GitHub actions starter

[tqre]

I have created a simple GitHub Actions workflow that builds the packages with docker using the Dockerfile we have. After the workflow has been completed, the build artifacts (*.pkg.tar.zst) are available for downloading as a one big zip file via the Actions tab and the relevant workflow run.

Ideas/features/issues:

• The workflow triggers when push is made to the workflow file itself, any PKGBUILD file, Dockerfile, or the scripts used in Dockerfile.
• workflow_dispatch enables manual triggering of the workflow.
• Artifact download link works only for users that are logged in.
• The workflow takes about 40 minutes to run. Maybe make workflows for individual packages?
• Further handling of artifacts into GitHub's releases / packages?

Example workflow run with artifact download link: https://github.com/tqre/selinux/actions/runs/408409124

[tqre]

Current working status: https://github.com/tqre/selinux/actions/runs/435154042

[tqre]

Got automatic releases working too now. Latest results are here: https://github.com/tqre/selinux/releases/tag/ArchLinux-SELinux https://github.com/tqre/selinux/actions/runs/436691616

Some more ideas to consider:

• Make an actual pacman repo out of the releases page?
• restorecon -command gives a ton of output, maybe a separate job for that
• More test commands to QEMU VM: Install a package? Other SELinux related commands: setsebool etc.

[fishilico]

This looks great! Some comments:

• The main.yml uses secrets.GITHUB_TOKEN in order to create releases. Does this require some configuration in the repository, or does the GITHUB_TOKEN hold enough privileges to delete/add releases to the GitHub project?
• When inspecting the .BUILDINFO of the build packages, I see packager = Unknown Packager. It would probably make sense to add a reference to GitHub Actions (or to the repository) there.
• It took 44 minutes to build all packages, in sequence. To be faster, it might be possible to parallelize some builds, using workflow dependencies and artifacts to grab the already-built packages to build new ones... Doing so is quite complex and work could be done in this regards after this first PR is merged.
• For "restorecon -command gives a ton of output, maybe a separate job for that", you can also drop the -v in ssh ... 'restorecon -Rv /.
• It is great to be able to run a QEMU VM, despite hardware acceleration not being available for virtualization (this what qemu-system-x86_64: warning: TCG doesn't support requested feature: CPUID.01H:ECX.vmx [bit 5] means, and the lack of "nested virtualization" was reported to GitHub in https://github.com/actions/virtual-environments/issues/183).

• For some ideas of basic tests that could be added in the VM:

  • toggle some booleans, such as semanage boolean --modify --on user_ping and global_ssp and check their result in getsebool
  • check the label of some files, with matchpathcon /etc/shadow and ls -Z /etc/shadow
  • check that sesearch works, with commands such as sesearch -A -s dmesg_t -t kmsg_device_t -c chr_file -p read (which should return a line meaning that dmesg can read /dev/kmsg: allow dmesg_t kmsg_device_t:chr_file { getattr ioctl lock open read };)

Such tests could be implemented in a shell script which is copied in the VM and executed from there.

Anyway, your Pull Request looks fine as it is. I suggest merging it as-is, so that we can both work on improving it. What do you think? Is this PR ready for merge?

By the way, "Make an actual pacman repo out of the releases page?" would be really great :)

[fishilico]

While testing the action on my repository, I got an error in https://github.com/fishilico/arch-selinux/runs/1610918585?check_suite_focus=true#step:4:11 :

Run qemu-img create -f raw archlinux.raw 8G
/home/runner/work/_temp/f8db4ff7-eb35-417d-b538-ec3b8269f24a.sh: line 1: qemu-img: command not found
Error: Process completed with exit code 127.

I guess this is due to the fact that new repositories use Ubuntu 20.04 runners for when the GH Actions configuration states ubuntu-latest (you are using Ubuntu 18.04 runners in your repository). I guess you need to install qemu-utils too.

[tqre]

Thanks for the comments and good suggestions. Yesterday GH Actions was still using Ubuntu 18.04. Apparently 'soon' is today, so installing qemu-utils is needed from today on. I'll test and fix it.

No additional configurations are needed regarding to secrets.GITHUB_TOKEN, writing rights to the repository are enough.

I wanted to have the -v tag with restorecon to see it work as it generates no output otherwise. I guess the main idea is to have a concise output that the tests and commands work, and having the whole filesystem listed is not the most compact of a solution.

[tqre]

It looks like my GH Actions workflows still take 18.04 when using the latest -tag. Looking at the workflow you linked, the install command doesn't actually install anything. I tried to make it work with 20.04, but I get the same error even after updating and upgrading the runner fully.

The quick solution is to run the workflow on 18.04, as it looks like 20.04 is not yet fully implemented. https://github.com/actions/virtual-environments/issues/1816

[tqre]

I managed to double the commits when merging master into this branch as my workflow is a bit messy I guess. I forgot I had most of the commits already on my fork's master branch for testing the master branch triggers for GH Actions...

You can probably cherry pick the commits avoiding doubles to keep the repo history clean...

EDIT: found a way, still learning to do with git it seems :)

[fishilico]

Thanks for cleaning up your git history! In the mean time I tested it and it ran nicely (using Ubuntu 18.04 runners). So I merged this PR, in order to have a "minimum viable product" live :)