From 0612697ee2687f46445faccee7035a1c26ba5180 Mon Sep 17 00:00:00 2001
From: cpanato
Date: Wed, 9 Oct 2024 10:41:20 +0200
Subject: [PATCH 1/2] clean up and update ci
Signed-off-by: cpanato
---
 .github/workflows/ci.yml | 20 +++----
 .../create-comment-kernel-testing.yml | 4 +-
 .github/workflows/driver-api-version.yml | 3 +-
 .github/workflows/driver-schema-version.yml | 6 +--
 .github/workflows/driverkit.yml | 2 +-
 .github/workflows/drivers_ci.yml | 30 +++++------
 .github/workflows/e2e_ci.yml | 10 ++--
 .github/workflows/format.yml | 2 +-
 .github/workflows/latest-kernel.yml | 10 ++--
 .github/workflows/pages.yml | 24 ++++-----
 .github/workflows/perf.yml | 6 +--
 .github/workflows/release-body.yml | 54 +++++++++----------
 .github/workflows/reusable_kernel_tests.yaml | 10 ++--
 .github/workflows/semgrep_checks.yml | 4 +-
 .github/workflows/test_coverage_ci.yml | 2 +-
 .github/workflows/update-syscalls.yml | 4 +-
 16 files changed, 95 insertions(+), 96 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index beea94ccc3..34cce0d921 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -49,7 +49,7 @@ jobs: rm -rf /tmp/cmake-3.22.5-linux-$(uname -m)/ - name: Checkout Libs ⤵️ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 0
@@ -100,7 +100,7 @@ jobs: apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils bpftool clang - name: Checkout Libs ⤵️ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 0
@@ -119,7 +119,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Libs ⤵️ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 0
@@ -169,7 +169,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Checkout Libs ⤵️ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 0
@@ -184,7 +184,7 @@ jobs: runs-on: macos-latest steps: - name: Checkout Libs ⤵️ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 0
@@ -221,7 +221,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout Libs ⤵️ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 0
@@ -301,15 +301,15 @@ jobs: sudo update-alternatives --install /usr/bin/llc llc /usr/bin/llc-14 90 - name: Checkout Libs ⤵️ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 0 - + - name: Fix kernel mmap rnd bits # Asan in llvm 14 provided in ubuntu 22.04 is incompatible with # high-entropy ASLR in much newer kernels that GitHub runners are # using leading to random crashes: https://reviews.llvm.org/D148280 - run: sudo sysctl vm.mmap_rnd_bits=28 + run: sudo sysctl vm.mmap_rnd_bits=28 - name: Install deps ⛓️ run: |
@@ -354,7 +354,7 @@ jobs: sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang-14 llvm-14 git pkg-config autoconf automake libtool libelf-dev libcap-dev linux-headers-$(uname -r) emscripten - name: Checkout Libs ⤵️ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 0
diff --git a/.github/workflows/create-comment-kernel-testing.yml b/.github/workflows/create-comment-kernel-testing.yml
index 60d7a6876a..e7ca7a68bb 100644
--- a/.github/workflows/create-comment-kernel-testing.yml
+++ b/.github/workflows/create-comment-kernel-testing.yml
@@ -47,14 +47,14 @@ jobs: var fs = require('fs'); var issue_number = Number(fs.readFileSync('./NR')); var comment_body = fs.readFileSync('./COMMENT'); - + // Get the existing comments. const {data: comments} = await github.rest.issues.listComments({ owner: context.repo.owner, repo: context.repo.repo, issue_number: issue_number, }); - + // Find any comment already made by the bot. const botComment = comments.find(comment => comment.user.id === 41898282 && comment.body.includes('# X64 kernel testing matrix'));
diff --git a/.github/workflows/driver-api-version.yml b/.github/workflows/driver-api-version.yml
index 52d2019a20..6e7eff993b 100644
--- a/.github/workflows/driver-api-version.yml
+++ b/.github/workflows/driver-api-version.yml
@@ -12,7 +12,6 @@ on: - 'driver/ppm_events_public.h' - 'driver/bpf/maps.h' - 'driver/modern_bpf/maps/maps.h' - jobs: paths-filter:
@@ -20,7 +19,7 @@ jobs: outputs: driver_api_changed: ${{ steps.filter.outputs.driver_api }} steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: filter with:
diff --git a/.github/workflows/driver-schema-version.yml b/.github/workflows/driver-schema-version.yml
index 837064cb5c..a379969425 100644
--- a/.github/workflows/driver-schema-version.yml
+++ b/.github/workflows/driver-schema-version.yml
@@ -19,7 +19,7 @@ jobs: outputs: driver_schema_changed: ${{ steps.filter.outputs.driver_schema }} steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: filter with:
@@ -34,14 +34,14 @@ jobs: needs: paths-filter if: needs.paths-filter.outputs.driver_schema_changed == 'false' steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Check driver SCHEMA_VERSION uses: mshick/add-pr-comment@7c0890544fb33b0bdd2e59467fbacb62e028a096 # v2.8.1 with: message: | Please double check **driver/SCHEMA_VERSION** file. See [versioning](https://github.com/falcosecurity/libs/blob/master/driver/README.VERSION.md#schema-version-number). - + /hold - name: Trigger failure
diff --git a/.github/workflows/driverkit.yml b/.github/workflows/driverkit.yml
index 651babc71a..26753bf0a4 100644
--- a/.github/workflows/driverkit.yml
+++ b/.github/workflows/driverkit.yml
@@ -37,7 +37,7 @@ jobs: - name: Test drivers build on ${{ matrix.name }} run: | driverkit docker --kernelrelease ${{ matrix.kernelrelease }} --target ${{ matrix.target }} --output-module /tmp/libs.ko --output-probe /tmp/libs.o --driverversion $GITHUB_SHA --loglevel debug --kernelurls ${{ matrix.kernelurls }} - + build-drivers-arm64: strategy: matrix:
diff --git a/.github/workflows/drivers_ci.yml b/.github/workflows/drivers_ci.yml
index 953d8312b1..921fab6bca 100644
--- a/.github/workflows/drivers_ci.yml
+++ b/.github/workflows/drivers_ci.yml
@@ -24,7 +24,7 @@ jobs: libscap: ${{ steps.filter.outputs.libscap }} libpman: ${{ steps.filter.outputs.libpman }} steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: filter with:
@@ -48,14 +48,14 @@ jobs: - arch: amd64 enable_gvisor: True - arch: amd64 - enable_gvisor: False - fail-fast: false + enable_gvisor: False + fail-fast: false steps: - name: Checkout Libs ⤵️ # We need to skip each step because of https://github.com/orgs/community/discussions/9141. # This avoids having a skipped job whose name is not the resolved matrix name, like "test-scap-${{ matrix.arch }} 😆 (bundled_deps)" if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true' - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 0
@@ -73,14 +73,14 @@ jobs: cd src && sudo make install - name: Install kernel headers (actuated) - uses: self-actuated/get-kernel-sources@201eed7d915ac0a6021fb402cde5be7a6b945b59 + uses: self-actuated/get-kernel-sources@201eed7d915ac0a6021fb402cde5be7a6b945b59 # v2 if: (needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true') && matrix.arch == 'arm64' - name: Install kernel headers if: (needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true') && matrix.arch == 'amd64' run: | sudo apt install -y --no-install-recommends linux-headers-$(uname -r) - + - name: Build scap-open and drivers 🏗️ if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true' run: |
@@ -125,7 +125,7 @@ jobs: steps: - name: Checkout Libs ⤵️ if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true' - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 0
@@ -143,7 +143,7 @@ jobs: cd src && sudo make install - name: Install kernel headers (actuated) - uses: self-actuated/get-kernel-sources@201eed7d915ac0a6021fb402cde5be7a6b945b59 + uses: self-actuated/get-kernel-sources@201eed7d915ac0a6021fb402cde5be7a6b945b59 # v2 if: (needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true') && matrix.arch == 'arm64' - name: Install kernel headers and gcc
@@ -175,7 +175,7 @@ jobs: run: | cd build sudo ./test/drivers/drivers_test -k - + test-drivers-ppc64le: name: test-drivers-ppc64le 😁 (system_deps,custom node) runs-on: ubuntu-22.04
@@ -211,7 +211,7 @@ jobs: sudo ./test/drivers/drivers_test -k rc_kmod=$? exit $(($rc_modern + $rc_bpf +$rc_kmod)) - + build-drivers-s390x: name: build-drivers-s390x 😁 (system_deps) runs-on: ubuntu-22.04
@@ -219,7 +219,7 @@ jobs: steps: - name: Checkout Libs ⤵️ if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true' - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 0
@@ -232,7 +232,7 @@ jobs: githubToken: ${{ github.token }} install: | - apt update && apt install -y --no-install-recommends ca-certificates cmake build-essential clang llvm git pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libcap-dev libgtest-dev libprotobuf-dev linux-headers-generic + apt update && apt install -y --no-install-recommends ca-certificates cmake build-essential clang llvm git pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libcap-dev libgtest-dev libprotobuf-dev linux-headers-generic git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch cd bpftool git submodule update --init
@@ -248,7 +248,7 @@ jobs: mkdir -p build cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=OFF -DMODERN_PROBE_INCLUDE="-I/usr/include/s390x-linux-gnu" -DBUILD_LIBSCAP_MODERN_BPF=ON -DMODERN_BPF_DEBUG_MODE=ON -DENABLE_DRIVERS_TESTS=On -DCREATE_TEST_TARGETS=On -DBUILD_LIBSCAP_GVISOR=OFF ../ KERNELDIR=/lib/modules/$(ls /lib/modules)/build make driver bpf drivers_test -j6 - + build-modern-bpf-skeleton: needs: paths-filter # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
@@ -280,7 +280,7 @@ jobs: build-scap-open-w-extern-bpf-skeleton: env: ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true - needs: [paths-filter,build-modern-bpf-skeleton] + needs: [paths-filter,build-modern-bpf-skeleton] # See https://github.com/actions/runner/issues/409#issuecomment-1158849936 runs-on: 'ubuntu-latest' if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
@@ -344,7 +344,7 @@ jobs: run: | cd build source /opt/rh/devtoolset-9/enable - make scap-open -j6 + make scap-open -j6 # Only runs on pull request since on master branch it is already triggered by pages CI. kernel-tests-dev:
diff --git a/.github/workflows/e2e_ci.yml b/.github/workflows/e2e_ci.yml
index 48fcfc4ad2..5a46638b52 100644
--- a/.github/workflows/e2e_ci.yml
+++ b/.github/workflows/e2e_ci.yml
@@ -22,7 +22,7 @@ jobs: fail-fast: false steps: - name: Checkout Libs ⤵️ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 0
@@ -65,7 +65,7 @@ jobs: cd src && sudo make install - name: Install kernel headers (actuated) - uses: self-actuated/get-kernel-sources@201eed7d915ac0a6021fb402cde5be7a6b945b59 + uses: self-actuated/get-kernel-sources@201eed7d915ac0a6021fb402cde5be7a6b945b59 # v2 if: matrix.arch == 'arm64' - name: Install kernel headers and gcc
@@ -118,7 +118,7 @@ jobs: fail-fast: false steps: - name: Checkout Libs ⤵️ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 0
@@ -129,7 +129,7 @@ jobs: path: build key: build-e2e-${{ matrix.arch }}-${{ github.run_id }} restore-keys: build-e2e- - + - name: Fix kernel mmap rnd bits # Asan in llvm 14 provided in ubuntu 22.04 is incompatible with # high-entropy ASLR in much newer kernels that GitHub runners are
@@ -150,7 +150,7 @@ jobs: sudo apt install -y --no-install-recommends clang gcc llvm build-essential cmake python3 quota - name: Install kernel headers (actuated) - uses: self-actuated/get-kernel-sources@201eed7d915ac0a6021fb402cde5be7a6b945b59 + uses: self-actuated/get-kernel-sources@201eed7d915ac0a6021fb402cde5be7a6b945b59 # v2 if: matrix.arch == 'arm64' - name: Install kernel headers and gcc
diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml
index fb555b9020..b7e3f5e39f 100644
--- a/.github/workflows/format.yml
+++ b/.github/workflows/format.yml
@@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout repository 🎉 - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 0
diff --git a/.github/workflows/latest-kernel.yml b/.github/workflows/latest-kernel.yml
index 604a774806..6169c7fa13 100644
--- a/.github/workflows/latest-kernel.yml
+++ b/.github/workflows/latest-kernel.yml
@@ -21,13 +21,13 @@ jobs: run: | apk update && apk add git git clone https://aur.archlinux.org/linux-mainline.git linux/ - + - name: Generate driverkit config id: latest-version # Note: in case we are building latest mainline, # we grep the linux-mainline aur PKGBUILD "_tag" line, that is made like: "_tag=v6.4-rc1" # We then need to extract the part after the "=" and finally remove the starting "v". - run: | + run: | cd linux/ echo "kernelversion: 1" > dk.yaml echo "architecture: amd64" >> dk.yaml
@@ -45,19 +45,19 @@ jobs: echo "target: arch" >> dk.yaml fi echo "latest_vers=$(grep kernelrelease dk.yaml | awk -F": " '{print $2}')" >> $GITHUB_OUTPUT - + - name: Upload driverkit config uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: driverkit_config.yaml path: linux/dk.yaml - + - name: Test drivers build id: build run: | echo "Testing build of drivers against: ${{ steps.latest-version.outputs.latest_vers }}" driverkit docker -c linux/dk.yaml -l debug - + - name: Update README badge uses: schneegans/dynamic-badges-action@e9a478b16159b4d31420099ba146cdc50f134483 # v1.7.0 if: always() && github.event_name == 'schedule'
diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml
index 48fa737f49..79aa83f140 100644
--- a/.github/workflows/pages.yml
+++ b/.github/workflows/pages.yml
@@ -2,7 +2,7 @@ name: Deploy Github Pages on: push: branches: [master] - + permissions: contents: read pages: write
@@ -21,7 +21,7 @@ jobs: runs-on: [ "self-hosted", "linux", "X64" ] steps: - name: Checkout Libs ⤵️ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Run perf id: perf
@@ -41,7 +41,7 @@ jobs: if-no-files-found: error - name: Checkout Flamegraph ⤵️ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: repository: 'brendangregg/FlameGraph' path: flamegraph
@@ -85,24 +85,24 @@ jobs: url: ${{ steps.deployment.outputs.page_url }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - name: Download matrix X64 uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: matrix_X64 - + - name: Move X64 matrix under docs run: mv matrix.md docs/matrix_X64.md - + - name: Download matrix ARM64 uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: matrix_ARM64 - + - name: Move ARM64 matrix under docs - run: mv matrix.md docs/matrix_ARM64.md - + run: mv matrix.md docs/matrix_ARM64.md + - name: Disable Table Of Content for matrixes pages run: | sed -i '1s/^/---\nhide:\n- toc\n---\n\n/' docs/matrix_X64.md
@@ -133,9 +133,9 @@ jobs: python-version: 3.x - run: pip install mkdocs mkdocs-material - + - run: mkdocs build - + - uses: actions/upload-pages-artifact@a753861a5debcf57bf8b404356158c8e1e33150c # v2.0.0 with: path: 'site'
diff --git a/.github/workflows/perf.yml b/.github/workflows/perf.yml
index 59fff0179c..d5c1ad4180 100644
--- a/.github/workflows/perf.yml
+++ b/.github/workflows/perf.yml
@@ -13,10 +13,10 @@ jobs: runs-on: [ "self-hosted", "linux", "X64" ] steps: - name: Checkout Libs ⤵️ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Checkout Google benchmark ⤵️ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: repository: 'google/benchmark' ref: 'v1.9.0'
@@ -40,7 +40,7 @@ jobs: - name: Diff from master - perf scap file run: | - sudo perf diff perf_scap.data ${{ steps.perf.outputs.perf_scap }} -d sinsp-example -b -o 1 --percentage relative -q &> perf_scap_diff.txt + sudo perf diff perf_scap.data ${{ steps.perf.outputs.perf_scap }} -d sinsp-example -b -o 1 --percentage relative -q &> perf_scap_diff.txt - name: Diff from master - heaptrack unit tests run: |
diff --git a/.github/workflows/release-body.yml b/.github/workflows/release-body.yml
index 8dfb4999bb..de50271ff1 100644
--- a/.github/workflows/release-body.yml
+++ b/.github/workflows/release-body.yml
@@ -43,13 +43,13 @@ jobs: # Safeguard: you need to both set "latest" in GH and not have suffixes to overwrite latest is_latest = '${{ steps.latest_release.outputs.release }}' == tag_name and not is_prerelease - + is_driver = "+driver" in tag_name with open(os.environ['GITHUB_OUTPUT'], 'a') as ofp: print(f'is_latest={is_latest}'.lower(), file=ofp) print(f'is_driver={is_driver}'.lower(), file=ofp) - + release-body-libs: needs: [release-settings] if: ${{ needs.release-settings.outputs.is_latest == 'true' && needs.release-settings.outputs.is_driver == 'false' }} # only for latest releases and not driver ones
@@ -58,12 +58,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Clone repo - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - name: Create release body file run: | touch release-body.md - + - name: Extract MIN_API version run: | MIN_API_VER=$(grep SCAP_MINIMUM_DRIVER_API_VERSION userspace/libscap/scap.h)
@@ -72,7 +72,7 @@ jobs: MIN_API_VER=$(echo $MIN_API_VER | tr -d "(" | tr -d ")") MIN_API_VER=$(echo $MIN_API_VER | sed -r 's/, /./g') echo '!'"[MIN_DRIVER_API](https://img.shields.io/badge/MIN_DRIVER_API-${MIN_API_VER}-yellow)" >> release-body.md - + - name: Extract MIN_SCHEMA version run: | MIN_SCHEMA_VER=$(grep SCAP_MINIMUM_DRIVER_SCHEMA_VERSION userspace/libscap/scap.h) 
@@ -82,36 +82,36 @@ jobs: MIN_SCHEMA_VER=$(echo $MIN_SCHEMA_VER | sed -r 's/, /./g') echo '!'"[MIN_DRIVER_SCHEMA](https://img.shields.io/badge/MIN_DRIVER_SCHEMA-${MIN_SCHEMA_VER}-yellow)" >> release-body.md echo "" >> release-body.md - + - name: Generate release notes uses: leodido/rn2md@9c351d81278644c0e17b1ca68edbdba305276c73 with: milestone: ${{ github.event.release.tag_name }} output: ./notes.md - + - name: Merge release notes to pre existent body run: cat notes.md >> release-body.md - + - name: Attach release creator to release body run: | echo "" >> release-body.md echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md - + - name: Release uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15 with: body_path: ./release-body.md tag_name: ${{ github.event.release.tag_name }} - name: ${{ github.event.release.name }} + name: ${{ github.event.release.name }} kernel-tests-release: needs: [release-settings] - if: ${{ needs.release-settings.outputs.is_latest == 'true' && needs.release-settings.outputs.is_driver == 'true' }} # only for latest driver releases + if: ${{ needs.release-settings.outputs.is_latest == 'true' && needs.release-settings.outputs.is_driver == 'true' }} # only for latest driver releases uses: ./.github/workflows/reusable_kernel_tests.yaml with: libsversion: ${{ github.event.release.tag_name }} - secrets: inherit - + secrets: inherit + release-body-driver: needs: [release-settings, kernel-tests-release] if: ${{ needs.release-settings.outputs.is_latest == 'true' && needs.release-settings.outputs.is_driver == 'true' }} # only for latest driver releases 
@@ -120,12 +120,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Clone libs repo - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - name: Create release body file run: | - touch release-body.md - + touch release-body.md + - name: Extract API and SCHEMA versions run: | touch release-body.md
@@ -134,20 +134,20 @@ jobs: echo '!'"[API](https://img.shields.io/badge/API-${API_VERS}-yellow)" >> release-body.md echo '!'"[SCHEMA](https://img.shields.io/badge/SCHEMA-${SCHEMA_VERS}-yellow)" >> release-body.md echo "" >> release-body.md - + - name: Download matrix X64 uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: matrix_X64 - + - name: Rename X64 matrix run: mv matrix.md matrix_X64.md - + - name: Download matrix ARM64 uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: matrix_ARM64 - + - name: Rename ARM64 matrix run: mv matrix.md matrix_ARM64.md
@@ -166,20 +166,20 @@ jobs: sed -i '1s/^/# Driver Testing Matrix amd64\n\n/' matrix_X64.md sed -i '1s/^/# Driver Testing Matrix arm64\n\n/' matrix_ARM64.md cat matrix_X64.md matrix_ARM64.md >> release-body.md - + - name: Generate release notes - uses: leodido/rn2md@9c351d81278644c0e17b1ca68edbdba305276c73 + uses: leodido/rn2md@9c351d81278644c0e17b1ca68edbdba305276c73 # main with: milestone: ${{ github.event.release.tag_name }} output: ./notes.md - + - name: Merge release notes to pre existent body run: cat notes.md >> release-body.md - + - name: Attach release creator to release body run: | echo "" >> release-body.md - echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md + echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md - name: Release uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
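Review bot: The `# main` comment added to `uses: leodido/rn2md@9c351d81278644c0e17b1ca68edbdba305276c73` in the `@@ -166,20` hunk records a branch rather than a release, so unlike the `# v4.2.1` / `# v0.3.2` comments elsewhere in this commit it gives a reviewer nothing to verify the SHA against, and the identical SHA in the `@@ -82,36` hunk of this file (release-body-libs) keeps no comment at all. Whether rn2md has a tagged release I cannot tell from the diff; if it does not, make that explicit, e.g. `uses: leodido/rn2md@9c351d81278644c0e17b1ca68edbdba305276c73 # main (no tagged release)`, and put the same comment on the other usage so the two pins stay in step.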
diff --git a/.github/workflows/reusable_kernel_tests.yaml b/.github/workflows/reusable_kernel_tests.yaml
index 9139af94dc..dc425829a1 100644
--- a/.github/workflows/reusable_kernel_tests.yaml
+++ b/.github/workflows/reusable_kernel_tests.yaml
@@ -13,7 +13,7 @@ on: type: string required: false default: 'falcosecurity/libs' - workflow_call: + workflow_call: inputs: libsversion: description: 'libs version to be tested, eg: master'
@@ -29,16 +29,16 @@ on: concurrency: group: kernel-tests cancel-in-progress: false - + jobs: test-kernels: strategy: fail-fast: false matrix: architecture: [X64, ARM64] - runs-on: [ "self-hosted", "linux", "${{matrix.architecture}}" ] + runs-on: [ "self-hosted", "linux", "${{matrix.architecture}}" ] steps: - - uses: falcosecurity/kernel-testing@v0.3.2 + - uses: falcosecurity/kernel-testing@f8f0b498e3d2b08e70b8e82f55447ff84f9c43b2 # v0.3.2 id: kernel_tests with: libsversion: ${{ inputs.libsversion }}
@@ -49,7 +49,7 @@ jobs: with: name: ansible_output_${{matrix.architecture}} path: ${{ steps.kernel_tests.outputs.ansible_output }} - + - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: matrix_${{matrix.architecture}}
diff --git a/.github/workflows/semgrep_checks.yml b/.github/workflows/semgrep_checks.yml
index 7bdd9f8b75..47c8cd9beb 100644
--- a/.github/workflows/semgrep_checks.yml
+++ b/.github/workflows/semgrep_checks.yml
@@ -14,7 +14,7 @@ jobs: image: docker.io/semgrep/semgrep:1.85.0@sha256:b4c2272e0a2e59ca551ff96d3bbae657bd2b7356e339af557b27a96d9e751544 steps: - name: Checkout Libs ⤵️ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 0 - name: Scan PR for insecure API usage 🕵️
@@ -32,7 +32,7 @@ jobs: image: docker.io/semgrep/semgrep:1.85.0@sha256:b4c2272e0a2e59ca551ff96d3bbae657bd2b7356e339af557b27a96d9e751544 steps: - name: Checkout Libs ⤵️ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 0 - name: Scan PR for libs relateive include paths 🕵️
diff --git a/.github/workflows/test_coverage_ci.yml b/.github/workflows/test_coverage_ci.yml
index 4127779459..5d51457a9d 100644
--- a/.github/workflows/test_coverage_ci.yml
+++ b/.github/workflows/test_coverage_ci.yml
@@ -27,7 +27,7 @@ jobs: gpg gpg-agent gcovr - name: Checkout Libs ⤵️ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 0
diff --git a/.github/workflows/update-syscalls.yml b/.github/workflows/update-syscalls.yml
index 53482c893f..cd81b2a484 100644
--- a/.github/workflows/update-syscalls.yml
+++ b/.github/workflows/update-syscalls.yml
@@ -13,13 +13,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: ref: master path: libs - name: Bump syscalls - uses: falcosecurity/syscalls-bumper@main + uses: falcosecurity/syscalls-bumper@main # should be pointing to main with: repo-root: ${{ github.workspace }}/libs
From 3c2af182f20b17095d3ec793608869621e54b29f Mon Sep 17 00:00:00 2001
From: cpanato
Date: Wed, 9 Oct 2024 10:41:46 +0200
Subject: [PATCH 2/2] add initial dependabot config for gh actions
Signed-off-by: cpanato
---
 .github/dependabot.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 .github/dependabot.yaml
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
new file mode 100644
index 0000000000..33dc6d200b
--- /dev/null
+++ b/.github/dependabot.yaml
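Review bot: `uses: falcosecurity/syscalls-bumper@main` in the update-syscalls.yml hunk is the only action this commit leaves on a mutable branch ref while every other `uses:` is pinned to a commit SHA, and the added comment `# should be pointing to main` states the intent without the reason. Whatever lands on that branch runs unreviewed in this workflow against the `ref: master` checkout it is handed via `repo-root: ${{ github.workspace }}/libs`; the job's `permissions:` block, if it has one, is outside the hunk, so I cannot tell how much the token can do. If tracking the branch is a deliberate requirement, say so in the comment, e.g. `uses: falcosecurity/syscalls-bumper@main # intentionally unpinned: the bumper is expected to track its main branch`, and keep the job's token permissions to the minimum the step needs; otherwise pin to a SHA with a `# main` comment as release-body.yml does for rn2md, so the Dependabot config added in the second patch can bump it with the rest.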
@@ -0,0 +1,12 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ open-pull-requests-limit: 10
+ groups:
+ actions:
+ update-types:
+ - "minor"
+ - "patch"
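Review bot: The new dependabot.yaml carries no comment explaining the `actions` group, so a reader cannot tell whether leaving major bumps out of the weekly grouped PR was deliberate; add above `groups:` a line such as `# Minor/patch action bumps are batched into one weekly PR; major bumps open individual PRs for manual review`. It is also worth recording in the file what this ecosystem does not cover: the `falcosecurity/syscalls-bumper@main` branch ref in update-syscalls.yml has no version for Dependabot to bump, and the `docker.io/semgrep/semgrep` job-container digest in semgrep_checks.yml is, as far as I can tell, outside the `github-actions` ecosystem, so both stay on manual maintenance.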