Merge branch 'maint/6.6_in_ci'

PyQt 6.6 has been out for a while. Git uses on arch are already using it. Likely our next pyinstaller release will be using it. This change adds it to our test matrix, beyond the arch docker tests. * Removing -dev tag from python 3.12 job * Update ubuntu python 3.11 and 3.12 tests to use PyQt6.6 * Update macOS and windows tests to use PyQt6.6 * Allow running the nightly CI job on any branch, to get a pyinstaller build binary from your own branch Closes: #7989
2023-11-19 19:45:59 +13:00 · 2023-11-19 19:45:59 +13:00 · 9f8e9d96c8
parent 27c5cc8cae 7444179a23
commit 9f8e9d96c8
3 changed files with 80 additions and 34 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -157,28 +157,28 @@ jobs:
          - testenv: py310-pyqt65
            os: ubuntu-22.04
            python: "3.10"
-          ### PyQt 6.5 (Python 3.11)
-          - testenv: py311-pyqt65
+          ### PyQt 6.6 (Python 3.11)
+          - testenv: py311-pyqt66
            os: ubuntu-22.04
            python: "3.11"
-          ### PyQt 6.5 (Python 3.12)
-          - testenv: py312-pyqt65
+          ### PyQt 6.6 (Python 3.12)
+          - testenv: py312-pyqt66
            os: ubuntu-22.04
-            python: "3.12-dev"
-          ### macOS Big Sur: PyQt 5.15 (Python 3.9 to match PyInstaller env)
-          - testenv: py39-pyqt515
+            python: "3.12"
+          ### macOS Big Sur
+          - testenv: py311-pyqt66
            os: macos-11
-            python: "3.9"
+            python: "3.11"
            args: "tests/unit"  # Only run unit tests on macOS
          ### macOS Monterey
-          - testenv: py39-pyqt515
+          - testenv: py311-pyqt66
            os: macos-12
-            python: "3.9"
+            python: "3.11"
            args: "tests/unit"  # Only run unit tests on macOS
-          ### Windows: PyQt 5.15 (Python 3.9 to match PyInstaller env)
-          - testenv: py39-pyqt515
+          ### Windows
+          - testenv: py311-pyqt66
            os: windows-2019
-            python: "3.9"
+            python: "3.11"
    runs-on: "${{ matrix.os }}"
    steps:
      - uses: actions/checkout@v4
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@ -15,24 +15,19 @@ jobs:
      matrix:
        include:
          - os: macos-11
-            branch: main
            toxenv: build-release-qt5
            name: qt5-macos
          - os: windows-2019
-            branch: main
            toxenv: build-release-qt5
            name: qt5-windows
          - os: macos-11
            args: --debug
-            branch: main
            toxenv: build-release-qt5
            name: qt5-macos-debug
          - os: windows-2019
            args: --debug
-            branch: main
            toxenv: build-release-qt5
            name: qt5-windows-debug
-
          - os: macos-11
            toxenv: build-release
            name: macos
@ -52,7 +47,6 @@ jobs:
    steps:
      - uses: actions/checkout@v4
        with:
-          ref: "${{ matrix.branch }}"
          persist-credentials: false
      - name: Set up Python
        uses: actions/setup-python@v4
--- a/tests/end2end/test_invocations.py
+++ b/tests/end2end/test_invocations.py
@ -15,6 +15,7 @@ import re
 import json
 import platform
 from contextlib import nullcontext as does_not_raise
+from unittest.mock import ANY

 import pytest
 from qutebrowser.qt.core import QProcess, QPoint
@ -885,27 +886,78 @@ def test_sandboxing(
    bpf_text = "Seccomp-BPF sandbox"
    yama_text = "Ptrace Protection with Yama LSM"

-    header, *lines, empty, result = text.split("\n")
-    assert not empty
+    if not utils.is_windows:
+        header, *lines, empty, result = text.split("\n")
+        assert not empty

-    expected_status = {
-        "Layer 1 Sandbox": "Namespace" if has_namespaces else "None",
+        expected_status = {
+            "Layer 1 Sandbox": "Namespace" if has_namespaces else "None",

-        "PID namespaces": "Yes" if has_namespaces else "No",
-        "Network namespaces": "Yes" if has_namespaces else "No",
+            "PID namespaces": "Yes" if has_namespaces else "No",
+            "Network namespaces": "Yes" if has_namespaces else "No",

-        bpf_text: "Yes" if has_seccomp else "No",
-        f"{bpf_text} supports TSYNC": "Yes" if has_seccomp else "No",
+            bpf_text: "Yes" if has_seccomp else "No",
+            f"{bpf_text} supports TSYNC": "Yes" if has_seccomp else "No",

-        f"{yama_text} (Broker)": "Yes" if has_yama else "No",
-        f"{yama_text} (Non-broker)": "Yes" if has_yama_non_broker else "No",
-    }
+            f"{yama_text} (Broker)": "Yes" if has_yama else "No",
+            f"{yama_text} (Non-broker)": "Yes" if has_yama_non_broker else "No",
+        }

-    assert header == "Sandbox Status"
-    assert result == expected_result
+        assert header == "Sandbox Status"
+        assert result == expected_result

-    status = dict(line.split("\t") for line in lines)
-    assert status == expected_status
+        status = dict(line.split("\t") for line in lines)
+        assert status == expected_status
+
+    else:  # utils.is_windows
+        # The sandbox page on Windows if different that Linux and macOS. It's
+        # a lot more complex. There is a table up top with lots of columns and
+        # a row per tab and helper process then a json object per row down
+        # below with even more detail (which we ignore).
+        # https://www.chromium.org/Home/chromium-security/articles/chrome-sandbox-diagnostics-for-windows/
+
+        # We're not getting full coverage of the table and there doesn't seem
+        # to be a simple summary like for linux. The "Sandbox" and "Lockdown"
+        # column are probably the key ones.
+        # We are looking at all the rows in the table for the sake of
+        # completeness, but I expect there will always be just one row with a
+        # renderer process in it for this test. If other helper processes pop
+        # up we might want to exclude them.
+        lines = text.split("\n")
+        assert lines.pop(0) == "Sandbox Status"
+        header = lines.pop(0).split("\t")
+        rows = []
+        current_line = lines.pop(0)
+        while current_line.strip():
+            if lines[0].startswith("\t"):
+                # Continuation line. Not sure how to 100% identify them
+                # but new rows should start with a process ID.
+                current_line += lines.pop(0)
+                continue
+
+            columns = current_line.split("\t")
+            assert len(header) == len(columns)
+            rows.append(dict(zip(header, columns)))
+            current_line = lines.pop(0)
+
+        assert rows
+
+        # I'm using has_namespaces as a proxy for "should be sandboxed" here,
+        # which is a bit lazy but its either that or match on the text
+        # "sandboxing" arg. The seccomp-bpf arg does nothing on windows, so
+        # we only have the off and on states.
+        for row in rows:
+            assert row == {
+                "Process": ANY,
+                "Type": "Renderer",
+                "Name": "",
+                "Sandbox": "Renderer" if has_namespaces else "Not Sandboxed",
+                "Lockdown": "Lockdown" if has_namespaces else "",
+                "Integrity": ANY if has_namespaces else "",
+                "Mitigations": ANY if has_namespaces else "",
+                "Component Filter": ANY if has_namespaces else "",
+                "Lowbox/AppContainer": "",
+            }


@pytest.mark.not_frozen