Package and ship the dispatcher built in the previous commit so the
job-mode Helm chart has an image to run.
- Dockerfile.components: build kata-deploy and kata-deploy-job-dispatcher
from the same rust-builder stage (one compile), and run fmt/clippy/
test for both crates.
- job-dispatcher/Dockerfile: a minimal distroless/static image containing
only the dispatcher binary and CA certs - it is an API client, so it
needs nothing from the host.
- local-build: kata-deploy-job-dispatcher becomes its own build component
with its own static tarball
(kata-deploy-static-kata-deploy-job-dispatcher.tar.zst); the shared
rust-builder output is reused so the two components do not recompile
the workspace locally. The payload script builds and pushes a separate
"<kata-deploy registry>-job-dispatcher" image with the same tag scheme,
and release.sh publishes its multi-arch manifest symmetrically.
- CI: add kata-deploy-job-dispatcher to the build-kata-deploy-components
matrices (its tarball is picked up by the existing kata-artifacts-*
glob), and gate it in the kata-deploy rust static checks.
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Assisted-by: Cursor <cursoragent@cursor.com>
name: Static checks

# Triggered by `pull_request` (not `pull_request_target`) and by manual
# dispatch. On manual dispatch there is no pull_request payload, so
# expressions that read github.event.pull_request.* evaluate to empty.
on:
  pull_request:
    types:
      - opened
      - edited
      - reopened
      - synchronize
  workflow_dispatch:

# Default-deny: the workflow-level token carries no scopes. Jobs that need
# one must request it with their own `permissions:` key.
permissions: {}

# One active run per pull request (or per ref when there is no PR number);
# a newer run cancels the one still in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
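jobs:
  # Reusable workflow whose `skip_static` output gates every job below.
  # It receives the PR head SHA and base branch as inputs.
  skipper:
    uses: ./.github/workflows/gatekeeper-skipper.yaml
    with:
      commit-hash: ${{ github.event.pull_request.head.sha }}
      target-branch: ${{ github.event.pull_request.base.ref }}

  # Fails the PR when files under tools/packaging/kernel/ (other than
  # README.md) changed without a bump of kata_config_version.
  # NOTE(review): no job-level `permissions:` here, so the job runs with the
  # empty workflow-level set; the jobs further down grant `contents: read`
  # for checkout. Confirm the difference is intentional.
  check-kernel-config-version:
    name: check-kernel-config-version
    needs: skipper
    if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout the code
        # Pinned to a full commit SHA; the trailing comment records the tag.
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Full history so origin/<base> is available to diff against.
          fetch-depth: 0
          # Do not leave the token in the local git config for later steps.
          persist-credentials: false
      - name: Ensure the kernel config version has been updated
        run: |
          # GITHUB_BASE_REF is only set for pull_request events. On
          # workflow_dispatch it is empty and "origin/..HEAD" is not a valid
          # revision range, so there is nothing to compare against. This
          # mirrors the guard used by the go-mod-tidy job.
          if [[ -z "${GITHUB_BASE_REF}" ]]; then
            echo "No base ref (not a pull_request event), skipping kernel config version check"
            exit 0
          fi
          kernel_dir="tools/packaging/kernel/"
          kernel_version_file="${kernel_dir}kata_config_version"
          modified_files=$(git diff --name-only origin/"$GITHUB_BASE_REF"..HEAD)
          if git diff --name-only origin/"$GITHUB_BASE_REF"..HEAD "${kernel_dir}" | grep "${kernel_dir}"; then
            echo "Kernel directory has changed, checking if $kernel_version_file has been updated"
            if echo "$modified_files" | grep -v "README.md" | grep "${kernel_dir}" >>"/dev/null"; then
              echo "$modified_files" | grep "$kernel_version_file" >>/dev/null || ( echo "Please bump version in $kernel_version_file" && exit 1)
            else
              echo "Readme file changed, no need for kernel config version update."
            fi
            echo "Check passed"
          fi

  build-checks:
    needs: skipper
    if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
    uses: ./.github/workflows/build-checks.yaml
    with:
      instance: ubuntu-22.04

  # Runs the runtime-rs test target with virtualization support enabled.
  # No job-level `permissions:`; inherits the empty workflow-level set.
  build-checks-depending-on-kvm:
    name: build-checks-depending-on-kvm
    runs-on: ubuntu-22.04
    needs: skipper
    if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
    strategy:
      fail-fast: false
      matrix:
        component:
          - runtime-rs
        # Both include entries match component=runtime-rs, so they add
        # `command` and `component-path` to that single combination.
        include:
          - component: runtime-rs
            command: "sudo -E env PATH=$PATH LIBC=gnu SUPPORT_VIRTUALIZATION=true make test"
          - component: runtime-rs
            component-path: src/dragonball
    steps:
      - name: Checkout the code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: Install system deps
        run: |
          sudo apt-get update && sudo apt-get install -y build-essential musl-tools
      - name: Install yq
        run: |
          sudo -E ./ci/install_yq.sh
        env:
          INSTALL_IN_GOPATH: false
      - name: Install rust
        run: |
          export PATH="$PATH:/usr/local/bin"
          ./tests/install_rust.sh
      - name: Running `${{ matrix.command }}` for ${{ matrix.component }}
        run: |
          export PATH="$PATH:${HOME}/.cargo/bin"
          cd "${COMPONENT_PATH}"
          # COMMAND is the literal defined in the matrix above, handed over
          # through `env:` instead of being templated into the script. It is
          # passed to eval, so it must never be sourced from event data
          # (PR title, branch name, ...).
          eval "${COMMAND}"
        env:
          COMMAND: ${{ matrix.command }}
          COMPONENT_PATH: ${{ matrix.component-path }}
          RUST_BACKTRACE: "1"
          RUST_LIB_BACKTRACE: "0"

  # fmt / clippy / test gate for the kata-deploy and
  # kata-deploy-job-dispatcher crates.
  kata-deploy-binary-build-check:
    name: kata-deploy-binary-build-check
    runs-on: ubuntu-22.04
    needs: skipper
    if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: Install rust
        run: |
          export PATH="$PATH:/usr/local/bin"
          ./tests/install_rust.sh
      - name: Run kata-deploy rust checks
        run: |
          export PATH="$PATH:${HOME}/.cargo/bin"
          cargo fmt -p kata-deploy --check
          cargo clippy -p kata-deploy --all-targets --all-features -- -D warnings
          RUSTFLAGS="-D warnings" cargo test -p kata-deploy -- --test-threads=1
          cargo fmt -p kata-deploy-job-dispatcher --check
          cargo clippy -p kata-deploy-job-dispatcher --all-targets --all-features -- -D warnings
          RUSTFLAGS="-D warnings" cargo test -p kata-deploy-job-dispatcher -- --test-threads=1

  # Runs `make static-checks` from a GOPATH-style checkout.
  static-checks:
    name: static-checks
    runs-on: ubuntu-22.04
    needs: skipper
    if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
    strategy:
      fail-fast: false
      matrix:
        cmd:
          - "make static-checks"
    env:
      GOPATH: ${{ github.workspace }}
    # NOTE(review): `packages: write` is the only write scope in this
    # workflow. By default the token stays read-only on pull requests from
    # forks, so the scope only takes effect for same-repository branches and
    # manual dispatch. The token is handed to tests/install_regorus.sh below;
    # that script is not visible here - confirm it is the only consumer.
    permissions:
      contents: read # for checkout
      packages: write # for push to ghcr.io
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false
          path: ./src/github.com/${{ github.repository }}
      - name: Install yq
        run: |
          cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}"
          ./ci/install_yq.sh
        env:
          INSTALL_IN_GOPATH: false
      - name: Read properties from versions.yaml
        run: |
          cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}"
          go_version="$(yq '.languages.golang.version' versions.yaml)"
          # Fail the step if the version could not be read.
          [ -n "$go_version" ]
          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
      - name: Setup Golang version ${{ env.GO_VERSION }}
        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Install system dependencies
        run: |
          sudo apt-get update && sudo apt-get -y install moreutils
      - name: Install open-policy-agent
        run: |
          cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}"
          ./tests/install_opa.sh
      - name: Install regorus
        # Registry credentials are scoped to this one step through `env:`
        # and are not exported to the rest of the job.
        env:
          ARTEFACT_REPOSITORY: "${{ github.repository }}"
          ARTEFACT_REGISTRY_USERNAME: "${{ github.actor }}"
          ARTEFACT_REGISTRY_PASSWORD: "${{ secrets.GITHUB_TOKEN }}"
        run: |
          "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}/tests/install_regorus.sh"
      - name: Run check
        env:
          CMD: ${{ matrix.cmd }}
        run: |
          export PATH="${PATH}:${GOPATH}/bin"
          # CMD is the matrix literal above; it is expanded unquoted on
          # purpose so that "make static-checks" splits into command + target.
          cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}" && ${CMD}

  govulncheck:
    needs: skipper
    if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
    uses: ./.github/workflows/govulncheck.yaml

  # Regenerates the agent protocol bindings and fails if the result differs
  # from what is committed.
  codegen:
    name: codegen
    runs-on: ubuntu-22.04
    needs: skipper
    if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
    permissions:
      contents: read # for checkout
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: generate
        run: make -C src/agent generate-protocols
      - name: check for diff
        run: |
          diff=$(git diff)
          if [[ -z "${diff}" ]]; then
            echo "No diff detected."
            exit 0
          fi

          # Publish the diff in the step summary so the author can see what
          # has to be regenerated.
          cat << EOF >> "${GITHUB_STEP_SUMMARY}"
          Run \`make -C src/agent generate-protocols\` to update protobuf bindings.

          \`\`\`diff
          ${diff}
          \`\`\`
          EOF

          echo "::error::Golang protobuf bindings need to be regenerated (see Github step summary for diff)."
          exit 1

  # Verifies that go.mod / go.sum are tidy in every module of the repository.
  go-mod-tidy:
    name: go-mod-tidy
    runs-on: ubuntu-22.04
    needs: skipper
    if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
    permissions:
      contents: read # for checkout
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: Check if Go-related files changed
        id: check_go_changes
        run: |
          # No base ref means the run was dispatched manually: always check.
          if [[ -z "${GITHUB_BASE_REF}" ]]; then
            echo "run_go_mod_tidy=true" >> "${GITHUB_OUTPUT}"
            echo "Called from workflow_dispatch, will run go mod tidy check"
            exit 0
          fi
          modified_files=$(git diff --name-only origin/"${GITHUB_BASE_REF}"..HEAD)
          if echo "${modified_files}" | grep -E '\.(go|mod|sum)$|^versions\.yaml$' > /dev/null; then
            echo "run_go_mod_tidy=true" >> "${GITHUB_OUTPUT}"
            echo "Go-related files changed, will run go mod tidy check"
          else
            echo "run_go_mod_tidy=false" >> "${GITHUB_OUTPUT}"
            echo "No Go-related files changed, skipping go mod tidy check"
          fi
      - name: Install yq
        if: steps.check_go_changes.outputs.run_go_mod_tidy == 'true'
        run: ./ci/install_yq.sh
        env:
          INSTALL_IN_GOPATH: false
      - name: Read properties from versions.yaml
        if: steps.check_go_changes.outputs.run_go_mod_tidy == 'true'
        run: |
          go_version="$(yq '.languages.golang.version' versions.yaml)"
          # Fail the step if the version could not be read.
          [ -n "${go_version}" ]
          echo "GO_VERSION=${go_version}" >> "${GITHUB_ENV}"
      - name: Setup Golang version ${{ env.GO_VERSION }}
        if: steps.check_go_changes.outputs.run_go_mod_tidy == 'true'
        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Run go mod tidy
        if: steps.check_go_changes.outputs.run_go_mod_tidy == 'true'
        run: |
          # Run go mod tidy in all directories with go.mod files
          mapfile -t go_mod_dirs < <(find . -name 'go.mod' -exec dirname {} \;)
          for dir in "${go_mod_dirs[@]}"; do
            echo "Running go mod tidy in ${dir}"
            (cd "${dir}" && go mod tidy)
          done
      - name: Check for diff
        if: steps.check_go_changes.outputs.run_go_mod_tidy == 'true'
        run: |
          diff=$(git diff)
          if [[ -z "${diff}" ]]; then
            echo "No diff detected."
            exit 0
          fi

          cat << EOF >> "${GITHUB_STEP_SUMMARY}"
          Run \`go mod tidy\` in the affected modules to update go.mod and go.sum files.

          \`\`\`diff
          ${diff}
          \`\`\`
          EOF

          echo "::error::Go modules are not up-to-date (see Github step summary for diff)."
          exit 1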