ci: Switch to Ubuntu 24.04

(cherry picked from commit d5474f7)

Author: DaanDeMeyer

.github/workflows/build_test.sh

@@ -76,6 +76,14 @@ if [[ "$COMPILER" == clang ]]; then
     CXX="clang++-$COMPILER_VERSION"
     AR="llvm-ar-$COMPILER_VERSION"
 
+    if systemd-analyze compare-versions "$COMPILER_VERSION" ge 17; then
+        CFLAGS="-fno-sanitize=function"
+        CXXFLAGS="-fno-sanitize=function"
+    else
+        CFLAGS=""
+        CXXFLAGS=""
+    fi
+
     # Prefer the distro version if available
     if ! apt-get -y install --dry-run "llvm-$COMPILER_VERSION" >/dev/null; then
         # Latest LLVM stack deb packages provided by https://apt.llvm.org/
@@ -91,6 +99,8 @@ elif [[ "$COMPILER" == gcc ]]; then
     CC="gcc-$COMPILER_VERSION"
     CXX="g++-$COMPILER_VERSION"
     AR="gcc-ar-$COMPILER_VERSION"
+    CFLAGS=""
+    CXXFLAGS=""
 
     if ! apt-get -y install --dry-run "gcc-$COMPILER_VERSION" >/dev/null; then
         # Latest gcc stack deb packages provided by
@@ -103,17 +113,20 @@ else
     fatal "Unknown compiler: $COMPILER"
 fi
 
-# PPA with some newer build dependencies (like zstd)
-sudo add-apt-repository -y --no-update ppa:upstream-systemd-ci/systemd-ci
-sudo add-apt-repository -y --no-update --enable-source
+# This is added by default, and it is often broken, but we don't need anything from it
+sudo rm -f /etc/apt/sources.list.d/microsoft-prod.{list,sources}
+# add-apt-repository --enable-source does not work on deb822 style sources.
+for f in /etc/apt/sources.list.d/*.sources; do
+    sudo sed -i "s/Types: deb/Types: deb deb-src/g" "$f"
+done
 sudo apt-get -y update
 sudo apt-get -y build-dep systemd
 sudo apt-get -y install "${PACKAGES[@]}"
 # Install more or less recent meson and ninja with pip, since the distro versions don't
 # always support all the features we need (like --optimization=). Since the build-dep
 # command above installs the distro versions, let's install the pip ones just
 # locally and add the local bin directory to the $PATH.
-pip3 install --user -r .github/workflows/requirements.txt --require-hashes
+pip3 install --user -r .github/workflows/requirements.txt --require-hashes --break-system-packages
 export PATH="$HOME/.local/bin:$PATH"
 
 $CC --version
@@ -126,8 +139,8 @@ for args in "${ARGS[@]}"; do
     info "Checking build with $args"
     # shellcheck disable=SC2086
     if ! AR="$AR" \
-         CC="$CC" CC_LD="$LINKER" CFLAGS="-Werror" \
-         CXX="$CXX" CXX_LD="$LINKER" CXXFLAGS="-Werror" \
+         CC="$CC" CC_LD="$LINKER" CFLAGS="$CFLAGS" \
+         CXX="$CXX" CXX_LD="$LINKER" CXXFLAGS="$CXXFLAGS" \
          meson setup \
                -Dtests=unsafe -Dslow-tests=true -Dfuzz-tests=true --werror \
                -Dnobody-group=nogroup -Dcryptolib="${CRYPTOLIB:?}" -Ddebug=false \

.github/workflows/build_test.yml

@@ -17,7 +17,7 @@ permissions:
 
 jobs:
   build:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     concurrency:
       group: ${{ github.workflow }}-${{ toJSON(matrix.env) }}-${{ github.ref }}
       cancel-in-progress: true

.github/workflows/cflite_pr.yml

@@ -13,7 +13,7 @@ permissions: read-all
 
 jobs:
   PR:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     if: github.repository != 'systemd/systemd' || github.event.pull_request.user.login == 'dependabot[bot]'
     concurrency:
       group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ github.ref }}

.github/workflows/cifuzz.yml

@@ -22,7 +22,8 @@ on:
       - main
 jobs:
   Fuzzing:
-    runs-on: ubuntu-latest
+    # FIXME: Figure out why 32-bit applications fail to run in docker on Ubuntu 24.04.
+    runs-on: ubuntu-22.04
     if: github.repository == 'systemd/systemd'
     concurrency:
       group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ matrix.architecture }}-${{ github.ref }}

.github/workflows/codeql.yml

@@ -27,7 +27,7 @@ jobs:
   analyze:
     name: Analyze
     if: github.repository != 'systemd/systemd-security'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     concurrency:
       group: ${{ github.workflow }}-${{ matrix.language }}-${{ github.ref }}
       cancel-in-progress: true

.github/workflows/coverity.yml

@@ -14,7 +14,7 @@ permissions:
 
 jobs:
   build:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     if: github.repository == 'systemd/systemd'
     env:
       # Set in repo settings -> secrets -> actions

.github/workflows/development_freeze.yml

@@ -21,7 +21,7 @@ jobs:
       github.event.workflow_run.event == 'pull_request' &&
       github.event.workflow_run.conclusion == 'success' &&
       github.repository == 'systemd/systemd'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
 
     permissions:
       pull-requests: write

.github/workflows/differential-shellcheck.yml

@@ -16,7 +16,7 @@ permissions:
 jobs:
   lint:
     if: github.event.repository.name != 'systemd-security'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
 
     permissions:
       security-events: write

.github/workflows/gather-pr-metadata.yml

@@ -16,7 +16,7 @@ permissions:
 jobs:
   gather-metadata:
     if: github.repository == 'systemd/systemd'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
 
     steps:
       - name: Repository checkout

.github/workflows/issue_labeler.yml

@@ -10,7 +10,7 @@ permissions:
 
 jobs:
   label-component:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
 
     permissions:
       issues: write

.github/workflows/labeler.yml

@@ -16,7 +16,7 @@ permissions:
 jobs:
   triage:
     if: github.repository == 'systemd/systemd'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     permissions:
       pull-requests: write
 

.github/workflows/linter.yml

@@ -16,7 +16,7 @@ permissions:
 jobs:
   build:
     name: Lint Code Base
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     concurrency:
       group: ${{ github.workflow }}-${{ github.ref }}
       cancel-in-progress: true
@@ -29,7 +29,7 @@ jobs:
           fetch-depth: 0
 
       - name: Lint Code Base
-        uses: github/super-linter/slim@45fc0d88288beee4701c62761281edfee85655d7
+        uses: super-linter/super-linter/slim@88ea3923a7e1f89dd485d079f6eb5f5e8f937589
         env:
           DEFAULT_BRANCH: main
           VALIDATE_ALL_CODEBASE: false

.github/workflows/make_release.yml

@@ -11,7 +11,7 @@ permissions:
 jobs:
   release:
     if: github.repository == 'systemd/systemd' || github.repository == 'systemd/systemd-stable'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
 
     permissions:
       contents: write

.github/workflows/mkosi.yml

@@ -46,7 +46,7 @@ permissions:
 
 jobs:
   ci:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     concurrency:
       group: ${{ github.workflow }}-${{ matrix.distro }}-${{ matrix.release }}-${{ github.ref }}
       cancel-in-progress: true

.github/workflows/scorecards.yml

@@ -23,7 +23,7 @@ jobs:
   analysis:
     name: Scorecards analysis
     if: github.repository == 'systemd/systemd'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     permissions:
       id-token: write # Used to receive a badge.
 

.github/workflows/unit_tests.sh

@@ -46,18 +46,23 @@ for phase in "${PHASES[@]}"; do
     case $phase in
         SETUP)
             info "Setup phase"
-            # PPA with some newer build dependencies
-            add-apt-repository -y --no-update ppa:upstream-systemd-ci/systemd-ci
-            add-apt-repository -y --no-update --enable-source
+            # This is added by default, and it is often broken, but we don't need anything from it
+            rm -f /etc/apt/sources.list.d/microsoft-prod.{list,sources}
+            # add-apt-repository --enable-source does not work on deb822 style sources.
+            for f in /etc/apt/sources.list.d/*.sources; do
+                sed -i "s/Types: deb/Types: deb deb-src/g" "$f"
+            done
             apt-get -y update
             apt-get -y build-dep systemd
             apt-get -y install "${ADDITIONAL_DEPS[@]}"
-            pip3 install -r .github/workflows/requirements.txt --require-hashes
+            pip3 install -r .github/workflows/requirements.txt --require-hashes --break-system-packages
             ;;
         RUN|RUN_GCC|RUN_CLANG|RUN_CLANG_RELEASE)
             if [[ "$phase" =~ ^RUN_CLANG ]]; then
                 export CC=clang
                 export CXX=clang++
+                export CFLAGS="-fno-sanitize=function"
+                export CXXFLAGS="-fno-sanitize=function"
                 if [[ "$phase" == RUN_CLANG ]]; then
                     # The docs build is slow and is not affected by compiler/flags, so do it just once
                     MESON_ARGS+=(-Dman=enabled)
@@ -82,6 +87,8 @@ for phase in "${PHASES[@]}"; do
             if [[ "$phase" =~ ^RUN_CLANG_ASAN_UBSAN ]]; then
                 export CC=clang
                 export CXX=clang++
+                export CFLAGS="-fno-sanitize=function"
+                export CXXFLAGS="-fno-sanitize=function"
                 # Build fuzzer regression tests only with clang (for now),
                 # see: https://github.com/systemd/systemd/pull/15886#issuecomment-632689604
                 # -Db_lundef=false: See https://github.com/mesonbuild/meson/issues/764

.github/workflows/unit_tests.yml

@@ -14,7 +14,7 @@ permissions:
 
 jobs:
   build:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     concurrency:
       group: ${{ github.workflow }}-${{ matrix.run_phase }}-${{ matrix.cryptolib }}-${{ github.ref }}
       cancel-in-progress: true

mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf

@@ -4,5 +4,10 @@
 Distribution=centos
 
 [Content]
+Environment=
+        # The kernel versions in CentOS Stream 9 doesn't support orphan_file, but later versions of
+        # mkfs.ext4 enabled it by default, so we disable it explicitly.
+        Environment=SYSTEMD_REPART_MKFS_OPTIONS_EXT4="-O ^orphan_file"
+
 Packages=
         kernel-modules # For squashfs support