Fabiano Fidêncio d4205c7fcc kata-deploy: build and publish the kata-deploy-job-dispatcher image
Package and ship the dispatcher built in the previous commit so the
job-mode Helm chart has an image to run.

  - Dockerfile.components: build kata-deploy and kata-deploy-job-dispatcher
    from the same rust-builder stage (one compile), and run fmt/clippy/
    test for both crates.
  - job-dispatcher/Dockerfile: a minimal distroless/static image containing
    only the dispatcher binary and CA certs - it is an API client, so it
    needs nothing from the host.
  - local-build: kata-deploy-job-dispatcher becomes its own build component
    with its own static tarball
    (kata-deploy-static-kata-deploy-job-dispatcher.tar.zst); the shared
    rust-builder output is reused so the two components do not recompile
    the workspace locally. The payload script builds and pushes a separate
    "<kata-deploy registry>-job-dispatcher" image with the same tag scheme,
    and release.sh publishes its multi-arch manifest symmetrically.
  - CI: add kata-deploy-job-dispatcher to the build-kata-deploy-components
    matrices (its tarball is picked up by the existing kata-artifacts-*
    glob), and gate it in the kata-deploy rust static checks.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Assisted-by: Cursor <cursoragent@cursor.com>
2026-06-12 18:58:33 +02:00


# Static analysis and build-sanity gates for pull requests.
name: Static checks

on:
  pull_request:
    types:
      - opened
      - edited
      - reopened
      - synchronize
  workflow_dispatch:

# No GITHUB_TOKEN scopes by default; a job that needs one opts in with its
# own `permissions:` block.
permissions: {}

# One run per PR (per ref on workflow_dispatch); a newer push supersedes an
# in-flight run instead of queueing behind it.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
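jobs:
  # Decides whether the static jobs should run for this PR at all; every
  # other job below is gated on its skip_static output.
  skipper:
    uses: ./.github/workflows/gatekeeper-skipper.yaml
    with:
      commit-hash: ${{ github.event.pull_request.head.sha }}
      target-branch: ${{ github.event.pull_request.base.ref }}

  # Any change under tools/packaging/kernel/ (other than a README.md) must
  # come with a bump of kata_config_version.
  check-kernel-config-version:
    name: check-kernel-config-version
    needs: skipper
    if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout the code
        # Pinned by commit SHA, not by tag.
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Full history so origin/<base> exists for the diff below.
          fetch-depth: 0
          # Do not leave the token in .git/config for later steps.
          persist-credentials: false
      - name: Ensure the kernel config version has been updated
        run: |
          set -euo pipefail
          kernel_dir="tools/packaging/kernel/"
          kernel_version_file="${kernel_dir}kata_config_version"

          # GITHUB_BASE_REF is only set for pull_request events; on
          # workflow_dispatch there is no base branch to diff against, so
          # there is nothing to check (the old `origin/..HEAD` range would
          # have made git fail instead).
          if [[ -z "${GITHUB_BASE_REF:-}" ]]; then
            echo "No base ref (not a pull_request event), skipping kernel config version check"
            exit 0
          fi

          modified_files=$(git diff --name-only origin/"${GITHUB_BASE_REF}"..HEAD)
          # Paths are matched as fixed strings (-F), never as regexes.
          kernel_changes=$(echo "${modified_files}" | grep -F "${kernel_dir}" || true)
          if [[ -z "${kernel_changes}" ]]; then
            exit 0
          fi

          echo "Kernel directory has changed, checking if ${kernel_version_file} has been updated"
          # A change that only touches README.md files does not need a bump.
          if echo "${kernel_changes}" | grep -vF "README.md" | grep -qF "${kernel_dir}"; then
            # Whole-line match: the version file itself must be in the diff.
            if ! echo "${modified_files}" | grep -qFx "${kernel_version_file}"; then
              echo "Please bump version in ${kernel_version_file}"
              exit 1
            fi
          else
            echo "Readme file changed, no need for kernel config version update."
          fi
          echo "Check passed"

  build-checks:
    needs: skipper
    if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
    uses: ./.github/workflows/build-checks.yaml
    with:
      instance: ubuntu-22.04

  # Rust components whose tests need virtualization support on the runner.
  build-checks-depending-on-kvm:
    name: build-checks-depending-on-kvm
    runs-on: ubuntu-22.04
    needs: skipper
    if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
    strategy:
      fail-fast: false
      matrix:
        component:
          - runtime-rs
        # Both include entries extend the single runtime-rs combination: one
        # supplies the command to run, the other the directory to run it in.
        include:
          - component: runtime-rs
            # NOTE(review): the tests run as root via sudo - presumably for
            # /dev/kvm access (SUPPORT_VIRTUALIZATION=true); confirm.
            command: "sudo -E env PATH=$PATH LIBC=gnu SUPPORT_VIRTUALIZATION=true make test"
          - component: runtime-rs
            component-path: src/dragonball
    steps:
      - name: Checkout the code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: Install system deps
        run: |
          sudo apt-get update && sudo apt-get install -y build-essential musl-tools
      - name: Install yq
        run: |
          sudo -E ./ci/install_yq.sh
        env:
          INSTALL_IN_GOPATH: false
      - name: Install rust
        run: |
          export PATH="$PATH:/usr/local/bin"
          ./tests/install_rust.sh
      # Matrix values reach the script through `env:` rather than `${{ }}`
      # inside `run:`, so the shell only ever sees them as variables; the
      # eval is deliberate - it splits the quoted command string into a
      # command line.
      - name: Running `${{ matrix.command }}` for ${{ matrix.component }}
        run: |
          export PATH="$PATH:${HOME}/.cargo/bin"
          cd "${COMPONENT_PATH}"
          eval "${COMMAND}"
        env:
          COMMAND: ${{ matrix.command }}
          COMPONENT_PATH: ${{ matrix.component-path }}
          RUST_BACKTRACE: "1"
          RUST_LIB_BACKTRACE: "0"

  # fmt / clippy / tests for the kata-deploy crates (the deploy binary and
  # the job dispatcher); warnings are errors in all three.
  kata-deploy-binary-build-check:
    name: kata-deploy-binary-build-check
    runs-on: ubuntu-22.04
    needs: skipper
    if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: Install rust
        run: |
          export PATH="$PATH:/usr/local/bin"
          ./tests/install_rust.sh
      - name: Run kata-deploy rust checks
        run: |
          export PATH="$PATH:${HOME}/.cargo/bin"
          # Same three checks, in the same order, for each crate.
          for crate in kata-deploy kata-deploy-job-dispatcher; do
            cargo fmt -p "${crate}" --check
            cargo clippy -p "${crate}" --all-targets --all-features -- -D warnings
            RUSTFLAGS="-D warnings" cargo test -p "${crate}" -- --test-threads=1
          done

  static-checks:
    name: static-checks
    runs-on: ubuntu-22.04
    needs: skipper
    if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
    strategy:
      fail-fast: false
      matrix:
        cmd:
          - "make static-checks"
    env:
      # The repo is checked out under a GOPATH-style layout (see the
      # checkout `path:` below), so every step cds into it first.
      GOPATH: ${{ github.workspace }}
    permissions:
      contents: read # for checkout
      # NOTE(review): this is the only job in the workflow with a write
      # scope, and it runs repo-controlled scripts (install_regorus.sh,
      # `make static-checks`) with that token. On fork PRs the token is
      # read-only regardless, but for same-repo branches and
      # workflow_dispatch it can push to ghcr.io - confirm
      # install_regorus.sh really needs to push (a pull only needs
      # packages: read) and narrow this if it does not.
      packages: write # for push to ghcr.io
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false
          path: ./src/github.com/${{ github.repository }}
      - name: Install yq
        run: |
          cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}"
          ./ci/install_yq.sh
        env:
          INSTALL_IN_GOPATH: false
      - name: Read properties from versions.yaml
        run: |
          cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}"
          go_version="$(yq '.languages.golang.version' versions.yaml)"
          # Fail loudly if versions.yaml has no Go version rather than
          # letting setup-go pick one.
          [ -n "$go_version" ]
          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
      - name: Setup Golang version ${{ env.GO_VERSION }}
        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Install system dependencies
        run: |
          sudo apt-get update && sudo apt-get -y install moreutils
      - name: Install open-policy-agent
        run: |
          cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}"
          ./tests/install_opa.sh
      # The job token is handed to the (repo-controlled) install script as a
      # registry password; on pull_request runs that script comes from the
      # PR head.
      - name: Install regorus
        env:
          ARTEFACT_REPOSITORY: "${{ github.repository }}"
          ARTEFACT_REGISTRY_USERNAME: "${{ github.actor }}"
          ARTEFACT_REGISTRY_PASSWORD: "${{ secrets.GITHUB_TOKEN }}"
        run: |
          "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}/tests/install_regorus.sh"
      - name: Run check
        env:
          CMD: ${{ matrix.cmd }}
        run: |
          export PATH="${PATH}:${GOPATH}/bin"
          # ${CMD} is intentionally unquoted so "make static-checks" splits
          # into a command and its argument.
          cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}" && ${CMD}

  govulncheck:
    needs: skipper
    if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
    uses: ./.github/workflows/govulncheck.yaml

  # Regenerates the agent protobuf bindings and fails if the committed
  # bindings differ from the generated ones.
  codegen:
    name: codegen
    runs-on: ubuntu-22.04
    needs: skipper
    if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
    permissions:
      contents: read # for checkout
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: generate
        run: make -C src/agent generate-protocols
      - name: check for diff
        run: |
          # NOTE(review): `git diff` only sees tracked files; a generator
          # that emits a brand-new file would pass this check unnoticed.
          # Whether generate-protocols can do that is not visible here.
          diff=$(git diff)
          if [[ -z "${diff}" ]]; then
            echo "No diff detected."
            exit 0
          fi
          # Publish the diff in the step summary so the fix is obvious.
          cat << EOF >> "${GITHUB_STEP_SUMMARY}"
          Run \`make -C src/agent generate-protocols\` to update protobuf bindings.
          \`\`\`diff
          ${diff}
          \`\`\`
          EOF
          echo "::error::Golang protobuf bindings need to be regenerated (see Github step summary for diff)."
          exit 1

  # Runs `go mod tidy` in every module and fails if go.mod/go.sum change.
  # Only runs when Go-related files (or versions.yaml) changed in the PR.
  go-mod-tidy:
    name: go-mod-tidy
    runs-on: ubuntu-22.04
    needs: skipper
    if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
    permissions:
      contents: read # for checkout
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: Check if Go-related files changed
        id: check_go_changes
        run: |
          # No base ref outside of a PR (workflow_dispatch): always run.
          if [[ -z "${GITHUB_BASE_REF}" ]]; then
            echo "run_go_mod_tidy=true" >> "${GITHUB_OUTPUT}"
            echo "Called from workflow_dispatch, will run go mod tidy check"
            exit 0
          fi
          modified_files=$(git diff --name-only origin/"${GITHUB_BASE_REF}"..HEAD)
          if echo "${modified_files}" | grep -E '\.(go|mod|sum)$|^versions\.yaml$' > /dev/null; then
            echo "run_go_mod_tidy=true" >> "${GITHUB_OUTPUT}"
            echo "Go-related files changed, will run go mod tidy check"
          else
            echo "run_go_mod_tidy=false" >> "${GITHUB_OUTPUT}"
            echo "No Go-related files changed, skipping go mod tidy check"
          fi
      - name: Install yq
        if: steps.check_go_changes.outputs.run_go_mod_tidy == 'true'
        run: ./ci/install_yq.sh
        env:
          INSTALL_IN_GOPATH: false
      - name: Read properties from versions.yaml
        if: steps.check_go_changes.outputs.run_go_mod_tidy == 'true'
        run: |
          go_version="$(yq '.languages.golang.version' versions.yaml)"
          [ -n "${go_version}" ]
          echo "GO_VERSION=${go_version}" >> "${GITHUB_ENV}"
      - name: Setup Golang version ${{ env.GO_VERSION }}
        if: steps.check_go_changes.outputs.run_go_mod_tidy == 'true'
        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Run go mod tidy
        if: steps.check_go_changes.outputs.run_go_mod_tidy == 'true'
        run: |
          # Run go mod tidy in all directories with go.mod files - every
          # go.mod under the tree, including any in testdata or vendored
          # directories; TODO confirm that is intended.
          mapfile -t go_mod_dirs < <(find . -name 'go.mod' -exec dirname {} \;)
          for dir in "${go_mod_dirs[@]}"; do
            echo "Running go mod tidy in ${dir}"
            (cd "${dir}" && go mod tidy)
          done
      - name: Check for diff
        if: steps.check_go_changes.outputs.run_go_mod_tidy == 'true'
        run: |
          diff=$(git diff)
          if [[ -z "${diff}" ]]; then
            echo "No diff detected."
            exit 0
          fi
          cat << EOF >> "${GITHUB_STEP_SUMMARY}"
          Run \`go mod tidy\` in the affected modules to update go.mod and go.sum files.
          \`\`\`diff
          ${diff}
          \`\`\`
          EOF
          echo "::error::Go modules are not up-to-date (see Github step summary for diff)."
          exit 1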