[RFC] Hide /sysroot in a private mount namespace #2522
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Tests | |
on: | |
push: | |
branches: [main] | |
pull_request: | |
branches: [main] | |
permissions: | |
contents: read | |
jobs: | |
codestyle: | |
name: "Code style" | |
runs-on: ubuntu-latest | |
container: quay.io/coreos-assembler/fcos-buildroot:testing-devel | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v2 | |
with: | |
fetch-depth: 0 | |
submodules: true | |
# https://github.com/actions/checkout/issues/760 | |
- name: Mark git checkout as safe | |
run: git config --global --add safe.directory "$GITHUB_WORKSPACE" | |
- name: Test style | |
run: ./ci/ci-commitmessage-submodules.sh | |
clang-format: | |
name: "clang-format" | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
submodules: true | |
# https://github.com/actions/checkout/issues/760 | |
- name: Mark git checkout as safe | |
run: git config --global --add safe.directory "$GITHUB_WORKSPACE" | |
- run: sudo apt install clang-format | |
- name: Test style | |
run: ./ci/clang-format.sh | |
build-integration: | |
runs-on: ubuntu-latest | |
container: quay.io/coreos-assembler/fcos-buildroot:testing-devel | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Cache Dependencies | |
uses: Swatinem/rust-cache@ce325b60658c1b38465c06cc965b79baf32c1e72 | |
with: | |
key: "integration" | |
- name: Build | |
run: cd tests/inst && cargo build --verbose --release | |
- name: Upload binary | |
uses: actions/upload-artifact@v4 | |
with: | |
name: ostree-test | |
path: tests/inst/target/release/ostree-test | |
minimal: | |
name: "Build - FCOS minimal" | |
runs-on: ubuntu-latest | |
container: quay.io/coreos-assembler/fcos-buildroot:testing-devel | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v2 | |
# https://github.com/actions/checkout/issues/760 | |
- name: Mark git checkout as safe | |
run: git config --global --add safe.directory "$GITHUB_WORKSPACE" | |
- name: Build | |
run: | | |
env NOCONFIGURE=1 ./autogen.sh && | |
./configure --without-curl --without-soup --disable-gtk-doc --disable-man \ | |
--disable-rust --without-libarchive --without-selinux --without-smack \ | |
--without-openssl --without-avahi --without-libmount --disable-rofiles-fuse \ | |
--without-libsodium && | |
make | |
build-c: | |
name: "Build (Fedora)" | |
runs-on: ubuntu-latest | |
container: quay.io/coreos-assembler/fcos-buildroot:testing-devel | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v3 | |
# https://github.com/actions/checkout/issues/760 | |
- name: Mark git checkout as safe | |
run: git config --global --add safe.directory "$GITHUB_WORKSPACE" | |
- name: Build | |
run: | | |
env NOCONFIGURE=1 ./autogen.sh && | |
./configure --with-curl --with-selinux --with-dracut=yesbutnoconf --with-composefs && | |
make -j 4 && make install DESTDIR=$(pwd)/install && tar -c -C install --zstd -f inst.tar.zst . | |
- name: Upload binary | |
uses: actions/upload-artifact@v4 | |
with: | |
name: inst.tar.zst | |
path: inst.tar.zst | |
privtest: | |
name: "Privileged testing" | |
needs: [build-c, build-integration] | |
runs-on: ubuntu-latest | |
container: | |
image: quay.io/fedora/fedora-coreos:testing-devel | |
options: "--privileged --pid=host -v /run/systemd:/run/systemd -v /:/run/host" | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v3 | |
- name: Download install tree | |
uses: actions/download-artifact@v4 | |
with: | |
name: inst.tar.zst | |
- name: Install | |
run: tar -C / -xvf inst.tar.zst && rm -f inst.tar.zst | |
- name: Download test binary | |
uses: actions/download-artifact@v4 | |
with: | |
name: ostree-test | |
- name: Install | |
run: install ostree-test /usr/bin | |
- name: Setup | |
# https://github.com/ostreedev/ostree-rs-ext/issues/417 | |
run: mkdir -p /var/tmp | |
- name: Integration tests (unit) | |
run: ostree-test | |
tests: | |
# Distro configuration matrix | |
# | |
# Each build is run in a Docker container specific to the distro. | |
# When adding a new distro, handle the dependency installation in | |
# `ci/gh-install.sh`. The matrix configuration options are: | |
# | |
# name: A friendly name to use for the job. | |
# | |
# image: The Docker image to use. | |
# | |
# container-options: Additional Docker command line options. | |
# | |
# pre-checkout-setup: Commands to run before the git repo checkout. | |
# If git is not in the Docker image, it must be installed here. | |
# Otherwise, the checkout action uses the GitHub REST API, which | |
# doesn't result in an actual git repo. A real git repo is | |
# required to checkout the submodules. | |
# | |
# extra-packages: Packages to install in addition to those in | |
# `ci/gh-install.sh`. This can be used to support features from | |
# additional `configure` options. | |
# | |
# configure-options: Options to pass to `configure`. | |
strategy: | |
# Let other configurations continue if one fails. | |
fail-fast: false | |
matrix: | |
include: | |
# Debian builds. Currently stable and testing are tested. | |
# Other options would be stable-backports, oldstable, | |
# oldstable-backports and unstable. | |
# | |
# https://hub.docker.com/_/debian | |
- name: Debian Stable with sign-ed25519 and FUSE 2 | |
image: debian:stable-slim | |
pre-checkout-setup: | | |
apt-get update | |
apt-get install -y git | |
extra-packages: >- | |
libfuse-dev | |
libsodium-dev | |
configure-options: >- | |
--with-ed25519-libsodium | |
- name: Debian Stable with curl, sign-ed25519, no gpgme, FUSE 3 | |
image: debian:stable-slim | |
pre-checkout-setup: | | |
apt-get update | |
apt-get install -y git | |
extra-packages: >- | |
libfuse3-dev | |
libsodium-dev | |
configure-options: >- | |
--with-curl | |
--with-ed25519-libsodium | |
--without-gpgme | |
# A 32 bit build to act as a proxy for frequently deployed 32 | |
# bit armv7 | |
- name: Debian Stable 32 bit | |
image: i386/debian:stable-slim | |
# This is pretty nasty. The checkout action uses an x86_64 | |
# node binary in the container, so we need to provide an | |
# x86_64 ld.so and libstdc++. | |
pre-checkout-setup: | | |
dpkg --add-architecture amd64 | |
apt-get update | |
apt-get install -y git libc6:amd64 libstdc++6:amd64 | |
# A build without libsystemd support, similar to what flatpak-builder does. | |
- name: Debian Stable without libsystemd | |
image: debian:stable-slim | |
pre-checkout-setup: | | |
apt-get update | |
apt-get install -y git | |
configure-options: >- | |
--without-libsystemd | |
- name: Debian Testing | |
image: debian:testing-slim | |
container-options: --security-opt seccomp=unconfined | |
pre-checkout-setup: | | |
apt-get update | |
apt-get install -y git | |
extra-packages: >- | |
libssl-dev | |
configure-options: >- | |
--with-crypto=openssl | |
# A build using libsoup3. After bookworm is released, this can | |
# be switched to Debian Stable. | |
- name: Debian Testing with libsoup3 | |
image: debian:testing-slim | |
container-options: --security-opt seccomp=unconfined | |
pre-checkout-setup: | | |
apt-get update | |
apt-get install -y git | |
extra-packages: >- | |
libsoup-3.0-dev | |
configure-options: >- | |
--with-soup3 | |
# A build using static prepareorot | |
- name: Debian stable + static-prepareroot | |
image: debian:stable-slim | |
container-options: --security-opt seccomp=unconfined | |
pre-checkout-setup: | | |
apt-get update | |
apt-get install -y git | |
configure-options: >- | |
--with-static-compiler="gcc" | |
# Ubuntu builds. Unfortunately, when the latest release is | |
# also the latest LTS, latest and rolling are the same. Other | |
# options would be to test the previous LTS by name or to test | |
# the devel tag, which is the unreleased version. | |
# | |
# https://hub.docker.com/_/ubuntu | |
# For now, this is disabled because its glib version is too old. | |
# - name: Ubuntu Latest LTS | |
# image: ubuntu:latest | |
# pre-checkout-setup: | | |
# apt-get update | |
# apt-get install -y git | |
- name: Ubuntu Latest Release | |
image: ubuntu:rolling | |
# FIXME: The ubuntu-latest VMs are currently based on 20.04 | |
# (focal). In focal, libseccomp2 doesn't know about the | |
# close_range syscall, but g_spawn_sync in impish tries to | |
# use close_range since it's defined in glibc. That causes | |
# libseccomp2 to return EPERM as it does for any unknown | |
# syscalls. g_spawn_sync carries on silently instead of | |
# falling back to other means of setting CLOEXEC on open | |
# FDs. Eventually it causes some tests to hang since once | |
# side of a pipe is never closed. Remove this when | |
# libseccomp2 in focal is updated or glib in impish handles | |
# the EPERM better. | |
# | |
# https://github.com/ostreedev/ostree/issues/2495 | |
# https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1944436 | |
container-options: --security-opt seccomp=unconfined | |
pre-checkout-setup: | | |
apt-get update | |
apt-get install -y git | |
name: ${{ matrix.name }} | |
runs-on: ubuntu-latest | |
container: | |
image: ${{ matrix.image }} | |
# An empty string isn't valid, so a dummy --label option is always | |
# added. | |
options: --label ostree ${{ matrix.container-options }} | |
# make sure tests are performed on a non-overlayfs filesystem | |
volumes: | |
- tmp_dir:/test-tmp | |
env: | |
TEST_TMPDIR: /test-tmp | |
steps: | |
- name: Pre-checkout setup | |
run: ${{ matrix.pre-checkout-setup }} | |
if: ${{ matrix.pre-checkout-setup }} | |
- name: Checkout repository | |
uses: actions/checkout@v2 | |
with: | |
submodules: true | |
- name: Install dependencies | |
run: ./ci/gh-install.sh ${{ matrix.extra-packages }} | |
- name: Add non-root user | |
run: "useradd builder && chown -R -h builder: . $TEST_TMPDIR" | |
- name: Build and test | |
run: runuser -u builder -- ./ci/gh-build.sh ${{ matrix.configure-options }} | |
env: | |
# GitHub hosted runners currently have 2 CPUs, so run 2 | |
# parallel make jobs. | |
# | |
# https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners | |
MAKEFLAGS: -j2 |