Merge pull request #111 from linagora/machine-accounts #394
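# CI workflow: builds and tests the PAM module on two Ubuntu releases, runs a
# Debug build with sanitizers, produces DEB and RPM packages, lints the shell
# scripts and runs two Docker-based integration suites.
#
# NOTE(review): every `uses:` below references a tag (v3/v4) or a branch
# (master). Those refs are mutable; pinning each action to a full commit SHA
# makes the code that runs in CI immutable and reviewable.
name: CI

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main, desktop-sso ]

# Restrict GITHUB_TOKEN permissions to read-only by default
permissions:
  contents: read

jobs:
  # Release build plus unit tests, on each OS of the matrix.
  build:
    name: Build and Test (${{ matrix.os }})
    runs-on: ${{ matrix.os }}
    permissions:
      contents: read
    strategy:
      matrix:
        os: [ubuntu-22.04, ubuntu-24.04]
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            build-essential \
            cmake \
            libcurl4-openssl-dev \
            libjson-c-dev \
            libpam0g-dev \
            libsodium-dev \
            curl \
            jq

      - name: Configure CMake
        run: cmake -B build -DCMAKE_BUILD_TYPE=Release -DUSE_LIBSODIUM=ON

      - name: Build
        run: cmake --build build --parallel

      - name: Run tests
        run: |
          cd build
          ctest --output-on-failure

      - name: Check PAM module symbols
        run: |
          echo "Checking exported PAM symbols..."
          # Check each entry point on its own: a single alternation grep
          # succeeds as soon as any ONE of the three symbols is present, so a
          # module missing pam_sm_acct_mgmt would still pass.
          symbols="$(nm -D --defined-only build/pam_openbastion.so.*)"
          for sym in pam_sm_authenticate pam_sm_setcred pam_sm_acct_mgmt; do
            if ! printf '%s\n' "$symbols" | grep -w "$sym"; then
              echo "Missing exported PAM symbol: $sym" >&2
              exit 1
            fi
          done
          echo "All required PAM symbols found"

      - name: Verify all script syntax
        run: |
          # bash -n parses each script without executing it.
          for script in scripts/ob-*; do
            echo "Checking syntax: $script"
            bash -n "$script"
          done

      - name: Run script unit tests
        run: |
          for test in tests/test_ob_*.sh; do
            echo "Running: $test"
            bash "$test"
          done

  # Debug build instrumented with AddressSanitizer and UBSan.
  build-debug:
    name: Build Debug with Sanitizers
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            build-essential \
            cmake \
            libcurl4-openssl-dev \
            libjson-c-dev \
            libpam0g-dev \
            libsodium-dev

      - name: Configure CMake with Debug and Sanitizers
        run: |
          cmake -B build \
            -DCMAKE_BUILD_TYPE=Debug \
            -DUSE_LIBSODIUM=ON \
            -DCMAKE_C_FLAGS="-fsanitize=address,undefined -fno-omit-frame-pointer"

      # NOTE(review): UBSan reports are non-fatal by default, so undefined
      # behaviour found here is logged without failing ctest. Adding
      # `UBSAN_OPTIONS: halt_on_error=1:print_stacktrace=1` to `env` (or
      # building with -fno-sanitize-recover=undefined) would make it fail.
      - name: Run tests with sanitizers
        env:
          ASAN_OPTIONS: detect_leaks=1
        run: |
          cd build
          ctest --output-on-failure

  # Builds the .deb with CPack and keeps it as a short-lived artifact.
  package-deb:
    name: Build Debian Package
    runs-on: ubuntu-latest
    needs: build
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            build-essential \
            cmake \
            libcurl4-openssl-dev \
            libjson-c-dev \
            libpam0g-dev \
            libsodium-dev

      - name: Configure and build
        run: |
          cmake -B build -DCMAKE_BUILD_TYPE=Release -DUSE_LIBSODIUM=ON
          cmake --build build --parallel

      - name: Create Debian package
        run: |
          cd build
          cpack -G DEB

      - name: Upload Debian package
        uses: actions/upload-artifact@v4
        with:
          name: debian-package
          path: build/*.deb
          retention-days: 7

  # Builds the RPM inside a Rocky Linux container.
  build-rpm:
    name: Build RPM (Rocky Linux ${{ matrix.version }})
    runs-on: ubuntu-latest
    needs: build
    permissions:
      contents: read
    # NOTE(review): the image is selected by tag only; a tag can be re-pushed,
    # so pinning by digest would fix the exact build environment.
    container: rockylinux:${{ matrix.version }}
    strategy:
      matrix:
        version: [9]
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install dependencies
        run: |
          dnf install -y epel-release dnf-plugins-core
          dnf config-manager --set-enabled crb
          dnf install -y \
            cmake \
            gcc \
            make \
            pam-devel \
            libcurl-devel \
            json-c-devel \
            openssl-devel \
            libsodium-devel \
            rpm-build \
            systemd-rpm-macros

      - name: Build RPM
        run: |
          # The version is read from the project() line of CMakeLists.txt and
          # used both for the tarball name and its top-level directory.
          VERSION=$(grep -oP 'project\(open-bastion VERSION \K[0-9.]+' CMakeLists.txt)
          mkdir -p ~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
          tar czf ~/rpmbuild/SOURCES/open-bastion-${VERSION}.tar.gz \
            --transform "s,^,open-bastion-${VERSION}/," \
            --exclude='.git' .
          rpmbuild -ba rpm/open-bastion.spec

      - name: Upload RPM package
        uses: actions/upload-artifact@v4
        with:
          name: rpm-package-el${{ matrix.version }}
          path: ~/rpmbuild/RPMS/*/*.rpm
          retention-days: 7

  # Static analysis of the shell scripts under ./scripts.
  shellcheck:
    name: ShellCheck
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # NOTE(review): `@master` is a branch ref, so whatever is pushed to that
      # branch runs here on the next build. Pin to a full commit SHA
      # (placeholder: <REVIEWED_COMMIT_SHA>) after reviewing that revision.
      - name: Run ShellCheck
        uses: ludeeus/action-shellcheck@master
        with:
          scandir: './scripts'
          severity: warning

  # Docker-based integration suite (compose project in docker-demo-cert).
  integration-test:
    name: Integration Tests (Docker)
    runs-on: ubuntu-latest
    needs: build
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # NOTE(review): this installs whatever the default branch of
      # simple-oidc-client holds at build time, as root, into /usr/local/bin,
      # with no revision pin or checksum. Fetching and checking out a reviewed
      # commit (placeholder: <REVIEWED_COMMIT_SHA>) would keep the test
      # toolchain from changing silently.
      - name: Install llng CLI
        run: |
          # Install simple-oidc-client (llng CLI)
          git clone --depth 1 https://github.com/linagora/simple-oidc-client.git /tmp/simple-oidc-client
          sudo cp /tmp/simple-oidc-client/sh/llng /usr/local/bin/
          sudo cp /tmp/simple-oidc-client/sh/llng-lib.sh /usr/local/bin/
          sudo chmod +x /usr/local/bin/llng

      - name: Install test dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y jq curl openssh-client

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Run integration tests
        run: |
          chmod +x tests/test_integration_docker.sh
          ./tests/test_integration_docker.sh --verbose
        timeout-minutes: 15

      - name: Show container logs on failure
        if: failure()
        run: |
          cd docker-demo-cert
          # Best effort: log collection must not mask the original failure.
          docker compose logs || true

  # Docker-based integration suite for Mode E (compose project in
  # docker-demo-maxsec).
  integration-test-maxsec:
    name: Integration Tests - Mode E (Docker)
    runs-on: ubuntu-latest
    needs: build
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # NOTE(review): same unpinned clone-and-install as in the
      # integration-test job; pin it to a reviewed commit
      # (placeholder: <REVIEWED_COMMIT_SHA>).
      - name: Install llng CLI
        run: |
          git clone --depth 1 https://github.com/linagora/simple-oidc-client.git /tmp/simple-oidc-client
          sudo cp /tmp/simple-oidc-client/sh/llng /usr/local/bin/
          sudo cp /tmp/simple-oidc-client/sh/llng-lib.sh /usr/local/bin/
          sudo chmod +x /usr/local/bin/llng

      - name: Install test dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y jq curl openssh-client

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Run Mode E integration tests
        run: |
          chmod +x tests/test_integration_maxsec.sh
          ./tests/test_integration_maxsec.sh --verbose
        timeout-minutes: 15

      - name: Show container logs on failure
        if: failure()
        run: |
          cd docker-demo-maxsec
          # Best effort: log collection must not mask the original failure.
          docker compose logs || true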