From 9f7ce86b83d251c53b98853b8a5229a051984309 Mon Sep 17 00:00:00 2001 
From: Gerardo Ravago Date: Tue, 20 Aug 2024 15:22:23 -0400 Subject: [PATCH] Migrate CI to Github Actions We are hitting the 1 hour time limit of Circle CI (Issue #166). This migrates the existing CircleCI job completely to Github Actions which has a 5 hour time limit. For the most part, this is pretty much a one-to-one migration. The one oddity I noticed is a regression in one of the unit tests. I've root-caused it to a change in how Github's Ubuntu host + OQS' CI container handles zombie processes. In this configuration, they don't seem to reap zombies as aggressively as it did in CircleCI. This causes the test to "fail" because it counts a zombie as "alive". The creation of a zombie is by design due to how ssh-agent's subprocess mode works (ssh-agent forks into a child process to allow an arbitrary parent to take over, the child then becomes a zombie when it recognizes its orphaned status). To work around this, I added a check to the assertion to count zombies as "not alive" and this allows the test to pass on Github Actions. Since upstream OpenSSH provided its own set of Github Actions, I simply moved those to the `upstream-github` directory to avoid conflicts and preserve the source. 
---
.circleci/config.yml | 52 -------------------
.github/workflows/ubuntu.yaml | 24 +++++++++
regress/agent-subprocess.sh | 6 ++-
{.github => upstream-github}/ci-status.md | 0
{.github => upstream-github}/configs | 0
{.github => upstream-github}/configure.sh | 0
{.github => upstream-github}/run_test.sh | 0
{.github => upstream-github}/setup_ci.sh | 0
.../workflows/c-cpp.yml | 0
.../workflows/cifuzz.yml | 0
.../workflows/selfhosted.yml | 0
.../workflows/upstream.yml | 0
12 files changed, 29 insertions(+), 53 deletions(-)
delete mode 100644 .circleci/config.yml
create mode 100644 .github/workflows/ubuntu.yaml
rename {.github => upstream-github}/ci-status.md (100%)
rename {.github => upstream-github}/configs (100%)
rename {.github => upstream-github}/configure.sh (100%)
rename {.github => upstream-github}/run_test.sh (100%)
rename {.github => upstream-github}/setup_ci.sh (100%)
rename {.github => upstream-github}/workflows/c-cpp.yml (100%)
rename {.github => upstream-github}/workflows/cifuzz.yml (100%)
rename {.github => upstream-github}/workflows/selfhosted.yml (100%)
rename {.github => upstream-github}/workflows/upstream.yml (100%)
diff --git a/.circleci/config.yml b/.circleci/config.yml
deleted file mode 100644
index 6593c2fc4586..000000000000
--- a/.circleci/config.yml
+++ /dev/null
@@ -1,52 +0,0 @@
-version: 2.1
-
-# This is here just to make CircleCI
-# happy, but might be useful in the future.
-parameters:
- run_downstream_tests:
- type: boolean
- default: false
-
-jobs:
- ubuntu_build:
- description: A template for running BoringSSL tests on x64 Ubuntu Bionic Docker VMs
- parameters:
- WITH_OPENSSL:
- description: "Compile OpenSSH with OpenSSL."
- type: boolean
- default: true
- docker:
- - image: openquantumsafe/ci-ubuntu-focal-x86_64:latest
- auth:
- username: $DOCKER_LOGIN
- password: $DOCKER_PASSWORD
- steps:
- - checkout # change this from "checkout" to "*localCheckout" when running CircleCI locally
- - run:
- name: Set up SSH environment
- command: |
- mkdir -p -m 0755 /var/empty
- groupadd sshd
- useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
- - run:
- name: Clone liboqs
- command: ./oqs-scripts/clone_liboqs.sh
- - run:
- name: Build liboqs
- command: ./oqs-scripts/build_liboqs.sh
- - run:
- name: Build OpenSSH
- command: env WITH_OPENSSL=<< parameters.WITH_OPENSSL >> ./oqs-scripts/build_openssh.sh
- - run:
- name: Run tests documented to pass
- command: ./oqs-test/run_tests.sh
- - run:
- name: Ensure we have the ssh and sshd syntax right once for each algorithm
- command: python3 oqs-test/try_connection.py doone
-workflows:
- version: 2.1
- build:
- jobs:
- - ubuntu_build:
- name: with-openssl
- context: openquantumsafe
diff --git a/.github/workflows/ubuntu.yaml b/.github/workflows/ubuntu.yaml
new file mode 100644
index 000000000000..79e18f505863
--- /dev/null
+++ b/.github/workflows/ubuntu.yaml
@@ -0,0 +1,24 @@
+name: CI Checks
+on: [ push, pull_request ]
+jobs:
+ ubuntu_build:
+ runs-on: ubuntu-latest
+ container:
+ image: openquantumsafe/ci-ubuntu-focal-x86_64:latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up SSH environment
+ run: |
+ mkdir -p -m 0755 /var/empty
+ groupadd sshd
+ useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
+ - name: Clone liboqs
+ run: ./oqs-scripts/clone_liboqs.sh
+ - name: Build liboqs
+ run: ./oqs-scripts/build_liboqs.sh
+ - name: Build OpenSSH
+ run: env WITH_OPENSSL=true ./oqs-scripts/build_openssh.sh
+ - name: Run tests documented to pass
+ run: ./oqs-test/run_tests.sh
+ - name: Ensure we have the ssh and sshd syntax right once for each algorithm
+ run: python3 oqs-test/try_connection.py doone
diff --git a/regress/agent-subprocess.sh b/regress/agent-subprocess.sh
index 2f36d70cccae..93d7cd2da332 100644
--- a/regress/agent-subprocess.sh
+++ b/regress/agent-subprocess.sh
@@ -3,6 +3,10 @@ tid="agent subprocess"
+is_alive() {
+ kill -0 ${1} >/dev/null 2>&1 && [ `ps -p ${1} -o state=` != "Z" ]
+}
+ trace "ensure agent exits when run as subprocess" ${SSHAGENT} sh -c "echo \$SSH_AGENT_PID >$OBJ/pidfile; sleep 1"
@@ -10,7 +14,7 @@ pid=`cat $OBJ/pidfile` # Currently ssh-agent polls every 10s so we need to wait at least that long. n=12
-while kill -0 $pid >/dev/null 2>&1 && test "$n" -gt "0"; do
+while is_alive ${pid} && test "$n" -gt "0"; do
 n=$(($n - 1))
 sleep 1
 done
diff --git a/.github/ci-status.md b/upstream-github/ci-status.md
similarity index 100%
rename from .github/ci-status.md
rename to upstream-github/ci-status.md
diff --git a/.github/configs b/upstream-github/configs
similarity index 100%
rename from .github/configs
rename to upstream-github/configs
diff --git a/.github/configure.sh b/upstream-github/configure.sh
similarity index 100%
rename from .github/configure.sh
rename to upstream-github/configure.sh
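Review bot: The new workflow sets no `permissions:` key, so every step gets whatever `GITHUB_TOKEN` scope the repository defaults to. That includes the repository scripts under `oqs-scripts/` and `oqs-test/`, which run inside a third-party container image, and `on: [ push, pull_request ]` means it runs for pull requests too. A top-level `permissions:` block with `contents: read` would make least privilege explicit, and `persist-credentials: false` on the checkout step would keep the token out of the checked-out `.git/config` while the later build scripts run. Both `image: openquantumsafe/ci-ubuntu-focal-x86_64:latest` and `actions/checkout@v4` are mutable references. Pinning them, as `openquantumsafe/ci-ubuntu-focal-x86_64@sha256:<digest>` and `actions/checkout@<full-commit-sha>`, would make runs reproducible and stop an upstream retag from silently changing what executes.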
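Review bot: In `is_alive`, the unquoted `ps -p ${1} -o state=` substitution expands to nothing if the process is reaped between the `kill -0` and the `ps` call. That leaves `[ != "Z" ]`, which makes `[` fail with a usage error on stderr instead of a clean false, so the loop ends only by accident. The exact comparison with `"Z"` also assumes `ps` prints a single state letter; that presumably holds on the CI image, but may not on platforms where the state column carries extra flag characters, so it is worth confirming for a shared regress script. Quoting the argument and matching with `case` covers both: `kill -0 "$1" >/dev/null 2>&1 || return 1` followed by `case "$(ps -p "$1" -o state= 2>/dev/null)" in ''|*Z*) return 1 ;; esac`. The same quoting applies to `${pid}` in the `while` condition of the following hunk.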
diff --git a/.github/run_test.sh b/upstream-github/run_test.sh
similarity index 100%
rename from .github/run_test.sh
rename to upstream-github/run_test.sh
diff --git a/.github/setup_ci.sh b/upstream-github/setup_ci.sh
similarity index 100%
rename from .github/setup_ci.sh
rename to upstream-github/setup_ci.sh
diff --git a/.github/workflows/c-cpp.yml b/upstream-github/workflows/c-cpp.yml
similarity index 100%
rename from .github/workflows/c-cpp.yml
rename to upstream-github/workflows/c-cpp.yml
diff --git a/.github/workflows/cifuzz.yml b/upstream-github/workflows/cifuzz.yml
similarity index 100%
rename from .github/workflows/cifuzz.yml
rename to upstream-github/workflows/cifuzz.yml
diff --git a/.github/workflows/selfhosted.yml b/upstream-github/workflows/selfhosted.yml
similarity index 100%
rename from .github/workflows/selfhosted.yml
rename to upstream-github/workflows/selfhosted.yml
diff --git a/.github/workflows/upstream.yml b/upstream-github/workflows/upstream.yml
similarity index 100%
rename from .github/workflows/upstream.yml
rename to upstream-github/workflows/upstream.yml