libpam migauthhandler buffers (#312) #44
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This workflow will install Python C-extension dependencies, run tests and | |
| # lint with a single version of Python. | |
| # For more information see: | |
| # https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python | |
| name: Python C-Extension Sanity Checks | |
| on: | |
| # Triggers the workflow on push or pull request events but only for this git branch | |
| push: | |
| paths-ignore: | |
| - 'README' | |
| - 'COPYING' | |
| - 'NEWS' | |
| - '*.txt' | |
| - 'doc/**' | |
| - 'doc-src/**' | |
| - 'user-projects/**' | |
| - 'state/**' | |
| - 'certs/**' | |
| - 'MiG-certificates/**' | |
| - 'mig/images/**' | |
| - 'mig/assets/**' | |
| - 'mig/apache/**' | |
| - 'mig/bin/**' | |
| - 'mig/java-bin/**' | |
| - '**/*.py' | |
| - '**/*.js' | |
| branches: | |
| - experimental | |
| - next | |
| pull_request: | |
| types: | |
| - opened | |
| - reopened | |
| - synchronize | |
| - ready_for_review | |
| paths-ignore: | |
| - 'README' | |
| - 'COPYING' | |
| - 'NEWS' | |
| - '*.txt' | |
| - 'doc/**' | |
| - 'doc-src/**' | |
| - 'user-projects/**' | |
| - 'state/**' | |
| - 'certs/**' | |
| - 'MiG-certificates/**' | |
| - 'mig/images/**' | |
| - 'mig/assets/**' | |
| - 'mig/apache/**' | |
| - 'mig/bin/**' | |
| - 'mig/java-bin/**' | |
| - '**/*.py' | |
| - '**/*.js' | |
| branches: | |
| - experimental | |
| - next | |
| # Allows you to run this workflow manually from the Actions tab | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| jobs: | |
| lint-c-ext-python3-latest: | |
| name: Sanity check c-extension module code in latest stable python3 | |
| # TODO: enable once we have figured out how to install matching headers here | |
| if: ${{ false }} # Disabled until we figure out how to fix system headers | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Set up latest stable python 3.x | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.x" | |
| - name: Set up git, findutils and make with apt | |
| run: | | |
| sudo apt install -y git findutils make | |
| - name: Install dependencies | |
| run: | | |
| sudo apt install -y libnss3-dev libpam-dev splint | |
| # We may need git installed to get a full repo clone rather than unpacked archive | |
| - name: Check out source repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # This is necessary to get the commits | |
| - name: Lint with splint | |
| run: | | |
| # NOTE: we only run splint error check for changed C files to limit noise | |
| # NOTE: point splint to Ubuntu's custom /usr/include/python3.x for Python.h | |
| echo "Lint changed code files: $(git diff --diff-filter=ACMRTB --name-only HEAD^1 -- | grep -E '\.c$')" | |
| # NOTE: show splint warnings but don't fail unless it found critical errors | |
| git diff --diff-filter=ACMRTB --name-only HEAD^1 -- | grep -E '\.c$' | xargs -r splint +posixlib -D__gnuc_va_list=va_list $(python3-config --includes) &> splint.log || true | |
| [ ! -e splint.log ] || cat splint.log | |
| [ ! -e splint.log ] || ! grep -q ' Cannot continue' splint.log | |
| lint-c-ext-python3-ubuntu-lts: | |
| # For a consistent python and header environment when the above job doesn't work | |
| name: Sanity check c-extension module code in latest Ubuntu LTS python3 | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Set up git, findutils and make with apt | |
| run: | | |
| sudo apt install -y git findutils make | |
| - name: Install dependencies | |
| run: | | |
| sudo apt install -y python3-dev libnss3-dev libpam-dev splint | |
| # We may need git installed to get a full repo clone rather than unpacked archive | |
| - name: Check out source repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # This is necessary to get the commits | |
| - name: Lint with splint | |
| run: | | |
| # NOTE: we only run splint error check for changed C files to limit noise | |
| # NOTE: point splint to Ubuntu's custom /usr/include/python3.x for Python.h | |
| echo "Lint changed code files: $(git diff --diff-filter=ACMRTB --name-only HEAD^1 -- | grep -E '\.c$')" | |
| # NOTE: splint complains about NATIVE_TSS_KEY_T in system header here | |
| # NOTE: show splint warnings but don't fail unless it found critical errors | |
| git diff --diff-filter=ACMRTB --name-only HEAD^1 -- | grep -E '\.c$' | xargs -r splint +posixlib -D__gnuc_va_list=va_list -DNATIVE_TSS_KEY_T=char $(python3-config --includes) &> splint.log || true | |
| [ ! -e splint.log ] || cat splint.log | |
| [ ! -e splint.log ] || ! grep -q ' Cannot continue' splint.log | |
| lint-c-ext-python3-rocky9: | |
| name: Sanity check c-extension module code in default python3 on Rocky9 | |
| # TODO: figure out how to get splint installed on rocky where it's not in repos | |
| # - ancient upstream static binary doesn't work ('no such file') | |
| # - installing fedora rpm fails with glibc incompatibility | |
| # - building from git clone fails (autoconf and configure failures) | |
| # TODO: enable once we have figured out how to install splint on rocky | |
| if: ${{ false }} # Disabled until we figure out how to run splint on rocky | |
| runs-on: ubuntu-latest | |
| container: | |
| image: rockylinux/rockylinux:9 | |
| steps: | |
| - name: Set up git, findutils, make and python3 with dnf and make the latter default | |
| run: | | |
| dnf install -y git findutils make python3 python3-pip python-unversioned-command | |
| - name: Install dependencies | |
| run: | | |
| dnf install -y python3-devel nss-devel pam-devel | |
| wget https://www.splint.org/downloads/binaries/splint-3.1.1.Linux.tgz | |
| tar -xzf splint-3.1.1.Linux.tgz | |
| cp splint-3.1.1/bin/splint /bin/ | |
| chmod 755 /bin/splint | |
| rm -rf splint-3.1.1.Linux.tgz splint-3.1.1 | |
| # We need git installed to get a full repo clone rather than unpacked archive | |
| - name: Check out source repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # This is necessary to get the commits | |
| - name: Lint with splint | |
| run: | | |
| # NOTE: perms are not right inside container so repeat what checkout module does. | |
| git config --global --add safe.directory "$PWD" | |
| # NOTE: we only run splint error check for changed C files to limit noise | |
| echo "Lint changed code files: $(git diff --diff-filter=ACMRTB --name-only HEAD^1 -- | grep -E '\.c$')" | |
| echo "with splint from $(which splint)" | |
| ls -l /bin/splint | |
| # NOTE: show splint warnings but don't fail unless it found critical errors | |
| git diff --diff-filter=ACMRTB --name-only HEAD^1 -- | grep -E '\.c$' | xargs -r splint +posixlib -D__gnuc_va_list=va_list &> splint.log || true | |
| [ ! -e splint.log ] || cat splint.log | |
| [ ! -e splint.log ] || ! grep -q ' Cannot continue' splint.log |