ci: Enable fsverity on / in GHA runner

This is just cleaner than dealing with loopback.

Signed-off-by: Colin Walters <[email protected]>

.github/workflows/test.yaml

@@ -156,6 +156,8 @@ jobs:
       - run: sudo apt-get update -y
       - name: Install erofs kmod
         run: sudo apt install linux-modules-extra-$(uname -r)
+      - name: Enable verity
+        run: sudo tune2fs -O verity $(findmnt -vno SOURCE /)
       - name: Install dependencies
         run: sudo apt install libasan6 libubsan1 fsverity
       - name: Checkout repository
@@ -166,9 +168,7 @@ jobs:
           name: composefs.tar
       - run: sudo tar -C / -xvf composefs.tar
       - name: Integration tests
-        run: sudo ./tests/integration.sh
-      - name: Integration tests (fsverity required)
-        run: sudo env WITH_TEMP_VERITY=1 unshare -m ./tests/integration.sh
+        run: sudo env CI_VERITY_REQUIRED=1 ./tests/integration.sh
   rust:
     needs: build-noasan
     runs-on: ubuntu-latest

tests/integration.sh

@@ -4,18 +4,6 @@
 # the output of ls -lR (without hardlink counts).
 set -xeuo pipefail
 
-# Set to setup an explicit temporary ext4 loopback mounted fs with fsverity
-WITH_TEMP_VERITY=${WITH_TEMP_VERITY:-}
-if test -n "${WITH_TEMP_VERITY}"; then
-    tmpdisk=$(mktemp -p /var/tmp)
-    truncate -s 100G ${tmpdisk}
-    mkfs.ext4 -O verity ${tmpdisk}
-    tmp_mnt=$(mktemp -d)
-    mount -o loop ${tmpdisk} ${tmp_mnt}
-    rm -f ${tmpdisk}
-    cfsroot=${tmp_mnt}
-fi
-
 orig=$(pwd)
 cfsroot=${cfsroot:-/composefs}
 rm ${cfsroot}/tmp -rf
@@ -68,7 +56,7 @@ echo "fsverity test" > ${cfsroot}/test-fsverity
 if fsverity enable ${cfsroot}/test-fsverity; then
     echo "fsverity is supported"
 else
-    if test -n "${WITH_TEMP_VERITY}"; then
+    if test -n "${CI_VERITY_REQUIRED}"; then
         echo "fsverity unsupported, but is required" 1>&2
         exit 1
     fi