CI currently skips a lot of tests. This is due to AppArmor restricting
user namespacing to specific executables with a profile. We however
build bwrap ourselves and that makes it hard to have a profile for it.
Let's just turn the restriction off entirely.
Docker and podman can be configured to use mutual TLS authentication
to the registry by dropping files into system-wide and user
directories. Implement this in a largely compatible way.
(Because of the limitations of our underlying libraries, we
can't support multiple certificates within the same host config,
but I don't expect anybody actually needs that.)
The certs.d handling is extended so that certificates are separately
looked up when downloading the look-aside index. This is mostly
to simplify our tests, so we can use one web server for both -
in actual operation, we expect the indexes to be unauthenticated.
Also for testing purposes, FLATPAK_CONTAINER_CERTS_D is supported
to override the standard search path.
Co-authored-by: Sebastian Wick <sebastian.wick@redhat.com>
We already build and test with asan with the newer
toolchain in the ubuntu 24.04 job. Sometimes the older
toolchain found in 22.04 or the asan version will
trigger issues that are either false positive or that
have been already against in newer versions.
CodeQL and merge queues don't play along very well. That's because
CodeQL doesn't report status to the merge queue, which ends up blocking
the queue forever.
Add this small workaround which allows us to turn on the merge queue
again.
Before commits 97768cea and cb655ab3, we were upgrading GLib to a
post-Ubuntu-18.04 version before running tests, to work around a GLib
bug. We no longer need to do that now that we're running everything on
Ubuntu 20.04 or later.
Fixes: cb655ab3 "check.yml: remove glib260 ppa"
Signed-off-by: Simon McVittie <smcv@collabora.com>
This is somewhat faster than Autotools. We still use Autotools for
the alt, clang and valgrind builds, to make sure we cover both.
As a bonus, the use of undefined behaviour and address sanitizers here
actually works (unlike in Autotools, see #4844) so we're getting test
coverage with detection of common issues like use-after-free.
Signed-off-by: Simon McVittie <smcv@collabora.com>
This avoids a race condition in versions older than 2.60, while still
verifying that we can compile successfully with GLib 2.56.
Not having GLib 2.60 means we can't compile libmalcontent on Ubuntu 18.04,
so move the libmalcontent dependency to the main build job (on Ubuntu
22.04, which is new enough). This also means we don't have to compile
it from source every time.
Signed-off-by: Simon McVittie <smcv@collabora.com>
This adds a separate, more modern CI build running on ubuntu 22.04
using curl, and leaves the old one around building against soup.
In addition, the modern one uses the system bwrap and dbus-proxy so
that we test these configurations too (and because the modern system
has good versions of these).
I also enabled running parallel make check again, hoping that
whatever made this hang is now fixed. We'll see.
This lets us verify that our ability to do releases hasn't regressed.
Run this as part of the "valgrind" build, since we want to enable
gtk-doc for distcheck, and it's this build that already enables gtk-doc.
We don't want to do this in the main Autotools build, since
that enables AddressSanitizer, which often works badly with the
"scanner" tools in gtk-doc and GObject-Introspection - although this
is currently mitigated by --enable-asan not actually working as
intended (see #4844).
Signed-off-by: Simon McVittie <smcv@collabora.com>
For the build that uses --enable-asan, explicitly disable introspection,
since the GObject-Introspection scanner works poorly with libtool
and AddressSanitizer (see #4844); the only reason this worked until
now is that --enable-asan doesn't currently do anything (again,
see #4844).
For the build that runs tests under valgrind, we already can't use
AddressSanitizer, making this a good place to explicitly enable
introspection, so that we have at least one build with it enabled.
Signed-off-by: Simon McVittie <smcv@collabora.com>
We want to have gtk-doc enabled in the build that will run
`make distcheck`, but the clang/CodeQL build seems like a poor fit for
that, since it runs twice (for C and Python) and has extra
instrumentation. Move it to the build where we will run tests under
valgrind, which is already somewhat slow.
Signed-off-by: Simon McVittie <smcv@collabora.com>
We explicitly enable gtk-doc for one of our builds (the one that uses
clang on Ubuntu 18.04). There's no real need to enable it for more than
one build.
Signed-off-by: Simon McVittie <smcv@collabora.com>
libappstream-glib is mostly unmaintained, and libappstream is more
actively developed (and up to date with the AppStream specification).
Port from libappstream-glib to libappstream. Handily, a lot of the APIs
are exactly the same. The main changes are:
* `AsApp` → `AsComponent`
* `AsStore` → `AsMetadata`
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
(Mostly done by Philip, then Phaedrus finished this)
