From b4215d31b32f580edb376a060e383c9b5e6ccf10 Mon Sep 17 00:00:00 2001 From: toofar Date: Tue, 14 Nov 2023 18:47:21 +1300 Subject: py3.12 is released now ref: https://github.com/qutebrowser/qutebrowser/issues/7989 --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ccfa69ca3..9e639d949 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -164,7 +164,7 @@ jobs: ### PyQt 6.5 (Python 3.12) - testenv: py312-pyqt65 os: ubuntu-22.04 - python: "3.12-dev" + python: "3.12" ### macOS Big Sur: PyQt 5.15 (Python 3.9 to match PyInstaller env) - testenv: py39-pyqt515 os: macos-11 -- cgit v1.2.3-54-g00ecf From 1683b74aba69cf8ceeeb81b7e8babb515fc99c7d Mon Sep 17 00:00:00 2001 From: toofar Date: Tue, 14 Nov 2023 18:48:49 +1300 Subject: bump py311 and py12 tests to use pyqt6.6 I'm not sure if we need a py3.11 pyqt6.5 variant or a py3.10 pyqt6.6 one? Those might well be combinations that people have (debian has 3.11 and 6.5 at the moment) but how much coverage do we need? ref: https://github.com/qutebrowser/qutebrowser/issues/7989 --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9e639d949..250ee0893 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -157,12 +157,12 @@ jobs: - testenv: py310-pyqt65 os: ubuntu-22.04 python: "3.10" - ### PyQt 6.5 (Python 3.11) - - testenv: py311-pyqt65 + ### PyQt 6.6 (Python 3.11) + - testenv: py311-pyqt66 os: ubuntu-22.04 python: "3.11" - ### PyQt 6.5 (Python 3.12) - - testenv: py312-pyqt65 + ### PyQt 6.6 (Python 3.12) + - testenv: py312-pyqt66 os: ubuntu-22.04 python: "3.12" ### macOS Big Sur: PyQt 5.15 (Python 3.9 to match PyInstaller env) -- cgit v1.2.3-54-g00ecf From 4227aba7bace9244049146c0a629e026afae832d Mon Sep 17 00:00:00 2001 
From: toofar Date: Tue, 14 Nov 2023 18:52:45 +1300 Subject: Update mac and windows CI to target for next release It looks like our last release builds were done with python 3.11 and PyQt 6.5.3. I'm expecting that since PyQt6.6 is out now our next release will be on 6.6. So lets update the CI to match. Questions: * what about python12? I don't think there is a benefit to updating to that, so lets leave it. * what about pyqt6.5? Do we care about testing that? Maybe for homebrew users? We aren't providing new builds with an old Qt right? last release builds: https://github.com/qutebrowser/qutebrowser/actions/runs/6578864884 ref: https://github.com/qutebrowser/qutebrowser/issues/7989 --- .github/workflows/ci.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 250ee0893..c2babf437 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -165,20 +165,20 @@ jobs: - testenv: py312-pyqt66 os: ubuntu-22.04 python: "3.12" - ### macOS Big Sur: PyQt 5.15 (Python 3.9 to match PyInstaller env) - - testenv: py39-pyqt515 + ### macOS Big Sur + - testenv: py311-pyqt66 os: macos-11 - python: "3.9" + python: "3.11" args: "tests/unit" # Only run unit tests on macOS ### macOS Monterey - - testenv: py39-pyqt515 + - testenv: py311-pyqt66 os: macos-12 - python: "3.9" + python: "3.11" args: "tests/unit" # Only run unit tests on macOS - ### Windows: PyQt 5.15 (Python 3.9 to match PyInstaller env) - - testenv: py39-pyqt515 + ### Windows + - testenv: py311-pyqt66 os: windows-2019 - python: "3.9" + python: "3.11" runs-on: "${{ matrix.os }}" steps: - uses: actions/checkout@v4 -- cgit v1.2.3-54-g00ecf From dc072a7825b989d75772338baeb8b0d0d5d5ac6f Mon Sep 17 00:00:00 2001 
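Review bot: With the three `py39-pyqt515` entries replaced, the macOS and Windows rows of this matrix no longer exercise PyQt 5.15 at all, yet the nightly workflow touched by the next commit on this page still lists `toxenv: build-release-qt5` for macos-11 and windows-2019. If those Qt 5 builds are still published, they would apparently go out without a matching unit-test run on their platform; consider keeping one `py39-pyqt515` entry per OS or retiring the Qt 5 nightly targets in the same series. The new section comments also dropped the reason for the version pair; something like `### Windows: PyQt 6.6 (Python 3.11 to match release builds)` would keep it visible. The matrix list begins outside the hunk.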
From: toofar Date: Tue, 14 Nov 2023 19:02:37 +1300 Subject: Allow running nightly builds on any branch The nightly jobs have a `workflow_dispatch` action, which means you can kick the job off on any branch. But the build steps has the branch to build on hardcoded. I would like to be able to build windows and mac builds without having a local build environment setup. The docs for the checkout action says it default to the main branch, so the scheduled actions should keep working fine. But now we'll be able to create builds off of other branches too. docs: https://github.com/actions/checkout#usage ref: https://github.com/qutebrowser/qutebrowser/issues/7989 --- .github/workflows/nightly.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 76332e8ba..433cd3c0b 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -15,24 +15,19 @@ jobs: matrix: include: - os: macos-11 - branch: main toxenv: build-release-qt5 name: qt5-macos - os: windows-2019 - branch: main toxenv: build-release-qt5 name: qt5-windows - os: macos-11 args: --debug - branch: main toxenv: build-release-qt5 name: qt5-macos-debug - os: windows-2019 args: --debug - branch: main toxenv: build-release-qt5 name: qt5-windows-debug - - os: macos-11 toxenv: build-release name: macos @@ -52,7 +47,6 @@ jobs: steps: - uses: actions/checkout@v4 with: - ref: "${{ matrix.branch }}" persist-credentials: false - name: Set up Python uses: actions/setup-python@v4 -- cgit v1.2.3-54-g00ecf From 7444179a2331860ff72d4c675ec832d40d8e343c Mon Sep 17 00:00:00 2001 
From: toofar Date: Sat, 18 Nov 2023 18:01:52 +1300 Subject: Update parsing of sandbox page on windows in tests In the linux branch when it was doing: header, *lines, empty, result = text.split("\n") assert not empty It was complaining that "empty" was "}", because the windows sandbox page has JSON at the bottom now. The whole things looks to have changed completely. I'm actually surprised it was working before, why would it have been saying seccomp was enabled on windows? Anyway, I did the debug-dump-text --plain that quteproc is doing in a VM and tested this with sandboxing off an on. No idea how stable that will be! ref: https://github.com/qutebrowser/qutebrowser/issues/7989 --- tests/end2end/test_invocations.py | 84 +++++++++++++++++++++++++++++++-------- 1 file changed, 68 insertions(+), 16 deletions(-) diff --git a/tests/end2end/test_invocations.py b/tests/end2end/test_invocations.py index af81781f6..72e08af96 100644 --- a/tests/end2end/test_invocations.py +++ b/tests/end2end/test_invocations.py @@ -15,6 +15,7 @@ import re import json import platform from contextlib import nullcontext as does_not_raise +from unittest.mock import ANY import pytest from qutebrowser.qt.core import QProcess, QPoint 
@@ -885,27 +886,78 @@ def test_sandboxing( bpf_text = "Seccomp-BPF sandbox" yama_text = "Ptrace Protection with Yama LSM" - header, *lines, empty, result = text.split("\n") - assert not empty + if not utils.is_windows: + header, *lines, empty, result = text.split("\n") + assert not empty - expected_status = { - "Layer 1 Sandbox": "Namespace" if has_namespaces else "None", + expected_status = { + "Layer 1 Sandbox": "Namespace" if has_namespaces else "None", - "PID namespaces": "Yes" if has_namespaces else "No", - "Network namespaces": "Yes" if has_namespaces else "No", + "PID namespaces": "Yes" if has_namespaces else "No", + "Network namespaces": "Yes" if has_namespaces else "No", - bpf_text: "Yes" if has_seccomp else "No", - f"{bpf_text} supports TSYNC": "Yes" if has_seccomp else "No", + bpf_text: "Yes" if has_seccomp else "No", + f"{bpf_text} supports TSYNC": "Yes" if has_seccomp else "No", - f"{yama_text} (Broker)": "Yes" if has_yama else "No", - f"{yama_text} (Non-broker)": "Yes" if has_yama_non_broker else "No", - } - - assert header == "Sandbox Status" - assert result == expected_result + f"{yama_text} (Broker)": "Yes" if has_yama else "No", + f"{yama_text} (Non-broker)": "Yes" if has_yama_non_broker else "No", + } - status = dict(line.split("\t") for line in lines) - assert status == expected_status + assert header == "Sandbox Status" + assert result == expected_result + + status = dict(line.split("\t") for line in lines) + assert status == expected_status + + else: # utils.is_windows + # The sandbox page on Windows if different that Linux and macOS. It's + # a lot more complex. There is a table up top with lots of columns and + # a row per tab and helper process then a json object per row down + # below with even more detail (which we ignore). + # https://www.chromium.org/Home/chromium-security/articles/chrome-sandbox-diagnostics-for-windows/ + + # We're not getting full coverage of the table and there doesn't seem + # to be a simple summary like for linux. 
The "Sandbox" and "Lockdown" + # column are probably the key ones. + # We are looking at all the rows in the table for the sake of + # completeness, but I expect there will always be just one row with a + # renderer process in it for this test. If other helper processes pop + # up we might want to exclude them. + lines = text.split("\n") + assert lines.pop(0) == "Sandbox Status" + header = lines.pop(0).split("\t") + rows = [] + current_line = lines.pop(0) + while current_line.strip(): + if lines[0].startswith("\t"): + # Continuation line. Not sure how to 100% identify them + # but new rows should start with a process ID. + current_line += lines.pop(0) + continue + + columns = current_line.split("\t") + assert len(header) == len(columns) + rows.append(dict(zip(header, columns))) + current_line = lines.pop(0) + + assert rows + + # I'm using has_namespaces as a proxy for "should be sandboxed" here, + # which is a bit lazy but its either that or match on the text + # "sandboxing" arg. The seccomp-bpf arg does nothing on windows, so + # we only have the off and on states. + for row in rows: + assert row == { + "Process": ANY, + "Type": "Renderer", + "Name": "", + "Sandbox": "Renderer" if has_namespaces else "Not Sandboxed", + "Lockdown": "Lockdown" if has_namespaces else "", + "Integrity": ANY if has_namespaces else "", + "Mitigations": ANY if has_namespaces else "", + "Component Filter": ANY if has_namespaces else "", + "Lowbox/AppContainer": "", + } @pytest.mark.not_frozen -- cgit v1.2.3-54-g00ecf
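Review bot: In the Windows branch the expected row uses `ANY` for `Integrity`, `Mitigations` and `Component Filter` when sandboxing is on, and `unittest.mock.ANY` compares equal to an empty string too, so a renderer row that reports no integrity level or no mitigations would still pass. Because the unsandboxed case expects exactly `""` in those columns, the sandboxed case should presumably assert they are populated, e.g. `if has_namespaces: assert row["Integrity"] and row["Mitigations"]` inside the `for row in rows` loop. Separately, `lines[0]` and the trailing `lines.pop(0)` in the `while` loop raise IndexError instead of a readable assertion failure if the page ends right after the table; `if lines and lines[0].startswith("\t"):` and `current_line = lines.pop(0) if lines else ""` would avoid that. test_sandboxing starts outside the hunk.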