Commit graph

352 commits

Author SHA1 Message Date
Kelvin M. Klann
f2df11ae37
ci: make all main make steps parallel and sync output (#7162)
Changes:

* Use `scan-build make` instead of running `scan-build` inside of `make`
  (this appears to be necessary for the output synchronization to work)
* Use `-j "$(nproc)"` and `-Orecurse` for the main `make` step in all
  jobs (including where this step is currently not parallel)

The main drawback of using parallel make (`-j`) is that the output of
different jobs may be printed interspersed, which makes the output
harder to read and less stable across multiple executions.

Example:

    job1: line1
    job1: line2
    job2: line1
    job3: line1
    job1: line3

Using `-Orecurse` should fix this by ensuring that the output of all
jobs is still printed sequentially in the order that the jobs were
executed (that is, as if `-j` was not used), even if the jobs themselves
are executed in parallel.

This should ensure that the main `make` step in each job runs its
targets in parallel and has a stable output at the same time, making it
easier to compare the logs of the same job across different CI runs.

Note: The `-O` flag is specific to GNU make and was added in version 4.0
(2013-10-09).

Related commits:

* 500d8f2d6 ("ci: run make in parallel where applicable", 2023-08-14) /
  PR #5960
* 1f6400bd8 ("build: sync scan-build target with CI", 2024-02-24) /
  PR #6222
2026-05-11 14:33:36 +00:00
dependabot[bot]
b97fc172c2 build(deps): bump step-security/harden-runner from 2.16.1 to 2.19.0
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.16.1 to 2.19.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](fe10465874...8d3c67de8e)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.19.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-05-01 12:09:35 +00:00
dependabot[bot]
4b9779f741 build(deps): bump github/codeql-action from 4.35.1 to 4.35.2
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.35.1 to 4.35.2.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](c10b8064de...95e58e9a2c)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-05-01 12:08:31 +00:00
For compliance reasons, we're required
e07510100f
build: remove unused install.sh (#7124)
install.sh was used for AC_PROG_INSTALL, which was removed in
4421517c55 (corresponding PR #5133)

From the manual of GNU Autoconf (version 2.73):

>     Autoconf comes with a copy of ‘install-sh’ that you can use.  If
>     you use ‘AC_PROG_INSTALL’, you must include ‘install-sh’ in your
>     distribution; otherwise ‘autoreconf’ and ‘configure’ will produce
>     an error message saying they can’t find it—even if the system
>     you’re on has a good ‘install’ program.  This check is a safety
>     measure to prevent you from accidentally leaving that file out,
>     which would prevent your package from installing on systems that
>     don’t have a BSD-compatible ‘install’ program.

If install-sh wasn't found, configure would check for install.sh in
srcdir. install.sh is a placeholder that does nothing; without it,
configure would abort.
2026-04-02 11:55:42 +00:00
dependabot[bot]
ca88d166da build(deps): bump step-security/harden-runner from 2.15.0 to 2.16.1
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.15.0 to 2.16.1.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](a90bcbc653...fe10465874)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.16.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-01 15:46:56 +00:00
dependabot[bot]
21d5bd728f build(deps): bump github/codeql-action from 4.32.4 to 4.35.1
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.32.4 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](89a39a4e59...c10b8064de)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-01 15:46:38 +00:00
Kelvin M. Klann
811e0fb0a0 docs: update supported version to 0.9.80
Relates to #7016.
2026-03-15 03:06:35 -03:00
dependabot[bot]
39b4fa7149 build(deps): bump github/codeql-action from 4.32.0 to 4.32.4
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.32.0 to 4.32.4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](b20883b0cd...89a39a4e59)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.32.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-03-01 13:44:43 +00:00
dependabot[bot]
a5e5cf2485 build(deps): bump step-security/harden-runner from 2.14.1 to 2.15.0
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.14.1 to 2.15.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](e3f713f2d8...a90bcbc653)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.15.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-03-01 13:43:35 +00:00
dependabot[bot]
e7844285f8 build(deps): bump actions/checkout from 6.0.1 to 6.0.2
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](8e8c483db8...de0fac2e45)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-01 19:26:27 +00:00
dependabot[bot]
6cd5b9e62c build(deps): bump step-security/harden-runner from 2.14.0 to 2.14.1
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.14.0 to 2.14.1.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](20cf305ff2...e3f713f2d8)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.14.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-01 19:26:09 +00:00
dependabot[bot]
44fb777308 build(deps): bump github/codeql-action from 4.31.9 to 4.32.0
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.9 to 4.32.0.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](5d4e8d1aca...b20883b0cd)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.32.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-01 19:25:57 +00:00
netblue30
de15fa0c7c adding make test-filters to ci 2026-01-19 20:34:27 -05:00
netblue30
e6b240b3fa remove make test-sysutils 2026-01-16 13:16:34 -05:00
netblue30
7136c6697c make test-fnettrace 2026-01-15 08:03:50 -05:00
netblue30
b6752fc57f --profile=FILE rework (#6896) - fix make test-profiles 2026-01-05 13:03:44 -05:00
Kelvin M. Klann
e02d8f0058 docs: update supported version to 0.9.78
Relates to #6965.
2026-01-03 00:52:56 -03:00
dependabot[bot]
7131f4c5ea build(deps): bump actions/checkout from 6.0.0 to 6.0.1
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.0 to 6.0.1.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](1af3b93b68...8e8c483db8)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-01-01 13:21:52 +00:00
dependabot[bot]
e2d6a1b5f0 build(deps): bump step-security/harden-runner from 2.13.2 to 2.14.0
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.13.2 to 2.14.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](95d9a5deda...20cf305ff2)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.14.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-01-01 13:16:49 +00:00
dependabot[bot]
f47084ee46 build(deps): bump github/codeql-action from 4.31.5 to 4.31.9
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.5 to 4.31.9.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](fdbfb4d275...5d4e8d1aca)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.31.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-01-01 13:16:40 +00:00
Kelvin M. Klann
4fa7a64f18 build: add sort-profiles target for sort.py
And use it in CI.

Note: The target currently always runs sort.py for all profiles.

Before:

    $ ./ci/check/profiles/sort.py etc/inc/*.inc etc/profile*/*.profile

After:

    $ make sort-profiles
2025-12-28 19:15:34 -03:00
Kelvin M. Klann
f9769ecbde build: use simpler shell wildcards for profiles 2025-12-28 18:27:55 -03:00
Kelvin M. Klann
d692ddea70
ci: codeql-cpp: print config.log if configure fails (#7003)
For consistency with the other `./configure` invocations.

This amends commit 500d8f2d6 ("ci: run make in parallel where
applicable", 2023-08-14) / PR #5960.

See also commit dc826cba3 ("ci: print config.log if configure fails",
2023-05-05) / PR #5857.
2025-12-28 21:27:04 +00:00
Kelvin M. Klann
e92d25656a docs: github: specify the supported version directly
Bug reports were opened by multiple users with the item checked even
when using version 0.9.74 or earlier.

So be explicit and write "0.9.76 or later" in the item, which should
help clarify that earlier versions are not supported.

This amends commit be065d130 ("docs: clarify that only latest and dev
versions are supported (#6965)", 2025-11-15).
2025-12-15 09:59:24 -03:00
dependabot[bot]
599960144d build(deps): bump step-security/harden-runner from 2.13.1 to 2.13.2
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.13.1 to 2.13.2.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](f4a75cfd61...95d9a5deda)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.13.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-01 16:13:03 +00:00
dependabot[bot]
48035653de build(deps): bump github/codeql-action from 4.31.2 to 4.31.5
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.2 to 4.31.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](0499de31b9...fdbfb4d275)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.31.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-01 16:12:55 +00:00
dependabot[bot]
2891fc6956 build(deps): bump actions/checkout from 5.0.0 to 6.0.0
Bumps [actions/checkout](https://github.com/actions/checkout) from 5.0.0 to 6.0.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](08c6903cd8...1af3b93b68)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-01 16:12:45 +00:00
Kelvin M. Klann
491b46cfa3
docs: always use full path to program in examples (#6963)
And add it to the bug report template checklist.

To avoid potential issues due to firejail-in-firejail.

Commands used to search and replace:

    perl -pi -e '
      s/(firejail)( .*)? (blobby|dig|firefox|galculator|gedit|gimp|handbrake|icecat|iceweasel|mc|openbox|transmission|vlc|warzone2100|wget|xed|xterm)/$1$2 \/usr\/bin\/$3/;
    ' README.md src/firejail/usage.c src/man/*.in
    perl -pi -e 's/^\s*(firefox \\?-)/\/usr\/bin\/$1/' \
      src/man/firejail.1.in

Note: Some parts were edited manually.

Note: Most tests still use the program basename.

Relates to #2877.
2025-11-16 08:39:05 +00:00
Kelvin M. Klann
be065d1301
docs: clarify that only latest and dev versions are supported (#6965)
To avoid wasting time due to (for example):

* Bugs that were already fixed
* Old versions with different/missing verbosity in the output
* Behavior that only affects (or differs in) old versions
* Copying and pasting profile lines which contain commands that are
  unsupported in old versions (or that depend on other changes to
  profiles in the current version)

This is a follow-up to #6964.
2025-11-15 04:53:08 +00:00
dependabot[bot]
f0b8d485b4 build(deps): bump github/codeql-action from 3.30.5 to 4.31.2
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.30.5 to 4.31.2.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](3599b3baa1...0499de31b9)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.31.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-01 10:52:22 +00:00
dependabot[bot]
f6b666d9d5 build(deps): bump step-security/harden-runner from 2.13.0 to 2.13.1
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.13.0 to 2.13.1.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](ec9f2d5744...f4a75cfd61)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.13.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-10-01 22:48:14 +00:00
dependabot[bot]
fc2ffe73d7 build(deps): bump github/codeql-action from 3.29.11 to 3.30.5
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.29.11 to 3.30.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](3c3833e0f8...3599b3baa1)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 3.30.5
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-10-01 22:43:00 +00:00
dependabot[bot]
d3e5ef823a build(deps): bump github/codeql-action from 3.29.7 to 3.29.11
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.29.7 to 3.29.11.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](51f77329af...3c3833e0f8)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 3.29.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-09-04 11:34:21 +00:00
dependabot[bot]
b67b2db74e build(deps): bump actions/checkout from 4.2.2 to 5.0.0
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.2 to 5.0.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](11bd71901b...08c6903cd8)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-09-04 11:33:37 +00:00
netblue30
062f5d871e
Merge pull request #6873 from kmk3/ci-codespell-ubuntu-2404
ci: codespell: upgrade ubuntu-22.04 to ubuntu-24.04
2025-08-20 06:55:59 -04:00
Kelvin M. Klann
ebb368780d ci: cppcheck: upgrade ubuntu-22.04 to ubuntu-24.04
Relevant software changes:

* cppcheck 2.7 -> 2.13

This is a follow-up to #6873.

See also [1] and [2].

Fixes CI breakage in #6856[3]:

    $ cppcheck --version
    Cppcheck 2.7
    $ make cppcheck
    cppcheck -q -j '4' --force --error-exitcode=1 --enable=warning,performance \
      --max-ctu-depth=40 \
      -i src/firejail/checkcfg.c \
      -i src/firejail/main.c \
      -i src/lib/syscall.c \
      .
    src/firemon/procevent.c:306:6: error: syntax error [syntaxError]
         debug_prctl("event fork\n");
         ^
    make: *** [Makefile:379: cppcheck] Error 1

[1] https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2204-Readme.md
[2] https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2404-Readme.md
[3] https://github.com/netblue30/firejail/actions/runs/17047583642/job/48327251189
2025-08-20 07:18:17 -03:00
Kelvin M. Klann
d145db7522 ci: codespell: upgrade ubuntu-22.04 to ubuntu-24.04
Relevant software changes:

* codespell 2.1.0 -> 2.2.6

See also [1] and [2].

[1] https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2204-Readme.md
[2] https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2404-Readme.md
2025-08-20 07:02:54 -03:00
Kelvin M. Klann
dbf4b9a22b ci: drop apt dependencies from main build
Disable apparmor/selinux and use the default compiler version (currently
gcc 11.4.0-1ubuntu1~22.04).

Note that these configuration options are still enabled in the
`build-gcc` job, so the code coverage should remain unaffected.

This allows dropping the apt-get update/install commands, which can take
a significant amount of time (sometimes even most of the job runtime),
depending on the state of the CI infrastructure.

For a relatively recent example of this, see the build of commit
a31f74165 ("bugfix: fix "Not enforcing Landlock" message always being
printed (#6806)", 2025-07-10) [1]:

* `apt-get update`: 12s
* `apt-get install`: 64s
* `make`: 40s

When comparing master (8bccd686f) [2] [3] [4] to this commit [5] [6] [7]
using 3 consecutive builds each, the average build time goes down from
77s to 21s (a ~72% reduction), making the CI feedback much quicker,
which is especially helpful when iterating on a branch in general and
when trying to debug CI build failures.

[1] https://github.com/netblue30/firejail/actions/runs/16141617993/job/45550207173
[2] https://github.com/netblue30/firejail/actions/runs/17019049268/job/48245518988
[3] https://github.com/netblue30/firejail/actions/runs/17019049268/job/48245547046
[4] https://github.com/netblue30/firejail/actions/runs/17019049268/job/48245579009
[5] https://github.com/netblue30/firejail/actions/runs/17019030502/job/48245478097
[6] https://github.com/netblue30/firejail/actions/runs/17019030502/job/48245617867
[7] https://github.com/netblue30/firejail/actions/runs/17019030502/job/48245626724
2025-08-18 05:00:36 -03:00
Kelvin M. Klann
47811cb6da ci: run main build in parallel
To make it faster.

See also commit 500d8f2d6 ("ci: run make in parallel where applicable",
2023-08-14) / PR #5960.
2025-08-18 05:00:36 -03:00
Kelvin M. Klann
0d2b949a85 ci: copy build to build-gcc & remove --enable-analyzer
Changes:

* Copy the `build` job from build.yml to `build-gcc` in build-extra.yml
* Remove `--enable-analyzer` in the main build

`-fanalyzer` increases the chance of false positives (compared to using
just the normal warning flags), so leave it just in build-extra to make
it clearer why the main build fails (that is, build errors, normal
warnings or analyzer warnings).
2025-08-18 05:00:36 -03:00
Kelvin M. Klann
8bccd686fd
ci: standardize "apt-get install" step name (#6862)
For consistency and simplicity, name the `apt-get install` step just
"install dependencies" in all jobs.

Affected jobs:

* check-c.yml: scan-build
* check-c.yml: cppcheck

Related commits:

* 94e2ce275 ("Create build.yml (#3651)", 2020-10-01)
* 0fa11826b ("build: test build with apparmor and selinux in CI",
  2020-10-01)
2025-08-16 13:47:34 +00:00
Kelvin M. Klann
c902890cd1
docs: github: clarify how to attach logs (#6858)
Link to the GitHub docs for attaching a file[1].

This should be more straightforward in most cases and would avoid
polluting the user profile with gists unnecessarily (which might get in
the way of using/managing other gists), especially over time when
dealing with many projects/issues/comments.

Keep the gist as a fallback option just in case the file attachment
feature randomly gets broken for an extended period of time, as the
GitHub web UI overall keeps getting slower and jankier over time.

Note: It seems that in both cases (attachment/gist), the file size limit
in the web UI is 25MB[2].

Relates to #5398.

Misc: This was noticed on #5611.

[1] https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/attaching-files
[2] https://docs.github.com/en/repositories/working-with-files/managing-large-files/about-large-files-on-github#file-size-limits
2025-08-16 11:42:58 +00:00
dependabot[bot]
ada8475dc9 build(deps): bump github/codeql-action from 3.29.2 to 3.29.5
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.29.2 to 3.29.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](181d5eefc2...51f77329af)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 3.29.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-08-01 08:09:17 +00:00
dependabot[bot]
8120e87d48 build(deps): bump step-security/harden-runner from 2.12.2 to 2.13.0
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.12.2 to 2.13.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](6c439dc8bd...ec9f2d5744)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-08-01 08:09:01 +00:00
Kelvin M. Klann
ab605f26e2
ci: allow new github domain for codeql download (#6845)
The `codeql-cpp` CI job for #6844 is failing[1]:

    ##[group]Setup CodeQL tools
    [...]
    Did not find CodeQL tools version 2.22.2 in the toolcache.
    Using CodeQL CLI version 2.22.2 sourced from https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.22.2/codeql-bundle-linux64.tar.zst .
    Downloading CodeQL tools from https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.22.2/codeql-bundle-linux64.tar.zst . This may take a while.
    Streaming the extraction of the CodeQL bundle.
    node:events:502
          throw er; // Unhandled 'error' event
          ^

    Error: connect ECONNREFUSED 54.185.253.63:443
        at TCPConnectWrap.afterConnect [as oncomplete] (node:net:1611:16)
    [...]
      errno: -111,
      code: 'ECONNREFUSED',
      syscall: 'connect',
      address: '54.185.253.63',
      port: 443
    }

    Node.js v20.19.3
    Post job cleanup.
    [...]

Allow `release-assets.githubusercontent.com:443`, which is what the
download link above resolves to.

[1] https://github.com/netblue30/firejail/actions/runs/16638865345/job/47085091964
2025-07-31 05:22:52 +00:00
dependabot[bot]
4505abf1b8 build(deps): bump step-security/harden-runner from 2.12.0 to 2.12.2
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.12.0 to 2.12.2.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](0634a2670c...6c439dc8bd)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.12.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-07 18:52:03 +00:00
dependabot[bot]
9bc9b8af4e build(deps): bump github/codeql-action from 3.28.18 to 3.29.2
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.28.18 to 3.29.2.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](ff0a06e83c...181d5eefc2)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 3.29.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-01 12:53:01 +00:00
dependabot[bot]
8fb210bb7c build(deps): bump github/codeql-action from 3.28.16 to 3.28.18
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.28.16 to 3.28.18.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](28deaeda66...ff0a06e83c)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 3.28.18
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-01 20:37:57 +00:00
dependabot[bot]
2f1b51ab35 build(deps): bump step-security/harden-runner from 2.11.0 to 2.12.0
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.11.0 to 2.12.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](4d991eb9b9...0634a2670c)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.12.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-05-02 07:56:13 +00:00
dependabot[bot]
c95f036476 build(deps): bump github/codeql-action from 3.28.13 to 3.28.16
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.28.13 to 3.28.16.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](1b549b9259...28deaeda66)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 3.28.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-05-02 07:56:04 +00:00