GitHub supports immutable releases. They can't be changed once
published. This is great, but the release action was broken and created
an immutable release, published it, and then tried to upload the dist
artifacts.
Upgrade to the latest version and explicitly create an immutable
release. In this version, the release action creates a draft release,
uploads the dist artifacts, and then publishes it.
Instead of doing meson dist on the developer's machine and uploading it,
and creating the release in GitHub, we can let the CI take care of it.
Closes #6404
A few years ago there was a very painful attempt at porting from
libsoup2 to libsoup3. Flatpak libsoup3 support never landed and it seems
like a large amount of distros have switched over to libcurl instead.
This commit removes libsoup2 support completely instead of growing
libsoup3 support.
Closes #5915
Closes #4582
We require jobs to succeed before a PR can be merged. If a PR only
touches files which match `paths-ignore`, the jobs won't run and the PR
can't be merged.
The number of PRs which only touch those files is small, and the extra
CI runs resulting from that can be ignored.
If the internal_tests option is enabled we build some internal tests
into the binary. These are added to the tests we run in testlibrary.
This is not intended to be enabled in production, as it adds size to
the real binary, but is useful for CI and development.
CI currently skips a lot of tests. This is due to AppArmor restricting
user namespacing to specific executables with a profile. We however
build bwrap ourselves and that makes it hard to have a profile for it.
Let's just turn the restriction off entirely.
Docker and podman can be configured to use mutual TLS authentication
to the registry by dropping files into system-wide and user
directories. Implement this in a largely compatible way.
(Because of the limitations of our underlying libraries, we
can't support multiple certificates within the same host config,
but I don't expect anybody actually needs that.)
The certs.d handling is extended so that certificates are separately
looked up when downloading the look-aside index. This is mostly
to simplify our tests, so we can use one web server for both -
in actual operation, we expect the indexes to be unauthenticated.
Also for testing purposes, FLATPAK_CONTAINER_CERTS_D is supported
to override the standard search path.
Co-authored-by: Sebastian Wick <sebastian.wick@redhat.com>
We already build and test with asan with the newer
toolchain in the ubuntu 24.04 job. Sometimes the older
toolchain found in 22.04 or the asan version will
trigger issues that are either false positive or that
have been already against in newer versions.
CodeQL and merge queues don't play along very well. That's because
CodeQL doesn't report status to the merge queue, which ends up blocking
the queue forever.
Add this small workaround which allows us to turn on the merge queue
again.
Before commits 97768cea and cb655ab3, we were upgrading GLib to a
post-Ubuntu-18.04 version before running tests, to work around a GLib
bug. We no longer need to do that now that we're running everything on
Ubuntu 20.04 or later.
Fixes: cb655ab3 "check.yml: remove glib260 ppa"
Signed-off-by: Simon McVittie <smcv@collabora.com>
This is somewhat faster than Autotools. We still use Autotools for
the alt, clang and valgrind builds, to make sure we cover both.
As a bonus, the use of undefined behaviour and address sanitizers here
actually works (unlike in Autotools, see #4844) so we're getting test
coverage with detection of common issues like use-after-free.
Signed-off-by: Simon McVittie <smcv@collabora.com>
This avoids a race condition in versions older than 2.60, while still
verifying that we can compile successfully with GLib 2.56.
Not having GLib 2.60 means we can't compile libmalcontent on Ubuntu 18.04,
so move the libmalcontent dependency to the main build job (on Ubuntu
22.04, which is new enough). This also means we don't have to compile
it from source every time.
Signed-off-by: Simon McVittie <smcv@collabora.com>
This adds a separate, more modern CI build running on ubuntu 22.04
using curl, and leaves the old one around building against soup.
In addition, the modern one uses the system bwrap and dbus-proxy so
that we test these configurations too (and because the modern system
has good versions of these).
I also enabled running parallel make check again, hoping that
whatever made this hang is now fixed. We'll see.