Merge pull request #3319 from inspektor-gadget/burak/k8s/owner_enrich… #15
name: Inspektor Gadget CI | |
env: | |
REGISTRY: ghcr.io | |
CONTAINER_REPO: ${{ github.repository }} | |
GO_VERSION: 1.22.0 | |
# controller-gen with go >1.21 panics, but we can't update controller-gen itself | |
GO_VERSION_DOC_CHECK: 1.21.3 | |
AZURE_AKS_CLUSTER_PREFIX: ig-ci-aks- | |
DEFAULT_DNSTESTER_IMAGE: ghcr.io/inspektor-gadget/dnstester:latest | |
DEFAULT_EBPF_BUILDER_IMAGE: ghcr.io/inspektor-gadget/ebpf-builder:latest | |
# With the recent update of docker/build-push-action to v6, this action | |
# started creating docker build summary files (i.e. .dockerbuild). | |
# Sadly, these files create troubles when trying to download artifact in the | |
# release job as they seem to not be downloadable. | |
# So, for now, let's deactivate this feature. | |
DOCKER_BUILD_NO_SUMMARY: true | |
concurrency: | |
group: ${{ github.ref }} | |
# We do not want to cancel job in progress on main to be sure to catch new | |
# regression as soon as they are introduced. | |
cancel-in-progress: ${{ github.ref_name != 'main' }} | |
on: | |
pull_request: | |
push: | |
branches: | |
- main | |
- 'release-*' | |
- 'citest/**' | |
tags: | |
- 'v*' | |
permissions: read-all | |
# Jobs are given a level in a comment. | |
# Jobs of the same level run in parallel. | |
# Jobs of level N depend of, at least, one job on level N - 1 expect job whom | |
# level is 0. | |
jobs: | |
documentation-checks: | |
name: Documentation checks | |
# level: 0 | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Setup go | |
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 | |
with: | |
go-version: ${{ env.GO_VERSION_DOC_CHECK }} | |
cache: true | |
id: go | |
- name: Check if generated files are updated | |
run: | | |
make manifests generate generate-documentation | |
git diff --exit-code HEAD -- | |
- name: Check that there are not broken links | |
uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 # v1 | |
with: | |
use-quiet-mode: 'yes' | |
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 | |
id: filter | |
with: | |
filters: | | |
docs: | |
- 'docs/**' | |
- name: Setup Hugo | |
if: steps.filter.outputs.docs == 'true' | |
uses: peaceiris/actions-hugo@75d2e84710de30f6ff7268e08f310b60ef14033f # v3.0.0 | |
with: | |
hugo-version: '0.89.0' | |
extended: true | |
- name: Check website build | |
if: steps.filter.outputs.docs == 'true' | |
run: | | |
cd $RUNNER_TEMP | |
git clone https://github.com/inspektor-gadget/website/ | |
cd website | |
mkdir -p external-docs/ | |
ln -s $GITHUB_WORKSPACE external-docs/inspektor-gadget.git_mainlatest | |
make | |
actionlint: | |
name: Lint GitHub Actions workflows | |
# level: 0 | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Check workflow files | |
shell: bash | |
run: | | |
# As advised from: | |
# https://github.com/rhysd/actionlint/blob/main/docs/usage.md#use-actionlint-on-github-actions | |
curl -o download-actionlint.bash https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash | |
bash download-actionlint.bash | |
# For now, we do not use shellcheck, we may activate it later. | |
./actionlint -color -shellcheck= | |
lint: | |
name: Lint | |
# level: 0 | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Setup go | |
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
id: go | |
- name: Lint | |
uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0 | |
with: | |
# This version number must be kept in sync with Makefile lint one. | |
version: v1.59.0 | |
working-directory: /home/runner/work/inspektor-gadget/inspektor-gadget | |
# Workaround to display the output: | |
# https://github.com/golangci/golangci-lint-action/issues/119#issuecomment-981090648 | |
args: "--out-${NO_FUTURE}format colored-line-number" | |
skip-pkg-cache: true | |
semgrep: | |
name: semgrep | |
runs-on: ubuntu-latest | |
container: | |
image: returntocorp/semgrep | |
# Skip any PR created by dependabot to avoid permission issues: | |
if: (github.actor != 'dependabot[bot]') | |
steps: | |
# Fetch project source with GitHub Actions Checkout. | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
# Run the "semgrep ci" command on the command line of the docker image. | |
- run: cd $GITHUB_WORKSPACE && semgrep ci --config $GITHUB_WORKSPACE/.semgrep_rules.yaml | |
ebpf-objects-checks: | |
name: eBPF Object checks | |
# level: 1 | |
needs: build-helper-images | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Check ebpf formatting | |
run: | | |
sudo apt-get update && sudo apt-get install -y clang-format | |
make clang-format | |
changes="$(git status --porcelain)" | |
if [ -n "$changes" ] ; then | |
>&2 echo "Use 'make clang-format' to fix the style in the eBPF code:" | |
>&2 git diff | |
exit 1 | |
fi | |
- name: Detect changes for ebpf objects | |
run: | | |
make EBPF_BUILDER=${{ needs.build-helper-images.outputs.ebpf_builder_image }} ebpf-objects | |
changes="$(git status --porcelain)" | |
if [ -n "$changes" ] ; then | |
>&2 echo "$changes" | |
exit 1 | |
fi | |
- name: Check that testdata is updated | |
run: | | |
make testdata | |
changes="$(git status --porcelain)" | |
if [ -n "$changes" ] ; then | |
>&2 echo "$changes" | |
exit 1 | |
fi | |
pr-dependencies-checks: | |
name: PR dependencies checks | |
# level: 0 | |
# We need to run this action only on PR. | |
# Otherwise, for other cases like pushing to main, it will fail because it | |
# searches for base_ref and head_ref which only exists in PR context. | |
if: ${{ github.event.pull_request }} | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Check if added dependencies do not contain CVE. | |
uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4 | |
build-clients: | |
name: clients | |
# level: 0 | |
runs-on: ubuntu-latest | |
permissions: | |
security-events: write | |
strategy: | |
fail-fast: false | |
matrix: | |
client: [kubectl-gadget, gadgetctl] | |
os: [linux, darwin, windows] | |
arch: [amd64, arm64] | |
exclude: | |
- os: windows | |
arch: arm64 | |
steps: | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Setup go | |
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
cache: true | |
id: go | |
- name: Set container repository and determine image tag | |
id: set-repo-determine-image-tag | |
uses: ./.github/actions/set-container-repo-and-determine-image-tag | |
with: | |
registry: ${{ env.REGISTRY }} | |
container-image: ${{ env.CONTAINER_REPO }} | |
- uses: github/codeql-action/init@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13 | |
with: | |
languages: go | |
- name: Build ${{ matrix.client }}-${{ matrix.os }}-${{ matrix.arch }} | |
run: | | |
git checkout | |
# Prevent releases with -dirty suffix due to forgotten entries in | |
# .gitignore. | |
changes="$(git status --porcelain)" | |
if [ -n "$changes" ] ; then | |
echo "$changes" | |
exit 1 | |
fi | |
client=${{ matrix.client }}-${{ matrix.os }}-${{ matrix.arch }} | |
CONTAINER_REPO=${{ steps.set-repo-determine-image-tag.outputs.container-repo }} \ | |
IMAGE_TAG=${{ steps.set-repo-determine-image-tag.outputs.image-tag }} \ | |
make $client | |
# We need to append .exe to windows binaries... | |
dot_exe=$(test ${{ matrix.os }} = 'windows' && echo '.exe' || echo '') | |
# Prepare assets for release and actions artifacts | |
platform='${{ matrix.os }}-${{ matrix.arch }}' | |
mkdir $platform | |
cp "${client}${dot_exe}" "${platform}/${{ matrix.client }}${dot_exe}" | |
cp LICENSE $platform/ | |
tar --sort=name --owner=root:0 --group=root:0 \ | |
-czf ${client}.tar.gz -C $platform \ | |
${{ matrix.client }}${dot_exe} LICENSE | |
rm -rf $platform | |
- name: CWE checks for ${{ matrix.client }}-${{ matrix.os }}-${{ matrix.arch }} | |
uses: github/codeql-action/analyze@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13 | |
with: | |
category: ${{ matrix.client }}-${{ matrix.os }}-${{ matrix.arch }} | |
- name: Add ${{ matrix.client }}-${{ matrix.os }}-${{ matrix.arch }}.tar.gz as artifact. | |
uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 | |
with: | |
name: ${{ matrix.client }}-${{ matrix.os }}-${{ matrix.arch }}-tar-gz | |
path: /home/runner/work/inspektor-gadget/inspektor-gadget/${{ matrix.client }}-${{ matrix.os }}-${{ matrix.arch }}.tar.gz | |
btfgen: | |
name: btfgen | |
# level: 0 | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
platform: [amd64, arm64] | |
steps: | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Get btfhub-archive last commmit | |
id: get-btfhub-head | |
run: | | |
echo "head=$(git ls-remote https://github.com/aquasecurity/btfhub-archive/ HEAD | cut -f1)" >> $GITHUB_OUTPUT | |
shell: bash | |
- name: Cache BTFGen | |
id: cache-btfgen | |
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 | |
with: | |
path: pkg/btfgen/btfs | |
# key is composed by | |
# - arch: amd64 or arm64 | |
# - latest commit of btfhub | |
# - hash of all bpf objects | |
key: btfgen-${{ matrix.platform }}-${{ steps.get-btfhub-head.outputs.head }}-${{ hashFiles('pkg/**/*.o') }} | |
- name: BTFGen | |
if: ${{ steps.cache-btfgen.outputs.cache-hit != 'true' }} | |
run: | | |
./tools/getbtfhub.sh | |
./tools/getbpftool.sh | |
make btfgen BPFTOOL=/tmp/bpftool \ | |
ARCH=${{ matrix.platform }} BTFHUB_ARCHIVE=$HOME/btfhub-archive/ -j$(nproc) | |
build-ig: | |
name: ig | |
# level: 1 | |
needs: | |
- btfgen | |
- build-helper-images | |
runs-on: ubuntu-latest | |
permissions: | |
security-events: write | |
strategy: | |
fail-fast: false | |
matrix: | |
platform: [amd64, arm64] | |
steps: | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Setup go | |
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
cache: true | |
id: go | |
- name: Get btfhub-archive last commmit | |
id: get-btfhub-head | |
run: | | |
echo "head=$(git ls-remote https://github.com/aquasecurity/btfhub-archive/ HEAD | cut -f1)" >> $GITHUB_OUTPUT | |
shell: bash | |
- name: Cache BTFGen | |
id: cache-btfgen | |
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 | |
with: | |
path: pkg/btfgen/btfs | |
# key is composed by | |
# - arch: amd64 or arm64 | |
# - latest commit of btfhub | |
# - hash of all bpf objects | |
key: btfgen-${{ matrix.platform }}-${{ steps.get-btfhub-head.outputs.head }}-${{ hashFiles('pkg/**/*.o') }} | |
- name: Build ig-linux-${{ matrix.platform }} | |
run: | | |
if [ "${{ matrix.platform }}" = 'arm64' ]; then | |
sudo apt-get update | |
sudo apt-get install qemu-user-static | |
fi | |
make EBPF_BUILDER=${{ needs.build-helper-images.outputs.ebpf_builder_image }} ig-linux-${{ matrix.platform }} | |
# Prepare assets for release and actions artifacts | |
mkdir ${{ matrix.platform }} | |
cp ig-linux-${{ matrix.platform }} ${{ matrix.platform }}/ig | |
cp LICENSE ${{ matrix.platform }}/ | |
tar --sort=name --owner=root:0 --group=root:0 \ | |
-czf ig-linux-${{ matrix.platform }}.tar.gz -C ${{ matrix.platform }} \ | |
ig LICENSE | |
rm -rf ${{ matrix.platform }} | |
- name: Add ig-linux-${{ matrix.platform }}.tar.gz as artifact. | |
uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 | |
with: | |
name: ig-linux-${{ matrix.platform }}-tar-gz | |
path: /home/runner/work/inspektor-gadget/inspektor-gadget/ig-linux-${{ matrix.platform }}.tar.gz | |
build-ig-cwe: | |
name: Check ig CWE | |
# level: 0 | |
runs-on: ubuntu-latest | |
permissions: | |
security-events: write | |
strategy: | |
fail-fast: false | |
matrix: | |
platform: [amd64, arm64] | |
steps: | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Setup go | |
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
cache: true | |
id: go | |
- uses: github/codeql-action/init@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13 | |
with: | |
languages: go | |
- name: Build ig-linux-${{ matrix.platform }} for CWE checks | |
run: | | |
# We need to build ig using go build otherwise CodeQL will not detect | |
# that the binary was built and will try to autobuild it which adds | |
# extra time in the CI pipeline. | |
CGO_ENABLED=0 GOARCH=${{ matrix.platform }} go build \ | |
-ldflags "-extldflags '-static'" \ | |
github.com/inspektor-gadget/inspektor-gadget/cmd/ig | |
- name: CWE checks for ig-linux-${{ matrix.platform }} | |
uses: github/codeql-action/analyze@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13 | |
with: | |
category: ig-linux-${{ matrix.platform }} | |
build-gadget-container-deps: | |
# We only build this dependencies to check if they do not contain CWE. | |
name: Build gadget-container-deps | |
# level: 0 | |
runs-on: ubuntu-latest | |
permissions: | |
security-events: write | |
steps: | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Setup go | |
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
cache: true | |
id: go | |
- uses: github/codeql-action/init@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13 | |
with: | |
languages: go | |
- name: Build gadget-container-deps | |
run: | | |
make -C gadget-container | |
- name: CWE checks for gadget-container-deps | |
uses: github/codeql-action/analyze@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13 | |
with: | |
category: gadget-container-deps | |
build-gadget-container-images: | |
name: gadget img | |
# level: 1 | |
needs: btfgen | |
runs-on: ubuntu-latest | |
permissions: | |
# allow publishing container image | |
# in case of public fork repo/packages permissions will always be read | |
contents: read | |
packages: write | |
outputs: | |
digest-amd64: ${{ steps.published-gadget-container-images.outputs.amd64 }} | |
digest-arm64: ${{ steps.published-gadget-container-images.outputs.arm64 }} | |
sbom-digest-amd64: ${{ steps.gadget-container-images-attach-sbom.outputs.sbom-amd64 }} | |
sbom-digest-arm64: ${{ steps.gadget-container-images-attach-sbom.outputs.sbom-arm64 }} | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ linux ] | |
# For the moment, we only support these two platforms. | |
platform: [ arm64, amd64 ] | |
steps: | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | |
- name: Set up Docker Buildx | |
id: buildx | |
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 | |
- name: Cache Docker layers | |
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 | |
with: | |
path: /tmp/.buildx-cache | |
key: ${{ runner.os }}-docker-${{ matrix.platform }}-${{ hashFiles('Dockerfiles/gadget.Dockerfile') }} | |
restore-keys: | | |
${{ runner.os }}-docker-${{ matrix.platform }}- | |
- name: Login to Container Registry | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
registry: ${{ env.REGISTRY }} | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Set container repository and determine image tag | |
id: set-repo-determine-image-tag | |
uses: ./.github/actions/set-container-repo-and-determine-image-tag | |
with: | |
registry: ${{ env.REGISTRY }} | |
container-image: ${{ env.CONTAINER_REPO }} | |
- name: Get btfhub-archive last commmit | |
id: get-btfhub-head | |
run: | | |
echo "head=$(git ls-remote https://github.com/aquasecurity/btfhub-archive/ HEAD | cut -f1)" >> $GITHUB_OUTPUT | |
shell: bash | |
- name: Cache BTFGen | |
id: cache-btfgen | |
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 | |
with: | |
path: pkg/btfgen/btfs | |
# key is composed by | |
# - arch: amd64 or arm64 | |
# - latest commit of btfhub | |
# - hash of all bpf objects | |
key: btfgen-${{ matrix.platform }}-${{ steps.get-btfhub-head.outputs.head }}-${{ hashFiles('pkg/**/*.o') }} | |
# we are using cache-to mode=min (default) implying that only final image layers are cached, using cache | |
# mode=max results in builder image layer of ~7GB because of btfhub files in a layer, which is too | |
# large (gloabal limit 10GB) to work with GH caches. (TODO: if we can work with mode=max in future?) | |
- name: Build gadget ${{ matrix.os }} ${{ matrix.platform }} container image as artifacts | |
uses: docker/build-push-action@16ebe778df0e7752d2cfcbd924afdbbd89c1a755 # v6.6.1 | |
with: | |
context: /home/runner/work/inspektor-gadget/inspektor-gadget/ | |
file: /home/runner/work/inspektor-gadget/inspektor-gadget/Dockerfiles/gadget.Dockerfile | |
outputs: type=docker,dest=/tmp/gadget-container-image-${{ matrix.os }}-${{ matrix.platform }}.tar | |
tags: ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}:${{ steps.set-repo-determine-image-tag.outputs.image-tag }} | |
cache-from: type=local,src=/tmp/.buildx-cache | |
cache-to: type=local,dest=/tmp/.buildx-cache-new | |
platforms: ${{ matrix.os }}/${{ matrix.platform }} | |
build-args: | | |
VERSION=${{ steps.set-repo-determine-image-tag.outputs.image-tag }} | |
- name: Publish gadget ${{ matrix.os }} ${{ matrix.platform }} container image as artifacts | |
uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 | |
with: | |
name: gadget-container-image-${{ matrix.os }}-${{ matrix.platform }}.tar | |
path: /tmp/gadget-container-image-${{ matrix.os }}-${{ matrix.platform }}.tar | |
retention-days: 1 | |
- name: Generate SBOM for gadget ${{ matrix.os }} ${{ matrix.platform }} image | |
uses: docker/build-push-action@16ebe778df0e7752d2cfcbd924afdbbd89c1a755 # v6.6.1 | |
with: | |
context: /home/runner/work/inspektor-gadget/inspektor-gadget/ | |
file: /home/runner/work/inspektor-gadget/inspektor-gadget/Dockerfiles/gadget.Dockerfile | |
outputs: type=local,dest=/tmp/gadget-container-image-${{ matrix.os }}-${{ matrix.platform }} | |
tags: ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}:${{ steps.set-repo-determine-image-tag.outputs.image-tag }} | |
cache-from: type=local,src=/tmp/.buildx-cache | |
cache-to: type=local,dest=/tmp/.buildx-cache-new | |
platforms: ${{ matrix.os }}/${{ matrix.platform }} | |
# The following permits to generate SBOM: | |
# https://github.com/moby/buildkit/issues/2773#issue-1194754388 | |
build-args: BUILDKIT_SYNTAX=crazymax/dockerfile:sbom | |
# build time will not be increased with this workflow because of internal cache | |
# buildx is used here since it allows push-by-digest to avoid platform specific tags | |
- name: Publish gadget ${{ matrix.os }} ${{ matrix.platform }} container image to registry | |
id: publish-gadget-container-images | |
if: github.event_name != 'pull_request' | |
uses: docker/build-push-action@16ebe778df0e7752d2cfcbd924afdbbd89c1a755 # v6.6.1 | |
with: | |
context: /home/runner/work/inspektor-gadget/inspektor-gadget/ | |
file: /home/runner/work/inspektor-gadget/inspektor-gadget/Dockerfiles/gadget.Dockerfile | |
outputs: type=registry,name=${{ steps.set-repo-determine-image-tag.outputs.container-repo }},push=true,push-by-digest=true | |
cache-from: type=local,src=/tmp/.buildx-cache-new | |
platforms: ${{ matrix.os }}/${{ matrix.platform }} | |
build-args: | | |
VERSION=${{ steps.set-repo-determine-image-tag.outputs.image-tag }} | |
- name: Setup oras | |
if: github.event_name != 'pull_request' | |
uses: oras-project/setup-oras@ca28077386065e263c03428f4ae0c09024817c93 # v1.2.0 | |
- name: Attach SBOM to container image | |
if: github.event_name != 'pull_request' | |
id: gadget-container-images-attach-sbom | |
run: | | |
# We need to get the image digest from the manifest. | |
# Otherwise, we will attach the SBOM to the manifest and the SBOM will | |
# be lost when using imagetools as this command creates a new manifest | |
# and attaches only the images, not the existing manifests. | |
# This way, we are sure the new manifest will point to the images which | |
# have SBOM attached. | |
manifest=$(oras manifest fetch ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}@${{ steps.publish-gadget-container-images.outputs.digest }}) | |
image_digest=$(echo $manifest | jq -e '[.manifests[] | select ( .platform.architecture == "${{ matrix.platform }}" and .platform.os == "${{ matrix.os }}" )] | if length != 1 then empty else .[0].digest end') | |
image_digest=$(echo "$image_digest" | tr -d '"') | |
sbom_digest=$(oras attach ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}@${image_digest} /tmp/gadget-container-image-${{ matrix.os }}-${{ matrix.platform }}/sbom_cyclonedx.json --disable-path-validation --artifact-type example/sbom | grep 'Digest:' | awk '{ print $2 }') | |
echo "sbom-${{ matrix.platform }}=${sbom_digest}" >> $GITHUB_OUTPUT | |
- name: Save gadget ${{ matrix.os }} ${{ matrix.platform }} container image digest output | |
id: published-gadget-container-images | |
if: github.event_name != 'pull_request' | |
run: | | |
echo "${{ matrix.platform }}=${{ steps.publish-gadget-container-images.outputs.digest }}" >> $GITHUB_OUTPUT | |
# old cache entries aren’t deleted, so the cache size keeps growing | |
# remove old cache and move new cache to cache path to workaround the issue | |
# https://github.com/docker/build-push-action/issues/252 | |
- name: Move gadget ${{ matrix.os }} ${{ matrix.platform }} container image cache to correct location | |
run: | | |
rm -rf /tmp/.buildx-cache | |
mv /tmp/.buildx-cache-new /tmp/.buildx-cache | |
build-ig-container-images: | |
name: ig img | |
# level: 1 | |
needs: | |
- btfgen | |
- build-helper-images | |
runs-on: ubuntu-latest | |
permissions: | |
# allow publishing container image | |
# in case of public fork repo/packages permissions will always be read | |
contents: read | |
packages: write | |
outputs: | |
digest-amd64: ${{ steps.published-ig-container-images.outputs.amd64 }} | |
digest-arm64: ${{ steps.published-ig-container-images.outputs.arm64 }} | |
sbom-digest-amd64: ${{ steps.ig-container-images-attach-sbom.outputs.sbom-amd64 }} | |
sbom-digest-arm64: ${{ steps.ig-container-images-attach-sbom.outputs.sbom-arm64 }} | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ linux ] | |
# For the moment, we only support these two platforms. | |
platform: [ arm64, amd64 ] | |
steps: | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | |
- name: Set up Docker Buildx | |
id: buildx | |
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 | |
- name: Cache Docker layers | |
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 | |
with: | |
path: /tmp/.buildx-cache | |
key: ${{ runner.os }}-docker-${{ matrix.platform }}-${{ hashFiles('Dockerfiles/ig.Dockerfile') }} | |
restore-keys: | | |
${{ runner.os }}-docker-${{ matrix.platform }}- | |
- name: Login to Container Registry | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
registry: ${{ env.REGISTRY }} | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Set container repository and determine image tag | |
id: set-repo-determine-image-tag | |
uses: ./.github/actions/set-container-repo-and-determine-image-tag | |
with: | |
registry: ${{ env.REGISTRY }} | |
container-image: ${{ github.repository_owner }}/ig | |
- name: Get btfhub-archive last commmit | |
id: get-btfhub-head | |
run: | | |
echo "head=$(git ls-remote https://github.com/aquasecurity/btfhub-archive/ HEAD | cut -f1)" >> $GITHUB_OUTPUT | |
shell: bash | |
- name: Cache BTFGen | |
id: cache-btfgen | |
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 | |
with: | |
path: pkg/btfgen/btfs | |
# key is composed by | |
# - arch: amd64 or arm64 | |
# - latest commit of btfhub | |
# - hash of all bpf objects | |
key: btfgen-${{ matrix.platform }}-${{ steps.get-btfhub-head.outputs.head }}-${{ hashFiles('pkg/**/*.o') }} | |
- name: Build ig ${{ matrix.os }} ${{ matrix.platform }} container image as artifacts | |
uses: docker/build-push-action@16ebe778df0e7752d2cfcbd924afdbbd89c1a755 # v6.6.1 | |
with: | |
context: /home/runner/work/inspektor-gadget/inspektor-gadget/ | |
file: /home/runner/work/inspektor-gadget/inspektor-gadget/Dockerfiles/ig.Dockerfile | |
outputs: type=docker,dest=/tmp/ig-container-image-${{ matrix.os }}-${{ matrix.platform }}.tar | |
tags: ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}:${{ steps.set-repo-determine-image-tag.outputs.image-tag }} | |
cache-from: type=local,src=/tmp/.buildx-cache | |
cache-to: type=local,dest=/tmp/.buildx-cache-new | |
platforms: ${{ matrix.os }}/${{ matrix.platform }} | |
build-args: | | |
VERSION=${{ steps.set-repo-determine-image-tag.outputs.image-tag }} | |
EBPF_BUILDER=${{ needs.build-helper-images.outputs.ebpf_builder_image }} | |
- name: Publish ig ${{ matrix.os }} ${{ matrix.platform }} container image as artifacts | |
uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 | |
with: | |
name: ig-container-image-${{ matrix.os }}-${{ matrix.platform }}.tar | |
path: /tmp/ig-container-image-${{ matrix.os }}-${{ matrix.platform }}.tar | |
retention-days: 1 | |
- name: Generate ig ${{ matrix.os }} ${{ matrix.platform }} container image SBOM | |
uses: docker/build-push-action@16ebe778df0e7752d2cfcbd924afdbbd89c1a755 # v6.6.1 | |
with: | |
context: /home/runner/work/inspektor-gadget/inspektor-gadget/ | |
file: /home/runner/work/inspektor-gadget/inspektor-gadget/Dockerfiles/ig.Dockerfile | |
outputs: type=local,dest=/tmp/ig-container-image-${{ matrix.os }}-${{ matrix.platform }} | |
tags: ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}:${{ steps.set-repo-determine-image-tag.outputs.image-tag }} | |
cache-from: type=local,src=/tmp/.buildx-cache | |
cache-to: type=local,dest=/tmp/.buildx-cache-new | |
platforms: ${{ matrix.os }}/${{ matrix.platform }} | |
build-args: | | |
VERSION=${{ steps.set-repo-determine-image-tag.outputs.image-tag }} | |
EBPF_BUILDER=${{ needs.build-helper-images.outputs.ebpf_builder_image }} | |
BUILDKIT_SYNTAX=crazymax/dockerfile:sbom | |
# build time will not be increased with this workflow because of internal cache | |
# buildx is used here since it allows push-by-digest to avoid platform specific tags | |
- name: Publish ig ${{ matrix.os }} ${{ matrix.platform }} container image to registry | |
id: publish-ig-container-images | |
if: github.event_name != 'pull_request' | |
uses: docker/build-push-action@16ebe778df0e7752d2cfcbd924afdbbd89c1a755 # v6.6.1 | |
with: | |
context: /home/runner/work/inspektor-gadget/inspektor-gadget/ | |
file: /home/runner/work/inspektor-gadget/inspektor-gadget/Dockerfiles/ig.Dockerfile | |
outputs: type=registry,name=${{ steps.set-repo-determine-image-tag.outputs.container-repo }},push=true,push-by-digest=true | |
cache-from: type=local,src=/tmp/.buildx-cache-new | |
platforms: ${{ matrix.os }}/${{ matrix.platform }} | |
build-args: | | |
VERSION=${{ steps.set-repo-determine-image-tag.outputs.image-tag }} | |
EBPF_BUILDER=${{ needs.build-helper-images.outputs.ebpf_builder_image }} | |
- name: Setup oras | |
if: github.event_name != 'pull_request' | |
uses: oras-project/setup-oras@ca28077386065e263c03428f4ae0c09024817c93 # v1.2.0 | |
- name: Attach SBOM to container image | |
if: github.event_name != 'pull_request' | |
id: ig-container-images-attach-sbom | |
run: | | |
# We need to get the image digest from the manifest. | |
# Otherwise, we will attach the SBOM to the manifest and the SBOM will | |
# be lost when using imagetools as this command creates a new manifest | |
# and attaches only the images, not the existing manifests. | |
# This way, we are sure the new manifest will point to the images which | |
# have SBOM attached. | |
manifest=$(oras manifest fetch ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}@${{ steps.publish-ig-container-images.outputs.digest }}) | |
image_digest=$(echo $manifest | jq -e '[.manifests[] | select ( .platform.architecture == "${{ matrix.platform }}" and .platform.os == "${{ matrix.os }}" )] | if length != 1 then empty else .[0].digest end') | |
image_digest=$(echo "$image_digest" | tr -d '"') | |
sbom_digest=$(oras attach ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}@${image_digest} /tmp/ig-container-image-${{ matrix.os }}-${{ matrix.platform }}/sbom_cyclonedx.json --disable-path-validation --artifact-type example/sbom | grep 'Digest:' | awk '{ print $2 }') | |
echo "sbom-${{ matrix.platform }}=${sbom_digest}" >> $GITHUB_OUTPUT | |
- name: Save ig ${{ matrix.os }} ${{ matrix.platform }} container image digest output | |
id: published-ig-container-images | |
if: github.event_name != 'pull_request' | |
run: | | |
echo "${{ matrix.platform }}=${{ steps.publish-ig-container-images.outputs.digest }}" >> $GITHUB_OUTPUT | |
# old cache entries aren’t deleted, so the cache size keeps growing | |
# remove old cache and move new cache to cache path to workaround the issue | |
# https://github.com/docker/build-push-action/issues/252 | |
- name: Move ig ${{ matrix.os }} ${{ matrix.platform }} container image cache to correct location | |
run: | | |
rm -rf /tmp/.buildx-cache | |
mv /tmp/.buildx-cache-new /tmp/.buildx-cache | |
scan-gadget-container-images: | |
name: Scan gadget img | |
# level: 2 | |
needs: build-gadget-container-images | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ linux ] | |
platform: [ amd64 ] | |
steps: | |
- name: Download gadget ${{ matrix.os }} ${{ matrix.platform }} container image as artifacts | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: gadget-container-image-${{ matrix.os }}-${{ matrix.platform }}.tar | |
path: ${{ github.workspace }} | |
- name: Scan gadget ${{ matrix.os }} ${{ matrix.platform }} container image | |
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0 | |
with: | |
input: gadget-container-image-${{ matrix.os }}-${{ matrix.platform }}.tar | |
format: 'table' | |
exit-code: 1 | |
severity: CRITICAL,HIGH | |
# uncomment to ignore vulnerabilities | |
ignore-unfixed: true | |
# ignore-policy: .github/trivy/ignore-policy.yaml | |
publish-gadget-images-manifest:
  name: Publish gadget img manifest
  # level: 2
  # Assembles the multi-arch manifest list for the gadget (DaemonSet) image
  # from the per-platform image and SBOM digests exported by
  # build-gadget-container-images, pushes it, and signs it by digest.
  # Pull requests never reach this job, so PR builds cannot publish.
  if: github.event_name != 'pull_request'
  needs:
    - build-gadget-container-images
    - check-secrets
  runs-on: ubuntu-latest
  permissions:
    # allow publishing container image
    # in case of public fork repo/packages permissions will always be read
    contents: read
    packages: write
  outputs:
    # Digest of the pushed manifest list; downstream consumers should pin
    # on this rather than on the mutable tag.
    image-digest: ${{ steps.publish-manifest-list.outputs.image-digest }}
  steps:
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
    - name: Login to Container Registry
      uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
      with:
        registry: ${{ env.REGISTRY }}
        username: ${{ github.actor }}
        # The job-scoped GITHUB_TOKEN (packages: write above) is the push credential.
        password: ${{ secrets.GITHUB_TOKEN }}
    - name: Set container repository and determine image tag
      id: set-repo-determine-image-tag
      uses: ./.github/actions/set-container-repo-and-determine-image-tag
      with:
        registry: ${{ env.REGISTRY }}
        container-image: ${{ env.CONTAINER_REPO }}
    - name: Publish the manifest list
      id: publish-manifest-list
      # Every member of the list is referenced by digest from the build job's
      # outputs (image + SBOM for amd64 and arm64), and the OCI annotations are
      # set on the index. The digest of the resulting list is exported as the
      # step output (jq -r strips the JSON quotes).
      run: |
        IMAGE_TAG=${{ steps.set-repo-determine-image-tag.outputs.container-repo }}:${{ steps.set-repo-determine-image-tag.outputs.image-tag }}
        IMAGE_SOURCE="https://github.com/inspektor-gadget/inspektor-gadget"
        IMAGE_DOCUMENTATION="https://inspektor-gadget.io/docs"
        IMAGE_LICENSES="Apache-2.0"
        IMAGE_TITLE="Inspektor Gadget k8s DaemonSet"
        IMAGE_DESCRIPTION="Inspektor Gadget is a collection of tools (or gadgets) to debug and inspect Kubernetes resources and applications. This image is used as a long-running DaemonSet in Kubernetes via the kubectl-gadget deploy command or via the Helm charts."
        docker buildx imagetools create \
          -t $IMAGE_TAG \
          --annotation index:org.opencontainers.image.documentation="$IMAGE_DOCUMENTATION" \
          --annotation index:org.opencontainers.image.description="$IMAGE_DESCRIPTION" \
          --annotation index:org.opencontainers.image.licenses="$IMAGE_LICENSES" \
          --annotation index:org.opencontainers.image.source="$IMAGE_SOURCE" \
          --annotation index:org.opencontainers.image.title="$IMAGE_TITLE" \
          ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}@${{ needs.build-gadget-container-images.outputs.digest-amd64 }} \
          ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}@${{ needs.build-gadget-container-images.outputs.sbom-digest-amd64 }} \
          ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}@${{ needs.build-gadget-container-images.outputs.digest-arm64 }} \
          ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}@${{ needs.build-gadget-container-images.outputs.sbom-digest-arm64 }}
        image_digest=$(docker buildx imagetools inspect --format '{{json .Manifest.Digest}}' $IMAGE_TAG | jq -r)
        echo "image-digest=${image_digest}" >> $GITHUB_OUTPUT
    - name: Sign the manifest list
      # Signing needs the cosign key material; check-secrets reports whether it is configured.
      if: needs.check-secrets.outputs.cosign == 'true'
      uses: ./.github/actions/sign-container-image
      with:
        password: '${{ secrets.COSIGN_PASSWORD }}'
        private_key: '${{ secrets.COSIGN_PRIVATE_KEY }}'
        # Signed by digest, not by tag, so the signature binds to the exact content.
        image: "${{ steps.set-repo-determine-image-tag.outputs.container-repo }}@${{ steps.publish-manifest-list.outputs.image-digest }}"
publish-ig-images-manifest:
  name: Publish ig img manifest
  # level: 2
  # Same flow as publish-gadget-images-manifest, for the standalone ig image:
  # build the multi-arch manifest list from build-ig-container-images'
  # per-platform digests, push it, and sign it by digest.
  # Note that, unlike the gadget job, this one does not expose the digest as a
  # job output.
  if: github.event_name != 'pull_request'
  needs:
    - build-ig-container-images
    - check-secrets
  runs-on: ubuntu-latest
  permissions:
    # allow publishing container image
    # in case of public fork repo/packages permissions will always be read
    contents: read
    packages: write
  steps:
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
    - name: Login to Container Registry
      uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
      with:
        registry: ${{ env.REGISTRY }}
        username: ${{ github.actor }}
        # The job-scoped GITHUB_TOKEN (packages: write above) is the push credential.
        password: ${{ secrets.GITHUB_TOKEN }}
    - name: Set container repository and determine image tag
      id: set-repo-determine-image-tag
      uses: ./.github/actions/set-container-repo-and-determine-image-tag
      with:
        registry: ${{ env.REGISTRY }}
        # The ig image lives under <owner>/ig, not under the repository name.
        container-image: ${{ github.repository_owner }}/ig
    - name: Publish the manifest list
      id: publish-manifest-list
      # Members are referenced by digest (image + SBOM for amd64 and arm64);
      # OCI annotations are set on the index. The list's digest is exported as
      # the step output (jq -r strips the JSON quotes).
      run: |
        IMAGE_TAG=${{ steps.set-repo-determine-image-tag.outputs.container-repo }}:${{ steps.set-repo-determine-image-tag.outputs.image-tag }}
        IMAGE_SOURCE="https://github.com/inspektor-gadget/inspektor-gadget"
        IMAGE_DOCUMENTATION="https://inspektor-gadget.io/docs"
        IMAGE_LICENSES="Apache-2.0"
        IMAGE_TITLE="Inspektor Gadget ig tool"
        IMAGE_DESCRIPTION="Inspektor Gadget is a collection of tools (or gadgets) to debug and inspect Kubernetes resources and applications. This image only includes the ig binary, a standalone tool to run the gadgets."
        docker buildx imagetools create \
          -t $IMAGE_TAG \
          ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}@${{ needs.build-ig-container-images.outputs.digest-amd64 }} \
          ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}@${{ needs.build-ig-container-images.outputs.sbom-digest-amd64 }} \
          ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}@${{ needs.build-ig-container-images.outputs.digest-arm64 }} \
          ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}@${{ needs.build-ig-container-images.outputs.sbom-digest-arm64 }} \
          --annotation index:org.opencontainers.image.documentation="$IMAGE_DOCUMENTATION" \
          --annotation index:org.opencontainers.image.description="$IMAGE_DESCRIPTION" \
          --annotation index:org.opencontainers.image.licenses="$IMAGE_LICENSES" \
          --annotation index:org.opencontainers.image.source="$IMAGE_SOURCE" \
          --annotation index:org.opencontainers.image.title="$IMAGE_TITLE"
        image_digest=$(docker buildx imagetools inspect --format '{{json .Manifest.Digest}}' $IMAGE_TAG | jq -r)
        echo "image-digest=${image_digest}" >> $GITHUB_OUTPUT
    - name: Sign the manifest list
      # Signing needs the cosign key material; check-secrets reports whether it is configured.
      if: needs.check-secrets.outputs.cosign == 'true'
      uses: ./.github/actions/sign-container-image
      with:
        password: '${{ secrets.COSIGN_PASSWORD }}'
        private_key: '${{ secrets.COSIGN_PRIVATE_KEY }}'
        # Signed by digest, not by tag, so the signature binds to the exact content.
        image: "${{ steps.set-repo-determine-image-tag.outputs.container-repo }}@${{ steps.publish-manifest-list.outputs.image-digest }}"
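build-helper-images:
  # level: 2
  # Builds (and optionally pushes and signs) the helper images used by later
  # jobs: the dnstester test image and the ebpf-builder image. An image is only
  # rebuilt when its inputs changed or on main/release/tag pushes; otherwise the
  # job falls back to the default ':latest' references defined in the workflow
  # env, and exports whichever reference applies as a job output.
  name: helper images
  runs-on: ubuntu-latest
  needs:
    - check-secrets
  outputs:
    # Image references (by digest when freshly built, else the default tag)
    # consumed by test-components, test-integration-k8s-ig and
    # build-and-push-gadgets.
    dnstester_image: ${{ steps.image-tag.outputs.dnstester }}
    ebpf_builder_image: ${{ steps.image-tag.outputs.ebpf-builder }}
  permissions:
    # allow publishing container image
    # in case of public fork repo/packages permissions will always be read
    contents: read
    packages: write
  strategy:
    fail-fast: false
    matrix:
      image:
        - name: "dnstester"
          context: "tools/dnstester"
          dockerfile: "tools/dnstester/Dockerfile"
          platform: "linux/amd64,linux/arm64"
          filter-patterns:
            - "tools/dnstester/*"
        - name: "ebpf-builder"
          # NOTE(review): hard-coded runner path; it is equivalent to the
          # workspace only for the upstream repository name. Whether
          # github.workspace is resolvable inside a matrix definition is not
          # established here, so it is left as-is.
          context: "/home/runner/work/inspektor-gadget/inspektor-gadget"
          dockerfile: "Dockerfiles/ebpf-builder.Dockerfile"
          platform: "linux/amd64,linux/arm64"
          filter-patterns:
            - "include/**"
            - "Dockerfiles/ebpf-builder.Dockerfile"
            - "cmd/common/image/Makefile.build"
  steps:
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
      id: filter
      with:
        # https://github.com/rhysd/actionlint/blob/main/docs/checks.md#check-type-check-expression
        filters: |
          pattern: ${{ toJson(matrix.image.filter-patterns) }}
    - name: Check if we should build helpers
      id: check-build-helpers
      # always build the images on release, merge to main or to a release branch
      if: steps.filter.outputs.pattern == 'true' || startsWith(github.ref_name, 'v') || startsWith(github.ref_name, 'release-') || github.ref_name == 'main'
      run: |
        echo "build=true" >> $GITHUB_OUTPUT
    - name: Set up Docker Buildx
      if: steps.check-build-helpers.outputs.build == 'true'
      uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
    - name: Login to Container Registry
      if: steps.check-build-helpers.outputs.build == 'true'
      uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
      with:
        registry: ${{ env.REGISTRY }}
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}
    - name: Set container repository and determine image tag
      if: steps.check-build-helpers.outputs.build == 'true'
      id: set-repo-determine-image-tag
      uses: ./.github/actions/set-container-repo-and-determine-image-tag
      with:
        registry: ${{ env.REGISTRY }}
        container-image: ${{ github.repository_owner }}/${{ matrix.image.name }}
    - name: Build ${{ matrix.image.name }} image
      id: build-image
      if: steps.check-build-helpers.outputs.build == 'true'
      uses: docker/build-push-action@16ebe778df0e7752d2cfcbd924afdbbd89c1a755 # v6.6.1
      with:
        context: ${{ matrix.image.context }}
        file: ${{ matrix.image.dockerfile }}
        # The repository should have the variable PUSH_HELPERS set to
        # ENABLE_PUSH_HELPERS, see:
        # https://docs.github.com/en/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository
        push: ${{ vars.PUSH_HELPERS == 'ENABLE_PUSH_HELPERS' }}
        tags: ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}:${{ steps.set-repo-determine-image-tag.outputs.image-tag }}
        platforms: ${{ matrix.image.platform }}
    - name: Save ${{ matrix.image.name }} image tag output
      id: image-tag
      # Runs unconditionally: when the build step was skipped its digest output
      # is empty and the default image from the workflow env is used instead.
      # Those defaults are ':latest' tags, i.e. mutable references rather than
      # digests; consumers verify the builder image with cosign when the
      # signing key is configured (see build-and-push-gadgets).
      # The expanded matrix value is quoted so an empty or whitespace value
      # cannot break the test expression.
      run: |
        if [ -n "${{ steps.build-image.outputs.digest }}" ]; then
          image="${{ steps.set-repo-determine-image-tag.outputs.container-repo }}@${{ steps.build-image.outputs.digest }}"
        else
          if [ "${{ matrix.image.name }}" == "dnstester" ]; then
            image=${{ env.DEFAULT_DNSTESTER_IMAGE }}
          elif [ "${{ matrix.image.name }}" == "ebpf-builder" ]; then
            image=${{ env.DEFAULT_EBPF_BUILDER_IMAGE }}
          else
            >&2 echo "No default image for ${{ matrix.image.name }}!"
            exit 1
          fi
        fi
        echo "${{ matrix.image.name }}=${image}" >> $GITHUB_OUTPUT
    - name: Sign ${{ matrix.image.name }} image
      # Only meaningful when the image was actually built and pushed and the
      # cosign key material is available.
      if: steps.check-build-helpers.outputs.build == 'true' && needs.check-secrets.outputs.cosign == 'true' && vars.PUSH_HELPERS == 'ENABLE_PUSH_HELPERS'
      uses: ./.github/actions/sign-container-image
      with:
        password: '${{ secrets.COSIGN_PASSWORD }}'
        private_key: '${{ secrets.COSIGN_PRIVATE_KEY }}'
        # Signed by digest so the signature binds to the exact content.
        image: "${{ steps.set-repo-determine-image-tag.outputs.container-repo }}@${{ steps.build-image.outputs.digest }}"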
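build-examples:
  name: example
  # level: 0
  # Builds one container image per example directory and pushes it only when
  # the PUSH_EXAMPLES secret opts in. Paths are derived from github.workspace
  # (as the download step in scan-gadget-container-images already does) rather
  # than a hard-coded runner path, so the job also works when the repository
  # is checked out under a different name.
  runs-on: ubuntu-latest
  permissions:
    # allow publishing container image
    # in case of public fork repo/packages permissions will always be read
    contents: read
    packages: write
  strategy:
    fail-fast: false
    matrix:
      example: [runc-hook, kube-container-collection]
  steps:
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: Set up Docker Buildx
      id: buildx
      uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
    - name: Login to Container Registry
      uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
      with:
        registry: ${{ env.REGISTRY }}
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}
    - name: Set container repository and determine image tag
      id: set-repo-determine-image-tag
      uses: ./.github/actions/set-container-repo-and-determine-image-tag
      with:
        registry: ${{ env.REGISTRY }}
        container-image: ${{ env.CONTAINER_REPO }}
    - name: Build example container
      uses: docker/build-push-action@16ebe778df0e7752d2cfcbd924afdbbd89c1a755 # v6.6.1
      with:
        # An explicit path context so the checked-out tree is used as the
        # build context.
        context: ${{ github.workspace }}
        file: ${{ github.workspace }}/examples/${{ matrix.example }}/Dockerfile
        # NOTE(review): the push gate is a secret here, whereas the helper
        # images are gated on the repository variable PUSH_HELPERS; confirm
        # whether the difference is intentional.
        push: ${{ secrets.PUSH_EXAMPLES == 'ENABLE_PUSH_EXAMPLES' }}
        tags: ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}-${{ matrix.example }}:${{ steps.set-repo-determine-image-tag.outputs.image-tag }}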
build-gadgets-examples:
  name: Gadgets examples
  # level: 0
  # Compiles every example program under examples/ to make sure they still
  # build against the current tree; nothing is published.
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: Setup go
      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
      with:
        go-version: ${{ env.GO_VERSION }}
        cache: true
    - name: Build builtin gadgets example binaries
      # Each builtin-gadgets example directory is identified by its README.md.
      run: |
        cd examples
        for dir in $(dirname $(find builtin-gadgets -name README.md)); do
          go build ./$dir;
        done
    - name: Build gadgets example binaries
      # Each gadgets example directory is identified by its main.go.
      run: |
        cd examples
        for dir in $(dirname $(find gadgets -name main.go)); do
          go build ./$dir;
        done
test-unit:
  name: Unit tests
  # level: 0
  # Runs the three make-driven unit test suites (core, gadgets, controller)
  # on a plain runner; no cluster or helper images are needed.
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: Setup go
      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
      with:
        go-version: ${{ env.GO_VERSION }}
        cache: true
      id: go
    - name: Basic unit tests
      run: |
        make test
    - name: Gadgets unit tests
      run: |
        make gadgets-unit-tests
    - name: Controller unit tests
      run: |
        make controller-tests
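benchmarks:
  name: Benchmarks
  # level: 0
  # Runs the Go benchmarks as root and records the results with
  # github-action-benchmark. Publishing (and the token it needs) is limited
  # to runs originating from the upstream repository.
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: Setup go
      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
      with:
        go-version: ${{ env.GO_VERSION }}
        cache: true
      id: go
    - name: Show repository setup
      # Debug output for the fork/PR gating used by the store step below.
      run: |
        echo "github.event_name: ${{ github.event_name }}"
        echo "github.event.pull_request.head.repo.full_name: ${{ github.event.pull_request.head.repo.full_name }}"
        echo "github.repository: ${{ github.repository }}"
    - name: Run benchmarks
      # The output is piped through tee. Without pipefail the step's exit
      # status would be tee's, so a failing benchmark run would not fail the
      # job; the other piped test steps in this workflow set it explicitly too.
      run: |
        set -o pipefail
        go test -exec sudo -bench=. -run=Benchmark ./pkg/gadgets/... ./internal/benchmarks/... | tee output.txt
    #- name: Download previous benchmark data
    #  uses: actions/cache@v1
    #  with:
    #    path: ./cache
    #    key: ${{ runner.os }}-benchmark
    - name: Store benchmark result
      uses: benchmark-action/github-action-benchmark@4de1bed97a47495fc4c5404952da0499e31f5c29 # v1.20.3
      # Disable push from forks or PR from forks.
      # $BENCHMARKS_TOKEN will not be available in those cases.
      if: |
        (github.event_name == 'push' &&
          github.repository == 'inspektor-gadget/inspektor-gadget') ||
        (github.event_name == 'pull_request' &&
          github.event.pull_request.head.repo.full_name == 'inspektor-gadget/inspektor-gadget')
      with:
        name: Gadget benchmarks
        # What benchmark tool the output.txt came from
        tool: 'go'
        # Where the output from the benchmark tool is stored
        output-file-path: output.txt
        # Where the previous data file is stored
        # external-data-json-path: ./cache/benchmark-data.json
        # Workflow will fail when an alert happens
        fail-on-alert: false
        # GitHub API token to make a commit comment
        github-token: ${{ secrets.BENCHMARKS_TOKEN }}
        # Enable alert commit comment
        comment-on-alert: true
        # Enable Job Summary for PRs
        # summary-always: true
        # Mention people in the commit comment
        alert-comment-cc-users: '@alban'
        # Push and deploy GitHub pages branch automatically
        auto-push: ${{ github.repository == 'inspektor-gadget/inspektor-gadget' }}
        gh-pages-branch: gh-pages
        # Results are pushed to a separate repository, which is what
        # BENCHMARKS_TOKEN must be scoped to.
        gh-repository: github.com/inspektor-gadget/ig-benchmarks
        benchmark-data-dir-path: dev/bench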
package-helm-charts:
  name: Lint and package Helm charts
  # level: 0
  # Lints and packages the Helm charts, checks that the generated deploy
  # manifests are committed, and uploads the packaged charts as an artifact.
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: Set container repository and determine image tag
      id: set-repo-determine-image-tag
      uses: ./.github/actions/set-container-repo-and-determine-image-tag
      with:
        registry: ${{ env.REGISTRY }}
        container-image: ${{ env.CONTAINER_REPO }}
    - name: Install Helm
      uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
    # chart version needs to be semver compliant so we remove the leading 'v'
    - name: Set Chart Version for release
      if: startsWith(github.ref, 'refs/tags/v')
      # Exported through GITHUB_ENV so the later make invocations see CHART_VERSION.
      run: |
        TAG=${{ steps.set-repo-determine-image-tag.outputs.image-tag }}
        echo "CHART_VERSION=${TAG#v}" >> $GITHUB_ENV
    - name: Lint Helm charts
      run: |
        export IMAGE_TAG=${{ steps.set-repo-determine-image-tag.outputs.image-tag }}
        make -C charts lint
    - name: Detect changes for deploy.yaml
      # Regenerates the manifests and fails if the working tree differs, i.e.
      # if a committed deploy.yaml is out of date with the charts.
      run: |
        make generate-manifests
        changes="$(git status --porcelain)"
        if [ -n "$changes" ] ; then
          echo "$changes"
          exit 1
        fi
    - name: Package Helm charts
      run: |
        export IMAGE_TAG=${{ steps.set-repo-determine-image-tag.outputs.image-tag }}
        make -C charts package
    - name: Upload Helm charts
      uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
      with:
        name: gadget-charts-tgz
        path: charts/bin/*.tgz
test-ig:
  name: Unit tests for ig
  # level: 0
  # Runs the ig unit tests as root. Because the eBPF code needs kernel BTF, the
  # job first makes sure a vmlinux BTF is available, fetching one from BTFHub
  # for the runner's kernel when /sys/kernel/btf/vmlinux is missing.
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: Setup go
      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
      with:
        go-version: ${{ env.GO_VERSION }}
        cache: true
      id: go
    - name: Unit tests for ig (as root)
      # The BTFHub URL is derived from /etc/os-release and uname, and the
      # download is probed with a HEAD request before being fetched.
      # NOTE(review): the downloaded archive is not integrity-checked (no
      # checksum or signature) before objcopy writes it to /boot via sudo; on
      # an ephemeral CI runner this only affects the test run itself, but it is
      # worth keeping in mind if the step is ever reused elsewhere.
      run: |
        KERNEL=$(uname -r)
        ARCH=$(uname -m)
        if test -f /sys/kernel/btf/vmlinux; then
          echo "BTF is available at /sys/kernel/btf/vmlinux"
        else
          echo "BTF is not available: Trying BTFHub"
          source /etc/os-release
          URL="https://github.com/aquasecurity/btfhub-archive/raw/main/$ID/$VERSION_ID/$ARCH/$KERNEL.btf.tar.xz"
          echo "Trying to download vmlinux from $URL"
          if [[ $(wget -S --spider "$URL" 2>&1 | grep 'HTTP/1.1 200 OK') ]]; then
            wget -q -O /tmp/vmlinux.btf.tar.xz "$URL"
            tar -xvf /tmp/vmlinux.btf.tar.xz
            # Use objcopy to put the btf info in an ELF file as libbpf and cilium/ebpf
            # by default check if there is an ELF file with the .BTF section at
            # /boot/vmlinux-$KERNEL.
            sudo objcopy --input binary --output elf64-little --rename-section .data=.BTF *.btf /boot/vmlinux-$KERNEL
            rm *.btf
            echo "vmlinux downloaded at /boot/vmlinux-$KERNEL"
          else
            echo "vmlinux not found"
          fi
        fi
        make ig-tests
test-components:
  name: Test components
  # level: 1
  # Component tests that compile eBPF programs, hence the dependency on the
  # ebpf-builder image reference exported by build-helper-images.
  runs-on: ubuntu-latest
  needs:
    - build-helper-images
  steps:
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: Setup go
      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
      with:
        go-version: ${{ env.GO_VERSION }}
        cache: true
    - name: Run component tests
      # The builder image is used as-is here (no cosign verification step in
      # this job); when helper images were not rebuilt it is the ':latest'
      # default from the workflow env.
      run: |
        make EBPF_BUILDER=${{ needs.build-helper-images.outputs.ebpf_builder_image }} component-tests
check-secrets:
  name: Check repo secrets
  # level: 0
  # Reports, as 'true'/'false' string outputs, whether the secret groups for
  # each optional integration (ARO, AKS, GKE, cosign signing) are configured.
  # Only presence is tested; the values themselves are never printed.
  runs-on: ubuntu-latest
  outputs:
    aro: ${{ steps.set_output.outputs.aro }}
    aks: ${{ steps.set_output.outputs.aks }}
    gke: ${{ steps.set_output.outputs.gke }}
    cosign: ${{ steps.set_output.outputs.cosign }}
  steps:
    # Secrets cannot be used as if condition, use job output as workaround.
    # https://github.com/actions/runner/issues/520
    # The secrets are passed through env rather than expanded into the script
    # body, so their values never appear in the shell source.
    - id: set_output
      env:
        OPENSHIFT_SERVER: '${{ secrets.OPENSHIFT_SERVER }}'
        OPENSHIFT_USER: '${{ secrets.OPENSHIFT_USER }}'
        OPENSHIFT_PASSWORD: '${{ secrets.OPENSHIFT_PASSWORD }}'
        AZURE_AKS_CLIENT_ID: '${{ secrets.AZURE_AKS_CLIENT_ID }}'
        AZURE_AKS_TENANT_ID: '${{ secrets.AZURE_AKS_TENANT_ID }}'
        AZURE_AKS_SUBSCRIPTION_ID: '${{ secrets.AZURE_AKS_SUBSCRIPTION_ID }}'
        AZURE_AKS_RESOURCE_GROUP: '${{ secrets.AZURE_AKS_RESOURCE_GROUP }}'
        COSIGN_PASSWORD: '${{ secrets.COSIGN_PASSWORD }}'
        COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
        GKE_PROJECT: '${{ secrets.GKE_PROJECT }}'
        GKE_SERVICE_ACCOUNT: '${{ secrets.GKE_SERVICE_ACCOUNT }}'
        GKE_WORKLOAD_IDENTITY_PROVIDER: '${{ secrets.GKE_WORKLOAD_IDENTITY_PROVIDER }}'
      # A group counts as configured only when every secret in it is non-empty.
      run: |
        if [[ "${OPENSHIFT_SERVER}" != "" && \
          "${OPENSHIFT_USER}" != "" && \
          "${OPENSHIFT_PASSWORD}" != "" ]]; \
        then
          echo "Secrets to use an ARO cluster were configured in the repo"
          echo "aro=true" >> $GITHUB_OUTPUT
        else
          echo "Secrets to use an ARO cluster were not configured in the repo"
          echo "aro=false" >> $GITHUB_OUTPUT
        fi
        if [[ "${AZURE_AKS_CLIENT_ID}" != "" && \
          "${AZURE_AKS_TENANT_ID}" != "" && \
          "${AZURE_AKS_SUBSCRIPTION_ID}" != "" && \
          "${AZURE_AKS_RESOURCE_GROUP}" != "" ]]; \
        then
          echo "Secrets to use an AKS cluster were configured in the repo"
          echo "aks=true" >> $GITHUB_OUTPUT
        else
          echo "Secrets to use an AKS cluster were not configured in the repo"
          echo "aks=false" >> $GITHUB_OUTPUT
        fi
        if [[ "${COSIGN_PASSWORD}" != "" && \
          "${COSIGN_PRIVATE_KEY}" != "" ]]; \
        then
          echo "Secrets to use cosign were configured in the repo"
          echo "cosign=true" >> $GITHUB_OUTPUT
        else
          echo "Secrets to use cosign were not configured in the repo"
          echo "cosign=false" >> $GITHUB_OUTPUT
        fi
        if [[ "${GKE_PROJECT}" != "" && \
          "${GKE_SERVICE_ACCOUNT}" != "" && \
          "${GKE_WORKLOAD_IDENTITY_PROVIDER}" != "" ]]; \
        then
          echo "Secrets to use a GKE cluster were configured in the repo"
          echo "gke=true" >> $GITHUB_OUTPUT
        else
          echo "Secrets to use a GKE cluster were not configured in the repo"
          echo "gke=false" >> $GITHUB_OUTPUT
        fi
public-key-check:
  name: Public key check
  # level: 1
  # Guards against the committed verification key drifting from the signing
  # key: derives the public key from the COSIGN_PRIVATE_KEY secret and fails
  # if it differs from pkg/resources/inspektor-gadget.pub in the tree.
  needs: check-secrets
  runs-on: ubuntu-latest
  # The first check means that job will only run if the secrets are present. So it will be skipped
  # for forks, PRs from forks and dependabot PRs (if no dependabot secret are configured).
  # The second check ensures if we forgot configuring the secrets in main repo
  # (inspektor-gadget/inspektor-gadget) so we can catch it early.
  if: needs.check-secrets.outputs.cosign == 'true' || (github.event_name == 'push' && github.repository == 'inspektor-gadget/inspektor-gadget')
  steps:
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: Install Cosign
      uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
    - name: Check if public key is up-to-date.
      env:
        COSIGN_PASSWORD: '${{ secrets.COSIGN_PASSWORD }}'
        COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
      # The private key is read from the environment (env://), never written to
      # disk; only the derived public key touches the working tree.
      run: |
        cosign public-key --key env://COSIGN_PRIVATE_KEY > pkg/resources/inspektor-gadget.pub
        changes="$(git status --porcelain)"
        if [ -n "$changes" ] ; then
          >&2 echo "$changes"
          exit 1
        fi
test-integration-k8s-ig:
  name: Test ig w/ k8s
  # level: 3
  # Integration tests of the prebuilt ig binary against a minikube cluster,
  # once per supported container runtime.
  needs: [ test-unit, test-ig, build-ig, build-helper-images ]
  runs-on: ubuntu-latest
  strategy:
    fail-fast: false
    matrix:
      runtime: [ docker, containerd, cri-o ]
  steps:
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: Setup go
      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
      with:
        go-version: ${{ env.GO_VERSION }}
        cache: true
    - name: Get ig-linux-amd64.tar.gz from artifact.
      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: ig-linux-amd64-tar-gz
        # Parent of the checkout directory, so the tarball does not land in the tree.
        path: /home/runner/work/inspektor-gadget/
    - name: Unpack ig-linux-amd64.tar.gz
      # The binary is renamed to the name the integration makefile expects.
      run: |
        tar zxvf /home/runner/work/inspektor-gadget/ig-linux-amd64.tar.gz
        mv ig ig-linux-amd64
    - name: Setup minikube
      uses: ./.github/actions/setup-minikube
      with:
        runtime: ${{ matrix.runtime }}
    - name: Run integration for container runtime ${{ matrix.runtime }}
      id: integration-tests
      # pipefail keeps the make exit status visible through the tee; '-o build'
      # tells make the build target is up to date so the prebuilt ig is used.
      run: |
        set -o pipefail
        make -C integration/k8s \
            CONTAINER_RUNTIME=${{ matrix.runtime }} \
            DNSTESTER_IMAGE=${{ needs.build-helper-images.outputs.dnstester_image }} \
            -o build test |& tee integration.log
    - name: Prepare and publish test report for container runtime ${{ matrix.runtime }}
      # Always publish the report, even on failure, without masking the test result.
      if: always()
      continue-on-error: true
      uses: ./.github/actions/prepare-and-publish-test-reports
      with:
        test-log-file: integration.log
        test-step-conclusion: ${{ steps.integration-tests.conclusion }}
        test-summary-suffix: ${{ matrix.runtime }}
build-and-push-gadgets:
  name: Build and push gadgets
  # level: 2
  # Builds the gadget images with the ebpf-builder image, pushes them with the
  # job's GITHUB_TOKEN and signs them when the cosign key is configured.
  # NOTE(review): unlike the manifest-publishing jobs, this job has no
  # event_name gate, so it also runs (and attempts to push) for pull_request
  # events; confirm that this is intended.
  needs:
    - build-ig
    - build-helper-images
    - check-secrets
  runs-on: ubuntu-latest
  permissions:
    # allow publishing container image
    # in case of public fork repo/packages permissions will always be read
    contents: read
    packages: write
  steps:
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: Login to Container Registry
      uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
      with:
        registry: ${{ env.REGISTRY }}
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}
    - name: Set container repository and determine image tag
      id: set-repo-determine-image-tag
      uses: ./.github/actions/set-container-repo-and-determine-image-tag
      with:
        registry: ${{ env.REGISTRY }}
        container-image: ${{ env.CONTAINER_REPO }}
    - name: Get ig-linux-amd64.tar.gz from artifact.
      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: ig-linux-amd64-tar-gz
        path: /home/runner/work/inspektor-gadget/
    - name: Unpack ig-linux-amd64.tar.gz
      # Installs the prebuilt ig system-wide so the make targets below use it.
      run: |
        tar zxvf /home/runner/work/inspektor-gadget/ig-linux-amd64.tar.gz
        sudo mv ig /usr/bin/ig
    - name: Install Cosign
      if: needs.check-secrets.outputs.cosign == 'true'
      uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
    - name: Verify eBPF builder image
      # Supply-chain check on the build tool itself: the builder image must be
      # signed with the committed public key before it is used. This step is
      # skipped when the cosign secrets are absent (e.g. forks), in which case
      # the builder image is used unverified.
      if: needs.check-secrets.outputs.cosign == 'true'
      run: |
        cosign verify --key pkg/resources/inspektor-gadget.pub ${{ needs.build-helper-images.outputs.ebpf_builder_image }}
    - name: Build gadgets
      # '-o install/ig' tells make the ig install target is up to date (the
      # prebuilt binary was installed above). The git diff fails the job when
      # building changed tracked metadata files that should have been committed.
      run: |
        export GADGET_REPOSITORY=${{ steps.set-repo-determine-image-tag.outputs.gadget-repository }}
        export GADGET_TAG=${{ steps.set-repo-determine-image-tag.outputs.gadget-tag }}
        export BUILDER_IMAGE=${{ needs.build-helper-images.outputs.ebpf_builder_image }}
        make build-gadgets -o install/ig
        # Check that metadata files are updated
        git diff --exit-code HEAD --
        # Avoid building the gadgets again
        make -C gadgets/ push -o build
    - name: Sign the gadgets
      if: needs.check-secrets.outputs.cosign == 'true'
      env:
        COSIGN_PASSWORD: '${{ secrets.COSIGN_PASSWORD }}'
        COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
      # Key material is passed via env, not expanded into the script body.
      run: |
        GADGET_REPOSITORY=${{ steps.set-repo-determine-image-tag.outputs.gadget-repository }} make -C gadgets/ sign -o push
test-gadgets-local:
  name: Test gadgets locally
  # level: 3
  # Runs the gadget tests with the prebuilt ig directly on the runner (no
  # cluster), once per local container runtime.
  needs:
    - build-ig
    - build-helper-images
    - build-and-push-gadgets
    - check-secrets
  runs-on: ubuntu-latest
  strategy:
    fail-fast: false
    matrix:
      runtime: [docker, containerd]
  steps:
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: Set container repository and determine image tag
      id: set-repo-determine-image-tag
      uses: ./.github/actions/set-container-repo-and-determine-image-tag
      with:
        registry: ${{ env.REGISTRY }}
        container-image: ${{ env.CONTAINER_REPO }}
    - name: Get ig-linux-amd64.tar.gz from artifact.
      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: ig-linux-amd64-tar-gz
        path: /home/runner/work/inspektor-gadget/
    - name: Unpack ig-linux-amd64.tar.gz
      run: |
        tar zxvf /home/runner/work/inspektor-gadget/ig-linux-amd64.tar.gz
        sudo mv ig /usr/bin/ig
    - name: Setup go
      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
      with:
        go-version: ${{ env.GO_VERSION }}
        cache: true
      id: go
    - name: Gadgets tests
      id: gadgets-tests
      shell: bash
      # Image signature verification in ig is switched on exactly when the
      # cosign key is configured, i.e. when the gadgets were signed by the
      # previous job; without the key the gadget images are run unverified.
      # NOTE(review): the '& wait $!' form runs the pipeline in the background
      # and waits for it; its purpose is not stated here — confirm before
      # changing it.
      run: |
        set -o pipefail
        make \
          GADGET_REPOSITORY=${{ steps.set-repo-determine-image-tag.outputs.gadget-repository }} \
          GADGET_TAG=${{ steps.set-repo-determine-image-tag.outputs.gadget-tag }} \
          IG_FLAGS="--verify-image=${{ needs.check-secrets.outputs.cosign }}" \
          IG_RUNTIME=${{ matrix.runtime }} \
          -C gadgets/ test-local -o build |& tee gadgets-tests.log & wait $!
    - name: Prepare and publish test reports
      # Always publish the report, even on failure, without masking the test result.
      if: always()
      continue-on-error: true
      uses: ./.github/actions/prepare-and-publish-test-reports
      with:
        test-log-file: gadgets-tests.log
        test-step-conclusion: ${{ steps.gadgets-tests.conclusion }}
        test-summary-suffix: "test-gadgets-local-${{ matrix.runtime }}"
test-gadgets-k8s:
  name: Test gadgets K8s
  # level: 3
  # Runs the gadget tests against a multi-node minikube cluster, once per
  # container runtime, using the gadget image built earlier in the workflow.
  # The steps of this job continue past this excerpt.
  needs:
    - build-ig
    - build-gadget-container-images
    - build-helper-images
    - build-and-push-gadgets
    - check-secrets
  runs-on: ubuntu-latest
  strategy:
    fail-fast: false
    matrix:
      runtime: [docker, containerd, cri-o]
  steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Set container repository and determine image tag | |
id: set-repo-determine-image-tag | |
uses: ./.github/actions/set-container-repo-and-determine-image-tag | |
with: | |
registry: ${{ env.REGISTRY }} | |
container-image: ${{ env.CONTAINER_REPO }} | |
- name: Setup go | |
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
cache: true | |
id: go | |
- name: Setup minikube | |
uses: ./.github/actions/setup-minikube | |
with: | |
runtime: ${{ matrix.runtime }} | |
multi-node: true | |
- name: Get gadget-container-image-linux-amd64.tar from artifact. | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: gadget-container-image-linux-amd64.tar | |
path: /home/runner/work/inspektor-gadget/ | |
- name: Prepare minikube by loading gadget-container-image-linux-amd64.tar | |
run: | | |
# 'docker load' ensures the image is named correctly e.g podman has issues loading untagged images from archive | |
docker load -i /home/runner/work/inspektor-gadget/gadget-container-image-linux-amd64.tar | |
minikube image load ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}:${{ steps.set-repo-determine-image-tag.outputs.image-tag }} | |
- name: Get kubectl-gadget-linux-amd64.tar.gz from artifact. | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: kubectl-gadget-linux-amd64-tar-gz | |
path: /home/runner/work/inspektor-gadget/inspektor-gadget/ | |
- name: Gadgets tests | |
id: gadgets-tests | |
shell: bash | |
run: | | |
set -o pipefail | |
tar zxvf /home/runner/work/inspektor-gadget/inspektor-gadget/kubectl-gadget-linux-amd64.tar.gz | |
./kubectl-gadget deploy --verify-gadgets=${{ needs.check-secrets.outputs.cosign }} --image-pull-policy=Never --debug --experimental --image=${{ steps.set-repo-determine-image-tag.outputs.container-repo }}:${{ steps.set-repo-determine-image-tag.outputs.image-tag }} | |
make \ | |
GADGET_REPOSITORY=${{ steps.set-repo-determine-image-tag.outputs.gadget-repository }} \ | |
GADGET_TAG=${{ steps.set-repo-determine-image-tag.outputs.gadget-tag }} \ | |
KUBECTL_GADGET=/home/runner/work/inspektor-gadget/inspektor-gadget/kubectl-gadget \ | |
IG_RUNTIME=kubernetes \ | |
-C gadgets/ test-k8s -o build |& tee gadgets-tests.log & wait $! | |
- name: Undeploy Inspektor Gadget | |
id: undeploy-ig | |
if: always() | |
shell: bash | |
run: ./kubectl-gadget undeploy | |
- name: Prepare and publish test reports | |
if: always() | |
continue-on-error: true | |
uses: ./.github/actions/prepare-and-publish-test-reports | |
with: | |
test-log-file: gadgets-tests.log | |
test-step-conclusion: ${{ steps.gadgets-tests.conclusion }} | |
test-summary-suffix: "test-gadgets-k8s-${{ matrix.runtime }}" | |
test-integration-non-k8s-ig:
  # level: 3
  # Integration tests of ig outside Kubernetes, once per container runtime,
  # with the ig binary built by build-ig and the dnstester image built by
  # build-helper-images.
  name: Test ig w/o k8s
  runs-on: ubuntu-latest
  needs:
    - test-unit
    - test-ig
    - build-ig
    - build-helper-images
    - build-and-push-gadgets
  strategy:
    fail-fast: false
    matrix:
      runtime:
        - docker
        - containerd
  steps:
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: Setup go
      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
      with:
        go-version: '${{ env.GO_VERSION }}'
        cache: true
    - name: Get ig-linux-amd64.tar.gz from artifact.
      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: ig-linux-amd64-tar-gz
        path: /home/runner/work/inspektor-gadget/
    # The binary stays in the workspace under an arch-suffixed name.
    - name: Unpack ig-linux-amd64.tar.gz
      run: |
        tar zxvf /home/runner/work/inspektor-gadget/ig-linux-amd64.tar.gz
        mv ig ig-linux-amd64
    # Output goes to integration.log for the report step below.
    - id: integration-tests
      name: Run integration for container runtime ${{ matrix.runtime }}
      run: |
        set -o pipefail
        make -C integration/ig/non-k8s \
          CONTAINER_RUNTIME=${{ matrix.runtime }} \
          DNSTESTER_IMAGE=${{ needs.build-helper-images.outputs.dnstester_image }} \
          -o build test-${{ matrix.runtime }} |& tee integration.log
    - name: Prepare and publish test report for container runtime ${{ matrix.runtime }}
      if: ${{ always() }}
      continue-on-error: true
      uses: ./.github/actions/prepare-and-publish-test-reports
      with:
        test-log-file: integration.log
        test-step-conclusion: '${{ steps.integration-tests.conclusion }}'
        test-summary-suffix: '${{ matrix.runtime }}'
test-integration-aks:
  name: Integration tests on AKS
  # level: 4
  # Integration tests on a throw-away AKS cluster, one per (os-sku, arch)
  # cell of the matrix. Runs only when check-secrets reports the AKS secrets
  # are available.
  needs:
    - check-secrets
    - test-unit
    - build-clients
    - build-gadget-container-images
    - publish-gadget-images-manifest
    - build-and-push-gadgets
  if: needs.check-secrets.outputs.aks == 'true'
  runs-on: ubuntu-latest
  strategy:
    fail-fast: false
    matrix:
      os-sku: [Ubuntu, AzureLinux]
      arch: [amd64, arm64]
  environment: aks
  permissions:
    # This is needed to use federated credentials:
    # https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux#set-up-azure-login-with-openid-connect-authentication
    # Only id-token is raised above the workflow-wide read-all.
    id-token: write
    contents: read
  env:
    AZURE_AKS_RESOURCE_GROUP: '${{ secrets.AZURE_AKS_RESOURCE_GROUP }}'
  steps:
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: Setup go
      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
      with:
        go-version: ${{ env.GO_VERSION }}
        cache: true
    - name: Set container repository and determine image tag
      id: set-repo-determine-image-tag
      uses: ./.github/actions/set-container-repo-and-determine-image-tag
      with:
        registry: ${{ env.REGISTRY }}
        container-image: ${{ env.CONTAINER_REPO }}
    # OIDC (federated) login: only identifiers are passed, no client secret.
    - uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
      name: Login to Azure
      with:
        client-id: ${{ secrets.AZURE_AKS_CLIENT_ID }}
        tenant-id: ${{ secrets.AZURE_AKS_TENANT_ID }}
        subscription-id: ${{ secrets.AZURE_AKS_SUBSCRIPTION_ID }}
    # ${RANDOM} keeps cluster names unique across concurrent runs of the same
    # matrix cell; later steps read the name back as env.CLUSTER_NAME.
    - name: Craft cluster name
      shell: bash
      run: |
        echo "CLUSTER_NAME=${{ env.AZURE_AKS_CLUSTER_PREFIX }}${{ matrix.arch }}-${{ matrix.os-sku }}-${RANDOM}" >> $GITHUB_ENV
    # Node size follows the architecture; the cluster is created with
    # --no-ssh-key.
    - name: Create AKS cluster ${{ env.CLUSTER_NAME }}
      shell: bash
      run: |
        node_size='Standard_D2s_v5'
        if [ ${{ matrix.arch }} = 'arm64' ]; then
          # 'p' means the node size corresponds to arm64 hardware.
          node_size='Standard_D2ps_v5'
        fi
        # Enable the aks-preview extension to use AzureLinux as --os-sku.
        # This should lead to AKS being deployed on top of AzureLinux.
        # We do not upgrade az because there is a problem doing so in the
        # GitHub Action.
        az extension add --name aks-preview
        az aks create -l eastus2 -g ${AZURE_AKS_RESOURCE_GROUP} -n ${{ env.CLUSTER_NAME }} -s $node_size --os-sku ${{ matrix.os-sku }} --no-ssh-key
    # admin: false fetches user rather than cluster-admin credentials for the
    # kubeconfig.
    - uses: azure/aks-set-context@37037e33d3a2fc08abe40c887d81c3f6e1eb93b9 # v4.0.0
      name: Set AKS cluster ${{ env.CLUSTER_NAME }} context
      with:
        cluster-name: ${{ env.CLUSTER_NAME }}
        resource-group: ${{ secrets.AZURE_AKS_RESOURCE_GROUP }}
        admin: false
    - name: Run integration tests
      uses: ./.github/actions/run-integration-tests
      with:
        kubernetes_distribution: "aks-${{ matrix.os-sku }}"
        kubernetes_architecture: "${{ matrix.arch }}"
        container_repo: ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}
        image_tag: ${{ steps.set-repo-determine-image-tag.outputs.image-tag }}
        gadget_repository: ${{ steps.set-repo-determine-image-tag.outputs.gadget-repository }}
        gadget_tag: ${{ steps.set-repo-determine-image-tag.outputs.gadget-tag }}
        test_summary_suffix: "${{ matrix.os-sku }}-${{ matrix.arch }}"
    # This step ensures we get fresh credentials before removing the cluster
    # (it runs even when an earlier step failed, like the deletion below).
    - uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
      if: always()
      name: Login to Azure
      with:
        client-id: ${{ secrets.AZURE_AKS_CLIENT_ID }}
        tenant-id: ${{ secrets.AZURE_AKS_TENANT_ID }}
        subscription-id: ${{ secrets.AZURE_AKS_SUBSCRIPTION_ID }}
    # Fire-and-forget deletion (--no-wait); always runs so a failed run does
    # not leave the cluster behind.
    - name: Delete AKS cluster ${{ env.CLUSTER_NAME }}
      if: always()
      shell: bash
      run: |
        az aks delete -g ${AZURE_AKS_RESOURCE_GROUP} -n ${{ env.CLUSTER_NAME }} --no-wait --yes
# The ARO cluster is pre-created rather than provisioned per run, which is
# why this job lives apart from the other distributions and is serialised
# through a concurrency group: two workflow runs must never drive IG on that
# single cluster at the same time.
test-integration-aro:
  # level: 4
  name: Integration tests on ARO
  runs-on: ubuntu-latest
  needs:
    - check-secrets
    - test-unit
    - build-clients
    - build-gadget-container-images
    - publish-gadget-images-manifest
    - build-and-push-gadgets
  # Only when check-secrets found the ARO cluster secrets; see
  # docs/devel/ci.md for details.
  if: ${{ needs.check-secrets.outputs.aro == 'true' }}
  concurrency:
    group: no-simultaneous-test-integration-aro
  steps:
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: Setup go
      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
      with:
        go-version: '${{ env.GO_VERSION }}'
        cache: true
    # oc-login writes the kubeconfig into the current directory, so it has to
    # come after checkout or the file would be wiped.
    - name: Authenticate and set ARO cluster context
      uses: redhat-actions/oc-login@5eb45e848b168b6bf6b8fe7f1561003c12e3c99d # v1.3
      with:
        # API Server URL
        openshift_server_url: '${{ secrets.OPENSHIFT_SERVER }}'
        # Credentials (TODO: Use a functional Service Account, see issue #574)
        openshift_username: '${{ secrets.OPENSHIFT_USER }}'
        openshift_password: '${{ secrets.OPENSHIFT_PASSWORD }}'
    - id: set-repo-determine-image-tag
      name: Set container repository and determine image tag
      uses: ./.github/actions/set-container-repo-and-determine-image-tag
      with:
        registry: '${{ env.REGISTRY }}'
        container-image: '${{ env.CONTAINER_REPO }}'
    - name: Run integration tests
      uses: ./.github/actions/run-integration-tests
      with:
        kubernetes_distribution: aro
        kubernetes_architecture: amd64
        container_repo: '${{ steps.set-repo-determine-image-tag.outputs.container-repo }}'
        image_tag: '${{ steps.set-repo-determine-image-tag.outputs.image-tag }}'
        gadget_repository: '${{ steps.set-repo-determine-image-tag.outputs.gadget-repository }}'
        gadget_tag: '${{ steps.set-repo-determine-image-tag.outputs.gadget-tag }}'
        test_summary_suffix: aro
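test-integration-eks:
  name: Integration tests on EKS
  # level: 4
  # Integration tests on a throw-away EKS cluster, one per architecture. AWS
  # access comes from the OIDC role in vars.AWS_ROLE; the job is skipped
  # when that variable is unset.
  needs:
    - test-unit
    - build-clients
    - build-gadget-container-images
    - publish-gadget-images-manifest
    - build-and-push-gadgets
  if: ${{ vars.AWS_ROLE != '' }}
  runs-on: ubuntu-latest
  # These permissions are needed to interact with GitHub's OIDC Token endpoint.
  # Only id-token is raised above the workflow-wide read-all.
  permissions:
    id-token: write
    contents: read
  strategy:
    fail-fast: false
    matrix:
      arch: [amd64, arm64]
  env:
    AWS_REGION: us-east-2
    AWS_EKS_CLUSTER_PREFIX: ig-ci-eks-
  steps:
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: Setup go
      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
      with:
        go-version: ${{ env.GO_VERSION }}
        cache: true
    - name: Set container repository and determine image tag
      id: set-repo-determine-image-tag
      uses: ./.github/actions/set-container-repo-and-determine-image-tag
      with:
        registry: ${{ env.REGISTRY }}
        container-image: ${{ env.CONTAINER_REPO }}
    # ${RANDOM} keeps cluster names unique across concurrent runs; later
    # steps read the name back as env.CLUSTER_NAME.
    - name: Craft cluster name
      shell: bash
      run: |
        echo "CLUSTER_NAME=${{ env.AWS_EKS_CLUSTER_PREFIX }}${{ matrix.arch }}-${RANDOM}" >> $GITHUB_ENV
    # Install eksctl following https://eksctl.io/installation/#for-unix
    # NOTE(review): "releases/latest" is unpinned, so the eksctl binary can
    # change underneath CI without any change to this file. The checksums
    # file comes from that same release, so the check below proves the
    # download is intact, not that a particular version was intended; pin a
    # release (and its checksum) once one is chosen.
    # `shell: bash` runs with -e and -o pipefail, and curl --fail turns an
    # HTTP error into a step failure instead of a downloaded error page.
    # Only the checksum line for this tarball is fed to sha256sum, so the
    # check also fails when the archive is absent from the checksums file.
    - name: Install eksctl
      shell: bash
      run: |
        ARCH=$(dpkg-architecture -qDEB_HOST_ARCH)
        PLATFORM=$(uname -s)_$ARCH
        curl -fsSLO "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_$PLATFORM.tar.gz"
        curl -fsSL "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_checksums.txt" | grep "eksctl_$PLATFORM.tar.gz" | sha256sum --check
        tar -xzf eksctl_$PLATFORM.tar.gz -C /tmp && rm eksctl_$PLATFORM.tar.gz
        sudo mv /tmp/eksctl /usr/local/bin
    # Short-lived credentials obtained by assuming the OIDC role; no static
    # access key is referenced.
    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
      with:
        role-to-assume: ${{ vars.AWS_ROLE }}
        aws-region: ${{ env.AWS_REGION }}
    # The tags mark the cluster as CI-created and record its creation time.
    - name: Create EKS cluster ${{ env.CLUSTER_NAME }}
      shell: bash
      run: |
        # We need to use big nodes, otherwise integration tests fail because the node can't handle
        # many gadgets running on parallel
        node_type='t2.xlarge'
        if [ ${{ matrix.arch }} = 'arm64' ]; then
          node_type='a1.xlarge'
        fi
        eksctl create cluster --name ${{ env.CLUSTER_NAME }} --tags "ig-ci=true,ig-ci-timestamp=$(date -u +'%Y-%m-%dT%H:%M:%S%:z')" --node-type $node_type
    - name: Run integration tests
      uses: ./.github/actions/run-integration-tests
      with:
        kubernetes_distribution: "eks-AmazonLinux"
        kubernetes_architecture: "${{ matrix.arch }}"
        container_repo: ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}
        image_tag: ${{ steps.set-repo-determine-image-tag.outputs.image-tag }}
        gadget_repository: ${{ steps.set-repo-determine-image-tag.outputs.gadget-repository }}
        gadget_tag: ${{ steps.set-repo-determine-image-tag.outputs.gadget-tag }}
        test_summary_suffix: "EKS-${{ matrix.arch }}"
    # Always tears the cluster down, even after a failed test run.
    - name: Delete EKS cluster ${{ env.CLUSTER_NAME }}
      if: always()
      shell: bash
      run: |
        eksctl delete cluster --name ${{ env.CLUSTER_NAME }} --force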
test-integration-gke:
  name: Integration tests on GKE
  # level: 4
  # Integration tests on a throw-away GKE cluster, one per flavor of the
  # matrix (amd64 and arm64 differ in region and machine type). Runs only
  # when check-secrets reports the GKE secrets are available.
  if: needs.check-secrets.outputs.gke == 'true'
  needs:
    - check-secrets
    - test-unit
    - build-clients
    - build-gadget-container-images
    - publish-gadget-images-manifest
    - build-and-push-gadgets
  runs-on: ubuntu-latest
  strategy:
    fail-fast: false
    matrix:
      flavor:
        - arch: amd64
          region: us-east1
          machine_type: e2-standard-2
        - arch: arm64
          region: us-central1
          machine_type: t2a-standard-2
  # Following permissions are needed to use OIDC authentication with GKE.
  # Only id-token is raised above the workflow-wide read-all.
  permissions:
    id-token: write
    contents: read
  env:
    GKE_CLUSTER_PREFIX: 'ig-ci-gke-'
  steps:
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: Setup go
      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
      with:
        go-version: ${{ env.GO_VERSION }}
        cache: true
    - name: Set container repository and determine image tag
      id: set-repo-determine-image-tag
      uses: ./.github/actions/set-container-repo-and-determine-image-tag
      with:
        registry: ${{ env.REGISTRY }}
        container-image: ${{ env.CONTAINER_REPO }}
    # Authenticates through the workload-identity provider; no
    # service-account key secret is referenced here.
    - name: Authenticate with GKE
      uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
      with:
        project_id: ${{ secrets.GKE_PROJECT }}
        service_account: ${{ secrets.GKE_SERVICE_ACCOUNT }}
        workload_identity_provider: ${{ secrets.GKE_WORKLOAD_IDENTITY_PROVIDER }}
    - name: Set up Cloud SDK
      uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0
    # ${RANDOM} keeps cluster names unique across concurrent runs; later
    # steps read the name back as env.CLUSTER_NAME.
    - name: Craft cluster name
      shell: bash
      run: |
        echo "CLUSTER_NAME=${{ env.GKE_CLUSTER_PREFIX }}${{ matrix.flavor.arch }}-${RANDOM}" >> $GITHUB_ENV
    # Single-node cluster in the flavor's region; arm64 additionally pins the
    # node zones, since its machine type is not offered region-wide.
    - name: Create GKE cluster
      run: |
        # arm64 machine types are only available in zones (us-central1-a, us-central1-b, us-central1-f, us-central1-d) in us-central1 region
        extra_args=""
        if [ ${{ matrix.flavor.arch }} = "arm64" ]; then
          extra_args="--node-locations us-central1-a,us-central1-b,us-central1-f"
        fi
        gcloud container clusters create ${{ env.CLUSTER_NAME }} --project ${{ secrets.GKE_PROJECT }} \
          --region ${{ matrix.flavor.region }} --machine-type ${{ matrix.flavor.machine_type }} --num-nodes 1 --disk-size 50 $extra_args
    - name: Set GKE cluster ${{ env.CLUSTER_NAME }} context
      uses: google-github-actions/get-gke-credentials@c544a3d7e92276d24e03a5632a53aa3913ad5d8a # v2.2.0
      with:
        cluster_name: ${{ env.CLUSTER_NAME }}
        location: ${{ matrix.flavor.region }}
    # ARM nodes come with a taint that prevents pods from being scheduled on them.
    # https://cloud.google.com/kubernetes-engine/docs/how-to/prepare-arm-workloads-for-deployment
    - name: Remove taint for arm64 nodes
      if: ${{ matrix.flavor.arch == 'arm64' }}
      run: |
        kubectl taint nodes --all kubernetes.io/arch=arm64:NoSchedule-
    - name: Run integration tests
      uses: ./.github/actions/run-integration-tests
      with:
        kubernetes_distribution: "gke-COS_containerd"
        kubernetes_architecture: ${{ matrix.flavor.arch }}
        container_repo: ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}
        image_tag: ${{ steps.set-repo-determine-image-tag.outputs.image-tag }}
        gadget_repository: ${{ steps.set-repo-determine-image-tag.outputs.gadget-repository }}
        gadget_tag: ${{ steps.set-repo-determine-image-tag.outputs.gadget-tag }}
        test_summary_suffix: "GKE-${{ matrix.flavor.arch }}"
    # Always runs, so a failed test run does not leave the cluster behind.
    # Waits until no operation on the cluster is RUNNING before issuing the
    # (asynchronous) delete. NOTE(review): the polling loop has no upper
    # bound, so a stuck operation keeps this step going until the job times
    # out.
    - name: Delete GKE cluster
      if: always()
      # default shell is "bash -e {0}" which will fail-fast if the command returns a non-zero exit code
      # See: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsshell
      shell: bash {0}
      run: |
        while [ "$(gcloud container operations list \
          --project ${{ secrets.GKE_PROJECT }} --region ${{ matrix.flavor.region }} \
          --filter="status=RUNNING AND targetLink~${{ env.CLUSTER_NAME }}" --format="value(name)")" ]
        do
          echo "cluster has an ongoing operation, waiting for all operations to finish"
          sleep 15
        done
        gcloud container clusters delete --project ${{ secrets.GKE_PROJECT }} --region ${{ matrix.flavor.region }} ${{ env.CLUSTER_NAME }} --async --quiet
test-integration-minikube:
  # level: 3
  # Integration tests on a multi-node minikube cluster, once per container
  # runtime, with the gadget container image side-loaded from the
  # build-gadget-container-images artifact.
  name: Integr. tests
  runs-on: ubuntu-latest
  needs:
    - test-unit
    - build-clients
    - build-gadget-container-images
    - build-helper-images
    - build-and-push-gadgets
    - check-secrets
  strategy:
    fail-fast: false
    matrix:
      runtime:
        - docker
        - containerd
        - cri-o
  steps:
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: Setup go
      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
      with:
        go-version: '${{ env.GO_VERSION }}'
        cache: true
    - name: Setup minikube
      uses: ./.github/actions/setup-minikube
      with:
        runtime: '${{ matrix.runtime }}'
        multi-node: true
    - name: Get gadget-container-image-linux-amd64.tar from artifact.
      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: gadget-container-image-linux-amd64.tar
        path: /home/runner/work/inspektor-gadget/
    - id: set-repo-determine-image-tag
      name: Set container repository and determine image tag
      uses: ./.github/actions/set-container-repo-and-determine-image-tag
      with:
        registry: '${{ env.REGISTRY }}'
        container-image: '${{ env.CONTAINER_REPO }}'
    # The image is loaded into minikube from the downloaded archive rather
    # than pulled from the registry.
    - name: Prepare minikube by loading gadget-container-image-linux-amd64.tar
      run: |
        # 'docker load' ensures the image is named correctly e.g podman has issues loading untagged images from archive
        docker load -i /home/runner/work/inspektor-gadget/gadget-container-image-linux-amd64.tar
        minikube image load ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}:${{ steps.set-repo-determine-image-tag.outputs.image-tag }}
    # Gadget image verification is toggled by the cosign output of
    # check-secrets.
    - name: Run integration tests
      uses: ./.github/actions/run-integration-tests
      with:
        kubernetes_distribution: minikube-github
        kubernetes_architecture: amd64
        container_repo: '${{ steps.set-repo-determine-image-tag.outputs.container-repo }}'
        image_tag: '${{ steps.set-repo-determine-image-tag.outputs.image-tag }}'
        dnstester_image: '${{ needs.build-helper-images.outputs.dnstester_image }}'
        gadget_repository: '${{ steps.set-repo-determine-image-tag.outputs.gadget-repository }}'
        gadget_tag: '${{ steps.set-repo-determine-image-tag.outputs.gadget-tag }}'
        gadget_verify_image: '${{ needs.check-secrets.outputs.cosign }}'
        test_summary_suffix: '${{ matrix.runtime }}'
publish-test-reports:
  # level: 5
  # Collects the test-reports artifact produced by the test jobs and stores
  # it via tools/store-test-reports.sh. Runs whether or not those jobs
  # succeeded.
  name: Publish test reports
  runs-on: ubuntu-latest
  needs:
    - test-integration-minikube
    - test-integration-aks
    - test-integration-aro
    - test-integration-eks
    - test-integration-gke
    - test-integration-k8s-ig
    - test-integration-non-k8s-ig
    - test-gadgets-local
    - test-gadgets-k8s
  # Skip this job when running on a fork or a PR from a fork.
  if: >-
    always() && (
    (github.event_name == 'push' && github.repository == 'inspektor-gadget/inspektor-gadget') ||
    (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'inspektor-gadget/inspektor-gadget'))
  steps:
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: Get all reports
      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: test-reports
    # `bash {0}` runs without -e, so the script's own exit status decides
    # the outcome of the step.
    - name: Store test reports
      shell: bash {0}
      env:
        TEST_REPORTS_TOKEN: '${{ secrets.TEST_REPORTS_TOKEN }}'
      run: ./tools/store-test-reports.sh
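release:
  name: Release
  # level: 5
  # Builds a draft GitHub release for v* tags: the deploy manifest, the
  # client tarballs, distribution packages, a SHA256SUMS file (cosign-signed
  # when check-secrets found the signing key), SBOMs and the Helm charts.
  needs:
    - ebpf-objects-checks
    - lint
    - semgrep
    - test-integration-minikube
    - test-integration-aks
    - test-components
    - build-ig-cwe
    - test-ig
    - test-gadgets-local
    - test-integration-k8s-ig
    - test-integration-non-k8s-ig
    - build-examples
    - build-gadgets-examples
    - package-helm-charts
    - check-secrets
    - scan-gadget-container-images
    - publish-gadget-images-manifest
    - public-key-check
  runs-on: ubuntu-latest
  # contents: write is the only scope raised above the workflow-wide
  # read-all; creating the release and uploading its assets needs it.
  permissions:
    contents: write
  if: startsWith(github.ref, 'refs/tags/v')
  steps:
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - id: set-repo-determine-image-tag
      uses: ./.github/actions/set-container-repo-and-determine-image-tag
      with:
        registry: ${{ env.REGISTRY }}
        container-image: ${{ env.CONTAINER_REPO }}
    # Concatenates the deploy manifest and the traces CRD into one file and
    # rewrites the image reference and "latest" tag to the tagged release
    # image.
    - name: Build release YAML
      run: |
        export IMAGE_TAG=${{ steps.set-repo-determine-image-tag.outputs.image-tag }}
        export IMAGE="${{ env.REGISTRY }}/${{ env.CONTAINER_REPO }}:${IMAGE_TAG}"
        # Use echo of cat to avoid printing a new line between files.
        echo "$(cat pkg/resources/manifests/deploy.yaml) $(cat pkg/resources/crd/bases/gadget.kinvolk.io_traces.yaml)" > inspektor-gadget-${{ github.ref_name }}.yaml
        perl -pi -e 's@(image:) ".+\"@$1 "$ENV{IMAGE}"@; s@"latest"@"$ENV{IMAGE_TAG}"@;' inspektor-gadget-${{ github.ref_name }}.yaml
    # The release is created as a draft; publishing it stays a manual step.
    - name: Create Draft Release
      id: create_release
      uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        name: Release ${{ github.ref_name }}
        draft: true
    # No name filter: every artifact of the run is downloaded, each into a
    # directory named after the artifact (see the globs below).
    - name: Get all artifacts.
      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
    - name: Setup go
      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
      with:
        go-version: ${{ env.GO_VERSION }}
        cache: true
      id: go
    # nfpm is pinned to a commit. Each ig tarball is unpacked and packaged
    # for apk, deb, rpm and archlinux from the .nfpm_template.yaml template;
    # the architecture is taken from the artifact directory name.
    - name: Build ig distributions packages
      run: |
        go install github.com/goreleaser/nfpm/v2/cmd/nfpm@d33a9233bb7acf04621b78114114476196d7977 # v2.38.0
        mkdir ig_packages
        for ig_archive in ig-*-*-tar-gz/ig-*-*.tar.gz; do
          cp .nfpm_template.yaml nfpm.yaml
          mkdir archive_output
          tar zxvf $ig_archive -C archive_output
          export path=$(find archive_output -name 'ig')
          # Fill the template file with corresponding information.
          export arch=$(echo $ig_archive | cut -d'-' -f3)
          perl -pi -e 's/IG_ARCH/$ENV{arch}/; s/IG_VERSION/${{ github.ref_name }}/; s/IG_PATH/$ENV{path}/' nfpm.yaml
          # Build the packages
          for distro in apk deb rpm archlinux; do
            package=$(nfpm package -p $distro | grep 'created package' | cut -d':' -f2)
            mv $package ig_packages
          done
          rm -r archive_output
          rm nfpm.yaml
        done
    - name: Rename all artifacts to *-${{ github.ref_name }}.tar.gz
      shell: bash
      run: |
        for i in kubectl-gadget-*-*-tar-gz/kubectl-gadget-*-*.tar.gz ig-*-*-tar-gz/ig-*-*.tar.gz gadgetctl-*-*-tar-gz/gadgetctl-*-*.tar.gz; do
          mv $i $(dirname $i)/$(basename $i .tar.gz)-${{ github.ref_name }}.tar.gz
        done
    # SHA256SUMS covers the tarballs, the release manifest and the packages;
    # it is the file that gets signed below.
    - name: Compute checksums for all artifacts
      shell: bash
      run: |
        for i in kubectl-gadget-*-*-tar-gz/kubectl-gadget-*-*.tar.gz ig-*-*-tar-gz/ig-*-*.tar.gz gadgetctl-*-*-tar-gz/gadgetctl-*-*.tar.gz inspektor-gadget-${{ github.ref_name }}.yaml ig_packages/*; do
          hash=$(sha256sum $i | cut -d' ' -f1)
          echo "${hash} $(basename $i)" >> SHA256SUMS
        done
    - name: Install cyclonedx-gomod
      uses: CycloneDX/gh-gomod-generate-sbom@efc74245d6802c8cefd925620515442756c70d8f # v2.0.0
    # One CycloneDX SBOM per binary tarball, generated from the extracted
    # executable.
    - name: Compute SBOM for all binary artifacts
      shell: bash
      run: |
        mkdir sbom
        for i in kubectl-gadget-*-*-tar-gz/kubectl-gadget-*-*.tar.gz ig-*-*-tar-gz/ig-*-*.tar.gz gadgetctl-*-*-tar-gz/gadgetctl-*-*.tar.gz; do
          temp_dir=$(mktemp -d)
          tar zxvf $i -C $temp_dir
          exe=$(find $temp_dir -type f -executable)
          cyclonedx-gomod bin -json -output sbom/$(basename $i .tar.gz).bom.json -version ${{ github.ref_name }} $exe
          rm -fr $temp_dir
        done
    # Signing only happens when check-secrets found the cosign key.
    - name: Install Cosign
      if: needs.check-secrets.outputs.cosign == 'true'
      uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
    # The private key and its password reach cosign through the environment
    # (env://) rather than a file on disk; the signature and bundle are
    # written next to SHA256SUMS and uploaded further down.
    - name: Sign checksums file
      if: needs.check-secrets.outputs.cosign == 'true'
      shell: bash
      env:
        COSIGN_PASSWORD: '${{ secrets.COSIGN_PASSWORD }}'
        COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
      run: |
        checksums_file=SHA256SUMS
        cosign sign-blob --key env://COSIGN_PRIVATE_KEY --yes $checksums_file --output-signature="${checksums_file}.sig" --bundle="${checksums_file}.bundle"
        # Derivate public key from private key to publish it as release
        # artifact, so people can verify our signature.
        cosign public-key --key env://COSIGN_PRIVATE_KEY > inspektor-gadget.pub
    # NOTE(review): none of the steps that follow in this job push to the
    # registry, so this login looks unused; confirm and drop it if so, to
    # keep the registry credential off the runner when nothing needs it.
    - name: Login to Container Registry
      uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
      with:
        registry: ${{ env.REGISTRY }}
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}
    # Every upload below attaches files to the draft release created above,
    # authenticated with the job's GITHUB_TOKEN.
    - name: Upload kubectl-gadget binary
      uses: csexton/release-asset-action@3567794e918fa3068116688122a76cdeb57b5f09 # v3
      with:
        pattern: "kubectl-gadget-*-*-tar-gz/kubectl-gadget-*-*.tar.gz"
        github-token: ${{ secrets.GITHUB_TOKEN }}
        release-url: ${{ steps.create_release.outputs.upload_url }}
    - name: Upload IG *.tar.gz binary
      uses: csexton/release-asset-action@3567794e918fa3068116688122a76cdeb57b5f09 # v3
      with:
        pattern: "ig-*-*-tar-gz/ig-*-*.tar.gz"
        github-token: ${{ secrets.GITHUB_TOKEN }}
        release-url: ${{ steps.create_release.outputs.upload_url }}
    - name: Upload gadgetctl *.tar.gz binary
      uses: csexton/release-asset-action@3567794e918fa3068116688122a76cdeb57b5f09 # v3
      with:
        pattern: "gadgetctl-*-*-tar-gz/gadgetctl-*-*.tar.gz"
        github-token: ${{ secrets.GITHUB_TOKEN }}
        release-url: ${{ steps.create_release.outputs.upload_url }}
    - name: Upload YAML
      uses: csexton/release-asset-action@3567794e918fa3068116688122a76cdeb57b5f09 # v3
      with:
        file: inspektor-gadget-${{ github.ref_name }}.yaml
        github-token: ${{ secrets.GITHUB_TOKEN }}
        release-url: ${{ steps.create_release.outputs.upload_url }}
    - name: Upload checksums file
      uses: csexton/release-asset-action@3567794e918fa3068116688122a76cdeb57b5f09 # v3
      with:
        file: SHA256SUMS
        github-token: ${{ secrets.GITHUB_TOKEN }}
        release-url: ${{ steps.create_release.outputs.upload_url }}
    - name: Upload IG distributions packages
      uses: csexton/release-asset-action@3567794e918fa3068116688122a76cdeb57b5f09 # v3
      with:
        pattern: "ig_packages/ig*"
        github-token: ${{ secrets.GITHUB_TOKEN }}
        release-url: ${{ steps.create_release.outputs.upload_url }}
    - name: Upload Inspektor Gadget Helm Charts
      uses: csexton/release-asset-action@3567794e918fa3068116688122a76cdeb57b5f09 # v3
      with:
        pattern: "gadget-charts-tgz/gadget-*.tgz"
        github-token: ${{ secrets.GITHUB_TOKEN }}
        release-url: ${{ steps.create_release.outputs.upload_url }}
    # NOTE(review): the *.pub, *.bundle and *.sig uploads carry no
    # check-secrets cosign guard, unlike the steps that produce those files;
    # confirm the action tolerates an empty pattern match when signing was
    # skipped.
    - name: Upload public key
      uses: csexton/release-asset-action@3567794e918fa3068116688122a76cdeb57b5f09 # v3
      with:
        pattern: "*.pub"
        github-token: ${{ secrets.GITHUB_TOKEN }}
        release-url: ${{ steps.create_release.outputs.upload_url }}
    - name: Upload bundle
      uses: csexton/release-asset-action@3567794e918fa3068116688122a76cdeb57b5f09 # v3
      with:
        pattern: "*.bundle"
        github-token: ${{ secrets.GITHUB_TOKEN }}
        release-url: ${{ steps.create_release.outputs.upload_url }}
    - name: Upload signature
      uses: csexton/release-asset-action@3567794e918fa3068116688122a76cdeb57b5f09 # v3
      with:
        pattern: "*.sig"
        github-token: ${{ secrets.GITHUB_TOKEN }}
        release-url: ${{ steps.create_release.outputs.upload_url }}
    - name: Upload binaries SBOMs
      uses: csexton/release-asset-action@3567794e918fa3068116688122a76cdeb57b5f09 # v3
      with:
        pattern: "sbom/*.bom.json"
        github-token: ${{ secrets.GITHUB_TOKEN }}
        release-url: ${{ steps.create_release.outputs.upload_url }}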