forked from bootc-dev/bootc
-
Notifications
You must be signed in to change notification settings - Fork 0
226 lines (199 loc) · 7.99 KB
/
ci.yml
File metadata and controls
226 lines (199 loc) · 7.99 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
# CI Workflow for bootc
#
# Core principles:
# - Everything done here should be easy to replicate locally. Most tasks
# should invoke `just <something>`. Read the Justfile for more explanation
# of this.
# - Most additions to this should be extending existing tasks; e.g.
# there's places for unit and integration tests already.
name: CI
permissions:
actions: read
on:
push:
branches: [main]
pull_request:
branches: [main]
workflow_dispatch: {}
env:
CARGO_TERM_COLOR: always
# Something seems to be setting this in the default GHA runners, which breaks bcvk
# as the default runner user doesn't have access
LIBVIRT_DEFAULT_URI: "qemu:///session"
DEV_IMAGE: ghcr.io/bootc-dev/dev-bootc
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
# Run basic validation checks (linting, formatting, etc)
validate:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v6
- name: Bootc Ubuntu Setup
uses: ./.github/actions/bootc-ubuntu-setup
- name: Validate (default)
run: just validate
# Check for security vulnerabilities and license compliance
cargo-deny:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v6
- uses: EmbarkStudios/cargo-deny-action@v2
with:
log-level: warn
command: check -A duplicate bans sources licenses
# Test bootc installation scenarios and fsverity support
# TODO convert to be an integration test
install-tests:
name: "Test install"
runs-on: ubuntu-24.04
steps:
- name: Checkout repository
uses: actions/checkout@v6
- name: Bootc Ubuntu Setup
uses: ./.github/actions/bootc-ubuntu-setup
- name: Enable fsverity for /
run: sudo tune2fs -O verity $(findmnt -vno SOURCE /)
- name: Install utils
run: sudo apt -y install fsverity just
- name: Integration tests
run: |
set -xeu
# Build images to test; TODO investigate doing single container builds
# via GHA and pushing to a temporary registry to share among workflows?
sudo just build
sudo just build-install-test-image
sudo podman build -t localhost/bootc-fsverity -f ci/Containerfile.install-fsverity
# Grant permission
sudo chown -R "$(id -u):$(id -g)" /home/runner/work/bootc/bootc
# TODO move into a container, and then have this tool run other containers
cargo build --release -p tests-integration
df -h /
sudo install -m 0755 target/release/tests-integration /usr/bin/bootc-integration-tests
sudo rm target -rf
df -h /
# The ostree-container tests
sudo podman run --privileged --pid=host -v /:/run/host -v $(pwd):/src:ro -v /var/tmp:/var/tmp \
--tmpfs /var/lib/containers \
-v /run/dbus:/run/dbus -v /run/systemd:/run/systemd localhost/bootc /src/crates/ostree-ext/ci/priv-integration.sh
# Nondestructive but privileged tests
sudo bootc-integration-tests host-privileged localhost/bootc-integration-install
# Install tests
sudo bootc-integration-tests install-alongside localhost/bootc-integration-install
# system-reinstall-bootc tests
cargo build --release -p system-reinstall-bootc
# not sure why this is missing in the ubuntu image but just creating this directory allows the tests to pass
sudo mkdir -p /run/sshd
sudo install -m 0755 target/release/system-reinstall-bootc /usr/bin/system-reinstall-bootc
# These tests may mutate the system live so we can't run in parallel
sudo bootc-integration-tests system-reinstall localhost/bootc-integration --test-threads=1
# And the fsverity case
sudo podman run --privileged --pid=host localhost/bootc-fsverity bootc install to-existing-root --stateroot=other \
--acknowledge-destructive --skip-fetch-check
# Crude cross check
sudo find /ostree/repo/objects -name '*.file' -type f | while read f; do
sudo fsverity measure $f >/dev/null
done
# Test that we can build documentation
docs:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v6
- name: Bootc Ubuntu Setup
uses: ./.github/actions/bootc-ubuntu-setup
- name: Build mdbook
run: just build-mdbook
# Build packages for each test OS
package:
strategy:
fail-fast: false
matrix:
test_os: [fedora-42, fedora-43, fedora-44, centos-9, centos-10]
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v6
- name: Bootc Ubuntu Setup
uses: ./.github/actions/bootc-ubuntu-setup
- name: Setup env
run: |
BASE=$(just pullspec-for-os base ${{ matrix.test_os }})
echo "BOOTC_base=${BASE}" >> $GITHUB_ENV
- name: Build packages
run: just package
- name: Upload package artifacts
uses: actions/upload-artifact@v5
with:
name: packages-${{ matrix.test_os }}
path: target/packages/*.rpm
retention-days: 1
# Build bootc from source into a container image FROM each specified base `test_os`
# running unit and integration tests (using TMT, leveraging the support for nested virtualization
# in the GHA runners)
test-integration:
needs: package
strategy:
fail-fast: false
matrix:
test_os: [fedora-42, fedora-43, fedora-44, centos-9, centos-10]
variant: [ostree, composefs-sealeduki-sdboot]
exclude:
# centos-9 UKI is experimental/broken (https://github.com/bootc-dev/bootc/issues/1812)
- test_os: centos-9
variant: composefs-sealeduki-sdboot
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v6
- name: Bootc Ubuntu Setup
uses: ./.github/actions/bootc-ubuntu-setup
with:
libvirt: true
- name: Install tmt
run: pip install --user "tmt[provision-virtual]"
- name: Setup env
run: |
BASE=$(just pullspec-for-os base ${{ matrix.test_os }})
echo "BOOTC_base=${BASE}" >> $GITHUB_ENV
echo "BOOTC_variant=${{ matrix.variant }}" >> $GITHUB_ENV
if [ "${{ matrix.variant }}" = "composefs-sealeduki-sdboot" ]; then
BUILDROOTBASE=$(just pullspec-for-os buildroot-base ${{ matrix.test_os }})
echo "BOOTC_buildroot_base=${BUILDROOTBASE}" >> $GITHUB_ENV
fi
- name: Download package artifacts
uses: actions/download-artifact@v6
with:
name: packages-${{ matrix.test_os }}
path: target/packages/
- name: Build container
run: |
just build-integration-test-image-from-package target/packages
# Extra cross-check (duplicating the integration test) that we're using the right base
used_vid=$(podman run --rm localhost/bootc-integration bash -c '. /usr/lib/os-release && echo ${ID}-${VERSION_ID}')
test ${{ matrix.test_os }} = "${used_vid}"
- name: Unit and container integration tests
run: just test-container
- name: Run TMT tests
run: |
if [ "${{ matrix.variant }}" = "composefs-sealeduki-sdboot" ]; then
just test-composefs
else
just test-tmt
fi
- name: Archive TMT logs
if: always()
uses: actions/upload-artifact@v5
with:
name: tmt-log-PR-${{ github.event.number }}-${{ matrix.test_os }}-${{ matrix.variant }}-${{ env.ARCH }}
path: /var/tmp/tmt
# Sentinel job for required checks - configure this job name in repository settings
required-checks:
if: always()
needs: [cargo-deny, validate, package, test-integration]
runs-on: ubuntu-latest
steps:
- run: exit 1
if: >-
needs.cargo-deny.result != 'success' ||
needs.validate.result != 'success' ||
needs.package.result != 'success' ||
needs.test-integration.result != 'success'