interfaces/seccomp/template: allow epoll_pwait2 in the base template #33157
# Top-level CI workflow: builds snaps, runs static checks, unit tests and the
# spread integration suites.
# NOTE(review): no `permissions:` key appears in this listing, so the
# GITHUB_TOKEN scope presumably follows the repository/organisation default;
# consider declaring a least-privilege set here - confirm what the called
# workflows need first.
name: Tests
on:
  pull_request:
    branches:
      - 'master'
      - 'release/**'
      - 'core-snap-security-release/**'
      - 'security-release/**'
  push:
    branches:
      - 'master'
      - 'release/**'
      - 'core-snap-security-release/**'
      - 'security-release/**'
concurrency:
  # head_ref is only populated for pull_request events, so push runs fall back
  # to the unique run_id and are never cancelled by another run.
  # NOTE(review): head_ref is a bare branch name; pull requests from different
  # forks that use the same branch name presumably land in the same group and
  # can cancel each other - confirm whether that matters here.
  group: ${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
jobs:
# Resolves the Go snap channels once and publishes them as a job output.
# static-checks, unit-tests and unit-tests-special expand that output into
# their matrices with fromJson().
go-channels:
  runs-on: ubuntu-latest
  outputs:
    go-channels: ${{ steps.resolve-go-channels.outputs.go-channels }}
  steps:
    # The local action below lives in the repository, so the checkout has to
    # come first.
    - name: Checkout code
      uses: actions/checkout@v4

    - id: resolve-go-channels
      name: Resolve Go snap channels
      uses: ./.github/actions/resolve-go-channels
      with:
        include-snapd-build-go-channel: true
        include-snapd-build-fips-go-channel: true
        include-latest-go-channel: true
# Builds the snapd snap through the reusable snap-builds workflow for every
# combination of runner, toolchain and variant that survives the exclude list.
snap-builds:
  uses: ./.github/workflows/snap-builds.yaml
  with:
    runs-on: ${{ matrix.runs-on }}
    toolchain: ${{ matrix.toolchain }}
    variant: ${{ matrix.variant }}
  strategy:
    matrix:
      # Each runs-on value is a JSON array encoded as a string and handed to
      # the called workflow as-is.
      runs-on:
        - '["ubuntu-22.04"]'
        # Labels that select runners from the internal self-hosted pool; the
        # internal self-hosted runners documentation lists the valid options.
        # NOTE(review): this workflow is triggered by pull_request, so code
        # from a pull request is built on these self-hosted machines; confirm
        # that fork pull requests are gated (approval, ephemeral runners).
        - '["self-hosted", "Linux", "jammy", "ARM64", "large"]'
      toolchain:
        - default
        - FIPS
      variant:
        # "test" is snapd built with test keys and must only ever be installed
        # by test runners; "pristine" is the build meant for human users.
        - pristine
        - test
      # On ARM only the test variant with the default toolchain is built;
      # there is currently no clear need for the others, and skipping them
      # keeps the number of builds down.
      exclude:
        - runs-on: '["self-hosted", "Linux", "jammy", "ARM64", "large"]'
          toolchain: FIPS
        - runs-on: '["self-hosted", "Linux", "jammy", "ARM64", "large"]'
          variant: pristine
# Downloads the Debian build dependencies (download only, -d) and uploads the
# resulting apt cache as the "debian-dependencies" artifact.
# NOTE(review): confirm the ubuntu-20.04 hosted image is still offered and
# still receives updates; a retired image label leaves this job unschedulable.
cache-build-deps:
  runs-on: ubuntu-20.04
  steps:
    - name: Checkout code
      uses: actions/checkout@v4

    - name: Download Debian dependencies
      run: |
        sudo apt clean
        sudo apt update
        sudo apt build-dep -d -y ${{ github.workspace }}
        # for indent
        sudo apt install texinfo autopoint

    # Everything under /var/cache/apt goes into a single tarball so it can be
    # shipped as one artifact file.
    - name: Copy dependencies
      run: |
        sudo tar cvf cached-apt.tar /var/cache/apt

    - name: upload Debian dependencies
      uses: actions/upload-artifact@v4
      with:
        name: debian-dependencies
        path: ./cached-apt.tar
# Runs the reusable static-checks workflow once per Go channel reported by the
# go-channels job.
static-checks:
  needs:
    - go-channels
    - cache-build-deps
  uses: ./.github/workflows/static-checks.yaml
  with:
    runs-on: ubuntu-latest
    gochannel: ${{ matrix.gochannel }}
  strategy:
    # Successful runs are cached, so letting the remaining legs continue after
    # one failure costs little.
    fail-fast: false
    matrix:
      gochannel: ${{ fromJson(needs.go-channels.outputs.go-channels) }}
# Checks, on every ref except master, that the "ubuntu-daily" spread systems
# in this branch's workflow match the ones currently on master.
branch-static-checks:
  runs-on: ubuntu-latest
  needs:
    - cache-build-deps
  if: github.ref != 'refs/heads/master'
  steps:
    - name: Checkout code
      uses: actions/checkout@v4
      with:
        # Full history: needed for git commit history.
        fetch-depth: 0

    # The reference copy is fetched over HTTPS from the master branch and is
    # only parsed by yq and compared as text; nothing from it is executed.
    - name: check-branch-ubuntu-daily-spread
      shell: bash
      run: |
        # Compare the daily system in master and in the current branch
        wget -q -O test_master.yaml https://raw.githubusercontent.com/snapcore/snapd/master/.github/workflows/test.yaml
        system_daily="$(yq '.jobs.spread.strategy.matrix.include.[] | select(.group == "ubuntu-daily") | .systems' test_master.yaml)"
        current_daily="$(yq '.jobs.spread.strategy.matrix.include.[] | select(.group == "ubuntu-daily") | .systems' .github/workflows/test.yaml)"
        test "$system_daily" == "$current_daily"
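# The required-static-checks job was introduced to maintain a consistent
# status check name, regardless of changes to the Go channel used for static
# checks. This avoids the need to update required status checks whenever the
# Go channel changes.
required-static-checks:
  runs-on: ubuntu-latest
  needs:
    - static-checks
    - branch-static-checks
  # Run even when a needed job failed or was skipped, so this check always
  # reports a result.
  if: always()
  steps:
    - name: Filter out branch-static-checks from needs
      shell: bash
      env:
        # The needs context is handed over as data through the environment
        # instead of being expanded into the script text. Pasted between
        # single quotes, a value containing a quote character (for example in
        # a job output) would end the shell string early and change what the
        # script executes.
        NEEDS_JSON: ${{ toJSON(needs) }}
      run: |
        # The branch-static-checks job is skipped when testing on the master
        # branch. The combine-results action treats skipped jobs as failed
        # because a failure earlier in the chain (e.g., in cache-build-deps)
        # would also cause branch-static-checks to be skipped, which
        # constitutes a legitimate failure. To handle this, when
        # branch-static-checks is skipped during testing on the master branch
        # we remove it from the list of dependencies whose results are checked.
        if [[ "${GITHUB_REF}" == "refs/heads/master" ]]; then
            filtered_needs="$(jq -c 'del(.["branch-static-checks"])' <<<"${NEEDS_JSON}")"
        else
            filtered_needs="$(jq -c '.' <<<"${NEEDS_JSON}")"
        fi
        # jq -c prints a single line, which the NAME=value form of GITHUB_ENV
        # requires.
        echo "NEEDS_FILTERED=${filtered_needs}" >> "${GITHUB_ENV}"

    # The combine-results action is local to the repository, so check it out.
    - name: Checkout code
      uses: actions/checkout@v4

    - name: Confirm required static checks passed
      uses: ./.github/actions/combine-results
      with:
        needs-json: ${{ env.NEEDS_FILTERED }}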
# Default unit-test run: one leg per Go channel, started once static checks
# have passed.
unit-tests:
  name: "unit-tests default ${{ matrix.gochannel }}"
  needs:
    - go-channels
    - static-checks
  uses: ./.github/workflows/unit-tests.yaml
  with:
    runs-on: ubuntu-22.04
    gochannel: ${{ matrix.gochannel }}
    # Coverage is skipped on the latest/stable channel.
    skip-coverage: ${{ matrix.gochannel == 'latest/stable' }}
  strategy:
    # Successful runs are cached, so letting the remaining legs continue after
    # one failure costs little.
    fail-fast: false
    matrix:
      gochannel: ${{ fromJson(needs.go-channels.outputs.go-channels) }}
# TODO run unit tests of C code
# Unit tests under non-default settings: extra Go build tags, the race
# detector, or snapd debug mode, each crossed with every Go channel.
unit-tests-special:
  needs:
    - go-channels
    - static-checks
  uses: ./.github/workflows/unit-tests.yaml
  # The display name lists the channel, the build tags and whichever of
  # test-race / snapd-debug is switched on for the leg.
  name: "unit-tests (${{ matrix.gochannel }} ${{ matrix.test-case.go-build-tags }}
    ${{ matrix.test-case.go-test-race && ' test-race' || ''}}
    ${{ matrix.test-case.snapd-debug && ' snapd-debug' || ''}})"
  with:
    runs-on: ubuntu-22.04
    gochannel: ${{ matrix.gochannel }}
    # Coverage is skipped on latest/stable or when the test case asks for it.
    skip-coverage: ${{ matrix.gochannel == 'latest/stable' || matrix.test-case.skip-coverage }}
    go-build-tags: ${{ matrix.test-case.go-build-tags }}
    go-test-race: ${{ matrix.test-case.go-test-race }}
    snapd-debug: ${{ matrix.test-case.snapd-debug }}
  strategy:
    # Successful runs are cached, so letting the remaining legs continue after
    # one failure costs little.
    fail-fast: false
    matrix:
      gochannel: ${{ fromJson(needs.go-channels.outputs.go-channels) }}
      test-case:
        - go-build-tags: snapd_debug
          skip-coverage: false
          snapd-debug: true
          go-test-race: false
        - go-build-tags: withbootassetstesting
          skip-coverage: false
          snapd-debug: false
          go-test-race: false
        - go-build-tags: nosecboot
          skip-coverage: false
          snapd-debug: false
          go-test-race: false
        - go-build-tags: faultinject
          skip-coverage: false
          snapd-debug: false
          go-test-race: false
        - go-build-tags: snapdusergo
          skip-coverage: false
          snapd-debug: false
          go-test-race: false
        # Race-detector run: no build tags, and coverage is skipped.
        - go-build-tags: ""
          skip-coverage: true
          snapd-debug: false
          go-test-race: true
# Unit tests for other distributions, one leg per entry in the distro matrix.
# NOTE(review): "latest" and "tumbleweed" are moving references, so the tested
# environment changes without a commit here - presumably intended; confirm.
unit-tests-cross-distro:
  needs:
    - static-checks
  uses: ./.github/workflows/unit-tests-cross-distro.yaml
  with:
    runs-on: ubuntu-latest
    distro: ${{ matrix.distro }}
  strategy:
    fail-fast: false
    matrix:
      distro:
        # TODO add arch?
        - 'fedora:latest'
        - 'opensuse/tumbleweed'
# required-unit-tests exists so that the required status check keeps one
# stable name whichever Go channels the unit tests run on; required status
# checks then need no update when the Go channel changes.
required-unit-tests:
  runs-on: ubuntu-latest
  needs:
    - unit-tests
    - unit-tests-special
    - unit-tests-cross-distro
  # Run even when a needed job failed or was skipped, so this check always
  # reports a result.
  if: always()
  steps:
    # The combine-results action is local to the repository, so check it out.
    - name: Checkout code
      uses: actions/checkout@v4

    # The needs context reaches the action as an input value; it is not
    # expanded into a shell script in this job.
    - name: Confirm required unit tests passed
      uses: ./.github/actions/combine-results
      with:
        needs-json: ${{ toJSON(needs) }}
# Gathers the coverage files produced by the unit-test jobs and uploads them
# to Codecov.
# NOTE(review): confirm the ubuntu-20.04 hosted image is still offered and
# still receives updates; a retired image label leaves this job unschedulable.
code-coverage:
  runs-on: ubuntu-20.04
  needs:
    - unit-tests
    - unit-tests-special
  env:
    GOPATH: ${{ github.workspace }}
    # PATH is set explicitly so that binaries in /usr/local/bin are not picked
    # up and so that the go snap is used automatically (per the original note,
    # go is installed from the snap in a later step). Otherwise the job would
    # get the GitHub-controlled latest version of go.
    # NOTE(review): the workspace bin directory comes last, so a binary placed
    # there cannot shadow a system tool - keep that order.
    PATH: /snap/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:${{ github.workspace }}/bin
    GOROOT: ""
  steps:
    - name: Download the coverage files
      uses: actions/download-artifact@v4
      with:
        pattern: coverage-files-*
        path: .coverage/
        merge-multiple: true

    # NOTE(review): this third-party action is referenced by the mutable tag
    # v4; pinning it to a full commit SHA would keep a re-pointed tag from
    # changing the code that runs in this job.
    - name: Upload coverage to Codecov
      uses: codecov/codecov-action@v4
      # Uploads to Codecov fail now and then; the step may fail
      # (fail_ci_if_error) without failing the workflow.
      continue-on-error: true
      with:
        fail_ci_if_error: true
        flags: unittests
        name: codecov-umbrella
        files: .coverage/coverage-*.cov
        verbose: true
# Runs the spread integration suites through the reusable spread-tests
# workflow, one leg per entry in the include list below.
# NOTE(review): every leg runs on self-hosted "spread-enabled" runners and the
# workflow is triggered by pull_request; confirm that fork pull requests are
# gated (approval, ephemeral runners) before their code reaches this pool.
spread:
  name: "spread ${{ matrix.group }}"
  needs:
    - unit-tests
    - snap-builds
  uses: ./.github/workflows/spread-tests.yaml
  with:
    # GitHub cannot pass a sequence as a workflow input, so the runner labels
    # travel as a JSON array inside a string; the spread workflow turns it
    # back into a sequence with fromJSON.
    runs-on: '["self-hosted", "spread-enabled"]'
    group: ${{ matrix.group }}
    backend: ${{ matrix.backend }}
    systems: ${{ matrix.systems }}
    tasks: ${{ matrix.tasks }}
    rules: ${{ matrix.rules }}
  strategy:
    # FIXME: enable fail-fast mode once spread can cancel an executing job.
    # fail-fast does not work with spread: cancelling needs short,
    # interruptible actions, and interrupting spread does not work today, so
    # it stays off until that is fixed upstream.
    fail-fast: false
    matrix:
      # branch-static-checks reads the "ubuntu-daily" entry of this list with
      # yq, by group name.
      include:
        - group: amazon-linux
          backend: google-distro-1
          systems: 'amazon-linux-2-64 amazon-linux-2023-64'
          tasks: 'tests/...'
          rules: main
        - group: arch-linux
          backend: google-distro-2
          systems: 'arch-linux-64'
          tasks: 'tests/...'
          rules: main
        - group: centos
          backend: openstack
          systems: 'centos-9-64'
          tasks: 'tests/...'
          rules: main
        - group: debian-req
          backend: google-distro-1
          systems: 'debian-11-64'
          tasks: 'tests/...'
          rules: main
        - group: debian-not-req
          backend: openstack
          systems: 'debian-12-64 debian-sid-64'
          tasks: 'tests/...'
          rules: main
        - group: fedora
          backend: openstack
          systems: 'fedora-40-64 fedora-41-64'
          tasks: 'tests/...'
          rules: main
        - group: opensuse
          backend: openstack
          systems: 'opensuse-15.5-64 opensuse-15.6-64 opensuse-tumbleweed-64'
          tasks: 'tests/...'
          rules: main
        - group: ubuntu-trusty
          backend: google
          systems: 'ubuntu-14.04-64'
          tasks: 'tests/smoke/ tests/main/canonical-livepatch tests/main/canonical-livepatch-14.04'
          rules: trusty
        - group: ubuntu-xenial-bionic
          backend: google
          systems: 'ubuntu-16.04-64 ubuntu-18.04-64'
          tasks: 'tests/...'
          rules: main
        - group: ubuntu-focal-jammy
          backend: google
          systems: 'ubuntu-20.04-64 ubuntu-22.04-64'
          tasks: 'tests/...'
          rules: main
        - group: ubuntu-noble
          backend: google
          systems: 'ubuntu-24.04-64'
          tasks: 'tests/...'
          rules: main
        - group: ubuntu-no-lts
          backend: google
          systems: 'ubuntu-24.10-64'
          tasks: 'tests/...'
          rules: main
        - group: ubuntu-daily
          backend: google
          systems: 'ubuntu-25.04-64'
          tasks: 'tests/...'
          rules: main
        - group: ubuntu-core-18
          backend: google-core
          systems: 'ubuntu-core-18-64'
          tasks: 'tests/...'
          rules: main
        - group: ubuntu-core-20
          backend: google-core
          systems: 'ubuntu-core-20-64'
          tasks: 'tests/...'
          rules: main
        - group: ubuntu-core-22
          backend: google-core
          systems: 'ubuntu-core-22-64'
          tasks: 'tests/...'
          rules: main
        - group: ubuntu-core-24
          backend: google-core
          systems: 'ubuntu-core-24-64'
          tasks: 'tests/...'
          rules: main
        - group: ubuntu-arm64
          backend: google-arm
          systems: 'ubuntu-20.04-arm-64 ubuntu-core-22-arm-64'
          tasks: 'tests/...'
          rules: main
        - group: ubuntu-secboot
          backend: google
          systems: 'ubuntu-secboot-20.04-64'
          tasks: 'tests/...'
          rules: main
        - group: ubuntu-fips
          backend: google-pro
          systems: 'ubuntu-fips-22.04-64'
          tasks: 'tests/fips/...'
          # XXX the fips test suite comes with a separate rules file
          rules: fips
        - group: nested-ubuntu-18.04
          backend: google-nested
          systems: 'ubuntu-18.04-64'
          tasks: 'tests/nested/...'
          rules: nested
        - group: nested-ubuntu-20.04
          backend: google-nested
          systems: 'ubuntu-20.04-64'
          tasks: 'tests/nested/...'
          rules: nested
        - group: nested-ubuntu-22.04
          backend: google-nested
          systems: 'ubuntu-22.04-64'
          tasks: 'tests/nested/...'
          rules: nested
        - group: nested-ubuntu-24.04
          backend: google-nested
          systems: 'ubuntu-24.04-64'
          tasks: 'tests/nested/...'
          rules: nested