From 1c3aa7a83bcd2e089673f48cabc47e430f72c1be Mon Sep 17 00:00:00 2001
From: Federico Di Pierro
Date: Tue, 18 Apr 2023 17:41:26 +0200
Subject: [PATCH] chore(ci): multiple fixes to new master and release ci jobs.
Signed-off-by: Federico Di Pierro
---
 .github/workflows/master.yaml | 4 -
 .github/workflows/release.yaml | 4 -
 .github/workflows/reusable_build_docker.yaml | 27 ++--
 .../workflows/reusable_build_packages.yaml | 116 +++++++++++-------
 .../workflows/reusable_publish_docker.yaml | 37 +++---
 .../workflows/reusable_publish_packages.yaml | 33 ++---
 6 files changed, 113 insertions(+), 108 deletions(-)
diff --git a/.github/workflows/master.yaml b/.github/workflows/master.yaml
index 2372c086..1824d612 100644
--- a/.github/workflows/master.yaml
+++ b/.github/workflows/master.yaml
@@ -34,7 +34,6 @@ jobs:
 uses: falcosecurity/falco/.github/workflows/reusable_build_docker.yaml@main
 with:
 arch: x86_64
- tagname: master
 bucket: '-dev'
 version: ${{ needs.build-dev-packages.outputs.version }}
 secrets: inherit
@@ -44,7 +43,6 @@ jobs:
 uses: falcosecurity/falco/.github/workflows/reusable_build_docker.yaml@main
 with:
 arch: aarch64
- tagname: master
 bucket: '-dev'
 version: ${{ needs.build-dev-packages.outputs.version }}
 secrets: inherit
@@ -52,6 +50,4 @@ jobs:
 publish-dev-docker:
 needs: [build-dev-docker, build-dev-docker-arm64]
 uses: falcosecurity/falco/.github/workflows/reusable_publish_docker.yaml@main
- with:
- tagname: master
 secrets: inherit
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 9817e84b..7f4f7102 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -34,7 +34,6 @@ jobs:
 uses: falcosecurity/falco/.github/workflows/reusable_build_docker.yaml@main
 with:
 arch: x86_64
- tagname: ${{ github.ref_name }}
 version: ${{ needs.build-packages.outputs.version }}
 secrets: inherit
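Review bot: Dropping `tagname:` from the `with:` blocks in master.yaml (and in the release.yaml hunks here and on the next line) is only safe if reusable_build_docker.yaml no longer declares that input as required; the diffstat's 27 changed lines for that file are fully accounted for by the hunks below, none of which touches its `workflow_call.inputs` block, so the declaration appears to be left in place. If it is still `required: true` (as it was in reusable_publish_docker.yaml before this patch), every caller will fail workflow validation with a missing-input error before any job starts. Remove the `tagname` input declaration from reusable_build_docker.yaml in the same commit, or keep passing it until the reusable workflow stops reading it.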
@@ -43,14 +42,11 @@ jobs:
 uses: falcosecurity/falco/.github/workflows/reusable_build_docker.yaml@main
 with:
 arch: aarch64
- tagname: ${{ github.ref_name }}
 version: ${{ needs.build-packages.outputs.version }}
 secrets: inherit
 publish-docker:
 needs: [build-docker, build-docker-arm64]
 uses: falcosecurity/falco/.github/workflows/reusable_publish_docker.yaml@main
- with:
- tagname: ${{ github.ref_name }}
 secrets: inherit
diff --git a/.github/workflows/reusable_build_docker.yaml b/.github/workflows/reusable_build_docker.yaml
index 3b536d90..6ff74a30 100644
--- a/.github/workflows/reusable_build_docker.yaml
+++ b/.github/workflows/reusable_build_docker.yaml
@@ -24,13 +24,10 @@ jobs:
 build-docker:
 # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
 runs-on: ${{ (inputs.arch == "aarch64") && fromJSON('[ "self-hosted", "linux", "ARM64" ]') || 'ubuntu-latest' }}
- container:
- image: ubuntu:22.04
+ container: ubuntu:22.04
 steps:
 - name: Checkout
 uses: actions/checkout@v3
- with:
- fetch-depth: 0
 - name: Install deps
 run: |
@@ -57,10 +54,10 @@ jobs:
 VERSION_BUCKET=bin${{ inputs.bucket }}
 FALCO_VERSION=${{ inputs.version }}
 tags: |
- falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ inputs.tagname }}
- falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tagname }}-slim
- public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ inputs.tagname }}
- public.ecr.aws/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tagname }}-slim
+ falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ github.ref_name }}
+ falcosecurity/falco:${{ inputs.arch }}-${{ github.ref_name }}-slim
+ public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ github.ref_name }}
+ public.ecr.aws/falcosecurity/falco:${{ inputs.arch }}-${{ github.ref_name }}-slim
 - name: Build and publish falco
 uses: docker/build-push-action@v3
@@ -72,8 +69,8 @@ jobs:
 VERSION_BUCKET=deb${{ inputs.bucket }}
 FALCO_VERSION=${{ inputs.version }}
 tags: |
- falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tagname }}
- public.ecr.aws/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tagname }}
+ falcosecurity/falco:${{ inputs.arch }}-${{ github.ref_name }}
+ public.ecr.aws/falcosecurity/falco:${{ inputs.arch }}-${{ github.ref_name }}
 - name: Build and publish falco-driver-loader
 uses: docker/build-push-action@v3
@@ -82,10 +79,10 @@ jobs:
 push: true
 provenance: false # https://github.com/Noelware/docker-manifest-action/issues/131
 build-args: |
- FALCO_IMAGE_TAG=${{ inputs.arch }}-${{ inputs.tagname }}
+ FALCO_IMAGE_TAG=${{ inputs.arch }}-${{ github.ref_name }}
 tags: |
- falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tagname }}
- public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tagname }}
+ falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ github.ref_name }}
+ public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ github.ref_name }}
 - name: Build and publish no-driver latest
 if: ${{ inputs.tagname != 'master' }}
@@ -96,7 +93,7 @@ jobs:
 provenance: false # https://github.com/Noelware/docker-manifest-action/issues/131
 build-args: |
 VERSION_BUCKET=bin
- FALCO_VERSION=${{ inputs.tagname }}
+ FALCO_VERSION=${{ github.ref_name }}
 tags: |
 falcosecurity/falco-no-driver:${{ inputs.arch }}-latest
 falcosecurity/falco:${{ inputs.arch }}-latest-slim
@@ -112,7 +109,7 @@ jobs:
 provenance: false # https://github.com/Noelware/docker-manifest-action/issues/131
 build-args: |
 VERSION_BUCKET=deb
- FALCO_VERSION=${{ inputs.tagname }}
+ FALCO_VERSION=${{ github.ref_name }}
 tags: |
 falcosecurity/falco:${{ inputs.arch }}-latest
 public.ecr.aws/falcosecurity/falco:${{ inputs.arch }}-latest
diff --git a/.github/workflows/reusable_build_packages.yaml b/.github/workflows/reusable_build_packages.yaml
index e38e1a93..738f383d 100644
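Review bot: The `latest` publishing steps are still gated on `if: ${{ inputs.tagname != 'master' }}` (visible as context at the end of the `@@ -82` hunk, and presumably the same for the deb `latest` step whose guard sits just above the `@@ -112` hunk) while both callers stop passing `tagname` in this patch; an input that is not supplied evaluates to the empty string, which is `!= 'master'`, so master/dev builds would start overwriting the `:latest`, `:latest-slim` and driver-loader `latest` tags on Docker Hub and public ECR with development images. The tag-derivation lines in these hunks moved to `github.ref_name`, so the guards should follow, e.g. `if: ${{ github.ref_type == 'tag' }}` (or `github.ref_name != 'master'` to keep the current semantics exactly). The same stale `inputs.tagname` guard is likely present on the latest-manifest steps of reusable_publish_docker.yaml, whose `if:` lines are outside this patch.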
--- a/.github/workflows/reusable_build_packages.yaml
+++ b/.github/workflows/reusable_build_packages.yaml
@@ -12,11 +12,37 @@ on:
 value: ${{ jobs.build-packages.outputs.version }}
 jobs:
+ build-modern-bpf-skeleton:
+ # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
+ runs-on: ${{ (inputs.arch == "aarch64") && fromJSON('[ "self-hosted", "linux", "ARM64" ]') || 'ubuntu-latest' }}
+ container: fedora:latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ - name: Install build dependencies
+ run: |
+ dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake libbpf-devel
+
+ - name: Build modern BPF skeleton
+ run: |
+ mkdir skeleton-build && cd skeleton-build
+ cmake -DUSE_BUNDLED_DEPS=ON -DBUILD_FALCO_MODERN_BPF=ON -DCREATE_TEST_TARGETS=Off ..
+ make ProbeSkeleton -j6
+
+ - name: Upload skeleton
+ uses: actions/upload-artifact@v3
+ with:
+ name: bpf_probe_${{ inputs.arch }}.skel.h
+ path: skeleton-build/skel_dir/bpf_probe.skel.h
+
 build-packages:
 # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
 runs-on: ${{ (inputs.arch == "aarch64") && fromJSON('[ "self-hosted", "linux", "ARM64" ]') || 'ubuntu-latest' }}
- container:
- image: ubuntu:22.04
+ needs: build-modern-bpf-skeleton
+ container: centos:7
 # Map the job outputs to step outputs
 outputs:
 version: ${{ steps.store_version.outputs.version }}
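Review bot: The new `build-modern-bpf-skeleton` job runs in `container: fedora:latest`, a floating tag, and the `bpf_probe.skel.h` it uploads is then compiled into the release packages by `build-packages`; a silent base-image, bpftool or libbpf-devel change can alter the shipped skeleton, and a given release can no longer be rebuilt from the same inputs afterwards. Pin the image to a specific Fedora release tag or, better, to a digest (`fedora:<version>@sha256:<digest-placeholder>`), and consider the same for the `container: centos:7` line added to `build-packages`. The `dnf install` line also lists `automake` twice; harmless, but worth trimming.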
@@ -24,88 +50,92 @@ jobs:
 - name: Checkout
 uses: actions/checkout@v3
 with:
- path: source
 fetch-depth: 0
- ref: ${{ github.event.pull_request.head.sha }}
-
+
+ - name: Download skeleton
+ uses: actions/download-artifact@v3
+ with:
+ name: bpf_probe_${{ inputs.arch }}.skel.h
+ path: /tmp
+
 - name: Install build dependencies
 run: |
- mkdir deps && cd deps
- apt update -y
- DEBIAN_FRONTEND=noninteractive apt install -y --no-install-recommends ca-certificates cmake build-essential clang-14 git pkg-config autoconf automake libelf-dev
- update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
- update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
- git clone https://github.com/libbpf/bpftool.git --branch v7.0.0 --single-branch
- cd bpftool
- git submodule update --init
- cd src && make install
-
- - name: Build modern BPF skeleton
+ yum -y install centos-release-scl
+ yum -y install devtoolset-9-gcc devtoolset-9-gcc-c++
+ source /opt/rh/devtoolset-9/enable
+ yum install -y git wget make m4 rpm-build
+
+ - name: Install updated cmake
 run: |
- cd source
- mkdir skeleton-build && cd skeleton-build
- cmake -DUSE_BUNDLED_DEPS=ON -DBUILD_FALCO_MODERN_BPF=ON -DCREATE_TEST_TARGETS=Off ..
- make ProbeSkeleton
-
- - name: Build Falco packages
+ curl -L -o /tmp/cmake.tar.gz https://github.com/Kitware/CMake/releases/download/v3.22.5/cmake-3.22.5-linux-$(uname -m).tar.gz
+ gzip -d /tmp/cmake.tar.gz
+ tar -xpf /tmp/cmake.tar --directory=/tmp
+ cp -R /tmp/cmake-3.22.5-linux-$(uname -m)/* /usr
+ rm -rf /tmp/cmake-3.22.5-linux-$(uname -m)
+
+ - name: Prepare project
 run: |
- mkdir -p source/build
- DOCKER_BUILDKIT=1 docker build \
- -f ${{ github.workspace }}/source/docker/builder/modern-falco-builder.Dockerfile \
- --output type=local,dest=${{ github.workspace }}/source/build \
- --build-arg CMAKE_OPTIONS="\
+ mv /tmp/bpf_probe_${{ inputs.arch }}.skel.h /tmp/bpf_probe.skel.h
+ mkdir build && cd build
+ source /opt/rh/devtoolset-9/enable
+ cmake \
 -DCMAKE_BUILD_TYPE=Release \
 -DUSE_BUNDLED_DEPS=On \
 -DFALCO_ETC_DIR=/etc/falco \
 -DBUILD_FALCO_MODERN_BPF=ON \
- -DMODERN_BPF_SKEL_DIR=/source/skeleton-build/skel_dir \
+ -DMODERN_BPF_SKEL_DIR=/tmp \
 -DBUILD_DRIVER=Off \
- -DBUILD_BPF=Off" \
- --build-arg DEST_BUILD_DIR=${{ github.workspace }}/source/build \
- ${{ github.workspace }}/source
-
+ -DBUILD_BPF=Off \
+ ..
+
 - name: Load and store Falco version output
 id: store_version
 run: |
- FALCO_VERSION=$(cat ${{ github.workspace }}/source/build/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
- echo "version=${FALCO_VERSION}" >> $GITHUB_OUTPUT
+ FALCO_VERSION=$(cat build/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+ echo "version=${FALCO_VERSION}" >> $GITHUB_OUTPUT
+
+ - name: Build project
+ run: |
+ cd build
+ make falco -j6
+
+ - name: Build packages
+ run: |
+ cd build
+ make package
 - name: Upload Falco tar.gz package
 uses: actions/upload-artifact@v3
 with:
 name: falco-${{ steps.store_version.outputs.version }}-${{ inputs.arch }}.tar.gz
 path: |
- ${{ github.workspace }}/source/build/packages/falco-*.tar.gz
+ ${{ github.workspace }}/build/packages/falco-*.tar.gz
 - name: Upload Falco deb package
 uses: actions/upload-artifact@v3
 with:
 name: falco-${{ steps.store_version.outputs.version }}-${{ inputs.arch }}.deb
 path: |
- ${{ github.workspace }}/source/build/packages/falco-*.deb
+ ${{ github.workspace }}/build/packages/falco-*.deb
 - name: Upload Falco rpm package
 uses: actions/upload-artifact@v3
 with:
 name: falco-${{ steps.store_version.outputs.version }}-${{ inputs.arch }}.rpm
 path: |
- ${{ github.workspace }}/source/build/packages/falco-*.rpm
+ ${{ github.workspace }}/build/packages/falco-*.rpm
 build-musl-package:
 needs: build-packages
 # x86_64 only for now
 if: ${{ inputs.arch == 'x86_64' }}
 runs-on: ubuntu-latest
- container:
- image: alpine:3.17
-
+ container: alpine:3.17
 steps:
 - name: Checkout
 uses: actions/checkout@v3
 with:
- path: source
 fetch-depth: 0
- ref: ${{ github.event.pull_request.head.sha }}
 - name: Install build dependencies
 run: |
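Review bot: The `Install updated cmake` step (hunk starts two lines up) downloads the CMake tarball with `curl -L` and copies it over `/usr` with no integrity check, so the toolchain that builds the release packages is whatever the download endpoint returns at build time; Kitware publishes a SHA-256 list next to each release, so verify before extracting, e.g. `curl -fL -o /tmp/cmake.tar.gz <url>` followed by `echo '<expected-sha256-placeholder>  /tmp/cmake.tar.gz' | sha256sum -c -` (the `-f` also turns an HTTP error page into a failed step instead of a bogus cmake.tar.gz). Separately, `mv /tmp/bpf_probe_${{ inputs.arch }}.skel.h /tmp/bpf_probe.skel.h` in `Prepare project` looks wrong: when `name:` is given, `actions/download-artifact@v3` extracts the artifact's contents into `path`, and the content uploaded above is the single file `bpf_probe.skel.h`, so the `mv` source should not exist; please confirm against a run log and drop the `mv` if so.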
@@ -114,7 +144,7 @@ jobs:
 - name: Prepare project
 run: |
 mkdir build && cd build
- cmake -DCPACK_GENERATOR=TGZ -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DBUILD_LIBSCAP_MODERN_BPF=ON -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco /source-static/falco
+ cmake -DCPACK_GENERATOR=TGZ -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DBUILD_LIBSCAP_MODERN_BPF=ON -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco ../
 - name: Build project
 run: |
diff --git a/.github/workflows/reusable_publish_docker.yaml b/.github/workflows/reusable_publish_docker.yaml
index 54460347..ca225152 100644
--- a/.github/workflows/reusable_publish_docker.yaml
+++ b/.github/workflows/reusable_publish_docker.yaml
@@ -1,11 +1,6 @@
 # This is a reusable workflow used by master and release CI
 on:
 workflow_call:
- inputs:
- tagname:
- description: master or tag name
- required: true
- type: string
 jobs:
 publish-docker:
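Review bot: Removing `tagname` from `workflow_call.inputs` makes any remaining `inputs.tagname` reference in this file evaluate to an empty string instead of failing; the `latest` manifest steps (seen as context further down, e.g. `Create and push no-driver latest manifest`) have their `if:` guards outside this patch, and if they still read `inputs.tagname != 'master'` they will now run on every master build and repoint the public `latest` manifests on Docker Hub and ECR at dev images. Please check those guards and switch them to `if: ${{ github.ref_type == 'tag' }}` alongside this change. While here: every manifest step uses `Noelware/docker-manifest-action@master`, a moving ref for a third-party action that runs with registry push credentials; pinning it to a release tag or commit SHA would close that supply-chain gap.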
@@ -24,29 +19,29 @@ jobs:
 - name: Create and push no-driver manifest
 uses: Noelware/docker-manifest-action@master
 with:
- inputs: falcosecurity/falco-no-driver:${{ inputs.tagname }}
- images: falcosecurity/falco-no-driver:aarch64-${{ inputs.tagname }},falcosecurity/falco-no-driver:x86_64-${{ inputs.tagname }}
+ inputs: falcosecurity/falco-no-driver:${{ github.ref_name }}
+ images: falcosecurity/falco-no-driver:aarch64-${{ github.ref_name }},falcosecurity/falco-no-driver:x86_64-${{ github.ref_name }}
 push: true
 - name: Create and push slim manifest
 uses: Noelware/docker-manifest-action@master
 with:
- inputs: falcosecurity/falco:${{ inputs.tagname }}-slim
- images: falcosecurity/falco:aarch64-${{ inputs.tagname }}-slim,falcosecurity/falco:x86_64-${{ inputs.tagname }}-slim
+ inputs: falcosecurity/falco:${{ github.ref_name }}-slim
+ images: falcosecurity/falco:aarch64-${{ github.ref_name }}-slim,falcosecurity/falco:x86_64-${{ github.ref_name }}-slim
 push: true
 - name: Create and push no-driver manifest for ecr
 uses: Noelware/docker-manifest-action@master
 with:
- inputs: public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tagname }}
- images: public.ecr.aws/falcosecurity/falco-no-driver:aarch64-${{ inputs.tagname }},public.ecr.aws/falcosecurity/falco-no-driver:x86_64-${{ inputs.tagname }}
+ inputs: public.ecr.aws/falcosecurity/falco-no-driver:${{ github.ref_name }}
+ images: public.ecr.aws/falcosecurity/falco-no-driver:aarch64-${{ github.ref_name }},public.ecr.aws/falcosecurity/falco-no-driver:x86_64-${{ github.ref_name }}
 push: true
 - name: Create and push slim manifest for ecr
 uses: Noelware/docker-manifest-action@master
 with:
- inputs: public.ecr.aws/falcosecurity/falco:${{ inputs.tagname }}-slim
- images: public.ecr.aws/falcosecurity/falco:aarch64-${{ inputs.tagname }}-slim,public.ecr.aws/falcosecurity/falco:x86_64-${{ inputs.tagname }}-slim
+ inputs: public.ecr.aws/falcosecurity/falco:${{ github.ref_name }}-slim
+ images: 
public.ecr.aws/falcosecurity/falco:aarch64-${{ github.ref_name }}-slim,public.ecr.aws/falcosecurity/falco:x86_64-${{ github.ref_name }}-slim
 push: true
 - name: Create and push no-driver latest manifest
@@ -84,15 +79,15 @@ jobs:
 - name: Create and push falco manifest
 uses: Noelware/docker-manifest-action@master
 with:
- inputs: falcosecurity/falco:${{ inputs.tagname }}
- images: falcosecurity/falco:aarch64-${{ inputs.tagname }},falcosecurity/falco:x86_64-${{ inputs.tagname }}
+ inputs: falcosecurity/falco:${{ github.ref_name }}
+ images: falcosecurity/falco:aarch64-${{ github.ref_name }},falcosecurity/falco:x86_64-${{ github.ref_name }}
 push: true
 - name: Create and push falco manifest for ecr
 uses: Noelware/docker-manifest-action@master
 with:
- inputs: public.ecr.aws/falcosecurity/falco:${{ inputs.tagname }}
- images: public.ecr.aws/falcosecurity/falco:aarch64-${{ inputs.tagname }},public.ecr.aws/falcosecurity/falco:x86_64-${{ inputs.tagname }}
+ inputs: public.ecr.aws/falcosecurity/falco:${{ github.ref_name }}
+ images: public.ecr.aws/falcosecurity/falco:aarch64-${{ github.ref_name }},public.ecr.aws/falcosecurity/falco:x86_64-${{ github.ref_name }}
 push: true
 - name: Create and push falco latest manifest
@@ -114,15 +109,15 @@ jobs:
 - name: Create and push falco-driver-loader manifest
 uses: Noelware/docker-manifest-action@master
 with:
- inputs: falcosecurity/falco-driver-loader:${{ inputs.tagname }}
- images: falcosecurity/falco-driver-loader:aarch64-${{ inputs.tagname }},falcosecurity/falco-driver-loader:x86_64-${{ inputs.tagname }}
+ inputs: falcosecurity/falco-driver-loader:${{ github.ref_name }}
+ images: falcosecurity/falco-driver-loader:aarch64-${{ github.ref_name }},falcosecurity/falco-driver-loader:x86_64-${{ github.ref_name }}
 push: true
 - name: Create and push falco-driver-loader manifest for ecr
 uses: Noelware/docker-manifest-action@master
 with:
- inputs: public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tagname }}
- images: public.ecr.aws/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tagname }},public.ecr.aws/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tagname }}
+ inputs: public.ecr.aws/falcosecurity/falco-driver-loader:${{ github.ref_name }}
+ images: public.ecr.aws/falcosecurity/falco-driver-loader:aarch64-${{ github.ref_name }},public.ecr.aws/falcosecurity/falco-driver-loader:x86_64-${{ github.ref_name }}
 push: true
 - name: Create and push falco-driver-loader latest manifest
diff --git a/.github/workflows/reusable_publish_packages.yaml b/.github/workflows/reusable_publish_packages.yaml
index 17500182..f4c6b28f 100644
--- a/.github/workflows/reusable_publish_packages.yaml
+++ b/.github/workflows/reusable_publish_packages.yaml
@@ -15,15 +15,10 @@ on:
 jobs:
 publish-packages:
 runs-on: ubuntu-latest
- container:
- image: docker.io/centos:7
+ container: docker.io/centos:7
 steps:
 - name: Checkout
 uses: actions/checkout@v3
- with:
- path: source
- fetch-depth: 0
- ref: ${{ github.event.pull_request.head.sha }}
 - name: Install dependencies
 run: |
@@ -35,7 +30,8 @@ jobs:
 - name: Download all artifacts
 uses: actions/download-artifact@v3
 with:
- path: $RUNNER_TEMP
+ name: falco-*
+ path: /tmp
 - name: Import gpg key
 run: |
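Review bot: `name: falco-*` in `Download all artifacts` is unlikely to do what is intended: `actions/download-artifact@v3` matches `name` literally (wildcard matching only arrived with the `pattern` input of a later major version), so this step should fail with no artifact found before the signing and publish steps run. Either omit `name` to download everything (each artifact then lands in its own subfolder under `/tmp`, so the `/tmp/falco-*.rpm` and `/tmp/falco-${{ inputs.version }}-<arch>.*` paths in the next hunk would need the extra directory level or a flattening `find`/`mv` step), or list the exact artifact names. The deb job's pre-existing `name: falco-${{ inputs.version }}-*.deb` in the `@@ -92` hunk has the same problem.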
@@ -54,33 +50,28 @@ jobs:
 expect eof
 EOF
 chmod +x ~/sign
- ~/sign $RUNNER_TEMP/falco-*.rpm
- rpm --qf %{SIGPGP:pgpsig} -qp $RUNNER_TEMP/falco-*.rpm | grep SHA256
+ ~/sign /tmp/falco-*.rpm
+ rpm --qf %{SIGPGP:pgpsig} -qp /tmp/falco-*.rpm | grep SHA256
 - name: Publish rpm
 run: |
- ./scripts/publish-rpm -f $RUNNER_TEMP/falco-${{ inputs.version }}-x86_64.rpm -f $RUNNER_TEMP/falco-${{ inputs.version }}-aarch64.rpm -r rpm${{ inputs.bucket }}
+ ./scripts/publish-rpm -f /tmp/falco-${{ inputs.version }}-x86_64.rpm -f /tmp/falco-${{ inputs.version }}-aarch64.rpm -r rpm${{ inputs.bucket }}
 - name: Publish bin
 run: |
- ./scripts/publish-bin -f $RUNNER_TEMP/falco-${{ inputs.version }}-x86_64.tar.gz -r bin${{ inputs.bucket }} -a x86_64
- ./scripts/publish-bin -f $RUNNER_TEMP/falco-${{ inputs.version }}-aarch64.tar.gz -r bin${{ inputs.bucket }} -a aarch64
+ ./scripts/publish-bin -f /tmp/falco-${{ inputs.version }}-x86_64.tar.gz -r bin${{ inputs.bucket }} -a x86_64
+ ./scripts/publish-bin -f /tmp/falco-${{ inputs.version }}-aarch64.tar.gz -r bin${{ inputs.bucket }} -a aarch64
 - name: Publish static
 run: |
- ./scripts/publish-bin -f $RUNNER_TEMP/falco-${{ inputs.version }}-static-x86_64.tar.gz -r bin${{ inputs.bucket }} -a x86_64
+ ./scripts/publish-bin -f /tmp/falco-${{ inputs.version }}-static-x86_64.tar.gz -r bin${{ inputs.bucket }} -a x86_64
 publish-packages-deb:
 runs-on: ubuntu-latest
- container:
- image: docker.io/debian:stable
+ container: docker.io/debian:stable
 steps:
 - name: Checkout
 uses: actions/checkout@v3
- with:
- path: source
- fetch-depth: 0
- ref: ${{ github.event.pull_request.head.sha }}
 - name: Install dependencies
 run: |
@@ -92,7 +83,7 @@ jobs:
 uses: actions/download-artifact@v3
 with:
 name: falco-${{ inputs.version }}-*.deb
- path: $RUNNER_TEMP
+ path: /tmp
 - name: Import gpg key
 run: |
@@ -100,6 +91,6 @@ jobs:
 - name: Publish deb
 run: |
- ./scripts/publish-deb -f $RUNNER_TEMP/falco-${{ inputs.version }}-x86_64.deb -f $RUNNER_TEMP/falco-${{ inputs.version }}-aarch64.deb -r deb${{ inputs.bucket }}
+ ./scripts/publish-deb -f /tmp/falco-${{ inputs.version }}-x86_64.deb -f /tmp/falco-${{ inputs.version }}-aarch64.deb -r deb${{ inputs.bucket }}