Frantisek Sumsal
72af88f231
github: mention the systemd-devel ML in the new issue tab
2021-12-07 16:28:56 +01:00
Frantisek Sumsal
a3f0533ffc
ci: pack-ify our custom CodeQL queries and enable them in Actions
...
Unlike LGTM, the CodeQL Action requires the custom queries to have their
own qlpack.yml file, so let's provide one.
2021-12-07 14:57:09 +01:00
Frantisek Sumsal
a6319961c9
ci: run the CodeQL action also when its configuration changes
...
Just to make sure we didn't break anything.
2021-12-07 14:45:06 +01:00
Frantisek Sumsal
64f625a212
ci: sync the list of CodeQL queries with LGTM
2021-12-07 14:45:04 +01:00
Evgeny Vereshchagin
4997d1b965
ci: pin python dependencies and let Dependabot keep track of them
2021-12-07 09:08:26 +00:00
dependabot[bot]
7285145dfc
build(deps): bump github/codeql-action from 1.0.24 to 1.0.25
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 1.0.24 to 1.0.25.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](e095058bfa...546b30f35a
)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2021-12-07 02:20:53 +03:00
Frantisek Sumsal
ab9e3bfef6
ci: consider cryptolib
in the group identifier
...
otherwise we end up with more than one job with the same identifier in
one run, causing some of them to get cancelled unexpectedly.
A quick follow-up to 85bd394df5
.
2021-12-03 20:25:06 +00:00
Frantisek Sumsal
9371d44afe
ci: install libbpf
2021-12-03 16:30:56 +01:00
Zbigniew Jędrzejewski-Szmek
85bd394df5
ci: expand the test framework to cover openssl
2021-12-02 11:31:20 +01:00
dependabot[bot]
68181cf8a7
build(deps): bump github/codeql-action from 1.0.23 to 1.0.24
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 1.0.23 to 1.0.24.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](a627e9fa50...e095058bfa
)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2021-11-25 05:13:11 +03:00
dependabot[bot]
d59d6cc154
build(deps): bump github/codeql-action from 1.0.22 to 1.0.23
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 1.0.22 to 1.0.23.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](5581e08a65...a627e9fa50
)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2021-11-18 01:17:19 +03:00
Evgeny Vereshchagin
0da6973c17
ci: switch to weekly dependabot updates
...
Apparently some dependencies get updated much more often
than I would have exepected.
It can always be triggered manually at https://github.com/systemd/systemd/network/dependencies
if there are any urgent updates
2021-11-17 12:16:57 +00:00
dependabot[bot]
eb37ed701b
build(deps): bump github/super-linter from 4.8.3 to 4.8.4
...
Bumps [github/super-linter](https://github.com/github/super-linter ) from 4.8.3 to 4.8.4.
- [Release notes](https://github.com/github/super-linter/releases )
- [Changelog](https://github.com/github/super-linter/blob/main/docs/release-process.md )
- [Commits](7d5dc989c5...563be7dc55
)
---
updated-dependencies:
- dependency-name: github/super-linter
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2021-11-17 10:59:41 +00:00
Evgeny Vereshchagin
7e7e31521a
ci: run codeql on PRs from Dependabot
...
To make sure PRs like https://github.com/systemd/systemd/pull/21409
don't break anything.
2021-11-17 10:14:33 +00:00
Evgeny Vereshchagin
e6ace91eb7
ci: pin mkosi to SHAs as well
2021-11-15 20:52:51 +00:00
dependabot[bot]
f356ad7cf8
build(deps): bump github/super-linter from 4.8.1 to 4.8.3
...
Bumps [github/super-linter](https://github.com/github/super-linter ) from 4.8.1 to 4.8.3.
- [Release notes](https://github.com/github/super-linter/releases )
- [Changelog](https://github.com/github/super-linter/blob/main/docs/release-process.md )
- [Commits](fd9c4286d3...7d5dc989c5
)
---
updated-dependencies:
- dependency-name: github/super-linter
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2021-11-15 18:20:56 +00:00
Evgeny Vereshchagin
510afa460a
ci: tighten codeql and labeler even more
...
by moving the read permissions to the top level and
granting additional permissions to the specific jobs.
It should help to prevent new jobs that could be added
there eventually from having write access to resources they
most likely would never need.
2021-11-14 10:51:07 +00:00
Evgeny Vereshchagin
b3a1fb795a
ci: LGPLv2+ify dependapot config and codeql action
2021-11-14 09:48:22 +00:00
Evgeny Vereshchagin
e44a47d186
ci: pin the codeql action to SHAs
...
It's a follow-up to https://github.com/systemd/systemd/pull/21316 .
Judging by https://github.com/evverx/systemd/pull/36 , Dependabot
supports their release cycle
2021-11-14 10:42:04 +00:00
Evgeny Vereshchagin
e7a966915d
ci: mimic the "restricted" mode
...
Judging by https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
it should be enough to grant the "read contents" permission to
most of our actions. The "read metadata" permission is set impliciclty
somewhere and can't be set via the "permissions" setting:
```
The workflow is not valid. .github/workflows/linter.yml (Line: 14, Col: 3): Unexpected value 'metadata'
```
2021-11-14 10:41:06 +00:00
Evgeny Vereshchagin
311956ccd9
ci: tighten several GHActions a bit more
...
with https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#permissions
2021-11-13 22:17:21 +03:00
dependabot[bot]
5ae4964028
build(deps): bump actions/checkout from 2 to 2.4.0
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 2 to 2.4.0.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](https://github.com/actions/checkout/compare/v2...ec3a7ce113134d7a93b817d10a8272cb61118579 )
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2021-11-13 16:45:32 +03:00
Frantisek Sumsal
66a41360b4
Merge pull request #21342 from evverx/dependabot-error
...
ci: try to fix a Dependabot error
2021-11-13 09:35:51 +00:00
Frantisek Sumsal
c76a838589
ci: run the unit_tests and mkosi jobs on stable branches as well
...
To provide more coverage for the systemd-stable repo.
See: https://github.com/systemd/systemd-stable/issues/24
2021-11-13 09:09:54 +09:00
Evgeny Vereshchagin
38ac3ab10a
ci: allow Dependabot to open up to 2 PRs
...
Apparently version updates aren't always disabled on old forks,
which leads to new PRs opened there. To somewhat mitigate the
issue let's limit the number of PRs Dependabot can create.
It was reported in https://github.com/yuwata/systemd/pull/2#issuecomment-967737195
2021-11-11 17:20:30 +00:00
Evgeny Vereshchagin
4e296232e4
try to fix a Dependabot error
...
```
updater | ERROR <job_232492775> Error processing actions/checkout (RuntimeError)
updater | ERROR <job_232492775> No files changed!
updater | ERROR <job_232492775> /home/dependabot/dependabot-updater/vendor/ruby/2.7.0/gems/dependabot-github_actions-0.166.0/lib/dependabot/github_actions/file_updater.rb:28:in `updated_dependency_files'
updater | ERROR <job_232492775> /home/dependabot/dependabot-updater/lib/dependabot/updater.rb:676:in `generate_dependency_files_for'
updater | ERROR <job_232492775> /home/dependabot/dependabot-updater/lib/dependabot/updater.rb:274:in `check_and_create_pull_request'
updater | ERROR <job_232492775> /home/dependabot/dependabot-updater/lib/dependabot/updater.rb:82:in `check_and_create_pr_with_error_handling'
updater | ERROR <job_232492775> /home/dependabot/dependabot-updater/lib/dependabot/updater.rb:56:in `block in run'
updater | ERROR <job_232492775> /home/dependabot/dependabot-updater/lib/dependabot/updater.rb:56:in `each'
updater | ERROR <job_232492775> /home/dependabot/dependabot-updater/lib/dependabot/updater.rb:56:in `run'
updater | ERROR <job_232492775> /home/dependabot/dependabot-updater/lib/dependabot/update_files_job.rb:17:in `perform_job'
updater | ERROR <job_232492775> /home/dependabot/dependabot-updater/lib/dependabot/base_job.rb:28:in `run'
updater | ERROR <job_232492775> bin/update_files.rb:21:in `<main>`
```
2021-11-11 16:08:17 +00:00
Evgeny Vereshchagin
3fec0e6cbf
ci: pin some workflows to SHAs
...
to let Dependabot keep track of them using SHAs
codeql-actions doesn't point to SHAs because it isn't clear
whether Dependabot supports their release cycle mentioned
at https://github.com/github/codeql-action/issues/307
2021-11-11 10:32:02 +00:00
Evgeny Vereshchagin
5570313421
ci: pin labeler
...
Turns out GHActions where `pull_request_target` is used are capable
of pwning repositories: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
labeler doesn't check out the source code or build anything so
it's safe in its current form but to avoid surprises let's just pin
it to the latest version. It's annoying to manage dependencies like this
manually so additionally dependabot.yml is introduced to make it
easier to keep GHActions up to date more or less automatically:
https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/keeping-your-actions-up-to-date-with-dependabot
2021-11-11 10:19:06 +00:00
Evgeny Vereshchagin
33796123bc
ci: run codeql-analysis daily
...
https://github.com/github/codeql-action
Apparently to judge from a couple of warnings I haven't seen
before it's a bit different from LGTM.
2021-11-12 15:47:15 +00:00
Frantisek Sumsal
8b212f3596
ci: take CIFuzz's matrix into consideration
...
Otherwise the jobs will try to cancel each other out.
Follow-up to 3884837610
.
2021-11-10 20:44:24 +00:00
Frantisek Sumsal
3884837610
ci: cancel previous jobs on ref update
...
Let's save the environment (and reduce the number of jobs in GH Actions
queues) by cancelling old jobs on a ref update (force push).
See: https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#concurrency
2021-11-10 17:15:35 +01:00
Frantisek Sumsal
46573ee131
ci: fix indentation
2021-11-10 17:15:35 +01:00
Frantisek Sumsal
b8c94ee372
Revert "CI: run GCC unit test job on push to main"
...
This reverts commit c1036042f5
.
Follow-up to 0ad536c16a
.
2021-11-10 17:15:35 +01:00
Michal Koutný
7a0895c2eb
Revert "CI: disable opensuse mkosi CI"
...
This reverts commit ab6df52083
.
The image build failed during kernel RPM installation (bug in %post
scriptlet). This has been fixed in the package suse-module-tools 16.0.13
[1]. The fix is in openSUSE Tumbleweed repos so the tests can be enabled
again.
[1] https://github.com/openSUSE/suse-module-tools/pull/53
Fixes : #21019
2021-11-09 10:57:03 +00:00
Luca Boccassi
0ad536c16a
CI: disable code coverage in GH Action
...
It is now ran on the nightly CentOS build, so that it can cover
integration tests too, and not just unit tests. It's nightly as
it considerably increases the integration test runtime, so it's
not appropriate for all PRs.
2021-10-21 00:10:52 +01:00
Daan De Meyer
ab6df52083
CI: disable opensuse mkosi CI
...
Until https://github.com/systemd/systemd/issues/21019 is fixed,
there's no point in running the opensuse CI job so let's disable
it for now.
2021-10-19 17:21:29 +01:00
Frantisek Sumsal
1c71302f70
ci: use the system llvm-11 package on Focal
...
ATTOW llvm-11 got into focal-updates, which conflicts with llvm-11
provided by the apt.llvm.org repositories. Let's use the system
llvm package if available in such cases to avoid that.
2021-10-12 08:17:56 +02:00
Zbigniew Jędrzejewski-Szmek
186b9041ae
ci: use LGPLv2+ for all our ci configuration
2021-10-01 14:45:00 +02:00
Zbigniew Jędrzejewski-Szmek
43d6fcc09f
github: use the same headers on yaml files
...
Also adjust the mention of location of mkosi files,
follow-up for d55ad7fe96
.
2021-10-01 14:45:00 +02:00
Zbigniew Jędrzejewski-Szmek
d8aaa71699
licensing: say that our github docs are LGPLv2.1+
...
This mirros what 0aff7b7584
did for docs/.
2021-10-01 14:45:00 +02:00
Frantisek Sumsal
1c46b3c24d
ci: introduce Super-Linter for shell scripts
...
See: https://github.com/marketplace/actions/super-linter
2021-09-30 12:27:08 +02:00
Frantisek Sumsal
8370da9ea6
ci: shellcheck-ify CI scripts
2021-09-29 22:24:12 +02:00
Yu Watanabe
6d350f7d82
Revert "CI: run unit tests in a network namespace"
...
This reverts commit 8b036b223a
.
2021-09-29 20:50:37 +09:00
Luca Boccassi
c1036042f5
CI: run GCC unit test job on push to main
...
Allows to get coverage data on coveralls.io
2021-09-29 14:10:42 +03:00
Luca Boccassi
3bf94dac91
CI: do manpages build only on the clang unit test run
...
It's slow and unaffected by compiler/flags, so no point in repeating it
2021-09-27 12:24:48 +01:00
Luca Boccassi
1f1d48f96e
CI: add code coverage reports via lcov and coveralls.io
2021-09-27 12:22:22 +01:00
Luca Boccassi
8b036b223a
CI: run unit tests in a network namespace
...
It seems some of the tests break network connectivity on the host,
as the code coverage upload fails to establish a connection.
Run them in a network namespace with 'unshare -n'.
2021-09-27 12:22:22 +01:00
Daan De Meyer
7e99216c1d
mkosi: Fix CI
...
\#20629 moved the mkosi configs to mkosi.default.d/ so we were building
for the host distro (Ubuntu) in each CI configuration. To fix it, we
write the distro we want to test to a mkosi.default file and mkosi
will apply the other necessary configs automatically from mkosi.default.d/<distro>
This commit also removes unnecessary CLI options that are already handled
by the config files.
2021-09-21 17:39:00 +01:00
Frantisek Sumsal
bd8ea741a4
ci: build with clang-13
...
Also, drop clang-10 builds to conserve resources.
2021-09-14 19:06:01 +02:00
Michal Koutný
3ec4fccb37
ci: Add openSUSE Tumbleweed among tested distros
2021-08-04 11:16:48 +02:00