From b138e4c9e151ab1fbc43302ccfcf3ae8e7886170 Mon Sep 17 00:00:00 2001 From: Federico Di Pierro Date: Mon, 17 Apr 2023 12:11:15 +0200 Subject: [PATCH] new(ci): added github action workflows for dev and release CI (packages + docker images publish). Signed-off-by: Federico Di Pierro --- .github/workflows/dev.yaml | 63 ++++++++ .github/workflows/release.yaml | 61 ++++++++ .github/workflows/reusable_build_docker.yaml | 131 ++++++++++++++++ .../workflows/reusable_build_packages.yaml | 143 ++++++++++++++++++ .../workflows/reusable_publish_docker.yaml | 142 +++++++++++++++++ .../workflows/reusable_publish_packages.yaml | 105 +++++++++++++ 6 files changed, 645 insertions(+) create mode 100644 .github/workflows/dev.yaml create mode 100644 .github/workflows/release.yaml create mode 100644 .github/workflows/reusable_build_docker.yaml create mode 100644 .github/workflows/reusable_build_packages.yaml create mode 100644 .github/workflows/reusable_publish_docker.yaml create mode 100644 .github/workflows/reusable_publish_packages.yaml diff --git a/.github/workflows/dev.yaml b/.github/workflows/dev.yaml new file mode 100644 index 00000000..961bda34 --- /dev/null +++ b/.github/workflows/dev.yaml 
@@ -0,0 +1,63 @@ +name: Dev Packages +on: + push: + branches: [master] + workflow_dispatch: + +jobs: + build-dev-packages: + uses: falcosecurity/falco/.github/workflows/reusable_build_packages.yaml@main + with: + arch: x86_64 + secrets: inherit + + build-dev-packages-arm64: + uses: falcosecurity/falco/.github/workflows/reusable_build_packages.yaml@main + with: + arch: aarch64 + secrets: inherit + + publish-dev-packages: + needs: [build-dev-packages, build-dev-packages-arm64] + outputs: + version: ${{ steps.expose_version.outputs.version }} + + steps: + - name: Publish packages + uses: falcosecurity/falco/.github/workflows/reusable_publish_packages.yaml@main + with: + bucket: '-dev' + version: ${{ needs.build-dev-packages.outputs.version }} + secrets: inherit + + - name: Expose FALCO_VERSION + id: expose_version + run: | + echo "version=${{ needs.build-dev-packages.outputs.version }}" >> $GITHUB_OUTPUT + + build-dev-docker: + needs: publish-dev-packages + uses: falcosecurity/falco/.github/workflows/reusable_build_docker.yaml@main + with: + arch: x86_64 + tagname: master + bucket: '-dev' + version: ${{ needs.publish-dev-packages.outputs.version }} + secrets: inherit + + build-dev-docker-arm64: + needs: publish-dev-packages + uses: falcosecurity/falco/.github/workflows/reusable_build_docker.yaml@main + with: + arch: aarch64 + tagname: master + bucket: '-dev' + version: ${{ needs.publish-dev-packages.outputs.version }} + secrets: inherit + + publish-dev-docker: + needs: [build-dev-docker, build-dev-docker-arm64] + uses: falcosecurity/falco/.github/workflows/reusable_publish_docker.yaml@main + with: + tagname: master + secrets: inherit diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml new file mode 100644 index 00000000..09b1b6bc --- /dev/null +++ b/.github/workflows/release.yaml 
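Review bot: The `publish-dev-packages` job is malformed: it has no `runs-on` and tries to call a reusable workflow from a step (`steps: - uses: falcosecurity/falco/.github/workflows/reusable_publish_packages.yaml@main`, with `secrets: inherit` placed under `with`), but reusable workflows can only be invoked at job level, so GitHub will reject the whole workflow file; the `expose_version` step is also redundant because the version is already available as `needs.build-dev-packages.outputs.version`. Every `uses:` also resolves the sibling workflows at `@main` while the trigger is `branches: [master]`; referencing them by path (`uses: ./.github/workflows/reusable_build_packages.yaml`) runs the copy from the same commit instead of a mutable branch that may not exist. Finally, `secrets: inherit` hands whatever the repository holds (registry, AWS and signing secrets) to the build jobs that need none of them; passing only the required secrets explicitly to each callee keeps the blast radius of a compromised build step small. The rewritten publish job and the downstream `needs` adjustment are below.
```yaml
  publish-dev-packages:
    needs: [build-dev-packages, build-dev-packages-arm64]
    uses: ./.github/workflows/reusable_publish_packages.yaml
    with:
      bucket: '-dev'
      version: ${{ needs.build-dev-packages.outputs.version }}
    secrets: inherit

  build-dev-docker:
    needs: [build-dev-packages, publish-dev-packages]
    uses: ./.github/workflows/reusable_build_docker.yaml
    with:
      arch: x86_64
      tagname: master
      bucket: '-dev'
      version: ${{ needs.build-dev-packages.outputs.version }}
    secrets: inherit
  # … unchanged: build-dev-docker-arm64 (same needs/version change), publish-dev-docker …
```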
@@ -0,0 +1,61 @@ +name: Release Packages +on: + push: + tags: + - '[0-9]+.[0-9]+.[0-9]+' + +jobs: + build-packages: + uses: falcosecurity/falco/.github/workflows/reusable_build_packages.yaml@main + with: + arch: x86_64 + secrets: inherit + + build-packages-arm64: + uses: falcosecurity/falco/.github/workflows/reusable_build_packages.yaml@main + with: + arch: aarch64 + secrets: inherit + + publish-packages: + needs: [build-packages, build-packages-arm64] + outputs: + version: ${{ steps.expose_version.outputs.version }} + + steps: + - name: Publish packages + uses: falcosecurity/falco/.github/workflows/reusable_publish_packages.yaml@main + with: + version: ${{ needs.build-packages.outputs.version }} + secrets: inherit + + - name: Expose FALCO_VERSION + id: expose_version + run: | + echo "version=${{ needs.build-packages.outputs.version }}" >> $GITHUB_OUTPUT + + build-docker: + needs: publish-packages + uses: falcosecurity/falco/.github/workflows/reusable_build_docker.yaml@main + with: + arch: x86_64 + tagname: ${{ github.ref_name }} + version: ${{ needs.publish-packages.outputs.version }} + secrets: inherit + + build-docker-arm64: + needs: publish-dev-packages + uses: falcosecurity/falco/.github/workflows/reusable_build_docker.yaml@main + with: + arch: aarch64 + tagname: ${{ github.ref_name }} + version: ${{ needs.publish-packages.outputs.version }} + secrets: inherit + + publish-docker: + needs: [build-docker, build-docker-arm64] + uses: falcosecurity/falco/.github/workflows/reusable_publish_docker.yaml@main + with: + tagname: ${{ github.ref_name }} + secrets: inherit + diff --git a/.github/workflows/reusable_build_docker.yaml b/.github/workflows/reusable_build_docker.yaml new file mode 100644 index 00000000..5fdd9de6 --- /dev/null +++ b/.github/workflows/reusable_build_docker.yaml 
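Review bot: `build-docker-arm64` declares `needs: publish-dev-packages`, a job that does not exist in this workflow (it was carried over from dev.yaml), so the release workflow is rejected at parse time; it must be `needs: publish-packages`. The `publish-packages` job has the same structural defect as its dev counterpart: a reusable workflow cannot be called from a `steps:` entry and the job has no `runs-on`, so it needs to become a job-level `uses:` and the docker jobs can read `needs.build-packages.outputs.version` directly. Because a tag push here publishes signed packages and re-points the `latest` image tags, I would protect the `[0-9]+.[0-9]+.[0-9]+` pattern with a tag-protection rule so only release managers can trigger it, and add a guard that the built version matches the tag before anything is pushed, e.g. `[ "${{ needs.build-packages.outputs.version }}" = "${{ github.ref_name }}" ] || exit 1`.
```yaml
  publish-packages:
    needs: [build-packages, build-packages-arm64]
    uses: ./.github/workflows/reusable_publish_packages.yaml
    with:
      version: ${{ needs.build-packages.outputs.version }}
    secrets: inherit

  build-docker:
    needs: [build-packages, publish-packages]
    uses: ./.github/workflows/reusable_build_docker.yaml
    with:
      arch: x86_64
      tagname: ${{ github.ref_name }}
      version: ${{ needs.build-packages.outputs.version }}
    secrets: inherit

  build-docker-arm64:
    needs: [build-packages, publish-packages]
    # … unchanged: arch/tagname/version inputs as for build-docker, publish-docker job …
```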
@@ -0,0 +1,131 @@ +# This is a reusable workflow used by dev_packages and release_packages +on: + workflow_call: + inputs: + arch: + description: x86_64 or aarch64 + required: true + type: string + tagname: + description: master or tag name + required: true + type: string + bucket: + description: bucket suffix for packages + required: false + default: '' + type: string + version: + description: 'Falco version extracted from userspace/falco/config_falco.h' + required: true + type: string + +jobs: + build-docker: + # See https://github.com/actions/runner/issues/409#issuecomment-1158849936 + runs-on: ${{ (inputs.arch == "aarch64") && fromJSON('[ "self-hosted", "linux", "ARM64" ]') || 'ubuntu-latest' }} + container: + image: ubuntu:22.04 + steps: + - name: Checkout + uses: actions/checkout@v3 + with: + fetch-depth: 0 + + - name: Install deps + run: | + apt update + DEBIAN_FRONTEND=noninteractive apt install docker awscli -y + + - name: Login to Docker Hub + uses: docker/login-action@v2 + with: + username: ${{ secrets.DOCKERHUB_USER }} + password: ${{ secrets.DOCKERHUB_SECRET }} + + - name: Login to Amazon ECR Public + run: | + aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity + + - name: Build and publish no-driver + uses: docker/build-push-action@v3 + with: + context: ${{ github.workspace }}/docker/no-driver/ + push: true + provenance: false # https://github.com/Noelware/docker-manifest-action/issues/131 + build-args: | + VERSION_BUCKET=bin${{ inputs.bucket }} + FALCO_VERSION=${{ inputs.version }} + tags: | + falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ inputs.tagname }} + falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tagname }}-slim + public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ inputs.tagname }} + public.ecr.aws/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tagname }}-slim + + - name: Build and publish falco + uses: docker/build-push-action@v3 + 
with: + context: ${{ github.workspace }}/docker/falco/ + push: true + provenance: false # https://github.com/Noelware/docker-manifest-action/issues/131 + build-args: | + VERSION_BUCKET=deb${{ inputs.bucket }} + FALCO_VERSION=${{ inputs.version }} + tags: | + falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tagname }} + public.ecr.aws/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tagname }} + + - name: Build and publish falco-driver-loader + uses: docker/build-push-action@v3 + with: + context: ${{ github.workspace }}/docker/driver-loader/ + push: true + provenance: false # https://github.com/Noelware/docker-manifest-action/issues/131 + build-args: | + FALCO_IMAGE_TAG=${{ inputs.arch }}-${{ inputs.tagname }} + tags: | + falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tagname }} + public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tagname }} + + - name: Build and publish no-driver latest + if: ${{ inputs.tagname != 'master' }} + uses: docker/build-push-action@v3 + with: + context: ${{ github.workspace }}/docker/no-driver/ + push: true + provenance: false # https://github.com/Noelware/docker-manifest-action/issues/131 + build-args: | + VERSION_BUCKET=bin + FALCO_VERSION=${{ inputs.tagname }} + tags: | + falcosecurity/falco-no-driver:${{ inputs.arch }}-latest + falcosecurity/falco:${{ inputs.arch }}-latest-slim + public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.arch }}-latest + public.ecr.aws/falcosecurity/falco:${{ inputs.arch }}-latest-slim + + - name: Build and publish falco latest + if: ${{ inputs.tagname != 'master' }} + uses: docker/build-push-action@v3 + with: + context: ${{ github.workspace }}/docker/falco/ + push: true + provenance: false # https://github.com/Noelware/docker-manifest-action/issues/131 + build-args: | + VERSION_BUCKET=deb + FALCO_VERSION=${{ inputs.tagname }} + tags: | + falcosecurity/falco:${{ inputs.arch }}-latest + public.ecr.aws/falcosecurity/falco:${{ inputs.arch }}-latest + + - name: 
Build and publish falco-driver-loader latest + if: ${{ inputs.tagname != 'master' }} + uses: docker/build-push-action@v3 + with: + context: ${{ github.workspace }}/docker/driver-loader/ + push: true + provenance: false # https://github.com/Noelware/docker-manifest-action/issues/131 + build-args: | + FALCO_IMAGE_TAG=${{ inputs.arch }}-latest + tags: | + falcosecurity/falco-driver-loader:${{ inputs.arch }}-latest + public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.arch }}-latest diff --git a/.github/workflows/reusable_build_packages.yaml b/.github/workflows/reusable_build_packages.yaml new file mode 100644 index 00000000..a9b2963d --- /dev/null +++ b/.github/workflows/reusable_build_packages.yaml 
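Review bot: The `runs-on` expression uses a double-quoted string literal (`inputs.arch == "aarch64"`), which GitHub's expression syntax does not accept, so the job fails to parse; it should read `runs-on: ${{ (inputs.arch == 'aarch64') && fromJSON('["self-hosted", "linux", "ARM64"]') || 'ubuntu-latest' }}`. The `Login to Amazon ECR Public` step runs `aws ecr-public get-login-password`, but nothing in the job exposes AWS credentials to the CLI (no `env:` with access keys and no credentials-configuration step), so unless the self-hosted ARM runners carry ambient credentials the login will fail — and if they do, that should be recorded, because ambient credentials on a shared runner are reachable by every workflow scheduled there. The three `latest` steps are gated only on `inputs.tagname != 'master'`, so rebuilding an older patch tag silently moves `latest` and `:<arch>-latest` backwards; gate them on a comparison with the newest release tag or move the aliasing into the release workflow. Note also that `apt install docker` on Ubuntu 22.04 installs a transitional package that is not Docker Engine (`docker.io`), so confirm the container really gets a working `docker` CLI for the build-push steps. `provenance: false` drops the buildx SLSA provenance attestation entirely; a comment such as `# provenance disabled until the manifest action can handle attestation manifests; re-enable once fixed` would help a maintainer restore it later.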
@@ -0,0 +1,143 @@ +# This is a reusable workflow used by master_packages and release_packages +on: + workflow_call: + inputs: + arch: + description: x86_64 or aarch64 + required: true + type: string + outputs: + version: + description: 'Falco version extracted from config_falco.h' + value: ${{ jobs.build-packages.outputs.version }} + +jobs: + build-packages: + # See https://github.com/actions/runner/issues/409#issuecomment-1158849936 + runs-on: ${{ (inputs.arch == "aarch64") && fromJSON('[ "self-hosted", "linux", "ARM64" ]') || 'ubuntu-latest' }} + container: + image: ubuntu:22.04 + # Map the job outputs to step outputs + outputs: + version: ${{ steps.store_version.outputs.version }} + steps: + - name: Checkout + uses: actions/checkout@v3 + with: + path: source + fetch-depth: 0 + ref: ${{ github.event.pull_request.head.sha }} + + - name: Install build dependencies + run: | + mkdir deps + pushd deps + apt update -y + DEBIAN_FRONTEND=noninteractive apt install -y --no-install-recommends ca-certificates cmake build-essential clang-14 git pkg-config autoconf automake libelf-dev + update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90 + update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90 + git clone https://github.com/libbpf/bpftool.git --branch v7.0.0 --single-branch + cd bpftool + git submodule update --init + cd src && make install + popd + + - name: Build modern BPF skeleton + run: | + pushd source + mkdir skeleton-build + pushd skeleton-build + cmake -DUSE_BUNDLED_DEPS=ON -DBUILD_FALCO_MODERN_BPF=ON -DCREATE_TEST_TARGETS=Off .. 
+ make ProbeSkeleton + popd + popd + + - name: Build Falco packages + run: | + mkdir -p source/build + DOCKER_BUILDKIT=1 docker build \ + -f ${{ github.workspace }}/source/docker/builder/modern-falco-builder.Dockerfile \ + --output type=local,dest=${{ github.workspace }}/source/build \ + --build-arg CMAKE_OPTIONS="\ + -DCMAKE_BUILD_TYPE=Release \ + -DUSE_BUNDLED_DEPS=On \ + -DFALCO_ETC_DIR=/etc/falco \ + -DBUILD_FALCO_MODERN_BPF=ON \ + -DMODERN_BPF_SKEL_DIR=/source/skeleton-build/skel_dir \ + -DBUILD_DRIVER=Off \ + -DBUILD_BPF=Off" \ + --build-arg DEST_BUILD_DIR=${{ github.workspace }}/source/build \ + ${{ github.workspace }}/source + + - name: Load and store Falco version output + id: store_version + run: | + FALCO_VERSION=$(cat ${{ github.workspace }}/source/build/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//') + echo "version=${FALCO_VERSION}" >> $GITHUB_OUTPUT + + - name: Upload Falco tar.gz package + uses: actions/upload-artifact@v3 + with: + name: falco-${{ steps.store_version.outputs.version }}-${{ inputs.arch }}.tar.gz + path: | + ${{ github.workspace }}/source/build/packages/falco-*.tar.gz + + - name: Upload Falco deb package + uses: actions/upload-artifact@v3 + with: + name: falco-${{ steps.store_version.outputs.version }}-${{ inputs.arch }}.deb + path: | + ${{ github.workspace }}/source/build/packages/falco-*.deb + + - name: Upload Falco rpm package + uses: actions/upload-artifact@v3 + with: + name: falco-${{ steps.store_version.outputs.version }}-${{ inputs.arch }}.rpm + path: | + ${{ github.workspace }}/source/build/packages/falco-*.rpm + + build-musl-package: + needs: build-packages + # x86_64 only for now + if: ${{ inputs.arch == 'x86_64' }} + runs-on: ubuntu-latest + container: + image: alpine:3.17 + + steps: + - name: Checkout + uses: actions/checkout@v3 + with: + path: source + fetch-depth: 0 + ref: ${{ github.event.pull_request.head.sha }} + + - name: Install build dependencies + run: | + apk 
add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils bpftool clang + + - name: Prepare project + run: | + mkdir build + pushd build + cmake -DCPACK_GENERATOR=TGZ -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DBUILD_LIBSCAP_MODERN_BPF=ON -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco /source-static/falco + popd + + - name: Build project + run: | + pushd build + make -j6 all + popd + + - name: Build packages + run: | + pushd build + make -j6 package + popd + + - name: Upload Falco static package + uses: actions/upload-artifact@v3 + with: + name: falco-${{ needs.build-packages.outputs.version }}-static-x86_64.tar.gz + path: | + ${{ github.workspace }}/build/falco-*.tar.gz diff --git a/.github/workflows/reusable_publish_docker.yaml b/.github/workflows/reusable_publish_docker.yaml new file mode 100644 index 00000000..3628e6fd --- /dev/null +++ b/.github/workflows/reusable_publish_docker.yaml 
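Review bot: Both checkout steps set `ref: ${{ github.event.pull_request.head.sha }}` in a reusable workflow whose callers pass `secrets: inherit`; on the current push/tag triggers the expression is empty and harmless, but if this workflow is ever called from a `pull_request_target` job it would build and run a fork's code with the repository secrets in scope, so I would drop the `ref:` line (the callers already run on the pushed commit) or document why it is needed. `git clone https://github.com/libbpf/bpftool.git --branch v7.0.0` pins a mutable tag and then runs `make install` on the build host with no commit or signature verification; pinning the clone to a specific commit (or verifying the tag) keeps the toolchain that produces the shipped BPF skeleton reproducible. The musl job runs cmake against `/source-static/falco`, a path that nothing in the job creates (the checkout lands in `${{ github.workspace }}/source`), so that step cannot succeed as written. The `runs-on` expression compares against the double-quoted `"aarch64"`, which is invalid in GitHub expressions and needs single quotes.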
@@ -0,0 +1,142 @@ +# This is a reusable workflow used by dev_packages and release_packages +on: + workflow_call: + inputs: + tagname: + description: master or tag name + required: true + type: string + +jobs: + publish-docker: + runs-on: ubuntu-latest + steps: + - name: Login to Docker Hub + uses: docker/login-action@v2 + with: + username: ${{ secrets.DOCKERHUB_USER }} + password: ${{ secrets.DOCKERHUB_SECRET }} + + - name: Login to Amazon ECR Public + run: | + aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity + + - name: Create and push no-driver manifest + uses: Noelware/docker-manifest-action@master + with: + inputs: falcosecurity/falco-no-driver:${{ inputs.tagname }} + images: falcosecurity/falco-no-driver:aarch64-${{ inputs.tagname }},falcosecurity/falco-no-driver:x86_64-${{ inputs.tagname }} + push: true + + - name: Create and push slim manifest + uses: Noelware/docker-manifest-action@master + with: + inputs: falcosecurity/falco:${{ inputs.tagname }}-slim + images: falcosecurity/falco:aarch64-${{ inputs.tagname }}-slim,falcosecurity/falco:x86_64-${{ inputs.tagname }}-slim + push: true + + - name: Create and push no-driver manifest for ecr + uses: Noelware/docker-manifest-action@master + with: + inputs: public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tagname }} + images: public.ecr.aws/falcosecurity/falco-no-driver:aarch64-${{ inputs.tagname }},public.ecr.aws/falcosecurity/falco-no-driver:x86_64-${{ inputs.tagname }} + push: true + + - name: Create and push slim manifest for ecr + uses: Noelware/docker-manifest-action@master + with: + inputs: public.ecr.aws/falcosecurity/falco:${{ inputs.tagname }}-slim + images: public.ecr.aws/falcosecurity/falco:aarch64-${{ inputs.tagname }}-slim,public.ecr.aws/falcosecurity/falco:x86_64-${{ inputs.tagname }}-slim + push: true + + - name: Create and push no-driver latest manifest + if: ${{ inputs.tagname != 'master' }} + uses: 
Noelware/docker-manifest-action@master + with: + inputs: falcosecurity/falco-no-driver:latest + images: falcosecurity/falco-no-driver:aarch64-latest,falcosecurity/falco-no-driver:x86_64-latest + push: true + + - name: Create and push slim latest manifest + if: ${{ inputs.tagname != 'master' }} + uses: Noelware/docker-manifest-action@master + with: + inputs: falcosecurity/falco:latest-slim + images: falcosecurity/falco:aarch64-latest-slim,falcosecurity/falco:x86_64-latest-slim + push: true + + - name: Create and push no-driver latest manifest for ecr + if: ${{ inputs.tagname != 'master' }} + uses: Noelware/docker-manifest-action@master + with: + inputs: public.ecr.aws/falcosecurity/falco-no-driver:latest + images: public.ecr.aws/falcosecurity/falco-no-driver:aarch64-latest,public.ecr.aws/falcosecurity/falco-no-driver:x86_64-latest + push: true + + - name: Create and push slim latest manifest for ecr + if: ${{ inputs.tagname != 'master' }} + uses: Noelware/docker-manifest-action@master + with: + inputs: public.ecr.aws/falcosecurity/falco:latest-slim + images: public.ecr.aws/falcosecurity/falco:aarch64-latest-slim,public.ecr.aws/falcosecurity/falco:x86_64-latest-slim + push: true + + - name: Create and push falco manifest + uses: Noelware/docker-manifest-action@master + with: + inputs: falcosecurity/falco:${{ inputs.tagname }} + images: falcosecurity/falco:aarch64-${{ inputs.tagname }},falcosecurity/falco:x86_64-${{ inputs.tagname }} + push: true + + - name: Create and push falco manifest for ecr + uses: Noelware/docker-manifest-action@master + with: + inputs: public.ecr.aws/falcosecurity/falco:${{ inputs.tagname }} + images: public.ecr.aws/falcosecurity/falco:aarch64-${{ inputs.tagname }},public.ecr.aws/falcosecurity/falco:x86_64-${{ inputs.tagname }} + push: true + + - name: Create and push falco latest manifest + if: ${{ inputs.tagname != 'master' }} + uses: Noelware/docker-manifest-action@master + with: + inputs: falcosecurity/falco:latest + images: 
falcosecurity/falco:aarch64-latest,falcosecurity/falco:x86_64-latest + push: true + + - name: Create and push falco latest manifest for ecr + if: ${{ inputs.tagname != 'master' }} + uses: Noelware/docker-manifest-action@master + with: + inputs: public.ecr.aws/falcosecurity/falco:latest + images: public.ecr.aws/falcosecurity/falco:aarch64-latest,public.ecr.aws/falcosecurity/falco:x86_64-latest + push: true + + - name: Create and push falco-driver-loader manifest + uses: Noelware/docker-manifest-action@master + with: + inputs: falcosecurity/falco-driver-loader:${{ inputs.tagname }} + images: falcosecurity/falco-driver-loader:aarch64-${{ inputs.tagname }},falcosecurity/falco-driver-loader:x86_64-${{ inputs.tagname }} + push: true + + - name: Create and push falco-driver-loader manifest for ecr + uses: Noelware/docker-manifest-action@master + with: + inputs: public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tagname }} + images: public.ecr.aws/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tagname }},public.ecr.aws/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tagname }} + push: true + + - name: Create and push falco-driver-loader latest manifest + if: ${{ inputs.tagname != 'master' }} + uses: Noelware/docker-manifest-action@master + with: + inputs: falcosecurity/falco-driver-loader:latest + images: falcosecurity/falco-driver-loader:aarch64-latest,falcosecurity/falco-driver-loader:x86_64-latest + push: true + + - name: Create and push falco-driver-loader latest manifest for ecr + if: ${{ inputs.tagname != 'master' }} + uses: Noelware/docker-manifest-action@master + with: + inputs: public.ecr.aws/falcosecurity/falco-driver-loader:latest + images: public.ecr.aws/falcosecurity/falco-driver-loader:aarch64-latest,public.ecr.aws/falcosecurity/falco-driver-loader:x86_64-latest + push: true diff --git a/.github/workflows/reusable_publish_packages.yaml b/.github/workflows/reusable_publish_packages.yaml new file mode 100644 index 00000000..ef0ab8d2 
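Review bot: Every manifest step runs `Noelware/docker-manifest-action@master`, a third-party action resolved from a mutable branch inside a job that holds the Docker Hub credentials for the official `falcosecurity/*` images; any change to that branch, benign or not, runs with push access to production tags, so pin each use to a full commit SHA with the version in a trailing comment (`uses: Noelware/docker-manifest-action@<full-commit-sha>  # vX.Y.Z`) and let Dependabot bump it. The ECR login runs `aws ecr-public get-login-password` on a plain `ubuntu-latest` runner with no AWS credentials configured in the job, so it will fail unless credentials arrive from somewhere not visible here. The `latest` manifests are published for any `inputs.tagname != 'master'`, which re-points `latest` whenever an older tag is rebuilt. Since the job only needs registry credentials, `permissions: contents: read` on the job would keep the default `GITHUB_TOKEN` from carrying write scopes it never uses.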
--- /dev/null +++ b/.github/workflows/reusable_publish_packages.yaml @@ -0,0 +1,105 @@ +# This is a reusable workflow used by dev_packages and release_packages +on: + workflow_call: + inputs: + version: + description: 'Falco version extracted from userspace/falco/config_falco.h' + required: true + type: string + bucket: + description: bucket suffix for packages + required: false + default: '' + type: string + +jobs: + publish-packages: + runs-on: ubuntu-latest + container: + image: docker.io/centos:7 + steps: + - name: Checkout + uses: actions/checkout@v3 + with: + path: source + fetch-depth: 0 + ref: ${{ github.event.pull_request.head.sha }} + + - name: Install dependencies + run: | + yum install epel-release -y + yum update -y + yum install rpm-sign expect which createrepo gpg python python-pip -y + pip install awscli==1.19.47 + + - name: Download all artifacts + uses: actions/download-artifact@v3 + with: + path: $RUNNER_TEMP + + - name: Import gpg key + run: | + echo $GPG_KEY | base64 -d | gpg --import + + - name: Sign rpms + run: | + echo "%_signature gpg" > ~/.rpmmacros + echo "%_gpg_name Falcosecurity Package Signing" >> ~/.rpmmacros + echo "%__gpg_sign_cmd %{__gpg} --force-v3-sigs --batch --no-armor --passphrase-fd 3 --no-secmem-warning -u \"%{_gpg_name}\" -sb --digest-algo sha256 %{__plaintext_filename}'" >> ~/.rpmmacros + cat > ~/sign \<