diff --git a/.github/workflows/auto-updates.yaml b/.github/workflows/auto-updates.yaml
deleted file mode 100644
index 3939e598d7..0000000000
--- a/.github/workflows/auto-updates.yaml
+++ /dev/null
@@ -1,112 +0,0 @@ -name: Update translations and Rust packaging related files in main -on: - push: - branches: - - main - paths-ignore: - - 'debian/control' -concurrency: auto-update - -permissions: - pull-requests: write - contents: write - -# Jobs in this action must not run concurrently, as they modify the repository. -# When adding more jobs, make sure to use the "needs:" attribute to make sure they run sequentially. -jobs: - update-rust-packaging: - strategy: - fail-fast: false - matrix: - branch: [main] - ubuntu-version: [devel] - include: - - branch: noble - ubuntu-version: noble - - name: Update ${{ matrix.ubuntu-version }} packaging related Rust files - runs-on: ubuntu-latest - container: - image: ubuntu:${{ matrix.ubuntu-version }} - env: - CARGO_VENDOR_DIR: ${{ github.workspace }}/vendor_rust - UPDATE_BRANCH: auto-update-rust-packaging-${{ matrix.ubuntu-version }} - steps: - - name: Install dependencies - env: - DEBIAN_FRONTEND: noninteractive - CARGO_VENDOR_FILTERER_NOBLE_VERSION: 0.5.16 - shell: bash - run: | - set -euo pipefail - - apt-get update -y - apt-get install -y dh-cargo git - - if [ "${{ matrix.ubuntu-version }}" = "noble" ]; then - # Special behavior on noble as dh-cargo is not new enough there - apt-get install -y libssl-dev pkg-config - cargo install --locked --root=/usr \ - cargo-vendor-filterer@${{ env.CARGO_VENDOR_FILTERER_NOBLE_VERSION }} - else - apt-get install -y cargo-vendor-filterer - fi - - - name: Checkout the code - uses: actions/checkout@v5 - with: - ref: ${{ matrix.branch }} - - - name: Vendor the dependencies - env: - CARGO_PATH: /usr/share/cargo/bin/cargo - shell: bash - run: | - set -euo pipefail - - sh -x debian/vendor-rust.sh - - - name: Update XS-Vendored-Sources-Rust - shell: bash - run: | - set -euo pipefail - - VENDORED_SOURCES=$(/usr/share/cargo/bin/dh-cargo-vendored-sources 2>&1) \ - || cmd_status=$? 
- OUTPUT=$(echo "$VENDORED_SOURCES" | grep ^XS-Vendored-Sources-Rust: || true) - if [ -z "${OUTPUT}" ]; then - if [ "${cmd_status:-0}" -ne 0 ]; then - # dh-cargo-vendored-sources failed because of other reason, so let's fail with it! - echo "dh-cargo-vendored-sources failed:" - echo "${VENDORED_SOURCES}" - exit "${cmd_status}" - fi - - echo "XS-Vendored-Sources-Rust is up to date. No change is needed."; - exit 0 - fi - sed -i "s/^XS-Vendored-Sources-Rust:.*/$OUTPUT/" debian/control - - echo "modified=true" >> "${GITHUB_ENV}" - echo "update_branch=${UPDATE_BRANCH}" >> "${GITHUB_ENV}" - - - name: Create Pull Request - if: ${{ env.modified == 'true' }} - uses: peter-evans/create-pull-request@v7 - with: - commit-message: Auto update packaging related Rust files - title: | - [${{ matrix.ubuntu-version }}] Auto update packaging related Rust files - labels: control, automated pr - branch: ${{ env.update_branch }} - delete-branch: true - token: ${{ secrets.GITHUB_TOKEN }} - - - name: Push branch - if: ${{ env.modified == 'true' }} - shell: bash - run: | - set -eu - - git config --system --add safe.directory "${PWD}" - git push origin ${{ env.update_branch }}:${{ matrix.branch }} diff --git a/.github/workflows/automatic-doc-checks.yml b/.github/workflows/automatic-doc-checks.yml deleted file mode 100644 index 9f44eead32..0000000000 --- a/.github/workflows/automatic-doc-checks.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -name: Main Documentation Checks - -on: - push: - branches: [main] - paths: - - '.github/workflows/automatic-doc-checks.yml' - - '.readthedocs.yaml' - - 'docs/**' - pull_request: - paths: - - '.github/workflows/automatic-doc-checks.yml' - - '.readthedocs.yaml' - - 'docs/**' - schedule: - - cron: '0 12 * * MON' - # Manual trigger - workflow_dispatch: - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - documentation-checks: - uses: canonical/documentation-workflows/.github/workflows/documentation-checks.yaml@main - with: - working-directory: "./docs" diff --git a/.github/workflows/build-deb.yaml b/.github/workflows/build-deb.yaml deleted file mode 100644 index 56e2053cfb..0000000000 --- a/.github/workflows/build-deb.yaml +++ /dev/null 
@@ -1,280 +0,0 @@ -name: Build debian packages - -on: - push: - branches: - - main - paths-ignore: - - .github/workflows/automatic-doc-checks.yml - - .readthedocs.yaml - - docs/** - tags: - - "*" - pull_request: - paths-ignore: - - .github/workflows/automatic-doc-checks.yml - - .readthedocs.yaml - - docs/** - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -env: - UBUNTU_VERSIONS: | - ["noble", "plucky", "devel"] - CARGO_VENDOR_FILTERER_VERSION: 0.5.16 - -jobs: - define-versions: - name: Define build versions - runs-on: ubuntu-latest - outputs: - ubuntu-versions: ${{ env.UBUNTU_VERSIONS }} - steps: - - run: 'true' - - build-deb-package: - name: Build ubuntu package - runs-on: ubuntu-latest - needs: define-versions - strategy: - fail-fast: false - matrix: - ubuntu-version: ${{ fromJSON(needs.define-versions.outputs.ubuntu-versions) }} - outputs: - run-id: ${{ github.run_id }} - # FIXME: Use dynamic outputs when possible: https://github.com/actions/runner/pull/2477 - pkg-dsc-devel: ${{ steps.outputs.outputs.pkg-dsc-devel }} - pkg-dsc-plucky: ${{ steps.outputs.outputs.pkg-dsc-plucky }} - pkg-dsc-noble: ${{ steps.outputs.outputs.pkg-dsc-noble }} - pkg-src-changes-devel: ${{ steps.outputs.outputs.pkg-src-changes-devel }} - pkg-src-changes-plucky: ${{ steps.outputs.outputs.pkg-src-changes-plucky }} - pkg-src-changes-noble: ${{ steps.outputs.outputs.pkg-src-changes-noble }} - - steps: - - name: Checkout authd code - uses: actions/checkout@v5 - - - name: Build debian packages and sources - uses: canonical/desktop-engineering/gh-actions/common/build-debian@main - with: - docker-image: ubuntu:${{ matrix.ubuntu-version }} - # Add the Go backports PPA, so that we can build with a newer - # version of Go than the one available in the archive. - extra-apt-repositories: ppa:ubuntu-enterprise-desktop/golang - # Extra build dependencies: - # - systemd-dev: Required to read compile time variables from systemd via pkg-config. 
- extra-source-build-deps: | - ca-certificates - git - libssl-dev - systemd-dev - extra-source-build-script: | - if [ "${{ matrix.ubuntu-version }}" == noble ]; then - cargo install --locked --root=/usr \ - cargo-vendor-filterer@${{ env.CARGO_VENDOR_FILTERER_VERSION }} - command -v cargo-vendor-filterer - fi - - # FIXME: Use dynamic outputs when possible: https://github.com/actions/runner/pull/2477 - - name: Generate outputs - id: outputs - run: | - ( - echo "pkg-dsc-${{ matrix.ubuntu-version }}=${{ env.PKG_DSC }}" - echo "pkg-src-changes-${{ matrix.ubuntu-version }}=${{ env.PKG_SOURCE_CHANGES }}" - ) >> "${GITHUB_OUTPUT}" - - check-modified-files: - name: Check modified files - runs-on: ubuntu-latest - needs: - - build-deb-package - outputs: - list: ${{ fromJSON(steps.git-diff.outputs.modified_files) }} - - steps: - - name: Checkout authd code - uses: actions/checkout@v5 - with: - fetch-depth: 100 - - - id: git-diff - name: Check modified files - run: | - set -ue - - base_ref=${{ github.event.pull_request.base.sha }} - if [ -z "${base_ref}" ]; then - base_ref=${{ github.event.before }} - fi - if [ -z "${base_ref}" ]; then - base_ref=$(git log --root --reverse -n1 --format=%H) - fi - - # Build a JSON array of modified paths. - modified_files=$(git diff --name-only "${base_ref}" HEAD | \ - while read line; do - jq -n --arg path "$line" '$path' - done | jq -n '. 
|= [inputs]') - echo "${modified_files}" - - escaped_json=$(echo "${modified_files}" | jq '.| tostring') - echo "modified_files=${escaped_json}" >> "${GITHUB_OUTPUT}" - - synchronize-packaging-branches: - name: Update packaging branch - runs-on: ubuntu-latest - needs: - - define-versions - - build-deb-package - permissions: - contents: write - strategy: - fail-fast: false - matrix: - ubuntu-version: ${{ fromJSON(needs.define-versions.outputs.ubuntu-versions) }} - env: - PACKAGING_BRANCH: ubuntu-packaging-${{ matrix.ubuntu-version }} - - # Run only on: - # - Push events to main - # - On github release - if: ${{ (github.event_name == 'push' && github.ref == 'refs/heads/main') || - github.event_name == 'release' }} - - steps: - # FIXME: Use dynamic outputs when possible: https://github.com/actions/runner/pull/2477 - - name: Setup job variables - run: | - set -exuo pipefail - - json_output='${{ toJSON(needs.build-deb-package.outputs) }}' - for var in $(echo "${json_output}" | jq -r 'keys | .[]'); do - if [[ "${var}" != *"-${{ matrix.ubuntu-version }}" ]]; then - continue; - fi - - v=$(echo "${json_output}" | jq -r ".\"${var}\"") - var="${var%-${{ matrix.ubuntu-version }}}" - echo "${var//-/_}=${v}" >> "${GITHUB_ENV}" - done - - - name: Download artifacts - uses: actions/download-artifact@v5 - with: - run-id: ${{ needs.build-deb-package.outputs.run-id }} - merge-multiple: true - - - name: Install dependencies - run: | - set -euo pipefail - - sudo apt-get update -y - sudo apt-get install -y --no-install-suggests --no-install-recommends \ - dpkg-dev devscripts - - - name: Checkout code - uses: actions/checkout@v5 - with: - fetch-depth: 100 - path: repo - - - name: Extract the debian sources - run: | - set -euo pipefail - - dpkg-source -x ${{ env.pkg_dsc }} sources - - - name: Commit packaging sources - run: | - set -exuo pipefail - - # Create or switch to the packaging branch - if git -C repo fetch --depth=1 origin "${{ env.PACKAGING_BRANCH }}:${{ env.PACKAGING_BRANCH 
}}"; then - git -C repo checkout "${{ env.PACKAGING_BRANCH }}" - else - git -C repo checkout -b "${{ env.PACKAGING_BRANCH }}" - fi - - # Replace the repository content with the package sources - mv repo/.git sources/ - cd sources - - # Drop the ubuntu version, as the PPA recipe will add it anyways - version=$(dpkg-parsechangelog -SVersion) - sanitized_version=$(echo "${version}" | sed "s,~[0-9.]\+\$,,") - perl -pe "s|\Q${version}\E|${sanitized_version}|" debian/changelog > \ - debian/changelog.sanitized - mv debian/changelog.sanitized debian/changelog - dpkg-parsechangelog - - git config --global user.name "Ubuntu Enterprise Desktop" - git config --global user.email "ubuntu-devel-discuss@lists.ubuntu.com" - - git add --all - git commit \ - --allow-empty \ - -m "Update ubuntu ${{ matrix.ubuntu-version }} package sources" \ - -m "Use upstream commit ${GITHUB_SHA}" - - - name: Push to packaging branch - run: | - set -exuo pipefail - - git -C sources push origin "${{ env.PACKAGING_BRANCH }}:${{ env.PACKAGING_BRANCH }}" - - run-autopkgtests: - name: Run autopkgtests - runs-on: ubuntu-latest - needs: - - define-versions - - build-deb-package - - check-modified-files - strategy: - fail-fast: false - matrix: - ubuntu-version: ${{ fromJSON(needs.define-versions.outputs.ubuntu-versions) }} - - # Run autopkgtests only on: - # - Push events to main - # - When a file in the debian subdir is modified - # - When this file is modified - # - On new tags - # - On github release - if: ${{ (github.event_name == 'push' && github.ref == 'refs/heads/main') || - contains(needs.check-modified-files.outputs.list, 'debian/') || - contains(needs.check-modified-files.outputs.list, '.github/workflows/build-deb.yaml') || - startsWith(github.ref, 'refs/tags/') || - github.event_name == 'release' }} - - steps: - # FIXME: Use dynamic outputs when possible: https://github.com/actions/runner/pull/2477 - - name: Setup job variables - run: | - set -exuo pipefail - - json_output='${{ 
toJSON(needs.build-deb-package.outputs) }}' - for var in $(echo "${json_output}" | jq -r 'keys | .[]'); do - if [[ "${var}" != *"-${{ matrix.ubuntu-version }}" ]]; then - continue; - fi - - v=$(echo "${json_output}" | jq -r ".\"${var}\"") - var="${var%-${{ matrix.ubuntu-version }}}" - echo "${var//-/_}=${v}" >> "${GITHUB_ENV}" - done - - - name: Download artifacts - uses: actions/download-artifact@v5 - with: - run-id: ${{ needs.build-deb-package.outputs.run-id }} - merge-multiple: true - - - name: Run autopkgtests - uses: canonical/desktop-engineering/gh-actions/common/run-autopkgtest@main - with: - lxd-image: ubuntu:${{ matrix.ubuntu-version }} - source-changes: ${{ env.pkg_src_changes }} - autopkgtest-args: --add-apt-source=ppa:ubuntu-enterprise-desktop/golang diff --git a/.github/workflows/cla-check.yaml b/.github/workflows/cla-check.yaml deleted file mode 100644 index 566269953a..0000000000 --- a/.github/workflows/cla-check.yaml +++ /dev/null @@ -1,16 +0,0 @@ -name: Check if CLA is signed -on: [pull_request_target] - -jobs: - cla-check: - name: Check if CLA is signed - runs-on: ubuntu-latest - steps: - - name: Check if CLA signed - uses: canonical/has-signed-canonical-cla@v2 - with: - accept-existing-contributors: true - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true \ No newline at end of file diff --git a/.github/workflows/git.yml b/.github/workflows/git.yml deleted file mode 100644 index 6751c84506..0000000000 --- a/.github/workflows/git.yml +++ /dev/null @@ -1,16 +0,0 @@ -name: Git Checks - -on: [pull_request] - -jobs: - block-fixup: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v5 - - name: Block Fixup Commit Merge - uses: 13rac1/block-fixup-merge-action@v2.0.0 - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true \ No newline at end of file diff --git a/.github/workflows/qa.yaml b/.github/workflows/qa.yaml index d456e8ada8..e3e4021b82 100644 
--- a/.github/workflows/qa.yaml
+++ b/.github/workflows/qa.yaml
@@ -57,7 +57,7 @@ jobs:
 sudo apt-get install -y ${{ env.go_build_dependencies }}
 - uses: actions/checkout@v5
 - name: Go code sanity check
- uses: canonical/desktop-engineering/gh-actions/go/code-sanity@v2
+ uses: canonical/desktop-engineering/gh-actions/go/code-sanity@tmp-protoc-go-tool
 with:
 golangci-lint-configfile: ".golangci.yaml"
 tools-directory: "tools"
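Review bot: The new `uses:` line in the "Go code sanity check" step points at `code-sanity@tmp-protoc-go-tool`, a branch whose name suggests it is temporary, in place of the `v2` ref. A branch is a mutable ref, so any later push to it changes what runs in this job against the checked-out repository, and deleting the branch would break the workflow. Pin the action to the full commit SHA of the intended revision, for example `uses: canonical/desktop-engineering/gh-actions/go/code-sanity@<full-commit-sha>  # tmp-protoc-go-tool`, and add a comment saying when the step should return to a released version. The job's `permissions` block and the rest of the step's `with:` inputs lie outside this hunk, so check what token scope the action receives there.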
@@ -84,307 +84,3 @@ jobs: go generate -C pam -x -tags pam_debug test -e pam/pam_authd.so test -e pam/go-exec/pam_authd_exec.so - - rust-sanity: - name: "Rust: Code sanity" - permissions: {} - runs-on: ubuntu-24.04 # ubuntu-latest-runner - steps: - - uses: canonical/desktop-engineering/gh-actions/common/dpkg-install-speedup@main - - name: Install dependencies - run: | - # Install dependencies - set -eu - - sudo apt-get update - # In Rust the grpc stubs are generated at build time - # so we always need to install the protobuf compilers - # when building the NSS crate. - sudo apt-get install -y protobuf-compiler - - uses: actions/checkout@v5 - - name: Rust code sanity check - uses: canonical/desktop-engineering/gh-actions/rust/code-sanity@main - with: - token: ${{ secrets.GITHUB_TOKEN }} - - c-sanity: - name: "C Code sanity" - runs-on: ubuntu-24.04 # ubuntu-latest-runner - env: - CFLAGS: "-Werror" - steps: - - uses: canonical/desktop-engineering/gh-actions/common/dpkg-install-speedup@main - - name: Install dependencies - run: | - # Install dependencies - set -eu - - sudo apt-get update - sudo apt-get install -y ${{ env.c_build_dependencies }} - - name: Prepare report dir - run: | - set -eu - - scan_build_dir=$(mktemp -d --tmpdir scan-build-dir-XXXXXX) - echo SCAN_BUILD_REPORTS_PATH="${scan_build_dir}" >> $GITHUB_ENV - - uses: actions/checkout@v5 - - name: Run scan build on GDM extensions - run: | - set -eu - - scan-build -v -o "${SCAN_BUILD_REPORTS_PATH}" clang ${CFLAGS} \ - -Wno-gnu-variable-sized-type-not-at-end \ - pam/internal/gdm/extension.h - - name: Run scan build on go-exec module - run: | - set -eu - - scan-build -v -o "${SCAN_BUILD_REPORTS_PATH}" clang ${CFLAGS} \ - -DAUTHD_TEST_MODULE=1 \ - $(pkg-config --cflags --libs gio-unix-2.0 gio-2.0) \ - -lpam -shared -fPIC \ - pam/go-exec/module.c - - name: Upload scan build reports - uses: actions/upload-artifact@v4 - with: - name: authd-${{ github.job }}-artifacts-${{ github.run_attempt }} - path: ${{ 
env.SCAN_BUILD_REPORTS_PATH }} - - go-tests: - name: "Go: Tests" - runs-on: ubuntu-24.04 # ubuntu-latest-runner - strategy: - fail-fast: false - matrix: - test: ["coverage", "race", "asan"] - steps: - - uses: canonical/desktop-engineering/gh-actions/common/dpkg-install-speedup@main - - name: Install dependencies - run: | - # Install dependencies - set -eu - - sudo apt-get update - - # The integration tests build the NSS crate, so we need the cargo build dependencies in order to run them. - sudo apt-get install -y protobuf-compiler - - sudo apt-get install -y ${{ env.go_build_dependencies }} ${{ env.go_test_dependencies}} - - # Load the apparmor profile for bubblewrap. - sudo ln -s /usr/share/apparmor/extra-profiles/bwrap-userns-restrict /etc/apparmor.d/ - sudo apparmor_parser /etc/apparmor.d/bwrap-userns-restrict - - - name: Install glibc, PAM and GLib debug symbols - continue-on-error: true - run: | - set -eu - sudo apt-get install -y ubuntu-dbgsym-keyring libc6-dbg - echo "deb http://ddebs.ubuntu.com $(lsb_release -cs) main restricted universe multiverse - deb http://ddebs.ubuntu.com $(lsb_release -cs)-updates main restricted universe multiverse - deb http://ddebs.ubuntu.com $(lsb_release -cs)-proposed main restricted universe multiverse" | \ - sudo tee -a /etc/apt/sources.list.d/ddebs.list - # Sometimes ddebs archive is stuck, so in case of failure we need to go manual - sudo apt-get update -y || true - if ! 
sudo apt-get install -y libpam-modules-dbgsym libpam0*-dbgsym libglib2.0-0*-dbgsym; then - sudo apt-get install -y ubuntu-dev-tools - for pkg in pam glib2.0; do - pull-lp-debs "${pkg}" $(lsb_release -cs) - pull-lp-ddebs "${pkg}" $(lsb_release -cs) - done - sudo apt-get install -y ./libpam0*.*deb ./libpam-modules*.*deb ./libglib2.0-0*-dbgsym*.ddeb - sudo apt-get remove -y ubuntu-dev-tools - sudo apt-get autoremove -y - fi - - uses: actions/checkout@v5 - - uses: actions/setup-go@v5 - with: - go-version-file: go.mod - - - name: Install gotestfmt and our wrapper script - uses: canonical/desktop-engineering/gh-actions/go/gotestfmt@main - - - name: Install VHS and ttyd for integration tests - run: | - set -eu - go install github.com/charmbracelet/vhs@latest - - # VHS requires ttyd >= 1.7.2 to work properly. - wget https://github.com/tsl0922/ttyd/releases/download/1.7.7/ttyd.x86_64 - chmod +x ttyd.x86_64 - sudo mv ttyd.x86_64 /usr/bin/ttyd - - # VHS doesn't really use ffmpeg anymore now, but it still checks for it. - # Drop this when https://github.com/charmbracelet/vhs/pull/591 is released. 
- sudo ln -s /usr/bin/true /usr/local/bin/ffmpeg - - - name: Install latest Rust version - run: rustup update stable - - - name: Install grcov - if: matrix.test == 'coverage' - uses: baptiste0928/cargo-install@v3 - with: - crate: grcov - - name: Prepare tests artifacts path - run: | - set -eu - - artifacts_dir=$(mktemp -d --tmpdir authd-test-artifacts-XXXXXX) - echo AUTHD_TESTS_ARTIFACTS_PATH="${artifacts_dir}" >> $GITHUB_ENV - - echo ASAN_OPTIONS="log_path=${artifacts_dir}/asan.log:print_stats=true" >> $GITHUB_ENV - - - name: Install coverage collection dependencies - if: matrix.test == 'coverage' - run: | - set -eu - - # Dependendencies for C coverage collection - sudo apt-get install -y gcovr - - # Dependendencies for Go coverage collection - go install github.com/AlekSi/gocov-xml@latest - go install github.com/axw/gocov/gocov@latest - dotnet tool install -g dotnet-reportgenerator-globaltool - - - name: Run tests (with coverage collection) - if: matrix.test == 'coverage' - env: - G_DEBUG: "fatal-criticals" - run: | - set -euo pipefail - - # The coverage is not written if the output directory does not exist, so we need to create it. - cov_dir=${PWD}/coverage - codecov_dir=${cov_dir}/codecov - raw_cov_dir=${cov_dir}/raw - mkdir -p "${raw_cov_dir}" "${codecov_dir}" - - # Print executed commands to ease debugging - set -x - - # Work around https://github.com/golang/go/issues/75031 - go env -w GOTOOLCHAIN="$(go version | awk '{ print $3 }')+auto" - - # Overriding the default coverage directory is not an exported flag of go test (yet), so - # we need to override it using the test.gocoverdir flag instead. - #TODO: Update when https://go-review.googlesource.com/c/go/+/456595 is merged. - go test -json -timeout ${GO_TESTS_TIMEOUT} -cover -covermode=set ./... -coverpkg=./... 
\ - -shuffle=on -failfast -args -test.gocoverdir="${raw_cov_dir}" | \ - gotestfmt --logfile "${AUTHD_TESTS_ARTIFACTS_PATH}/gotestfmt.cover.log" - - # Convert the raw coverage data into textfmt so we can merge the Rust one into it - go tool covdata textfmt -i="${raw_cov_dir}" -o="${cov_dir}/coverage.out" - - # Append the Rust coverage data to the Go one - cat "${raw_cov_dir}/rust-cov/rust2go_coverage" >>"${cov_dir}/coverage.out" - - # Filter out the testutils package and the pb.go file - grep -v -e "testutils" -e "pb.go" -e "testsdetection" "${cov_dir}/coverage.out" >"${cov_dir}/coverage.out.filtered" - - # Generate the Cobertura report for Go and Rust - gocov convert "${cov_dir}/coverage.out.filtered" | gocov-xml > "${cov_dir}/coverage.xml" - reportgenerator -reports:"${cov_dir}/coverage.xml" -targetdir:"${cov_dir}" -reporttypes:Cobertura - - # Generate the Cobertura report for C - gcovr --cobertura "${cov_dir}/Cobertura_C.xml" "${raw_cov_dir}" - - # Merge Cobertura reports into a single one - reportgenerator -reports:"${cov_dir}/Cobertura.xml;${cov_dir}/Cobertura_C.xml" \ - -targetdir:"${codecov_dir}" -reporttypes:Cobertura - - # Store the coverage directory for the next steps - echo COVERAGE_DIR="${codecov_dir}" >> ${GITHUB_ENV} - - - name: Run tests (with race detector) - if: matrix.test == 'race' - env: - GO_TESTS_TIMEOUT: 35m - AUTHD_TESTS_SLEEP_MULTIPLIER: 3 - GORACE: log_path=${{ env.AUTHD_TESTS_ARTIFACTS_PATH }}/gorace.log - run: | - go test -json -timeout ${GO_TESTS_TIMEOUT} -race -failfast ./... | \ - gotestfmt --logfile "${AUTHD_TESTS_ARTIFACTS_PATH}/gotestfmt.race.log" || exit_code=$? - - if [ "${exit_code:-0}" -ne 0 ]; then - cat "${AUTHD_TESTS_ARTIFACTS_PATH}"/gorace.log* || true - exit ${exit_code} - fi - - - name: Run PAM tests (with Address Sanitizer) - if: matrix.test == 'asan' - env: - # Do not optimize, keep debug symbols and frame pointer for better - # stack trace information in case of ASAN errors. 
- CGO_CFLAGS: "-O0 -g3 -fno-omit-frame-pointer" - G_DEBUG: "fatal-criticals" - GO_TESTS_TIMEOUT: 30m - AUTHD_TESTS_SLEEP_MULTIPLIER: 1.5 - # Use these flags to give ASAN a better time to unwind the stack trace - GO_GC_FLAGS: -N -l - run: | - # Print executed commands to ease debugging - set -x - - # For llvm-symbolizer - sudo apt-get install -y llvm - - go test -C ./pam/internal -json -asan -gcflags=all="${GO_GC_FLAGS}" -failfast -timeout ${GO_TESTS_TIMEOUT} ./... | \ - gotestfmt --logfile "${AUTHD_TESTS_ARTIFACTS_PATH}/gotestfmt.pam-internal-asan.log" || exit_code=$? - if [ -n "${exit_code:-}" ]; then - cat "${AUTHD_TESTS_ARTIFACTS_PATH}"/asan.log* || true - exit ${exit_code} - fi - - echo "Running PAM integration tests" - pushd ./pam/integration-tests - go test -asan -gcflags=all="${GO_GC_FLAGS}" -c - go tool test2json -p pam/integrations-test ./integration-tests.test \ - -test.v=test2json \ - -test.failfast \ - -test.timeout ${GO_TESTS_TIMEOUT} | \ - gotestfmt --logfile "${AUTHD_TESTS_ARTIFACTS_PATH}/gotestfmt.pam-integration-tests-asan.log" || \ - exit_code=$? - popd - - # We don't need the xtrace output after this point - set +x - - # We're logging to a file, and this is useful for having artifacts, but we still may want to see it in logs: - for f in "${AUTHD_TESTS_ARTIFACTS_PATH}"/asan.log*; do - if ! 
[ -e "${f}" ]; then - continue - fi - if [ -s "${f}" ]; then - echo "::group::${f} ($(wc -l < "${f}") lines)" - cat "${f}" - echo "::endgroup::" - else - echo "${f}: empty" - fi - done - - exit ${exit_code} - - - name: Upload coverage to Codecov - if: matrix.test == 'coverage' - uses: codecov/codecov-action@v5 - with: - directory: ${{ env.COVERAGE_DIR }} - files: ${{ env.COVERAGE_DIR }}/Cobertura.xml - token: ${{ secrets.CODECOV_TOKEN }} - - - name: Upload coverage artifacts - if: matrix.test == 'coverage' && github.ref == 'refs/heads/main' - uses: actions/upload-artifact@v4 - with: - name: coverage - path: ${{ env.COVERAGE_DIR }} - - - name: Upload test artifacts - if: always() - uses: actions/upload-artifact@v4 - with: - name: authd-${{ github.job }}-${{ matrix.test }}-artifacts-${{ github.run_attempt }} - path: ${{ env.AUTHD_TESTS_ARTIFACTS_PATH }} diff --git a/.github/workflows/tics-run.yaml b/.github/workflows/tics-run.yaml deleted file mode 100644 index a350f29387..0000000000 --- a/.github/workflows/tics-run.yaml +++ /dev/null 
@@ -1,79 +0,0 @@ -name: TICS QA Analysis - -on: - schedule: - - cron: '0 0 * * 1' # Runs every Monday at midnight - workflow_dispatch: - - -env: - DEBIAN_FRONTEND: noninteractive - build_dependencies: >- - clang-tools - clang - libglib2.0-dev - libpam-dev - libpwquality-dev - -jobs: - tics: - name: TIOBE TICS Framework - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v5 - - uses: actions/setup-go@v6 - with: - go-version-file: go.mod - - - - name: Update Rust version - run: | - rustup update stable - - - uses: canonical/desktop-engineering/gh-actions/common/dpkg-install-speedup@main - - name: Install dependencies - run: | - set -eu - - sudo apt-get update - sudo apt-get install -y ${{ env.build_dependencies }} - - go install honnef.co/go/tools/cmd/staticcheck@latest - - - name: Fetch last successful QA run id - env: - GITHUB_TOKEN: ${{ github.token }} - run: | - set -eu - echo "LAST_QA_ID=$(gh run list --workflow 'QA & sanity checks' --limit 1 --status success --json databaseId -b main | jq '.[].databaseId')" >> $GITHUB_ENV - - - name: Download coverage artifact - uses: actions/download-artifact@v4 - with: - github-token: ${{ github.token }} - path: .artifacts/ - run-id: ${{ env.LAST_QA_ID }} - - - name: TICS Scan - env: - TICSAUTHTOKEN: ${{ secrets.TICSAUTHTOKEN }} - GH_TOKEN: ${{ github.token }} - run: | - set -e - - # Move coverage to expected directory - mkdir coverage - mv .artifacts/coverage/Cobertura.xml coverage/coverage.xml - - # Install TICS - . <(curl --silent --show-error 'https://canonical.tiobe.com/tiobeweb/TICS/api/public/v1/fapi/installtics/Script?cfg=GoProjects&platform=linux&url=https://canonical.tiobe.com/tiobeweb/TICS/') - - # TICS needs to build the artifacts in order to run the analysis. - # Since it uses the GOTOOLCHAIN=local stanza, it's better if we prebuild it to make sure that the Go - # toolchain setup by the action is properly updated to the one we defined in go.mod. 
Prebuilding also - # helps to speed up the TICS analysis, as we would already have the build cache populated. - find pam -name '*.so' -print -delete - go generate -C pam -x - go build ./cmd/authd - - TICSQServer -project authd -tmpdir /tmp/tics -branchdir . diff --git a/.github/workflows/validate-dependabot.yaml b/.github/workflows/validate-dependabot.yaml deleted file mode 100644 index 47d398272f..0000000000 --- a/.github/workflows/validate-dependabot.yaml +++ /dev/null @@ -1,23 +0,0 @@ -name: dependabot validate - -on: - pull_request: - paths: - - '.github/dependabot.yml' - -jobs: - validate: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v5 - - uses: marocchino/validate-dependabot@v3 - id: validate - - uses: marocchino/sticky-pull-request-comment@v2 - if: always() - with: - header: validate-dependabot - message: ${{ steps.validate.outputs.markdown }} - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true \ No newline at end of file