-
Notifications
You must be signed in to change notification settings - Fork 274
133 lines (113 loc) · 3.88 KB
/
integration-tests.yml
File metadata and controls
133 lines (113 loc) · 3.88 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
name: Tests
on:
push:
branches: ['main']
pull_request:
branches: ['**']
jobs:
integration-tests:
name: Tests (${{ matrix.os }} / ${{ matrix.arch }})
runs-on: ${{ matrix.runner }}
strategy:
fail-fast: false
matrix:
include:
- arch: x86-64
runner: ubuntu-latest
os: linux
- arch: arm64
runner: ubuntu-24.04-arm
os: linux
- arch: x86-64
runner: macos-15-large
os: macos
- arch: arm64
runner: macos-14
os: macos
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '18'
- name: Setup Bun
uses: oven-sh/setup-bun@v2
with:
bun-version: 1.3.1
- name: Install system dependencies (Linux)
if: matrix.os == 'linux'
run: |
sudo apt-get update
sudo apt-get install -y bubblewrap libseccomp-dev gcc socat ripgrep apparmor-profiles zsh
- name: Enable unprivileged user namespaces (Linux)
if: matrix.os == 'linux'
run: |
# Ubuntu 24.04+ sets kernel.apparmor_restrict_unprivileged_userns=1 which
# allows unshare(CLONE_NEWUSER) but grants the new namespace zero
# capabilities. Disable it so bwrap and apply-seccomp can nest
# namespaces without needing setuid.
sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 || true
sudo sysctl -w kernel.unprivileged_userns_clone=1 || true
# Verify bwrap can create namespaces
echo "Testing bwrap namespace creation..."
bwrap --ro-bind / / --unshare-net true && echo "✓ bwrap namespace creation works" || echo "✗ bwrap namespace creation still fails"
- name: Install system dependencies (macOS)
if: matrix.os == 'macos'
run: |
brew install ripgrep zsh
- name: Install Node dependencies
run: npm install
- name: Build project
run: npm run build
- name: Run tests
run: npm test
- name: Run Node.js fallback tests
run: node test/utils/which-node-test.mjs
- name: Upload test results
if: always()
uses: actions/upload-artifact@v4
with:
name: test-results-${{ matrix.os }}-${{ matrix.arch }}
path: |
test-results/
*.log
if-no-files-found: ignore
docker-tests:
name: Tests (docker / ${{ matrix.arch }})
runs-on: ${{ matrix.runner }}
strategy:
fail-fast: false
matrix:
include:
- arch: x86-64
runner: ubuntu-latest
- arch: arm64
runner: ubuntu-24.04-arm
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Enable unprivileged user namespaces on host
run: |
sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 || true
sudo sysctl -w kernel.unprivileged_userns_clone=1 || true
- name: Run srt end-to-end in unprivileged container
run: |
docker run --rm \
--security-opt seccomp=unconfined \
--security-opt apparmor=unconfined \
-v "${{ github.workspace }}:/work" \
-w /work \
-e SRT_E2E_DOCKER=1 \
ubuntu:24.04 \
bash -euo pipefail -c '
apt-get update -qq
apt-get install -y -qq bubblewrap socat ripgrep python3 curl ca-certificates unzip
curl -fsSL https://bun.sh/install | bash
export PATH="$HOME/.bun/bin:$PATH"
curl -fsSL https://deb.nodesource.com/setup_18.x | bash -
apt-get install -y -qq nodejs
npm ci
npm run build
bun test test/docker-weak-sandbox.test.ts
'