add an initial version of GitHub Actions testing

This is also adapting the code in some aspects to make it compatible
with older versions of Python and pygit2. Those adaptions are in
particular:
- Older versions of pygit2 didn't have enums FileMode and ObjectType. We
  define the needed values if they are missing.
- Older versions of Python didn't provide default values for the
  to_bytes function. We provide the values ourselves now.
- Older versions of pygit2 didn't convert object ids to strings
  implicitly. We do this explicitly now wherever needed.
- Older versions of Python were less robust in parsing quotes nested in
  f-string literals. Work around those constructs that found to be
  problematic.

The Windows build is currently disabled since there is still an issue
with the remote helper that I need to debug.

Ubuntuo 20.04 on ARM is also disbled because the machine currently does
not seem to start up on GitHub.

Author: schiele

.github/workflows/test.yml

@@ -0,0 +1,69 @@
+name: Test
+on: [push]
+jobs:
+  test:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os:
+          - ubuntu-20.04
+          #- ubuntu-20.04-arm
+          - ubuntu-22.04
+          - ubuntu-22.04-arm
+          - ubuntu-24.04
+          - ubuntu-24.04-arm
+          - macos-13
+          - macos-14
+          - macos-15
+          #- windows-2019
+    steps:
+      - name: Install system dependencies (Ubuntu)
+        if: startsWith(matrix.os, 'ubuntu')
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y asciidoc python3-pygit2 python3-pip
+      - name: Install system dependencies (MacOS)
+        if: startsWith(matrix.os, 'macos')
+        run : |
+          brew update
+          brew install asciidoc xmlto libgit2
+          HOMEBREW_PREFIX=$(brew --prefix)
+          echo "XML_CATALOG_FILES=${HOMEBREW_PREFIX}/etc/xml/catalog" >> $GITHUB_ENV
+      - name: Install Python packages (Posix)
+        if: runner.os != 'Windows'
+        run: |
+          python3 -m venv ~/venv
+          source ~/venv/bin/activate
+          python3 -m pip install --upgrade pip
+          python3 -m pip install pylint pycodestyle pygit2 cryptography asciidoc
+      - name: Install Python packages (Windows)
+        if: runner.os == 'Windows'
+        run: |
+          python3 -m venv $env:USERPROFILE\venv
+          "$env:USERPROFILE\venv\Scripts\activate"
+          python3 -m pip install --upgrade pip
+          python3 -m pip install pylint pycodestyle pygit2 cryptography asciidoc
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Test (Posix)
+        if: runner.os != 'Windows'
+        run: |
+          git config --global user.email "[email protected]"
+          git config --global user.name "Test User"
+          gpg --batch --gen-key .github/workflows/testkey.conf
+          source ~/venv/bin/activate
+          make KEY:=$(gpg --list-keys --with-colons | awk -F: '/^pub/ {print $5; exit}') test
+      - name: Test (Windows)
+        if: runner.os == 'Windows'
+        run: |
+          git config --global user.email "[email protected]"
+          git config --global user.name "Test User"
+          gpg --batch --gen-key .github/workflows/testkey.conf
+          dir
+          "$env:USERPROFILE/venv/Scripts/activate"
+          rm git-remote-incrypt
+          cp git-incrypt git-remote-incrypt
+          dir
+          make KEY:=$(gpg --list-keys --with-colons | awk -F: '/^pub/ {print $5; exit}') NODOC:=1 VERBOSE:=-vvv test

.github/workflows/testkey.conf

@@ -0,0 +1,9 @@
+%no-protection
+Key-Type: RSA
+Key-Length: 2048
+Subkey-Type: RSA
+Subkey-Length: 2048
+Name-Real: Test User
+Name-Email: [email protected]
+Expire-Date: 0
+%commit

Makefile

@@ -1,5 +1,10 @@
-export PATH := $(CURDIR):$(PATH)
-export MANPATH := $(CURDIR):$(MANPATH)
+ifeq ($(OS),Windows_NT)
+  PATHSEP = ;
+else
+  PATHSEP = :
+endif
+export GIT_EXEC_PATH := $(CURDIR)$(PATHSEP)$(shell git --exec-path)
+export MANPATH := $(CURDIR)$(PATHSEP)$(MANPATH)
 VERBOSE :=
 TESTREPO := $(CURDIR)
 KEY := 5A8A11E44AD2A1623B84E5AFC5C0C5C7218D18D7
@@ -8,7 +13,15 @@ REPO := incrypt::$(CURDIR)/crypt
 .PHONY: all man test clean
 
 all: man
+
+ifndef NODOC
 man: man1/git-incrypt.1
+testman: man
+	PAGER= git incrypt --help
+else
+man:
+testman:
+endif
 
 man1/%.1: man1/%.xml manpage-normal.xsl manpage-bold-literal.xsl
 	cd man1 && xmlto $(patsubst %,-m ../%,$(wordlist 2, 3, $^)) man ../$<
@@ -17,22 +30,21 @@ man1/%.xml: %.adoc asciidoc.conf
 	mkdir -p man1
 	asciidoc -f $(word 2, $^) -b docbook -d manpage -o $@ $<
 
-test: man
-	PAGER= git incrypt --help
+test: testman
 	rm -rf crypt tst
 	mkdir crypt
 	git -C crypt init --bare -b _
 	git ls-remote $(TESTREPO)
 	git incrypt init $(REPO) $(KEY)
 	git -C $(TESTREPO) fetch $(REPO) || git -C $(TESTREPO) incrypt trust $(REPO)
-	git -C $(TESTREPO) push $(VERBOSE) $(REPO) master~2:refs/heads/master
+	git -C $(TESTREPO) push $(VERBOSE) $(REPO) HEAD~2:refs/heads/master
 	git clone $(VERBOSE) $(REPO) tst
 	git -C $(TESTREPO) push $(VERBOSE) $(REPO) v0.9.0
 	git -C tst pull $(VERBOSE)
-	git -C $(TESTREPO) push $(VERBOSE) $(REPO) master
-	git -C tst pull $(VERBOSE)
-	git -C $(TESTREPO) push $(VERBOSE) --all $(REPO)
+	git -C $(TESTREPO) push $(VERBOSE) $(REPO) HEAD:master
 	git -C tst pull $(VERBOSE)
+	git -C $(TESTREPO) push $(VERBOSE) -f --all $(REPO)
+	git -C tst pull --no-rebase -X theirs --no-edit $(VERBOSE)
 	git ls-remote crypt
 	git -C tst ls-remote $(REPO)
 	git ls-remote tst

git-incrypt

@@ -35,6 +35,27 @@ from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
 from cryptography.hazmat.primitives import padding
 from cryptography.hazmat.backends import default_backend
 
+if not hasattr(pygit2.enums, 'FileMode'):
+    class FileMode(enum.IntFlag):
+        'definitions missing in older versions of pygit2'
+        # pylint: disable=c-extension-no-member disable=protected-access
+        TREE = pygit2._pygit2.GIT_FILEMODE_TREE
+        # pylint: disable=c-extension-no-member disable=protected-access
+        BLOB = pygit2._pygit2.GIT_FILEMODE_BLOB
+    pygit2.enums.FileMode = FileMode
+if not hasattr(pygit2.enums, 'ObjectType'):
+    class ObjectType(enum.IntEnum):
+        'definitions missing in older versions of pygit2'
+        # pylint: disable=c-extension-no-member disable=protected-access
+        COMMIT = pygit2._pygit2.GIT_OBJ_COMMIT
+        # pylint: disable=c-extension-no-member disable=protected-access
+        TREE = pygit2._pygit2.GIT_OBJ_TREE
+        # pylint: disable=c-extension-no-member disable=protected-access
+        BLOB = pygit2._pygit2.GIT_OBJ_BLOB
+        # pylint: disable=c-extension-no-member disable=protected-access
+        TAG = pygit2._pygit2.GIT_OBJ_TAG
+    pygit2.enums.ObjectType = ObjectType
+
 CRYPTREADME = '''# 401 Unauthorized
 
 This is an encrypted git repository.  You can clone it, but you will not be
@@ -275,8 +296,8 @@ class CryptRepo:
             'encrypt an object'
             clear = self.clearrepo.get(oid)
             cryptobjs[clear.id] = self.repo.create_blob(encryptdata(
-                clear.id.raw + clear.type.to_bytes(1) + clear.read_raw(),
-                self.meta.key))
+                clear.id.raw + clear.type.to_bytes(1, byteorder='big') +
+                clear.read_raw(), self.meta.key))
 
         def createcommit(oid):
             'create a commit'
@@ -304,12 +325,12 @@ class CryptRepo:
                              pygit2.enums.FileMode.BLOB)
             colid = collector.write()
             cryptmap[str(obj.id)] = self.meta.secretcommit(
-                colid, [cryptmap[c] for c in obj.parent_ids]
+                colid, [cryptmap[str(c)] for c in obj.parent_ids]
                 if obj.type == pygit2.enums.ObjectType.COMMIT
-                else [cryptmap[obj.target]])
+                else [cryptmap[str(obj.target)]])
 
         xrefs = [[r[0], r[1], r[3],
-                  f'{'+' if r[2] else ''}{r[3] if r[0] else ''}:{r[3]}',
+                  f"{'+' if r[2] else ''}{r[3] if r[0] else ''}:{r[3]}",
                   self.clearrepo.revparse_single(r[0]) if r[0] else None]
                  for r in [[r[0], r[1], r[2], encryptrefname(r[1],
                            self.meta.key)] for r in refs]]
@@ -325,7 +346,7 @@ class CryptRepo:
         self.meta.write(cryptmap)
         for r in xrefs:
             if r[4]:
-                self.repo.create_reference(r[2], cryptmap[r[4].id],
+                self.repo.create_reference(r[2], cryptmap[str(r[4].id)],
                                            force=True)
             else:
                 try:
@@ -379,9 +400,9 @@ def remotehelperloop():
             refs.append([src, dst, force])
             line = sys.stdin.readline().strip()
         results = crypt.push(refs)
-        sys.stdout.write(f'{
+        sys.stdout.write('{}\n'.format(
             ''.join([(f'error {r} {e}\n' if e else f'ok {r}\n')
-                     for r, e in results.items()])}\n')
+                     for r, e in results.items()])))
 
     crypt = CryptRepo(os.environ.pop('GIT_DIR', None), sys.argv[2])
     while True:
@@ -393,8 +414,8 @@ def remotehelperloop():
         if command[0] == 'capabilities':
             sys.stdout.write('fetch\npush\noption\n\n')
         elif command[0] == 'list':
-            sys.stdout.write(f'{''.join([f'{r[1]} {r[0]}\n'
-                                         for r in crypt.getrefs()])}\n')
+            sys.stdout.write('{}\n'.format(
+                ''.join([f'{r[1]} {r[0]}\n' for r in crypt.getrefs()])))
         elif command[0] == 'fetch':
             fetchcommand(line)
         elif command[0] == 'push':