diff --git a/.github/workflows/auto-updates.yaml b/.github/workflows/auto-updates.yaml deleted file mode 100644 index 5d0a1067bd..0000000000 --- a/.github/workflows/auto-updates.yaml +++ /dev/null 
@@ -1,112 +0,0 @@ -name: Update translations and Rust packaging related files in main -on: - push: - branches: - - main - paths-ignore: - - 'debian/control' -concurrency: auto-update - -permissions: - pull-requests: write - contents: write - -# Jobs in this action must not run concurrently, as they modify the repository. -# When adding more jobs, make sure to use the "needs:" attribute to make sure they run sequentially. -jobs: - update-rust-packaging: - strategy: - fail-fast: false - matrix: - branch: [main] - ubuntu-version: [devel] - include: - - branch: noble - ubuntu-version: noble - - name: Update ${{ matrix.ubuntu-version }} packaging related Rust files - runs-on: ubuntu-latest - container: - image: ubuntu:${{ matrix.ubuntu-version }} - env: - CARGO_VENDOR_DIR: ${{ github.workspace }}/vendor_rust - UPDATE_BRANCH: auto-update-rust-packaging-${{ matrix.ubuntu-version }} - steps: - - name: Install dependencies - env: - DEBIAN_FRONTEND: noninteractive - CARGO_VENDOR_FILTERER_NOBLE_VERSION: 0.5.16 - shell: bash - run: | - set -euo pipefail - - apt-get update -y - apt-get install -y dh-cargo git - - if [ "${{ matrix.ubuntu-version }}" = "noble" ]; then - # Special behavior on noble as dh-cargo is not new enough there - apt-get install -y libssl-dev pkg-config - cargo install --locked --root=/usr \ - cargo-vendor-filterer@${{ env.CARGO_VENDOR_FILTERER_NOBLE_VERSION }} - else - apt-get install -y cargo-vendor-filterer - fi - - - name: Checkout the code - uses: actions/checkout@v6 - with: - ref: ${{ matrix.branch }} - - - name: Vendor the dependencies - env: - CARGO_PATH: /usr/share/cargo/bin/cargo - shell: bash - run: | - set -euo pipefail - - sh -x debian/vendor-rust.sh - - - name: Update XS-Vendored-Sources-Rust - shell: bash - run: | - set -euo pipefail - - VENDORED_SOURCES=$(/usr/share/cargo/bin/dh-cargo-vendored-sources 2>&1) \ - || cmd_status=$? 
- OUTPUT=$(echo "$VENDORED_SOURCES" | grep ^XS-Vendored-Sources-Rust: || true) - if [ -z "${OUTPUT}" ]; then - if [ "${cmd_status:-0}" -ne 0 ]; then - # dh-cargo-vendored-sources failed because of other reason, so let's fail with it! - echo "dh-cargo-vendored-sources failed:" - echo "${VENDORED_SOURCES}" - exit "${cmd_status}" - fi - - echo "XS-Vendored-Sources-Rust is up to date. No change is needed."; - exit 0 - fi - sed -i "s/^XS-Vendored-Sources-Rust:.*/$OUTPUT/" debian/control - - echo "modified=true" >> "${GITHUB_ENV}" - echo "update_branch=${UPDATE_BRANCH}" >> "${GITHUB_ENV}" - - - name: Create Pull Request - if: ${{ env.modified == 'true' }} - uses: peter-evans/create-pull-request@v8 - with: - commit-message: Auto update packaging related Rust files - title: | - [${{ matrix.ubuntu-version }}] Auto update packaging related Rust files - labels: control, automated pr - branch: ${{ env.update_branch }} - delete-branch: true - token: ${{ secrets.GITHUB_TOKEN }} - - - name: Push branch - if: ${{ env.modified == 'true' }} - shell: bash - run: | - set -eu - - git config --system --add safe.directory "${PWD}" - git push origin ${{ env.update_branch }}:${{ matrix.branch }} diff --git a/.github/workflows/automatic-doc-checks.yml b/.github/workflows/automatic-doc-checks.yml deleted file mode 100644 index 9f44eead32..0000000000 --- a/.github/workflows/automatic-doc-checks.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -name: Main Documentation Checks - -on: - push: - branches: [main] - paths: - - '.github/workflows/automatic-doc-checks.yml' - - '.readthedocs.yaml' - - 'docs/**' - pull_request: - paths: - - '.github/workflows/automatic-doc-checks.yml' - - '.readthedocs.yaml' - - 'docs/**' - schedule: - - cron: '0 12 * * MON' - # Manual trigger - workflow_dispatch: - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - documentation-checks: - uses: canonical/documentation-workflows/.github/workflows/documentation-checks.yaml@main - with: - working-directory: "./docs" diff --git a/.github/workflows/build-deb.yaml b/.github/workflows/build-deb.yaml index ce75b62c3a..b2e6a0754e 100644 --- a/.github/workflows/build-deb.yaml +++ b/.github/workflows/build-deb.yaml @@ -64,7 +64,7 @@ jobs: uses: actions/checkout@v6 - name: Build debian packages and sources - uses: canonical/desktop-engineering/gh-actions/common/build-debian@main + uses: canonical/desktop-engineering/gh-actions/common/build-debian@licenserecon with: docker-image: ubuntu:${{ matrix.ubuntu-version }} # Add the Go backports PPA if we're testing a Ubuntu release which 
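Review bot: The new `uses:` line moves the third-party build action from `@main` to `@licenserecon`, a mutable feature-branch ref on `canonical/desktop-engineering`, which weakens the supply-chain posture of the package build rather than improving it: a feature branch is normally force-pushed or deleted once merged, so the workflow will either break or silently pick up whatever that branch later holds, and anyone with push access to it can change the step that builds the Debian packages inside the `docker-image:` container. If this is meant to test the branch ahead of its merge, it looks like a change that should not land on `main` in this form. Pin the action to a full commit SHA and keep the branch name as a comment, `uses: canonical/desktop-engineering/gh-actions/common/build-debian@<full commit SHA> # licenserecon`, then bump the SHA once the branch is merged. The enclosing job and its `steps:` list start above the hunk.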
@@ -94,197 +94,3 @@ jobs: echo "pkg-dsc-${{ matrix.ubuntu-version }}=${{ env.PKG_DSC }}" echo "pkg-src-changes-${{ matrix.ubuntu-version }}=${{ env.PKG_SOURCE_CHANGES }}" ) >> "${GITHUB_OUTPUT}" - - check-modified-files: - name: Check modified files - runs-on: ubuntu-latest - needs: - - build-deb-package - outputs: - list: ${{ fromJSON(steps.git-diff.outputs.modified_files) }} - - steps: - - name: Checkout authd code - uses: actions/checkout@v6 - with: - fetch-depth: 100 - - - id: git-diff - name: Check modified files - run: | - set -ue - - base_ref=${{ github.event.pull_request.base.sha }} - if [ -z "${base_ref}" ]; then - base_ref=${{ github.event.before }} - fi - if [ -z "${base_ref}" ]; then - base_ref=$(git log --root --reverse -n1 --format=%H) - fi - - # Build a JSON array of modified paths. - modified_files=$(git diff --name-only "${base_ref}" HEAD | \ - while read line; do - jq -n --arg path "$line" '$path' - done | jq -n '. |= [inputs]') - echo "${modified_files}" - - escaped_json=$(echo "${modified_files}" | jq '.| tostring') - echo "modified_files=${escaped_json}" >> "${GITHUB_OUTPUT}" - - synchronize-packaging-branches: - name: Update packaging branch - runs-on: ubuntu-latest - needs: - - define-versions - - build-deb-package - permissions: - contents: write - strategy: - fail-fast: false - matrix: - ubuntu-version: ${{ fromJSON(needs.define-versions.outputs.ubuntu-versions) }} - env: - PACKAGING_BRANCH: ubuntu-packaging-${{ matrix.ubuntu-version }} - - # Run only on: - # - Push events to main - # - On github release - if: ${{ (github.event_name == 'push' && github.ref == 'refs/heads/main') || - github.event_name == 'release' }} - - steps: - # FIXME: Use dynamic outputs when possible: https://github.com/actions/runner/pull/2477 - - name: Setup job variables - run: | - set -exuo pipefail - - json_output='${{ toJSON(needs.build-deb-package.outputs) }}' - for var in $(echo "${json_output}" | jq -r 'keys | .[]'); do - if [[ "${var}" != *"-${{ 
matrix.ubuntu-version }}" ]]; then - continue; - fi - - v=$(echo "${json_output}" | jq -r ".\"${var}\"") - var="${var%-${{ matrix.ubuntu-version }}}" - echo "${var//-/_}=${v}" >> "${GITHUB_ENV}" - done - - - name: Download artifacts - uses: actions/download-artifact@v7 - with: - run-id: ${{ needs.build-deb-package.outputs.run-id }} - merge-multiple: true - - - name: Install dependencies - run: | - set -euo pipefail - - sudo apt-get update -y - sudo apt-get install -y --no-install-suggests --no-install-recommends \ - dpkg-dev devscripts - - - name: Checkout code - uses: actions/checkout@v6 - with: - fetch-depth: 100 - path: repo - - - name: Extract the debian sources - run: | - set -euo pipefail - - dpkg-source -x ${{ env.pkg_dsc }} sources - - - name: Commit packaging sources - run: | - set -exuo pipefail - - # Create or switch to the packaging branch - if git -C repo fetch --depth=1 origin "${{ env.PACKAGING_BRANCH }}:${{ env.PACKAGING_BRANCH }}"; then - git -C repo checkout "${{ env.PACKAGING_BRANCH }}" - else - git -C repo checkout -b "${{ env.PACKAGING_BRANCH }}" - fi - - # Replace the repository content with the package sources - mv repo/.git sources/ - cd sources - - # Drop the ubuntu version, as the PPA recipe will add it anyways - version=$(dpkg-parsechangelog -SVersion) - sanitized_version=$(echo "${version}" | sed "s,~[0-9.]\+\$,,") - perl -pe "s|\Q${version}\E|${sanitized_version}|" debian/changelog > \ - debian/changelog.sanitized - mv debian/changelog.sanitized debian/changelog - dpkg-parsechangelog - - git config --global user.name "Ubuntu Enterprise Desktop" - git config --global user.email "ubuntu-devel-discuss@lists.ubuntu.com" - - git add --all - git commit \ - --allow-empty \ - -m "Update ubuntu ${{ matrix.ubuntu-version }} package sources" \ - -m "Use upstream commit ${GITHUB_SHA}" - - - name: Push to packaging branch - run: | - set -exuo pipefail - - git -C sources push origin "${{ env.PACKAGING_BRANCH }}:${{ env.PACKAGING_BRANCH }}" - - 
run-autopkgtests: - name: Run autopkgtests - runs-on: ubuntu-latest - needs: - - define-versions - - build-deb-package - - check-modified-files - strategy: - fail-fast: false - matrix: - ubuntu-version: ${{ fromJSON(needs.define-versions.outputs.ubuntu-versions) }} - - # Run autopkgtests only on: - # - Push events to main - # - When a file in the debian subdir is modified - # - When this file is modified - # - On new tags - # - On github release - if: ${{ (github.event_name == 'push' && github.ref == 'refs/heads/main') || - contains(needs.check-modified-files.outputs.list, 'debian/') || - contains(needs.check-modified-files.outputs.list, '.github/workflows/build-deb.yaml') || - startsWith(github.ref, 'refs/tags/') || - github.event_name == 'release' }} - - steps: - # FIXME: Use dynamic outputs when possible: https://github.com/actions/runner/pull/2477 - - name: Setup job variables - run: | - set -exuo pipefail - - json_output='${{ toJSON(needs.build-deb-package.outputs) }}' - for var in $(echo "${json_output}" | jq -r 'keys | .[]'); do - if [[ "${var}" != *"-${{ matrix.ubuntu-version }}" ]]; then - continue; - fi - - v=$(echo "${json_output}" | jq -r ".\"${var}\"") - var="${var%-${{ matrix.ubuntu-version }}}" - echo "${var//-/_}=${v}" >> "${GITHUB_ENV}" - done - - - name: Download artifacts - uses: actions/download-artifact@v7 - with: - run-id: ${{ needs.build-deb-package.outputs.run-id }} - pattern: ${{ needs.build-deb-package.outputs.pkg-name }}_${{ env.pkg_version }}-* - merge-multiple: true - - - name: Run autopkgtests - uses: canonical/desktop-engineering/gh-actions/common/run-autopkgtest@main - with: - lxd-image: ubuntu:${{ matrix.ubuntu-version }} - source-changes: ${{ env.pkg_src_changes }} - autopkgtest-args: --add-apt-source=ppa:ubuntu-enterprise-desktop/golang diff --git a/.github/workflows/cla-check.yaml b/.github/workflows/cla-check.yaml deleted file mode 100644 index 566269953a..0000000000 --- a/.github/workflows/cla-check.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -name: Check if CLA is signed -on: [pull_request_target] - -jobs: - cla-check: - name: Check if CLA is signed - runs-on: ubuntu-latest - steps: - - name: Check if CLA signed - uses: canonical/has-signed-canonical-cla@v2 - with: - accept-existing-contributors: true - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true \ No newline at end of file diff --git a/.github/workflows/git.yml b/.github/workflows/git.yml deleted file mode 100644 index 2555375d76..0000000000 --- a/.github/workflows/git.yml +++ /dev/null @@ -1,25 +0,0 @@ -name: Git Checks - -on: [pull_request] - -jobs: - block-fixup: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v6 - - name: Block Fixup Commit Merge - run: | - PR_REF="${GITHUB_REF%/merge}/head" - BASE_REF="${GITHUB_BASE_REF}" - git fetch --no-tags --prune --progress --no-recurse-submodules --depth=1 origin "${BASE_REF}:__ci_base" - git fetch --no-tags --prune --progress --no-recurse-submodules --shallow-exclude="${BASE_REF}" origin "${PR_REF}:__ci_pr" - COMMIT_LIST=$(/usr/bin/git log --pretty=format:%s __ci_base..__ci_pr) - echo "Fixup commits:" - if echo "${COMMIT_LIST}" | grep -iE '^(fixup|squash|wip)'; then - exit 1 - fi - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true diff --git a/.github/workflows/qa.yaml b/.github/workflows/qa.yaml deleted file mode 100644 index 0f422e1e95..0000000000 --- a/.github/workflows/qa.yaml +++ /dev/null 
@@ -1,375 +0,0 @@ -name: QA & sanity checks -on: - push: - branches: - - main - paths-ignore: - - '.github/workflows/automatic-doc-checks.yml' - - '.readthedocs.yaml' - - 'docs/**' - tags: - - "*" - pull_request: - paths-ignore: - - '.github/workflows/automatic-doc-checks.yml' - - '.readthedocs.yaml' - - 'docs/**' - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -env: - DEBIAN_FRONTEND: noninteractive - GO_TESTS_TIMEOUT: 20m - AUTHD_SSHD_STDERR_LOG_ALL_PAM_MESSAGES: true - c_build_dependencies: >- - clang-tools - clang - libglib2.0-dev - libpam-dev - - go_build_dependencies: >- - libglib2.0-dev - libpam-dev - libpwquality-dev - - go_test_dependencies: >- - apparmor-profiles - bubblewrap - cracklib-runtime - git-delta - openssh-client - openssh-server - -jobs: - go-sanity: - name: "Go: Code sanity" - permissions: {} - runs-on: ubuntu-24.04 # ubuntu-latest-runner - steps: - - uses: canonical/desktop-engineering/gh-actions/common/dpkg-install-speedup@main - - name: Install dependencies - run: | - # Install dependencies - set -eu - - sudo apt-get update - sudo apt-get install -y ${{ env.go_build_dependencies }} - - uses: actions/checkout@v6 - - name: Go code sanity check - uses: canonical/desktop-engineering/gh-actions/go/code-sanity@v2 - with: - golangci-lint-configfile: ".golangci.yaml" - tools-directory: "tools" - token: ${{ secrets.GITHUB_TOKEN }} - - name: Build cmd/authd with withexamplebroker tag - run: | - set -eu - go build -tags withexamplebroker ./cmd/authd - - name: Run PAM client for interactive testing purposes - run: | - set -eu - go run -tags withpamrunner ./pam/tools/pam-runner login --exec-debug - - name: Generate PAM module - run: | - set -eu - find pam -name '*.so' -print -delete - go generate -C pam -x - test -e pam/pam_authd.so - test -e pam/go-exec/pam_authd_exec.so - - name: Generate PAM module with pam_debug tag - run: | - set -eu - find pam -name '*.so' -print -delete - go generate -C pam -x -tags 
pam_debug - test -e pam/pam_authd.so - test -e pam/go-exec/pam_authd_exec.so - - rust-sanity: - name: "Rust: Code sanity" - permissions: {} - runs-on: ubuntu-24.04 # ubuntu-latest-runner - steps: - - uses: canonical/desktop-engineering/gh-actions/common/dpkg-install-speedup@main - - name: Install dependencies - run: | - # Install dependencies - set -eu - - sudo apt-get update - # In Rust the grpc stubs are generated at build time - # so we always need to install the protobuf compilers - # when building the NSS crate. - sudo apt-get install -y protobuf-compiler - - uses: actions/checkout@v6 - - name: Rust code sanity check - uses: canonical/desktop-engineering/gh-actions/rust/code-sanity@main - with: - token: ${{ secrets.GITHUB_TOKEN }} - - c-sanity: - name: "C Code sanity" - runs-on: ubuntu-24.04 # ubuntu-latest-runner - env: - CFLAGS: "-Werror" - steps: - - uses: canonical/desktop-engineering/gh-actions/common/dpkg-install-speedup@main - - name: Install dependencies - run: | - # Install dependencies - set -eu - - sudo apt-get update - sudo apt-get install -y ${{ env.c_build_dependencies }} - - name: Prepare report dir - run: | - set -eu - - scan_build_dir=$(mktemp -d --tmpdir scan-build-dir-XXXXXX) - echo SCAN_BUILD_REPORTS_PATH="${scan_build_dir}" >> $GITHUB_ENV - - uses: actions/checkout@v6 - - name: Run scan build on GDM extensions - run: | - set -eu - - scan-build -v -o "${SCAN_BUILD_REPORTS_PATH}" clang ${CFLAGS} \ - -Wno-gnu-variable-sized-type-not-at-end \ - pam/internal/gdm/extension.h - - name: Run scan build on go-exec module - run: | - set -eu - - scan-build -v -o "${SCAN_BUILD_REPORTS_PATH}" clang ${CFLAGS} \ - -DAUTHD_TEST_MODULE=1 \ - $(pkg-config --cflags --libs gio-unix-2.0 gio-2.0) \ - -lpam -shared -fPIC \ - pam/go-exec/module.c - - name: Upload scan build reports - uses: actions/upload-artifact@v6 - with: - name: authd-${{ github.job }}-artifacts-${{ github.run_attempt }} - path: ${{ env.SCAN_BUILD_REPORTS_PATH }} - - go-tests-coverage: - name: 
"Go Tests with Coverage Collection" - runs-on: ubuntu-24.04 # ubuntu-latest-runner - env: - RAW_COVERAGE_DIR: ${{ github.workspace }}/raw-coverage - COVERAGE_DIR: ${{ github.workspace }}/coverage - steps: - - uses: actions/checkout@v6 - - uses: ./.github/actions/setup-go-tests - - uses: ./.github/actions/setup-go-coverage-tests - # Installation of debug symbols takes a long time (and fails currently), - # so we skip it for now. Enable on demand. - # - uses: ./.github/actions/install-debug-symbols - # continue-on-error: true - - - name: Run tests with coverage collection - env: - G_DEBUG: "fatal-criticals" - run: | - set -euo pipefail - - # The coverage is not written if the output directory does not exist, so we need to create it. - mkdir -p "${RAW_COVERAGE_DIR}" - - # Print executed commands to ease debugging - set -x - - # Work around https://github.com/golang/go/issues/75031 - go env -w GOTOOLCHAIN="$(go version | awk '{ print $3 }')+auto" - - # Overriding the default coverage directory is not an exported flag of go test (yet), so - # we need to override it using the test.gocoverdir flag instead. - #TODO: Update when https://go-review.googlesource.com/c/go/+/456595 is merged. - go test -json -timeout ${GO_TESTS_TIMEOUT} -cover -covermode=set ./... -coverpkg=./... \ - -shuffle=on -args -test.gocoverdir="${RAW_COVERAGE_DIR}" | \ - gotestfmt --logfile "${AUTHD_TESTS_ARTIFACTS_PATH}/gotestfmt.cover.log" - - # Upload the test output for the go-tests-coverage-retry job which retries - # the failed tests. - - name: Upload JSON test output on failure - if: failure() - uses: actions/upload-artifact@v6 - with: - name: coverage-test-output - path: ${{ env.AUTHD_TESTS_ARTIFACTS_PATH }}/gotestfmt.cover.stdout - - # Upload the raw coverage data so that the go-tests-coverage-retry job has - # all the data to generate the coverage report (if the tests succeed on - # retry). 
- - name: Upload raw coverage on failure - if: failure() - uses: actions/upload-artifact@v6 - with: - name: raw-coverage-data - path: ${{ env.RAW_COVERAGE_DIR }} - - - uses: ./.github/actions/generate-coverage-report - with: - codecov-token: ${{ secrets.CODECOV_TOKEN }} - - - uses: ./.github/actions/upload-test-artifacts - if: always() - - go-tests-coverage-retry: - name: "Retry Go Tests with Coverage Collection" - needs: go-tests-coverage - if: always() && needs.go-tests-coverage.result == 'failure' - runs-on: ubuntu-24.04 - env: - RAW_COVERAGE_DIR: ${{ github.workspace }}/raw-coverage - COVERAGE_DIR: ${{ github.workspace }}/coverage - steps: - - uses: actions/checkout@v6 - - uses: ./.github/actions/setup-go-tests - - uses: ./.github/actions/setup-go-coverage-tests - # Installation of debug symbols takes a long time (and fails currently), - # so we skip it for now. Enable on demand. - # - uses: ./.github/actions/install-debug-symbols - # continue-on-error: true - - - name: Download JSON output of failed tests - uses: actions/download-artifact@v7 - with: - name: coverage-test-output - path: /tmp/coverage-test-output - - - name: Download raw coverage data - uses: actions/download-artifact@v7 - with: - name: raw-coverage-data - path: ${{ env.RAW_COVERAGE_DIR }} - - - name: Install gotest-rerun-failed - run: go install github.com/adombeck/gotest-rerun-failed@latest - - - name: Retry failed tests with coverage collection - run: | - set -euo pipefail - - # Print executed commands to ease debugging - set -x - - test_output="/tmp/coverage-test-output/gotestfmt.cover.stdout" - for i in $(seq 1 3); do - echo "Retrying failed tests (attempt ${i})" - gotest-rerun-failed -json -timeout ${GO_TESTS_TIMEOUT} -cover -covermode=set -- -coverpkg=./... \ - -shuffle=on -args -test.gocoverdir="${RAW_COVERAGE_DIR}" \ - < "${test_output}" \ - | gotestfmt --logfile "${AUTHD_TESTS_ARTIFACTS_PATH}/gotestfmt.cover.retry-$i.log" \ - && exit_code=0 || exit_code=$? 
- if [ "${exit_code}" -eq 0 ]; then - break - fi - if [ "${i}" -eq 3 ]; then - echo "Tests failed 3 times, giving up" - exit ${exit_code} - fi - test_output="${AUTHD_TESTS_ARTIFACTS_PATH}/gotestfmt.cover.retry-$i.stdout" - done - - - uses: ./.github/actions/generate-coverage-report - with: - codecov-token: ${{ secrets.CODECOV_TOKEN }} - - - uses: ./.github/actions/upload-test-artifacts - if: always() - - go-tests-race: - name: "Go Tests with Race Detector" - runs-on: ubuntu-24.04 # ubuntu-latest-runner - steps: - - uses: actions/checkout@v6 - - uses: ./.github/actions/setup-go-tests - # Installation of debug symbols takes a long time (and fails currently), - # so we skip it for now. Enable on demand. - # - uses: ./.github/actions/install-debug-symbols - # continue-on-error: true - - - name: Run tests with race detector - env: - GO_TESTS_TIMEOUT: 35m - AUTHD_TESTS_SLEEP_MULTIPLIER: 3 - GORACE: log_path=${{ env.AUTHD_TESTS_ARTIFACTS_PATH }}/gorace.log - run: | - go test -json -timeout ${GO_TESTS_TIMEOUT} -race -failfast ./... | \ - gotestfmt --logfile "${AUTHD_TESTS_ARTIFACTS_PATH}/gotestfmt.race.log" || exit_code=$? - - if [ "${exit_code:-0}" -ne 0 ]; then - cat "${AUTHD_TESTS_ARTIFACTS_PATH}"/gorace.log* || true - exit ${exit_code} - fi - - - uses: ./.github/actions/upload-test-artifacts - if: always() - - go-tests-asan: - name: "Go PAM tests with Address Sanitizer" - runs-on: ubuntu-24.04 # ubuntu-latest-runner - steps: - - uses: actions/checkout@v6 - - uses: ./.github/actions/setup-go-tests - # Installation of debug symbols takes a long time (and fails currently), - # so we skip it for now. Enable on demand. - # - uses: ./.github/actions/install-debug-symbols - # continue-on-error: true - - - name: Run PAM tests with Address Sanitizer - env: - # Do not optimize, keep debug symbols and frame pointer for better - # stack trace information in case of ASAN errors. 
- CGO_CFLAGS: "-O0 -g3 -fno-omit-frame-pointer" - G_DEBUG: "fatal-criticals" - GO_TESTS_TIMEOUT: 30m - AUTHD_TESTS_SLEEP_MULTIPLIER: 1.5 - # Use these flags to give ASAN a better time to unwind the stack trace - GO_GC_FLAGS: -N -l - run: | - # Print executed commands to ease debugging - set -x - - # For llvm-symbolizer - sudo apt-get install -y llvm - - go test -C ./pam/internal -json -asan -gcflags=all="${GO_GC_FLAGS}" -failfast -timeout ${GO_TESTS_TIMEOUT} ./... | \ - gotestfmt --logfile "${AUTHD_TESTS_ARTIFACTS_PATH}/gotestfmt.pam-internal-asan.log" || exit_code=$? - if [ -n "${exit_code:-}" ]; then - cat "${AUTHD_TESTS_ARTIFACTS_PATH}"/asan.log* || true - exit ${exit_code} - fi - - echo "Running PAM integration tests" - pushd ./pam/integration-tests - go test -asan -gcflags=all="${GO_GC_FLAGS}" -c - go tool test2json -p pam/integrations-test ./integration-tests.test \ - -test.v=test2json \ - -test.failfast \ - -test.timeout ${GO_TESTS_TIMEOUT} | \ - gotestfmt --logfile "${AUTHD_TESTS_ARTIFACTS_PATH}/gotestfmt.pam-integration-tests-asan.log" || \ - exit_code=$? - popd - - # We don't need the xtrace output after this point - set +x - - # We're logging to a file, and this is useful for having artifacts, but we still may want to see it in logs: - for f in "${AUTHD_TESTS_ARTIFACTS_PATH}"/asan.log*; do - if ! [ -e "${f}" ]; then - continue - fi - if [ -s "${f}" ]; then - echo "::group::${f} ($(wc -l < "${f}") lines)" - cat "${f}" - echo "::endgroup::" - else - echo "${f}: empty" - fi - done - - exit ${exit_code} - - - uses: ./.github/actions/upload-test-artifacts - if: always() diff --git a/.github/workflows/tics-run.yaml b/.github/workflows/tics-run.yaml deleted file mode 100644 index 348948b372..0000000000 --- a/.github/workflows/tics-run.yaml +++ /dev/null 
@@ -1,79 +0,0 @@ -name: TICS QA Analysis - -on: - schedule: - - cron: '0 0 * * 1' # Runs every Monday at midnight - workflow_dispatch: - - -env: - DEBIAN_FRONTEND: noninteractive - build_dependencies: >- - clang-tools - clang - libglib2.0-dev - libpam-dev - libpwquality-dev - -jobs: - tics: - name: TIOBE TICS Framework - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v6 - - uses: actions/setup-go@v6 - with: - go-version-file: go.mod - - - - name: Update Rust version - run: | - rustup update stable - - - uses: canonical/desktop-engineering/gh-actions/common/dpkg-install-speedup@main - - name: Install dependencies - run: | - set -eu - - sudo apt-get update - sudo apt-get install -y ${{ env.build_dependencies }} - - go install honnef.co/go/tools/cmd/staticcheck@latest - - - name: Fetch last successful QA run id - env: - GITHUB_TOKEN: ${{ github.token }} - run: | - set -eu - echo "LAST_QA_ID=$(gh run list --workflow 'QA & sanity checks' --limit 1 --status success --json databaseId -b main | jq '.[].databaseId')" >> $GITHUB_ENV - - - name: Download coverage artifact - uses: actions/download-artifact@v7 - with: - github-token: ${{ github.token }} - path: .artifacts/ - run-id: ${{ env.LAST_QA_ID }} - - - name: TICS Scan - env: - TICSAUTHTOKEN: ${{ secrets.TICSAUTHTOKEN }} - GH_TOKEN: ${{ github.token }} - run: | - set -e - - # Move coverage to expected directory - mkdir coverage - mv .artifacts/coverage/Cobertura.xml coverage/coverage.xml - - # Install TICS - . <(curl --silent --show-error 'https://canonical.tiobe.com/tiobeweb/TICS/api/public/v1/fapi/installtics/Script?cfg=GoProjects&platform=linux&url=https://canonical.tiobe.com/tiobeweb/TICS/') - - # TICS needs to build the artifacts in order to run the analysis. - # Since it uses the GOTOOLCHAIN=local stanza, it's better if we prebuild it to make sure that the Go - # toolchain setup by the action is properly updated to the one we defined in go.mod. 
Prebuilding also - # helps to speed up the TICS analysis, as we would already have the build cache populated. - find pam -name '*.so' -print -delete - go generate -C pam -x - go build ./cmd/authd - - TICSQServer -project authd -tmpdir /tmp/tics -branchdir . diff --git a/.github/workflows/validate-dependabot.yaml b/.github/workflows/validate-dependabot.yaml deleted file mode 100644 index 56ffdd6dae..0000000000 --- a/.github/workflows/validate-dependabot.yaml +++ /dev/null @@ -1,23 +0,0 @@ -name: dependabot validate - -on: - pull_request: - paths: - - '.github/dependabot.yml' - -jobs: - validate: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v6 - - uses: marocchino/validate-dependabot@v3 - id: validate - - uses: marocchino/sticky-pull-request-comment@v2 - if: always() - with: - header: validate-dependabot - message: ${{ steps.validate.outputs.markdown }} - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true \ No newline at end of file