ci: run chcon only if selinux is enforcing, add more CI checks for flagd (#31)

erenatas · web-flow · commit 8a5cf2ea44e3 · 2025-02-24T09:02:26.000-05:00
Signed-off-by: Eren Atas &lt;eren.atas@booking.com&gt;
diff --git a/.github/workflows/flagd-check.yml b/.github/workflows/flagd-check.yml
@@ -0,0 +1,43 @@
+name: Flagd Checks
+
+on:
+  push:
+    paths:
+      - 'crates/flagd/**'
+      - '.github/workflows/flagd-check.yml'
+  pull_request:
+    paths:
+      - 'crates/flagd/**'
+      - '.github/workflows/flagd-check.yml'
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Update git submodules
+        run: git submodule update --init --recursive
+
+      - name: Install protobuf compiler
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y protobuf-compiler
+
+      - name: Install cargo-msrv and cargo-readme
+        working-directory: crates/flagd
+        run: |
+          cargo install cargo-msrv --locked
+          cargo install cargo-readme
+
+      - name: Verify Minimum Supported Rust Version
+        working-directory: crates/flagd
+        run: cargo msrv verify
+
+      - name: Check README is up-to-date
+        working-directory: crates/flagd
+        run: |
+          cargo readme --no-title --no-license > README.md.generated
+          diff README.md README.md.generated
+
diff --git a/crates/flagd/tests/common/mod.rs b/crates/flagd/tests/common/mod.rs
@@ -154,18 +154,30 @@ impl ConfigFile {
 
         // Platform-specific security configuration
         if cfg!(target_os = "linux") {
-            // SELinux context for container access
-            let status = std::process::Command::new("chcon")
-                .arg("--type=container_file_t")
-                .arg(temp_file.path())
-                .status();
-
-            // Fallback to container-specific context if needed
-            if status.is_err() {
-                let _ = std::process::Command::new("chcon")
-                    .arg("--type=svirt_sandbox_file_t")
+            // Check if SELinux is enforcing
+            let selinux_enforcing = std::process::Command::new("getenforce")
+                .output()
+                .map(|output| {
+                    String::from_utf8_lossy(&output.stdout)
+                        .trim()
+                        .eq_ignore_ascii_case("enforcing")
+                })
+                .unwrap_or(false);
+
+            if selinux_enforcing {
+                // SELinux context for container access
+                let status = std::process::Command::new("chcon")
+                    .arg("--type=container_file_t")
                     .arg(temp_file.path())
                     .status();
+
+                // Fallback to container-specific context if needed
+                if status.is_err() {
+                    let _ = std::process::Command::new("chcon")
+                        .arg("--type=svirt_sandbox_file_t")
+                        .arg(temp_file.path())
+                        .status();
+                }
             }
         } else if cfg!(target_os = "macos") {
             // Ensure POSIX permissions for Docker Desktop
