feat(ci): use a VM to build flatpak bundle (#307)

In order to be able to test the package, we need to build the image outside of a Docker container. Both snap and flatpak cannot run correctly inside a Docker container. Our infrastructure at Gitlab is focused on Docker. So add a VM that allows us to create and test the flatpak bundle. Signed-off-by: Claudio André <[email protected]>
openwall · Nov 7, 2024 · 40f02e0 · 40f02e0
1 parent 0359b7d
commit 40f02e0
Show file tree

Hide file tree

Showing 2 changed files with 123 additions and 0 deletions.
diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt
@@ -27,16 +27,19 @@ basekit
 bestpractices
 bigfiles
 bugtracker
+builddir
 BUILDID
 buildlog
 buildsystem
+ccache
 CCO
 CFLAGS
 cflite
 CHECKOV
 cidr
 circleci
 cirruslabs
+ciscobinary
 claudio
 claudioandre
 clinfo
@@ -123,6 +126,7 @@ keyring
 kvm
 LASTEXITCODE
 Lauchpad
+launchpadcontent
 LDFLAGS
 len
 libasan
@@ -148,6 +152,7 @@ markdownlint
 metainfo
 mfb
 misconfig
+microsoft
 mktemp
 mrsp
 nproc
@@ -159,6 +164,7 @@ ocl
 oidc
 omp
 oneapi
+openh
 openmp
 oss
 osv
@@ -214,6 +220,7 @@ subdir
 sys
 tarball
 tcp
+tcpdump
 templatefile
 terraform
 tfstate

diff --git a/.github/workflows/flatpak-bundle.yml b/.github/workflows/flatpak-bundle.yml
@@ -0,0 +1,116 @@
+###############################################################################
+#        _       _             _   _            _____  _
+#       | |     | |           | | | |          |  __ \(_)
+#       | | ___ | |__  _ __   | |_| |__   ___  | |__) |_ _ __  _ __   ___ _ __
+#   _   | |/ _ \| '_ \| '_ \  | __| '_ \ / _ \ |  _  /| | '_ \| '_ \ / _ \ '__|
+#  | |__| | (_) | | | | | | | | |_| | | |  __/ | | \ \| | |_) | |_) |  __/ |
+#   \____/ \___/|_| |_|_| |_|  \__|_| |_|\___| |_|  \_\_| .__/| .__/ \___|_|
+#                                                       | |   | |
+#                                                       |_|   |_|
+#
+# Copyright (c) 2024 Claudio André <[email protected]>
+#
+# This program comes with ABSOLUTELY NO WARRANTY; express or implied.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, as expressed in version 2, seen at
+# http://www.gnu.org/licenses/gpl-2.0.html
+###############################################################################
+# GitHub Action to build John the Ripper's flatpak bundle
+# More info at https://github.com/openwall/john-packages
+
+---
+name: Flatpak Bundle
+
+on:
+  workflow_dispatch:
+
+  push:
+    branches:
+      - "flatpak"
+
+env:
+  DISPLAY: ":0.0"
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    name: Build bundle
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            azure.archive.ubuntu.com:80
+            ciscobinary.openh264.org:80
+            dl.flathub.org:443
+            esm.ubuntu.com:443
+            flathub.org:443
+            github.com:443
+            motd.ubuntu.com:443
+            packages.microsoft.com:443
+            ppa.launchpadcontent.net:443
+            raw.githubusercontent.com:443
+            www.tcpdump.org:443
+
+      - name: Check out the repo
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+
+      - name: Get data
+        id: data
+        run: |
+          {
+            echo "now=$(date -u)"
+            echo "revision=$(git rev-parse --short=7 HEAD 2>/dev/null)"
+            echo "version=1.9.$(date +%Y%m%d)"
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Dependencies
+        run: |
+          sudo apt-get update -yq
+          sudo apt-get install -y flatpak dbus-x11
+
+      - name: Build
+        run: |
+          wget https://github.com/openwall/john-packages/archive/refs/heads/release.zip -O main.zip #TODO undo Me
+          unzip main.zip
+          cp -r scripts/ john-packages-release/deploy/ #TODO undo Me
+
+          # To build the package, go to the place the recipe lives
+          cd john-packages-release/deploy/flatpak
+
+          flatpak remote-add --user --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
+          flatpak install -y --user flathub org.flatpak.Builder
+          dbus-launch flatpak run org.flatpak.Builder --force-clean --user --install --install-deps-from=flathub \
+            --ccache --mirror-screenshots-url=https://dl.flathub.org/media/ --repo=repo builddir com.openwall.John.json
+          flatpak build-bundle repo john.flatpak com.openwall.John
+
+          flatpak run com.openwall.John
+
+          cp john.flatpak "$GITHUB_WORKSPACE"
+          sha256sum john.flatpak
+        shell: bash
+
+      - name: "Upload Artifact"
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        with:
+          name: bundle
+          path: john.flatpak
+          retention-days: 15
+
+      - name: Test
+        run: |
+          # Required defines
+          export FLATPAK='true'
+          export JTR_BIN='john'
+          export TEST=';full;extra;OpenCL-info;' # Controls how the test will happen
+
+          wget https://raw.githubusercontent.com/openwall/john-packages/main/scripts/run_tests.sh
+          source run_tests.sh
+        shell: bash