Commit graph

19 commits

Author SHA1 Message Date
Adrian Reber
2ab9053bfc ci: add dmesg step to GitHub Actions jobs
Add a "Print dmesg" step with if: always() to every GitHub
Actions job that runs CRIU tests. For VM-based tests (CentOS
Stream, VM Fedora) dmesg runs inside the VM via lima. Jobs
that only compile or run non-CRIU tests are left unchanged.

Assisted-by: Claude Code (claude-opus-4-6)
Signed-off-by: Adrian Reber <areber@redhat.com>
2026-07-16 11:57:16 +01:00
Adrian Reber
ef136c6a89 ci: annotate cross-compilation dependency failures
When cross-compile dependency packages cannot be installed, emit
a ::error:: annotation so that the failure reason is visible in
the GitHub Actions summary. Use \r to ensure the annotation is
recognized even inside Docker BuildKit output which prefixes
each line with step and timing information.

Assisted-by: Claude Code (claude-opus-4-6)
Signed-off-by: Adrian Reber <areber@redhat.com>
2026-07-16 09:29:39 +01:00
Adrian Reber
8851c1a26d ci: run flaky nftables test on 26.04
The kernel for the github actions 26.04 images fixed the kernel to no
longer have the bug that lead to the `socket-tcbuf*` failures.

Signed-off-by: Adrian Reber <areber@redhat.com>
2026-07-09 10:32:52 +01:00
Andrei Vagin
6e858d1446 github: bupm up the ubuntu version for arm jobs
ubuntu-24.04-arm currently has a buggy kernel where socket-tcbbuf tests
fail.

Update #3042

Signed-off-by: Andrei Vagin <avagin@google.com>
2026-07-08 20:27:12 -07:00
Radostin Stoyanov
341c9fa7de ci: pin third-party actions to SHAs
Third-party GitHub Actions referenced by tags can change without a CRIU
patch if the upstream action repository moves or compromises a tag. That
is especially sensitive for actions that receive CI credentials such as
CODECOV_TOKEN or GITHUB_TOKEN.

Pin the remaining non-GitHub actions used by regular workflows to the
full commit IDs currently behind their version tags. Keep the version
tag in a comment next to each SHA so reviewers can see the intended
release and future updates remain explicit.

Leave GitHub-owned actions on version tags to match the existing
linux-next workflow policy, which already pins non-GitHub actions while
using tags for actions/* refs. This keeps the hardening focused on
third-party supply chain risk without forcing the repository-wide SHA
policy that would also require pinning GitHub-authored actions.

Fixes: #3068

Assisted-by: Codex:gpt-5
Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
2026-07-02 07:55:32 +02:00
Adrian Reber
e30fe51618 ci: update GitHub Actions to latest major versions
- actions/checkout v4 -> v7
- actions/stale v5 -> v10
- actions/cache v4 -> v6
- codecov/codecov-action v5 -> v7
- mondeja/remove-labels-gh-action v1 -> v2

Assisted-by: claude-code:claude-opus-4-6
Signed-off-by: Adrian Reber <areber@redhat.com>
2026-06-29 14:16:28 +01:00
Radostin Stoyanov
b17769b930 ci: disable fail-fast for CI matrix jobs
By default GitHub Actions cancels all in-progress and queued matrix
legs as soon as one leg fails (fail-fast: true). Re-running only the
failed job afterwards does not bring back the cancelled siblings, so
recovering from a single failure requires re-running the whole job.

Cancelling the siblings also hides information: whether the other
shards or environments would have passed or failed is exactly
what we want to know from a CI run, not something to discard
on the first failure. Set fail-fast: false on the matrix jobs
that were still inheriting the default, so every leg runs
to completion independently.

Assisted-by: Claude Code:claude-opus-4-8
Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
2026-06-11 08:12:06 +02:00
Adrian Reber
1d482bd43e ci: port no-VDSO and non-root tests from Cirrus CI to GHA
Move the two remaining Cirrus CI Vagrant-based tests (no-VDSO and
non-root) into the existing vm-fedora-rawhide-test GitHub Actions
matrix job using Lima VMs.

Add fedora-no-vdso-{setup,test} and fedora-non-root-{setup,test}
functions to scripts/ci/lima.sh, expand the matrix in ci.yml with
the two new variants, make the reboot step conditional on
matrix.reboot, and remove .cirrus.yml and scripts/ci/vagrant.sh
along with their Makefile targets.

Assisted-by: Claude Code (claude-opus-4-6):claude-opus-4-6@default
Signed-off-by: Adrian Reber <areber@redhat.com>
2026-06-10 12:29:26 +01:00
Adrian Reber
6cb5080761 ci: remove the word "vagrant" from lima based test
The tests are no longer vagrant based. Remove it. Instead of naming it
lima based tests, just name it VM based tests.

Signed-off-by: Adrian Reber <areber@redhat.com>
2026-06-10 12:29:26 +01:00
Adrian Reber
07d496e43d ci: port CentOS Stream test to GitHub Actions using Lima
Move the CentOS Stream 9 based test from Cirrus CI to GitHub
Actions using Lima VMs. Expand coverage to a matrix of CentOS
Stream 9 and 10 on x86_64.

Extract the common Lima VM setup steps (Lima install, image
caching, KVM enablement, VM start, source copy) into a reusable
composite action at .github/actions/lima-vm-setup.

Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Adrian Reber <areber@redhat.com>
2026-06-10 12:29:26 +01:00
Adrian Reber
5a3d9211b1 ci: shard Arch Linux test across 4 runners
Apply the same ZDTM test sharding strategy used by the Alpine CI
job to the Arch Linux CI job (GCC only). The ZDTM tests are split
across 4 shards (indices 0-3) with a 5th shard for non-shardable
tests (lazy pages, fault injection, plugins, etc.).

This reduces the Arch Linux CI time from ~30 minutes to ~10 minutes.

Assisted-by: Claude Code (https://claude.ai/code):claude-opus-4-6
Signed-off-by: Adrian Reber <areber@redhat.com>
2026-06-09 14:51:44 -07:00
Adrian Reber
4d76d1acdc ci: shard alpine-test into parallel jobs to reduce CI time
The alpine-test CI job runs all ~483 zdtm tests sequentially three
times (normal, mntns-compat-mode, criu-config), followed by many
non-shardable tests. This dominates overall CI wait time. With only
2 jobs running in parallel (GCC and CLANG) the alpine tests take
around 30 minutes.

Use the existing --test-shard-index and --test-shard-count flags
already built into test/zdtm.py to split the zdtm test suite across
four parallel runners (shards 0-3). A fifth shard runs all
non-shardable tests (lazy pages, fault injection, test/others/*,
rootless, compel, plugins, etc.) independently and in parallel with
the zdtm shards. This increases parallelism from 2 to 10 jobs and
reduces the alpine test wall-clock time from ~30 to ~10 minutes.

Changes:
- run-ci-tests.sh: Build SHARD_OPTS from ZDTM_SHARD_INDEX/COUNT
  env vars and pass them to zdtm.py. Extract all non-shardable
  tests into a run_non_shardable_tests() function. Dispatch based
  on shard index: 0-3 run zdtm slices, 4 runs non-shardable
  tests, unset runs everything sequentially (preserving existing
  behavior). Validate that ZDTM_SHARD_INDEX is set when
  ZDTM_SHARD_COUNT is set.
- Makefile: Pass ZDTM_SHARD_INDEX and ZDTM_SHARD_COUNT into the
  container when set. Split long container run command across
  multiple lines for readability.
- ci.yml: Add shard: [0, 1, 2, 3, 4] to the alpine-test matrix,
  producing 10 jobs (2 compilers x 5 shards). Job labels now show
  descriptive shard names (e.g. "zdtm 1/4", "non-zdtm") instead
  of raw indices.

When sharding is not configured the script behaves identically to
before, so other CI jobs (aarch64, compat, gcov, etc.) are
unaffected.

Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Adrian Reber <areber@redhat.com>
2026-05-24 07:19:51 +01:00
Adrian Reber
09d7f7a2ec ci: Add vanilla next kernel test variant to Lima CI job
Refactor lima.sh to extract shared helpers (_common_setup and
_common_test) and add a second variant that uses the
@kernel-vanilla/next COPR repository. Convert the Lima CI job
to a matrix with both stable and next variants so we catch
upstream kernel changes (such as the UDPLITE removal in 7.1)
early.

Assisted-by: Claude Code (claude-opus-4-6):claude-opus-4-6@default
Signed-off-by: Adrian Reber <areber@redhat.com>
2026-04-22 08:22:50 +01:00
Adrian Reber
81f26b6b10 ci: add aarch64 matrix build for Fedora Rawhide test
Convert the fedora-rawhide-test job to a matrix build that runs
on both ubuntu-22.04 (x86_64) and ubuntu-24.04-arm (aarch64).
This replaces the aarch64 Fedora Rawhide build-only test
previously running on Cirrus CI with a full test run on GitHub
Actions.

Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Adrian Reber <areber@redhat.com>
2026-03-29 20:26:45 -07:00
Adrian Reber
711b4ebfb8 ci: port Vagrant Fedora Rawhide test to GitHub Actions
Cirrus CI reports "Failed to start an instance:
FAILED_PRECONDITION: Monthly compute limit exceeded!" making the
Vagrant Fedora Rawhide test unusable.

Replace the Cirrus CI Vagrant-based Fedora Rawhide test with a
Lima VM-based equivalent in GitHub Actions. This follows the same
pattern used by the runc project (lima-vm/lima-actions).

The new vagrant-fedora-rawhide-test job:
- Starts a Lima Fedora VM with KVM acceleration
- Installs the latest vanilla kernel
- Reboots the VM to activate the new kernel
- Runs the fedora-rawhide CI target inside a podman container

Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Adrian Reber <areber@redhat.com>
2026-03-25 04:31:18 +01:00
Andrei Vagin
af3f4be066 ci: remove mips64el-stable-cross and mips64el-unstable-cross
These jobs are failing for a long time. Debian is in the process of
removing mips64el:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105972.

Signed-off-by: Andrei Vagin <avagin@google.com>
2026-03-13 07:51:33 +00:00
Ahmed Elaidy
c9a0190f07 ci: mark archlinux-test as continue-on-error
archlinux:latest is a rolling-release image and pacman -Syu pulls
the latest packages on every build. Failures caused by upstream
package churn or mirror outages are beyond CRIU's control and
should not block merges.

The cross-compile job already uses continue-on-error: true for
its experimental targets; apply the same treatment to
archlinux-test.

Fixes: #2911
Signed-off-by: Ahmed Elaidy <elaidya225@gmail.com>
2026-03-11 15:42:34 -07:00
Ahmed Elaidy
e6bea0372b ci: stabilize gcov-test coverage upload
Two problems made gcov-test unreliable:

1. The gcov step ran with --max-procs 4, causing multiple gcov
   processes to concurrently read and update the same .gcda files.
   GCC does not protect these files against concurrent access, so
   this can silently corrupt coverage data or produce
   non-deterministic failures. Drop --max-procs to serialize gcov.

2. 'make codecov' curls the uploader binary from
   https://uploader.codecov.io/latest/linux/codecov at job
   runtime. This fails on Codecov CDN outages and on pull requests
   from forks where CODECOV_TOKEN is not forwarded. Replace this
   step with the pinned codecov/codecov-action@v5, which avoids
   the runtime curl and handles both authenticated and
   unauthenticated cases gracefully.

Fixes: #2911
Signed-off-by: Ahmed Elaidy <elaidya225@gmail.com>
2026-03-11 15:10:23 -07:00
Andrei Vagin
8c29a7ccd5 ci: Consolidate test workflows and gate them by Alpine Test
Rework GitHub workflows to consolidate all test-related jobs into a
single ci.yml file. This ensures that the alpine-test job runs first,
and all other tests are executed only if it passes.

This reduces redundant triggers and provides a clear dependency path
for CI runs.

Signed-off-by: Andrei Vagin <avagin@gmail.com>
2026-03-03 14:08:03 +00:00