Merge pull request #2490 from containers/dependabot/github_actions/cr… #6248
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: ci | |
on: | |
pull_request: {} | |
push: | |
tags: | |
- "*" | |
branches: | |
- main | |
env: | |
CARGO_TERM_COLOR: always | |
GO_VERSION: "1.23" | |
ACTION_MSRV_TOOLCHAIN: 1.66.1 | |
NIX_VERSION: "2.21.0" | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Setup Cache | |
uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 | |
with: | |
path: | | |
~/.cargo/registry | |
~/.cargo/git | |
target | |
key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }} | |
- run: .github/install-deps | |
- name: Select Toolchain | |
uses: dtolnay/rust-toolchain@315e265cd78dad1e1dcf3a5074f6d6c47029d5aa | |
with: | |
toolchain: ${{ env['ACTION_MSRV_TOOLCHAIN'] }} | |
components: rustfmt | |
- run: cargo build && git diff --exit-code | |
dependencies: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- run: make verify-dependencies | |
go-lint: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1 | |
with: | |
version: v1.60.3 | |
only-new-issues: true | |
get-script: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 | |
- run: scripts/get | |
release-static: | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: write | |
env: | |
COSIGN_EXPERIMENTAL: 1 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Setup Cache | |
uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 | |
with: | |
path: | | |
~/.cargo/registry | |
~/.cargo/git | |
target | |
key: ${{ runner.os }}-cargo-release-static-${{ hashFiles('**/Cargo.lock') }} | |
- run: .github/install-deps | |
- name: Select Toolchain | |
uses: dtolnay/rust-toolchain@315e265cd78dad1e1dcf3a5074f6d6c47029d5aa | |
with: | |
# Ubuntu 22.04 glibc static is not compatible with rustc 1.58.1 (see | |
# ACTION_MSRV_TOOLCHAIN). Means we now just use the latest one, since | |
# the static builds are made for the community. | |
toolchain: ${{ env['ACTION_MSRV_TOOLCHAIN'] }} | |
components: rustfmt | |
- run: make release-static | |
- run: | | |
mkdir ${{ github.sha }} | |
mv target/x86_64-unknown-linux-gnu/release/conmonrs ${{ github.sha }} | |
- run: ./${{ github.sha }}/conmonrs -v | |
- uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 | |
if: github.ref == 'refs/heads/main' || contains(github.ref, 'refs/tags') | |
- name: Sign binary | |
if: github.ref == 'refs/heads/main' || contains(github.ref, 'refs/tags') | |
run: | | |
cd ${{ github.sha }} | |
cosign sign-blob -y conmonrs \ | |
--output-signature conmonrs.sig \ | |
--output-certificate conmonrs.cert | |
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
with: | |
name: conmonrs | |
path: ${{ github.sha }}/* | |
- uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7 | |
if: github.ref == 'refs/heads/main' || contains(github.ref, 'refs/tags') | |
with: | |
credentials_json: ${{ secrets.GCS_CRIO_SA }} | |
- uses: google-github-actions/upload-cloud-storage@386ab77f37fdf51c0e38b3d229fad286861cc0d0 # v2.2.1 | |
if: github.ref == 'refs/heads/main' || contains(github.ref, 'refs/tags') | |
with: | |
path: ${{ github.sha }} | |
destination: cri-o/conmon-rs | |
create-marker: | |
runs-on: ubuntu-latest | |
if: github.ref == 'refs/heads/main' || contains(github.ref, 'refs/tags') | |
needs: | |
- release-static | |
- build-static | |
steps: | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- run: .github/create-marker | |
- uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7 | |
with: | |
credentials_json: ${{ secrets.GCS_CRIO_SA }} | |
- uses: google-github-actions/upload-cloud-storage@386ab77f37fdf51c0e38b3d229fad286861cc0d0 # v2.2.1 | |
with: | |
path: . | |
glob: latest-*.txt | |
destination: cri-o/conmon-rs | |
build-static: | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: write | |
env: | |
COSIGN_EXPERIMENTAL: 1 | |
strategy: | |
fail-fast: false | |
matrix: | |
arch: [amd64, arm64, ppc64le, s390x] | |
name: build-static-${{ matrix.arch }} | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: cachix/install-nix-action@3715ab1a11cac9e991980d7b4a28d80c7ebdd8f9 # v28 | |
with: | |
install_url: https://releases.nixos.org/nix/nix-${{ env.NIX_VERSION }}/install | |
- uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15 | |
with: | |
name: conmon-rs | |
authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}" | |
pushFilter: "(conmon-rs|cargo-vendor)" | |
- run: nix-build nix/default-${{ matrix.arch }}.nix | |
- run: file result/bin/conmonrs | grep static | grep stripped | |
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
with: | |
name: build-static-${{ matrix.arch }} | |
path: | | |
result/bin/conmonrs | |
- run: | | |
mkdir ${{ github.sha }} | |
cp result/bin/conmonrs ${{ github.sha }}/conmonrs.${{ matrix.arch }} | |
- uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 | |
if: github.ref == 'refs/heads/main' || contains(github.ref, 'refs/tags') | |
- name: Sign binary | |
if: github.ref == 'refs/heads/main' || contains(github.ref, 'refs/tags') | |
run: | | |
cd ${{ github.sha }} | |
cosign sign-blob -y conmonrs.${{ matrix.arch }} \ | |
--output-signature conmonrs.${{ matrix.arch }}.sig \ | |
--output-certificate conmonrs.${{ matrix.arch }}.cert | |
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
with: | |
name: conmonrs-${{ matrix.arch }} | |
path: ${{ github.sha }}/* | |
- uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7 | |
if: github.ref == 'refs/heads/main' || contains(github.ref, 'refs/tags') | |
with: | |
credentials_json: ${{ secrets.GCS_CRIO_SA }} | |
- uses: google-github-actions/upload-cloud-storage@386ab77f37fdf51c0e38b3d229fad286861cc0d0 # v2.2.1 | |
if: github.ref == 'refs/heads/main' || contains(github.ref, 'refs/tags') | |
with: | |
path: ${{ github.sha }} | |
destination: cri-o/conmon-rs | |
doc: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Setup Cache | |
uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 | |
with: | |
path: | | |
~/.cargo/registry | |
~/.cargo/git | |
target | |
key: ${{ runner.os }}-cargo-doc-${{ hashFiles('**/Cargo.lock') }} | |
- run: .github/install-deps | |
- name: Select Toolchain | |
uses: dtolnay/rust-toolchain@315e265cd78dad1e1dcf3a5074f6d6c47029d5aa | |
with: | |
toolchain: ${{ env['ACTION_MSRV_TOOLCHAIN'] }} | |
components: rustfmt | |
- name: Cargo doc | |
run: cargo doc --no-deps | |
lint-clippy: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Setup Cache | |
uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 | |
with: | |
path: | | |
~/.cargo/registry | |
~/.cargo/git | |
target | |
key: ${{ runner.os }}-cargo-clippy-${{ hashFiles('**/Cargo.lock') }} | |
- run: .github/install-deps | |
- name: Select Toolchain | |
uses: dtolnay/rust-toolchain@315e265cd78dad1e1dcf3a5074f6d6c47029d5aa | |
with: | |
toolchain: nightly | |
components: clippy, rustfmt | |
- name: Clippy Lint | |
run: cargo +nightly clippy --all-targets --all-features -- -D warnings | |
vendor: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Setup Cache | |
uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 | |
with: | |
path: | | |
~/.cargo/registry | |
~/.cargo/git | |
target | |
key: ${{ runner.os }}-cargo-vendor-${{ hashFiles('**/Cargo.lock') }} | |
- run: .github/install-deps | |
- name: Select Toolchain | |
uses: dtolnay/rust-toolchain@315e265cd78dad1e1dcf3a5074f6d6c47029d5aa | |
with: | |
toolchain: stable | |
- name: Vendor | |
run: cargo vendor .cargo-vendor && git diff --exit-code | |
lint-rustfmt: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Select Toolchain | |
uses: dtolnay/rust-toolchain@315e265cd78dad1e1dcf3a5074f6d6c47029d5aa | |
with: | |
toolchain: ${{ env['ACTION_MSRV_TOOLCHAIN'] }} | |
components: rustfmt | |
- name: Rustfmt | |
run: cargo fmt && git diff --exit-code | |
test-unit: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- run: .github/install-deps | |
- name: Install cargo-llvm-cov | |
uses: taiki-e/install-action@cargo-llvm-cov | |
- name: Generate code coverage | |
run: cargo llvm-cov --all-features --lcov --output-path lcov.info | |
- name: Upload Results | |
uses: codecov/codecov-action@015f24e6818733317a2da2edd6290ab26238649a # v5.0.7 | |
with: | |
files: lcov.info | |
test-integration: | |
needs: release-static | |
runs-on: ubuntu-latest | |
timeout-minutes: 10 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- name: Setup Rust and Golang Cache | |
uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 | |
with: | |
path: | | |
~/.cargo/registry | |
~/.cargo/git | |
target | |
~/go/pkg/mod | |
~/.cache/go-build | |
key: ${{ runner.os }}-cargo-test-integration-${{ hashFiles('**/Cargo.lock') }}-${{ hashFiles('**/go.sum') }} | |
- name: Setup Testfiles Cache | |
uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 | |
with: | |
path: | | |
/tmp/conmon-test-images | |
key: ${{ runner.os }}-cargo-test-files-${{ hashFiles('pkg/client/files_test.go') }} | |
- run: rm -rf target/x86_64-unknown-linux-gnu/release/conmonrs | |
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: conmonrs | |
path: target/x86_64-unknown-linux-gnu/release | |
- run: chmod +x target/x86_64-unknown-linux-gnu/release/conmonrs | |
- run: .github/install-deps | |
- name: create symlink | |
run: sudo ln -f -s $(go env GOROOT)/bin/* /usr/bin/ | |
- name: Integration tests | |
run: sudo -E RUNTIME_PATH="/usr/sbin/runc" make integration-static | |
- name: Chown cache | |
run: | | |
sudo chown -R $(id -u):$(id -g) ~/go/pkg/mod | |
sudo chown -R $(id -u):$(id -g) ~/.cache/go-build | |
test-critest: | |
needs: release-static | |
runs-on: ubuntu-latest | |
timeout-minutes: 10 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: conmonrs | |
path: target/x86_64-unknown-linux-musl/release | |
- run: .github/setup | |
- name: Install ginkgo | |
run: | | |
sudo chown -R $(id -u):$(id -g) ~/go | |
sudo chown -R $(id -u):$(id -g) ~/.cache | |
go install github.com/onsi/ginkgo/v2/ginkgo@latest | |
ginkgo version | |
sudo cp $(command -v ginkgo) /usr/local/bin | |
- name: Run critest | |
shell: bash | |
run: | | |
set -euox pipefail | |
sudo cp target/x86_64-unknown-linux-musl/release/conmonrs /usr/libexec/crio/conmonrs | |
sudo chmod +x /usr/libexec/crio/conmonrs | |
set +o errexit | |
sudo -E PATH=$PATH critest \ | |
--runtime-endpoint=unix:///var/run/crio/crio.sock \ | |
--parallel=$(nproc) \ | |
--ginkgo.flake-attempts=3 \ | |
--ginkgo.randomize-all \ | |
--ginkgo.timeout=2m \ | |
--ginkgo.trace \ | |
--ginkgo.vv | |
TEST_RC=$? | |
set -o errexit | |
sudo journalctl --no-pager > journal.log | |
test $TEST_RC -ne 0 && cat journal.log | |
exit $TEST_RC | |
- name: Upload logs | |
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
with: | |
name: journal.log | |
path: journal.log | |
typos: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: crate-ci/typos@bd36f89fcd3424dcefd442894589e6ee572a59f2 # v1.28.1 | |
with: | |
config: .github/typos.toml | |
prettier: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: creyD/prettier_action@31355f8eef017f8aeba2e0bc09d8502b13dbbad1 # v4.3 | |
with: | |
dry: true | |
prettier_options: --write . |