on: pull_request: types: - opened - edited - reopened - synchronize workflow_dispatch: permissions: {} concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true name: Static checks jobs: skipper: uses: ./.github/workflows/gatekeeper-skipper.yaml with: commit-hash: ${{ github.event.pull_request.head.sha }} target-branch: ${{ github.event.pull_request.base.ref }} check-kernel-config-version: name: check-kernel-config-version needs: skipper if: ${{ needs.skipper.outputs.skip_static != 'yes' }} runs-on: ubuntu-22.04 steps: - name: Checkout the code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 persist-credentials: false - name: Ensure the kernel config version has been updated run: | kernel_dir="tools/packaging/kernel/" kernel_version_file="${kernel_dir}kata_config_version" modified_files=$(git diff --name-only origin/"$GITHUB_BASE_REF"..HEAD) if git diff --name-only origin/"$GITHUB_BASE_REF"..HEAD "${kernel_dir}" | grep "${kernel_dir}"; then echo "Kernel directory has changed, checking if $kernel_version_file has been updated" if echo "$modified_files" | grep -v "README.md" | grep "${kernel_dir}" >>"/dev/null"; then echo "$modified_files" | grep "$kernel_version_file" >>/dev/null || ( echo "Please bump version in $kernel_version_file" && exit 1) else echo "Readme file changed, no need for kernel config version update." fi echo "Check passed" fi build-checks: needs: skipper if: ${{ needs.skipper.outputs.skip_static != 'yes' }} uses: ./.github/workflows/build-checks.yaml with: instance: ubuntu-22.04 build-checks-depending-on-kvm: name: build-checks-depending-on-kvm runs-on: ubuntu-22.04 needs: skipper if: ${{ needs.skipper.outputs.skip_static != 'yes' }} strategy: fail-fast: false matrix: component: - runtime-rs include: - component: runtime-rs command: "sudo -E env PATH=$PATH LIBC=gnu SUPPORT_VIRTUALIZATION=true make test" - component: runtime-rs component-path: src/dragonball steps: - name: Checkout the code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 persist-credentials: false - name: Install system deps run: | sudo apt-get update && sudo apt-get install -y build-essential musl-tools - name: Install yq run: | sudo -E ./ci/install_yq.sh env: INSTALL_IN_GOPATH: false - name: Install rust run: | export PATH="$PATH:/usr/local/bin" ./tests/install_rust.sh - name: Running `${{ matrix.command }}` for ${{ matrix.component }} run: | export PATH="$PATH:${HOME}/.cargo/bin" cd "${COMPONENT_PATH}" eval "${COMMAND}" env: COMMAND: ${{ matrix.command }} COMPONENT_PATH: ${{ matrix.component-path }} RUST_BACKTRACE: "1" RUST_LIB_BACKTRACE: "0" static-checks: name: static-checks runs-on: ubuntu-22.04 needs: skipper if: ${{ needs.skipper.outputs.skip_static != 'yes' }} strategy: fail-fast: false matrix: cmd: - "make static-checks" env: GOPATH: ${{ github.workspace }} permissions: contents: read # for checkout packages: write # for push to ghcr.io steps: - name: Checkout code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 persist-credentials: false path: ./src/github.com/${{ github.repository }} - name: Install yq run: | cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}" ./ci/install_yq.sh env: INSTALL_IN_GOPATH: false - name: Install golang run: | cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}" ./tests/install_go.sh -f -p echo "/usr/local/go/bin" >> "$GITHUB_PATH" - name: Install system dependencies run: | sudo apt-get update && sudo apt-get -y install moreutils hunspell hunspell-en-gb hunspell-en-us pandoc - name: Install open-policy-agent run: | cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}" ./tests/install_opa.sh - name: Install regorus env: ARTEFACT_REPOSITORY: "${{ github.repository }}" ARTEFACT_REGISTRY_USERNAME: "${{ github.actor }}" ARTEFACT_REGISTRY_PASSWORD: "${{ secrets.GITHUB_TOKEN }}" run: | "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}/tests/install_regorus.sh" - name: Run check env: CMD: ${{ matrix.cmd }} run: | export PATH="${PATH}:${GOPATH}/bin" cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}" && ${CMD} govulncheck: needs: skipper if: ${{ needs.skipper.outputs.skip_static != 'yes' }} uses: ./.github/workflows/govulncheck.yaml codegen: name: codegen runs-on: ubuntu-22.04 needs: skipper if: ${{ needs.skipper.outputs.skip_static != 'yes' }} permissions: contents: read # for checkout steps: - name: Checkout code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 persist-credentials: false - name: generate run: make -C src/agent generate-protocols - name: check for diff run: | diff=$(git diff) if [[ -z "${diff}" ]]; then echo "No diff detected." exit 0 fi cat << EOF >> "${GITHUB_STEP_SUMMARY}" Run \`make -C src/agent generate-protocols\` to update protobuf bindings. \`\`\`diff ${diff} \`\`\` EOF echo "::error::Golang protobuf bindings need to be regenerated (see Github step summary for diff)." exit 1