From 7cef024bbe43c0b78865a8602c4f8132d2d96e39 Mon Sep 17 00:00:00 2001 From: Sebastian Pipping Date: Tue, 4 Jun 2024 20:12:39 +0200 Subject: [PATCH 1/8] build.yml: No longer stop at first failure --- .github/workflows/build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5e528866..362493c0 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -9,6 +9,7 @@ jobs: runs-on: ubuntu-22.04 strategy: + fail-fast: false matrix: config: - { From 37da3b851bd657f1cd3a35abfb3b40740dc0e3f5 Mon Sep 17 00:00:00 2001 From: Sebastian Pipping Date: Tue, 4 Jun 2024 20:27:44 +0200 Subject: [PATCH 2/8] docker.yml: Migrate from end-of-life Alpine 3.15 to 3.20 .. because the build started failing. Symptom was (with line breaks added): > /usr/lib/gcc/x86_64-alpine-linux-musl/10.3.1/../../../../x86_64-alpine-linux-musl/bin/ld: > /usr/lib/gcc/x86_64-alpine-linux-musl/10.3.1/../../../../lib/libqb.so: unknown type [0x13] section `.relr.dyn' > /usr/lib/gcc/x86_64-alpine-linux-musl/10.3.1/../../../../x86_64-alpine-linux-musl/bin/ld: > skipping incompatible /usr/lib/gcc/x86_64-alpine-linux-musl/10.3.1/../../../../lib/libqb.so when searching for -lqb Dependency Bash is no longer installed by default with 3.20, so it needs installation now. --- .github/workflows/docker.yml | 2 +- ...x_3_15.Dockerfile => build_on_alpine_linux_3_20.Dockerfile} | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) rename scripts/docker/{build_on_alpine_linux_3_15.Dockerfile => build_on_alpine_linux_3_20.Dockerfile} (98%) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 7a6cee0b..60fc4f4a 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml 
@@ -26,7 +26,7 @@ jobs: fail-fast: false matrix: linux_distro: - - Alpine Linux 3.15 # with musl + - Alpine Linux 3.20 # with musl - CentOS 8.2 # with GCC 8.5.0 - Debian Buster with GCC 9.2 # stock buster has GCC 8.3 - Ubuntu 22.04 # because super popular diff --git a/scripts/docker/build_on_alpine_linux_3_15.Dockerfile b/scripts/docker/build_on_alpine_linux_3_20.Dockerfile similarity index 98% rename from scripts/docker/build_on_alpine_linux_3_15.Dockerfile rename to scripts/docker/build_on_alpine_linux_3_20.Dockerfile index 5b20958d..84b16e51 100644 --- a/scripts/docker/build_on_alpine_linux_3_15.Dockerfile +++ b/scripts/docker/build_on_alpine_linux_3_20.Dockerfile @@ -14,13 +14,14 @@ ## You should have received a copy of the GNU General Public License ## along with this program. If not, see . -FROM alpine:3.15 +FROM alpine:3.20 RUN echo '@edge-testing https://dl-cdn.alpinelinux.org/alpine/edge/testing' >> /etc/apk/repositories \ && \ apk add --update \ asciidoc \ autoconf \ automake \ + bash \ dbus-glib-dev \ file \ g++ \ From 9fdd33e57bbaa8446a0b2420c808bc0d2cca8893 Mon Sep 17 00:00:00 2001 From: Sebastian Pipping Date: Tue, 4 Jun 2024 20:29:46 +0200 Subject: [PATCH 3/8] RuleSet.cpp: Reformat RuleSet::assignID to fix CI --- src/Library/public/usbguard/RuleSet.cpp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/Library/public/usbguard/RuleSet.cpp b/src/Library/public/usbguard/RuleSet.cpp index b4bd953b..a35c7676 100644 --- a/src/Library/public/usbguard/RuleSet.cpp +++ b/src/Library/public/usbguard/RuleSet.cpp @@ -224,10 +224,10 @@ namespace usbguard uint32_t RuleSet::assignID() { const auto next_id = _id_next + 1; - if (next_id >= Rule::LastID) [[unlikely]] - { - throw std::out_of_range("Rule ID too high"); - } + if (next_id >= Rule::LastID) + [[unlikely]] { + throw std::out_of_range("Rule ID too high"); + } _id_next = next_id; return next_id; } From 59a23ceb5818b3e84c5737ae16b11f1f0273808b Mon Sep 17 00:00:00 2001 
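Review bot: `FROM alpine:3.20` is still a floating tag, so the image this CI job builds in can change underneath the workflow without any commit; for a security project's build I would pin the base by digest (`FROM alpine:3.20@sha256:<digest>`, refreshed deliberately when bumping) or at least acknowledge that the weekly run is testing a moving target. The context line above the added `bash \` still appends the `@edge-testing` repository, and the `.relr.dyn` linker error quoted in the commit message looks like the kind of mismatch you get when a library built by a newer edge toolchain is linked by the stable one, so the 3.20 bump may be masking that rather than fixing it; it is worth checking whether whatever needed edge is now in 3.20 main/community so that line can go. `apk add --update` also leaves the package index in the layer, where `apk add --no-cache` is the usual form. The RUN command continues past the end of the hunk.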
From: Sebastian Pipping
Date: Wed, 5 Jun 2024 00:34:13 +0200
Subject: [PATCH 4/8] RuleSet.cpp: Drop C++20 feature of questionable value

---
 src/Library/public/usbguard/RuleSet.cpp | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/Library/public/usbguard/RuleSet.cpp b/src/Library/public/usbguard/RuleSet.cpp
index a35c7676..45101e73 100644
--- a/src/Library/public/usbguard/RuleSet.cpp
+++ b/src/Library/public/usbguard/RuleSet.cpp
@@ -224,8 +224,7 @@ namespace usbguard
 uint32_t RuleSet::assignID()
 {
 const auto next_id = _id_next + 1;
- if (next_id >= Rule::LastID)
- [[unlikely]] {
+ if (next_id >= Rule::LastID) {
 throw std::out_of_range("Rule ID too high");
 }
 _id_next = next_id;

From 1a8325ee6d7724f41b1eb20f95ed5f019e1e445d Mon Sep 17 00:00:00 2001
From: Sebastian Pipping
Date: Wed, 5 Jun 2024 00:46:56 +0200
Subject: [PATCH 5/8] Get us notified of CI breakage with no more delay than a week

---
 .github/workflows/build.yml | 2 ++
 .github/workflows/docker.yml | 2 ++
 .github/workflows/polkit.yml | 2 ++
 3 files changed, 6 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 362493c0..633d1aca 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -3,6 +3,8 @@ name: C/C++ CI
 on:
 push:
 pull_request:
+ schedule:
+ - cron: '0 4 * * 5' # Every Friday at 4am

 jobs:
 build:
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 60fc4f4a..6fbd8fa4 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -19,6 +19,8 @@ name: Build on non-Ubuntu Linux using Docker
 on:
 push:
 pull_request:
+ schedule:
+ - cron: '0 4 * * 5' # Every Friday at 4am

 jobs:
 build_docker:
diff --git a/.github/workflows/polkit.yml b/.github/workflows/polkit.yml
index 379381e9..62069973 100644
--- a/.github/workflows/polkit.yml
+++ b/.github/workflows/polkit.yml
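Review bot: The added `- cron: '0 4 * * 5' # Every Friday at 4am` line in build.yml should say which clock it means, because GitHub evaluates `schedule` cron expressions in UTC; `# Every Friday at 04:00 UTC` is the accurate comment, and the identical string added to docker.yml and polkit.yml should change with it. Two caveats on the "no more delay than a week" goal in the commit message, both about GitHub behaviour rather than anything in the hunk, so verify them: as far as I know scheduled workflows are automatically disabled in a public repository after 60 days without commit activity, and failure notifications for scheduled runs go only to the user who last edited the cron line, so the notification path silently depends on one account. The `on:` block these lines extend begins above the hunk.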
@@ -19,6 +19,8 @@ name: Check for Polkit policy parse errors on: push: pull_request: + schedule: + - cron: '0 4 * * 5' # Every Friday at 4am jobs: polkit_policies: From eb3d78443e30fe6ddf50730c6896d701ee40f591 Mon Sep 17 00:00:00 2001 From: Sebastian Pipping Date: Wed, 5 Jun 2024 00:49:47 +0200 Subject: [PATCH 6/8] Drop GitHub Actions permissions to minimum for security --- .github/workflows/build.yml | 4 ++++ .github/workflows/docker.yml | 4 ++++ .github/workflows/polkit.yml | 4 ++++ 3 files changed, 12 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 633d1aca..9529164e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -6,6 +6,10 @@ on: schedule: - cron: '0 4 * * 5' # Every Friday at 4am +# Drop permissions to minimum for security +permissions: + contents: read + jobs: build: diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 6fbd8fa4..a3cc32cb 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -22,6 +22,10 @@ on: schedule: - cron: '0 4 * * 5' # Every Friday at 4am +# Drop permissions to minimum for security +permissions: + contents: read + jobs: build_docker: strategy: diff --git a/.github/workflows/polkit.yml b/.github/workflows/polkit.yml index 62069973..fa42b473 100644 --- a/.github/workflows/polkit.yml +++ b/.github/workflows/polkit.yml @@ -22,6 +22,10 @@ on: schedule: - cron: '0 4 * * 5' # Every Friday at 4am +# Drop permissions to minimum for security +permissions: + contents: read + jobs: polkit_policies: From 668ed0de9294103d01104c5c6a6a5a306d953fe1 Mon Sep 17 00:00:00 2001 
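Review bot: The comment `# Drop permissions to minimum for security` above the added `permissions:` block in build.yml explains the motive but not the effect, which is what the next person adding a job needs: the workflow-level block makes the GITHUB_TOKEN read-only for repository contents and removes every other scope in every job, so a future job that needs more (say `pull-requests: write`) has to declare its own `permissions:`. I would reword it to `# GITHUB_TOKEN is read-only in every job; a job needing more must set its own permissions:`. The restriction mainly matters for push and schedule runs, since pull_request runs from forks already receive a read-only token as far as I know. The `jobs:` block continues below the hunk.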
From: Sebastian Pipping
Date: Wed, 5 Jun 2024 00:56:04 +0200
Subject: [PATCH 7/8] RuleSet.cpp: Fix RuleSet::assignID return value regression

Commit 3672e9f84d2ed55994a0df739c4d6d43316c2272 changed the return value of `RuleSet::assignID` from "return x++" to "return ++x" which broke CI and skipped value 0. This commits restores the old behavior. This approach does not win prices in purity, elegance or performance, but performance doesn't matter in that function and you are invited to claim those prices for yourself if you can prvide a pull request that humans understand and that fully passes existing CI...
---
 src/Library/public/usbguard/RuleSet.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Library/public/usbguard/RuleSet.cpp b/src/Library/public/usbguard/RuleSet.cpp
index 45101e73..f1dceee1 100644
--- a/src/Library/public/usbguard/RuleSet.cpp
+++ b/src/Library/public/usbguard/RuleSet.cpp
@@ -228,7 +228,7 @@ namespace usbguard
 throw std::out_of_range("Rule ID too high");
 }
 _id_next = next_id;
- return next_id;
+ return next_id - 1;
 }

 void RuleSet::setWritable()

From 29f40fa9d0a772b35990998e044eb0f5971a6e65 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping
Date: Wed, 5 Jun 2024 01:27:00 +0200
Subject: [PATCH 8/8] RuleSet.cpp: Fix formatting to match CI checks

---
 src/Library/public/usbguard/RuleSet.cpp | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/Library/public/usbguard/RuleSet.cpp b/src/Library/public/usbguard/RuleSet.cpp
index f1dceee1..a7184013 100644
--- a/src/Library/public/usbguard/RuleSet.cpp
+++ b/src/Library/public/usbguard/RuleSet.cpp
@@ -224,9 +224,11 @@ namespace usbguard
 uint32_t RuleSet::assignID()
 {
 const auto next_id = _id_next + 1;
+
 if (next_id >= Rule::LastID) {
 throw std::out_of_range("Rule ID too high");
 }
+
 _id_next = next_id;
 return next_id - 1;
 }
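Review bot: `return next_id - 1;` recovers the post-increment result by subtracting from the already-advanced value, which is what the commit message apologises for; the same behaviour reads naturally if the function works with the ID it is handing out and derives the successor from it, as in the rewrite below (same guard, same stored value, same return, so existing CI should be unaffected). Note that with this guard the function throws as soon as `_id_next + 1` reaches `Rule::LastID`, so the highest ID it ever returns is `Rule::LastID - 2`; whether `LastID` is an exclusive bound (making this one ID short) or a sentinel I cannot tell from here, and a comment on the guard or a unit test pinning the last assignable ID would keep the next refactor from moving it again. `_id_next + 1` cannot wrap as long as `_id_next` is only advanced by this function and `Rule::LastID` is below `UINT32_MAX`; if `_id_next` can also be seeded from loaded rules, that assumption deserves a check at the seeding site. The function's signature and the guard sit above this hunk, outside it.
```cpp
uint32_t RuleSet::assignID()
{
  // Hand out the current counter value and advance to its successor.  The
  // guard refuses to advance past Rule::LastID - 1, so Rule::LastID - 2 is
  // the highest ID ever returned; this is exactly the "next_id - 1" behaviour.
  const auto id = _id_next;

  if (id + 1 >= Rule::LastID) {
    throw std::out_of_range("Rule ID too high");
  }

  _id_next = id + 1;
  return id;
}
```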