From 035dcde9bad1f6b2bcbdb94d408b2704738e6b64 Mon Sep 17 00:00:00 2001
From: Abhinav Agarwal
Date: Mon, 18 May 2026 21:04:29 -0700
Subject: [PATCH] ci: harden workflow with SHA pins, permissions, timeouts, and dependabot

- Pin all actions to Node 24-capable full SHAs (checkout v6.0.2, setup-python v6.2.0, upload-artifact v7.0.1)
- Add least-privilege permissions (contents: read) and concurrency cancellation
- Pin python-version to 3.12, pin runner to ubuntu-24.04
- Add pytest --timeout=300, --maxfail=99 (overrides pytest.ini -x), JUnit XML output
- Add explicit SSH setup with sshd start and connectivity preflight
- Hard-fail FUSE preflight (job stops if /dev/fuse or fusermount3 missing)
- Upload test results and meson logs as artifacts
- Add dependabot config for weekly action version updates
---
.github/dependabot.yml | 10 ++++++
.github/workflows/build-ubuntu.yml | 58 +++++++++++++++++++++++-------
2 files changed, 55 insertions(+), 13 deletions(-)
create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..6c5049e2
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,10 @@
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: weekly
+ groups:
+ github-actions:
+ patterns:
+ - "*"
diff --git a/.github/workflows/build-ubuntu.yml b/.github/workflows/build-ubuntu.yml
index a6eb30df..970d17d0 100644
--- a/.github/workflows/build-ubuntu.yml
+++ b/.github/workflows/build-ubuntu.yml
@@ -7,45 +7,77 @@ on:
 workflow_dispatch: # this is a nice option that will enable a button w/ inputs
 inputs:
 git-ref:
- description: Git Ref (Optional)
+ description: Git Ref (Optional)
 required: false
+
+permissions:
+ contents: read
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
 jobs:
 build-and-test:
 name: Build and test
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
+ timeout-minutes: 30
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- - uses: actions/setup-python@v4
+ - name: Set up Python
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+ with:
+ python-version: '3.12'
 - name: Install build dependencies
 run: |
 sudo apt-get update
- sudo apt-get install valgrind gcc ninja-build meson libglib2.0-dev libfuse3-dev
+ sudo apt-get install -y valgrind gcc ninja-build libglib2.0-dev libfuse3-dev openssh-server openssh-client fuse3
+
+ - name: Check FUSE availability
+ run: |
+ test -e /dev/fuse
+ command -v fusermount3
 - name: Install meson
- run: pip3 install meson pytest
+ run: pip3 install meson pytest pytest-timeout
 - name: build
 run: |
- mkdir build; cd build
- meson ..
- ninja
+ meson setup build
+ ninja -C build # cd does not persist across steps
 - name: upload build artifact
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: sshfs
 path: build/sshfs
+ if-no-files-found: ignore
- - name: make ssh into localhost without prompt possible for tests
+ - name: Setup SSH
 run: |
- ssh-keygen -b 2048 -t rsa -f ~/.ssh/id_rsa -q -N ""
+ mkdir -p ~/.ssh
+ chmod 700 ~/.ssh
+ ssh-keygen -b 2048 -t rsa -f ~/.ssh/id_rsa -q -N ""
 cat ~/.ssh/id_rsa.pub > ~/.ssh/authorized_keys
+ chmod 600 ~/.ssh/authorized_keys
+ sudo systemctl start ssh || sudo service ssh start
+ ssh -o StrictHostKeyChecking=no -o BatchMode=yes localhost true
 - name: run tests
 run: |
 cd build
- python3 -m pytest test/
+ python3 -m pytest test/ --timeout=300 --junitxml=test-results.xml --maxfail=99
+ timeout-minutes: 20
+
+ - name: upload test results
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+ if: always()
+ with:
+ name: test-results
+ path: |
+ build/test-results.xml
+ build/meson-logs/
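Review bot: The `Install meson` step still installs `meson`, `pytest` and `pytest-timeout` from PyPI without version pins, so the hardening is inconsistent: every action is now SHA-pinned while the build toolchain floats to whatever PyPI serves at run time; pin them, e.g. `run: pip3 install meson==<pinned-version> pytest==<pinned-version> pytest-timeout==<pinned-version>` (placeholders for the versions the project tests against), with a hash-checked requirements file as the next step. The `if-no-files-found: ignore` added to the build-artifact upload silently hides the case where `ninja -C build` succeeds but `build/sshfs` is not at the expected path; since the binary is the point of that step, `if-no-files-found: error` is the safer setting. In the new `Setup SSH` step, `-o StrictHostKeyChecking=no` accepts any host key on the first and every later connection, whereas `-o StrictHostKeyChecking=accept-new` gives the same no-prompt behaviour on the fresh runner while still recording and verifying the key, i.e. `ssh -o StrictHostKeyChecking=accept-new -o BatchMode=yes localhost true`. The `on:` trigger block this hunk starts inside begins above the hunk.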