install: tpm2-luks: Do not bind to any PCRs with cryptenroll #66
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
permissions: | |
actions: read | |
on: | |
push: | |
branches: [main] | |
pull_request: | |
branches: [main] | |
workflow_dispatch: {} | |
env: | |
CARGO_TERM_COLOR: always | |
jobs: | |
tests: | |
runs-on: ubuntu-latest | |
container: quay.io/coreos-assembler/fcos-buildroot:testing-devel | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Install deps | |
run: ./ci/installdeps.sh | |
- name: Mark git checkout as safe | |
run: git config --global --add safe.directory "$GITHUB_WORKSPACE" | |
# xref containers/containers-image-proxy-rs | |
- name: Cache Dependencies | |
uses: Swatinem/rust-cache@v2 | |
with: | |
key: "tests" | |
- name: cargo fmt (check) | |
run: cargo fmt -- --check -l | |
- name: Build | |
run: cargo test --no-run | |
- name: Build lib without default features | |
run: cd lib && cargo check --no-default-features | |
- name: Individual checks | |
run: (cd cli && cargo check) && (cd lib && cargo check) | |
- name: Lints | |
run: cargo xtask custom-lints | |
- name: Run tests | |
run: cargo test -- --nocapture --quiet | |
- name: Manpage generation | |
run: mkdir -p target/man && cargo run --features=docgen -- man --directory target/man | |
- name: Clippy (gate on correctness and suspicous) | |
run: cargo clippy -- -D clippy::correctness -D clippy::suspicious | |
build-fedora: | |
runs-on: ubuntu-latest | |
container: quay.io/coreos-assembler/fcos-buildroot:testing-devel | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Install deps | |
run: ./ci/installdeps.sh | |
- name: Cache Dependencies | |
uses: Swatinem/rust-cache@v2 | |
with: | |
key: "build" | |
- name: Build | |
run: make test-bin-archive | |
- name: Upload binary | |
uses: actions/upload-artifact@v4 | |
with: | |
name: bootc.tar.zst | |
path: target/bootc.tar.zst | |
build-c9s: | |
runs-on: ubuntu-latest | |
container: quay.io/centos/centos:stream9 | |
steps: | |
- run: dnf -y install git-core | |
- uses: actions/checkout@v4 | |
- name: Install deps | |
run: ./ci/installdeps.sh | |
- name: Cache Dependencies | |
uses: Swatinem/rust-cache@v2 | |
with: | |
key: "build-c9s" | |
- name: Build | |
run: make test-bin-archive | |
- name: Upload binary | |
uses: actions/upload-artifact@v4 | |
with: | |
name: bootc-c9s.tar.zst | |
path: target/bootc.tar.zst | |
cargo-deny: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: EmbarkStudios/cargo-deny-action@v1 | |
with: | |
log-level: warn | |
command: check bans sources licenses | |
privtest: | |
name: "Privileged testing" | |
needs: build-fedora | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Download | |
uses: actions/download-artifact@v4 | |
with: | |
name: bootc.tar.zst | |
- name: Install | |
run: sudo tar -C / -xvf bootc.tar.zst | |
- name: Integration tests | |
run: sudo podman run --rm -ti --privileged -v /run/systemd:/run/systemd -v /:/run/host -v /usr/bin/bootc:/usr/bin/bootc --pid=host quay.io/fedora/fedora-coreos:testing-devel bootc internal-tests run-privileged-integration | |
container-tests: | |
name: "Container testing" | |
needs: build-fedora | |
runs-on: ubuntu-latest | |
container: quay.io/centos-bootc/fedora-bootc:eln-1708320930 | |
steps: | |
- name: Download | |
uses: actions/download-artifact@v4 | |
with: | |
name: bootc.tar.zst | |
- name: Install | |
run: sudo tar -C / -xvf bootc.tar.zst | |
- name: Integration tests | |
run: bootc internal-tests run-container-integration | |
privtest-alongside: | |
name: "Test install-alongside" | |
needs: [build-c9s] | |
runs-on: ubuntu-latest | |
steps: | |
- name: Ensure host skopeo is disabled | |
run: sudo rm -f /bin/skopeo /usr/bin/skopeo | |
- name: Download | |
uses: actions/download-artifact@v4 | |
with: | |
name: bootc-c9s.tar.zst | |
- name: Install | |
run: tar -xvf bootc.tar.zst | |
- name: Integration tests | |
run: | | |
set -xeuo pipefail | |
image=quay.io/centos-bootc/centos-bootc-dev:stream9 | |
echo 'ssh-ed25519 ABC0123 [email protected]' > test_authorized_keys | |
sudo podman run --rm -ti --privileged -v ./test_authorized_keys:/test_authorized_keys --env RUST_LOG=debug -v /:/target -v /var/lib/containers:/var/lib/containers -v ./usr/bin/bootc:/usr/bin/bootc --pid=host --security-opt label=disable \ | |
${image} bootc install to-filesystem \ | |
--karg=foo=bar --disable-selinux --replace=alongside --root-ssh-authorized-keys=/test_authorized_keys /target | |
ls -al /boot/loader/ | |
sudo grep foo=bar /boot/loader/entries/*.conf | |
grep authorized_keys /ostree/deploy/default/deploy/*/etc/tmpfiles.d/bootc-root-ssh.conf | |
# TODO fix https://github.com/containers/bootc/pull/137 | |
sudo chattr -i /ostree/deploy/default/deploy/* | |
sudo rm /ostree/deploy/default -rf | |
sudo podman run --rm -ti --privileged --env RUST_LOG=debug -v /:/target -v /var/lib/containers:/var/lib/containers -v ./usr/bin/bootc:/usr/bin/bootc --pid=host --security-opt label=disable \ | |
${image} bootc install to-existing-root | |
sudo podman run --rm -ti --privileged -v /:/target -v ./usr/bin/bootc:/usr/bin/bootc --pid=host --security-opt label=disable ${image} bootc internal-tests verify-selinux /target/ostree --warn |