path: root/.github
Commit message | Author | Age | Files | Lines
...
* ci: Add/Drop labels on pull request activity and comment | Daan De Meyer | 2022-12-09 | 1 | -0/+40
    When a pull request is opened/updated, add "please-review" and remove a few other labels.
    When a comment is made with /please-review on a PR, add the "please-review" label to the PR.
* Merge pull request #25180 from keszybz/ukify | Lennart Poettering | 2022-12-08 | 2 | -0/+2
    ukify: add helper to create UKIs
* ci: install pefile | Zbigniew Jędrzejewski-Szmek | 2022-12-07 | 2 | -0/+2
* build(deps): bump ninja from 1.10.2.4 to 1.11.1 in /.github/workflows | dependabot[bot] | 2022-12-01 | 1 | -15/+17
    Bumps [ninja](https://github.com/ninja-build/ninja) from 1.10.2.4 to 1.11.1.
    - [Release notes](https://github.com/ninja-build/ninja/releases)
    - [Commits](https://github.com/ninja-build/ninja/commits/v1.11.1)

    ---
    updated-dependencies:
    - dependency-name: ninja
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...

    Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump meson from 0.63.3 to 0.64.1 in /.github/workflows | dependabot[bot] | 2022-12-01 | 1 | -3/+3
    Bumps [meson](https://github.com/mesonbuild/meson) from 0.63.3 to 0.64.1.
    - [Release notes](https://github.com/mesonbuild/meson/releases)
    - [Commits](https://github.com/mesonbuild/meson/compare/0.63.3...0.64.1)

    ---
    updated-dependencies:
    - dependency-name: meson
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...

    Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump redhat-plumbers-in-action/differential-shellcheck | dependabot[bot] | 2022-12-01 | 1 | -1/+1
    Bumps [redhat-plumbers-in-action/differential-shellcheck](https://github.com/redhat-plumbers-in-action/differential-shellcheck) from 3.1.1 to 3.2.1.
    - [Release notes](https://github.com/redhat-plumbers-in-action/differential-shellcheck/releases)
    - [Changelog](https://github.com/redhat-plumbers-in-action/differential-shellcheck/blob/main/CHANGELOG.md)
    - [Commits](https://github.com/redhat-plumbers-in-action/differential-shellcheck/compare/1b1b75e42f0694c1012228513b21617a748c866e...f3cd08fcf12680861615270b29494d2b87c3e1cc)

    ---
    updated-dependencies:
    - dependency-name: redhat-plumbers-in-action/differential-shellcheck
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...

    Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump actions/upload-artifact from 3.1.0 to 3.1.1 | dependabot[bot] | 2022-12-01 | 2 | -2/+2
    Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.1.0 to 3.1.1.
    - [Release notes](https://github.com/actions/upload-artifact/releases)
    - [Commits](https://github.com/actions/upload-artifact/compare/v3.1.0...83fd05a356d7e2593de66fc9913b3002723633cb)

    ---
    updated-dependencies:
    - dependency-name: actions/upload-artifact
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...

    Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump redhat-plumbers-in-action/advanced-issue-labeler | dependabot[bot] | 2022-12-01 | 1 | -1/+1
    Bumps [redhat-plumbers-in-action/advanced-issue-labeler](https://github.com/redhat-plumbers-in-action/advanced-issue-labeler) from 2.0.0 to 2.0.1.
    - [Release notes](https://github.com/redhat-plumbers-in-action/advanced-issue-labeler/releases)
    - [Commits](https://github.com/redhat-plumbers-in-action/advanced-issue-labeler/compare/fe9c43b7d77bd8bd7fbe86c2c217e74ebeea71f2...88209aef583c66312529c515d41ea6a710a4baba)

    ---
    updated-dependencies:
    - dependency-name: redhat-plumbers-in-action/advanced-issue-labeler
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...

    Signed-off-by: dependabot[bot] <support@github.com>
* GA: do not run codeql on systemd-security | Luca Boccassi | 2022-11-30 | 1 | -0/+1
    Scanning is not available on private repositories.
* GA: run development_freeze only on main repository | Luca Boccassi | 2022-11-30 | 1 | -0/+1
    No point in running this checker on other forks.
* Merge pull request #25319 from zx2c4-forks/krngseed | Luca Boccassi | 2022-11-16 | 1 | -1/+1
    boot: implement kernel EFI RNG seed protocol with proper hashing
* boot: implement kernel EFI RNG seed protocol with proper hashing | Jason A. Donenfeld | 2022-11-14 | 1 | -1/+1
    Rather than passing seeds up to userspace via EFI variables, pass seeds directly to the kernel's EFI stub loader, via LINUX_EFI_RANDOM_SEED_TABLE_GUID. EFI variables can potentially leak and suffer from forward secrecy issues, and processing these with userspace means that they are initialized much too late in boot to be useful. In contrast, LINUX_EFI_RANDOM_SEED_TABLE_GUID uses EFI configuration tables, and so is hidden from userspace entirely, and is parsed extremely early on by the kernel, so that every single call to get_random_bytes() by the kernel is seeded.

    In order to do this properly, we use a bit more robust hashing scheme, and make sure that each input is properly memzeroed out after use. The scheme is:

        key = HASH(LABEL || sizeof(input1) || input1 || ... || sizeof(inputN) || inputN)
        new_disk_seed = HASH(key || 0)
        seed_for_linux = HASH(key || 1)

    The various inputs are:
    - LINUX_EFI_RANDOM_SEED_TABLE_GUID from prior bootloaders
    - 256 bits of seed from EFI's RNG
    - The (immutable) system token, from its EFI variable
    - The prior on-disk seed
    - The UEFI monotonic counter
    - A timestamp

    This also adjusts the secure boot semantics, so that the operation is only aborted if it's not possible to get random bytes from EFI's RNG or a prior boot stage. With the proper hashing scheme, this should make boot seeds safe even on secure boot.

    There is currently a bug in Linux's EFI stub in which if the EFI stub manages to generate random bytes on its own using EFI's RNG, it will ignore what the bootloader passes. That's annoying, but it means that either way, via systemd-boot or via EFI stub's mechanism, the RNG *does* get initialized in a good safe way. And this bug is now fixed in the efi.git tree, and will hopefully be backported to older kernels.

    As the kernel recommends, the resultant seeds are 256 bits and are allocated using pool memory of type EfiACPIReclaimMemory, so that it gets freed at the right moment in boot.
* ci: use mkosi executable directly | Zbigniew Jędrzejewski-Szmek | 2022-11-14 | 1 | -6/+6
* ci: skip running on docs-only changes | Zbigniew Jędrzejewski-Szmek | 2022-11-11 | 1 | -0/+27
    https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#example-including-and-excluding-paths

    > If you define a path with the ! character, you must also define at least one
    > path without the ! character. If you only want to exclude paths, use
    > paths-ignore instead.
    >
    > The order that you define patterns matters:
    > A matching negative pattern (prefixed with !) after a positive match will
    > exclude the path.
    > A matching positive pattern after a negative match will include the path
    > again.

    Even if some of the excluded paths *could* impact the build, generally it's a waste of time to do mkosi builds on them. Let's skip them to relieve the builders a bit.
* ci(dev-freeze): Use GitHub Action for PR comments | Jan Macku | 2022-11-05 | 3 | -5/+40
    GitHub Action `devel-freezer` helps with development freeze notifications during the RC phase. It will create comments using predefined messages on newly created and updated PRs when the RC tag has been released. Also, it will update comments once a new major version has been released.

    Documentation available at: https://github.com/redhat-plumbers-in-action/devel-freezer
* shutdown: Add Xen kexec support | Samuel Thibault | 2022-11-02 | 1 | -0/+1
    In the Xen case, it's the hypervisor which manages kexec. We thus have to ask it whether a kernel is loaded, instead of relying on /sys/kernel/kexec_loaded.
* build(deps): bump github/codeql-action from 2.1.17 to 2.1.29 | dependabot[bot] | 2022-11-01 | 2 | -4/+4
    Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.17 to 2.1.29.
    - [Release notes](https://github.com/github/codeql-action/releases)
    - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
    - [Commits](https://github.com/github/codeql-action/compare/v2.1.17...ec3cf9c605b848da5f1e41e8452719eb1ccfb9a6)

    ---
    updated-dependencies:
    - dependency-name: github/codeql-action
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...

    Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump meson from 0.63.2 to 0.63.3 in /.github/workflows | dependabot[bot] | 2022-11-01 | 1 | -3/+3
    Bumps [meson](https://github.com/mesonbuild/meson) from 0.63.2 to 0.63.3.
    - [Release notes](https://github.com/mesonbuild/meson/releases)
    - [Commits](https://github.com/mesonbuild/meson/compare/0.63.2...0.63.3)

    ---
    updated-dependencies:
    - dependency-name: meson
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...

    Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump systemd/mkosi | dependabot[bot] | 2022-11-01 | 1 | -1/+1
    Bumps [systemd/mkosi](https://github.com/systemd/mkosi) from 792cbc60eb2dc4a58d66bb3c212bf92f8d50f6ea to 14. This release includes the previously tagged commit.
    - [Release notes](https://github.com/systemd/mkosi/releases)
    - [Changelog](https://github.com/systemd/mkosi/blob/main/NEWS.md)
    - [Commits](https://github.com/systemd/mkosi/compare/792cbc60eb2dc4a58d66bb3c212bf92f8d50f6ea...c9772ec920f1cd03181ba14e6fe2c3d35ccb4f92)

    ---
    updated-dependencies:
    - dependency-name: systemd/mkosi
      dependency-type: direct:production
    ...

    Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump ossf/scorecard-action from 2.0.4 to 2.0.6 | dependabot[bot] | 2022-11-01 | 1 | -1/+1
    Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.0.4 to 2.0.6.
    - [Release notes](https://github.com/ossf/scorecard-action/releases)
    - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
    - [Commits](https://github.com/ossf/scorecard-action/compare/e363bfca00e752f91de7b7d2a77340e2e523cb18...99c53751e09b9529366343771cc321ec74e9bd3d)

    ---
    updated-dependencies:
    - dependency-name: ossf/scorecard-action
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...

    Signed-off-by: dependabot[bot] <support@github.com>
* Disable code freeze banner | Luca Boccassi | 2022-10-31 | 1 | -0/+0
* gh actions: run a unit test iteration without machine-id | Luca Boccassi | 2022-10-25 | 1 | -0/+8
* ci: run the Scorecards action in PRs only on config update | Frantisek Sumsal | 2022-10-20 | 1 | -7/+11
    Also, unify the string quotation a bit and drop one unnecessary expression syntax (as everything in `if` statements is automatically evaluated as an expression).
* ci: add a missing SPDX line | Frantisek Sumsal | 2022-10-20 | 1 | -0/+3
* ci: Enable Scorecard Github Action and Badge (#25054) | Joyce | 2022-10-19 | 1 | -0/+63
    * chore: enable scorecard action
    * chore: add badge to the README file
    * chore: enable on config file update
    * chore: update scorecard to 2.0.4
    * chore: run scorecard on PR at main branch
    * chore: add condition to publish_result key
    * chore: skip upload to code scanning if PR
    * chore: only runs scorecard in the main repo

    Resolves: #25042
* mkosi: Switch to Fedora 37 | Daan De Meyer | 2022-10-17 | 1 | -1/+1
    Official release date is close so let's switch mkosi CI to it already.
* mkosi: Add CentOS Stream 8 back to CI | Daan De Meyer | 2022-10-17 | 1 | -0/+2
    We can build all of systemd's features again on CentOS Stream 8, so let's add it back to CI.
* Merge pull request #24933 from keszybz/erradicate-strerror | Luca Boccassi | 2022-10-11 | 1 | -1/+1
    Eradicate strerror
* Get rid of strerror_safe() | Zbigniew Jędrzejewski-Szmek | 2022-10-11 | 1 | -1/+1
* mkosi: update to latest commit | Luca Boccassi | 2022-10-10 | 1 | -1/+1
    Required to fix Debian testing/unstable builds, as the initrd is versioned.
* Enable PR template for RC phase | Luca Boccassi | 2022-10-07 | 1 | -0/+0
* build(deps): bump ninja from 1.10.2.3 to 1.10.2.4 in /.github/workflows | dependabot[bot] | 2022-10-01 | 1 | -15/+15
    Bumps [ninja](https://github.com/ninja-build/ninja) from 1.10.2.3 to 1.10.2.4.
    - [Release notes](https://github.com/ninja-build/ninja/releases)
    - [Commits](https://github.com/ninja-build/ninja/commits)

    ---
    updated-dependencies:
    - dependency-name: ninja
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...

    Signed-off-by: dependabot[bot] <support@github.com>
* ci: pin stefanbuck/github-issue-parser to a tagged release | Frantisek Sumsal | 2022-10-01 | 1 | -1/+1
    Since [0] got resolved ([1]) we can finally pin the action to a tagged release (v2.0.4 ATTOW) and let Dependabot do its job by updating it to the latest tagged release when it becomes available.

    Replaces: #24886

    [0] https://github.com/stefanbuck/github-issue-parser/issues/23
    [1] https://github.com/stefanbuck/github-issue-parser/pull/39
* build(deps): bump actions/labeler from 4.0.0 to 4.0.1 | dependabot[bot] | 2022-10-01 | 1 | -1/+1
    Bumps [actions/labeler](https://github.com/actions/labeler) from 4.0.0 to 4.0.1.
    - [Release notes](https://github.com/actions/labeler/releases)
    - [Commits](https://github.com/actions/labeler/compare/9fd24f1f9d6ceb64ba34d181b329ee72f99978a0...e54e5b338fbd6e6cdb5d60f51c22335fc57c401e)

    ---
    updated-dependencies:
    - dependency-name: actions/labeler
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...

    Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump redhat-plumbers-in-action/differential-shellcheck | dependabot[bot] | 2022-10-01 | 1 | -1/+1
    Bumps [redhat-plumbers-in-action/differential-shellcheck](https://github.com/redhat-plumbers-in-action/differential-shellcheck) from 3.0.1 to 3.1.1.
    - [Release notes](https://github.com/redhat-plumbers-in-action/differential-shellcheck/releases)
    - [Changelog](https://github.com/redhat-plumbers-in-action/differential-shellcheck/blob/main/CHANGELOG.md)
    - [Commits](https://github.com/redhat-plumbers-in-action/differential-shellcheck/compare/a14889568f6210b361eb29e16f3b07f512fca846...1b1b75e42f0694c1012228513b21617a748c866e)

    ---
    updated-dependencies:
    - dependency-name: redhat-plumbers-in-action/differential-shellcheck
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...

    Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump meson from 0.63.1 to 0.63.2 in /.github/workflows | dependabot[bot] | 2022-10-01 | 1 | -3/+3
    Bumps [meson](https://github.com/mesonbuild/meson) from 0.63.1 to 0.63.2.
    - [Release notes](https://github.com/mesonbuild/meson/releases)
    - [Commits](https://github.com/mesonbuild/meson/compare/0.63.1...0.63.2)

    ---
    updated-dependencies:
    - dependency-name: meson
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...

    Signed-off-by: dependabot[bot] <support@github.com>
* ci: fix a couple of typos | Frantisek Sumsal | 2022-09-14 | 1 | -8/+8
* ci: enable a couple more possibly useful CodeQL queries | Frantisek Sumsal | 2022-09-14 | 1 | -0/+8
* ci: rename codeql-analysis.yml to codeql.yml | Frantisek Sumsal | 2022-09-14 | 1 | -0/+0
    Just to be consistent with other repos under the systemd umbrella.
* ci: limit scope for the CodeQL scan | Frantisek Sumsal | 2022-09-13 | 1 | -0/+6
    Don't run the workflow unnecessarily for non-{cpp,python} related changes.
* ci: drop LGTM stuff and move remaining bits into a new location | Frantisek Sumsal | 2022-09-13 | 4 | -1/+181
* ci: run CodeQL on push to main/stable branches as well | Frantisek Sumsal | 2022-09-13 | 1 | -0/+4
    Since we need results for the base branches as well in order to have something to compare against.

    Follow-up to cbe25d0dccdd3f2901a1e74a665c068f42dae9f5.
* ci: run CodeQL on every PR | Frantisek Sumsal | 2022-09-14 | 1 | -13/+4
    Since LGTM is no longer enabled for the systemd repo (as it's going to be discontinued by the EOY), let's run CodeQL on every PR instead to replace it.
* issue-templates: Add note about updating labeling policy | Jan Macku | 2022-09-07 | 2 | -0/+4
* ci(issue-labeler): Update to `advanced-issue-labeler@v2` | Jan Macku | 2022-09-07 | 2 | -52/+145
    The new version of `advanced-issue-labeler` GitHub Action introduces a new structure of policy that requires adjustments to systemd issue labeling policy.

    Changes introduced in v2.0.0 - https://github.com/redhat-plumbers-in-action/advanced-issue-labeler/releases/tag/v2.0.0
* ci(issue-labeler): Add missing policy for `coredump` label | Jan Macku | 2022-09-06 | 1 | -0/+1
* mkosi: update to latest commit | Luca Boccassi | 2022-09-02 | 1 | -1/+1
    Required to fix Debian testing/unstable builds, as resolved is now in its own package.
* github: update differential shellcheck to v3.0.1 | Yu Watanabe | 2022-09-01 | 1 | -1/+1
    v3 supports external sources. Yey!
* build(deps): bump meson from 0.63.0 to 0.63.1 in /.github/workflows | dependabot[bot] | 2022-09-01 | 1 | -3/+3
    Bumps [meson](https://github.com/mesonbuild/meson) from 0.63.0 to 0.63.1.
    - [Release notes](https://github.com/mesonbuild/meson/releases)
    - [Commits](https://github.com/mesonbuild/meson/compare/0.63.0...0.63.1)

    ---
    updated-dependencies:
    - dependency-name: meson
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...

    Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump github/super-linter from 4.9.5 to 4.9.6 | dependabot[bot] | 2022-09-01 | 1 | -1/+1
    Bumps [github/super-linter](https://github.com/github/super-linter) from 4.9.5 to 4.9.6.
    - [Release notes](https://github.com/github/super-linter/releases)
    - [Changelog](https://github.com/github/super-linter/blob/main/docs/release-process.md)
    - [Commits](https://github.com/github/super-linter/compare/2d64ac1c067c34beaf7d24cc12733cd46236f76e...01d3218744765b55c3b5ffbb27e50961e50c33c5)

    ---
    updated-dependencies:
    - dependency-name: github/super-linter
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...

    Signed-off-by: dependabot[bot] <support@github.com>