fix(ci): make plugins available to rules suggestion checks

.github/compare-rule-files.sh

@@ -13,6 +13,12 @@ set -e pipefail
 rm -f $RESULT_FILE
 touch $RESULT_FILE
 
+extra_flags=""
+loaded_plugins="$(cat $CONFIG_FILE | grep 'library_path: ' | cut -d ':' -f 2 | xargs)"
+for plugin_lib in $loaded_plugins; do
+    extra_flags="${extra_flags} -f /usr/share/falco/plugins/${plugin_lib}"
+done
+
 cur_branch=`git rev-parse HEAD`
 echo Current branch is \"$cur_branch\"
 echo Checking version for rules file \"$RULES_FILE\"...
@@ -26,6 +32,7 @@ $CHECKER_TOOL \
     -c $CONFIG_FILE \
     -l $RULES_FILE \
     -r tmp_rule_file.yaml \
+    ${extra_flags} \
 1>tmp_res.txt
 git switch --detach $cur_branch
 

.github/workflows/ci.yaml

@@ -44,3 +44,19 @@ jobs:
       plugins-artifact: plugins-x86_64-${{ github.event.number }}.tar.gz
       rules-checker: ./rules-checker
       arch: x86_64
+
+  suggest-rules-version:
+    needs: [build-plugins, get-changed-plugins, build-rules-tool]
+    if: needs.get-changed-plugins.outputs.changed-plugins != '[]' && needs.get-changed-plugins.outputs.changed-plugins != ''
+    strategy:
+      fail-fast: false
+      matrix:
+        plugin: ${{ fromJson(needs.get-changed-plugins.outputs.changed-plugins) }}
+    uses: ./.github/workflows/reusable_suggest_rules_version.yaml
+    with:
+      plugin: ${{ matrix.plugin }}
+      falco-image: falcosecurity/falco-no-driver:0.35.1
+      plugins-artifact: plugins-x86_64-${{ github.event.number }}.tar.gz
+      rules-checker: ./rules-checker
+      arch: x86_64
+      job-index: ${{ strategy.job-index }}

.github/workflows/create-comment.yaml

@@ -5,7 +5,7 @@ name: Comment on the pull request
 
 on:
   workflow_run:
-    workflows: ["Rules"]
+    workflows: ["Build Plugins PR"]
     types:
       - completed
 

.github/workflows/rules.yaml → .github/workflows/reusable_suggest_rules_version.yaml

@@ -1,38 +1,37 @@
-name: Rules
-
+# This is a reusable workflow used by the PR CI
 on:
-  pull_request:
-    branches:
-      - master
-
-# Checks if any concurrent jobs under the same pull request or branch are being executed
-# NOTE: this will cancel every workflow that is being ran against a PR as group is just the github ref (without the workflow name)
-concurrency:
-  group: rules-${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-env:
-  FALCO_VERSION: 0.35.1
+  workflow_call:
+    inputs:
+      plugin:
+        description: Name of the plugin that needs to be validated
+        required: true
+        type: string
+      falco-image:
+        description: Docker image of Falco to be used for validation
+        required: true
+        type: string
+      plugins-artifact:
+        description: Name of the plugin artifact containing the dev builds
+        required: true
+        type: string
+      rules-checker:
+        description: Path of the rules checker tool built from falcosecurity/rules
+        required: true
+        type: string
+      arch:
+        description: Architecture of the plugins artifacts (x86_64 or aarch64)
+        required: true
+        type: string
+      job-index:
+        description: If used in a matrix, the value of strategy.job-index
+        required: false
+        default: 0
+        type: number
 
 jobs:
-  get-changed-plugins:
-    uses: ./.github/workflows/reusable_get_changed_plugins.yaml
-
-  build-rules-tool:
-    needs: [get-changed-plugins]
-    if: needs.get-changed-plugins.outputs.changed-plugins != '[]' && needs.get-changed-plugins.outputs.changed-plugins != ''
-    uses: ./.github/workflows/reusable_build_rules_tool.yaml
-    with:
-      output: rules-checker
-      repository: falcosecurity/rules
-
+  # note: we don't need anything else than x86_64 since we're validating rules
   check-version:
-    needs: [get-changed-plugins, build-rules-tool]
-    if: github.event_name == 'pull_request' && needs.get-changed-plugins.outputs.changed-plugins != '[]' && needs.get-changed-plugins.outputs.changed-plugins != ''
-    strategy:
-      fail-fast: false
-      matrix:
-        plugin: ${{ fromJson(needs.get-changed-plugins.outputs.changed-plugins) }}
+    if: github.event_name == 'pull_request' && inputs.arch == 'x86_64'
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
@@ -43,16 +42,39 @@ jobs:
 
       - name: Setup plugin config and rules
         id: get-config
-        run: ./.github/setup-plugin-config-rules.sh ${{ matrix.plugin }}
+        run: ./.github/setup-plugin-config-rules.sh ${{ inputs.plugin }}
 
       - name: Get latest tag
         id: get-tag
-        run: ./.github/get-latest-plugin-version.sh ${{ matrix.plugin }}
+        run: ./.github/get-latest-plugin-version.sh ${{ inputs.plugin }}
 
       - name: Download rules tool
         uses: actions/download-artifact@v3
         with:
           name: rules-tool.tar.gz
+
+      # note: here we're loading the locally-built plugins, whereas another
+      # solution would be to pull them with falcoctl. The flaw with this
+      # approach is that we load the same plugin for both the "old" and the
+      # "new" rulesets. The issue would be that the job would fail whenever
+      # the two rulesets depend on plugins with different majors.
+      # todo(jasondellaluce): fix this corner case in the future
+      - name: Download plugins
+        uses: actions/download-artifact@v3
+        with:
+          name: ${{ inputs.plugins-artifact }}
+          path: /tmp/plugins-${{ inputs.arch }}
+
+      - name: Extract plugins
+        run: |
+          for archive in /tmp/plugins-*/*.tar.gz; do
+            echo Extracting archive "$archive"...
+            mkdir -p tmpdir && pushd tmpdir
+            tar -xvf $archive
+            sudo mkdir -p /usr/share/falco/plugins
+            sudo cp -r *.so /usr/share/falco/plugins || true
+            popd && rm -fr tmpdir
+          done    
 
       - name: Compare changed files with previous versions
         id: compare
@@ -66,10 +88,10 @@ jobs:
               ./.github/compare-rule-files.sh \
                   "$rules_file" \
                   ${{ steps.get-config.outputs.config_file }} \
-                  ${{ matrix.plugin }} \
+                  ${{ inputs.plugin }} \
                   rule_result.txt \
-                  ./rules-checker \
-                  "falcosecurity/falco-no-driver:$FALCO_VERSION" \
+                  ${{ inputs.rules-checker }} \
+                  ${{ inputs.falco-image }} \
                   ${{ steps.get-tag.outputs.ref }}
 
               if [ -s rule_result.txt ]; then
@@ -89,19 +111,19 @@ jobs:
         if: steps.compare.outputs.comment_file != ''
         run: |
           mkdir -p ./pr
-          cp ${{ steps.compare.outputs.comment_file }} ./pr/COMMENT-${{ strategy.job-index }}
+          cp ${{ steps.compare.outputs.comment_file }} ./pr/COMMENT-${{ inputs.job-index }}
 
       - name: Upload PR info as artifact
         uses: actions/upload-artifact@v2
         if: steps.compare.outputs.comment_file != ''
         with:
-          name: pr-${{ strategy.job-index }}
+          name: pr-${{ inputs.job-index }}
           path: pr/
           retention-days: 1
 
   upload-pr-info:
-    needs: [get-changed-plugins, check-version]
-    if: github.event_name == 'pull_request' && needs.get-changed-plugins.outputs.changed-plugins != '[]' && needs.get-changed-plugins.outputs.changed-plugins != ''
+    needs: [check-version]
+    if: github.event_name == 'pull_request'
     runs-on: ubuntu-latest
     steps:
       - name: Download PR infos