Commit Graph

126 Commits

Author SHA1 Message Date
Aleksa Sarai ed6b1693b8 selinux: use safe procfs API for labels
Due to the sensitive nature of these fixes, it was not possible to
submit these upstream and vendor the upstream library. Instead, this
patch uses a fork of github.com/opencontainers/selinux, branched at
commit opencontainers/selinux@879a755db5.

In order to permit downstreams to build with this patched version, a
snapshot of the forked version has been included in
internal/third_party/selinux. Note that since we use "go mod vendor",
the patched code is usable even without being "go get"-able. Once the
embargo for this issue is lifted we can submit the patches upstream and
switch back to a proper upstream go.mod entry.

Also, this requires us to temporarily disable the CI job we have that
disallows "replace" directives.

Fixes: GHSA-cgrx-mc8f-2prm CVE-2025-52881
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-01 21:24:06 +11:00
dependabot[bot] f5f6056219 build(deps): bump actions/upload-artifact from 4 to 5
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 5.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-10-27 04:09:57 +00:00
Kir Kolyshkin 1c4dba693f ci: only run lint-extra job on PRs to main
All the new code appears in main (not in the release branches),
and we only want extra linter rules to apply to new code.

Disable lint-extra job if the PR is not to the main branch.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-10-15 16:51:22 -07:00
Kir Kolyshkin 2aea8617ea ci: bump golangci-lint to v2.5
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-10-07 17:09:28 -07:00
dependabot[bot] edc2eb60f3 build(deps): bump actions/setup-go from 5 to 6
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5 to 6.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-09-05 04:02:34 +00:00
Kir Kolyshkin c04d9c446d ci/validate: add modernize run
Modernize tool [1] basically ensures that the new language features and
packages are used across the code.

The reason to run it in CI is to ensure that
 - PR authors use modern code;
 - our code is modern whether we bump Go version in go.mod.

Shove it into go-fix job which already does a similar thing
but for 'go-fix' and rename the whole job to modernize.

[1]: https://pkg.go.dev/golang.org/x/tools/gopls/internal/analysis/modernize

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-08-29 15:24:04 -07:00
Kir Kolyshkin 9e0f989015 ci: bump golangci-lint to v2.4.x
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-08-17 15:40:58 -07:00
dependabot[bot] cfb22c9a0f build(deps): bump actions/checkout from 4 to 5
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-08-15 16:40:45 +00:00
Kir Kolyshkin 1c2810be9e ci: bump golangci-lint to v2.3.x
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-07-25 12:37:46 +08:00
Kir Kolyshkin 74209b739d ci/gha: allow to run jobs manually
... or from another job.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-05-14 16:12:37 -07:00
Kir Kolyshkin 62e6ab6dda gha/ci: allow validate/all-done to succeed for non-PRs
When we run CI not on a pull request, the commit job is skipped, as a
result, all-done is also skipped.

To allow all-done to succeed, modify the commit job to succeed for
non-PRs.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-05-14 16:12:33 -07:00
dependabot[bot] c1958d8844 build(deps): bump golangci/golangci-lint-action from 7 to 8
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 7 to 8.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/v7...v8)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-version: '8'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-05-05 04:31:04 +00:00
Rodrigo Campos 9f86496c33 ci: Check for exclude/replace directives
To not accidentally break `go install`, let's add CI to check it. If in
the future we need those directives, we can remove the CI check.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2025-04-30 17:30:10 +02:00
Kir Kolyshkin b0aa863fc8 ci: bump golangci-lint to v2.1
(The current v2.1 release is v2.1.5 as of today).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-25 15:35:40 -07:00
Antti Kervinen d7285e46d8 Fix "invalid workflow file" github actions error
The colon after "Error:" caused actionlint to report error on map in
context where map is not allowed.

Signed-off-by: Antti Kervinen <antti.kervinen@intel.com>
2025-04-16 14:16:55 +03:00
Kir Kolyshkin c899193643 ci: add check for toolchain in go.mod
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-09 10:04:37 -07:00
Sebastiaan van Stijn e8a97bae27 Merge pull request #4692 from kolyshkin/golangci-v2
ci: switch to golangci-lint v2
2025-03-31 16:31:28 +02:00
Kir Kolyshkin 127e8e68d3 ci: bump to golangci-lint v2.0
The new configuration file was initially generated by golangci-lint
migrate, when tweaked to minimize and simplify.

golangci-lint v2 switches to a new version of staticcheck which shows
much more warnings. Some of them were fixed by a few previous commits,
and the rest of them are disabled.

In particular, ST1005 had to be disabled (an attempt to fix it was made
in https://github.com/opencontainers/runc/pull/3857 but it wasn't
merged).

Also, golangci-extra was modified to include ALL staticcheck linters.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-25 16:06:44 -07:00
Kir Kolyshkin d00c3be986 ci: bump codespell to v2.4.1, fix some typos
All but one were found by codespell.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-24 10:05:22 -07:00
Kir Kolyshkin b48dd65114 ci: bump shellcheck to v0.10.0
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-13 10:21:55 -07:00
Kir Kolyshkin 874207492e CI: add Go 1.24, drop go1.22
Also, bump golangci-lint to v1.64 (v1.64.2 added Go 1.24 support).

NOTE we still use Go 1.23.x for official builds.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-11 18:02:48 -08:00
Kir Kolyshkin 9468986a49 ci: use a specific ubuntu version
GHA shows a warning telling that "ubuntu-latest" is going to be switched
to ubuntu-24.04 soon. Let's specify the version explicitly (and switch
to 24.04 for this job ahead of github).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-17 22:52:16 -08:00
Kir Kolyshkin e845f4be86 ci: bump golangci-lint to v1.62
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-17 22:50:44 -08:00
Kir Kolyshkin 47dc185880 Add runc_nocriu build tag
This allows to make a 17% smaller runc binary by not compiling in
checkpoint/restore support.

It turns out that google.golang.org/protobuf package, used by go-criu,
is quite big, and go linker can't drop unused stuff if reflection is
used anywhere in the code.

Currently there's no alternative to using protobuf in go-criu, and since
not all users use c/r, let's provide them an option for a smaller
binary.

For the reference, here's top10 biggest vendored packages, as reported
by gsa[1]:

$ gsa runc | grep vendor | head
│ 8.59%   │ google.golang.org/protobuf                  │ 1.3 MB │ vendor    │
│ 5.76%   │ github.com/opencontainers/runc              │ 865 kB │ vendor    │
│ 4.05%   │ github.com/cilium/ebpf                      │ 608 kB │ vendor    │
│ 2.86%   │ github.com/godbus/dbus/v5                   │ 429 kB │ vendor    │
│ 1.25%   │ github.com/urfave/cli                       │ 188 kB │ vendor    │
│ 0.90%   │ github.com/vishvananda/netlink              │ 135 kB │ vendor    │
│ 0.59%   │ github.com/sirupsen/logrus                  │ 89 kB  │ vendor    │
│ 0.56%   │ github.com/checkpoint-restore/go-criu/v6    │ 84 kB  │ vendor    │
│ 0.51%   │ golang.org/x/sys                            │ 76 kB  │ vendor    │
│ 0.47%   │ github.com/seccomp/libseccomp-golang        │ 71 kB  │ vendor    │

And here is a total binary size saving when `runc_nocriu` is used.

For non-stripped binaries:

$ gsa runc-cr runc-nocr | tail -3
│ -17.04% │ runc-cr                                  │ 15 MB    │ 12 MB    │ -2.6 MB │
│         │ runc-nocr                                │          │          │         │
└─────────┴──────────────────────────────────────────┴──────────┴──────────┴─────────┘

And for stripped binaries:

│ -17.01% │ runc-cr-stripped                         │ 11 MB    │ 8.8 MB   │ -1.8 MB │
│         │ runc-nocr-stripped                       │          │          │         │
└─────────┴──────────────────────────────────────────┴──────────┴──────────┴─────────┘

[1]: https://github.com/Zxilly/go-size-analyzer

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-09 11:19:23 -08:00
Kir Kolyshkin cbb9b309cd ci: use Go 1.23
Where we only use one Go version, let's use Go 1.23.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-23 00:04:17 -07:00
Kir Kolyshkin 2cd24a4dae ci/gha: add all-done jobs
The sole reason is to simplify branch protection rules,
requiring just these to be passed.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-08-21 17:00:59 -07:00
Kir Kolyshkin 606257c6e1 Bump golangci-lint to v1.60, fix new warnings
The warnings fixed were:

libcontainer/configs/config_test.go:205:12: printf: non-constant format string in call to (*testing.common).Errorf (govet)
		t.Errorf(fmt.Sprintf("Expected error to not occur but it was %+v", err))
		         ^
libcontainer/cgroups/fs/blkio_test.go:481:13: printf: non-constant format string in call to (*testing.common).Errorf (govet)
			t.Errorf(fmt.Sprintf("test case '%s' failed unexpectedly: %s", testCase.desc, err))
			         ^
libcontainer/cgroups/fs/blkio_test.go:595:13: printf: non-constant format string in call to (*testing.common).Errorf (govet)
			t.Errorf(fmt.Sprintf("test case '%s' failed unexpectedly: %s", testCase.desc, err))
			         ^

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-08-14 20:39:15 +08:00
Kir Kolyshkin 15ec295bb1 ci/gha: bump golangci-lint to v1.59
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-07-10 16:25:30 -07:00
Kir Kolyshkin 309a6d91a4 ci/gha: add go-fix job
Add a CI job to ensure go fix produces no result. Quoting
`go doc cmd/fix`:

> Fix finds Go programs that use old APIs and rewrites them to use newer
> ones. After you update to a new Go release, fix helps make the
> necessary changes to your programs.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-07-03 10:12:25 -07:00
Kir Kolyshkin a3302f2054 ci: switch to go 1.22 as main version
Now when Go 1.22.4 is out it should no longer be a problem.

Leave Go 1.21 for CentOS testing (CentOS 7 and 8 have older glibc)
and Dockerfile (Debian 11 have older glibc).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 10:18:59 -07:00
Kir Kolyshkin 67f6c37bc2 ci/gha: switch to ubuntu 24.04
Let's replace ubuntu-22.04 with ubuntu-24.04 where we can, and keep
ubuntu-20.04 to test cgroup v1 stuff.

Leave ubuntu-22.04 for ci/cross-i386 (issue with systemctl restart hang
after apt install). This can be addressed separately later.

The only kludge we have to add is enable userns for runc binary being
tested (as userns is disabled by apparmor system-wide by default now,
see [1]).

[1] https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-15

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-04 23:43:12 -07:00
Kir Kolyshkin b24fc9d2c4 ci: pin codespell
CI should not fail and require attention every time a new codespell
version is released.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-02 10:51:43 -07:00
Kir Kolyshkin f452f667c0 ci/gha: bump golangci-lint-action from 5 to 6
Note that github-actions output format is deprecated and no longer supported,
and it is also no longer needed since setup-go problem matcher already
handles default golangci-lint output format ("colored-line-number").

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-05-07 14:26:41 -07:00
Kir Kolyshkin d63018c252 ci/gha: bump golangci-lint to v1.57
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-25 08:39:26 -07:00
Kir Kolyshkin 6bcc736122 ci/gha: bump golangci/golangci-lint-action to v5
Since v5 removes caching [1], re-enable setup-go cache.

[1] https://github.com/golangci/golangci-lint-action/pull/1024

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-25 08:25:02 -07:00
Akihiro Suda 30dc98f577 CI: run apt with -y
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-04-23 09:10:09 +09:00
dependabot[bot] 935d586b39 build(deps): bump tim-actions/get-pr-commits from 1.3.0 to 1.3.1
Bumps [tim-actions/get-pr-commits](https://github.com/tim-actions/get-pr-commits) from 1.3.0 to 1.3.1.
- [Release notes](https://github.com/tim-actions/get-pr-commits/releases)
- [Commits](https://github.com/tim-actions/get-pr-commits/compare/v1.3.0...v1.3.1)

---
updated-dependencies:
- dependency-name: tim-actions/get-pr-commits
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-27 04:45:06 +00:00
Kir Kolyshkin 93e377233f ci/golangci-lint: add checks permission
This permission is now needed so that the linter can annotate code in a
PR (see [1]).

[1] https://github.com/golangci/golangci-lint-action/pull/931/commits/bc1904f0c946172fc1821908fc41649db49f0334

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-02-12 22:14:41 -08:00
dependabot[bot] 27cbabd00d build(deps): bump golangci/golangci-lint-action from 3 to 4
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 3 to 4.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/v3...v4)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-12 04:07:38 +00:00
dependabot[bot] 7b655782bf build(deps): bump actions/upload-artifact from 3 to 4
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3 to 4.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-15 04:57:18 +00:00
dependabot[bot] e66ba70f50 build(deps): bump actions/setup-go from 4 to 5
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4 to 5.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-07 04:18:24 +00:00
dependabot[bot] 2d0cd0b381 build(deps): bump actions/checkout from 3 to 4
Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-05 04:50:22 +00:00
dependabot[bot] fe6f33b2c0 build(deps): bump tim-actions/commit-message-checker-with-regex
Bumps [tim-actions/commit-message-checker-with-regex](https://github.com/tim-actions/commit-message-checker-with-regex) from 0.3.1 to 0.3.2.
- [Release notes](https://github.com/tim-actions/commit-message-checker-with-regex/releases)
- [Commits](https://github.com/tim-actions/commit-message-checker-with-regex/compare/v0.3.1...v0.3.2)

---
updated-dependencies:
- dependency-name: tim-actions/commit-message-checker-with-regex
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-08-28 04:21:42 +00:00
Kir Kolyshkin 17e7e230bd ci/gha: bump golangci-lint to v1.54
Currently, it is at v1.54.2.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-08-24 17:22:23 -07:00
Kir Kolyshkin b22073c5fe ci/gha: add job timeouts
The default timeout is 360 minutes, which is way long for these jobs.
If the CI (or a test) has stuck, we'd better know about it earlier than
in 6 hours.

Set the timeouts for some [relatively] long running jobs conservatively:
 - test and release jobs usually take ~10 minutes;
 - lint job takes 1 minute (but can be a few times slower when we switch
   Go or golangci-lint version);
 - cross-386 job takes about 2 minutes;
 - the rest is seconds (and I am lazy to set timeouts everywhere).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-08-16 16:08:35 -07:00
Kir Kolyshkin 98317c16ed ci: bump golangci-lint, remove fixed exception
The exception was fixed by https://github.com/polyfloyd/go-errorlint/pull/12
which eventually made its way into golangci-lint.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-07-16 15:02:26 +08:00
Kir Kolyshkin 5e53e6592a ci: bump shellcheck to 0.9.0, fix new SC2016 warnings
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-06-27 08:44:21 -07:00
Kir Kolyshkin 5929b01989 ci/gha: add space-at-eol check, fix existing issues
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-06-07 11:27:27 -07:00
dependabot[bot] 2a3470456e build(deps): bump tim-actions/get-pr-commits from 1.2.0 to 1.3.0
Bumps [tim-actions/get-pr-commits](https://github.com/tim-actions/get-pr-commits) from 1.2.0 to 1.3.0.
- [Release notes](https://github.com/tim-actions/get-pr-commits/releases)
- [Commits](https://github.com/tim-actions/get-pr-commits/compare/v1.2.0...v1.3.0)

---
updated-dependencies:
- dependency-name: tim-actions/get-pr-commits
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-17 05:00:09 +00:00
Kir Kolyshkin 62cc13ea1a gha: disable setup-go cache for golangci job
Since commit e3cf217cf1 actions/setup-go@v4 uses caching
implicitly, and olangci/golangci-lint-action also uses caching.

These two caches clash, resulting in multiple warnings in CI logs.

The official golangci-lint-action solution is to disable caching
for setup-go job (see [1]). Do the same.

[1] https://github.com/golangci/golangci-lint-action/pull/704

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-05-16 11:22:31 -07:00