@@ -29,104 +29,6 @@ permissions:
2929 contents : read
3030
3131jobs :
32- lint :
33-
34- runs-on : ubuntu-22.04
35- timeout-minutes : 5
36-
37- steps :
38- - uses : actions/checkout@v6
39- - uses : astral-sh/ruff-action@v3
40-
41- security :
42-
43- runs-on : ubuntu-24.04
44- timeout-minutes : 5
45-
46- steps :
47- - uses : actions/checkout@v6
48- - name : Set up Python
49- uses : actions/setup-python@v6
50- with :
51- python-version : ' 3.10'
52- - name : Install dependencies
53- run : |
54- python -m pip install --upgrade pip
55- pip install bandit[toml]
56- - name : Run Bandit
57- run : |
58- bandit -r src/borg -c pyproject.toml
59-
60- asan_ubsan :
61-
62- runs-on : ubuntu-24.04
63- timeout-minutes : 25
64- needs : [lint]
65-
66- steps :
67- - uses : actions/checkout@v6
68- with :
69- # Just fetching one commit is not enough for setuptools-scm, so we fetch all.
70- fetch-depth : 0
71- fetch-tags : true
72-
73- - name : Set up Python
74- uses : actions/setup-python@v6
75- with :
76- python-version : ' 3.12'
77-
78- - name : Install system packages
79- run : |
80- sudo apt-get update
81- sudo apt-get install -y pkg-config build-essential
82- sudo apt-get install -y libssl-dev libacl1-dev liblz4-dev
83-
84- - name : Install Python dependencies
85- run : |
86- python -m pip install --upgrade pip
87- pip install -r requirements.d/development.lock.txt
88-
89- - name : Build Borg with ASan/UBSan
90- # Build the C/Cython extensions with AddressSanitizer and UndefinedBehaviorSanitizer enabled.
91- # How this works:
92- # - The -fsanitize=address,undefined flags inject runtime checks into our native code. If a bug is hit
93- # (e.g., buffer overflow, use-after-free, out-of-bounds, or undefined behavior), the sanitizer prints
94- # a detailed error report to stderr, including a stack trace, and forces the process to exit with
95- # non-zero status. In CI, this will fail the step/job so you will notice.
96- # - ASAN_OPTIONS/UBSAN_OPTIONS configure the sanitizers' runtime behavior (see below for meanings).
97- env :
98- CFLAGS : " -O1 -g -fno-omit-frame-pointer -fsanitize=address,undefined"
99- CXXFLAGS : " -O1 -g -fno-omit-frame-pointer -fsanitize=address,undefined"
100- LDFLAGS : " -fsanitize=address,undefined"
101- # ASAN_OPTIONS controls AddressSanitizer runtime tweaks:
102- # - detect_leaks=0: Disable LeakSanitizer to avoid false positives with CPython/pymalloc in short-lived tests.
103- # - strict_string_checks=1: Make invalid string operations (e.g., over-reads) more likely to be detected.
104- # - check_initialization_order=1: Catch uses that depend on static initialization order (C++).
105- # - detect_stack_use_after_return=1: Detect stack-use-after-return via stack poisoning (may increase overhead).
106- ASAN_OPTIONS : " detect_leaks=0:strict_string_checks=1:check_initialization_order=1:detect_stack_use_after_return=1"
107- # UBSAN_OPTIONS controls UndefinedBehaviorSanitizer runtime:
108- # - print_stacktrace=1: Include a stack trace for UB reports to ease debugging.
109- # Note: UBSan is recoverable by default (process may continue after reporting). If you want CI to
110- # abort immediately and fail on the first UB, add `halt_on_error=1` (e.g., UBSAN_OPTIONS="print_stacktrace=1:halt_on_error=1").
111- UBSAN_OPTIONS : " print_stacktrace=1"
112- # PYTHONDEVMODE enables additional Python runtime checks and warnings.
113- PYTHONDEVMODE : " 1"
114- run : pip install -e .
115-
116- - name : Run tests under sanitizers
117- env :
118- ASAN_OPTIONS : " detect_leaks=0:strict_string_checks=1:check_initialization_order=1:detect_stack_use_after_return=1"
119- UBSAN_OPTIONS : " print_stacktrace=1"
120- PYTHONDEVMODE : " 1"
121- # Ensure the ASan runtime is loaded first to avoid "ASan runtime does not come first" warnings.
122- # We discover libasan/libubsan paths via gcc and preload them for the Python test process.
123- # the remote tests are slow and likely won't find anything useful
124- run : |
125- set -euo pipefail
126- export LD_PRELOAD="$(gcc -print-file-name=libasan.so):$(gcc -print-file-name=libubsan.so)"
127- echo "Using LD_PRELOAD=$LD_PRELOAD"
128- pytest -v --benchmark-skip -k "not remote"
129-
13032 native_tests :
13133
13234 needs : [lint]
@@ -141,21 +43,10 @@ jobs:
14143 ${{ fromJSON(
14244 github.event_name == 'pull_request' && '{
14345 "include": [
144- {"os": "ubuntu-22.04", "python-version": "3.10", "toxenv": "mypy"},
145- {"os": "ubuntu-22.04", "python-version": "3.11", "toxenv": "docs"},
146- {"os": "ubuntu-22.04", "python-version": "3.10", "toxenv": "py310-llfuse"},
147- {"os": "ubuntu-24.04", "python-version": "3.12", "toxenv": "py312-pyfuse3"},
148- {"os": "ubuntu-24.04", "python-version": "3.14", "toxenv": "py314-mfusepy"}
46+ {"os": "macos-15", "python-version": "3.11", "toxenv": "py311-none", "binary": "borg-macos-15-arm64-gh"},
14947 ]
15048 }' || '{
15149 "include": [
152- {"os": "ubuntu-22.04", "python-version": "3.11", "toxenv": "py311-pyfuse3", "binary": "borg-linux-glibc235-x86_64-gh"},
153- {"os": "ubuntu-22.04-arm", "python-version": "3.11", "toxenv": "py311-pyfuse3", "binary": "borg-linux-glibc235-arm64-gh"},
154- {"os": "ubuntu-24.04", "python-version": "3.12", "toxenv": "py312-llfuse"},
155- {"os": "ubuntu-24.04", "python-version": "3.13", "toxenv": "py313-pyfuse3"},
156- {"os": "ubuntu-24.04", "python-version": "3.14", "toxenv": "py314-mfusepy"},
157- {"os": "macos-15", "python-version": "3.11", "toxenv": "py311-none", "binary": "borg-macos-15-arm64-gh"},
158- {"os": "macos-15-intel", "python-version": "3.11", "toxenv": "py311-none", "binary": "borg-macos-15-x86_64-gh"}
15950 ]
16051 }'
16152 ) }}
0 commit comments