From aaa39c55620a61c6c18e5978ab438f565ef31e2e Mon Sep 17 00:00:00 2001 From: Adrian Dombeck Date: Fri, 6 Feb 2026 01:39:58 +0100 Subject: [PATCH 1/3] WIP: try faster lrc --- .github/workflows/build-deb.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-deb.yaml b/.github/workflows/build-deb.yaml index da96eeb5d5..dee351b263 100644 --- a/.github/workflows/build-deb.yaml +++ b/.github/workflows/build-deb.yaml @@ -94,7 +94,7 @@ jobs: uses: actions/checkout@v6 - name: Build debian packages and sources - uses: canonical/desktop-engineering/gh-actions/common/build-debian@main + uses: canonical/desktop-engineering/gh-actions/common/build-debian@faster-lrc with: docker-image: ubuntu:${{ matrix.ubuntu-version }} # Add the Go backports PPA if we're testing a Ubuntu release which From bcfb5cdcedd26f9c9672de39e1f79a7001ddfaf1 Mon Sep 17 00:00:00 2001 
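Review bot: The `uses:` line of the "Build debian packages and sources" step references the build-debian action by a mutable branch name (`@faster-lrc`), so the code that runs inside the package build can change without any commit in this repository, and the workflow breaks once that feature branch is deleted. For the experiment, pinning to the full commit SHA of the branch tip keeps runs reproducible and reviewable: `uses: canonical/desktop-engineering/gh-actions/common/build-debian@<full-commit-sha>  # faster-lrc`. The `@main` ref being replaced has the same property, so the pin is worth keeping when the ref is switched back, which the WIP subject suggests will happen before merge. The job this step belongs to starts above the hunk, so its permissions and any secrets exposed to the action are not visible here.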
From: Adrian Dombeck Date: Fri, 6 Feb 2026 01:40:38 +0100 Subject: [PATCH 2/3] XXX: remove other CI jobs --- .github/workflows/auto-updates.yaml | 115 ----- .github/workflows/automatic-doc-checks.yaml | 26 -- .github/workflows/brokers-qa.yaml | 202 --------- .github/workflows/build-deb.yaml | 194 --------- .github/workflows/cla-check.yaml | 16 - .github/workflows/e2e-tests.yaml | 42 -- .github/workflows/git.yaml | 25 -- .../provision-and-run-e2e-tests.yaml | 127 ------ .github/workflows/qa.yaml | 403 ------------------ .github/workflows/run-e2e-tests.yaml | 164 ------- .github/workflows/tics-run.yaml | 116 ----- .../update-broker-variant-branches.yaml | 49 --- .github/workflows/validate-dependabot.yaml | 23 - 13 files changed, 1502 deletions(-) delete mode 100644 .github/workflows/auto-updates.yaml delete mode 100644 .github/workflows/automatic-doc-checks.yaml delete mode 100644 .github/workflows/brokers-qa.yaml delete mode 100644 .github/workflows/cla-check.yaml delete mode 100644 .github/workflows/e2e-tests.yaml delete mode 100644 .github/workflows/git.yaml delete mode 100644 .github/workflows/provision-and-run-e2e-tests.yaml delete mode 100644 .github/workflows/qa.yaml delete mode 100644 .github/workflows/run-e2e-tests.yaml delete mode 100644 .github/workflows/tics-run.yaml delete mode 100644 .github/workflows/update-broker-variant-branches.yaml delete mode 100644 .github/workflows/validate-dependabot.yaml diff --git a/.github/workflows/auto-updates.yaml b/.github/workflows/auto-updates.yaml deleted file mode 100644 index 9884b71e71..0000000000 --- a/.github/workflows/auto-updates.yaml +++ /dev/null 
@@ -1,115 +0,0 @@ -name: Update Rust packaging related files in main -on: - push: - branches: - - main - paths: - - 'Cargo.lock' - - 'debian/control' -concurrency: auto-update - -permissions: - pull-requests: write - contents: write - -# Jobs in this action must not run concurrently, as they modify the repository. -# When adding more jobs, make sure to use the "needs:" attribute to make sure they run sequentially. -jobs: - update-rust-packaging: - strategy: - fail-fast: false - matrix: - branch: [main] - ubuntu-version: [devel] - include: - - branch: noble - ubuntu-version: noble - - name: Update ${{ matrix.ubuntu-version }} packaging related Rust files - runs-on: ubuntu-latest - container: - image: ubuntu:${{ matrix.ubuntu-version }} - env: - CARGO_VENDOR_DIR: ${{ github.workspace }}/vendor_rust - UPDATE_BRANCH: auto-update-rust-packaging-${{ matrix.ubuntu-version }} - steps: - - name: Install dependencies - env: - DEBIAN_FRONTEND: noninteractive - CARGO_VENDOR_FILTERER_NOBLE_VERSION: 0.5.16 - shell: bash - run: | - set -euo pipefail - - apt-get update -y - apt-get install -y dh-cargo git - - if [ "${{ matrix.ubuntu-version }}" = "noble" ]; then - # Special behavior on noble as dh-cargo is not new enough there - apt-get install -y libssl-dev pkg-config - cargo install --locked --root=/usr \ - cargo-vendor-filterer@${{ env.CARGO_VENDOR_FILTERER_NOBLE_VERSION }} - else - apt-get install -y cargo-vendor-filterer - fi - - - name: Checkout the code - uses: actions/checkout@v6 - with: - ref: ${{ matrix.branch }} - - - name: Vendor the dependencies - env: - CARGO_PATH: /usr/share/cargo/bin/cargo - shell: bash - run: | - set -euo pipefail - - sh -x debian/vendor-rust.sh - - - name: Update XS-Vendored-Sources-Rust - shell: bash - run: | - set -euo pipefail - - echo "Running dh-cargo-vendored-sources" - VENDORED_SOURCES=$(/usr/share/cargo/bin/dh-cargo-vendored-sources 2>&1) \ - || cmd_status=$? 
- echo "${VENDORED_SOURCES}" - - OUTPUT=$(echo "$VENDORED_SOURCES" | grep ^XS-Vendored-Sources-Rust: || true) - if [ -z "${OUTPUT}" ]; then - if [ "${cmd_status:-0}" -ne 0 ]; then - # dh-cargo-vendored-sources failed because of other reason, so let's fail with it! - echo "dh-cargo-vendored-sources failed unexpectedly (exit code ${cmd_status})" - exit "${cmd_status}" - fi - - echo "XS-Vendored-Sources-Rust is up to date. No change is needed."; - exit 0 - fi - sed -i "s/^XS-Vendored-Sources-Rust:.*/$OUTPUT/" debian/control - - echo "modified=true" >> "${GITHUB_ENV}" - echo "update_branch=${UPDATE_BRANCH}" >> "${GITHUB_ENV}" - - - name: Create Pull Request - if: ${{ env.modified == 'true' }} - uses: peter-evans/create-pull-request@v8 - with: - commit-message: Auto update packaging related Rust files - title: | - [${{ matrix.ubuntu-version }}] Auto update packaging related Rust files - labels: control, automated pr - branch: ${{ env.update_branch }} - delete-branch: true - token: ${{ secrets.GITHUB_TOKEN }} - - - name: Push branch - if: ${{ env.modified == 'true' }} - shell: bash - run: | - set -eu - - git config --system --add safe.directory "${PWD}" - git push origin ${{ env.update_branch }}:${{ matrix.branch }} diff --git a/.github/workflows/automatic-doc-checks.yaml b/.github/workflows/automatic-doc-checks.yaml deleted file mode 100644 index 766c005cfc..0000000000 --- a/.github/workflows/automatic-doc-checks.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -name: Main Documentation Checks - -on: - push: - branches: [main] - paths: - - '.github/workflows/automatic-doc-checks.yaml' - - 'docs/**' - pull_request: - paths: - - '.github/workflows/automatic-doc-checks.yaml' - - 'docs/**' - schedule: - - cron: '0 12 * * MON' - # Manual trigger - workflow_dispatch: - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - documentation-checks: - uses: canonical/documentation-workflows/.github/workflows/documentation-checks.yaml@main - with: - working-directory: "./docs" diff --git a/.github/workflows/brokers-qa.yaml b/.github/workflows/brokers-qa.yaml deleted file mode 100644 index f09f43e394..0000000000 --- a/.github/workflows/brokers-qa.yaml +++ /dev/null 
@@ -1,202 +0,0 @@ -name: Brokers QA & sanity checks -on: - push: - branches: - - main - tags: - - "*" - paths: - - "authd-oidc-brokers/**" - - "!authd-oidc-brokers/e2e-tests/**" - - "!authd-oidc-brokers/po/**" - - "!authd-oidc-brokers/.gitignore" - - pull_request: - paths: - - "authd-oidc-brokers/**" - - "!authd-oidc-brokers/e2e-tests/**" - - "!authd-oidc-brokers/po/**" - - "!authd-oidc-brokers/.gitignore" - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -defaults: - run: - working-directory: ./authd-oidc-brokers - -jobs: - go-sanity: - name: "Go: Code sanity" - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v6 - with: - submodules: recursive - - - name: Build libhimmelblau - # The code sanity check fails if himmelblau.h does not exist, so we generate it first. - run: go generate --tags withmsentraid ./internal/providers/msentraid/... - - - name: Go code sanity check - uses: canonical/desktop-engineering/gh-actions/go/code-sanity@v2 - with: - golangci-lint-configfile: ".golangci.yaml" - working-directory: "./authd-oidc-brokers" - tools-directory: "./authd-oidc-brokers/tools" - go-tags: "withmsentraid" - - shell-sanity: - name: "Shell: Code sanity" - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v6 - - name: Run ShellCheck - uses: ludeeus/action-shellcheck@master - - go-tests: - name: "Go: Tests" - runs-on: ubuntu-24.04 # ubuntu-latest-runner - strategy: - fail-fast: false - matrix: - test: [ "coverage", "asan" ] - steps: - - uses: actions/checkout@v6 - with: - submodules: recursive - - uses: actions/setup-go@v6 - with: - go-version-file: go.mod - - - uses: canonical/desktop-engineering/gh-actions/common/dpkg-install-speedup@main - - name: Install dependencies - run: | - set -eu - sudo apt-get update - sudo apt-get install -y git-delta - - - name: Install coverage collection dependencies - if: matrix.test == 'coverage' - run: | - set -eu - - go install github.com/AlekSi/gocov-xml@latest - go 
install github.com/adombeck/gocov/gocov@latest - dotnet tool install -g dotnet-reportgenerator-globaltool - - - name: Build libhimmelblau - run: go generate --tags withmsentraid ./internal/providers/msentraid/... - - - name: Prepare tests artifacts path - run: | - set -eu - - artifacts_dir=$(mktemp -d --tmpdir authd-test-artifacts-XXXXXX) - echo AUTHD_TEST_ARTIFACTS_DIR="${artifacts_dir}" >> $GITHUB_ENV - - - name: Install gotestfmt and our wrapper script - uses: canonical/desktop-engineering/gh-actions/go/gotestfmt@main - - - name: Run tests (with coverage collection) - if: matrix.test == 'coverage' - run: | - set -euo pipefail - - # The coverage is not written if the output directory does not exist, so we need to create it. - cov_dir=${PWD}/coverage - raw_cov_dir=${cov_dir}/raw_files - codecov_dir=${cov_dir}/codecov - - mkdir -p "${raw_cov_dir}" "${codecov_dir}" - - # Print executed commands to ease debugging - set -x - - # Overriding the default coverage directory is not an exported flag of go test (yet), so - # we need to override it using the test.gocoverdir flag instead. - #TODO: Update when https://go-review.googlesource.com/c/go/+/456595 is merged. - go test -tags withmsentraid -json -cover -covermode=set ./... 
-shuffle=on -args -test.gocoverdir="${raw_cov_dir}" 2>&1 | \ - gotestfmt --logfile "${AUTHD_TEST_ARTIFACTS_DIR}/gotestfmt.cover.log" - - # Convert the raw coverage data into textfmt so we can merge the Rust one into it - go tool covdata textfmt -i="${raw_cov_dir}" -o="${cov_dir}/coverage.out" - - # Filter out the testutils package - grep -v -e "testutils" "${cov_dir}/coverage.out" >"${cov_dir}/coverage.out.filtered" - - # Generate the Cobertura report for Go - gocov convert "${cov_dir}/coverage.out.filtered" | gocov-xml > "${cov_dir}/coverage.xml" - reportgenerator -reports:"${cov_dir}/coverage.xml" -targetdir:"${codecov_dir}" -reporttypes:Cobertura - - # Store the coverage directory for the next steps - echo COVERAGE_DIR="${codecov_dir}" >> ${GITHUB_ENV} - - - name: Run msentraid tests (with Address Sanitizer) - if: matrix.test == 'asan' - env: - # Do not optimize, keep debug symbols and frame pointer for better - # stack trace information in case of ASAN errors. - CGO_CFLAGS: "-O0 -g3 -fno-omit-frame-pointer" - GO_TESTS_TIMEOUT: 30m - # Use these flags to give ASAN a better time to unwind the stack trace - GO_GC_FLAGS: -N -l - run: | - # Print executed commands to ease debugging - set -x - - # For llvm-symbolizer - sudo apt-get install -y llvm - - # We only run the msentraid tests with ASAN because only these use cgo. - pushd ./internal/providers/msentraid - go test -asan -gcflags=all="${GO_GC_FLAGS}" -c - go tool test2json -p internal/providers/msentraid ./msentraid.test \ - -test.v=test2json \ - -test.failfast \ - -test.timeout ${GO_TESTS_TIMEOUT} | \ - gotestfmt --logfile "${AUTHD_TEST_ARTIFACTS_DIR}/gotestfmt.asan.log" || \ - exit_code=$? - popd - - # We don't need the xtrace output after this point - set +x - - # We're logging to a file, and this is useful for having artifacts, but we still may want to see it in logs: - for f in "${AUTHD_TEST_ARTIFACTS_DIR}"/*asan.log*; do - if ! 
[ -e "${f}" ]; then - continue - fi - if [ -s "${f}" ]; then - echo "::group::${f} ($(wc -l < "${f}") lines)" - cat "${f}" - echo "::endgroup::" - else - echo "${f}: empty" - fi - done - - exit ${exit_code} - - - name: Upload coverage to Codecov - if: matrix.test == 'coverage' - uses: codecov/codecov-action@v5 - with: - directory: ${{ env.COVERAGE_DIR }} - files: ${{ env.COVERAGE_DIR }}/Cobertura.xml - token: ${{ secrets.CODECOV_TOKEN }} - - - name: Upload coverage report as artifact - if: matrix.test == 'coverage' && github.ref == 'refs/heads/main' - uses: actions/upload-artifact@v6 - with: - name: coverage - path: ${{ env.COVERAGE_DIR }} - - - name: Upload test artifacts - if: failure() - uses: actions/upload-artifact@v6 - with: - name: authd-${{ github.job }}-artifacts-${{ github.run_attempt }} - path: ${{ env.AUTHD_TEST_ARTIFACTS_DIR }} diff --git a/.github/workflows/build-deb.yaml b/.github/workflows/build-deb.yaml index dee351b263..299f7b1349 100644 --- a/.github/workflows/build-deb.yaml +++ b/.github/workflows/build-deb.yaml 
@@ -124,197 +124,3 @@ jobs: echo "pkg-dsc-${{ matrix.ubuntu-version }}=${{ env.PKG_DSC }}" echo "pkg-src-changes-${{ matrix.ubuntu-version }}=${{ env.PKG_SOURCE_CHANGES }}" ) >> "${GITHUB_OUTPUT}" - - check-modified-files: - name: Check modified files - runs-on: ubuntu-latest - needs: - - build-deb-package - outputs: - list: ${{ fromJSON(steps.git-diff.outputs.modified_files) }} - - steps: - - name: Checkout authd code - uses: actions/checkout@v6 - with: - fetch-depth: 100 - - - id: git-diff - name: Check modified files - run: | - set -ue - - base_ref=${{ github.event.pull_request.base.sha }} - if [ -z "${base_ref}" ]; then - base_ref=${{ github.event.before }} - fi - if [ -z "${base_ref}" ]; then - base_ref=$(git log --root --reverse -n1 --format=%H) - fi - - # Build a JSON array of modified paths. - modified_files=$(git diff --name-only "${base_ref}" HEAD | \ - while read line; do - jq -n --arg path "$line" '$path' - done | jq -n '. |= [inputs]') - echo "${modified_files}" - - escaped_json=$(echo "${modified_files}" | jq '.| tostring') - echo "modified_files=${escaped_json}" >> "${GITHUB_OUTPUT}" - - synchronize-packaging-branches: - name: Update packaging branch - runs-on: ubuntu-latest - needs: - - define-versions - - build-deb-package - permissions: - contents: write - strategy: - fail-fast: false - matrix: - ubuntu-version: ${{ fromJSON(needs.define-versions.outputs.ubuntu-versions) }} - env: - PACKAGING_BRANCH: ubuntu-packaging-${{ matrix.ubuntu-version }} - - # Run only on: - # - Push events to main - # - On github release - if: ${{ (github.event_name == 'push' && github.ref == 'refs/heads/main') || - github.event_name == 'release' }} - - steps: - # FIXME: Use dynamic outputs when possible: https://github.com/actions/runner/pull/2477 - - name: Setup job variables - run: | - set -exuo pipefail - - json_output='${{ toJSON(needs.build-deb-package.outputs) }}' - for var in $(echo "${json_output}" | jq -r 'keys | .[]'); do - if [[ "${var}" != *"-${{ 
matrix.ubuntu-version }}" ]]; then - continue; - fi - - v=$(echo "${json_output}" | jq -r ".\"${var}\"") - var="${var%-${{ matrix.ubuntu-version }}}" - echo "${var//-/_}=${v}" >> "${GITHUB_ENV}" - done - - - name: Download artifacts - uses: actions/download-artifact@v7 - with: - run-id: ${{ needs.build-deb-package.outputs.run-id }} - merge-multiple: true - - - name: Install dependencies - run: | - set -euo pipefail - - sudo apt-get update -y - sudo apt-get install -y --no-install-suggests --no-install-recommends \ - dpkg-dev devscripts - - - name: Checkout code - uses: actions/checkout@v6 - with: - fetch-depth: 100 - path: repo - - - name: Extract the debian sources - run: | - set -euo pipefail - - dpkg-source -x ${{ env.pkg_dsc }} sources - - - name: Commit packaging sources - run: | - set -exuo pipefail - - # Create or switch to the packaging branch - if git -C repo fetch --depth=1 origin "${{ env.PACKAGING_BRANCH }}:${{ env.PACKAGING_BRANCH }}"; then - git -C repo checkout "${{ env.PACKAGING_BRANCH }}" - else - git -C repo checkout -b "${{ env.PACKAGING_BRANCH }}" - fi - - # Replace the repository content with the package sources - mv repo/.git sources/ - cd sources - - # Drop the ubuntu version, as the PPA recipe will add it anyways - version=$(dpkg-parsechangelog -SVersion) - sanitized_version=$(echo "${version}" | sed "s,~[0-9.]\+\$,,") - perl -pe "s|\Q${version}\E|${sanitized_version}|" debian/changelog > \ - debian/changelog.sanitized - mv debian/changelog.sanitized debian/changelog - dpkg-parsechangelog - - git config --global user.name "Ubuntu Enterprise Desktop" - git config --global user.email "ubuntu-devel-discuss@lists.ubuntu.com" - - git add --all - git commit \ - --allow-empty \ - -m "Update ubuntu ${{ matrix.ubuntu-version }} package sources" \ - -m "Use upstream commit ${GITHUB_SHA}" - - - name: Push to packaging branch - run: | - set -exuo pipefail - - git -C sources push origin "${{ env.PACKAGING_BRANCH }}:${{ env.PACKAGING_BRANCH }}" - - 
run-autopkgtests: - name: Run autopkgtests - runs-on: ubuntu-latest - needs: - - define-versions - - build-deb-package - - check-modified-files - strategy: - fail-fast: false - matrix: - ubuntu-version: ${{ fromJSON(needs.define-versions.outputs.ubuntu-versions) }} - - # Run autopkgtests only on: - # - Push events to main - # - When a file in the debian subdir is modified - # - When this file is modified - # - On new tags - # - On github release - if: ${{ (github.event_name == 'push' && github.ref == 'refs/heads/main') || - contains(needs.check-modified-files.outputs.list, 'debian/') || - contains(needs.check-modified-files.outputs.list, '.github/workflows/build-deb.yaml') || - startsWith(github.ref, 'refs/tags/') || - github.event_name == 'release' }} - - steps: - # FIXME: Use dynamic outputs when possible: https://github.com/actions/runner/pull/2477 - - name: Setup job variables - run: | - set -exuo pipefail - - json_output='${{ toJSON(needs.build-deb-package.outputs) }}' - for var in $(echo "${json_output}" | jq -r 'keys | .[]'); do - if [[ "${var}" != *"-${{ matrix.ubuntu-version }}" ]]; then - continue; - fi - - v=$(echo "${json_output}" | jq -r ".\"${var}\"") - var="${var%-${{ matrix.ubuntu-version }}}" - echo "${var//-/_}=${v}" >> "${GITHUB_ENV}" - done - - - name: Download artifacts - uses: actions/download-artifact@v7 - with: - run-id: ${{ needs.build-deb-package.outputs.run-id }} - pattern: ${{ needs.build-deb-package.outputs.pkg-name }}_${{ env.pkg_version }}-* - merge-multiple: true - - - name: Run autopkgtests - uses: canonical/desktop-engineering/gh-actions/common/run-autopkgtest@main - with: - lxd-image: ubuntu:${{ matrix.ubuntu-version }} - source-changes: ${{ env.pkg_src_changes }} - autopkgtest-args: --add-apt-source=ppa:ubuntu-enterprise-desktop/golang diff --git a/.github/workflows/cla-check.yaml b/.github/workflows/cla-check.yaml deleted file mode 100644 index 566269953a..0000000000 --- a/.github/workflows/cla-check.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -name: Check if CLA is signed -on: [pull_request_target] - -jobs: - cla-check: - name: Check if CLA is signed - runs-on: ubuntu-latest - steps: - - name: Check if CLA signed - uses: canonical/has-signed-canonical-cla@v2 - with: - accept-existing-contributors: true - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true \ No newline at end of file diff --git a/.github/workflows/e2e-tests.yaml b/.github/workflows/e2e-tests.yaml deleted file mode 100644 index b80d0cb49e..0000000000 --- a/.github/workflows/e2e-tests.yaml +++ /dev/null @@ -1,42 +0,0 @@ -name: e2e-tests - -on: - workflow_dispatch: - schedule: - - cron: '0 0 * * 1' # Runs every Monday at midnight - pull_request: - paths: - - '**' - - '!.github/workflows/**' - - '.github/workflows/run-e2e-tests.yaml' - - '.github/workflows/provision-and-run-e2e-tests.yaml' - - '.github/workflows/e2e-tests.yaml' - - '!.gitignore' - - '!.golangci.yaml' - - '!AGENTS.md' - - '!CODE_OF_CONDUCT.md' - - '!CONTRIBUTING.md' - - '!COPYING' - - '!COPYING.LESSER' - - '!README.md' - - '!SECURITY.md' - - "!authd-oidc-brokers/po/**" - - "!authd-oidc-brokers/.gitignore" - - '!docs/**' - - '!examplebroker/**' - - '!gotestcov' - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - provision-and-run-e2e-tests: - strategy: - matrix: - release: [noble, questing] - fail-fast: false - uses: ./.github/workflows/provision-and-run-e2e-tests.yaml - with: - release: ${{ matrix.release }} - secrets: inherit diff --git a/.github/workflows/git.yaml b/.github/workflows/git.yaml deleted file mode 100644 index 2555375d76..0000000000 --- a/.github/workflows/git.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -name: Git Checks - -on: [pull_request] - -jobs: - block-fixup: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v6 - - name: Block Fixup Commit Merge - run: | - PR_REF="${GITHUB_REF%/merge}/head" - BASE_REF="${GITHUB_BASE_REF}" - git fetch --no-tags --prune --progress --no-recurse-submodules --depth=1 origin "${BASE_REF}:__ci_base" - git fetch --no-tags --prune --progress --no-recurse-submodules --shallow-exclude="${BASE_REF}" origin "${PR_REF}:__ci_pr" - COMMIT_LIST=$(/usr/bin/git log --pretty=format:%s __ci_base..__ci_pr) - echo "Fixup commits:" - if echo "${COMMIT_LIST}" | grep -iE '^(fixup|squash|wip)'; then - exit 1 - fi - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true diff --git a/.github/workflows/provision-and-run-e2e-tests.yaml b/.github/workflows/provision-and-run-e2e-tests.yaml deleted file mode 100644 index f08425bb9f..0000000000 --- a/.github/workflows/provision-and-run-e2e-tests.yaml +++ /dev/null 
@@ -1,127 +0,0 @@ -name: provision-e2e-test (reusable) - -on: - workflow_call: - inputs: - release: - required: true - type: string - secrets: - E2E_VM_SSH_PRIV_KEY: - required: true - E2E_VM_SSH_PUB_KEY: - required: true - -env: - DEBIAN_FRONTEND: noninteractive - VM_NAME_BASE: e2e-runner - ARTIFACTS_DIR: /tmp/e2e-artifacts - E2E_TESTS_DIR: e2e-tests - -jobs: - provision-vm: - name: Provision VM - runs-on: ubuntu-latest - permissions: - contents: read - actions: write - packages: write - steps: - - name: Checkout repo - uses: actions/checkout@v6 - - - name: Restore cached VM image (if available) - id: restore-cache - uses: actions/cache/restore@v4 - with: - path: ${{ env.ARTIFACTS_DIR }}/${{ env.VM_NAME_BASE }}-${{ inputs.release }}.qcow2 - key: >- - e2e-runner-vm-${{ inputs.release }}-${{ hashFiles( - 'e2e-tests/vm/**', - '.github/actions/e2e-tests/set-up-ssh-keys/**', - '.github/workflows/provision-and-run-e2e-tests.yaml' - ) }} - fail-on-cache-miss: false - - - uses: canonical/desktop-engineering/gh-actions/common/dpkg-install-speedup@main - if: steps.restore-cache.outputs.cache-hit != 'true' - - - name: Install APT dependencies for VM provisioning - if: steps.restore-cache.outputs.cache-hit != 'true' - run: ./${{ env.E2E_TESTS_DIR }}/vm/install-provision-deps.sh - - - name: Set up SSH keys for the VM provisioning - id: set-ssh-keys - if: steps.restore-cache.outputs.cache-hit != 'true' - uses: ./.github/actions/e2e-tests/set-up-ssh-keys - with: - E2E_VM_SSH_PRIV_KEY: ${{ secrets.E2E_VM_SSH_PRIV_KEY }} - E2E_VM_SSH_PUB_KEY: ${{ secrets.E2E_VM_SSH_PUB_KEY }} - - - name: Provision the VM - id: provision-vm - if: steps.restore-cache.outputs.cache-hit != 'true' - run: | - set -eu - export PATH="$(realpath "${{ env.E2E_TESTS_DIR }}/vm/helpers"):${PATH}" - mkdir -p ${{ env.ARTIFACTS_DIR }} - env VM_NAME_BASE="${{ env.VM_NAME_BASE }}" \ - RELEASE="${{ inputs.release }}" \ - ARTIFACTS_DIR="${{ env.ARTIFACTS_DIR }}" \ - SSH_PUBLIC_KEY_FILE="${{ 
steps.set-ssh-keys.outputs.keys-path }}/id_rsa.pub" \ - ./${{ env.E2E_TESTS_DIR }}/vm/provision-ubuntu.sh - - - name: Clean previous cache - if: always() && steps.provision-vm.outcome == 'success' - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GH_REPO: ${{ github.repository }} - run: | - set -eu - gh cache delete e2e-runner-${{ inputs.release }} || true - echo "Previous cache (if any) deleted" - - - name: Cache the VM image - uses: actions/cache/save@v4 - if: always() && steps.provision-vm.outcome == 'success' - with: - path: ${{ env.ARTIFACTS_DIR }}/${{ env.VM_NAME_BASE }}-${{ inputs.release }}.qcow2 - key: >- - e2e-runner-vm-${{ inputs.release }}-${{ hashFiles( - 'e2e-tests/vm/**', - '.github/actions/e2e-tests/set-up-ssh-keys/**', - '.github/workflows/provision-and-run-e2e-tests.yaml' - ) }} - - - uses: oras-project/setup-oras@v1 - - name: Upload VM image as OCI artifact - if: steps.provision-vm.outcome == 'success' || steps.restore-cache.outputs.cache-hit == 'true' - env: - IMAGE_PATH: ${{ env.ARTIFACTS_DIR }}/${{ env.VM_NAME_BASE }}-${{ inputs.release }}.qcow2 - OCI_REPO: ghcr.io/${{ github.repository }}/e2e-runner - OCI_TAG: ${{ inputs.release }} - run: | - set -euo pipefail - - echo "${{ secrets.GITHUB_TOKEN }}" \ - | oras login ghcr.io -u "${{ github.actor }}" --password-stdin - - # Chunk qcow2 into stable fixed-size layers (64 MiB) - WORKDIR=$(mktemp -d) - split -b 64M "$IMAGE_PATH" "$WORKDIR/chunk-" - - # Push as a layered OCI artifact (each chunk becomes a layer) - cd "$WORKDIR" - oras push "${OCI_REPO}:${OCI_TAG}" chunk-* --artifact-type application/vnd.qemu.qcow2 - - e2e-test: - needs: provision-vm - strategy: - matrix: - broker: [authd-msentraid, authd-google] - fail-fast: false - uses: ./.github/workflows/run-e2e-tests.yaml - with: - release: ${{ inputs.release }} - broker: ${{ matrix.broker }} - secrets: inherit diff --git a/.github/workflows/qa.yaml b/.github/workflows/qa.yaml deleted file mode 100644 index c002aec618..0000000000 
--- a/.github/workflows/qa.yaml +++ /dev/null 
@@ -1,403 +0,0 @@ -name: authd QA & sanity checks -on: - push: - branches: - - main - paths: - - '**' - - '!.github/**' - - '.github/workflows/qa.yaml' - - '!.gitignore' - - '!.gitmodules' - - '!AGENTS.md' - - '!CODE_OF_CONDUCT.md' - - '!CONTRIBUTING.md' - - '!COPYING' - - '!COPYING.LESSER' - - '!README.md' - - '!SECURITY.md' - - '!authd-oidc-brokers/**' - - '!docs/**' - - '!examplebroker/**' - - '!gotestcov' - - '!snap/**' - tags: - - "*" - pull_request: - paths: - - '**' - - '!.github/**' - - '.github/workflows/qa.yaml' - - '!.gitignore' - - '!.gitmodules' - - '!AGENTS.md' - - '!CODE_OF_CONDUCT.md' - - '!CONTRIBUTING.md' - - '!COPYING' - - '!COPYING.LESSER' - - '!README.md' - - '!SECURITY.md' - - '!authd-oidc-brokers/**' - - '!docs/**' - - '!examplebroker/**' - - '!gotestcov' - - '!snap/**' - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -env: - DEBIAN_FRONTEND: noninteractive - GO_TESTS_TIMEOUT: 20m - AUTHD_SSHD_STDERR_LOG_ALL_PAM_MESSAGES: true - c_build_dependencies: >- - clang-tools - clang - libglib2.0-dev - libpam-dev - - go_build_dependencies: >- - libglib2.0-dev - libpam-dev - libpwquality-dev - - go_test_dependencies: >- - apparmor-profiles - bubblewrap - cracklib-runtime - git-delta - openssh-client - openssh-server - -jobs: - go-sanity: - name: "Go: Code sanity" - permissions: {} - runs-on: ubuntu-24.04 # ubuntu-latest-runner - steps: - - uses: canonical/desktop-engineering/gh-actions/common/dpkg-install-speedup@main - - name: Install dependencies - run: | - # Install dependencies - set -eu - - sudo apt-get update - sudo apt-get install -y ${{ env.go_build_dependencies }} - - uses: actions/checkout@v6 - - name: Go code sanity check - uses: canonical/desktop-engineering/gh-actions/go/code-sanity@v2 - with: - golangci-lint-configfile: ".golangci.yaml" - tools-directory: "tools" - token: ${{ secrets.GITHUB_TOKEN }} - - name: Build cmd/authd with withexamplebroker tag - run: | - set -eu - go build -tags 
withexamplebroker ./cmd/authd - - name: Run PAM client for interactive testing purposes - run: | - set -eu - go run -tags withpamrunner ./pam/tools/pam-runner login --exec-debug - - name: Generate PAM module - run: | - set -eu - find pam -name '*.so' -print -delete - go generate -C pam -x - test -e pam/pam_authd.so - test -e pam/go-exec/pam_authd_exec.so - - name: Generate PAM module with pam_debug tag - run: | - set -eu - find pam -name '*.so' -print -delete - go generate -C pam -x -tags pam_debug - test -e pam/pam_authd.so - test -e pam/go-exec/pam_authd_exec.so - - rust-sanity: - name: "Rust: Code sanity" - permissions: {} - runs-on: ubuntu-24.04 # ubuntu-latest-runner - steps: - - uses: canonical/desktop-engineering/gh-actions/common/dpkg-install-speedup@main - - name: Install dependencies - run: | - # Install dependencies - set -eu - - sudo apt-get update - # In Rust the grpc stubs are generated at build time - # so we always need to install the protobuf compilers - # when building the NSS crate. 
- sudo apt-get install -y protobuf-compiler - - uses: actions/checkout@v6 - - name: Rust code sanity check - uses: canonical/desktop-engineering/gh-actions/rust/code-sanity@main - with: - token: ${{ secrets.GITHUB_TOKEN }} - - c-sanity: - name: "C Code sanity" - runs-on: ubuntu-24.04 # ubuntu-latest-runner - env: - CFLAGS: "-Werror" - steps: - - uses: canonical/desktop-engineering/gh-actions/common/dpkg-install-speedup@main - - name: Install dependencies - run: | - # Install dependencies - set -eu - - sudo apt-get update - sudo apt-get install -y ${{ env.c_build_dependencies }} - - name: Prepare report dir - run: | - set -eu - - scan_build_dir=$(mktemp -d --tmpdir scan-build-dir-XXXXXX) - echo SCAN_BUILD_REPORTS_PATH="${scan_build_dir}" >> $GITHUB_ENV - - uses: actions/checkout@v6 - - name: Run scan build on GDM extensions - run: | - set -eu - - scan-build -v -o "${SCAN_BUILD_REPORTS_PATH}" clang ${CFLAGS} \ - -Wno-gnu-variable-sized-type-not-at-end \ - pam/internal/gdm/extension.h - - name: Run scan build on go-exec module - run: | - set -eu - - scan-build -v -o "${SCAN_BUILD_REPORTS_PATH}" clang ${CFLAGS} \ - -DAUTHD_TEST_MODULE=1 \ - $(pkg-config --cflags --libs gio-unix-2.0 gio-2.0) \ - -lpam -shared -fPIC \ - pam/go-exec/module.c - - name: Upload scan build reports - uses: actions/upload-artifact@v6 - with: - name: authd-${{ github.job }}-artifacts-${{ github.run_attempt }} - path: ${{ env.SCAN_BUILD_REPORTS_PATH }} - - go-tests-coverage: - name: "Go Tests with Coverage Collection" - runs-on: ubuntu-24.04 # ubuntu-latest-runner - env: - RAW_COVERAGE_DIR: ${{ github.workspace }}/raw-coverage - COVERAGE_DIR: ${{ github.workspace }}/coverage - steps: - - uses: actions/checkout@v6 - - uses: ./.github/actions/setup-go-tests - - uses: ./.github/actions/setup-go-coverage-tests - # Installation of debug symbols takes a long time (and fails currently), - # so we skip it for now. Enable on demand. 
- # - uses: ./.github/actions/install-debug-symbols - # continue-on-error: true - - - name: Run tests with coverage collection - env: - G_DEBUG: "fatal-criticals" - run: | - set -euo pipefail - - # The coverage is not written if the output directory does not exist, so we need to create it. - mkdir -p "${RAW_COVERAGE_DIR}" - - # Print executed commands to ease debugging - set -x - - # Work around https://github.com/golang/go/issues/75031 - go env -w GOTOOLCHAIN="$(go version | awk '{ print $3 }')+auto" - - # Overriding the default coverage directory is not an exported flag of go test (yet), so - # we need to override it using the test.gocoverdir flag instead. - #TODO: Update when https://go-review.googlesource.com/c/go/+/456595 is merged. - go test -json -timeout ${GO_TESTS_TIMEOUT} -cover -covermode=set ./... -coverpkg=./... \ - -shuffle=on -args -test.gocoverdir="${RAW_COVERAGE_DIR}" | \ - gotestfmt --logfile "${AUTHD_TESTS_ARTIFACTS_PATH}/gotestfmt.cover.log" - - # Upload the test output for the go-tests-coverage-retry job which retries - # the failed tests. - - name: Upload JSON test output on failure - if: failure() - uses: actions/upload-artifact@v6 - with: - name: coverage-test-output - path: ${{ env.AUTHD_TESTS_ARTIFACTS_PATH }}/gotestfmt.cover.stdout - - # Upload the raw coverage data so that the go-tests-coverage-retry job has - # all the data to generate the coverage report (if the tests succeed on - # retry). 
- - name: Upload raw coverage on failure - if: failure() - uses: actions/upload-artifact@v6 - with: - name: raw-coverage-data - path: ${{ env.RAW_COVERAGE_DIR }} - - - uses: ./.github/actions/generate-coverage-report - with: - codecov-token: ${{ secrets.CODECOV_TOKEN }} - - - uses: ./.github/actions/upload-test-artifacts - if: always() - - go-tests-coverage-retry: - name: "Retry Go Tests with Coverage Collection" - needs: go-tests-coverage - if: always() && needs.go-tests-coverage.result == 'failure' - runs-on: ubuntu-24.04 - env: - RAW_COVERAGE_DIR: ${{ github.workspace }}/raw-coverage - COVERAGE_DIR: ${{ github.workspace }}/coverage - steps: - - uses: actions/checkout@v6 - - uses: ./.github/actions/setup-go-tests - - uses: ./.github/actions/setup-go-coverage-tests - # Installation of debug symbols takes a long time (and fails currently), - # so we skip it for now. Enable on demand. - # - uses: ./.github/actions/install-debug-symbols - # continue-on-error: true - - - name: Download JSON output of failed tests - uses: actions/download-artifact@v7 - with: - name: coverage-test-output - path: /tmp/coverage-test-output - - - name: Download raw coverage data - uses: actions/download-artifact@v7 - with: - name: raw-coverage-data - path: ${{ env.RAW_COVERAGE_DIR }} - - - name: Install gotest-rerun-failed - run: go install github.com/adombeck/gotest-rerun-failed@latest - - - name: Retry failed tests with coverage collection - run: | - set -euo pipefail - - # Print executed commands to ease debugging - set -x - - test_output="/tmp/coverage-test-output/gotestfmt.cover.stdout" - for i in $(seq 1 3); do - echo "Retrying failed tests (attempt ${i})" - gotest-rerun-failed -json -timeout ${GO_TESTS_TIMEOUT} -cover -covermode=set -- -coverpkg=./... \ - -shuffle=on -args -test.gocoverdir="${RAW_COVERAGE_DIR}" \ - < "${test_output}" \ - | gotestfmt --logfile "${AUTHD_TESTS_ARTIFACTS_PATH}/gotestfmt.cover.retry-$i.log" \ - && exit_code=0 || exit_code=$? 
- if [ "${exit_code}" -eq 0 ]; then - break - fi - if [ "${i}" -eq 3 ]; then - echo "Tests failed 3 times, giving up" - exit ${exit_code} - fi - test_output="${AUTHD_TESTS_ARTIFACTS_PATH}/gotestfmt.cover.retry-$i.stdout" - done - - - uses: ./.github/actions/generate-coverage-report - with: - codecov-token: ${{ secrets.CODECOV_TOKEN }} - - - uses: ./.github/actions/upload-test-artifacts - if: always() - - go-tests-race: - name: "Go Tests with Race Detector" - runs-on: ubuntu-24.04 # ubuntu-latest-runner - steps: - - uses: actions/checkout@v6 - - uses: ./.github/actions/setup-go-tests - # Installation of debug symbols takes a long time (and fails currently), - # so we skip it for now. Enable on demand. - # - uses: ./.github/actions/install-debug-symbols - # continue-on-error: true - - - name: Run tests with race detector - env: - GO_TESTS_TIMEOUT: 35m - AUTHD_TESTS_SLEEP_MULTIPLIER: 3 - GORACE: log_path=${{ env.AUTHD_TESTS_ARTIFACTS_PATH }}/gorace.log - run: | - go test -json -timeout ${GO_TESTS_TIMEOUT} -race -failfast ./... | \ - gotestfmt --logfile "${AUTHD_TESTS_ARTIFACTS_PATH}/gotestfmt.race.log" || exit_code=$? - - if [ "${exit_code:-0}" -ne 0 ]; then - cat "${AUTHD_TESTS_ARTIFACTS_PATH}"/gorace.log* || true - exit ${exit_code} - fi - - - uses: ./.github/actions/upload-test-artifacts - if: always() - - go-tests-asan: - name: "Go PAM tests with Address Sanitizer" - runs-on: ubuntu-24.04 # ubuntu-latest-runner - steps: - - uses: actions/checkout@v6 - - uses: ./.github/actions/setup-go-tests - # Installation of debug symbols takes a long time (and fails currently), - # so we skip it for now. Enable on demand. - # - uses: ./.github/actions/install-debug-symbols - # continue-on-error: true - - - name: Run PAM tests with Address Sanitizer - env: - # Do not optimize, keep debug symbols and frame pointer for better - # stack trace information in case of ASAN errors. 
- CGO_CFLAGS: "-O0 -g3 -fno-omit-frame-pointer" - G_DEBUG: "fatal-criticals" - GO_TESTS_TIMEOUT: 30m - AUTHD_TESTS_SLEEP_MULTIPLIER: 1.5 - # Use these flags to give ASAN a better time to unwind the stack trace - GO_GC_FLAGS: -N -l - run: | - # Print executed commands to ease debugging - set -x - - # For llvm-symbolizer - sudo apt-get install -y llvm - - go test -C ./pam/internal -json -asan -gcflags=all="${GO_GC_FLAGS}" -failfast -timeout ${GO_TESTS_TIMEOUT} ./... | \ - gotestfmt --logfile "${AUTHD_TESTS_ARTIFACTS_PATH}/gotestfmt.pam-internal-asan.log" || exit_code=$? - if [ -n "${exit_code:-}" ]; then - cat "${AUTHD_TESTS_ARTIFACTS_PATH}"/asan.log* || true - exit ${exit_code} - fi - - echo "Running PAM integration tests" - pushd ./pam/integration-tests - go test -asan -gcflags=all="${GO_GC_FLAGS}" -c - go tool test2json -p pam/integrations-test ./integration-tests.test \ - -test.v=test2json \ - -test.failfast \ - -test.timeout ${GO_TESTS_TIMEOUT} | \ - gotestfmt --logfile "${AUTHD_TESTS_ARTIFACTS_PATH}/gotestfmt.pam-integration-tests-asan.log" || \ - exit_code=$? - popd - - # We don't need the xtrace output after this point - set +x - - # We're logging to a file, and this is useful for having artifacts, but we still may want to see it in logs: - for f in "${AUTHD_TESTS_ARTIFACTS_PATH}"/asan.log*; do - if ! [ -e "${f}" ]; then - continue - fi - if [ -s "${f}" ]; then - echo "::group::${f} ($(wc -l < "${f}") lines)" - cat "${f}" - echo "::endgroup::" - else - echo "${f}: empty" - fi - done - - exit ${exit_code} - - - uses: ./.github/actions/upload-test-artifacts - if: always() diff --git a/.github/workflows/run-e2e-tests.yaml b/.github/workflows/run-e2e-tests.yaml deleted file mode 100644 index bbbeba3172..0000000000 --- a/.github/workflows/run-e2e-tests.yaml +++ /dev/null 
@@ -1,164 +0,0 @@
-name: run-e2e-test (reusable)
-
-on:
- workflow_call:
- inputs:
- release:
- required: true
- type: string
- broker:
- required: true
- type: string
- secrets:
- E2E_VM_SSH_PRIV_KEY:
- required: true
- E2E_VM_SSH_PUB_KEY:
- required: true
- E2E_MSENTRA_ISSUER_ID:
- required: false
- E2E_MSENTRA_CLIENT_ID:
- required: false
- E2E_MSENTRA_USERNAME:
- required: false
- E2E_MSENTRA_PASSWORD:
- required: false
- E2E_MSENTRA_TOTP_SECRET:
- required: false
- E2E_GOOGLE_CLIENT_ID:
- required: false
- E2E_GOOGLE_CLIENT_SECRET:
- required: false
- E2E_GOOGLE_USERNAME:
- required: false
- E2E_GOOGLE_PASSWORD:
- required: false
- E2E_GOOGLE_TOTP_SECRET:
- required: false
-
-env:
- DEBIAN_FRONTEND: noninteractive
- VM_NAME_BASE: e2e-runner
- ARTIFACTS_DIR: /tmp/e2e-artifacts
- E2E_TESTS_DIR: e2e-tests
- OUTPUT_DIR: /tmp/e2e-${{ inputs.broker }}-${{ inputs.release }}/output
-
-jobs:
- run-tests:
- name: Run e2e-tests (${{ inputs.broker }})
- runs-on: ubuntu-latest
- permissions:
- contents: read
- actions: write
- packages: read
- steps:
- - uses: oras-project/setup-oras@v1
- - name: Download VM image OCI artifact
- env:
- OCI_REPO: ghcr.io/${{ github.repository }}/e2e-runner
- OCI_TAG: ${{ inputs.release }}
- IMAGE_PATH: ${{ env.ARTIFACTS_DIR }}/${{ env.VM_NAME_BASE }}-${{ inputs.release }}.qcow2
- run: |
- set -euo pipefail
-
- mkdir -p "$(dirname "$IMAGE_PATH")"
-
- echo "${{ secrets.GITHUB_TOKEN }}" \
- | oras login ghcr.io -u "${{ github.actor }}" --password-stdin
-
- oras pull "${OCI_REPO}:${OCI_TAG}"
- cat chunk-* > "$IMAGE_PATH"
- rm chunk-*
-
- - name: Checkout repo
- uses: actions/checkout@v6
-
- - uses: canonical/desktop-engineering/gh-actions/common/dpkg-install-speedup@main
-
- - name: Install APT dependencies for provisioning
- run: ${{ env.E2E_TESTS_DIR }}/vm/install-provision-deps.sh
-
- - name: Set up SSH keys for the VM provisioning
- id: set-ssh-keys
- uses: ./.github/actions/e2e-tests/set-up-ssh-keys
- with:
- E2E_VM_SSH_PRIV_KEY: ${{ secrets.E2E_VM_SSH_PRIV_KEY }}
- E2E_VM_SSH_PUB_KEY: ${{ secrets.E2E_VM_SSH_PUB_KEY }}
-
- - name: Provision authd and the broker
- run: |
- set -eux
- export PATH="$(realpath "${{ env.E2E_TESTS_DIR }}/vm/helpers"):${PATH}"
-
- # Generate the libvirt domain XML file
- template="${{ env.E2E_TESTS_DIR }}/vm/e2e-runner-template.xml"
- env \
- IMAGE_FILE=${{ env.ARTIFACTS_DIR }}/${{ env.VM_NAME_BASE }}-${{ inputs.release }}.qcow2 \
- VM_NAME=${{ env.VM_NAME_BASE }}-${{ inputs.release }} \
- envsubst \
- < "${template}" \
- > "${{ env.ARTIFACTS_DIR }}/${{ env.VM_NAME_BASE }}.xml"
-
- # Create the provisioning config file
- cat > "${{ env.E2E_TESTS_DIR }}/vm/config.sh" <<-EOF
- export SSH_PUBLIC_KEY_FILE=${{ steps.set-ssh-keys.outputs.keys-path }}/id_rsa.pub
- export VM_NAME_BASE=${{ env.VM_NAME_BASE }}
- export RELEASE=${{ inputs.release }}
- export BROKERS=${{ inputs.broker }}
-
- export AUTHD_MSENTRAID_ISSUER_ID=${{ secrets.E2E_MSENTRA_ISSUER_ID }}
- export AUTHD_MSENTRAID_CLIENT_ID=${{ secrets.E2E_MSENTRA_CLIENT_ID }}
- export AUTHD_MSENTRAID_USER=${{ secrets.E2E_MSENTRA_USERNAME }}
-
- export AUTHD_GOOGLE_CLIENT_ID=${{ secrets.E2E_GOOGLE_CLIENT_ID }}
- export AUTHD_GOOGLE_CLIENT_SECRET=${{ secrets.E2E_GOOGLE_CLIENT_SECRET }}
- export AUTHD_GOOGLE_USER=${{ secrets.E2E_GOOGLE_USERNAME }}
- EOF
-
- # Provision the VM
- ${{ env.E2E_TESTS_DIR }}/vm/provision-authd.sh
-
- - name: Checkout YARF repo
- uses: actions/checkout@v6
- with:
- repository: adombeck/yarf
- path: ${{ env.E2E_TESTS_DIR }}/.yarf
-
- - name: Install APT dependencies for running the E2E tests
- run: ${{ env.E2E_TESTS_DIR }}/install-deps.sh
-
- - name: Configure YARF
- run: ${{ env.E2E_TESTS_DIR }}/setup-yarf.sh
-
- - name: Run tests
- id: run-tests
- run: |
- set -eux
- export PATH="$(realpath "${{ env.E2E_TESTS_DIR }}/vm/helpers"):${PATH}"
-
- # Set the credentials for the broker
- if [ "${{ inputs.broker }}" = "authd-msentraid" ]; then
- E2E_USER=${{ secrets.E2E_MSENTRA_USERNAME }}
- E2E_PASSWORD=${{ secrets.E2E_MSENTRA_PASSWORD }}
- TOTP_SECRET=${{ secrets.E2E_MSENTRA_TOTP_SECRET }}
- elif [ "${{ inputs.broker }}" = "authd-google" ]; then
- E2E_USER=${{ secrets.E2E_GOOGLE_USERNAME }}
- E2E_PASSWORD=${{ secrets.E2E_GOOGLE_PASSWORD }}
- TOTP_SECRET=${{ secrets.E2E_GOOGLE_TOTP_SECRET }}
- fi
-
- # Run the tests
- ${{ env.E2E_TESTS_DIR }}/run-tests.sh \
- --user "${E2E_USER}" \
- --password "${E2E_PASSWORD}" \
- --totp-secret "${TOTP_SECRET}" \
- --release "${{ inputs.release }}" \
- --broker "${{ inputs.broker }}" \
- --output-dir "${{ env.OUTPUT_DIR }}"
-
- - name: Upload test results
- id: upload-results
- if: always()
- uses: actions/upload-artifact@v6
- with:
- name: e2e-${{ inputs.broker }}-output-${{ inputs.release }}-${{ github.run_id }}
- path: ${{ env.OUTPUT_DIR }}
diff --git a/.github/workflows/tics-run.yaml b/.github/workflows/tics-run.yaml
deleted file mode 100644
index 221e15b25e..0000000000
--- a/.github/workflows/tics-run.yaml
+++ /dev/null
@@ -1,116 +0,0 @@
-name: TICS QA Analysis
-
-on:
- schedule:
- - cron: '0 0 * * 1' # Runs every Monday at midnight
- workflow_dispatch:
-
-
-env:
- DEBIAN_FRONTEND: noninteractive
- build_dependencies: >-
- clang-tools
- clang
- dotnet8
- libglib2.0-dev
- libpam-dev
- libpwquality-dev
- rustup
-
-jobs:
- tics:
- name: TIOBE TICS Framework
- runs-on: [self-hosted, amd64, tiobe, noble]
- steps:
- - uses: actions/checkout@v6
- - uses: actions/setup-go@v6
- with:
- go-version-file: go.mod
-
- - uses: canonical/desktop-engineering/gh-actions/common/dpkg-install-speedup@main
- - name: Install dependencies
- run: |
- set -eu
-
- sudo apt-get update
- sudo apt-get install -y ${{ env.build_dependencies }}
-
- go install honnef.co/go/tools/cmd/staticcheck@latest
-
- - name: Update Rust version
- run: |
- rustup update stable
-
- - uses: canonical/desktop-engineering/gh-actions/go/generate@main
- with:
- tools-directory: ./tools
-
- - name: Fetch last successful QA runs ids
- env:
- GITHUB_TOKEN: ${{ github.token }}
- run: |
- set -eu
- echo "LAST_AUTHD_QA_ID=$(gh run list --workflow 'authd QA & sanity checks' --limit 1 --status success --json databaseId -b main | jq '.[].databaseId')" >> $GITHUB_ENV
- echo "LAST_BROKERS_QA_ID=$(gh run list --workflow 'Brokers QA & sanity checks' --limit 1 --status success --json databaseId -b main | jq '.[].databaseId')" >> $GITHUB_ENV
-
- - name: Download coverage artifact from authd QA
- uses: actions/download-artifact@v7
- with:
- github-token: ${{ github.token }}
- path: .artifacts/authd
- run-id: ${{ env.LAST_AUTHD_QA_ID }}
-
- - name: Download coverage artifact from brokers QA
- uses: actions/download-artifact@v7
- with:
- github-token: ${{ github.token }}
- path: .artifacts/brokers
- run-id: ${{ env.LAST_BROKERS_QA_ID }}
-
- - name: Merge coverage reports
- run: |
- set -eu
-
- dotnet tool install -g dotnet-reportgenerator-globaltool
-
- export PATH="$PATH:/home/ubuntu/.dotnet/tools"
-
- mv .artifacts/authd/coverage/Cobertura.xml .artifacts/authd-coverage.xml
- mv .artifacts/brokers/Cobertura.xml .artifacts/broker-coverage.xml
-
- # TICS expects the coverage report to:
- # - be in a directory named 'coverage' in the current working directory
- mkdir -p coverage
-
- # - have a single report named coverage.xml
- reportgenerator -reports:.artifacts/*.xml -targetdir:coverage -reporttypes:Cobertura
- mv coverage/Cobertura.xml coverage/coverage.xml
-
- - name: Build artifacts
- run: |
- set -eu
-
- # TICS needs to build the artifacts in order to run the analysis.
- # Since it uses the GOTOOLCHAIN=local stanza, it's better if we prebuild it to make sure that the Go
- # toolchain setup by the action is properly updated to the one we defined in go.mod. Prebuilding also
- # helps to speed up the TICS analysis, as we would already have the build cache populated.
- find pam -name '*.so' -print -delete
- go build ./cmd/authd
- go -C ./authd-oidc-brokers build -o authd-oidc ./cmd/authd-oidc
- go -C ./authd-oidc-brokers build -tags=withgoogle -o authd-google ./cmd/authd-oidc
-
- # We also need to build libhimmelblau when building the msentraid variant
- git submodule update --init
- cd ./authd-oidc-brokers
- go generate --tags=withmsentraid ./internal/providers/msentraid/...
- go build -tags=withmsentraid -o authd-msentraid ./cmd/authd-oidc
-
- - name: TICS Analysis
- uses: tiobe/tics-github-action@v3
- with:
- mode: qserver
- project: authd
- branchdir: .
- viewerUrl: https://canonical.tiobe.com/tiobeweb/TICS/api/cfg?name=GoProjects
- ticsAuthToken: ${{ secrets.TICSAUTHTOKEN }}
- installTics: true
diff --git a/.github/workflows/update-broker-variant-branches.yaml b/.github/workflows/update-broker-variant-branches.yaml
deleted file mode 100644
index bde03f7d8a..0000000000
--- a/.github/workflows/update-broker-variant-branches.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
-name: Auto update broker variant branches
-on:
- push:
- branches:
- - main
- paths:
- - "authd-oidc-brokers/**"
- - "!authd-oidc-brokers/e2e-tests/**"
- - "!authd-oidc-brokers/po/**"
- - "!authd-oidc-brokers/.gitignore"
- - "snap/**"
- workflow_dispatch:
-
-concurrency:
- group: auto-update-broker-variants
- cancel-in-progress: true
-
-permissions:
- pull-requests: write
- contents: write
-
-jobs:
- update-snap-branches:
- name: Update snap branches
- strategy:
- matrix:
- branch_name: ["google","msentraid","oidc"]
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v6
- with:
- fetch-depth: 0
-
- - name: Copy broker variant files
- # We can't symlink the snapcraft.yaml file here because it causes launchpad to fail with:
- # "The top level of snapcraft.yaml from ~ubuntu-enterprise-desktop/authd/+git/authd:oidc is not a mapping"
- run: ./scripts/prepare-broker-variant-files --copy --broker ${{ matrix.branch_name }}
-
- - name: Commit broker variant files
- run: |
- set -eux
- # We have to use --force because we added the broker variant files to .gitignore
- git add --force .
- git config user.name "github-actions[bot]"
- git config user.email "github-actions[bot]@users.noreply.github.com"
- git commit -m "Copy ${{ matrix.branch_name }} variant files"
-
- - name: Push branch
- run: git push --force origin HEAD:${{ matrix.branch_name }}
diff --git a/.github/workflows/validate-dependabot.yaml b/.github/workflows/validate-dependabot.yaml
deleted file mode 100644
index d58c0e89e2..0000000000
--- a/.github/workflows/validate-dependabot.yaml
+++ /dev/null
@@ -1,23 +0,0 @@ -name: dependabot validate - -on: - pull_request: - paths: - - '.github/dependabot.yaml' - -jobs: - validate: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v6 - - uses: marocchino/validate-dependabot@v3 - id: validate - - uses: marocchino/sticky-pull-request-comment@v2 - if: always() - with: - header: validate-dependabot - message: ${{ steps.validate.outputs.markdown }} - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true \ No newline at end of file From af33929bf2c3a056cb333dd44462090ee461e4a3 Mon Sep 17 00:00:00 2001 From: Adrian Dombeck Date: Fri, 6 Feb 2026 01:51:01 +0100 Subject: [PATCH 3/3] WIP: Try removing superfluous file patterns --- debian/copyright | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/debian/copyright b/debian/copyright index d6da4cb2ed..95cb4fa179 100644 --- a/debian/copyright +++ b/debian/copyright @@ -68,18 +68,6 @@ Files: vendor/gopkg.in/yaml.v3/* Copyright: 2011-2019 Canonical Ltd. License: Apache-2.0 -Files: vendor/gopkg.in/yaml.v3/apic.go - vendor/gopkg.in/yaml.v3/emitterc.go - vendor/gopkg.in/yaml.v3/parserc.go - vendor/gopkg.in/yaml.v3/readerc.go - vendor/gopkg.in/yaml.v3/scannerc.go - vendor/gopkg.in/yaml.v3/writerc.go - vendor/gopkg.in/yaml.v3/yamlh.go - vendor/gopkg.in/yaml.v3/yamlprivateh.go -Copyright: 2011-2019 Canonical Ltd. - 2006-2011 Kirill Simonov -License: MIT - Files: vendor/github.com/atotto/clipboard/* Copyright: 2013 Ato Araki. License: BSD-3