name: validate on: push: tags: - v* branches: - main - release-* pull_request: env: GO_VERSION: 1.24 permissions: contents: read jobs: keyring: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@v4 - name: check runc.keyring run: make validate-keyring lint: timeout-minutes: 30 permissions: contents: read pull-requests: read checks: write # to allow the action to annotate code in the PR. runs-on: ubuntu-24.04 steps: - uses: actions/checkout@v4 with: fetch-depth: 2 - uses: actions/setup-go@v5 with: go-version: "${{ env.GO_VERSION }}" - name: install deps run: | sudo apt -q update sudo apt -qy install libseccomp-dev - uses: golangci/golangci-lint-action@v7 with: version: v2.0 # Extra linters, only checking new code from a pull request. - name: lint-extra if: github.event_name == 'pull_request' run: | golangci-lint run --config .golangci-extra.yml --new-from-rev=HEAD~1 go-fix: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@v4 with: fetch-depth: 2 - uses: actions/setup-go@v5 with: go-version: "${{ env.GO_VERSION }}" - name: install deps run: | sudo apt -q update sudo apt -qy install libseccomp-dev - name: run go fix run: | go fix ./... git diff --exit-code compile-buildtags: runs-on: ubuntu-24.04 env: # Don't ignore C warnings. Note that the output of "go env CGO_CFLAGS" by default is "-g -O2", so we keep them. CGO_CFLAGS: -g -O2 -Werror steps: - uses: actions/checkout@v4 - name: install go uses: actions/setup-go@v5 with: go-version: "${{ env.GO_VERSION }}" - name: install deps run: | sudo apt update sudo apt -y install libseccomp-dev - name: compile with no build tags run: make BUILDTAGS="" - name: compile with runc_nocriu build tag run: make EXTRA_BUILDTAGS="runc_nocriu" codespell: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@v4 - name: install deps # Version of codespell bundled with Ubuntu is way old, so use pip. run: pip install --break-system-packages codespell==v2.3.0 - name: run codespell run: codespell shfmt: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@v4 - name: shfmt run: make shfmt shellcheck: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@v4 - name: install shellcheck env: VERSION: v0.10.0 BASEURL: https://github.com/koalaman/shellcheck/releases/download SHA256: f35ae15a4677945428bdfe61ccc297490d89dd1e544cc06317102637638c6deb run: | mkdir ~/bin curl -sSfL --retry 5 $BASEURL/$VERSION/shellcheck-$VERSION.linux.x86_64.tar.xz | tar xfJ - -C ~/bin --strip 1 shellcheck-$VERSION/shellcheck sha256sum --strict --check - <<<"$SHA256 *$HOME/bin/shellcheck" # make sure to remove the old version sudo rm -f /usr/bin/shellcheck # Add ~/bin to $PATH. echo ~/bin >> $GITHUB_PATH - uses: lumaxis/shellcheck-problem-matchers@v2 - name: run run: make shellcheck - name: check-config.sh run : ./script/check-config.sh space-at-eol: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@v4 - run: rm -fr vendor - run: if git -P grep -I -n '\s$'; then echo "^^^ extra whitespace at EOL, please fix"; exit 1; fi deps: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@v4 - name: install go uses: actions/setup-go@v5 with: go-version: "${{ env.GO_VERSION }}" check-latest: true - name: verify deps run: make verify-dependencies commit: permissions: contents: read pull-requests: read runs-on: ubuntu-24.04 # Only check commits on pull requests. if: github.event_name == 'pull_request' steps: - name: get pr commits id: 'get-pr-commits' uses: tim-actions/get-pr-commits@v1.3.1 with: token: ${{ secrets.GITHUB_TOKEN }} - name: check subject line length uses: tim-actions/commit-message-checker-with-regex@v0.3.2 with: commits: ${{ steps.get-pr-commits.outputs.commits }} pattern: '^.{0,72}(\n.*)*$' error: 'Subject too long (max 72)' cfmt: runs-on: ubuntu-24.04 steps: - name: checkout uses: actions/checkout@v4 with: fetch-depth: 0 - name: install deps run: | sudo apt -qq update sudo apt -qqy install indent - name: cfmt run: | make cfmt git diff --exit-code release: timeout-minutes: 30 runs-on: ubuntu-24.04 steps: - name: checkout uses: actions/checkout@v4 with: fetch-depth: 0 - name: check CHANGELOG.md run: make verify-changelog # We have to run this under Docker as Ubuntu (host) does not support all # the architectures we want to compile test against, and Dockerfile uses # Debian (which does). # # XXX: as currently this is the only job that is using Docker, we are # building and using the runcimage locally. In case more jobs running # under Docker will emerge, it will be good to have a separate make # runcimage job and share its result (the docker image) with whoever # needs it. - name: build docker image run: make runcimage - name: make releaseall run: make releaseall - name: upload artifacts uses: actions/upload-artifact@v4 with: name: release-${{ github.run_id }} path: release/* get-images: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@v4 with: fetch-depth: 0 - name: install bashbrew env: BASEURL: https://github.com/docker-library/bashbrew/releases/download VERSION: v0.1.7 SHA256: 6b71a6fccfb2025d48a2b23324836b5513c29abfd2d16a57b7a2f89bd02fe53a run: | mkdir ~/bin curl -sSfL --retry 5 -o ~/bin/bashbrew \ $BASEURL/$VERSION/bashbrew-amd64 sha256sum --strict --check - <<<"$SHA256 *$HOME/bin/bashbrew" chmod a+x ~/bin/bashbrew # Add ~/bin to $PATH. echo ~/bin >> $GITHUB_PATH - name: check that get-images.sh is up to date run: | cd tests/integration ./bootstrap-get-images.sh > get-images.sh git diff --exit-code all-done: needs: - cfmt - codespell - commit - compile-buildtags - deps - get-images - go-fix - keyring - lint - release - shellcheck - shfmt - space-at-eol runs-on: ubuntu-24.04 steps: - run: echo "All jobs completed"