diff --git a/.github/workflows/unit_tests.sh b/.github/workflows/unit_tests.sh index c1a5ede3833..cf9dd19151e 100755 --- a/.github/workflows/unit_tests.sh +++ b/.github/workflows/unit_tests.sh @@ -42,6 +42,12 @@ set -ex MESON_ARGS=(-Dcryptolib=${CRYPTOLIB:-auto}) +# (Re)set the current oom-{score-}adj. For some reason root on GH actions is able to _decrease_ +# its oom-score even after dropping all capabilities (including CAP_SYS_RESOURCE), until the +# score is explicitly changed after sudo. No idea what's going on, but it breaks +# exec-oomscoreadjust-negative.service from test-execute when running unprivileged. +choom -p $$ -n 0 + for phase in "${PHASES[@]}"; do case $phase in SETUP) @@ -53,6 +59,11 @@ for phase in "${PHASES[@]}"; do apt-get -y build-dep systemd apt-get -y install "${ADDITIONAL_DEPS[@]}" pip3 install -r .github/workflows/requirements.txt --require-hashes + + # Make sure the build dir is accessible even when drop privileges, otherwise the unprivileged + # part of test-execute gets skipped, since it can't run systemd-executor + chmod o+x /home/runner + capsh --drop=all -- -c "stat $PWD/meson.build" ;; RUN|RUN_GCC|RUN_CLANG|RUN_CLANG_RELEASE) if [[ "$phase" =~ ^RUN_CLANG ]]; then