Migrate CI to Github Actions

We are hitting the 1 hour time limit of Circle CI (Issue open-quantum-safe#166). This migrates the existing CircleCI job completely to Github Actions which has a 5 hour time limit.

For the most part, this is pretty much a one-to-one migration. Since upstream OpenSSH provided its own set of Github Actions, I simply moved those to the `upstream-github` directory to avoid conflicts and preserve the source. I did run into two issues with getting the integration tests to pass. Beyond that, I ran into two issues that arose from migrating to Github Actions which need to be partched around.

The combination of Github Actions' host with the OQS CI container results in a lazier reaping of zombie processes which breaks this test. In this test, ssh-agent is run as a subprocess to some arbitrary user command. This enables exclusive access to ssh-agent to that specific process. The way this works under the hood is that ssh-agent forks into a child process and the parent process exec's into the arbitrary command ([code ref](https://github.com/open-quantum-safe/openssh/blob/OQS-v9/ssh-agent.c#L2384)) which runs to completion. The child process than polls its parent process until it detects its own orphaned status and terminates itself. This, by design, results in a zombie process which must be reaped. The test's assertion uses `kill -0` to check for liveness, but that counts zombies as "alive". The workaround for this then is to add an additional check to assert that zombies are in fact "dead".

The `percent` test tests % expansions inside SSH config files (e.g. home directory, username, port number). The assertion for the home directory uses the `HOME` environmental variable. Unfortunately, when running a container on a Github Runner, they unconditionally override the value of `HOME` with `/github/home` ([issue ref](actions/runner#863)) and this breaks the test assertion. The fix here is to get a more reliable reference for the home directory and use that for the assertion.

Signed-off-by: gcr <[email protected]>

.github/workflows/ubuntu.yaml

@@ -0,0 +1,24 @@
+name: CI Checks
+on: [ push, pull_request, workflow_dispatch ]
+jobs:
+  ubuntu_build:
+    runs-on: ubuntu-latest
+    container:
+      image: openquantumsafe/ci-ubuntu-focal-x86_64:latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up SSH environment
+      run: |
+        mkdir -p -m 0755 /var/empty
+        groupadd sshd
+        useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
+    - name: Clone liboqs
+      run: ./oqs-scripts/clone_liboqs.sh
+    - name: Build liboqs
+      run: ./oqs-scripts/build_liboqs.sh
+    - name: Build OpenSSH
+      run: env WITH_OPENSSL=true ./oqs-scripts/build_openssh.sh
+    - name: Run tests documented to pass
+      run: ./oqs-test/run_tests.sh
+    - name: Ensure we have the ssh and sshd syntax right once for each algorithm
+      run: python3 oqs-test/try_connection.py doone

regress/agent-subprocess.sh

@@ -3,14 +3,18 @@
 
 tid="agent subprocess"
 
+is_alive() {
+	kill -0 ${1} >/dev/null 2>&1 && [ `ps -p ${1} -o state=` != "Z" ]
+}
+
 trace "ensure agent exits when run as subprocess"
 ${SSHAGENT} sh -c "echo \$SSH_AGENT_PID >$OBJ/pidfile; sleep 1"
 
 pid=`cat $OBJ/pidfile`
 
 # Currently ssh-agent polls every 10s so we need to wait at least that long.
 n=12
-while kill -0 $pid >/dev/null 2>&1 && test "$n" -gt "0"; do
+while is_alive ${pid} && test "$n" -gt "0"; do
 	n=$(($n - 1))
 	sleep 1
 done

regress/percent.sh

@@ -13,6 +13,7 @@ USERID=`id -u`
 HOST=`hostname | cut -f1 -d.`
 HOSTNAME=`hostname`
 HASH=""
+HOME=`grep $USER /etc/passwd | cut -d ':' -f6`
 
 # Localcommand is evaluated after connection because %T is not available
 # until then.  Because of this we use a different method of exercising it,