From 743ed07f17819a1fb54cc52fdc2f74a68e063de8 Mon Sep 17 00:00:00 2001
From: Jason Dellaluce
Date: Tue, 29 Aug 2023 15:10:37 +0000
Subject: [PATCH] fix(ci): make rules suggestion checks use built plugins
Signed-off-by: Jason Dellaluce
---
 .github/workflows/ci.yaml | 16 +++
 .github/workflows/create-comment.yaml | 2 +-
 ...ml => reusable_suggest_rules_version.yaml} | 104 +++++++++++-------
 3 files changed, 81 insertions(+), 41 deletions(-)
 rename .github/workflows/{rules.yaml => reusable_suggest_rules_version.yaml} (50%)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 98ef079e..fa495c23 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -44,3 +44,19 @@ jobs:
 plugins-artifact: plugins-x86_64-${{ github.event.number }}.tar.gz
 rules-checker: ./rules-checker
 arch: x86_64
+
+ suggest-rules-version:
+ needs: [build-plugins, get-changed-plugins, build-rules-tool]
+ if: needs.get-changed-plugins.outputs.changed-plugins != '[]' && needs.get-changed-plugins.outputs.changed-plugins != ''
+ strategy:
+ fail-fast: false
+ matrix:
+ plugin: ${{ fromJson(needs.get-changed-plugins.outputs.changed-plugins) }}
+ uses: ./.github/workflows/reusable_suggest_rules_version.yaml
+ with:
+ plugin: ${{ matrix.plugin }}
+ falco-image: falcosecurity/falco-no-driver:0.35.1
+ plugins-artifact: plugins-x86_64-${{ github.event.number }}.tar.gz
+ rules-checker: ./rules-checker
+ arch: x86_64
+ job-index: ${{ strategy.job-index }}
diff --git a/.github/workflows/create-comment.yaml b/.github/workflows/create-comment.yaml
index 50e0a868..1a9e8dcb 100644
--- a/.github/workflows/create-comment.yaml
+++ b/.github/workflows/create-comment.yaml
@@ -5,7 +5,7 @@ name: Comment on the pull request on: workflow_run: - workflows: ["Rules"] + workflows: ["Build Plugins PR"] types: - completed
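Review bot: The Falco image the new `suggest-rules-version` job hands to the reusable workflow is pinned by the mutable tag `falcosecurity/falco-no-driver:0.35.1`, so the ruleset validation can change underneath a PR check whenever that tag is re-pushed; pinning by digest (`falcosecurity/falco-no-driver:0.35.1@sha256:<digest>`) keeps the check reproducible. This version string used to be the single `FALCO_VERSION` env in rules.yaml; if the sibling job above this hunk also names a Falco image (its `with:` block starts outside the hunk), keeping one definition avoids the two drifting apart. `job-index: ${{ strategy.job-index }}` is only unique within this matrix, so the `pr-<index>` artifacts it produces would collide with any other job in ci.yaml that uploads under the same naming scheme — worth confirming against the rest of the file.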
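Review bot: The new `workflows: ["Build Plugins PR"]` value has to match the `name:` of ci.yaml character for character, and that line is not part of this diff; a mismatch does not error, the comment workflow simply never fires again, so a comment such as `# must match the name: of .github/workflows/ci.yaml` next to this line would make the coupling visible. Because `workflow_run` executes with the base repository's token and "Build Plugins PR" presumably runs for every PR, including runs where `suggest-rules-version` is skipped, the artifact download further down this workflow (outside the diff) should tolerate a triggering run that produced no `pr-*` artifacts, and should treat the `COMMENT-*` files it does find as untrusted text, since they are written by a script running on the PR's checkout.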
diff --git a/.github/workflows/rules.yaml b/.github/workflows/reusable_suggest_rules_version.yaml
similarity index 50%
rename from .github/workflows/rules.yaml
rename to .github/workflows/reusable_suggest_rules_version.yaml
index 9ef75367..4605defa 100644
--- a/.github/workflows/rules.yaml
+++ b/.github/workflows/reusable_suggest_rules_version.yaml
@@ -1,38 +1,37 @@ -name: Rules - +# This is a reusable workflow used by the PR CI on: - pull_request: - branches: - - master - -# Checks if any concurrent jobs under the same pull request or branch are being executed -# NOTE: this will cancel every workflow that is being ran against a PR as group is just the github ref (without the workflow name) -concurrency: - group: rules-${{ github.head_ref || github.run_id }} - cancel-in-progress: true - -env: - FALCO_VERSION: 0.35.1 + workflow_call: + inputs: + plugin: + description: Name of the plugin that needs to be validated + required: true + type: string + falco-image: + description: Docker image of Falco to be used for validation + required: true + type: string + plugins-artifact: + description: Name of the plugin artifact containing the dev builds + required: true + type: string + rules-checker: + description: Path of the rules checker tool built from falcosecurity/rules + required: true + type: string + arch: + description: Architecture of the plugins artifacts (x86_64 or aarch64) + required: true + type: string + job-index: + description: If used in a matrix, the value of strategy.job-index + required: false + default: 0 + type: number jobs: - get-changed-plugins: - uses: ./.github/workflows/reusable_get_changed_plugins.yaml - - build-rules-tool: - needs: [get-changed-plugins] - if: needs.get-changed-plugins.outputs.changed-plugins != '[]' && needs.get-changed-plugins.outputs.changed-plugins != '' - uses: ./.github/workflows/reusable_build_rules_tool.yaml - with: - output: rules-checker - repository: falcosecurity/rules - + # note: we don't need anything else than x86_64 since we're validating rules check-version: - needs: [get-changed-plugins, build-rules-tool] - if: github.event_name == 'pull_request' && needs.get-changed-plugins.outputs.changed-plugins != '[]' && needs.get-changed-plugins.outputs.changed-plugins != '' - strategy: - fail-fast: false - matrix: - plugin: ${{ 
fromJson(needs.get-changed-plugins.outputs.changed-plugins) }} + if: github.event_name == 'pull_request' && inputs.arch == 'x86_64' runs-on: ubuntu-latest steps: - name: Checkout code @@ -43,16 +42,41 @@ jobs: - name: Setup plugin config and rules id: get-config - run: ./.github/setup-plugin-config-rules.sh ${{ matrix.plugin }} + run: ./.github/setup-plugin-config-rules.sh ${{ inputs.plugin }} - name: Get latest tag id: get-tag - run: ./.github/get-latest-plugin-version.sh ${{ matrix.plugin }} + run: ./.github/get-latest-plugin-version.sh ${{ inputs.plugin }} - name: Download rules tool uses: actions/download-artifact@v3 with: name: rules-tool.tar.gz + + # note: here we're loading the locally-built plugins, whereas another + # solution would be to pull them with falcoctl. The flaw with this + # approach is that we load the same plugin for both the "old" and the + # "new" rulesets. The issue would be that the job would fail whenever + # the two rulesets depend on plugins with different majors. However, + # this is an issue for falcosecurity/rules too and the check tool + # does not support this case currently. + # todo(jasondellaluce): fix this corner case in the future + - name: Download plugins + uses: actions/download-artifact@v3 + with: + name: ${{ inputs.plugins-artifact }} + path: /tmp/plugins-${{ inputs.arch }} + + - name: Extract plugins + run: | + for archive in /tmp/plugins-*/*.tar.gz; do + echo Extracting archive "$archive"... + mkdir -p tmpdir && pushd tmpdir + tar -xvf $archive + sudo mkdir -p /usr/share/falco/plugins + sudo cp -r *.so /usr/share/falco/plugins || true + popd && rm -fr tmpdir + done - name: Compare changed files with previous versions id: compare 
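Review bot: The `arch` input is described as accepting `x86_64` or `aarch64`, but `check-version` is gated on `inputs.arch == 'x86_64'`, so a caller passing `aarch64` gets a silently skipped job and no rules check rather than an error; the description should say so, e.g. `description: Architecture of the plugins artifact (x86_64 or aarch64); rules are validated only for x86_64, other values skip the job`. The same `if:` requires `github.event_name == 'pull_request'`, which inside a reusable workflow is the caller's event, so this `workflow_call` is only usable from PR-driven callers; extending the header comment to `# This is a reusable workflow used by the PR CI; it only runs for pull_request events` would document that. The `check-version` job body continues past the end of this hunk.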
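Review bot: `inputs.plugin` is expanded by `${{ }}` straight into the shell command of the `Setup plugin config and rules` and `Get latest tag` steps, and the same happens with `inputs.rules-checker` and `inputs.falco-image` in the `compare-rule-files.sh` call (hunk `@@ -66,10 +90,10 @@`) and with `steps.compare.outputs.comment_file` in the `cp` of hunk `@@ -89,19 +113,19 @@`. These values presumably originate from PR-controlled content (the changed-plugins list looks derived from the PR's directory names, and `comment_file` from a script running on the PR's checkout), so the documented mitigation is to pass them through `env:` and quote them in the script, e.g. `env: { PLUGIN: "${{ inputs.plugin }}" }` with `run: ./.github/setup-plugin-config-rules.sh "$PLUGIN"`. In the new `Extract plugins` step, `|| true` on the `sudo cp -r *.so …` line hides every failure of that copy, not only an archive without `.so` files; if tolerating that case is the intent, guard it explicitly and quote `"$archive"` in the `tar -xvf` call. The download step writes to `/tmp/plugins-${{ inputs.arch }}` while the loop globs `/tmp/plugins-*/`, so anything left in other `/tmp/plugins-*` directories would be loaded as well; globbing the same directory keeps the two in step.
```yaml
      - name: Extract plugins
        env:
          PLUGINS_DIR: /tmp/plugins-${{ inputs.arch }}
        run: |
          shopt -s nullglob
          for archive in "$PLUGINS_DIR"/*.tar.gz; do
            echo "Extracting archive $archive..."
            mkdir -p tmpdir && pushd tmpdir
            tar -xvf "$archive"
            sudo mkdir -p /usr/share/falco/plugins
            libs=(*.so)
            if [ "${#libs[@]}" -gt 0 ]; then
              sudo cp -r "${libs[@]}" /usr/share/falco/plugins
            else
              echo "No .so files found in $archive, skipping"
            fi
            popd && rm -fr tmpdir
          done
```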
@@ -66,10 +90,10 @@ jobs: ./.github/compare-rule-files.sh \ "$rules_file" \ ${{ steps.get-config.outputs.config_file }} \ - ${{ matrix.plugin }} \ + ${{ inputs.plugin }} \ rule_result.txt \ - ./rules-checker \ - "falcosecurity/falco-no-driver:$FALCO_VERSION" \ + ${{ inputs.rules-checker }} \ + ${{ inputs.falco-image }} \ ${{ steps.get-tag.outputs.ref }} if [ -s rule_result.txt ]; then @@ -89,19 +113,19 @@ jobs: if: steps.compare.outputs.comment_file != '' run: | mkdir -p ./pr - cp ${{ steps.compare.outputs.comment_file }} ./pr/COMMENT-${{ strategy.job-index }} + cp ${{ steps.compare.outputs.comment_file }} ./pr/COMMENT-${{ inputs.job-index }} - name: Upload PR info as artifact uses: actions/upload-artifact@v2 if: steps.compare.outputs.comment_file != '' with: - name: pr-${{ strategy.job-index }} + name: pr-${{ inputs.job-index }} path: pr/ retention-days: 1 upload-pr-info: - needs: [get-changed-plugins, check-version] - if: github.event_name == 'pull_request' && needs.get-changed-plugins.outputs.changed-plugins != '[]' && needs.get-changed-plugins.outputs.changed-plugins != '' + needs: [check-version] + if: github.event_name == 'pull_request' runs-on: ubuntu-latest steps: - name: Download PR infos
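Review bot: The artifact name `pr-${{ inputs.job-index }}` relies on `job-index`, which defaults to `0`, so any two invocations of this reusable workflow in the same run that do not pass a job-index both upload `pr-0` and the second upload collides with the first (the `upload-pr-info` job that downloads them continues outside the hunk, so how it handles that is not visible here). Making the input required, or naming the artifact after the plugin as well, e.g. `name: pr-${{ inputs.job-index }}-${{ inputs.plugin }}`, would make each upload unique by construction, provided the downstream `pr-*` consumer in create-comment.yaml matches on a prefix.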