Commit Graph

149 Commits

Author SHA1 Message Date
dependabot[bot] b01a783897 build(deps): bump actions/checkout from 6 to 7
Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-19 04:52:10 +00:00
Aleksa Sarai d47bf88349 deps: update to libpathrs v0.2.5
This update includes a few breaking API changes that I needed to get in
before an actual runc release depends on it, so that we don't need to
deal with compatibility shims for them (or bumping the SOVERSION).

From a Go API perspective, there were no major changes -- though this
bump did also require a bump to github.com/cyphar/filepath-securejoin
because one of the wrapped APIs changed from int to uint64 as a flag
argument type. Again, better to get this done before we really depend on
this in a public way.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-06-18 11:57:38 +02:00
Kir Kolyshkin d8c62c7d0b Makefile: add RUNC_BUILDTAGS, deprecate EXTRA_BUILDTAGS
A bit of history. EXTRA_BUILDTAGS was introduced in commit dac417174,
as a quick way to add some extra Go build tags to the runc build.

Later, commit 767bc008 changed Makefile to not get EXTRA_TAGS from the
shell environment, as the name is quite generic and some unrelated
environment variable with that name can affect runc build. While such
change does make sense, it makes it more complicated to pass build tags
in CI and otherwise (see e.g. commit 0e1fe368a).

Moreover, runc build uses some Go build tags by default (via Makefile),
and while it is easy to add more build tags (via EXTRA_BUILDTAGS), in
order to remove some existing tags one has to redefine BUILDTAGS from
scratch, which is not very convenient (again, see commit 0e1fe368a which
gets the current value of BUILDTAGS from the Makefile in order to remove
a single tag).

To handle all of the above, let's do this:
 - implement RUNC_BUILDTAGS, fixing the issue of not-so-unique name;
 - allow to get RUNC_BUILDTAGS from shell environment;
 - implement a feature to remove a build tag from default set by
   prefixing it with "-" (as in RUNC_BUILDTAGS="-seccomp");
 - document all this in README;
 - make CI use the new feature;
 - keep EXTRA_BUILDTAGS for backward compatibility, add a make warning
   and a TODO to remove it for runc 1.6.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-03-18 13:17:17 +08:00
Aleksa Sarai 9cf46be341 gha: install libpathrs for conmon test as well
Commit 192e3d416f ("ci: add conmon tests run") was merged without
rebasing on top of commit e2c989b7e1 ("build: enable libpathrs by
default"), causing build failures when it was merged.

The solution is to just use the same install script as the rest of CI
from commit 7322b05f41 ("ci: build and install libpathrs").

Fixes: 192e3d416f ("ci: add conmon tests run")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-12 20:46:10 +09:00
lfbzhm 7837689f9a Merge pull request #5159 from kolyshkin/add-conmon
ci: add conmon tests run
2026-03-12 19:18:14 +08:00
Aleksa Sarai 7322b05f41 ci: build and install libpathrs
libpathrs will be opt-out in a future patch so we need to test with it
in our CI.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-12 17:58:11 +09:00
Kir Kolyshkin 192e3d416f ci: add conmon tests run
This adds a CI job to run conmon tests with runc.

Related to issue 5151, PR 5153.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-03-11 16:43:18 -07:00
dependabot[bot] 106f302c54 build(deps): bump actions/upload-artifact from 6 to 7
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 6 to 7.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v6...v7)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-27 04:52:14 +00:00
Kir Kolyshkin 61a1d1b3aa ci: bump golangci-lint to v2.10
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-25 13:48:55 -08:00
Rodrigo Campos a4b2adc566 Merge pull request #5075 from kolyshkin/fix-modernize-url
ci: fix modernize URL
2025-12-20 01:23:04 -03:00
Kir Kolyshkin 428043bcf2 ci: fix modernize URL
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-17 11:57:00 -08:00
dependabot[bot] 3be9a054e7 build(deps): bump actions/upload-artifact from 5 to 6
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 5 to 6.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-17 00:53:57 +00:00
Kir Kolyshkin 20bdd0b537 ci: use Go 1.25 for validate jobs
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-16 15:05:01 -08:00
Kir Kolyshkin dbc4234607 ci: drop -test from modernize run
The modernize documentation used to suggest -test flag but it's not
needed as it is enabled by default. Drop it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-16 15:05:01 -08:00
Kir Kolyshkin 16ee2bbf4c ci: use latest Go for modernize job
Since we use modernize@latest, it may require latest Go as well (and now it does),
so use "go-version: stable" explicitly (which resolves to latest Go).

This fixes the issue with CI:

> go: golang.org/x/tools/gopls/internal/analysis/modernize/cmd/modernize@latest: golang.org/x/tools/gopls@v0.21.0 requires go >= 1.25 (running go 1.24.11; GOTOOLCHAIN=local)

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-16 15:04:58 -08:00
Kir Kolyshkin 68771cfe51 ci: bump shellcheck to v0.11.0
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-03 10:22:14 -08:00
dependabot[bot] 257fb71e45 build(deps): bump actions/checkout from 5 to 6
Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-21 04:02:45 +00:00
Kir Kolyshkin df4acc8867 ci: add checking Go version from Dockerfile
This is to ensure that Go version in Dockerfile (which is used to build
release binaries) is:
 - currently supported;
 - used in CI tests.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-11 20:20:21 -08:00
Kir Kolyshkin 3fe21c54e6 ci: faster git clone
For some reason, some jobs in .github/workflows/validate.yml
have "fetch-depth: 0" argument to actions/checkout, meaning
"all history for all branches and tags". Obviously this is
not needed here.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-11 20:20:21 -08:00
dependabot[bot] c0db4632d2 build(deps): bump golangci/golangci-lint-action from 8 to 9
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 8 to 9.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/v8...v9)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-version: '9'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-10 04:02:58 +00:00
Aleksa Sarai 96f1962f91 deps: update to github.com/opencontainers/selinux@v0.13.0
This new version includes the fixes for CVE-2025-52881, so we can remove
the internal/third_party copy of the library we added in commit
ed6b1693b8 ("selinux: use safe procfs API for labels") as well as the
"replace" directive in go.mod (which is problematic for "go get"
installs).

Fixes: ed6b1693b8 ("selinux: use safe procfs API for labels")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-08 02:14:38 +11:00
Kir Kolyshkin 49780ce734 ci: bump golangci-lint to v2.6
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-05 20:05:05 -08:00
Kir Kolyshkin 96dfa9de54 ci: disable golangci-lint cache
This will result in slower runs but we are having issues with
golangci-lint (false positives) that are most probably related
to caching.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-05 20:04:53 -08:00
Aleksa Sarai ed6b1693b8 selinux: use safe procfs API for labels
Due to the sensitive nature of these fixes, it was not possible to
submit these upstream and vendor the upstream library. Instead, this
patch uses a fork of github.com/opencontainers/selinux, branched at
commit opencontainers/selinux@879a755db5.

In order to permit downstreams to build with this patched version, a
snapshot of the forked version has been included in
internal/third_party/selinux. Note that since we use "go mod vendor",
the patched code is usable even without being "go get"-able. Once the
embargo for this issue is lifted we can submit the patches upstream and
switch back to a proper upstream go.mod entry.

Also, this requires us to temporarily disable the CI job we have that
disallows "replace" directives.

Fixes: GHSA-cgrx-mc8f-2prm CVE-2025-52881
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-01 21:24:06 +11:00
dependabot[bot] f5f6056219 build(deps): bump actions/upload-artifact from 4 to 5
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 5.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-10-27 04:09:57 +00:00
Kir Kolyshkin 1c4dba693f ci: only run lint-extra job on PRs to main
All the new code appears in main (not in the release branches),
and we only want extra linter rules to apply to new code.

Disable lint-extra job if the PR is not to the main branch.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-10-15 16:51:22 -07:00
Kir Kolyshkin 2aea8617ea ci: bump golangci-lint to v2.5
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-10-07 17:09:28 -07:00
dependabot[bot] edc2eb60f3 build(deps): bump actions/setup-go from 5 to 6
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5 to 6.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-09-05 04:02:34 +00:00
Kir Kolyshkin c04d9c446d ci/validate: add modernize run
Modernize tool [1] basically ensures that the new language features and
packages are used across the code.

The reason to run it in CI is to ensure that
 - PR authors use modern code;
 - our code is modern whether we bump Go version in go.mod.

Shove it into go-fix job which already does a similar thing
but for 'go-fix' and rename the whole job to modernize.

[1]: https://pkg.go.dev/golang.org/x/tools/gopls/internal/analysis/modernize

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-08-29 15:24:04 -07:00
Kir Kolyshkin 9e0f989015 ci: bump golangci-lint to v2.4.x
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-08-17 15:40:58 -07:00
dependabot[bot] cfb22c9a0f build(deps): bump actions/checkout from 4 to 5
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-08-15 16:40:45 +00:00
Kir Kolyshkin 1c2810be9e ci: bump golangci-lint to v2.3.x
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-07-25 12:37:46 +08:00
Kir Kolyshkin 74209b739d ci/gha: allow to run jobs manually
... or from another job.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-05-14 16:12:37 -07:00
Kir Kolyshkin 62e6ab6dda gha/ci: allow validate/all-done to succeed for non-PRs
When we run CI not on a pull request, the commit job is skipped, as a
result, all-done is also skipped.

To allow all-done to succeed, modify the commit job to succeed for
non-PRs.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-05-14 16:12:33 -07:00
dependabot[bot] c1958d8844 build(deps): bump golangci/golangci-lint-action from 7 to 8
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 7 to 8.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/v7...v8)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-version: '8'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-05-05 04:31:04 +00:00
Rodrigo Campos 9f86496c33 ci: Check for exclude/replace directives
To not accidentally break `go install`, let's add CI to check it. If in
the future we need those directives, we can remove the CI check.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2025-04-30 17:30:10 +02:00
Kir Kolyshkin b0aa863fc8 ci: bump golangci-lint to v2.1
(The current v2.1 release is v2.1.5 as of today).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-25 15:35:40 -07:00
Antti Kervinen d7285e46d8 Fix "invalid workflow file" github actions error
The colon after "Error:" caused actionlint to report error on map in
context where map is not allowed.

Signed-off-by: Antti Kervinen <antti.kervinen@intel.com>
2025-04-16 14:16:55 +03:00
Kir Kolyshkin c899193643 ci: add check for toolchain in go.mod
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-09 10:04:37 -07:00
Sebastiaan van Stijn e8a97bae27 Merge pull request #4692 from kolyshkin/golangci-v2
ci: switch to golangci-lint v2
2025-03-31 16:31:28 +02:00
Kir Kolyshkin 127e8e68d3 ci: bump to golangci-lint v2.0
The new configuration file was initially generated by golangci-lint
migrate, when tweaked to minimize and simplify.

golangci-lint v2 switches to a new version of staticcheck which shows
much more warnings. Some of them were fixed by a few previous commits,
and the rest of them are disabled.

In particular, ST1005 had to be disabled (an attempt to fix it was made
in https://github.com/opencontainers/runc/pull/3857 but it wasn't
merged).

Also, golangci-extra was modified to include ALL staticcheck linters.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-25 16:06:44 -07:00
Kir Kolyshkin d00c3be986 ci: bump codespell to v2.4.1, fix some typos
All but one were found by codespell.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-24 10:05:22 -07:00
Kir Kolyshkin b48dd65114 ci: bump shellcheck to v0.10.0
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-13 10:21:55 -07:00
Kir Kolyshkin 874207492e CI: add Go 1.24, drop go1.22
Also, bump golangci-lint to v1.64 (v1.64.2 added Go 1.24 support).

NOTE we still use Go 1.23.x for official builds.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-11 18:02:48 -08:00
Kir Kolyshkin 9468986a49 ci: use a specific ubuntu version
GHA shows a warning telling that "ubuntu-latest" is going to be switched
to ubuntu-24.04 soon. Let's specify the version explicitly (and switch
to 24.04 for this job ahead of github).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-17 22:52:16 -08:00
Kir Kolyshkin e845f4be86 ci: bump golangci-lint to v1.62
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-17 22:50:44 -08:00
Kir Kolyshkin 47dc185880 Add runc_nocriu build tag
This allows to make a 17% smaller runc binary by not compiling in
checkpoint/restore support.

It turns out that google.golang.org/protobuf package, used by go-criu,
is quite big, and go linker can't drop unused stuff if reflection is
used anywhere in the code.

Currently there's no alternative to using protobuf in go-criu, and since
not all users use c/r, let's provide them an option for a smaller
binary.

For the reference, here's top10 biggest vendored packages, as reported
by gsa[1]:

$ gsa runc | grep vendor | head
│ 8.59%   │ google.golang.org/protobuf                  │ 1.3 MB │ vendor    │
│ 5.76%   │ github.com/opencontainers/runc              │ 865 kB │ vendor    │
│ 4.05%   │ github.com/cilium/ebpf                      │ 608 kB │ vendor    │
│ 2.86%   │ github.com/godbus/dbus/v5                   │ 429 kB │ vendor    │
│ 1.25%   │ github.com/urfave/cli                       │ 188 kB │ vendor    │
│ 0.90%   │ github.com/vishvananda/netlink              │ 135 kB │ vendor    │
│ 0.59%   │ github.com/sirupsen/logrus                  │ 89 kB  │ vendor    │
│ 0.56%   │ github.com/checkpoint-restore/go-criu/v6    │ 84 kB  │ vendor    │
│ 0.51%   │ golang.org/x/sys                            │ 76 kB  │ vendor    │
│ 0.47%   │ github.com/seccomp/libseccomp-golang        │ 71 kB  │ vendor    │

And here is a total binary size saving when `runc_nocriu` is used.

For non-stripped binaries:

$ gsa runc-cr runc-nocr | tail -3
│ -17.04% │ runc-cr                                  │ 15 MB    │ 12 MB    │ -2.6 MB │
│         │ runc-nocr                                │          │          │         │
└─────────┴──────────────────────────────────────────┴──────────┴──────────┴─────────┘

And for stripped binaries:

│ -17.01% │ runc-cr-stripped                         │ 11 MB    │ 8.8 MB   │ -1.8 MB │
│         │ runc-nocr-stripped                       │          │          │         │
└─────────┴──────────────────────────────────────────┴──────────┴──────────┴─────────┘

[1]: https://github.com/Zxilly/go-size-analyzer

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-09 11:19:23 -08:00
Kir Kolyshkin cbb9b309cd ci: use Go 1.23
Where we only use one Go version, let's use Go 1.23.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-23 00:04:17 -07:00
Kir Kolyshkin 2cd24a4dae ci/gha: add all-done jobs
The sole reason is to simplify branch protection rules,
requiring just these to be passed.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-08-21 17:00:59 -07:00
Kir Kolyshkin 606257c6e1 Bump golangci-lint to v1.60, fix new warnings
The warnings fixed were:

libcontainer/configs/config_test.go:205:12: printf: non-constant format string in call to (*testing.common).Errorf (govet)
		t.Errorf(fmt.Sprintf("Expected error to not occur but it was %+v", err))
		         ^
libcontainer/cgroups/fs/blkio_test.go:481:13: printf: non-constant format string in call to (*testing.common).Errorf (govet)
			t.Errorf(fmt.Sprintf("test case '%s' failed unexpectedly: %s", testCase.desc, err))
			         ^
libcontainer/cgroups/fs/blkio_test.go:595:13: printf: non-constant format string in call to (*testing.common).Errorf (govet)
			t.Errorf(fmt.Sprintf("test case '%s' failed unexpectedly: %s", testCase.desc, err))
			         ^

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-08-14 20:39:15 +08:00