Adjust PAM/NSS snprintf overflow checks for increased robustness (#…
#22
| # This workflow will install Python C-extension dependencies, run tests and | |
| # lint with a single version of Python. | |
| # For more information see: | |
| # https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python | |
| name: Python C-Extension Sanity Checks | |
| on: | |
| # Triggers the workflow on push or pull request events but only for this git branch | |
| push: | |
| paths-ignore: | |
| - 'README' | |
| - 'COPYING' | |
| - 'NEWS' | |
| - '*.txt' | |
| - 'doc/**' | |
| - 'doc-src/**' | |
| - 'user-projects/**' | |
| - 'state/**' | |
| - 'certs/**' | |
| - 'MiG-certificates/**' | |
| - 'mig/images/**' | |
| - 'mig/assets/**' | |
| - 'mig/apache/**' | |
| - 'mig/bin/**' | |
| - 'mig/java-bin/**' | |
| - '**/*.py' | |
| - '**/*.js' | |
| branches: | |
| - experimental | |
| - next | |
| pull_request: | |
| types: | |
| - opened | |
| - reopened | |
| - synchronize | |
| - ready_for_review | |
| paths-ignore: | |
| - 'README' | |
| - 'COPYING' | |
| - 'NEWS' | |
| - '*.txt' | |
| - 'doc/**' | |
| - 'doc-src/**' | |
| - 'user-projects/**' | |
| - 'state/**' | |
| - 'certs/**' | |
| - 'MiG-certificates/**' | |
| - 'mig/images/**' | |
| - 'mig/assets/**' | |
| - 'mig/apache/**' | |
| - 'mig/bin/**' | |
| - 'mig/java-bin/**' | |
| - '**/*.py' | |
| - '**/*.js' | |
| branches: | |
| - experimental | |
| - next | |
| # Allows you to run this workflow manually from the Actions tab | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| jobs: | |
| lint-c-ext-python3-latest: | |
| name: Sanity check c-extension module code in latest stable python3 | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Set up latest stable python 3.x | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.x" | |
| - name: Set up git, findutils and make with apt | |
| run: | | |
| sudo apt install -y git findutils make | |
| - name: Install dependencies | |
| run: | | |
| sudo apt install -y libnss3-dev libpam-dev splint | |
| # We may need git installed to get a full repo clone rather than unpacked archive | |
| - name: Check out source repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # This is necessary to get the commits | |
| - name: Lint with splint | |
| run: | | |
| # NOTE: we only run splint error check for changed c files to limit noise | |
| # NOTE: point splint to Ubuntu's custom /usr/include/python3.x for Python.h | |
| echo "Lint changed code files: $(git diff --diff-filter=ACMRTB --name-only HEAD^1 -- | grep -E '\.(c|h)$')" | |
| git diff --diff-filter=ACMRTB --name-only HEAD^1 -- | grep -E '\.(c|h)$' | xargs -r splint +posixlib -D__gnuc_va_list=va_list $(python3-config --includes) | |
| lint-c-ext-python3-ubuntu-lts: | |
| name: Sanity check c-extension module code in latest Ubuntu LTS python3 | |
| if: ${{ false }} # Disabled now that the above job works | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Set up git, findutils and make with apt | |
| run: | | |
| sudo apt install -y git findutils make | |
| - name: Install dependencies | |
| run: | | |
| sudo apt install -y python3-dev libnss3-dev libpam-dev splint | |
| # We may need git installed to get a full repo clone rather than unpacked archive | |
| - name: Check out source repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # This is necessary to get the commits | |
| - name: Lint with splint | |
| run: | | |
| # NOTE: we only run splint error check for changed c files to limit noise | |
| # NOTE: point splint to Ubuntu's custom /usr/include/python3.x for Python.h | |
| echo "Lint changed code files: $(git diff --diff-filter=ACMRTB --name-only HEAD^1 -- | grep -E '\.(c|h)$')" | |
| git diff --diff-filter=ACMRTB --name-only HEAD^1 -- | grep -E '\.(c|h)$' | xargs -r splint +posixlib -D__gnuc_va_list=va_list $(python3-config --includes) | |
| lint-c-ext-python3-rocky9: | |
| name: Sanity check c-extension module code in default python3 on Rocky9 | |
| # TODO: figure out how to get splint installed on rocky where it's not in repos | |
| # - ancient upstream static binary doesn't work ('no such file') | |
| # - installing fedora rpm fails with glibc incompatibility | |
| # - building from git clone fails (autoconf and configure failures) | |
| # TODO: enable once we have figured out how to instal splint on rocky | |
| if: ${{ false }} # Disabled until we figure out how to run splint on rocky | |
| runs-on: ubuntu-latest | |
| container: | |
| image: rockylinux/rockylinux:9 | |
| steps: | |
| - name: Set up git, findutils, make and python3 with dnf and make the latter default | |
| run: | | |
| dnf install -y git findutils make python3 python3-pip python-unversioned-command | |
| - name: Install dependencies | |
| run: | | |
| dnf install -y python3-devel nss-devel pam-devel | |
| wget https://www.splint.org/downloads/binaries/splint-3.1.1.Linux.tgz | |
| tar -xzf splint-3.1.1.Linux.tgz | |
| cp splint-3.1.1/bin/splint /bin/ | |
| chmod 755 /bin/splint | |
| rm -rf splint-3.1.1.Linux.tgz splint-3.1.1 | |
| # We need git installed to get a full repo clone rather than unpacked archive | |
| - name: Check out source repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # This is necessary to get the commits | |
| - name: Lint with splint | |
| run: | | |
| # NOTE: we only run splint error check for changed c files to limit noise | |
| # NOTE: perms are not right inside container so repeat what checkout module does. | |
| # NOTE: include tests here as they should be fully python3 compatible | |
| git config --global --add safe.directory "$PWD" | |
| echo "Lint changed code files: $(git diff --diff-filter=ACMRTB --name-only HEAD^1 -- | grep -E '\.(c|h)$')" | |
| echo "with splint from $(which splint)" | |
| ls -l /bin/splint | |
| git diff --diff-filter=ACMRTB --name-only HEAD^1 -- | grep -E '\.(c|h)$' | xargs -r splint +posixlib -D__gnuc_va_list=va_list |
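Review bot: The Rocky job's `Install dependencies` step (the `wget https://www.splint.org/downloads/binaries/splint-3.1.1.Linux.tgz` line and the `cp splint-3.1.1/bin/splint /bin/` that follows) places a binary fetched from the network straight into `/bin` with no integrity check, and `wget` is not in the preceding `dnf install` list, so unless the image already provides it the step will fail on a missing command before the lint ever runs. If the job is kept for later, add `wget` next to `git findutils make` and verify the archive before extracting it, e.g. `echo "<EXPECTED_SHA256>  splint-3.1.1.Linux.tgz" | sha256sum -c -` (placeholder; record the digest from a copy of the tarball you have inspected). The same supply-chain point applies to `actions/setup-python@v5` and `actions/checkout@v4`, which are pinned to mutable major tags rather than a full commit SHA; `permissions: contents: read` limits what a substituted action could do but does not remove the risk. Separately, both Ubuntu jobs call `sudo apt install -y` with no preceding index refresh, so a stale package list on the runner can fail the job on a mirror change; `sudo apt-get update && sudo apt-get install -y git findutils make` (and likewise for the libnss3-dev/libpam-dev/splint line) is the usual scripted form, `apt-get` being the interface intended for non-interactive use.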