selinux-refpolicy/.github/workflows/build-policy.yml

name: Build refpolicy

on:
  workflow_call:
    inputs:
      version:
        description: "Refpolicy version (a git commit ID, tag, or branch)"
        required: false
        type: string
        default: ""
      path:
        description: "Path to store the refpolicy sources"
        required: false
        type: string
        default: "refpolicy-src"
      python-version:
        description: "Python version to use"
        required: true
        type: string
      artifact-name:
        description: "Artifact name to use; suffixed with policy build options (distro, mls/mcs, etc.)"
        required: false
        type: string
        default: "refpolicy"

jobs:
  build:
    runs-on: ubuntu-22.04

    strategy:
      matrix:
        # matrix updates must also be duplicated to validate-policy.yml and diff-policy.yml
        distro: ["redhat", "debian", "gentoo"]
        type: ["standard", "mcs", "mls"]
        monolithic: ["y", "n"]
        systemd: ["y", "n"]
        direct_initrc: ["y", "n"]
        apps-off: ["unconfined", ""]
        exclude:
          - { distro: "redhat", systemd: "n" }
          - { distro: "redhat", direct_initrc: "y" }
          - { distro: "debian", systemd: "n" }
          - { distro: "debian", direct_initrc: "y" }
          - { type: "mls", apps-off: "" }
          - { systemd: "y", direct_initrc: "y" }

    steps:
    - name: Checkout refpolicy sources
      uses: actions/checkout@v4
      with:
        ref: "${{ inputs.version }}"
        path: "${{ inputs.path }}"

    - name: Download userspace binary artifact
      uses: actions/download-artifact@v4
      id: dl-userspace
      with:
        name: selinux-bin

      # actions/upload-artifact does not preserve permissions.
    - name: Fix userspace file permissions
      shell: bash
      working-directory: "${{ steps.dl-userspace.outputs.download-path }}"
      run: chmod +x usr/bin/* lib/*.so* usr/lib/*.so* usr/libexec/selinux/hll/pp sbin/* usr/sbin/*

    # This should be the minimum required Python version to build refpolicy.
    # or the standard Python version on Ubuntu.
    - name: Set up Python
      uses: actions/setup-python@v5
      with:
        python-version: "${{ inputs.python-version }}"

    - name: Configure environment
      shell: bash
      run: |
        echo "DESTDIR=/tmp/refpolicy" >> $GITHUB_ENV
        echo "PYTHON=python${{ inputs.python-version }}" >> $GITHUB_ENV
        echo "TYPE=${{ matrix.type }}" >> $GITHUB_ENV
        echo "DISTRO=${{ matrix.distro }}" >> $GITHUB_ENV
        echo "MONOLITHIC=${{ matrix.monolithic }}" >> $GITHUB_ENV
        echo "SYSTEMD=${{ matrix.systemd }}" >> $GITHUB_ENV
        echo "APPS_OFF=${{ matrix.apps-off }}" >> $GITHUB_ENV
        echo "DIRECT_INITRC=${{ matrix.direct_initrc }}" >> $GITHUB_ENV
        echo "WERROR=y" >> $GITHUB_ENV
        echo "TEST_TOOLCHAIN=\"${{ steps.dl-userspace.outputs.download-path }}\"" >> $GITHUB_ENV

    - name: Build refpolicy
      shell: bash
      working-directory: "${{ inputs.path }}"
      run: |
        # Drop build.conf settings to listen to env vars
        sed -r -i -e '/(MONOLITHIC|TYPE|DISTRO|SYSTEMD|DIRECT_INITRC|WERROR)/d' build.conf

        make bare
        make conf
        make

    - name: Validate output policy
      working-directory: ${{ inputs.path }}
      shell: bash
      run: |
        make validate

    - name: Build docs
      working-directory: ${{ inputs.path }}
      shell: bash
      run: |
        make xml
        make html

    - name: Test installation
      working-directory: ${{ inputs.path }}
      shell: bash
      run: |
        make install
        make install-headers
        make install-src
        make install-docs
        make install-udica-templates
        make install-appconfig
      env:
        DESTDIR: /tmp/refpolicy-install

    # normalize to "sepolicy" and "file_contexts"
    - name: Normalize artifacts
      working-directory: ${{ inputs.path }}
      shell: bash
      run: |
        if [[ $MONOLITHIC == "y" ]]; then
          policy_file=$(make MONOLITHIC=y --eval='output_filename: ; @echo $(polver)' output_filename)
          mv "${policy_file}" sepolicy
        else
          mv tmp/policy.bin sepolicy
          mv tmp/all_mods.fc file_contexts
        fi

    - name: Upload artifact
      uses: actions/upload-artifact@v4
      with:
        name: ${{ inputs.artifact-name }}-${{ matrix.distro }}-${{ matrix.type }}-${{ matrix.monolithic }}-${{ matrix.systemd }}-${{ matrix.direct_initrc }}-${{ matrix.apps-off }}
        path: |
          ${{ inputs.path }}/sepolicy
          ${{ inputs.path }}/file_contexts
tests.yml: Divide into reusable workflows. Keep artifacts from each to allow analysis when there are failures. Signed-off-by: Chris PeBenito <pebenito@ieee.org> 2024-06-18 16:59:12 +00:00			`name: Build refpolicy`

			`on:`
			`workflow_call:`
			`inputs:`
			`version:`
			`description: "Refpolicy version (a git commit ID, tag, or branch)"`
			`required: false`
			`type: string`
			`default: ""`
			`path:`
			`description: "Path to store the refpolicy sources"`
			`required: false`
			`type: string`
			`default: "refpolicy-src"`
			`python-version:`
			`description: "Python version to use"`
			`required: true`
			`type: string`
			`artifact-name:`
			`description: "Artifact name to use; suffixed with policy build options (distro, mls/mcs, etc.)"`
			`required: false`
			`type: string`
			`default: "refpolicy"`

			`jobs:`
			`build:`
			`runs-on: ubuntu-22.04`

			`strategy:`
			`matrix:`
			`# matrix updates must also be duplicated to validate-policy.yml and diff-policy.yml`
			`distro: ["redhat", "debian", "gentoo"]`
			`type: ["standard", "mcs", "mls"]`
			`monolithic: ["y", "n"]`
			`systemd: ["y", "n"]`
			`direct_initrc: ["y", "n"]`
			`apps-off: ["unconfined", ""]`
			`exclude:`
			`- { distro: "redhat", systemd: "n" }`
			`- { distro: "redhat", direct_initrc: "y" }`
			`- { distro: "debian", systemd: "n" }`
			`- { distro: "debian", direct_initrc: "y" }`
			`- { type: "mls", apps-off: "" }`
			`- { systemd: "y", direct_initrc: "y" }`

			`steps:`
			`- name: Checkout refpolicy sources`
			`uses: actions/checkout@v4`
			`with:`
			`ref: "${{ inputs.version }}"`
			`path: "${{ inputs.path }}"`

			`- name: Download userspace binary artifact`
			`uses: actions/download-artifact@v4`
			`id: dl-userspace`
			`with:`
			`name: selinux-bin`

			`# actions/upload-artifact does not preserve permissions.`
			`- name: Fix userspace file permissions`
			`shell: bash`
			`working-directory: "${{ steps.dl-userspace.outputs.download-path }}"`
			`run: chmod +x usr/bin/* lib/.so usr/lib/.so usr/libexec/selinux/hll/pp sbin/* usr/sbin/*`

			`# This should be the minimum required Python version to build refpolicy.`
			`# or the standard Python version on Ubuntu.`
			`- name: Set up Python`
			`uses: actions/setup-python@v5`
			`with:`
			`python-version: "${{ inputs.python-version }}"`

			`- name: Configure environment`
			`shell: bash`
			`run: \|`
			`echo "DESTDIR=/tmp/refpolicy" >> $GITHUB_ENV`
			`echo "PYTHON=python${{ inputs.python-version }}" >> $GITHUB_ENV`
			`echo "TYPE=${{ matrix.type }}" >> $GITHUB_ENV`
			`echo "DISTRO=${{ matrix.distro }}" >> $GITHUB_ENV`
			`echo "MONOLITHIC=${{ matrix.monolithic }}" >> $GITHUB_ENV`
			`echo "SYSTEMD=${{ matrix.systemd }}" >> $GITHUB_ENV`
			`echo "APPS_OFF=${{ matrix.apps-off }}" >> $GITHUB_ENV`
			`echo "DIRECT_INITRC=${{ matrix.direct_initrc }}" >> $GITHUB_ENV`
			`echo "WERROR=y" >> $GITHUB_ENV`
			`echo "TEST_TOOLCHAIN=\"${{ steps.dl-userspace.outputs.download-path }}\"" >> $GITHUB_ENV`

			`- name: Build refpolicy`
			`shell: bash`
			`working-directory: "${{ inputs.path }}"`
			`run: \|`
			`# Drop build.conf settings to listen to env vars`
			`sed -r -i -e '/(MONOLITHIC\|TYPE\|DISTRO\|SYSTEMD\|DIRECT_INITRC\|WERROR)/d' build.conf`

			`make bare`
			`make conf`
			`make`

			`- name: Validate output policy`
			`working-directory: ${{ inputs.path }}`
			`shell: bash`
			`run: \|`
			`make validate`

			`- name: Build docs`
			`working-directory: ${{ inputs.path }}`
			`shell: bash`
			`run: \|`
			`make xml`
			`make html`

			`- name: Test installation`
			`working-directory: ${{ inputs.path }}`
			`shell: bash`
			`run: \|`
			`make install`
			`make install-headers`
			`make install-src`
			`make install-docs`
			`make install-udica-templates`
			`make install-appconfig`
			`env:`
			`DESTDIR: /tmp/refpolicy-install`

			`# normalize to "sepolicy" and "file_contexts"`
			`- name: Normalize artifacts`
			`working-directory: ${{ inputs.path }}`
			`shell: bash`
			`run: \|`
			`if [[ $MONOLITHIC == "y" ]]; then`
			`policy_file=$(make MONOLITHIC=y --eval='output_filename: ; @echo $(polver)' output_filename)`
			`mv "${policy_file}" sepolicy`
			`else`
			`mv tmp/policy.bin sepolicy`
			`mv tmp/all_mods.fc file_contexts`
			`fi`

			`- name: Upload artifact`
			`uses: actions/upload-artifact@v4`
			`with:`
			`name: ${{ inputs.artifact-name }}-${{ matrix.distro }}-${{ matrix.type }}-${{ matrix.monolithic }}-${{ matrix.systemd }}-${{ matrix.direct_initrc }}-${{ matrix.apps-off }}`
			`path: \|`
			`${{ inputs.path }}/sepolicy`
			`${{ inputs.path }}/file_contexts`