Showing
with 1749 additions and 0 deletions
# SPDX-License-Identifier: LGPL-2.1-or-later
# vi: sw=2 ts=2 et:
analyze:
- changed-files:
- any-glob-to-any-file: 'src/analyze/*'
apparmor:
- changed-files:
- any-glob-to-any-file: '**/*apparmor*'
ask-password:
- changed-files:
- any-glob-to-any-file: '**/*ask-password*'
backlight:
- changed-files:
- any-glob-to-any-file: '**/*backlight*'
battery-check 🪫:
- changed-files:
- any-glob-to-any-file: '**/*battery*'
binfmt:
- changed-files:
- any-glob-to-any-file: '**/*binfmt*'
bsod:
- changed-files:
- any-glob-to-any-file: '**/*bsod*'
btrfs:
- changed-files:
- any-glob-to-any-file: '**/*btrfs*'
build-system:
- changed-files:
- any-glob-to-any-file: ['meson_options.txt', '**/meson.build']
busctl:
- changed-files:
- any-glob-to-any-file: '**/*busctl*'
catalog:
- changed-files:
- any-glob-to-any-file: 'catalog/*'
cgls:
- changed-files:
- any-glob-to-any-file: '**/*cgls*'
cgroups:
- changed-files:
- any-glob-to-any-file: ['src/basic/cgroup*', 'src/cgroups-agent/*', 'src/core/cgroup*', 'src/shared/cgroup*']
cgtop:
- changed-files:
- any-glob-to-any-file: '**/*cgtop*'
ci:
- changed-files:
- any-glob-to-any-file: '.github/*'
coccinelle:
- changed-files:
- any-glob-to-any-file: 'coccinelle/*'
coredump:
- changed-files:
- any-glob-to-any-file: '**/*coredump*'
creds:
- changed-files:
- any-glob-to-any-file: ['src/core/*cred*', 'src/creds/*', 'src/shared/*cred*', 'units/*cred*']
cryptsetup:
- changed-files:
- any-glob-to-any-file: ['src/cryptenroll/*', 'src/cryptsetup/*', 'units/*crypt*']
debug-generator:
- changed-files:
- any-glob-to-any-file: '**/*debug-generator*'
delta:
- changed-files:
- any-glob-to-any-file: '**/*delta*'
detect-virt:
- changed-files:
- any-glob-to-any-file: '**/*virt*'
dissect:
- changed-files:
- any-glob-to-any-file: '**/*dissect*'
documentation:
- changed-files:
- any-glob-to-any-file: ['NEWS', 'README*', 'docs/*', 'man/*']
env-generator:
- changed-files:
- any-glob-to-any-file: '**/*environment*generator*'
escape:
- changed-files:
- any-glob-to-any-file: 'src/escape/*'
firstboot:
- changed-files:
- any-glob-to-any-file: '**/*firstboot*'
fsck:
- changed-files:
- any-glob-to-any-file: '**/*fsck*'
fstab-generator:
- changed-files:
- any-glob-to-any-file: '**/*fstab-generator*'
gpt-auto:
- changed-files:
- any-glob-to-any-file: '**/*gpt-auto*'
growfs:
- changed-files:
- any-glob-to-any-file: '**/*growfs*'
hibernate-resume:
- changed-files:
- any-glob-to-any-file: '**/*hibernate-resume*'
homed:
- changed-files:
- any-glob-to-any-file: ['src/home*', 'units/*home*']
hostname:
- changed-files:
- any-glob-to-any-file: ['src/hostname/*', 'src/shared/*hostname*', 'units/*hostname*']
hwdb:
- changed-files:
- any-glob-to-any-file: '**/*hwdb*'
import:
- changed-files:
- any-glob-to-any-file: '**/*import*'
integritysetup:
- changed-files:
- any-glob-to-any-file: '**/*integrity*'
journal:
- changed-files:
- any-glob-to-any-file: ['src/journal/*', 'src/libsystemd/sd-journal/*', 'units/systemd-journal-catalog*', 'units/systemd-journal-flush*', 'units/systemd-journald*']
journal-remote:
- changed-files:
- any-glob-to-any-file: ['src/journal-remote/*', 'units/systemd-journal-gateway*', 'units/systemd-journal-remote*']
kernel-install:
- changed-files:
- any-glob-to-any-file: '**/*kernel-install*'
l10n 🌍:
- changed-files:
- any-glob-to-any-file: 'po/*'
locale:
- changed-files:
- any-glob-to-any-file: '**/*locale*'
login:
- changed-files:
- any-glob-to-any-file: ['src/login/*', '**/sd-login*/**']
machine:
- changed-files:
- any-glob-to-any-file: ['src/machine/*', 'units/*machine*']
meson:
- changed-files:
- any-glob-to-any-file: ['meson_options.txt', '**/meson.build']
mkosi:
- changed-files:
- any-glob-to-any-file: '**/*mkosi*'
modules-load:
- changed-files:
- any-glob-to-any-file: ['**/*modules-load*', 'modprobe.d/*']
mount:
- changed-files:
- any-glob-to-any-file: ['src/basic/*mount*', 'src/core/*mount*', 'src/mount/*', 'src/shared/*mount*']
mountfsd:
- changed-files:
- any-glob-to-any-file: '**/*mountfsd*'
network:
- changed-files:
- any-glob-to-any-file: ['src/libsystemd-network/**/*', 'src/network/**/*', 'network/*', 'test/networkd-test.py', 'test/test-network*']
notify:
- changed-files:
- any-glob-to-any-file: 'src/notify/*'
nspawn:
- changed-files:
- any-glob-to-any-file: '**/*nspawn*'
nsresource:
- changed-files:
- any-glob-to-any-file: '**/*nsresource*'
nss-myhostname:
- changed-files:
- any-glob-to-any-file: '**/*nss-myhostname*'
portable:
- changed-files:
- any-glob-to-any-file: 'src/portable/**/*'
pstore:
- changed-files:
- any-glob-to-any-file: '**/*pstore*'
random-seed:
- changed-files:
- any-glob-to-any-file: '**/*random-seed*'
rc-local-generator:
- changed-files:
- any-glob-to-any-file: 'src/rc-local-generator/*'
remount-fs:
- changed-files:
- any-glob-to-any-file: '**/*remount-fs*'
repart:
- changed-files:
- any-glob-to-any-file: '**/*repart*'
resolve:
- changed-files:
- any-glob-to-any-file: '**/*resolve*'
rfkill:
- changed-files:
- any-glob-to-any-file: '**/*rfkill*'
rpm:
- changed-files:
- any-glob-to-any-file: 'src/rpm/*'
run:
- changed-files:
- any-glob-to-any-file: ['src/run/*', 'man/systemd-run*']
sd-boot/sd-stub/bootctl:
- changed-files:
- any-glob-to-any-file: ['src/boot/**/*', 'man/bootctl*', 'man/systemd-boot.xml']
sd-bus:
- changed-files:
- any-glob-to-any-file: '**/sd-bus*/**'
sd-daemon:
- changed-files:
- any-glob-to-any-file: '**/sd-daemon*/**'
sd-device:
- changed-files:
- any-glob-to-any-file: '**/sd-device*/**'
sd-event:
- changed-files:
- any-glob-to-any-file: '**/sd-event*/**'
sd-hwdb:
- changed-files:
- any-glob-to-any-file: '**/sd-hwdb*/**'
sd-id128:
- changed-files:
- any-glob-to-any-file: '**/sd-id128*/**'
sd-netlink:
- changed-files:
- any-glob-to-any-file: '**/sd-netlink*/**'
sd-path:
- changed-files:
- any-glob-to-any-file: '**/sd-path*/**'
sd-resolve:
- changed-files:
- any-glob-to-any-file: '**/sd-resolve*/**'
selinux:
- changed-files:
- any-glob-to-any-file: '**/*selinux*'
shell-completion:
- changed-files:
- any-glob-to-any-file: 'shell-completion/*'
shutdown:
- changed-files:
- any-glob-to-any-file: ['src/shutdown/*', 'units/**/*shutdown*']
sleep:
- changed-files:
- any-glob-to-any-file: ['src/shared/*sleep*', 'src/sleep/*']
smack:
- changed-files:
- any-glob-to-any-file: '**/*smack*'
socket-proxy:
- changed-files:
- any-glob-to-any-file: '**/*socket-proxy*'
ssh-generator:
- changed-files:
- any-glob-to-any-file: '**/*ssh-generator*'
storagetm:
- changed-files:
- any-glob-to-any-file: '**/*storagetm*'
sulogin:
- changed-files:
- any-glob-to-any-file: '**/*sulogin*'
sysctl:
- changed-files:
- any-glob-to-any-file: '**/*sysctl*'
sysext:
- changed-files:
- any-glob-to-any-file: '**/*sysext*'
systemctl:
- changed-files:
- any-glob-to-any-file: '**/*systemctl*'
sysupdate:
- changed-files:
- any-glob-to-any-file: '**/*sysupdate*'
sysusers:
- changed-files:
- any-glob-to-any-file: '**/*sysusers*'
sysv-generator:
- changed-files:
- any-glob-to-any-file: '**/*sysv-generator*'
sysvcompat:
- changed-files:
- any-glob-to-any-file: '**/*sysv*'
tests:
- changed-files:
- any-glob-to-any-file: [
'src/shared/tests.*',
'src/test/**/*',
'src/fuzz/**/*',
'test/**/*',
'**/test-*',
'**/test_*',
'.github/workflows/*'
]
timedate:
- changed-files:
- any-glob-to-any-file: '**/*timedate*'
timesync:
- changed-files:
- any-glob-to-any-file: '**/*timesync*'
tmpfiles:
- changed-files:
- any-glob-to-any-file: '**/*tmpfiles*'
tpm2:
- changed-files:
- any-glob-to-any-file: ['**/*tpm2*', '**/*tpm-*']
udev:
- changed-files:
- any-glob-to-any-file: ['src/udev/**/*', 'src/libudev/*', 'man/*udev*', 'rules.d/*']
uki:
- changed-files:
- any-glob-to-any-file: '**/ukify*'
units:
- changed-files:
- any-glob-to-any-file: 'units/**/*'
user-session:
- changed-files:
- any-glob-to-any-file: '**/*user-session*'
userdb:
- changed-files:
- any-glob-to-any-file: '**/*userdb*'
util-lib:
- changed-files:
- any-glob-to-any-file: ['src/fundamental/**/*', 'src/basic/**/*', 'src/shared/**/*']
utmp/wtmp:
- changed-files:
- any-glob-to-any-file: '**/*utmp*'
varlink:
- changed-files:
- any-glob-to-any-file: ['src/varlink/*', 'src/libsystemd/sd-varlink/*', 'src/systemd/sd-varlink*']
vconsole:
- changed-files:
- any-glob-to-any-file: '**/*vconsole*'
veritysetup:
- changed-files:
- any-glob-to-any-file: '**/*veritysetup*'
vmspawn:
- changed-files:
- any-glob-to-any-file: '**/*vmspawn*'
volatile:
- changed-files:
- any-glob-to-any-file: '**/*volatile*'
xdg-autostart:
- changed-files:
- any-glob-to-any-file: '**/**xdg-autostart-generator*'
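Review bot: The glob on the last entry, `'**/**xdg-autostart-generator*'`, breaks the `**/*name*` shape every other entry in this file uses; a doubled `**` inside a path segment is, as far as I know, treated like a plain `*` by minimatch, so it most likely still matches, but it reads as a typo. I would write `- any-glob-to-any-file: '**/*xdg-autostart-generator*'` to keep it consistent with the rest of the file. Separately, the `build-system` and `meson` entries carry an identical glob list (`['meson_options.txt', '**/meson.build']`), so every PR touching those files receives both labels; if that is intended, a one-line comment on one of them saying so would save the next reader from checking.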
#!/usr/bin/env bash
# SPDX-License-Identifier: LGPL-2.1-or-later
set -ex
shopt -s nullglob
info() { echo -e "\033[33;1m$1\033[0m"; }
fatal() { echo >&2 -e "\033[31;1m$1\033[0m"; exit 1; }
success() { echo >&2 -e "\033[32;1m$1\033[0m"; }
ARGS=(
"--optimization=0 -Dopenssl=disabled -Dcryptolib=gcrypt -Ddns-over-tls=gnutls -Dtpm=true -Dtpm2=enabled"
"--optimization=s -Dutmp=false"
"--optimization=2 -Dc_args=-Wmaybe-uninitialized -Ddns-over-tls=openssl"
"--optimization=3 -Db_lto=true -Ddns-over-tls=false"
"--optimization=3 -Db_lto=false -Dtpm2=disabled -Dlibfido2=disabled -Dp11kit=disabled -Defi=false -Dbootloader=disabled"
"--optimization=3 -Dfexecve=true -Dstandalone-binaries=true -Dstatic-libsystemd=true -Dstatic-libudev=true"
"-Db_ndebug=true"
)
PACKAGES=(
cryptsetup-bin
expect
fdisk
gettext
iputils-ping
isc-dhcp-client
itstool
kbd
libblkid-dev
libbpf-dev
libcap-dev
libcurl4-gnutls-dev
libfdisk-dev
libfido2-dev
libgpg-error-dev
liblz4-dev
liblzma-dev
libmicrohttpd-dev
libmount-dev
libp11-kit-dev
libpwquality-dev
libqrencode-dev
libssl-dev
libtss2-dev
libxen-dev
libxkbcommon-dev
libxtables-dev
libzstd-dev
mold
mount
net-tools
python3-evdev
python3-jinja2
python3-lxml
python3-pefile
python3-pip
python3-pyelftools
python3-pyparsing
python3-setuptools
quota
strace
unifont
util-linux
zstd
)
COMPILER="${COMPILER:?}"
COMPILER_VERSION="${COMPILER_VERSION:?}"
LINKER="${LINKER:?}"
CRYPTOLIB="${CRYPTOLIB:?}"
RELEASE="$(lsb_release -cs)"
# Note: As we use postfixed clang/gcc binaries, we need to override $AR
# as well, otherwise meson falls back to ar from binutils which
# doesn't work with LTO
if [[ "$COMPILER" == clang ]]; then
CC="clang-$COMPILER_VERSION"
CXX="clang++-$COMPILER_VERSION"
AR="llvm-ar-$COMPILER_VERSION"
if systemd-analyze compare-versions "$COMPILER_VERSION" ge 17; then
CFLAGS="-fno-sanitize=function"
CXXFLAGS="-fno-sanitize=function"
else
CFLAGS=""
CXXFLAGS=""
fi
# Prefer the distro version if available
if ! apt-get -y install --dry-run "llvm-$COMPILER_VERSION" >/dev/null; then
# Latest LLVM stack deb packages provided by https://apt.llvm.org/
# Following snippet was partly borrowed from https://apt.llvm.org/llvm.sh
wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | \
sudo gpg --yes --dearmor --output /usr/share/keyrings/apt-llvm-org.gpg
echo "deb [signed-by=/usr/share/keyrings/apt-llvm-org.gpg] http://apt.llvm.org/$RELEASE/ llvm-toolchain-$RELEASE-$COMPILER_VERSION main" | \
sudo tee /etc/apt/sources.list.d/llvm-toolchain.list
fi
PACKAGES+=("clang-$COMPILER_VERSION" "lldb-$COMPILER_VERSION" "python3-lldb-$COMPILER_VERSION" "lld-$COMPILER_VERSION" "clangd-$COMPILER_VERSION")
elif [[ "$COMPILER" == gcc ]]; then
CC="gcc-$COMPILER_VERSION"
CXX="g++-$COMPILER_VERSION"
AR="gcc-ar-$COMPILER_VERSION"
CFLAGS=""
CXXFLAGS=""
if ! apt-get -y install --dry-run "gcc-$COMPILER_VERSION" >/dev/null; then
# Latest gcc stack deb packages provided by
# https://launchpad.net/~ubuntu-toolchain-r/+archive/ubuntu/test
sudo add-apt-repository -y --no-update ppa:ubuntu-toolchain-r/test
fi
PACKAGES+=("gcc-$COMPILER_VERSION" "gcc-$COMPILER_VERSION-multilib")
else
fatal "Unknown compiler: $COMPILER"
fi
# This is added by default, and it is often broken, but we don't need anything from it
sudo rm -f /etc/apt/sources.list.d/microsoft-prod.{list,sources}
# add-apt-repository --enable-source does not work on deb822 style sources.
for f in /etc/apt/sources.list.d/*.sources; do
sudo sed -i "s/Types: deb/Types: deb deb-src/g" "$f"
done
sudo apt-get -y update
sudo apt-get -y build-dep systemd
sudo apt-get -y install "${PACKAGES[@]}"
# Install more or less recent meson and ninja with pip, since the distro versions don't
# always support all the features we need (like --optimization=). Since the build-dep
# command above installs the distro versions, let's install the pip ones just
# locally and add the local bin directory to the $PATH.
pip3 install --user -r .github/workflows/requirements.txt --require-hashes --break-system-packages
export PATH="$HOME/.local/bin:$PATH"
$CC --version
meson --version
ninja --version
for args in "${ARGS[@]}"; do
SECONDS=0
if [[ "$COMPILER" == clang && "$args" =~ Wmaybe-uninitialized ]]; then
# -Wmaybe-uninitialized is not implemented in clang
continue
fi
info "Checking build with $args"
# shellcheck disable=SC2086
if ! AR="$AR" \
CC="$CC" CC_LD="$LINKER" CFLAGS="$CFLAGS" \
CXX="$CXX" CXX_LD="$LINKER" CXXFLAGS="$CXXFLAGS" \
meson setup \
-Dtests=unsafe -Dslow-tests=true -Dfuzz-tests=true --werror \
-Dnobody-group=nogroup -Dcryptolib="${CRYPTOLIB:?}" -Ddebug=false \
$args build; then
cat build/meson-logs/meson-log.txt
fatal "meson failed with $args"
fi
if ! meson compile -C build -v; then
fatal "'meson compile' failed with '$args'"
fi
for loader in build/src/boot/efi/*{.efi,.efi.stub}; do
if [[ "$(sbverify --list "$loader" 2>&1)" != "No signature table present" ]]; then
fatal "$loader: Gaps found in section table"
fi
done
git clean -dxf
success "Build with '$args' passed in $SECONDS seconds"
done
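Review bot: `set -ex` on the second line does not enable `pipefail`, so in the two pipelines that register the LLVM apt source (`wget -O - … | sudo gpg --dearmor …` and `echo … | sudo tee …`) a failed download or echo is masked by the exit status of `gpg`/`tee`, and the script may carry on with an empty or partial keyring, only failing indirectly at `apt-get update`. Changing the line to `set -exo pipefail` makes the download failure fatal where it happens. As a smaller consistency point, the key is fetched over HTTPS but the source line registers `http://apt.llvm.org/$RELEASE/`; apt's signature check against the `signed-by` keyring covers integrity, so this is not a hole, but `https://` would cost nothing and match the key download.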
---
# vi: ts=2 sw=2 et:
# SPDX-License-Identifier: LGPL-2.1-or-later
#
name: Build test
on:
pull_request:
paths:
- '**/meson.build'
- '.github/workflows/**'
- 'meson_options.txt'
- 'src/**'
- 'test/fuzz/**'
permissions:
contents: read
jobs:
build:
runs-on: ubuntu-24.04
concurrency:
group: ${{ github.workflow }}-${{ toJSON(matrix.env) }}-${{ github.ref }}
cancel-in-progress: true
strategy:
fail-fast: false
matrix:
env:
- { COMPILER: "gcc", COMPILER_VERSION: "11", LINKER: "bfd", CRYPTOLIB: "gcrypt" }
- { COMPILER: "gcc", COMPILER_VERSION: "13", LINKER: "mold", CRYPTOLIB: "openssl" }
- { COMPILER: "clang", COMPILER_VERSION: "14", LINKER: "mold", CRYPTOLIB: "gcrypt" }
- { COMPILER: "clang", COMPILER_VERSION: "16", LINKER: "bfd", CRYPTOLIB: "openssl" }
- { COMPILER: "clang", COMPILER_VERSION: "18", LINKER: "lld", CRYPTOLIB: "auto" }
env: ${{ matrix.env }}
steps:
- name: Repository checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Build check
run: .github/workflows/build_test.sh
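Review bot: The `build` job sets `concurrency` and `fail-fast: false` but no `timeout-minutes`, so a hung `meson compile` or `sbverify` inside `build_test.sh` holds a runner for the default 360-minute job limit before that matrix entry is reported as failed. A bound such as `timeout-minutes: 120` (constructed sample; calibrate it) under `runs-on: ubuntu-24.04` turns a hang into a timely failure. The right value depends on how long the seven configurations in the script's `ARGS` array take on a runner, which this page does not show.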
---
# vi: ts=2 sw=2 et:
# SPDX-License-Identifier: LGPL-2.1-or-later
#
name: ClusterFuzzLite PR fuzzing
on:
pull_request:
branches:
- main
- v[0-9]+-stable
permissions: read-all
jobs:
PR:
runs-on: ubuntu-24.04
if: github.repository != 'systemd/systemd' || github.event.pull_request.user.login == 'dependabot[bot]'
concurrency:
group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ github.ref }}
cancel-in-progress: true
strategy:
fail-fast: false
matrix:
sanitizer: [address, undefined, memory]
steps:
- name: Build Fuzzers
id: build
uses: google/clusterfuzzlite/actions/build_fuzzers@v1
with:
sanitizer: ${{ matrix.sanitizer }}
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Run Fuzzers
id: run
uses: google/clusterfuzzlite/actions/run_fuzzers@v1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
fuzz-seconds: 1200
mode: 'code-change'
sanitizer: ${{ matrix.sanitizer }}
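Review bot: The two ClusterFuzzLite steps reference `google/clusterfuzzlite/actions/build_fuzzers@v1` and `run_fuzzers@v1`, a movable tag, while every other third-party action in this change is pinned to a full commit SHA (e.g. `actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683`); both steps also receive `secrets.GITHUB_TOKEN`, so whoever can move that tag runs with the token. The same applies to `google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master` and `run_fuzzers@master` in the CIFuzz workflow, and to `actions/upload-artifact@v4` in the coverage workflow, which the other two workflows that use it pin to `5d5d22a31266ced268874388b861e4b58bb5c2f3`. I would pin each to a resolved commit, e.g. `uses: google/clusterfuzzlite/actions/build_fuzzers@<commit-sha>  # v1`, keeping the tag in a trailing comment so Dependabot can still track it. If the CIFuzz action genuinely has to track `@master` because its upstream build infrastructure moves with it, a comment on those two steps saying so would stop the next reviewer from raising this again.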
---
# vi: ts=2 sw=2 et:
# SPDX-License-Identifier: LGPL-2.1-or-later
# See: https://google.github.io/oss-fuzz/getting-started/continuous-integration/
name: CIFuzz
permissions:
contents: read
on:
pull_request:
paths:
- '**/meson.build'
- '.github/workflows/**'
- 'meson_options.txt'
- 'src/**'
- 'test/fuzz/**'
- 'tools/oss-fuzz.sh'
push:
branches:
- main
jobs:
Fuzzing:
# FIXME: Figure out why 32-bit applications fail to run in docker on Ubuntu 24.04.
runs-on: ubuntu-22.04
if: github.repository == 'systemd/systemd'
concurrency:
group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ matrix.architecture }}-${{ github.ref }}
cancel-in-progress: true
strategy:
fail-fast: false
matrix:
sanitizer: [address, undefined, memory]
architecture: [x86_64]
include:
- sanitizer: address
architecture: i386
permissions:
security-events: write
steps:
- name: Build Fuzzers
id: build
uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
with:
oss-fuzz-project-name: 'systemd'
dry-run: false
allowed-broken-targets-percentage: 0
# keep-unaffected-fuzz-targets should be removed once https://github.com/google/oss-fuzz/issues/7011 is fixed
keep-unaffected-fuzz-targets: true
sanitizer: ${{ matrix.sanitizer }}
architecture: ${{ matrix.architecture }}
output-sarif: true
- name: Run Fuzzers
uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
with:
oss-fuzz-project-name: 'systemd'
fuzz-seconds: 600
dry-run: false
sanitizer: ${{ matrix.sanitizer }}
output-sarif: true
- name: Upload Crash
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
if: failure() && steps.build.outcome == 'success'
with:
name: ${{ matrix.sanitizer }}-${{ matrix.architecture }}-artifacts
path: ./out/artifacts
- name: Upload Sarif
if: always() && steps.build.outcome == 'success'
uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88
with:
# Path to SARIF file relative to the root of the repository
sarif_file: cifuzz-sarif/results.sarif
checkout_path: cifuzz-sarif
---
# vi: ts=2 sw=2 et:
# SPDX-License-Identifier: LGPL-2.1-or-later
#
name: "CodeQL"
on:
pull_request:
branches:
- main
- v[0-9]+-stable
paths:
- '**/meson.build'
- '.github/**/codeql*'
- 'src/**'
- 'test/**'
- 'tools/**'
push:
branches:
- main
- v[0-9]+-stable
permissions:
contents: read
jobs:
analyze:
name: Analyze
if: github.repository != 'systemd/systemd-security'
runs-on: ubuntu-24.04
concurrency:
group: ${{ github.workflow }}-${{ matrix.language }}-${{ github.ref }}
cancel-in-progress: true
permissions:
actions: read
security-events: write
strategy:
fail-fast: false
matrix:
language: ['cpp', 'python']
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Initialize CodeQL
uses: github/codeql-action/init@f09c1c0a94de965c15400f5634aa42fac8fb8f88
with:
languages: ${{ matrix.language }}
config-file: ./.github/codeql-config.yml
- run: sudo -E .github/workflows/unit_tests.sh SETUP
- name: Autobuild
uses: github/codeql-action/autobuild@f09c1c0a94de965c15400f5634aa42fac8fb8f88
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@f09c1c0a94de965c15400f5634aa42fac8fb8f88
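Review bot: The step `- run: sudo -E .github/workflows/unit_tests.sh SETUP` has no `name:`, so it appears in the job log only by its command line while every neighbouring step is named; the Coverity workflow runs the same command under `name: Install build dependencies`, and reusing that name here keeps the two consistent. The checkout step under `label-component` in the issue labeler workflow (`- uses: actions/checkout@…`) is unnamed in the same way. The Coverity file also carries the comment `# Reuse the setup phase of the unit test script to avoid code duplication` above that step; copying it here would explain why a unit-test script is invoked in a CodeQL job.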
---
# SPDX-License-Identifier: LGPL-2.1-or-later
name: coverage
on:
schedule:
# Calculate coverage daily at midnight
- cron: '0 0 * * *'
permissions:
contents: read
jobs:
coverage:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: systemd/mkosi@d501139032aa659fa8d34bdb850f4eb6b5f458ed
# Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
# immediately, we remove the files in the background. However, we first move them to a different location
# so that nothing tries to use anything in these directories anymore while we're busy deleting them.
- name: Free disk space
run: |
sudo mv /usr/local /usr/local.trash
sudo mv /opt/hostedtoolcache /opt/hostedtoolcache.trash
sudo systemd-run rm -rf /usr/local.trash /opt/hostedtoolcache.trash
- name: Btrfs
run: |
truncate --size=100G btrfs.raw
mkfs.btrfs btrfs.raw
sudo mkdir /mnt/mkosi
LOOP="$(sudo losetup --find --show --direct-io=on btrfs.raw)"
sudo mount "$LOOP" /mnt/mkosi --options compress=zstd:1,user_subvol_rm_allowed,noatime,discard=async,space_cache=v2
sudo chown "$(id -u):$(id -g)" /mnt/mkosi
mkdir /mnt/mkosi/tmp
echo "TMPDIR=/mnt/mkosi/tmp" >>"$GITHUB_ENV"
ln -s /mnt/mkosi/build build
- name: Configure
run: |
# XXX: drop after the HyperV bug that breaks secure boot KVM guests is solved
sed -i "s/'firmware'\s*:\s*'auto'/'firmware' : 'uefi'/g" test/*/meson.build
tee mkosi.local.conf <<EOF
[Distribution]
Distribution=arch
[Build]
ToolsTreeDistribution=arch
UseSubvolumes=yes
WithTests=no
WorkspaceDirectory=$TMPDIR
PackageCacheDirectory=$TMPDIR/cache
Environment=
# Build debuginfo packages since we'll be publishing the packages as artifacts.
WITH_DEBUG=1
CFLAGS=-Og
MESON_OPTIONS=--werror
COVERAGE=1
[Runtime]
RAM=4G
EOF
- name: Generate secure boot key
run: mkosi --debug genkey
- name: Show image summary
run: mkosi summary
- name: Build tools tree
run: sudo mkosi -f sandbox -- true
- name: Configure meson
run: |
sudo mkosi sandbox -- \
meson setup \
--buildtype=debugoptimized \
-Dintegration-tests=true \
build
- name: Build image
run: sudo mkosi sandbox -- meson compile -C build mkosi
- name: Initial coverage report
run: |
sudo mkdir -p build/test/coverage
sudo mkosi sandbox -- \
lcov \
--directory build/mkosi.builddir/arch~rolling~x86-64 \
--capture \
--initial \
--exclude "*.gperf" \
--output-file build/test/coverage/initial.coverage-info \
--base-directory src/ \
--ignore-errors source \
--no-external \
--substitute "s#src/src#src#g"
- name: Run integration tests
run: |
# --preserve-env makes sure all the github actions environment variables are propagated which are
# used in integration-test-wrapper.py to construct the `gh` command line to download the journals
# of failed tests.
sudo --preserve-env mkosi sandbox -- \
meson test \
-C build \
--no-rebuild \
--suite integration-tests \
--print-errorlogs \
--no-stdsplit \
--num-processes "$(($(nproc) - 1))" \
--timeout-multiplier 2 \
--max-lines 300
- name: Archive failed test journals
uses: actions/upload-artifact@v4
if: failure() && (github.repository == 'systemd/systemd' || github.repository == 'systemd/systemd-stable')
with:
name: ci-coverage-${{ github.run_id }}-${{ github.run_attempt }}-arch-rolling-failed-test-journals
path: |
build/test/journal/*.journal
build/meson-logs/*
retention-days: 7
- name: Combine coverage reports
run: |
lcov_args=()
while read -r file; do
lcov_args+=(--add-tracefile "${file}")
done < <(find build/test/coverage -name "TEST-*.coverage-info")
sudo mkosi sandbox -- lcov --ignore-errors inconsistent,inconsistent "${lcov_args[@]}" --output-file build/test/coverage/everything.coverage-info
- name: List coverage report
run: sudo mkosi sandbox -- lcov --ignore-errors inconsistent,inconsistent --list build/test/coverage/everything.coverage-info
- name: Coveralls
uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b
if: github.repository == 'systemd/systemd' || github.repository == 'systemd/systemd-stable'
with:
file: build/test/coverage/everything.coverage-info
---
# vi: ts=2 sw=2 et:
# SPDX-License-Identifier: LGPL-2.1-or-later
#
name: Coverity
on:
schedule:
# Run Coverity daily at midnight
- cron: '0 0 * * *'
permissions:
contents: read
jobs:
build:
runs-on: ubuntu-24.04
if: github.repository == 'systemd/systemd'
env:
# Set in repo settings -> secrets -> actions
COVERITY_SCAN_TOKEN: "${{ secrets.COVERITY_SCAN_TOKEN }}"
COVERITY_SCAN_NOTIFICATION_EMAIL: "${{ secrets.COVERITY_SCAN_NOTIFICATION_EMAIL }}"
steps:
- name: Repository checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
# Reuse the setup phase of the unit test script to avoid code duplication
- name: Install build dependencies
run: sudo -E .github/workflows/unit_tests.sh SETUP
- name: Build & upload the results
run: tools/coverity.sh
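Review bot: `COVERITY_SCAN_TOKEN` and `COVERITY_SCAN_NOTIFICATION_EMAIL` are set in the job-level `env:`, so they are present in the environment of every step, including `actions/checkout` and the `unit_tests.sh SETUP` step, neither of which needs them; only `tools/coverity.sh` does. Moving the `env:` block from the job to the `Build & upload the results` step (the same two keys, indented under that step beside `run: tools/coverity.sh`) limits the token to the one process that uses it. The `# Set in repo settings -> secrets -> actions` comment should move with the block.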
# doc: https://github.com/redhat-plumbers-in-action/devel-freezer#readme
---
name: Development Freeze
on:
workflow_run:
workflows: [ Gather Pull Request Metadata ]
types:
- completed
permissions:
contents: read
jobs:
freezer:
if: >
github.event.workflow_run.event == 'pull_request' &&
github.event.workflow_run.conclusion == 'success' &&
github.repository == 'systemd/systemd'
runs-on: ubuntu-24.04
permissions:
pull-requests: write
steps:
- id: artifact
name: Download Pull Request Metadata artifact
uses: redhat-plumbers-in-action/download-artifact@463ae626ac2dd333491c7beccaa24c12c5c259b8
with:
name: Pull Request Metadata
- name: Repository checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
fetch-depth: 0
- name: Development Freezer
uses: redhat-plumbers-in-action/devel-freezer@ad766eafd555b28d2cb8e27937835983f9c3d173
with:
pr-number: ${{ fromJSON(steps.artifact.outputs.pr-metadata-json).number }}
# delay start of validation to allow for some milestone/labels tweaking
delay: 20
token: ${{ secrets.GITHUB_TOKEN }}
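Review bot: `pr-number` is taken from `fromJSON(steps.artifact.outputs.pr-metadata-json).number`, i.e. from an artifact that the `Gather Pull Request Metadata` workflow produced while running on a `pull_request` event, and is then used by a step holding `pull-requests: write`. The `if:` guards check the triggering event, its conclusion and the repository, but nothing visible here ties the number inside the artifact to the run that triggered this job, and whether the devel-freezer action re-validates it I cannot tell from this page. Where `github.event.workflow_run.pull_requests` is populated, comparing the artifact's number with `github.event.workflow_run.pull_requests[0].number` is a cheap cross-check; for fork PRs that array is, as far as I know, empty, so at minimum a comment on the `Development Freezer` step should note that the number originates from the PR-side run.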
---
# https://github.com/redhat-plumbers-in-action/differential-shellcheck#readme
name: Differential ShellCheck
on:
push:
branches:
- main
pull_request:
branches:
- main
permissions:
contents: read
jobs:
lint:
if: github.event.repository.name != 'systemd-security'
runs-on: ubuntu-24.04
permissions:
security-events: write
steps:
- name: Repository checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
fetch-depth: 0
- name: Differential ShellCheck
uses: redhat-plumbers-in-action/differential-shellcheck@cc6721c45a8800cc666de45493545a07a638d121
with:
# exclude all `.in` files because they may contain unsupported syntax, and they have to be preprocessed first
# TEMPORARY: exclude bash completion files, they would generate too many defects in Code scanning dashboard (600+)
# exclude zsh completion files, zsh is not supported by ShellCheck
exclude-path: |
'**/*.in'
'shell-completion/bash/*'
'shell-completion/zsh/*'
token: ${{ secrets.GITHUB_TOKEN }}
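Review bot: `exclude-path` is a literal block scalar (`|`), so the single quotes around `'**/*.in'`, `'shell-completion/bash/*'` and `'shell-completion/zsh/*'` are part of the value handed to the action rather than YAML quoting; whether differential-shellcheck strips them before matching I cannot tell from this page. If it does not, none of the three excludes applies and the `.in` files the comment says must be preprocessed first would be linted anyway. Writing the three lines without quotes (`**/*.in` and so on, one per line) is unambiguous either way.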
---
name: Gather Pull Request Metadata
on:
pull_request:
branches: [ main ]
permissions:
contents: read
jobs:
gather-metadata:
if: github.repository == 'systemd/systemd'
runs-on: ubuntu-24.04
steps:
- name: Repository checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- id: metadata
name: Gather Pull Request Metadata
uses: redhat-plumbers-in-action/gather-pull-request-metadata@17821d3bc27c1efed339595898c2e622accc5a1b
- name: Upload Pull Request Metadata artifact
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
with:
name: Pull Request Metadata
path: ${{ steps.metadata.outputs.metadata-file }}
retention-days: 1
---
# Labels newly opened issues according to the component field of the issue
# form they were filed with. Runs once per known issue template.
name: Issue labeler
on:
  issues:
    types: [ opened ]
permissions:
  contents: read
jobs:
  label-component:
    runs-on: ubuntu-24.04
    permissions:
      # Only this job may write labels; the workflow default stays read-only.
      issues: write
    strategy:
      matrix:
        template: [ bug_report.yml, feature_request.yml ]
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      - name: Parse issue form
        uses: stefanbuck/github-issue-parser@1e5bdee70d4b3e066a33aa0669ab782943825f94
        id: issue-parser
        with:
          # The issue body is attacker-controlled (anyone can open an issue).
          # It is only ever handed to actions as inputs below; there is no
          # `run:` step in this workflow, so it never reaches a shell.
          template-path: .github/ISSUE_TEMPLATE/${{ matrix.template }}
      - name: Set labels based on component field
        uses: redhat-plumbers-in-action/advanced-issue-labeler@d498805e5c7c0658e336948b3363480bcfd68da6
        with:
          issue-form: ${{ steps.issue-parser.outputs.jsonString }}
          template: ${{ matrix.template }}
          token: ${{ secrets.GITHUB_TOKEN }}
---
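# vi: ts=2 sw=2 et:
# SPDX-License-Identifier: LGPL-2.1-or-later
#
# Keeps pull-request labels in sync with the systemd review workflow:
# path-based component labels via actions/labeler, plus the please-review /
# needs-rework / good-to-merge bookkeeping labels driven by PR events and
# review comments.
name: "Pull Request Labeler"
on:
  # pull_request_target runs in the context of the base branch with a token
  # that can write to the repository, so nothing from the PR head may be
  # checked out or executed under it. Edits to the labeler configuration
  # itself are excluded from this trigger and exercised through the
  # read-only pull_request trigger below instead.
  pull_request_target:
    types: [opened, synchronize, reopened, ready_for_review, closed]
    paths-ignore:
      - '.github/labeler.yml'
      - '.github/workflows/labeler.yml'
  # Allow testing changes made to the labeler configuration
  pull_request:
    paths:
      - '.github/labeler.yml'
      - '.github/workflows/labeler.yml'
  issue_comment:
    types: [created]
permissions:
  contents: read
jobs:
  triage:
    if: github.repository == 'systemd/systemd'
    runs-on: ubuntu-24.04
    permissions:
      pull-requests: write
    steps:
      - name: Repository checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        # Only on the plain pull_request event (read-only token). Under
        # pull_request_target no checkout happens at all, so untrusted PR
        # content is never placed next to the write-capable token.
        if: github.event_name == 'pull_request'
      - name: Label PR based on policy in labeler.yml
        uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9
        # Skipped for the closed action and for PRs not targeting main.
        if: startsWith(github.event_name, 'pull_request') && github.base_ref == 'main' && github.event.action != 'closed'
        with:
          repo-token: "${{ secrets.GITHUB_TOKEN }}"
          configuration-path: .github/labeler.yml
          sync-labels: false
      - name: Set or remove labels based on systemd development workflow
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
        if: startsWith(github.event_name, 'pull_request') && github.event.action != 'closed' && !github.event.pull_request.draft
        with:
          script: |
            // Every open, non-draft PR event resets the review state: the PR
            // gets please-review unless a good-to-merge/* label is already
            // present, and stale needs-rework / needs-rebase markers are dropped.
            // Declared with const (the original relied on implicit globals).
            const response = await github.rest.issues.listLabelsOnIssue({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
            });
            const original = new Set(response.data.map(l => l.name));
            const labels = new Set(original);
            const good_to_merge = new Set([
              "good-to-merge/waiting-for-ci 👍",
              "good-to-merge/after-next-release",
              "good-to-merge/with-minor-suggestions",
              "good-to-merge/waiting-for-reporter-feedback 👍",
            ]);
            if (Array.from(labels).filter(l => good_to_merge.has(l)).length == 0) {
              labels.add("please-review");
            }
            for (const label of ["reviewed/needs-rework 🔨",
                                 "ci-fails/needs-rework 🔥",
                                 "ci-failure-appears-unrelated",
                                 "needs-rebase"]) {
              labels.delete(label);
            }
            // Only call setLabels() when the set actually changed, to avoid a
            // pointless API write on every push.
            if (labels.size != original.size || Array.from(labels).some(l => !original.has(l))) {
              await github.rest.issues.setLabels({
                issue_number: context.issue.number,
                owner: context.repo.owner,
                repo: context.repo.repo,
                labels: Array.from(labels),
              });
            }
      - name: Add please-review label on command in issue comment
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
        # Any commenter on a PR can trigger this. The comment body is only
        # inspected inside the expression (never passed to a shell), and the
        # only effect is adding a single label, so that is acceptable.
        if: github.event_name == 'issue_comment' && github.event.issue.pull_request && startsWith(github.event.comment.body, '/please-review')
        with:
          script: |
            await github.rest.issues.addLabels({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              labels: ["please-review"]
            })
      - name: Remove specific labels when PR is closed or merged
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
        if: startsWith(github.event_name, 'pull_request') && github.event.action == 'closed'
        with:
          script: |
            // Drop all workflow-state labels once the PR is closed so they do
            // not linger on merged or abandoned PRs; component labels are kept.
            const response = await github.rest.issues.listLabelsOnIssue({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
            });
            const original = new Set(response.data.map(l => l.name));
            const labels = new Set(original);
            for (const label of ["please-review",
                                 "reviewed/needs-rework 🔨",
                                 "ci-fails/needs-rework 🔥",
                                 "needs-rebase",
                                 "good-to-merge/waiting-for-ci 👍",
                                 "good-to-merge/after-next-release",
                                 "good-to-merge/with-minor-suggestions",
                                 "good-to-merge/waiting-for-reporter-feedback 👍",
                                 "needs-discussion 🤔",
                                 "needs-reporter-feedback ❓",
                                 "dont-merge 💣",
                                 "squash-on-merge",
                                 "quick-review 🏃‍♂️"]) {
              labels.delete(label);
            }
            if (labels.size != original.size || Array.from(labels).some(l => !original.has(l))) {
              await github.rest.issues.setLabels({
                issue_number: context.issue.number,
                owner: context.repo.owner,
                repo: context.repo.repo,
                labels: Array.from(labels),
              });
            }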
---
# vi: ts=2 sw=2 et:
# SPDX-License-Identifier: LGPL-2.1-or-later
# https://github.com/marketplace/actions/super-linter
#
# Lints the GitHub Actions workflows with super-linter and type-checks /
# lints / format-checks the two Python tools (ukify, integration-test-wrapper).
name: Lint Code Base
on:
  pull_request:
    branches:
      - main
      - v[0-9]+-stable
permissions:
  contents: read
jobs:
  build:
    name: Lint Code Base
    runs-on: ubuntu-24.04
    concurrency:
      group: ${{ github.workflow }}-${{ github.ref }}
      cancel-in-progress: true
    steps:
      - name: Repo checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          # We need a full repo clone
          fetch-depth: 0
      - name: Lint Code Base
        uses: super-linter/super-linter/slim@85f7611e0f7b53c8573cca84aa0ed4344f6f6a4d
        env:
          DEFAULT_BRANCH: main
          MULTI_STATUS: false
          # Only files changed relative to DEFAULT_BRANCH, and only the
          # workflow-file validator.
          VALIDATE_ALL_CODEBASE: false
          VALIDATE_GITHUB_ACTIONS: true
      - name: Check that tabs are not used in Python code
        # The outer single quotes keep "\\t" intact for sh -c, which reduces it
        # to \t for grep -P; the leading ! inverts the match so any tab fails.
        run: sh -c '! git grep -P "\\t" -- src/ukify/ukify.py test/integration-test-wrapper.py'
      - name: Install ruff and mypy
        # NOTE(review): these are installed unpinned from PyPI, unlike the
        # hash-pinned `pip3 install -r requirements.txt --require-hashes` used
        # by unit_tests.sh. With contents: read the blast radius is this runner
        # only, but pinning versions and hashes would make the lint result
        # reproducible and close the supply-chain gap.
        run: |
          python3 -m pip install --break-system-packages --upgrade setuptools wheel pip
          python3 -m pip install --break-system-packages mypy types-Pillow ruff
      - name: Run mypy
        run: |
          python3 -m mypy --version
          python3 -m mypy src/ukify/ukify.py test/integration-test-wrapper.py
      - name: Run ruff check
        run: |
          ruff --version
          ruff check src/ukify/ukify.py test/integration-test-wrapper.py
      - name: Run ruff format
        run: |
          ruff --version
          ruff format --check src/ukify/ukify.py test/integration-test-wrapper.py
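---
# Creates a GitHub release for every pushed v* tag. The leading `---` starts a
# new YAML document: without it this workflow was fused onto the preceding one,
# duplicating its top-level name/on/permissions/jobs keys.
name: Make a Github release
on:
  push:
    tags:
      - "v*"
permissions:
  contents: read
jobs:
  release:
    # Run in the main and stable repositories only, not in forks.
    if: github.repository == 'systemd/systemd' || github.repository == 'systemd/systemd-stable'
    runs-on: ubuntu-24.04
    permissions:
      # Needed to create the release. Anyone who can push a v* tag can thereby
      # trigger one, so tag protection on the repository is what really gates
      # this (not verifiable from the workflow itself).
      contents: write
    steps:
      # No checkout: the release is created from the tag alone.
      - name: Release
        uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda
        with:
          # Release-candidate tags (…-rc…) are marked as pre-releases.
          prerelease: ${{ contains(github.ref_name, '-rc') }}
          # In the main repository the release is created as a draft for manual
          # publication; the stable repository publishes directly.
          draft: ${{ github.repository == 'systemd/systemd' }}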
---
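# vi: ts=2 sw=2 et:
# SPDX-License-Identifier: LGPL-2.1-or-later
# Simple boot tests that build and boot the mkosi images generated by the mkosi config files in mkosi.conf.d/.
name: mkosi
on:
  push:
    branches:
      - main
      - v[0-9]+-stable
    # Everything except documentation-only paths. Patterns are evaluated in
    # order with the last match winning, which is why ".github/**" is added
    # back after "!.**" has hidden all dotfiles.
    paths:
      - "**"
      - "!README*"
      - "!LICENSE*"
      - "!LICENSES/**"
      - "!TODO"
      - "!docs/**"
      - "!man/**"
      - "!catalog/**"
      - "!shell-completion/**"
      - "!po/**"
      - "!.**"
      - ".github/**"
  pull_request:
    branches:
      - main
      - v[0-9]+-stable
    paths:
      - "**"
      - "!README*"
      - "!LICENSE*"
      - "!LICENSES/**"
      - "!TODO"
      - "!docs/**"
      - "!man/**"
      - "!catalog/**"
      - "!shell-completion/**"
      - "!po/**"
      - "!.**"
      - ".github/**"
permissions:
  contents: read
jobs:
  ci:
    runs-on: ubuntu-24.04
    concurrency:
      group: ${{ github.workflow }}-${{ matrix.distro }}-${{ matrix.release }}-${{ github.ref }}
      cancel-in-progress: true
    strategy:
      fail-fast: false
      # All matrix values are literals from this file. They are interpolated
      # straight into shell command lines and into mkosi.local.conf below, so
      # keep them that way: never derive them from PR-controlled input.
      matrix:
        include:
          - distro: arch
            release: rolling
            sanitizers: ""
            llvm: 0
            cflags: "-O2 -D_FORTIFY_SOURCE=3"
            relabel: no
            vm: 1
            skip: TEST-21-DFUZZER
          - distro: debian
            release: testing
            sanitizers: ""
            llvm: 0
            cflags: "-Og"
            relabel: no
            vm: 0
            skip: TEST-21-DFUZZER
          - distro: ubuntu
            release: noble
            sanitizers: ""
            llvm: 0
            cflags: "-Og"
            relabel: no
            vm: 0
            skip: TEST-21-DFUZZER
          - distro: fedora
            release: "41"
            sanitizers: ""
            llvm: 0
            cflags: "-Og"
            relabel: yes
            vm: 0
            skip: TEST-21-DFUZZER
          # The only entry without `skip`, so TEST-21-DFUZZER runs here alone,
          # under ASan/UBSan with clang.
          - distro: fedora
            release: rawhide
            sanitizers: address,undefined
            llvm: 1
            cflags: "-Og"
            relabel: yes
            vm: 0
          - distro: opensuse
            release: tumbleweed
            sanitizers: ""
            llvm: 0
            cflags: "-Og"
            relabel: no
            vm: 0
            skip: TEST-21-DFUZZER
          - distro: centos
            release: "9"
            sanitizers: ""
            llvm: 0
            cflags: "-Og"
            relabel: yes
            vm: 0
            skip: TEST-21-DFUZZER
          - distro: centos
            release: "10"
            sanitizers: ""
            llvm: 0
            cflags: "-Og"
            relabel: yes
            vm: 0
            skip: TEST-21-DFUZZER
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      - uses: systemd/mkosi@d501139032aa659fa8d34bdb850f4eb6b5f458ed
      # Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
      # immediately, we remove the files in the background. However, we first move them to a different location
      # so that nothing tries to use anything in these directories anymore while we're busy deleting them.
      - name: Free disk space
        run: |
          sudo mv /usr/local /usr/local.trash
          sudo mv /opt/hostedtoolcache /opt/hostedtoolcache.trash
          sudo systemd-run rm -rf /usr/local.trash /opt/hostedtoolcache.trash
      # Put the workspace, package cache and build tree on a loop-mounted btrfs
      # image (mkosi's UseSubvolumes=yes below relies on it); TMPDIR is
      # exported for all later steps via GITHUB_ENV.
      - name: Btrfs
        run: |
          truncate --size=100G btrfs.raw
          mkfs.btrfs btrfs.raw
          sudo mkdir /mnt/mkosi
          LOOP="$(sudo losetup --find --show --direct-io=on btrfs.raw)"
          sudo mount "$LOOP" /mnt/mkosi --options compress=zstd:1,user_subvol_rm_allowed,noatime,discard=async,space_cache=v2
          sudo chown "$(id -u):$(id -g)" /mnt/mkosi
          mkdir /mnt/mkosi/tmp
          echo "TMPDIR=/mnt/mkosi/tmp" >>"$GITHUB_ENV"
          ln -s /mnt/mkosi/build build
      - name: Configure
        run: |
          # XXX: drop after the HyperV bug that breaks secure boot KVM guests is solved
          sed -i "s/'firmware'\s*:\s*'auto'/'firmware' : 'uefi'/g" test/*/meson.build
          # Unquoted heredoc: $TMPDIR is expanded by the shell, the ${{ }}
          # matrix values by GitHub before the step runs.
          tee mkosi.local.conf <<EOF
          [Distribution]
          Distribution=${{ matrix.distro }}
          Release=${{ matrix.release }}
          [Output]
          # Build a disk image in CI as this logic is much more prone to breakage.
          Format=disk
          [Build]
          UseSubvolumes=yes
          ToolsTreeDistribution=${{ matrix.distro }}
          ToolsTreeRelease=${{ matrix.release }}
          WorkspaceDirectory=$TMPDIR
          PackageCacheDirectory=$TMPDIR/cache
          Environment=
                  # Build debuginfo packages since we'll be publishing the packages as artifacts.
                  WITH_DEBUG=1
                  CFLAGS="${{ matrix.cflags }}"
                  SANITIZERS=${{ matrix.sanitizers }}
                  MESON_OPTIONS=--werror
                  LLVM=${{ matrix.llvm }}
                  SYSEXT=1
          [Content]
          SELinuxRelabel=${{ matrix.relabel }}
          [Runtime]
          RAM=4G
          EOF
      - name: Generate secure boot key
        run: mkosi --debug genkey
      - name: Show image summary
        run: mkosi summary
      - name: Build tools tree
        run: sudo mkosi -f sandbox -- true
      - name: Configure meson
        run: |
          sudo mkosi sandbox -- \
            meson setup \
              --buildtype=debugoptimized \
              -Dintegration-tests=true \
              build
      - name: Build image
        run: sudo mkosi sandbox -- meson compile -C build mkosi
      - name: Run integration tests
        run: |
          # --max-lines only exists in newer meson; pass it when available.
          if [[ "$(sudo mkosi sandbox -- meson test --help)" == *"--max-lines"* ]]; then
            MAX_LINES=(--max-lines 300)
          else
            MAX_LINES=()
          fi
          # --preserve-env makes sure all the github actions environment variables are propagated which are
          # used in integration-test-wrapper.py to construct the `gh` command line to download the journals
          # of failed tests.
          sudo --preserve-env mkosi sandbox -- \
            env \
            TEST_PREFER_QEMU=${{ matrix.vm }} \
            TEST_SKIP=${{ matrix.skip }} \
            meson test \
            -C build \
            --no-rebuild \
            --suite integration-tests \
            --print-errorlogs \
            --no-stdsplit \
            --num-processes "$(($(nproc) - 1))" \
            "${MAX_LINES[@]}"
      - name: Archive failed test journals
        # Pinned to the same upload-artifact commit used by the Gather Pull
        # Request Metadata workflow; the previous floating "@v4" tag was the
        # only action reference in these workflows not pinned to a SHA.
        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
        if: failure() && (github.repository == 'systemd/systemd' || github.repository == 'systemd/systemd-stable')
        with:
          name: ci-mkosi-${{ github.run_id }}-${{ github.run_attempt }}-${{ matrix.distro }}-${{ matrix.release }}-failed-test-journals
          path: |
            build/test/journal/*.journal
            build/meson-logs/*
          retention-days: 7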
# Python build tooling for the CI unit-test job. unit_tests.sh installs this
# with `pip3 install -r … --require-hashes`, so every entry must carry a hash
# for each artifact pip may select; bump versions and hashes together.
meson==1.6.0 \
    --hash=sha256:234a45f9206c6ee33b473ec1baaef359d20c0b89a71871d58c65a6db6d98fe74 \
    --hash=sha256:999b65f21c03541cf11365489c1fad22e2418bb0c3d50ca61139f2eec09d5496
ninja==1.11.1.2 \
    --hash=sha256:0bca4179119426a3c3c9d5661c3b244d68781064e50907a1e066bc55edc18e06 \
    --hash=sha256:0c9c36f6e6f8946c7271b0ed14d98fc3ea467a0c0954fb73f5f656c42667d943 \
    --hash=sha256:1cfbb845095ea09da8c089375a8f999e75f4817d01506297c66181b533175647 \
    --hash=sha256:232767144401847db62e8392047866698bb3678158a1ae4400a97111110e90f2 \
    --hash=sha256:33d258809c8eda81f9d80e18a081a6eef3215e5fd1ba8902400d786641994e89 \
    --hash=sha256:3e815e4147832b17ec38417efcb31df51671ae273f083409304c7cc32a14dd1a \
    --hash=sha256:4fbd07b2b4232543726abafdd350453a2fabef4527664ca0e491c578aee5f857 \
    --hash=sha256:508fb93395a5c82a4d99d30fce0cbaf5cb2bd33e5c1dc9faaa080e199802dbc9 \
    --hash=sha256:52af7f45750c5c288d566fd0c927ed9bb0d8f2e50803709f582a42bcc4ec167b \
    --hash=sha256:9200247cf4c1643a67d079836b8dd31a362e34e618b50b5e3a5c0d0171efc442 \
    --hash=sha256:949e23cb2e79a33ea37d23a07d26846d2e75464e8e6940f8751fe964bc141dfa \
    --hash=sha256:99fc4b87299242e10d7edd1c7737fdfb1269019e32f9f4267630887f6183a49e \
    --hash=sha256:ab4068ff7ff1f895485ad604116165b05d6810c802170a7f22c09dd678d5587d \
    --hash=sha256:cb6b476eb4e84c0efcfd3ab04f660dedce8adb854b56b043639312f3af176df6 \
    --hash=sha256:ecf3df324b56fdfb0872990a71e706efdae286e010310816c72b6bf24431711b \
    --hash=sha256:ed25892c16e49e66383a8db6a67a9f33b41230fc485426094d7da51e2255ec2b \
    --hash=sha256:ee7b1924c28e6cab5b866f7b229f07777d25d8cfccbbedf3da5ffb4f72f57877
---
# vi: ts=2 sw=2 et:
# SPDX-License-Identifier: LGPL-2.1-or-later
# Runs the OpenSSF Scorecard checks (ossf/scorecard-action) against the
# repository and, outside pull requests, publishes the results.
name: Scorecards supply-chain security
on:
  # Only the default branch is supported.
  branch_protection_rule:
  schedule:
    - cron: '15 21 * * 6'
  push:
    branches:
      - main
  # On pull requests only edits to this workflow file trigger a run, and the
  # results are not published (see publish_results below).
  pull_request:
    branches:
      - main
    paths:
      - '.github/workflows/scorecards.yml'
# Declare default permissions as read only.
permissions: read-all
jobs:
  analysis:
    name: Scorecards analysis
    if: github.repository == 'systemd/systemd'
    runs-on: ubuntu-24.04
    permissions:
      id-token: write # Used to receive a badge.
    steps:
      - name: Checkout code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # Don't leave the token in .git/config; nothing here needs to push.
          persist-credentials: false
      - name: Run analysis
        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
        with:
          results_file: results.sarif
          results_format: sarif
          # Never publish from a PR run: it could be driven by a fork.
          publish_results: ${{ github.event_name != 'pull_request' }}
#!/usr/bin/env bash
# SPDX-License-Identifier: LGPL-2.1-or-later
# Phases to run, taken from the command line; the default is a full local run.
# Deliberately left unquoted so a single argument such as "SETUP RUN" is split
# into separate phases, hence the SC2206 suppression on the next line.
# shellcheck disable=SC2206
PHASES=(${@:-SETUP RUN RUN_ASAN_UBSAN CLEANUP})
# Packages installed in the SETUP phase on top of `apt-get build-dep systemd`
# (compiler, optional library -dev packages, python modules for the tests).
ADDITIONAL_DEPS=(
    clang
    expect
    fdisk
    jekyll
    libbpf-dev
    libfdisk-dev
    libfido2-dev
    libp11-kit-dev
    libpwquality-dev
    libqrencode-dev
    libssl-dev
    libtss2-dev
    libxkbcommon-dev
    libzstd-dev
    python3-libevdev
    python3-pefile
    python3-pyelftools
    python3-pyparsing
    python3-pytest
    rpm
    systemd-boot-efi
    zstd
)
# Print a phase banner in bold yellow so it stands out in the CI log.
# Escapes in the message itself are still interpreted, exactly as before.
function info() {
    local esc=$'\033'
    echo -e "${esc}[33;1m$1${esc}[0m"
}
# Run meson with the given arguments. On failure, dump every meson-log.txt
# found below the current directory (that is where the real error message
# ends up) and return 1 so the caller, running under set -e, aborts.
function run_meson() {
    meson "$@" && return 0
    find . -type f -name meson-log.txt -exec cat '{}' +
    return 1
}
set -ex

# Crypto backend selected by the caller (CRYPTOLIB from the workflow matrix).
MESON_ARGS=(-Dcryptolib=${CRYPTOLIB:-auto})

# (Re)set the current oom-{score-}adj. For some reason root on GH actions is able to _decrease_
# its oom-score even after dropping all capabilities (including CAP_SYS_RESOURCE), until the
# score is explicitly changed after sudo. No idea what's going on, but it breaks
# exec-oomscoreadjust-negative.service from test-execute when running unprivileged.
choom -p $$ -n 0

# Phases run in the order given. Every RUN* phase configures into ./build and
# assumes SETUP has already installed the dependencies.
for phase in "${PHASES[@]}"; do
    case $phase in
        SETUP)
            info "Setup phase"
            # This is added by default, and it is often broken, but we don't need anything from it
            rm -f /etc/apt/sources.list.d/microsoft-prod.{list,sources}
            # add-apt-repository --enable-source does not work on deb822 style sources.
            # NOTE(review): not idempotent — a file that already lists deb-src ends up
            # with "Types: deb deb-src deb-src"; an anchored pattern would avoid that.
            for f in /etc/apt/sources.list.d/*.sources; do
                sed -i "s/Types: deb/Types: deb deb-src/g" "$f"
            done
            apt-get -y update
            apt-get -y build-dep systemd
            apt-get -y install "${ADDITIONAL_DEPS[@]}"
            # Python build tooling comes from the hash-pinned requirements file, so a
            # tampered or replaced PyPI upload cannot silently change the toolchain.
            pip3 install -r .github/workflows/requirements.txt --require-hashes --break-system-packages
            # Make sure the build dir is accessible even when drop privileges, otherwise the unprivileged
            # part of test-execute gets skipped, since it can't run systemd-executor
            chmod o+x /home/runner
            # Sanity check under set -e: if the tree is not reachable with all
            # capabilities dropped, fail here rather than silently skip tests later.
            capsh --drop=all -- -c "stat $PWD/meson.build"
            ;;
        RUN|RUN_GCC|RUN_CLANG|RUN_CLANG_RELEASE)
            if [[ "$phase" =~ ^RUN_CLANG ]]; then
                export CC=clang
                export CXX=clang++
                export CFLAGS="-fno-sanitize=function"
                export CXXFLAGS="-fno-sanitize=function"
                if [[ "$phase" == RUN_CLANG ]]; then
                    # The docs build is slow and is not affected by compiler/flags, so do it just once
                    MESON_ARGS+=(-Dman=enabled)
                else
                    # RUN_CLANG_RELEASE: release mode, -O2.
                    MESON_ARGS+=(-Dmode=release --optimization=2)
                fi
                # Some variation: remove machine-id, like on Debian builders to ensure unit tests still work.
                # Put back by the CLEANUP phase — only if CLEANUP is actually requested.
                if [ -w /etc/machine-id ]; then
                    mv /etc/machine-id /etc/machine-id.bak
                fi
            fi
            MESON_ARGS+=(--fatal-meson-warnings)
            run_meson -Dnobody-group=nogroup --werror -Dtests=unsafe -Dslow-tests=true -Dfuzz-tests=true "${MESON_ARGS[@]}" build
            ninja -C build -v
            # Ensure setting a timezone (like the reproducible build tests do) does not break time/date unit tests
            TZ=GMT+12 meson test -C build --print-errorlogs
            ;;
        RUN_ASAN_UBSAN|RUN_GCC_ASAN_UBSAN|RUN_CLANG_ASAN_UBSAN|RUN_CLANG_ASAN_UBSAN_NO_DEPS)
            # NOTE(review): this overwrites MESON_ARGS (not +=), so the -Dcryptolib=
            # chosen above is dropped for sanitizer builds. The workflow only pairs the
            # non-default crypto backends with the GCC/CLANG phases, so nothing is lost
            # today — TODO confirm this is intended.
            MESON_ARGS=(--optimization=1)
            if [[ "$phase" =~ ^RUN_CLANG_ASAN_UBSAN ]]; then
                export CC=clang
                export CXX=clang++
                export CFLAGS="-fno-sanitize=function"
                export CXXFLAGS="-fno-sanitize=function"
                # Build fuzzer regression tests only with clang (for now),
                # see: https://github.com/systemd/systemd/pull/15886#issuecomment-632689604
                # -Db_lundef=false: See https://github.com/mesonbuild/meson/issues/764
                MESON_ARGS+=(-Db_lundef=false -Dfuzz-tests=true)
                if [[ "$phase" == "RUN_CLANG_ASAN_UBSAN_NO_DEPS" ]]; then
                    # Build with every optional dependency turned off.
                    MESON_ARGS+=(--auto-features=disabled)
                fi
            fi
            MESON_ARGS+=(--fatal-meson-warnings)
            run_meson -Dnobody-group=nogroup --werror -Dtests=unsafe -Db_sanitize=address,undefined "${MESON_ARGS[@]}" build
            ninja -C build -v
            export ASAN_OPTIONS=strict_string_checks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1
            # Never remove halt_on_error from UBSAN_OPTIONS. See https://github.com/systemd/systemd/commit/2614d83aa06592aedb.
            export UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1
            # FIXME
            # For some strange reason the GH Actions VM stops responding after
            # executing first ~150 tests, _unless_ there's something producing
            # output (either running `meson test` in verbose mode, or something
            # else in background). Despite my efforts so far I haven't been able
            # to identify the culprit (since the issue is not reproducible
            # during debugging, wonderful), so let's at least keep a workaround
            # here to make the builds stable for the time being.
            # (The watchdog loop is never explicitly killed; it runs until the step ends.)
            (set +x; while :; do echo -ne "\n[WATCHDOG] $(date)\n"; sleep 30; done) &
            # Sanitized binaries are slow: give every test three times its usual timeout.
            meson test --timeout-multiplier=3 -C build --print-errorlogs
            ;;
        CLEANUP)
            info "Cleanup phase"
            # Undo the machine-id move done by the RUN_CLANG* phases, but only if
            # nothing has recreated /etc/machine-id in the meantime.
            if [ ! -f /etc/machine-id ] && [ -w /etc/machine-id.bak ]; then
                mv /etc/machine-id.bak /etc/machine-id
            fi
            ;;
        *)
            echo >&2 "Unknown phase '$phase'"
            exit 1
    esac
done
---
# vi: ts=2 sw=2 et:
# SPDX-License-Identifier: LGPL-2.1-or-later
#
# Builds systemd and runs the unit-test suite (meson test) directly on the
# runner in several compiler / sanitizer / crypto-backend configurations.
# The actual work is done by .github/workflows/unit_tests.sh.
name: Unit tests
on:
  pull_request:
    branches:
      - main
      - v[0-9]+-stable
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-24.04
    concurrency:
      group: ${{ github.workflow }}-${{ matrix.run_phase }}-${{ matrix.cryptolib }}-${{ github.ref }}
      cancel-in-progress: true
    strategy:
      fail-fast: false
      matrix:
        # Each run_phase corresponds to a RUN_<phase> case in unit_tests.sh.
        run_phase: [GCC, GCC_ASAN_UBSAN, CLANG, CLANG_RELEASE, CLANG_ASAN_UBSAN, CLANG_ASAN_UBSAN_NO_DEPS]
        cryptolib: [auto]
        # Two extra jobs exercising the non-default crypto backends.
        include:
          - run_phase: GCC
            cryptolib: openssl
          - run_phase: CLANG
            cryptolib: gcrypt
    steps:
      - name: Repository checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      - name: Install build dependencies
        run: |
          # Drop XDG_* stuff from /etc/environment, so we don't get the user
          # XDG_* variables when running under sudo
          sudo sed -i '/^XDG_/d' /etc/environment
          # Pass only specific env variables through sudo, to avoid having
          # the already existing XDG_* stuff on the "other side"
          sudo --preserve-env=CRYPTOLIB,GITHUB_ACTIONS,CI .github/workflows/unit_tests.sh SETUP
      - name: Build & test
        # matrix.run_phase is a literal from the matrix above, so splicing it
        # into the command line is safe; keep it that way.
        # NOTE: the script's CLEANUP phase is never invoked here, so the CLANG
        # and CLANG_RELEASE phases leave /etc/machine-id moved aside. Harmless
        # on a throw-away runner, relevant if this is ever run on a persistent one.
        run: sudo --preserve-env=CRYPTOLIB,GITHUB_ACTIONS,CI .github/workflows/unit_tests.sh RUN_${{ matrix.run_phase }}
        env:
          CRYPTOLIB: ${{ matrix.cryptolib }}