ostree/.github/workflows/tests.yml
Dan Nicholson de1870df8c github: Workaround glib/seccomp issue on Ubuntu impish
The ubuntu-latest VMs are currently based on 20.04 (focal). In focal,
libseccomp2 doesn't know about the close_range syscall[1], but
g_spawn_sync in impish tries to use close_range since it's defined in
glibc. That causes libseccomp2 to return EPERM as it does for any
unknown syscalls. g_spawn_sync carries on silently instead of falling
back to other means of setting CLOEXEC on open FDs. Eventually it causes
some tests to hang since once side of a pipe is never closed. Remove
this when libseccomp2 in focal is updated or glib in impish handles the
EPERM better.

1. https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1944436

Fixes: #2495
2022-01-12 21:59:23 -07:00

156 lines
5.5 KiB
YAML

---
name: Tests
on:
push:
branches: [main]
pull_request:
branches: [main]
permissions:
contents: read
jobs:
tests:
# Distro configuration matrix
#
# Each build is run in a Docker container specific to the distro.
# When adding a new distro, handle the dependency installation in
# `ci/gh-install.sh`. The matrix configuration options are:
#
# name: A friendly name to use for the job.
#
# image: The Docker image to use.
#
# container-options: Additional Docker command line options.
#
# pre-checkout-setup: Commands to run before the git repo checkout.
# If git is not in the Docker image, it must be installed here.
# Otherwise, the checkout action uses the GitHub REST API, which
# doesn't result in an actual git repo. A real git repo is
# required to checkout the submodules.
#
# extra-packages: Packages to install in addition to those in
# `ci/gh-install.sh`. This can be used to support features from
# additional `configure` options.
#
# configure-options: Options to pass to `configure`.
strategy:
# Let other configurations continue if one fails.
fail-fast: false
matrix:
include:
# Debian builds. Currently stable and testing are tested.
# Other options would be stable-backports, oldstable,
# oldstable-backports and unstable.
#
# https://hub.docker.com/_/debian
- name: Debian Stable with sign-ed25519 and FUSE 2
image: debian:stable-slim
pre-checkout-setup: |
apt-get update
apt-get install -y git
extra-packages: >-
libfuse-dev
libsodium-dev
configure-options: >-
--with-ed25519-libsodium
- name: Debian Stable with curl, sign-ed25519, no gpgme, FUSE 3
image: debian:stable-slim
pre-checkout-setup: |
apt-get update
apt-get install -y git
extra-packages: >-
libfuse3-dev
libsodium-dev
configure-options: >-
--with-curl
--with-ed25519-libsodium
--without-gpgme
# A 32 bit build to act as a proxy for frequently deployed 32
# bit armv7
- name: Debian Stable 32 bit
image: i386/debian:stable-slim
# This is pretty nasty. The checkout action uses an x86_64
# node binary in the container, so we need to provide an
# x86_64 ld.so and libstdc++.
pre-checkout-setup: |
dpkg --add-architecture amd64
apt-get update
apt-get install -y git libc6:amd64 libstdc++6:amd64
- name: Debian Testing
image: debian:testing-slim
pre-checkout-setup: |
apt-get update
apt-get install -y git
# Ubuntu builds. Unfortunately, when the latest release is
# also the latest LTS, latest and rolling are the same. Other
# options would be to test the previous LTS by name or to test
# the devel tag, which is the unreleased version.
#
# https://hub.docker.com/_/ubuntu
- name: Ubuntu Latest LTS
image: ubuntu:latest
pre-checkout-setup: |
apt-get update
apt-get install -y git
- name: Ubuntu Latest Release
image: ubuntu:rolling
# FIXME: The ubuntu-latest VMs are currently based on 20.04
# (focal). In focal, libseccomp2 doesn't know about the
# close_range syscall, but g_spawn_sync in impish tries to
# use close_range since it's defined in glibc. That causes
# libseccomp2 to return EPERM as it does for any unknown
# syscalls. g_spawn_sync carries on silently instead of
# falling back to other means of setting CLOEXEC on open
# FDs. Eventually it causes some tests to hang since once
# side of a pipe is never closed. Remove this when
# libseccomp2 in focal is updated or glib in impish handles
# the EPERM better.
#
# https://github.com/ostreedev/ostree/issues/2495
# https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1944436
container-options: --security-opt seccomp=unconfined
pre-checkout-setup: |
apt-get update
apt-get install -y git
name: ${{ matrix.name }}
runs-on: ubuntu-latest
container:
image: ${{ matrix.image }}
# An empty string isn't valid, so a dummy --label option is always
# added.
options: --label ostree ${{ matrix.container-options }}
steps:
- name: Pre-checkout setup
run: ${{ matrix.pre-checkout-setup }}
if: ${{ matrix.pre-checkout-setup }}
- name: Checkout repository
uses: actions/checkout@v2
with:
submodules: true
- name: Install dependencies
run: ./ci/gh-install.sh ${{ matrix.extra-packages }}
- name: Add non-root user
run: "useradd builder && chown -R -h builder: ."
- name: Build and test
run: runuser -u builder -- ./ci/gh-build.sh ${{ matrix.configure-options }}
env:
# GitHub hosted runners currently have 2 CPUs, so run 2
# parallel make jobs.
#
# https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners
MAKEFLAGS: -j2