launch/policy: prevent linking policies on invalid gids #110
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # Meson Test Suite | |
| # | |
| # This workflow builds the project via meson, configures a suitable test | |
| # environment, and then runs the test-suite defined in meson. | |
| # | |
| # We run the test-suite multiple times in parallel, each run with a different | |
| # setup, ranging from release builds to non-standard configuration flags. We | |
| # do not test the fully expanded matrix, but instead test a pre-defined set | |
| # of setups, to reduce burden on the CI systems. | |
| # | |
| name: "Meson Test Suite" | |
| on: | |
| pull_request: | |
| push: | |
| branches-ignore: ["pr/**"] | |
| tags: ["**"] | |
| workflow_dispatch: | |
| defaults: | |
| run: | |
| shell: "bash" | |
| jobs: | |
| unittest: | |
| name: "Unittest - ${{ matrix.id }} - ${{ matrix.name }}" | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| # Test a release build as recommended by upstream. This picks clang as | |
| # compiler with debug-optimized as build-target. We do not run valgrind | |
| # since it clashes with sd-bus used by the launcher. This test also | |
| # builds documentation and related resources. | |
| - id: "release" | |
| name: "RELEASE @ CLANG-X86_64 @ +TEST -VALGRIND @ -APPARMOR +AUDIT +DOCS +LAUNCHER +SELINUX" | |
| # Explicitly set all options here to document them. | |
| buildtype: "debugoptimized" | |
| cc: "clang" | |
| cflags: "-Werror" | |
| image: "ghcr.io/bus1/dbrk-ci-fedora:latest" | |
| m32: "no" | |
| setupargs: "-Daudit=true -Ddocs=true -Dlauncher=true -Dselinux=true" | |
| test: "yes" | |
| valgrind: "no" | |
| warnlevel: "2" | |
| # A release build with `-m32` to test on 32-bit. | |
| - id: "32bit" | |
| name: "RELEASE @ CLANG-I686 @ +TEST -VALGRIND @ -APPARMOR +AUDIT -DOCS +LAUNCHER -SELINUX" | |
| buildtype: "debugoptimized" | |
| cc: "clang" | |
| cflags: "-m32 -Werror" | |
| image: "ghcr.io/bus1/dbrk-ci-fedora:latest" | |
| m32: "yes" | |
| setupargs: "-Daudit=true -Dlauncher=true" | |
| test: "yes" | |
| warnlevel: "2" | |
| # A release build running through valgrind. We disable all features | |
| # that currently do not support valgrind runs (in particular sd-bus in | |
| # the launcher). | |
| - id: "valgrind" | |
| name: "RELEASE @ CLANG-X86_64 @ +TEST +VALGRIND @ -APPARMOR +AUDIT -DOCS -LAUNCHER -SELINUX" | |
| buildtype: "debugoptimized" | |
| cc: "clang" | |
| cflags: "-Werror" | |
| image: "ghcr.io/bus1/dbrk-ci-fedora:latest" | |
| setupargs: "-Daudit=true -Dlauncher=false" | |
| test: "yes" | |
| valgrind: "yes" | |
| warnlevel: "2" | |
| # A reduced build with `-O0` to verify we do not rely on dead-code | |
| # elimination. | |
| - id: "O0-PLAIN" | |
| name: "PLAIN @ GCC-X86_64 @ +TEST -VALGRIND @ -APPARMOR +AUDIT -DOCS +LAUNCHER +SELINUX" | |
| buildtype: "plain" | |
| cc: "gcc" | |
| cflags: "-O0 -Werror" | |
| image: "ghcr.io/bus1/dbrk-ci-fedora:latest" | |
| setupargs: "-Daudit=true -Dlauncher=true -Dselinux=true" | |
| test: "yes" | |
| warnlevel: "2" | |
| # An aggressive -O3 -DNDEBUG build that verfies that we properly | |
| # follow strict aliasing rules and do not rely on debug builds. | |
| - id: "O3-NDEBUG" | |
| name: "OPTIMIZED @ GCC-X86_64 @ +TEST -VALGRIND @ -APPARMOR +AUDIT -DOCS +LAUNCHER +SELINUX" | |
| buildtype: "release" | |
| cc: "gcc" | |
| cflags: "-O3 -Werror -DNDEBUG" | |
| image: "ghcr.io/bus1/dbrk-ci-fedora:latest" | |
| setupargs: "-Daudit=true -Dlauncher=true -Dselinux=true" | |
| test: "yes" | |
| warnlevel: "2" | |
| # Disable all options to compile-test their fallbacks. Run the test | |
| # suite to run basic fallback verification. | |
| - id: "fallback" | |
| name: "OPTIMIZED @ CLANG-X86_64 @ +TEST -VALGRIND @ -APPARMOR -AUDIT -DOCS -LAUNCHER -SELINUX" | |
| buildtype: "debugoptimized" | |
| cc: "clang" | |
| cflags: "-Werror" | |
| image: "ghcr.io/bus1/dbrk-ci-fedora:latest" | |
| setupargs: "-Dlauncher=false" | |
| test: "yes" | |
| warnlevel: "2" | |
| - id: "ubuntu" | |
| name: "RELEASE @ CLANG-X86_64 @ +TEST -VALGRIND @ +APPARMOR +AUDIT -DOCS +LAUNCHER -SELINUX" | |
| buildtype: "debugoptimized" | |
| cc: "clang" | |
| cflags: "-Werror" | |
| image: "ghcr.io/bus1/dbrk-ci-ubuntu:latest" | |
| setupargs: "-Dapparmor=true -Daudit=true -Dlauncher=true" | |
| test: "yes" | |
| warnlevel: "2" | |
| container: | |
| image: ${{ matrix.image }} | |
| env: | |
| CC: ${{ matrix.cc }} | |
| CFLAGS: ${{ matrix.cflags }} | |
| runs-on: "ubuntu-latest" | |
| steps: | |
| - name: "Fetch Sources" | |
| uses: actions/checkout@v4 | |
| - name: "Setup 32-bit Environment" | |
| if: matrix.m32 == 'yes' | |
| run: | | |
| echo \ | |
| "PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig:/usr/share/pkgconfig" \ | |
| >> $GITHUB_ENV | |
| - name: "Setup Meson" | |
| run: | | |
| meson setup \ | |
| --buildtype "${{ matrix.buildtype }}" \ | |
| --warnlevel "${{ matrix.warnlevel }}" \ | |
| ${{ matrix.setupargs }} \ | |
| "./build" \ | |
| "." | |
| - name: "Compile Project" | |
| run: | | |
| meson compile \ | |
| -C "./build" | |
| - name: "Run Tests" | |
| if: matrix.test == 'yes' | |
| run: | | |
| meson test \ | |
| -C "./build" \ | |
| --print-errorlogs | |
| - name: "Run Valgrind" | |
| if: matrix.valgrind == 'yes' | |
| run: | | |
| args=( | |
| "--gen-suppressions=all" | |
| "--trace-children=yes" | |
| "--leak-check=full" | |
| "--error-exitcode=1" | |
| ) | |
| meson test \ | |
| -C "./build" \ | |
| --print-errorlogs \ | |
| --timeout-multiplier=16 \ | |
| --wrapper="valgrind ${args[*]}" |