Kelvin M. Klann
f2df11ae37
ci: make all main make steps parallel and sync output ( #7162 )
...
Build-extra / build-gcc (push) Has been cancelled
Build-extra / build-clang (push) Has been cancelled
Build / build (push) Has been cancelled
Check-C / scan-build (push) Has been cancelled
Check-C / cppcheck (push) Has been cancelled
Check-C / codeql-cpp (push) Has been cancelled
Check-Profiles / profile-checks (push) Has been cancelled
Codespell / codespell (push) Has been cancelled
Test / test-main (push) Has been cancelled
Test / test-fs (push) Has been cancelled
Test / test-environment (push) Has been cancelled
Test / test-utils (push) Has been cancelled
Test / test-network (push) Has been cancelled
Changes:
* Use `scan-build make` instead of running `scan-build` inside of `make`
(this appears to be necessary for the output synchronization to work)
* Use `-j "$(nproc)"` and `-Orecurse` for the main `make` step in all
jobs (including where this step is currently not parallel)
The main drawback of using parallel make (`-j`) is that the output of
different jobs may be printed interspersed, which makes the output
harder to read and less stable across multiple executions.
Example:
job1: line1
job1: line2
job2: line1
job3: line1
job1: line3
Using `-Orecurse` should fix this by ensuring that the output of all
jobs is still printed sequentially in the order that the jobs were
executed (that is, as if `-j` was not used), even if the jobs themselves
are executed in parallel.
This should ensure that the main `make` step in each job runs its
targets in parallel and has a stable output at the same time, making it
easier to compare the logs of the same job across different CI runs.
Note: The `-O` flag is specific to GNU make and was added in version 4.0
(2013-10-09).
Related commits:
* 500d8f2d6#5960
* 1f6400bd8#6222
2026-05-11 14:33:36 +00:00
dependabot[bot]
b97fc172c2
build(deps): bump step-security/harden-runner from 2.16.1 to 2.19.0
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.16.1 to 2.19.0.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](fe10465874...8d3c67de8e
2026-05-01 12:09:35 +00:00
dependabot[bot]
4b9779f741
build(deps): bump github/codeql-action from 4.35.1 to 4.35.2
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 4.35.1 to 4.35.2.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](c10b8064de...95e58e9a2c
2026-05-01 12:08:31 +00:00
For compliance reasons, we're required
e07510100f
build: remove unused install.sh ( #7124 )
...
install.sh was used for AC_PROG_INSTALL, which was removed in
4421517c55#5133 )
From the manual of GNU Autoconf (version 2.73):
> Autoconf comes with a copy of ‘install-sh’ that you can use. If
> you use ‘AC_PROG_INSTALL’, you must include ‘install-sh’ in your
> distribution; otherwise ‘autoreconf’ and ‘configure’ will produce
> an error message saying they can’t find it—even if the system
> you’re on has a good ‘install’ program. This check is a safety
> measure to prevent you from accidentally leaving that file out,
> which would prevent your package from installing on systems that
> don’t have a BSD-compatible ‘install’ program.
If install-sh wasn't found, configure would check for install.sh in
srcdir. install.sh is a placeholder that does nothing, without it
configure would abort.
2026-04-02 11:55:42 +00:00
dependabot[bot]
ca88d166da
build(deps): bump step-security/harden-runner from 2.15.0 to 2.16.1
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.15.0 to 2.16.1.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](a90bcbc653...fe10465874
2026-04-01 15:46:56 +00:00
dependabot[bot]
21d5bd728f
build(deps): bump github/codeql-action from 4.32.4 to 4.35.1
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 4.32.4 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](89a39a4e59...c10b8064de
2026-04-01 15:46:38 +00:00
dependabot[bot]
39b4fa7149
build(deps): bump github/codeql-action from 4.32.0 to 4.32.4
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 4.32.0 to 4.32.4.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](b20883b0cd...89a39a4e59
2026-03-01 13:44:43 +00:00
dependabot[bot]
a5e5cf2485
build(deps): bump step-security/harden-runner from 2.14.1 to 2.15.0
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.14.1 to 2.15.0.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](e3f713f2d8...a90bcbc653
2026-03-01 13:43:35 +00:00
dependabot[bot]
e7844285f8
build(deps): bump actions/checkout from 6.0.1 to 6.0.2
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 6.0.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](8e8c483db8...de0fac2e45
2026-02-01 19:26:27 +00:00
dependabot[bot]
6cd5b9e62c
build(deps): bump step-security/harden-runner from 2.14.0 to 2.14.1
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.14.0 to 2.14.1.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](20cf305ff2...e3f713f2d8
2026-02-01 19:26:09 +00:00
dependabot[bot]
44fb777308
build(deps): bump github/codeql-action from 4.31.9 to 4.32.0
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 4.31.9 to 4.32.0.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](5d4e8d1aca...b20883b0cd
2026-02-01 19:25:57 +00:00
netblue30
de15fa0c7c
adding make test-filters to ci
2026-01-19 20:34:27 -05:00
netblue30
e6b240b3fa
remove make test-sysutlis
2026-01-16 13:16:34 -05:00
netblue30
7136c6697c
make test-fnettrace
2026-01-15 08:03:50 -05:00
netblue30
b6752fc57f
--profile=FILE rework ( #6896 ) - fix make test-profiles
2026-01-05 13:03:44 -05:00
dependabot[bot]
7131f4c5ea
build(deps): bump actions/checkout from 6.0.0 to 6.0.1
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 6.0.0 to 6.0.1.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](1af3b93b68...8e8c483db8
2026-01-01 13:21:52 +00:00
dependabot[bot]
e2d6a1b5f0
build(deps): bump step-security/harden-runner from 2.13.2 to 2.14.0
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.13.2 to 2.14.0.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](95d9a5deda...20cf305ff2
2026-01-01 13:16:49 +00:00
dependabot[bot]
f47084ee46
build(deps): bump github/codeql-action from 4.31.5 to 4.31.9
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 4.31.5 to 4.31.9.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](fdbfb4d275...5d4e8d1aca
2026-01-01 13:16:40 +00:00
Kelvin M. Klann
4fa7a64f18
build: add sort-profiles target for sort.py
...
And use it in CI.
Note: The target currently always runs sort.py for all profiles.
Before:
$ ./ci/check/profiles/sort.py etc/inc/*.inc etc/profile*/*.profile
After:
$ make sort-profiles
2025-12-28 19:15:34 -03:00
Kelvin M. Klann
f9769ecbde
build: use simpler shell wildcards for profiles
2025-12-28 18:27:55 -03:00
Kelvin M. Klann
d692ddea70
ci: codeql-cpp: print config.log if configure fails ( #7003 )
...
For consistency with the other `./configure` invocations.
This amends commit 500d8f2d6#5960 .
See also commit dc826cba3#5857 .
2025-12-28 21:27:04 +00:00
dependabot[bot]
599960144d
build(deps): bump step-security/harden-runner from 2.13.1 to 2.13.2
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.13.1 to 2.13.2.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](f4a75cfd61...95d9a5deda
2025-12-01 16:13:03 +00:00
dependabot[bot]
48035653de
build(deps): bump github/codeql-action from 4.31.2 to 4.31.5
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 4.31.2 to 4.31.5.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](0499de31b9...fdbfb4d275
2025-12-01 16:12:55 +00:00
dependabot[bot]
2891fc6956
build(deps): bump actions/checkout from 5.0.0 to 6.0.0
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 5.0.0 to 6.0.0.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](08c6903cd8...1af3b93b68
2025-12-01 16:12:45 +00:00
dependabot[bot]
f0b8d485b4
build(deps): bump github/codeql-action from 3.30.5 to 4.31.2
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 3.30.5 to 4.31.2.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](3599b3baa1...0499de31b9
2025-11-01 10:52:22 +00:00
dependabot[bot]
f6b666d9d5
build(deps): bump step-security/harden-runner from 2.13.0 to 2.13.1
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.13.0 to 2.13.1.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](ec9f2d5744...f4a75cfd61
2025-10-01 22:48:14 +00:00
dependabot[bot]
fc2ffe73d7
build(deps): bump github/codeql-action from 3.29.11 to 3.30.5
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 3.29.11 to 3.30.5.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](3c3833e0f8...3599b3baa1
2025-10-01 22:43:00 +00:00
dependabot[bot]
d3e5ef823a
build(deps): bump github/codeql-action from 3.29.7 to 3.29.11
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 3.29.7 to 3.29.11.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](51f77329af...3c3833e0f8
2025-09-04 11:34:21 +00:00
dependabot[bot]
b67b2db74e
build(deps): bump actions/checkout from 4.2.2 to 5.0.0
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 4.2.2 to 5.0.0.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](11bd71901b...08c6903cd8
2025-09-04 11:33:37 +00:00
netblue30
062f5d871e
Merge pull request #6873 from kmk3/ci-codespell-ubuntu-2404
...
ci: codespell: upgrade ubuntu-22.04 to ubuntu-24.04
2025-08-20 06:55:59 -04:00
Kelvin M. Klann
ebb368780d
ci: cppcheck: upgrade ubuntu-22.04 to ubuntu-24.04
...
Relevant software changes:
* cppcheck 2.7 -> 2.13
This is a follow-up to #6873 .
See also [1] and [2].
Fixes CI breakage in #6856[3]:
$ cppcheck --version
Cppcheck 2.7
$ make cppcheck
cppcheck -q -j '4' --force --error-exitcode=1 --enable=warning,performance \
--max-ctu-depth=40 \
-i src/firejail/checkcfg.c \
-i src/firejail/main.c \
-i src/lib/syscall.c \
.
src/firemon/procevent.c:306:6: error: syntax error [syntaxError]
debug_prctl("event fork\n");
^
make: *** [Makefile:379: cppcheck] Error 1
[1] https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2204-Readme.md
[2] https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2404-Readme.md
[3] https://github.com/netblue30/firejail/actions/runs/17047583642/job/48327251189
2025-08-20 07:18:17 -03:00
Kelvin M. Klann
d145db7522
ci: codespell: upgrade ubuntu-22.04 to ubuntu-24.04
...
Relevant software changes:
* codespell 2.1.0 -> 2.2.6
See also [1] and [2].
[1] https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2204-Readme.md
[2] https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2404-Readme.md
2025-08-20 07:02:54 -03:00
Kelvin M. Klann
dbf4b9a22b
ci: drop apt dependencies from main build
...
Disable apparmor/selinux and use the default compiler version (currently
gcc 11.4.0-1ubuntu1~22.04).
Note that these configuration options are are still enabled in the
`build-gcc` job, so the code coverage should remain unaffected.
This allows dropping the apt-get update/install commands, which can take
a significant amount of time (sometimes even most of the job runtime),
depending on the state of the CI infrastructure.
For a relatively recent example of this, see the build of commit
a31f74165#6806 )", 2025-07-10) [1]:
* `apt-get update`: 12s
* `apt-get install`: 64s
* `make`: 40s
When comparing master (8bccd686fhttps://github.com/netblue30/firejail/actions/runs/16141617993/job/45550207173
[2] https://github.com/netblue30/firejail/actions/runs/17019049268/job/48245518988
[3] https://github.com/netblue30/firejail/actions/runs/17019049268/job/48245547046
[4] https://github.com/netblue30/firejail/actions/runs/17019049268/job/48245579009
[5] https://github.com/netblue30/firejail/actions/runs/17019030502/job/48245478097
[6] https://github.com/netblue30/firejail/actions/runs/17019030502/job/48245617867
[7] https://github.com/netblue30/firejail/actions/runs/17019030502/job/48245626724
2025-08-18 05:00:36 -03:00
Kelvin M. Klann
47811cb6da
ci: run main build in parallel
...
To make it faster.
See also commit 500d8f2d6#5960 .
2025-08-18 05:00:36 -03:00
Kelvin M. Klann
0d2b949a85
ci: copy build to build-gcc & remove --enable-analyzer
...
Changes:
* Copy the `build` job from build.yml to `build-gcc` in build-extra.yml
* Remove `--enable-analyzer` in the main build
`-fanalyzer` increases the chance of false positives (compared to using
just the normal warning flags), so leave it just in build-extra to make
it clearer why the main build fails (that is, build errors, normal
warnings or analyzer warnings).
2025-08-18 05:00:36 -03:00
Kelvin M. Klann
8bccd686fd
ci: standardize "apt-get install" step name ( #6862 )
...
For consistency and simplicity, name the `apt-get install` step just
"install dependencies" in all jobs.
Affected jobs:
* check-c.yml: scan-build
* check-c.yml: cppcheck
Related commits:
* 94e2ce275#3651 )", 2020-10-01)
* 0fa11826b
2025-08-16 13:47:34 +00:00
dependabot[bot]
ada8475dc9
build(deps): bump github/codeql-action from 3.29.2 to 3.29.5
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 3.29.2 to 3.29.5.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](181d5eefc2...51f77329af
2025-08-01 08:09:17 +00:00
dependabot[bot]
8120e87d48
build(deps): bump step-security/harden-runner from 2.12.2 to 2.13.0
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.12.2 to 2.13.0.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](6c439dc8bd...ec9f2d5744
2025-08-01 08:09:01 +00:00
Kelvin M. Klann
ab605f26e2
ci: allow new github domain for codeql download ( #6845 )
...
The `codeql-cpp` CI job for #6844 is failing[1]:
##[group]Setup CodeQL tools
[...]
Did not find CodeQL tools version 2.22.2 in the toolcache.
Using CodeQL CLI version 2.22.2 sourced from https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.22.2/codeql-bundle-linux64.tar.zst .
Downloading CodeQL tools from https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.22.2/codeql-bundle-linux64.tar.zst . This may take a while.
Streaming the extraction of the CodeQL bundle.
node:events:502
throw er; // Unhandled 'error' event
^
Error: connect ECONNREFUSED 54.185.253.63:443
at TCPConnectWrap.afterConnect [as oncomplete] (node:net:1611:16)
[...]
errno: -111,
code: 'ECONNREFUSED',
syscall: 'connect',
address: '54.185.253.63',
port: 443
}
Node.js v20.19.3
Post job cleanup.
[...]
Allow `release-assets.githubusercontent.com:443`, which is what the
download link above resolves to.
[1] https://github.com/netblue30/firejail/actions/runs/16638865345/job/47085091964
2025-07-31 05:22:52 +00:00
dependabot[bot]
4505abf1b8
build(deps): bump step-security/harden-runner from 2.12.0 to 2.12.2
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.12.0 to 2.12.2.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](0634a2670c...6c439dc8bd
2025-07-07 18:52:03 +00:00
dependabot[bot]
9bc9b8af4e
build(deps): bump github/codeql-action from 3.28.18 to 3.29.2
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 3.28.18 to 3.29.2.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](ff0a06e83c...181d5eefc2
2025-07-01 12:53:01 +00:00
dependabot[bot]
8fb210bb7c
build(deps): bump github/codeql-action from 3.28.16 to 3.28.18
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 3.28.16 to 3.28.18.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](28deaeda66...ff0a06e83c
2025-06-01 20:37:57 +00:00
dependabot[bot]
2f1b51ab35
build(deps): bump step-security/harden-runner from 2.11.0 to 2.12.0
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.11.0 to 2.12.0.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](4d991eb9b9...0634a2670c
2025-05-02 07:56:13 +00:00
dependabot[bot]
c95f036476
build(deps): bump github/codeql-action from 3.28.13 to 3.28.16
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 3.28.13 to 3.28.16.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](1b549b9259...28deaeda66
2025-05-02 07:56:04 +00:00
dependabot[bot]
c66588df8a
build(deps): bump github/codeql-action from 3.28.10 to 3.28.13
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 3.28.10 to 3.28.13.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](b56ba49b26...1b549b9259
2025-04-01 16:03:11 +00:00
Kelvin M. Klann
e98395b9aa
build: remove cppcheck-old target/job ( #6676 )
...
To avoid CI failures.
From the first run of `cppcheck_old` on commit 8f69e9841#6674 )", 2025-03-04)
[1]:
> This is a scheduled Ubuntu 20.04 brownout. Ubuntu 20.04 LTS runner
> will be removed on 2025-04-01. For more details, see
> https://github.com/actions/runner-images/issues/11101
The target depends on the cppcheck version from Ubuntu 20.04 in order to
work properly and this distribution will become EOL next month (April
2025), so just remove the target.
Added on commit 53f0b3950https://github.com/netblue30/firejail/actions/runs/13658953453/job/38185280665
2025-03-07 03:54:19 +00:00
dependabot[bot]
0bb0c808a2
build(deps): bump github/codeql-action from 3.28.8 to 3.28.10
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 3.28.8 to 3.28.10.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](dd746615b3...b56ba49b26
2025-03-01 13:24:41 +00:00
dependabot[bot]
c7b7478ad3
build(deps): bump step-security/harden-runner from 2.10.4 to 2.11.0
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.10.4 to 2.11.0.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](cb605e52c2...4d991eb9b9
2025-03-01 13:24:28 +00:00
dependabot[bot]
5a6e52d936
build(deps): bump step-security/harden-runner from 2.10.2 to 2.10.4
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.10.2 to 2.10.4.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](0080882f6c...cb605e52c2
2025-02-01 14:26:08 +00:00
dependabot[bot]
d009b83d5a
build(deps): bump github/codeql-action from 3.28.0 to 3.28.8
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 3.28.0 to 3.28.8.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](48ab28a6f5...dd746615b3
2025-02-01 14:26:01 +00:00
