Commit Graph

245 Commits

Author SHA1 Message Date
Kir Kolyshkin d8c62c7d0b Makefile: add RUNC_BUILDTAGS, deprecate EXTRA_BUILDTAGS
A bit of history. EXTRA_BUILDTAGS was introduced in commit dac417174,
as a quick way to add some extra Go build tags to the runc build.

Later, commit 767bc008 changed Makefile to not get EXTRA_TAGS from the
shell environment, as the name is quite generic and some unrelated
environment variable with that name can affect runc build. While such
change does make sense, it makes it more complicated to pass build tags
in CI and otherwise (see e.g. commit 0e1fe368a).

Moreover, runc build uses some Go build tags by default (via Makefile),
and while it is easy to add more build tags (via EXTRA_BUILDTAGS), in
order to remove some existing tags one has to redefine BUILDTAGS from
scratch, which is not very convenient (again, see commit 0e1fe368a which
gets the current value of BUILDTAGS from the Makefile in order to remove
a single tag).

To handle all of the above, let's do this:
 - implement RUNC_BUILDTAGS, fixing the issue of not-so-unique name;
 - allow to get RUNC_BUILDTAGS from shell environment;
 - implement a feature to remove a build tag from default set by
   prefixing it with "-" (as in RUNC_BUILDTAGS="-seccomp");
 - document all this in README;
 - make CI use the new feature;
 - keep EXTRA_BUILDTAGS for backward compatibility, add a make warning
   and a TODO to remove it for runc 1.6.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-03-18 13:17:17 +08:00
Aleksa Sarai 9cf46be341 gha: install libpathrs for conmon test as well
Commit 192e3d416f ("ci: add conmon tests run") was merged without
rebasing on top of commit e2c989b7e1 ("build: enable libpathrs by
default"), causing build failures when it was merged.

The solution is to just use the same install script as the rest of CI
from commit 7322b05f41 ("ci: build and install libpathrs").

Fixes: 192e3d416f ("ci: add conmon tests run")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-12 20:46:10 +09:00
lfbzhm 7837689f9a Merge pull request #5159 from kolyshkin/add-conmon
ci: add conmon tests run
2026-03-12 19:18:14 +08:00
Aleksa Sarai 0e1fe368a2 gha: test both with and without libpathrs
We do plan to make libpathrs required in the future, but in the meantime
we should test both with and without libpathrs in our CI to catch
regressions for users that will not use libpathrs initially.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-12 17:58:11 +09:00
Aleksa Sarai 7322b05f41 ci: build and install libpathrs
libpathrs will be opt-out in a future patch so we need to test with it
in our CI.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-12 17:58:11 +09:00
Kir Kolyshkin 192e3d416f ci: add conmon tests run
This adds a CI job to run conmon tests with runc.

Related to issue 5151, PR 5153.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-03-11 16:43:18 -07:00
dependabot[bot] 106f302c54 build(deps): bump actions/upload-artifact from 6 to 7
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 6 to 7.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v6...v7)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-27 04:52:14 +00:00
Kir Kolyshkin 61a1d1b3aa ci: bump golangci-lint to v2.10
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-25 13:48:55 -08:00
Kir Kolyshkin 23effed6eb ci: switch to ubuntu 24.04 for cross-i386 job
Commit 67f6c37b ("ci/gha: switch to ubuntu 24.04") switched most GHA CI
to Ubuntu 24.04 except for one job. It says:

> Leave ubuntu-22.04 for ci/cross-i386 (issue with systemctl restart hang
> after apt install). This can be addressed separately later.

Assuming the issue it already fixed (updated systemd or something),
let's finalize the 24.04 switch.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-12 13:31:56 -08:00
Kir Kolyshkin daa5ffcc84 ci: bump Go 1.26rc2 -> 1.26.x
Since Go 1.26.0 is released today.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-10 13:05:24 -08:00
dependabot[bot] 4c7cf7d503 build(deps): bump bats-core/bats-action from 3.0.1 to 4.0.0
Bumps [bats-core/bats-action](https://github.com/bats-core/bats-action) from 3.0.1 to 4.0.0.
- [Release notes](https://github.com/bats-core/bats-action/releases)
- [Commits](https://github.com/bats-core/bats-action/compare/3.0.1...4.0.0)

---
updated-dependencies:
- dependency-name: bats-core/bats-action
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-09 04:52:53 +00:00
Kir Kolyshkin e4e05423e4 ci: add go 1.26 rc2
This is mostly to test whether https://go.dev/cl/728642 results in
any test failures in the current CI matrix.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-01-28 17:34:14 -08:00
Rodrigo Campos a4b2adc566 Merge pull request #5075 from kolyshkin/fix-modernize-url
ci: fix modernize URL
2025-12-20 01:23:04 -03:00
Kir Kolyshkin 428043bcf2 ci: fix modernize URL
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-17 11:57:00 -08:00
dependabot[bot] 3be9a054e7 build(deps): bump actions/upload-artifact from 5 to 6
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 5 to 6.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-17 00:53:57 +00:00
Kir Kolyshkin 20bdd0b537 ci: use Go 1.25 for validate jobs
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-16 15:05:01 -08:00
Kir Kolyshkin dbc4234607 ci: drop -test from modernize run
The modernize documentation used to suggest -test flag but it's not
needed as it is enabled by default. Drop it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-16 15:05:01 -08:00
Kir Kolyshkin 16ee2bbf4c ci: use latest Go for modernize job
Since we use modernize@latest, it may require latest Go as well (and now it does),
so use "go-version: stable" explicitly (which resolves to latest Go).

This fixes the issue with CI:

> go: golang.org/x/tools/gopls/internal/analysis/modernize/cmd/modernize@latest: golang.org/x/tools/gopls@v0.21.0 requires go >= 1.25 (running go 1.24.11; GOTOOLCHAIN=local)

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-16 15:04:58 -08:00
dependabot[bot] 18c3adb8dc build(deps): bump actions/cache from 4 to 5
Bumps [actions/cache](https://github.com/actions/cache) from 4 to 5.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-12 04:02:43 +00:00
Kir Kolyshkin 5407cfe4a1 ci: don't fail CI if criu-dev test fails
In view of recent criu-dev failure, let's not fail the
required "all-done" job when criu-dev tests fail.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-05 10:54:00 +08:00
Kir Kolyshkin 68771cfe51 ci: bump shellcheck to v0.11.0
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-03 10:22:14 -08:00
Kir Kolyshkin f128234354 ci: bump bats to 1.12.0
This which is already using in CI on Fedora.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-03 10:22:14 -08:00
dependabot[bot] 257fb71e45 build(deps): bump actions/checkout from 5 to 6
Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-21 04:02:45 +00:00
Kir Kolyshkin df4acc8867 ci: add checking Go version from Dockerfile
This is to ensure that Go version in Dockerfile (which is used to build
release binaries) is:
 - currently supported;
 - used in CI tests.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-11 20:20:21 -08:00
Kir Kolyshkin 3fe21c54e6 ci: faster git clone
For some reason, some jobs in .github/workflows/validate.yml
have "fetch-depth: 0" argument to actions/checkout, meaning
"all history for all branches and tags". Obviously this is
not needed here.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-11 20:20:21 -08:00
dependabot[bot] c0db4632d2 build(deps): bump golangci/golangci-lint-action from 8 to 9
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 8 to 9.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/v8...v9)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-version: '9'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-10 04:02:58 +00:00
Aleksa Sarai 96f1962f91 deps: update to github.com/opencontainers/selinux@v0.13.0
This new version includes the fixes for CVE-2025-52881, so we can remove
the internal/third_party copy of the library we added in commit
ed6b1693b8 ("selinux: use safe procfs API for labels") as well as the
"replace" directive in go.mod (which is problematic for "go get"
installs).

Fixes: ed6b1693b8 ("selinux: use safe procfs API for labels")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-08 02:14:38 +11:00
Kir Kolyshkin 49780ce734 ci: bump golangci-lint to v2.6
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-05 20:05:05 -08:00
Kir Kolyshkin 96dfa9de54 ci: disable golangci-lint cache
This will result in slower runs but we are having issues with
golangci-lint (false positives) that are most probably related
to caching.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-05 20:04:53 -08:00
Aleksa Sarai ed6b1693b8 selinux: use safe procfs API for labels
Due to the sensitive nature of these fixes, it was not possible to
submit these upstream and vendor the upstream library. Instead, this
patch uses a fork of github.com/opencontainers/selinux, branched at
commit opencontainers/selinux@879a755db5.

In order to permit downstreams to build with this patched version, a
snapshot of the forked version has been included in
internal/third_party/selinux. Note that since we use "go mod vendor",
the patched code is usable even without being "go get"-able. Once the
embargo for this issue is lifted we can submit the patches upstream and
switch back to a proper upstream go.mod entry.

Also, this requires us to temporarily disable the CI job we have that
disallows "replace" directives.

Fixes: GHSA-cgrx-mc8f-2prm CVE-2025-52881
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-01 21:24:06 +11:00
dependabot[bot] f5f6056219 build(deps): bump actions/upload-artifact from 4 to 5
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 5.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-10-27 04:09:57 +00:00
Kir Kolyshkin 2a7ce15e68 ci: show criu version in criu-dev testing
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-10-16 12:09:46 -07:00
Kir Kolyshkin 6af1d637ba ci: bump bats to 1.11.1
Bump bats to the version from Fedora 42 (used in "fedora" job), so we
have the same version everywhere.

This also fixes an issue introduced by commit d31e6b87 (which forgot to
bump bats in GHA CI), and adds a note to the yaml in order to avoid the
same issue in the future.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-10-16 12:07:55 -07:00
Kir Kolyshkin 1c4dba693f ci: only run lint-extra job on PRs to main
All the new code appears in main (not in the release branches),
and we only want extra linter rules to apply to new code.

Disable lint-extra job if the PR is not to the main branch.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-10-15 16:51:22 -07:00
Akihiro Suda c0e6f42427 CI: remove deprecated lima-vm/lima-actions/ssh
`lima-vm/lima-actions/ssh` is now merged into
`lima-vm/lima-actions/setup`.

https://github.com/lima-vm/lima-actions/releases/tag/v1.1.0

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2025-10-14 14:41:27 +09:00
Kir Kolyshkin 2aea8617ea ci: bump golangci-lint to v2.5
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-10-07 17:09:28 -07:00
Rodrigo Campos 2998f90507 Merge pull request #4883 from opencontainers/dependabot/github_actions/actions/github-script-8
build(deps): bump actions/github-script from 7 to 8
2025-09-05 12:51:27 -03:00
dependabot[bot] 9408f6643d build(deps): bump actions/github-script from 7 to 8
Bumps [actions/github-script](https://github.com/actions/github-script) from 7 to 8.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](https://github.com/actions/github-script/compare/v7...v8)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-version: '8'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-09-05 04:02:37 +00:00
dependabot[bot] edc2eb60f3 build(deps): bump actions/setup-go from 5 to 6
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5 to 6.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-09-05 04:02:34 +00:00
Kir Kolyshkin c04d9c446d ci/validate: add modernize run
Modernize tool [1] basically ensures that the new language features and
packages are used across the code.

The reason to run it in CI is to ensure that
 - PR authors use modern code;
 - our code is modern whether we bump Go version in go.mod.

Shove it into go-fix job which already does a similar thing
but for 'go-fix' and rename the whole job to modernize.

[1]: https://pkg.go.dev/golang.org/x/tools/gopls/internal/analysis/modernize

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-08-29 15:24:04 -07:00
Kir Kolyshkin 26602650ad Add go 1.25, require go 1.24
Now that Go 1.25 is out, let's switch to go 1.24.0 as a minimally
supported version, drop Go 1.23 and add Go 1.25 to CI matrix.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-08-27 19:11:01 -07:00
Kir Kolyshkin 96f4a90a6b Switch to packaged criu on arm
The issue on arm [1] is now fixed, so let's get back to using the
packaged criu version for most of the CI matrix.

This reverts commit 105674844e
("ci: use criu built from source on gha arm").

[1]: https://github.com/checkpoint-restore/criu/issues/2709

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-08-18 10:47:26 -07:00
Kir Kolyshkin 9e0f989015 ci: bump golangci-lint to v2.4.x
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-08-17 15:40:58 -07:00
dependabot[bot] cfb22c9a0f build(deps): bump actions/checkout from 4 to 5
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-08-15 16:40:45 +00:00
Kir Kolyshkin 105674844e ci: use criu built from source on gha arm
Currently, criu package from opensuse build farm times out on GHA arm,
so let's only use criu-dev (i.e. compiled from source on CI machine).

Once this is fixed, this patch can be reverted.

Related to criu issue 2709.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-08-12 14:48:05 -07:00
Kir Kolyshkin 1cf096803a CI: switch to GHA for arm
Since GHA now provides ARM, we can switch away from actuated.

Many thanks to @alexellis (@self-actuated) for being the sponsor of this
project.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-08-12 14:00:13 -07:00
Kir Kolyshkin 1a26cf3a23 ci: speed up criu-dev install
Employ shallow git clone and parallel build, speeding up build.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-07-25 20:45:15 -07:00
Kir Kolyshkin 1c2810be9e ci: bump golangci-lint to v2.3.x
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-07-25 12:37:46 +08:00
Kir Kolyshkin 995a39a4cb ci: add scheduled run of GHA CI
This is to ensure that our CI is not rotting away even if there are no
new PRs or merges. This is especially useful for release branches
which tend to cease working over time due to some external reasons.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-05-14 16:12:37 -07:00
Kir Kolyshkin 74209b739d ci/gha: allow to run jobs manually
... or from another job.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-05-14 16:12:37 -07:00