Use PRoot with mksquashfs to preserve file owner/group #16
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: ci | |
| on: | |
| pull_request: | |
| jobs: | |
| check_go_mod: | |
| name: check_go_mod | |
| runs-on: ubuntu-22.04 | |
| container: golang:1.25.6 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Check go.mod | |
| run: | | |
| git config --global --add safe.directory $(pwd) | |
| ./scripts/check-go.mod | |
| lint_markdown: | |
| name: lint_markdown | |
| runs-on: ubuntu-22.04 | |
| container: node:20-slim | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Install markdownlint | |
| run: npm install -g markdownlint-cli | |
| - name: Check for Lint | |
| run: markdownlint --ignore LICENSE_DEPENDENCIES.md . | |
| check_source: | |
| name: check_source | |
| runs-on: ubuntu-22.04 | |
| container: golangci/golangci-lint:v2.6 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Check apptainer source | |
| run: | | |
| git config --global --add safe.directory $(pwd) | |
| ./mconfig -v -p /usr/local --with-suid | |
| make -C ./builddir check | |
| shellcheck: | |
| name: shellcheck | |
| runs-on: ubuntu-22.04 | |
| container: koalaman/shellcheck-alpine | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: shellcheck files that appear to be sh or bash scripts (or some cousin thereof) | |
| run: | | |
| shellcheck $( ./scripts/get-shell-files.sh ) | |
| alpine: | |
| name: alpine | |
| runs-on: ubuntu-22.04 | |
| container: golang:1.25.6-alpine | |
| steps: | |
| - name: Fetch deps | |
| run: apk add -q --no-cache git bash alpine-sdk automake libtool linux-headers libarchive-dev util-linux-dev libuuid openssl-dev gawk sed cryptsetup | |
| - uses: actions/checkout@v4 | |
| - name: Build Apptainer | |
| run: | | |
| git config --global --add safe.directory $(pwd) | |
| ./mconfig -v -p /usr/local --with-suid | |
| make -C ./builddir all | |
| oldgo: | |
| name: oldgo | |
| runs-on: ubuntu-22.04 | |
| # match the minimum version required by mconfig | |
| container: golang:1.25.6-alpine | |
| steps: | |
| - name: Fetch deps | |
| run: apk add -q --no-cache git bash alpine-sdk automake libtool linux-headers libarchive-dev util-linux-dev libuuid openssl-dev gawk sed cryptsetup | |
| - uses: actions/checkout@v4 | |
| - name: Build Apptainer | |
| run: | | |
| git config --global --add safe.directory $(pwd) | |
| ./mconfig -v -p /usr/local --with-suid | |
| make -C ./builddir all | |
| check_test_corpus: | |
| name: check_test_corpus | |
| runs-on: ubuntu-22.04 | |
| container: golang:1.25.6 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Generate Certificates | |
| run: | | |
| git config --global --add safe.directory $(pwd) | |
| cd test/certs/ && go run ./gen_certs.go && cd ../.. | |
| - name: Check Test Corpus Tidiness | |
| run: git diff --exit-code -- | |
| check_license_dependencies: | |
| name: check_license_dependencies | |
| runs-on: ubuntu-22.04 | |
| container: golang:1.25.6 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Update LICENSE_DEPENDENCIES.md | |
| run: | | |
| git config --global --add safe.directory $(pwd) | |
| ./scripts/update-license-dependencies.sh | |
| - name: Check License Changes | |
| run: git diff --exit-code -- LICENSE_DEPENDENCIES.md | |
| debbuild-debian11: | |
| name: debbuild-debian11 | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Build and test deb under docker | |
| env: | |
| OS_TYPE: debian | |
| OS_VERSION: 11 | |
| # setting GO_ARCH speeds things by using go binaries instead of source | |
| GO_ARCH: linux-amd64 | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: ./scripts/ci-docker-run | |
| debbuild-debian12: | |
| name: debbuild-debian12 | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Build and test deb under docker | |
| env: | |
| OS_TYPE: debian | |
| OS_VERSION: 12 | |
| # setting GO_ARCH speeds things by using go binaries instead of source | |
| GO_ARCH: linux-amd64 | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: ./scripts/ci-docker-run | |
| debbuild-ubuntu22: | |
| name: debbuild-ubuntu22 | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Build and test deb under docker | |
| env: | |
| OS_TYPE: ubuntu | |
| OS_VERSION: '22.04' | |
| GO_ARCH: linux-amd64 | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: ./scripts/ci-docker-run | |
| debbuild-ubuntu24: | |
| name: debbuild-ubuntu24 | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Build and test deb under docker | |
| env: | |
| OS_TYPE: ubuntu | |
| OS_VERSION: 24.04 | |
| GO_ARCH: linux-amd64 | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: ./scripts/ci-docker-run | |
| rpmbuild-rocky8: | |
| name: rpmbuild-rocky8 | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Build and test rpm under docker | |
| env: | |
| OS_TYPE: rockylinux | |
| OS_VERSION: 8 | |
| GO_ARCH: linux-amd64 | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: ./scripts/ci-docker-run | |
| - name: Install and test unprivileged for rocky 8 | |
| env: | |
| OS_TYPE: rockylinux | |
| OS_VERSION: 8 | |
| TEST_TYPE: unpriv | |
| run: ./scripts/ci-docker-run | |
| - name: Install and test unprivileged for rocky 9 with rocky 8 container | |
| env: | |
| OS_TYPE: rockylinux | |
| OS_VERSION: 9 | |
| CONTAINER_VERS: rockylinux:8 | |
| TEST_TYPE: unpriv | |
| run: ./scripts/ci-docker-run | |
| - name: Install and test unprivileged for ubuntu 20.04 | |
| env: | |
| OS_TYPE: ubuntu | |
| OS_VERSION: 20.04 | |
| TEST_TYPE: unpriv | |
| run: ./scripts/ci-docker-run | |
| - name: Install and test unprivileged for debian 11 | |
| env: | |
| OS_TYPE: debian | |
| OS_VERSION: 11 | |
| TEST_TYPE: unpriv | |
| run: ./scripts/ci-docker-run | |
| - name: Install and test unprivileged for openSUSE leap | |
| env: | |
| OS_TYPE: opensuse/leap | |
| OS_VERSION: latest | |
| TEST_TYPE: unpriv | |
| run: ./scripts/ci-docker-run | |
| - name: Install and test unprivileged for openSUSE tumbleweed | |
| env: | |
| OS_TYPE: opensuse/tumbleweed | |
| OS_VERSION: latest | |
| TEST_TYPE: unpriv | |
| run: ./scripts/ci-docker-run | |
| rpmbuild-rocky9: | |
| name: rpmbuild-rocky9 | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Build and test rpm under docker | |
| env: | |
| OS_TYPE: rockylinux | |
| OS_VERSION: 9 | |
| GO_ARCH: linux-amd64 | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: ./scripts/ci-docker-run | |
| - name: Install and test unprivileged for rocky 9 | |
| env: | |
| OS_TYPE: rockylinux | |
| OS_VERSION: 9 | |
| TEST_TYPE: unpriv | |
| run: ./scripts/ci-docker-run | |
| - name: Install and test unprivileged for ubuntu 22.04 | |
| env: | |
| OS_TYPE: ubuntu | |
| OS_VERSION: 22.04 | |
| TEST_TYPE: unpriv | |
| run: ./scripts/ci-docker-run | |
| rpmbuild-rocky10: | |
| name: rpmbuild-rocky10 | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Build and test rpm under docker | |
| env: | |
| OS_TYPE: rockylinux/rockylinux | |
| OS_VERSION: 10 | |
| GO_ARCH: linux-amd64 | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: ./scripts/ci-docker-run | |
| - name: Install and test unprivileged for rocky 10 | |
| env: | |
| OS_TYPE: rockylinux/rockylinux | |
| OS_VERSION: 10 | |
| TEST_TYPE: unpriv | |
| run: ./scripts/ci-docker-run | |
| rpmbuild-opensuse-leap: | |
| name: rpmbuild-opensuse-leap | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Build and test rpm under docker | |
| env: | |
| OS_TYPE: opensuse/leap | |
| OS_VERSION: latest | |
| GO_ARCH: linux-amd64 | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: ./scripts/ci-docker-run | |
| - name: Install and test unprivileged for openSUSE leap | |
| env: | |
| OS_TYPE: opensuse/leap | |
| OS_VERSION: latest | |
| INS_OPTS: -o -d suse15 | |
| TEST_TYPE: unpriv | |
| run: ./scripts/ci-docker-run | |
| rpmbuild-opensuse-tumbleweed: | |
| name: rpmbuild-opensuse-tumbleweed | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Build and test rpm under docker | |
| env: | |
| OS_TYPE: opensuse/tumbleweed | |
| OS_VERSION: latest | |
| GO_ARCH: linux-amd64 | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: ./scripts/ci-docker-run | |
| - name: Install and test unprivileged for openSUSE tumbleweed | |
| env: | |
| OS_TYPE: opensuse/tumbleweed | |
| OS_VERSION: latest | |
| INS_OPTS: -o -d opensuse-tumbleweed | |
| TEST_TYPE: unpriv | |
| run: ./scripts/ci-docker-run | |
| unit_tests: | |
| name: unit_tests | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup Go | |
| uses: actions/setup-go@v2 | |
| with: | |
| go-version: 1.25.6 | |
| - name: Fetch deps | |
| run: | | |
| set -e | |
| sudo apt-get -q update | |
| sudo DEBIAN_FRONTEND=noninteractive apt-get install -y build-essential libseccomp-dev libtalloc-dev libattr1-dev libprotobuf-c-dev fakeroot cryptsetup dbus-user-session | |
| sudo DEBIAN_FRONTEND=noninteractive apt-get install -y autoconf automake libtool pkg-config libfuse3-dev zlib1g-dev liblzo2-dev liblz4-dev liblzma-dev libzstd-dev | |
| - uses: actions/cache/restore@v4 | |
| id: cache | |
| with: | |
| path: cache | |
| key: ${{ hashFiles('dist/rpm/apptainer.spec.in') }} | |
| - name: Download dependent packages | |
| if: steps.cache.outputs.cache-hit != 'true' | |
| run: | | |
| set -ex | |
| mkdir -p cache | |
| ./scripts/download-dependencies cache | |
| - uses: actions/cache/save@v4 | |
| if: steps.cache.outputs.cache-hit != 'true' | |
| with: | |
| path: cache | |
| key: ${{ hashFiles('dist/rpm/apptainer.spec.in') }} | |
| - name: Compile and install dependent packages | |
| run: | | |
| set -ex | |
| ./scripts/compile-dependencies cache | |
| sudo mkdir -p /usr/local/libexec/apptainer/bin | |
| sudo ./scripts/install-dependencies /usr/local/libexec | |
| - name: Build and install Apptainer | |
| run: | | |
| ./mconfig -v -p /usr/local --with-suid | |
| make -C ./builddir all && sudo make -C ./builddir install | |
| - name: Run unit tests | |
| run: make -C ./builddir unit-test | |
| - name: Check NFPM | |
| run: | | |
| go install github.com/goreleaser/nfpm/v2/cmd/nfpm@v2.10.0 | |
| go run ./dist/nfpm/generate.go -version $(./scripts/get-version) -prefix /usr/local | \ | |
| $HOME/go/bin/nfpm package -f /dev/stdin -p deb -t ./builddir | |
| integration_tests: | |
| name: integration_tests | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup Go | |
| uses: actions/setup-go@v2 | |
| with: | |
| go-version: 1.25.6 | |
| - name: Fetch deps | |
| run: sudo apt-get -q update && sudo DEBIAN_FRONTEND=noninteractive apt-get install -y build-essential libseccomp-dev libtalloc-dev libattr1-dev libprotobuf-c-dev cryptsetup dbus-user-session | |
| - name: Build and install Apptainer | |
| run: | | |
| ./mconfig -v -p /usr/local --with-suid | |
| make -C ./builddir all && sudo make -C ./builddir install | |
| - name: Run integration tests | |
| run: make -C ./builddir integration-test | |
| e2e_tests: | |
| name: e2e_tests | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Check changes | |
| env: | |
| PROJECT_REF: ${{ github.ref }} | |
| PROJECT_REPOSITORY: ${{ github.repository }} | |
| PROJECT_PR_NUMBER: ${{ github.event.pull_request.number }} | |
| run: | | |
| git config --global --add safe.directory $(pwd) | |
| rc=0 | |
| ./scripts/should-e2e-run "${PROJECT_REPOSITORY}" "${PROJECT_REF##*/}" "${PROJECT_PR_NUMBER}" || rc=$? | |
| case $rc in | |
| 0) | |
| echo "Verifying critical changes" | |
| echo "run_tests=true" >> $GITHUB_ENV ;; | |
| 1) | |
| echo "No critical changes, skipping tests" ;; | |
| *) | |
| echo "E: ./scripts/should-e2e-run returned with exit code $rc. Abort." | |
| exit $rc ;; | |
| esac | |
| - name: Setup Go | |
| if: env.run_tests | |
| uses: actions/setup-go@v2 | |
| with: | |
| go-version: 1.25.6 | |
| - name: Fetch deps | |
| if: env.run_tests | |
| run: | | |
| set -e | |
| sudo apt-get -q update | |
| sudo DEBIAN_FRONTEND=noninteractive apt-get install -y build-essential libseccomp-dev libtalloc-dev libattr1-dev libprotobuf-c-dev uidmap fakeroot cryptsetup dbus-user-session | |
| sudo DEBIAN_FRONTEND=noninteractive apt-get install -y autoconf automake libtool pkg-config libfuse3-dev zlib1g-dev liblzo2-dev liblz4-dev liblzma-dev libzstd-dev | |
| - name: Download, compile, and install dependent packages | |
| if: env.run_tests | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| set -ex | |
| ./scripts/download-dependencies | |
| ./scripts/compile-dependencies | |
| sudo mkdir -p /usr/local/libexec/apptainer/bin | |
| sudo ./scripts/install-dependencies /usr/local/libexec | |
| - name: Enable full cgroups v2 delegation | |
| if: env.run_tests | |
| run: | | |
| sudo mkdir -p /etc/systemd/system/user@.service.d | |
| cat <<EOF | sudo tee /etc/systemd/system/user@.service.d/delegate.conf | |
| [Service] | |
| Delegate=cpu cpuset io memory pids | |
| EOF | |
| sudo systemctl daemon-reload | |
| - name: Build and install Apptainer | |
| if: env.run_tests | |
| run: | | |
| ./mconfig -v -p /usr/local --with-suid | |
| make -C ./builddir all && sudo make -C ./builddir install | |
| - name: Pull and run qemu-user-static | |
| if: env.run_tests | |
| run: | | |
| sudo apptainer run docker://multiarch/qemu-user-static --reset -p yes | |
| supported_misc=`ls -al /proc/sys/fs/binfmt_misc/qemu-* | wc -l` | |
| if [ "$supported_misc" -le 1 ]; then | |
| echo "binfmt_misc registerred failed" | |
| exit 1 | |
| fi | |
| - name: Run E2E tests | |
| if: env.run_tests | |
| env: | |
| E2E_PARALLEL: 8 | |
| run: | | |
| # Set up systemd for the rootless cgroups tests | |
| systemctl --user daemon-reload | |
| systemctl --user start dbus | |
| export DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$UID/bus" | |
| systemd-run --user --scope make -C ./builddir e2e-test | |
| - name: Upload artifacts | |
| if: env.run_tests | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: e2e-artifact | |
| path: builddir/e2e-cmd-report.txt | |
| retention-days: 7 | |
| check_pkg_no_buildcfg: | |
| name: check_pkg_no_buildcfg | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup Go | |
| uses: actions/setup-go@v2 | |
| with: | |
| go-version: 1.25.6 | |
| - name: Check pkg/... doesn't depend on buildcfg | |
| run: | | |
| if $(/usr/local/go/bin/go list -f '{{.Deps}}' ./pkg/... | grep -q buildcfg) | |
| then | |
| echo "Prohibited buildcfg dependency found in pkg/:" | |
| echo | |
| /usr/local/go/bin/go list -f '{{.ImportPath}} - {{.Deps}}' ./pkg/... | grep buildcfg | |
| exit 1 | |
| fi |