diff --git a/.github/workflows/master.yaml b/.github/workflows/master.yaml index 7f35686411e..921f4805e41 100644 --- a/.github/workflows/master.yaml +++ b/.github/workflows/master.yaml 
@@ -9,46 +9,85 @@ concurrency: cancel-in-progress: true jobs: + # We need to use an ubuntu-latest to fetch Falco version because + # Falco version is computed by some cmake scripts that do git sorceries + # to get the current version. + # But centos7 jobs have a git version too old and actions/checkout does not + # fully clone the repo, but uses http rest api instead. + fetch-version: + runs-on: ubuntu-latest + # Map the job outputs to step outputs + outputs: + version: ${{ steps.store_version.outputs.version }} + steps: + - name: Checkout + uses: actions/checkout@v3 + with: + fetch-depth: 0 + + - name: Install build dependencies + run: | + sudo apt update + sudo apt install -y cmake build-essential + + - name: Configure project + run: | + mkdir build && cd build + cmake -DUSE_BUNDLED_DEPS=On .. + + - name: Load and store Falco version output + id: store_version + run: | + FALCO_VERSION=$(cat build/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//') + echo "version=${FALCO_VERSION}" >> $GITHUB_OUTPUT + build-dev-packages: + needs: [fetch-version] uses: falcosecurity/falco/.github/workflows/reusable_build_packages.yaml@master with: arch: x86_64 + version: ${{ needs.fetch-version.outputs.version }} secrets: inherit build-dev-packages-arm64: + needs: [fetch-version] uses: falcosecurity/falco/.github/workflows/reusable_build_packages.yaml@master with: arch: aarch64 + version: ${{ needs.fetch-version.outputs.version }} secrets: inherit publish-dev-packages: - needs: [build-dev-packages, build-dev-packages-arm64] + needs: [fetch-version, build-dev-packages, build-dev-packages-arm64] uses: falcosecurity/falco/.github/workflows/reusable_publish_packages.yaml@master with: bucket_suffix: '-dev' - version: ${{ needs.build-dev-packages.outputs.version }} + version: ${{ needs.fetch-version.outputs.version }} secrets: inherit - # Both build-dev-docker and its arm64 counterpart require build-dev-packages because they use its 
output build-dev-docker: - needs: [build-dev-packages, publish-dev-packages] + needs: [fetch-version, publish-dev-packages] uses: falcosecurity/falco/.github/workflows/reusable_build_docker.yaml@master with: arch: x86_64 bucket_suffix: '-dev' - version: ${{ needs.build-dev-packages.outputs.version }} + version: ${{ needs.fetch-version.outputs.version }} + tag: master secrets: inherit build-dev-docker-arm64: - needs: [build-dev-packages, publish-dev-packages] + needs: [fetch-version, publish-dev-packages] uses: falcosecurity/falco/.github/workflows/reusable_build_docker.yaml@master with: arch: aarch64 bucket_suffix: '-dev' - version: ${{ needs.build-dev-packages.outputs.version }} + version: ${{ needs.fetch-version.outputs.version }} + tag: master secrets: inherit publish-dev-docker: - needs: [build-dev-docker, build-dev-docker-arm64] + needs: [fetch-version, build-dev-docker, build-dev-docker-arm64] uses: falcosecurity/falco/.github/workflows/reusable_publish_docker.yaml@master + with: + tag: master secrets: inherit diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index b1688d1f108..37344eec65f 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -1,8 +1,7 @@ name: Release Packages and Docker images on: - push: - tags: - - '[0-9]+.[0-9]+.[0-9]+' + release: + types: [published] # Checks if any concurrent jobs is running for release CI and eventually cancel it. concurrency: 
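Review bot: The `Load and store Falco version output` step in the new `fetch-version` job runs under the default `bash -e` shell, which (per GitHub's documentation) does not enable `pipefail`, so if `build/userspace/falco/config_falco.h` is missing or the `grep` matches nothing the pipeline still exits 0 and `version=` is written empty to `$GITHUB_OUTPUT`; every downstream build and publish job then runs with an empty version. Add `shell: bash` to the step (which switches to `bash -eo pipefail`) or guard the value before writing it: `[ -n "${FALCO_VERSION}" ] || { echo "FALCO_VERSION not found in config_falco.h" >&2; exit 1; }`. The redirect target should also be quoted, `>> "$GITHUB_OUTPUT"`.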
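Review bot: The `release: types: [published]` trigger fires for every published release, pre-releases included, and the `[0-9]+.[0-9]+.[0-9]+` tag filter that previously limited the pipeline at the trigger level is gone, so the semver check in `release-settings` is now the only gate between a published release and the publishing jobs. That is worth stating above `release:` for the next reader, e.g. `# Fires for stable and pre-releases alike; release-settings validates the tag and routes pre-releases to the -dev bucket.` The `release-settings` job itself is defined in the following hunk.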
@@ -10,44 +9,98 @@ concurrency: cancel-in-progress: true jobs: + release-settings: + runs-on: ubuntu-latest + outputs: + is_latest: ${{ steps.get_settings.outputs.is_latest }} + bucket_suffix: ${{ steps.get_settings.outputs.bucket_suffix }} + steps: + - name: Get latest release + uses: rez0n/actions-github-release@v2.0 + id: latest_release + env: + token: ${{ secrets.GITHUB_TOKEN }} + repository: ${{ github.repository }} + type: "stable" + + - name: Get settings for this release + id: get_settings + shell: python + run: | + import os + import re + import sys + + semver_no_meta = '''^(?P0|[1-9]\d*)\.(?P0|[1-9]\d*)\.(?P0|[1-9]\d*)(?:-(?P(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?$''' + tag_name = '${{ github.event.release.tag_name }}' + + is_valid_version = re.match(semver_no_meta, tag_name) is not None + if not is_valid_version: + print(f'Release version {tag_name} is not a valid full or pre-release. See RELEASE.md for more information.') + sys.exit(1) + + is_prerelease = '-' in tag_name + + # Safeguard: you need to both set "latest" in GH and not have suffixes to overwrite latest + is_latest = '${{ steps.latest_release.outputs.release }}' == tag_name and not is_prerelease + + bucket_suffix = '-dev' if is_prerelease else '' + + with open(os.environ['GITHUB_OUTPUT'], 'a') as ofp: + print(f'is_latest={is_latest}'.lower(), file=ofp) + print(f'bucket_suffix={bucket_suffix}', file=ofp) + build-packages: + needs: [release-settings] uses: falcosecurity/falco/.github/workflows/reusable_build_packages.yaml@master with: arch: x86_64 + version: ${{ github.event.release.tag_name }} secrets: inherit build-packages-arm64: + needs: [release-settings] uses: falcosecurity/falco/.github/workflows/reusable_build_packages.yaml@master with: arch: aarch64 + version: ${{ github.event.release.tag_name }} secrets: inherit publish-packages: - needs: [build-packages, build-packages-arm64] + needs: [release-settings, build-packages, 
build-packages-arm64] uses: falcosecurity/falco/.github/workflows/reusable_publish_packages.yaml@master with: - version: ${{ needs.build-packages.outputs.version }} + bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }} + version: ${{ github.event.release.tag_name }} secrets: inherit # Both build-docker and its arm64 counterpart require build-packages because they use its output build-docker: - needs: [build-packages, publish-packages] + needs: [release-settings, build-packages, publish-packages] uses: falcosecurity/falco/.github/workflows/reusable_build_docker.yaml@master with: arch: x86_64 - version: ${{ needs.build-packages.outputs.version }} + is_latest: ${{ needs.release-settings.outputs.is_latest == 'true' }} + bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }} + version: ${{ github.event.release.tag_name }} + tag: ${{ github.event.release.tag_name }} secrets: inherit build-docker-arm64: - needs: [build-packages, publish-packages] + needs: [release-settings, build-packages, publish-packages] uses: falcosecurity/falco/.github/workflows/reusable_build_docker.yaml@master with: arch: aarch64 - version: ${{ needs.build-packages.outputs.version }} + is_latest: ${{ needs.release-settings.outputs.is_latest == 'true' }} + bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }} + version: ${{ github.event.release.tag_name }} + tag: ${{ github.event.release.tag_name }} secrets: inherit publish-docker: - needs: [build-docker, build-docker-arm64] + needs: [release-settings, build-docker, build-docker-arm64] uses: falcosecurity/falco/.github/workflows/reusable_publish_docker.yaml@master secrets: inherit - + with: + is_latest: ${{ needs.release-settings.outputs.is_latest == 'true' }} + tag: ${{ github.event.release.tag_name }} diff --git a/.github/workflows/reusable_build_docker.yaml b/.github/workflows/reusable_build_docker.yaml index af3ec72bfea..c1f7dc6977d 100644 --- a/.github/workflows/reusable_build_docker.yaml 
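Review bot: `tag_name = '${{ github.event.release.tag_name }}'` and `'${{ steps.latest_release.outputs.release }}'` in the `Get settings for this release` step are expanded into the Python source before it runs, so a tag name containing a quote or newline alters the script instead of being rejected by its validation; the usual hardening is to pass both values through `env:` and read them with `os.environ`, as below. The `semver_no_meta` pattern should be a raw string (`r'''...'''`) so `\d` and `\.` are not subject to escape processing, and as rendered here its named groups read `(?P0|...)`, which `re.match` would reject with `re.error` — presumably the `(?P<name>` parts were lost in rendering, but worth confirming in the file. `rez0n/actions-github-release@v2.0` receives `secrets.GITHUB_TOKEN` and is pinned to a mutable tag; pinning third-party actions to a full commit SHA keeps a retagged release from running different code with that token. Publishing a release requires write access to the repository, so the exposure is limited to that trust level, but this step's `is_latest` and `bucket_suffix` outputs steer every downstream publish job.
```yaml
      - name: Get settings for this release
        id: get_settings
        shell: python
        env:
          TAG_NAME: ${{ github.event.release.tag_name }}
          LATEST_RELEASE: ${{ steps.latest_release.outputs.release }}
        run: |
          import os
          import re
          import sys

          # … unchanged: semver_no_meta pattern (as a raw string) …
          tag_name = os.environ['TAG_NAME']
          # … unchanged: validation, is_prerelease …
          is_latest = os.environ['LATEST_RELEASE'] == tag_name and not is_prerelease
          # … unchanged: bucket_suffix and GITHUB_OUTPUT writes …
```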
+++ b/.github/workflows/reusable_build_docker.yaml @@ -12,9 +12,18 @@ on: default: '' type: string version: - description: 'Falco version extracted from userspace/falco/config_falco.h' + description: The Falco version to use when building images required: true type: string + tag: + description: The tag to use (e.g. "master" or "0.35.0") + required: true + type: string + is_latest: + description: Update the latest tag with the new image + required: false + type: boolean + default: false # Here we just build all docker images as tarballs, # then we upload all the tarballs to be later downloaded by reusable_publish_docker workflow. @@ -39,10 +48,10 @@ jobs: VERSION_BUCKET=bin${{ inputs.bucket_suffix }} FALCO_VERSION=${{ inputs.version }} tags: | - falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ github.ref_name }} - falcosecurity/falco:${{ inputs.arch }}-${{ github.ref_name }}-slim - public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ github.ref_name }} - public.ecr.aws/falcosecurity/falco:${{ inputs.arch }}-${{ github.ref_name }}-slim + falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ inputs.tag }} + falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }}-slim + public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ inputs.tag }} + public.ecr.aws/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }}-slim outputs: type=docker,dest=/tmp/falco-no-driver-${{ inputs.arch }}.tar - name: Build falco image @@ -53,8 +62,8 @@ jobs: VERSION_BUCKET=deb${{ inputs.bucket_suffix }} FALCO_VERSION=${{ inputs.version }} tags: | - falcosecurity/falco:${{ inputs.arch }}-${{ github.ref_name }} - public.ecr.aws/falcosecurity/falco:${{ inputs.arch }}-${{ github.ref_name }} + falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }} + public.ecr.aws/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }} outputs: type=docker,dest=/tmp/falco-${{ inputs.arch }}.tar - name: Build falco-driver-loader image 
@@ -62,20 +71,20 @@ jobs: with: context: ${{ github.workspace }}/docker/driver-loader/ build-args: | - FALCO_IMAGE_TAG=${{ inputs.arch }}-${{ github.ref_name }} + FALCO_IMAGE_TAG=${{ inputs.arch }}-${{ inputs.tag }} tags: | - falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ github.ref_name }} - public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ github.ref_name }} + falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }} + public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }} outputs: type=docker,dest=/tmp/falco-driver-loader-${{ inputs.arch }}.tar - name: Build no-driver latest image - if: ${{ github.ref_name != 'master' }} + if: ${{ inputs.is_latest }} uses: docker/build-push-action@v3 with: context: ${{ github.workspace }}/docker/no-driver/ build-args: | VERSION_BUCKET=bin - FALCO_VERSION=${{ github.ref_name }} + FALCO_VERSION=${{ inputs.version }} tags: | falcosecurity/falco-no-driver:${{ inputs.arch }}-latest falcosecurity/falco:${{ inputs.arch }}-latest-slim @@ -84,20 +93,20 @@ jobs: outputs: type=docker,dest=/tmp/falco-no-driver-latest-${{ inputs.arch }}.tar - name: Build falco latest image - if: ${{ github.ref_name != 'master' }} + if: ${{ inputs.is_latest }} uses: docker/build-push-action@v3 with: context: ${{ github.workspace }}/docker/falco/ build-args: | VERSION_BUCKET=deb - FALCO_VERSION=${{ github.ref_name }} + FALCO_VERSION=${{ inputs.version }} tags: | falcosecurity/falco:${{ inputs.arch }}-latest public.ecr.aws/falcosecurity/falco:${{ inputs.arch }}-latest outputs: type=docker,dest=/tmp/falco-latest-${{ inputs.arch }}.tar - name: Build falco-driver-loader latest image - if: ${{ github.ref_name != 'master' }} + if: ${{ inputs.is_latest }} uses: docker/build-push-action@v3 with: context: ${{ github.workspace }}/docker/driver-loader/ diff --git a/.github/workflows/reusable_build_packages.yaml b/.github/workflows/reusable_build_packages.yaml index 1a8a1f0c909..9ff23a9a378 100644 
--- a/.github/workflows/reusable_build_packages.yaml +++ b/.github/workflows/reusable_build_packages.yaml @@ -6,49 +6,15 @@ on: description: x86_64 or aarch64 required: true type: string - outputs: version: - description: 'Falco version extracted from config_falco.h' - value: ${{ jobs.fetch-version.outputs.version }} + description: The Falco version to use when building packages + required: true + type: string jobs: - # We need to use an ubuntu-latest to fetch Falco version because - # Falco version is computed by some cmake scripts that do git sorceries - # to get the current version. - # But centos7 jobs have a git version too old and actions/checkout does not - # fully clone the repo, but uses http rest api instead. - fetch-version: - runs-on: ubuntu-latest - # Map the job outputs to step outputs - outputs: - version: ${{ steps.store_version.outputs.version }} - steps: - - name: Checkout - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - - name: Install build dependencies - run: | - sudo apt update - sudo apt install -y cmake build-essential - - - name: Configure project - run: | - mkdir build && cd build - cmake -DUSE_BUNDLED_DEPS=On .. - - - name: Load and store Falco version output - id: store_version - run: | - FALCO_VERSION=$(cat build/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//') - echo "version=${FALCO_VERSION}" >> $GITHUB_OUTPUT - - build-modern-bpf-skeleton: # See https://github.com/actions/runner/issues/409#issuecomment-1158849936 runs-on: ${{ (inputs.arch == 'aarch64' && fromJSON('[ "self-hosted", "linux", "ARM64" ]')) || 'ubuntu-latest' }} - needs: fetch-version container: fedora:latest steps: # Always install deps before invoking checkout action, to properly perform a full clone. 
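Review bot: Now that `version` is caller-supplied rather than computed by the removed `fetch-version` job, its description should say how the value is used: it is passed to cmake as `-DFALCO_VERSION` and spliced into the uploaded artifact names and the `mv falco-<version>-x86_64.tar.gz` rename later in this file, so a value that differs from what cmake embeds in the package names makes those steps fail or upload the wrong file. Something like `description: Falco version passed as -DFALCO_VERSION; must match the version used in the generated package file names (e.g. falco-<version>-<arch>.tar.gz)` would make the contract explicit to both callers.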
@@ -62,7 +28,7 @@ jobs: - name: Build modern BPF skeleton run: | mkdir skeleton-build && cd skeleton-build - cmake -DUSE_BUNDLED_DEPS=ON -DBUILD_FALCO_MODERN_BPF=ON -DCREATE_TEST_TARGETS=Off -DFALCO_VERSION=${{ needs.fetch-version.outputs.version }} .. + cmake -DUSE_BUNDLED_DEPS=ON -DBUILD_FALCO_MODERN_BPF=ON -DCREATE_TEST_TARGETS=Off -DFALCO_VERSION=${{ inputs.version }} .. make ProbeSkeleton -j6 - name: Upload skeleton @@ -74,7 +40,7 @@ jobs: build-packages: # See https://github.com/actions/runner/issues/409#issuecomment-1158849936 runs-on: ${{ (inputs.arch == 'aarch64' && fromJSON('[ "self-hosted", "linux", "ARM64" ]')) || 'ubuntu-latest' }} - needs: [fetch-version, build-modern-bpf-skeleton] + needs: [build-modern-bpf-skeleton] container: centos:7 steps: # Always install deps before invoking checkout action, to properly perform a full clone. @@ -114,7 +80,7 @@ jobs: -DMODERN_BPF_SKEL_DIR=/tmp \ -DBUILD_DRIVER=Off \ -DBUILD_BPF=Off \ - -DFALCO_VERSION=${{ needs.fetch-version.outputs.version }} \ + -DFALCO_VERSION=${{ inputs.version }} \ .. - name: Build project 
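Review bot: `-DFALCO_VERSION=${{ inputs.version }}` is expanded directly into the `run:` shell script of the `Build modern BPF skeleton` step, and the same pattern appears in the configure step at `@@ -114,7`, the musl `Prepare project` step at `@@ -170,7` and the `Rename static package` step at `@@ -185,11`. This reusable workflow cannot know how a caller obtained the value (the master workflow derives it from cmake output, the release workflow passes the release tag name), so the safer form is a job- or step-level `env:` entry `FALCO_VERSION: ${{ inputs.version }}` with `-DFALCO_VERSION="${FALCO_VERSION}"` in the script, which keeps the value as data rather than script text. The enclosing `build-modern-bpf-skeleton` job starts before this hunk.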
@@ -132,26 +98,25 @@ jobs: - name: Upload Falco tar.gz package uses: actions/upload-artifact@v3 with: - name: falco-${{ needs.fetch-version.outputs.version }}-${{ inputs.arch }}.tar.gz + name: falco-${{ inputs.version }}-${{ inputs.arch }}.tar.gz path: | ${{ github.workspace }}/build/falco-*.tar.gz - name: Upload Falco deb package uses: actions/upload-artifact@v3 with: - name: falco-${{ needs.fetch-version.outputs.version }}-${{ inputs.arch }}.deb + name: falco-${{ inputs.version }}-${{ inputs.arch }}.deb path: | ${{ github.workspace }}/build/falco-*.deb - name: Upload Falco rpm package uses: actions/upload-artifact@v3 with: - name: falco-${{ needs.fetch-version.outputs.version }}-${{ inputs.arch }}.rpm + name: falco-${{ inputs.version }}-${{ inputs.arch }}.rpm path: | ${{ github.workspace }}/build/falco-*.rpm build-musl-package: - needs: fetch-version # x86_64 only for now if: ${{ inputs.arch == 'x86_64' }} runs-on: ubuntu-latest @@ -170,7 +135,7 @@ jobs: - name: Prepare project run: | mkdir build && cd build - cmake -DCPACK_GENERATOR=TGZ -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DBUILD_LIBSCAP_MODERN_BPF=ON -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco ../ -DFALCO_VERSION=${{ needs.fetch-version.outputs.version }} + cmake -DCPACK_GENERATOR=TGZ -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DBUILD_LIBSCAP_MODERN_BPF=ON -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco ../ -DFALCO_VERSION=${{ inputs.version }} - name: Build project run: | 
@@ -185,11 +150,11 @@ jobs: - name: Rename static package run: | cd build - mv falco-${{ needs.fetch-version.outputs.version }}-x86_64.tar.gz falco-${{ needs.fetch-version.outputs.version }}-static-x86_64.tar.gz + mv falco-${{ inputs.version }}-x86_64.tar.gz falco-${{ inputs.version }}-static-x86_64.tar.gz - name: Upload Falco static package uses: actions/upload-artifact@v3 with: - name: falco-${{ needs.fetch-version.outputs.version }}-static-x86_64.tar.gz + name: falco-${{ inputs.version }}-static-x86_64.tar.gz path: | - ${{ github.workspace }}/build/falco-${{ needs.fetch-version.outputs.version }}-static-x86_64.tar.gz + ${{ github.workspace }}/build/falco-${{ inputs.version }}-static-x86_64.tar.gz diff --git a/.github/workflows/reusable_publish_docker.yaml b/.github/workflows/reusable_publish_docker.yaml index 2d63b703f01..e674c2131ec 100644 --- a/.github/workflows/reusable_publish_docker.yaml +++ b/.github/workflows/reusable_publish_docker.yaml @@ -1,6 +1,16 @@ # This is a reusable workflow used by master and release CI on: workflow_call: + inputs: + tag: + description: The tag to push + required: true + type: string + is_latest: + description: Update the latest tag with the new image + required: false + type: boolean + default: false permissions: id-token: write 
@@ -44,33 +54,33 @@ jobs: - name: Create and push no-driver manifest uses: Noelware/docker-manifest-action@0.3.1 with: - inputs: falcosecurity/falco-no-driver:${{ github.ref_name }} - images: falcosecurity/falco-no-driver:aarch64-${{ github.ref_name }},falcosecurity/falco-no-driver:x86_64-${{ github.ref_name }} + inputs: falcosecurity/falco-no-driver:${{ inputs.tag }} + images: falcosecurity/falco-no-driver:aarch64-${{ inputs.tag }},falcosecurity/falco-no-driver:x86_64-${{ inputs.tag }} push: true - name: Create and push slim manifest uses: Noelware/docker-manifest-action@0.3.1 with: - inputs: falcosecurity/falco:${{ github.ref_name }}-slim - images: falcosecurity/falco:aarch64-${{ github.ref_name }}-slim,falcosecurity/falco:x86_64-${{ github.ref_name }}-slim + inputs: falcosecurity/falco:${{ inputs.tag }}-slim + images: falcosecurity/falco:aarch64-${{ inputs.tag }}-slim,falcosecurity/falco:x86_64-${{ inputs.tag }}-slim push: true - name: Create and push no-driver manifest for ecr uses: Noelware/docker-manifest-action@0.3.1 with: - inputs: public.ecr.aws/falcosecurity/falco-no-driver:${{ github.ref_name }} - images: public.ecr.aws/falcosecurity/falco-no-driver:aarch64-${{ github.ref_name }},public.ecr.aws/falcosecurity/falco-no-driver:x86_64-${{ github.ref_name }} + inputs: public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tag }} + images: public.ecr.aws/falcosecurity/falco-no-driver:aarch64-${{ inputs.tag }},public.ecr.aws/falcosecurity/falco-no-driver:x86_64-${{ inputs.tag }} push: true - name: Create and push slim manifest for ecr uses: Noelware/docker-manifest-action@0.3.1 with: - inputs: public.ecr.aws/falcosecurity/falco:${{ github.ref_name }}-slim - images: public.ecr.aws/falcosecurity/falco:aarch64-${{ github.ref_name }}-slim,public.ecr.aws/falcosecurity/falco:x86_64-${{ github.ref_name }}-slim + inputs: public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-slim + images: public.ecr.aws/falcosecurity/falco:aarch64-${{ inputs.tag 
}}-slim,public.ecr.aws/falcosecurity/falco:x86_64-${{ inputs.tag }}-slim push: true - name: Create and push no-driver latest manifest - if: ${{ github.ref_name != 'master' }} + if: ${{ inputs.is_latest }} uses: Noelware/docker-manifest-action@0.3.1 with: inputs: falcosecurity/falco-no-driver:latest @@ -78,7 +88,7 @@ jobs: push: true - name: Create and push slim latest manifest - if: ${{ github.ref_name != 'master' }} + if: ${{ inputs.is_latest }} uses: Noelware/docker-manifest-action@0.3.1 with: inputs: falcosecurity/falco:latest-slim @@ -86,7 +96,7 @@ jobs: push: true - name: Create and push no-driver latest manifest for ecr - if: ${{ github.ref_name != 'master' }} + if: ${{ inputs.is_latest }} uses: Noelware/docker-manifest-action@0.3.1 with: inputs: public.ecr.aws/falcosecurity/falco-no-driver:latest @@ -94,7 +104,7 @@ jobs: push: true - name: Create and push slim latest manifest for ecr - if: ${{ github.ref_name != 'master' }} + if: ${{ inputs.is_latest }} uses: Noelware/docker-manifest-action@0.3.1 with: inputs: public.ecr.aws/falcosecurity/falco:latest-slim 
@@ -104,19 +114,19 @@ jobs: - name: Create and push falco manifest uses: Noelware/docker-manifest-action@0.3.1 with: - inputs: falcosecurity/falco:${{ github.ref_name }} - images: falcosecurity/falco:aarch64-${{ github.ref_name }},falcosecurity/falco:x86_64-${{ github.ref_name }} + inputs: falcosecurity/falco:${{ inputs.tag }} + images: falcosecurity/falco:aarch64-${{ inputs.tag }},falcosecurity/falco:x86_64-${{ inputs.tag }} push: true - name: Create and push falco manifest for ecr uses: Noelware/docker-manifest-action@0.3.1 with: - inputs: public.ecr.aws/falcosecurity/falco:${{ github.ref_name }} - images: public.ecr.aws/falcosecurity/falco:aarch64-${{ github.ref_name }},public.ecr.aws/falcosecurity/falco:x86_64-${{ github.ref_name }} + inputs: public.ecr.aws/falcosecurity/falco:${{ inputs.tag }} + images: public.ecr.aws/falcosecurity/falco:aarch64-${{ inputs.tag }},public.ecr.aws/falcosecurity/falco:x86_64-${{ inputs.tag }} push: true - name: Create and push falco latest manifest - if: ${{ github.ref_name != 'master' }} + if: ${{ inputs.is_latest }} uses: Noelware/docker-manifest-action@0.3.1 with: inputs: falcosecurity/falco:latest @@ -124,7 +134,7 @@ jobs: push: true - name: Create and push falco latest manifest for ecr - if: ${{ github.ref_name != 'master' }} + if: ${{ inputs.is_latest }} uses: Noelware/docker-manifest-action@0.3.1 with: inputs: public.ecr.aws/falcosecurity/falco:latest 
@@ -134,19 +144,19 @@ jobs: - name: Create and push falco-driver-loader manifest uses: Noelware/docker-manifest-action@0.3.1 with: - inputs: falcosecurity/falco-driver-loader:${{ github.ref_name }} - images: falcosecurity/falco-driver-loader:aarch64-${{ github.ref_name }},falcosecurity/falco-driver-loader:x86_64-${{ github.ref_name }} + inputs: falcosecurity/falco-driver-loader:${{ inputs.tag }} + images: falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }},falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }} push: true - name: Create and push falco-driver-loader manifest for ecr uses: Noelware/docker-manifest-action@0.3.1 with: - inputs: public.ecr.aws/falcosecurity/falco-driver-loader:${{ github.ref_name }} - images: public.ecr.aws/falcosecurity/falco-driver-loader:aarch64-${{ github.ref_name }},public.ecr.aws/falcosecurity/falco-driver-loader:x86_64-${{ github.ref_name }} + inputs: public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }} + images: public.ecr.aws/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }},public.ecr.aws/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }} push: true - name: Create and push falco-driver-loader latest manifest - if: ${{ github.ref_name != 'master' }} + if: ${{ inputs.is_latest }} uses: Noelware/docker-manifest-action@0.3.1 with: inputs: falcosecurity/falco-driver-loader:latest @@ -154,7 +164,7 @@ jobs: push: true - name: Create and push falco-driver-loader latest manifest for ecr - if: ${{ github.ref_name != 'master' }} + if: ${{ inputs.is_latest }} uses: Noelware/docker-manifest-action@0.3.1 with: inputs: public.ecr.aws/falcosecurity/falco-driver-loader:latest diff --git a/.github/workflows/reusable_publish_packages.yaml b/.github/workflows/reusable_publish_packages.yaml index 8dc7f7faca8..dc959afc4a3 100644 --- a/.github/workflows/reusable_publish_packages.yaml +++ b/.github/workflows/reusable_publish_packages.yaml 
@@ -3,7 +3,7 @@ on: workflow_call: inputs: version: - description: 'Falco version extracted from userspace/falco/config_falco.h' + description: The Falco version to use when publishing packages required: true type: string bucket_suffix: diff --git a/RELEASE.md b/RELEASE.md index 713cbed8fe9..76857db2b9b 100644 --- a/RELEASE.md +++ b/RELEASE.md 
@@ -113,26 +113,29 @@ The release PR is meant to be made against the respective `release/M.m.x` branch - Close the completed milestone as soon as the PR is merged into the release branch - Cherry pick the PR on master too -## Release +## Publishing Pre-Releases (RCs and tagged development versions) -Assume `M.m.p` is the new version. +Core maintainers and/or the release manager can decide to publish pre-releases at any time before the final release +is live for development and testing purposes. -### 1. Create a tag +The prerelease tag must be formatted as `M.m.p-r`where `r` is the prerelease version information (e.g. `0.35.0-rc1`.) -- Once the release PR has got merged both on the release branch and on master, and the master CI has done its job, git tag the new release on the release branch: +To do so: - ``` - git pull - git checkout release/M.m.x - git tag M.m.p - git push origin M.m.p - ``` +- [Draft a new release](https://github.com/falcosecurity/falco/releases/new) +- Use `M.m.p-r` both as tag version and release title. +- Check the "Set as a pre-release" checkbox and make sure "Set as the latest release" is unchecked +- It is recommended to add a brief description so that other contributors will understand the reason why the prerelease is published +- Publish the prerelease! +- The release pipeline will start automatically. Packages will be uploaded to the `-dev` bucket and container images will be tagged with the specified tag. -> **N.B.**: do NOT use an annotated tag. For reference https://git-scm.com/book/en/v2/Git-Basics-Tagging +In order to check the status of the release pipeline click on the [GitHub Actions tab](https://github.com/falcosecurity/falco/actions?query=event%3Arelease) in the Falco repository and filter by release. -- Wait for the CI to complete +## Release + +Assume `M.m.p` is the new version. -### 2. Update the GitHub release +### 1. 
Create the release with GitHub - [Draft a new release](https://github.com/falcosecurity/falco/releases/new) - Use `M.m.p` both as tag version and release title @@ -176,8 +179,11 @@ Assume `M.m.p` is the new version. ``` - Finally, publish the release! +- The release pipeline will start automatically upon publication and all packages and container images will be uploaded to the stable repositories. + +In order to check the status of the release pipeline click on the [GitHub Actions tab](https://github.com/falcosecurity/falco/actions?query=event%3Arelease) in the Falco repository and filter by release. -### 3. Update the meeting notes +### 2. Update the meeting notes For each release we archive the meeting notes in git for historical purposes.