Commit Graph

79 Commits

Author SHA1 Message Date
Kir Kolyshkin 5929b01989 ci/gha: add space-at-eol check, fix existing issues
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-06-07 11:27:27 -07:00
dependabot[bot] 2a3470456e build(deps): bump tim-actions/get-pr-commits from 1.2.0 to 1.3.0
Bumps [tim-actions/get-pr-commits](https://github.com/tim-actions/get-pr-commits) from 1.2.0 to 1.3.0.
- [Release notes](https://github.com/tim-actions/get-pr-commits/releases)
- [Commits](https://github.com/tim-actions/get-pr-commits/compare/v1.2.0...v1.3.0)

---
updated-dependencies:
- dependency-name: tim-actions/get-pr-commits
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-17 05:00:09 +00:00
Kir Kolyshkin 62cc13ea1a gha: disable setup-go cache for golangci job
Since commit e3cf217cf1 actions/setup-go@v4 uses caching
implicitly, and olangci/golangci-lint-action also uses caching.

These two caches clash, resulting in multiple warnings in CI logs.

The official golangci-lint-action solution is to disable caching
for setup-go job (see [1]). Do the same.

[1] https://github.com/golangci/golangci-lint-action/pull/704

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-05-16 11:22:31 -07:00
Kir Kolyshkin 083e9789b8 ci/gha: rm actions/cache from validate/deps job
Since commit e3cf217cf1 actions/setup-go@v4 uses caching
implicitly, so it is no longer required.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-05-16 11:22:31 -07:00
Aleksa Sarai 22538f896a keyring: verify runc.keyring has legitimate maintainer keys
These checks ensure that all of the keys in the runc.keyring list are
actually the keys of the specified user and that the users themselves
are actually maintainers.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-04-19 13:48:14 +10:00
Kir Kolyshkin 953e1cc485 ci/gha: switch to or add ubuntu 22.04
For test jobs, add ubuntu 22.04 into the matrix, so we can test of both
cgroup v1 and v2.

For validate jobs, just switch to ubuntu 22.04

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-04-10 10:32:02 -07:00
dependabot[bot] 1034cfa826 build(deps): bump lumaxis/shellcheck-problem-matchers from 1 to 2
Bumps [lumaxis/shellcheck-problem-matchers](https://github.com/lumaxis/shellcheck-problem-matchers) from 1 to 2.
- [Release notes](https://github.com/lumaxis/shellcheck-problem-matchers/releases)
- [Commits](https://github.com/lumaxis/shellcheck-problem-matchers/compare/v1...v2)

---
updated-dependencies:
- dependency-name: lumaxis/shellcheck-problem-matchers
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-04 17:44:14 +00:00
dependabot[bot] e3cf217cf1 build(deps): bump actions/setup-go from 3 to 4
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3 to 4.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-16 05:11:04 +00:00
Austin Vazquez 5ecd40b9bd Add Go 1.20, require Go 1.19, drop Go 1.18
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2023-02-02 19:56:26 +00:00
Kir Kolyshkin 3fbc5ba7ca ci: add tests/int/get-images.sh check
This is to check that tests/integration/get-images.sh is in sync
with tests/integration/bootstrap-get-images.sh.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-01-24 16:43:12 -08:00
Kir Kolyshkin 56edc41ca6 ci: bump shfmt to 3.5.1, simplify CI setup
1. Bump shfmt to v3.5.1. Release notes:
   https://github.com/mvdan/sh/releases

2. Since shfmt v3.5.0, specifying -l bash (or -l bats) is no longer
   necessary. Therefore, we can use shfmt to find all the files.
   Add .editorconfig to ignore vendor subdirectory.

3. Use shfmt docker image, so that we don't have to install anything
   explicitly. This greatly simplifies the shfmt CI job. Add
   localshfmt target so developers can still use a local shfmt binary
   when necessary.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-11-02 11:08:36 -07:00
Kir Kolyshkin 6bf2c3b67e ci/gha: use v3 tag for actions/cache
This tag points to the latest v3 version (currently v3.0.11). Mainly
done to avoid cluttering git history with multiple minor v3 upgrades.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-10-17 10:05:17 -07:00
dependabot[bot] a04363c1b9 build(deps): bump actions/cache from 3.0.10 to 3.0.11
Bumps [actions/cache](https://github.com/actions/cache) from 3.0.10 to 3.0.11.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.10...v3.0.11)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-14 04:11:15 +00:00
dependabot[bot] 8584900e50 build(deps): bump actions/cache from 3.0.9 to 3.0.10
Bumps [actions/cache](https://github.com/actions/cache) from 3.0.9 to 3.0.10.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.9...v3.0.10)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-04 04:12:20 +00:00
dependabot[bot] 79a5c1109b build(deps): bump actions/cache from 3.0.8 to 3.0.9
Bumps [actions/cache](https://github.com/actions/cache) from 3.0.8 to 3.0.9.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.8...v3.0.9)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-03 04:15:17 +00:00
dependabot[bot] 8206f5b2aa build(deps): bump actions/cache from 3.0.7 to 3.0.8
Bumps [actions/cache](https://github.com/actions/cache) from 3.0.7 to 3.0.8.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.7...v3.0.8)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-23 04:19:26 +00:00
Sebastiaan van Stijn 7b6f5153b8 Merge pull request #3514 from kolyshkin/go119
Add go 1.19, require go 1.18, drop go 1.17
2022-08-16 22:38:40 +02:00
Kir Kolyshkin b7dcdcecb4 Add go 1.19, require go 1.18, drop go 1.17
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-08-16 09:53:54 -07:00
Kir Kolyshkin 0f4bf2c840 ci/gha: bump golangci-lint to 1.48
This version works with go 1.19, i.e. it fixes
https://github.com/golangci/golangci-lint/issues/2922.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-08-16 09:53:54 -07:00
dependabot[bot] bf8d7c713b build(deps): bump actions/cache from 3.0.5 to 3.0.7
Bumps [actions/cache](https://github.com/actions/cache) from 3.0.5 to 3.0.7.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.5...v3.0.7)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-13 16:56:03 +00:00
Aleksa Sarai c0d44ea9fc merge branch 'pr-3523'
Kir Kolyshkin (1):
  CHANGELOG.md: forward-port 1.1.x changes

LGTMs: AkihiroSuda cyphar
Closes #3523
2022-07-20 14:26:51 +10:00
dependabot[bot] 5fd3d09e25 build(deps): bump actions/cache from 3.0.4 to 3.0.5
Bumps [actions/cache](https://github.com/actions/cache) from 3.0.4 to 3.0.5.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.4...v3.0.5)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-07-14 04:15:30 +00:00
Kir Kolyshkin d2a5acd22a CHANGELOG.md: forward-port 1.1.x changes
This is a forward-port of commit 91fa032da4 ("ci: add basic checks for
CHANGELOG.md"), plus whatever changes were made in release-1.1 branch
(up to v1.1.3).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-07-01 15:57:34 -07:00
Kir Kolyshkin 7481c3c97b ci: bump golangci-lint to 1.46
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-06-16 16:33:55 -07:00
dependabot[bot] cc0feb4b6c build(deps): bump actions/cache from 3.0.2 to 3.0.4
Bumps [actions/cache](https://github.com/actions/cache) from 3.0.2 to 3.0.4.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.2...v3.0.4)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-08 04:12:16 +00:00
Kir Kolyshkin 6b96cbdd59 ci: improve shellcheck job
1. Use env directive instead of adding to $GITHUB_ENV.

2. Use bash herefile to feed sha256sum instead of pipe to grep.

3. Fix the hardcoded checksum (it was missing the first character).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-25 18:57:25 -07:00
Kir Kolyshkin fbafaf315e ci: drop docker layer caching from release job
This job is failing with "No space left on device" lately, and this
helps to fix it.

Besides, it seems that caching does not help to shorten execution times
(validate/release job succeeds in under 8 minutes now; ymmv).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-24 11:22:27 -07:00
Sebastiaan van Stijn 255fe4099e Merge pull request #3445 from kolyshkin/gha-ro
ci/gha: limit jobs permissions
2022-04-22 20:44:37 +02:00
Sebastiaan van Stijn 238717ddd3 Merge pull request #3457 from kolyshkin/ci-merge-lint-extra
ci/gha: convert lint-extra from a job to a step
2022-04-14 13:42:40 +02:00
Sebastiaan van Stijn 727aa42fd7 Merge pull request #3378 from kolyshkin/ci-verify-more
shellcheck/shfmt more files; run check-config in CI
2022-04-14 13:39:29 +02:00
Kir Kolyshkin 4642d5282e Merge pull request #3458 from opencontainers/dependabot/github_actions/actions/cache-3.0.2
build(deps): bump actions/cache from 3.0.1 to 3.0.2
2022-04-13 22:35:00 -07:00
Kir Kolyshkin fa83a17c57 ci/gha: convert lint-extra from a job to a step
There is no need to parallelize lint and lint-extra jobs,
and they only differ with the arguments to golangci-lint.
Given that the longest time spent in these jobs is installing
libseccomp-dev, and that the second linter run can probably
benefit a lot from caching, it makes sense to merge them.

Move lint-extra from a separate job to a step in lint job.

The implementation is motivated by [1] and relies on the fact
that the last commit being fetched is the merge commit. So,
we need to set fetch-depth to 2 to be able to see the diff of
the merge commit -- and this is what golangci-lint is using.

[1] https://github.com/golangci/golangci-lint-action/issues/449#issuecomment-1096995821

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-04-13 20:20:15 -07:00
Kir Kolyshkin 98d3b5a495 Merge pull request #3455 from opencontainers/dependabot/github_actions/actions/upload-artifact-3
build(deps): bump actions/upload-artifact from 2 to 3
2022-04-12 14:31:53 -07:00
dependabot[bot] d73579cabc build(deps): bump actions/cache from 3.0.1 to 3.0.2
Bumps [actions/cache](https://github.com/actions/cache) from 3.0.1 to 3.0.2.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.1...v3.0.2)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-12 06:35:18 +00:00
dependabot[bot] b6eb94762a build(deps): bump actions/upload-artifact from 2 to 3
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 2 to 3.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-11 04:16:44 +00:00
dependabot[bot] 9d2268b9db build(deps): bump actions/setup-go from 2 to 3
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 2 to 3.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-11 04:16:41 +00:00
Kir Kolyshkin 67e06706ef ci/gha: limit jobs permissions
Most jobs only require to read the repo. Some require to read PRs as
well.

For details, see
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

Reported-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-04-06 14:25:22 -07:00
dependabot[bot] 7260bae675 build(deps): bump actions/cache from 2 to 3.0.1
Bumps [actions/cache](https://github.com/actions/cache) from 2 to 3.0.1.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v2...v3.0.1)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-31 04:15:06 +00:00
Kir Kolyshkin cacc823724 ci: add call to check-config.sh
This is done to make sure the script is working correctly in different
environments (distro and kernel versions). In addition, we can see in
test logs which kernel features are enabled.

Note that I didn't want to have a separate job for GHA CI, so I just
added this to the end of shellcheck one.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-30 20:47:45 -07:00
Kir Kolyshkin 01f30162d2 ci/gha: run on main branch
Since we have renamed our default branch, GHA CI is no longer testing
it (see https://github.com/opencontainers/runc/actions).

Fix this.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-30 11:06:25 -07:00
Kir Kolyshkin 5211cc3f7e Add / switch to Go 1.18
Switch to Go 1.18 as the default Go version.

Support for Go 1.16 is removed by the next commit.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-22 12:22:22 -07:00
Kir Kolyshkin fcab941e4d ci: switch to golangci-lint 1.45
For release notes, see
https://github.com/golangci/golangci-lint/releases/tag/v1.45.0

Notably, it adds support for Go 1.18.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-22 12:16:23 -07:00
Kir Kolyshkin f7637defb8 ci: use golangci-lint-action v3, GO_VERSION
golangci-lint-action v3 no longer installs golang itself, and the
version that comes with Ubuntu is not new/good enough.

Install go 1.17.x explicitly.

Introduce GO_VERSION environment variable to avoid duplication,
and use it instead of 1.x in other places, so that implicit go update
won't bring some unexpected failures.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-07 10:57:35 -08:00
Kir Kolyshkin f7d4613492 ci: bump golangci-lint to v1.44
Also, remove "must be specified without patch version" as this is no
longer true.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-07 10:42:01 -08:00
dependabot[bot] a43485c92c build(deps): bump actions/checkout from 2 to 3
Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-02 04:20:24 +00:00
Kir Kolyshkin be00ae07c3 ci: shellcheck: update to 0.8.0, fix/suppress new warnings
1. This valid warning is reported by shellcheck v0.8.0:

	In tests/integration/helpers.bash line 38:
	KERNEL_MINOR="${KERNEL_VERSION#$KERNEL_MAJOR.}"
				       ^-----------^ SC2295 (info): Expansions inside ${..} need to be quoted separately, otherwise they match as patterns.

	Did you mean:
	KERNEL_MINOR="${KERNEL_VERSION#"$KERNEL_MAJOR".}"

Fix this.

2. These (invalid) warnings are also reported by the new version:

	In tests/integration/events.bats line 13:
	@test "events --stats" {
	^-- SC2030 (info): Modification of status is local (to subshell caused by @bats test).

	In tests/integration/events.bats line 41:
		[ "$status" -eq 0 ]
		   ^-----^ SC2031 (info): status was modified in a subshell. That change might be lost.

Basically, this is happening because shellcheck do not really track
the call tree and/or local variables. This is a known (and reported)
deficiency, and the alternative to disabling these warnings is moving
the code around, which is worse due to more changes in git history.

So we have to silence/disable these.

3. Update shellcheck to 0.8.0.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-02-10 17:24:04 -08:00
dependabot[bot] 0767b782c4 build(deps): bump tim-actions/get-pr-commits from 1.1.0 to 1.2.0
Bumps [tim-actions/get-pr-commits](https://github.com/tim-actions/get-pr-commits) from 1.1.0 to 1.2.0.
- [Release notes](https://github.com/tim-actions/get-pr-commits/releases)
- [Commits](https://github.com/tim-actions/get-pr-commits/compare/v1.1.0...v1.2.0)

---
updated-dependencies:
- dependency-name: tim-actions/get-pr-commits
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-31 04:15:58 +00:00
Kir Kolyshkin c4a61aa918 ci: enable extra linters for new code
This adds a new GHA CI job which runs a few extra linters. This is only
done for pull requests, and should only warn about new code.

The justification is simple: we want more linters, but since this is not
a new project, adding a new linter meaning we have to fix all the
existing warnings. In some cases having all the warnings fixed is
difficult and takes time, plus it is usually a low priority task.

Therefore, we are stuck with inability to add new linters because we
can't fix all their warnings. Meanwhile, new pull requests add more
code which is not linted.

This is an attempt to break this vicious cycle. Let's enable godot
and revive for now and see how it is going.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-30 16:51:55 -08:00
Kir Kolyshkin 3d98676626 ci/gha: install latest stable Go version
Jobs verify/compile-buildtags and verify/deps relied on whatever Go
version is available from the Ubuntu-20.04 image, which seems to be
1.15.x).

Job test/cross-i386 was installing whatever Go version is considered to
be the default one by actions/setup-go@v2, which seems to be go 1.15.15
at the moment.

Fix all three jobs to install Go 1.x (which should translate to latest
stable Go version, i.e. 1.17.2 as of now).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-10-14 13:46:02 -07:00
Kir Kolyshkin f30244ee1b make release: add cross-build
This implements cross-build for "make release", moving the build into a
container. This way we can support arm, arm64, ppc, and whatnot.

* script/seccomp.sh: separate out of script/release.sh, amend to support
  cross-compile and save needed environment variables to a file.

* Dockerfile: add installing libseccomp from source, as this is needed
  for release builds.

* script/release.sh: amend to support more architectures in addition to
  the native build. Additional arches can be added by specifying
  "-a <arch>" argument (can be specified multiple times), or
  "make RELEASE_ARGS="-a arm64" release" if called via make.
  All supported architectures can be enabled via "make releaseall".

* Makefile: move "release" target to "localrelease", add "release" and
  "releaseall" targets to build via the Dockerfile. This is done because
  most distros (including Fedora and openSUSE) lack cross-glibc, which is
  needed to cross-compile libseccomp.

* Makefile: remove 'cross' and 'localcross' targets, as this is now done
  by the release script.

* .github/workflows/validate.yum: amend the release CI job to cross-build
  for supported architectures, remove cross job.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-20 10:05:58 -07:00