Skip to content

Merge pull request #4393 from cyphar/mkdirall-inroot-securejoin #126

Merge pull request #4393 from cyphar/mkdirall-inroot-securejoin

Merge pull request #4393 from cyphar/mkdirall-inroot-securejoin #126

Workflow file for this run

name: validate
on:
push:
tags:
- v*
branches:
- main
- release-*
pull_request:
env:
GO_VERSION: 1.22.x
permissions:
contents: read
jobs:
keyring:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- name: check runc.keyring
run: make validate-keyring
lint:
timeout-minutes: 30
permissions:
contents: read
pull-requests: read
checks: write # to allow the action to annotate code in the PR.
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 2
- uses: actions/setup-go@v5
with:
go-version: "${{ env.GO_VERSION }}"
- name: install deps
run: |
sudo apt -q update
sudo apt -qy install libseccomp-dev
- uses: golangci/golangci-lint-action@v6
with:
version: v1.60
# Extra linters, only checking new code from a pull request.
- name: lint-extra
if: github.event_name == 'pull_request'
run: |
golangci-lint run --config .golangci-extra.yml --new-from-rev=HEAD~1
go-fix:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 2
- uses: actions/setup-go@v5
with:
go-version: "${{ env.GO_VERSION }}"
- name: install deps
run: |
sudo apt -q update
sudo apt -qy install libseccomp-dev
- name: run go fix
run: |
go fix ./...
git diff --exit-code
compile-buildtags:
runs-on: ubuntu-24.04
env:
# Don't ignore C warnings. Note that the output of "go env CGO_CFLAGS" by default is "-g -O2", so we keep them.
CGO_CFLAGS: -g -O2 -Werror
steps:
- uses: actions/checkout@v4
- name: install go
uses: actions/setup-go@v5
with:
go-version: "${{ env.GO_VERSION }}"
- name: compile with no build tags
run: make BUILDTAGS=""
codespell:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- name: install deps
# Version of codespell bundled with Ubuntu is way old, so use pip.
run: pip install --break-system-packages codespell==v2.3.0
- name: run codespell
run: codespell
shfmt:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- name: shfmt
run: make shfmt
shellcheck:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- name: install shellcheck
env:
VERSION: v0.9.0
BASEURL: https://github.com/koalaman/shellcheck/releases/download
SHA256: 7087178d54de6652b404c306233264463cb9e7a9afeb259bb663cc4dbfd64149
run: |
mkdir ~/bin
curl -sSfL --retry 5 $BASEURL/$VERSION/shellcheck-$VERSION.linux.x86_64.tar.xz |
tar xfJ - -C ~/bin --strip 1 shellcheck-$VERSION/shellcheck
sha256sum --strict --check - <<<"$SHA256 *$HOME/bin/shellcheck"
# make sure to remove the old version
sudo rm -f /usr/bin/shellcheck
# Add ~/bin to $PATH.
echo ~/bin >> $GITHUB_PATH
- uses: lumaxis/shellcheck-problem-matchers@v2
- name: run
run: make shellcheck
- name: check-config.sh
run : ./script/check-config.sh
space-at-eol:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: rm -fr vendor
- run: if git -P grep -I -n '\s$'; then echo "^^^ extra whitespace at EOL, please fix"; exit 1; fi
deps:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- name: install go
uses: actions/setup-go@v5
with:
go-version: "${{ env.GO_VERSION }}"
check-latest: true
- name: verify deps
run: make verify-dependencies
commit:
permissions:
contents: read
pull-requests: read
runs-on: ubuntu-24.04
# Only check commits on pull requests.
if: github.event_name == 'pull_request'
steps:
- name: get pr commits
id: 'get-pr-commits'
uses: tim-actions/[email protected]
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: check subject line length
uses: tim-actions/[email protected]
with:
commits: ${{ steps.get-pr-commits.outputs.commits }}
pattern: '^.{0,72}(\n.*)*$'
error: 'Subject too long (max 72)'
cfmt:
runs-on: ubuntu-24.04
steps:
- name: checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: install deps
run: |
sudo apt -qq update
sudo apt -qqy install indent
- name: cfmt
run: |
make cfmt
git diff --exit-code
release:
timeout-minutes: 30
runs-on: ubuntu-24.04
steps:
- name: checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: check CHANGELOG.md
run: make verify-changelog
# We have to run this under Docker as Ubuntu (host) does not support all
# the architectures we want to compile test against, and Dockerfile uses
# Debian (which does).
#
# XXX: as currently this is the only job that is using Docker, we are
# building and using the runcimage locally. In case more jobs running
# under Docker will emerge, it will be good to have a separate make
# runcimage job and share its result (the docker image) with whoever
# needs it.
- name: build docker image
run: make runcimage
- name: make releaseall
run: make releaseall
- name: upload artifacts
uses: actions/upload-artifact@v4
with:
name: release-${{ github.run_id }}
path: release/*
get-images:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: install bashbrew
env:
BASEURL: https://github.com/docker-library/bashbrew/releases/download
VERSION: v0.1.7
SHA256: 6b71a6fccfb2025d48a2b23324836b5513c29abfd2d16a57b7a2f89bd02fe53a
run: |
mkdir ~/bin
curl -sSfL --retry 5 -o ~/bin/bashbrew \
$BASEURL/$VERSION/bashbrew-amd64
sha256sum --strict --check - <<<"$SHA256 *$HOME/bin/bashbrew"
chmod a+x ~/bin/bashbrew
# Add ~/bin to $PATH.
echo ~/bin >> $GITHUB_PATH
- name: check that get-images.sh is up to date
run: |
cd tests/integration
./bootstrap-get-images.sh > get-images.sh
git diff --exit-code
all-done:
needs:
- cfmt
- codespell
- commit
- compile-buildtags
- deps
- get-images
- go-fix
- keyring
- lint
- release
- shellcheck
- shfmt
- space-at-eol
runs-on: ubuntu-24.04
steps:
- run: echo "All jobs completed"