diff options
author | toofar <toofar@spalge.com> | 2023-11-19 19:45:59 +1300 |
---|---|---|
committer | toofar <toofar@spalge.com> | 2023-11-19 19:48:52 +1300 |
commit | 9f8e9d96c85c85a605e382f1510bd08563afc566 (patch) | |
tree | a9050b2c893686b3047b3a291555a68e58b9cf67 | |
parent | 27c5cc8caef409b432338518e192fe7fae31c671 (diff) | |
parent | 7444179a2331860ff72d4c675ec832d40d8e343c (diff) | |
download | qutebrowser-9f8e9d96c85c85a605e382f1510bd08563afc566.tar.gz qutebrowser-9f8e9d96c85c85a605e382f1510bd08563afc566.zip |
Merge branch 'maint/6.6_in_ci'
PyQt 6.6 has been out for a while. Git uses on arch are already using
it. Likely our next pyinstaller release will be using it. This change
adds it to our test matrix, beyond the arch docker tests.
* Removing -dev tag from python 3.12 job
* Update ubuntu python 3.11 and 3.12 tests to use PyQt6.6
* Update macOS and windows tests to use PyQt6.6
* Allow running the nightly CI job on any branch, to get a pyinstaller
build binary from your own branch
Closes: #7989
-rw-r--r-- | .github/workflows/ci.yml | 26 | ||||
-rw-r--r-- | .github/workflows/nightly.yml | 6 | ||||
-rw-r--r-- | tests/end2end/test_invocations.py | 84 |
3 files changed, 81 insertions, 35 deletions
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ccfa69ca3..c2babf437 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -157,28 +157,28 @@ jobs: - testenv: py310-pyqt65 os: ubuntu-22.04 python: "3.10" - ### PyQt 6.5 (Python 3.11) - - testenv: py311-pyqt65 + ### PyQt 6.6 (Python 3.11) + - testenv: py311-pyqt66 os: ubuntu-22.04 python: "3.11" - ### PyQt 6.5 (Python 3.12) - - testenv: py312-pyqt65 + ### PyQt 6.6 (Python 3.12) + - testenv: py312-pyqt66 os: ubuntu-22.04 - python: "3.12-dev" - ### macOS Big Sur: PyQt 5.15 (Python 3.9 to match PyInstaller env) - - testenv: py39-pyqt515 + python: "3.12" + ### macOS Big Sur + - testenv: py311-pyqt66 os: macos-11 - python: "3.9" + python: "3.11" args: "tests/unit" # Only run unit tests on macOS ### macOS Monterey - - testenv: py39-pyqt515 + - testenv: py311-pyqt66 os: macos-12 - python: "3.9" + python: "3.11" args: "tests/unit" # Only run unit tests on macOS - ### Windows: PyQt 5.15 (Python 3.9 to match PyInstaller env) - - testenv: py39-pyqt515 + ### Windows + - testenv: py311-pyqt66 os: windows-2019 - python: "3.9" + python: "3.11" runs-on: "${{ matrix.os }}" steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 76332e8ba..433cd3c0b 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -15,24 +15,19 @@ jobs: matrix: include: - os: macos-11 - branch: main toxenv: build-release-qt5 name: qt5-macos - os: windows-2019 - branch: main toxenv: build-release-qt5 name: qt5-windows - os: macos-11 args: --debug - branch: main toxenv: build-release-qt5 name: qt5-macos-debug - os: windows-2019 args: --debug - branch: main toxenv: build-release-qt5 name: qt5-windows-debug - - os: macos-11 toxenv: build-release name: macos @@ -52,7 +47,6 @@ jobs: steps: - uses: actions/checkout@v4 with: - ref: "${{ matrix.branch }}" persist-credentials: false - name: Set up Python uses: actions/setup-python@v4 diff --git a/tests/end2end/test_invocations.py b/tests/end2end/test_invocations.py index af81781f6..72e08af96 100644 --- a/tests/end2end/test_invocations.py +++ b/tests/end2end/test_invocations.py @@ -15,6 +15,7 @@ import re import json import platform from contextlib import nullcontext as does_not_raise +from unittest.mock import ANY import pytest from qutebrowser.qt.core import QProcess, QPoint @@ -885,27 +886,78 @@ def test_sandboxing( bpf_text = "Seccomp-BPF sandbox" yama_text = "Ptrace Protection with Yama LSM" - header, *lines, empty, result = text.split("\n") - assert not empty + if not utils.is_windows: + header, *lines, empty, result = text.split("\n") + assert not empty - expected_status = { - "Layer 1 Sandbox": "Namespace" if has_namespaces else "None", + expected_status = { + "Layer 1 Sandbox": "Namespace" if has_namespaces else "None", - "PID namespaces": "Yes" if has_namespaces else "No", - "Network namespaces": "Yes" if has_namespaces else "No", + "PID namespaces": "Yes" if has_namespaces else "No", + "Network namespaces": "Yes" if has_namespaces else "No", - bpf_text: "Yes" if has_seccomp else "No", - f"{bpf_text} supports TSYNC": "Yes" if has_seccomp else "No", + bpf_text: "Yes" if has_seccomp else "No", + f"{bpf_text} supports TSYNC": "Yes" if has_seccomp else "No", - f"{yama_text} (Broker)": "Yes" if has_yama else "No", - f"{yama_text} (Non-broker)": "Yes" if has_yama_non_broker else "No", - } - - assert header == "Sandbox Status" - assert result == expected_result + f"{yama_text} (Broker)": "Yes" if has_yama else "No", + f"{yama_text} (Non-broker)": "Yes" if has_yama_non_broker else "No", + } - status = dict(line.split("\t") for line in lines) - assert status == expected_status + assert header == "Sandbox Status" + assert result == expected_result + + status = dict(line.split("\t") for line in lines) + assert status == expected_status + + else: # utils.is_windows + # The sandbox page on Windows if different that Linux and macOS. It's + # a lot more complex. There is a table up top with lots of columns and + # a row per tab and helper process then a json object per row down + # below with even more detail (which we ignore). + # https://www.chromium.org/Home/chromium-security/articles/chrome-sandbox-diagnostics-for-windows/ + + # We're not getting full coverage of the table and there doesn't seem + # to be a simple summary like for linux. The "Sandbox" and "Lockdown" + # column are probably the key ones. + # We are looking at all the rows in the table for the sake of + # completeness, but I expect there will always be just one row with a + # renderer process in it for this test. If other helper processes pop + # up we might want to exclude them. + lines = text.split("\n") + assert lines.pop(0) == "Sandbox Status" + header = lines.pop(0).split("\t") + rows = [] + current_line = lines.pop(0) + while current_line.strip(): + if lines[0].startswith("\t"): + # Continuation line. Not sure how to 100% identify them + # but new rows should start with a process ID. + current_line += lines.pop(0) + continue + + columns = current_line.split("\t") + assert len(header) == len(columns) + rows.append(dict(zip(header, columns))) + current_line = lines.pop(0) + + assert rows + + # I'm using has_namespaces as a proxy for "should be sandboxed" here, + # which is a bit lazy but its either that or match on the text + # "sandboxing" arg. The seccomp-bpf arg does nothing on windows, so + # we only have the off and on states. + for row in rows: + assert row == { + "Process": ANY, + "Type": "Renderer", + "Name": "", + "Sandbox": "Renderer" if has_namespaces else "Not Sandboxed", + "Lockdown": "Lockdown" if has_namespaces else "", + "Integrity": ANY if has_namespaces else "", + "Mitigations": ANY if has_namespaces else "", + "Component Filter": ANY if has_namespaces else "", + "Lowbox/AppContainer": "", + } @pytest.mark.not_frozen |