Skip to content

Add some modifications to CI recommended by SSF #2641

Add some modifications to CI recommended by SSF

Add some modifications to CI recommended by SSF #2641

Workflow file for this run

name: CI
permissions: read-all
on:
push:
branches:
- main
pull_request:
merge_group:
branches:
- main
jobs:
e2e-tests:
runs-on: ubuntu-latest
env:
SUDO_UNDER_TEST: ours
SUDO_TEST_VERBOSE_DOCKER_BUILD: 1
CI: true
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: set up docker buildx
run: docker buildx create --name builder --use
- name: cache docker layers
uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a
with:
path: /tmp/.buildx-cache
key: docker-buildx-rs-${{ github.sha }}
restore-keys: docker-buildx-rs-
- name: Rust Cache
uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab
with:
shared-key: "compliance-tests"
workspaces: |
test-framework
- name: Register rust problem matcher
run: echo "::add-matcher::.github/problem-matchers/rust.json"
- name: Run all E2E tests
working-directory: test-framework
run: cargo test -p e2e-tests
- name: prevent the cache from growing too large
run: |
rm -rf /tmp/.buildx-cache
mv /tmp/.buildx-cache-new /tmp/.buildx-cache
compliance-tests-og:
runs-on: ubuntu-latest
env:
SUDO_TEST_VERBOSE_DOCKER_BUILD: 1
CI: true
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: set up docker buildx
run: docker buildx create --name builder --use
- name: Rust Cache
uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab
with:
shared-key: "compliance-tests"
workspaces: |
test-framework
- name: Register rust problem matcher
run: echo "::add-matcher::.github/problem-matchers/rust.json"
- name: Test sudo-test itself
working-directory: test-framework
run: cargo test -p sudo-test
- name: Run all compliance tests against original sudo
working-directory: test-framework
run: cargo test -p sudo-compliance-tests -- --include-ignored
compliance-tests:
runs-on: ubuntu-latest
timeout-minutes: 20
env:
SUDO_TEST_PROFRAW_DIR: /tmp/profraw
SUDO_TEST_VERBOSE_DOCKER_BUILD: 1
CI: true
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: set up docker buildx
run: docker buildx create --name builder --use
- name: cache docker layers
uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a
with:
path: /tmp/.buildx-cache
key: docker-buildx-rs-${{ github.sha }}
restore-keys: docker-buildx-rs-
- name: Rust Cache
uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab
with:
shared-key: "compliance-tests"
workspaces: |
test-framework
- name: Register rust problem matcher
run: echo "::add-matcher::.github/problem-matchers/rust.json"
- name: Run gated compliance tests against sudo-rs
working-directory: test-framework
env:
SUDO_UNDER_TEST: ours
run: cargo test -p sudo-compliance-tests
- name: Check that we didn't forget to gate a passing compliance test
working-directory: test-framework
env:
SUDO_UNDER_TEST: ours
run: |
tmpfile="$(mktemp)"
cargo test -p sudo-compliance-tests -- --ignored | tee "$tmpfile"
grep 'test result: FAILED. 0 passed' "$tmpfile" || ( echo "expected ALL tests to fail but at least one passed; the passing tests must be un-#[ignore]-d" && exit 1 )
- name: prevent the cache from growing too large
run: |
rm -rf /tmp/.buildx-cache
mv /tmp/.buildx-cache-new /tmp/.buildx-cache
compliance-tests-lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Rust Cache
uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab
with:
shared-key: "compliance-tests"
workspaces: |
test-framework
- name: Register rust problem matcher
run: echo "::add-matcher::.github/problem-matchers/rust.json"
- name: clippy sudo-test
working-directory: test-framework
run: cargo clippy -p sudo-test --no-deps -- --deny warnings
- name: clippy compliance-tests
working-directory: test-framework
run: cargo clippy -p sudo-compliance-tests --tests --no-deps -- --deny warnings
- name: Check that all ignored tests are linked to a GH issue
working-directory: test-framework/sudo-compliance-tests
run: |
grep -r '#\[ignore' ./src | grep -v -e '"gh' -e '"wontfix"' && echo 'found ignored tests not linked to a GitHub issue. please like them using the format #[ignore = "gh123"]' && exit 1; true
build-and-test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Install llvm-tools component
run: rustup component add llvm-tools
- name: Add cargo-llvm-cov
uses: taiki-e/install-action@ddaadeb8971af08eaa9bdad7ba96eb721ed2aafd
with:
tool: cargo-llvm-cov
- name: Install dependencies
run: |
sudo apt update
sudo apt install libpam0g-dev
- name: Rust Cache
uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab
with:
shared-key: "stable"
- name: Register rust problem matcher
run: echo "::add-matcher::.github/problem-matchers/rust.json"
- name: Build
run: cargo build --workspace --all-targets --all-features --release
- name: Run tests
run: cargo llvm-cov --workspace --all-features --all-targets --release --lcov --output-path lcov.info
- name: Upload code coverage
uses: codecov/codecov-action@015f24e6818733317a2da2edd6290ab26238649a
with:
files: lcov.info
build-and-test-minimal:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Install nightly rust
run: |
rustup set profile minimal
rustup override set nightly
- name: Install dependencies
run: |
sudo apt update
sudo apt install libpam0g-dev
- name: Rust Cache
uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab
with:
shared-key: "nightly"
- name: Register rust problem matcher
run: echo "::add-matcher::.github/problem-matchers/rust.json"
- name: Update to minimal direct dependencies
run: cargo update -Zdirect-minimal-versions
- name: Build
run: cargo build --workspace --all-targets --all-features --release
- name: Run tests
run: cargo test --workspace --all-features --all-targets --release
build-and-test-msrv:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Install rust 1.70
run: rustup override set 1.70
- name: Install dependencies
run: |
sudo apt update
sudo apt install libpam0g-dev
- name: Rust Cache
uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab
with:
shared-key: "msrv"
- name: Register rust problem matcher
run: echo "::add-matcher::.github/problem-matchers/rust.json"
- name: Build
run: cargo build --workspace --all-targets --all-features --release
- name: Run tests
run: cargo test --workspace --all-features --all-targets --release
miri:
needs: build-and-test
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Install nightly rust and miri
run: |
rustup set profile minimal
rustup override set nightly
rustup component add miri
- name: Install dependencies
run: |
sudo apt update
sudo apt install libpam0g-dev
- name: Rust Cache
uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab
with:
shared-key: miri
- name: Register rust problem matcher
run: echo "::add-matcher::.github/problem-matchers/rust.json"
- name: Run tests
run: cargo miri test --workspace --all-features miri
check-bindings:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Install dependencies
run: |
sudo apt update
sudo apt install libpam0g-dev
- name: Install rust-bindgen
uses: taiki-e/install-action@ddaadeb8971af08eaa9bdad7ba96eb721ed2aafd
with:
tool: [email protected]
- name: Install cargo-minify
run: cargo install --locked --git https://github.com/tweedegolf/cargo-minify cargo-minify
- name: Regenerate bindings
run: make -B pam-sys
- name: Check for differences
run: git diff --exit-code
format:
runs-on: ubuntu-latest
env:
RUSTDOCFLAGS: "-D warnings"
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Run rustfmt
run: cargo fmt --all -- --check
clippy:
needs: format
runs-on: ubuntu-latest
env:
RUSTDOCFLAGS: "-D warnings"
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Rust Cache
uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab
with:
shared-key: "stable"
- name: Register rust problem matcher
run: echo "::add-matcher::.github/problem-matchers/rust.json"
- name: Run clippy
run: cargo clippy --no-deps --all-targets --all-features -- --deny warnings
docs:
needs: clippy
runs-on: ubuntu-latest
env:
RUSTDOCFLAGS: "-D warnings"
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Rust Cache
uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab
with:
shared-key: "stable"
- name: Register rust problem matcher
run: echo "::add-matcher::.github/problem-matchers/rust.json"
- name: Build docs
run: cargo doc --no-deps --document-private-items --all-features
audit:
needs: clippy
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Install cargo-audit
uses: taiki-e/install-action@ddaadeb8971af08eaa9bdad7ba96eb721ed2aafd
with:
tool: cargo-audit
- name: Run audit
run: cargo audit