feat: improved installation mechanism (#564)

2025-10-30 18:07:45 +00:00 · 2024-11-18 09:50:57 -08:00
parent 944a9e80b9
commit 85ca395515
8 changed files with 349 additions and 231 deletions
--- a/.github/workflows/linkspector.yml
+++ b/.github/workflows/linkspector.yml
@@ -1,4 +1,4 @@
-name: Linkspector
+name: linkspector-scan
 on: 
  pull_request:
    branches:
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -0,0 +1,26 @@
+name: run-tests
+on:
+  pull_request:
+    branches:
+      - live
+    paths-ignore:
+      - "**.md"
+  workflow_dispatch: # allow manually triggering 
+jobs:
+  run_tests:
+    runs-on: ubuntu-latest
+    name: Install Bats and run tests
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Setup Bats and bats libs
+        id: setup-bats
+        uses: bats-core/bats-action@2104b40bb7b6c2d5110b23a26b0bf265ab8027db #v3.0.0
+
+      - name: Run tests
+        shell: bash
+        env:
+          INSTALL_SCRIPT: install/install_secureblue.sh
+        run: |
+          bats -p -t --verbose-run .github/workflows/tests
--- a/.github/workflows/tests/install_script_tests.bats
+++ b/.github/workflows/tests/install_script_tests.bats
@@ -0,0 +1,107 @@
+#!/usr/bin/env bats
+
+@test "Script exits with error if rpm-ostree is not installed" {
+  sudo bash -c 'rm -f /usr/bin/rpm-ostree'
+  run bash "$INSTALL_SCRIPT"
+  [ "$status" -eq 1 ]
+  [[ "$output" == *"This script only runs on Fedora Atomic"* ]]
+}
+
+@test "Script passes rpm-ostree check if it is installed" {
+  sudo bash -c 'echo "empty file" > /usr/bin/rpm-ostree'
+  run bash "$INSTALL_SCRIPT"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"Welcome to the secureblue interactive installer"* ]]
+}
+
+@test "Test command for silverblue-main-userns-hardened" {
+  sudo bash -c 'echo "empty file" > /usr/bin/rpm-ostree'
+  run bash -c "echo -e 'no\n1\nno\nyes\nno' | bash '$INSTALL_SCRIPT'"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"silverblue-main-userns-hardened"* ]]
+}
+
+@test "Test command for silverblue-nvidia-userns-hardened" {
+  sudo bash -c 'echo "empty file" > /usr/bin/rpm-ostree'
+  run bash -c "echo -e 'no\n1\nyes\nno\nyes\nno' | bash '$INSTALL_SCRIPT'"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"silverblue-nvidia-userns-hardened"* ]]
+}
+
+@test "Test command for silverblue-nvidia-open-userns-hardened" {
+  sudo bash -c 'echo "empty file" > /usr/bin/rpm-ostree'
+  run bash -c "echo -e 'no\n1\nyes\nyes\nyes\nno' | bash '$INSTALL_SCRIPT'"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"silverblue-nvidia-open-userns-hardened"* ]]
+}
+
+@test "Test command for silverblue-nvidia-open-hardened" {
+  sudo bash -c 'echo "empty file" > /usr/bin/rpm-ostree'
+  run bash -c "echo -e 'no\n1\nyes\nyes\no\nno' | bash '$INSTALL_SCRIPT'"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"silverblue-nvidia-open-hardened"* ]]
+}
+
+@test "Test command for kinoite-main-userns-hardened" {
+  sudo bash -c 'echo "empty file" > /usr/bin/rpm-ostree'
+  run bash -c "echo -e 'no\n2\nno\nyes\nno' | bash '$INSTALL_SCRIPT'"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"kinoite-main-userns-hardened"* ]]
+}
+
+@test "Test command for sericea-main-userns-hardened" {
+  sudo bash -c 'echo "empty file" > /usr/bin/rpm-ostree'
+  run bash -c "echo -e 'no\n3\nno\nyes\nno' | bash '$INSTALL_SCRIPT'"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"sericea-main-userns-hardened"* ]]
+}
+
+@test "Test command for wayblue-wayfire-main-userns-hardened" {
+  sudo bash -c 'echo "empty file" > /usr/bin/rpm-ostree'
+  run bash -c "echo -e 'no\n4\nno\nyes\nno' | bash '$INSTALL_SCRIPT'"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"wayblue-wayfire-main-userns-hardened"* ]]
+}
+
+@test "Test command for wayblue-sway-main-userns-hardened" {
+  sudo bash -c 'echo "empty file" > /usr/bin/rpm-ostree'
+  run bash -c "echo -e 'no\n5\nno\nyes\nno' | bash '$INSTALL_SCRIPT'"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"wayblue-sway-main-userns-hardened"* ]]
+}
+
+@test "Test command for wayblue-river-main-userns-hardened" {
+  sudo bash -c 'echo "empty file" > /usr/bin/rpm-ostree'
+  run bash -c "echo -e 'no\n6\nno\nyes\nno' | bash '$INSTALL_SCRIPT'"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"wayblue-river-main-userns-hardened"* ]]
+}
+
+@test "Test command for wayblue-hyprland-main-userns-hardened" {
+  sudo bash -c 'echo "empty file" > /usr/bin/rpm-ostree'
+  run bash -c "echo -e 'no\n7\nno\nyes\nno' | bash '$INSTALL_SCRIPT'"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"wayblue-hyprland-main-userns-hardened"* ]]
+}
+
+@test "Test command for cosmic-main-userns-hardened" {
+  sudo bash -c 'echo "empty file" > /usr/bin/rpm-ostree'
+  run bash -c "echo -e 'no\n8\nno\nyes\nno' | bash '$INSTALL_SCRIPT'"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"cosmic-main-userns-hardened"* ]]
+}
+
+@test "Test command for securecore-zfs-main-userns-hardened" {
+  sudo bash -c 'echo "empty file" > /usr/bin/rpm-ostree'
+  run bash -c "echo -e 'yes\nyes\nno\nyes\no' | bash '$INSTALL_SCRIPT'"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"securecore-zfs-main-userns-hardened"* ]]
+}
+
+@test "Test command for securecore-main-userns-hardened" {
+  sudo bash -c 'echo "empty file" > /usr/bin/rpm-ostree'
+  run bash -c "echo -e 'yes\nno\nno\nyes\no' | bash '$INSTALL_SCRIPT'"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"securecore-main-userns-hardened"* ]]
+}
+
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -1,4 +1,4 @@
-name: trivy
+name: trivy-scan
 on:
  schedule:
    - cron: "00 8 * * *" # build at 8:00 UTC every day 
@@ -6,6 +6,8 @@ on:
  push:
    branches:
      - live
+    paths-ignore:
+      - "**.md"

  workflow_dispatch: # allow manually triggering builds
 jobs: