Merge pull request #2275 from cgwalters/ci-rework

CI: run as non-root and add sanitizer build+check
2025-03-16 10:50:43 +03:00 · 2021-02-03 09:58:42 -05:00 · 2021-02-03 09:58:42 -05:00 · f0b619dfb9
commit f0b619dfb9
parent 38ba9a66c8 6b5aef7612
2 changed files with 13 additions and 1 deletions
--- a/ci/build-check-sanitized.sh
+++ b/ci/build-check-sanitized.sh
@ -0,0 +1,12 @@
+#!/usr/bin/bash
+# Build with ASAN and UBSAN + unit tests.
+
+set -xeuo pipefail
+
+dn=$(dirname $0)
+. ${dn}/libbuild.sh
+export CFLAGS='-fsanitize=address -fsanitize=undefined -fsanitize-undefined-trap-on-error'
+# We leak global state in a few places, fixing that is hard.
+export ASAN_OPTIONS='detect_leaks=0'
+${dn}/build.sh
+make check
--- a/ci/installdeps.sh
+++ b/ci/installdeps.sh
@ -7,7 +7,7 @@ set -xeuo pipefail
 # cosa buildroot container
 # https://github.com/coreos/coreos-assembler/pull/730
 # And using `yum` at all means we can flake on fetching rpm metadata
-if [ -n "${SKIP_INSTALLDEPS:-}" ]; then
+if [ -n "${SKIP_INSTALLDEPS:-}" ] || test "$(id -u)" != 0; then
    exit 0
 fi