Commit Graph

28 Commits

Author SHA1 Message Date
Amulyam24
b32b54c4af github: do not run agent checks for Power on ubuntu-24.04-ppc64le
The new environment of Power runners for agent checks is causing two test case failures
w.r.to selinux and inode which needs further understanding and is mostly an issue
due to environemnt change and not to do with the agent.

Fall back to running agent checks on original ppc64le self hosted runners.

Signed-off-by: Amulyam24 <amulmek1@in.ibm.com>
2025-11-13 15:56:43 +05:30
Hyounggyu Choi
4ee2037974 GHA: Run runtime tests on self-hosted runners for P/Z
On IBM actionspz P/Z runners, the following error was observed during
runtime tests:

```
host system doesn't support vsock: stat /dev/vhost-vsock: no such file or directory
```

Since loading the vsock module on the fly is not permitted, this commit
moves the runtime tests back to self-hosted runners for P/Z.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-11-05 16:35:04 +00:00
stevenhorsman
8ce714cf97 ci: Add protobuf-compiler dependencies
We are seeing more protoc related failures on the new
runners, so try adding the protobuf-compiler dependency
to these steps to see if it helps.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-10-14 10:58:58 +01:00
Aurélien Bombo
07645cf58b ci: actionlint: Address issues and set as required
Address issues just introduced and set actionlint as a required by removing
the path filter.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-10-08 16:55:27 -05:00
Aurélien Bombo
5a4ddb8c71 ci: zizmor: Fix all template-injection alerts
Fix all instances of template injection by using environment variables as
recommended by Zizmor, instead of directly injecting values into the
commands.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-10-08 16:55:26 -05:00
Aurélien Bombo
433e59de1f gha: zizmor: fix "workflow or action definition without a name" error
This fixes that error everywhere by adding a `name:` field to all jobs that
were missing it. We keep the same name as the job ID to ensure no
disturbance to the required job names.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-09-25 23:34:40 -05:00
stevenhorsman
b4545da15d workflows: Set top-level permissions to empty
The default suggestion for top-level permissions was
`contents: read`, but scorecard notes anything other than empty,
so try updating it and see if there are any issues. I think it's
only needed if we run workflows from other repos.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-22 14:13:21 +01:00
alex.lyn
b23d094928 CI: Introduce CI for libs to Improve code quality and reduce noises
Currently, runtime-rs related code within the libs directory lacks
sufficient CI protection. We frequently observe the following issues:
- Inconsistent Code Formatting: Code that has not been properly
  formatted
is merged.
- Failing Tests: Code with failing unit or integration tests is merged.

To address these issues, we need introduce stricter CI checks for the
libs directory. This may specifically include:
- Code Formatting Checks
- Mandatory Test Runs

Fixes #11512

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
2025-08-20 15:36:09 +08:00
stevenhorsman
9d3b9fb438 workflows: Pin action hashes
Pin Github owned actions to specific hashes as recommended
as tags are mutable see https://pin-gh-actions.kammel.dev/.
This one of the recommendations that scorecard gives us.

Note this was generated with `frizbee actions`

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-21 08:14:13 +01:00
stevenhorsman
99e70100c7 workflows: Set persist-credentials: false on checkout
By default the checkout action leave the credentials
in the checked-out repo's `.git/config`, which means
they could get exposed. Use persist-credentials: false
to prevent this happening.

Note: static-checks.yaml does use git diff after the checkout,
but the git docs state that git diff is just local, so doesn't
need authentication.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-10 10:33:41 +01:00
stevenhorsman
088e97075c workflow: Add top-level permissions
Set:
```
permissions:
  contents: read
```
as the default top-level permissions explicitly
to conform to recommended security practices e.g.
https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
2025-05-28 19:34:28 +01:00
stevenhorsman
f8fcd032ef workflow: Set RUST_LIB_BACKTRACE=0
As discussed in #9538, with anyhow >=1.0.77 we have test failures due to backtrace behaviour
changing, so set RUST_LIB_BACKTRACE=0,
so that we only have backtrace on panics

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-04-30 19:38:13 +01:00
stevenhorsman
ccfdf59607 workflows: Add apt update before install
Add apt/apt-get updates before we do
apt/apt-get installs to try and help with
issues where we fail to fetch packages

Co-authored-by: Fabiano Fidêncio <fidencio@northflank.com>
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-04-23 09:06:08 +01:00
Ruoqing He
5e81f67ceb ci: Generalize GITHUB_RUNNER_CI_ARM64
`GITHUB_RUNNER_CI_ARM64` is turned on for self hosted runners without
virtualization to skipped those tests depend on virtualization. This may
happen to other archs/runners as well, let's generalize it to
`GITHUB_RUNNER_CI_NON_VIRT` so we can reuse it on other archs.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-03-21 09:49:44 +08:00
Ruoqing He
186c88b1d5 ci: Move musl-tools installation into Setup rust
`musl-tools` is only needed when a component needs `rust`, and the
`instance` running is of `x86_64` or `aarch64`.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-03-05 09:43:19 +08:00
Ruoqing He
09030ee96e ci: Refactor build-checks workflow
Refator matrix setup and according dependencies installation logic in
`build-checks.yaml` and `build-checks-preview-riscv64.yaml` to provide
better readability and maintainability.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-02-28 09:47:25 +08:00
Ruoqing He
eb94700590 ci: Drop install-libseccomp matrix variant
`install-libseccomp` is applied only for `agent` component, and we are
already combining matrix with `if`s in steps, drop `install-libseccomp`
in matrix to reduce complexity.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-02-28 09:44:53 +08:00
Fabiano Fidêncio
e18e1ec3a8 ci: arm64: Skip tests that depend on virt on non-virt capable runners
The GitHub hosted runners for ARM64 do not provide virtualisation
support, thus we're just skipping the tests as those would check whether
or not the system is "VMContainerCapable".

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-02-27 14:43:21 +01:00
stevenhorsman
5d7c5bdfa4 workflows: linting: Fix shellcheck SC2015
> A && B || C is not if-then-else. C may run when A is true

Refactor the echo so that we can't get into a situation where
the retry of workspace delete happens if the original one was
successful

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-12-06 13:50:12 +00:00
stevenhorsman
9113606d45 workflows: linting: Fix shellcheck SC2086
> Double quote to prevent globbing and word splitting.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-12-06 13:50:12 +00:00
stevenhorsman
a5f1a5a0ee workflow: Remove/skip runk CI
As discussed in the AC meeting, we don't have a maintainer,
(or users?) of runk, and the CI is unstable, so giving we can't
support it, we shouldn't waste CI cycles on it.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-11-07 14:16:30 +00:00
Sumedh Alok Sharma
bc195d758a ci: Install build dependencies for building agent-ctl with image pull.
Adds dependencies of 'clang' & 'protobuf' to be installed in runners
when building agent-ctl sources having image pull support.

Fixes #10400

Signed-off-by: Sumedh Alok Sharma <sumsharma@microsoft.com>
2024-10-14 10:36:04 +05:30
Fabiano Fidêncio
35c7f8d1ba ci: Bump ubuntu 20.04 runners to 22.04
Azure internal mirrors for Ubuntu 20.04 have gone awry, leading to a
situation where dependencies cannot be installed (such as
libdevmapper-dev), blocking then our CI.

Let's bump the runners to 22.04 regardless, even knowing it'll cause an
issue with the runk tests, as the agent check tests are considered more
crucial to the project at this point.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2024-09-19 12:29:20 +02:00
Beraldo Leal
4f6732595d ci: skip go version check
golang.mk is not ready to deal with non GOPATH installs. This is
breaking test on s390x.

Since previous steps here are installing go and yq our way, we could
skip this aditional check. A full refactor to golang.mk would be needed
to work with different paths.

Signed-off-by: Beraldo Leal <bleal@redhat.com>
2024-05-31 13:28:34 -04:00
Saul Paredes
51498ba99a genpolicy: toggle containerd pull in tests
- Add v1 image test case
- Install protobuf-compiler in build check
- Reset containerd config to default in kubernetes test if we are testing genpolicy
- Update docker_credential crate
- Add test that uses default pull method
- Use GENPOLICY_PULL_METHOD in test

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2024-04-08 19:28:29 -07:00
Hyounggyu Choi
4493459937 GHA: Implement secondary GITHUB_WORKSPACE cleanup on 1st failure
Occasionally, the removal of GITHUB_WORKSPACE fails for self-hosted runners
because one of the subdirectories is not empty. This is likely due to another
process occupying the directory at the time.
Implementing a secondary cleanup resolves this issue.
This commit focuses on the implementation for the secondary cleanup.

Fixes: #9317

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2024-04-05 11:41:51 +02:00
ChengyuZhu6
3cc55ff8af build-checks: Install protoc in the ci environments
To test PR #8484 for pulling image in the guest with image-rs, the compilation process for the kata-agent relies on
protoc:
https://github.com/kata-containers/kata-containers/actions/runs/8016317290/job/21898040849?pr=8484
https://github.com/kata-containers/kata-containers/actions/runs/8016534530/job/21898654435?pr=8484

Fixes: #9141

Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com>
2024-02-23 17:38:13 +08:00
Hyounggyu Choi
40b2b2a43a gha: Run static-checks on self-hosted runners conditionally
Due to the restrictions on instance provisioning for self-hosted runners, performing
static checks (36 jobs at the time of writing) on them each time a PR is updated could
significantly burden them, consequently slowing down the entire CI system. To address
this, the decision is to trigger these checks only when an 'ok-to-test' label is added.
Meanwhile, the checks for x86_64, which are supported by GitHub-hosted runners, will
remain unchanged.

Fixes: #8998

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2024-02-05 15:24:21 +01:00