Commit Graph

64 Commits

Author SHA1 Message Date
dependabot[bot] 8206f5b2aa build(deps): bump actions/cache from 3.0.7 to 3.0.8
Bumps [actions/cache](https://github.com/actions/cache) from 3.0.7 to 3.0.8.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.7...v3.0.8)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-23 04:19:26 +00:00
Sebastiaan van Stijn 7b6f5153b8 Merge pull request #3514 from kolyshkin/go119
Add go 1.19, require go 1.18, drop go 1.17
2022-08-16 22:38:40 +02:00
Kir Kolyshkin b7dcdcecb4 Add go 1.19, require go 1.18, drop go 1.17
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-08-16 09:53:54 -07:00
Kir Kolyshkin 0f4bf2c840 ci/gha: bump golangci-lint to 1.48
This version works with go 1.19, i.e. it fixes
https://github.com/golangci/golangci-lint/issues/2922.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-08-16 09:53:54 -07:00
dependabot[bot] bf8d7c713b build(deps): bump actions/cache from 3.0.5 to 3.0.7
Bumps [actions/cache](https://github.com/actions/cache) from 3.0.5 to 3.0.7.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.5...v3.0.7)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-13 16:56:03 +00:00
Aleksa Sarai c0d44ea9fc merge branch 'pr-3523'
Kir Kolyshkin (1):
  CHANGELOG.md: forward-port 1.1.x changes

LGTMs: AkihiroSuda cyphar
Closes #3523
2022-07-20 14:26:51 +10:00
dependabot[bot] 5fd3d09e25 build(deps): bump actions/cache from 3.0.4 to 3.0.5
Bumps [actions/cache](https://github.com/actions/cache) from 3.0.4 to 3.0.5.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.4...v3.0.5)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-07-14 04:15:30 +00:00
Kir Kolyshkin d2a5acd22a CHANGELOG.md: forward-port 1.1.x changes
This is a forward-port of commit 91fa032da4 ("ci: add basic checks for
CHANGELOG.md"), plus whatever changes were made in release-1.1 branch
(up to v1.1.3).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-07-01 15:57:34 -07:00
Kir Kolyshkin 7481c3c97b ci: bump golangci-lint to 1.46
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-06-16 16:33:55 -07:00
dependabot[bot] cc0feb4b6c build(deps): bump actions/cache from 3.0.2 to 3.0.4
Bumps [actions/cache](https://github.com/actions/cache) from 3.0.2 to 3.0.4.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.2...v3.0.4)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-08 04:12:16 +00:00
Kir Kolyshkin 6b96cbdd59 ci: improve shellcheck job
1. Use env directive instead of adding to $GITHUB_ENV.

2. Use bash herefile to feed sha256sum instead of pipe to grep.

3. Fix the hardcoded checksum (it was missing the first character).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-25 18:57:25 -07:00
Kir Kolyshkin fbafaf315e ci: drop docker layer caching from release job
This job is failing with "No space left on device" lately, and this
helps to fix it.

Besides, it seems that caching does not help to shorten execution times
(validate/release job succeeds in under 8 minutes now; ymmv).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-24 11:22:27 -07:00
Sebastiaan van Stijn 255fe4099e Merge pull request #3445 from kolyshkin/gha-ro
ci/gha: limit jobs permissions
2022-04-22 20:44:37 +02:00
Sebastiaan van Stijn 238717ddd3 Merge pull request #3457 from kolyshkin/ci-merge-lint-extra
ci/gha: convert lint-extra from a job to a step
2022-04-14 13:42:40 +02:00
Sebastiaan van Stijn 727aa42fd7 Merge pull request #3378 from kolyshkin/ci-verify-more
shellcheck/shfmt more files; run check-config in CI
2022-04-14 13:39:29 +02:00
Kir Kolyshkin 4642d5282e Merge pull request #3458 from opencontainers/dependabot/github_actions/actions/cache-3.0.2
build(deps): bump actions/cache from 3.0.1 to 3.0.2
2022-04-13 22:35:00 -07:00
Kir Kolyshkin fa83a17c57 ci/gha: convert lint-extra from a job to a step
There is no need to parallelize lint and lint-extra jobs,
and they only differ with the arguments to golangci-lint.
Given that the longest time spent in these jobs is installing
libseccomp-dev, and that the second linter run can probably
benefit a lot from caching, it makes sense to merge them.

Move lint-extra from a separate job to a step in lint job.

The implementation is motivated by [1] and relies on the fact
that the last commit being fetched is the merge commit. So,
we need to set fetch-depth to 2 to be able to see the diff of
the merge commit -- and this is what golangci-lint is using.

[1] https://github.com/golangci/golangci-lint-action/issues/449#issuecomment-1096995821

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-04-13 20:20:15 -07:00
Kir Kolyshkin 98d3b5a495 Merge pull request #3455 from opencontainers/dependabot/github_actions/actions/upload-artifact-3
build(deps): bump actions/upload-artifact from 2 to 3
2022-04-12 14:31:53 -07:00
dependabot[bot] d73579cabc build(deps): bump actions/cache from 3.0.1 to 3.0.2
Bumps [actions/cache](https://github.com/actions/cache) from 3.0.1 to 3.0.2.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.1...v3.0.2)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-12 06:35:18 +00:00
dependabot[bot] b6eb94762a build(deps): bump actions/upload-artifact from 2 to 3
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 2 to 3.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-11 04:16:44 +00:00
dependabot[bot] 9d2268b9db build(deps): bump actions/setup-go from 2 to 3
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 2 to 3.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-11 04:16:41 +00:00
Kir Kolyshkin 67e06706ef ci/gha: limit jobs permissions
Most jobs only require to read the repo. Some require to read PRs as
well.

For details, see
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

Reported-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-04-06 14:25:22 -07:00
dependabot[bot] 7260bae675 build(deps): bump actions/cache from 2 to 3.0.1
Bumps [actions/cache](https://github.com/actions/cache) from 2 to 3.0.1.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v2...v3.0.1)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-31 04:15:06 +00:00
Kir Kolyshkin cacc823724 ci: add call to check-config.sh
This is done to make sure the script is working correctly in different
environments (distro and kernel versions). In addition, we can see in
test logs which kernel features are enabled.

Note that I didn't want to have a separate job for GHA CI, so I just
added this to the end of shellcheck one.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-30 20:47:45 -07:00
Kir Kolyshkin 01f30162d2 ci/gha: run on main branch
Since we have renamed our default branch, GHA CI is no longer testing
it (see https://github.com/opencontainers/runc/actions).

Fix this.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-30 11:06:25 -07:00
Kir Kolyshkin 5211cc3f7e Add / switch to Go 1.18
Switch to Go 1.18 as the default Go version.

Support for Go 1.16 is removed by the next commit.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-22 12:22:22 -07:00
Kir Kolyshkin fcab941e4d ci: switch to golangci-lint 1.45
For release notes, see
https://github.com/golangci/golangci-lint/releases/tag/v1.45.0

Notably, it adds support for Go 1.18.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-22 12:16:23 -07:00
Kir Kolyshkin f7637defb8 ci: use golangci-lint-action v3, GO_VERSION
golangci-lint-action v3 no longer installs golang itself, and the
version that comes with Ubuntu is not new/good enough.

Install go 1.17.x explicitly.

Introduce GO_VERSION environment variable to avoid duplication,
and use it instead of 1.x in other places, so that implicit go update
won't bring some unexpected failures.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-07 10:57:35 -08:00
Kir Kolyshkin f7d4613492 ci: bump golangci-lint to v1.44
Also, remove "must be specified without patch version" as this is no
longer true.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-07 10:42:01 -08:00
dependabot[bot] a43485c92c build(deps): bump actions/checkout from 2 to 3
Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-02 04:20:24 +00:00
Kir Kolyshkin be00ae07c3 ci: shellcheck: update to 0.8.0, fix/suppress new warnings
1. This valid warning is reported by shellcheck v0.8.0:

	In tests/integration/helpers.bash line 38:
	KERNEL_MINOR="${KERNEL_VERSION#$KERNEL_MAJOR.}"
				       ^-----------^ SC2295 (info): Expansions inside ${..} need to be quoted separately, otherwise they match as patterns.

	Did you mean:
	KERNEL_MINOR="${KERNEL_VERSION#"$KERNEL_MAJOR".}"

Fix this.

2. These (invalid) warnings are also reported by the new version:

	In tests/integration/events.bats line 13:
	@test "events --stats" {
	^-- SC2030 (info): Modification of status is local (to subshell caused by @bats test).

	In tests/integration/events.bats line 41:
		[ "$status" -eq 0 ]
		   ^-----^ SC2031 (info): status was modified in a subshell. That change might be lost.

Basically, this is happening because shellcheck do not really track
the call tree and/or local variables. This is a known (and reported)
deficiency, and the alternative to disabling these warnings is moving
the code around, which is worse due to more changes in git history.

So we have to silence/disable these.

3. Update shellcheck to 0.8.0.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-02-10 17:24:04 -08:00
dependabot[bot] 0767b782c4 build(deps): bump tim-actions/get-pr-commits from 1.1.0 to 1.2.0
Bumps [tim-actions/get-pr-commits](https://github.com/tim-actions/get-pr-commits) from 1.1.0 to 1.2.0.
- [Release notes](https://github.com/tim-actions/get-pr-commits/releases)
- [Commits](https://github.com/tim-actions/get-pr-commits/compare/v1.1.0...v1.2.0)

---
updated-dependencies:
- dependency-name: tim-actions/get-pr-commits
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-31 04:15:58 +00:00
Kir Kolyshkin c4a61aa918 ci: enable extra linters for new code
This adds a new GHA CI job which runs a few extra linters. This is only
done for pull requests, and should only warn about new code.

The justification is simple: we want more linters, but since this is not
a new project, adding a new linter meaning we have to fix all the
existing warnings. In some cases having all the warnings fixed is
difficult and takes time, plus it is usually a low priority task.

Therefore, we are stuck with inability to add new linters because we
can't fix all their warnings. Meanwhile, new pull requests add more
code which is not linted.

This is an attempt to break this vicious cycle. Let's enable godot
and revive for now and see how it is going.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-30 16:51:55 -08:00
Kir Kolyshkin 3d98676626 ci/gha: install latest stable Go version
Jobs verify/compile-buildtags and verify/deps relied on whatever Go
version is available from the Ubuntu-20.04 image, which seems to be
1.15.x).

Job test/cross-i386 was installing whatever Go version is considered to
be the default one by actions/setup-go@v2, which seems to be go 1.15.15
at the moment.

Fix all three jobs to install Go 1.x (which should translate to latest
stable Go version, i.e. 1.17.2 as of now).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-10-14 13:46:02 -07:00
Kir Kolyshkin f30244ee1b make release: add cross-build
This implements cross-build for "make release", moving the build into a
container. This way we can support arm, arm64, ppc, and whatnot.

* script/seccomp.sh: separate out of script/release.sh, amend to support
  cross-compile and save needed environment variables to a file.

* Dockerfile: add installing libseccomp from source, as this is needed
  for release builds.

* script/release.sh: amend to support more architectures in addition to
  the native build. Additional arches can be added by specifying
  "-a <arch>" argument (can be specified multiple times), or
  "make RELEASE_ARGS="-a arm64" release" if called via make.
  All supported architectures can be enabled via "make releaseall".

* Makefile: move "release" target to "localrelease", add "release" and
  "releaseall" targets to build via the Dockerfile. This is done because
  most distros (including Fedora and openSUSE) lack cross-glibc, which is
  needed to cross-compile libseccomp.

* Makefile: remove 'cross' and 'localcross' targets, as this is now done
  by the release script.

* .github/workflows/validate.yum: amend the release CI job to cross-build
  for supported architectures, remove cross job.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-20 10:05:58 -07:00
Sebastiaan van Stijn 2eaeea77c2 Merge pull request #3207 from kolyshkin/update-shfmt
ci/gha: bump shfmt to 3.3.1
2021-09-10 23:36:56 +02:00
Kir Kolyshkin 47abdceef1 ci/gha: update golangci-lint to 1.42.1
v1.42.1 was released tagged a few days ago.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-09 17:06:48 -07:00
Kir Kolyshkin 49137c2aa0 ci/gha: bump shfmt to 3.3.1
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-09 16:37:00 -07:00
Rodrigo Campos 347c371bf4 CI: Mark CGO warnings as errors
Treat warning as errors only in the CI. We can enforce it in the source
code (like setting CFLAGS in libcontainer/nsenter/nsenter.go), but that
can force other downstream to patch the code if thei C compiler produces
warnings. For that reason, we do it only on the CI.

Todays CGO warnings are quite hidden in the CI (only shown for the
compilation step, that is collapsed) and CI is green anyways. With this
patch, CI fails if a warning is introduced.

Signed-off-by: Rodrigo Campos <rodrigo@kinvolk.io>
2021-08-31 18:08:29 +02:00
Kir Kolyshkin 75761bccf7 Fix codespell warnings, add codespell to ci
The two exceptions I had to add to codespellrc are:
 - CLOS (used by intelrtd);
 - creat (syscall name used in tests/integration/testdata/seccomp_*.json).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-17 16:12:35 -07:00
Rodrigo Campos 844d6774e0 CI: Validate compilation without buildtags
Today we support the seccomp build tag only that is used by default.
However, we are not testing that compiling without any build tag works.

I found the CI didn't catch this when working on #2682, that the CI was
green but compilation without build tags was broken.

We test compilation without build tags only, compilation with the only
build tag supported is done extensively in other actions.

Signed-off-by: Rodrigo Campos <rodrigo@kinvolk.io>
2021-08-16 17:44:54 +02:00
Kir Kolyshkin d02b0061d2 ci/gha: run on release-* branches after a push
A CI is needed after PR merges.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-14 09:42:10 -07:00
dependabot[bot] 01f5dcaeb7 build(deps): bump tim-actions/get-pr-commits from 1.0.0 to 1.1.0
Bumps [tim-actions/get-pr-commits](https://github.com/tim-actions/get-pr-commits) from 1.0.0 to 1.1.0.
- [Release notes](https://github.com/tim-actions/get-pr-commits/releases)
- [Commits](https://github.com/tim-actions/get-pr-commits/compare/v1.0.0...v1.1.0)

---
updated-dependencies:
- dependency-name: tim-actions/get-pr-commits
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-06-11 06:31:30 +00:00
Aleksa Sarai 37767c0510 ci: lint: show all errors in PRs
It seems that golangci-lint didn't warn us about new lint errors that
were added after we enabled it, so just run the full thing and give us
all the errors on every PR run -- as long as we keep master lint-clean
it doesn't matter whether we set this or not.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-05-25 14:33:02 +10:00
Aleksa Sarai 07ca0be07b *: clean up remaining golangci-lint failures
Most of these were false positives or cases where we want to ignore the
lint, but the change to the BPF generation is actually useful.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-05-25 14:19:39 +10:00
Kir Kolyshkin af2e03c50f ci/gha: bump shellcheck 0.7.1 -> 0.7.2
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-06 20:11:09 -07:00
Kir Kolyshkin 2d1bb91dca ci/gha: bump shfmt 3.2.0 -> 3.2.4
Changes: https://github.com/mvdan/sh/releases

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-06 20:09:52 -07:00
Kir Kolyshkin d748280aa9 make release: build/include libseccomp
libseccomp is LGPL, meaning if we statically link it, we have to include
the source code of the library.

Amend "make release" to download and build libseccomp, build runc
against it, and include its sources into the release directory.

The only caveat is I found no way to stop go build from using the
stock (distro-provided) libseccomp.a, so the script checks that
the stock libseccomp.a is not available, and aborts otherwise.

While at it:
 - enable shellcheck for script/release.sh
 - remove libseccomp installation from the gha job
 - add dependecies needed for libseccomp build to the gha job

[v2: also include libseccomp .asc file]
[v3: rebase]

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-04-01 19:43:02 -07:00
Kir Kolyshkin 3eb46d89d2 ci: make static built binary available
This uploads the results of make release step (static binary and
a source tarball) so that they are available. I am not very sure if
it's of any use, but at least one can download and play with a static
binary from any PR.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-04-01 19:42:34 -07:00
Kir Kolyshkin 522bd64187 Fix checking C code formatting
Apparently, scripts/validate-c is not working in CI (or maybe
maintainers ignored the failures from it) -- current C code
gets some changes if we run indent on it.

This commit fixes this, simplifying things along the way.

 In particular:

1. Remove "validate" make target, add "cfmt" target that just runs
   indent on all *.c files in the repository (NOTE that *.h files
   are not included, as before).

   This may help a contributor to fix their code -- they just need
   to run "make cfmt" now instead of running "make validate" and
   copy-pasting the indent command and options from the hint.

2. Split GHA validate/misc into validate/release and validate/cfmt.
   The latter checks that the sources are not changed after "make cfmt".

3. Adds a few more options to indent. This was mostly motivated by
   trying to save the existing formatting, minimizing the amount of
   changes indent produces.

   The new options are:

   * -il0: sets the offset for goto labels to 0 (currently all labels
     but one are not indented -- let's keep it that way);

   * -ppi2: sets the indentation for nested preprocessor directives
     to 2 spaces (same as it is done in "SYS_memfd_create" defines);

   * -cp1: sets the indentation between #else / #endif and the
     following comment to 1 space.

4. Reformat the code using the new indent options.

5. Remove the now-unused script/{.validate,validate-c}.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-18 16:56:09 -07:00