Merge pull request #5960 from kmk3/ci-split-jobs

ci: whitelist paths, reorganize workflows & speed-up tests

10 files changed, 556 insertions, 310 deletions

diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index 3fc71a299..1629733ae 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -1,52 +1,36 @@
-name: Build-extra CI
+# Builds the project with alternative tools.
+
+name: Build-extra
 
 on:
   push:
-    paths-ignore:
-      - '.github/ISSUE_TEMPLATE/*'
-      - 'contrib/syntax/**'
-      - 'contrib/vim/**'
-      - 'etc/**'
-      - 'src/man/*.in'
-      - .git-blame-ignore-revs
-      - .github/dependabot.yml
-      - .github/pull_request_template.md
-      - .github/workflows/build.yml
-      - .github/workflows/codeql-analysis.yml
-      - .github/workflows/codespell.yml
-      - .github/workflows/profile-checks.yml
-      - .gitignore
-      - .gitlab-ci.yml
-      - CONTRIBUTING.md
-      - COPYING
-      - README
-      - README.md
-      - RELNOTES
-      - SECURITY.md
-      - src/firecfg/firecfg.config
+    paths:
+      - 'm4/**'
+      - 'src/**.c'
+      - 'src/**.h'
+      - 'src/**.mk'
+      - 'src/**Makefile'
+      - .github/workflows/build-extra.yml
+      - Makefile
+      - ci/printenv.sh
+      - config.mk.in
+      - config.sh.in
+      - configure
+      - configure.ac
   pull_request:
-    paths-ignore:
-      - '.github/ISSUE_TEMPLATE/*'
-      - 'contrib/syntax/**'
-      - 'contrib/vim/**'
-      - 'etc/**'
-      - 'src/man/*.in'
-      - .git-blame-ignore-revs
-      - .github/dependabot.yml
-      - .github/pull_request_template.md
-      - .github/workflows/build.yml
-      - .github/workflows/codeql-analysis.yml
-      - .github/workflows/codespell.yml
-      - .github/workflows/profile-checks.yml
-      - .gitignore
-      - .gitlab-ci.yml
-      - CONTRIBUTING.md
-      - COPYING
-      - README
-      - README.md
-      - RELNOTES
-      - SECURITY.md
-      - src/firecfg/firecfg.config
+    paths:
+      - 'm4/**'
+      - 'src/**.c'
+      - 'src/**.h'
+      - 'src/**.mk'
+      - 'src/**Makefile'
+      - .github/workflows/build-extra.yml
+      - Makefile
+      - ci/printenv.sh
+      - config.mk.in
+      - config.sh.in
+      - configure
+      - configure.ac
 
 permissions:  # added using https://github.com/step-security/secure-workflows
   contents: read
@@ -86,82 +70,3 @@ jobs:
       run: sudo make install
     - name: print version
       run: command -V firejail && firejail --version
-  scan-build:
-    runs-on: ubuntu-22.04
-    steps:
-    - name: Harden Runner
-      uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
-      with:
-        egress-policy: block
-        allowed-endpoints: >
-          archive.ubuntu.com:80
-          azure.archive.ubuntu.com:80
-          github.com:443
-          packages.microsoft.com:443
-          ppa.launchpadcontent.net:443
-          security.ubuntu.com:80
-    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
-    - name: update package information
-      run: sudo apt-get update -qy
-    - name: install clang-tools-14 and dependencies
-      run: >
-        sudo apt-get install -qy
-        clang-tools-14 libapparmor-dev libselinux1-dev
-    - name: print env
-      run: ./ci/printenv.sh
-    - name: configure
-      run: >
-        CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor
-        --enable-selinux
-        || (cat config.log; exit 1)
-    - name: scan-build
-      run: scan-build-14 --status-bugs make
-  cppcheck:
-    runs-on: ubuntu-22.04
-    steps:
-    - name: Harden Runner
-      uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
-      with:
-        egress-policy: block
-        allowed-endpoints: >
-          archive.ubuntu.com:80
-          azure.archive.ubuntu.com:80
-          github.com:443
-          packages.microsoft.com:443
-          ppa.launchpadcontent.net:443
-          security.ubuntu.com:80
-    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
-    - name: update package information
-      run: sudo apt-get update -qy
-    - name: install cppcheck
-      run: sudo apt-get install -qy cppcheck
-    - run: cppcheck --version
-    - name: cppcheck
-      run: >
-        cppcheck -q --force --error-exitcode=1 --enable=warning,performance
-        -i src/firejail/checkcfg.c -i src/firejail/main.c .
-  # new cppcheck version currently chokes on checkcfg.c and main.c, therefore
-  # scan all files also with older cppcheck version from ubuntu 20.04.
-  cppcheck_old:
-    runs-on: ubuntu-20.04
-    steps:
-    - name: Harden Runner
-      uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
-      with:
-        egress-policy: block
-        allowed-endpoints: >
-          archive.ubuntu.com:80
-          azure.archive.ubuntu.com:80
-          github.com:443
-          packages.microsoft.com:443
-          ppa.launchpad.net:80
-          ppa.launchpadcontent.net:443
-          security.ubuntu.com:80
-    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
-    - name: update package information
-      run: sudo apt-get update -qy
-    - name: install cppcheck
-      run: sudo apt-get install -qy cppcheck
-    - run: cppcheck --version
-    - name: cppcheck
-      run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance .
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 489ed4335..d923f8b2b 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,68 +1,69 @@
-name: Build CI
+# Checks that `make dist` works and builds the project with the default
+# configuration.
 
+name: Build
+
+# Note: Keep this list in sync with DISTFILES in ../../Makefile.
 on:
   push:
-    paths-ignore:
-      - '.github/ISSUE_TEMPLATE/*'
-      - .git-blame-ignore-revs
-      - .github/dependabot.yml
-      - .github/pull_request_template.md
-      - .github/workflows/build-extra.yml
-      - .github/workflows/codeql-analysis.yml
-      - .github/workflows/codespell.yml
-      - .github/workflows/profile-checks.yml
-      - .gitignore
-      - .gitlab-ci.yml
-      - CONTRIBUTING.md
+    paths:
+      - 'contrib/**'
+      - 'etc/**'
+      - 'm4/**'
+      - 'platform/**'
+      - 'src/**'
+      - 'test/**'
+      - .github/workflows/build.yml
       - COPYING
+      - Makefile
       - README
-      - README.md
       - RELNOTES
-      - SECURITY.md
+      - ci/printenv.sh
+      - config.mk.in
+      - config.sh.in
+      - configure
+      - configure.ac
+      - install.sh
+      - mkdeb.sh
+      - mketc.sh
   pull_request:
-    paths-ignore:
-      - '.github/ISSUE_TEMPLATE/*'
-      - .git-blame-ignore-revs
-      - .github/dependabot.yml
-      - .github/pull_request_template.md
-      - .github/workflows/build-extra.yml
-      - .github/workflows/codeql-analysis.yml
-      - .github/workflows/codespell.yml
-      - .github/workflows/profile-checks.yml
-      - .gitignore
-      - .gitlab-ci.yml
-      - CONTRIBUTING.md
+    paths:
+      - 'contrib/**'
+      - 'etc/**'
+      - 'm4/**'
+      - 'platform/**'
+      - 'src/**'
+      - 'test/**'
+      - .github/workflows/build.yml
       - COPYING
+      - Makefile
       - README
-      - README.md
       - RELNOTES
-      - SECURITY.md
+      - ci/printenv.sh
+      - config.mk.in
+      - config.sh.in
+      - configure
+      - configure.ac
+      - install.sh
+      - mkdeb.sh
+      - mketc.sh
 
 permissions:  # added using https://github.com/step-security/secure-workflows
   contents: read
 
 jobs:
-  build_and_test:
+  build:
     runs-on: ubuntu-22.04
-    env:
-      SHELL: /bin/bash
     steps:
     - name: Harden Runner
       uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
       with:
         egress-policy: block
         allowed-endpoints: >
-          1.1.1.1:1025
           azure.archive.ubuntu.com:80
-          debian.org:80
-          dns.quad9.net:53
           github.com:443
           packages.microsoft.com:443
           ppa.launchpadcontent.net:443
-          whois.pir.org:43
-          www.debian.org:443
-          www.debian.org:80
-          yahoo.com:1025
     - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
     - name: update package information
       run: sudo apt-get update -qy
@@ -84,19 +85,3 @@ jobs:
       run: sudo make install
     - name: print firejail version
       run: command -V firejail && firejail --version
-    - run: make lab-setup
-    - run: make test-seccomp-extra
-    - run: make test-firecfg
-    - run: make test-capabilities
-    - run: make test-apparmor
-    - run: make test-appimage
-    - run: make test-chroot
-    - run: make test-sysutils
-    - run: make test-private-etc
-    - run: make test-profiles
-    - run: make test-fcopy
-    - run: make test-fnetfilter
-    - run: make test-fs
-    - run: make test-utils
-    - run: make test-environment
-    - run: make test-network
diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml
new file mode 100644
index 000000000..d8751ddc7
--- /dev/null
+++ b/.github/workflows/check-c.yml
@@ -0,0 +1,161 @@
+# Checks for potential issues in the source code.
+
+name: Check-C
+
+on:
+  push:
+    paths:
+      - 'm4/**'
+      - 'src/**.c'
+      - 'src/**.h'
+      - 'src/**.mk'
+      - 'src/**Makefile'
+      - .github/workflows/check-c.yml
+      - Makefile
+      - ci/printenv.sh
+      - config.mk.in
+      - config.sh.in
+      - configure
+      - configure.ac
+  pull_request:
+    paths:
+      - 'm4/**'
+      - 'src/**.c'
+      - 'src/**.h'
+      - 'src/**.mk'
+      - 'src/**Makefile'
+      - .github/workflows/check-c.yml
+      - Makefile
+      - ci/printenv.sh
+      - config.mk.in
+      - config.sh.in
+      - configure
+      - configure.ac
+  schedule:
+    - cron: '0 7 * * 2'
+
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
+jobs:
+  scan-build:
+    runs-on: ubuntu-22.04
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+      with:
+        egress-policy: block
+        allowed-endpoints: >
+          archive.ubuntu.com:80
+          azure.archive.ubuntu.com:80
+          github.com:443
+          packages.microsoft.com:443
+          ppa.launchpadcontent.net:443
+          security.ubuntu.com:80
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+    - name: update package information
+      run: sudo apt-get update -qy
+    - name: install clang-tools-14 and dependencies
+      run: >
+        sudo apt-get install -qy
+        clang-tools-14 libapparmor-dev libselinux1-dev
+    - name: print env
+      run: ./ci/printenv.sh
+    - name: configure
+      run: >
+        CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor
+        --enable-selinux
+        || (cat config.log; exit 1)
+    - name: scan-build
+      run: scan-build-14 --status-bugs make
+
+  cppcheck:
+    runs-on: ubuntu-22.04
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+      with:
+        egress-policy: block
+        allowed-endpoints: >
+          archive.ubuntu.com:80
+          azure.archive.ubuntu.com:80
+          github.com:443
+          packages.microsoft.com:443
+          ppa.launchpadcontent.net:443
+          security.ubuntu.com:80
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+    - name: update package information
+      run: sudo apt-get update -qy
+    - name: install cppcheck
+      run: sudo apt-get install -qy cppcheck
+    - run: cppcheck --version
+    - name: cppcheck
+      run: >
+        cppcheck -q --force --error-exitcode=1 --enable=warning,performance
+        -i src/firejail/checkcfg.c -i src/firejail/main.c .
+
+  # new cppcheck version currently chokes on checkcfg.c and main.c, therefore
+  # scan all files also with older cppcheck version from ubuntu 20.04.
+  cppcheck_old:
+    runs-on: ubuntu-20.04
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+      with:
+        egress-policy: block
+        allowed-endpoints: >
+          archive.ubuntu.com:80
+          azure.archive.ubuntu.com:80
+          github.com:443
+          packages.microsoft.com:443
+          ppa.launchpad.net:80
+          ppa.launchpadcontent.net:443
+          security.ubuntu.com:80
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+    - name: update package information
+      run: sudo apt-get update -qy
+    - name: install cppcheck
+      run: sudo apt-get install -qy cppcheck
+    - run: cppcheck --version
+    - name: cppcheck
+      run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance .
+
+  codeql-cpp:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+      with:
+        disable-sudo: true
+        egress-policy: block
+        allowed-endpoints: >
+          api.github.com:443
+          github.com:443
+          objects.githubusercontent.com:443
+          uploads.github.com:443
+
+    - name: Checkout repository
+      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+
+    - name: print env
+      run: ./ci/printenv.sh
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@5b6282e01c62d02e720b81eb8a51204f527c3624
+      with:
+        languages: cpp
+
+    - name: configure
+      run: ./configure
+
+    - name: make
+      run: make -j "$(nproc)"
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@5b6282e01c62d02e720b81eb8a51204f527c3624
diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/check-profiles.yml
index c44012768..193cfcb9f 100644
--- a/.github/workflows/profile-checks.yml
+++ b/.github/workflows/check-profiles.yml
@@ -1,18 +1,22 @@
-name: Profile Checks
+# Lints and checks for potential issues in the profiles.
+
+name: Check-Profiles
 
 on:
   push:
     paths:
       - 'ci/check/profiles/**'
       - 'etc/**'
-      - .github/workflows/profile-checks.yml
+      - .github/workflows/check-profiles.yml
+      - ci/printenv.sh
       - contrib/sort.py
       - src/firecfg/firecfg.config
   pull_request:
     paths:
       - 'ci/check/profiles/**'
       - 'etc/**'
-      - .github/workflows/profile-checks.yml
+      - .github/workflows/check-profiles.yml
+      - ci/printenv.sh
       - contrib/sort.py
       - src/firecfg/firecfg.config
 
diff --git a/.github/workflows/check-python.yml b/.github/workflows/check-python.yml
new file mode 100644
index 000000000..50ddf5669
--- /dev/null
+++ b/.github/workflows/check-python.yml
@@ -0,0 +1,55 @@
+# Lints and checks for potential issues in Python files.
+
+name: Check-Python
+
+on:
+  push:
+    paths:
+      - '**.py'
+      - .github/workflows/check-python.yml
+  pull_request:
+    paths:
+      - '**.py'
+      - .github/workflows/check-python.yml
+  schedule:
+    - cron: '0 7 * * 2'
+
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
+jobs:
+  codeql-python:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+      with:
+        disable-sudo: true
+        egress-policy: block
+        allowed-endpoints: >
+          api.github.com:443
+          files.pythonhosted.org:443
+          github.com:443
+          objects.githubusercontent.com:443
+          pypi.org:443
+          uploads.github.com:443
+
+    - name: Checkout repository
+      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+
+    - name: print env
+      run: ./ci/printenv.sh
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@0ba4244466797eb048eb91a6cd43d5c03ca8bd05
+      with:
+        languages: python
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@0ba4244466797eb048eb91a6cd43d5c03ca8bd05
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
deleted file mode 100644
index 344090cfd..000000000
--- a/.github/workflows/codeql-analysis.yml
+++ /dev/null
@@ -1,125 +0,0 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-name: "CodeQL"
-
-on:
-  push:
-    paths-ignore:
-      - '.github/ISSUE_TEMPLATE/*'
-      - 'contrib/syntax/**'
-      - 'contrib/vim/**'
-      - 'etc/**'
-      - 'src/man/*.txt'
-      - .git-blame-ignore-revs
-      - .github/dependabot.yml
-      - .github/pull_request_template.md
-      - .github/workflows/build-extra.yml
-      - .github/workflows/build.yml
-      - .github/workflows/codespell.yml
-      - .github/workflows/profile-checks.yml
-      - .gitignore
-      - .gitlab-ci.yml
-      - CONTRIBUTING.md
-      - COPYING
-      - README
-      - README.md
-      - RELNOTES
-      - SECURITY.md
-      - src/firecfg/firecfg.config
-  pull_request:
-    paths-ignore:
-      - '.github/ISSUE_TEMPLATE/*'
-      - 'contrib/syntax/**'
-      - 'contrib/vim/**'
-      - 'etc/**'
-      - 'src/man/*.txt'
-      - .git-blame-ignore-revs
-      - .github/dependabot.yml
-      - .github/pull_request_template.md
-      - .github/workflows/build-extra.yml
-      - .github/workflows/build.yml
-      - .github/workflows/codespell.yml
-      - .github/workflows/profile-checks.yml
-      - .gitignore
-      - .gitlab-ci.yml
-      - CONTRIBUTING.md
-      - COPYING
-      - README
-      - README.md
-      - RELNOTES
-      - SECURITY.md
-      - src/firecfg/firecfg.config
-  schedule:
-    - cron: '0 7 * * 2'
-
-permissions:  # added using https://github.com/step-security/secure-workflows
-  contents: read
-
-jobs:
-  analyze:
-    permissions:
-      actions: read  # for github/codeql-action/init to get workflow details
-      contents: read  # for actions/checkout to fetch code
-      security-events: write  # for github/codeql-action/autobuild to send a status report
-    name: Analyze
-    runs-on: ubuntu-latest
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language: [ 'cpp', 'python' ]
-        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
-        # Learn more:
-        # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
-
-    steps:
-    - name: Harden Runner
-      uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
-      with:
-        disable-sudo: true
-        egress-policy: block
-        allowed-endpoints: >
-          api.github.com:443
-          files.pythonhosted.org:443
-          github.com:443
-          objects.githubusercontent.com:443
-          pypi.org:443
-          uploads.github.com:443
-
-    - name: Checkout repository
-      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
-
-    - name: print env
-      run: ./ci/printenv.sh
-
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@5b6282e01c62d02e720b81eb8a51204f527c3624
-      with:
-        languages: ${{ matrix.language }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
-        # queries: ./path/to/local/query, your-org/your-repo/queries@main
-
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@5b6282e01c62d02e720b81eb8a51204f527c3624
-
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 https://git.io/JvXDl
-
-    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-    #    and modify them (or add more) to build your code if your project
-    #    uses a compiled language
-
-    #- run: |
-    #   make bootstrap
-    #   make release
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@5b6282e01c62d02e720b81eb8a51204f527c3624
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
index e39755dbd..4eacfb244 100644
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -1,3 +1,5 @@
+# Checks the spelling on all non-third-party files.
+
 name: Codespell
 
 on:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 000000000..0b679c1c8
--- /dev/null
+++ b/.github/workflows/test.yml
@@ -0,0 +1,253 @@
+# Checks that the tests are passing.
+
+name: Test
+
+on:
+  push:
+    paths:
+      - 'm4/**'
+      - 'src/**.c'
+      - 'src/**.h'
+      - 'src/**.mk'
+      - 'src/**Makefile'
+      - 'test/**'
+      - .github/workflows/test.yml
+      - Makefile
+      - config.mk.in
+      - config.sh.in
+      - configure
+      - configure.ac
+      - src/firecfg/firecfg.config
+  pull_request:
+    paths:
+      - 'm4/**'
+      - 'src/**.c'
+      - 'src/**.h'
+      - 'src/**.mk'
+      - 'src/**Makefile'
+      - 'test/**'
+      - .github/workflows/test.yml
+      - Makefile
+      - config.mk.in
+      - config.sh.in
+      - configure
+      - configure.ac
+      - src/firecfg/firecfg.config
+
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
+#
+# Faster tests
+#
+
+jobs:
+  test-main:
+    runs-on: ubuntu-22.04
+    env:
+      SHELL: /bin/bash
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+      with:
+        egress-policy: block
+        allowed-endpoints: >
+          azure.archive.ubuntu.com:80
+          github.com:443
+          packages.microsoft.com:443
+          ppa.launchpadcontent.net:443
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+    - name: update package information
+      run: sudo apt-get update -qy
+    - name: install dependencies
+      run: >
+        sudo apt-get install -qy
+        gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils
+    - name: print env
+      run: ./ci/printenv.sh
+    - name: configure
+      run: >
+        CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
+        --enable-analyzer --enable-apparmor --enable-selinux
+        || (cat config.log; exit 1)
+    - name: make
+      run: make -j "$(nproc)"
+    - name: make install
+      run: sudo make install
+    - name: print firejail version
+      run: command -V firejail && firejail --version
+    - run: make lab-setup
+    - run: make test-seccomp-extra
+    - run: make test-firecfg
+    - run: make test-capabilities
+    - run: make test-apparmor
+    - run: make test-appimage
+    - run: make test-chroot
+    - run: make test-fcopy
+
+#
+# Slower tests
+#
+
+  test-fs:
+    runs-on: ubuntu-22.04
+    env:
+      SHELL: /bin/bash
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+      with:
+        egress-policy: block
+        allowed-endpoints: >
+          azure.archive.ubuntu.com:80
+          github.com:443
+          packages.microsoft.com:443
+          ppa.launchpadcontent.net:443
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+    - name: update package information
+      run: sudo apt-get update -qy
+    - name: install dependencies
+      run: >
+        sudo apt-get install -qy
+        gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils
+    - name: print env
+      run: ./ci/printenv.sh
+    - name: configure
+      run: >
+        CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
+        --enable-analyzer --enable-apparmor --enable-selinux
+        || (cat config.log; exit 1)
+    - name: make
+      run: make -j "$(nproc)"
+    - name: make install
+      run: sudo make install
+    - name: print firejail version
+      run: command -V firejail && firejail --version
+    - run: make lab-setup
+    - run: make test-private-etc
+    - run: make test-fs
+
+  test-environment:
+    runs-on: ubuntu-22.04
+    env:
+      SHELL: /bin/bash
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+      with:
+        egress-policy: block
+        allowed-endpoints: >
+          azure.archive.ubuntu.com:80
+          github.com:443
+          packages.microsoft.com:443
+          ppa.launchpadcontent.net:443
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+    - name: update package information
+      run: sudo apt-get update -qy
+    - name: install dependencies
+      run: >
+        sudo apt-get install -qy
+        gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils
+    - name: print env
+      run: ./ci/printenv.sh
+    - name: configure
+      run: >
+        CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
+        --enable-analyzer --enable-apparmor --enable-selinux
+        || (cat config.log; exit 1)
+    - name: make
+      run: make -j "$(nproc)"
+    - name: make install
+      run: sudo make install
+    - name: print firejail version
+      run: command -V firejail && firejail --version
+    - run: make lab-setup
+    - run: make test-environment
+    - run: make test-profiles
+
+  test-utils:
+    runs-on: ubuntu-22.04
+    env:
+      SHELL: /bin/bash
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+      with:
+        egress-policy: block
+        allowed-endpoints: >
+          azure.archive.ubuntu.com:80
+          debian.org:80
+          github.com:443
+          packages.microsoft.com:443
+          ppa.launchpadcontent.net:443
+          www.debian.org:443
+          www.debian.org:80
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+    - name: update package information
+      run: sudo apt-get update -qy
+    - name: install dependencies
+      run: >
+        sudo apt-get install -qy
+        gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils
+    - name: print env
+      run: ./ci/printenv.sh
+    - name: configure
+      run: >
+        CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
+        --enable-analyzer --enable-apparmor --enable-selinux
+        || (cat config.log; exit 1)
+    - name: make
+      run: make -j "$(nproc)"
+    - name: make install
+      run: sudo make install
+    - name: print firejail version
+      run: command -V firejail && firejail --version
+    - run: make lab-setup
+    - run: make test-utils
+
+  test-network:
+    runs-on: ubuntu-22.04
+    env:
+      SHELL: /bin/bash
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+      with:
+        egress-policy: block
+        allowed-endpoints: >
+          1.1.1.1:1025
+          azure.archive.ubuntu.com:80
+          debian.org:80
+          dns.quad9.net:53
+          github.com:443
+          packages.microsoft.com:443
+          ppa.launchpadcontent.net:443
+          whois.pir.org:43
+          www.debian.org:443
+          www.debian.org:80
+          yahoo.com:1025
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+    - name: update package information
+      run: sudo apt-get update -qy
+    - name: install dependencies
+      run: >
+        sudo apt-get install -qy
+        gcc-12 libapparmor-dev libselinux1-dev expect xzdec whois
+        bridge-utils
+    - name: print env
+      run: ./ci/printenv.sh
+    - name: configure
+      run: >
+        CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
+        --enable-analyzer --enable-apparmor --enable-selinux
+        || (cat config.log; exit 1)
+    - name: make
+      run: make -j "$(nproc)"
+    - name: make install
+      run: sudo make install
+    - name: print firejail version
+      run: command -V firejail && firejail --version
+    - run: make lab-setup
+    - run: make test-fnetfilter
+    - run: make test-sysutils
+    - run: make test-network
diff --git a/Makefile b/Makefile
index 043c491c6..450b8a0b4 100644
--- a/Makefile
+++ b/Makefile
@@ -299,6 +299,7 @@ uninstall: config.mk
         rm -f $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs/firejail-profile.lang
         @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038."
 
+# Note: Keep this list in sync with `paths` in .github/workflows/build.yml.
 DISTFILES = \
         COPYING \
         Makefile \
diff --git a/README.md b/README.md
index 781304451..c51137808 100644
--- a/README.md
+++ b/README.md
@@ -1,8 +1,13 @@
 # Firejail
 
-[![Build CI (GitLab)](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines)
-[![Build CI (GitHub)](https://github.com/netblue30/firejail/workflows/Build%20CI/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3A%22Build+CI%22)
-[![CodeQL CI](https://github.com/netblue30/firejail/workflows/CodeQL/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACodeQL)
+[![Build (GitLab)](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines)
+[![Build (GitHub)](https://github.com/netblue30/firejail/workflows/Build/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ABuild)
+[![Build-extra](https://github.com/netblue30/firejail/workflows/Build-extra/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ABuild-extra)
+[![Test](https://github.com/netblue30/firejail/workflows/Test/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ATest)
+[![Check-C](https://github.com/netblue30/firejail/workflows/Check-C/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACheck-C)
+[![Check-Profiles](https://github.com/netblue30/firejail/workflows/Check-Profiles/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACheck-Profiles)
+[![Check-Python](https://github.com/netblue30/firejail/workflows/Check-Python/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACheck-Python)
+[![Codespell](https://github.com/netblue30/firejail/workflows/Codespell/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACodespell)
 [![Packaging status (Repology)](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions)
 
 Firejail is a SUID sandbox program that reduces the risk of security breaches