ci: Rework to be based on FAH + priv container

Installing build dependencies directly on a host should be
considered an anti-pattern.  Steal some of the bits from
rpm-ostree's PAPR bits.

Another benefit here is we avoid duplicating the build dependencies again, since
we start using `yum-builddep.

We only have one context now, `f25-primary`, rather than having Clang
show up as a separate thing, since IMO it's not worth its own context.

.papr.yml

@@ -1,81 +1,39 @@
+# This PAPR file is mostly inspired by the one in projectatomic/rpm-ostree;
+# if making enhancements here, consider doing them there first.
 branches:
     - master
     - auto
     - try
 
-host:
-    distro: fedora/25/cloud
+required: true
+context: f25-primary
 
-packages:
-    - gcc
-    - sudo
-    - which
-    - attr
-    - fuse
-    - gjs
-    - parallel
-    - clang
-    - libubsan
-    - gnome-desktop-testing
-    - pkgconfig(fuse)
-    - pkgconfig(gio-unix-2.0)
-    - pkgconfig(gobject-introspection-1.0) >= 1.40.0
-    - pkgconfig(json-glib-1.0)
-    - pkgconfig(libarchive) >= 2.8.0
-    - pkgconfig(libelf) >= 0.8.12
-    - pkgconfig(libsoup-2.4)
-    - pkgconfig(ostree-1) >= %{ostree_version}
-    - pkgconfig(polkit-gobject-1)
-    - pkgconfig(libseccomp)
-    - pkgconfig(xau)
-    - bubblewrap >= %{bubblewrap_version}
-    - docbook-dtds
-    - docbook-style-xsl
-    - intltool
-    - libattr-devel
-    - libcap-devel
-    - libdwarf-devel
-    - elfutils
-    - systemd
-    - ostree
-    - gpgme-devel
-    - /usr/bin/xmlto
-    - /usr/bin/xsltproc
-    - redhat-rpm-config
-    - /usr/bin/update-mime-database
-    - /usr/bin/update-desktop-database
-    - /usr/bin/gtk-update-icon-cache
+# This test case wants an "unprivileged container with bubblewrap",
+# which we don't have right now; so just provision a VM and do a
+# docker --privileged run.
+host:
+  distro: fedora/25/atomic
 
 env:
-    CFLAGS: '-fsanitize=undefined'
-
-build:
-    config-opts: >
-      --prefix=/usr
-      --libdir=/usr/lib64
-      --enable-installed-tests
-      --enable-gtk-doc
+    # TODO: CFLAGS: Readd -fsanitize-undefined-trap-on-error -fsanitize=address after debugging
+    # https://github.com/flatpak/flatpak/pull/849#issuecomment-308483205
+    CFLAGS: '-fsanitize=undefined -O2 -Wp,-D_FORTIFY_SOURCE=2'
+    ASAN_OPTIONS: 'detect_leaks=0'  # Right now we're not fully clean, but this gets us use-after-free etc
+    # TODO when we're doing leak checks: G_SLICE: "always-malloc"
 
+# copy yum.repos.d to get any injected repos from the host, which
+# will point to a closer mirror
 tests:
-    - make check
+  - docker run --privileged --rm
+    -e "CFLAGS=${CFLAGS:-}"
+    -e "ASAN_OPTIONS=${ASAN_OPTIONS:-}"
+    -v /etc/yum.repos.d:/etc/yum.repos.d.host:ro
+    -v $(pwd):/srv/code -w /srv/code
+    registry.fedoraproject.org/fedora:25 /bin/sh -c
+    "cp -fv /etc/yum.repos.d{.host/*.repo,} &&
+     ./ci/build-check.sh"
 
 timeout: 30m
 
 artifacts:
-    - test-suite.log
-
----
-
-inherit: true
-
-context: Clang
-
-container:
-    image: fedora:25
-
-env:
-    CC: 'clang'
-    CFLAGS: '-Werror=unused-variable'
-
-tests:
-artifacts:
+  - test-suite.log

ci/build-check.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/bash
+# Install build dependencies, run unit tests and installed tests.
+
+set -xeuo pipefail
+
+dn=$(dirname $0)
+. ${dn}/libbuild.sh
+${dn}/build.sh
+make check
+
+if test -x /usr/bin/clang; then
+    git clean -dfx && git submodule foreach git clean -dfx
+    # And now a clang build to find unused variables; perhaps
+    # in the future these could parallelize
+    export CC=clang
+    export CFLAGS='-Werror=unused-variable'
+    build
+fi

ci/build.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/bash
+# Install build dependencies, run unit tests and installed tests.
+
+set -xeuo pipefail
+
+dn=$(dirname $0)
+. ${dn}/libbuild.sh
+
+pkg_install_builddeps flatpak
+pkg_install sudo which attr fuse \
+    libubsan libasan libtsan \
+    elfutils ostree \
+    /usr/bin/{update-mime-database,update-desktop-database,gtk-update-icon-cache}
+pkg_install_if_os fedora gjs parallel clang
+
+build --enable-gtk-doc ${CONFIGOPTS:-}

ci/libbuild.sh

@@ -0,0 +1,54 @@
+#!/usr/bin/bash
+
+make() {
+    /usr/bin/make -j $(getconf _NPROCESSORS_ONLN) "$@"
+}
+
+build() {
+    env NOCONFIGURE=1 ./autogen.sh
+    ./configure --prefix=/usr --libdir=/usr/lib64 "$@"
+    make V=1
+}
+
+pkg_install() {
+    yum -y install "$@"
+}
+
+pkg_install_if_os() {
+    os=$1
+    shift
+    (. /etc/os-release;
+         if test "${os}" = "${ID}"; then
+            pkg_install "$@"
+         else
+             echo "Skipping installation on OS ${ID}: $@"
+         fi
+    )
+}
+
+pkg_builddep() {
+    # This is sadly the only case where it's a different command
+    if test -x /usr/bin/dnf; then
+        dnf builddep -y "$@"
+    else
+        yum-builddep -y "$@"
+    fi
+}
+
+pkg_install_builddeps() {
+    pkg=$1
+    if test -x /usr/bin/dnf; then
+        yum -y install dnf-plugins-core
+        yum install -y 'dnf-command(builddep)'
+        # Base buildroot
+        pkg_install @buildsys-build
+    else
+        yum -y install yum-utils
+        # Base buildroot, copied from the mock config sadly
+        yum -y install bash bzip2 coreutils cpio diffutils system-release findutils gawk gcc gcc-c++ grep gzip info make patch redhat-rpm-config rpm-build sed shadow-utils tar unzip util-linux which xz
+    fi
+    # builddeps+runtime deps
+    pkg_builddep $pkg
+    pkg_install $pkg
+    rpm -e $pkg
+}