Move sample certificate checking policy #33
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches-ignore: | |
| - coverity_scan | |
| - run-fuzzer** | |
| - debug-fuzzer-** | |
| pull_request: | |
| env: | |
| ASAN_OPTIONS: symbolize=1 detect_leaks=1 detect_stack_use_after_return=1 | |
| LSAN_OPTIONS: fast_unwind_on_malloc=0:malloc_context_size=50 | |
| UBSAN_OPTIONS: print_stacktrace=1 | |
| M_PERTURB: "0x42" | |
| PANIC_ACTION: "gdb -batch -x raddb/panic.gdb %e %p 1>&0 2>&0" | |
| # Stops the utilities forking on every call to check if they're running under GDB/LLDB | |
| DEBUGGER_ATTACHED: no | |
| ANALYZE_C_DUMP: 1 | |
| FR_GLOBAL_POOL: 4M | |
| TEST_CERTS: yes | |
| NO_PERFORMANCE_TESTS: yes | |
| DO_BUILD: yes | |
| HOSTAPD_BUILD_DIR: eapol_test.ci | |
| HOSTAPD_GIT_TAG: hostap_2_11 | |
| DEBIAN_FRONTEND: noninteractive | |
| CI: 1 | |
| GH_ACTIONS: 1 | |
| jobs: | |
| pre-ci: | |
| runs-on: ubuntu-latest | |
| # Map a step output to a job output | |
| outputs: | |
| should_skip: ${{ steps.skip_check.outputs.should_skip }} | |
| selfhosted: ${{ github.repository_owner == 'FreeRADIUS' && '1' || '0' }} | |
| docker_prefix: ${{ github.repository_owner == 'FreeRADIUS' && 'docker.internal.networkradius.com/' || '' }} | |
| steps: | |
| - id: skip_check | |
| uses: fkirc/skip-duplicate-actions@master | |
| ci: | |
| timeout-minutes: 150 | |
| needs: pre-ci | |
| if: ${{ needs.pre-ci.outputs.should_skip != 'true' }} | |
| runs-on: ${{ matrix.os.runs_on }} | |
| container: | |
| image: ${{ matrix.os.docker }} | |
| # "privileged" is needed for Samba install | |
| # "memory-swap -1" enables full use of host swap and may help | |
| # with containers randomly quitting with "The operation was | |
| # canceled" | |
| options: >- | |
| --privileged | |
| --memory-swap -1 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| # runs_on - where GitHub will spin up the runner, either | |
| # "self-hosted", or the name of a GitHub VM image | |
| # e.g. ubuntu-20.04 or ubuntu-latest | |
| # see: https://github.com/actions/runner-images | |
| # code - the name/version of the OS (for step evaluations below) | |
| # docker - the docker image name, if containers are being used | |
| # name - used in the job name only | |
| os: | |
| - runs_on: "${{ needs.pre-ci.outputs.selfhosted == '1' && 'self-hosted' || 'ubuntu-20.04' }}" | |
| docker: "${{ needs.pre-ci.outputs.selfhosted == '1' && 'docker.internal.networkradius.com/self-hosted' || 'ubuntu:24.04' }}" | |
| name: "${{ needs.pre-ci.outputs.selfhosted == '1' && 'self' || 'gh' }}-ubuntu24" | |
| code: "ubuntu2004" | |
| imageos: "ubuntu24" | |
| env: | |
| - { CC: gcc, BUILD_CFLAGS: "-DWITH_EVAL_DEBUG", LIBS_OPTIONAL: no, LIBS_ALT: no, TEST_TYPE: fixtures, NAME: linux-gcc-lean } | |
| - { CC: gcc, BUILD_CFLAGS: "-DWITH_EVAL_DEBUG", LIBS_OPTIONAL: yes, LIBS_ALT: no, TEST_TYPE: fixtures, NAME: linux-gcc } | |
| - { CC: gcc, BUILD_CFLAGS: "-DWITH_EVAL_DEBUG -O2 -g3", LIBS_OPTIONAL: yes, LIBS_ALT: no, TEST_TYPE: fixtures, NAME: linux-gcc-O2-g3 } | |
| - { CC: gcc, BUILD_CFLAGS: "-DNDEBUG", LIBS_OPTIONAL: yes, LIBS_ALT: no, TEST_TYPE: fixtures, NAME: linux-gcc-ndebug } | |
| - { CC: clang, BUILD_CFLAGS: "-DWITH_EVAL_DEBUG", LIBS_OPTIONAL: no, LIBS_ALT: no, TEST_TYPE: fixtures, NAME: linux-clang-lean } | |
| - { CC: clang, BUILD_CFLAGS: "-DWITH_EVAL_DEBUG", LIBS_OPTIONAL: yes, LIBS_ALT: no, TEST_TYPE: fixtures, NAME: linux-clang } | |
| - { CC: clang, BUILD_CFLAGS: "-DWITH_EVAL_DEBUG -O2 -g3", LIBS_OPTIONAL: yes, LIBS_ALT: no, TEST_TYPE: fixtures, NAME: linux-clang-O2-g3 } | |
| - { CC: clang, BUILD_CFLAGS: "-DNDEBUG", LIBS_OPTIONAL: yes, LIBS_ALT: no, TEST_TYPE: fixtures, NAME: linux-clang-ndebug } | |
| - { CC: clang, BUILD_CFLAGS: "-DWITH_EVAL_DEBUG", LIBS_OPTIONAL: yes, LIBS_ALT: yes, TEST_TYPE: fixtures, NAME: linux-clang-altlibs } | |
| - { CC: clang, BUILD_CFLAGS: "-DWITH_EVAL_DEBUG -O2 -g3", LIBS_OPTIONAL: yes, LIBS_ALT: no, TEST_TYPE: fuzzing, NAME: linux-fuzzer } | |
| env: ${{ matrix.env }} | |
| # If branch protection is in place with status checks enabled, ensure | |
| # names are updated if new matrix entries are added or the name format | |
| # changes. | |
| name: "master-${{ matrix.os.name }}-${{ matrix.env.NAME}}" | |
| # The standard GitHub environment contains PostgreSQL and | |
| # MySQL already. However when running on hosted GitHub runners | |
| # we need to run separate database containers to provide these. | |
| services: | |
| mariadb: | |
| image: ${{ needs.pre-ci.outputs.docker_prefix }}mariadb | |
| env: | |
| MARIADB_ALLOW_EMPTY_ROOT_PASSWORD: yes | |
| ports: | |
| - 3306:3306 | |
| options: >- | |
| --health-cmd="mariadb-admin ping" | |
| --health-interval 10s | |
| --health-timeout 5s | |
| --health-retries 10 | |
| postgres: | |
| image: ${{ needs.pre-ci.outputs.docker_prefix }}postgres | |
| env: | |
| POSTGRES_HOST_AUTH_METHOD: trust | |
| ports: | |
| - 5432:5432 | |
| options: >- | |
| --health-cmd pg_isready | |
| --health-interval 10s | |
| --health-timeout 5s | |
| --health-retries 5 | |
| threeds: | |
| image: ${{ needs.pre-ci.outputs.docker_prefix }}4teamwork/389ds | |
| ports: | |
| - 3389:3389 | |
| - 3636:3636 | |
| options: >- | |
| -e SUFFIX_NAME=dc=example,dc=com | |
| -e DS_DM_PASSWORD=secret123 | |
| --health-cmd "dsctl localhost healthcheck --check backends:localhost:search" | |
| --health-interval 10s | |
| --health-timeout 5s | |
| --health-retries 5 | |
| steps: | |
| # Need git installed for checkout to behave normally | |
| - name: Install checkout prerequisites | |
| run: apt-get update && apt-get install -y --no-install-recommends git git-lfs ca-certificates | |
| # Checkout, but defer pulling LFS objects until we've restored the cache | |
| - uses: actions/checkout@v4 | |
| with: | |
| lfs: false | |
| # Docker image does not have same environment as the | |
| # standard GitHub actions image, so use this to bring them | |
| # more in line. | |
| - name: Prepare Docker environment | |
| uses: ./.github/actions/docker-prep | |
| - name: Install build dependencies | |
| uses: ./.github/actions/freeradius-deps | |
| with: | |
| use_docker: true | |
| cc: ${{ matrix.env.CC }} | |
| fuzzing: ${{ matrix.env.TEST_TYPE == 'fuzzing' }} | |
| - name: Install alternative dependencies | |
| if: ${{ matrix.env.LIBS_ALT == 'yes' }} | |
| uses: ./.github/actions/freeradius-alt-deps | |
| - name: Build FreeRADIUS | |
| uses: ./.github/actions/build-freeradius | |
| with: | |
| use_sanitizers: false | |
| cc: ${{ matrix.env.CC }} | |
| test_type: ${{ matrix.env.TEST_TYPE }} | |
| platform: ${{ matrix.os.imageos }} | |
| - name: Run main CI tests | |
| uses: ./.github/actions/ci-tests | |
| if: ${{ matrix.env.TEST_TYPE == 'fixtures' }} | |
| with: | |
| use_docker: true | |
| sql_mysql_test_server: mariadb | |
| sql_postgresql_test_server: postgres | |
| redis_test_server: 127.0.0.1 | |
| ldap_test_server: 127.0.0.1 | |
| ldap_test_server_port: 3890 | |
| ldaps_test_server_port: 6361 | |
| ldap389_test_server: threeds | |
| ldap389_test_server_port: 3389 | |
| active_directory_test_server: 127.0.0.1 | |
| rest_test_server: 127.0.0.1 | |
| rest_test_port: 8080 | |
| rest_test_ssl_port: 8443 | |
| imap_test_server: 127.0.0.1 | |
| imap_test_server_port: 1430 | |
| imap_test_server_ssl_port: 1432 | |
| smtp_test_server: 127.0.0.1 | |
| smtp_test_server_port: 2525 | |
| - name: Run fuzzer | |
| uses: ./.github/actions/fuzzer | |
| # | |
| # If the CI has failed and the branch is ci-debug then we start a tmate | |
| # session to provide interactive shell access to the session. | |
| # | |
| # The SSH rendezvous point will be emited continuously in the job output, | |
| # which will look something like: | |
| # | |
| # SSH: ssh [email protected] | |
| # | |
| # For example: | |
| # | |
| # git push origin ci-debug --force | |
| # | |
| # Look at the job output in: https://github.com/FreeRADIUS/freeradius-server/actions | |
| # | |
| # ssh [email protected] | |
| # | |
| # Access requires that you have the private key corresponding to the | |
| # public key of the GitHub user that initiated the job. | |
| # | |
| - name: "Debug: Start tmate" | |
| uses: mxschmitt/action-tmate@v3 | |
| with: | |
| limit-access-to-actor: true | |
| if: ${{ github.ref == 'refs/heads/ci-debug' && failure() }} | |
| ########################################################################################## | |
| # FREERADIUS CORE DEVELOPERS ONLY | |
| ########################################################################################## | |
| # | |
| # If the above CI checks pass on a branch named after the developer, then the branch will | |
| # automatically be merged into master. | |
| # | |
| # This allows developers to access the significantly faster self-hosted runners, with | |
| # minimal additional work. It also prevents them inadvertently from introducing changes | |
| # that break the CI for everyone else. | |
| # | |
| # Note: Changes will ONLY be merged into master if CI passes. | |
| # | |
| # Multiple automatic-merge behaviours are supported: | |
| # - If the branch name ends in '/merge', then the branch will be merged into master, potentially | |
| # creating a merge commit. | |
| # - If the branch name ends in '/ff', then master will be fast forwarded to the HEAD commit of | |
| # the branch. This is the default if no suffix is provided. | |
| # | |
| merge-upstream: | |
| needs: | |
| - ci | |
| if: ( github.event_name == 'push' ) && ( github.repository_owner == FreeRADIUS' ) && (startsWith(github.ref, "refs/heads/developer/${{ github.actor }}")) | |
| runs-on: ubuntu-latest | |
| name: "Merge into upstream" | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| lfs: false | |
| persist-credentials: false | |
| - name: Set up Git with `GITHUB_TOKEN` | |
| run: | | |
| git config --global url."https://${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}@github.com/".insteadOf "https://github.com/" | |
| git config --global user.name "GitHub Actions" | |
| git config --global user.email "[email protected]" | |
| git config --global commit.gpgSign true | |
| git config --global gpg.format ssh | |
| # First, as this was a shallow checkout, and only the user's branch was fetched, we need | |
| # to fetch the rest of the branches, and more history. | |
| # | |
| # Then, we attempt to checkout the master branch, and merge the user's branch into it. | |
| - name: "Merge into upstream dev branch and update local branch" | |
| if: endsWith(github.ref, '/merge') | |
| run: | | |
| git fetch --depth=1000 --no-recurse-submodules origin +refs/heads/*:refs/remotes/origin/* | |
| echo "Merging master into user branch: ${GITHUB_REF_NAME}" | |
| git checkout --progress --force -B master origin/master | |
| git merge --no-commit --no-edit "${GITHUB_REF_NAME}" | |
| echo "Pushing to user branch: ${GITHUB_REF_NAME}" | |
| git push origin "HEAD:${GITHUB_REF_NAME}" | |
| echo "Pushing to master" | |
| git push origin HEAD:master | |
| - name: "Fast forward upstream" | |
| if: endsWith(github.ref, "/${{ github.actor }}") || endsWith(github.ref, '/ff') | |
| run: | | |
| git fetch --depth=1000 --no-recurse-submodules origin +refs/heads/*:refs/remotes/origin/* | |
| echo "Fast forwarding local copy of master to match developer's branch: ${GITHUB_REF_NAME}" | |
| git checkout --progress --force -B master origin/master | |
| git merge --ff-only "${GITHUB_REF_NAME}" | |
| echo "Pushing to master" | |
| git push origin HEAD:master |