GitHub CI: run most tests as a non-privileged user.

We don't really care about the throwaway container running in a throwaway
VM, but it's still better to run tests that do not require elevated
privileges as a normal user, at least to be sure that the ability to do
this is working.

Also, some tests (like the new command-fsck.test) can perform more checks
with a restricted user account.

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 7463c8f..4a250d4 100644 (file)
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -107,20 +107,21 @@ jobs:
     container:
       image: ${{ matrix.os }}
       options: --privileged
-
+      env:
+        CI: 1
     steps:
       - name: Install deps (Alpine)
         run: >
           apk add git binutils make autoconf automake gcc linux-headers libtool
           diffutils texinfo procps openssl-dev zlib-dev lzo-dev ncurses-dev
-          readline-dev musl-dev lz4-dev socat
+          readline-dev musl-dev lz4-dev socat shadow sudo
         if: startsWith(matrix.os, 'alpine')
 
       - name: Install deps (Debian and Ubuntu)
         shell: bash
         run: |
           apt-get update
-          apt-get install -y git binutils make autoconf automake gcc diffutils \
+          apt-get install -y git binutils make autoconf automake gcc diffutils sudo \
             texinfo netcat procps socat zlib1g-dev lib{ssl,lzo2,lz4,ncurses,readline}-dev
         env:
           DEBIAN_FRONTEND: noninteractive
@@ -134,7 +135,7 @@ jobs:
             dnf config-manager --enable powertools
           fi
           yum install -y epel-release
-          yum install -y git binutils make autoconf automake gcc diffutils \
+          yum install -y git binutils make autoconf automake gcc diffutils sudo \
             texinfo netcat procps socat {lzo,zlib,lz4,ncurses,readline}-devel
           yum install -y openssl11-devel || yum install -y openssl-devel
         if: startsWith(matrix.os, 'centos') || startsWith(matrix.os, 'alma')
@@ -142,7 +143,7 @@ jobs:
       - name: Install deps (SUSE)
         shell: bash
         run: >
-          zypper install -y tar git binutils make autoconf automake gcc procps
+          zypper install -y tar git binutils make autoconf automake gcc procps sudo
           makeinfo diffutils gzip socat {openssl,zlib,lzo,liblz4,ncurses,readline}-devel
         if: startsWith(matrix.os, 'opensuse')
 
@@ -154,11 +155,17 @@ jobs:
       - name: Assign name for test results artifact
         run: echo TEST_ARTIFACT="$(echo '${{ matrix.os }}' | sed 's|[:/]|_|g')" >>"$GITHUB_ENV"
 
+      - name: Create a non-privileged user
+        run: |
+          useradd --user-group build
+          chown -R build:build .
+          echo 'build ALL=(ALL) NOPASSWD: ALL' >/etc/sudoers.d/build
+
       - name: Run tests with default settings
-        run: sh .github/workflows/test/run.sh default
+        run: sudo -u build CI=1 sh .github/workflows/test/run.sh default
 
       - name: Run tests without legacy protocol
-        run: sh .github/workflows/test/run.sh nolegacy
+        run: sudo -u build CI=1 sh .github/workflows/test/run.sh nolegacy
 
       - name: Upload test results
         uses: actions/upload-artifact@v2

diff --git a/.github/workflows/test/run.sh b/.github/workflows/test/run.sh
index 778d5d3..9f397f9 100644 (file)
--- a/.github/workflows/test/run.sh
+++ b/.github/workflows/test/run.sh
@@ -20,11 +20,12 @@ run_tests() {
   header "Cleaning up leftovers from previous runs"
 
   for name in tinc tincd; do
-    pkill -TERM -x "$name" || true
-    pkill -KILL -x "$name" || true
+    sudo pkill -TERM -x "$name" || true
+    sudo pkill -KILL -x "$name" || true
   done
 
-  git clean -dfx
+  sudo git clean -dfx
+  sudo chown -R build:build .
 
   header "Running test flavor $flavor"
 
@@ -44,7 +45,7 @@ run_tests() {
   code=0
   make check -j2 VERBOSE=1 || code=$?
 
-  tar -c -z -f "/tmp/tests.$flavor.tar.gz" test/
+  sudo tar -c -z -f "/tmp/tests.$flavor.tar.gz" test/
 
   return $code
 }