Skip to content

wip: introduce RuntimeSecurityPolicy #8262

wip: introduce RuntimeSecurityPolicy

wip: introduce RuntimeSecurityPolicy #8262

name: Run static checks
on:
push:
branches:
- main
- v*
paths-ignore:
- 'docs/**'
- '**.md'
pull_request:
paths-ignore:
- 'docs/**'
- '**.md'
permissions:
# For golangci/golangci-lint to have read access to pull request for `only-new-issues` option.
contents: read
jobs:
ensure-no-binary-checkin:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- name: Ensure No Binary Files Checked In
run: |
echo "Checking for any checked in binary files not in allowlist..."
outfile="$(mktemp)"
find . -type f -size +0 -not -wholename '**/vendor/**' -not -wholename '**/_vendor/**' -not -wholename '**/.git/**' -not -name '*.png' -not -name '*.jpg' -not -name '*.ico' | xargs -n 100 grep -IL '' | tee "$outfile"
test -z "$(cat $outfile)"
golangci-lint:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- name: Install Go
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
# renovate: datasource=golang-version depName=go
go-version: '1.22.4'
# using golangci-lint cache instead
cache: false
- name: Run golangci-lint
uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1
with:
# renovate: datasource=docker depName=docker.io/golangci/golangci-lint
version: v1.59.0
args: --config=.golangci.yml --verbose
format:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- name: Install Go
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
# renovate: datasource=golang-version depName=go
go-version: '1.22.4'
- name: Check gofmt formatting
run: |
go fmt ./...
git diff --exit-code || (echo "gofmt checks failed. Please run 'go -w fmt ./...', and submit your changes"; exit 1)
- name: Build clang-format Docker image
run: docker build -f Dockerfile.clang-format -t "isovalent/clang-format:latest" .
- name: Verify clang-format on BPF code
run: |
set -o pipefail
find bpf -name '*.c' -o -name '*.h' -not -path 'bpf/include/vmlinux.h' \
-not -path 'bpf/include/api.h' -not -path 'bpf/libbpf/*' | xargs -n 1000 \
docker run -v $(realpath .):/tetragon "isovalent/clang-format:latest" --Werror -n -style=file
if [ $? != 0 ]; then
echo "clang-format checks failed. Please run 'make format' and submit your changes."; exit 1
fi
vendoring:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- name: Install Go
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
# renovate: datasource=golang-version depName=go
go-version: '1.22.4'
- name: Check module vendoring
run: |
make vendor
echo "git status --porcelain:" `git status --porcelain`
test -z "$(git status --porcelain)" || (echo "Module vendoring checks failed. Please run 'make vendor', and submit your changes"; exit 1)
build-cli:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- name: Build CLI release binaries
run: make cli-release