For some reason Ubuntu Focal repositories now have `llvm-13` virtual
package which can't be installed, but successfully fools our check,
resulting in no clang/llvm being installed...
```
$ apt show llvm-13
Package: llvm-13
State: not a real package (virtual)
N: Can't select candidate version from package llvm-13 as it has no candidate
N: Can't select versions from package 'llvm-13' as it is purely virtual
N: No packages found
$ apt install --dry-run llvm-13
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package llvm-13 is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
E: Package 'llvm-13' has no installation candidate
```
The packages are installed to provide the dhcpd binary, used by
test/test-network/systemd-networkd-tests.py, but we don't need the units
to run, and in fact in some cases the image fails to boot because of
them:
Spawning container image on /home/runner/work/systemd/systemd/image.raw.
Press ^] three times within 1s to kill container.
● isc-dhcp-server.service loaded failed failed ISC DHCP IPv4 server
● isc-dhcp-server6.service loaded failed failed ISC DHCP IPv6 server
Container image failed with error code 1.
Error: Process completed with exit code 1.
Mask the units with an --extra-tree.
to, hopefully, get rid of the following error:
```
2022-02-13 13:32:12 [ERROR] Failed to get [GITHUB_TOKEN]!
2022-02-13 13:32:12 [ERROR] []
2022-02-13 13:32:12 [ERROR] Please set a [GITHUB_TOKEN] from the main workflow environment to take advantage of multiple status reports!
```
The 'slim' version drops certain storage-heavy linters[0] which we don't
use anyway, so let's make the job a bit faster by downloading and using
a smaller image.
[0] https://github.com/github/super-linter#slim-image
CIFuzz has been kind of broken for a couple months because
coverage reports downloaded from OSS-Fuzz contain absolute
paths while paths to files changed in PRs are relative and they
don't match. It makes it kind of hard for CIFuzz to figure out
what it should run so it runs either all fuzz targets or just new
fuzz targets. Until that issue is fixed let's just always predictably run
all fuzz targets.
Judging by
ERROR! Failed to call GitHub Status API!
it doesn't seem to work. Even if it did it would just clutter the status
checks I think so let's just remove MULTI_STATUS along with
GITHUB_TOKEN.
some actions like Coverity and CFLite aren't run on every PR so to make
sure they are more or less fine when they are changed it makes sense to
at least check them with superlinter/actionlint: https://github.com/rhysd/actionlint
The following warnings were fixed along the way:
```
.github/workflows/mkosi.yml:55:7: shellcheck reported issue in this script: SC2086:info:6:14: Double quote to prevent globbing and word splitting [shellcheck]
|
55 | run: |
| ^~~~
.github/workflows/mkosi.yml:55:7: shellcheck reported issue in this script: SC2046⚠️6:40: Quote this to prevent word splitting [shellcheck]
|
55 | run: |
| ^~~~
.github/workflows/mkosi.yml:55:7: shellcheck reported issue in this script: SC2006:style:6:40: Use $(...) notation instead of legacy backticked `...` [shellcheck]
|
55 | run: |
| ^~~~
```
```
.github/workflows/coverity.yml:31:9: shellcheck reported issue in this script: SC2086:info:1:93: Double quote to prevent globbing and word splitting [shellcheck]
|
31 | run: echo "COVERITY_SCAN_NOTIFICATION_EMAIL=$(git log -1 ${{ github.sha }} --pretty=\"%aE\")" >> $GITHUB_ENV
| ^~~~
```
The idea behind this action is to make it possible to compare the
latest fuzz targets with PRs to figure out whether bugs are really
reproducible in PRs only. Since forks (including systemd-stable) are
usually based on the upstream repository where almost all the bugs
are fixed before releases are cut it should be safe to assume that
if CFLite finds bugs in PRs they are most likely introduced in those
PRs.
It should probably be brought back once https://github.com/google/clusterfuzzlite/issues/84
is fixed.
It's like CIFuzz but unlike CIFuzz it's compatible with forks and
it should make it possible to run the fuzzers to make sure that
patches backported to them are backported correctly without introducing
new bugs and regressions.
Those dependencies are also used by Coverity and Codeql so
it should be installed there to get them to analyze that code.
Judging by https://github.com/systemd/systemd/pull/22137 it seems
to be working.
to make it easier to figure out why it fails.
For example in https://github.com/systemd/systemd/runs/4799774735?check_suite_focus=true
it failed with
```
meson.build:1003:8: ERROR: Command "/usr/bin/clang -print-targets" failed with status 1.
A full log can be found at /home/runner/work/systemd/systemd/build/meson-logs/meson-log.txt
Error: Process completed with exit code 1.
```
and it wasn't clear what exactly happened there.
Let's assign a specific -Dcryptolib= value to each job to have at least
some coverage for all supported cryptolibs without unnecessarily
multiplying the test matrix.
Should provide coverage for #21880.
So we can mitigate (to some degree) the reoccurring "dissect timeout"
issue:
```
Run sudo python3 -m mkosi boot systemd.unit=mkosi-check-and-shutdown.service !quiet systemd.log_level=debug systemd.log_target=console udev.log_level=info systemd.default_standard_output=journal+console
Failed to dissect image '/home/runner/work/systemd/systemd/image.raw': Connection timed out
Error: Process completed with exit code 1.
```
otherwise we end up with more than one job with the same identifier in
one run, causing some of them to get cancelled unexpectedly.
A quick follow-up to 85bd394df5.
