METADATA_FILE }}.zip - - - name: 'Get Pull Request number' - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea + - id: artifact + name: Download Pull Request Metadata artifact + uses: redhat-plumbers-in-action/download-artifact@463ae626ac2dd333491c7beccaa24c12c5c259b8 with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - const fs = require('fs'); - const pr_number = Number(fs.readFileSync('./${{ env.PULL_REQUEST_METADATA_FILE }}')); - core.exportVariable('pr_number', pr_number); + name: Pull Request Metadata - name: Repository checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 with: fetch-depth: 0 - name: Development Freezer - uses: redhat-plumbers-in-action/devel-freezer@67aec4a153bd9fca5322e1c4dd4d7c419fb36362 + uses: redhat-plumbers-in-action/devel-freezer@ad766eafd555b28d2cb8e27937835983f9c3d173 with: - pr-number: ${{ env.pr_number }} + pr-number: ${{ fromJSON(steps.artifact.outputs.pr-metadata-json).number }} + # delay start of validation to allow for some milestone/labels tweaking + delay: 20 token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/differential-shellcheck.yml b/.github/workflows/differential-shellcheck.yml index b04aabb..244f5d5 100644 --- a/.github/workflows/differential-shellcheck.yml +++ b/.github/workflows/differential-shellcheck.yml @@ -16,20 +16,25 @@ permissions: jobs: lint: if: github.event.repository.name != 'systemd-security' - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 permissions: security-events: write steps: - name: Repository checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 with: fetch-depth: 0 - name: Differential ShellCheck - uses: redhat-plumbers-in-action/differential-shellcheck@91e2582e40236f831458392d905578d680baa138 + uses: redhat-plumbers-in-action/differential-shellcheck@60c9f2b924a9c5a2ddbb25e7b23e8e11b56faab9 with: # exclude all `.in` files because they may contain unsupported syntax, and they have to be preprocessed first - exclude-path: '**/*.in' + # TEMPORARY: exclude bash completion files, they would generate too many defects in Code scanning dashboard (600+) + # exclude zsh completion files, zsh is not supported by ShellCheck + exclude-path: | + '**/*.in' + 'shell-completion/bash/*' + 'shell-completion/zsh/*' token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/gather-pr-metadata.yml b/.github/workflows/gather-pr-metadata.yml index 5b3c360..e4a0caf 100644 --- a/.github/workflows/gather-pr-metadata.yml +++ b/.github/workflows/gather-pr-metadata.yml @@ -6,32 +6,25 @@ on: pull_request: branches: [ main ] -env: - PULL_REQUEST_METADATA_DIR: pull_request - PULL_REQUEST_METADATA_FILE: metadata - permissions: contents: read jobs: gather-metadata: if: github.repository == 'systemd/systemd' - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 steps: - name: Repository checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 - with: - fetch-depth: 0 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 - - name: Store PR number in file - run: | - mkdir -p ./${{ env.PULL_REQUEST_METADATA_DIR }} - echo ${{ github.event.number }} >./${{ env.PULL_REQUEST_METADATA_DIR }}/${{ env.PULL_REQUEST_METADATA_FILE }} + - id: metadata + name: Gather Pull Request Metadata + uses: redhat-plumbers-in-action/gather-pull-request-metadata@17821d3bc27c1efed339595898c2e622accc5a1b - name: Upload Pull Request Metadata artifact - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 with: - name: ${{ env.PULL_REQUEST_METADATA_FILE }} - path: ${{ env.PULL_REQUEST_METADATA_DIR }} + name: Pull Request Metadata + path: ${{ steps.metadata.outputs.metadata-file }} retention-days: 1 diff --git a/.github/workflows/issue_labeler.yml b/.github/workflows/issue_labeler.yml index d8ba0a5..4bedf0d 100644 --- a/.github/workflows/issue_labeler.yml +++ b/.github/workflows/issue_labeler.yml @@ -10,7 +10,7 @@ permissions: jobs: label-component: - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 permissions: issues: write @@ -20,16 +20,16 @@ jobs: template: [ bug_report.yml, feature_request.yml ] steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 - name: Parse issue form - uses: stefanbuck/github-issue-parser@c1a559d78bfb8dd05216dab9ffd2b91082ff5324 + uses: stefanbuck/github-issue-parser@1e5bdee70d4b3e066a33aa0669ab782943825f94 id: issue-parser with: template-path: .github/ISSUE_TEMPLATE/${{ matrix.template }} - name: Set labels based on component field - uses: redhat-plumbers-in-action/advanced-issue-labeler@71bcf99aef4b9ea844db9a43755e8ac02c8e661e + uses: redhat-plumbers-in-action/advanced-issue-labeler@d498805e5c7c0658e336948b3363480bcfd68da6 with: issue-form: ${{ steps.issue-parser.outputs.jsonString }} template: ${{ matrix.template }} diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 7f66a53..241b581 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -7,6 +7,14 @@ name: "Pull Request Labeler" on: pull_request_target: types: [opened, synchronize, reopened, ready_for_review, closed] + paths-ignore: + - '.github/labeler.yml' + - '.github/workflows/labeler.yml' + # Allow testing changes made to the labeler configuration + pull_request: + paths: + - '.github/labeler.yml' + - '.github/workflows/labeler.yml' issue_comment: types: [created] @@ -16,22 +24,26 @@ permissions: jobs: triage: if: github.repository == 'systemd/systemd' - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 permissions: pull-requests: write steps: + - name: Repository checkout + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 + if: github.event_name == 'pull_request' + - name: Label PR based on policy in labeler.yml - uses: actions/labeler@ac9175f8a1f3625fd0d4fb234536d26811351594 - if: github.event_name == 'pull_request_target' && github.event.action != 'closed' + uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 + if: startsWith(github.event_name, 'pull_request') && github.event.action != 'closed' with: repo-token: "${{ secrets.GITHUB_TOKEN }}" configuration-path: .github/labeler.yml - sync-labels: "" # This is a workaround for issue 18671 + sync-labels: false - name: Set or remove labels based on systemd development workflow uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea - if: github.event_name == 'pull_request_target' && github.event.action != 'closed' && !github.event.pull_request.draft + if: startsWith(github.event_name, 'pull_request') && github.event.action != 'closed' && !github.event.pull_request.draft with: script: | response = await github.rest.issues.listLabelsOnIssue({ @@ -40,38 +52,34 @@ jobs: repo: context.repo.repo, }); - good_to_merge = [ + original = new Set(response.data.map(l => l.name)); + labels = new Set(original); + + good_to_merge = new Set([ "good-to-merge/waiting-for-ci 👍", "good-to-merge/after-next-release", "good-to-merge/with-minor-suggestions", "good-to-merge/waiting-for-reporter-feedback 👍", - ]; + ]); - if (response.data.every(l => !good_to_merge.includes(l.name))) { - await github.rest.issues.addLabels({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - labels: ["please-review"] - }); + if (Array.from(labels).filter(l => good_to_merge.has(l)).length == 0) { + labels.add("please-review"); } for (const label of ["reviewed/needs-rework 🔨", "ci-fails/needs-rework 🔥", "ci-failure-appears-unrelated", "needs-rebase"]) { - try { - await github.rest.issues.removeLabel({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - name: label, - }); - } catch (err) { - if (err.status != 404) { - throw err; - } - } + labels.delete(label); + } + + if (labels.size != original.size || Array.from(labels).some(l => !original.has(l))) { + await github.rest.issues.setLabels({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + labels: Array.from(labels), + }); } - name: Add please-review label on command in issue comment @@ -88,9 +96,18 @@ jobs: - name: Remove specific labels when PR is closed or merged uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea - if: github.event_name == 'pull_request_target' && github.event.action == 'closed' + if: startsWith(github.event_name, 'pull_request') && github.event.action == 'closed' with: script: | + response = await github.rest.issues.listLabelsOnIssue({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + }); + + original = new Set(response.data.map(l => l.name)); + labels = new Set(original); + for (const label of ["please-review", "reviewed/needs-rework 🔨", "ci-fails/needs-rework 🔥", @@ -104,16 +121,14 @@ jobs: "dont-merge 💣", "squash-on-merge", "quick-review 🏃♂️"]) { - try { - await github.rest.issues.removeLabel({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - name: label, - }); - } catch (err) { - if (err.status != 404) { - throw err; - } - } + labels.delete(label); + } + + if (labels.size != original.size || Array.from(labels).some(l => !original.has(l))) { + await github.rest.issues.setLabels({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + labels: Array.from(labels), + }); } diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml index fd1a7a4..cf0bc09 100644 --- a/.github/workflows/linter.yml +++ b/.github/workflows/linter.yml @@ -16,21 +16,22 @@ permissions: jobs: build: name: Lint Code Base - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true steps: - name: Repo checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 with: # We need a full repo clone fetch-depth: 0 - name: Lint Code Base - uses: github/super-linter/slim@45fc0d88288beee4701c62761281edfee85655d7 + uses: super-linter/super-linter/slim@88ea3923a7e1f89dd485d079f6eb5f5e8f937589 env: DEFAULT_BRANCH: main + MULTI_STATUS: false VALIDATE_ALL_CODEBASE: false VALIDATE_GITHUB_ACTIONS: true diff --git a/.github/workflows/make_release.yml b/.github/workflows/make_release.yml index 9902a6c..dc7de69 100644 --- a/.github/workflows/make_release.yml +++ b/.github/workflows/make_release.yml @@ -11,14 +11,14 @@ permissions: jobs: release: if: github.repository == 'systemd/systemd' || github.repository == 'systemd/systemd-stable' - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 permissions: contents: write steps: - name: Release - uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 + uses: softprops/action-gh-release@69320dbe05506a9a39fc8ae11030b214ec2d1f87 with: prerelease: ${{ contains(github.ref_name, '-rc') }} draft: ${{ github.repository == 'systemd/systemd' }} diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml index 8b32ec8..425d737 100644 --- a/.github/workflows/mkosi.yml +++ b/.github/workflows/mkosi.yml @@ -46,7 +46,7 @@ permissions: jobs: ci: - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 concurrency: group: ${{ github.workflow }}-${{ matrix.distro }}-${{ matrix.release }}-${{ github.ref }} cancel-in-progress: true @@ -56,76 +56,94 @@ jobs: include: - distro: arch release: rolling + sanitizers: "" + llvm: 0 + cflags: "-O2 -D_FORTIFY_SOURCE=3" - distro: debian release: testing + sanitizers: "" + llvm: 0 + cflags: "-Og" - distro: ubuntu - release: jammy + release: noble + sanitizers: "" + llvm: 0 + cflags: "-Og" - distro: fedora - release: "39" + release: "40" + sanitizers: "" + llvm: 0 + cflags: "-Og" - distro: fedora release: rawhide + sanitizers: address,undefined + llvm: 1 + cflags: "-Og" - distro: opensuse release: tumbleweed + sanitizers: "" + llvm: 0 + cflags: "-Og" - distro: centos release: "9" - - distro: centos - release: "8" - - env: - SYSTEMD_LOG_LEVEL: debug + sanitizers: "" + llvm: 0 + cflags: "-Og" steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 - - uses: systemd/mkosi@bbe715f42911f9660712377a5b39335b9391ae22 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 + - uses: systemd/mkosi@0081ea66faf56a35353d6aeadfe42f9679c7d1cf + + # Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space + # immediately, we remove the files in the background. However, we first move them to a different location + # so that nothing tries to use anything in these directories anymore while we're busy deleting them. + - name: Free disk space + run: | + sudo mv /usr/local /usr/local.trash + sudo mv /opt/hostedtoolcache /opt/hostedtoolcache.trash + sudo systemd-run rm -rf /usr/local.trash /opt/hostedtoolcache.trash + + - name: Btrfs + run: | + truncate --size=100G btrfs.raw + mkfs.btrfs btrfs.raw + sudo mkdir /mnt/mkosi + LOOP="$(sudo losetup --find --show --direct-io=on btrfs.raw)" + sudo mount "$LOOP" /mnt/mkosi --options compress=zstd:1,user_subvol_rm_allowed,noatime,discard=async,space_cache=v2 + sudo chown "$(id -u):$(id -g)" /mnt/mkosi + mkdir /mnt/mkosi/tmp + echo "TMPDIR=/mnt/mkosi/tmp" >>"$GITHUB_ENV" + ln -s /mnt/mkosi/build build - name: Configure run: | - tee mkosi.local.conf <<- EOF + tee mkosi.local.conf <<EOF [Distribution] Distribution=${{ matrix.distro }} Release=${{ matrix.release }} - EOF - - tee mkosi.conf.d/99-ci.conf <<- EOF - [Content] - Environment=CI_BUILD=1 - SLOW_TESTS=true - [Host] - KernelCommandLineExtra=systemd.unit=mkosi-check-and-shutdown.service - systemd.journald.max_level_console=debug - # udev's debug log output is very verbose, so up it to info in CI. - udev.log_level=info - # Root device can take a long time to appear, so let's bump the timeout. - systemd.default_device_timeout_sec=180 - QemuVsock=yes - # Sometimes we run on a host with /dev/kvm, but it is broken, so explicitly disable it - QemuKvm=no - Ephemeral=yes - EOF + [Output] + # Build a disk image in CI as this logic is much more prone to breakage. + Format=disk + UseSubvolumes=yes - # For erofs, we have to install linux-modules-extra-azure, but that doesn't match the running kernel - # version, so we can't load the erofs module. squashfs is a builtin module so we use that instead. + WorkspaceDirectory=$TMPDIR + PackageCacheDirectory=$TMPDIR/cache - mkdir -p mkosi.images/system/mkosi.repart/10-usr.conf.d - tee mkosi.images/system/mkosi.repart/10-usr.conf.d/squashfs.conf <<- EOF - [Partition] - Format=squashfs - EOF + [Content] + Environment= + # Build debuginfo packages since we'll be publishing the packages as artifacts. + WITH_DEBUG=1 + CFLAGS="${{ matrix.cflags }}" + SANITIZERS=${{ matrix.sanitizers }} + MESON_OPTIONS=--werror + LLVM=${{ matrix.llvm }} - # The emergency shell is not useful in the CI, as it just blocks for a long time before the job - # eventually times out. Override it to just shutdown immediately. - mkdir -p mkosi.images/initrd/mkosi.extra/usr/lib/systemd/system/emergency.service.d/ - mkdir -p mkosi.images/system/mkosi.extra/usr/lib/systemd/system/emergency.service.d/ - tee mkosi.images/initrd/mkosi.extra/usr/lib/systemd/system/emergency.service.d/poweroff.conf <<- EOF - [Unit] - FailureAction=exit - [Service] - ExecStartPre= - ExecStart= - ExecStart=false + [Host] + QemuMem=4G + # We build with debuginfo so there's no point in mounting the sources into the machine. + RuntimeBuildSources=no EOF - cp mkosi.images/initrd/mkosi.extra/usr/lib/systemd/system/emergency.service.d/poweroff.conf mkosi.images/system/mkosi.extra/usr/lib/systemd/system/emergency.service.d/poweroff.conf - name: Generate secure boot key run: mkosi --debug genkey @@ -133,11 +151,63 @@ jobs: - name: Show image summary run: mkosi summary - - name: Build - run: mkosi --debug - - - name: Boot systemd-nspawn - run: test "$(sudo mkosi --debug boot 1>&2; echo $?)" -eq 123 - - - name: Boot QEMU - run: timeout -k 30 10m test "$(mkosi --debug qemu 1>&2; echo $?)" -eq 123 + - name: Install dependencies + run: | + mkosi dependencies | + xargs -d '\n' sudo apt-get install \ + gperf \ + libblkid-dev \ + libcap-dev \ + libcryptsetup-dev \ + libcurl4-openssl-dev \ + libfdisk-dev \ + libmicrohttpd-dev \ + libmount-dev \ + libtss2-dev \ + meson + + - name: Configure meson + run: | + meson setup build \ + --buildtype=debugoptimized \ + -Dintegration-tests=true \ + -Dremote=enabled \ + -Dopenssl=enabled \ + -Dblkid=enabled \ + -Dtpm2=enabled \ + -Dlibcryptsetup=enabled \ + -Dlibcurl=enabled \ + -Drepart=enabled \ + -Dfirstboot=true \ + -Dsysusers=true \ + -Dtmpfiles=true \ + -Dhwdb=true \ + -Dvmspawn=enabled + + - name: Build image + run: meson compile -C build mkosi + + - name: Run integration tests + run: sudo --preserve-env meson test -C build --no-rebuild --suite integration-tests --print-errorlogs --no-stdsplit --num-processes "$(($(nproc) - 1))" + + - name: Archive failed test journals + uses: actions/upload-artifact@v4 + if: failure() && (github.repository == 'systemd/systemd' || github.repository == 'systemd/systemd-stable') + with: + name: ci-mkosi-${{ github.run_id }}-${{ github.run_attempt }}-${{ matrix.distro }}-${{ matrix.release }}-failed-test-journals + path: | + build/test/journal/*.journal + build/meson-logs/* + retention-days: 7 + + - name: Archive packages + uses: actions/upload-artifact@v4 + if: (success() || failure()) && (github.repository == 'systemd/systemd' || github.repository == 'systemd/systemd-stable') + with: + name: ci-mkosi-${{ github.run_id }}-${{ github.run_attempt }}-${{ matrix.distro }}-${{ matrix.release }}-packages + path: | + build/mkosi.output/*.rpm + build/mkosi.output/*.deb + build/mkosi.output/*.ddeb + build/mkosi.output/*.pkg.tar + retention-days: 4 diff --git a/.github/workflows/requirements.txt b/.github/workflows/requirements.txt index b42b98e..a073aaf 100644 --- a/.github/workflows/requirements.txt +++ b/.github/workflows/requirements.txt @@ -1,6 +1,6 @@ -meson==1.3.0 \ - --hash=sha256:4ba253ef60e454e23234696119cbafa082a0aead0bd3bbf6991295054795f5dc \ - --hash=sha256:e9f54046ce5b9a1f3024f7a7d52f19f085fd57c9d26a5db0cfcf0750572a8fd8 +meson==1.4.1 \ + --hash=sha256:1b8aad738a5f6ae64294cc8eaba9a82988c1c420204484ac02ef782e5bba5f49 \ + --hash=sha256:d5acc3abae2dad3c70ddcbd10acac92b78b144d34d43f40f5b8ac31dfd8a826a ninja==1.11.1.1 \ --hash=sha256:18302d96a5467ea98b68e1cae1ae4b4fb2b2a56a82b955193c637557c7273dbd \ --hash=sha256:185e0641bde601e53841525c4196278e9aaf4463758da6dd1e752c0a0f54136a \ diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index e2a9f27..44ee6f1 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -23,18 +23,18 @@ jobs: analysis: name: Scorecards analysis if: github.repository == 'systemd/systemd' - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 permissions: id-token: write # Used to receive a badge. steps: - name: Checkout code - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: persist-credentials: false - name: Run analysis - uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 + uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3 with: results_file: results.sarif results_format: sarif diff --git a/.github/workflows/unit_tests.sh b/.github/workflows/unit_tests.sh index c1a5ede..4433d84 100755 --- a/.github/workflows/unit_tests.sh +++ b/.github/workflows/unit_tests.sh @@ -42,22 +42,38 @@ set -ex MESON_ARGS=(-Dcryptolib=${CRYPTOLIB:-auto}) +# (Re)set the current oom-{score-}adj. For some reason root on GH actions is able to _decrease_ +# its oom-score even after dropping all capabilities (including CAP_SYS_RESOURCE), until the +# score is explicitly changed after sudo. No idea what's going on, but it breaks +# exec-oomscoreadjust-negative.service from test-execute when running unprivileged. +choom -p $$ -n 0 + for phase in "${PHASES[@]}"; do case $phase in SETUP) info "Setup phase" - # PPA with some newer build dependencies - add-apt-repository -y --no-update ppa:upstream-systemd-ci/systemd-ci - add-apt-repository -y --no-update --enable-source + # This is added by default, and it is often broken, but we don't need anything from it + rm -f /etc/apt/sources.list.d/microsoft-prod.{list,sources} + # add-apt-repository --enable-source does not work on deb822 style sources. + for f in /etc/apt/sources.list.d/*.sources; do + sed -i "s/Types: deb/Types: deb deb-src/g" "$f" + done apt-get -y update apt-get -y build-dep systemd apt-get -y install "${ADDITIONAL_DEPS[@]}" - pip3 install -r .github/workflows/requirements.txt --require-hashes + pip3 install -r .github/workflows/requirements.txt --require-hashes --break-system-packages + + # Make sure the build dir is accessible even when drop privileges, otherwise the unprivileged + # part of test-execute gets skipped, since it can't run systemd-executor + chmod o+x /home/runner + capsh --drop=all -- -c "stat $PWD/meson.build" ;; RUN|RUN_GCC|RUN_CLANG|RUN_CLANG_RELEASE) if [[ "$phase" =~ ^RUN_CLANG ]]; then export CC=clang export CXX=clang++ + export CFLAGS="-fno-sanitize=function" + export CXXFLAGS="-fno-sanitize=function" if [[ "$phase" == RUN_CLANG ]]; then # The docs build is slow and is not affected by compiler/flags, so do it just once MESON_ARGS+=(-Dman=enabled) @@ -82,6 +98,8 @@ for phase in "${PHASES[@]}"; do if [[ "$phase" =~ ^RUN_CLANG_ASAN_UBSAN ]]; then export CC=clang export CXX=clang++ + export CFLAGS="-fno-sanitize=function" + export CXXFLAGS="-fno-sanitize=function" # Build fuzzer regression tests only with clang (for now), # see: https://github.com/systemd/systemd/pull/15886#issuecomment-632689604 # -Db_lundef=false: See https://github.com/mesonbuild/meson/issues/764 diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml index d2164cc..895068c 100644 --- a/.github/workflows/unit_tests.yml +++ b/.github/workflows/unit_tests.yml @@ -14,7 +14,7 @@ permissions: jobs: build: - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 concurrency: group: ${{ github.workflow }}-${{ matrix.run_phase }}-${{ matrix.cryptolib }}-${{ github.ref }} cancel-in-progress: true @@ -30,7 +30,7 @@ jobs: cryptolib: gcrypt steps: - name: Repository checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 - name: Install build dependencies run: | # Drop XDG_* stuff from /etc/environment, so we don't get the user |