chore(gha): pin actions with hash, add TODO for upgrades

Signed-off-by: Luca Guerra <luca@guerra.sh>
Luca Guerra 2023-09-29 16:42:24 +00:00 committed by poiana
parent 27ad4c3aec
commit f1dec8f444
10 changed files with 35 additions and 34 deletions


@ -36,13 +36,13 @@ jobs:
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v3 uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
with: with:
fetch-depth: 0 fetch-depth: 0
# Initializes the CodeQL tools for scanning. # Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL - name: Initialize CodeQL
uses: github/codeql-action/init@v2 uses: github/codeql-action/init@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2.21.9
with: with:
languages: ${{ matrix.language }} languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file. # If you wish to specify custom queries, you can do so here or in a config file.
@ -72,4 +72,4 @@ jobs:
popd popd
- name: Perform CodeQL Analysis - name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2 uses: github/codeql-action/analyze@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2.21.9


@ -6,7 +6,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
- uses: codespell-project/actions-codespell@master - uses: codespell-project/actions-codespell@94259cd8be02ad2903ba34a22d9c13de21a74461 # v2.0
with: with:
skip: .git skip: .git
ignore_words_file: .codespellignore ignore_words_file: .codespellignore


@ -16,7 +16,7 @@ jobs:
engine_version_changed: ${{ steps.filter.outputs.engine_version }} engine_version_changed: ${{ steps.filter.outputs.engine_version }}
steps: steps:
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
- uses: dorny/paths-filter@v2 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
id: filter id: filter
with: with:
filters: | filters: |
@ -31,7 +31,7 @@ jobs:
if: needs.paths-filter.outputs.engine_version_changed == 'false' if: needs.paths-filter.outputs.engine_version_changed == 'false'
steps: steps:
- name: Check driver Falco engine version - name: Check driver Falco engine version
uses: mshick/add-pr-comment@v2 uses: mshick/add-pr-comment@7c0890544fb33b0bdd2e59467fbacb62e028a096 # v2.8.1
with: with:
message: | message: |
This PR may bring feature or behavior changes in the Falco engine and may require the engine version to be bumped. This PR may bring feature or behavior changes in the Falco engine and may require the engine version to be bumped.


@ -161,7 +161,7 @@ jobs:
echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md
- name: Release - name: Release
uses: softprops/action-gh-release@v1 uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
with: with:
body_path: ./release-body.md body_path: ./release-body.md
tag_name: ${{ github.event.release.tag_name }} tag_name: ${{ github.event.release.tag_name }}


@ -87,7 +87,7 @@ jobs:
docker save docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-driver-loader-legacy-${{ inputs.arch }}.tar docker save docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-driver-loader-legacy-${{ inputs.arch }}.tar
- name: Upload images tarballs - name: Upload images tarballs
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with: with:
name: falco-images name: falco-images
path: /tmp/falco-*.tar path: /tmp/falco-*.tar


@ -32,7 +32,7 @@ jobs:
make ProbeSkeleton -j6 make ProbeSkeleton -j6
- name: Upload skeleton - name: Upload skeleton
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with: with:
name: bpf_probe_${{ inputs.arch }}.skel.h name: bpf_probe_${{ inputs.arch }}.skel.h
path: skeleton-build/skel_dir/bpf_probe.skel.h path: skeleton-build/skel_dir/bpf_probe.skel.h
@ -53,10 +53,11 @@ jobs:
yum install -y wget git make m4 rpm-build perl-IPC-Cmd yum install -y wget git make m4 rpm-build perl-IPC-Cmd
- name: Checkout - name: Checkout
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 # It is not possible to upgrade the checkout action to versions >= v4.0.0 because of incompatibilities with centos 7's libc.
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: Download skeleton - name: Download skeleton
uses: actions/download-artifact@v3 uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with: with:
name: bpf_probe_${{ inputs.arch }}.skel.h name: bpf_probe_${{ inputs.arch }}.skel.h
path: /tmp path: /tmp
@ -97,21 +98,21 @@ jobs:
make package make package
- name: Upload Falco tar.gz package - name: Upload Falco tar.gz package
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with: with:
name: falco-${{ inputs.version }}-${{ inputs.arch }}.tar.gz name: falco-${{ inputs.version }}-${{ inputs.arch }}.tar.gz
path: | path: |
${{ github.workspace }}/build/falco-*.tar.gz ${{ github.workspace }}/build/falco-*.tar.gz
- name: Upload Falco deb package - name: Upload Falco deb package
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with: with:
name: falco-${{ inputs.version }}-${{ inputs.arch }}.deb name: falco-${{ inputs.version }}-${{ inputs.arch }}.deb
path: | path: |
${{ github.workspace }}/build/falco-*.deb ${{ github.workspace }}/build/falco-*.deb
- name: Upload Falco rpm package - name: Upload Falco rpm package
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with: with:
name: falco-${{ inputs.version }}-${{ inputs.arch }}.rpm name: falco-${{ inputs.version }}-${{ inputs.arch }}.rpm
path: | path: |
@ -154,7 +155,7 @@ jobs:
mv falco-${{ inputs.version }}-x86_64.tar.gz falco-${{ inputs.version }}-static-x86_64.tar.gz mv falco-${{ inputs.version }}-x86_64.tar.gz falco-${{ inputs.version }}-static-x86_64.tar.gz
- name: Upload Falco static package - name: Upload Falco static package
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with: with:
name: falco-${{ inputs.version }}-static-x86_64.tar.gz name: falco-${{ inputs.version }}-static-x86_64.tar.gz
path: | path: |
@ -171,7 +172,7 @@ jobs:
sudo DEBIAN_FRONTEND=noninteractive apt install cmake build-essential git emscripten -y sudo DEBIAN_FRONTEND=noninteractive apt install cmake build-essential git emscripten -y
- name: Select node version - name: Select node version
uses: actions/setup-node@v3 uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with: with:
node-version: 14 node-version: 14
@ -210,7 +211,7 @@ jobs:
emmake make -j6 package emmake make -j6 package
- name: Upload Falco WASM package - name: Upload Falco WASM package
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with: with:
name: falco-${{ inputs.version }}-wasm.tar.gz name: falco-${{ inputs.version }}-wasm.tar.gz
path: | path: |
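Review bot: The Checkout step in the `@ -53,10 +53,11` hunk is moved from the v4.1.0 hash used in every other workflow to `actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0`, but unlike the other actions this commit could not bring forward it carries no `# TODO needs to be updated` marker, so it is the one pin in the set that is both behind and untracked. The added comment states the constraint (CentOS 7's libc) but not the condition under which it can be lifted; suggest extending it to `# TODO: re-pin to the v4 hash used elsewhere once the centos 7 build container is replaced`. The incompatibility is presumably the newer action runtime's glibc requirement rather than the checkout logic itself — worth confirming and stating in the comment so the next reviewer does not re-test it. The job's step list continues outside the hunk.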


@ -26,10 +26,10 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2 uses: docker/setup-buildx-action@v2 # TODO needs to be updated
- name: Download images tarballs - name: Download images tarballs
uses: actions/download-artifact@v3 uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with: with:
name: falco-images name: falco-images
path: /tmp/falco-images path: /tmp/falco-images
@ -39,7 +39,7 @@ jobs:
for img in /tmp/falco-images/falco-*.tar; do docker load --input $img; done for img in /tmp/falco-images/falco-*.tar; do docker load --input $img; done
- name: Login to Docker Hub - name: Login to Docker Hub
uses: docker/login-action@v2 uses: docker/login-action@v2 # TODO needs to be updated
with: with:
username: ${{ secrets.DOCKERHUB_USER }} username: ${{ secrets.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_SECRET }} password: ${{ secrets.DOCKERHUB_SECRET }}
@ -57,7 +57,7 @@ jobs:
registry-type: public registry-type: public
- name: Setup Crane - name: Setup Crane
uses: imjasonh/setup-crane@v0.3 uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.3
with: with:
version: v0.15.1 version: v0.15.1
@ -76,7 +76,7 @@ jobs:
docker push docker.io/falcosecurity/falco-driver-loader-legacy:x86_64-${{ inputs.tag }} docker push docker.io/falcosecurity/falco-driver-loader-legacy:x86_64-${{ inputs.tag }}
- name: Create no-driver manifest on Docker Hub - name: Create no-driver manifest on Docker Hub
uses: Noelware/docker-manifest-action@0.3.1 uses: Noelware/docker-manifest-action@0.3.1 # TODO needs to be updated (it might have cosign integration!)
with: with:
inputs: docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }} inputs: docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }}
images: docker.io/falcosecurity/falco-no-driver:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-no-driver:x86_64-${{ inputs.tag }} images: docker.io/falcosecurity/falco-no-driver:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-no-driver:x86_64-${{ inputs.tag }}
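Review bot: The two steps left on mutable refs in the first two hunks, `docker/setup-buildx-action@v2` and `docker/login-action@v2`, are the ones that run alongside the registry credentials passed at the `username`/`password` lines below them, so a moved tag there has a larger blast radius than the artifact steps this commit does pin; the same applies to `aws-actions/configure-aws-credentials@v2` in the AWS publish section and, with less exposure, `actions/setup-go@v3` in the test section. `Noelware/docker-manifest-action@0.3.1` in the last hunk is a release tag rather than a commit, which is likewise movable, and it is a third-party action handling the published manifests. If a known incompatibility is what blocks upgrading, the TODO comments should name it and the ref should still be frozen at the commit the tag currently resolves to, e.g. `uses: docker/login-action@<hash of v2 at pin time> # v2 — TODO needs to be updated`, so the pending upgrade does not leave the credential-handling steps on a floating ref. The `with:` blocks for these steps continue outside the hunks.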


@ -38,37 +38,37 @@ jobs:
# Configure AWS role; see https://github.com/falcosecurity/test-infra/pull/1102 # Configure AWS role; see https://github.com/falcosecurity/test-infra/pull/1102
# Note: master CI can only push dev packages as we have 2 different roles for master and release. # Note: master CI can only push dev packages as we have 2 different roles for master and release.
- name: Configure AWS credentials - name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v2 uses: aws-actions/configure-aws-credentials@v2 # TODO needs to be updated
with: with:
role-to-assume: "arn:aws:iam::292999226676:role/github_actions-falco${{ inputs.bucket_suffix }}-s3" role-to-assume: "arn:aws:iam::292999226676:role/github_actions-falco${{ inputs.bucket_suffix }}-s3"
aws-region: ${{ env.AWS_S3_REGION }} aws-region: ${{ env.AWS_S3_REGION }}
- name: Download RPM x86_64 - name: Download RPM x86_64
uses: actions/download-artifact@v3 uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with: with:
name: falco-${{ inputs.version }}-x86_64.rpm name: falco-${{ inputs.version }}-x86_64.rpm
path: /tmp/falco-build-rpm path: /tmp/falco-build-rpm
- name: Download RPM aarch64 - name: Download RPM aarch64
uses: actions/download-artifact@v3 uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with: with:
name: falco-${{ inputs.version }}-aarch64.rpm name: falco-${{ inputs.version }}-aarch64.rpm
path: /tmp/falco-build-rpm path: /tmp/falco-build-rpm
- name: Download binary x86_64 - name: Download binary x86_64
uses: actions/download-artifact@v3 uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with: with:
name: falco-${{ inputs.version }}-x86_64.tar.gz name: falco-${{ inputs.version }}-x86_64.tar.gz
path: /tmp/falco-build-bin path: /tmp/falco-build-bin
- name: Download binary aarch64 - name: Download binary aarch64
uses: actions/download-artifact@v3 uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with: with:
name: falco-${{ inputs.version }}-aarch64.tar.gz name: falco-${{ inputs.version }}-aarch64.tar.gz
path: /tmp/falco-build-bin path: /tmp/falco-build-bin
- name: Download static binary x86_64 - name: Download static binary x86_64
uses: actions/download-artifact@v3 uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with: with:
name: falco-${{ inputs.version }}-static-x86_64.tar.gz name: falco-${{ inputs.version }}-static-x86_64.tar.gz
path: /tmp/falco-build-bin-static path: /tmp/falco-build-bin-static
@ -128,13 +128,13 @@ jobs:
aws-region: ${{ env.AWS_S3_REGION }} aws-region: ${{ env.AWS_S3_REGION }}
- name: Download deb x86_64 - name: Download deb x86_64
uses: actions/download-artifact@v3 uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with: with:
name: falco-${{ inputs.version }}-x86_64.deb name: falco-${{ inputs.version }}-x86_64.deb
path: /tmp/falco-build-deb path: /tmp/falco-build-deb
- name: Download deb aarch64 - name: Download deb aarch64
uses: actions/download-artifact@v3 uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with: with:
name: falco-${{ inputs.version }}-aarch64.deb name: falco-${{ inputs.version }}-aarch64.deb
path: /tmp/falco-build-deb path: /tmp/falco-build-deb


@ -28,12 +28,12 @@ jobs:
submodules: 'true' submodules: 'true'
- name: Setup Go - name: Setup Go
uses: actions/setup-go@v3 uses: actions/setup-go@v3 # TODO needs to be updated
with: with:
go-version: '>=1.17.0' go-version: '>=1.17.0'
- name: Download binary - name: Download binary
uses: actions/download-artifact@v3 uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with: with:
name: falco-${{ inputs.version }}${{ inputs.static && '-static' || '' }}-${{ inputs.arch }}.tar.gz name: falco-${{ inputs.version }}${{ inputs.static && '-static' || '' }}-${{ inputs.arch }}.tar.gz
@ -84,7 +84,7 @@ jobs:
- name: Test Summary - name: Test Summary
if: always() # run this even if previous step fails if: always() # run this even if previous step fails
uses: test-summary/action@v2 uses: test-summary/action@62bc5c68de2a6a0d02039763b8c754569df99e3f # v2.1
with: with:
paths: "submodules/falcosecurity-testing/report.xml" paths: "submodules/falcosecurity-testing/report.xml"
show: "fail" show: "fail"


@ -25,7 +25,7 @@ jobs:
make -j4 cppcheck_htmlreport make -j4 cppcheck_htmlreport
- name: Upload reports ⬆️ - name: Upload reports ⬆️
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with: with:
name: static-analysis-reports name: static-analysis-reports
path: ./build/static-analysis-reports path: ./build/static-analysis-reports