From d8ab8be868abfc984d3b0e1ddafa7e178d4d73d6 Mon Sep 17 00:00:00 2001 From: Guus Sliepen Date: Sat, 4 Apr 2026 19:22:46 +0200 Subject: [PATCH] Don't use sudo in the CI pipeline scripts Just rely on the fact that we are already root inside the container. --- .ci/deps.sh | 6 +++--- .ci/sanitizers/run.sh | 2 +- .ci/test/prepare.sh | 11 ----------- .ci/test/run.sh | 12 ++++-------- .github/workflows/test.yml | 28 ++++++++++++++-------------- 5 files changed, 22 insertions(+), 37 deletions(-) diff --git a/.ci/deps.sh b/.ci/deps.sh index e57231a7..fa57019b 100755 --- a/.ci/deps.sh +++ b/.ci/deps.sh @@ -8,7 +8,7 @@ deps_linux_alpine() { apk upgrade apk add \ - git pkgconf gcc linux-headers shadow sudo libgcrypt-dev gzip \ + git pkgconf gcc linux-headers shadow libgcrypt-dev gzip \ openssl-dev zlib-dev lzo-dev ncurses-dev readline-dev musl-dev lz4-dev vde2-dev cmocka-dev \ "$@" @@ -57,7 +57,7 @@ deps_linux_debian() { apt update apt upgrade -y - apt install --no-install-recommends -y git pkgconf sudo texinfo + apt install --no-install-recommends -y git pkgconf texinfo HOST=${HOST:-} if [ "$HOST" = mingw ]; then @@ -87,7 +87,7 @@ deps_linux_rhel() { fi yum install -y \ - git pkgconf gcc sudo \ + git pkgconf gcc \ lzo-devel zlib-devel lz4-devel ncurses-devel readline-devel libgcrypt-devel systemd-devel \ libcmocka-devel cmake \ openssl-devel "$@" diff --git a/.ci/sanitizers/run.sh b/.ci/sanitizers/run.sh index 8bf409f3..49fee78e 100755 --- a/.ci/sanitizers/run.sh +++ b/.ci/sanitizers/run.sh @@ -33,7 +33,7 @@ export CC='clang-12' export CPPFLAGS='-DDEBUG' export CFLAGS="-O0 -g -fsanitize=$SANITIZER -fno-omit-frame-pointer -fno-common -fsanitize-blacklist=$dir/ignore.txt $flags" -sudo bash .ci/test/run.sh "$@" +.ci/test/run.sh "$@" # Check that the sanitizer has not created any log files. # If it has, fail the job to notify the developer. diff --git a/.ci/test/prepare.sh b/.ci/test/prepare.sh index 82f103fb..da0269fc 100755 --- a/.ci/test/prepare.sh +++ b/.ci/test/prepare.sh 
@@ -2,17 +2,6 @@ set -eux -if [ "$(id -u)" != 0 ] && sudo --preserve-env --non-interactive true; then - echo >&2 "sudo already configured" - exit 0 -fi - -useradd --user-group build - -echo 'build ALL=(ALL) NOPASSWD: ALL' >/etc/sudoers.d/build -chmod 440 /etc/sudoers.d/build -visudo --check - if [ -n "${HOST:-}" ]; then update-binfmts --enable rm -f /dev/net/tun diff --git a/.ci/test/run.sh b/.ci/test/run.sh index 70a3a2fc..6b083d66 100755 --- a/.ci/test/run.sh +++ b/.ci/test/run.sh @@ -20,12 +20,12 @@ run_tests() { header "Cleaning up leftovers from previous runs" for name in tinc tincd; do - sudo pkill -TERM -x "$name" || true - sudo pkill -KILL -x "$name" || true + pkill -TERM -x "$name" || true + pkill -KILL -x "$name" || true done if [ "$(id -u)" != 0 ]; then - sudo chown -R "${USER:-$(whoami)}" . || true + chown -R "${USER:-$(whoami)}" . || true fi mkdir -p sanitizer logs @@ -49,15 +49,11 @@ run_tests() { code=0 meson test -C "$flavor" --timeout-multiplier $timeout --verbose || code=$? - sudo tar -c -z -f "logs/tests.$flavor.tar.gz" "$flavor" sanitizer/ || true + tar -c -z -f "logs/tests.$flavor.tar.gz" "$flavor" sanitizer/ || true return $code } -case "$(uname -s)" in -MINGW* | Darwin) sudo() { "$@"; } ;; -esac - flavor=$1 shift diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 57edefa0..0c8b32f5 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -40,14 +40,14 @@ jobs: run: .ci/test/prepare.sh - name: Run tests with default settings - run: sudo -Eu build .ci/test/run.sh default + run: .ci/test/run.sh default - name: Run tests without legacy protocol - run: sudo -Eu build .ci/test/run.sh nolegacy + run: .ci/test/run.sh nolegacy if: always() - name: Run tests with libgcrypt - run: sudo -Eu build .ci/test/run.sh gcrypt + run: .ci/test/run.sh gcrypt if: always() - name: Upload test results 
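Review bot: In `run_tests`, the `if [ "$(id -u)" != 0 ]` branch now calls `chown -R` without privilege, which can only succeed on files the caller already owns, so the block is either a no-op or a failure hidden by `|| true`. The two `pkill` calls have the same limitation when not root: leftover `tinc`/`tincd` processes owned by another user survive and nothing is reported. Since the commit assumes root, I would drop the block. If non-root runs are still supported (the removed Darwin/MINGW shim suggests they were), replace it with a visible check built on `find . ! -user "$(id -u)" -print -quit` that prints a warning to stderr when it finds anything. The body of `run_tests` starts and continues outside this hunk.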
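Review bot: The three `run: .ci/test/run.sh <flavor>` steps no longer select a user, so the suite runs as whatever uid the job starts with, and nothing in the visible steps records or checks that this is root; the same applies to the steps in hunk `@@ -224,15 +224,15 @@`. Before, `sudo -Eu build` ran the tests as a dedicated `build` account. As uid 0, ordinary file-permission checks are bypassed, so it is worth confirming that no test relies on an operation being denied to an unprivileged user. I would add a comment above the first step, `# Runs as root (the container's default user); run.sh no longer escalates via sudo`, so the assumption is visible to whoever changes the job image later. The job definition itself is outside the hunk.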
@@ -88,17 +88,17 @@ jobs: uses: actions/checkout@v6 - name: Install dependencies - run: sudo .ci/deps.sh autoconf automake iperf3 + run: .ci/deps.sh autoconf automake iperf3 - name: Compatibility with older versions of tinc - run: sudo .ci/compat/run.sh + run: .ci/compat/run.sh if: always() - name: Install tools run: | - sudo apt install -y astyle clang-tidy-$CLANG shellcheck shfmt black pylint mypy - sudo update-alternatives --install /usr/bin/clang-tidy clang-tidy /usr/bin/clang-tidy-$CLANG 100 - sudo update-alternatives --install /usr/bin/run-clang-tidy run-clang-tidy /usr/bin/run-clang-tidy-$CLANG 100 + apt install --no-install-recommends -y astyle clang-tidy-$CLANG shellcheck shfmt black pylint mypy + update-alternatives --install /usr/bin/clang-tidy clang-tidy /usr/bin/clang-tidy-$CLANG 100 + update-alternatives --install /usr/bin/run-clang-tidy run-clang-tidy /usr/bin/run-clang-tidy-$CLANG 100 python3 -m venv /tmp/venv . /tmp/venv/bin/activate pip3 install markflow @@ -133,7 +133,7 @@ jobs: if: always() - name: Archive test results - run: sudo tar -caf tests.tar.gz /usr/local/etc + run: tar -caf tests.tar.gz /usr/local/etc continue-on-error: true if: always() @@ -166,8 +166,8 @@ jobs: - name: Install deps run: | - sudo .ci/deps.sh iputils-arping - sudo pip3 install --upgrade cryptography + .ci/deps.sh iputils-arping + pip3 install --upgrade cryptography - name: Sanitize tests with default settings run: .ci/sanitizers/run.sh default @@ -224,15 +224,15 @@ jobs: run: .ci/test/prepare.sh - name: Run tests with default settings - run: sudo -u build .ci/test/run.sh default + run: .ci/test/run.sh default if: always() - name: Run tests without legacy protocol - run: sudo -u build .ci/test/run.sh nolegacy + run: .ci/test/run.sh nolegacy if: always() - name: Run tests with libgcrypt - run: sudo -u build .ci/test/run.sh gcrypt + run: .ci/test/run.sh gcrypt if: always() - name: Upload test results -- 2.47.3
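Review bot: The `Install dependencies`, `Compatibility with older versions of tinc` and `Install tools` steps now need uid 0 for `apt install` and `update-alternatives`, but the job definition is outside this hunk, so whether it declares a root container cannot be confirmed from here. If it does not, these steps fail outright, and the `Archive test results` step in hunk `@@ -133,7 +133,7 @@` could fail quietly under `continue-on-error: true`, leaving the results unarchived. A first step such as `run: test "$(id -u)" = 0` would turn the assumption into an explicit, early failure.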
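Review bot: `pip3 install --upgrade cryptography` in the `Install deps` step of hunk `@@ -166,8 +166,8 @@` installs whatever release the package index serves at run time, now directly as the job's root user, so the inputs of the job that runs the sanitizer steps are neither reproducible nor verified. Pinning the version, e.g. `pip3 install 'cryptography==<PINNED_VERSION>'`, or installing from a hash-checked requirements file with `--require-hashes`, would make a changed or tampered upload fail the step instead of silently entering the run. Apart from the dropped `sudo` the line predates this commit, so it may be better handled as a follow-up.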