github: Minimize permissions granted to automated workflows / jobs #252
Workflow file for this run
# Trigger the workflow on every push and on every pull request.
on:
  - push
  - pull_request

# Workflow-wide GITHUB_TOKEN scope: read-only access to repository contents.
# Scopes that are not listed are set to `none`, and no job in this file
# declares its own `permissions`, so this applies to every job.
permissions:
  contents: read

env:
  # Exported to every step; -Werror turns compiler warnings into failures.
  CFLAGS: '-Werror'
  # Distribution packages passed to the pkginstall action's `apt` input.
  UBUNTU_PACKAGES: |
    xutils-dev xserver-xorg-dev libx11-dev libxi-dev libxrandr-dev libxinerama-dev libudev-dev
    libgirepository1.0-dev libevdev-dev
    python3-pip python3-gi python3-pytest
  # Python packages passed to the pkginstall action's `pip` input.
  PIP_PACKAGES: 'meson ninja libevdev pytest pyyaml attrs'
  # Quoted so it is always read as a string; used by the exact-version job.
  MESON_REQUIRED_VERSION: '0.51.0'
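jobs:
  # NOTE(review): the linuxwacom/libwacom actions below are referenced by
  # `@master`, a mutable branch ref, so whatever that branch holds at run
  # time executes inside these jobs. Pinning each `uses:` to a full commit
  # SHA (`@<FULL_COMMIT_SHA>`) makes the dependency immutable. The same holds,
  # to a lesser degree, for the `@v3` tags on the actions/* steps.

  # Autotools build with each compiler; produces the release tarball that the
  # tarball-verification jobs consume.
  compile-with-autotools:
    runs-on: ubuntu-20.04
    strategy:
      matrix:
        compiler: [gcc, clang]
    steps:
      - name: Checkout the repo
        uses: actions/checkout@v3
        with:
          # Keep the job token out of the checkout's git config: the steps
          # below build and run code from the checked-out tree, and no step
          # visible here needs an authenticated git command.
          persist-credentials: false
      - uses: linuxwacom/libwacom/.github/actions/pkginstall@master
        with:
          apt: $UBUNTU_PACKAGES
      - name: Build the driver
        env:
          # Hand the matrix value to the script through the environment so
          # the script text itself contains no workflow expression.
          COMPILER: ${{ matrix.compiler }}
        run: |
          mkdir -p _build
          pushd _build > /dev/null
          # We don't want our CFLAGS (especially -Werror) to apply at `configure`
          # time so short-circuit our environment at that moment and provide the
          # flags to `make` instead. Not doing so results in an incorrect config:
          # 'checking for rint in -lm... no' because of a builtin-declaration-mismatch
          # warning (error) in the auto-generated feature test.
          CFLAGS="" CC="$COMPILER" ../autogen.sh --disable-silent-rules
          make CFLAGS="$CFLAGS"
          popd > /dev/null
      - name: Run unit tests
        run: |
          pushd _build > /dev/null
          make check || (cat **/test-suite.log && false)
          popd > /dev/null
      - name: Run distcheck
        run: |
          pushd _build > /dev/null
          make distcheck
          popd > /dev/null
      - name: move tarball to top level
        run: |
          mv _build/xf86-input-wacom-*tar.bz2 .
      # Both matrix legs (gcc and clang) upload under the same artifact name.
      # NOTE(review): confirm the downstream tarball jobs are fine with
      # whichever leg's tarball ends up in the `tarball` artifact.
      - uses: actions/upload-artifact@v3
        with:
          name: tarball
          path: xf86-input-wacom-*tar.bz2

  # Meson build and test for every compiler / option combination.
  compile-with-meson:
    runs-on: ubuntu-20.04
    strategy:
      matrix:
        compiler:
          - gcc
          - clang
        meson_options:
          - ''
          - '-Ddebug-messages=false'
          # clang requires b_lundef=false for b_sanitize, see
          # https://github.com/mesonbuild/meson/issues/764
          - '-Db_sanitize=address,undefined -Db_lundef=false'
    steps:
      - uses: actions/checkout@v3
        with:
          # See compile-with-autotools: the token is not needed after checkout.
          persist-credentials: false
      - uses: linuxwacom/libwacom/.github/actions/pkginstall@master
        with:
          apt: $UBUNTU_PACKAGES
          pip: $PIP_PACKAGES
      - name: meson test ${{matrix.meson_options}}
        uses: linuxwacom/libwacom/./.github/actions/meson@master
        with:
          meson_args: -Dauto_features=enabled ${{matrix.meson_options}}
        env:
          CC: ${{matrix.compiler}}
      # Capture all the meson logs, even if we failed
      - uses: actions/upload-artifact@v3
        if: ${{ always() }}  # even if we fail
        with:
          name: meson-test-logs-${{github.job}}-${{matrix.compiler}}-${{matrix.meson_options}}
          path: |
            builddir/meson-logs/testlog*.txt
            builddir/meson-logs/meson-log.txt

  # Build with exactly MESON_REQUIRED_VERSION to check the declared minimum.
  compile-with-meson-exact-version:
    runs-on: ubuntu-20.04
    steps:
      - uses: actions/checkout@v3
        with:
          # See compile-with-autotools: the token is not needed after checkout.
          persist-credentials: false
      - uses: linuxwacom/libwacom/.github/actions/pkginstall@master
        with:
          apt: $UBUNTU_PACKAGES
          pip: $PIP_PACKAGES
      - name: install exact meson version
        run: pip install "meson == $MESON_REQUIRED_VERSION"
      - name: meson test
        uses: linuxwacom/libwacom/./.github/actions/meson@master
        with:
          meson_args: -Dauto_features=enabled
      # Capture all the meson logs, even if we failed
      - uses: actions/upload-artifact@v3
        if: ${{ always() }}  # even if we fail
        with:
          name: meson-test-logs-${{github.job}}
          path: |
            builddir/meson-logs/testlog*.txt
            builddir/meson-logs/meson-log.txt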
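###
#
# tarball verification
#
# These jobs take the `tarball` artifact produced by compile-with-autotools
# and check that it builds on its own and contains every tracked file.
#
# NOTE(review): the linuxwacom/libwacom actions are referenced by `@master`,
# a mutable branch ref; pinning to a full commit SHA (`@<FULL_COMMIT_SHA>`)
# would make what runs here immutable.
#
  build-from-tarball-autotools:
    needs: compile-with-autotools
    runs-on: ubuntu-20.04
    env:
      TARBALLDIR: '_tarball_dir'
      INSTALLDIR: '/tmp/_inst'
    steps:
      - uses: linuxwacom/libwacom/.github/actions/pkginstall@master
        with:
          apt: $UBUNTU_PACKAGES
      - name: fetch tarball from previous job(s)
        uses: actions/download-artifact@v3
        with:
          name: tarball
      - name: extract tarball
        run: |
          mkdir -p "$TARBALLDIR"
          tar xf xf86-input-wacom-*.tar.bz2 -C "$TARBALLDIR"
      - run: mkdir -p "$INSTALLDIR"
      - name: build from tarball with autotools
        run: |
          pushd "$TARBALLDIR"/xf86-input-wacom*/
          autoreconf -ivf
          # See comment in compile-with-autotools
          CFLAGS="" ./configure --disable-silent-rules --prefix="$INSTALLDIR"
          make CFLAGS="$CFLAGS"
          make check || (cat **/test-suite.log && false)
          popd > /dev/null

  build-from-tarball-meson:
    needs: compile-with-autotools
    runs-on: ubuntu-20.04
    env:
      TARBALLDIR: '_tarball_dir'
      INSTALLDIR: '/tmp/_inst'
    steps:
      - uses: linuxwacom/libwacom/.github/actions/pkginstall@master
        with:
          apt: $UBUNTU_PACKAGES
          pip: $PIP_PACKAGES
      - name: fetch tarball from previous job(s)
        uses: actions/download-artifact@v3
        with:
          name: tarball
      - name: extract tarball
        run: |
          mkdir -p "$TARBALLDIR"
          tar xf xf86-input-wacom-*.tar.bz2 -C "$TARBALLDIR"
      - run: mkdir -p "$INSTALLDIR"
      - name: build from tarball with meson
        uses: linuxwacom/libwacom/.github/actions/meson@master
        with:
          srcdir: $TARBALLDIR/xf86-input-wacom-*/
          meson_args: -Dauto_features=enabled --prefix="$INSTALLDIR"
          ninja_args: test
      # Capture all the meson logs, even if we failed
      - uses: actions/upload-artifact@v3
        if: ${{ always() }}  # even if we fail
        with:
          name: tarball-build-meson-test-logs
          path: |
            builddir/meson-logs/testlog*.txt
            builddir/meson-logs/meson-log.txt

  # Fails when a file tracked in git (minus a small exclusion list) is absent
  # from the release tarball.
  check-tarball-files:
    needs: compile-with-autotools
    runs-on: ubuntu-20.04
    env:
      TARBALLDIR: '_tarball_dir'
    steps:
      - name: Checkout the repo
        uses: actions/checkout@v3
        with:
          # Only local git commands (`git ls-files`) follow, so the job token
          # does not need to stay in the checkout's git config.
          persist-credentials: false
      - name: fetch tarball from previous job(s)
        uses: actions/download-artifact@v3
        with:
          name: tarball
      # NOTE(review): the exclusion patterns are unanchored regexes, so any
      # tracked path that merely contains one of them is dropped from the
      # comparison as well; confirm that is intended.
      - name: list git files
        run: git ls-files | grep -v -e '.gitignore' -e '.github' -e '.editorconfig' -e 'release.sh' -e 'git-version-gen' > files-in-git.txt
      - name: list tarball files
        run: |
          # Strip the leading top-level directory so paths line up with git's.
          tar ft xf86-input-wacom-*.tar.bz2 | sed -e 's|^[^/]*/||' | sort > files-in-tarball.txt
      - name: check for missing files
        run: |
          rm -f missing-files.txt
          # Read one path per line so names are not word-split or globbed.
          while IFS= read -r filename; do
            # -x: whole-line match, -F: literal string. A plain `grep -q`
            # treats the path as a regex and accepts substrings, so a missing
            # `foo.c` would be hidden by the presence of `foo.c.in`.
            if ! grep -qxF -- "$filename" files-in-tarball.txt; then
              echo "$filename" >> missing-files.txt
            fi
          done < files-in-git.txt
          if [[ -e missing-files.txt ]]; then
            echo "Files missing from tarball:"
            cat missing-files.txt
            exit 1
          fi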