ci: upgrade artifact actions #536

Merged: 3 commits, Nov 6, 2024
8 changes: 4 additions & 4 deletions .github/workflows/reusable-publish-oci-artifacts.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -23,13 +23,13 @@ jobs:

steps:
- name: Download x86_64 plugins
uses: actions/download-artifact@v3
uses: actions/download-artifact@v4
with:
name: plugins-x86_64-${{ inputs.suffix }}.tar.gz
path: /tmp/plugins-x86_64

- name: Download aarch64 plugins
uses: actions/download-artifact@v3
uses: actions/download-artifact@v4
with:
name: plugins-aarch64-${{ inputs.suffix }}.tar.gz
path: /tmp/plugins-aarch64
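
Review bot: Both download steps now require that `plugins-x86_64-${{ inputs.suffix }}.tar.gz` and `plugins-aarch64-${{ inputs.suffix }}.tar.gz` were uploaded with upload-artifact@v4, because download-artifact@v4 cannot read artifacts produced by v3. Please confirm that every workflow producing these two names is bumped in this same PR, otherwise this job fails at download time.
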
Expand All @@ -42,7 +42,7 @@ jobs:
- name: Setup Golang
uses: actions/setup-go@v3
with:
go-version: '^1.21'
go-version: "^1.21"

- name: Build registry artifact tool
working-directory: build/registry
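
Review bot: The only change in this hunk is the quote style on `go-version`, which is formatter churn unrelated to the artifact upgrade and makes the functional edits harder to pick out. Consider moving the quote and whitespace changes to a separate commit. Note also that `actions/setup-go@v3` stays on v3 while the artifact actions move to v4; say in the PR description whether that is intentional.
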
Expand All @@ -68,7 +68,7 @@ jobs:

# Create signatures of the plugin artifacts as OCI artifacts
sign-oci-artifacts:
needs: [ publish-oci-artifacts ]
needs: [publish-oci-artifacts]
runs-on: ubuntu-latest

if: ${{ needs.publish-oci-artifacts.outputs.matrix != '[]' }}
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/reusable_build_packages.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -10,11 +10,11 @@ on:
description: Suffix for uploading packages (dev or stable)
required: true
type: string

jobs:
build-packages:
name: build-packages-${{ matrix.arch }}
runs-on: ${{ (matrix.arch == 'aarch64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-22.04' }}
runs-on: ${{ (matrix.arch == 'aarch64' && 'github-arm64-2c-8gb') || 'ubuntu-22.04' }}
strategy:
matrix:
arch: [x86_64, aarch64]
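
Review bot: The `runs-on` change for aarch64, from `actuated-arm64-8cpu-16gb` to `github-arm64-2c-8gb`, is not an artifact action upgrade and is not mentioned in the PR title. Going by the labels it moves the build from 8 CPUs and 16 GB to 2 cores and 8 GB. Please split it into its own commit or call it out in the description, and check that the aarch64 build still finishes within the job timeout.
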
Expand Down Expand Up @@ -42,12 +42,12 @@ jobs:

- name: Safe directory
run: git config --global --add safe.directory $GITHUB_WORKSPACE

- name: Run build 🏗️
run: ${{ inputs.makecommand }}

- name: Upload artifacts
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: plugins-${{ matrix.arch }}-${{ inputs.suffix }}.tar.gz
path: output/*.tar.gz
8 changes: 4 additions & 4 deletions .github/workflows/reusable_build_rules_tool.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -12,15 +12,15 @@ on:
required: false
default: falcosecurity/rules
type: string

jobs:
build-rules-checker:
runs-on: ubuntu-latest
steps:
- name: Setup Golang
uses: actions/setup-go@v3
with:
go-version: '1.19.0'
go-version: "1.19.0"

- name: Checkout rules
uses: actions/checkout@v3
Expand All @@ -30,13 +30,13 @@ jobs:
- name: Build checker tool
working-directory: build/checker
run: go build -o ${{ inputs.output }}

- name: Test checker tool
working-directory: build/checker
run: go test ./... -cover

- name: Upload artifacts
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: rules-tool.tar.gz
path: build/checker/${{ inputs.output }}
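
Review bot: The `Upload artifacts` step uses the fixed name `rules-tool.tar.gz`, and v4 artifacts are immutable: a second upload to an existing name in the same run fails, where v3 merged the files. If this reusable workflow can be called more than once in a single run, either make the name unique per caller or set `overwrite: true` on the step.
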
Expand Down
17 changes: 8 additions & 9 deletions .github/workflows/reusable_publish_packages.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -6,32 +6,32 @@ on:
description: Suffix for uploading packages (dev or stable)
required: true
type: string

permissions:
id-token: write
contents: read

env:
AWS_S3_BUCKET: falco-distribution
AWS_S3_PREFIX: plugins
AWS_S3_REGION: eu-west-1
AWS_S3_REGION: eu-west-1

jobs:
publish-packages:
runs-on: ubuntu-latest
steps:
- name: Download x86_64 plugins
uses: actions/download-artifact@v3
uses: actions/download-artifact@v4
with:
name: plugins-x86_64-${{ inputs.suffix }}.tar.gz
path: /tmp/plugins-x86_64

- name: Download aarch64 plugins
uses: actions/download-artifact@v3
uses: actions/download-artifact@v4
with:
name: plugins-aarch64-${{ inputs.suffix }}.tar.gz
path: /tmp/plugins-aarch64

- name: Configure AWS credentials 🔧⚙️
uses: aws-actions/configure-aws-credentials@v2
with:
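
Review bot: This job holds `id-token: write` and goes on to configure AWS credentials, yet every action in it, including the bumped `actions/download-artifact@v4` and `aws-actions/configure-aws-credentials@v2`, is referenced by a mutable tag. Since these `uses:` lines are being edited anyway, pin each one to a full commit SHA with the version in a trailing comment, so that a retagged release cannot run with the publishing role.
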
Expand All @@ -42,5 +42,4 @@ jobs:
run: |
for package in /tmp/plugins-*/*.tar.gz; do
aws s3 cp --no-progress $package s3://${{ env.AWS_S3_BUCKET}}/${{ env.AWS_S3_PREFIX }}/${{ inputs.suffix }}/
done

done
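
Review bot: In the upload loop, `$package` is expanded unquoted in `aws s3 cp --no-progress $package s3://...`, so a tarball name containing whitespace or glob characters would be split or re-expanded before it reaches the CLI. The file names come from downloaded build artifacts rather than from this workflow, so quote it as "$package".
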
18 changes: 9 additions & 9 deletions .github/workflows/reusable_suggest_rules_version.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -52,22 +52,22 @@ jobs:
run: ./.github/get-latest-plugin-version.sh ${{ inputs.plugin }}

- name: Download rules tool
uses: actions/download-artifact@v3
uses: actions/download-artifact@v4
with:
name: rules-tool.tar.gz

# note: here we're loading the locally-built plugins, whereas another
# solution would be to pull them with falcoctl. The flaw with this
# approach is that we load the same plugin for both the "old" and the
# "new" rulesets. The issue would be that the job would fail whenever
# the two rulesets depend on plugins with different majors.
# todo(jasondellaluce): fix this corner case in the future
- name: Download plugins
uses: actions/download-artifact@v3
uses: actions/download-artifact@v4
with:
name: ${{ inputs.plugins-artifact }}
path: /tmp/plugins-${{ inputs.arch }}

- name: Extract plugins
run: |
for archive in /tmp/plugins-*/*.tar.gz; do
Expand All @@ -77,7 +77,7 @@ jobs:
sudo mkdir -p /usr/share/falco/plugins
sudo cp -r *.so /usr/share/falco/plugins || true
popd && rm -fr tmpdir
done
done

- name: Compare changed files with previous versions
id: compare
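
Review bot: In the `Extract plugins` loop, `sudo cp -r *.so /usr/share/falco/plugins || true` discards a failed copy, so an archive that yields no `.so` file lets the comparison step run without the plugin installed. Drop the `|| true`, or at least log which archive produced no `.so`, so that a broken artifact surfaces here rather than as a confusing failure later.
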
Expand Down Expand Up @@ -114,7 +114,7 @@ jobs:
cp ${{ steps.compare.outputs.comment_file }} ./pr/COMMENT-${{ inputs.job-index }}

- name: Upload PR info as artifact
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
if: steps.compare.outputs.comment_file != ''
with:
name: pr-${{ inputs.job-index }}
Expand All @@ -127,10 +127,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Download PR infos
uses: actions/download-artifact@v3
uses: actions/download-artifact@v4
with:
path: tmp-artifacts

- name: Save PR info
run: |
mkdir -p ./pr
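
Review bot: The `Download PR infos` step has no `name`, so it pulls every artifact of the run into `tmp-artifacts`, including the plugin tarballs and `rules-tool.tar.gz` that earlier steps in this file download by name, when only the `pr-${{ inputs.job-index }}` uploads are needed. download-artifact@v4 accepts `pattern: pr-*` to limit the download; each matching artifact still lands in its own subdirectory unless `merge-multiple: true` is set.
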
Expand All @@ -149,7 +149,7 @@ jobs:
echo ""

- name: Upload PR info as artifact
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: pr
path: pr/
Expand Down
22 changes: 11 additions & 11 deletions .github/workflows/reusable_validate_plugins.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ jobs:
runs-on: ubuntu-latest
container: golang:1.18
env:
GOFLAGS: '-buildvcs=false'
GOFLAGS: "-buildvcs=false"
steps:
- name: Checkout code
uses: actions/checkout@v3
Expand All @@ -47,12 +47,12 @@ jobs:
run: ./.github/setup-plugin-config-rules.sh ${{ inputs.plugin }}

- name: Download rules tool
uses: actions/download-artifact@v3
uses: actions/download-artifact@v4
with:
name: rules-tool.tar.gz

- name: Download plugins
uses: actions/download-artifact@v3
uses: actions/download-artifact@v4
with:
name: ${{ inputs.plugins-artifact }}
path: /tmp/plugins-${{ inputs.arch }}
Expand All @@ -66,13 +66,13 @@ jobs:

mkdir -p /etc/falco/falco
mkdir -p /usr/share/falco/plugins

# avoids git exit status 128: detected dubious ownership in repository
git config --global --add safe.directory $(pwd)

for plugin_name in $loaded_plugins; do
echo Installing locally-built plugin "$plugin_name"...

# At release time we only build the released plugin, so it's possible
# that validation requires a plugin that we haven't built locally.
# in those cases, we build it on-the-fly perform validation with it.
Expand Down Expand Up @@ -122,28 +122,28 @@ jobs:
uses: actions/checkout@v3

- name: Install system dependencies
run: sudo wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq && sudo chmod +x /usr/bin/yq
run: sudo wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq && sudo chmod +x /usr/bin/yq

- name: Setup plugin config and rules
id: get-config
run: ./.github/setup-plugin-config-rules.sh ${{ inputs.plugin }}

- name: Download plugins
uses: actions/download-artifact@v3
uses: actions/download-artifact@v4
with:
name: ${{ inputs.plugins-artifact }}
path: /tmp/plugins-${{ inputs.arch }}

- name: Download rules tool
uses: actions/download-artifact@v3
uses: actions/download-artifact@v4
with:
name: rules-tool.tar.gz

- name: Download falcoctl
run: |
curl --fail -LS "https://github.com/falcosecurity/falcoctl/releases/download/v${{ inputs.falcoctl-version }}/falcoctl_${{ inputs.falcoctl-version }}_linux_${{ inputs.arch == 'x86_64' && 'amd64' || 'arm64' }}.tar.gz" | tar -xz
sudo install -o root -g root -m 0755 falcoctl /usr/local/bin/falcoctl

# note(jsondellaluce): exploring the set of all dependencies including their
# alternatives and all the possible combinations of different versions would
# result in a combinatorial explosion. As such, we take the simple route
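
Review bot: In `Install system dependencies`, yq is fetched from `releases/latest` and installed as root into `/usr/bin` with no version pin and no checksum check, so the validation job runs whatever binary is current at that URL. The hunk only touches whitespace on this line, but it is worth pinning a release tag and verifying a checksum before `chmod +x`. The `Download falcoctl` step pins its version through `inputs.falcoctl-version` but likewise pipes the tarball into `tar` unverified.
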
Expand Down Expand Up @@ -223,4 +223,4 @@ jobs:
"${{ inputs.rules-checker }}" \
"${{ steps.get-config.outputs.config_file }}" \
"$rules_files"
done
done