Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

build(deps): bump actions/upload-artifact from 2.3.1 to 3.1.2 #161

Open
wants to merge 92 commits into
base: master
Choose a base branch
from

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Feb 1, 2023

Bumps actions/upload-artifact from 2.3.1 to 3.1.2.

Release notes

Sourced from actions/upload-artifact's releases.

v3.1.2

  • Update all @actions/* NPM packages to their latest versions- #374
  • Update all dev dependencies to their most recent versions - #375

v3.1.1

  • Update actions/core package to latest version to remove set-output deprecation warning #351

v3.1.0

What's Changed

v3.0.0

What's Changed

  • Update default runtime to node16 (#293)
  • Update package-lock.json file version to 2 (#302)

Breaking Changes

With the update to Node 16, all scripts will now be run with Node 16 rather than Node 12.

Commits
  • 0b7f8ab ci(github): update action/download-artifact from v1 to v3 (#312)
  • 013d2b8 Create devcontainer for codespaces + update all dev dependencies (#375)
  • 055b8b3 Bump Actions NPM dependencies (#374)
  • 7a5d483 ci(github): update action/checkout from v2 to v3 (#315)
  • e0057a5 README: Bump actions/checkout to v3 (#352)
  • 7fe6c13 Update to latest actions/publish-action (#363)
  • 83fd05a Bump actions-core to v1.10.0 (#356)
  • 3cea537 Merge pull request #327 from actions/robherley/artifact-1.1.0
  • 849aa77 nvm use 12 & npm run release
  • 4d39869 recompile with correct ncc version
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

DaanDeMeyer and others added 30 commits May 24, 2022 15:27
This backports the same fix from 6e91653
in systemd upstream that we can't backport directly because that commit
introduces a new feature.
This reverts commit 75d7b59.

This commit was confirmed to have introduced a regression with LUKS,
so revert it for now.

systemd/systemd#23429

Conflicts:
	src/core/device.c
kernel's 'make install' invokes install.sh which calls /sbin/install-kernel.
Thus we are invoked as e.g.
  /sbin/installkernel 5.18.0 arch/x86/boot/bzImage System.map /boot
The last two arguments would be passed as "initrds".

Before , we would just quitely ignore
/boot, because it doesn't pass the 'test -f' test, and possibly try to do
something with System.map. 742561e tightened
the check, so we now throw an error.

It seems that the correct thing is to ignore those two arguments, because
our plugin syntax has no notion of System.map. And the installation directory
we can figure out ourselves better. Effectively, this makes things behave
like before, but less by accident.

Fixes #23490.

(cherry picked from commit 620ecc9)
This should cover cases regarding devices with `OPTIONS+="db_persist"`
during initrd->sysroot transition.

See:
  * systemd/systemd#23429
  * systemd/systemd#23218
  * systemd/systemd#23489
  * https://bugzilla.redhat.com/show_bug.cgi?id=2087225
(cherry picked from commit 1fb7f8e)
Co-Authored-By: Yu Watanabe <[email protected]>
(cherry picked from commit b22d90e)
dm-crypt device units generated by systemd-cryptsetup-generator
habe BindsTo= dependencies on their backend devices. The dm-crypt
devices have the db_persist flag set, and thus survive the udev db
cleanup while switching root. But backend devices usually don't survive.
These devices are neither mounted nor used for swap, thus they will
seen as DEVICE_NOT_FOUND after switching root.

The BindsTo dependency will cause systemd to schedule a stop
job for the dm-crypt device, breaking boot:

[   68.929457] krypton systemd[1]: systemd-cryptsetup@cr_root.service: Unit is stopped because bound to inactive unit dev-disk-by\x2duuid-3bf91f73\x2d1ee8\x2d4cfc\x2d9048\x2d93ba349b786d.device.
[   68.945660] krypton systemd[1]: systemd-cryptsetup@cr_root.service: Trying to enqueue job systemd-cryptsetup@cr_root.service/stop/replace
[   69.473459] krypton systemd[1]: systemd-cryptsetup@cr_root.service: Installed new job systemd-cryptsetup@cr_root.service/stop as 343

Avoid this by not setting the state of the backend devices to
DEVICE_DEAD.

Fixes the LUKS setup issue reported in #23429.

(cherry picked from commit cf1ac0c)
On switching root, a device may have a persistent databse. In that case,
Device.enumerated_found may have DEVICE_FOUND_UDEV flag, and it is not
necessary to downgrade the Device.deserialized_found and
Device.deserialized_state. Otherwise, the state of the device unit may
be changed plugged -> dead -> plugged, if the device has not been mounted.

Fixes #23429.

[mwilck: cherry-picked from #23437]

(cherry picked from commit 4fc69e8)
shmat() requires the CAP_IPC_OWNER capability. When running test-seccomp
in environments with root + CAP_SYS_ADMIN, but not CAP_IPC_OWNER,
memory_deny_write_execute_shmat would fail. This fixes it.

(cherry picked from commit 7e46a5c)
Fixes #21832.

(cherry picked from commit 223a359)
Fixes #23401

(cherry picked from commit 5ee38ad)
Fixes #22816.

(cherry picked from commit 8f24777)
Fixes #22966. Since there are competing conventions, let's not
change our code, but make the docs match what is implemented.

(cherry picked from commit b72308d)
as it may take a bit longer on slower machines:

```
[  OK  ] Reached target System Reboot.
Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
Failed to open watchdog device /dev/watchdog0, ignoring: No such file or directory
binfmt_misc is not mounted, not detaching entries.
Sending SIGTERM to remaining processes...
ERROR:test-shutdown:Timeout exceeded.
<pexpect.pty_spawn.spawn object at 0x7f3d4bcd20b0>
command: /systemd-meson-build/systemd-nspawn
<...snip...>
buffer (last 100 chars): 'mbinfmt_misc is not mounted, not detaching entries.\x1b[0m\r\nSending SIGTERM to remaining processes...\r\n'
before (last 100 chars): 'mbinfmt_misc is not mounted, not detaching entries.\x1b[0m\r\nSending SIGTERM to remaining processes...\r\n'
after: <class 'pexpect.exceptions.TIMEOUT'>
match: None
match_index: None
exitstatus: None
flag_eof: False
pid: 572528
child_fd: 5
closed: False
timeout: 30
delimiter: <class 'pexpect.exceptions.EOF'>
logfile: <_io.TextIOWrapper name='<stdout>' mode='w' encoding='utf-8'>
logfile_read: None
logfile_send: None
maxread: 2000
ignorecase: False
searchwindowsize: None
delaybeforesend: 0.05
delayafterclose: 0.1
delayafterterminate: 0.1
searcher: searcher_re:
    0: re.compile('H login: ')
INFO:test-shutdown:killing child pid 572528
E: nspawn failed with exit code 1
```

(cherry picked from commit 3e624bb)
Include this header to fix errors when including hwdb-internal.h:
  ../src/libsystemd/sd-hwdb/hwdb-internal.h:16:21: error: field ‘st’ has incomplete type
     16 |         struct stat st;

(cherry picked from commit 9745b51)
Fixes #23486.

(cherry picked from commit 89b6a3f)
Some compiler wrappers like honggfuzz pass -fno-builtin explicitly
and because of that the tests where fabs is used fail to compile
with something like
```
FAILED: test-bus-marshal
...
/usr/bin/ld: test-bus-marshal.p/src_libsystemd_sd-bus_test-bus-marshal.c.o: undefined reference to symbol 'fabs@@GLIBC_2.2.5'
/usr/bin/ld: /usr/lib64/libm.so.6: error adding symbols: DSO missing from command line
collect2: error: ld returned 1 exit status
```

Fun fact: it took honggfuzz less than a minute to discover
GHSA-gmc7-pqv9-966m used by
systemd to compress/descompress some stuff.

(cherry picked from commit f232c83)
… after SIGKILL but processes still remain

After sending a SIGKILL to a process, the process might disappear from
`cgroup.threads` but still show up in `cgroup.procs` and still remains in the
cgroup and cause migrating new processes to `Delegate=yes` cgroups to fail with
`-EBUSY`. This is especially likely for heavyweight processes that consume more
kernel CPU time to clean up.

Fix this by only returning 0 when both `cgroup.threads` and
`cgroup.procs` are empty.

(cherry picked from commit 37f0289)
This just adds an unused parameter for future use. No change in
behaviour.

(cherry picked from commit 1661833)
Fixes #23520. Replaces #23555.

The problem started with cdf3706 and
90b1ec0 which together started printing the
wall message in more cases. The motivation for those change was reasonable, but
this clearly causes problems described in #23520: users are getting unexpected
wall messages. Xterm, urxvt, (anything using libutempter?), and tmux (in some
configurations), register local pty sessions in utmp.

So let's try to suppress the message for local pseudo-terminal logins. This
patch based on #23538, but instead of filtering just on /dev/pts, it uses the
.ut_addr_v6 to only filter out local entries.

(cherry picked from commit 51a2b57)
…hibernate

Fixes: #23520

[zjs: I added the comment and tweaked the patch a bit.

The call to reset_scheduled_shutdown() is moved down a bit to allow the
callback to have access to information about the operation being cancelled.
This all happens within the same function, so there should be no observable
change in behaviour.]

(cherry picked from commit ea74f39)
DnsPacket.ifindex=1 (loopback) is normalized to 0 whenever a message is
received on the loopback iface, so for both listeners, 127.0.0.53 and
127.0.0.54, the ifindex will be set to 0 by manager_recv() for queries
that have a local origin.

Replies to such local messages need to set a proper ifindex in any
case, as the supplied source-address would otherwise be ignored in
manager_ipv4_send() (CMSG generation is skipped due to ifindex > 0 check).

Note that this change only forces `ifindex` to loopback if it was actually
normalized to `0` before (due to a loopback detection) in order to keep the
nat-to-127.0.0.54-from-another-interface usecase that was described in
a8d0906 intact.
Also note that nat is not supported for the main stub 127.0.0.53 which is
why forcing LOOPBACK_IFINDEX was/is fine for that case.

Fixes #23495

(cherry picked from commit dfa14e2)
dsd and others added 26 commits July 22, 2022 21:24
In T6455 we disabled suspend by default on all non-laptop systems,
with the option of enabling suspend via a whitelist.

However we never whitelisted any models, and now we work with a number
of All-in-One PCs that have a suspend key on the keyboard that does
not do anything.

Enable suspend on all machine types by default, as long as they
are not blacklisted.

https://phabricator.endlessm.com/T16887
We detected a regression here where USB input devices do not work after
resuming from suspend. Let's disable suspend while we investigate a more
permanent solution, and on the stable branch (currently eos3.7) as well.

The Mission One is based on the Gigabyte Brix GB-BXBT-2807, so we are
disabling both product names here.

https://phabricator.endlessm.com/T29497
On PAYG images we mount the ESP to /boot and install the boot loader
configuration and entries there, as this is a requirement of
sysytemd-boot. The GPT auto generator finds the ESP and generates an
automount unit for it at /boot in a way that makes it only accessible
and readable by root. OSTree needs to read the contents of
/boot/loader/entries for non-root `ostree admin status`, and probably
other similar actions.

This commit changes the umask used in boot.mount to allow for group and
others to read files and access directories in the ESP mounted to /boot.

https://phabricator.endlessm.com/T29520
We use unified /usr on Endless OS, but our CI environment has a split
/usr setup, so we need to make sure /sbin and /bin are included in PATH.

Without this change the build fails with the following errors:

 145/251 test-path-util                          FAIL     0.39 s

 --- command ---
 PATH='/src/_build:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' SYSTEMD_KBD_MODEL_MAP='/src/src/locale/kbd-model-map' SYSTEMD_LANGUAGE_FALLBACK_MAP='/src/src/locale/language-fallback-map' /src/_build/test-path-util
 --- stdout ---
 /bin/sh
 /src/_build/test-path-util
 /bin/sh
 --- stderr ---
 Found container virtualization none.
 ---/a/b/c/d---
 ---/a/b/c---
 ---/a/b---
 ---/a---
 ------
 ---/a/b/c---
 ---/a/b---
 ---/a---
 ------
 Assertion 'fsck_exists("minix") == 1' failed at ../src/test/test-path-util.c:253, function test_fsck_exists(). Aborting.
 -------

 428/556 test-path-util                            FAIL           0.01s (killed by signal 6 SIGABRT)

 --- command ---
 22:00:16 SYSTEMD_LANGUAGE_FALLBACK_MAP='/usr/src/packages/BUILD/src/locale/language-fallback-map' SYSTEMD_KBD_MODEL_MAP='/usr/src/packages/BUILD/src/locale/kbd-model-map' PATH='/usr/src/packages/BUILD/build-deb:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games' /usr/src/packages/BUILD/build-deb/test-path-util
 --- stderr ---
 Failed to read $container of PID 1, ignoring: Permission denied
 Found container virtualization none.
 DEFAULT_PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
 DEFAULT_USER_PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
 /* test_path */
 /* test_path_simplify */
 /* test_path_simplify */
 /* test_path_simplify */
 /* test_path_simplify */
 /* test_path_simplify */
 /* test_path_simplify */
 /* test_path_simplify */
 /* test_path_simplify */
 /* test_path_simplify */
 /* test_path_simplify */
 /* test_path_simplify */
 /* test_path_simplify */
 /* test_path_simplify */
 /* test_path_simplify */
 /* test_path_equal_root */
 /* test_find_executable_full */
 Assertion 'find_executable_full("sh", false, &p) == 0' failed at src/test/test-path-util.c:170, function test_find_executable_full(). Aborting.
 -------

https://phabricator.endlessm.com/T21201
https://phabricator.endlessm.com/T31222
Make the kernel pipe coredump data to /bin/false by default.

https://phabricator.endlessm.com/T6048
In Debian's glibc package, ld-linux-x86-64.so.2 symlinks are created in /lib64
and /usr/lib/x86_64-linux-gnu. If /lib is a symlink to usr/lib and /lib64 is a
symlink to usr/lib/x86_64-linux-gnu, these links end up at the same path. In
that case, dpkg may remove them both on upgrade, making the system unusable
because there's no longer a /lib64/ld-linux-x86-64.so.2 linker available.

I'm not sure why you would ever want /lib64 -> usr/lib/x86_64-linux-gnu, but
it's definitely wrong on Endless. There should already be a /lib64 -> usr/lib64
symlink in place, but unfortunately eos-convert-system was missing support to
copy that from the deployment.

https://phabricator.endlessm.com/T11645
This also sets the on-disk granularity to about 1 MiB per journal file.
When the maximum storage is used, journald will delete the oldest
journal file and allocate a new one to continue writing. Finer
granularity results in larger journal retention but more-frequent file
deletion and creation.

With these settings, this retains about 20k lines of messages which
roughly corresponds to 40 active hours on a relatively busy system.

For the purposes of classrooms, this would likely span multiple weeks.

NOTE: these changes only apply to the on-disk (persistent) journal and
that only gets used if /var/log/journal exists and is writable. That is
not true as of this writing but will soon be true for machines with
durable (non-MMC/-SD) storage.

https://phabricator.endlessm.com/T21771
The boot process relies on systemd-fsck return value when verifing the
root filesystem in order to continue booting. Even if the root
filesystem check fails with errors that can't be automatically recovered
from, we should continue booting in read-only mode (per the filesystem
mount options), to give the user the opportunity to backup their data
before an manual recovery can be performed.

This was working previously only with our downstream commit "fsck: disable fsck
emergency mode", but a change in the code flow introduced by commit 9013653
"fsck: configure logging before use and define main through macro" affected the
return value and half-disabled our downstream customization.

https://phabricator.endlessm.com/T27126
EOS-2.1.0 shipped with /sysroot mounted here as read-only, and "ro" in
the kernel boot args, and a static /etc/machine-id in ostree for all
installations.

To correct the machine-id situation, machine-id has been removed from
ostree. So when upgrading from EOS-2.1.0, /sysroot must be mounted rw
so that machine-id can be generated early during first boot into the
upgraded OS.

We don't have any mechanism to fix up the boot args during the upgrade;
we can't fix this in ostree because the upgrade is driven by the ostree
version already shipped in EOS-2.1.0.

Instead, this change makes the ro/rw parameters be ignored at the
initramfs
level, now we always mount sysroot rw.

https://github.com/endlessm/eos-shell/issues/3171
udisk (and udiskctl) relies on ID_FS_TYPE key when detecting the fs on
the CDROM. In our current setup ID_FS_TYPE is not set and udisk is
unable to detect any filesystem on the CDROM, refusing to mount it
using udiskctl (or programmatically).

ID_FS_TYPE (among other things) is set by 'blkid' in
60-persistent-storage.rules with the rule:

KERNEL=="sr*", ENV{DISK_EJECT_REQUEST}!="?*", \
 ENV{ID_CDROM_MEDIA_TRACK_COUNT_DATA}=="?*", \
 ENV{ID_CDROM_MEDIA_SESSION_LAST_OFFSET}=="", \
 MPORT{builtin}="blkid --noraid"

Unfortunately this rule is never matched/executed since
ID_CDROM_MEDIA_TRACK_COUNT_DATA is never set.

ID_CDROM_MEDIA_TRACK_COUNT_DATA should be set by 'cdrom_id' in
60-cdrom_id.rules but on our system 'cdrom_id /dev/sr0' fails with
-EBUSY.

The problem is that 'cdrom_id' tries to open /dev/sr0 using O_EXCL.
O_EXCL on block devices fails with EBUSY if, and only if, there's
someone else also opening the device with O_EXCL [1]. In our case this call
fails since we are already booting from /dev/sr0 keeping it already
opened with O_EXCL.

As suggested here [2] we fix this by not relying anymore on
ID_CDROM_MEDIA_TRACK_COUNT_DATA for executing 'blkid' and importing
ID_FS_*.

[1] https://lists.freedesktop.org/archives/systemd-devel/2014-September/023160.html
[2] https://bugs.freedesktop.org/show_bug.cgi?id=52474

Signed-off-by: Carlo Caione <[email protected]>
Arduino devices expose a USB modem interface for communication. We want
these to be accessible by all users in the system. Ideally we would add
all real users to the dialout group, but this is not straightforward on
an OSTree-based system at the moment.

https://phabricator.endlessm.com/T21435
ostree uses symlinks on the boot filesystem, this isn't great when that
filesystem is vfat, which can't do symlinks. Since the EFI ESP must be
vfat on most implementation, this makes ostree incompaible with sd-boot.

To allow ostree to keep making symlinks, we make a fake symlink that's
just a text file with the name of the file that would be linked to.

https://phabricator.endlessm.com/T27040
We want a combination of the built in parameters from the efi image
and safe parameters from the loader config.

https://phabricator.endlessm.com/T27591
…ot mode

If secure boot is off it could be useful to pass arbitrary parameters
for debug purposes.

https://phabricator.endlessm.com/T27591
We've encountered firmware that searches the boot loader for the string
"Microsoft" and uses that to determine which ACPI table to deliver to
the kernel.

Make sure that string is present so these computers do the right thing.

https://phabricator.endlessm.com/T27753
This service stores a random-seed in the ESP so it can be passed to the
kernel by systemd-boot on the next boot, to seed the kernel's entropy
pool. This unit is only active if a boot loader fully supporting the
Boot Loader Specificiation is detected (via a LoaderFeatures EFI var),
which currently is only true for Endless PAYG images, which use
systemd-boot instead of GRUB. This random seed is stored in
/boot/loader/random-seed, with /boot/loader being created if it does not
exist.

The problem here is that in our systemd-boot + OSTree setup on PAYG
images we need /boot/loader to be a symbolic link pointing to either
/boot/loader.1 or /boot/loader.0 (OSTree requirement) living in the ESP
(systemd-boot requirement) which is FAT32 (UEFI spec) and does not
support symlinks. To solve that we implemented a fake symlink as a file
in /boot/loader.lnk containing the path that should be the /boot/loader
target, and taught OSTree about it, giving higher precedence to the real
/boot/loader in case it exists. So if systemd-boot-system-token.service
creates /boot/loader, most OSTree operations break, because the entries/
directory is not found.

Let's disable this service here to avoid that problem. This unit is
enabled by the build system at install time instead of using the more
traditional approach of having a [Install] section and using systemctl
and the preset system, so we have to disable it in units/meson.build.

There is also an accompanying commit in the packaging branch that
removes the installation of the symbolic link in
sysinit.target.wants/systemd-boot-system-token.service.

https://phabricator.endlessm.com/T29475
…espace"

This reverts commit af918c4.

This fixes a test-mountpoint-util failure:
The output from the failed tests:

354/574 test-mountpoint-util                      FAIL           0.64s (killed by signal 6 SIGABRT)

--- command ---
18:44:42 SYSTEMD_KBD_MODEL_MAP='/build/src/src/locale/kbd-model-map' PATH='/build/src/_build:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' SYSTEMD_LANGUAGE_FALLBACK_MAP='/build/src/src/locale/language-fallback-map' /build/src/_build/test-mountpoint-util
--- stderr ---
Found container virtualization none.
Assertion 'mount(NULL, "/", NULL, MS_PRIVATE | MS_REC, NULL) >= 0' failed at src/test/test-mountpoint-util.c:301, function main(). Aborting.
-------

https://phabricator.endlessm.com/T31222
For some reason passing this through debian/rules is not working.

https://phabricator.endlessm.com/T33712
Revert "[Endless] sd-boot: Work around odd behaviour in some firmware"
This reverts commit 9746125.

Debian's policy is to never clean-up /var/tmp to keep consistency with
the SysV init system. Flatpak creates temporary files in /var/tmp during
app updates but does not remove them on error, to avoid re-downloading
them on a future update attempt, and expects these files to be
automatically cleaned-up by the system eventually, according to the
site's policy. With this policy in place these files are never removed,
wasting the user's storage space.

Revert this commit back to upstream's default policy of cleaning up /tmp
every 10 days and /var/tmp every 30 days.

https://phabricator.endlessm.com/T23762
https://phabricator.endlessm.com/T33887
Revert "[DEB] Bring tmpfiles.d/tmp.conf in line with Debian defaults"
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 2.3.1 to 3.1.2.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@82c141c...0b7f8ab)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Feb 1, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code
Projects
None yet
Development

Successfully merging this pull request may close these issues.