mirror of
https://github.com/freedomofpress/dangerzone.git
synced 2025-05-03 04:01:49 +02:00
fd5aafdde9
Remove the installation steps for Xvfb, since it's already included in
GitHub actions, and fire up an Xvfb server with disabled host-based
access control.
Initially, we tried to wrap our CI tests with `xvfb-run`, but any
X11 client within our Podman container failed with the following error
message:
Authorization required, but no authorization protocol specified.
This error message is usually thrown when the X11 client does not
provide the magic cookie in the Xauthority file back to the X11 server.
In our case though, we can verify that commands in our Podman container
read the Xauthority file successfully:
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3
connect(3, {sa_family=AF_UNIX, sun_path=@"/tmp/.X11-unix/X99"}, 21) = -1 ECONNREFUSED (Connection refused)
close(3) = 0
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3
getsockopt(3, SOL_SOCKET, SO_SNDBUF, [212992], [4]) = 0
connect(3, {sa_family=AF_UNIX, sun_path="/tmp/.X11-unix/X99"}, 110) = 0
getpeername(3, {sa_family=AF_UNIX, sun_path="/tmp/.X11-unix/X99"}, [124->21]) = 0
uname({sysname="Linux", nodename="dangerzone-dev", ...}) = 0
access("/home/runner/work/dangerzone/dangerzone/cookie", R_OK) = 0
openat(AT_FDCWD, "/home/runner/work/dangerzone/dangerzone/cookie", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0600, st_size=59, ...}) = 0
read(4, "\1\0\0\rfv-az1915-957\0\299\0\22MIT-MAGIC"..., 4096) = 59
read(4, "", 4096) = 0
close(4) = 0
fcntl(3, F_GETFL) = 0x2 (flags O_RDWR)
fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
poll([{fd=3, events=POLLIN|POLLOUT}], 1, -1) = 1 ([{fd=3, revents=POLLOUT}])
writev(3, [{iov_base="l\0\v\0\0\0\0\0\0\0\0\0", iov_len=12}, {iov_base="", iov_len=0}], 2) = 12
recvfrom(3, 0x55a5635c0050, 8, 0, NULL, NULL) = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=3, events=POLLIN}], 1, -1) = 1 ([{fd=3, revents=POLLIN}])
recvfrom(3, "\0@\v\0\0\0\20\0", 8, 0, NULL, NULL) = 8
recvfrom(3, "Authorization required, but no a"..., 64, 0, NULL, NULL) = 64
write(2, "Authorization required, but no a"..., 64Authorization required, but no authorization protocol specified
) = 64
The line with the magic cookie is:
read(4, "\1\0\0\rfv-az1915-957\0\299\0\22MIT-MAGIC"..., 4096) = 59
Since we are not sure why we are not allowed access to the X11 server
from the Podman container, we decided to disable host-based access
controls altogether. This is not a security concern, since this X11
session is a remote one. However, we shouldn't run tests this way in dev
machines.
Fixes #949
374 lines
12 KiB
YAML
374 lines
12 KiB
YAML
name: Tests
|
|
on:
|
|
push:
|
|
pull_request:
|
|
branches: [main]
|
|
schedule:
|
|
- cron: "2 0 * * *" # Run every day at 02:00 UTC.
|
|
workflow_dispatch:
|
|
|
|
permissions:
|
|
packages: write
|
|
|
|
env:
|
|
REGISTRY_USER: ${{ github.actor }}
|
|
REGISTRY_PASSWORD: ${{ github.token }}
|
|
IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
|
|
QT_SELECT: "qt6"
|
|
|
|
# Disable multiple concurrent runs on the same branch
|
|
# When a new CI build is triggered, it will cancel the
|
|
# other in-progress ones (for the same branch)
|
|
concurrency:
|
|
group: ${{ github.head_ref || github.run_id }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
run-lint:
|
|
runs-on: ubuntu-latest
|
|
container:
|
|
image: debian:bookworm
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- name: Install dev. dependencies
|
|
run: |-
|
|
apt-get update
|
|
apt-get install -y git make python3 python3-poetry --no-install-recommends
|
|
poetry install --only lint,test
|
|
- name: Run linters to enforce code style
|
|
run: poetry run make lint
|
|
- name: Check that the QA script is up to date with the docs
|
|
run: "./dev_scripts/qa.py --check-refs"
|
|
|
|
# This is already built daily by the "build.yml" file
|
|
# But we also want to include this in the checks that run on each push.
|
|
build-container-image:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Get current date
|
|
id: date
|
|
run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
|
|
|
|
- name: Cache container image
|
|
id: cache-container-image
|
|
uses: actions/cache@v4
|
|
with:
|
|
key: v2-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py', 'poetry.lock', 'gvisor_wrapper/entrypoint.py') }}
|
|
path: |-
|
|
share/container.tar.gz
|
|
share/image-id.txt
|
|
|
|
- name: Build Dangerzone container image
|
|
if: ${{ steps.cache-container-image.outputs.cache-hit != 'true' }}
|
|
run: |
|
|
sudo apt-get install -y python3-poetry
|
|
python3 ./install/common/build-image.py
|
|
|
|
windows:
|
|
runs-on: windows-latest
|
|
env:
|
|
DUMMY_CONVERSION: 1
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: actions/setup-python@v5
|
|
with:
|
|
python-version: "3.12"
|
|
- run: pip install poetry
|
|
- run: poetry install
|
|
- name: Run CLI tests
|
|
run: poetry run make test
|
|
# Taken from: https://github.com/orgs/community/discussions/27149#discussioncomment-3254829
|
|
- name: Set path for candle and light
|
|
run: echo "C:\Program Files (x86)\WiX Toolset v3.14\bin" >> $GITHUB_PATH
|
|
shell: bash
|
|
- name: Build the MSI installer
|
|
# NOTE: This also builds the .exe internally.
|
|
run: poetry run .\install\windows\build-app.bat
|
|
|
|
macOS:
|
|
name: "macOS (${{ matrix.arch }})"
|
|
runs-on: ${{ matrix.runner }}
|
|
strategy:
|
|
matrix:
|
|
include:
|
|
- runner: macos-latest # CPU type: Apple Silicon (M1)
|
|
arch: arch64
|
|
- runner: macos-13 # CPU type: Intel x86_64
|
|
arch: x86_64
|
|
env:
|
|
DUMMY_CONVERSION: 1
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: actions/setup-python@v5
|
|
with:
|
|
python-version: "3.12"
|
|
- run: pip install poetry
|
|
- run: poetry install
|
|
- name: Run CLI tests
|
|
run: poetry run make test
|
|
|
|
build-deb:
|
|
name: "build-deb (${{ matrix.distro }} ${{ matrix.version }})"
|
|
runs-on: ubuntu-latest
|
|
needs: build-container-image
|
|
strategy:
|
|
matrix:
|
|
include:
|
|
- distro: ubuntu
|
|
version: "20.04"
|
|
- distro: ubuntu
|
|
version: "22.04"
|
|
- distro: ubuntu
|
|
version: "23.10"
|
|
- distro: ubuntu
|
|
version: "24.04"
|
|
- distro: debian
|
|
version: bullseye
|
|
- distro: debian
|
|
version: bookworm
|
|
- distro: debian
|
|
version: trixie
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- uses: actions/setup-python@v5
|
|
with:
|
|
python-version: "3.10"
|
|
|
|
- name: Login to GHCR
|
|
run: |
|
|
echo ${{ github.token }} | podman login ghcr.io -u USERNAME --password-stdin
|
|
|
|
- name: Get the dev environment
|
|
run: |
|
|
./dev_scripts/env.py \
|
|
--distro ${{ matrix.distro }} \
|
|
--version ${{ matrix.version }} \
|
|
build-dev --sync
|
|
|
|
- name: Get current date
|
|
id: date
|
|
run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
|
|
|
|
- name: Restore container cache
|
|
uses: actions/cache/restore@v4
|
|
with:
|
|
key: v2-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py', 'poetry.lock', 'gvisor_wrapper/entrypoint.py') }}
|
|
path: |-
|
|
share/container.tar.gz
|
|
share/image-id.txt
|
|
fail-on-cache-miss: true
|
|
|
|
- name: Build Dangerzone .deb
|
|
run: |
|
|
./dev_scripts/env.py --distro ${{ matrix.distro }} \
|
|
--version ${{ matrix.version }} \
|
|
run --dev --no-gui ./dangerzone/install/linux/build-deb.py
|
|
|
|
- name: Upload Dangerzone .deb
|
|
if: matrix.distro == 'debian' && matrix.version == 'bookworm'
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: dangerzone.deb
|
|
path: "deb_dist/dangerzone_*_*.deb"
|
|
if-no-files-found: error
|
|
compression-level: 0
|
|
|
|
install-deb:
|
|
name: "install-deb (${{ matrix.distro }} ${{ matrix.version }})"
|
|
runs-on: ubuntu-latest
|
|
needs: build-deb
|
|
strategy:
|
|
matrix:
|
|
include:
|
|
- distro: ubuntu
|
|
version: "20.04"
|
|
- distro: ubuntu
|
|
version: "22.04"
|
|
- distro: ubuntu
|
|
version: "23.10"
|
|
- distro: ubuntu
|
|
version: "24.04"
|
|
- distro: debian
|
|
version: bullseye
|
|
- distro: debian
|
|
version: bookworm
|
|
- distro: debian
|
|
version: trixie
|
|
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- uses: actions/setup-python@v5
|
|
with:
|
|
python-version: "3.10"
|
|
|
|
- name: Download Dangerzone .deb
|
|
uses: actions/download-artifact@v4
|
|
with:
|
|
name: dangerzone.deb
|
|
path: "deb_dist/"
|
|
|
|
- name: Build end-user environment
|
|
run: |
|
|
./dev_scripts/env.py --distro ${{ matrix.distro }} \
|
|
--version ${{ matrix.version }} \
|
|
build
|
|
|
|
- name: Run a test command
|
|
run: |
|
|
./dev_scripts/env.py --distro ${{ matrix.distro }} \
|
|
--version ${{ matrix.version }} \
|
|
run dangerzone-cli dangerzone/tests/test_docs/sample-pdf.pdf
|
|
|
|
- name: Check that the Dangerzone GUI imports work
|
|
run: |
|
|
./dev_scripts/env.py --distro ${{ matrix.distro }} \
|
|
--version ${{ matrix.version }} \
|
|
run dangerzone --help
|
|
|
|
build-install-rpm:
|
|
name: "build-install-rpm (${{ matrix.distro }} ${{matrix.version}})"
|
|
runs-on: ubuntu-latest
|
|
needs: build-container-image
|
|
strategy:
|
|
matrix:
|
|
distro: ["fedora"]
|
|
version: ["39", "40"]
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Login to GHCR
|
|
run: |
|
|
echo ${{ github.token }} | podman login ghcr.io -u USERNAME --password-stdin
|
|
|
|
- name: Get the dev environment
|
|
run: |
|
|
./dev_scripts/env.py \
|
|
--distro ${{ matrix.distro }} \
|
|
--version ${{ matrix.version }} \
|
|
build-dev --sync
|
|
|
|
- name: Get current date
|
|
id: date
|
|
run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
|
|
|
|
- name: Restore container image
|
|
uses: actions/cache/restore@v4
|
|
with:
|
|
key: v2-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py', 'poetry.lock', 'gvisor_wrapper/entrypoint.py') }}
|
|
path: |-
|
|
share/container.tar.gz
|
|
share/image-id.txt
|
|
fail-on-cache-miss: true
|
|
|
|
- name: Build Dangerzone .rpm
|
|
run: |
|
|
./dev_scripts/env.py --distro ${{ matrix.distro }} --version ${{ matrix.version }} \
|
|
run --dev --no-gui ./dangerzone/install/linux/build-rpm.py
|
|
|
|
# Reclaim some space in this step, now that the dev environment is no
|
|
# longer necessary. Previously, we encountered out-of-space issues while
|
|
# running this CI job.
|
|
- name: Reclaim some storage space
|
|
run: podman system reset -f
|
|
|
|
- name: Build end-user environment
|
|
run: |
|
|
./dev_scripts/env.py --distro ${{ matrix.distro }} \
|
|
--version ${{ matrix.version }} \
|
|
build --download-pyside6
|
|
|
|
- name: Run a test command
|
|
run: |
|
|
./dev_scripts/env.py --distro ${{ matrix.distro }} --version ${{ matrix.version }} \
|
|
run dangerzone-cli dangerzone/tests/test_docs/sample-pdf.pdf
|
|
|
|
- name: Check that the Dangerzone GUI imports work
|
|
run: |
|
|
./dev_scripts/env.py --distro ${{ matrix.distro }} --version ${{ matrix.version }} \
|
|
run dangerzone --help
|
|
|
|
run-tests:
|
|
name: "run tests (${{ matrix.distro }} ${{ matrix.version }})"
|
|
runs-on: ubuntu-latest
|
|
needs: build-container-image
|
|
strategy:
|
|
matrix:
|
|
include:
|
|
- distro: ubuntu
|
|
version: "20.04"
|
|
- distro: ubuntu
|
|
version: "22.04"
|
|
- distro: ubuntu
|
|
version: "23.10"
|
|
- distro: ubuntu
|
|
version: "24.04"
|
|
- distro: debian
|
|
version: bullseye
|
|
- distro: debian
|
|
version: bookworm
|
|
- distro: debian
|
|
version: trixie
|
|
- distro: fedora
|
|
version: "39"
|
|
- distro: fedora
|
|
version: "40"
|
|
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- uses: actions/setup-python@v5
|
|
with:
|
|
python-version: "3.10"
|
|
|
|
- name: Login to GHCR
|
|
run: |
|
|
echo ${{ github.token }} | podman login ghcr.io -u USERNAME --password-stdin
|
|
|
|
- name: Get current date
|
|
id: date
|
|
run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
|
|
|
|
- name: Get the dev environment
|
|
run: |
|
|
./dev_scripts/env.py \
|
|
--distro ${{ matrix.distro }} \
|
|
--version ${{ matrix.version }} \
|
|
build-dev --sync
|
|
|
|
- name: Restore container image
|
|
uses: actions/cache/restore@v4
|
|
with:
|
|
key: v2-${{ steps.date.outputs.date }}-${{ hashFiles('Dockerfile', 'dangerzone/conversion/common.py', 'dangerzone/conversion/doc_to_pixels.py', 'dangerzone/conversion/pixels_to_pdf.py', 'poetry.lock', 'gvisor_wrapper/entrypoint.py') }}
|
|
path: |-
|
|
share/container.tar.gz
|
|
share/image-id.txt
|
|
fail-on-cache-miss: true
|
|
|
|
- name: Run CI tests
|
|
run: |-
|
|
# Pass the -ac Xserver flag, to disable host-based access controls.
|
|
# This should be used ONLY for testing [1]. If we don't pass this
|
|
# flag, the Podman container is not authorized [2] to access the Xvfb
|
|
# server.
|
|
#
|
|
# [1] From https://www.x.org/releases/X11R6.7.0/doc/Xserver.1.html#sect4:
|
|
#
|
|
# disables host-based access control mechanisms. Enables access by
|
|
# any host, and permits any host to modify the access control
|
|
# list. Use with extreme caution. This option exists primarily for
|
|
# running test suites remotely.
|
|
#
|
|
# [2] Fails with "Authorization required, but no authorization
|
|
# protocol specified". However, we have verified with strace(1)
|
|
# that the command in the Podman container can read the Xauthority
|
|
# file successfully.
|
|
xvfb-run -s '-ac' ./dev_scripts/env.py --distro ${{ matrix.distro }} --version ${{ matrix.version }} run --dev \
|
|
bash -c 'cd dangerzone; poetry run make test'
|