From b589045b0fde572b892b8fe9333e2148f6b28452 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Mon, 14 Aug 2023 19:51:27 -0300 Subject: [PATCH 01/11] ci: use path whitelists instead of blacklists That is, replace `paths-ignore` with `paths`. This should reduce the number of unnecessary workflow executions and the frequency at which paths are changed. It also reduces the overall number of paths used. Also, add the missing ci/printenv.sh to the path whitelists. --- .github/workflows/build-extra.yml | 70 ++++++++++----------------- .github/workflows/build.yml | 63 +++++++++++++----------- .github/workflows/codeql-analysis.yml | 70 ++++++++++----------------- .github/workflows/profile-checks.yml | 2 + Makefile | 1 + 5 files changed, 90 insertions(+), 116 deletions(-) diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index 3fc71a299dd..f35a7d3d350 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml 
@@ -2,51 +2,33 @@ name: Build-extra CI on: push: - paths-ignore: - - '.github/ISSUE_TEMPLATE/*' - - 'contrib/syntax/**' - - 'contrib/vim/**' - - 'etc/**' - - 'src/man/*.in' - - .git-blame-ignore-revs - - .github/dependabot.yml - - .github/pull_request_template.md - - .github/workflows/build.yml - - .github/workflows/codeql-analysis.yml - - .github/workflows/codespell.yml - - .github/workflows/profile-checks.yml - - .gitignore - - .gitlab-ci.yml - - CONTRIBUTING.md - - COPYING - - README - - README.md - - RELNOTES - - SECURITY.md - - src/firecfg/firecfg.config + paths: + - 'm4/**' + - 'src/**.c' + - 'src/**.h' + - 'src/**.mk' + - 'src/**Makefile' + - .github/workflows/build-extra.yml + - Makefile + - ci/printenv.sh + - config.mk.in + - config.sh.in + - configure + - configure.ac pull_request: - paths-ignore: - - '.github/ISSUE_TEMPLATE/*' - - 'contrib/syntax/**' - - 'contrib/vim/**' - - 'etc/**' - - 'src/man/*.in' - - .git-blame-ignore-revs - - .github/dependabot.yml - - .github/pull_request_template.md - - .github/workflows/build.yml - - .github/workflows/codeql-analysis.yml - - .github/workflows/codespell.yml - - .github/workflows/profile-checks.yml - - .gitignore - - .gitlab-ci.yml - - CONTRIBUTING.md - - COPYING - - README - - README.md - - RELNOTES - - SECURITY.md - - src/firecfg/firecfg.config + paths: + - 'm4/**' + - 'src/**.c' + - 'src/**.h' + - 'src/**.mk' + - 'src/**Makefile' + - .github/workflows/build-extra.yml + - Makefile + - ci/printenv.sh + - config.mk.in + - config.sh.in + - configure + - configure.ac permissions: # added using https://github.com/step-security/secure-workflows contents: read diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 489ed433582..12df3876282 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
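Review bot: The `src/**.c`, `src/**.h`, `src/**.mk` and `src/**Makefile` patterns in the new `paths` lists do not match autoconf templates such as `*.h.in` or `*.mk.in`, so if any such files live under src/, a change to them no longer triggers Build-extra even though it changes what gets compiled; adding `- 'src/**.in'` after `- 'src/**Makefile'` in both the push and pull_request lists would close that gap. Whether such templates exist under src/ is not visible in this patch. Note also that an allowlist fails open: a path missing from it produces no run and no red status, whereas the old `paths-ignore` list would still have run the job, so this list now deserves the same kind of keep-in-sync comment that build.yml receives in this series.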
@@ -1,42 +1,49 @@ name: Build CI +# Note: Keep this list in sync with DISTFILES in ../../Makefile. on: push: - paths-ignore: - - '.github/ISSUE_TEMPLATE/*' - - .git-blame-ignore-revs - - .github/dependabot.yml - - .github/pull_request_template.md - - .github/workflows/build-extra.yml - - .github/workflows/codeql-analysis.yml - - .github/workflows/codespell.yml - - .github/workflows/profile-checks.yml - - .gitignore - - .gitlab-ci.yml - - CONTRIBUTING.md + paths: + - 'contrib/**' + - 'etc/**' + - 'm4/**' + - 'platform/**' + - 'src/**' + - 'test/**' + - .github/workflows/build.yml - COPYING + - Makefile - README - - README.md - RELNOTES - - SECURITY.md + - ci/printenv.sh + - config.mk.in + - config.sh.in + - configure + - configure.ac + - install.sh + - mkdeb.sh + - mketc.sh pull_request: - paths-ignore: - - '.github/ISSUE_TEMPLATE/*' - - .git-blame-ignore-revs - - .github/dependabot.yml - - .github/pull_request_template.md - - .github/workflows/build-extra.yml - - .github/workflows/codeql-analysis.yml - - .github/workflows/codespell.yml - - .github/workflows/profile-checks.yml - - .gitignore - - .gitlab-ci.yml - - CONTRIBUTING.md + paths: + - 'contrib/**' + - 'etc/**' + - 'm4/**' + - 'platform/**' + - 'src/**' + - 'test/**' + - .github/workflows/build.yml - COPYING + - Makefile - README - - README.md - RELNOTES - - SECURITY.md + - ci/printenv.sh + - config.mk.in + - config.sh.in + - configure + - configure.ac + - install.sh + - mkdeb.sh + - mketc.sh permissions: # added using https://github.com/step-security/secure-workflows contents: read diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 344090cfde8..a4c4a1146ac 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
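Review bot: Because `pull_request` now fires only for the listed paths, a PR that touches nothing in the list produces no Build run at all, and if Build is a required status check in branch protection GitHub leaves such a PR at "Expected — Waiting for status to be reported" instead of letting it merge; with `paths-ignore` that situation was the exception, with `paths` it becomes the common case. Whether Build is a required check is not visible here, so it is worth confirming before merging; the workaround GitHub documents is a second workflow with the same job name that uses `paths-ignore` with the inverse list and simply succeeds. The `# Note: Keep this list in sync with DISTFILES in ../../Makefile.` comment is useful, and stating there that an omission silently skips CI rather than failing it would make the maintenance burden explicit.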
@@ -7,51 +7,33 @@ name: "CodeQL" on: push: - paths-ignore: - - '.github/ISSUE_TEMPLATE/*' - - 'contrib/syntax/**' - - 'contrib/vim/**' - - 'etc/**' - - 'src/man/*.txt' - - .git-blame-ignore-revs - - .github/dependabot.yml - - .github/pull_request_template.md - - .github/workflows/build-extra.yml - - .github/workflows/build.yml - - .github/workflows/codespell.yml - - .github/workflows/profile-checks.yml - - .gitignore - - .gitlab-ci.yml - - CONTRIBUTING.md - - COPYING - - README - - README.md - - RELNOTES - - SECURITY.md - - src/firecfg/firecfg.config + paths: + - 'm4/**' + - 'src/**.c' + - 'src/**.h' + - 'src/**.mk' + - 'src/**Makefile' + - .github/workflows/codeql-analysis.yml + - Makefile + - ci/printenv.sh + - config.mk.in + - config.sh.in + - configure + - configure.ac pull_request: - paths-ignore: - - '.github/ISSUE_TEMPLATE/*' - - 'contrib/syntax/**' - - 'contrib/vim/**' - - 'etc/**' - - 'src/man/*.txt' - - .git-blame-ignore-revs - - .github/dependabot.yml - - .github/pull_request_template.md - - .github/workflows/build-extra.yml - - .github/workflows/build.yml - - .github/workflows/codespell.yml - - .github/workflows/profile-checks.yml - - .gitignore - - .gitlab-ci.yml - - CONTRIBUTING.md - - COPYING - - README - - README.md - - RELNOTES - - SECURITY.md - - src/firecfg/firecfg.config + paths: + - 'm4/**' + - 'src/**.c' + - 'src/**.h' + - 'src/**.mk' + - 'src/**Makefile' + - .github/workflows/codeql-analysis.yml + - Makefile + - ci/printenv.sh + - config.mk.in + - config.sh.in + - configure + - configure.ac schedule: - cron: '0 7 * * 2' diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml index c440127683a..4768c91a172 100644 --- a/.github/workflows/profile-checks.yml +++ b/.github/workflows/profile-checks.yml @@ -6,6 +6,7 @@ on: - 'ci/check/profiles/**' - 'etc/**' - .github/workflows/profile-checks.yml + - ci/printenv.sh - contrib/sort.py - src/firecfg/firecfg.config pull_request: 
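Review bot: Path-filtering the `push` trigger of a code scanning workflow has a side effect the code scanning docs warn about: a push to the default branch that touches only unlisted files leaves the default-branch CodeQL analysis stale, and pull-request alert comparisons are then made against that older baseline, so new findings can be mis-attributed or missed. The weekly `schedule: - cron: '0 7 * * 2'` trigger this hunk keeps bounds the staleness to a week, which is probably acceptable, but the reasoning should be recorded next to it, e.g. `# Unconditional weekly run: keeps the default-branch baseline fresh despite the paths filters above.`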
@@ -13,6 +14,7 @@ on: - 'ci/check/profiles/**' - 'etc/**' - .github/workflows/profile-checks.yml + - ci/printenv.sh - contrib/sort.py - src/firecfg/firecfg.config diff --git a/Makefile b/Makefile index 043c491c66b..450b8a0b450 100644 --- a/Makefile +++ b/Makefile @@ -299,6 +299,7 @@ uninstall: config.mk rm -f $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs/firejail-profile.lang @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038." +# Note: Keep this list in sync with `paths` in .github/workflows/build.yml. DISTFILES = \ COPYING \ Makefile \ From 2f1b352e4e4fcc9c44fa618dfaf7e04b6f972caf Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Mon, 14 Aug 2023 22:30:29 -0300 Subject: [PATCH 02/11] ci: rename profile-checks.yml to check-profiles.yml --- .../workflows/{profile-checks.yml => check-profiles.yml} | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) rename .github/workflows/{profile-checks.yml => check-profiles.yml} (92%) diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/check-profiles.yml similarity index 92% rename from .github/workflows/profile-checks.yml rename to .github/workflows/check-profiles.yml index 4768c91a172..5167516e829 100644 --- a/.github/workflows/profile-checks.yml +++ b/.github/workflows/check-profiles.yml @@ -1,11 +1,11 @@ -name: Profile Checks +name: Check-Profiles on: push: paths: - 'ci/check/profiles/**' - 'etc/**' - - .github/workflows/profile-checks.yml + - .github/workflows/check-profiles.yml - ci/printenv.sh - contrib/sort.py - src/firecfg/firecfg.config @@ -13,7 +13,7 @@ on: paths: - 'ci/check/profiles/**' - 'etc/**' - - .github/workflows/profile-checks.yml + - .github/workflows/check-profiles.yml - ci/printenv.sh - contrib/sort.py - src/firecfg/firecfg.config From 055d74ee9b579f4e0bc09cf120c535d7aa2e5e79 Mon Sep 17 00:00:00 2001 
From: "Kelvin M. Klann" Date: Mon, 14 Aug 2023 04:27:32 -0300 Subject: [PATCH 03/11] ci: trim comments in codeql-analysis.yml Note: When generating a new workflow, the permissions are not commented anymore. --- .github/workflows/codeql-analysis.yml | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index a4c4a1146ac..bb43f7d5031 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -1,9 +1,4 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -name: "CodeQL" +name: CodeQL on: push: @@ -43,9 +38,9 @@ permissions: # added using https://github.com/step-security/secure-workflows jobs: analyze: permissions: - actions: read # for github/codeql-action/init to get workflow details - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/autobuild to send a status report + actions: read + contents: read + security-events: write name: Analyze runs-on: ubuntu-latest @@ -82,10 +77,6 @@ jobs: uses: github/codeql-action/init@5b6282e01c62d02e720b81eb8a51204f527c3624 with: languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - # queries: ./path/to/local/query, your-org/your-repo/queries@main # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) From dea6e0f8fa3b11ffa948a7a87cb5576b897251b5 Mon Sep 17 00:00:00 2001 
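Review bot: Trimming the three per-permission comments removes the only stated reason for `security-events: write`, which is the single write scope in this workflow and the line a later reviewer will question first. A single trailing comment such as `security-events: write # upload CodeQL results` costs nothing and preserves the least-privilege rationale that the step-security comment on the workflow-level `permissions:` block already sets up. Losing the template boilerplate above `name:` and the `queries:` example is fine.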
From: "Kelvin M. Klann" Date: Mon, 14 Aug 2023 04:28:03 -0300 Subject: [PATCH 04/11] ci: move codeql python job into its own workflow Only run the CodeQL Python analysis if a .py file is changed. --- .github/workflows/check-python.yml | 53 +++++++++++++++++++++++++++ .github/workflows/codeql-analysis.yml | 12 +----- 2 files changed, 54 insertions(+), 11 deletions(-) create mode 100644 .github/workflows/check-python.yml diff --git a/.github/workflows/check-python.yml b/.github/workflows/check-python.yml new file mode 100644 index 00000000000..91b87650f51 --- /dev/null +++ b/.github/workflows/check-python.yml @@ -0,0 +1,53 @@ +name: Check-Python + +on: + push: + paths: + - '**.py' + - .github/workflows/check-python.yml + pull_request: + paths: + - '**.py' + - .github/workflows/check-python.yml + schedule: + - cron: '0 7 * * 2' + +permissions: # added using https://github.com/step-security/secure-workflows + contents: read + +jobs: + codeql-python: + permissions: + actions: read + contents: read + security-events: write + runs-on: ubuntu-latest + + steps: + - name: Harden Runner + uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + files.pythonhosted.org:443 + github.com:443 + objects.githubusercontent.com:443 + pypi.org:443 + uploads.github.com:443 + + - name: Checkout repository + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 + + - name: print env + run: ./ci/printenv.sh + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@0ba4244466797eb048eb91a6cd43d5c03ca8bd05 + with: + languages: python + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@0ba4244466797eb048eb91a6cd43d5c03ca8bd05 diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index bb43f7d5031..c16fd732c26 100644 --- a/.github/workflows/codeql-analysis.yml 
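Review bot: The new check-python.yml pins `github/codeql-action/init` and `analyze` to `0ba4244466797eb048eb91a6cd43d5c03ca8bd05`, while codeql-analysis.yml in this same series pins the same action to `5b6282e01c62d02e720b81eb8a51204f527c3624`, so the repository now runs two different versions of the CodeQL action with nothing explaining why; pick one SHA for both files and append the resolved tag as a trailing comment on each `uses:` line (`uses: github/codeql-action/init@<sha> # <tag>`) so the pins can be reviewed and bumped together. The `files.pythonhosted.org:443` and `pypi.org:443` egress exceptions are presumably carried over for the Python extractor's dependency installation; if the harden-runner report shows they are never contacted, drop them, since `egress-policy: block` is only as strict as this list. Job-level `disable-sudo: true` and scoping `security-events: write` to the job rather than the workflow are good.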
+++ b/.github/workflows/codeql-analysis.yml @@ -44,14 +44,6 @@ jobs: name: Analyze runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - language: [ 'cpp', 'python' ] - # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ] - # Learn more: - # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed - steps: - name: Harden Runner uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 @@ -60,10 +52,8 @@ jobs: egress-policy: block allowed-endpoints: > api.github.com:443 - files.pythonhosted.org:443 github.com:443 objects.githubusercontent.com:443 - pypi.org:443 uploads.github.com:443 - name: Checkout repository @@ -76,7 +66,7 @@ jobs: - name: Initialize CodeQL uses: github/codeql-action/init@5b6282e01c62d02e720b81eb8a51204f527c3624 with: - languages: ${{ matrix.language }} + languages: cpp # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) From dadd4b9f0384dd814cd1f803fd8e89e3a7102281 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Mon, 14 Aug 2023 19:28:54 -0300 Subject: [PATCH 05/11] ci: remove "CI" from workflow names All of the current workflows are used for CI. --- .github/workflows/build-extra.yml | 2 +- .github/workflows/build.yml | 2 +- README.md | 6 +++--- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index f35a7d3d350..b6e8e902bfc 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml @@ -1,4 +1,4 @@ -name: Build-extra CI +name: Build-extra on: push: diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 12df3876282..c898c34f544 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -1,4 +1,4 @@ -name: Build CI +name: Build # Note: Keep this list in sync with DISTFILES in ../../Makefile. on: diff --git a/README.md b/README.md index 78130445198..1e3ce7564ce 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,8 @@ # Firejail -[![Build CI (GitLab)](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines) -[![Build CI (GitHub)](https://github.com/netblue30/firejail/workflows/Build%20CI/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3A%22Build+CI%22) -[![CodeQL CI](https://github.com/netblue30/firejail/workflows/CodeQL/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACodeQL) +[![Build (GitLab)](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines) +[![Build (GitHub)](https://github.com/netblue30/firejail/workflows/Build/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ABuild) +[![CodeQL](https://github.com/netblue30/firejail/workflows/CodeQL/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACodeQL) [![Packaging status (Repology)](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions) Firejail is a SUID sandbox program that reduces the risk of security breaches From 5099adf1b1b33cc9edb29682211a6fa485dcd988 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Mon, 14 Aug 2023 19:42:33 -0300 Subject: [PATCH 06/11] ci: split build and test into separate workflows Testing takes significantly longer than building, so this makes the default build check faster. --- .github/workflows/build.yml | 24 +--------- .github/workflows/test.yml | 96 +++++++++++++++++++++++++++++++++++++ 2 files changed, 97 insertions(+), 23 deletions(-) create mode 100644 .github/workflows/test.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c898c34f544..aa91936710a 100644 
--- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -49,27 +49,21 @@ permissions: # added using https://github.com/step-security/secure-workflows contents: read jobs: - build_and_test: + build: runs-on: ubuntu-22.04 - env: - SHELL: /bin/bash steps: - name: Harden Runner uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 with: egress-policy: block allowed-endpoints: > - 1.1.1.1:1025 azure.archive.ubuntu.com:80 debian.org:80 - dns.quad9.net:53 github.com:443 packages.microsoft.com:443 ppa.launchpadcontent.net:443 - whois.pir.org:43 www.debian.org:443 www.debian.org:80 - yahoo.com:1025 - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 - name: update package information run: sudo apt-get update -qy @@ -91,19 +85,3 @@ jobs: run: sudo make install - name: print firejail version run: command -V firejail && firejail --version - - run: make lab-setup - - run: make test-seccomp-extra - - run: make test-firecfg - - run: make test-capabilities - - run: make test-apparmor - - run: make test-appimage - - run: make test-chroot - - run: make test-sysutils - - run: make test-private-etc - - run: make test-profiles - - run: make test-fcopy - - run: make test-fnetfilter - - run: make test-fs - - run: make test-utils - - run: make test-environment - - run: make test-network diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml new file mode 100644 index 00000000000..83c9a578a25 --- /dev/null +++ b/.github/workflows/test.yml 
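Review bot: The trimmed allowlist still permits `debian.org:80`, `www.debian.org:443` and `www.debian.org:80`, yet after this hunk the job only runs apt, configure, make and make install, none of which visibly needs debian.org; the entries that were clearly test-only (`1.1.1.1:1025`, `dns.quad9.net:53`, `whois.pir.org:43`, `yahoo.com:1025`) were moved out, and these three look like they belong with them. If the harden-runner summary confirms nothing in the remaining steps reaches those hosts, drop the three lines so `egress-policy: block` stays as tight as the steps require. If they are needed by a build step, a short comment on the first of them saying which step would stop the next person from asking the same question.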
@@ -0,0 +1,96 @@ +name: Test + +on: + push: + paths: + - 'm4/**' + - 'src/**.c' + - 'src/**.h' + - 'src/**.mk' + - 'src/**Makefile' + - 'test/**' + - .github/workflows/test.yml + - Makefile + - config.mk.in + - config.sh.in + - configure + - configure.ac + - src/firecfg/firecfg.config + pull_request: + paths: + - 'm4/**' + - 'src/**.c' + - 'src/**.h' + - 'src/**.mk' + - 'src/**Makefile' + - 'test/**' + - .github/workflows/test.yml + - Makefile + - config.mk.in + - config.sh.in + - configure + - configure.ac + - src/firecfg/firecfg.config + +permissions: # added using https://github.com/step-security/secure-workflows + contents: read + +jobs: + test: + runs-on: ubuntu-22.04 + env: + SHELL: /bin/bash + steps: + - name: Harden Runner + uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 + with: + egress-policy: block + allowed-endpoints: > + 1.1.1.1:1025 + azure.archive.ubuntu.com:80 + debian.org:80 + dns.quad9.net:53 + github.com:443 + packages.microsoft.com:443 + ppa.launchpadcontent.net:443 + whois.pir.org:43 + www.debian.org:443 + www.debian.org:80 + yahoo.com:1025 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 + - name: update package information + run: sudo apt-get update -qy + - name: install dependencies + run: > + sudo apt-get install -qy + gcc-12 libapparmor-dev libselinux1-dev expect xzdec whois + bridge-utils + - name: print env + run: ./ci/printenv.sh + - name: configure + run: > + CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings + --enable-analyzer --enable-apparmor --enable-selinux + || (cat config.log; exit 1) + - name: make + run: make + - name: make install + run: sudo make install + - name: print firejail version + run: command -V firejail && firejail --version + - run: make lab-setup + - run: make test-seccomp-extra + - run: make test-firecfg + - run: make test-capabilities + - run: make test-apparmor + - run: make test-appimage + - run: make test-chroot + - run: make test-sysutils + - run: 
make test-private-etc + - run: make test-profiles + - run: make test-fcopy + - run: make test-fnetfilter + - run: make test-fs + - run: make test-utils + - run: make test-environment + - run: make test-network From d6f20ef8d272072113ddb976064956060eae3219 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Mon, 14 Aug 2023 22:52:30 -0300 Subject: [PATCH 07/11] ci: run make in parallel where applicable Do so when the output of the given job is not important. For example, when the output of another job can be used for debugging build-related issues. --- .github/workflows/codeql-analysis.yml | 18 ++++-------------- .github/workflows/test.yml | 2 +- 2 files changed, 5 insertions(+), 15 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index c16fd732c26..b4a5b55ddea 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -68,21 +68,11 @@ jobs: with: languages: cpp - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@5b6282e01c62d02e720b81eb8a51204f527c3624 + - name: configure + run: ./configure - # ℹī¸ Command-line programs to run using the OS shell. - # 📚 https://git.io/JvXDl - - # ✏ī¸ If the Autobuild fails above, remove it and uncomment the following three lines - # and modify them (or add more) to build your code if your project - # uses a compiled language - - #- run: | - # make bootstrap - # make release + - name: make + run: make -j "$(nproc)" - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@5b6282e01c62d02e720b81eb8a51204f527c3624 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 83c9a578a25..e716c32cfa0 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
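Review bot: The `paths` lists in the new test.yml omit `ci/printenv.sh` even though the `print env` step runs `./ci/printenv.sh`, so the first patch in this series, which added that file to every other workflow's list for exactly this reason, is undone for Test; add `- ci/printenv.sh` after `- Makefile` in both the push and pull_request lists. The `'test/**'` entry correctly covers the test scripts, but the differences between this list and build-extra.yml's show how easily these hand-maintained duplicates drift, and a comment naming build-extra.yml as the reference list would help. The egress allowlist (`1.1.1.1:1025`, `dns.quad9.net:53`, `whois.pir.org:43`, `yahoo.com:1025`, the debian.org hosts) presumably reflects what the network tests reach; a comment naming the test target behind each non-obvious entry would let future maintainers prune it safely instead of copying it forward.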
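Review bot: Replacing Autobuild with a bare `./configure` builds the CodeQL database with the default feature set, so code that only compiles under `--enable-apparmor`/`--enable-selinux` (which the scan-build job in build-extra.yml does enable) is presumably never analyzed by CodeQL; that gap deserves a comment next to the configure step, since this job runs with `disable-sudo: true` and cannot apt-get the dev libraries needed to turn those options on. The other workflows also dump the log when configure fails, so for consistency use `run: ./configure || (cat config.log; exit 1)`. `make -j "$(nproc)"` is fine for CodeQL's build tracing.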
@@ -73,7 +73,7 @@ jobs: --enable-analyzer --enable-apparmor --enable-selinux || (cat config.log; exit 1) - name: make - run: make + run: make -j "$(nproc)" - name: make install run: sudo make install - name: print firejail version From 98b691ec8e56b17f41735c0bd59e3041508f4c90 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Wed, 16 Aug 2023 03:04:42 -0300 Subject: [PATCH 08/11] ci: move main code checks into new check-c.yml Move scan-build, cppcheck and CodeQL (cpp). This is similar to build-extra.yml, but for jobs that check for issues in the code rather than checking for build failures. --- .github/workflows/build-extra.yml | 79 ------------- .github/workflows/check-c.yml | 159 ++++++++++++++++++++++++++ .github/workflows/codeql-analysis.yml | 72 ++---------- README.md | 2 +- 4 files changed, 169 insertions(+), 143 deletions(-) create mode 100644 .github/workflows/check-c.yml diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index b6e8e902bfc..b538fde68a0 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml 
@@ -68,82 +68,3 @@ jobs: run: sudo make install - name: print version run: command -V firejail && firejail --version - scan-build: - runs-on: ubuntu-22.04 - steps: - - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 - with: - egress-policy: block - allowed-endpoints: > - archive.ubuntu.com:80 - azure.archive.ubuntu.com:80 - github.com:443 - packages.microsoft.com:443 - ppa.launchpadcontent.net:443 - security.ubuntu.com:80 - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 - - name: update package information - run: sudo apt-get update -qy - - name: install clang-tools-14 and dependencies - run: > - sudo apt-get install -qy - clang-tools-14 libapparmor-dev libselinux1-dev - - name: print env - run: ./ci/printenv.sh - - name: configure - run: > - CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor - --enable-selinux - || (cat config.log; exit 1) - - name: scan-build - run: scan-build-14 --status-bugs make - cppcheck: - runs-on: ubuntu-22.04 - steps: - - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 - with: - egress-policy: block - allowed-endpoints: > - archive.ubuntu.com:80 - azure.archive.ubuntu.com:80 - github.com:443 - packages.microsoft.com:443 - ppa.launchpadcontent.net:443 - security.ubuntu.com:80 - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 - - name: update package information - run: sudo apt-get update -qy - - name: install cppcheck - run: sudo apt-get install -qy cppcheck - - run: cppcheck --version - - name: cppcheck - run: > - cppcheck -q --force --error-exitcode=1 --enable=warning,performance - -i src/firejail/checkcfg.c -i src/firejail/main.c . - # new cppcheck version currently chokes on checkcfg.c and main.c, therefore - # scan all files also with older cppcheck version from ubuntu 20.04. 
- cppcheck_old: - runs-on: ubuntu-20.04 - steps: - - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 - with: - egress-policy: block - allowed-endpoints: > - archive.ubuntu.com:80 - azure.archive.ubuntu.com:80 - github.com:443 - packages.microsoft.com:443 - ppa.launchpad.net:80 - ppa.launchpadcontent.net:443 - security.ubuntu.com:80 - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 - - name: update package information - run: sudo apt-get update -qy - - name: install cppcheck - run: sudo apt-get install -qy cppcheck - - run: cppcheck --version - - name: cppcheck - run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance . diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml new file mode 100644 index 00000000000..472238ff01d --- /dev/null +++ b/.github/workflows/check-c.yml 
@@ -0,0 +1,159 @@ +name: Check-C + +on: + push: + paths: + - 'm4/**' + - 'src/**.c' + - 'src/**.h' + - 'src/**.mk' + - 'src/**Makefile' + - .github/workflows/check-c.yml + - Makefile + - ci/printenv.sh + - config.mk.in + - config.sh.in + - configure + - configure.ac + pull_request: + paths: + - 'm4/**' + - 'src/**.c' + - 'src/**.h' + - 'src/**.mk' + - 'src/**Makefile' + - .github/workflows/check-c.yml + - Makefile + - ci/printenv.sh + - config.mk.in + - config.sh.in + - configure + - configure.ac + schedule: + - cron: '0 7 * * 2' + +permissions: # added using https://github.com/step-security/secure-workflows + contents: read + +jobs: + scan-build: + runs-on: ubuntu-22.04 + steps: + - name: Harden Runner + uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 + with: + egress-policy: block + allowed-endpoints: > + archive.ubuntu.com:80 + azure.archive.ubuntu.com:80 + github.com:443 + packages.microsoft.com:443 + ppa.launchpadcontent.net:443 + security.ubuntu.com:80 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 + - name: update package information + run: sudo apt-get update -qy + - name: install clang-tools-14 and dependencies + run: > + sudo apt-get install -qy + clang-tools-14 libapparmor-dev libselinux1-dev + - name: print env + run: ./ci/printenv.sh + - name: configure + run: > + CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor + --enable-selinux + || (cat config.log; exit 1) + - name: scan-build + run: scan-build-14 --status-bugs make + + cppcheck: + runs-on: ubuntu-22.04 + steps: + - name: Harden Runner + uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 + with: + egress-policy: block + allowed-endpoints: > + archive.ubuntu.com:80 + azure.archive.ubuntu.com:80 + github.com:443 + packages.microsoft.com:443 + ppa.launchpadcontent.net:443 + security.ubuntu.com:80 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 + - name: update package information + run: sudo 
apt-get update -qy + - name: install cppcheck + run: sudo apt-get install -qy cppcheck + - run: cppcheck --version + - name: cppcheck + run: > + cppcheck -q --force --error-exitcode=1 --enable=warning,performance + -i src/firejail/checkcfg.c -i src/firejail/main.c . + + # new cppcheck version currently chokes on checkcfg.c and main.c, therefore + # scan all files also with older cppcheck version from ubuntu 20.04. + cppcheck_old: + runs-on: ubuntu-20.04 + steps: + - name: Harden Runner + uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 + with: + egress-policy: block + allowed-endpoints: > + archive.ubuntu.com:80 + azure.archive.ubuntu.com:80 + github.com:443 + packages.microsoft.com:443 + ppa.launchpad.net:80 + ppa.launchpadcontent.net:443 + security.ubuntu.com:80 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 + - name: update package information + run: sudo apt-get update -qy + - name: install cppcheck + run: sudo apt-get install -qy cppcheck + - run: cppcheck --version + - name: cppcheck + run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance . + + codeql-cpp: + permissions: + actions: read + contents: read + security-events: write + runs-on: ubuntu-latest + + steps: + - name: Harden Runner + uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + objects.githubusercontent.com:443 + uploads.github.com:443 + + - name: Checkout repository + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 + + - name: print env + run: ./ci/printenv.sh + + # Initializes the CodeQL tools for scanning. 
+ - name: Initialize CodeQL + uses: github/codeql-action/init@5b6282e01c62d02e720b81eb8a51204f527c3624 + with: + languages: cpp + + - name: configure + run: ./configure + + - name: make + run: make -j "$(nproc)" + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@5b6282e01c62d02e720b81eb8a51204f527c3624 diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index b4a5b55ddea..70449c603ca 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
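Review bot: The `codeql-cpp` job in the new check-c.yml runs on `ubuntu-latest` while `scan-build`, `cppcheck` and `cppcheck_old` pin `ubuntu-22.04` and `ubuntu-20.04`, so one job's image and toolchain can change underneath the pinned action SHAs without any diff to this file; change it to `runs-on: ubuntu-22.04` unless the floating image is deliberate, and say so in a comment if it is. Its `configure` step also lacks the `|| (cat config.log; exit 1)` fallback that the `scan-build` job above it uses, which makes a configure failure in the CodeQL job hard to diagnose. Since only scan-build passes `--enable-apparmor --enable-selinux`, the CodeQL database presumably excludes that conditionally compiled code; a one-line comment on the `./configure` step recording that tradeoff would stop it being rediscovered.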
@@ -1,78 +1,24 @@ -name: CodeQL +# Dummy file to avoid warnings on GitHub; see the CodeQL jobs in the following +# workflows: +# +# - check-c.yml +# - check-python.yml + +name: CodeQL-Dummy on: push: paths: - - 'm4/**' - - 'src/**.c' - - 'src/**.h' - - 'src/**.mk' - - 'src/**Makefile' - .github/workflows/codeql-analysis.yml - - Makefile - - ci/printenv.sh - - config.mk.in - - config.sh.in - - configure - - configure.ac pull_request: paths: - - 'm4/**' - - 'src/**.c' - - 'src/**.h' - - 'src/**.mk' - - 'src/**Makefile' - .github/workflows/codeql-analysis.yml - - Makefile - - ci/printenv.sh - - config.mk.in - - config.sh.in - - configure - - configure.ac - schedule: - - cron: '0 7 * * 2' permissions: # added using https://github.com/step-security/secure-workflows contents: read jobs: - analyze: - permissions: - actions: read - contents: read - security-events: write - name: Analyze + hello: runs-on: ubuntu-latest - steps: - - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - api.github.com:443 - github.com:443 - objects.githubusercontent.com:443 - uploads.github.com:443 - - - name: Checkout repository - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 - - - name: print env - run: ./ci/printenv.sh - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@5b6282e01c62d02e720b81eb8a51204f527c3624 - with: - languages: cpp - - - name: configure - run: ./configure - - - name: make - run: make -j "$(nproc)" - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@5b6282e01c62d02e720b81eb8a51204f527c3624 + - run: echo hello diff --git a/README.md b/README.md index 1e3ce7564ce..1a797cfbc3a 100644 --- a/README.md +++ b/README.md 
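Review bot: The header comment says the file exists "to avoid warnings on GitHub" but not which warning or when the file can be deleted, so nobody will know when this workflow, which now only runs on changes to itself, is safe to remove; state the condition, e.g. `# Kept so GitHub stops reporting the former "CodeQL" workflow as missing; delete once nothing (code scanning settings, branch protection) still refers to that workflow name` — adjusted to whatever the actual warning is. The `hello` job is also the only job in the workflows touched by this series without the `step-security/harden-runner` step; since it neither checks out code nor needs network access the risk is low, but either add the step for uniformity or say in the comment why it is omitted, so an audit for "every job runs harden-runner" does not trip on it.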
@@ -2,7 +2,7 @@ [![Build (GitLab)](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines) [![Build (GitHub)](https://github.com/netblue30/firejail/workflows/Build/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ABuild) -[![CodeQL](https://github.com/netblue30/firejail/workflows/CodeQL/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACodeQL) +[![Check-C](https://github.com/netblue30/firejail/workflows/Check-C/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACheck-C) [![Packaging status (Repology)](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions) Firejail is a SUID sandbox program that reduces the risk of security breaches From 17203303f9ebef2feae5a1055372e38a61fd878e Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Mon, 14 Aug 2023 22:36:31 -0300 Subject: [PATCH 09/11] docs: add missing CI badges to README.md --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index 1a797cfbc3a..c5113780848 100644 --- a/README.md +++ b/README.md 
@@ -2,7 +2,12 @@
 [![Build (GitLab)](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines)
 [![Build (GitHub)](https://github.com/netblue30/firejail/workflows/Build/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ABuild)
+[![Build-extra](https://github.com/netblue30/firejail/workflows/Build-extra/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ABuild-extra)
+[![Test](https://github.com/netblue30/firejail/workflows/Test/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ATest)
 [![Check-C](https://github.com/netblue30/firejail/workflows/Check-C/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACheck-C)
+[![Check-Profiles](https://github.com/netblue30/firejail/workflows/Check-Profiles/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACheck-Profiles)
+[![Check-Python](https://github.com/netblue30/firejail/workflows/Check-Python/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACheck-Python)
+[![Codespell](https://github.com/netblue30/firejail/workflows/Codespell/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACodespell)
 [![Packaging status (Repology)](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions)
 Firejail is a SUID sandbox program that reduces the risk of security breaches
From 5040438c774f46356d49dcede979d37ce34b40f6 Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Tue, 15 Aug 2023 23:23:28 -0300
Subject: [PATCH 10/11] ci: split test jobs for faster checks
Considering the most recent runs, this reduces the total amount of time it takes to run the tests from about 9-10 minutes to about 3 minutes.
Note: Which jobs are split is mostly determined by how long each test takes.
---
 .github/workflows/test.yml | 183 ++++++++++++++++++++++++++++++++++---
 1 file changed, 169 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index e716c32cfa0..771e7ce4cf4 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -35,8 +35,175 @@ on:
 permissions: # added using https://github.com/step-security/secure-workflows
 contents: read
+#
+# Faster tests
+#
+
 jobs:
- test:
+ test-main:
+ runs-on: ubuntu-22.04
+ env:
+ SHELL: /bin/bash
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+ with:
+ egress-policy: block
+ allowed-endpoints: >
+ azure.archive.ubuntu.com:80
+ github.com:443
+ packages.microsoft.com:443
+ ppa.launchpadcontent.net:443
+ - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+ - name: update package information
+ run: sudo apt-get update -qy
+ - name: install dependencies
+ run: >
+ sudo apt-get install -qy
+ gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils
+ - name: print env
+ run: ./ci/printenv.sh
+ - name: configure
+ run: >
+ CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
+ --enable-analyzer --enable-apparmor --enable-selinux
+ || (cat config.log; exit 1)
+ - name: make
+ run: make -j "$(nproc)"
+ - name: make install
+ run: sudo make install
+ - name: print firejail version
+ run: command -V firejail && firejail --version
+ - run: make lab-setup
+ - run: make test-seccomp-extra
+ - run: make test-firecfg
+ - run: make test-capabilities
+ - run: make test-apparmor
+ - run: make test-appimage
+ - run: make test-chroot
+ - run: make test-fcopy
+
+#
+# Slower tests
+#
+
+ test-fs:
+ runs-on: ubuntu-22.04
+ env:
+ SHELL: /bin/bash
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+ with:
+ egress-policy: block
+ allowed-endpoints: >
+ azure.archive.ubuntu.com:80
+ github.com:443
+ packages.microsoft.com:443
+ ppa.launchpadcontent.net:443
+ - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+ - name: update package information
+ run: sudo apt-get update -qy
+ - name: install dependencies
+ run: >
+ sudo apt-get install -qy
+ gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils 
+ - name: print env
+ run: ./ci/printenv.sh
+ - name: configure
+ run: >
+ CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
+ --enable-analyzer --enable-apparmor --enable-selinux
+ || (cat config.log; exit 1)
+ - name: make
+ run: make -j "$(nproc)"
+ - name: make install
+ run: sudo make install
+ - name: print firejail version
+ run: command -V firejail && firejail --version
+ - run: make lab-setup
+ - run: make test-private-etc
+ - run: make test-fs
+
+ test-environment:
+ runs-on: ubuntu-22.04
+ env:
+ SHELL: /bin/bash
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+ with:
+ egress-policy: block
+ allowed-endpoints: >
+ azure.archive.ubuntu.com:80
+ github.com:443
+ packages.microsoft.com:443
+ ppa.launchpadcontent.net:443
+ - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+ - name: update package information
+ run: sudo apt-get update -qy
+ - name: install dependencies
+ run: >
+ sudo apt-get install -qy
+ gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils
+ - name: print env
+ run: ./ci/printenv.sh
+ - name: configure
+ run: >
+ CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
+ --enable-analyzer --enable-apparmor --enable-selinux
+ || (cat config.log; exit 1)
+ - name: make
+ run: make -j "$(nproc)"
+ - name: make install
+ run: sudo make install
+ - name: print firejail version
+ run: command -V firejail && firejail --version
+ - run: make lab-setup
+ - run: make test-environment
+ - run: make test-profiles
+
+ test-utils:
+ runs-on: ubuntu-22.04
+ env:
+ SHELL: /bin/bash
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+ with:
+ egress-policy: block
+ allowed-endpoints: >
+ azure.archive.ubuntu.com:80
+ debian.org:80
+ github.com:443
+ packages.microsoft.com:443
+ ppa.launchpadcontent.net:443
+ www.debian.org:443
+ www.debian.org:80
+ - uses: 
actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+ - name: update package information
+ run: sudo apt-get update -qy
+ - name: install dependencies
+ run: >
+ sudo apt-get install -qy
+ gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils
+ - name: print env
+ run: ./ci/printenv.sh
+ - name: configure
+ run: >
+ CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
+ --enable-analyzer --enable-apparmor --enable-selinux
+ || (cat config.log; exit 1)
+ - name: make
+ run: make -j "$(nproc)"
+ - name: make install
+ run: sudo make install
+ - name: print firejail version
+ run: command -V firejail && firejail --version
+ - run: make lab-setup
+ - run: make test-utils
+
+ test-network:
 runs-on: ubuntu-22.04
 env:
 SHELL: /bin/bash
@@ -79,18 +246,6 @@ jobs:
 - name: print firejail version
 run: command -V firejail && firejail --version
 - run: make lab-setup
- - run: make test-seccomp-extra
- - run: make test-firecfg
- - run: make test-capabilities
- - run: make test-apparmor
- - run: make test-appimage
- - run: make test-chroot
- - run: make test-sysutils
- - run: make test-private-etc
- - run: make test-profiles
- - run: make test-fcopy
 - run: make test-fnetfilter
- - run: make test-fs
- - run: make test-utils
- - run: make test-environment
+ - run: make test-sysutils
 - run: make test-network
From a88c4d970a00f0e5ec6156a4833ab717355cfbc9 Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Sat, 19 Aug 2023 16:18:37 -0300
Subject: [PATCH 11/11] ci: document the intended purpose of each workflow
---
 .github/workflows/build-extra.yml | 2 ++
 .github/workflows/build.yml | 3 +++
 .github/workflows/check-c.yml | 2 ++
 .github/workflows/check-profiles.yml | 2 ++
 .github/workflows/check-python.yml | 2 ++
 .github/workflows/codespell.yml | 2 ++
 .github/workflows/test.yml | 2 ++
 7 files changed, 15 insertions(+)
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index b538fde68a0..1629733aef5 100644
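Review bot: The four new jobs (`test-main`, `test-fs`, `test-environment`, `test-utils`) repeat the same setup block of roughly twenty lines (harden-runner, checkout, apt-get, configure, make, make install) and differ only in the trailing `make` targets; a `strategy.matrix` over those target lists, or a reusable workflow, would keep the egress allow-list and the dependency list from drifting between jobs the next time one of them changes. Only `test-utils` widens the egress allow-list with `debian.org:80` and `www.debian.org:80`; if the utils tests only need the HTTPS endpoint, dropping the `:80` entries keeps that job to TLS-only traffic, and otherwise a short comment next to them naming the test that needs plaintext HTTP would help the next reviewer. `test-network` is the renamed original job and its body continues outside the hunk; the second hunk of this file only trims its target list.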
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -1,3 +1,5 @@
+# Builds the project with alternative tools.
+
 name: Build-extra
 on:
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index aa91936710a..316feb6b01b 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,3 +1,6 @@
+# Checks that `make dist` works and builds the project with the default
+# configuration.
+
 name: Build
 # Note: Keep this list in sync with DISTFILES in ../../Makefile.
diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml
index 472238ff01d..d8751ddc712 100644
--- a/.github/workflows/check-c.yml
+++ b/.github/workflows/check-c.yml
@@ -1,3 +1,5 @@
+# Checks for potential issues in the source code.
+
 name: Check-C
 on:
diff --git a/.github/workflows/check-profiles.yml b/.github/workflows/check-profiles.yml
index 5167516e829..193cfcb9f58 100644
--- a/.github/workflows/check-profiles.yml
+++ b/.github/workflows/check-profiles.yml
@@ -1,3 +1,5 @@
+# Lints and checks for potential issues in the profiles.
+
 name: Check-Profiles
 on:
diff --git a/.github/workflows/check-python.yml b/.github/workflows/check-python.yml
index 91b87650f51..50ddf566918 100644
--- a/.github/workflows/check-python.yml
+++ b/.github/workflows/check-python.yml
@@ -1,3 +1,5 @@
+# Lints and checks for potential issues in Python files.
+
 name: Check-Python
 on:
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
index e39755dbdfc..4eacfb244cb 100644
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -1,3 +1,5 @@
+# Checks the spelling on all non-third-party files.
+
 name: Codespell
 on:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 771e7ce4cf4..0b679c1c8d0 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,3 +1,5 @@
+# Checks that the tests are passing.
+
 name: Test
 on: