landlock 0.4.4

name: Rust checks

permissions: {}

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

env:
  CARGO_TERM_COLOR: always
  RUSTDOCFLAGS: -D warnings
  RUSTFLAGS: -D warnings
  LANDLOCK_TEST_TOOLS_COMMIT: fad769c39b42183fb2a2e1263fe00dfa5b9f2bda

# Ubuntu versions: https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners#supported-runners-and-hardware-resources

jobs:
  commit_list:
    runs-on: ubuntu-24.04
    steps:

    - uses: actions/checkout@v4
      with:
        fetch-depth: 0

    - name: Get commit list (push)
      id: get_commit_list_push
      if: ${{ github.event_name == 'push' }}
      run: |
        echo "id0=$GITHUB_SHA" > $GITHUB_OUTPUT
        echo "List of tested commits:" > $GITHUB_STEP_SUMMARY
        sed -n 's,^id[0-9]\+=\(.*\),- https://github.com/landlock-lsm/rust-landlock/commit/\1,p' -- $GITHUB_OUTPUT >> $GITHUB_STEP_SUMMARY

    - name: Get commit list (PR)
      id: get_commit_list_pr
      if: ${{ github.event_name == 'pull_request' }}
      run: |
        git rev-list --reverse refs/remotes/origin/${{ github.base_ref }}..${{ github.event.pull_request.head.sha }} | awk '{ print "id" NR "=" $1 }' > $GITHUB_OUTPUT
        git diff --quiet ${{ github.event.pull_request.head.sha }} ${{ github.sha }} || echo "id0=$GITHUB_SHA" >> $GITHUB_OUTPUT
        echo "List of tested commits:" > $GITHUB_STEP_SUMMARY
        sed -n 's,^id[0-9]\+=\(.*\),- https://github.com/landlock-lsm/rust-landlock/commit/\1,p' -- $GITHUB_OUTPUT >> $GITHUB_STEP_SUMMARY

    outputs:
      commits: ${{ toJSON(steps.*.outputs.*) }}

  kernel_list:
    runs-on: ubuntu-24.04
    outputs:
      kernels: ${{ toJSON(steps.id.outputs.*) }}
    steps:

    - name: Identify latest Linux versions
      id: id
      run: |
        echo "List of tested kernels:" > $GITHUB_STEP_SUMMARY
        abi=0
        for version in 5.10 5.15 6.1 6.4 6.7 6.10 6.12; do
          commit="$(git ls-remote https://github.com/landlock-lsm/linux refs/heads/linux-${version}.y | awk 'NR == 1 { print $1 }')"
          if [[ -z "${commit}" ]]; then
            echo "ERROR: Failed to fetch Linux ${version}" >&2
            exit 1
          fi
          echo "kernel_${abi}={ \"version\":\"${version}\",  \"abi\":\"${abi}\",  \"commit\":\"${commit}\" }" >> $GITHUB_OUTPUT
          echo "- Linux ${version}.y with Landlock ABI ${abi}: https://github.com/landlock-lsm/linux/commit/${commit}" >> $GITHUB_STEP_SUMMARY
          let abi++ || :
        done

  get_kernels:
    runs-on: ubuntu-24.04
    needs: kernel_list
    strategy:
      fail-fast: false
      matrix:
        kernel: ${{ fromJSON(needs.kernel_list.outputs.kernels) }}
    steps:

    - name: Cache Linux ${{ fromJSON(matrix.kernel).version}}.y
      id: cache_linux
      uses: actions/cache@v4
      with:
        path: linux-${{ fromJSON(matrix.kernel).version }}
        key: linux-${{ fromJSON(matrix.kernel).commit }}-${{ env.LANDLOCK_TEST_TOOLS_COMMIT }}

    - name: Clone Landlock test tools
      if: steps.cache_linux.outputs.cache-hit != 'true'
      uses: actions/checkout@v4
      with:
        repository: landlock-lsm/landlock-test-tools
        ref: ${{ env.LANDLOCK_TEST_TOOLS_COMMIT }}
        path: landlock-test-tools

    - name: Clone Linux ${{ fromJSON(matrix.kernel).version}}.y
      if: steps.cache_linux.outputs.cache-hit != 'true'
      uses: actions/checkout@v4
      with:
        repository: landlock-lsm/linux
        ref: ${{ fromJSON(matrix.kernel).commit }}
        path: linux

    - name: Build Linux ${{ fromJSON(matrix.kernel).version}}.y
      if: steps.cache_linux.outputs.cache-hit != 'true'
      working-directory: linux
      run: |
        O=. ../landlock-test-tools/check-linux.sh build_light
        mv linux ../linux-${{ fromJSON(matrix.kernel).version}}

  ubuntu_24_rust_msrv:
    runs-on: ubuntu-24.04
    needs: commit_list
    strategy:
      fail-fast: false
      matrix:
        commit: ${{ fromJSON(needs.commit_list.outputs.commits) }}
    env:
      LANDLOCK_CRATE_TEST_ABI: 5
    steps:

    - uses: actions/checkout@v4
      with:
        ref: ${{ matrix.commit }}

    - name: Clone Landlock test tools
      uses: actions/checkout@v4
      with:
        repository: landlock-lsm/landlock-test-tools
        ref: ${{ env.LANDLOCK_TEST_TOOLS_COMMIT }}
        path: landlock-test-tools

    - name: Get MSRV
      run: sed -n 's/^rust-version = "\([0-9.]\+\)"$/RUST_TOOLCHAIN=\1/p' Cargo.toml >> $GITHUB_ENV

    - name: Install 32-bit development libraries
      run: |
        sudo apt update
        sudo apt install gcc-multilib libc6-dev-i386

    - name: Install Rust MSRV
      run: |
        rm ~/.cargo/bin/{cargo-fmt,rustfmt} || :
        rustup self update
        rustup default ${{ env.RUST_TOOLCHAIN }}
        rustup update ${{ env.RUST_TOOLCHAIN }}
        rustup target add i686-unknown-linux-gnu
        rustup target add x86_64-unknown-linux-gnu

    - name: Build (x86_64)
      run: rustup run ${{ env.RUST_TOOLCHAIN }} cargo build --target x86_64-unknown-linux-gnu --verbose

    - name: Build (x86)
      run: rustup run ${{ env.RUST_TOOLCHAIN }} cargo build --target i686-unknown-linux-gnu --verbose

    - name: Run tests against the local kernel (Landlock ABI ${{ env.LANDLOCK_CRATE_TEST_ABI }} on x86_64)
      run: rustup run ${{ env.RUST_TOOLCHAIN }} cargo test --target x86_64-unknown-linux-gnu --verbose

    - name: Run tests against the local kernel (Landlock ABI ${{ env.LANDLOCK_CRATE_TEST_ABI }} on x86)
      run: rustup run ${{ env.RUST_TOOLCHAIN }} cargo test --target i686-unknown-linux-gnu --verbose

    - name: Run tests against Linux 6.1
      run: CARGO="rustup run ${{ env.RUST_TOOLCHAIN }} cargo" ./landlock-test-tools/test-rust.sh linux-6.1 2

  ubuntu_22_rust_stable:
    runs-on: ubuntu-22.04
    needs: commit_list
    strategy:
      fail-fast: false
      matrix:
        commit: ${{ fromJSON(needs.commit_list.outputs.commits) }}
    env:
      LANDLOCK_CRATE_TEST_ABI: 4
    steps:

    - name: Install Rust stable
      run: |
        rm ~/.cargo/bin/{cargo-fmt,rustfmt} || :
        rustup self update
        rustup default stable
        rustup component add rustfmt clippy
        rustup update

    - uses: actions/checkout@v4
      with:
        ref: ${{ matrix.commit }}

    - name: Build
      run: rustup run stable cargo build --verbose

    - name: Run tests against the local kernel (Landlock ABI ${{ env.LANDLOCK_CRATE_TEST_ABI }})
      run: rustup run stable cargo test --verbose

    - name: Check format
      run: rustup run stable cargo fmt --all -- --check

    - name: Check source with Clippy
      run: rustup run stable cargo clippy -- --deny warnings

    - name: Check tests with Clippy
      run: rustup run stable cargo clippy --tests -- --deny warnings

    - name: Check documentation
      run: rustup run stable cargo doc --no-deps

  ubuntu_24_rust_stable:
    runs-on: ubuntu-24.04
    needs: [commit_list, kernel_list, get_kernels]
    strategy:
      fail-fast: false
      matrix:
        commit: ${{ fromJSON(needs.commit_list.outputs.commits) }}
        kernel: ${{ fromJSON(needs.kernel_list.outputs.kernels) }}
    env:
      LANDLOCK_CRATE_TEST_ABI: 4
      # $CARGO is used by landlock-test-tools/test-rust.sh
      CARGO: rustup run stable cargo
    steps:

    - name: Install Rust stable
      run: |
        rm ~/.cargo/bin/{cargo-fmt,rustfmt} || :
        rustup self update
        rustup default stable
        rustup update

    - name: Clone Landlock test tools
      uses: actions/checkout@v4
      with:
        repository: landlock-lsm/landlock-test-tools
        ref: ${{ env.LANDLOCK_TEST_TOOLS_COMMIT }}
        path: landlock-test-tools

    - name: Clone rust-landlock
      uses: actions/checkout@v4
      with:
        ref: ${{ matrix.commit }}
        path: rust-landlock

    - name: Get Linux ${{ fromJSON(matrix.kernel).version}}.y
      uses: actions/cache/restore@v4
      with:
        path: linux-${{ fromJSON(matrix.kernel).version }}
        key: linux-${{ fromJSON(matrix.kernel).commit }}-${{ env.LANDLOCK_TEST_TOOLS_COMMIT }}
        fail-on-cache-miss: true

    - name: Run tests against Linux ${{ fromJSON(matrix.kernel).version }}.y
      working-directory: rust-landlock
      run: ../landlock-test-tools/test-rust.sh ../linux-${{ fromJSON(matrix.kernel).version }} ${{ fromJSON(matrix.kernel).abi }}