ci: inline guix apparmor workaround

diff --git a/.github/workflows/guix b/.github/workflows/guix
deleted file mode 100644 (file)
index 1d07710..0000000
--- a/.github/workflows/guix
+++ /dev/null
@@ -1,11 +0,0 @@
-abi <abi/4.0>,
-include <tunables/global>
-
-# https://bugs.launchpad.net/ubuntu/+source/guix/+bug/2064115
-
-profile guix /usr/bin/guix flags=(unconfined) {
-  userns,
-
-  # Site-specific additions and overrides. See local/README for details.
-  include if exists <local/guix>
-}

diff --git a/.github/workflows/guix.yml b/.github/workflows/guix.yml
index 8f06f96ad5a1f6bcafa474d3d058a4852bc7dc8b..08445d7fabfa87ac1e7c630632f6b805018720b7 100644 (file)
--- a/.github/workflows/guix.yml
+++ b/.github/workflows/guix.yml
@@ -56,10 +56,20 @@ jobs:
           key: sources-${{ hashFiles('contrib/depends/packages/*') }}
       - name: install dependencies
         run: sudo apt update; sudo apt -y install guix git ca-certificates apparmor-utils
-      - name: fix apparmor
-        run: sudo cp .github/workflows/guix /etc/apparmor.d/guix; sudo /etc/init.d/apparmor reload; sudo aa-enforce guix || echo "failed"
-      - name: purge apparmor
-        run: sudo apt purge apparmor
+      - name: apparmor workaround
+        # https://bugs.launchpad.net/ubuntu/+source/guix/+bug/2064115
+        run: |
+          sudo tee /etc/apparmor.d/guix << EOF
+          abi <abi/4.0>,
+          include <tunables/global>
+          profile guix /usr/bin/guix flags=(unconfined) {
+            userns,
+            include if exists <local/guix>
+          }
+          EOF
+          sudo /etc/init.d/apparmor reload
+          sudo aa-enforce guix || true
+          sudo apt purge apparmor
       - name: build
         run: SUBSTITUTE_URLS='http://bordeaux.guix.gnu.org' HOSTS="${{ matrix.toolchain.target }}" ./contrib/guix/guix-build
       - name: virustotal scan