Diffstat (limited to '.github/workflows')
-rwxr-xr-x | .github/workflows/build_test.sh | 165 | ||||
-rw-r--r-- | .github/workflows/build_test.yml | 38 | ||||
-rw-r--r-- | .github/workflows/cflite_pr.yml | 39 | ||||
-rw-r--r-- | .github/workflows/cifuzz.yml | 62 | ||||
-rw-r--r-- | .github/workflows/codeql.yml | 58 | ||||
-rw-r--r-- | .github/workflows/coverity.yml | 30 | ||||
-rw-r--r-- | .github/workflows/differential-shellcheck.yml | 31 | ||||
-rw-r--r-- | .github/workflows/issue_labeler.yml | 36 | ||||
-rw-r--r-- | .github/workflows/labeler.yml | 24 | ||||
-rw-r--r-- | .github/workflows/make_release.yml | 24 | ||||
-rw-r--r-- | .github/workflows/mkosi.yml | 95 | ||||
-rw-r--r-- | .github/workflows/requirements.txt | 18 | ||||
-rw-r--r-- | .github/workflows/scorecards.yml | 70 | ||||
-rwxr-xr-x | .github/workflows/unit_tests.sh | 129 | ||||
-rw-r--r-- | .github/workflows/unit_tests.yml | 45 |
15 files changed, 864 insertions, 0 deletions
diff --git a/.github/workflows/build_test.sh b/.github/workflows/build_test.sh
new file mode 100755
index 0000000..e08f470
--- /dev/null
+++ b/.github/workflows/build_test.sh
@@ -0,0 +1,165 @@ +#!/usr/bin/env bash +# SPDX-License-Identifier: LGPL-2.1-or-later + +set -ex + +info() { echo -e "\033[33;1m$1\033[0m"; } +fatal() { echo >&2 -e "\033[31;1m$1\033[0m"; exit 1; } +success() { echo >&2 -e "\033[32;1m$1\033[0m"; } + +ARGS=( + "--optimization=0" + "--optimization=s -Dgnu-efi=true -Defi-cflags=-m32 -Defi-libdir=/usr/lib32" + "--optimization=3 -Db_lto=true -Ddns-over-tls=false" + "--optimization=3 -Db_lto=false -Dtpm2=false -Dlibfido2=false -Dp11kit=false" + "--optimization=3 -Ddns-over-tls=openssl" + "--optimization=3 -Dfexecve=true -Dstandalone-binaries=true -Dstatic-libsystemd=true -Dstatic-libudev=true" + "-Db_ndebug=true" +) +PACKAGES=( + cryptsetup-bin + expect + fdisk + gettext + iputils-ping + isc-dhcp-client + itstool + kbd + libblkid-dev + libbpf-dev + libc6-dev-i386 + libcap-dev + libcurl4-gnutls-dev + libfdisk-dev + libfido2-dev + libgpg-error-dev + liblz4-dev + liblzma-dev + libmicrohttpd-dev + libmount-dev + libp11-kit-dev + libpwquality-dev + libqrencode-dev + libssl-dev + libtss2-dev + libxkbcommon-dev + libxtables-dev + libzstd-dev + mold + mount + net-tools + perl + python3-evdev + python3-jinja2 + python3-lxml + python3-pip + python3-pyparsing + python3-setuptools + quota + strace + unifont + util-linux + zstd +) +COMPILER="${COMPILER:?}" +COMPILER_VERSION="${COMPILER_VERSION:?}" +LINKER="${LINKER:?}" +CRYPTOLIB="${CRYPTOLIB:?}" +RELEASE="$(lsb_release -cs)" + +bash -c "echo 'deb-src http://archive.ubuntu.com/ubuntu/ $RELEASE main restricted universe multiverse' >>/etc/apt/sources.list" + +# Note: As we use postfixed clang/gcc binaries, we need to override $AR +# as well, otherwise meson falls back to ar from binutils which +# doesn't work with LTO +if [[ "$COMPILER" == clang ]]; then + CC="clang-$COMPILER_VERSION" + CXX="clang++-$COMPILER_VERSION" + AR="llvm-ar-$COMPILER_VERSION" + + # Prefer the distro version if available + if ! 
apt install --dry-run "llvm-$COMPILER_VERSION" >/dev/null; then + # Latest LLVM stack deb packages provided by https://apt.llvm.org/ + # Following snippet was partly borrowed from https://apt.llvm.org/llvm.sh + wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | gpg --yes --dearmor --output /usr/share/keyrings/apt-llvm-org.gpg + printf "deb [signed-by=/usr/share/keyrings/apt-llvm-org.gpg] http://apt.llvm.org/%s/ llvm-toolchain-%s-%s main\n" \ + "$RELEASE" "$RELEASE" "$COMPILER_VERSION" >/etc/apt/sources.list.d/llvm-toolchain.list + fi + + PACKAGES+=("clang-$COMPILER_VERSION" "lldb-$COMPILER_VERSION" "lld-$COMPILER_VERSION" "clangd-$COMPILER_VERSION") +elif [[ "$COMPILER" == gcc ]]; then + CC="gcc-$COMPILER_VERSION" + CXX="g++-$COMPILER_VERSION" + AR="gcc-ar-$COMPILER_VERSION" + + if ! apt install --dry-run "gcc-$COMPILER_VERSION" >/dev/null; then + # Latest gcc stack deb packages provided by + # https://launchpad.net/~ubuntu-toolchain-r/+archive/ubuntu/test + add-apt-repository -y ppa:ubuntu-toolchain-r/test + fi + + PACKAGES+=("gcc-$COMPILER_VERSION" "gcc-$COMPILER_VERSION-multilib") +else + fatal "Unknown compiler: $COMPILER" +fi + +# PPA with some newer build dependencies (like zstd) +add-apt-repository -y ppa:upstream-systemd-ci/systemd-ci +apt-get -y update +apt-get -y build-dep systemd +apt-get -y install "${PACKAGES[@]}" +# Install more or less recent meson and ninja with pip, since the distro versions don't +# always support all the features we need (like --optimization=). Since the build-dep +# command above installs the distro versions, let's install the pip ones just +# locally and add the local bin directory to the $PATH. 
+pip3 install --user -r .github/workflows/requirements.txt --require-hashes +export PATH="$HOME/.local/bin:$PATH" + +$CC --version +meson --version +ninja --version + +for args in "${ARGS[@]}"; do + SECONDS=0 + + # The install_tag feature introduced in 0.60 causes meson to fail with fatal-meson-warnings + # "Project targeting '>= 0.53.2' but tried to use feature introduced in '0.60.0': install_tag arg in custom_target" + # It can be safely removed from the CI since it isn't actually used anywhere to test anything. + find . -type f -name meson.build -exec sed -i '/install_tag/d' '{}' '+' + + # mold < 1.1 does not support LTO. + if dpkg --compare-versions "$(dpkg-query --showformat='${Version}' --show mold)" ge 1.1; then + fatal "Newer mold version detected, please remove this workaround." + elif [[ "$args" == *"-Db_lto=true"* ]]; then + LD="gold" + else + LD="$LINKER" + fi + + info "Checking build with $args" + # shellcheck disable=SC2086 + if ! AR="$AR" \ + CC="$CC" CC_LD="$LD" CFLAGS="-Werror" \ + CXX="$CXX" CXX_LD="$LD" CXXFLAGS="-Werror" \ + meson -Dtests=unsafe -Dslow-tests=true -Dfuzz-tests=true --werror \ + -Dnobody-group=nogroup -Dcryptolib="${CRYPTOLIB:?}" \ + $args build; then + + cat build/meson-logs/meson-log.txt + fatal "meson failed with $args" + fi + + if ! meson compile -C build -v; then + fatal "'meson compile' failed with $args" + fi + + for loader in build/src/boot/efi/*.efi; do + if sbverify --list "$loader" |& grep -q "gap in section table"; then + fatal "$loader: Gaps found in section table" + fi + done + + git clean -dxf + + success "Build with $args passed in $SECONDS seconds" +done diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml new file mode 100644 index 0000000..cd6937e --- /dev/null +++ b/.github/workflows/build_test.yml 
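Review bot: The LLVM apt signing key is installed by `wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | gpg --yes --dearmor --output /usr/share/keyrings/apt-llvm-org.gpg` without checking which key actually arrived, so the run trusts whatever that endpoint (or anything between it and the runner) serves and then installs the toolchain packages it signs. Pin the expected fingerprint and fail closed when it differs, e.g. `gpg --show-keys --with-colons /usr/share/keyrings/apt-llvm-org.gpg | grep -q "^fpr:.*:${LLVM_KEY_FPR:?}:$" || fatal "unexpected apt.llvm.org key fingerprint"` with `LLVM_KEY_FPR` holding the published fingerprint (placeholder name here). Separately, `sbverify` is called in the EFI loader loop but no package providing it is listed in `PACKAGES`; presumably `apt-get -y build-dep systemd` pulls it in, which is worth confirming or making explicit.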
@@ -0,0 +1,38 @@ +--- +# vi: ts=2 sw=2 et: +# SPDX-License-Identifier: LGPL-2.1-or-later +# +name: Build test +on: + pull_request: + paths: + - '**/meson.build' + - '.github/workflows/**' + - 'meson_options.txt' + - 'src/**' + - 'test/fuzz/**' + +permissions: + contents: read + +jobs: + build: + runs-on: ubuntu-22.04 + concurrency: + group: ${{ github.workflow }}-${{ toJSON(matrix.env) }}-${{ github.ref }} + cancel-in-progress: true + strategy: + fail-fast: false + matrix: + env: + - { COMPILER: "gcc", COMPILER_VERSION: "11", LINKER: "bfd", CRYPTOLIB: "gcrypt" } + - { COMPILER: "gcc", COMPILER_VERSION: "12", LINKER: "gold", CRYPTOLIB: "openssl" } + - { COMPILER: "clang", COMPILER_VERSION: "13", LINKER: "mold", CRYPTOLIB: "gcrypt" } + - { COMPILER: "clang", COMPILER_VERSION: "14", LINKER: "lld", CRYPTOLIB: "openssl" } + - { COMPILER: "clang", COMPILER_VERSION: "15", LINKER: "bfd", CRYPTOLIB: "auto" } + env: ${{ matrix.env }} + steps: + - name: Repository checkout + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b + - name: ${{ format('Build check ({0}-{1}-{2}-{3})', env.COMPILER, env.COMPILER_VERSION, env.LINKER, env.CRYPTOLIB) }} + run: sudo -E .github/workflows/build_test.sh diff --git a/.github/workflows/cflite_pr.yml b/.github/workflows/cflite_pr.yml new file mode 100644 index 0000000..a35a97f --- /dev/null +++ b/.github/workflows/cflite_pr.yml 
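Review bot: `run: sudo -E .github/workflows/build_test.sh` hands the entire runner environment to a root shell, whereas unit_tests.yml in the same commit narrows it with `sudo --preserve-env=CRYPTOLIB,GITHUB_ACTIONS,CI`; the script only requires `COMPILER`, `COMPILER_VERSION`, `LINKER` and `CRYPTOLIB`, so `run: sudo --preserve-env=COMPILER,COMPILER_VERSION,LINKER,CRYPTOLIB .github/workflows/build_test.sh` would match that convention and keep unrelated runner variables out of the privileged step (the script also uses `$HOME` for `pip3 install --user`, so add `HOME` to the list if the install location must stay the runner user's). On style, the `actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b` pin carries no tag comment while scorecards.yml annotates its pins (`# tag=v3.0.0`); appending `# tag=<version>` (placeholder) after each SHA here and in cifuzz.yml, codeql.yml, coverity.yml, differential-shellcheck.yml, issue_labeler.yml, labeler.yml, make_release.yml, mkosi.yml and unit_tests.yml keeps the pins auditable.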
@@ -0,0 +1,39 @@ +--- +# vi: ts=2 sw=2 et: +# SPDX-License-Identifier: LGPL-2.1-or-later +# +name: ClusterFuzzLite PR fuzzing +on: + pull_request: + branches: + - main + - v[0-9]+-stable + +permissions: read-all + +jobs: + PR: + runs-on: ubuntu-latest + if: github.repository != 'systemd/systemd' || github.event.pull_request.user.login == 'dependabot[bot]' + concurrency: + group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ github.ref }} + cancel-in-progress: true + strategy: + fail-fast: false + matrix: + sanitizer: [address, undefined, memory] + steps: + - name: Build Fuzzers (${{ matrix.sanitizer }}) + id: build + uses: google/clusterfuzzlite/actions/build_fuzzers@v1 + with: + sanitizer: ${{ matrix.sanitizer }} + github-token: ${{ secrets.GITHUB_TOKEN }} + - name: Run Fuzzers (${{ matrix.sanitizer }}) + id: run + uses: google/clusterfuzzlite/actions/run_fuzzers@v1 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + fuzz-seconds: 1200 + mode: 'code-change' + sanitizer: ${{ matrix.sanitizer }} diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml new file mode 100644 index 0000000..25731ab --- /dev/null +++ b/.github/workflows/cifuzz.yml 
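Review bot: `google/clusterfuzzlite/actions/build_fuzzers@v1` and `run_fuzzers@v1` are pinned to a mutable tag while the checkout and upload actions elsewhere in this commit are pinned to commit SHAs, so this job, which receives `secrets.GITHUB_TOKEN`, runs whatever the tag is later moved to. Pin both to a full commit SHA with a `# tag=v1` comment, as scorecards.yml does. cifuzz.yml has the same shape with `@master` on the oss-fuzz cifuzz actions; if that follows upstream's documented usage and is kept deliberately, a one-line comment saying so would stop reviewers re-raising it.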
@@ -0,0 +1,62 @@ +--- +# vi: ts=2 sw=2 et: +# SPDX-License-Identifier: LGPL-2.1-or-later +# See: https://google.github.io/oss-fuzz/getting-started/continuous-integration/ + +name: CIFuzz + +permissions: + contents: read + +on: + pull_request: + paths: + - '**/meson.build' + - '.github/workflows/**' + - 'meson_options.txt' + - 'src/**' + - 'test/fuzz/**' + - 'tools/oss-fuzz.sh' + push: + branches: + - main +jobs: + Fuzzing: + runs-on: ubuntu-latest + if: github.repository == 'systemd/systemd' + concurrency: + group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ matrix.architecture }}-${{ github.ref }} + cancel-in-progress: true + strategy: + fail-fast: false + matrix: + sanitizer: [address, undefined, memory] + architecture: [x86_64] + include: + - sanitizer: address + architecture: i386 + steps: + - name: Build Fuzzers (${{ matrix.sanitizer }}) + id: build + uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master + with: + oss-fuzz-project-name: 'systemd' + dry-run: false + allowed-broken-targets-percentage: 0 + # keep-unaffected-fuzz-targets should be removed once https://github.com/google/oss-fuzz/issues/7011 is fixed + keep-unaffected-fuzz-targets: true + sanitizer: ${{ matrix.sanitizer }} + architecture: ${{ matrix.architecture }} + - name: Run Fuzzers (${{ matrix.sanitizer }}) + uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master + with: + oss-fuzz-project-name: 'systemd' + fuzz-seconds: 600 + dry-run: false + sanitizer: ${{ matrix.sanitizer }} + - name: Upload Crash + uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 + if: failure() && steps.build.outcome == 'success' + with: + name: ${{ matrix.sanitizer }}-${{ matrix.architecture }}-artifacts + path: ./out/artifacts diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..b531753 --- /dev/null +++ b/.github/workflows/codeql.yml 
@@ -0,0 +1,58 @@ +--- +# vi: ts=2 sw=2 et: +# SPDX-License-Identifier: LGPL-2.1-or-later +# +name: "CodeQL" + +on: + pull_request: + branches: + - main + - v[0-9]+-stable + paths: + - '**/meson.build' + - '.github/**/codeql*' + - 'src/**' + - 'test/**' + - 'tools/**' + push: + branches: + - main + - v[0-9]+-stable + +permissions: + contents: read + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-22.04 + concurrency: + group: ${{ github.workflow }}-${{ matrix.language }}-${{ github.ref }} + cancel-in-progress: true + permissions: + actions: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: ['cpp', 'python'] + + steps: + - name: Checkout repository + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b + + - name: Initialize CodeQL + uses: github/codeql-action/init@0c670bbf0414f39666df6ce8e718ec5662c21e03 + with: + languages: ${{ matrix.language }} + config-file: ./.github/codeql-config.yml + + - run: sudo -E .github/workflows/unit_tests.sh SETUP + + - name: Autobuild + uses: github/codeql-action/autobuild@0c670bbf0414f39666df6ce8e718ec5662c21e03 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@0c670bbf0414f39666df6ce8e718ec5662c21e03 diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml new file mode 100644 index 0000000..3fbebc6 --- /dev/null +++ b/.github/workflows/coverity.yml 
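Review bot: The job-level `permissions:` block (`actions: read`, `security-events: write`) replaces the workflow-level `contents: read` rather than extending it, so the token handed to the `Checkout repository` step has no `contents` scope; that only works because a public repository can be cloned anonymously and would break on a private clone. Add `contents: read` to the job-level block. differential-shellcheck.yml, issue_labeler.yml and labeler.yml declare job-level permissions the same way and need the same line if they are ever expected to run on a non-public repository.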
@@ -0,0 +1,30 @@ +--- +# vi: ts=2 sw=2 et: +# SPDX-License-Identifier: LGPL-2.1-or-later +# +name: Coverity + +on: + schedule: + # Run Coverity daily at midnight + - cron: '0 0 * * *' + +permissions: + contents: read + +jobs: + build: + runs-on: ubuntu-22.04 + if: github.repository == 'systemd/systemd' + env: + # Set in repo settings -> secrets -> actions + COVERITY_SCAN_TOKEN: "${{ secrets.COVERITY_SCAN_TOKEN }}" + COVERITY_SCAN_NOTIFICATION_EMAIL: "${{ secrets.COVERITY_SCAN_NOTIFICATION_EMAIL }}" + steps: + - name: Repository checkout + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b + # Reuse the setup phase of the unit test script to avoid code duplication + - name: Install build dependencies + run: sudo -E .github/workflows/unit_tests.sh SETUP + - name: Build & upload the results + run: tools/coverity.sh diff --git a/.github/workflows/differential-shellcheck.yml b/.github/workflows/differential-shellcheck.yml new file mode 100644 index 0000000..20ce681 --- /dev/null +++ b/.github/workflows/differential-shellcheck.yml @@ -0,0 +1,31 @@ +--- +# https://github.com/redhat-plumbers-in-action/differential-shellcheck#readme + +name: Differential ShellCheck +on: + pull_request: + branches: + - main + +permissions: + contents: read + +jobs: + lint: + if: github.event.repository.name != 'systemd-security' + runs-on: ubuntu-latest + + permissions: + security-events: write + pull-requests: write + + steps: + - name: Repository checkout + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b + with: + fetch-depth: 0 + + - name: Differential ShellCheck + uses: redhat-plumbers-in-action/differential-shellcheck@1b1b75e42f0694c1012228513b21617a748c866e + with: + token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/issue_labeler.yml b/.github/workflows/issue_labeler.yml new file mode 100644 index 0000000..0a97bf4 --- /dev/null +++ b/.github/workflows/issue_labeler.yml 
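Review bot: `COVERITY_SCAN_TOKEN` and `COVERITY_SCAN_NOTIFICATION_EMAIL` are set in the job-level `env:`, so they are also in the environment of `sudo -E .github/workflows/unit_tests.sh SETUP`, which adds a PPA and runs apt and pip installs, i.e. third-party package hooks execute as root with the secret in scope. Move the two variables to a step-level `env:` on the `Build & upload the results` step, the only one that uses them, so the setup step runs without credentials.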
@@ -0,0 +1,36 @@ +--- + +name: Issue labeler +on: + issues: + types: [ opened ] + +permissions: + contents: read + +jobs: + label-component: + runs-on: ubuntu-22.04 + + permissions: + issues: write + + strategy: + matrix: + template: [ bug_report.yml, feature_request.yml ] + + steps: + - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b + + - name: Parse issue form + uses: stefanbuck/github-issue-parser@f80b14f78892a66d7a35bba44f0a7d63bee03602 + id: issue-parser + with: + template-path: .github/ISSUE_TEMPLATE/${{ matrix.template }} + + - name: Set labels based on component field + uses: redhat-plumbers-in-action/advanced-issue-labeler@fe9c43b7d77bd8bd7fbe86c2c217e74ebeea71f2 + with: + issue-form: ${{ steps.issue-parser.outputs.jsonString }} + template: ${{ matrix.template }} + token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml new file mode 100644 index 0000000..35766df --- /dev/null +++ b/.github/workflows/labeler.yml @@ -0,0 +1,24 @@ +--- +# vi: ts=2 sw=2 et: +# SPDX-License-Identifier: LGPL-2.1-or-later +# +name: "Pull Request Labeler" + +on: +- pull_request_target + +permissions: + contents: read + +jobs: + triage: + if: github.event.repository.name != 'systemd-security' + runs-on: ubuntu-latest + permissions: + pull-requests: write + steps: + - uses: actions/labeler@e54e5b338fbd6e6cdb5d60f51c22335fc57c401e + with: + repo-token: "${{ secrets.GITHUB_TOKEN }}" + configuration-path: .github/labeler.yml + sync-labels: "" # This is a workaround for issue 18671 diff --git a/.github/workflows/make_release.yml b/.github/workflows/make_release.yml new file mode 100644 index 0000000..9902a6c --- /dev/null +++ b/.github/workflows/make_release.yml 
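Review bot: labeler.yml's `pull_request_target` trigger runs with the base repository's token and `pull-requests: write`, and the job is safe only because it never checks out or executes pull-request content; that invariant is not written down, so a later edit adding an `actions/checkout` of the PR head would quietly turn the workflow into a path for untrusted code to reach a write token. Add a comment above `on:` such as `# pull_request_target runs with write access to the base repo: never check out or run code from the PR in this workflow.`. The `sync-labels: ""` line cites "issue 18671" without naming the tracker; spelling out which project's issue it is would make the workaround verifiable.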
@@ -0,0 +1,24 @@ +name: Make a Github release + +on: + push: + tags: + - "v*" + +permissions: + contents: read + +jobs: + release: + if: github.repository == 'systemd/systemd' || github.repository == 'systemd/systemd-stable' + runs-on: ubuntu-latest + + permissions: + contents: write + + steps: + - name: Release + uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 + with: + prerelease: ${{ contains(github.ref_name, '-rc') }} + draft: ${{ github.repository == 'systemd/systemd' }} diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml new file mode 100644 index 0000000..4bb361b --- /dev/null +++ b/.github/workflows/mkosi.yml 
@@ -0,0 +1,95 @@ +--- +# vi: ts=2 sw=2 et: +# SPDX-License-Identifier: LGPL-2.1-or-later +# Simple boot tests that build and boot the mkosi images generated by the mkosi config files in mkosi.default.d/. +name: mkosi + +on: + push: + branches: + - main + - v[0-9]+-stable + pull_request: + branches: + - main + - v[0-9]+-stable + +permissions: + contents: read + +env: + # Enable debug logging in systemd, but keep udev's log level to info, + # since it's _very_ verbose in the QEMU task + # Disable the ISC DHCP servers, as they are failing in Ubuntu + KERNEL_CMDLINE: "systemd.unit=mkosi-check-and-shutdown.service !quiet systemd.log_level=debug systemd.log_target=console udev.log_level=info systemd.default_standard_output=journal+console systemd.mask=isc-dhcp-server6.service systemd.mask=isc-dhcp-server.service" + +jobs: + ci: + runs-on: ubuntu-22.04 + concurrency: + group: ${{ github.workflow }}-${{ matrix.distro }}-${{ matrix.release }}-${{ github.ref }} + cancel-in-progress: true + strategy: + fail-fast: false + matrix: + include: + - distro: arch + release: rolling + - distro: debian + release: testing + - distro: ubuntu + release: jammy + - distro: opensuse + release: tumbleweed + - distro: centos_epel + release: 9-stream + + steps: + - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b + - uses: systemd/mkosi@792cbc60eb2dc4a58d66bb3c212bf92f8d50f6ea + + # FIXME: temporary workaround for a file conflict between systemd (C9S) and + # systemd-boot (EPEL9). Drop this once systemd in C9S is updated to v252 + # (should be done by the end of 2022). 
+ - name: Fix C9S/EPEL9 + if: ${{ matrix.release == '9-stream' }} + run: sudo sed -i '/add_packages/s/systemd-boot/systemd/g' /usr/local/lib/python3.10/dist-packages/mkosi/__init__.py + + - name: Install + run: sudo apt-get update && sudo apt-get install --no-install-recommends python3-pexpect python3-jinja2 + + - name: Configure + run: | + tee mkosi.default <<- EOF + [Distribution] + Distribution=${{ matrix.distro }} + Release=${{ matrix.release }} + + [Content] + Environment=CI_BUILD=1 + + [Output] + KernelCommandLine=${{ env.KERNEL_CMDLINE }} + + [Host] + # Sometimes we run on a host with /dev/kvm, but it is broken, so explicitly disable it + QemuKvm=no + EOF + + - name: Build ${{ matrix.distro }} + run: sudo python3 -m mkosi build + + - name: Show ${{ matrix.distro }} image summary + run: sudo python3 -m mkosi summary + + - name: Boot ${{ matrix.distro }} systemd-nspawn + run: sudo python3 -m mkosi boot ${{ env.KERNEL_CMDLINE }} + + - name: Check ${{ matrix.distro }} systemd-nspawn + run: sudo python3 -m mkosi shell bash -c "[[ -e /testok ]] || { cat /failed-services; exit 1; }" + + - name: Boot ${{ matrix.distro }} QEMU + run: sudo timeout -k 30 10m python3 -m mkosi qemu + + - name: Check ${{ matrix.distro }} QEMU + run: sudo python3 -m mkosi shell bash -c "[[ -e /testok ]] || { cat /failed-services; exit 1; }" diff --git a/.github/workflows/requirements.txt b/.github/workflows/requirements.txt new file mode 100644 index 0000000..edb1748 --- /dev/null +++ b/.github/workflows/requirements.txt 
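Review bot: The `Fix C9S/EPEL9` step patches `/usr/local/lib/python3.10/dist-packages/mkosi/__init__.py` with `sed -i`, hard-coding both the interpreter version and the install location of the action's mkosi; if the runner image moves off Python 3.10 the step fails outright, and if the `add_packages` line changes shape the substitution matches nothing and the workaround silently stops applying. Resolve the path from the installed module instead, e.g. `run: sudo sed -i '/add_packages/s/systemd-boot/systemd/g' "$(python3 -c 'import mkosi; print(mkosi.__file__)')"`, and follow it with a `grep -q systemd-boot` check that fails the step when the expected text is no longer there. The FIXME already records the removal condition (C9S at v252), which is good.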
@@ -0,0 +1,18 @@ +meson==0.63.2 \ + --hash=sha256:16222f17ef76be0542c91c07994f9676ae879f46fc21c0c786a21ef2cb518bbf \ + --hash=sha256:64a83ef257b2962b52c8b07ad9ec536c2de1b72fd9f14bcd9c21fe45730edd46 +ninja==1.10.2.4 \ + --hash=sha256:24e3bc4713667a9a1d15484ad2bb77bbaedb1e6d45254cb03f7964b8b497231a \ + --hash=sha256:251fb21cd6691accd0d95e28721ad8a50a6ec0ace97f9a8de3976f39301686f6 \ + --hash=sha256:327c319176c5a4af21908b727b776e9f5caf275680403da632821ba071fd6296 \ + --hash=sha256:3300f3f37d62dcc7bdd19284dff9eaed7d629f4ed2725019a6ce3291c655fb83 \ + --hash=sha256:34c8e44f6e2e35ff9444994bfc7bf451c8d4bf15e31ad1e3ef7b06f78647b35b \ + --hash=sha256:3fa6e69838613815c80abcaca34681c5b7cf15bf921543e518f5c918d7098bb7 \ + --hash=sha256:5b973b1ce7075e9091db290adbbf93ba9066a94f97c369d0ff631251c633e81b \ + --hash=sha256:685daebd1bc21480256351000a01dfb520636832fa65efc9f121474ff640e3df \ + --hash=sha256:b0350784b37c5080223ec1bedc507153cc714b502c17dd5a64552e930b0dca25 \ + --hash=sha256:b12cfed6382e510a597b3d08d7eec96664f7c8b8ee436eef645736c453d1c135 \ + --hash=sha256:b264085e409533aecb57040c5e90fbfb64db91a61575c7e637411780446412fa \ + --hash=sha256:b86a4e4ba2ed999d8b10f2b3f2ed56d7457ff647268f4098dd0b63dd145ede32 \ + --hash=sha256:da7a6d9b2ed2018165fbf90068e2c64da08f2568c700fdb8abea07a245dc4664 \ + --hash=sha256:ea245943a9849e5b1ebd74c1a4c1edd2c9801b62c0386165c7ac47623e353627 diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml new file mode 100644 index 0000000..911ac5a --- /dev/null +++ b/.github/workflows/scorecards.yml 
@@ -0,0 +1,70 @@ +--- +# vi: ts=2 sw=2 et: +# SPDX-License-Identifier: LGPL-2.1-or-later +name: Scorecards supply-chain security +on: + # Only the default branch is supported. + branch_protection_rule: + schedule: + - cron: '15 21 * * 6' + push: + branches: + - main + pull_request: + branches: + - main + paths: + - '.github/workflows/scorecards.yml' + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecards analysis + if: github.repository == 'systemd/systemd' + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Used to receive a badge. + id-token: write + + steps: + - name: Checkout code + uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0 + with: + persist-credentials: false + + - name: Run analysis + uses: ossf/scorecard-action@e363bfca00e752f91de7b7d2a77340e2e523cb18 # tag=v2.0.4 + with: + results_file: results.sarif + results_format: sarif + # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecards on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. + # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} + + # Publish the results for public repositories to enable scorecard badges. For more details, see + # https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories, `publish_results` will automatically be set to `false`, regardless + # of the value entered here. + publish_results: ${{ github.event_name != 'pull_request' }} + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. 
+ - name: Upload artifact + uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v3.0.0 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + - name: Upload to code-scanning + if: github.event_name != 'pull_request' + uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # tag=v1.0.26 + with: + sarif_file: results.sarif diff --git a/.github/workflows/unit_tests.sh b/.github/workflows/unit_tests.sh new file mode 100755 index 0000000..9a9fbb3 --- /dev/null +++ b/.github/workflows/unit_tests.sh 
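Review bot: `github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # tag=v1.0.26` pins a different revision of codeql-action than codeql.yml's `@0c670bbf0414f39666df6ce8e718ec5662c21e03`, so the same action is now maintained at two versions in one commit with a single update path only for one of them; pick one pin for both and carry the tag comment across. The `actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0` pin likewise differs from the `2541b1294d2704b0964813337f33b291d3f8596b` SHA every other workflow here uses.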
@@ -0,0 +1,129 @@ +#!/usr/bin/env bash +# SPDX-License-Identifier: LGPL-2.1-or-later + +# shellcheck disable=SC2206 +PHASES=(${@:-SETUP RUN RUN_ASAN_UBSAN CLEANUP}) +RELEASE="$(lsb_release -cs)" +ADDITIONAL_DEPS=( + clang + expect + fdisk + jekyll + libbpf-dev + libfdisk-dev + libfido2-dev + libp11-kit-dev + libpwquality-dev + libqrencode-dev + libssl-dev + libtss2-dev + libxkbcommon-dev + libzstd-dev + perl + python3-libevdev + python3-pyparsing + rpm + zstd +) + +function info() { + echo -e "\033[33;1m$1\033[0m" +} + +function run_meson() { + if ! meson "$@"; then + find . -type f -name meson-log.txt -exec cat '{}' + + return 1 + fi +} + +set -ex + +MESON_ARGS=(-Dcryptolib=${CRYPTOLIB:-auto}) + +for phase in "${PHASES[@]}"; do + case $phase in + SETUP) + info "Setup phase" + bash -c "echo 'deb-src http://archive.ubuntu.com/ubuntu/ $RELEASE main restricted universe multiverse' >>/etc/apt/sources.list" + # PPA with some newer build dependencies + add-apt-repository -y ppa:upstream-systemd-ci/systemd-ci + apt-get -y update + apt-get -y build-dep systemd + apt-get -y install "${ADDITIONAL_DEPS[@]}" + pip3 install -r .github/workflows/requirements.txt --require-hashes + ;; + RUN|RUN_GCC|RUN_CLANG|RUN_CLANG_RELEASE) + if [[ "$phase" =~ ^RUN_CLANG ]]; then + export CC=clang + export CXX=clang++ + if [[ "$phase" == RUN_CLANG ]]; then + # The docs build is slow and is not affected by compiler/flags, so do it just once + MESON_ARGS+=(-Dman=true) + else + MESON_ARGS+=(-Dmode=release --optimization=2) + fi + + # Some variation: remove machine-id, like on Debian builders to ensure unit tests still work. 
+ if [ -w /etc/machine-id ]; then + mv /etc/machine-id /etc/machine-id.bak + fi + fi + # The install_tag feature introduced in 0.60 causes meson to fail with fatal-meson-warnings + # "Project targeting '>= 0.53.2' but tried to use feature introduced in '0.60.0': install_tag arg in custom_target" + # It can be safely removed from the CI since it isn't actually used anywhere to test anything. + find . -type f -name meson.build -exec sed -i '/install_tag/d' '{}' '+' + MESON_ARGS+=(--fatal-meson-warnings) + run_meson -Dnobody-group=nogroup --werror -Dtests=unsafe -Dslow-tests=true -Dfuzz-tests=true "${MESON_ARGS[@]}" build + ninja -C build -v + meson test -C build --print-errorlogs + ;; + RUN_ASAN_UBSAN|RUN_GCC_ASAN_UBSAN|RUN_CLANG_ASAN_UBSAN|RUN_CLANG_ASAN_UBSAN_NO_DEPS) + MESON_ARGS=(--optimization=1) + + if [[ "$phase" =~ ^RUN_CLANG_ASAN_UBSAN ]]; then + export CC=clang + export CXX=clang++ + # Build fuzzer regression tests only with clang (for now), + # see: https://github.com/systemd/systemd/pull/15886#issuecomment-632689604 + # -Db_lundef=false: See https://github.com/mesonbuild/meson/issues/764 + MESON_ARGS+=(-Db_lundef=false -Dfuzz-tests=true) + + if [[ "$phase" == "RUN_CLANG_ASAN_UBSAN_NO_DEPS" ]]; then + MESON_ARGS+=(-Dskip-deps=true) + fi + fi + # The install_tag feature introduced in 0.60 causes meson to fail with fatal-meson-warnings + # "Project targeting '>= 0.53.2' but tried to use feature introduced in '0.60.0': install_tag arg in custom_target" + # It can be safely removed from the CI since it isn't actually used anywhere to test anything. + find . 
-type f -name meson.build -exec sed -i '/install_tag/d' '{}' '+' + MESON_ARGS+=(--fatal-meson-warnings) + run_meson -Dnobody-group=nogroup --werror -Dtests=unsafe -Db_sanitize=address,undefined "${MESON_ARGS[@]}" build + ninja -C build -v + + export ASAN_OPTIONS=strict_string_checks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1 + # Never remove halt_on_error from UBSAN_OPTIONS. See https://github.com/systemd/systemd/commit/2614d83aa06592aedb. + export UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1 + + # FIXME + # For some strange reason the GH Actions VM stops responding after + # executing first ~150 tests, _unless_ there's something producing + # output (either running `meson test` in verbose mode, or something + # else in background). Despite my efforts so far I haven't been able + # to identify the culprit (since the issue is not reproducible + # during debugging, wonderful), so let's at least keep a workaround + # here to make the builds stable for the time being. + (set +x; while :; do echo -ne "\n[WATCHDOG] $(date)\n"; sleep 30; done) & + meson test --timeout-multiplier=3 -C build --print-errorlogs + ;; + CLEANUP) + info "Cleanup phase" + if [ ! -f /etc/machine-id ] && [ -w /etc/machine-id.bak ]; then + mv /etc/machine-id.bak /etc/machine-id + fi + ;; + *) + echo >&2 "Unknown phase '$phase'" + exit 1 + esac +done diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml new file mode 100644 index 0000000..cd6c33e --- /dev/null +++ b/.github/workflows/unit_tests.yml 
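Review bot: The watchdog `(set +x; while :; do echo -ne "\n[WATCHDOG] $(date)\n"; sleep 30; done) &` started before `meson test` is never stopped, so it keeps printing through any later `CLEANUP` phase and, when `meson test` fails under `set -e`, outlives the script as an orphan until the runner tears the job down. Record its PID and reap it on every exit path: `watchdog_pid=$!` right after the `&`, `trap 'kill "$watchdog_pid" 2>/dev/null || :' EXIT` next, and a plain `kill "$watchdog_pid"` after `meson test` so the remaining phases run quietly. The `find . -type f -name meson.build -exec sed -i '/install_tag/d' '{}' '+'` workaround and its three-line comment are also duplicated between the `RUN*` and `RUN_*ASAN_UBSAN` arms and could move into a small helper called from both.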
@@ -0,0 +1,45 @@ +--- +# vi: ts=2 sw=2 et: +# SPDX-License-Identifier: LGPL-2.1-or-later +# +name: Unit tests +on: + pull_request: + branches: + - main + - v[0-9]+-stable + +permissions: + contents: read + +jobs: + build: + runs-on: ubuntu-22.04 + concurrency: + group: ${{ github.workflow }}-${{ matrix.run_phase }}-${{ matrix.cryptolib }}-${{ github.ref }} + cancel-in-progress: true + strategy: + fail-fast: false + matrix: + run_phase: [GCC, GCC_ASAN_UBSAN, CLANG, CLANG_RELEASE, CLANG_ASAN_UBSAN, CLANG_ASAN_UBSAN_NO_DEPS] + cryptolib: [auto] + include: + - run_phase: GCC + cryptolib: openssl + - run_phase: CLANG + cryptolib: gcrypt + steps: + - name: Repository checkout + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b + - name: Install build dependencies + run: | + # Drop XDG_* stuff from /etc/environment, so we don't get the user + # XDG_* variables when running under sudo + sudo sed -i '/^XDG_/d' /etc/environment + # Pass only specific env variables through sudo, to avoid having + # the already existing XDG_* stuff on the "other side" + sudo --preserve-env=CRYPTOLIB,GITHUB_ACTIONS,CI .github/workflows/unit_tests.sh SETUP + - name: Build & test (${{ matrix.run_phase }}-${{ matrix.cryptolib }}) + run: sudo --preserve-env=CRYPTOLIB,GITHUB_ACTIONS,CI .github/workflows/unit_tests.sh RUN_${{ matrix.run_phase }} + env: + CRYPTOLIB: ${{ matrix.cryptolib }} |