wip: introduce RuntimeSecurityPolicy #8262
name: Run static checks | |
on: | |
push: | |
branches: | |
- main | |
- v* | |
paths-ignore: | |
- 'docs/**' | |
- '**.md' | |
pull_request: | |
paths-ignore: | |
- 'docs/**' | |
- '**.md' | |
permissions: | |
# For golangci/golangci-lint to have read access to pull request for `only-new-issues` option. | |
contents: read | |
jobs: | |
ensure-no-binary-checkin: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 | |
- name: Ensure No Binary Files Checked In | |
run: | | |
echo "Checking for any checked in binary files not in allowlist..." | |
outfile="$(mktemp)" | |
find . -type f -size +0 -not -wholename '**/vendor/**' -not -wholename '**/_vendor/**' -not -wholename '**/.git/**' -not -name '*.png' -not -name '*.jpg' -not -name '*.ico' | xargs -n 100 grep -IL '' | tee "$outfile" | |
test -z "$(cat $outfile)" | |
golangci-lint: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 | |
- name: Install Go | |
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 | |
with: | |
# renovate: datasource=golang-version depName=go | |
go-version: '1.22.4' | |
# using golangci-lint cache instead | |
cache: false | |
- name: Run golangci-lint | |
uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1 | |
with: | |
# renovate: datasource=docker depName=docker.io/golangci/golangci-lint | |
version: v1.59.0 | |
args: --config=.golangci.yml --verbose | |
format: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 | |
- name: Install Go | |
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 | |
with: | |
# renovate: datasource=golang-version depName=go | |
go-version: '1.22.4' | |
- name: Check gofmt formatting | |
run: | | |
go fmt ./... | |
git diff --exit-code || (echo "gofmt checks failed. Please run 'go -w fmt ./...', and submit your changes"; exit 1) | |
- name: Build clang-format Docker image | |
run: docker build -f Dockerfile.clang-format -t "isovalent/clang-format:latest" . | |
- name: Verify clang-format on BPF code | |
run: | | |
set -o pipefail | |
find bpf -name '*.c' -o -name '*.h' -not -path 'bpf/include/vmlinux.h' \ | |
-not -path 'bpf/include/api.h' -not -path 'bpf/libbpf/*' | xargs -n 1000 \ | |
docker run -v $(realpath .):/tetragon "isovalent/clang-format:latest" --Werror -n -style=file | |
if [ $? != 0 ]; then | |
echo "clang-format checks failed. Please run 'make format' and submit your changes."; exit 1 | |
fi | |
vendoring: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 | |
- name: Install Go | |
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 | |
with: | |
# renovate: datasource=golang-version depName=go | |
go-version: '1.22.4' | |
- name: Check module vendoring | |
run: | | |
make vendor | |
echo "git status --porcelain:" `git status --porcelain` | |
test -z "$(git status --porcelain)" || (echo "Module vendoring checks failed. Please run 'make vendor', and submit your changes"; exit 1) | |
build-cli: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 | |
- name: Build CLI release binaries | |
run: make cli-release |
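Review bot: The find expression in the "Verify clang-format on BPF code" step applies its `-not -path` exclusions only to the `-name '*.h'` branch, because `-o` binds more loosely than the implicit `-a`, so `.c` files under bpf/libbpf are still piped into clang-format; group the name tests with `find bpf \( -name '*.c' -o -name '*.h' \) -not -path 'bpf/include/vmlinux.h' \` and keep the existing `-not -path 'bpf/include/api.h' -not -path 'bpf/libbpf/*'` continuation line as is. In the same step, `set -o pipefail` combined with the runner's default `bash -e` (no explicit `shell:` is given) presumably terminates the script on a failing pipeline before `if [ $? != 0 ]` is reached, so the "Please run 'make format'" hint is unlikely ever to print; appending `|| { echo "clang-format checks failed. Please run 'make format' and submit your changes."; exit 1; }` to the pipeline keeps the message. The gofmt step's failure message recommends `go -w fmt ./...`, which is not a valid invocation; it should say `gofmt -w .` or `go fmt ./...`. This page shows the file without old/new side markers, so which of these lines the commit itself introduces is not visible.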