Merge branch 'polkit-org:main' into main

.editorconfig

@@ -0,0 +1,33 @@
+# EditorConfig configuration for polkit
+# http://EditorConfig.org
+
+# NOTE: If you update this file make sure to update .dir-locals.el and .vimrc,
+# too.
+
+# Top-most EditorConfig file
+root = true
+
+# Unix-style newlines with a newline ending every file, utf-8 charset
+[*]
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+charset = utf-8
+
+[NEWS]
+indent_style = space
+indent_size = 2
+
+[*.{c,h}]
+indent_style = space
+indent_size = 2
+max_line_length = 109
+
+[meson.build]
+indent_style = space
+indent_size = 2
+
+[*.{html,xml}]
+indent_size = 2
+indent_style = space
+

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,37 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Desktop (please complete the following information):**
+ - OS (including version):
+ - Desktop Environment [Gnome, KDE, ...]:
+ - Version of polkit:
+
+**Additional context**
+Add any other context about the problem here.
+
+**Please...**
+If possible, provide information from journal/logs. If using systemd, this can be retrieved with `journalctl -u polkit.service` command.  
+This will speed up the process of helping you a lot!  
+Thank you.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: monthly

.github/workflows/ci.sh

@@ -3,23 +3,15 @@ set -eux
 set -o pipefail
 
 # TODO
-#   - enable --werror
-#       - currently there's a lot of warnings which need to be taken care of first
-#   - re-enable test-polkitbackendjsauthority
-#       - mocklibc overrides LD_PRELOAD, causing ASan to report false positives
-#         (with asan_verify_no_link=0)
-#   - re-enable unit tests built with ASan + sanitizers
-#       - currently polkit fails to build with clang >= 17 completely, and
-#         with older clang it needs to be built with -shared-libasan, which
-#         requires another set of tweaks to the environment
+#   - drop -Wno-deprecated-declarations
 
 PHASE="${1:?}"
 COMMON_BUILD_OPTS=(
     -Dauthfw=pam
     -Dexamples=true
     -Dgtk_doc=true
     -Dintrospection=true
-    -Dsession_tracking=libsystemd-login
+    -Dsession_tracking=logind
     -Dtests=true
 )
 
@@ -40,9 +32,17 @@ case "$PHASE" in
         )
 
         for opt in "${BUILD_TEST_FLAGS[@]}"; do
+            COMPILER_FLAGS=(-Wno-deprecated-declarations)
+
+            if [[ "$opt" != --optimization=0 ]]; then
+                COMPILER_FLAGS+=(-D_FORTIFY_SOURCE=2)
+            fi
+
             meson setup build \
                 -Dman=true \
-                -Dcpp_args="-D_FORTIFY_SOURCE=2" \
+                --werror \
+                -Dc_args="${COMPILER_FLAGS[*]}" \
+                -Dcpp_args="${COMPILER_FLAGS[*]}" \
                 "${COMMON_BUILD_OPTS[@]}" \
                 "$opt"
             meson compile -C build -v
@@ -55,6 +55,7 @@ case "$PHASE" in
 
         meson setup build \
             -Dman=true \
+            -Dc_args="-D_FORTIFY_SOURCE=2" \
             -Dcpp_args="-D_FORTIFY_SOURCE=2" \
             "${COMMON_BUILD_OPTS[@]}"
 
@@ -73,8 +74,7 @@ case "$PHASE" in
             -Db_lundef=false \
             "${COMMON_BUILD_OPTS[@]}"
 
-        # Note: we need to set verify_asan_link_order=0 as polkit LD_PRELOADs libmocklibc in unit tests
-        export ASAN_OPTIONS=strict_string_checks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1:verify_asan_link_order=0
+        export ASAN_OPTIONS=strict_string_checks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1
         export UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1
 
         meson compile -C build -v

.github/workflows/ci.yml

@@ -16,7 +16,9 @@ permissions:
 jobs:
   build:
     runs-on: ubuntu-latest
-    container: registry.fedoraproject.org/fedora:latest
+    container:
+      image: registry.fedoraproject.org/fedora:latest
+      options: "--privileged"
     concurrency:
       group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.phase }}
       cancel-in-progress: true
@@ -30,7 +32,7 @@ jobs:
 
       - name: Install build & test dependencies
         run: |
-          sudo dnf install -y dnf-plugins-core python3-dbusmock clang compiler-rt libasan libubsan
+          sudo dnf install -y dnf-plugins-core python3-dbusmock clang compiler-rt libasan libubsan mozjs115-devel
           sudo dnf builddep -y polkit
 
       - name: Build & test

.github/workflows/codeql.yml

@@ -13,11 +13,11 @@ on:
 jobs:
   analyze:
     name: Analyze
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     permissions:
       security-events: write
     concurrency:
-      group: ${{ github.workflow }}-${{ matrix.ref }}-${{ matrix.language }}
+      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.language }}
       cancel-in-progress: true
     strategy:
       fail-fast: false
@@ -37,7 +37,7 @@ jobs:
     - name: Install dependencies
       if: ${{ matrix.language == 'c-cpp' }}
       run: |
-        sudo add-apt-repository -y --no-update --enable-source
+        sudo sed -i 's/^Types: deb/Types: deb deb-src/g' /etc/apt/sources.list.d/*.sources
         sudo apt update
         sudo apt build-dep -y policykit-1
         # polkit in Ubuntu Jammy (ATTOW) doesn't have the latest build dependencies yet

.github/workflows/coverity.sh

@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.0-or-later
+
+set -eux
+
+COVERITY_SCAN_TOOL_BASE="/tmp/coverity-scan-analysis"
+COVERITY_SCAN_PROJECT_NAME="polkit"
+
+coverity_install_script() {
+    local platform tool_url tool_archive
+
+    platform=$(uname)
+    tool_url="https://scan.coverity.com/download/${platform}"
+    tool_archive="/tmp/cov-analysis-${platform}.tgz"
+
+    set +x # this is supposed to hide COVERITY_SCAN_TOKEN
+    echo -e "\033[33;1mDownloading Coverity Scan Analysis Tool...\033[0m"
+    wget -nv -O "$tool_archive" "$tool_url" --post-data "project=$COVERITY_SCAN_PROJECT_NAME&token=${COVERITY_SCAN_TOKEN:?}"
+    set -x
+
+    mkdir -p "$COVERITY_SCAN_TOOL_BASE"
+    pushd "$COVERITY_SCAN_TOOL_BASE"
+    tar xzf "$tool_archive"
+    popd
+}
+
+run_coverity() {
+    local results_dir tool_dir results_archive sha response status_code
+
+    results_dir="cov-int"
+    tool_dir=$(find "$COVERITY_SCAN_TOOL_BASE" -type d -name 'cov-analysis*')
+    results_archive="analysis-results.tgz"
+    sha=$(git rev-parse --short HEAD)
+
+    meson setup build -Dtests=true -Dexamples=true
+    COVERITY_UNSUPPORTED=1 "$tool_dir/bin/cov-build" --dir "$results_dir" sh -c "ninja -C ./build -v"
+    "$tool_dir/bin/cov-import-scm" --dir "$results_dir" --scm git --log "$results_dir/scm_log.txt"
+
+    tar czf "$results_archive" "$results_dir"
+
+    set +x # this is supposed to hide COVERITY_SCAN_TOKEN
+    echo -e "\033[33;1mUploading Coverity Scan Analysis results...\033[0m"
+    response=$(curl \
+               --silent --write-out "\n%{http_code}\n" \
+               --form project="$COVERITY_SCAN_PROJECT_NAME" \
+               --form token="${COVERITY_SCAN_TOKEN:?}" \
+               --form email="${COVERITY_SCAN_NOTIFICATION_EMAIL:?}" \
+               --form file="@$results_archive" \
+               --form version="$sha" \
+               --form description="Daily build" \
+               https://scan.coverity.com/builds)
+    printf "\033[33;1mThe response is\033[0m\n%s\n" "$response"
+    status_code=$(echo "$response" | sed -n '$p')
+    if [ "$status_code" != "200" ]; then
+        echo -e "\033[33;1mCoverity Scan upload failed: $(echo "$response" | sed '$d').\033[0m"
+        return 1
+    fi
+    set -x
+}
+
+coverity_install_script
+run_coverity

.github/workflows/coverity.yml

@@ -0,0 +1,36 @@
+---
+# vi: ts=2 sw=2 et:
+
+name: Coverity
+
+on:
+  schedule:
+    # Run Coverity daily at midnight
+    - cron:  '0 0 * * *'
+  pull_request:
+    paths:
+      - ".github/workflows/coverity.*"
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-24.04
+    if: github.repository == 'polkit-org/polkit'
+    env:
+      # Set in repo settings -> Secrets and variables -> Actions -> Repository secrets
+      COVERITY_SCAN_TOKEN:              "${{ secrets.COVERITY_SCAN_TOKEN }}"
+      COVERITY_SCAN_NOTIFICATION_EMAIL: "${{ secrets.COVERITY_SCAN_NOTIFICATION_EMAIL }}"
+    steps:
+      - name: Repository checkout
+        uses: actions/checkout@v4
+
+      - name: Install build dependencies
+        run: |
+          sudo sed -i 's/^Types: deb/Types: deb deb-src/g' /etc/apt/sources.list.d/*.sources
+          sudo apt update
+          sudo apt build-dep -y policykit-1
+
+      - name: Build & upload the results
+        run: .github/workflows/coverity.sh

.github/workflows/differential-shellcheck.yml

@@ -0,0 +1,35 @@
+name: Differential ShellCheck
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+
+    permissions:
+      security-events: write
+
+    steps:
+      - name: Repository checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - id: ShellCheck
+        name: Differential ShellCheck
+        uses: redhat-plumbers-in-action/differential-shellcheck@v5
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - if: ${{ always() }}
+        name: Upload artifact with ShellCheck defects in SARIF format
+        uses: actions/upload-artifact@v4
+        with:
+          name: Differential ShellCheck SARIF
+          path: ${{ steps.ShellCheck.outputs.sarif }}