Document that symlinks that point to a resource outside the sandbox n… #898
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: fedora-cmake | |
on: [push, pull_request] | |
env: | |
BUILD_TYPE: Release | |
jobs: | |
build: | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- container: fedora:38 | |
compiler: gcc | |
compiler-version: 13 | |
ignore-errors: false | |
- container: fedora:38 | |
compiler: clang | |
compiler-version: 16 | |
ignore-errors: false | |
runs-on: ubuntu-latest | |
continue-on-error: ${{ matrix.ignore-errors }} | |
env: | |
RUN_CMD: docker exec --tty ${{matrix.compiler}}-build-container | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Cache dependencies | |
uses: actions/cache@v3 | |
with: | |
key: ${{matrix.container}}-${{matrix.compiler}}${{matrix.compiler-version}} | |
path: | | |
${{github.workspace}}/build/_deps | |
- name: Prepare container | |
# Note: For the sandbox tests to work, we need a privileged, unconfined | |
# container that retains its capabilities. | |
run: | | |
docker run --name ${{matrix.compiler}}-build-container \ | |
--tty \ | |
--privileged \ | |
--cap-add ALL \ | |
--security-opt apparmor:unconfined \ | |
-v $GITHUB_WORKSPACE:$GITHUB_WORKSPACE \ | |
-e TERM=dumb \ | |
-e BUILD_TYPE \ | |
-e GITHUB_WORKSPACE \ | |
-d ${{matrix.container}} \ | |
sleep infinity | |
- name: Install build tools | |
run: | | |
$RUN_CMD dnf update -y --quiet | |
$RUN_CMD dnf install -y --quiet \ | |
git make automake diffutils file patch glibc-static \ | |
libstdc++-static cmake ninja-build python3 python3-pip \ | |
python3-clang clang-devel libcap-devel | |
- name: Create Build Environment | |
run: | | |
$RUN_CMD pip3 install --progress-bar=off absl-py | |
$RUN_CMD cmake -E make_directory $GITHUB_WORKSPACE/build | |
- name: Configure CMake | |
run: | | |
$RUN_CMD cmake \ | |
-S $GITHUB_WORKSPACE \ | |
-B $GITHUB_WORKSPACE/build \ | |
-G Ninja \ | |
-DCMAKE_BUILD_TYPE=$BUILD_TYPE | |
- name: Build | |
run: | | |
$RUN_CMD cmake \ | |
--build $GITHUB_WORKSPACE/build \ | |
--config $BUILD_TYPE | |
- name: Test | |
run: | | |
$RUN_CMD ctest \ | |
--test-dir $GITHUB_WORKSPACE/build \ | |
-C $BUILD_TYPE \ | |
--output-on-failure \ | |
-R SapiTest |