dependabot[bot]
62773e758a
build(deps): bump github/codeql-action from 2.22.3 to 2.22.4
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.22.3 to 2.22.4.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](0116bc2df5...49abf0ba24
2023-10-23 16:47:44 +00:00
dependabot[bot]
c4b0d88fad
build(deps): bump actions/checkout from 4.1.0 to 4.1.1
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 4.1.0 to 4.1.1.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](8ade135a41...b4ffde65f4
2023-10-23 16:46:42 +00:00
dependabot[bot]
3f641c04a1
build(deps): bump github/codeql-action from 2.22.0 to 2.22.3
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.22.0 to 2.22.3.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](2cb752a87e...0116bc2df5
2023-10-16 12:56:08 +00:00
dependabot[bot]
16edbd8268
build(deps): bump github/codeql-action from 2.21.9 to 2.22.0
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.21.9 to 2.22.0.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](ddccb87388...2cb752a87e
2023-10-09 08:08:13 +00:00
dependabot[bot]
202a079115
build(deps): bump step-security/harden-runner from 2.5.1 to 2.6.0
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.5.1 to 2.6.0.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](8ca2b8b2ec...1b05615854
2023-10-09 08:07:54 +00:00
netblue30
0617a70f4d
Merge pull request #6026 from kmk3/ci-allow-manual-run
...
ci: allow running workflows manually
2023-10-05 09:05:10 -04:00
dependabot[bot]
f3fc98499f
build(deps): bump github/codeql-action from 2.21.8 to 2.21.9
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.21.8 to 2.21.9.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](6a28655e3d...ddccb87388
2023-10-02 16:22:06 +00:00
Kelvin M. Klann
e796ba1349
ci: allow running workflows manually
...
Add `on.workflow_dispatch`.
See:
* https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onworkflow_dispatch
* https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_dispatch
2023-09-26 12:24:14 -03:00
dependabot[bot]
91533c4394
build(deps): bump github/codeql-action from 2.21.7 to 2.21.8
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.21.7 to 2.21.8.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](04daf014b5...6a28655e3d
2023-09-25 17:22:34 +00:00
dependabot[bot]
bfacd86527
build(deps): bump actions/checkout from 4.0.0 to 4.1.0
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 4.0.0 to 4.1.0.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](3df4ab11eb...8ade135a41
2023-09-25 17:22:23 +00:00
dependabot[bot]
8a82e400e8
build(deps): bump github/codeql-action from 2.21.5 to 2.21.7
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.21.5 to 2.21.7.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](00e563ead9...04daf014b5
2023-09-18 13:29:44 +00:00
dependabot[bot]
8caf747ab8
build(deps): bump actions/checkout from 3.6.0 to 4.0.0
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 3.6.0 to 4.0.0.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](f43a0e5ff2...3df4ab11eb
2023-09-11 17:48:10 +00:00
Kelvin M. Klann
0cc56a71a5
ci: fix dependabot duplicated workflow runs
...
Every workflow is being executed twice for dependabot: Once when its
branch is pushed to this repository and again when a PR is opened for
it.
For example, see the checks in #5979 ("29 checks passed").
This happens because both `on.push` and `on.pull_request` are specified
in the workflow files.
There does not seem to be a simple and generic way to avoid such
duplicated runs directly in GitHub Actions (such as preventing the same
check from running for the same exact commit)[1], so just ignore the
dependabot branches on push for now.
See also and commit 5871b08a4#5815 .
[1] https://github.com/orgs/community/discussions/26276
2023-08-28 20:47:35 -03:00
dependabot[bot]
f235c8f6c7
build(deps): bump actions/checkout from 3.5.3 to 3.6.0
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 3.5.3 to 3.6.0.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](c85c95e3d7...f43a0e5ff2
2023-08-28 22:22:25 +00:00
dependabot[bot]
e4e215340e
build(deps): bump github/codeql-action from 2.21.2 to 2.21.5
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.21.2 to 2.21.5.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](https://github.com/github/codeql-action/compare/v2.21.2...00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 )
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-08-28 22:16:21 +00:00
Kelvin M. Klann
72c6df3af5
tests: properly fix fs/kmsg test
...
It was broken likely due to `private-dev` being added to default.profile
on commit 307dad54275cefd5b1
2023-08-23 12:02:24 -03:00
Kelvin M. Klann
b4346f0f19
ci: document the intended purpose of each workflow
2023-08-22 04:58:21 -03:00
Kelvin M. Klann
23a289a666
ci: split test jobs for faster checks
...
Considering the most recent runs, this reduces the total amount of time
it takes to run the tests from about 9-10 minutes to about 3 minutes.
Note: Which jobs are split is mostly determined by how long each test
takes.
For example, this is the time each test step took in a run of
`build_and_test` (10m17s total for the job) on commit bfcf8bc31#5956 from kmk3/build-fix-dep-syntax", 2023-08-14)[1]:
* 17s test-seccomp-extra
* 1s test-firecfg
* 16s test-capabilities
* 6s test-apparmor
* 10s test-appimage
* 10s test-chroot
* 41s test-sysutils
* 24s test-private-etc
* 40s test-profiles
* 4s test-fcopy
* 2s test-fnetfilter
* 98s test-fs
* 103s test-utils
* 57s test-environment
* 69s test-network
[1]: https://github.com/netblue30/firejail/actions/runs/5860927500/job/15890009169
2023-08-22 04:58:21 -03:00
Kelvin M. Klann
1c9af28611
ci: move main code checks into new check-c.yml
...
Move scan-build, cppcheck and CodeQL (cpp).
This is similar to build-extra.yml, but for jobs that check for issues
in the code rather than checking for build failures.
Note: As this deletes codeql-analysis.yml, its configuration also has to
be deleted in the GitHub web UI to prevent it from warning about the
file being missing:
* Security -> Code scanning -> Tool status -> (Setup Types) CodeQL ->
(Configurations) language:python -> Delete configuration
Misc: The above was clarified by @topimiettinen[1].
[1] https://github.com/netblue30/firejail/pull/5960#issuecomment-1685262643
2023-08-22 04:58:21 -03:00
Kelvin M. Klann
500d8f2d69
ci: run make in parallel where applicable
...
Do so when the output of the given job is not important.
For example, when the output of another job can be used for debugging
build-related issues.
2023-08-22 04:58:21 -03:00
Kelvin M. Klann
82d28795a7
ci: split build and test into separate workflows
...
Testing takes significantly longer than building, so this makes the
default build check faster.
2023-08-22 04:52:55 -03:00
Kelvin M. Klann
29f7a94610
ci: remove "CI" from workflow names
...
All of the current workflows are used for CI.
2023-08-20 12:31:14 -03:00
Kelvin M. Klann
8d53acbbb2
ci: move codeql python job into its own workflow
...
Only run the CodeQL Python analysis if a .py file is changed.
2023-08-20 12:31:14 -03:00
Kelvin M. Klann
5995a69e2c
ci: trim comments in codeql-analysis.yml
...
Note: When generating a new workflow, the permissions do not have
comments anymore.
2023-08-20 12:31:07 -03:00
Kelvin M. Klann
2f1b352e4e
ci: rename profile-checks.yml to check-profiles.yml
2023-08-20 06:21:42 -03:00
Kelvin M. Klann
b589045b0f
ci: use path whitelists instead of blacklists
...
That is, replace `paths-ignore` with `paths`.
This should reduce the number of unnecessary workflow executions and the
frequency at which paths are changed. It also reduces the overall
number of paths used.
Also, add the missing ci/printenv.sh to the path whitelists.
2023-08-20 06:20:40 -03:00
Kelvin M. Klann
fd05c9a37a
Merge pull request #5955 from kmk3/build-codespell-improvements
...
build: codespell improvements
2023-08-14 21:37:17 +00:00
Kelvin M. Klann
b2821a3448
build: run codespell on almost all files
...
Ignore only third-party/vendored files (such as license files and files
in m4/).
And ignore more words to fix the following errors:
$ make codespell
Running codespell...
./README:484: als ==> also
./README:646: Shotcut ==> Shortcut
./RELNOTES:516: als ==> also
./etc/inc/disable-common.inc:506: chage ==> change, charge
./etc/apparmor/firejail-default:35: readby ==> read, read by
./etc/apparmor/firejail-default:36: readby ==> read, read by
./etc/profile-a-l/als.profile:1: als ==> also
./etc/profile-a-l/als.profile:5: als ==> also
make: *** [Makefile:374: codespell] Error 65
$ codespell --version
2.2.5
2023-08-14 04:32:51 -03:00
Kelvin M. Klann
894b1456a8
ci: run ./configure in codespell
...
Since it runs through make, the target may depend on variables that are
defined by ./configure (such as the ones in config.mk).
2023-08-14 04:32:51 -03:00
Kelvin M. Klann
f3948a895f
ci: move codespell job into its own workflow
...
Split the spellchecking job from the build-related jobs to make
debugging easier.
2023-08-14 04:32:36 -03:00
dependabot[bot]
e6b7fdfa16
build(deps): bump github/codeql-action from 2.21.2 to 2.21.3
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.21.2 to 2.21.3.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](0ba4244466...5b6282e01c
2023-08-14 06:30:37 +00:00
Kelvin M. Klann
b7820492f9
build: fix wrong man page paths
...
Change the old .txt paths into the new .in paths.
This amends commit 76bd5ad0f#5898 .
2023-08-12 20:04:41 -03:00
Varun Sharma
7facc386cd
Update allowed endpoints
...
Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>
2023-08-12 03:56:47 -03:00
Varun Sharma
8d923fc586
build(deps): bump step-security/harden-runner from 2.5.0 to 2.5.1
...
Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>
2023-08-12 03:56:47 -03:00
dependabot[bot]
5986fe1ae4
build(deps): bump github/codeql-action from 2.21.0 to 2.21.2
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.21.0 to 2.21.2.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](1813ca74c3...0ba4244466
2023-07-31 11:08:25 +00:00
dependabot[bot]
b4cef6dfbd
build(deps): bump step-security/harden-runner from 2.4.1 to 2.5.0
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.4.1 to 2.5.0.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](55d479fb1c...cba0d00b1f
2023-07-31 11:08:20 +00:00
dependabot[bot]
6fd85f4e58
build(deps): bump github/codeql-action from 2.20.4 to 2.21.0
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.20.4 to 2.21.0.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](489225d82a...1813ca74c3
2023-07-24 13:57:20 +00:00
dependabot[bot]
dcb5bc0e45
build(deps): bump github/codeql-action from 2.20.3 to 2.20.4
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.20.3 to 2.20.4.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](46ed16ded9...489225d82a
2023-07-17 09:19:14 +00:00
dependabot[bot]
036ce27fee
build(deps): bump github/codeql-action from 2.20.1 to 2.20.3
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.20.1 to 2.20.3.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](f6e388ebf0...46ed16ded9
2023-07-12 04:33:21 +00:00
dependabot[bot]
8ccff4af04
build(deps): bump step-security/harden-runner from 2.4.0 to 2.4.1
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.4.0 to 2.4.1.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](128a63446a...55d479fb1c
2023-06-26 09:36:21 +00:00
dependabot[bot]
55322931af
build(deps): bump github/codeql-action from 2.20.0 to 2.20.1
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.20.0 to 2.20.1.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](6c089f53dd...f6e388ebf0
2023-06-26 09:35:54 +00:00
Kelvin M. Klann
a8f01a383a
Merge pull request #5859 from kmk3/build-remove-retpoline
...
build: remove -mretpoline and NO_EXTRA_CFLAGS
2023-06-20 05:26:23 +00:00
dependabot[bot]
eaf13450c4
build(deps): bump github/codeql-action from 2.3.6 to 2.20.0
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.3.6 to 2.20.0.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](83f0fe6c49...6c089f53dd
2023-06-19 07:49:15 +00:00
dependabot[bot]
f72b78cab0
build(deps): bump actions/checkout from 3.5.2 to 3.5.3
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 3.5.2 to 3.5.3.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](8e5e7e5ab8...c85c95e3d7
2023-06-19 07:48:42 +00:00
Kelvin M. Klann
63f1a045ba
build: remove -mretpoline and NO_EXTRA_CFLAGS
...
The -mretpoline flag is not documented in the current versions of gcc
and clang and it is what causes scan-build to fail:
$ ./configure CC=clang | grep retpoline
checking whether C compiler accepts -mretpoline... yes
EXTRA_CFLAGS: -mretpoline -fstack-clash-protection -fstack-protector-strong
$ scan-build --status-bugs make
scan-build: Using '/usr/bin/clang-15' for static analysis
make -C src/lib
make[1]: Entering directory '/tmp/firejail/src/lib'
/usr/bin/../lib/clang/ccc-analyzer [...] -mretpoline [...] -c common.c -o common.o
gcc: error: unrecognized command-line option ‘-mretpoline’
make[1]: *** [../../src/prog.mk:16: common.o] Error 1
make[1]: Leaving directory '/tmp/firejail/src/lib'
make: *** [Makefile:59: src/lib] Error 2
scan-build: Analysis run complete.
scan-build: Removing directory '/tmp/scan-build-[...]' because it contains no reports.
scan-build: No bugs found.
Environment: clang 15.0.7-9 and gcc 13.1.1-1 on Artix Linux.
Note: NO_EXTRA_CFLAGS was added to work around this issue by causing all
of the flags in EXTRA_CFLAGS to be ignored.
Note2: -mretpoline was added on commit 4a99c8aa2490918c352c64d1fddCloses #5509 .
Kind of relates to #2661 .
2023-06-18 13:43:55 -03:00
Kelvin M. Klann
15e40e9ae4
ci: standardize apt-get update/install
...
General changes:
* Use a single -q on update, as the output is not too long
* Use a single -q on install, to show all packages at once
GitLab-specific changes:
* Use `DEBIAN_FRONTEND=noninteractive` to reduce noise
* Use --no-install-recommends to avoid installing unnecessary packages
* Filter out uninteresting lines on install
Note: `DEBIAN_FRONTEND` does not appear to be needed in the default
GitHub runner container and not many packages are currently being
downloaded/installed in them, so do the above changes only jobs that use
custom Docker images.
2023-06-14 18:54:49 -03:00
Kelvin M. Klann
dc826cba31
ci: print config.log if configure fails
...
Example log of it failing:
$ ./configure
checking for gcc... gcc
checking whether the C compiler works... no
configure: error: in `/tmp/build':
configure: error: C compiler cannot create executables
See `config.log' for more details
2023-06-14 17:30:51 -03:00
dependabot[bot]
a7dff2521f
build(deps): bump github/codeql-action from 2.3.5 to 2.3.6
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.3.5 to 2.3.6.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](0225834cc5...83f0fe6c49
2023-06-05 17:06:28 +00:00
dependabot[bot]
f1218ef1e5
build(deps): bump github/codeql-action from 2.3.3 to 2.3.5
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.3.3 to 2.3.5.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](29b1f65c5e...0225834cc5
2023-05-29 15:02:15 +00:00
dependabot[bot]
9d9114ca59
build(deps): bump step-security/harden-runner from 2.3.1 to 2.4.0
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.3.1 to 2.4.0.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](6b3083af28...128a63446a
2023-05-08 14:06:12 +00:00
