From 73152f9b6359b0ca44f797a54770c87b6ec50ac7 Mon Sep 17 00:00:00 2001
From: Adrian Dombeck
Date: Mon, 1 Sep 2025 23:59:35 +0200
Subject: [PATCH 1/7] Bump go toolchain to 1.25.0

Some of our dependencies now require a newer Go version than 1.23. Go 1.25 also allows us to use the new Output method of testing.T, making our test output easier to read.
---
 go.mod | 2 +-
 tools/go.mod | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/go.mod b/go.mod
index 2cf8019efd..ec8ebdb06c 100644
--- a/go.mod
+++ b/go.mod
@@ -2,7 +2,7 @@ module github.com/ubuntu/authd
 
 go 1.23.0
 
-toolchain go1.23.12
+toolchain go1.25.0
 
 require (
 github.com/charmbracelet/bubbles v0.20.0
diff --git a/tools/go.mod b/tools/go.mod
index 629ac18c08..13565f95ed 100644
--- a/tools/go.mod
+++ b/tools/go.mod
@@ -2,7 +2,7 @@ module github.com/ubuntu/authd/tools
 
 go 1.24.0
 
-toolchain go1.24.2
+toolchain go1.25.0
 
 require (
 github.com/golang/protobuf v1.5.4
From 68744fd3e909c8c68c9338c8aa0553191dbc8146 Mon Sep 17 00:00:00 2001
From: Adrian Dombeck
Date: Mon, 1 Sep 2025 16:05:51 +0200
Subject: [PATCH 2/7] ci: Work around `go test -cover` issue in Go 1.25

---
 .github/workflows/qa.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/qa.yaml b/.github/workflows/qa.yaml
index 3c81c0468b..34d7e97112 100644
--- a/.github/workflows/qa.yaml
+++ b/.github/workflows/qa.yaml
@@ -260,6 +260,9 @@ jobs:
 # Print executed commands to ease debugging
 set -x
 
+ # Work around https://github.com/golang/go/issues/75031
+ go env -w GOTOOLCHAIN="$(go version | awk '{ print $3 }')+auto"
+
 # Overriding the default coverage directory is not an exported flag of go test (yet), so
 # we need to override it using the test.gocoverdir flag instead.
 #TODO: Update when https://go-review.googlesource.com/c/go/+/456595 is merged.
From 73421aff69d897dce16449b54333ebfb405fcb8e Mon Sep 17 00:00:00 2001
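Review bot: The new `go env -w GOTOOLCHAIN="$(go version | awk '{ print $3 }')+auto"` line persistently rewrites the runner's Go environment file although only the commands in this coverage step need the setting; a shell-scoped `export GOTOOLCHAIN="$(go version | awk '{ print $3 }')+auto"` has the same effect for the rest of the block without leaking into later steps or a cached toolchain. The comment above it only links the issue; extending it to `# Work around https://github.com/golang/go/issues/75031 (go test -cover in Go 1.25); drop once a fixed toolchain is in use.` tells the next reader when the pin can go. The `run:` block this hunk edits starts and ends outside the hunk.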
From: Adrian Dombeck
Date: Tue, 2 Sep 2025 18:59:08 +0200
Subject: [PATCH 3/7] Fix misaligned pointer conversion

With Go 1.25, `go test -race` failed with: fatal error: checkptr: misaligned pointer conversion goroutine 72 gp=0xc0002281c0 m=8 mp=0xc00018a008 [running]: runtime.throw({0x16ece45?, 0x0?}) /home/user/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.25.0.linux-amd64/src/runtime/panic.go:1094 +0x48 fp=0xc0002f7150 sp=0xc0002f7120 pc=0x489cc8 runtime.checkptrAlignment(0xc0005fec1e, 0x1586820, 0x1) /home/user/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.25.0.linux-amd64/src/runtime/checkptr.go:20 +0x9a fp=0xc0002f7170 sp=0xc0002f7150 pc=0x41b8da github.com/ubuntu/authd/internal/users/localentries.strvToSlice(0xc0005fec1e)
---
 internal/users/localentries/getgrent_c.go | 26 +++++++++++++++--------
 1 file changed, 17 insertions(+), 9 deletions(-)

diff --git a/internal/users/localentries/getgrent_c.go b/internal/users/localentries/getgrent_c.go
index cec36f9148..ad06c3b1fb 100644
--- a/internal/users/localentries/getgrent_c.go
+++ b/internal/users/localentries/getgrent_c.go
@@ -7,6 +7,14 @@ package localentries
 #include
 #include
 #include
+
+// Return the length of a NULL-terminated array of strings.
+size_t strv_len(const char * const * strv) {
+ size_t n = 0;
+ while (strv[n]) n++;
+ return n;
+}
+
 */
 import "C"
 
@@ -74,15 +82,15 @@ func getGroupEntries() (entries []types.GroupEntry, err error) {
 }
 
 func strvToSlice(strv **C.char) []string {
- var users []string
- for i := C.uint(0); ; i++ {
- s := *(**C.char)(unsafe.Pointer(uintptr(unsafe.Pointer(strv)) +
- uintptr(i)*unsafe.Sizeof(*strv)))
- if s == nil {
- break
- }
+ if strv == nil {
+ return nil
+ }
+ n := C.strv_len(strv)
 
- users = append(users, C.GoString(s))
+ out := make([]string, int(n))
+ for i := 0; i < int(n); i++ {
+ p := *(**C.char)(unsafe.Add(unsafe.Pointer(strv), uintptr(i)*unsafe.Sizeof(*strv)))
+ out[i] = C.GoString(p)
 }
- return users
+ return out
 }
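Review bot: The element walk at `p := *(**C.char)(unsafe.Add(unsafe.Pointer(strv), uintptr(i)*unsafe.Sizeof(*strv)))` still computes the stride by hand; now that the length is known from `C.strv_len`, `for i, p := range unsafe.Slice(strv, int(n)) { out[i] = C.GoString(p) }` expresses the same loop with no pointer arithmetic at all (unsafe.Slice has been available since well before the go 1.23.0 this module declares). strvToSlice also has no doc comment; `// strvToSlice copies a NULL-terminated array of C strings into a Go slice; a nil strv yields nil.` would state the contract the new nil check introduces. In the first hunk the preamble helper strv_len is a non-static definition; declaring it `static size_t strv_len(...)` keeps it local to this file's generated C unit, and, like the Go side, it assumes the array is properly NULL-terminated, which is worth saying in its comment. getGroupEntries ends just before the second hunk; strvToSlice itself is shown in full.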
From b510d21f8adb040d9dc28202f549e8c921bee358 Mon Sep 17 00:00:00 2001
From: Adrian Dombeck
Date: Sat, 13 Sep 2025 06:30:18 +0200
Subject: [PATCH 4/7] ci: Use Go backports PPA

---
 .github/workflows/build-deb.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/build-deb.yaml b/.github/workflows/build-deb.yaml
index b7a70a854c..69e70cc434 100644
--- a/.github/workflows/build-deb.yaml
+++ b/.github/workflows/build-deb.yaml
@@ -56,6 +56,9 @@ jobs:
 uses: canonical/desktop-engineering/gh-actions/common/build-debian@main
 with:
 docker-image: ubuntu:${{ matrix.ubuntu-version }}
+ # Add the Go backports PPA, so that we can build with a newer
+ # version of Go than the one available in the archive.
+ extra-apt-repositories: ppa:ubuntu-enterprise-desktop/golang
 # Extra build dependencies:
 # - systemd-dev: Required to read compile time variables from systemd via pkg-config.
 extra-source-build-deps: |
@@ -270,3 +273,4 @@ jobs:
 with:
 lxd-image: ubuntu:${{ matrix.ubuntu-version }}
 source-changes: ${{ env.pkg_src_changes }}
+ autopkgtest-args: --add-apt-source=ppa:ubuntu-enterprise-desktop/golang
From 6edf81ea39eefbc505402552e38a88fa13e4e2b3 Mon Sep 17 00:00:00 2001
From: Adrian Dombeck
Date: Sat, 13 Sep 2025 06:32:18 +0200
Subject: [PATCH 5/7] debian/control: Bump Go dependency to 1.25

---
 debian/control | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian/control b/debian/control
index 398c2424f1..1a2e7e8940 100644
--- a/debian/control
+++ b/debian/control
@@ -15,7 +15,7 @@ Build-Depends: debhelper-compat (= 13),
 # so workaround it, making it kind of optional, and requiring it only on versions after
 # noble (controlled via base-files version that matches the one in noble).
 cargo-vendor-filterer | base-files (<< 13.5),
- golang-go (>= 2:1.23~) | golang-1.23-go,
+ golang-go (>= 2:1.25~) | golang-1.25-go,
 libc6-dev (>= 2.35),
 libglib2.0-dev,
 libpam0g-dev,
From 661b97af6a00c9a62aad56340fe7e8c2210a2251 Mon Sep 17 00:00:00 2001
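Review bot: The PPA name `ppa:ubuntu-enterprise-desktop/golang` is spelled out twice, in the new `extra-apt-repositories:` input of the build step and again in `autopkgtest-args: --add-apt-source=…` in the second hunk, and only the first occurrence carries the explanatory comment; if the two drift apart the package is built against one Go and autopkgtested against another. Defining the name once in an `env:` entry (the workflow's `env:` block is outside these hunks, so its current shape is not visible here) and referencing it from both inputs, e.g. `extra-apt-repositories: ${{ env.golang_ppa }}`, removes the duplication, and the comment should cover the autopkgtest line as well. Adding an apt source to both the build and the test environment widens what CI trusts; the comment could note that this is a Canonical-owned PPA so the trust decision is explicit in the file.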
From: Adrian Dombeck
Date: Mon, 15 Sep 2025 20:13:10 +0200
Subject: [PATCH 6/7] XXX: Use action from branch pre-deps-commands

---
 .github/workflows/build-deb.yaml | 4 ++--
 .github/workflows/qa.yaml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/build-deb.yaml b/.github/workflows/build-deb.yaml
index 69e70cc434..06855e2f76 100644
--- a/.github/workflows/build-deb.yaml
+++ b/.github/workflows/build-deb.yaml
@@ -53,7 +53,7 @@ jobs:
 uses: actions/checkout@v5
 
 - name: Build debian packages and sources
- uses: canonical/desktop-engineering/gh-actions/common/build-debian@main
+ uses: canonical/desktop-engineering/gh-actions/common/build-debian@pre-deps-commands
 with:
 docker-image: ubuntu:${{ matrix.ubuntu-version }}
 # Add the Go backports PPA, so that we can build with a newer
@@ -269,7 +269,7 @@ jobs:
 merge-multiple: true
 
 - name: Run autopkgtests
- uses: canonical/desktop-engineering/gh-actions/common/run-autopkgtest@main
+ uses: canonical/desktop-engineering/gh-actions/common/run-autopkgtest@pre-deps-commands
 with:
 lxd-image: ubuntu:${{ matrix.ubuntu-version }}
 source-changes: ${{ env.pkg_src_changes }}
diff --git a/.github/workflows/qa.yaml b/.github/workflows/qa.yaml
index 34d7e97112..9e6af12ee0 100644
--- a/.github/workflows/qa.yaml
+++ b/.github/workflows/qa.yaml
@@ -53,7 +53,7 @@ jobs:
 sudo apt-get install -y ${{ env.go_build_dependencies }}
 - uses: actions/checkout@v5
 - name: Go code sanity check
- uses: canonical/desktop-engineering/gh-actions/go/code-sanity@v2
+ uses: canonical/desktop-engineering/gh-actions/go/code-sanity@pre-deps-commands
 with:
 golangci-lint-configfile: ".golangci.yaml"
 tools-directory: "tools"
From 25c855718d5734eea3e7d9c3feb4433f99b5816e Mon Sep 17 00:00:00 2001
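Review bot: The `uses:` line now references the mutable branch `@pre-deps-commands` instead of the tag `@v2` or `@main`, so whatever that branch holds at run time is what builds, tests and lints this repository, and a later push to the branch changes the pipeline with no change visible here; the run-autopkgtest and code-sanity hunks in this patch do the same. The `XXX:` subject marks this as temporary, and it should not land in this form; if the branch has to be used meanwhile, pinning to a full commit SHA, `uses: canonical/desktop-engineering/gh-actions/common/build-debian@<commit-sha> # pre-deps-commands`, keeps the reference immutable while recording which branch it came from.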
From: Adrian Dombeck
Date: Tue, 16 Sep 2025 12:37:47 +0200
Subject: [PATCH 7/7] XXX: Remove other CI jobs

---
 .github/workflows/auto-updates.yaml | 112 ------
 .github/workflows/automatic-doc-checks.yml | 28 --
 .github/workflows/cla-check.yaml | 12 -
 .github/workflows/git.yml | 12 -
 .github/workflows/qa.yaml | 386 ---------------------
 .github/workflows/tics-run.yaml | 79 -----
 .github/workflows/validate-dependabot.yaml | 19 -
 7 files changed, 648 deletions(-)
 delete mode 100644 .github/workflows/auto-updates.yaml
 delete mode 100644 .github/workflows/automatic-doc-checks.yml
 delete mode 100644 .github/workflows/cla-check.yaml
 delete mode 100644 .github/workflows/git.yml
 delete mode 100644 .github/workflows/qa.yaml
 delete mode 100644 .github/workflows/tics-run.yaml
 delete mode 100644 .github/workflows/validate-dependabot.yaml

diff --git a/.github/workflows/auto-updates.yaml b/.github/workflows/auto-updates.yaml
deleted file mode 100644
index 3939e598d7..0000000000
--- a/.github/workflows/auto-updates.yaml
+++ /dev/null
@@ -1,112 +0,0 @@ -name: Update translations and Rust packaging related files in main -on: - push: - branches: - - main - paths-ignore: - - 'debian/control' -concurrency: auto-update - -permissions: - pull-requests: write - contents: write - -# Jobs in this action must not run concurrently, as they modify the repository. -# When adding more jobs, make sure to use the "needs:" attribute to make sure they run sequentially. -jobs: - update-rust-packaging: - strategy: - fail-fast: false - matrix: - branch: [main] - ubuntu-version: [devel] - include: - - branch: noble - ubuntu-version: noble - - name: Update ${{ matrix.ubuntu-version }} packaging related Rust files - runs-on: ubuntu-latest - container: - image: ubuntu:${{ matrix.ubuntu-version }} - env: - CARGO_VENDOR_DIR: ${{ github.workspace }}/vendor_rust - UPDATE_BRANCH: auto-update-rust-packaging-${{ matrix.ubuntu-version }} - steps: - - name: Install dependencies - env: - DEBIAN_FRONTEND: noninteractive - CARGO_VENDOR_FILTERER_NOBLE_VERSION: 0.5.16 - shell: bash - run: | - set -euo pipefail - - apt-get update -y - apt-get install -y dh-cargo git - - if [ "${{ matrix.ubuntu-version }}" = "noble" ]; then - # Special behavior on noble as dh-cargo is not new enough there - apt-get install -y libssl-dev pkg-config - cargo install --locked --root=/usr \ - cargo-vendor-filterer@${{ env.CARGO_VENDOR_FILTERER_NOBLE_VERSION }} - else - apt-get install -y cargo-vendor-filterer - fi - - - name: Checkout the code - uses: actions/checkout@v5 - with: - ref: ${{ matrix.branch }} - - - name: Vendor the dependencies - env: - CARGO_PATH: /usr/share/cargo/bin/cargo - shell: bash - run: | - set -euo pipefail - - sh -x debian/vendor-rust.sh - - - name: Update XS-Vendored-Sources-Rust - shell: bash - run: | - set -euo pipefail - - VENDORED_SOURCES=$(/usr/share/cargo/bin/dh-cargo-vendored-sources 2>&1) \ - || cmd_status=$? 
- OUTPUT=$(echo "$VENDORED_SOURCES" | grep ^XS-Vendored-Sources-Rust: || true) - if [ -z "${OUTPUT}" ]; then - if [ "${cmd_status:-0}" -ne 0 ]; then - # dh-cargo-vendored-sources failed because of other reason, so let's fail with it! - echo "dh-cargo-vendored-sources failed:" - echo "${VENDORED_SOURCES}" - exit "${cmd_status}" - fi - - echo "XS-Vendored-Sources-Rust is up to date. No change is needed."; - exit 0 - fi - sed -i "s/^XS-Vendored-Sources-Rust:.*/$OUTPUT/" debian/control - - echo "modified=true" >> "${GITHUB_ENV}" - echo "update_branch=${UPDATE_BRANCH}" >> "${GITHUB_ENV}" - - - name: Create Pull Request - if: ${{ env.modified == 'true' }} - uses: peter-evans/create-pull-request@v7 - with: - commit-message: Auto update packaging related Rust files - title: | - [${{ matrix.ubuntu-version }}] Auto update packaging related Rust files - labels: control, automated pr - branch: ${{ env.update_branch }} - delete-branch: true - token: ${{ secrets.GITHUB_TOKEN }} - - - name: Push branch - if: ${{ env.modified == 'true' }} - shell: bash - run: | - set -eu - - git config --system --add safe.directory "${PWD}" - git push origin ${{ env.update_branch }}:${{ matrix.branch }} diff --git a/.github/workflows/automatic-doc-checks.yml b/.github/workflows/automatic-doc-checks.yml deleted file mode 100644 index 9f44eead32..0000000000 --- a/.github/workflows/automatic-doc-checks.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -name: Main Documentation Checks - -on: - push: - branches: [main] - paths: - - '.github/workflows/automatic-doc-checks.yml' - - '.readthedocs.yaml' - - 'docs/**' - pull_request: - paths: - - '.github/workflows/automatic-doc-checks.yml' - - '.readthedocs.yaml' - - 'docs/**' - schedule: - - cron: '0 12 * * MON' - # Manual trigger - workflow_dispatch: - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - documentation-checks: - uses: canonical/documentation-workflows/.github/workflows/documentation-checks.yaml@main - with: - working-directory: "./docs" diff --git a/.github/workflows/cla-check.yaml b/.github/workflows/cla-check.yaml deleted file mode 100644 index c9fc001af5..0000000000 --- a/.github/workflows/cla-check.yaml +++ /dev/null @@ -1,12 +0,0 @@ -name: Check if CLA is signed -on: [pull_request_target] - -jobs: - cla-check: - name: Check if CLA is signed - runs-on: ubuntu-latest - steps: - - name: Check if CLA signed - uses: canonical/has-signed-canonical-cla@v2 - with: - accept-existing-contributors: true diff --git a/.github/workflows/git.yml b/.github/workflows/git.yml deleted file mode 100644 index 6416b56897..0000000000 --- a/.github/workflows/git.yml +++ /dev/null @@ -1,12 +0,0 @@ -name: Git Checks - -on: [pull_request] - -jobs: - block-fixup: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v5 - - name: Block Fixup Commit Merge - uses: 13rac1/block-fixup-merge-action@v2.0.0 diff --git a/.github/workflows/qa.yaml b/.github/workflows/qa.yaml deleted file mode 100644 index 9e6af12ee0..0000000000 --- a/.github/workflows/qa.yaml +++ /dev/null 
@@ -1,386 +0,0 @@ -name: QA & sanity checks -on: - push: - branches: - - main - paths-ignore: - - '.github/workflows/automatic-doc-checks.yml' - - '.readthedocs.yaml' - - 'docs/**' - tags: - - "*" - pull_request: - paths-ignore: - - '.github/workflows/automatic-doc-checks.yml' - - '.readthedocs.yaml' - - 'docs/**' - -env: - DEBIAN_FRONTEND: noninteractive - GO_TESTS_TIMEOUT: 20m - c_build_dependencies: >- - clang-tools - clang - libglib2.0-dev - libpam-dev - - go_build_dependencies: >- - libglib2.0-dev - libpam-dev - libpwquality-dev - - go_test_dependencies: >- - apparmor-profiles - bubblewrap - cracklib-runtime - git-delta - openssh-client - openssh-server - -jobs: - go-sanity: - name: "Go: Code sanity" - permissions: {} - runs-on: ubuntu-24.04 # ubuntu-latest-runner - steps: - - uses: canonical/desktop-engineering/gh-actions/common/dpkg-install-speedup@main - - name: Install dependencies - run: | - # Install dependencies - set -eu - - sudo apt-get update - sudo apt-get install -y ${{ env.go_build_dependencies }} - - uses: actions/checkout@v5 - - name: Go code sanity check - uses: canonical/desktop-engineering/gh-actions/go/code-sanity@pre-deps-commands - with: - golangci-lint-configfile: ".golangci.yaml" - tools-directory: "tools" - token: ${{ secrets.GITHUB_TOKEN }} - - name: Build cmd/authd with withexamplebroker tag - run: | - set -eu - go build -tags withexamplebroker ./cmd/authd - - name: Run PAM client for interactive testing purposes - run: | - set -eu - go run -tags withpamrunner ./pam/tools/pam-runner login --exec-debug - - name: Generate PAM module - run: | - set -eu - find pam -name '*.so' -print -delete - go generate -C pam -x - test -e pam/pam_authd.so - test -e pam/go-exec/pam_authd_exec.so - - name: Generate PAM module with pam_debug tag - run: | - set -eu - find pam -name '*.so' -print -delete - go generate -C pam -x -tags pam_debug - test -e pam/pam_authd.so - test -e pam/go-exec/pam_authd_exec.so - - rust-sanity: - name: "Rust: Code sanity" - 
permissions: {} - runs-on: ubuntu-24.04 # ubuntu-latest-runner - steps: - - uses: canonical/desktop-engineering/gh-actions/common/dpkg-install-speedup@main - - name: Install dependencies - run: | - # Install dependencies - set -eu - - sudo apt-get update - # In Rust the grpc stubs are generated at build time - # so we always need to install the protobuf compilers - # when building the NSS crate. - sudo apt-get install -y protobuf-compiler - - uses: actions/checkout@v5 - - name: Rust code sanity check - uses: canonical/desktop-engineering/gh-actions/rust/code-sanity@main - with: - token: ${{ secrets.GITHUB_TOKEN }} - - c-sanity: - name: "C Code sanity" - runs-on: ubuntu-24.04 # ubuntu-latest-runner - env: - CFLAGS: "-Werror" - steps: - - uses: canonical/desktop-engineering/gh-actions/common/dpkg-install-speedup@main - - name: Install dependencies - run: | - # Install dependencies - set -eu - - sudo apt-get update - sudo apt-get install -y ${{ env.c_build_dependencies }} - - name: Prepare report dir - run: | - set -eu - - scan_build_dir=$(mktemp -d --tmpdir scan-build-dir-XXXXXX) - echo SCAN_BUILD_REPORTS_PATH="${scan_build_dir}" >> $GITHUB_ENV - - uses: actions/checkout@v5 - - name: Run scan build on GDM extensions - run: | - set -eu - - scan-build -v -o "${SCAN_BUILD_REPORTS_PATH}" clang ${CFLAGS} \ - -Wno-gnu-variable-sized-type-not-at-end \ - pam/internal/gdm/extension.h - - name: Run scan build on go-exec module - run: | - set -eu - - scan-build -v -o "${SCAN_BUILD_REPORTS_PATH}" clang ${CFLAGS} \ - -DAUTHD_TEST_MODULE=1 \ - $(pkg-config --cflags --libs gio-unix-2.0 gio-2.0) \ - -lpam -shared -fPIC \ - pam/go-exec/module.c - - name: Upload scan build reports - uses: actions/upload-artifact@v4 - with: - name: authd-${{ github.job }}-artifacts-${{ github.run_attempt }} - path: ${{ env.SCAN_BUILD_REPORTS_PATH }} - - go-tests: - name: "Go: Tests" - runs-on: ubuntu-24.04 # ubuntu-latest-runner - strategy: - fail-fast: false - matrix: - test: ["coverage", "race", 
"asan"] - steps: - - uses: canonical/desktop-engineering/gh-actions/common/dpkg-install-speedup@main - - name: Install dependencies - run: | - # Install dependencies - set -eu - - sudo apt-get update - - # The integration tests build the NSS crate, so we need the cargo build dependencies in order to run them. - sudo apt-get install -y protobuf-compiler - - sudo apt-get install -y ${{ env.go_build_dependencies }} ${{ env.go_test_dependencies}} - - # Load the apparmor profile for bubblewrap. - sudo ln -s /usr/share/apparmor/extra-profiles/bwrap-userns-restrict /etc/apparmor.d/ - sudo apparmor_parser /etc/apparmor.d/bwrap-userns-restrict - - - name: Install glibc, PAM and GLib debug symbols - continue-on-error: true - run: | - set -eu - sudo apt-get install -y ubuntu-dbgsym-keyring libc6-dbg - echo "deb http://ddebs.ubuntu.com $(lsb_release -cs) main restricted universe multiverse - deb http://ddebs.ubuntu.com $(lsb_release -cs)-updates main restricted universe multiverse - deb http://ddebs.ubuntu.com $(lsb_release -cs)-proposed main restricted universe multiverse" | \ - sudo tee -a /etc/apt/sources.list.d/ddebs.list - # Sometimes ddebs archive is stuck, so in case of failure we need to go manual - sudo apt-get update -y || true - if ! 
sudo apt-get install -y libpam-modules-dbgsym libpam0*-dbgsym libglib2.0-0*-dbgsym; then - sudo apt-get install -y ubuntu-dev-tools - for pkg in pam glib2.0; do - pull-lp-debs "${pkg}" $(lsb_release -cs) - pull-lp-ddebs "${pkg}" $(lsb_release -cs) - done - sudo apt-get install -y ./libpam0*.*deb ./libpam-modules*.*deb ./libglib2.0-0*-dbgsym*.ddeb - sudo apt-get remove -y ubuntu-dev-tools - sudo apt-get autoremove -y - fi - - uses: actions/checkout@v5 - - uses: actions/setup-go@v5 - with: - go-version-file: go.mod - - - name: Install gotestfmt and our wrapper script - uses: canonical/desktop-engineering/gh-actions/go/gotestfmt@main - - - name: Install VHS and ttyd for integration tests - run: | - set -eu - go install github.com/charmbracelet/vhs@latest - - # VHS requires ttyd >= 1.7.2 to work properly. - wget https://github.com/tsl0922/ttyd/releases/download/1.7.7/ttyd.x86_64 - chmod +x ttyd.x86_64 - sudo mv ttyd.x86_64 /usr/bin/ttyd - - # VHS doesn't really use ffmpeg anymore now, but it still checks for it. - # Drop this when https://github.com/charmbracelet/vhs/pull/591 is released. 
- sudo ln -s /usr/bin/true /usr/local/bin/ffmpeg - - - name: Install latest Rust version - run: rustup update stable - - - name: Install grcov - if: matrix.test == 'coverage' - uses: baptiste0928/cargo-install@v3 - with: - crate: grcov - - name: Prepare tests artifacts path - run: | - set -eu - - artifacts_dir=$(mktemp -d --tmpdir authd-test-artifacts-XXXXXX) - echo AUTHD_TESTS_ARTIFACTS_PATH="${artifacts_dir}" >> $GITHUB_ENV - - echo ASAN_OPTIONS="log_path=${artifacts_dir}/asan.log:print_stats=true" >> $GITHUB_ENV - - - name: Install coverage collection dependencies - if: matrix.test == 'coverage' - run: | - set -eu - - # Dependendencies for C coverage collection - sudo apt-get install -y gcovr - - # Dependendencies for Go coverage collection - go install github.com/AlekSi/gocov-xml@latest - go install github.com/axw/gocov/gocov@latest - dotnet tool install -g dotnet-reportgenerator-globaltool - - - name: Run tests (with coverage collection) - if: matrix.test == 'coverage' - env: - G_DEBUG: "fatal-criticals" - run: | - set -euo pipefail - - # The coverage is not written if the output directory does not exist, so we need to create it. - cov_dir=${PWD}/coverage - codecov_dir=${cov_dir}/codecov - raw_cov_dir=${cov_dir}/raw - mkdir -p "${raw_cov_dir}" "${codecov_dir}" - - # Print executed commands to ease debugging - set -x - - # Work around https://github.com/golang/go/issues/75031 - go env -w GOTOOLCHAIN="$(go version | awk '{ print $3 }')+auto" - - # Overriding the default coverage directory is not an exported flag of go test (yet), so - # we need to override it using the test.gocoverdir flag instead. - #TODO: Update when https://go-review.googlesource.com/c/go/+/456595 is merged. - go test -json -timeout ${GO_TESTS_TIMEOUT} -cover -covermode=set ./... -coverpkg=./... 
\ - -shuffle=on -failfast -args -test.gocoverdir="${raw_cov_dir}" | \ - gotestfmt --logfile "${AUTHD_TESTS_ARTIFACTS_PATH}/gotestfmt.cover.log" - - # Convert the raw coverage data into textfmt so we can merge the Rust one into it - go tool covdata textfmt -i="${raw_cov_dir}" -o="${cov_dir}/coverage.out" - - # Append the Rust coverage data to the Go one - cat "${raw_cov_dir}/rust-cov/rust2go_coverage" >>"${cov_dir}/coverage.out" - - # Filter out the testutils package and the pb.go file - grep -v -e "testutils" -e "pb.go" -e "testsdetection" "${cov_dir}/coverage.out" >"${cov_dir}/coverage.out.filtered" - - # Generate the Cobertura report for Go and Rust - gocov convert "${cov_dir}/coverage.out.filtered" | gocov-xml > "${cov_dir}/coverage.xml" - reportgenerator -reports:"${cov_dir}/coverage.xml" -targetdir:"${cov_dir}" -reporttypes:Cobertura - - # Generate the Cobertura report for C - gcovr --cobertura "${cov_dir}/Cobertura_C.xml" "${raw_cov_dir}" - - # Merge Cobertura reports into a single one - reportgenerator -reports:"${cov_dir}/Cobertura.xml;${cov_dir}/Cobertura_C.xml" \ - -targetdir:"${codecov_dir}" -reporttypes:Cobertura - - # Store the coverage directory for the next steps - echo COVERAGE_DIR="${codecov_dir}" >> ${GITHUB_ENV} - - - name: Run tests (with race detector) - if: matrix.test == 'race' - env: - GO_TESTS_TIMEOUT: 35m - AUTHD_TESTS_SLEEP_MULTIPLIER: 3 - GORACE: log_path=${{ env.AUTHD_TESTS_ARTIFACTS_PATH }}/gorace.log - run: | - go test -json -timeout ${GO_TESTS_TIMEOUT} -race -failfast ./... | \ - gotestfmt --logfile "${AUTHD_TESTS_ARTIFACTS_PATH}/gotestfmt.race.log" || exit_code=$? - - if [ "${exit_code:-0}" -ne 0 ]; then - cat "${AUTHD_TESTS_ARTIFACTS_PATH}"/gorace.log* || true - exit ${exit_code} - fi - - - name: Run PAM tests (with Address Sanitizer) - if: matrix.test == 'asan' - env: - # Do not optimize, keep debug symbols and frame pointer for better - # stack trace information in case of ASAN errors. 
- CGO_CFLAGS: "-O0 -g3 -fno-omit-frame-pointer" - G_DEBUG: "fatal-criticals" - GO_TESTS_TIMEOUT: 30m - AUTHD_TESTS_SLEEP_MULTIPLIER: 1.5 - # Use these flags to give ASAN a better time to unwind the stack trace - GO_GC_FLAGS: -N -l - run: | - # Print executed commands to ease debugging - set -x - - # For llvm-symbolizer - sudo apt-get install -y llvm - - go test -C ./pam/internal -json -asan -gcflags=all="${GO_GC_FLAGS}" -failfast -timeout ${GO_TESTS_TIMEOUT} ./... | \ - gotestfmt --logfile "${AUTHD_TESTS_ARTIFACTS_PATH}/gotestfmt.pam-internal-asan.log" || exit_code=$? - if [ -n "${exit_code:-}" ]; then - cat "${AUTHD_TESTS_ARTIFACTS_PATH}"/asan.log* || true - exit ${exit_code} - fi - - echo "Running PAM integration tests" - pushd ./pam/integration-tests - go test -asan -gcflags=all="${GO_GC_FLAGS}" -c - go tool test2json -p pam/integrations-test ./integration-tests.test \ - -test.v=test2json \ - -test.failfast \ - -test.timeout ${GO_TESTS_TIMEOUT} | \ - gotestfmt --logfile "${AUTHD_TESTS_ARTIFACTS_PATH}/gotestfmt.pam-integration-tests-asan.log" || \ - exit_code=$? - popd - - # We don't need the xtrace output after this point - set +x - - # We're logging to a file, and this is useful for having artifacts, but we still may want to see it in logs: - for f in "${AUTHD_TESTS_ARTIFACTS_PATH}"/asan.log*; do - if ! 
[ -e "${f}" ]; then - continue - fi - if [ -s "${f}" ]; then - echo "::group::${f} ($(wc -l < "${f}") lines)" - cat "${f}" - echo "::endgroup::" - else - echo "${f}: empty" - fi - done - - exit ${exit_code} - - - name: Upload coverage to Codecov - if: matrix.test == 'coverage' - uses: codecov/codecov-action@v5 - with: - directory: ${{ env.COVERAGE_DIR }} - files: ${{ env.COVERAGE_DIR }}/Cobertura.xml - token: ${{ secrets.CODECOV_TOKEN }} - - - name: Upload coverage artifacts - if: matrix.test == 'coverage' && github.ref == 'refs/heads/main' - uses: actions/upload-artifact@v4 - with: - name: coverage - path: ${{ env.COVERAGE_DIR }} - - - name: Upload test artifacts - if: always() - uses: actions/upload-artifact@v4 - with: - name: authd-${{ github.job }}-${{ matrix.test }}-artifacts-${{ github.run_attempt }} - path: ${{ env.AUTHD_TESTS_ARTIFACTS_PATH }} diff --git a/.github/workflows/tics-run.yaml b/.github/workflows/tics-run.yaml deleted file mode 100644 index a350f29387..0000000000 --- a/.github/workflows/tics-run.yaml +++ /dev/null 
@@ -1,79 +0,0 @@ -name: TICS QA Analysis - -on: - schedule: - - cron: '0 0 * * 1' # Runs every Monday at midnight - workflow_dispatch: - - -env: - DEBIAN_FRONTEND: noninteractive - build_dependencies: >- - clang-tools - clang - libglib2.0-dev - libpam-dev - libpwquality-dev - -jobs: - tics: - name: TIOBE TICS Framework - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v5 - - uses: actions/setup-go@v6 - with: - go-version-file: go.mod - - - - name: Update Rust version - run: | - rustup update stable - - - uses: canonical/desktop-engineering/gh-actions/common/dpkg-install-speedup@main - - name: Install dependencies - run: | - set -eu - - sudo apt-get update - sudo apt-get install -y ${{ env.build_dependencies }} - - go install honnef.co/go/tools/cmd/staticcheck@latest - - - name: Fetch last successful QA run id - env: - GITHUB_TOKEN: ${{ github.token }} - run: | - set -eu - echo "LAST_QA_ID=$(gh run list --workflow 'QA & sanity checks' --limit 1 --status success --json databaseId -b main | jq '.[].databaseId')" >> $GITHUB_ENV - - - name: Download coverage artifact - uses: actions/download-artifact@v4 - with: - github-token: ${{ github.token }} - path: .artifacts/ - run-id: ${{ env.LAST_QA_ID }} - - - name: TICS Scan - env: - TICSAUTHTOKEN: ${{ secrets.TICSAUTHTOKEN }} - GH_TOKEN: ${{ github.token }} - run: | - set -e - - # Move coverage to expected directory - mkdir coverage - mv .artifacts/coverage/Cobertura.xml coverage/coverage.xml - - # Install TICS - . <(curl --silent --show-error 'https://canonical.tiobe.com/tiobeweb/TICS/api/public/v1/fapi/installtics/Script?cfg=GoProjects&platform=linux&url=https://canonical.tiobe.com/tiobeweb/TICS/') - - # TICS needs to build the artifacts in order to run the analysis. - # Since it uses the GOTOOLCHAIN=local stanza, it's better if we prebuild it to make sure that the Go - # toolchain setup by the action is properly updated to the one we defined in go.mod. 
Prebuilding also - # helps to speed up the TICS analysis, as we would already have the build cache populated. - find pam -name '*.so' -print -delete - go generate -C pam -x - go build ./cmd/authd - - TICSQServer -project authd -tmpdir /tmp/tics -branchdir . diff --git a/.github/workflows/validate-dependabot.yaml b/.github/workflows/validate-dependabot.yaml deleted file mode 100644 index 770bb18e3b..0000000000 --- a/.github/workflows/validate-dependabot.yaml +++ /dev/null @@ -1,19 +0,0 @@ -name: dependabot validate - -on: - pull_request: - paths: - - '.github/dependabot.yml' - -jobs: - validate: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v5 - - uses: marocchino/validate-dependabot@v3 - id: validate - - uses: marocchino/sticky-pull-request-comment@v2 - if: always() - with: - header: validate-dependabot - message: ${{ steps.validate.outputs.markdown }}