From: Kirill Isakov Date: Mon, 26 Jul 2021 08:52:42 +0000 (+0600) Subject: GitHub CI: run most tests as a non-privileged user. X-Git-Url: https://tinc-vpn.org/git/browse?p=tinc;a=commitdiff_plain;h=402170d78f4413d0b95a5ac194db4f638021961a GitHub CI: run most tests as a non-privileged user. We don't really care about the throwaway container running in a throwaway VM, but it's still better to run tests that do not require elevated privileges as a normal user, at least to be sure that the ability to do this is working. Also, some tests (like the new command-fsck.test) can perform more checks with a restricted user account.
---
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 7463c8ff..4a250d4d 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -107,20 +107,21 @@ jobs: container: image: ${{ matrix.os }} options: --privileged - + env: + CI: 1 steps: - name: Install deps (Alpine) run: > apk add git binutils make autoconf automake gcc linux-headers libtool diffutils texinfo procps openssl-dev zlib-dev lzo-dev ncurses-dev - readline-dev musl-dev lz4-dev socat + readline-dev musl-dev lz4-dev socat shadow sudo if: startsWith(matrix.os, 'alpine') - name: Install deps (Debian and Ubuntu) shell: bash run: | apt-get update - apt-get install -y git binutils make autoconf automake gcc diffutils \ + apt-get install -y git binutils make autoconf automake gcc diffutils sudo \ texinfo netcat procps socat zlib1g-dev lib{ssl,lzo2,lz4,ncurses,readline}-dev env: DEBIAN_FRONTEND: noninteractive
@@ -134,7 +135,7 @@ jobs: dnf config-manager --enable powertools fi yum install -y epel-release - yum install -y git binutils make autoconf automake gcc diffutils \ + yum install -y git binutils make autoconf automake gcc diffutils sudo \ texinfo netcat procps socat {lzo,zlib,lz4,ncurses,readline}-devel yum install -y openssl11-devel || yum install -y openssl-devel if: startsWith(matrix.os, 'centos') || startsWith(matrix.os, 'alma')
@@ -142,7 +143,7 @@ jobs: - name: Install deps (SUSE) shell: bash run: > - zypper install -y tar git binutils make autoconf automake gcc procps + zypper install -y tar git binutils make autoconf automake gcc procps sudo makeinfo diffutils gzip socat {openssl,zlib,lzo,liblz4,ncurses,readline}-devel if: startsWith(matrix.os, 'opensuse')
@@ -154,11 +155,17 @@ jobs: - name: Assign name for test results artifact run: echo TEST_ARTIFACT="$(echo '${{ matrix.os }}' | sed 's|[:/]|_|g')" >>"$GITHUB_ENV" + - name: Create a non-privileged user + run: | + useradd --user-group build + chown -R build:build . + echo 'build ALL=(ALL) NOPASSWD: ALL' >/etc/sudoers.d/build + - name: Run tests with default settings - run: sh .github/workflows/test/run.sh default + run: sudo -u build CI=1 sh .github/workflows/test/run.sh default - name: Run tests without legacy protocol - run: sh .github/workflows/test/run.sh nolegacy + run: sudo -u build CI=1 sh .github/workflows/test/run.sh nolegacy - name: Upload test results uses: actions/upload-artifact@v2
diff --git a/.github/workflows/test/run.sh b/.github/workflows/test/run.sh
index 778d5d3f..9f397f98 100644
--- a/.github/workflows/test/run.sh
+++ b/.github/workflows/test/run.sh
@@ -20,11 +20,12 @@ run_tests() { header "Cleaning up leftovers from previous runs" for name in tinc tincd; do - pkill -TERM -x "$name" || true - pkill -KILL -x "$name" || true + sudo pkill -TERM -x "$name" || true + sudo pkill -KILL -x "$name" || true done - git clean -dfx + sudo git clean -dfx + sudo chown -R build:build . header "Running test flavor $flavor"
@@ -44,7 +45,7 @@ run_tests() { code=0 make check -j2 VERBOSE=1 || code=$? - tar -c -z -f "/tmp/tests.$flavor.tar.gz" test/ + sudo tar -c -z -f "/tmp/tests.$flavor.tar.gz" test/ return $code }
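Review bot: The "Create a non-privileged user" step in test.yml writes `build ALL=(ALL) NOPASSWD: ALL`, so every process started under `sudo -u build` can get back to root without a prompt and the separation is nominal. A test that is meant to observe restricted permissions (the description names command-fsck.test) still runs in a context where an accidental `sudo` succeeds silently. The run.sh lines visible in this commit need root only for pkill, git clean, chown and tar, so those could run as root workflow steps before and after the test step, and the sudoers drop-in could then be removed; if some tests call sudo on purpose, which is not visible here, a comment on the step should say so. If the file stays, `chmod 0440 /etc/sudoers.d/build` after writing it matches the mode sudoers(5) documents for drop-ins.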
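Review bot: `sudo chown -R build:build .` in the first run.sh hunk hard-codes an account that only the workflow creates, so outside this CI job the script either errors out or hands the checkout to another user. `sudo chown -R "$(id -u):$(id -g)" .` returns the tree to whoever invoked the script. The two `sudo pkill` lines also widen the cleanup from the caller's own processes to every tinc/tincd on the host; that is harmless in the container but would stop a live daemon on a shared machine, so the sudo calls are worth guarding with the `CI` variable the workflow already sets. run_tests begins and ends outside this hunk.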
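Review bot: `sudo tar -c -z -f "/tmp/tests.$flavor.tar.gz" test/` in the second run.sh hunk has root write to a fixed name in a world-writable directory after test code has run as a different user, so a link left at that path would be followed with root privileges. Since the earlier hunk already chowns the tree to the invoking user, the archive could probably be created without sudo, or placed in a directory obtained from `mktemp -d`. The upload step that consumes the path lies outside the visible hunks and would need the same change. The rest of run_tests is outside this hunk.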