From 4a65ed1e4c16a7a229e1a9235b14c5276c76722d Mon Sep 17 00:00:00 2001
From: Luca Guerra
Date: Thu, 4 May 2023 15:36:36 +0000
Subject: [PATCH 1/9] new(ci): add RC/prerelease support
Signed-off-by: Luca Guerra
---
.github/workflows/release.yaml | 41 ++++++++++++++++++-
.github/workflows/reusable_build_docker.yaml | 11 +++--
.../workflows/reusable_publish_docker.yaml | 22 ++++++----
3 files changed, 61 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index b1688d1f108..daf83d63b21 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -2,7 +2,8 @@ name: Release Packages and Docker images
on:
push:
tags:
- - '[0-9]+.[0-9]+.[0-9]+'
+ - '[0-9]+.[0-9]+.[0-9]+' # final release
+ - '[0-9]+.[0-9]+.[0-9]+-*' # prerelease/RC
# Checks if any concurrent jobs is running for release CI and eventually cancel it.
concurrency:
@@ -10,6 +11,36 @@ concurrency:
cancel-in-progress: true
jobs:
+ release-settings:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Get latest release
+ uses: rez0n/actions-github-release@v2.0
+ id: latest_release
+ env:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ repository: ${{ github.repository }}
+ type: "stable"
+
+ - name: Get settings for this release
+ id: get_settings
+ shell: python
+ run: |
+ import os
+ is_prerelease = '-' in '${{ github.ref_name }}'
+
+ # Safeguard: you need to both set "latest" in GH and not have suffixes to overwrite latest
+ is_latest = '${{ steps.latest_release.outputs.release }}' == '${{ github.ref_name }}' and not is_prerelease
+
+ bucket_suffix = '-dev' if is_prerelease else ''
+
+ with open(os.environ['GITHUB_OUTPUT'], 'a') as ofp:
+ print(f'is_latest={is_latest}'.lower(), file=ofp)
+ print(f'bucket_suffix={bucket_suffix}', file=ofp)
+ outputs:
+ is_latest: ${{ steps.get_settings.outputs.is_latest }}
+ bucket_suffix: ${{ steps.get_settings.outputs.bucket_suffix }}
+
build-packages:
uses: falcosecurity/falco/.github/workflows/reusable_build_packages.yaml@master
with:
@@ -26,6 +57,7 @@ jobs:
needs: [build-packages, build-packages-arm64]
uses: falcosecurity/falco/.github/workflows/reusable_publish_packages.yaml@master
with:
+ bucket_suffix: ${{ steps.get_settings.outputs.bucket_suffix }}
version: ${{ needs.build-packages.outputs.version }}
secrets: inherit
@@ -35,6 +67,8 @@ jobs:
uses: falcosecurity/falco/.github/workflows/reusable_build_docker.yaml@master
with:
arch: x86_64
+ is_latest: ${{ needs.release-settings.outputs.is_latest == 'true' }}
+ bucket_suffix: ${{ steps.get_settings.outputs.bucket_suffix }}
version: ${{ needs.build-packages.outputs.version }}
secrets: inherit
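Review bot: The `Get settings for this release` step splices `${{ github.ref_name }}` and `${{ steps.latest_release.outputs.release }}` directly into the Python source under `run:`, so a tag or release name containing a quote changes the program instead of being data; the same pattern survives as `tag_name = '${{ github.event.release.tag_name }}'` in the patch 2 rewrite of this job. Bind the values through the step's `env:` and read them with `os.environ`, e.g. `env:` / `TAG_NAME: ${{ github.ref_name }}` on the step and `is_prerelease = '-' in os.environ['TAG_NAME']` in the script, which is also what the `GITHUB_OUTPUT` line already does. Separately, `rez0n/actions-github-release@v2.0` is a mutable tag reference to a third-party action that is handed `secrets.GITHUB_TOKEN`; pinning it to a full-length commit SHA (version kept in a trailing comment) keeps the release pipeline from silently picking up a new revision of that tag.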
@@ -43,6 +77,8 @@ jobs:
uses: falcosecurity/falco/.github/workflows/reusable_build_docker.yaml@master
with:
arch: aarch64
+ is_latest: ${{ needs.release-settings.outputs.is_latest == 'true' }}
+ bucket_suffix: ${{ steps.get_settings.outputs.bucket_suffix }}
version: ${{ needs.build-packages.outputs.version }}
secrets: inherit
@@ -50,4 +86,5 @@ jobs:
needs: [build-docker, build-docker-arm64]
uses: falcosecurity/falco/.github/workflows/reusable_publish_docker.yaml@master
secrets: inherit
-
+ with:
+ is_latest: ${{ needs.release-settings.outputs.is_latest == 'true' }}
diff --git a/.github/workflows/reusable_build_docker.yaml b/.github/workflows/reusable_build_docker.yaml
index af3ec72bfea..75a2aa5b6c9 100644
--- a/.github/workflows/reusable_build_docker.yaml
+++ b/.github/workflows/reusable_build_docker.yaml
@@ -15,6 +15,11 @@ on:
description: 'Falco version extracted from userspace/falco/config_falco.h'
required: true
type: string
+ is_latest:
+ description: Update the latest tag with the new image
+ required: false
+ type: boolean
+ default: false
# Here we just build all docker images as tarballs,
# then we upload all the tarballs to be later downloaded by reusable_publish_docker workflow.
@@ -69,7 +74,7 @@ jobs:
outputs: type=docker,dest=/tmp/falco-driver-loader-${{ inputs.arch }}.tar
- name: Build no-driver latest image
- if: ${{ github.ref_name != 'master' }}
+ if: ${{ inputs.is_latest }}
uses: docker/build-push-action@v3
with:
context: ${{ github.workspace }}/docker/no-driver/
@@ -84,7 +89,7 @@ jobs:
outputs: type=docker,dest=/tmp/falco-no-driver-latest-${{ inputs.arch }}.tar
- name: Build falco latest image
- if: ${{ github.ref_name != 'master' }}
+ if: ${{ inputs.is_latest }}
uses: docker/build-push-action@v3
with:
context: ${{ github.workspace }}/docker/falco/
@@ -97,7 +102,7 @@ jobs:
outputs: type=docker,dest=/tmp/falco-latest-${{ inputs.arch }}.tar
- name: Build falco-driver-loader latest image
- if: ${{ github.ref_name != 'master' }}
+ if: ${{ inputs.is_latest }}
uses: docker/build-push-action@v3
with:
context: ${{ github.workspace }}/docker/driver-loader/
diff --git a/.github/workflows/reusable_publish_docker.yaml b/.github/workflows/reusable_publish_docker.yaml
index 2d63b703f01..527995007c2 100644
--- a/.github/workflows/reusable_publish_docker.yaml
+++ b/.github/workflows/reusable_publish_docker.yaml
@@ -1,6 +1,12 @@
# This is a reusable workflow used by master and release CI
on:
workflow_call:
+ inputs:
+ is_latest:
+ description: Update the latest tag with the new image
+ required: false
+ type: boolean
+ default: false
permissions:
id-token: write
@@ -70,7 +76,7 @@ jobs:
push: true
- name: Create and push no-driver latest manifest
- if: ${{ github.ref_name != 'master' }}
+ if: ${{ inputs.is_latest }}
uses: Noelware/docker-manifest-action@0.3.1
with:
inputs: falcosecurity/falco-no-driver:latest
@@ -78,7 +84,7 @@ jobs:
push: true
- name: Create and push slim latest manifest
- if: ${{ github.ref_name != 'master' }}
+ if: ${{ inputs.is_latest }}
uses: Noelware/docker-manifest-action@0.3.1
with:
inputs: falcosecurity/falco:latest-slim
@@ -86,7 +92,7 @@ jobs:
push: true
- name: Create and push no-driver latest manifest for ecr
- if: ${{ github.ref_name != 'master' }}
+ if: ${{ inputs.is_latest }}
uses: Noelware/docker-manifest-action@0.3.1
with:
inputs: public.ecr.aws/falcosecurity/falco-no-driver:latest
@@ -94,7 +100,7 @@ jobs:
push: true
- name: Create and push slim latest manifest for ecr
- if: ${{ github.ref_name != 'master' }}
+ if: ${{ inputs.is_latest }}
uses: Noelware/docker-manifest-action@0.3.1
with:
inputs: public.ecr.aws/falcosecurity/falco:latest-slim
@@ -116,7 +122,7 @@ jobs:
push: true
- name: Create and push falco latest manifest
- if: ${{ github.ref_name != 'master' }}
+ if: ${{ inputs.is_latest }}
uses: Noelware/docker-manifest-action@0.3.1
with:
inputs: falcosecurity/falco:latest
@@ -124,7 +130,7 @@ jobs:
push: true
- name: Create and push falco latest manifest for ecr
- if: ${{ github.ref_name != 'master' }}
+ if: ${{ inputs.is_latest }}
uses: Noelware/docker-manifest-action@0.3.1
with:
inputs: public.ecr.aws/falcosecurity/falco:latest
@@ -146,7 +152,7 @@ jobs:
push: true
- name: Create and push falco-driver-loader latest manifest
- if: ${{ github.ref_name != 'master' }}
+ if: ${{ inputs.is_latest }}
uses: Noelware/docker-manifest-action@0.3.1
with:
inputs: falcosecurity/falco-driver-loader:latest
@@ -154,7 +160,7 @@ jobs:
push: true
- name: Create and push falco-driver-loader latest manifest for ecr
- if: ${{ github.ref_name != 'master' }}
+ if: ${{ inputs.is_latest }}
uses: Noelware/docker-manifest-action@0.3.1
with:
inputs: public.ecr.aws/falcosecurity/falco-driver-loader:latest
From c4ccbed08ab6db4427997b32bec88f742d264715 Mon Sep 17 00:00:00 2001
From: Luca Guerra
Date: Mon, 8 May 2023 13:07:17 +0000
Subject: [PATCH 2/9] update(ci): react to release publishing, rewire variables
Signed-off-by: Luca Guerra
---
.github/workflows/release.yaml | 43 +++++++++++++++++++++-------------
1 file changed, 27 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index daf83d63b21..da19bc0ee6b 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -1,9 +1,7 @@
name: Release Packages and Docker images
on:
- push:
- tags:
- - '[0-9]+.[0-9]+.[0-9]+' # final release
- - '[0-9]+.[0-9]+.[0-9]+-*' # prerelease/RC
+ release:
+ types: [published]
# Checks if any concurrent jobs is running for release CI and eventually cancel it.
concurrency:
@@ -27,63 +25,76 @@ jobs:
shell: python
run: |
import os
- is_prerelease = '-' in '${{ github.ref_name }}'
+ import re
+
+ semver_no_meta = '''^(?P0|[1-9]\d*)\.(?P0|[1-9]\d*)\.(?P0|[1-9]\d*)(?:-(?P(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?$'''
+ tag_name = '${{ github.event.release.tag_name }}'
+
+ should_publish = re.match(semver_no_meta, tag_name) is not None
+
+ is_prerelease = '-' in tag_name
# Safeguard: you need to both set "latest" in GH and not have suffixes to overwrite latest
- is_latest = '${{ steps.latest_release.outputs.release }}' == '${{ github.ref_name }}' and not is_prerelease
+ is_latest = '${{ steps.latest_release.outputs.release }}' == tag_name and not is_prerelease
bucket_suffix = '-dev' if is_prerelease else ''
with open(os.environ['GITHUB_OUTPUT'], 'a') as ofp:
print(f'is_latest={is_latest}'.lower(), file=ofp)
+ print(f'should_publish={should_publish}'.lower(), file=ofp)
print(f'bucket_suffix={bucket_suffix}', file=ofp)
- outputs:
- is_latest: ${{ steps.get_settings.outputs.is_latest }}
- bucket_suffix: ${{ steps.get_settings.outputs.bucket_suffix }}
build-packages:
+ needs: [release-settings]
+ if: ${{ needs.release-settings.outputs.should_publish == 'true' }}
uses: falcosecurity/falco/.github/workflows/reusable_build_packages.yaml@master
with:
arch: x86_64
secrets: inherit
build-packages-arm64:
+ needs: [release-settings]
+ if: ${{ needs.release-settings.outputs.should_publish == 'true' }}
uses: falcosecurity/falco/.github/workflows/reusable_build_packages.yaml@master
with:
arch: aarch64
secrets: inherit
publish-packages:
- needs: [build-packages, build-packages-arm64]
+ needs: [release-settings, build-packages, build-packages-arm64]
+ if: ${{ needs.release-settings.outputs.should_publish == 'true' }}
uses: falcosecurity/falco/.github/workflows/reusable_publish_packages.yaml@master
with:
- bucket_suffix: ${{ steps.get_settings.outputs.bucket_suffix }}
+ bucket_suffix: ${{ 
needs.release-settings.outputs.bucket_suffix }}
version: ${{ needs.build-packages.outputs.version }}
secrets: inherit
# Both build-docker and its arm64 counterpart require build-packages because they use its output
build-docker:
- needs: [build-packages, publish-packages]
+ needs: [release-settings, build-packages, publish-packages]
+ if: ${{ needs.release-settings.outputs.should_publish == 'true' }}
uses: falcosecurity/falco/.github/workflows/reusable_build_docker.yaml@master
with:
arch: x86_64
is_latest: ${{ needs.release-settings.outputs.is_latest == 'true' }}
- bucket_suffix: ${{ steps.get_settings.outputs.bucket_suffix }}
+ bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }}
version: ${{ needs.build-packages.outputs.version }}
secrets: inherit
build-docker-arm64:
- needs: [build-packages, publish-packages]
+ needs: [release-settings, build-packages, publish-packages]
+ if: ${{ needs.release-settings.outputs.should_publish == 'true' }}
uses: falcosecurity/falco/.github/workflows/reusable_build_docker.yaml@master
with:
arch: aarch64
is_latest: ${{ needs.release-settings.outputs.is_latest == 'true' }}
- bucket_suffix: ${{ steps.get_settings.outputs.bucket_suffix }}
+ bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }}
version: ${{ needs.build-packages.outputs.version }}
secrets: inherit
publish-docker:
- needs: [build-docker, build-docker-arm64]
+ needs: [release-settings, build-docker, build-docker-arm64]
+ if: ${{ needs.release-settings.outputs.should_publish == 'true' }}
uses: falcosecurity/falco/.github/workflows/reusable_publish_docker.yaml@master
secrets: inherit
with:
From 51c79f837e808c8ebf2422d651cffe43cdf7ecb0 Mon Sep 17 00:00:00 2001
From: Luca Guerra
Date: Mon, 8 May 2023 13:12:59 +0000
Subject: [PATCH 3/9] update(ci): move release outputs declaration
Signed-off-by: Luca Guerra
---
.github/workflows/release.yaml | 4 ++++
1 file changed, 4 insertions(+)
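Review bot: `semver_no_meta` is a plain `'''…'''` literal, so `\d` and `\.` go through Python string-escape processing before `re.match` ever sees them (an invalid-escape warning on current interpreters, slated to become an error); declare it as a raw string, `semver_no_meta = r'''^(?P…$'''`, so the regex is taken verbatim. As rendered here the groups read `(?P0|…)`, which is not valid named-group syntax; if the angle-bracketed group names were merely lost in rendering this is fine, otherwise `re.match` raises and `release-settings` fails before `should_publish` is written, which at least fails closed. The enclosing `release-settings` job and its `Get latest release` step begin before this hunk.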
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index da19bc0ee6b..154263cb18e 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -11,6 +11,10 @@ concurrency:
jobs:
release-settings:
runs-on: ubuntu-latest
+ outputs:
+ is_latest: ${{ steps.get_settings.outputs.is_latest }}
+ bucket_suffix: ${{ steps.get_settings.outputs.bucket_suffix }}
+ should_publish: ${{ steps.get_settings.outputs.should_publish }}
steps:
- name: Get latest release
uses: rez0n/actions-github-release@v2.0
From 014b1592764b67caf351c859548edd9059a11bd6 Mon Sep 17 00:00:00 2001
From: Luca Guerra
Date: Mon, 8 May 2023 15:38:23 +0000
Subject: [PATCH 4/9] update(ci): move version computation logic to main jobs master/release
Signed-off-by: Luca Guerra
---
.github/workflows/master.yaml | 54 +++++++++++++---
.github/workflows/release.yaml | 11 +++-
.github/workflows/reusable_build_docker.yaml | 28 +++++----
.../workflows/reusable_build_packages.yaml | 61 ++++--------------
.../workflows/reusable_publish_docker.yaml | 36 ++++++-----
.../workflows/reusable_publish_packages.yaml | 2 +-
6 files changed, 105 insertions(+), 87 deletions(-)
diff --git a/.github/workflows/master.yaml b/.github/workflows/master.yaml
index 7f35686411e..e8afd338d34 100644
--- a/.github/workflows/master.yaml
+++ b/.github/workflows/master.yaml
@@ -9,46 +9,86 @@ concurrency:
cancel-in-progress: true
jobs:
+ # We need to use an ubuntu-latest to fetch Falco version because
+ # Falco version is computed by some cmake scripts that do git sorceries
+ # to get the current version.
+ # But centos7 jobs have a git version too old and actions/checkout does not
+ # fully clone the repo, but uses http rest api instead.
+ fetch-version:
+ runs-on: ubuntu-latest
+ # Map the job outputs to step outputs
+ outputs:
+ version: ${{ steps.store_version.outputs.version }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ - name: Install build dependencies
+ run: |
+ sudo apt update
+ sudo apt install -y cmake build-essential
+
+ - name: Configure project
+ run: |
+ mkdir build && cd build
+ cmake -DUSE_BUNDLED_DEPS=On ..
+
+ - name: Load and store Falco version output
+ id: store_version
+ run: |
+ FALCO_VERSION=$(cat build/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+ echo "version=${FALCO_VERSION}" >> $GITHUB_OUTPUT
+
build-dev-packages:
+ needs: [fetch-version]
uses: falcosecurity/falco/.github/workflows/reusable_build_packages.yaml@master
with:
arch: x86_64
+ version: ${{ needs.fetch-version.outputs.version }}
secrets: inherit
build-dev-packages-arm64:
+ needs: [fetch-version]
uses: falcosecurity/falco/.github/workflows/reusable_build_packages.yaml@master
with:
arch: aarch64
+ version: ${{ needs.fetch-version.outputs.version }}
secrets: inherit
publish-dev-packages:
- needs: [build-dev-packages, build-dev-packages-arm64]
+ needs: [fetch-version, build-dev-packages, build-dev-packages-arm64]
uses: falcosecurity/falco/.github/workflows/reusable_publish_packages.yaml@master
with:
bucket_suffix: '-dev'
- version: ${{ needs.build-dev-packages.outputs.version }}
+ version: ${{ needs.fetch-version.outputs.version }}
secrets: inherit
# Both build-dev-docker and its arm64 counterpart require build-dev-packages because they use its output
build-dev-docker:
- needs: [build-dev-packages, publish-dev-packages]
+ needs: [fetch-version, build-dev-packages, publish-dev-packages]
uses: falcosecurity/falco/.github/workflows/reusable_build_docker.yaml@master
with:
arch: x86_64
bucket_suffix: '-dev'
- version: ${{ needs.build-dev-packages.outputs.version }}
+ version: ${{ needs.fetch-version.outputs.version }}
+ tag: ${{ github.ref_name }}
secrets: inherit
build-dev-docker-arm64:
- needs: [build-dev-packages, publish-dev-packages]
+ needs: [fetch-version, build-dev-packages, publish-dev-packages]
uses: falcosecurity/falco/.github/workflows/reusable_build_docker.yaml@master
with:
arch: aarch64
bucket_suffix: '-dev'
- version: ${{ needs.build-dev-packages.outputs.version }}
+ version: ${{ needs.fetch-version.outputs.version }}
+ tag: ${{ github.ref_name }}
secrets: inherit
publish-dev-docker:
- needs: [build-dev-docker, build-dev-docker-arm64]
+ needs: [fetch-version, build-dev-docker, build-dev-docker-arm64]
uses: falcosecurity/falco/.github/workflows/reusable_publish_docker.yaml@master
+ with:
+ tag: ${{ github.ref_name }}
secrets: inherit
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 154263cb18e..9b554fdbb8c 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -54,6 +54,7 @@ jobs:
uses: falcosecurity/falco/.github/workflows/reusable_build_packages.yaml@master
with:
arch: x86_64
+ version: ${{ github.event.release.tag_name }}
secrets: inherit
build-packages-arm64:
@@ -62,6 +63,7 @@ jobs:
uses: falcosecurity/falco/.github/workflows/reusable_build_packages.yaml@master
with:
arch: aarch64
+ version: ${{ github.event.release.tag_name }}
secrets: inherit
publish-packages:
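Review bot: The `Load and store Falco version output` step writes whatever the grep/cut/sed pipeline produced, and under the default `bash -e` step shell (no `pipefail`) a grep miss does not fail the command substitution, so a missing `FALCO_VERSION ` line in `config_falco.h` yields `version=` silently and every downstream job then builds and publishes with an empty `-DFALCO_VERSION=` and artefact names like `falco--x86_64.tar.gz`. Guard it before the echo, `[ -n "${FALCO_VERSION}" ] || { echo "could not extract FALCO_VERSION" >&2; exit 1; }`, and quote the redirect target, `>> "$GITHUB_OUTPUT"`. The pipeline is moved verbatim from reusable_build_packages.yaml, so this is not new behaviour, but master.yaml is now the place to fix it; the hunk opens inside the `jobs:` mapping, whose start is above it.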
@@ -70,7 +72,7 @@ jobs:
uses: falcosecurity/falco/.github/workflows/reusable_publish_packages.yaml@master
with:
bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }}
- version: ${{ needs.build-packages.outputs.version }}
+ version: ${{ github.event.release.tag_name }}
secrets: inherit
# Both build-docker and its arm64 counterpart require build-packages because they use its output
@@ -82,7 +84,8 @@ jobs:
arch: x86_64
is_latest: ${{ needs.release-settings.outputs.is_latest == 'true' }}
bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }}
- version: ${{ needs.build-packages.outputs.version }}
+ version: ${{ github.event.release.tag_name }}
+ tag: ${{ github.event.release.tag_name }}
secrets: inherit
build-docker-arm64:
@@ -93,7 +96,8 @@ jobs:
arch: aarch64
is_latest: ${{ needs.release-settings.outputs.is_latest == 'true' }}
bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }}
- version: ${{ needs.build-packages.outputs.version }}
+ version: ${{ github.event.release.tag_name }}
+ tag: ${{ github.event.release.tag_name }}
secrets: inherit
publish-docker:
@@ -103,3 +107,4 @@ jobs:
secrets: inherit
with:
is_latest: ${{ needs.release-settings.outputs.is_latest == 'true' }}
+ tag: ${{ github.event.release.tag_name }}
diff --git a/.github/workflows/reusable_build_docker.yaml b/.github/workflows/reusable_build_docker.yaml
index 75a2aa5b6c9..c1f7dc6977d 100644
--- a/.github/workflows/reusable_build_docker.yaml
+++ b/.github/workflows/reusable_build_docker.yaml
@@ -12,7 +12,11 @@ on:
default: ''
type: string
version:
- description: 'Falco version extracted from userspace/falco/config_falco.h'
+ description: The Falco version to use when building images
+ required: true
+ type: string
+ tag:
+ description: The tag to use (e.g. "master" or "0.35.0")
required: true
type: string
is_latest:
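Review bot: `tag` is introduced as a `required: true` input on a reusable workflow that callers reference as `…@master` (the same happens for `version` in reusable_build_packages.yaml further down), so any call site not updated in this commit — a release-branch workflow that pins the reusable workflows at `@master`, if one exists — fails at the call with a missing-input error the next time it runs. If older callers must keep working, make the input `required: false` and fall back in the consumers with `${{ inputs.tag || github.ref_name }}`, which reproduces the behaviour these hunks replace; otherwise say in the description that every caller must now pass it. The `description` values here are plain scalars containing a colon-free sentence, which is fine, but the one with `(e.g. "master" or "0.35.0")` would read more safely quoted as a whole, e.g. `description: 'The tag to use (e.g. "master" or "0.35.0")'`.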
@@ -44,10 +48,10 @@ jobs:
VERSION_BUCKET=bin${{ inputs.bucket_suffix }}
FALCO_VERSION=${{ inputs.version }}
tags: |
- falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ github.ref_name }}
- falcosecurity/falco:${{ inputs.arch }}-${{ github.ref_name }}-slim
- public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ github.ref_name }}
- public.ecr.aws/falcosecurity/falco:${{ inputs.arch }}-${{ github.ref_name }}-slim
+ falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ inputs.tag }}
+ falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }}-slim
+ public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ inputs.tag }}
+ public.ecr.aws/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }}-slim
outputs: type=docker,dest=/tmp/falco-no-driver-${{ inputs.arch }}.tar
- name: Build falco image
@@ -58,8 +62,8 @@ jobs:
VERSION_BUCKET=deb${{ inputs.bucket_suffix }}
FALCO_VERSION=${{ inputs.version }}
tags: |
- falcosecurity/falco:${{ inputs.arch }}-${{ github.ref_name }}
- public.ecr.aws/falcosecurity/falco:${{ inputs.arch }}-${{ github.ref_name }}
+ falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }}
+ public.ecr.aws/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }}
outputs: type=docker,dest=/tmp/falco-${{ inputs.arch }}.tar
- name: Build falco-driver-loader image
@@ -67,10 +71,10 @@ jobs:
with:
context: ${{ github.workspace }}/docker/driver-loader/
build-args: |
- FALCO_IMAGE_TAG=${{ inputs.arch }}-${{ github.ref_name }}
+ FALCO_IMAGE_TAG=${{ inputs.arch }}-${{ inputs.tag }}
tags: |
- falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ github.ref_name }}
- public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ github.ref_name }}
+ falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }}
+ public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }}
outputs: type=docker,dest=/tmp/falco-driver-loader-${{ inputs.arch }}.tar
- name: Build no-driver latest image
@@ -80,7 +84,7 @@ jobs:
context: ${{ github.workspace }}/docker/no-driver/
build-args: |
VERSION_BUCKET=bin
- FALCO_VERSION=${{ github.ref_name }}
+ FALCO_VERSION=${{ inputs.version }}
tags: |
falcosecurity/falco-no-driver:${{ inputs.arch }}-latest
falcosecurity/falco:${{ inputs.arch }}-latest-slim
@@ -95,7 +99,7 @@ jobs:
context: ${{ github.workspace }}/docker/falco/
build-args: |
VERSION_BUCKET=deb
- FALCO_VERSION=${{ github.ref_name }}
+ FALCO_VERSION=${{ inputs.version }}
tags: |
falcosecurity/falco:${{ inputs.arch }}-latest
public.ecr.aws/falcosecurity/falco:${{ inputs.arch }}-latest
diff --git a/.github/workflows/reusable_build_packages.yaml b/.github/workflows/reusable_build_packages.yaml
index 1a8a1f0c909..9ff23a9a378 100644
--- a/.github/workflows/reusable_build_packages.yaml
+++ b/.github/workflows/reusable_build_packages.yaml
@@ -6,49 +6,15 @@ on:
description: x86_64 or aarch64
required: true
type: string
- outputs:
version:
- description: 'Falco version extracted from config_falco.h'
- value: ${{ jobs.fetch-version.outputs.version }}
+ description: The Falco version to use when building packages
+ required: true
+ type: string
jobs:
- # We need to use an ubuntu-latest to fetch Falco version because
- # Falco version is computed by some cmake scripts that do git sorceries
- # to get the current version.
- # But centos7 jobs have a git version too old and actions/checkout does not
- # fully clone the repo, but uses http rest api instead.
- fetch-version:
- runs-on: ubuntu-latest
- # Map the job outputs to step outputs
- outputs:
- version: ${{ steps.store_version.outputs.version }}
- steps:
- - name: Checkout
- uses: actions/checkout@v3
- with:
- fetch-depth: 0
-
- - name: Install build dependencies
- run: |
- sudo apt update
- sudo apt install -y cmake build-essential
-
- - name: Configure project
- run: |
- mkdir build && cd build
- cmake -DUSE_BUNDLED_DEPS=On ..
-
- - name: Load and store Falco version output
- id: store_version
- run: |
- FALCO_VERSION=$(cat build/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
- echo "version=${FALCO_VERSION}" >> $GITHUB_OUTPUT
-
build-modern-bpf-skeleton:
# See https://github.com/actions/runner/issues/409#issuecomment-1158849936
runs-on: ${{ (inputs.arch == 'aarch64' && fromJSON('[ "self-hosted", "linux", "ARM64" ]')) || 'ubuntu-latest' }}
- needs: fetch-version
container: fedora:latest
steps:
# Always install deps before invoking checkout action, to properly perform a full clone.
@@ -62,7 +28,7 @@ jobs:
- name: Build modern BPF skeleton
run: |
mkdir skeleton-build && cd skeleton-build
- cmake -DUSE_BUNDLED_DEPS=ON -DBUILD_FALCO_MODERN_BPF=ON -DCREATE_TEST_TARGETS=Off -DFALCO_VERSION=${{ needs.fetch-version.outputs.version }} ..
+ cmake -DUSE_BUNDLED_DEPS=ON -DBUILD_FALCO_MODERN_BPF=ON -DCREATE_TEST_TARGETS=Off -DFALCO_VERSION=${{ inputs.version }} ..
make ProbeSkeleton -j6
- name: Upload skeleton
@@ -74,7 +40,7 @@ jobs:
build-packages:
# See https://github.com/actions/runner/issues/409#issuecomment-1158849936
runs-on: ${{ (inputs.arch == 'aarch64' && fromJSON('[ "self-hosted", "linux", "ARM64" ]')) || 'ubuntu-latest' }}
- needs: [fetch-version, build-modern-bpf-skeleton]
+ needs: [build-modern-bpf-skeleton]
container: centos:7
steps:
# Always install deps before invoking checkout action, to properly perform a full clone.
@@ -114,7 +80,7 @@ jobs:
-DMODERN_BPF_SKEL_DIR=/tmp \
-DBUILD_DRIVER=Off \
-DBUILD_BPF=Off \
- -DFALCO_VERSION=${{ needs.fetch-version.outputs.version }} \
+ -DFALCO_VERSION=${{ inputs.version }} \
..
- name: Build project
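Review bot: `inputs.version` is now expanded verbatim into `run:` shell text (`-DFALCO_VERSION=${{ inputs.version }} ..` in the first hunk here and the `@@ -114` hunk, then the `cmake`, `mv` and `path` lines of the `@@ -170` and `@@ -185` hunks below), so this reusable workflow relies entirely on its caller to validate the string; release.yaml's `should_publish` semver gate covers the release path, but nothing in this file enforces it for other callers or for master.yaml, where the value comes from a grep over `config_falco.h`. Expose it to the step as an environment variable instead, `env:` / `FALCO_VERSION: ${{ inputs.version }}`, and reference it as `-DFALCO_VERSION="${FALCO_VERSION}"`, so the version reaches the shell as data rather than as part of the script. The jobs these hunks modify begin before each hunk.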
@@ -132,26 +98,25 @@ jobs:
- name: Upload Falco tar.gz package
uses: actions/upload-artifact@v3
with:
- name: falco-${{ needs.fetch-version.outputs.version }}-${{ inputs.arch }}.tar.gz
+ name: falco-${{ inputs.version }}-${{ inputs.arch }}.tar.gz
path: |
${{ github.workspace }}/build/falco-*.tar.gz
- name: Upload Falco deb package
uses: actions/upload-artifact@v3
with:
- name: falco-${{ needs.fetch-version.outputs.version }}-${{ inputs.arch }}.deb
+ name: falco-${{ inputs.version }}-${{ inputs.arch }}.deb
path: |
${{ github.workspace }}/build/falco-*.deb
- name: Upload Falco rpm package
uses: actions/upload-artifact@v3
with:
- name: falco-${{ needs.fetch-version.outputs.version }}-${{ inputs.arch }}.rpm
+ name: falco-${{ inputs.version }}-${{ inputs.arch }}.rpm
path: |
${{ github.workspace }}/build/falco-*.rpm
build-musl-package:
- needs: fetch-version
# x86_64 only for now
if: ${{ inputs.arch == 'x86_64' }}
runs-on: ubuntu-latest
@@ -170,7 +135,7 @@ jobs:
- name: Prepare project
run: |
mkdir build && cd build
- cmake -DCPACK_GENERATOR=TGZ -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DBUILD_LIBSCAP_MODERN_BPF=ON -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco ../ -DFALCO_VERSION=${{ needs.fetch-version.outputs.version }}
+ cmake -DCPACK_GENERATOR=TGZ -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DBUILD_LIBSCAP_MODERN_BPF=ON -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco ../ -DFALCO_VERSION=${{ inputs.version }}
- name: Build project
run: |
@@ -185,11 +150,11 @@ jobs:
- name: Rename static package
run: |
cd build
- mv falco-${{ needs.fetch-version.outputs.version }}-x86_64.tar.gz falco-${{ needs.fetch-version.outputs.version }}-static-x86_64.tar.gz
+ mv falco-${{ inputs.version }}-x86_64.tar.gz falco-${{ inputs.version }}-static-x86_64.tar.gz
- name: Upload Falco static package
uses: actions/upload-artifact@v3
with:
- name: falco-${{ needs.fetch-version.outputs.version }}-static-x86_64.tar.gz
+ name: falco-${{ inputs.version }}-static-x86_64.tar.gz
path: |
- ${{ github.workspace }}/build/falco-${{ needs.fetch-version.outputs.version }}-static-x86_64.tar.gz
+ ${{ github.workspace }}/build/falco-${{ inputs.version }}-static-x86_64.tar.gz
diff --git a/.github/workflows/reusable_publish_docker.yaml b/.github/workflows/reusable_publish_docker.yaml
index 527995007c2..e674c2131ec 100644
--- a/.github/workflows/reusable_publish_docker.yaml
+++ b/.github/workflows/reusable_publish_docker.yaml
@@ -2,6 +2,10 @@ on:
workflow_call:
inputs:
+ tag:
+ description: The tag to push
+ required: true
+ type: string
is_latest:
description: Update the latest tag with the new image
required: false
@@ -50,29 +54,29 @@ jobs:
- name: Create and push no-driver manifest
uses: Noelware/docker-manifest-action@0.3.1
with:
- inputs: falcosecurity/falco-no-driver:${{ github.ref_name }}
- images: falcosecurity/falco-no-driver:aarch64-${{ github.ref_name }},falcosecurity/falco-no-driver:x86_64-${{ github.ref_name }}
+ inputs: falcosecurity/falco-no-driver:${{ inputs.tag }}
+ images: falcosecurity/falco-no-driver:aarch64-${{ inputs.tag }},falcosecurity/falco-no-driver:x86_64-${{ inputs.tag }}
push: true
- name: Create and push slim manifest
uses: Noelware/docker-manifest-action@0.3.1
with:
- inputs: falcosecurity/falco:${{ github.ref_name }}-slim
- images: falcosecurity/falco:aarch64-${{ github.ref_name }}-slim,falcosecurity/falco:x86_64-${{ github.ref_name }}-slim
+ inputs: falcosecurity/falco:${{ inputs.tag }}-slim
+ images: falcosecurity/falco:aarch64-${{ inputs.tag }}-slim,falcosecurity/falco:x86_64-${{ inputs.tag }}-slim
push: true
- name: Create and push no-driver manifest for ecr
uses: Noelware/docker-manifest-action@0.3.1
with:
- inputs: public.ecr.aws/falcosecurity/falco-no-driver:${{ github.ref_name }}
- images: public.ecr.aws/falcosecurity/falco-no-driver:aarch64-${{ github.ref_name }},public.ecr.aws/falcosecurity/falco-no-driver:x86_64-${{ github.ref_name }}
+ inputs: public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tag }}
+ images: public.ecr.aws/falcosecurity/falco-no-driver:aarch64-${{ inputs.tag }},public.ecr.aws/falcosecurity/falco-no-driver:x86_64-${{ inputs.tag }}
push: true
- name: Create and push slim manifest for ecr
uses: Noelware/docker-manifest-action@0.3.1
with:
- inputs: public.ecr.aws/falcosecurity/falco:${{ github.ref_name }}-slim
- images: public.ecr.aws/falcosecurity/falco:aarch64-${{ github.ref_name }}-slim,public.ecr.aws/falcosecurity/falco:x86_64-${{ github.ref_name }}-slim
+ inputs: public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-slim
+ images: public.ecr.aws/falcosecurity/falco:aarch64-${{ inputs.tag 
}}-slim,public.ecr.aws/falcosecurity/falco:x86_64-${{ inputs.tag }}-slim
push: true
- name: Create and push no-driver latest manifest
@@ -110,15 +114,15 @@ jobs:
- name: Create and push falco manifest
uses: Noelware/docker-manifest-action@0.3.1
with:
- inputs: falcosecurity/falco:${{ github.ref_name }}
- images: falcosecurity/falco:aarch64-${{ github.ref_name }},falcosecurity/falco:x86_64-${{ github.ref_name }}
+ inputs: falcosecurity/falco:${{ inputs.tag }}
+ images: falcosecurity/falco:aarch64-${{ inputs.tag }},falcosecurity/falco:x86_64-${{ inputs.tag }}
push: true
- name: Create and push falco manifest for ecr
uses: Noelware/docker-manifest-action@0.3.1
with:
- inputs: public.ecr.aws/falcosecurity/falco:${{ github.ref_name }}
- images: public.ecr.aws/falcosecurity/falco:aarch64-${{ github.ref_name }},public.ecr.aws/falcosecurity/falco:x86_64-${{ github.ref_name }}
+ inputs: public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}
+ images: public.ecr.aws/falcosecurity/falco:aarch64-${{ inputs.tag }},public.ecr.aws/falcosecurity/falco:x86_64-${{ inputs.tag }}
push: true
- name: Create and push falco latest manifest
@@ -140,15 +144,15 @@ jobs:
- name: Create and push falco-driver-loader manifest
uses: Noelware/docker-manifest-action@0.3.1
with:
- inputs: falcosecurity/falco-driver-loader:${{ github.ref_name }}
- images: falcosecurity/falco-driver-loader:aarch64-${{ github.ref_name }},falcosecurity/falco-driver-loader:x86_64-${{ github.ref_name }}
+ inputs: falcosecurity/falco-driver-loader:${{ inputs.tag }}
+ images: falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }},falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}
push: true
- name: Create and push falco-driver-loader manifest for ecr
uses: Noelware/docker-manifest-action@0.3.1
with:
- inputs: public.ecr.aws/falcosecurity/falco-driver-loader:${{ github.ref_name }}
- images: public.ecr.aws/falcosecurity/falco-driver-loader:aarch64-${{ github.ref_name }},public.ecr.aws/falcosecurity/falco-driver-loader:x86_64-${{ github.ref_name }}
+ inputs: public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }}
+ images: public.ecr.aws/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }},public.ecr.aws/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}
push: true
- name: Create and push falco-driver-loader latest manifest
diff --git a/.github/workflows/reusable_publish_packages.yaml b/.github/workflows/reusable_publish_packages.yaml
index 8dc7f7faca8..dc959afc4a3 100644
--- a/.github/workflows/reusable_publish_packages.yaml
+++ b/.github/workflows/reusable_publish_packages.yaml
@@ -3,7 +3,7 @@ on:
workflow_call:
inputs:
version:
- description: 'Falco version extracted from userspace/falco/config_falco.h'
+ description: The Falco version to use when publishing packages
required: true
type: string
bucket_suffix:
From 25b7fdbcfeb5e5e0017145cd9e068147bdc845f7 Mon Sep 17 00:00:00 2001
From: Luca Guerra
Date: Mon, 8 May 2023 16:16:19 +0000
Subject: [PATCH 5/9] update(readme): add pre-release instructions to RELEASE.md
Signed-off-by: Luca Guerra
---
RELEASE.md | 30 ++++++++++++++++--------------
1 file changed, 16 insertions(+), 14 deletions(-)
diff --git a/RELEASE.md b/RELEASE.md
index 713cbed8fe9..0a205ccd04c 100644
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -113,26 +113,27 @@ The release PR is meant to be made against the respective `release/M.m.x` branch
- Close the completed milestone as soon as the PR is merged into the release branch
- Cherry pick the PR on master too
-## Release
+## Publishing Pre-Releases (RCs and tagged development versions)
-Assume `M.m.p` is the new version.
+Core maintainers and/or the release manager can decide to publish pre-releases at any time before the final release
+is live for development and testing purposes.
-### 1. Create a tag
+The prerelease tag must be formatted as `M.m.p-r`where `r` is the prerelease version information (e.g. `0.35.0-rc1`.)
-- Once the release PR has got merged both on the release branch and on master, and the master CI has done its job, git tag the new release on the release branch:
+To do so:
- ```
- git pull
- git checkout release/M.m.x
- git tag M.m.p
- git push origin M.m.p
- ```
+- [Draft a new release](https://github.com/falcosecurity/falco/releases/new)
+- Use `M.m.p-r` both as tag version and release title.
+- Check the "Set as a pre-release" checkbox and make sure "Set as the latest release" is unchecked
+- It is recommended to add a brief description so that other contributors will understand the reason why the prerelease is published
+- Publish the prerelease!
+- The release pipeline will start automatically. Packages will be uploaded to the `-dev` bucket and container images will be tagged with the specified tag.
-> **N.B.**: do NOT use an annotated tag. For reference https://git-scm.com/book/en/v2/Git-Basics-Tagging
+## Release
-- Wait for the CI to complete
+Assume `M.m.p` is the new version.
-### 2. Update the GitHub release
+### 1. Create the release with GitHub
- [Draft a new release](https://github.com/falcosecurity/falco/releases/new)
- Use `M.m.p` both as tag version and release title
@@ -176,8 +177,9 @@ Assume `M.m.p` is the new version.
```
- Finally, publish the release!
+- The release pipeline will start automatically upon publication and all packages and container images will be uploaded to the stable repositories.
-### 3. Update the meeting notes
+### 2. Update the meeting notes
For each release we archive the meeting notes in git for historical purposes.
From 282c2436f6b5e2913dacb2381e5c96a2203b911f Mon Sep 17 00:00:00 2001
From: Luca Guerra
Date: Tue, 9 May 2023 12:57:55 +0000
Subject: [PATCH 6/9] update(docs): clarify release checking in the readme
Signed-off-by: Luca Guerra
---
RELEASE.md | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/RELEASE.md b/RELEASE.md
index 0a205ccd04c..76857db2b9b 100644
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -129,6 +129,8 @@ To do so:
- Publish the prerelease!
- The release pipeline will start automatically. Packages will be uploaded to the `-dev` bucket and container images will be tagged with the specified tag.
+In order to check the status of the release pipeline click on the [GitHub Actions tab](https://github.com/falcosecurity/falco/actions?query=event%3Arelease) in the Falco repository and filter by release.
+
## Release
Assume `M.m.p` is the new version.
@@ -179,6 +181,8 @@ Assume `M.m.p` is the new version.
- Finally, publish the release!
- The release pipeline will start automatically upon publication and all packages and container images will be uploaded to the stable repositories.
+In order to check the status of the release pipeline click on the [GitHub Actions tab](https://github.com/falcosecurity/falco/actions?query=event%3Arelease) in the Falco repository and filter by release.
+
### 2. Update the meeting notes
For each release we archive the meeting notes in git for historical purposes.
From 03f398ba226618497aee208563d7228dbec7e328 Mon Sep 17 00:00:00 2001
From: Luca Guerra
Date: Tue, 9 May 2023 13:11:38 +0000
Subject: [PATCH 7/9] update(ci): explicit branch name in action
Signed-off-by: Luca Guerra
Co-authored-by: Federico Di Pierro
---
.github/workflows/master.yaml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/master.yaml b/.github/workflows/master.yaml
index e8afd338d34..b0aebb8980d 100644
--- a/.github/workflows/master.yaml
+++ b/.github/workflows/master.yaml
@@ -73,7 +73,7 @@ jobs:
arch: x86_64
bucket_suffix: '-dev'
version: ${{ needs.fetch-version.outputs.version }}
- tag: ${{ github.ref_name }}
+ tag: master
secrets: inherit
build-dev-docker-arm64:
@@ -83,12 +83,12 @@ jobs:
arch: aarch64
bucket_suffix: '-dev'
version: ${{ needs.fetch-version.outputs.version }}
- tag: ${{ github.ref_name }}
+ tag: master
secrets: inherit
publish-dev-docker:
needs: [fetch-version, build-dev-docker, build-dev-docker-arm64]
uses: falcosecurity/falco/.github/workflows/reusable_publish_docker.yaml@master
with:
- tag: ${{ github.ref_name }}
+ tag: master
secrets: inherit
From 1c835319eddc4ca3b3c6a6668c220aa0317ea5df Mon Sep 17 00:00:00 2001
From: Luca Guerra
Date: Tue, 9 May 2023 13:16:34 +0000
Subject: [PATCH 8/9] update(ci): update needs for build docker
Signed-off-by: Luca Guerra
Co-authored-by: Federico Di Pierro
---
.github/workflows/master.yaml | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/master.yaml b/.github/workflows/master.yaml
index b0aebb8980d..921f4805e41 100644
--- a/.github/workflows/master.yaml
+++ b/.github/workflows/master.yaml
@@ -65,9 +65,8 @@ jobs:
version: ${{ needs.fetch-version.outputs.version }}
secrets: inherit
- # Both build-dev-docker and its arm64 counterpart require build-dev-packages because they use its output
build-dev-docker:
- needs: [fetch-version, build-dev-packages, publish-dev-packages]
+ needs: [fetch-version, publish-dev-packages]
uses: falcosecurity/falco/.github/workflows/reusable_build_docker.yaml@master
with:
arch: x86_64
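Review bot: Hardcoding `tag: master` on the three changed lines (the `-73,7` hunk and both jobs in the `-83,12` hunk) decouples the published image tag from the ref that was actually checked out and built, so if this workflow can be started from any other ref (its `on:` block is outside these hunks) that ref's build would be pushed over the `master` images. If the trigger is limited to pushes to `master` this is harmless today, but the assumption is then only enforced by configuration elsewhere in the file; making it explicit on the publishing job, e.g. `if: github.ref == 'refs/heads/master'` on `publish-dev-docker`, keeps the `master` tag honest even if the trigger list grows later. Computing the tag once in a job output instead of repeating the literal three times would also remove the chance of the build and publish jobs drifting apart.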
@@ -77,7 +76,7 @@ jobs:
secrets: inherit
build-dev-docker-arm64:
- needs: [fetch-version, build-dev-packages, publish-dev-packages]
+ needs: [fetch-version, publish-dev-packages]
uses: falcosecurity/falco/.github/workflows/reusable_build_docker.yaml@master
with:
arch: aarch64
From 227252edee2c49194675ce76bd5c7696517cdf36 Mon Sep 17 00:00:00 2001
From: Luca Guerra
Date: Wed, 10 May 2023 08:23:25 +0000
Subject: [PATCH 9/9] update(ci): fail on non-semver release
Signed-off-by: Luca Guerra
Co-authored-by: Federico Di Pierro
---
.github/workflows/release.yaml | 14 +++++---------
1 file changed, 5 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 9b554fdbb8c..37344eec65f 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -14,7 +14,6 @@ jobs:
outputs:
is_latest: ${{ steps.get_settings.outputs.is_latest }}
bucket_suffix: ${{ steps.get_settings.outputs.bucket_suffix }}
- should_publish: ${{ steps.get_settings.outputs.should_publish }}
steps:
- name: Get latest release
uses: rez0n/actions-github-release@v2.0
@@ -30,11 +29,15 @@ jobs:
run: |
import os
import re
+ import sys
semver_no_meta = '''^(?P0|[1-9]\d*)\.(?P0|[1-9]\d*)\.(?P0|[1-9]\d*)(?:-(?P(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?$'''
tag_name = '${{ github.event.release.tag_name }}'
- should_publish = re.match(semver_no_meta, tag_name) is not None
+ is_valid_version = re.match(semver_no_meta, tag_name) is not None
+ if not is_valid_version:
+ print(f'Release version {tag_name} is not a valid full or pre-release. See RELEASE.md for more information.')
+ sys.exit(1)
is_prerelease = '-' in tag_name
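Review bot: Dropping `build-dev-packages` from `needs` in the `-65,9` hunk also deletes the comment that explained why the docker jobs waited for the package build, and the new list leaves that dependency implicit through `publish-dev-packages`. If `publish-dev-packages` (outside this hunk) still requires `build-dev-packages` the ordering is preserved, but GitHub only exposes `needs.<job>.outputs` for direct dependencies, so the `with:` block must not read `needs.build-dev-packages` any more; the visible `version:` line already uses `needs.fetch-version`, which is consistent. I would add a replacement comment above `build-dev-docker:` such as `# build-dev-packages is reached transitively via publish-dev-packages; its outputs are not available here` so the next person does not re-add the direct edge or try to read its outputs. The `-77,7` hunk makes the identical change for `build-dev-docker-arm64` and the same comment applies there.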
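Review bot: The new `is_valid_version` check in the `-30,11` hunk runs only after `tag_name = '${{ github.event.release.tag_name }}'` has been substituted into the Python source at template-expansion time, so it cannot protect the script itself: a release tag containing a single quote, which git ref names permit, changes the program text before the regex is ever evaluated. The mitigation GitHub documents for `run:` steps is to pass the value through the environment and validate the resulting string, e.g. `env:` with `TAG_NAME: ${{ github.event.release.tag_name }}` on the step and `tag_name = os.environ['TAG_NAME']` in the script, which keeps the new semver check meaningful. On the same lines, `\d` inside the non-raw `'''...'''` literal is an invalid escape that current Pythons warn about, so the pattern should be a raw string (`r'''...'''`). If the workflow's `on:` block (outside this hunk) still fires on tag pushes as it did in patch 1/9, `github.event.release.tag_name` is empty for those runs and every one of them now stops at the new `sys.exit(1)`; if the trigger was switched to `release` in an intermediate patch this is moot, but it is worth confirming.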
@@ -45,12 +48,10 @@ jobs:
with open(os.environ['GITHUB_OUTPUT'], 'a') as ofp:
print(f'is_latest={is_latest}'.lower(), file=ofp)
- print(f'should_publish={should_publish}'.lower(), file=ofp)
print(f'bucket_suffix={bucket_suffix}', file=ofp)
build-packages:
needs: [release-settings]
- if: ${{ needs.release-settings.outputs.should_publish == 'true' }}
uses: falcosecurity/falco/.github/workflows/reusable_build_packages.yaml@master
with:
arch: x86_64
@@ -59,7 +60,6 @@ jobs:
build-packages-arm64:
needs: [release-settings]
- if: ${{ needs.release-settings.outputs.should_publish == 'true' }}
uses: falcosecurity/falco/.github/workflows/reusable_build_packages.yaml@master
with:
arch: aarch64
@@ -68,7 +68,6 @@ jobs:
publish-packages:
needs: [release-settings, build-packages, build-packages-arm64]
- if: ${{ needs.release-settings.outputs.should_publish == 'true' }}
uses: falcosecurity/falco/.github/workflows/reusable_publish_packages.yaml@master
with:
bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }}
@@ -78,7 +77,6 @@ jobs:
# Both build-docker and its arm64 counterpart require build-packages because they use its output
build-docker:
needs: [release-settings, build-packages, publish-packages]
- if: ${{ needs.release-settings.outputs.should_publish == 'true' }}
uses: falcosecurity/falco/.github/workflows/reusable_build_docker.yaml@master
with:
arch: x86_64
@@ -90,7 +88,6 @@ jobs:
build-docker-arm64:
needs: [release-settings, build-packages, publish-packages]
- if: ${{ needs.release-settings.outputs.should_publish == 'true' }}
uses: falcosecurity/falco/.github/workflows/reusable_build_docker.yaml@master
with:
arch: aarch64
@@ -102,7 +99,6 @@ jobs:
publish-docker:
needs: [release-settings, build-docker, build-docker-arm64]
- if: ${{ needs.release-settings.outputs.should_publish == 'true' }}
uses: falcosecurity/falco/.github/workflows/reusable_publish_docker.yaml@master
secrets: inherit
with: