Skip to content

i/p/requestrules,o/i/apparmorprompting: move request matching logic into requestrules #33052

i/p/requestrules,o/i/apparmorprompting: move request matching logic into requestrules

i/p/requestrules,o/i/apparmorprompting: move request matching logic into requestrules #33052

Workflow file for this run

name: Tests
on:
pull_request:
branches: [ "master", "release/**", "core-snap-security-release/**", "security-release/**" ]
push:
branches: [ "master", "release/**", "core-snap-security-release/**", "security-release/**" ]
concurrency:
group: ${{ github.head_ref || github.run_id }}
cancel-in-progress: true
jobs:
go-channels:
runs-on: ubuntu-latest
outputs:
go-channels: ${{ steps.resolve-go-channels.outputs.go-channels }}
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Resolve Go snap channels
id: resolve-go-channels
uses: ./.github/actions/resolve-go-channels
with:
include-snapd-build-go-channel: true
include-snapd-build-fips-go-channel: true
include-latest-go-channel: true
snap-builds:
uses: ./.github/workflows/snap-builds.yaml
with:
runs-on: ${{ matrix.runs-on }}
toolchain: ${{ matrix.toolchain }}
variant: ${{ matrix.variant }}
strategy:
matrix:
runs-on:
- '["ubuntu-22.04"]'
# Tags to identify the self-hosted runners to use from
# internal runner collection. See internal self-hosted
# runners doc for the complete list of options.
- '["self-hosted", "Linux", "jammy", "ARM64", "large"]'
toolchain:
- default
- FIPS
variant:
# test version is a build of snapd with test keys and should
# only be installed by test runners. The pristine versions
# are the build that should be installed by human users.
- pristine
- test
# Exclude building everything for ARM but the version for testing
# to keep the number of builds down as we currently don't have a
# clear need for these excluded builds.
exclude:
- runs-on: '["self-hosted", "Linux", "jammy", "ARM64", "large"]'
toolchain: FIPS
- runs-on: '["self-hosted", "Linux", "jammy", "ARM64", "large"]'
variant: pristine
cache-build-deps:
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Download Debian dependencies
run: |
sudo apt clean
sudo apt update
sudo apt build-dep -d -y ${{ github.workspace }}
# for indent
sudo apt install texinfo autopoint
- name: Copy dependencies
run: |
sudo tar cvf cached-apt.tar /var/cache/apt
- name: upload Debian dependencies
uses: actions/upload-artifact@v4
with:
name: debian-dependencies
path: ./cached-apt.tar
static-checks:
uses: ./.github/workflows/static-checks.yaml
needs:
- go-channels
- cache-build-deps
with:
runs-on: ubuntu-latest
gochannel: ${{ matrix.gochannel }}
strategy:
# we cache successful runs so it's fine to keep going
fail-fast: false
matrix:
gochannel: ${{ fromJson(needs.go-channels.outputs.go-channels) }}
branch-static-checks:
runs-on: ubuntu-latest
needs: [cache-build-deps]
if: github.ref != 'refs/heads/master'
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
# needed for git commit history
fetch-depth: 0
- name: check-branch-ubuntu-daily-spread
run: |
# Compare the daily system in master and in the current branch
wget -q -O test_master.yaml https://raw.githubusercontent.com/snapcore/snapd/master/.github/workflows/test.yaml
system_daily="$(yq '.jobs.spread.strategy.matrix.include.[] | select(.group == "ubuntu-daily") | .systems' test_master.yaml)"
current_daily="$(yq '.jobs.spread.strategy.matrix.include.[] | select(.group == "ubuntu-daily") | .systems' .github/workflows/test.yaml)"
test "$system_daily" == "$current_daily"
shell: bash
# The required-static-checks job was introduced to maintain a consistent
# status check name, regardless of changes to the Go channel used for static
# checks. This avoids the need to update required status checks whenever the
# Go channel changes.
required-static-checks:
runs-on: ubuntu-latest
needs:
- static-checks
- branch-static-checks
if: always()
steps:
- name: Filter out branch-static-checks from needs
run: |
# The branch-static-checks job is skipped when testing on the master
# branch. The combine-results action treats skipped jobs as failed
# because a failure earlier in the chain (e.g., in cache-build-deps)
# would also cause branch-static-checks to be skipped, which
# constitutes a legitimate failure. To handle this, when
# branch-static-checks is skipped during testing on the master branch
# we remove it from the list of dependencies whose results are checked.
if [[ "${GITHUB_REF}" == "refs/heads/master" ]]; then
filtered_needs=$(echo '${{ toJSON(needs) }}' | jq 'del(.["branch-static-checks"])')
echo "NEEDS_FILTERED=$(echo $filtered_needs | jq -c)" >> $GITHUB_ENV
else
echo "NEEDS_FILTERED=$(echo '${{ toJSON(needs) }}' | jq -c)" >> $GITHUB_ENV
fi
shell: bash
- name: Checkout code
uses: actions/checkout@v4
- name: Confirm required static checks passed
uses: ./.github/actions/combine-results
with:
needs-json: ${{ env.NEEDS_FILTERED }}
unit-tests:
uses: ./.github/workflows/unit-tests.yaml
needs:
- go-channels
- static-checks
name: "unit-tests default ${{ matrix.gochannel }}"
with:
runs-on: ubuntu-22.04
gochannel: ${{ matrix.gochannel }}
skip-coverage: ${{ matrix.gochannel == 'latest/stable' }}
strategy:
# we cache successful runs so it's fine to keep going
fail-fast: false
matrix:
gochannel: ${{ fromJson(needs.go-channels.outputs.go-channels) }}
# TODO run unit tests of C code
unit-tests-special:
uses: ./.github/workflows/unit-tests.yaml
needs:
- go-channels
- static-checks
name: "unit-tests (${{ matrix.gochannel }} ${{ matrix.test-case.go-build-tags }}
${{ matrix.test-case.go-test-race && ' test-race' || ''}}
${{ matrix.test-case.snapd-debug && ' snapd-debug' || ''}})"
with:
runs-on: ubuntu-22.04
gochannel: ${{ matrix.gochannel }}
skip-coverage: ${{ matrix.gochannel == 'latest/stable' || matrix.test-case.skip-coverage }}
go-build-tags: ${{ matrix.test-case.go-build-tags }}
go-test-race: ${{ matrix.test-case.go-test-race }}
snapd-debug: ${{ matrix.test-case.snapd-debug }}
strategy:
# we cache successful runs so it's fine to keep going
fail-fast: false
matrix:
gochannel: ${{ fromJson(needs.go-channels.outputs.go-channels) }}
test-case:
- { go-build-tags: snapd_debug, skip-coverage: false, snapd-debug: true, go-test-race: false}
- { go-build-tags: withbootassetstesting, skip-coverage: false, snapd-debug: false, go-test-race: false}
- { go-build-tags: nosecboot, skip-coverage: false, snapd-debug: false, go-test-race: false}
- { go-build-tags: faultinject, skip-coverage: false, snapd-debug: false, go-test-race: false}
- { go-build-tags: snapdusergo, skip-coverage: false, snapd-debug: false, go-test-race: false}
- { go-build-tags: "", skip-coverage: true, snapd-debug: false, go-test-race: true }
unit-tests-cross-distro:
uses: ./.github/workflows/unit-tests-cross-distro.yaml
needs: [static-checks]
with:
runs-on: ubuntu-latest
distro: ${{ matrix.distro }}
strategy:
fail-fast: false
matrix:
distro:
# TODO add arch?
- fedora:latest
- opensuse/tumbleweed
# The required-unit-tests job was introduced to maintain a consistent
# status check name, regardless of changes to the Go channel used for unit
# tests. This avoids the need to update required status checks whenever the
# Go channel changes.
required-unit-tests:
runs-on: ubuntu-latest
needs:
- unit-tests
- unit-tests-special
- unit-tests-cross-distro
if: always()
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Confirm required unit tests passed
uses: ./.github/actions/combine-results
with:
needs-json: ${{ toJSON(needs) }}
code-coverage:
needs: [unit-tests, unit-tests-special]
runs-on: ubuntu-20.04
env:
GOPATH: ${{ github.workspace }}
# Set PATH to ignore the load of magic binaries from /usr/local/bin And
# to use the go snap automatically. Note that we install go from the
# snap in a step below. Without this we get the GitHub-controlled latest
# version of go.
PATH: /snap/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:${{ github.workspace }}/bin
GOROOT: ""
steps:
- name: Download the coverage files
uses: actions/download-artifact@v4
with:
pattern: coverage-files-*
path: .coverage/
merge-multiple: true
- name: Upload coverage to Codecov
uses: codecov/codecov-action@v4
# uploading to codecov occasionally fails, so continue running the test
# workflow regardless of the upload
continue-on-error: true
with:
fail_ci_if_error: true
flags: unittests
name: codecov-umbrella
files: .coverage/coverage-*.cov
verbose: true
spread:
uses: ./.github/workflows/spread-tests.yaml
needs: [unit-tests, snap-builds]
name: "spread ${{ matrix.group }}"
with:
# Github doesn't support passing sequences as parameters.
# Instead here we create a json array and pass it as a string.
# Then in the spread workflow it turns it into a sequence
# using the fromJSON expression.
runs-on: '["self-hosted", "spread-enabled"]'
group: ${{ matrix.group }}
backend: ${{ matrix.backend }}
systems: ${{ matrix.systems }}
tasks: ${{ matrix.tasks }}
rules: ${{ matrix.rules }}
strategy:
# FIXME: enable fail-fast mode once spread can cancel an executing job.
# Disable fail-fast mode as it doesn't function with spread. It seems
# that cancelling tasks requires short, interruptible actions and
# interrupting spread, notably, does not work today. As such disable
# fail-fast while we tackle that problem upstream.
fail-fast: false
matrix:
include:
- group: amazon-linux
backend: google-distro-1
systems: 'amazon-linux-2-64 amazon-linux-2023-64'
tasks: 'tests/...'
rules: 'main'
- group: arch-linux
backend: google-distro-2
systems: 'arch-linux-64'
tasks: 'tests/...'
rules: 'main'
- group: centos
backend: openstack
systems: 'centos-9-64'
tasks: 'tests/...'
rules: 'main'
- group: debian-req
backend: google-distro-1
systems: 'debian-11-64'
tasks: 'tests/...'
rules: 'main'
- group: debian-not-req
backend: openstack
systems: 'debian-12-64 debian-sid-64'
tasks: 'tests/...'
rules: 'main'
- group: fedora
backend: openstack
systems: 'fedora-40-64 fedora-41-64'
tasks: 'tests/...'
rules: 'main'
- group: opensuse
backend: openstack
systems: 'opensuse-15.5-64 opensuse-15.6-64 opensuse-tumbleweed-64'
tasks: 'tests/...'
rules: 'main'
- group: ubuntu-trusty
backend: google
systems: 'ubuntu-14.04-64'
tasks: 'tests/smoke/ tests/main/canonical-livepatch tests/main/canonical-livepatch-14.04'
rules: 'trusty'
- group: ubuntu-xenial-bionic
backend: google
systems: 'ubuntu-16.04-64 ubuntu-18.04-64'
tasks: 'tests/...'
rules: 'main'
- group: ubuntu-focal-jammy
backend: google
systems: 'ubuntu-20.04-64 ubuntu-22.04-64'
tasks: 'tests/...'
rules: 'main'
- group: ubuntu-noble
backend: google
systems: 'ubuntu-24.04-64'
tasks: 'tests/...'
rules: 'main'
- group: ubuntu-no-lts
backend: google
systems: 'ubuntu-24.10-64'
tasks: 'tests/...'
rules: 'main'
- group: ubuntu-daily
backend: google
systems: 'ubuntu-25.04-64'
tasks: 'tests/...'
rules: 'main'
- group: ubuntu-core-18
backend: google-core
systems: 'ubuntu-core-18-64'
tasks: 'tests/...'
rules: 'main'
- group: ubuntu-core-20
backend: google-core
systems: 'ubuntu-core-20-64'
tasks: 'tests/...'
rules: 'main'
- group: ubuntu-core-22
backend: google-core
systems: 'ubuntu-core-22-64'
tasks: 'tests/...'
rules: 'main'
- group: ubuntu-core-24
backend: google-core
systems: 'ubuntu-core-24-64'
tasks: 'tests/...'
rules: 'main'
- group: ubuntu-arm64
backend: google-arm
systems: 'ubuntu-20.04-arm-64 ubuntu-core-22-arm-64'
tasks: 'tests/...'
rules: 'main'
- group: ubuntu-secboot
backend: google
systems: 'ubuntu-secboot-20.04-64'
tasks: 'tests/...'
rules: 'main'
- group: ubuntu-fips
backend: google-pro
systems: 'ubuntu-fips-22.04-64'
tasks: 'tests/fips/...'
# XXX fips test suite comes with separate ruless file
rules: 'fips'
- group: nested-ubuntu-18.04
backend: google-nested
systems: 'ubuntu-18.04-64'
tasks: 'tests/nested/...'
rules: 'nested'
- group: nested-ubuntu-20.04
backend: google-nested
systems: 'ubuntu-20.04-64'
tasks: 'tests/nested/...'
rules: 'nested'
- group: nested-ubuntu-22.04
backend: google-nested
systems: 'ubuntu-22.04-64'
tasks: 'tests/nested/...'
rules: 'nested'
- group: nested-ubuntu-24.04
backend: google-nested
systems: 'ubuntu-24.04-64'
tasks: 'tests/nested/...'
rules: 'nested'