Configure Electron fuses, document others #7180
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| - merge_group | |
| - push | |
| - pull_request | |
| # Only build for latest push/PR unless it's main or release/ | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: ${{ github.ref != 'refs/heads/main' && !startsWith( github.ref, 'refs/heads/release/' ) && !startsWith( github.ref, 'refs/heads/gh-readonly-queue/' ) }} | |
| defaults: | |
| run: | |
| shell: bash | |
| permissions: | |
| contents: read | |
| env: | |
| POETRY_VERSION: 2.1.3 | |
| jobs: | |
| lint-apparmor: | |
| strategy: | |
| matrix: | |
| debian_version: | |
| - bookworm | |
| runs-on: ubuntu-latest | |
| container: debian:${{ matrix.debian_version }} | |
| steps: | |
| - run: | | |
| apt-get update && apt-get install --yes git make apparmor | |
| - uses: actions/checkout@v6 | |
| with: | |
| persist-credentials: false | |
| - name: Lint AppArmor profiles | |
| run: | | |
| make lint-apparmor | |
| lint-desktop: | |
| strategy: | |
| matrix: | |
| debian_version: | |
| - bookworm | |
| runs-on: ubuntu-latest | |
| container: debian:${{ matrix.debian_version }} | |
| steps: | |
| - run: | | |
| apt-get update && apt-get install --yes git make desktop-file-utils | |
| - uses: actions/checkout@v6 | |
| with: | |
| persist-credentials: false | |
| - name: Lint .desktop files | |
| run: | | |
| make lint-desktop | |
| lint: | |
| strategy: | |
| matrix: | |
| debian_version: | |
| - bookworm | |
| runs-on: ubuntu-latest | |
| container: debian:${{ matrix.debian_version }} | |
| steps: | |
| - run: | | |
| apt-get update && apt-get install --yes git make file pipx | |
| pipx install poetry==$POETRY_VERSION | |
| pipx ensurepath | |
| echo "${HOME}/.local/bin" >> ${GITHUB_PATH} | |
| - uses: actions/checkout@v6 | |
| with: | |
| persist-credentials: false | |
| - name: Configure git permissions (needed by semgrep) | |
| run: | | |
| git config --global --add safe.directory "$GITHUB_WORKSPACE" | |
| - name: Install dependencies | |
| run: | | |
| poetry install | |
| - name: Run lint | |
| run: make lint | |
| # Run `make lint` across all components | |
| component-lint: | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| # proxy has no `make lint` because it is covered by `rust-lint`. | |
| component: | |
| - client | |
| - export | |
| - log | |
| debian_version: | |
| - bookworm | |
| runs-on: ubuntu-latest | |
| container: debian:${{ matrix.debian_version }} | |
| steps: | |
| - run: | | |
| apt-get update && apt-get install --yes git make gnupg pipx | |
| pipx install poetry==$POETRY_VERSION | |
| pipx ensurepath | |
| echo "${HOME}/.local/bin" >> ${GITHUB_PATH} | |
| - uses: actions/checkout@v6 | |
| with: | |
| persist-credentials: false | |
| - name: Install dependencies | |
| run: | | |
| poetry -C ${{ matrix.component }} install | |
| if [[ "${{ matrix.component }}" == "client" || "${{ matrix.component }}" == "export" ]]; then | |
| make -C ${{ matrix.component }} ci-install-deps | |
| fi | |
| - name: Run lint | |
| run: make -C ${{ matrix.component }} lint | |
| rust: | |
| runs-on: ubuntu-latest | |
| # Keep version in sync with rust-toolchain.toml | |
| container: rust:1.90.0 | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| persist-credentials: false | |
| - name: Configure Qubes repository | |
| run: | | |
| cp scripts/qubes_42.sources /etc/apt/sources.list.d/ | |
| source /etc/os-release | |
| sed -i s/##VERSION_CODENAME##/${VERSION_CODENAME}/ /etc/apt/sources.list.d/qubes_42.sources | |
| apt-get update && apt-get install --yes libclang-dev qubesdb-dev | |
| - name: Install dependencies | |
| run: | | |
| rustup component add rustfmt | |
| rustup component add clippy | |
| - name: Lint and test Rust code | |
| run: | | |
| make rust-lint | |
| make rust-test |