ci: Catch tests corrupting the source directory #32874

pull maflcko wants to merge 2 commits into bitcoin:master from maflcko:2507-ci-less-corrupt changing 1 files +16 −7
  1. maflcko commented at 9:55 am on July 4, 2025: member

    At best it is annoying when tests delete random files in my source dir, or when they leave around temp files. At worst, it is an attempt to inject a backdoor.

    So try to catch them in CI.

    For example, this should hopefully catch:

    $ ( echo 'my file content' > streams_tmp ) && ls streams_tmp && ./bld-cmake/bin/bench_bitcoin --filter=FindByte && ls streams_tmp
    streams_tmp
    ...
    ls: cannot access 'streams_tmp': No such file or directory
    
  2. DrahtBot added the label Tests on Jul 4, 2025
  3. DrahtBot commented at 9:55 am on July 4, 2025: contributor

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Code Coverage & Benchmarks

    For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/32874.

    Reviews

    See the guideline for information on the review process. A summary of reviews will appear here.

    Conflicts

    Reviewers, this pull request conflicts with the following ones:

    • #32880 (ci: Avoid cd into build dir by maflcko)
    • #31349 (ci: detect outbound internet traffic generated while running tests by vasild)

    If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

  4. maflcko force-pushed on Jul 4, 2025
  5. DrahtBot added the label CI failed on Jul 4, 2025
  6. maflcko commented at 10:26 am on July 4, 2025: member
    I am a bit confused about the ci failures. I guess it makes sense that chattr doesn’t work on zfs, but is it also known to not work on overlayfs? If it doesn’t work at all, I wonder how commit 5c2185b3b624ce87320ec16412f98ab591a5860c makes sense to enable the use of chattr in ci. Is there a single setup where it is known to work?
  7. maflcko force-pushed on Jul 4, 2025
  8. maflcko force-pushed on Jul 4, 2025
  9. maflcko force-pushed on Jul 4, 2025
  10. ci: Avoid cd into build dir
    Changing into the build dir is confusing, and brittle. Avoiding this is
    required for the next commit.
    5735d815ef
  11. ci: Catch tests corrupting the source directory 2890d3afb1
  12. maflcko force-pushed on Jul 4, 2025
  13. maflcko commented at 12:40 pm on July 4, 2025: member
    so on linux the check doesn’t work and on macos it passed: https://github.com/bitcoin/bitcoin/actions/runs/16073560546/job/45363434537?pr=32874#step:7:2812 :(
  14. maflcko commented at 10:44 am on July 7, 2025: member
    Closing for now. Probably best to move this to a dedicated nightly ci, than to try to force it into the existing ci infra.
  15. maflcko closed this on Jul 7, 2025

  16. maflcko deleted the branch on Jul 7, 2025
  17. luke-jr commented at 8:42 pm on July 7, 2025: member

    Better not to trust CI to do a security audit for you…

    One benefit of CMake is that you can build as another user without write access to the source dir (or indeed, in an isolated container).


github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2025-07-07 21:13 UTC