diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e30c7eac..2dbfad0e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -40,8 +40,8 @@ jobs:
 with:
 arch: x86_64
 git_ref: ${{ github.event.pull_request.head.sha }}
- minimal: 'true'
- build_type: 'Debug'
+ minimal: true
+ build_type: Debug
 # builds using system deps, checking out the PR's code
 # note: this also runs a command that generates an output of form: " ",
@@ -54,8 +54,8 @@ jobs:
 with:
 arch: x86_64
 git_ref: ${{ github.event.pull_request.head.sha }}
- minimal: 'false'
- build_type: 'Debug'
+ minimal: false
+ build_type: Debug
 cmd: "echo $(build/userspace/falco/falco -c ./falco.yaml --version | grep 'Engine:' | awk '{print $2}') $(echo $(build/userspace/falco/falco -c ./falco.yaml --version | grep 'Schema version:' | awk '{print $3}') $(build/userspace/falco/falco -c ./falco.yaml --list --markdown | grep '^`' | sort) $(build/userspace/falco/falco -c ./falco.yaml --list-syscall-events | sort) | sha256sum)"
 # checks the falco engine checksum for consistency
@@ -71,13 +71,16 @@ jobs:
 - name: Check Engine checksum
 run: |
- prev_hash=$(grep FALCO_ENGINE_CHECKSUM "./userspace/engine/falco_engine_version.h" | awk '{print $3}' | sed -e 's/"//g')
+ prev_hash=$(grep CHECKSUM "./userspace/engine/falco_engine_version.h" | awk '{print $3}' | sed -e 's/"//g')
 cur_hash=$(echo "${{ needs.build-dev.outputs.cmdout }}" | cut -d ' ' -f 2)
+ echo "encoded checksum: $prev_hash"
+ echo "current checksum: $cur_hash"
 if [ $prev_hash != $cur_hash ]; then
- echo "actual engine checksum differs from the one encoded in userspace/engine/falco_engine_version.h:"
- echo "encoded: $prev_hash"
- echo "current: $cur_hash"
+ echo "current engine checksum differs from the one encoded in userspace/engine/falco_engine_version.h"
+ exit 1
+ else
+ echo "current and encoded engine checksum are matching"
 fi
 # checks the falco engine version and enforce bumping when necessary
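Review bot: The new branch still sits behind `if [ $prev_hash != $cur_hash ]; then` with both operands unquoted, so an empty or multi-word `prev_hash` produces a `[` syntax error instead of the message this hunk adds; the version check in hunk @@ -93 already quotes its operands, so `if [ "$prev_hash" != "$cur_hash" ]; then` keeps the two steps consistent. The relaxed pattern `grep CHECKSUM` makes that case more likely, because any other line of falco_engine_version.h mentioning CHECKSUM would add a second token; anchoring on the define, `grep '^#define FALCO_ENGINE_CHECKSUM'`, keeps the previous precision (the reason for relaxing the pattern is not visible here, so if a rename is planned the anchored form would need the new name). Since `exit 1` now turns this step into a gate, it is also worth failing explicitly on a missing value, e.g. `[ -n "$prev_hash" ] && [ -n "$cur_hash" ] || { echo "missing checksum value"; exit 1; }` before the comparison. The context line builds `cur_hash` from a `${{ needs.build-dev.outputs.cmdout }}` expansion inside the script text; an output produced by building the PR's own ref is more safely handed to the step through an `env:` entry and read as `"$CMDOUT"`, although the trigger that decides what that job can reach is outside this diff.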
@@ -93,22 +96,22 @@ jobs:
 - name: Check Engine version
 run: |
- base_hash=$(grep FALCO_ENGINE_CHECKSUM "./userspace/engine/falco_engine_version.h" | awk '{print $3}' | sed -e 's/"//g')
- base_engine_ver=$(grep FALCO_ENGINE_VERSION "./userspace/engine/falco_engine_version.h" | awk '{print $3}' | sed -e 's/(//g' -e 's/)//g')
+ base_hash=$(grep CHECKSUM "./userspace/engine/falco_engine_version.h" | awk '{print $3}' | sed -e 's/"//g')
+ base_engine_ver=$(grep ENGINE_VERSION "./userspace/engine/falco_engine_version.h" | awk '{print $3}' | sed -e 's/(//g' -e 's/)//g')
 cur_hash=$(echo "${{ needs.build-dev.outputs.cmdout }}" | cut -d ' ' -f 2)
 cur_engine_ver=$(echo "${{ needs.build-dev.outputs.cmdout }}" | cut -d ' ' -f 1)
- if [ $base_hash != $cur_hash ]; then
- echo "engine checksum for baseref and headref differ:"
- echo "baseref: $base_hash"
- echo "headref: $cur_hash"
- if [ $base_engine_ver == $cur_engine_ver ]; then
- echo "engine version must be bumped:"
- echo $cur_engine_ver
- else
- echo "engine version for baseref and headref differ too, so no bump is required:"
- echo "baseref: $base_engine_ver"
- echo "headref: $cur_engine_ver"
- fi
+ echo "baseref checksum: $base_hash"
+ echo "baseref engine version: $base_engine_ver"
+ echo "headref checksum: $cur_hash"
+ echo "headref engine version: $cur_engine_ver"
+ if [ "$base_hash" != "$cur_hash" ]; then
+ echo "engine checksum for baseref and headref differ"
+ if [ "$base_engine_ver" == "$cur_engine_ver" ]; then
+ echo "engine version must be bumped"
+ exit 1
+ else
+ echo "engine version for baseref and headref differ too, so no bump is required"
+ fi
 fi
diff --git a/.github/workflows/reusable_build_dev.yaml b/.github/workflows/reusable_build_dev.yaml
index df0a0e89..55950bc0 100644
--- a/.github/workflows/reusable_build_dev.yaml
+++ b/.github/workflows/reusable_build_dev.yaml
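Review bot: The quoted comparisons added here stop an empty headref value from breaking `[`, but they also let it pass: if `cmdout` is empty or not of the expected "version checksum" form, `cur_hash` is `""` and differs from `base_hash`, then `cur_engine_ver` (`""`) differs from `base_engine_ver`, so the step prints "no bump is required" and succeeds. A guard before the first `if`, `[ -n "$cur_hash" ] && [ -n "$cur_engine_ver" ] || { echo "headref output is empty or malformed"; exit 1; }`, makes that a failure. Whether the runner's default shell options would already abort on a failed `grep` for the baseref side is not visible in this diff, so the same non-empty check on `base_hash` and `base_engine_ver` is cheap insurance. The step's `run: |` block ends at the outer `fi` inside the hunk.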
@@ -17,7 +17,7 @@ on:
 build_type:
 description: One of 'Debug' or 'Release'
 required: true
- type: boolean
+ type: string
 git_ref:
 description: Git ref used for checking out the code
 required: true
@@ -49,7 +49,7 @@ jobs:
 run: sudo DEBIAN_FRONTEND=noninteractive apt install libjq-dev libelf-dev libyaml-cpp-dev cmake build-essential git -y
 - name: Install build dependencies (non-minimal)
- if: inputs.minimal == 'true'
+ if: inputs.minimal != true
 run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libc-ares-dev libprotobuf-dev protobuf-compiler libgrpc++-dev protobuf-compiler-grpc rpm libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm -y
 - name: Prepare project
@@ -59,9 +59,9 @@ jobs:
 cmake \
 -DBUILD_FALCO_UNIT_TESTS=On \
 -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
- -DBUILD_BPF=${{ inputs.minimal == 'true' && 'OFF' || 'ON' }} \
- -DBUILD_DRIVER=${{ inputs.minimal == 'true' && 'OFF' || 'ON' }} \
- -DMINIMAL_BUILD=${{ inputs.minimal == 'true' && 'ON' || 'OFF' }} \
+ -DBUILD_BPF=${{ inputs.minimal == true && 'OFF' || 'ON' }} \
+ -DBUILD_DRIVER=${{ inputs.minimal == true && 'OFF' || 'ON' }} \
+ -DMINIMAL_BUILD=${{ inputs.minimal == true && 'ON' || 'OFF' }} \
 ..
 popd
diff --git a/userspace/engine/falco_engine_version.h b/userspace/engine/falco_engine_version.h
index a275a6c3..3d0fbda3 100644
--- a/userspace/engine/falco_engine_version.h
+++ b/userspace/engine/falco_engine_version.h
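Review bot: `type: string` is the right type for a value described as One of 'Debug' or 'Release', but nothing enforces that description: the input is expanded unchecked into `-DCMAKE_BUILD_TYPE=${{ inputs.build_type }}` in hunk @@ -59, so a caller typo such as `debug` is handed straight to CMake. A small step early in the job, gated by `if: inputs.build_type != 'Debug' && inputs.build_type != 'Release'` and running `echo "build_type must be 'Debug' or 'Release'"; exit 1`, fails fast with a readable message. The `on:` inputs block begins and ends outside this hunk.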
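Review bot: `if: inputs.minimal != true` here, and the three `inputs.minimal == true` comparisons in hunk @@ -59, only behave as intended if the `minimal` input is declared `type: boolean`; that declaration sits above hunk @@ -17 and is not visible in this diff. GitHub expressions coerce operands of different types to numbers, so with a string-typed input `'true' == true` is false and every caller, including the `minimal: true` now passed from ci.yml, would get the non-minimal dependency install and BPF/driver ON. Worth confirming the declaration and recording the coupling next to the `if:` line, e.g. `# inputs.minimal is a boolean input: callers pass true/false, never 'true'`. Note also that an unset input (null) counts as non-minimal under `!= true`; that looks intended but should be stated in the input's description.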
@@ -22,8 +22,9 @@ limitations under the License.
 // at build time to detect a changed set of fields.
 // This is the result of running the following command:
-// echo $(falco -c ./falco.yaml --version | grep 'Engine:' | awk '{print $2}') $(echo $(falco -c ./falco.yaml --version | grep 'Schema version:' | awk '{print $3}') $(falco -c ./falco.yaml --list --markdown | grep '^`' | sort) $(falco -c ./falco.yaml --list-syscall-events | sort) | sha256sum)
+// FALCO="falco -c ./falco.yaml"
+// echo $($FALCO --version | grep 'Engine:' | awk '{print $2}') $(echo $($FALCO --version | grep 'Schema version:' | awk '{print $3}') $($FALCO --list --markdown | grep '^`' | sort) $($FALCO --list-syscall-events | sort) | sha256sum)
 // It represents the fields supported by this version of Falco,
 // the event types, and the underlying driverevent schema. It's used to
 // detetect changes in engine version in our CI jobs.
-#define FALCO_ENGINE_CHECKSUM "1d7f91f22d40074c56c705f5e494b7fae51aee1b7ababc8c70cfa63c6d6671c2"
+#define FALCO_ENGINE_CHECKSUM "96d8d3fc828e5c8c16184d66d0e7d5970864249e9b20cd736acaf70dc6431e0f"