diff --git a/.circleci/config.yml b/.circleci/config.yml index 897d366e804..a9413121907 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -755,78 +755,78 @@ workflows: - "tests-driver-loader-integration": requires: - "build-centos7" - - "rpm-sign": - context: falco - filters: - tags: - ignore: /.*/ - branches: - only: master - requires: - - "tests-integration" - - "tests-integration-arm64" - - "publish-packages-dev": - context: - - falco - - test-infra - filters: - tags: - ignore: /.*/ - branches: - only: master - requires: - - "rpm-sign" - - "tests-integration-static" - - "publish-packages-deb-dev": - context: - - falco - - test-infra - filters: - tags: - ignore: /.*/ - branches: - only: master - requires: - - "tests-integration" - - "tests-integration-arm64" - - "build-docker-dev": - context: - - falco - - test-infra - filters: - tags: - ignore: /.*/ - branches: - only: master - requires: - - "publish-packages-dev" - - "publish-packages-deb-dev" - - "tests-driver-loader-integration" - - "build-docker-dev-arm64": - context: - - falco - - test-infra - filters: - tags: - ignore: /.*/ - branches: - only: master - requires: - - "publish-packages-dev" - - "publish-packages-deb-dev" - - "tests-driver-loader-integration" - - "publish-docker-dev": - context: - - falco - - test-infra - filters: - tags: - ignore: /.*/ - branches: - only: master - requires: - - "build-docker-dev" - - "build-docker-dev-arm64" + # - "rpm-sign": + # context: falco + # filters: + # tags: + # ignore: /.*/ + # branches: + # only: master + # requires: + # - "tests-integration" + # - "tests-integration-arm64" + # - "publish-packages-dev": + # context: + # - falco + # - test-infra + # filters: + # tags: + # ignore: /.*/ + # branches: + # only: master + # requires: + # - "rpm-sign" + # - "tests-integration-static" + # - "publish-packages-deb-dev": + # context: + # - falco + # - test-infra + # filters: + # tags: + # ignore: /.*/ + # branches: + # only: master + # requires: + # - "tests-integration" + # - "tests-integration-arm64" + # - "build-docker-dev": + # context: + # - falco + # - test-infra + # filters: + # tags: + # ignore: 
/.*/ + # branches: + # only: master + # requires: + # - "publish-packages-dev" + # - "publish-packages-deb-dev" + # - "tests-driver-loader-integration" + # - "build-docker-dev-arm64": + # context: + # - falco + # - test-infra + # filters: + # tags: + # ignore: /.*/ + # branches: + # only: master + # requires: + # - "publish-packages-dev" + # - "publish-packages-deb-dev" + # - "tests-driver-loader-integration" + # - "publish-docker-dev": + # context: + # - falco + # - test-infra + # filters: + # tags: + # ignore: /.*/ + # branches: + # only: master + # requires: + # - "build-docker-dev" + # - "build-docker-dev-arm64" # - "quality/static-analysis" # This is temporarily disabled: https://github.com/falcosecurity/falco/issues/1526 release: jobs: 
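Review bot: The six sign/publish jobs are commented out rather than deleted, which leaves roughly seventy lines of dead configuration in the workflow that will silently drift from the live job definitions; git history already preserves the old wiring. If the block is kept on purpose as a rollback path, the file's own convention is to say why and for how long, as the adjacent `# - "quality/static-analysis" # This is temporarily disabled: ...` line does — e.g. `# Publishing moved to GitHub Actions (.github/workflows/master.yaml); delete once that pipeline is verified` above the block. The same applies to the mirrored `release` hunk below. The `rpm-sign` / `publish-*` job definitions and the `falco` context are outside this hunk, so whether they still exist and still carry the signing credentials cannot be judged here.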
@@ -848,73 +848,73 @@ workflows: only: /.*/ branches: ignore: /.*/ - - "rpm-sign": - context: falco - requires: - - "build-centos7" - - "build-arm64" - filters: - tags: - only: /.*/ - branches: - ignore: /.*/ - - "publish-packages": - context: - - falco - - test-infra - requires: - - "build-musl" - - "rpm-sign" - filters: - tags: - only: /.*/ - branches: - ignore: /.*/ - - "publish-packages-deb": - context: - - falco - - test-infra - requires: - - "build-centos7" - - "build-arm64" - filters: - tags: - only: /.*/ - branches: - ignore: /.*/ - - "build-docker": - context: - - falco - - test-infra - requires: - - "publish-packages" - - "publish-packages-deb" - filters: - tags: - only: /.*/ - branches: - ignore: /.*/ - - "build-docker-arm64": - context: - - falco - - test-infra - requires: - - "publish-packages" - - "publish-packages-deb" - filters: - tags: - only: /.*/ - branches: - ignore: /.*/ - - "publish-docker": - context: - - falco - - test-infra - requires: - - "build-docker" - - "build-docker-arm64" - filters: - tags: - only: /.*/ - branches: - ignore: /.*/ + # - "rpm-sign": + # context: falco + # requires: + # - "build-centos7" + # - "build-arm64" + # filters: + # tags: + # only: /.*/ + # branches: + # ignore: /.*/ + # - "publish-packages": + # context: + # - falco + # - test-infra + # requires: + # - "build-musl" + # - "rpm-sign" + # filters: + # tags: + # only: /.*/ + # branches: + # ignore: /.*/ + # - "publish-packages-deb": + # context: + # - falco + # - test-infra + # requires: + # - "build-centos7" + # - "build-arm64" + # filters: + # tags: + # only: /.*/ + # branches: + # ignore: /.*/ + # - "build-docker": + # context: + # - falco + # - test-infra + # requires: + # - "publish-packages" + # - "publish-packages-deb" + # filters: + # tags: + # only: /.*/ + # branches: + # ignore: /.*/ + # - "build-docker-arm64": + # context: + # - falco + # - test-infra + # requires: + # - "publish-packages" + # - "publish-packages-deb" + # filters: + # tags: + # only: 
/.*/ + # branches: + # ignore: /.*/ + # - "publish-docker": + # context: + # - falco + # - test-infra + # requires: + # - "build-docker" + # - "build-docker-arm64" + # filters: + # tags: + # only: /.*/ + # branches: + # ignore: /.*/ diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7b7b05d8ed1..79631af2ad0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -2,12 +2,10 @@ name: CI Build on: pull_request: branches: [master] - push: - branches: [master] workflow_dispatch: # Checks if any concurrent jobs under the same pull request or branch are being executed -# NOTE: this will cancel every workflow that is being ran as group is just the github ref (without the workflow name) +# NOTE: this will cancel every workflow that is being ran against a PR as group is just the github ref (without the workflow name) concurrency: group: ${{ github.head_ref || github.run_id }} cancel-in-progress: true diff --git a/.github/workflows/master.yaml b/.github/workflows/master.yaml new file mode 100644 index 00000000000..11c7693612a --- /dev/null +++ b/.github/workflows/master.yaml 
@@ -0,0 +1,54 @@
+name: Dev Packages and Docker images
+on:
+ push:
+ branches: [master]
+
+# Checks if any concurrent jobs is running for master CI and eventually cancel it
+concurrency:
+ group: ci-master
+ cancel-in-progress: true
+
+jobs:
+ build-dev-packages:
+ uses: falcosecurity/falco/.github/workflows/reusable_build_packages.yaml@master
+ with:
+ arch: x86_64
+ secrets: inherit
+
+ build-dev-packages-arm64:
+ uses: falcosecurity/falco/.github/workflows/reusable_build_packages.yaml@master
+ with:
+ arch: aarch64
+ secrets: inherit
+
+ publish-dev-packages:
+ needs: [build-dev-packages, build-dev-packages-arm64]
+ uses: falcosecurity/falco/.github/workflows/reusable_publish_packages.yaml@master
+ with:
+ bucket: '-dev'
+ version: ${{ needs.build-dev-packages.outputs.version }}
+ secrets: inherit
+
+ # Both build-dev-docker and its arm64 counterpart require build-dev-packages because they use its output
+ build-dev-docker:
+ needs: [build-dev-packages, publish-dev-packages]
+ uses: falcosecurity/falco/.github/workflows/reusable_build_docker.yaml@master
+ with:
+ arch: x86_64
+ bucket: '-dev'
+ version: ${{ needs.build-dev-packages.outputs.version }}
+ secrets: inherit
+
+ build-dev-docker-arm64:
+ needs: [build-dev-packages, publish-dev-packages]
+ uses: falcosecurity/falco/.github/workflows/reusable_build_docker.yaml@master
+ with:
+ arch: aarch64
+ bucket: '-dev'
+ version: ${{ needs.build-dev-packages.outputs.version }}
+ secrets: inherit
+
+ publish-dev-docker:
+ needs: [build-dev-docker, build-dev-docker-arm64]
+ uses: falcosecurity/falco/.github/workflows/reusable_publish_docker.yaml@master
+ secrets: inherit
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
new file mode 100644
index 00000000000..b1688d1f108
--- /dev/null
+++ b/.github/workflows/release.yaml
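Review bot: `bucket: '-dev'` under `publish-dev-packages`, `build-dev-docker` and `build-dev-docker-arm64` does not match the input the called workflows declare — `reusable_publish_packages.yaml` and `reusable_build_docker.yaml` both define `bucket_suffix`, and GitHub rejects a reusable-workflow call that passes an undeclared input, so this workflow fails on the first master push. The three lines should read `bucket_suffix: '-dev'`. The mismatch is worth treating as more than a typo: `bucket_suffix` defaults to `''`, which in `reusable_publish_packages.yaml` selects the release bucket and the `github_actions-falco-s3` role, so a dev run that ever loses this input would target release infrastructure; the comment there says the two roles are separated, so the role trust policy presumably rejects non-tag refs, but that is worth confirming rather than relying on the suffix alone.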
@@ -0,0 +1,53 @@
+name: Release Packages and Docker images
+on:
+ push:
+ tags:
+ - '[0-9]+.[0-9]+.[0-9]+'
+
+# Checks if any concurrent jobs is running for release CI and eventually cancel it.
+concurrency:
+ group: ci-release
+ cancel-in-progress: true
+
+jobs:
+ build-packages:
+ uses: falcosecurity/falco/.github/workflows/reusable_build_packages.yaml@master
+ with:
+ arch: x86_64
+ secrets: inherit
+
+ build-packages-arm64:
+ uses: falcosecurity/falco/.github/workflows/reusable_build_packages.yaml@master
+ with:
+ arch: aarch64
+ secrets: inherit
+
+ publish-packages:
+ needs: [build-packages, build-packages-arm64]
+ uses: falcosecurity/falco/.github/workflows/reusable_publish_packages.yaml@master
+ with:
+ version: ${{ needs.build-packages.outputs.version }}
+ secrets: inherit
+
+ # Both build-docker and its arm64 counterpart require build-packages because they use its output
+ build-docker:
+ needs: [build-packages, publish-packages]
+ uses: falcosecurity/falco/.github/workflows/reusable_build_docker.yaml@master
+ with:
+ arch: x86_64
+ version: ${{ needs.build-packages.outputs.version }}
+ secrets: inherit
+
+ build-docker-arm64:
+ needs: [build-packages, publish-packages]
+ uses: falcosecurity/falco/.github/workflows/reusable_build_docker.yaml@master
+ with:
+ arch: aarch64
+ version: ${{ needs.build-packages.outputs.version }}
+ secrets: inherit
+
+ publish-docker:
+ needs: [build-docker, build-docker-arm64]
+ uses: falcosecurity/falco/.github/workflows/reusable_publish_docker.yaml@master
+ secrets: inherit
+
diff --git a/.github/workflows/reusable_build_docker.yaml b/.github/workflows/reusable_build_docker.yaml
new file mode 100644
index 00000000000..af3ec72bfea
--- /dev/null
+++ b/.github/workflows/reusable_build_docker.yaml
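Review bot: `uses: falcosecurity/falco/.github/workflows/reusable_*.yaml@master` makes every tagged release run the build, sign and publish logic from whatever master HEAD is at that moment rather than from the tagged commit, so a release cannot be reproduced from its tag and a plain push to master changes release behaviour without any tag being cut. Same-repository reusable workflows can be referenced by path, e.g. `uses: ./.github/workflows/reusable_build_packages.yaml`, which pins them to the commit being released. Separately, `group: ci-release` with `cancel-in-progress: true` lets a second tag push cancel an in-flight release between `publish-packages` and `publish-docker`, leaving packages in S3 with no matching images; for the release group `cancel-in-progress: false` (queue instead of cancel) is the safer setting.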
@@ -0,0 +1,115 @@ +# This is a reusable workflow used by master and release CI +on: + workflow_call: + inputs: + arch: + description: x86_64 or aarch64 + required: true + type: string + bucket_suffix: + description: bucket suffix for packages + required: false + default: '' + type: string + version: + description: 'Falco version extracted from userspace/falco/config_falco.h' + required: true + type: string + +# Here we just build all docker images as tarballs, +# then we upload all the tarballs to be later downloaded by reusable_publish_docker workflow. +# In this way, we don't need to publish any arch specific image, +# and this "build" workflow is actually only building images. +jobs: + build-docker: + # See https://github.com/actions/runner/issues/409#issuecomment-1158849936 + runs-on: ${{ (inputs.arch == 'aarch64' && fromJSON('[ "self-hosted", "linux", "ARM64" ]')) || 'ubuntu-latest' }} + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 + + - name: Build no-driver image + uses: docker/build-push-action@v3 + with: + context: ${{ github.workspace }}/docker/no-driver/ + build-args: | + VERSION_BUCKET=bin${{ inputs.bucket_suffix }} + FALCO_VERSION=${{ inputs.version }} + tags: | + falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ github.ref_name }} + falcosecurity/falco:${{ inputs.arch }}-${{ github.ref_name }}-slim + public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ github.ref_name }} + public.ecr.aws/falcosecurity/falco:${{ inputs.arch }}-${{ github.ref_name }}-slim + outputs: type=docker,dest=/tmp/falco-no-driver-${{ inputs.arch }}.tar + + - name: Build falco image + uses: docker/build-push-action@v3 + with: + context: ${{ github.workspace }}/docker/falco/ + build-args: | + VERSION_BUCKET=deb${{ inputs.bucket_suffix }} + FALCO_VERSION=${{ inputs.version }} + tags: | + falcosecurity/falco:${{ inputs.arch }}-${{ github.ref_name }} + 
public.ecr.aws/falcosecurity/falco:${{ inputs.arch }}-${{ github.ref_name }} + outputs: type=docker,dest=/tmp/falco-${{ inputs.arch }}.tar + + - name: Build falco-driver-loader image + uses: docker/build-push-action@v3 + with: + context: ${{ github.workspace }}/docker/driver-loader/ + build-args: | + FALCO_IMAGE_TAG=${{ inputs.arch }}-${{ github.ref_name }} + tags: | + falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ github.ref_name }} + public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ github.ref_name }} + outputs: type=docker,dest=/tmp/falco-driver-loader-${{ inputs.arch }}.tar + + - name: Build no-driver latest image + if: ${{ github.ref_name != 'master' }} + uses: docker/build-push-action@v3 + with: + context: ${{ github.workspace }}/docker/no-driver/ + build-args: | + VERSION_BUCKET=bin + FALCO_VERSION=${{ github.ref_name }} + tags: | + falcosecurity/falco-no-driver:${{ inputs.arch }}-latest + falcosecurity/falco:${{ inputs.arch }}-latest-slim + public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.arch }}-latest + public.ecr.aws/falcosecurity/falco:${{ inputs.arch }}-latest-slim + outputs: type=docker,dest=/tmp/falco-no-driver-latest-${{ inputs.arch }}.tar + + - name: Build falco latest image + if: ${{ github.ref_name != 'master' }} + uses: docker/build-push-action@v3 + with: + context: ${{ github.workspace }}/docker/falco/ + build-args: | + VERSION_BUCKET=deb + FALCO_VERSION=${{ github.ref_name }} + tags: | + falcosecurity/falco:${{ inputs.arch }}-latest + public.ecr.aws/falcosecurity/falco:${{ inputs.arch }}-latest + outputs: type=docker,dest=/tmp/falco-latest-${{ inputs.arch }}.tar + + - name: Build falco-driver-loader latest image + if: ${{ github.ref_name != 'master' }} + uses: docker/build-push-action@v3 + with: + context: ${{ github.workspace }}/docker/driver-loader/ + build-args: | + FALCO_IMAGE_TAG=${{ inputs.arch }}-latest + tags: | + falcosecurity/falco-driver-loader:${{ inputs.arch }}-latest + 
public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.arch }}-latest + outputs: type=docker,dest=/tmp/falco-driver-loader-latest-${{ inputs.arch }}.tar + + - name: Upload images tarballs + uses: actions/upload-artifact@v3 + with: + name: falco-images + path: /tmp/falco-*.tar diff --git a/.github/workflows/reusable_build_packages.yaml b/.github/workflows/reusable_build_packages.yaml new file mode 100644 index 00000000000..330dea7bcc1 --- /dev/null +++ b/.github/workflows/reusable_build_packages.yaml 
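Review bot: The three `latest` image builds are gated only on `if: ${{ github.ref_name != 'master' }}`, which is true for every tag the release workflow matches, so a patch release cut on an older line after a newer minor has shipped would move `falcosecurity/falco:latest` backwards — presumably unintended, though the release policy is not visible here. Those builds also pass `FALCO_VERSION=${{ github.ref_name }}` while the versioned builds pass `FALCO_VERSION=${{ inputs.version }}` taken from `config_falco.h`, so if the tag and the compiled-in version ever disagree the `latest` and versioned images are built from different packages. Suggest using `inputs.version` in every `build-args` block and replacing the ref-name test with an explicit caller-supplied boolean, e.g. a `push_latest` entry under `inputs:` and `if: ${{ inputs.push_latest }}` on the three latest steps, so the decision is made where the tag is actually known.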
@@ -0,0 +1,167 @@ +# This is a reusable workflow used by master and release CI +on: + workflow_call: + inputs: + arch: + description: x86_64 or aarch64 + required: true + type: string + outputs: + version: + description: 'Falco version extracted from config_falco.h' + value: ${{ jobs.build-packages.outputs.version }} + +jobs: + build-modern-bpf-skeleton: + # See https://github.com/actions/runner/issues/409#issuecomment-1158849936 + runs-on: ${{ (inputs.arch == 'aarch64' && fromJSON('[ "self-hosted", "linux", "ARM64" ]')) || 'ubuntu-latest' }} + container: fedora:latest + steps: + # Always install deps before invoking checkout action, to properly perform a full clone. + - name: Install build dependencies + run: | + dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake libbpf-devel + + - name: Checkout + uses: actions/checkout@v3 + with: + fetch-depth: 0 + + - name: Build modern BPF skeleton + run: | + mkdir skeleton-build && cd skeleton-build + cmake -DUSE_BUNDLED_DEPS=ON -DBUILD_FALCO_MODERN_BPF=ON -DCREATE_TEST_TARGETS=Off .. + make ProbeSkeleton -j6 + + - name: Upload skeleton + uses: actions/upload-artifact@v3 + with: + name: bpf_probe_${{ inputs.arch }}.skel.h + path: skeleton-build/skel_dir/bpf_probe.skel.h + + build-packages: + # See https://github.com/actions/runner/issues/409#issuecomment-1158849936 + runs-on: ${{ (inputs.arch == 'aarch64' && fromJSON('[ "self-hosted", "linux", "ARM64" ]')) || 'ubuntu-latest' }} + needs: build-modern-bpf-skeleton + container: centos:7 + # Map the job outputs to step outputs + outputs: + version: ${{ steps.store_version.outputs.version }} + steps: + # Always install deps before invoking checkout action, to properly perform a full clone. 
+ - name: Install build dependencies + run: | + yum -y install centos-release-scl + yum -y install devtoolset-9-gcc devtoolset-9-gcc-c++ + source /opt/rh/devtoolset-9/enable + yum install -y git wget make m4 rpm-build + + - name: Checkout + uses: actions/checkout@v3 + with: + fetch-depth: 0 + + - name: Download skeleton + uses: actions/download-artifact@v3 + with: + name: bpf_probe_${{ inputs.arch }}.skel.h + path: /tmp + + - name: Install updated cmake + run: | + curl -L -o /tmp/cmake.tar.gz https://github.com/Kitware/CMake/releases/download/v3.22.5/cmake-3.22.5-linux-$(uname -m).tar.gz + gzip -d /tmp/cmake.tar.gz + tar -xpf /tmp/cmake.tar --directory=/tmp + cp -R /tmp/cmake-3.22.5-linux-$(uname -m)/* /usr + rm -rf /tmp/cmake-3.22.5-linux-$(uname -m) + + - name: Prepare project + run: | + mv /tmp/bpf_probe_${{ inputs.arch }}.skel.h /tmp/bpf_probe.skel.h + mkdir build && cd build + source /opt/rh/devtoolset-9/enable + cmake \ + -DCMAKE_BUILD_TYPE=Release \ + -DUSE_BUNDLED_DEPS=On \ + -DFALCO_ETC_DIR=/etc/falco \ + -DBUILD_FALCO_MODERN_BPF=ON \ + -DMODERN_BPF_SKEL_DIR=/tmp \ + -DBUILD_DRIVER=Off \ + -DBUILD_BPF=Off \ + .. 
+ + - name: Load and store Falco version output + id: store_version + run: | + FALCO_VERSION=$(cat build/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//') + echo "version=${FALCO_VERSION}" >> $GITHUB_OUTPUT + + - name: Build project + run: | + cd build + make falco -j6 + + - name: Build packages + run: | + cd build + make package + + - name: Upload Falco tar.gz package + uses: actions/upload-artifact@v3 + with: + name: falco-${{ steps.store_version.outputs.version }}-${{ inputs.arch }}.tar.gz + path: | + ${{ github.workspace }}/build/packages/falco-*.tar.gz + + - name: Upload Falco deb package + uses: actions/upload-artifact@v3 + with: + name: falco-${{ steps.store_version.outputs.version }}-${{ inputs.arch }}.deb + path: | + ${{ github.workspace }}/build/packages/falco-*.deb + + - name: Upload Falco rpm package + uses: actions/upload-artifact@v3 + with: + name: falco-${{ steps.store_version.outputs.version }}-${{ inputs.arch }}.rpm + path: | + ${{ github.workspace }}/build/packages/falco-*.rpm + + build-musl-package: + needs: build-packages + # x86_64 only for now + if: ${{ inputs.arch == 'x86_64' }} + runs-on: ubuntu-latest + container: alpine:3.17 + steps: + # Always install deps before invoking checkout action, to properly perform a full clone. 
+ - name: Install build dependencies + run: | + apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils bpftool clang + + - name: Checkout + uses: actions/checkout@v3 + with: + fetch-depth: 0 + + - name: Prepare project + run: | + mkdir build && cd build + cmake -DCPACK_GENERATOR=TGZ -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DBUILD_LIBSCAP_MODERN_BPF=ON -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco ../ + + - name: Build project + run: | + cd build + make -j6 all + + - name: Build packages + run: | + cd build + make -j6 package + + - name: Upload Falco static package + uses: actions/upload-artifact@v3 + with: + name: falco-${{ needs.build-packages.outputs.version }}-static-x86_64.tar.gz + path: | + ${{ github.workspace }}/build/falco-*.tar.gz diff --git a/.github/workflows/reusable_publish_docker.yaml b/.github/workflows/reusable_publish_docker.yaml new file mode 100644 index 00000000000..7b033a6d079 --- /dev/null +++ b/.github/workflows/reusable_publish_docker.yaml 
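Review bot: `Install updated cmake` fetches a CMake release tarball with `curl -L` and copies it over `/usr` with no integrity check, so the toolchain that produces the signed release packages is whatever the network returns for that URL. Kitware publishes `cmake-3.22.5-SHA-256.txt` alongside the tarball (assuming its usual `<digest>  <filename>` format); keeping the original file name and running `sha256sum -c` before extraction rejects a truncated or substituted download, and pinning the expected digest in the workflow rather than fetching the checksum from the same origin is stronger still. The same reasoning applies to the unpinned `container: centos:7`, `fedora:latest` and `alpine:3.17` images, which can be pinned by digest. Note also that `source /opt/rh/devtoolset-9/enable` in the dependency step has no effect on later steps since each `run` is a fresh shell; `Prepare project` re-sources it but `Build project` does not, which only works because CMake caches the compiler path.

```yaml
      - name: Install updated cmake
        run: |
          cd /tmp
          curl -L -O https://github.com/Kitware/CMake/releases/download/v3.22.5/cmake-3.22.5-linux-$(uname -m).tar.gz
          curl -L -O https://github.com/Kitware/CMake/releases/download/v3.22.5/cmake-3.22.5-SHA-256.txt
          # Fail the build if the tarball does not match the published digest
          grep "cmake-3.22.5-linux-$(uname -m).tar.gz" cmake-3.22.5-SHA-256.txt | sha256sum -c -
          tar -xpf cmake-3.22.5-linux-$(uname -m).tar.gz --directory=/tmp
          cp -R /tmp/cmake-3.22.5-linux-$(uname -m)/* /usr
          rm -rf /tmp/cmake-3.22.5-linux-$(uname -m) /tmp/cmake-3.22.5-linux-$(uname -m).tar.gz /tmp/cmake-3.22.5-SHA-256.txt
      # … unchanged: Prepare project, version extraction, build and upload steps …
```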
@@ -0,0 +1,169 @@ +# This is a reusable workflow used by master and release CI +on: + workflow_call: + +permissions: + id-token: write + contents: read + +env: + AWS_S3_REGION: eu-west-1 + +jobs: + publish-docker: + runs-on: ubuntu-latest + steps: + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 + + - name: Download images tarballs + uses: actions/download-artifact@v3 + with: + name: falco-images + path: /tmp + + - name: Load all images + run: | + for img in /tmp/falco-images/falco-*.tar; do docker load --input $img; done + + - name: Login to Docker Hub + uses: docker/login-action@v2 + with: + username: ${{ secrets.DOCKERHUB_USER }} + password: ${{ secrets.DOCKERHUB_SECRET }} + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v2 + with: + role-to-assume: "arn:aws:iam::292999226676:role/github_actions-falco-ecr" + aws-region: ${{ env.AWS_S3_REGION }} + + - name: Login to Amazon ECR + id: login-ecr-public + uses: aws-actions/amazon-ecr-login@2f9f10ea3fa2eed41ac443fee8bfbd059af2d0a4 # v1.6.0 + with: + registry-type: public + + - name: Login to Amazon ECR Public + run: | + aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity + + - name: Create and push no-driver manifest + uses: Noelware/docker-manifest-action@0.3.1 + with: + inputs: falcosecurity/falco-no-driver:${{ github.ref_name }} + images: falcosecurity/falco-no-driver:aarch64-${{ github.ref_name }},falcosecurity/falco-no-driver:x86_64-${{ github.ref_name }} + push: true + + - name: Create and push slim manifest + uses: Noelware/docker-manifest-action@0.3.1 + with: + inputs: falcosecurity/falco:${{ github.ref_name }}-slim + images: falcosecurity/falco:aarch64-${{ github.ref_name }}-slim,falcosecurity/falco:x86_64-${{ github.ref_name }}-slim + push: true + + - name: Create and push no-driver manifest for ecr + uses: Noelware/docker-manifest-action@0.3.1 + with: + inputs: 
public.ecr.aws/falcosecurity/falco-no-driver:${{ github.ref_name }} + images: public.ecr.aws/falcosecurity/falco-no-driver:aarch64-${{ github.ref_name }},public.ecr.aws/falcosecurity/falco-no-driver:x86_64-${{ github.ref_name }} + push: true + + - name: Create and push slim manifest for ecr + uses: Noelware/docker-manifest-action@0.3.1 + with: + inputs: public.ecr.aws/falcosecurity/falco:${{ github.ref_name }}-slim + images: public.ecr.aws/falcosecurity/falco:aarch64-${{ github.ref_name }}-slim,public.ecr.aws/falcosecurity/falco:x86_64-${{ github.ref_name }}-slim + push: true + + - name: Create and push no-driver latest manifest + if: ${{ github.ref_name != 'master' }} + uses: Noelware/docker-manifest-action@0.3.1 + with: + inputs: falcosecurity/falco-no-driver:latest + images: falcosecurity/falco-no-driver:aarch64-latest,falcosecurity/falco-no-driver:x86_64-latest + push: true + + - name: Create and push slim latest manifest + if: ${{ github.ref_name != 'master' }} + uses: Noelware/docker-manifest-action@0.3.1 + with: + inputs: falcosecurity/falco:latest-slim + images: falcosecurity/falco:aarch64-latest-slim,falcosecurity/falco:x86_64-latest-slim + push: true + + - name: Create and push no-driver latest manifest for ecr + if: ${{ github.ref_name != 'master' }} + uses: Noelware/docker-manifest-action@0.3.1 + with: + inputs: public.ecr.aws/falcosecurity/falco-no-driver:latest + images: public.ecr.aws/falcosecurity/falco-no-driver:aarch64-latest,public.ecr.aws/falcosecurity/falco-no-driver:x86_64-latest + push: true + + - name: Create and push slim latest manifest for ecr + if: ${{ github.ref_name != 'master' }} + uses: Noelware/docker-manifest-action@0.3.1 + with: + inputs: public.ecr.aws/falcosecurity/falco:latest-slim + images: public.ecr.aws/falcosecurity/falco:aarch64-latest-slim,public.ecr.aws/falcosecurity/falco:x86_64-latest-slim + push: true + + - name: Create and push falco manifest + uses: Noelware/docker-manifest-action@0.3.1 + with: + inputs: 
falcosecurity/falco:${{ github.ref_name }} + images: falcosecurity/falco:aarch64-${{ github.ref_name }},falcosecurity/falco:x86_64-${{ github.ref_name }} + push: true + + - name: Create and push falco manifest for ecr + uses: Noelware/docker-manifest-action@0.3.1 + with: + inputs: public.ecr.aws/falcosecurity/falco:${{ github.ref_name }} + images: public.ecr.aws/falcosecurity/falco:aarch64-${{ github.ref_name }},public.ecr.aws/falcosecurity/falco:x86_64-${{ github.ref_name }} + push: true + + - name: Create and push falco latest manifest + if: ${{ github.ref_name != 'master' }} + uses: Noelware/docker-manifest-action@0.3.1 + with: + inputs: falcosecurity/falco:latest + images: falcosecurity/falco:aarch64-latest,falcosecurity/falco:x86_64-latest + push: true + + - name: Create and push falco latest manifest for ecr + if: ${{ github.ref_name != 'master' }} + uses: Noelware/docker-manifest-action@0.3.1 + with: + inputs: public.ecr.aws/falcosecurity/falco:latest + images: public.ecr.aws/falcosecurity/falco:aarch64-latest,public.ecr.aws/falcosecurity/falco:x86_64-latest + push: true + + - name: Create and push falco-driver-loader manifest + uses: Noelware/docker-manifest-action@0.3.1 + with: + inputs: falcosecurity/falco-driver-loader:${{ github.ref_name }} + images: falcosecurity/falco-driver-loader:aarch64-${{ github.ref_name }},falcosecurity/falco-driver-loader:x86_64-${{ github.ref_name }} + push: true + + - name: Create and push falco-driver-loader manifest for ecr + uses: Noelware/docker-manifest-action@0.3.1 + with: + inputs: public.ecr.aws/falcosecurity/falco-driver-loader:${{ github.ref_name }} + images: public.ecr.aws/falcosecurity/falco-driver-loader:aarch64-${{ github.ref_name }},public.ecr.aws/falcosecurity/falco-driver-loader:x86_64-${{ github.ref_name }} + push: true + + - name: Create and push falco-driver-loader latest manifest + if: ${{ github.ref_name != 'master' }} + uses: Noelware/docker-manifest-action@0.3.1 + with: + inputs: 
falcosecurity/falco-driver-loader:latest + images: falcosecurity/falco-driver-loader:aarch64-latest,falcosecurity/falco-driver-loader:x86_64-latest + push: true + + - name: Create and push falco-driver-loader latest manifest for ecr + if: ${{ github.ref_name != 'master' }} + uses: Noelware/docker-manifest-action@0.3.1 + with: + inputs: public.ecr.aws/falcosecurity/falco-driver-loader:latest + images: public.ecr.aws/falcosecurity/falco-driver-loader:aarch64-latest,public.ecr.aws/falcosecurity/falco-driver-loader:x86_64-latest + push: true diff --git a/.github/workflows/reusable_publish_packages.yaml b/.github/workflows/reusable_publish_packages.yaml new file mode 100644 index 00000000000..fe19e4b7895 --- /dev/null +++ b/.github/workflows/reusable_publish_packages.yaml 
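Review bot: `Noelware/docker-manifest-action@0.3.1` is referenced by a mutable tag in sixteen steps of a job that holds Docker Hub credentials and an assumed ECR push role, so a retag of `0.3.1` upstream would run arbitrary code with push access to `falcosecurity/falco:latest`. This file already pins `aws-actions/amazon-ecr-login@2f9f10ea3fa2eed41ac443fee8bfbd059af2d0a4 # v1.6.0` to a commit, so the convention exists; apply it to every third-party action here, including `docker/login-action`, `docker/setup-buildx-action` and `actions/download-artifact`, e.g. `uses: Noelware/docker-manifest-action@<full-sha> # 0.3.1`, and let Dependabot's `github-actions` ecosystem keep the pins current. The `Login to Amazon ECR Public` run step that pipes `aws ecr-public get-login-password` into `docker login` appears to duplicate the `amazon-ecr-login` step with `registry-type: public` directly above it; one of the two can go, which also removes a credential passing through a shell pipeline.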
@@ -0,0 +1,118 @@ +# This is a reusable workflow used by master and release CI +on: + workflow_call: + inputs: + version: + description: 'Falco version extracted from userspace/falco/config_falco.h' + required: true + type: string + bucket_suffix: + description: bucket suffix for packages + required: false + default: '' + type: string + +permissions: + id-token: write + contents: read + +env: + AWS_S3_REGION: eu-west-1 + GPG_KEY: ${{ secrets.GPG_KEY }} + +jobs: + publish-packages: + runs-on: ubuntu-latest + container: docker.io/centos:7 + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Install dependencies + run: | + yum install epel-release -y + yum update -y + yum install rpm-sign expect which createrepo gpg python python-pip -y + pip install awscli==1.19.47 + + # Configure AWS role; see https://github.com/falcosecurity/test-infra/pull/1102 + # Note: master CI can only push dev packages as we have 2 different roles for master and release. + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v2 + with: + role-to-assume: "arn:aws:iam::292999226676:role/github_actions-falco${{ inputs.bucket_suffix }}-s3" + aws-region: ${{ env.AWS_S3_REGION }} + + - name: Download all artifacts + uses: actions/download-artifact@v3 + with: + name: falco-* + path: /tmp + + - name: Import gpg key + run: printenv GPG_KEY | gpg --import - + + - name: Sign rpms + run: | + echo "%_signature gpg" > ~/.rpmmacros + echo "%_gpg_name Falcosecurity Package Signing" >> ~/.rpmmacros + echo "%__gpg_sign_cmd %{__gpg} --force-v3-sigs --batch --no-armor --passphrase-fd 3 --no-secmem-warning -u \"%{_gpg_name}\" -sb --digest-algo sha256 %{__plaintext_filename}'" >> ~/.rpmmacros + cat > ~/sign \<