mirror of
https://github.com/containers/bootc.git
synced 2026-02-05 15:45:53 +01:00
fc057e6a1b
This is aligning with what I did in https://github.com/ostreedev/ostree/pull/3439 - What gets invoked in e.g. GHA should ideally most be `just` commands that are easy to run locally too (with sudo in GHA, without sudo locally) - Move the "core build" to the toplevel so that one can just `podman build` directly too (without the Justfile) and have it do something useful - The "always build and test in a container" helps for LLM-assisted coding because what they can do is inherently sandboxed Signed-off-by: Colin Walters <walters@verbum.org>
160 lines
6.8 KiB
YAML
160 lines
6.8 KiB
YAML
name: CI
|
|
|
|
permissions:
|
|
actions: read
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
pull_request:
|
|
branches: [main]
|
|
workflow_dispatch: {}
|
|
|
|
env:
|
|
CARGO_TERM_COLOR: always
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
tests:
|
|
if: ${{ !contains(github.event.pull_request.labels.*.name, 'control/skip-ci') }}
|
|
runs-on: ubuntu-latest
|
|
container: quay.io/coreos-assembler/fcos-buildroot:testing-devel
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- name: Install deps
|
|
run: ./ci/installdeps.sh
|
|
- name: Mark git checkout as safe
|
|
run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
|
|
# xref containers/containers-image-proxy-rs
|
|
- name: Cache Dependencies
|
|
uses: Swatinem/rust-cache@v2
|
|
with:
|
|
key: "tests"
|
|
- name: make validate-rust
|
|
# the ruff checks are covered via a dedicated action
|
|
run: make validate-rust
|
|
- name: Run tests
|
|
run: cargo test -- --nocapture --quiet
|
|
- name: Manpage generation
|
|
run: mkdir -p target/man && cargo run --features=docgen -- man --directory target/man
|
|
- name: Clippy (gate on correctness and suspicous)
|
|
run: make validate-rust
|
|
fedora-container-tests:
|
|
if: ${{ !contains(github.event.pull_request.labels.*.name, 'control/skip-ci') }}
|
|
runs-on: ubuntu-24.04
|
|
steps:
|
|
- name: Get a newer podman for heredoc support (from debian testing)
|
|
run: |
|
|
set -eux
|
|
echo 'deb [trusted=yes] https://ftp.debian.org/debian/ testing main' | sudo tee /etc/apt/sources.list.d/testing.list
|
|
sudo apt update
|
|
sudo apt install -y crun/testing podman/testing skopeo/testing
|
|
- name: Installdeps
|
|
run: sudo apt update && sudo apt install just
|
|
- uses: actions/checkout@v4
|
|
- name: Build and run container integration tests
|
|
run: sudo just run-container-integration
|
|
cargo-deny:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: EmbarkStudios/cargo-deny-action@v2
|
|
with:
|
|
log-level: warn
|
|
command: check -A duplicate bans sources licenses
|
|
install-tests:
|
|
if: ${{ !contains(github.event.pull_request.labels.*.name, 'control/skip-ci') }}
|
|
name: "Test install"
|
|
# For a not-ancient podman
|
|
runs-on: ubuntu-24.04
|
|
steps:
|
|
- name: Get a newer podman for heredoc support (from debian testing)
|
|
run: |
|
|
set -eux
|
|
echo 'deb [trusted=yes] https://ftp.debian.org/debian/ testing main' | sudo tee /etc/apt/sources.list.d/testing.list
|
|
sudo apt update
|
|
sudo apt install -y crun/testing podman/testing skopeo/testing
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v4
|
|
- name: Free up disk space on runner
|
|
run: sudo ./ci/clean-gha-runner.sh
|
|
- name: Enable fsverity for /
|
|
run: sudo tune2fs -O verity $(findmnt -vno SOURCE /)
|
|
- name: Install utils
|
|
run: sudo apt -y install fsverity just
|
|
- name: Integration tests
|
|
run: |
|
|
set -xeu
|
|
# Build images to test; TODO investigate doing single container builds
|
|
# via GHA and pushing to a temporary registry to share among workflows?
|
|
sudo just build-integration-test-image
|
|
sudo podman build -t localhost/bootc-fsverity -f ci/Containerfile.install-fsverity
|
|
|
|
# TODO move into a container, and then have this tool run other containers
|
|
export CARGO_INCREMENTAL=0 # because we aren't caching the test runner bits
|
|
cargo build --release -p tests-integration
|
|
|
|
df -h /
|
|
sudo install -m 0755 target/release/tests-integration /usr/bin/bootc-integration-tests
|
|
rm target -rf
|
|
df -h /
|
|
# The ostree-container tests
|
|
sudo podman run --privileged --pid=host -v /:/run/host -v $(pwd):/src:ro -v /var/tmp:/var/tmp \
|
|
-v /run/dbus:/run/dbus -v /run/systemd:/run/systemd localhost/bootc /src/ostree-ext/ci/priv-integration.sh
|
|
# Nondestructive but privileged tests
|
|
sudo bootc-integration-tests host-privileged localhost/bootc-integration
|
|
# Install tests
|
|
sudo bootc-integration-tests install-alongside localhost/bootc-integration
|
|
|
|
# system-reinstall-bootc tests
|
|
cargo build --release -p system-reinstall-bootc
|
|
|
|
# not sure why this is missing in the ubuntu image but just creating this directory allows the tests to pass
|
|
sudo mkdir -p /run/sshd
|
|
|
|
sudo install -m 0755 target/release/system-reinstall-bootc /usr/bin/system-reinstall-bootc
|
|
# These tests may mutate the system live so we can't run in parallel
|
|
sudo bootc-integration-tests system-reinstall localhost/bootc-integration --test-threads=1
|
|
|
|
# And the fsverity case
|
|
sudo podman run --privileged --pid=host localhost/bootc-fsverity bootc install to-existing-root --stateroot=other \
|
|
--acknowledge-destructive --skip-fetch-check
|
|
# Crude cross check
|
|
sudo find /ostree/repo/objects -name '*.file' -type f | while read f; do
|
|
sudo fsverity measure $f >/dev/null
|
|
done
|
|
docs:
|
|
if: ${{ contains(github.event.pull_request.labels.*.name, 'documentation') }}
|
|
runs-on: ubuntu-latest
|
|
env:
|
|
MDBOOK_VERSION: 0.4.37
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- name: Install mdBook
|
|
run: |
|
|
tag=$(curl 'https://api.github.com/repos/rust-lang/mdbook/releases/latest' | jq -r '.tag_name')
|
|
url="https://github.com/rust-lang/mdbook/releases/download/${tag}/mdbook-${tag}-x86_64-unknown-linux-gnu.tar.gz"
|
|
mkdir mdbook
|
|
curl -sSL $url | tar -xz --directory=./mdbook
|
|
echo `pwd`/mdbook >> $GITHUB_PATH
|
|
- name: Install mdbook-mermaid
|
|
run: |
|
|
tag=$(curl 'https://api.github.com/repos/badboy/mdbook-mermaid/releases/latest' | jq -r '.tag_name')
|
|
url="https://github.com/badboy/mdbook-mermaid/releases/download/${tag}/mdbook-mermaid-${tag}-x86_64-unknown-linux-gnu.tar.gz"
|
|
mkdir mdbook-mermaid
|
|
curl -sSL $url | tar -xz --directory=./mdbook-mermaid
|
|
echo `pwd`/mdbook-mermaid >> $GITHUB_PATH
|
|
- name: Install mdbook-linkcheck
|
|
run: |
|
|
tag=$(curl 'https://api.github.com/repos/Michael-F-Bryan/mdbook-linkcheck/releases/latest' | jq -r '.tag_name')
|
|
archive="mdbook-linkcheck.x86_64-unknown-linux-gnu.zip"
|
|
url="https://github.com/Michael-F-Bryan/mdbook-linkcheck/releases/download/${tag}/${archive}"
|
|
mkdir mdbook-linkcheck
|
|
curl -sSL -O $url && unzip ${archive} -d ./mdbook-linkcheck && chmod +x ./mdbook-linkcheck/mdbook-linkcheck
|
|
echo `pwd`/mdbook-linkcheck >> $GITHUB_PATH
|
|
- name: Build with mdBook
|
|
run: cd docs && mdbook-mermaid install && mdbook build
|