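# CI Workflow for bootc
#
# Core principles:
# - Everything done here should be easy to replicate locally. Most tasks
#   should invoke `just <something>`. Read the Justfile for more explanation
#   of this.
# - Most additions to this should be extending existing tasks; e.g.
#   there's places for unit and integration tests already.
name: CI

# Workflow-wide least privilege: only `actions: read` is granted, so every
# other GITHUB_TOKEN scope (contents, packages, id-token, ...) is `none` in
# all jobs below. `actions: read` is presumably what the artifact hand-off
# between the `package` and `test-*` jobs needs; nothing here pushes or
# publishes.
permissions:
  actions: read

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  workflow_dispatch: {}

env:
  CARGO_TERM_COLOR: always
  # Something seems to be setting this in the default GHA runners, which breaks bcvk
  # as the default runner user doesn't have access
  LIBVIRT_DEFAULT_URI: "qemu:///session"
  # Not referenced directly in this file; presumably consumed by the Justfile.
  DEV_IMAGE: ghcr.io/bootc-dev/dev-bootc

# One in-flight run per PR (or per ref for pushes); newer runs cancel older ones.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

# NOTE(security): every `uses:` below references a mutable ref — a `@vN`
# tag, or the `@main` branch of bootc-dev/actions. Whatever that ref points
# at on the day the job runs is executed with this workflow's token and on
# the runner that later builds the test images. Pinning each action to a
# full commit SHA (keeping the tag in a trailing comment) removes that
# supply-chain exposure; the SHAs are not recorded here, so this is left as
# a recommendation rather than changed blindly.
jobs:
  # Run basic validation checks (linting, formatting, etc)
  validate:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v6
      - name: Bootc Ubuntu Setup
        uses: bootc-dev/actions/bootc-ubuntu-setup@main
      - name: Validate (default)
        run: just validate

  # License compliance plus dependency ban/source checks via cargo-deny.
  # NOTE: `advisories` is deliberately absent from the check list below, so
  # RustSec vulnerability advisories are NOT gated by this job; run
  # `cargo deny check advisories` separately if that coverage is wanted.
  cargo-deny:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v6
      - uses: EmbarkStudios/cargo-deny-action@v2
        with:
          log-level: warn
          # `-A duplicate` downgrades duplicate-crate findings to allowed.
          command: check -A duplicate bans sources licenses

  # Test bootc installation scenarios and fsverity support
  # TODO convert to be an integration test
  #
  # This job is not listed in `required-checks` below, so it does not gate
  # merges.
  install-tests:
    name: "Test install"
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
      - name: Bootc Ubuntu Setup
        uses: bootc-dev/actions/bootc-ubuntu-setup@main
      # The runner's root filesystem needs the verity feature before the
      # fsverity install case at the end of this job can succeed.
      - name: Enable fsverity for /
        run: sudo tune2fs -O verity $(findmnt -vno SOURCE /)
      - name: Install utils
        run: sudo apt -y install fsverity just
      - name: Integration tests
        run: |
          # pipefail so a failing `find` in the verity check below is not
          # masked by the status of the trailing `while` loop.
          set -xeuo pipefail
          # Build images to test; TODO investigate doing single container builds
          # via GHA and pushing to a temporary registry to share among workflows?
          sudo just build
          sudo just build-install-test-image
          sudo podman build -t localhost/bootc-fsverity -f ci/Containerfile.install-fsverity

          # Grant permission: hand the checkout back to the runner user so the
          # unprivileged `cargo build` below can write into it (the sudo builds
          # above presumably leave root-owned files behind). GITHUB_WORKSPACE
          # is the checkout directory on GitHub-hosted runners, which avoids
          # hard-coding /home/runner/work/<repo>/<repo> and keeps forks working.
          sudo chown -R "$(id -u):$(id -g)" "${GITHUB_WORKSPACE}"
          # TODO move into a container, and then have this tool run other containers
          cargo build --release -p tests-integration

          df -h /
          sudo install -m 0755 target/release/tests-integration /usr/bin/bootc-integration-tests
          # Drop the build tree once the binary is installed — apparently to
          # reclaim disk space (compare the df output before and after).
          sudo rm target -rf
          df -h /

          # The ostree-container tests. This container gets full host access
          # (--privileged, host PID namespace, / bind-mounted at /run/host);
          # that is only acceptable because the GHA runner is a throwaway VM.
          sudo podman run --privileged --pid=host -v /:/run/host -v "$(pwd)":/src:ro -v /var/tmp:/var/tmp \
            --tmpfs /var/lib/containers \
            -v /run/dbus:/run/dbus -v /run/systemd:/run/systemd localhost/bootc /src/crates/ostree-ext/ci/priv-integration.sh
          # Nondestructive but privileged tests
          sudo bootc-integration-tests host-privileged localhost/bootc-install
          # Install tests
          sudo bootc-integration-tests install-alongside localhost/bootc-install

          # system-reinstall-bootc tests
          cargo build --release -p system-reinstall-bootc

          # not sure why this is missing in the ubuntu image but just creating this directory allows the tests to pass
          sudo mkdir -p /run/sshd

          sudo install -m 0755 target/release/system-reinstall-bootc /usr/bin/system-reinstall-bootc
          # These tests may mutate the system live so we can't run in parallel
          sudo bootc-integration-tests system-reinstall localhost/bootc --test-threads=1

          # And the fsverity case. `--acknowledge-destructive` and
          # `--skip-fetch-check` are test-only shortcuts; do not copy them into
          # user-facing instructions.
          sudo podman run --privileged --pid=host localhost/bootc-fsverity bootc install to-existing-root --stateroot=other \
            --acknowledge-destructive --skip-fetch-check
          # Crude cross check: `fsverity measure` is expected to fail on any
          # repo object that did not get verity enabled, which aborts the step.
          sudo find /ostree/repo/objects -name '*.file' -type f | while read -r f; do
            sudo fsverity measure "$f" >/dev/null
          done

  # Test that we can build documentation (not a required check, see below)
  docs:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v6
      - name: Bootc Ubuntu Setup
        uses: bootc-dev/actions/bootc-ubuntu-setup@main
      - name: Build mdbook
        run: just build-mdbook

  # Build packages for each test OS. fedora-44 packages are built here but
  # currently not exercised by `test-integration` (see its matrix).
  package:
    strategy:
      fail-fast: false
      matrix:
        test_os: [fedora-42, fedora-43, fedora-44, centos-9, centos-10]

    runs-on: ubuntu-24.04

    steps:
      - uses: actions/checkout@v6
      - name: Bootc Ubuntu Setup
        uses: bootc-dev/actions/bootc-ubuntu-setup@main

      # `matrix.test_os` is a literal from this file, so interpolating it into
      # the shell is not an injection vector (unlike `github.event.*` fields).
      - name: Setup env
        run: |
          BASE=$(just pullspec-for-os base ${{ matrix.test_os }})
          echo "BOOTC_base=${BASE}" >> "$GITHUB_ENV"

      - name: Build packages (and verify build system)
        run: just check-buildsys

      # Short retention: these RPMs only exist to be consumed by the
      # `test-integration` / `test-coreos` jobs of this same run.
      - name: Upload package artifacts
        uses: actions/upload-artifact@v6
        with:
          name: packages-${{ matrix.test_os }}
          path: target/packages/*.rpm
          retention-days: 1

  # Build bootc from source into a container image FROM each specified base `test_os`
  # running unit and integration tests (using TMT, leveraging the support for nested virtualization
  # in the GHA runners)
  test-integration:
    needs: package
    strategy:
      fail-fast: false
      matrix:
        # No fedora-44 due to https://bugzilla.redhat.com/show_bug.cgi?id=2429501
        test_os: [fedora-42, fedora-43, centos-9, centos-10]
        variant: [ostree, composefs-sealeduki-sdboot]
        exclude:
          # centos-9 UKI is experimental/broken (https://github.com/bootc-dev/bootc/issues/1812)
          - test_os: centos-9
            variant: composefs-sealeduki-sdboot

    runs-on: ubuntu-24.04

    steps:
      - uses: actions/checkout@v6
      - name: Bootc Ubuntu Setup
        uses: bootc-dev/actions/bootc-ubuntu-setup@main
        with:
          libvirt: true
      # NOTE(supply-chain): unpinned PyPI install; consider pinning a tmt
      # version (and ideally hashes) so the test driver cannot change
      # underneath a run.
      - name: Install tmt
        run: pip install --user "tmt[provision-virtual]"

      # Matrix values are literals from this file — safe to interpolate into
      # the shell. The sealed-UKI variant additionally needs a buildroot base.
      - name: Setup env
        run: |
          BASE=$(just pullspec-for-os base ${{ matrix.test_os }})
          echo "BOOTC_base=${BASE}" >> "$GITHUB_ENV"
          echo "BOOTC_variant=${{ matrix.variant }}" >> "$GITHUB_ENV"

          if [ "${{ matrix.variant }}" = "composefs-sealeduki-sdboot" ]; then
            BUILDROOTBASE=$(just pullspec-for-os buildroot-base ${{ matrix.test_os }})
            echo "BOOTC_buildroot_base=${BUILDROOTBASE}" >> "$GITHUB_ENV"
          fi

      - name: Download package artifacts
        uses: actions/download-artifact@v7
        with:
          name: packages-${{ matrix.test_os }}
          path: target/packages/

      - name: Build container
        run: |
          # Reuse the RPMs built by the `package` job instead of rebuilding.
          BOOTC_SKIP_PACKAGE=1 just build
          # Extra cross-check (duplicating the integration test) that we're using the right base
          used_vid=$(podman run --rm localhost/bootc bash -c '. /usr/lib/os-release && echo ${ID}-${VERSION_ID}')
          test "${{ matrix.test_os }}" = "${used_vid}"

      - name: Unit and container integration tests
        run: just test-container

      - name: Run TMT integration tests
        run: |
          if [ "${{ matrix.variant }}" = "composefs-sealeduki-sdboot" ]; then
            just test-composefs
          else
            just test-tmt integration
          fi
          just clean-local-images

      # NOTE(review): `github.event.number` is empty on push/dispatch runs, and
      # `env.ARCH` is not set in this workflow's `env:` — unless
      # bootc-ubuntu-setup exports ARCH via GITHUB_ENV the trailing suffix is
      # empty. Confirm before relying on these names.
      - name: Archive TMT logs
        if: always()
        uses: actions/upload-artifact@v6
        with:
          name: tmt-log-PR-${{ github.event.number }}-${{ matrix.test_os }}-${{ matrix.variant }}-${{ env.ARCH }}
          path: /var/tmp/tmt

  # Test bootc install on Fedora CoreOS (separate job to avoid disk space issues
  # when run in the same job as test-integration).
  # Uses fedora-43 as it's the current stable Fedora release matching CoreOS.
  test-coreos:
    needs: package
    runs-on: ubuntu-24.04

    steps:
      - uses: actions/checkout@v6
      - name: Bootc Ubuntu Setup
        uses: bootc-dev/actions/bootc-ubuntu-setup@main
        with:
          libvirt: true
      # NOTE(supply-chain): unpinned PyPI install, same caveat as in
      # test-integration.
      - name: Install tmt
        run: pip install --user "tmt[provision-virtual]"

      - name: Setup env
        run: |
          BASE=$(just pullspec-for-os base fedora-43)
          echo "BOOTC_base=${BASE}" >> "$GITHUB_ENV"
          echo "BOOTC_variant=ostree" >> "$GITHUB_ENV"

      - name: Download package artifacts
        uses: actions/download-artifact@v7
        with:
          name: packages-fedora-43
          path: target/packages/

      - name: Build container and test on CoreOS
        run: |
          BOOTC_SKIP_PACKAGE=1 just build
          just build-testimage-coreos target/packages
          just test-tmt-on-coreos plan-bootc-install-on-coreos
          just clean-local-images

      # See the note on the same step in test-integration about
      # `github.event.number` and `env.ARCH`.
      - name: Archive TMT logs
        if: always()
        uses: actions/upload-artifact@v6
        with:
          name: tmt-log-PR-${{ github.event.number }}-fedora-43-coreos-${{ env.ARCH }}
          path: /var/tmp/tmt

  # Sentinel job for required checks - configure this job name in repository settings.
  # `if: always()` makes this job run even when a dependency failed or was
  # cancelled; the single step then fails unless every listed dependency
  # succeeded. `install-tests` and `docs` are intentionally not listed and so
  # do not gate merges.
  required-checks:
    if: always()
    needs: [cargo-deny, validate, package, test-integration, test-coreos]
    # Same pinned runner image as every other job (was `ubuntu-latest`).
    runs-on: ubuntu-24.04
    steps:
      - run: exit 1
        if: >-
          needs.cargo-deny.result != 'success' ||
          needs.validate.result != 'success' ||
          needs.package.result != 'success' ||
          needs.test-integration.result != 'success' ||
          needs.test-coreos.result != 'success'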