forked from spack/spack
-
Notifications
You must be signed in to change notification settings - Fork 5
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
bootstrap: clean up CI workflows a bit (spack#30574)
- [x] Add `mkdir -p` and `chmod` to ensure `/home/spack-test` exists and
has correct permissions.
- [x] Remove version comments from dependabot-managed action commits
- [x] Don't duplicate comment describing required fixes for distros with
patched git- Loading branch information
Showing
1 changed file
with
58 additions
and
50 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -29,20 +29,20 @@ jobs: | |
| bzip2 curl file gcc-c++ gcc gcc-gfortran git gnupg2 gzip \ | ||
| make patch unzip which xz python3 python3-devel tree \ | ||
| cmake bison bison-devel libstdc++-static | ||
| - name: Work around CVE-2022-24765 | ||
| - name: Checkout | ||
| uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b | ||
| - name: Setup non-root user | ||
| run: | | ||
| # See: | ||
| # - https://github.blog/2022-04-12-git-security-vulnerability-announced/ | ||
| # - https://github.com/actions/checkout/issues/760 | ||
| # See [1] below | ||
| git config --global --add safe.directory /__w/spack/spack | ||
| - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # @v2 | ||
| - name: Setup repo and non-root user | ||
| useradd spack-test && mkdir -p ~spack-test | ||
| chown -R spack-test . ~spack-test | ||
| - name: Setup repo | ||
| shell: runuser -u spack-test -- bash {0} | ||
| run: | | ||
| git --version | ||
| git fetch --unshallow | ||
| . .github/workflows/setup_git.sh | ||
| useradd spack-test | ||
| chown -R spack-test . | ||
| - name: Bootstrap clingo | ||
| shell: runuser -u spack-test -- bash {0} | ||
| run: | | ||
|
|
@@ -65,22 +65,20 @@ jobs: | |
| bzip2 curl file g++ gcc gfortran git gnupg2 gzip \ | ||
| make patch unzip xz-utils python3 python3-dev tree \ | ||
| cmake bison | ||
| - name: Work around CVE-2022-24765 | ||
| - name: Checkout | ||
| uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b | ||
| - name: Setup non-root user | ||
| run: | | ||
| # Apparently Ubuntu patched git v2.25.1 with a security patch that introduces | ||
| # a breaking behavior. See: | ||
| # - https://github.blog/2022-04-12-git-security-vulnerability-announced/ | ||
| # - https://github.com/actions/checkout/issues/760 | ||
| # - http://changelogs.ubuntu.com/changelogs/pool/main/g/git/git_2.25.1-1ubuntu3.3/changelog | ||
| # See [1] below | ||
| git config --global --add safe.directory /__w/spack/spack | ||
| - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # @v2 | ||
| - name: Setup repo and non-root user | ||
| useradd spack-test && mkdir -p ~spack-test | ||
| chown -R spack-test . ~spack-test | ||
| - name: Setup repo | ||
| shell: runuser -u spack-test -- bash {0} | ||
| run: | | ||
| git --version | ||
| git fetch --unshallow | ||
| . .github/workflows/setup_git.sh | ||
| useradd -m spack-test | ||
| chown -R spack-test . | ||
| - name: Bootstrap clingo | ||
| shell: runuser -u spack-test -- bash {0} | ||
| run: | | ||
|
|
@@ -101,12 +99,13 @@ jobs: | |
| bzip2 curl file gcc-c++ gcc gcc-fortran tar git gpg2 gzip \ | ||
| make patch unzip which xz python3 python3-devel tree \ | ||
| cmake bison | ||
| - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # @v2 | ||
| - name: Setup repo and non-root user | ||
| - name: Checkout | ||
| uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b | ||
| - name: Setup repo | ||
| run: | | ||
| git --version | ||
| # See http://changelogs.ubuntu.com/changelogs/pool/main/g/git/git_2.25.1-1ubuntu3.3/changelog | ||
| # See [1] below | ||
| git config --global --add safe.directory /__w/spack/spack | ||
| git --version | ||
| git fetch --unshallow | ||
| . .github/workflows/setup_git.sh | ||
| - name: Bootstrap clingo | ||
|
|
@@ -123,7 +122,8 @@ jobs: | |
| - name: Install dependencies | ||
| run: | | ||
| brew install cmake [email protected] tree | ||
| - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # @v2 | ||
| - name: Checkout | ||
| uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b | ||
| - name: Bootstrap clingo | ||
| run: | | ||
| source share/spack/setup-env.sh | ||
|
|
@@ -142,8 +142,9 @@ jobs: | |
| - name: Install dependencies | ||
| run: | | ||
| brew install tree | ||
| - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # @v2 | ||
| - uses: actions/setup-python@dc73133d4da04e56a135ae2246682783cc7c7cb6 # @v2 | ||
| - name: Checkout | ||
| uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b | ||
| - uses: actions/setup-python@98f2ad02fd48d057ee3b4d4f66525b231c3e52b6 | ||
| with: | ||
| python-version: ${{ matrix.python-version }} | ||
| - name: Bootstrap clingo | ||
|
|
@@ -159,11 +160,12 @@ jobs: | |
| matrix: | ||
| python-version: ['2.7', '3.5', '3.6', '3.7', '3.8', '3.9'] | ||
| steps: | ||
| - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # @v2 | ||
| - uses: actions/setup-python@dc73133d4da04e56a135ae2246682783cc7c7cb6 # @v2 | ||
| - name: Checkout | ||
| uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b | ||
| - uses: actions/setup-python@98f2ad02fd48d057ee3b4d4f66525b231c3e52b6 | ||
| with: | ||
| python-version: ${{ matrix.python-version }} | ||
| - name: Setup repo and non-root user | ||
| - name: Setup repo | ||
| run: | | ||
| git --version | ||
| git fetch --unshallow | ||
|
|
@@ -187,22 +189,20 @@ jobs: | |
| apt-get install -y \ | ||
| bzip2 curl file g++ gcc patchelf gfortran git gzip \ | ||
| make patch unzip xz-utils python3 python3-dev tree | ||
| - name: Work around CVE-2022-24765 | ||
| - name: Checkout | ||
| uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b | ||
| - name: Setup non-root user | ||
| run: | | ||
| # Apparently Ubuntu patched git v2.25.1 with a security patch that introduces | ||
| # a breaking behavior. See: | ||
| # - https://github.blog/2022-04-12-git-security-vulnerability-announced/ | ||
| # - https://github.com/actions/checkout/issues/760 | ||
| # - http://changelogs.ubuntu.com/changelogs/pool/main/g/git/git_2.25.1-1ubuntu3.3/changelog | ||
| # See [1] below | ||
| git config --global --add safe.directory /__w/spack/spack | ||
| - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 | ||
| - name: Setup repo and non-root user | ||
| useradd spack-test && mkdir -p ~spack-test | ||
| chown -R spack-test . ~spack-test | ||
| - name: Setup repo | ||
| shell: runuser -u spack-test -- bash {0} | ||
| run: | | ||
| git --version | ||
| git fetch --unshallow | ||
| . .github/workflows/setup_git.sh | ||
| useradd -m spack-test | ||
| chown -R spack-test . | ||
| - name: Bootstrap GnuPG | ||
| shell: runuser -u spack-test -- bash {0} | ||
| run: | | ||
|
|
@@ -224,22 +224,20 @@ jobs: | |
| bzip2 curl file g++ gcc patchelf gfortran git gzip \ | ||
| make patch unzip xz-utils python3 python3-dev tree \ | ||
| gawk | ||
| - name: Work around CVE-2022-24765 | ||
| - name: Checkout | ||
| uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b | ||
| - name: Setup non-root user | ||
| run: | | ||
| # Apparently Ubuntu patched git v2.25.1 with a security patch that introduces | ||
| # a breaking behavior. See: | ||
| # - https://github.blog/2022-04-12-git-security-vulnerability-announced/ | ||
| # - https://github.com/actions/checkout/issues/760 | ||
| # - http://changelogs.ubuntu.com/changelogs/pool/main/g/git/git_2.25.1-1ubuntu3.3/changelog | ||
| # See [1] below | ||
| git config --global --add safe.directory /__w/spack/spack | ||
| - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 | ||
| - name: Setup repo and non-root user | ||
| useradd spack-test && mkdir -p ~spack-test | ||
| chown -R spack-test . ~spack-test | ||
| - name: Setup repo | ||
| shell: runuser -u spack-test -- bash {0} | ||
| run: | | ||
| git --version | ||
| git fetch --unshallow | ||
| . .github/workflows/setup_git.sh | ||
| useradd -m spack-test | ||
| chown -R spack-test . | ||
| - name: Bootstrap GnuPG | ||
| shell: runuser -u spack-test -- bash {0} | ||
| run: | | ||
|
|
@@ -257,7 +255,8 @@ jobs: | |
| brew install tree | ||
| # Remove GnuPG since we want to bootstrap it | ||
| sudo rm -rf /usr/local/bin/gpg | ||
| - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 | ||
| - name: Checkout | ||
| uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b | ||
| - name: Bootstrap GnuPG | ||
| run: | | ||
| source share/spack/setup-env.sh | ||
|
|
@@ -273,11 +272,20 @@ jobs: | |
| brew install gawk tree | ||
| # Remove GnuPG since we want to bootstrap it | ||
| sudo rm -rf /usr/local/bin/gpg | ||
| - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 | ||
| - name: Checkout | ||
| uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b | ||
| - name: Bootstrap GnuPG | ||
| run: | | ||
| source share/spack/setup-env.sh | ||
| spack solve zlib | ||
| spack bootstrap untrust github-actions | ||
| spack -d gpg list | ||
| tree ~/.spack/bootstrap/store/ | ||
| # [1] Distros that have patched git to resolve CVE-2022-24765 (e.g. Ubuntu patching v2.25.1) | ||
| # introduce breaking behaviorso we have to set `safe.directory` in gitconfig ourselves. | ||
| # See: | ||
| # - https://github.blog/2022-04-12-git-security-vulnerability-announced/ | ||
| # - https://github.com/actions/checkout/issues/760 | ||
| # - http://changelogs.ubuntu.com/changelogs/pool/main/g/git/git_2.25.1-1ubuntu3.3/changelog | ||