
7 commits

Author SHA1 Message Date
b6bdf43983
Merge 2ba247e09c into 68f8338d20 2024-10-30 19:11:07 +01:00
Alex Pyrgiotis
68f8338d20
Revert "Disable gVisor's DirectFS feature."
This reverts commit 73b0f8b7d4.
Unfortunately, disabling DirectFS causes a problem in Linux systems that
enable Yama mode 2. Turns out that Tails is such a system, so we have to
revert this change, if we want to support it.

Refs #982
2024-10-30 19:10:26 +01:00
Alex Pyrgiotis
d561878e03
tests: Restore previously mocked function
Restore the `isolation_provider.base.kill_process_group()` function,
which was previously mocked, at the end of the
`test_linger_unkillable()` test. This function is initially mocked, in
order to simulate a hang process. After the mocking completes, the test
needs the original function once more, in order to actually kill the
spawned process.
2024-10-30 16:45:45 +01:00
Alexis Métaireau
59e1666c28
Drop support for Ubuntu Mantic (23.10), which is EOL since 11 Jul 2024. 2024-10-30 16:43:50 +01:00
jkarasti
95d7d8a4d9
Fix: Error with cx_freeze when building the windows executables 2024-10-30 17:41:15 +02:00
jkarasti
ed2791bbbc
Revert: "fix win build failure due to package autodiscovery"
This reverts commit 4d9f729654.

The error described in #178 doesn't happen anymore, so this workaround is not needed.
2024-10-30 17:41:15 +02:00
Alexis Métaireau
2ba247e09c
CI: Only run the CI on pull requests, and on the "main" branch
Previously, the actions were duplicated, because when developing
we often create feature branches and open pull requests.

This new setup requires us to open pull requests to trigger the CI.
2024-10-29 00:33:32 +01:00
11 changed files with 56 additions and 35 deletions


@ -1,6 +1,6 @@
name: Build dev environments
on:
push:
pull_request:
schedule:
- cron: "0 0 * * *" # Run every day at 00:00 UTC.
@ -33,8 +33,6 @@ jobs:
version: "20.04"
- distro: ubuntu
version: "22.04"
- distro: ubuntu
version: "23.10"
- distro: ubuntu
version: "24.04"
- distro: ubuntu


@ -1,6 +1,6 @@
name: Check branch conformity
on:
push:
pull_request:
jobs:
prevent-fixup-commits:


@ -23,8 +23,6 @@ jobs:
version: "24.10" # oracular
- distro: ubuntu
version: "24.04" # noble
- distro: ubuntu
version: "23.10" # mantic
- distro: ubuntu
version: "22.04" # jammy
- distro: ubuntu


@ -1,8 +1,9 @@
name: Tests
on:
push:
branches:
- main
pull_request:
branches: [main]
schedule:
- cron: "2 0 * * *" # Run every day at 02:00 UTC.
workflow_dispatch:
@ -24,7 +25,24 @@ concurrency:
cancel-in-progress: true
jobs:
should-run:
runs-on: ubuntu-latest
outputs:
run-workflow: ${{ steps.check.outputs.run-workflow }}
steps:
- id: check
run: |
if [[ "${{ github.event_name }}" == "pull_request" ]]; then
echo "run-workflow=true" >> $GITHUB_OUTPUT
elif [[ "${{ github.event_name }}" == "push" && "${{ github.ref }}" != "refs/heads/main" ]]; then
echo "run-workflow=true" >> $GITHUB_OUTPUT
else
echo "run-workflow=false" >> $GITHUB_OUTPUT
fi
run-lint:
needs: should-run
if: needs.should-run.outputs.run-workflow == 'true'
runs-on: ubuntu-latest
container:
image: debian:bookworm
@ -43,6 +61,8 @@ jobs:
# This is already built daily by the "build.yml" file
# But we also want to include this in the checks that run on each push.
build-container-image:
needs: should-run
if: needs.should-run.outputs.run-workflow == 'true'
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
@ -67,6 +87,8 @@ jobs:
python3 ./install/common/build-image.py
download-tessdata:
needs: should-run
if: needs.should-run.outputs.run-workflow == 'true'
name: Download and cache Tesseract data
runs-on: ubuntu-latest
steps:
@ -91,7 +113,10 @@ jobs:
windows:
runs-on: windows-latest
needs: download-tessdata
needs:
- download-tessdata
- should-run
if: needs.should-run.outputs.run-workflow == 'true'
env:
DUMMY_CONVERSION: 1
steps:
@ -121,7 +146,10 @@ jobs:
macOS:
name: "macOS (${{ matrix.arch }})"
runs-on: ${{ matrix.runner }}
needs: download-tessdata
needs:
- download-tessdata
- should-run
if: needs.should-run.outputs.run-workflow == 'true'
strategy:
matrix:
include:
@ -149,9 +177,12 @@ jobs:
run: poetry run make test
build-deb:
needs:
- should-run
- build-container-image
if: needs.should-run.outputs.run-workflow == 'true'
name: "build-deb (${{ matrix.distro }} ${{ matrix.version }})"
runs-on: ubuntu-latest
needs: build-container-image
strategy:
matrix:
include:
@ -159,8 +190,6 @@ jobs:
version: "20.04"
- distro: ubuntu
version: "22.04"
- distro: ubuntu
version: "23.10"
- distro: ubuntu
version: "24.04"
- distro: ubuntu
@ -221,7 +250,10 @@ jobs:
install-deb:
name: "install-deb (${{ matrix.distro }} ${{ matrix.version }})"
runs-on: ubuntu-latest
needs: build-deb
needs:
- build-deb
- should-run
if: needs.should-run.outputs.run-workflow == 'true'
strategy:
matrix:
include:
@ -229,8 +261,6 @@ jobs:
version: "20.04"
- distro: ubuntu
version: "22.04"
- distro: ubuntu
version: "23.10"
- distro: ubuntu
version: "24.04"
- distro: ubuntu
@ -277,7 +307,10 @@ jobs:
build-install-rpm:
name: "build-install-rpm (${{ matrix.distro }} ${{matrix.version}})"
runs-on: ubuntu-latest
needs: build-container-image
needs:
- build-container-image
- should-run
if: needs.should-run.outputs.run-workflow == 'true'
strategy:
matrix:
distro: ["fedora"]
@ -343,6 +376,8 @@ jobs:
needs:
- build-container-image
- download-tessdata
- should-run
if: needs.should-run.outputs.run-workflow == 'true'
strategy:
matrix:
include:
@ -350,8 +385,6 @@ jobs:
version: "20.04"
- distro: ubuntu
version: "22.04"
- distro: ubuntu
version: "23.10"
- distro: ubuntu
version: "24.04"
- distro: ubuntu
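Review bot: The `should-run` check step writes `run-workflow=false` for every event that is neither a pull request nor a push to a ref other than `refs/heads/main`, so pushes to `main`, the nightly `schedule` run and `workflow_dispatch` all skip the gated jobs (`run-lint`, `build-container-image`, `download-tessdata`, `windows`, `macOS`, the deb/rpm jobs), which appears to contradict the stated aim of running CI on pull requests and on `main`. If the `push` trigger is limited to `main`, as the first hunk suggests, the `elif` branch can never be true. The step also expands `${{ github.event_name }}` and `${{ github.ref }}` directly into the shell script; passing them through `env:` keeps ref names out of the script text. A possible rewrite of the step follows, with approximate indentation because the page has lost the original.

```yaml
      - id: check
        env:
          EVENT_NAME: ${{ github.event_name }}
          REF: ${{ github.ref }}
        run: |
          # Skip only pushes to branches other than main; pull requests,
          # scheduled runs and manual dispatches always run.
          if [[ "$EVENT_NAME" == "push" && "$REF" != "refs/heads/main" ]]; then
            echo "run-workflow=false" >> "$GITHUB_OUTPUT"
          else
            echo "run-workflow=true" >> "$GITHUB_OUTPUT"
          fi
  # … unchanged: run-lint and the other jobs gated on should-run …
```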


@ -1,8 +1,9 @@
name: Scan latest app and container
on:
push:
branches:
- main
pull_request:
branches: [ main ]
schedule:
- cron: '0 0 * * *' # Run every day at 00:00 UTC.
workflow_dispatch:


@ -11,7 +11,6 @@ an isolated environment. It will be installed automatically when installing Dang
Dangerzone is available for:
- Ubuntu 24.10 (oracular)
- Ubuntu 24.04 (noble)
- Ubuntu 23.10 (mantic)
- Ubuntu 22.04 (jammy)
- Ubuntu 20.04 (focal)
- Debian 13 (trixie)


@ -142,9 +142,6 @@ runsc_argv = [
"--rootless=true",
"--network=none",
"--root=/home/dangerzone/.containers",
# Disable DirectFS for to make the seccomp filter even stricter,
# at some performance cost.
"--directfs=false",
]
if os.environ.get("RUNSC_DEBUG"):
runsc_argv += ["--debug=true", "--alsologtostderr=true"]


@ -696,8 +696,6 @@ class Env:
DOCKERFILE_CONMON_UPDATE + DOCKERFILE_BUILD_DEV_DEBIAN_DEPS
)
elif self.distro == "ubuntu" and self.version in (
"23.10",
"mantic",
"24.04",
"noble",
"24.10",
@ -784,8 +782,6 @@ class Env:
# package (see https://github.com/freedomofpress/dangerzone/issues/685)
install_deps = DOCKERFILE_CONMON_UPDATE + DOCKERFILE_BUILD_DEBIAN_DEPS
elif self.distro == "ubuntu" and self.version in (
"23.10",
"mantic",
"24.04",
"noble",
"24.10",


@ -978,11 +978,6 @@ class QAUbuntu2204(QADebianBased):
VERSION = "22.04"
class QAUbuntu2310(QADebianBased):
DISTRO = "ubuntu"
VERSION = "23.10"
class QAUbuntu2404(QADebianBased):
DISTRO = "ubuntu"
VERSION = "24.04"


@ -4,7 +4,6 @@ from cx_Freeze import Executable, setup
with open("share/version.txt") as f:
version = f.read().strip()
packages = ["dangerzone", "dangerzone.gui"]
setup(
name="dangerzone",
@ -12,10 +11,13 @@ setup(
# On Windows description will show as the app's name in the "Open With" menu. See:
# https://github.com/freedomofpress/dangerzone/issues/283#issuecomment-1365148805
description="Dangerzone",
packages=packages,
options={
"build_exe": {
"packages": packages,
# Explicitly specify pymupdf.util module to fix building the executables
# with cx_freeze. See https://github.com/marcelotduarte/cx_Freeze/issues/2653
# for more details.
# TODO: Upgrade to cx_freeze 7.3.0 which should include a fix.
"packages": ["dangerzone", "dangerzone.gui", "pymupdf.utils"],
"excludes": ["test", "tkinter"],
"include_files": [("share", "share"), ("LICENSE", "LICENSE")],
"include_msvcr": True,
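Review bot: The new comment names the module `pymupdf.util`, but the entry added to the `build_exe` `"packages"` list is `pymupdf.utils`; the two should agree, e.g. `# Explicitly specify the pymupdf.utils module to fix building the executables`. The TODO would be easier to act on if it also said that the explicit `pymupdf.utils` entry can be dropped once the cx_Freeze upgrade lands. The `setup(` call continues past the end of the hunk.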


@ -164,6 +164,7 @@ class IsolationProviderTermination:
terminate_proc_mock = mocker.patch.object(
provider, "terminate_doc_to_pixels_proc", return_value=None
)
kill_pg_orig = base.kill_process_group
kill_pg_mock = mocker.patch(
"dangerzone.isolation_provider.base.kill_process_group", return_value=None
)
@ -178,6 +179,7 @@ class IsolationProviderTermination:
# Reset the function to the original state.
provider.terminate_doc_to_pixels_proc = terminate_proc_orig # type: ignore [method-assign]
base.kill_process_group = kill_pg_orig
# Really kill the spawned process, so that it doesn't linger after the tests
# complete.