58773088ac
This mounts a new tmpfs on /tmp so any files residing there would be hidden from the sandbox. Many programs store some files in there that might be useful to an attacker. It also drops all capabilities incase it is ever run with extra capabilities for whatever reason.
83 lines
2.3 KiB
YAML
83 lines
2.3 KiB
YAML
variables:
|
|
CONTAINER_REGISTRY: $CI_REGISTRY/georg/mat2-ci-images
|
|
|
|
stages:
|
|
- linting
|
|
- test
|
|
|
|
.prepare_env: &prepare_env
|
|
before_script: # This is needed to not run the testsuite as root
|
|
- useradd --home-dir ${CI_PROJECT_DIR} mat2
|
|
- chown -R mat2 .
|
|
|
|
linting:bandit:
|
|
image: $CONTAINER_REGISTRY:linting
|
|
stage: linting
|
|
script: # TODO: remove B405 and B314
|
|
- bandit ./mat2 --format txt --skip B101
|
|
- bandit -r ./nautilus/ --format txt --skip B101
|
|
- bandit -r ./libmat2 --format txt --skip B101,B404,B603,B405,B314,B108
|
|
|
|
linting:codespell:
|
|
image: $CONTAINER_REGISTRY:linting
|
|
stage: linting
|
|
script:
|
|
# Run codespell to check for spelling errors; ignore errors about binary
|
|
# files, use a config with ignored words and exclude the git directory,
|
|
# which might contain false positives
|
|
- codespell -q 2 -I utils/ci/codespell/ignored_words.txt -S .git
|
|
|
|
linting:pylint:
|
|
image: $CONTAINER_REGISTRY:linting
|
|
stage: linting
|
|
script:
|
|
- pylint3 --disable=no-else-return --extension-pkg-whitelist=cairo,gi ./libmat2 ./mat2
|
|
# Once nautilus-python is in Debian, decomment it form the line below
|
|
- pylint3 --disable=no-else-return --extension-pkg-whitelist=Nautilus,GObject,Gtk,Gio,GLib,gi ./nautilus/mat2.py
|
|
|
|
linting:pyflakes:
|
|
image: $CONTAINER_REGISTRY:linting
|
|
stage: linting
|
|
script:
|
|
- pyflakes3 ./libmat2 ./mat2 ./tests/ ./nautilus
|
|
|
|
linting:mypy:
|
|
image: $CONTAINER_REGISTRY:linting
|
|
stage: linting
|
|
script:
|
|
- mypy --ignore-missing-imports mat2 libmat2/*.py ./nautilus/mat2.py
|
|
|
|
tests:archlinux:
|
|
image: $CONTAINER_REGISTRY:archlinux
|
|
stage: test
|
|
script:
|
|
- python3 setup.py test
|
|
|
|
tests:debian:
|
|
image: $CONTAINER_REGISTRY:debian
|
|
stage: test
|
|
script:
|
|
- apt-get -qqy purge bubblewrap
|
|
- python3 setup.py test
|
|
|
|
tests:debian_with_bubblewrap:
|
|
image: $CONTAINER_REGISTRY:debian
|
|
stage: test
|
|
<<: *prepare_env
|
|
script:
|
|
- su - mat2 -c "python3-coverage run --branch -m unittest discover -s tests/"
|
|
- su - mat2 -c "python3-coverage report --fail-under=100 -m --include 'libmat2/*'"
|
|
|
|
tests:fedora:
|
|
image: $CONTAINER_REGISTRY:fedora
|
|
stage: test
|
|
script:
|
|
- python3 setup.py test
|
|
|
|
tests:gentoo:
|
|
image: $CONTAINER_REGISTRY:gentoo
|
|
stage: test
|
|
<<: *prepare_env
|
|
script:
|
|
- su - mat2 -c "python3 -m unittest discover -v"
|