
ci: bump actions/upload-artifact from 4.6.0 to 4.6.1 #2304

ci: bump actions/upload-artifact from 4.6.0 to 4.6.1


name: Inspektor Gadget CI
env:
REGISTRY: ghcr.io
CONTAINER_REPO: ${{ github.repository }}
GO_VERSION: 1.23.4
# controller-gen with go >1.21 panics, but we can't update controller-gen itself
GO_VERSION_DOC_CHECK: 1.21.3
AZURE_AKS_CLUSTER_PREFIX: ig-ci-aks-
DEFAULT_DNSTESTER_IMAGE: ghcr.io/inspektor-gadget/dnstester:latest
DEFAULT_EBPF_BUILDER_IMAGE: ghcr.io/inspektor-gadget/ebpf-builder:latest
# With the recent update of docker/build-push-action to v6, this action
# started creating docker build summary files (i.e. .dockerbuild).
# Sadly, these files create troubles when trying to download artifact in the
# release job as they seem to not be downloadable.
# So, for now, let's deactivate this feature.
DOCKER_BUILD_NO_SUMMARY: true
concurrency:
group: ${{ github.ref }}
# We do not want to cancel job in progress on main to be sure to catch new
# regression as soon as they are introduced.
cancel-in-progress: ${{ github.ref_name != 'main' }}
on:
pull_request:
push:
branches:
- main
- 'release-*'
- 'citest/**'
tags:
- 'v*'
workflow_dispatch:
permissions: read-all
# Jobs are given a level in a comment.
# Jobs of the same level run in parallel.
# Jobs of level N depend of, at least, one job on level N - 1 expect job whom
# level is 0.
jobs:
documentation-checks:
name: Documentation checks
# level: 0
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup go
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
with:
go-version: ${{ env.GO_VERSION_DOC_CHECK }}
cache: true
id: go
- name: Check if generated files are updated
run: |
make manifests generate generate-documentation
git diff --exit-code HEAD --
- name: Replace tag constant
run: |
# Replace tag and branch constants to be able to check links
find docs/ -type f -exec sed -i 's/%IG_BRANCH%/main/g' {} +
find docs/ -type f -exec sed -i 's/%IG_TAG%/latest/g' {} +
- name: Check that there are not broken links
uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 # v1
with:
use-quiet-mode: 'yes'
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
id: filter
with:
filters: |
docs:
- 'docs/**'
- name: Setup Node
if: steps.filter.outputs.docs == 'true'
uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
with:
node-version: 18
- name: Check website build
if: steps.filter.outputs.docs == 'true'
run: |
cd "$RUNNER_TEMP"
git clone https://github.com/inspektor-gadget/website/
cd website
IG_DOCS=$GITHUB_WORKSPACE/inspektor-gadget/docs make docs && npm install && npm run build
actionlint:
name: Lint GitHub Actions workflows
# level: 0
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Check workflow files
shell: bash
run: |
# As advised from:
# https://github.com/rhysd/actionlint/blob/main/docs/usage.md#use-actionlint-on-github-actions
curl -o download-actionlint.bash https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash
bash download-actionlint.bash
# For now, we do not use shellcheck, we may activate it later.
./actionlint -color -shellcheck=
lint:
name: Lint
# level: 0
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup go
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
with:
go-version: ${{ env.GO_VERSION }}
id: go
- name: Lint
uses: golangci/golangci-lint-action@2226d7cb06a077cd73e56eedd38eecad18e5d837 # v6.5.0
with:
# This version number must be kept in sync with Makefile lint one.
version: v1.63.4
working-directory: /home/runner/work/inspektor-gadget/inspektor-gadget
# Workaround to display the output:
# https://github.com/golangci/golangci-lint-action/issues/119#issuecomment-981090648
args: "--out-${NO_FUTURE}format colored-line-number"
skip-pkg-cache: true
semgrep:
name: semgrep
runs-on: ubuntu-latest
container:
image: returntocorp/semgrep
# Skip any PR created by dependabot to avoid permission issues:
if: (github.actor != 'dependabot[bot]')
steps:
# Fetch project source with GitHub Actions Checkout.
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
# Run the "semgrep ci" command on the command line of the docker image.
- run: cd "$GITHUB_WORKSPACE" && semgrep ci --config "$GITHUB_WORKSPACE/.semgrep_rules.yaml"
ebpf-objects-checks:
name: eBPF Object checks
# level: 1
needs: build-helper-images
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Check ebpf formatting
run: |
make clang-format
changes="$(git status --porcelain)"
if [ -n "$changes" ] ; then
>&2 echo "Use 'make clang-format' to fix the style in the eBPF code:"
>&2 git diff
exit 1
fi
- name: Detect changes for ebpf objects
env:
EBPF_BUILDER: ${{ needs.build-helper-images.outputs.ebpf_builder_image }}
run: |
make ebpf-objects
changes="$(git status --porcelain)"
if [ -n "$changes" ] ; then
>&2 echo "$changes"
exit 1
fi
- name: Check that testdata is updated
run: |
make testdata
changes="$(git status --porcelain)"
if [ -n "$changes" ] ; then
>&2 echo "$changes"
exit 1
fi
pr-dependencies-checks:
name: PR dependencies checks
# level: 0
# We need to run this action only on PR.
# Otherwise, for other cases like pushing to main, it will fail because it
# searches for base_ref and head_ref which only exists in PR context.
if: ${{ github.event.pull_request }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Check if added dependencies do not contain CVE.
uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
build-clients:
name: clients
# level: 0
runs-on: ubuntu-latest
permissions:
security-events: write
strategy:
fail-fast: false
matrix:
client: [kubectl-gadget, gadgetctl]
os: [linux, darwin, windows]
arch: [amd64, arm64]
exclude:
- os: windows
arch: arm64
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup go
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
with:
go-version: ${{ env.GO_VERSION }}
cache: true
id: go
- name: Set container repository and determine image tag
id: set-repo-determine-image-tag
uses: ./.github/actions/set-container-repo-and-determine-image-tag
with:
registry: ${{ env.REGISTRY }}
container-image: ${{ env.CONTAINER_REPO }}
- uses: github/codeql-action/init@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
with:
languages: go
- name: Build ${{ matrix.client }}-${{ matrix.os }}-${{ matrix.arch }}
env:
CONTAINER_REPO: ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}
IMAGE_TAG: ${{ steps.set-repo-determine-image-tag.outputs.image-tag }}
run: |
git checkout
# Prevent releases with -dirty suffix due to forgotten entries in
# .gitignore.
changes="$(git status --porcelain)"
if [ -n "$changes" ] ; then
echo "$changes"
exit 1
fi
client=${{ matrix.client }}-${{ matrix.os }}-${{ matrix.arch }}
make "$client"
# We need to append .exe to windows binaries...
dot_exe=$(test ${{ matrix.os }} = 'windows' && echo '.exe' || echo '')
# Prepare assets for release and actions artifacts
platform='${{ matrix.os }}-${{ matrix.arch }}'
mkdir "$platform"
cp "${client}${dot_exe}" "${platform}/${{ matrix.client }}${dot_exe}"
cp LICENSE "$platform/"
tar --sort=name --owner=root:0 --group=root:0 \
-czf "${client}.tar.gz" -C "$platform" \
${{ matrix.client }}${dot_exe} LICENSE
rm -rf "$platform"
- name: CWE checks for ${{ matrix.client }}-${{ matrix.os }}-${{ matrix.arch }}
uses: github/codeql-action/analyze@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
with:
category: ${{ matrix.client }}-${{ matrix.os }}-${{ matrix.arch }}
- name: Add ${{ matrix.client }}-${{ matrix.os }}-${{ matrix.arch }}.tar.gz as artifact.
uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
with:
name: ${{ matrix.client }}-${{ matrix.os }}-${{ matrix.arch }}-tar-gz
path: /home/runner/work/inspektor-gadget/inspektor-gadget/${{ matrix.client }}-${{ matrix.os }}-${{ matrix.arch }}.tar.gz
btfgen:
name: btfgen
# level: 0
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
platform: [amd64, arm64]
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Get btfhub-archive last commmit
id: get-btfhub-head
run: |
echo "head=$(git ls-remote https://github.com/aquasecurity/btfhub-archive/ HEAD | cut -f1)" >> $GITHUB_OUTPUT
shell: bash
- name: Cache BTFGen
id: cache-btfgen
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
with:
path: pkg/btfgen/btfs
# key is composed by
# - arch: amd64 or arm64
# - latest commit of btfhub
# - hash of all bpf objects
key: btfgen-${{ matrix.platform }}-${{ steps.get-btfhub-head.outputs.head }}-${{ hashFiles('pkg/**/*.o') }}
- name: BTFGen
if: ${{ steps.cache-btfgen.outputs.cache-hit != 'true' }}
run: |
./tools/getbtfhub.sh
./tools/getbpftool.sh
make btfgen BPFTOOL=/tmp/bpftool \
ARCH=${{ matrix.platform }} BTFHUB_ARCHIVE="$HOME/btfhub-archive/" -j$(nproc)
build-ig:
name: ig
# level: 1
needs:
- btfgen
- build-helper-images
runs-on: ubuntu-latest
permissions:
security-events: write
strategy:
fail-fast: false
matrix:
platform: [amd64, arm64]
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup go
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
with:
go-version: ${{ env.GO_VERSION }}
cache: true
id: go
- name: Get btfhub-archive last commmit
id: get-btfhub-head
run: |
echo "head=$(git ls-remote https://github.com/aquasecurity/btfhub-archive/ HEAD | cut -f1)" >> $GITHUB_OUTPUT
shell: bash
- name: Cache BTFGen
id: cache-btfgen
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
with:
path: pkg/btfgen/btfs
# key is composed by
# - arch: amd64 or arm64
# - latest commit of btfhub
# - hash of all bpf objects
key: btfgen-${{ matrix.platform }}-${{ steps.get-btfhub-head.outputs.head }}-${{ hashFiles('pkg/**/*.o') }}
- name: Build ig-linux-${{ matrix.platform }}
env:
EBPF_BUILDER: ${{ needs.build-helper-images.outputs.ebpf_builder_image }}
run: |
if [ "${{ matrix.platform }}" = 'arm64' ]; then
sudo apt-get update
sudo apt-get install qemu-user-static
fi
make ig-linux-${{ matrix.platform }}
# Prepare assets for release and actions artifacts
mkdir ${{ matrix.platform }}
cp ig-linux-${{ matrix.platform }} ${{ matrix.platform }}/ig
cp LICENSE ${{ matrix.platform }}/
tar --sort=name --owner=root:0 --group=root:0 \
-czf ig-linux-${{ matrix.platform }}.tar.gz -C ${{ matrix.platform }} \
ig LICENSE
rm -rf ${{ matrix.platform }}
- name: Add ig-linux-${{ matrix.platform }}.tar.gz as artifact.
uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
with:
name: ig-linux-${{ matrix.platform }}-tar-gz
path: /home/runner/work/inspektor-gadget/inspektor-gadget/ig-linux-${{ matrix.platform }}.tar.gz
build-ig-cwe:
name: Check ig CWE
# level: 0
runs-on: ubuntu-latest
permissions:
security-events: write
strategy:
fail-fast: false
matrix:
platform: [amd64, arm64]
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup go
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
with:
go-version: ${{ env.GO_VERSION }}
cache: true
id: go
- uses: github/codeql-action/init@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
with:
languages: go
- name: Build ig-linux-${{ matrix.platform }} for CWE checks
run: |
# We need to build ig using go build otherwise CodeQL will not detect
# that the binary was built and will try to autobuild it which adds
# extra time in the CI pipeline.
CGO_ENABLED=0 GOARCH=${{ matrix.platform }} go build \
-ldflags "-extldflags '-static'" \
github.com/inspektor-gadget/inspektor-gadget/cmd/ig
- name: CWE checks for ig-linux-${{ matrix.platform }}
uses: github/codeql-action/analyze@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
with:
category: ig-linux-${{ matrix.platform }}
build-gadget-container-deps:
# We only build this dependencies to check if they do not contain CWE.
name: Build gadget-container-deps
# level: 0
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup go
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
with:
go-version: ${{ env.GO_VERSION }}
cache: true
id: go
- uses: github/codeql-action/init@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
with:
languages: go
- name: Build gadget-container-deps
run: |
make -C gadget-container
- name: CWE checks for gadget-container-deps
uses: github/codeql-action/analyze@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
with:
category: gadget-container-deps
build-gadget-container-images:
name: gadget img
# level: 1
needs: btfgen
runs-on: ubuntu-latest
permissions:
# allow publishing container image
# in case of public fork repo/packages permissions will always be read
contents: read
packages: write
outputs:
digest-amd64: ${{ steps.published-gadget-container-images.outputs.amd64 }}
digest-arm64: ${{ steps.published-gadget-container-images.outputs.arm64 }}
sbom-digest-amd64: ${{ steps.gadget-container-images-attach-sbom.outputs.sbom-amd64 }}
sbom-digest-arm64: ${{ steps.gadget-container-images-attach-sbom.outputs.sbom-arm64 }}
strategy:
fail-fast: false
matrix:
os: [ linux ]
# For the moment, we only support these two platforms.
platform: [ arm64, amd64 ]
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up QEMU
uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
- name: Cache Docker layers
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-docker-${{ matrix.platform }}-${{ hashFiles('Dockerfiles/gadget.Dockerfile') }}
restore-keys: |
${{ runner.os }}-docker-${{ matrix.platform }}-
- name: Login to Container Registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set container repository and determine image tag
id: set-repo-determine-image-tag
uses: ./.github/actions/set-container-repo-and-determine-image-tag
with:
registry: ${{ env.REGISTRY }}
container-image: ${{ env.CONTAINER_REPO }}
- name: Get btfhub-archive last commmit
id: get-btfhub-head
run: |
echo "head=$(git ls-remote https://github.com/aquasecurity/btfhub-archive/ HEAD | cut -f1)" >> $GITHUB_OUTPUT
shell: bash
- name: Cache BTFGen
id: cache-btfgen
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
with:
path: pkg/btfgen/btfs
# key is composed by
# - arch: amd64 or arm64
# - latest commit of btfhub
# - hash of all bpf objects
key: btfgen-${{ matrix.platform }}-${{ steps.get-btfhub-head.outputs.head }}-${{ hashFiles('pkg/**/*.o') }}
# we are using cache-to mode=min (default) implying that only final image layers are cached, using cache
# mode=max results in builder image layer of ~7GB because of btfhub files in a layer, which is too
# large (gloabal limit 10GB) to work with GH caches. (TODO: if we can work with mode=max in future?)
- name: Build gadget ${{ matrix.os }} ${{ matrix.platform }} container image as artifacts
uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
with:
context: /home/runner/work/inspektor-gadget/inspektor-gadget/
file: /home/runner/work/inspektor-gadget/inspektor-gadget/Dockerfiles/gadget.Dockerfile
outputs: type=docker,dest=/tmp/gadget-container-image-${{ matrix.os }}-${{ matrix.platform }}.tar
tags: ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}:${{ steps.set-repo-determine-image-tag.outputs.image-tag }}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache-new
platforms: ${{ matrix.os }}/${{ matrix.platform }}
build-args: |
VERSION=${{ steps.set-repo-determine-image-tag.outputs.image-tag }}
- name: Publish gadget ${{ matrix.os }} ${{ matrix.platform }} container image as artifacts
uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
with:
name: gadget-container-image-${{ matrix.os }}-${{ matrix.platform }}.tar
path: /tmp/gadget-container-image-${{ matrix.os }}-${{ matrix.platform }}.tar
retention-days: 1
- name: Generate SBOM for gadget ${{ matrix.os }} ${{ matrix.platform }} image
uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
with:
context: /home/runner/work/inspektor-gadget/inspektor-gadget/
file: /home/runner/work/inspektor-gadget/inspektor-gadget/Dockerfiles/gadget.Dockerfile
outputs: type=local,dest=/tmp/gadget-container-image-${{ matrix.os }}-${{ matrix.platform }}
tags: ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}:${{ steps.set-repo-determine-image-tag.outputs.image-tag }}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache-new
platforms: ${{ matrix.os }}/${{ matrix.platform }}
# The following permits to generate SBOM:
# https://github.com/moby/buildkit/issues/2773#issue-1194754388
build-args: BUILDKIT_SYNTAX=crazymax/dockerfile:sbom
# build time will not be increased with this workflow because of internal cache
# buildx is used here since it allows push-by-digest to avoid platform specific tags
- name: Publish gadget ${{ matrix.os }} ${{ matrix.platform }} container image to registry
id: publish-gadget-container-images
if: github.event_name != 'pull_request'
uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
with:
context: /home/runner/work/inspektor-gadget/inspektor-gadget/
file: /home/runner/work/inspektor-gadget/inspektor-gadget/Dockerfiles/gadget.Dockerfile
outputs: type=registry,name=${{ steps.set-repo-determine-image-tag.outputs.container-repo }},push=true,push-by-digest=true
cache-from: type=local,src=/tmp/.buildx-cache-new
platforms: ${{ matrix.os }}/${{ matrix.platform }}
build-args: |
VERSION=${{ steps.set-repo-determine-image-tag.outputs.image-tag }}
- name: Setup oras
if: github.event_name != 'pull_request'
uses: oras-project/setup-oras@5c0b487ce3fe0ce3ab0d034e63669e426e294e4d # v1.2.2
- name: Attach SBOM to container image
if: github.event_name != 'pull_request'
id: gadget-container-images-attach-sbom
env:
CONTAINER_REPO: ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}
DIGEST: ${{ steps.publish-gadget-container-images.outputs.digest }}
run: |
# We need to get the image digest from the manifest.
# Otherwise, we will attach the SBOM to the manifest and the SBOM will
# be lost when using imagetools as this command creates a new manifest
# and attaches only the images, not the existing manifests.
# This way, we are sure the new manifest will point to the images which
# have SBOM attached.
manifest=$(oras manifest fetch "${CONTAINER_REPO}@${DIGEST}")
image_digest=$(echo "$manifest" | jq -e '[.manifests[] | select ( .platform.architecture == "${{ matrix.platform }}" and .platform.os == "${{ matrix.os }}" )] | if length != 1 then empty else .[0].digest end')
image_digest=$(echo "$image_digest" | tr -d '"')
sbom_digest=$(oras attach "${CONTAINER_REPO}@${image_digest}" /tmp/gadget-container-image-${{ matrix.os }}-${{ matrix.platform }}/sbom_cyclonedx.json --disable-path-validation --artifact-type example/sbom | grep 'Digest:' | awk '{ print $2 }')
echo "sbom-${{ matrix.platform }}=${sbom_digest}" >> $GITHUB_OUTPUT
- name: Save gadget ${{ matrix.os }} ${{ matrix.platform }} container image digest output
id: published-gadget-container-images
if: github.event_name != 'pull_request'
env:
DIGEST: ${{ steps.publish-gadget-container-images.outputs.digest }}
run: |
echo "${{ matrix.platform }}=$DIGEST" >> $GITHUB_OUTPUT
# old cache entries aren’t deleted, so the cache size keeps growing
# remove old cache and move new cache to cache path to workaround the issue
# https://github.com/docker/build-push-action/issues/252
- name: Move gadget ${{ matrix.os }} ${{ matrix.platform }} container image cache to correct location
run: |
rm -rf /tmp/.buildx-cache
mv /tmp/.buildx-cache-new /tmp/.buildx-cache
build-ig-container-images:
name: ig img
# level: 1
needs:
- btfgen
- build-helper-images
runs-on: ubuntu-latest
permissions:
# allow publishing container image
# in case of public fork repo/packages permissions will always be read
contents: read
packages: write
outputs:
digest-amd64: ${{ steps.published-ig-container-images.outputs.amd64 }}
digest-arm64: ${{ steps.published-ig-container-images.outputs.arm64 }}
sbom-digest-amd64: ${{ steps.ig-container-images-attach-sbom.outputs.sbom-amd64 }}
sbom-digest-arm64: ${{ steps.ig-container-images-attach-sbom.outputs.sbom-arm64 }}
strategy:
fail-fast: false
matrix:
os: [ linux ]
# For the moment, we only support these two platforms.
platform: [ arm64, amd64 ]
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up QEMU
uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
- name: Cache Docker layers
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-docker-${{ matrix.platform }}-${{ hashFiles('Dockerfiles/ig.Dockerfile') }}
restore-keys: |
${{ runner.os }}-docker-${{ matrix.platform }}-
- name: Login to Container Registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set container repository and determine image tag
id: set-repo-determine-image-tag
uses: ./.github/actions/set-container-repo-and-determine-image-tag
with:
registry: ${{ env.REGISTRY }}
container-image: ${{ github.repository_owner }}/ig
- name: Get btfhub-archive last commmit
id: get-btfhub-head
run: |
echo "head=$(git ls-remote https://github.com/aquasecurity/btfhub-archive/ HEAD | cut -f1)" >> $GITHUB_OUTPUT
shell: bash
- name: Cache BTFGen
id: cache-btfgen
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
with:
path: pkg/btfgen/btfs
# key is composed by
# - arch: amd64 or arm64
# - latest commit of btfhub
# - hash of all bpf objects
key: btfgen-${{ matrix.platform }}-${{ steps.get-btfhub-head.outputs.head }}-${{ hashFiles('pkg/**/*.o') }}
- name: Build ig ${{ matrix.os }} ${{ matrix.platform }} container image as artifacts
uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
with:
context: /home/runner/work/inspektor-gadget/inspektor-gadget/
file: /home/runner/work/inspektor-gadget/inspektor-gadget/Dockerfiles/ig.Dockerfile
outputs: type=docker,dest=/tmp/ig-container-image-${{ matrix.os }}-${{ matrix.platform }}.tar
tags: ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}:${{ steps.set-repo-determine-image-tag.outputs.image-tag }}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache-new
platforms: ${{ matrix.os }}/${{ matrix.platform }}
build-args: |
VERSION=${{ steps.set-repo-determine-image-tag.outputs.image-tag }}
EBPF_BUILDER=${{ needs.build-helper-images.outputs.ebpf_builder_image }}
- name: Publish ig ${{ matrix.os }} ${{ matrix.platform }} container image as artifacts
uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
with:
name: ig-container-image-${{ matrix.os }}-${{ matrix.platform }}.tar
path: /tmp/ig-container-image-${{ matrix.os }}-${{ matrix.platform }}.tar
retention-days: 1
- name: Generate ig ${{ matrix.os }} ${{ matrix.platform }} container image SBOM
uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
with:
context: /home/runner/work/inspektor-gadget/inspektor-gadget/
file: /home/runner/work/inspektor-gadget/inspektor-gadget/Dockerfiles/ig.Dockerfile
outputs: type=local,dest=/tmp/ig-container-image-${{ matrix.os }}-${{ matrix.platform }}
tags: ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}:${{ steps.set-repo-determine-image-tag.outputs.image-tag }}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache-new
platforms: ${{ matrix.os }}/${{ matrix.platform }}
build-args: |
VERSION=${{ steps.set-repo-determine-image-tag.outputs.image-tag }}
EBPF_BUILDER=${{ needs.build-helper-images.outputs.ebpf_builder_image }}
BUILDKIT_SYNTAX=crazymax/dockerfile:sbom
# build time will not be increased with this workflow because of internal cache
# buildx is used here since it allows push-by-digest to avoid platform specific tags
- name: Publish ig ${{ matrix.os }} ${{ matrix.platform }} container image to registry
id: publish-ig-container-images
if: github.event_name != 'pull_request'
uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
with:
context: /home/runner/work/inspektor-gadget/inspektor-gadget/
file: /home/runner/work/inspektor-gadget/inspektor-gadget/Dockerfiles/ig.Dockerfile
outputs: type=registry,name=${{ steps.set-repo-determine-image-tag.outputs.container-repo }},push=true,push-by-digest=true
cache-from: type=local,src=/tmp/.buildx-cache-new
platforms: ${{ matrix.os }}/${{ matrix.platform }}
build-args: |
VERSION=${{ steps.set-repo-determine-image-tag.outputs.image-tag }}
EBPF_BUILDER=${{ needs.build-helper-images.outputs.ebpf_builder_image }}
- name: Setup oras
if: github.event_name != 'pull_request'
uses: oras-project/setup-oras@5c0b487ce3fe0ce3ab0d034e63669e426e294e4d # v1.2.2
- name: Attach SBOM to container image
if: github.event_name != 'pull_request'
id: ig-container-images-attach-sbom
env:
CONTAINER_REPO: ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}
DIGEST: ${{ steps.publish-ig-container-images.outputs.digest }}
run: |
# We need to get the image digest from the manifest.
# Otherwise, we will attach the SBOM to the manifest and the SBOM will
# be lost when using imagetools as this command creates a new manifest
# and attaches only the images, not the existing manifests.
# This way, we are sure the new manifest will point to the images which
# have SBOM attached.
manifest=$(oras manifest fetch "${CONTAINER_REPO}@${DIGEST}")
image_digest=$(echo $manifest | jq -e '[.manifests[] | select ( .platform.architecture == "${{ matrix.platform }}" and .platform.os == "${{ matrix.os }}" )] | if length != 1 then empty else .[0].digest end')
image_digest=$(echo "$image_digest" | tr -d '"')
sbom_digest=$(oras attach "${CONTAINER_REPO}@${image_digest}" /tmp/ig-container-image-${{ matrix.os }}-${{ matrix.platform }}/sbom_cyclonedx.json --disable-path-validation --artifact-type example/sbom | grep 'Digest:' | awk '{ print $2 }')
echo "sbom-${{ matrix.platform }}=${sbom_digest}" >> $GITHUB_OUTPUT
- name: Save ig ${{ matrix.os }} ${{ matrix.platform }} container image digest output
id: published-ig-container-images
if: github.event_name != 'pull_request'
env:
DIGEST: ${{ steps.publish-ig-container-images.outputs.digest }}
run: |
echo "${{ matrix.platform }}=$DIGEST" >> $GITHUB_OUTPUT
# old cache entries aren’t deleted, so the cache size keeps growing
# remove old cache and move new cache to cache path to workaround the issue
# https://github.com/docker/build-push-action/issues/252
- name: Move ig ${{ matrix.os }} ${{ matrix.platform }} container image cache to correct location
run: |
rm -rf /tmp/.buildx-cache
mv /tmp/.buildx-cache-new /tmp/.buildx-cache
analyse-ig-binary-size:
name: IG binary size analysis
runs-on: ubuntu-latest
needs:
- build-ig
strategy:
matrix:
platform: [amd64, arm64]
steps:
- name: Set up Go
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
with:
go-version: ${{ env.GO_VERSION }}
cache: true
id: go
- name: Install go-size-analyzer
run: |
go install github.com/Zxilly/go-size-analyzer/cmd/gsa@e47aa2561e70b937f2be7441b2eeca984ff60e8b # v1.7.6
- name: Get ig-linux-${{matrix.platform}}.tar.gz from artifact
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: ig-linux-${{matrix.platform}}-tar-gz
path: /home/runner/work/inspektor-gadget/
- name: Unpack ig-linux-${{matrix.platform}}.tar.gz
run: |
tar zxvf /home/runner/work/inspektor-gadget/ig-linux-${{matrix.platform}}.tar.gz
gsa ./ig -f "json" --compact | tee out.json
jq '[.packages | to_entries[] | {package: .key, size: .value.size, type: .value.type}] | sort_by(.size) | reverse' out.json | tee ig-packages.json
shell: bash
- name: Generate Markdown Table
uses: buildingcash/json-to-markdown-table-action@b442169239ef35f1dc4e5c8c3d47686c081a7e65 #v1.1.0
id: table
with:
json_file_path: ig-packages.json
- name: Add Markdown Table
env:
TABLE_OUTPUT: ${{ steps.table.outputs.table }}
run: |
echo '### Package Size Summary' >> $GITHUB_STEP_SUMMARY
echo "$TABLE_OUTPUT" >> $GITHUB_STEP_SUMMARY
analyze-ig-memory:
name: IG memory analysis with pprof
runs-on: ubuntu-latest
needs:
- build-ig
- build-and-push-gadgets
steps:
- name: Set up Go
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
with:
go-version: '1.23.4'
cache: true
id: go
- name: Get ig-linux-amd64.tar.gz from artifact.
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: ig-linux-amd64-tar-gz
path: /home/runner/work/inspektor-gadget/
- name: Unpack ig-linux-amd64.tar.gz & Analyze memory
run: |
tar zxvf /home/runner/work/inspektor-gadget/ig-linux-amd64.tar.gz
sudo ./ig run trace_dns:latest --pprof-addr=localhost:6060 &
sleep 10
curl http://localhost:6060/debug/pprof/heap | tee heap.out
go tool pprof -top -inuse_space ./ig heap.out | tee inuse_space.txt
go tool pprof -top -alloc_space ./ig heap.out | tee alloc_space.txt
- name: Add Markdown Table
run: |
# The inuse_space.txt contains the following header:
# File: ig
# Type: inuse_space
# Time: Jan 22, 2025 at 1:49pm (UTC)
# Showing nodes accounting for 50626.69kB, 100% of 50626.69kB total
# flat flat% sum% cum cum%
# And alloc_space.txt this one:
# File: ig
# Type: alloc_space
# Time: Jan 22, 2025 at 1:49pm (UTC)
# Showing nodes accounting for 12345.67kB, 100% of 12345.67kB total
# flat flat% sum% cum cum%
# awk will filter it out.
declare -A files=([inuse_space.txt]='Inuse Space' [alloc_space.txt]='Alloc Space')
for file in "${!files[@]}"; do
echo "### Memory Usage Summary (${files[$file]})"| tee -a $GITHUB_STEP_SUMMARY
echo '| Flat Memory | Flat% | Sum% | Cumulative Memory | Cumulative% | Function |' | tee -a $GITHUB_STEP_SUMMARY
echo '|-------------|-------|------|--------------------|-------------|----------|' | tee -a $GITHUB_STEP_SUMMARY
awk 'NR > 6 { printf "| %s | %s | %s | %s | %s | %s |\n", $1, $2, $3, $4, $5, $6 }' $file | tee -a $GITHUB_STEP_SUMMARY
echo '' | tee -a $GITHUB_STEP_SUMMARY
done
scan-gadget-container-images:
name: Scan gadget img
# level: 2
needs: build-gadget-container-images
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
os: [ linux ]
platform: [ amd64 ]
steps:
- name: Download gadget ${{ matrix.os }} ${{ matrix.platform }} container image as artifacts
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: gadget-container-image-${{ matrix.os }}-${{ matrix.platform }}.tar
path: ${{ github.workspace }}
- name: Scan gadget ${{ matrix.os }} ${{ matrix.platform }} container image
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
with:
input: gadget-container-image-${{ matrix.os }}-${{ matrix.platform }}.tar
format: 'table'
exit-code: 1
severity: CRITICAL,HIGH
# uncomment to ignore vulnerabilities
ignore-unfixed: true
# ignore-policy: .github/trivy/ignore-policy.yaml
publish-gadget-images-manifest:
name: Publish gadget img manifest
# level: 2
if: github.event_name != 'pull_request'
needs:
- build-gadget-container-images
- check-secrets
runs-on: ubuntu-latest
permissions:
# allow publishing container image
# in case of public fork repo/packages permissions will always be read
contents: read
packages: write
outputs:
image-digest: ${{ steps.publish-manifest-list.outputs.image-digest }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
- name: Login to Container Registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set container repository and determine image tag
id: set-repo-determine-image-tag
uses: ./.github/actions/set-container-repo-and-determine-image-tag
with:
registry: ${{ env.REGISTRY }}
container-image: ${{ env.CONTAINER_REPO }}
- name: Publish the manifest list
id: publish-manifest-list
env:
CONTAINER_REPO: ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}
IMAGE_TAG: ${{ steps.set-repo-determine-image-tag.outputs.image-tag }}
DIGEST_AMD64: ${{ needs.build-gadget-container-images.outputs.digest-amd64 }}
DIGEST_ARM64: ${{ needs.build-gadget-container-images.outputs.digest-arm64 }}
SBOM_DIGEST_AMD64: ${{ needs.build-gadget-container-images.outputs.sbom-digest-amd64 }}
SBOM_DIGEST_ARM64: ${{ needs.build-gadget-container-images.outputs.sbom-digest-arm64 }}
run: |
IMAGE_REF="${CONTAINER_REPO}:${IMAGE_TAG}"
IMAGE_SOURCE="https://github.com/inspektor-gadget/inspektor-gadget"
IMAGE_DOCUMENTATION="https://inspektor-gadget.io/docs"
IMAGE_LICENSES="Apache-2.0"
IMAGE_TITLE="Inspektor Gadget k8s DaemonSet"
IMAGE_DESCRIPTION="Inspektor Gadget is a collection of tools (or gadgets) to debug and inspect Kubernetes resources and applications. This image is used as a long-running DaemonSet in Kubernetes via the kubectl-gadget deploy command or via the Helm charts."
docker buildx imagetools create \
-t "$IMAGE_REF" \
--annotation index:org.opencontainers.image.documentation="$IMAGE_DOCUMENTATION" \
--annotation index:org.opencontainers.image.description="$IMAGE_DESCRIPTION" \
--annotation index:org.opencontainers.image.licenses="$IMAGE_LICENSES" \
--annotation index:org.opencontainers.image.source="$IMAGE_SOURCE" \
--annotation index:org.opencontainers.image.title="$IMAGE_TITLE" \
"${CONTAINER_REPO}@${DIGEST_AMD64}" \
"${CONTAINER_REPO}@${SBOM_DIGEST_AMD64}" \
"${CONTAINER_REPO}@${DIGEST_ARM64}" \
"${CONTAINER_REPO}@${SBOM_DIGEST_ARM64}"
image_digest=$(docker buildx imagetools inspect --format '{{json .Manifest.Digest}}' $IMAGE_REF | jq -r)
echo "image-digest=${image_digest}" >> $GITHUB_OUTPUT
- name: Sign the manifest list
if: needs.check-secrets.outputs.cosign == 'true'
uses: ./.github/actions/sign-container-image
with:
password: '${{ secrets.COSIGN_PASSWORD }}'
private_key: '${{ secrets.COSIGN_PRIVATE_KEY }}'
image: "${{ steps.set-repo-determine-image-tag.outputs.container-repo }}@${{ steps.publish-manifest-list.outputs.image-digest }}"
publish-ig-images-manifest:
name: Publish ig img manifest
# level: 2
if: github.event_name != 'pull_request'
needs:
- build-ig-container-images
- check-secrets
runs-on: ubuntu-latest
permissions:
# allow publishing container image
# in case of public fork repo/packages permissions will always be read
contents: read
packages: write
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
- name: Login to Container Registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set container repository and determine image tag
id: set-repo-determine-image-tag
uses: ./.github/actions/set-container-repo-and-determine-image-tag
with:
registry: ${{ env.REGISTRY }}
container-image: ${{ github.repository_owner }}/ig
- name: Publish the manifest list
id: publish-manifest-list
env:
CONTAINER_REPO: ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}
IMAGE_TAG: ${{ steps.set-repo-determine-image-tag.outputs.image-tag }}
DIGEST_AMD64: ${{ needs.build-ig-container-images.outputs.digest-amd64 }}
DIGEST_ARM64: ${{ needs.build-ig-container-images.outputs.digest-arm64 }}
SBOM_DIGEST_AMD64: ${{ needs.build-ig-container-images.outputs.sbom-digest-amd64 }}
SBOM_DIGEST_ARM64: ${{ needs.build-ig-container-images.outputs.sbom-digest-arm64 }}
run: |
IMAGE_REF="${CONTAINER_REPO}:${IMAGE_TAG}"
IMAGE_SOURCE="https://github.com/inspektor-gadget/inspektor-gadget"
IMAGE_DOCUMENTATION="https://inspektor-gadget.io/docs"
IMAGE_LICENSES="Apache-2.0"
IMAGE_TITLE="Inspektor Gadget ig tool"
IMAGE_DESCRIPTION="Inspektor Gadget is a collection of tools (or gadgets) to debug and inspect Kubernetes resources and applications. This image only includes the ig binary, a standalone tool to run the gadgets."
docker buildx imagetools create \
-t "$IMAGE_REF" \
"${CONTAINER_REPO}@${DIGEST_AMD64}" \
"${CONTAINER_REPO}@${SBOM_DIGEST_AMD64}" \
"${CONTAINER_REPO}@${DIGEST_ARM64}" \
"${CONTAINER_REPO}@${SBOM_DIGEST_ARM64}" \
--annotation index:org.opencontainers.image.documentation="$IMAGE_DOCUMENTATION" \
--annotation index:org.opencontainers.image.description="$IMAGE_DESCRIPTION" \
--annotation index:org.opencontainers.image.licenses="$IMAGE_LICENSES" \
--annotation index:org.opencontainers.image.source="$IMAGE_SOURCE" \
--annotation index:org.opencontainers.image.title="$IMAGE_TITLE"
image_digest=$(docker buildx imagetools inspect --format '{{json .Manifest.Digest}}' "$IMAGE_REF" | jq -r)
echo "image-digest=${image_digest}" >> $GITHUB_OUTPUT
- name: Sign the manifest list
if: needs.check-secrets.outputs.cosign == 'true'
uses: ./.github/actions/sign-container-image
with:
password: '${{ secrets.COSIGN_PASSWORD }}'
private_key: '${{ secrets.COSIGN_PRIVATE_KEY }}'
image: "${{ steps.set-repo-determine-image-tag.outputs.container-repo }}@${{ steps.publish-manifest-list.outputs.image-digest }}"
build-helper-images:
# level: 2
name: helper images
runs-on: ubuntu-latest
needs:
- check-secrets
outputs:
dnstester_image: ${{ steps.image-tag.outputs.dnstester }}
ebpf_builder_image: ${{ steps.image-tag.outputs.ebpf-builder }}
permissions:
# allow publishing container image
# in case of public fork repo/packages permissions will always be read
contents: read
packages: write
strategy:
fail-fast: false
matrix:
image:
- name: "dnstester"
context: "tools/dnstester"
dockerfile: "tools/dnstester/Dockerfile"
platform: "linux/amd64,linux/arm64"
filter-patterns:
- "tools/dnstester/*"
- name: "ebpf-builder"
context: "/home/runner/work/inspektor-gadget/inspektor-gadget"
dockerfile: "Dockerfiles/ebpf-builder.Dockerfile"
platform: "linux/amd64,linux/arm64"
filter-patterns:
- "include/**"
- "Dockerfiles/ebpf-builder.Dockerfile"
- "cmd/common/image/Makefile.build"
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
id: filter
with:
# https://github.com/rhysd/actionlint/blob/main/docs/checks.md#check-type-check-expression
filters: |
pattern: ${{ toJson(matrix.image.filter-patterns) }}
- name: Check if we should build helpers
id: check-build-helpers
# always build the images on release, merge to main or to a release branch
if: steps.filter.outputs.pattern == 'true' || startsWith(github.ref_name, 'v') || startsWith(github.ref_name, 'release-') || github.ref_name == 'main'
run: |
echo "build=true" >> $GITHUB_OUTPUT
- name: Set up Docker Buildx
if: steps.check-build-helpers.outputs.build == 'true'
uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
- name: Login to Container Registry
if: steps.check-build-helpers.outputs.build == 'true'
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set container repository and determine image tag
if: steps.check-build-helpers.outputs.build == 'true'
id: set-repo-determine-image-tag
uses: ./.github/actions/set-container-repo-and-determine-image-tag
with:
registry: ${{ env.REGISTRY }}
container-image: ${{ github.repository_owner }}/${{ matrix.image.name }}
- name: Build ${{ matrix.image.name }} image
id: build-image
if: steps.check-build-helpers.outputs.build == 'true'
uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
with:
context: ${{ matrix.image.context }}
file: ${{ matrix.image.dockerfile }}
# The repository should have the variable PUSH_HELPERS set to
# ENABLE_PUSH_HELPERS, see:
# https://docs.github.com/en/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository
push: ${{ vars.PUSH_HELPERS == 'ENABLE_PUSH_HELPERS' }}
tags: ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}:${{ steps.set-repo-determine-image-tag.outputs.image-tag }}
platforms: ${{ matrix.image.platform }}
- name: Save ${{ matrix.image.name }} image tag output
id: image-tag
env:
CONTAINER_REPO: ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}
DIGEST: ${{ steps.build-image.outputs.digest }}
run: |
if [ -n "$DIGEST" ]; then
image="${CONTAINER_REPO}@${DIGEST}"
else
if [ ${{ matrix.image.name }} == "dnstester" ]; then
image=${{ env.DEFAULT_DNSTESTER_IMAGE }}
elif [ ${{ matrix.image.name }} == "ebpf-builder" ]; then
image=${{ env.DEFAULT_EBPF_BUILDER_IMAGE }}
else
>&2 echo "No default image for ${{ matrix.image.name }}!"
exit 1
fi
fi
echo "${{ matrix.image.name }}=${image}" >> $GITHUB_OUTPUT
- name: Sign ${{ matrix.image.name }} image
if: steps.check-build-helpers.outputs.build == 'true' && needs.check-secrets.outputs.cosign == 'true' && vars.PUSH_HELPERS == 'ENABLE_PUSH_HELPERS'
uses: ./.github/actions/sign-container-image
with:
password: '${{ secrets.COSIGN_PASSWORD }}'
private_key: '${{ secrets.COSIGN_PRIVATE_KEY }}'
image: "${{ steps.set-repo-determine-image-tag.outputs.container-repo }}@${{ steps.build-image.outputs.digest }}"
build-examples:
name: example
# level: 0
runs-on: ubuntu-latest
permissions:
# allow publishing container image
# in case of public fork repo/packages permissions will always be read
contents: read
packages: write
strategy:
fail-fast: false
matrix:
example: [container-hook, kube-container-collection]
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
- name: Login to Container Registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set container repository and determine image tag
id: set-repo-determine-image-tag
uses: ./.github/actions/set-container-repo-and-determine-image-tag
with:
registry: ${{ env.REGISTRY }}
container-image: ${{ env.CONTAINER_REPO }}
- name: Build example container
uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
with:
context: /home/runner/work/inspektor-gadget/inspektor-gadget
file: /home/runner/work/inspektor-gadget/inspektor-gadget/examples/${{ matrix.example }}/Dockerfile
push: ${{ secrets.PUSH_EXAMPLES == 'ENABLE_PUSH_EXAMPLES' }}
tags: ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}-${{ matrix.example }}:${{ steps.set-repo-determine-image-tag.outputs.image-tag }}
build-gadgets-examples:
name: Gadgets examples
# level: 0
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup go
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
with:
go-version: ${{ env.GO_VERSION }}
cache: true
- name: Build builtin gadgets example binaries
run: |
cd examples
for dir in $(dirname $(find builtin-gadgets -name README.md)); do
go build "./$dir";
done
- name: Build gadgets example binaries
run: |
cd examples
for dir in $(dirname $(find gadgets -name main.go)); do
go build "./$dir";
done
test-unit:
needs:
- build-ig
name: Unit tests
# level: 0
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup go
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
with:
go-version: ${{ env.GO_VERSION }}
cache: true
id: go
- name: Get ig-linux-amd64.tar.gz from artifact
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: ig-linux-amd64-tar-gz
path: /home/runner/work/inspektor-gadget/
- name: Unpack ig-linux-amd64.tar.gz
run: |
tar zxvf /home/runner/work/inspektor-gadget/ig-linux-amd64.tar.gz
sudo mv ig /usr/local/bin/ig
- name: Unit tests
run: |
sudo make test
- name: Controller unit tests
run: |
make controller-tests
benchmarks:
name: Benchmarks
# level: 0
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup go
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
with:
go-version: ${{ env.GO_VERSION }}
cache: true
id: go
- name: Show repository setup
env:
EVENT_NAME: ${{ github.event_name }}
EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }}
REPOSITORY: ${{ github.repository }}
run: |
echo "github.event_name: $EVENT_NAME"
echo "github.event.pull_request.head.repo.full_name: $EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME"
echo "github.repository: $REPOSITORY"
- name: Run benchmarks
run: go test -exec sudo -bench=. -run=Benchmark ./pkg/gadgets/... ./internal/benchmarks/... | tee output.txt
#- name: Download previous benchmark data
# uses: actions/cache@v1
# with:
# path: ./cache
# key: ${{ runner.os }}-benchmark
- name: Store benchmark result
uses: benchmark-action/github-action-benchmark@d48d326b4ca9ba73ca0cd0d59f108f9e02a381c7 # v1.20.4
# Disable push from forks or PR from forks.
# $BENCHMARKS_TOKEN will not be available in those cases.
if: |
(github.event_name == 'push' &&
github.repository == 'inspektor-gadget/inspektor-gadget') ||
(github.event_name == 'pull_request' &&
github.event.pull_request.head.repo.full_name == 'inspektor-gadget/inspektor-gadget')
with:
name: Gadget benchmarks
# What benchmark tool the output.txt came from
tool: 'go'
# Where the output from the benchmark tool is stored
output-file-path: output.txt
# Where the previous data file is stored
# external-data-json-path: ./cache/benchmark-data.json
# Workflow will fail when an alert happens
fail-on-alert: false
# GitHub API token to make a commit comment
github-token: ${{ secrets.BENCHMARKS_TOKEN }}
# Enable alert commit comment
comment-on-alert: true
# Enable Job Summary for PRs
# summary-always: true
# Mention people in the commit comment
alert-comment-cc-users: '@alban'
# Push and deploy GitHub pages branch automatically
auto-push: ${{ github.repository == 'inspektor-gadget/inspektor-gadget' }}
gh-pages-branch: gh-pages
gh-repository: github.com/inspektor-gadget/ig-benchmarks
benchmark-data-dir-path: dev/bench
package-helm-charts:
name: Lint and package Helm charts
# level: 0
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set container repository and determine image tag
id: set-repo-determine-image-tag
uses: ./.github/actions/set-container-repo-and-determine-image-tag
with:
registry: ${{ env.REGISTRY }}
container-image: ${{ env.CONTAINER_REPO }}
- name: Install Helm
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
# chart version needs to be semver compliant so we remove the leading 'v'
- name: Set Chart Version for release
if: startsWith(github.ref, 'refs/tags/v')
env:
TAG: ${{ steps.set-repo-determine-image-tag.outputs.image-tag }}
run: |
echo "CHART_VERSION=${TAG#v}" >> $GITHUB_ENV
- name: Lint Helm charts
env:
IMAGE_TAG: ${{ steps.set-repo-determine-image-tag.outputs.image-tag }}
run: |
make -C charts lint
- name: Detect changes for deploy.yaml
run: |
make generate-manifests
changes="$(git status --porcelain)"
if [ -n "$changes" ] ; then
echo "$changes"
exit 1
fi
- name: Package Helm charts
env:
IMAGE_TAG: ${{ steps.set-repo-determine-image-tag.outputs.image-tag }}
run: |
make -C charts package
- name: Upload Helm charts
uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
with:
name: gadget-charts-tgz
path: charts/bin/*.tgz
test-ig:
name: Unit tests for ig
# level: 0
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup go
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
with:
go-version: ${{ env.GO_VERSION }}
cache: true
id: go
- name: Unit tests for ig (as root)
run: |
KERNEL=$(uname -r)
ARCH=$(uname -m)
if test -f /sys/kernel/btf/vmlinux; then
echo "BTF is available at /sys/kernel/btf/vmlinux"
else
echo "BTF is not available: Trying BTFHub"
source /etc/os-release
URL="https://github.com/aquasecurity/btfhub-archive/raw/main/$ID/$VERSION_ID/$ARCH/$KERNEL.btf.tar.xz"
echo "Trying to download vmlinux from $URL"
if [[ $(wget -S --spider "$URL" 2>&1 | grep 'HTTP/1.1 200 OK') ]]; then
wget -q -O /tmp/vmlinux.btf.tar.xz "$URL"
tar -xvf /tmp/vmlinux.btf.tar.xz
# Use objcopy to put the btf info in an ELF file as libbpf and cilium/ebpf
# by default check if there is an ELF file with the .BTF section at
# /boot/vmlinux-$KERNEL.
sudo objcopy --input binary --output elf64-little --rename-section .data=.BTF *.btf "/boot/vmlinux-$KERNEL"
rm *.btf
echo "vmlinux downloaded at /boot/vmlinux-$KERNEL"
else
echo "vmlinux not found"
fi
fi
make ig-tests
test-components:
name: Test components
# level: 1
runs-on: ubuntu-latest
needs:
- build-helper-images
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup go
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
with:
go-version: ${{ env.GO_VERSION }}
cache: true
- name: Run component tests
env:
EBPF_BUILDER: ${{ needs.build-helper-images.outputs.ebpf_builder_image }}
run: |
make component-tests
check-secrets:
name: Check repo secrets
# level: 0
runs-on: ubuntu-latest
outputs:
aro: ${{ steps.set_output.outputs.aro }}
aks: ${{ steps.set_output.outputs.aks }}
gke: ${{ steps.set_output.outputs.gke }}
cosign: ${{ steps.set_output.outputs.cosign }}
steps:
# Secrets cannot be used as if condition, use job output as workaround.
# https://github.com/actions/runner/issues/520
- id: set_output
env:
OPENSHIFT_SERVER: '${{ secrets.OPENSHIFT_SERVER }}'
OPENSHIFT_USER: '${{ secrets.OPENSHIFT_USER }}'
OPENSHIFT_PASSWORD: '${{ secrets.OPENSHIFT_PASSWORD }}'
AZURE_AKS_CLIENT_ID: '${{ secrets.AZURE_AKS_CLIENT_ID }}'
AZURE_AKS_TENANT_ID: '${{ secrets.AZURE_AKS_TENANT_ID }}'
AZURE_AKS_SUBSCRIPTION_ID: '${{ secrets.AZURE_AKS_SUBSCRIPTION_ID }}'
AZURE_AKS_RESOURCE_GROUP: '${{ secrets.AZURE_AKS_RESOURCE_GROUP }}'
COSIGN_PASSWORD: '${{ secrets.COSIGN_PASSWORD }}'
COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
GKE_PROJECT: '${{ secrets.GKE_PROJECT }}'
GKE_SERVICE_ACCOUNT: '${{ secrets.GKE_SERVICE_ACCOUNT }}'
GKE_WORKLOAD_IDENTITY_PROVIDER: '${{ secrets.GKE_WORKLOAD_IDENTITY_PROVIDER }}'
run: |
if [[ "${OPENSHIFT_SERVER}" != "" && \
"${OPENSHIFT_USER}" != "" && \
"${OPENSHIFT_PASSWORD}" != "" ]]; \
then
echo "Secrets to use an ARO cluster were configured in the repo"
echo "aro=true" >> $GITHUB_OUTPUT
else
echo "Secrets to use an ARO cluster were not configured in the repo"
echo "aro=false" >> $GITHUB_OUTPUT
fi
if [[ "${AZURE_AKS_CLIENT_ID}" != "" && \
"${AZURE_AKS_TENANT_ID}" != "" && \
"${AZURE_AKS_SUBSCRIPTION_ID}" != "" && \
"${AZURE_AKS_RESOURCE_GROUP}" != "" ]]; \
then
echo "Secrets to use an AKS cluster were configured in the repo"
echo "aks=true" >> $GITHUB_OUTPUT
else
echo "Secrets to use an AKS cluster were not configured in the repo"
echo "aks=false" >> $GITHUB_OUTPUT
fi
if [[ "${COSIGN_PASSWORD}" != "" && \
"${COSIGN_PRIVATE_KEY}" != "" ]]; \
then
echo "Secrets to use cosign were configured in the repo"
echo "cosign=true" >> $GITHUB_OUTPUT
else
echo "Secrets to use cosign were not configured in the repo"
echo "cosign=false" >> $GITHUB_OUTPUT
fi
if [[ "${GKE_PROJECT}" != "" && \
"${GKE_SERVICE_ACCOUNT}" != "" && \
"${GKE_WORKLOAD_IDENTITY_PROVIDER}" != "" ]]; \
then
echo "Secrets to use a GKE cluster were configured in the repo"
echo "gke=true" >> $GITHUB_OUTPUT
else
echo "Secrets to use a GKE cluster were not configured in the repo"
echo "gke=false" >> $GITHUB_OUTPUT
fi
public-key-check:
name: Public key check
# level: 1
needs: check-secrets
runs-on: ubuntu-latest
# The first check means that job will only run if the secrets are present. So it will be skipped
# for forks, PRs from forks and dependabot PRs (if no dependabot secret are configured).
# The second check ensures if we forgot configuring the secrets in main repo
# (inspektor-gadget/inspektor-gadget) so we can catch it early.
if: needs.check-secrets.outputs.cosign == 'true' || (github.event_name == 'push' && github.repository == 'inspektor-gadget/inspektor-gadget')
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Install Cosign
uses: sigstore/cosign-installer@c56c2d3e59e4281cc41dea2217323ba5694b171e # v3.8.0
- name: Check if public key is up-to-date.
env:
COSIGN_PASSWORD: '${{ secrets.COSIGN_PASSWORD }}'
COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
run: |
cosign public-key --key env://COSIGN_PRIVATE_KEY > pkg/resources/inspektor-gadget.pub
changes="$(git status --porcelain)"
if [ -n "$changes" ] ; then
>&2 echo "$changes"
exit 1
fi
test-integration-k8s-ig:
name: Test ig w/ k8s
# level: 3
needs: [ test-unit, test-ig, build-ig, build-helper-images ]
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
runtime: [ docker, containerd, cri-o ]
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup go
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
with:
go-version: ${{ env.GO_VERSION }}
cache: true
- name: Get ig-linux-amd64.tar.gz from artifact.
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: ig-linux-amd64-tar-gz
path: /home/runner/work/inspektor-gadget/
- name: Unpack ig-linux-amd64.tar.gz
run: |
tar zxvf /home/runner/work/inspektor-gadget/ig-linux-amd64.tar.gz
mv ig ig-linux-amd64
- name: Setup minikube
uses: ./.github/actions/setup-minikube
with:
runtime: ${{ matrix.runtime }}
- name: Run integration for container runtime ${{ matrix.runtime }}
id: integration-tests
env:
DNSTESTER_IMAGE: ${{ needs.build-helper-images.outputs.dnstester_image }}
run: |
set -o pipefail
make -C integration/k8s \
CONTAINER_RUNTIME=${{ matrix.runtime }} \
-o build test |& tee integration.log
- name: Prepare and publish test report for container runtime ${{ matrix.runtime }}
if: always()
continue-on-error: true
uses: ./.github/actions/prepare-and-publish-test-reports
with:
test-log-file: integration.log
test-step-conclusion: ${{ steps.integration-tests.conclusion }}
test-summary-suffix: ${{ matrix.runtime }}
build-and-push-gadgets:
name: Build and push gadgets
# level: 2
needs:
- build-ig
- build-helper-images
- check-secrets
runs-on: ubuntu-latest
permissions:
# allow publishing container image
# in case of public fork repo/packages permissions will always be read
contents: read
packages: write
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Login to Container Registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set container repository and determine image tag
id: set-repo-determine-image-tag
uses: ./.github/actions/set-container-repo-and-determine-image-tag
with:
registry: ${{ env.REGISTRY }}
container-image: ${{ env.CONTAINER_REPO }}
- name: Get ig-linux-amd64.tar.gz from artifact.
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: ig-linux-amd64-tar-gz
path: /home/runner/work/inspektor-gadget/
- name: Unpack ig-linux-amd64.tar.gz
run: |
tar zxvf /home/runner/work/inspektor-gadget/ig-linux-amd64.tar.gz
sudo mv ig /usr/bin/ig
- name: Install Cosign
if: needs.check-secrets.outputs.cosign == 'true'
uses: sigstore/cosign-installer@c56c2d3e59e4281cc41dea2217323ba5694b171e # v3.8.0
- name: Verify eBPF builder image
if: needs.check-secrets.outputs.cosign == 'true'
run: |
cosign verify --key pkg/resources/inspektor-gadget.pub ${{ needs.build-helper-images.outputs.ebpf_builder_image }}
- name: Build gadgets
env:
BUILDER_IMAGE: ${{ needs.build-helper-images.outputs.ebpf_builder_image }}
GADGET_REPOSITORY: ${{ steps.set-repo-determine-image-tag.outputs.gadget-repository }}
GADGET_TAG: ${{ steps.set-repo-determine-image-tag.outputs.gadget-tag }}
run: |
make build-gadgets -o install/ig -j$(nproc)
# Check that metadata files are updated
git diff --exit-code HEAD --
# Avoid building the gadgets again
make -C gadgets/ push-existing -j$(nproc)
- name: Sign the gadgets
if: needs.check-secrets.outputs.cosign == 'true'
env:
COSIGN_PASSWORD: '${{ secrets.COSIGN_PASSWORD }}'
COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
GADGET_REPOSITORY: ${{ steps.set-repo-determine-image-tag.outputs.gadget-repository }}
GADGET_TAG: ${{ steps.set-repo-determine-image-tag.outputs.gadget-tag }}
run: |
make -C gadgets/ sign-existing -j$(nproc)
gadgets-unittest:
name: Gadgets unit tests
needs:
- build-and-push-gadgets
- build-helper-images
- check-secrets
runs-on: ubuntu-latest
strategy:
fail-fast: false
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set container repository and determine image tag
id: set-repo-determine-image-tag
uses: ./.github/actions/set-container-repo-and-determine-image-tag
with:
registry: ${{ env.REGISTRY }}
container-image: ${{ env.CONTAINER_REPO }}
- name: Setup go
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
with:
go-version: ${{ env.GO_VERSION }}
cache: true
id: go
- name: Gadgets tests
id: gadgets-tests
shell: bash
env:
GADGET_REPOSITORY: ${{ steps.set-repo-determine-image-tag.outputs.gadget-repository }}
GADGET_TAG: ${{ steps.set-repo-determine-image-tag.outputs.gadget-tag }}
IG_VERIFY_IMAGE: ${{ needs.check-secrets.outputs.cosign }}
run: |
set -o pipefail
make -C gadgets/ test-unit -o build |& tee gadgets-tests.log & wait $!
- name: Prepare and publish test reports
if: always()
continue-on-error: true
uses: ./.github/actions/prepare-and-publish-test-reports
with:
test-log-file: gadgets-tests.log
test-step-conclusion: ${{ steps.gadgets-tests.conclusion }}
test-summary-suffix: "gadgets-unittest"
gadgets-kernel-unittest:
name: Gadgets unit tests on kernel
needs:
- build-ig
- build-and-push-gadgets
- build-helper-images
- check-secrets
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
kernel:
- "6.11"
- "6.10"
- "6.6"
- "6.1"
- "5.15"
- "5.10"
- "5.4"
# - "4.19"
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup go
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
with:
go-version: ${{ env.GO_VERSION }}
cache: true
id: go
- name: Set container repository and determine image tag
id: set-repo-determine-image-tag
uses: ./.github/actions/set-container-repo-and-determine-image-tag
with:
registry: ${{ env.REGISTRY }}
container-image: ${{ env.CONTAINER_REPO }}
- name: Get ig-linux-amd64.tar.gz from artifact.
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: ig-linux-amd64-tar-gz
path: /home/runner/work/inspektor-gadget/
- name: Unpack ig-linux-amd64.tar.gz
run: |
tar zxvf /home/runner/work/inspektor-gadget/ig-linux-amd64.tar.gz
sudo mv ig /usr/bin/ig
- name: Set up QEMU
run: |
sudo apt-get update
sudo apt-get install -y qemu-system-x86
sudo chmod 666 /dev/kvm
- name: Install vimto
run: |
CGO_ENABLED=0 GOBIN=$(go env GOPATH)/bin go install lmb.io/vimto@latest
ls $(go env GOPATH)/bin | grep vimto
- name: Run gadget unit tests for kernel ${{ matrix.kernel }}
id: gadgets-kernel-tests
shell: bash
env:
GADGET_REPOSITORY: '${{ steps.set-repo-determine-image-tag.outputs.gadget-repository }}'
GADGET_TAG: '${{ steps.set-repo-determine-image-tag.outputs.gadget-tag }}'
IG_VERIFY_IMAGE: 'false'
KERNEL_VERSION: '${{ matrix.kernel }}'
run: |
set -o pipefail
export VIMTO=$(go env GOPATH)/bin/vimto
make -C gadgets/ pull
make -C gadgets/ test-unit -o build |& tee gadgets-kernel-tests.log & wait $!
- name: Prepare and publish test reports
if: always()
continue-on-error: true
uses: ./.github/actions/prepare-and-publish-test-reports
with:
test-log-file: gadgets-kernel-tests.log
test-step-conclusion: ${{ steps.gadgets-kernel-tests.conclusion }}
test-summary-suffix: "gadgets-unittest-kernel-${{ matrix.kernel }}"
test-gadgets-local:
  name: Test gadgets locally
  # level: 3
  # Runs the gadget test suite (make -C gadgets/ test-local) on the runner
  # itself, once per container runtime, using the ig and gadgetctl binaries
  # built earlier in this workflow and the gadget images pushed by
  # build-and-push-gadgets.
  needs:
    - build-ig
    - build-clients
    - build-helper-images
    - build-and-push-gadgets
    - check-secrets
  runs-on: ubuntu-latest
  strategy:
    fail-fast: false
    matrix:
      runtime: [docker, containerd]
  steps:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Set container repository and determine image tag
      id: set-repo-determine-image-tag
      uses: ./.github/actions/set-container-repo-and-determine-image-tag
      with:
        registry: ${{ env.REGISTRY }}
        container-image: ${{ env.CONTAINER_REPO }}
    # The two archives below are artifacts of earlier jobs in this run; they
    # are unpacked and installed system-wide so the tests find them in PATH.
    - name: Get ig-linux-amd64.tar.gz from artifact.
      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: ig-linux-amd64-tar-gz
        path: /home/runner/work/inspektor-gadget/
    - name: Unpack ig-linux-amd64.tar.gz
      run: |
        tar zxvf /home/runner/work/inspektor-gadget/ig-linux-amd64.tar.gz
        sudo mv ig /usr/bin/ig
    - name: Get gadgetctl-linux-amd64.tar.gz from artifact.
      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: gadgetctl-linux-amd64-tar-gz
        path: /home/runner/work/inspektor-gadget/
    - name: Unpack gadgetctl-linux-amd64.tar.gz
      run: |
        tar zxvf /home/runner/work/inspektor-gadget/gadgetctl-linux-amd64.tar.gz
        sudo mv gadgetctl /usr/bin/gadgetctl
    - name: Setup go
      uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
      with:
        go-version: ${{ env.GO_VERSION }}
        cache: true
      id: go
    # VERIFY_IMAGE follows the cosign secret check: gadget image signatures
    # are only verified when the signing secrets are available to this run;
    # otherwise the images are pulled unverified.
    # With pipefail, a failing make fails the step even though its output is
    # piped through tee; the "& wait $!" idiom is shared with the other test
    # jobs and presumably exists to surface that status as the step result.
    - name: Gadgets tests
      id: gadgets-tests
      shell: bash
      env:
        GADGET_REPOSITORY: ${{ steps.set-repo-determine-image-tag.outputs.gadget-repository }}
        GADGET_TAG: ${{ steps.set-repo-determine-image-tag.outputs.gadget-tag }}
        VERIFY_IMAGE: ${{ needs.check-secrets.outputs.cosign }}
        DNSTESTER_IMAGE: ${{ needs.build-helper-images.outputs.dnstester_image }}
      run: |
        set -o pipefail
        make \
          IG_FLAGS="--verify-image=$VERIFY_IMAGE" \
          IG_RUNTIME=${{ matrix.runtime }} \
          -C gadgets/ test-local -o build |& tee gadgets-tests.log & wait $!
    # Published even when the tests failed (if: always()); a failure of the
    # reporting itself must not fail the job (continue-on-error).
    - name: Prepare and publish test reports
      if: always()
      continue-on-error: true
      uses: ./.github/actions/prepare-and-publish-test-reports
      with:
        test-log-file: gadgets-tests.log
        test-step-conclusion: ${{ steps.gadgets-tests.conclusion }}
        test-summary-suffix: "test-gadgets-local-${{ matrix.runtime }}"
test-integration-non-k8s-ig:
  name: Test ig w/o k8s
  # level: 3
  # Runs the ig integration tests directly against a container runtime on the
  # runner (no Kubernetes), once per runtime, with the ig binary produced by
  # build-ig.
  needs:
    - test-unit
    - test-ig
    - build-ig
    - build-helper-images
    - build-and-push-gadgets
  runs-on: ubuntu-latest
  strategy:
    fail-fast: false
    matrix:
      runtime: [ docker, containerd ]
  steps:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Setup go
      uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
      with:
        go-version: ${{ env.GO_VERSION }}
        cache: true
    - name: Get ig-linux-amd64.tar.gz from artifact.
      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: ig-linux-amd64-tar-gz
        path: /home/runner/work/inspektor-gadget/
    # Unlike the other jobs the binary is kept in the workspace as
    # ig-linux-amd64 instead of being installed to /usr/bin; presumably the
    # Makefile under integration/ig/non-k8s expects it there — verify.
    - name: Unpack ig-linux-amd64.tar.gz
      run: |
        tar zxvf /home/runner/work/inspektor-gadget/ig-linux-amd64.tar.gz
        mv ig ig-linux-amd64
    # No shell: is set, so this runs under the default "bash -e {0}"; with
    # pipefail a failing make fails the step even though output goes
    # through tee.
    - name: Run integration for container runtime ${{ matrix.runtime }}
      id: integration-tests
      env:
        DNSTESTER_IMAGE: ${{ needs.build-helper-images.outputs.dnstester_image }}
      run: |
        set -o pipefail
        make -C integration/ig/non-k8s \
          CONTAINER_RUNTIME=${{ matrix.runtime }} \
          -o build test-${{ matrix.runtime }} |& tee integration.log
    - name: Prepare and publish test report for container runtime ${{ matrix.runtime }}
      if: always()
      continue-on-error: true
      uses: ./.github/actions/prepare-and-publish-test-reports
      with:
        test-log-file: integration.log
        test-step-conclusion: ${{ steps.integration-tests.conclusion }}
        test-summary-suffix: ${{ matrix.runtime }}
test-integration-aks:
  name: Integration tests on AKS
  # level: 4
  # Creates a throw-away AKS cluster per (os-sku, arch) pair, runs the
  # integration tests against it and deletes it again.
  needs:
    - check-secrets
    - test-unit
    - build-clients
    - build-gadget-container-images
    - publish-gadget-images-manifest
    - build-and-push-gadgets
  # Only runs when check-secrets found the AKS secrets.
  if: needs.check-secrets.outputs.aks == 'true'
  runs-on: ubuntu-latest
  strategy:
    fail-fast: false
    matrix:
      os-sku: [Ubuntu, AzureLinux]
      arch: [amd64, arm64]
  environment: aks
  permissions:
    # This is needed to use federated credentials:
    # https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux#set-up-azure-login-with-openid-connect-authentication
    id-token: write
    contents: read
  env:
    AZURE_AKS_RESOURCE_GROUP: '${{ secrets.AZURE_AKS_RESOURCE_GROUP }}'
  steps:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Setup go
      uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
      with:
        go-version: ${{ env.GO_VERSION }}
        cache: true
    - name: Set container repository and determine image tag
      id: set-repo-determine-image-tag
      uses: ./.github/actions/set-container-repo-and-determine-image-tag
      with:
        registry: ${{ env.REGISTRY }}
        container-image: ${{ env.CONTAINER_REPO }}
    # Federated (OIDC) login: only identifiers are passed, no client secret.
    - uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
      name: Login to Azure
      with:
        client-id: ${{ secrets.AZURE_AKS_CLIENT_ID }}
        tenant-id: ${{ secrets.AZURE_AKS_TENANT_ID }}
        subscription-id: ${{ secrets.AZURE_AKS_SUBSCRIPTION_ID }}
    # CLUSTER_NAME is exported through GITHUB_ENV so later steps can use it
    # in their titles and commands; ${RANDOM} keeps concurrent runs from
    # picking the same name. All parts are workflow-controlled values.
    - name: Craft cluster name
      shell: bash
      run: |
        echo "CLUSTER_NAME=${{ env.AZURE_AKS_CLUSTER_PREFIX }}${{ matrix.arch }}-${{ matrix.os-sku }}-${RANDOM}" >> $GITHUB_ENV
    - name: Create AKS cluster ${{ env.CLUSTER_NAME }}
      shell: bash
      run: |
        node_size='Standard_D2s_v5'
        if [ ${{ matrix.arch }} = 'arm64' ]; then
          # 'p' means the node size corresponds to arm64 hardware.
          node_size='Standard_D2ps_v5'
        fi
        # Enable the aks-preview extension to use AzureLinux as --os-sku.
        # This should lead to AKS being deployed on top of AzureLinux.
        # We do not upgrade az because there is a problem doing so in the
        # GitHub Action.
        az extension add --name aks-preview
        az aks create -l eastus2 -g "${AZURE_AKS_RESOURCE_GROUP}" -n ${{ env.CLUSTER_NAME }} -s "$node_size" --os-sku ${{ matrix.os-sku }} --no-ssh-key
    # admin: false requests user (not cluster-admin) credentials for kubectl.
    - uses: azure/aks-set-context@feeca6405be94202afcb1c395616ff29b1811b9f # v4.0.2
      name: Set AKS cluster ${{ env.CLUSTER_NAME }} context
      with:
        cluster-name: ${{ env.CLUSTER_NAME }}
        resource-group: ${{ secrets.AZURE_AKS_RESOURCE_GROUP }}
        admin: false
    - name: Run integration tests
      uses: ./.github/actions/run-integration-tests
      with:
        kubernetes_distribution: "aks-${{ matrix.os-sku }}"
        kubernetes_architecture: "${{ matrix.arch }}"
        container_repo: ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}
        image_tag: ${{ steps.set-repo-determine-image-tag.outputs.image-tag }}
        gadget_repository: ${{ steps.set-repo-determine-image-tag.outputs.gadget-repository }}
        gadget_tag: ${{ steps.set-repo-determine-image-tag.outputs.gadget-tag }}
        test_summary_suffix: "${{ matrix.os-sku }}-${{ matrix.arch }}"
    # This step ensures we get fresh credentials before removing the cluster
    # (the session obtained at the start may have expired during the tests).
    - uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
      if: always()
      name: Login to Azure
      with:
        client-id: ${{ secrets.AZURE_AKS_CLIENT_ID }}
        tenant-id: ${{ secrets.AZURE_AKS_TENANT_ID }}
        subscription-id: ${{ secrets.AZURE_AKS_SUBSCRIPTION_ID }}
    # Runs even when the tests failed or the job was cancelled so no cluster
    # is left behind; --no-wait returns as soon as deletion is queued.
    - name: Delete AKS cluster ${{ env.CLUSTER_NAME }}
      if: always()
      shell: bash
      run: |
        az aks delete -g "${AZURE_AKS_RESOURCE_GROUP}" -n ${{ env.CLUSTER_NAME }} --no-wait --yes
# Integration tests for ARO are separated from others distributions because it
# is a pre-created cluster. It implies that we need to use a concurrency group
# to ensure that only one test-integration-aro job runs at a time so that we
# never try to use IG on that unique ARO cluster from different workflow runs.
test-integration-aro:
  name: Integration tests on ARO
  # level: 4
  # Runs the integration tests on a pre-existing ARO cluster: nothing is
  # created or deleted here, which is why the job is serialised through the
  # concurrency group below.
  needs:
    - check-secrets
    - test-unit
    - build-clients
    - build-gadget-container-images
    - publish-gadget-images-manifest
    - build-and-push-gadgets
  # Run this job only if an ARO cluster is available on repo secrets. See
  # docs/devel/ci.md for further details.
  if: needs.check-secrets.outputs.aro == 'true'
  runs-on: ubuntu-latest
  # Only one run at a time may use the shared cluster. No cancel-in-progress
  # is set here, so a second run waits instead of cancelling the first.
  concurrency:
    group: no-simultaneous-test-integration-aro
  steps:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Setup go
      uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
      with:
        go-version: ${{ env.GO_VERSION }}
        cache: true
    - name: Authenticate and set ARO cluster context
      # NOTE: This action generates the Kubernetes config file in the current
      # directory. Therefore, it must be run after checking out code otherwise
      # the file will be cleaned up.
      uses: redhat-actions/oc-login@5eb45e848b168b6bf6b8fe7f1561003c12e3c99d # v1.3
      with:
        # API Server URL
        openshift_server_url: ${{ secrets.OPENSHIFT_SERVER }}
        # Credentials (TODO: Use a functional Service Account, see issue #574)
        # Unlike the AKS/EKS/GKE jobs, which exchange the job's OIDC token for
        # short-lived cloud credentials, this is a long-lived username/password
        # pair stored as repository secrets.
        openshift_username: ${{ secrets.OPENSHIFT_USER }}
        openshift_password: ${{ secrets.OPENSHIFT_PASSWORD }}
    - name: Set container repository and determine image tag
      id: set-repo-determine-image-tag
      uses: ./.github/actions/set-container-repo-and-determine-image-tag
      with:
        registry: ${{ env.REGISTRY }}
        container-image: ${{ env.CONTAINER_REPO }}
    - name: Run integration tests
      uses: ./.github/actions/run-integration-tests
      with:
        kubernetes_distribution: "aro"
        kubernetes_architecture: "amd64"
        container_repo: ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}
        image_tag: ${{ steps.set-repo-determine-image-tag.outputs.image-tag }}
        gadget_repository: ${{ steps.set-repo-determine-image-tag.outputs.gadget-repository }}
        gadget_tag: ${{ steps.set-repo-determine-image-tag.outputs.gadget-tag }}
        test_summary_suffix: "aro"
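test-integration-eks:
  name: Integration tests on EKS
  # level: 4
  # Creates a throw-away EKS cluster per architecture, runs the integration
  # tests against it and deletes it again. Unlike the other cloud jobs it is
  # gated on the AWS_ROLE repository variable rather than on check-secrets.
  needs:
    - test-unit
    - build-clients
    - build-gadget-container-images
    - publish-gadget-images-manifest
    - build-and-push-gadgets
  if: ${{ vars.AWS_ROLE != '' }}
  runs-on: ubuntu-latest
  # These permissions are needed to interact with GitHub's OIDC Token endpoint.
  permissions:
    id-token: write
    contents: read
  strategy:
    fail-fast: false
    matrix:
      arch: [amd64, arm64]
  env:
    AWS_REGION: us-east-2
    AWS_EKS_CLUSTER_PREFIX: ig-ci-eks-
  steps:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Setup go
      uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
      with:
        go-version: ${{ env.GO_VERSION }}
        cache: true
    - name: Set container repository and determine image tag
      id: set-repo-determine-image-tag
      uses: ./.github/actions/set-container-repo-and-determine-image-tag
      with:
        registry: ${{ env.REGISTRY }}
        container-image: ${{ env.CONTAINER_REPO }}
    # CLUSTER_NAME is exported through GITHUB_ENV so later steps can read it
    # both as ${{ env.CLUSTER_NAME }} (step titles) and as a plain shell
    # variable; ${RANDOM} keeps concurrent runs from picking the same name.
    - name: Craft cluster name
      shell: bash
      run: |
        echo "CLUSTER_NAME=${{ env.AWS_EKS_CLUSTER_PREFIX }}${{ matrix.arch }}-${RANDOM}" >> "$GITHUB_ENV"
    # Install eksctl following https://eksctl.io/installation/#for-unix
    - name: Install eksctl
      run: |
        ARCH=$(dpkg-architecture -qDEB_HOST_ARCH)
        PLATFORM="$(uname -s)_$ARCH"
        # -f makes curl fail on HTTP errors instead of saving an error page.
        curl -fsSLO "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_${PLATFORM}.tar.gz"
        # The checksum file comes from the same "latest" release as the
        # tarball, so this catches a corrupted download but not a changed
        # upstream release; pinning a release tag instead of "latest" would
        # make the job reproducible.
        curl -fsSL "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_checksums.txt" | grep "$PLATFORM" | sha256sum --check
        tar -xzf "eksctl_${PLATFORM}.tar.gz" -C /tmp && rm "eksctl_${PLATFORM}.tar.gz"
        sudo mv /tmp/eksctl /usr/local/bin
    # OIDC role assumption: no long-lived AWS keys are stored as secrets.
    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
      with:
        role-to-assume: ${{ vars.AWS_ROLE }}
        aws-region: ${{ env.AWS_REGION }}
    - name: Create EKS cluster ${{ env.CLUSTER_NAME }}
      shell: bash
      run: |
        # We need to use big nodes, otherwise integration tests fail because the node can't handle
        # many gadgets running on parallel
        node_type='t2.xlarge'
        if [ ${{ matrix.arch }} = 'arm64' ]; then
          node_type='a1.xlarge'
        fi
        # The ig-ci tags presumably let leftover clusters (and their age) be
        # identified if the delete step below never ran.
        eksctl create cluster --name "${CLUSTER_NAME}" --tags "ig-ci=true,ig-ci-timestamp=$(date -u +'%Y-%m-%dT%H:%M:%S%:z')" --node-type "$node_type"
    - name: Run integration tests
      uses: ./.github/actions/run-integration-tests
      with:
        kubernetes_distribution: "eks-AmazonLinux"
        kubernetes_architecture: "${{ matrix.arch }}"
        container_repo: ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}
        image_tag: ${{ steps.set-repo-determine-image-tag.outputs.image-tag }}
        gadget_repository: ${{ steps.set-repo-determine-image-tag.outputs.gadget-repository }}
        gadget_tag: ${{ steps.set-repo-determine-image-tag.outputs.gadget-tag }}
        test_summary_suffix: "EKS-${{ matrix.arch }}"
    # Re-assume the role right before cleanup so that deleting the cluster
    # does not depend on the session obtained before the (potentially long)
    # test run, which may have expired by now — the same reason the AKS job
    # logs in again before its delete step. A leaked cluster keeps costing
    # money and keeps the test workloads reachable.
    - name: Refresh AWS credentials before cleanup
      if: always()
      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
      with:
        role-to-assume: ${{ vars.AWS_ROLE }}
        aws-region: ${{ env.AWS_REGION }}
    # Runs even when the tests failed or the job was cancelled.
    - name: Delete EKS cluster ${{ env.CLUSTER_NAME }}
      if: always()
      shell: bash
      run: |
        eksctl delete cluster --name "${CLUSTER_NAME}" --force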
test-integration-gke:
  name: Integration tests on GKE
  # level: 4
  # Creates a throw-away GKE cluster per flavor (arch, region, machine type),
  # runs the integration tests against it and deletes it again.
  if: needs.check-secrets.outputs.gke == 'true'
  needs:
    - check-secrets
    - test-unit
    - build-clients
    - build-gadget-container-images
    - publish-gadget-images-manifest
    - build-and-push-gadgets
  runs-on: ubuntu-latest
  strategy:
    fail-fast: false
    matrix:
      flavor:
        - arch: amd64
          region: us-east1
          machine_type: e2-standard-2
        # The arm64 region is coupled to the zone list hard-coded in the
        # "Create GKE cluster" step below; change both together.
        - arch: arm64
          region: us-central1
          machine_type: t2a-standard-2
  # Following permissions are needed to use OIDC authentication with GKE.
  permissions:
    id-token: write
    contents: read
  env:
    GKE_CLUSTER_PREFIX: 'ig-ci-gke-'
  steps:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Setup go
      uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
      with:
        go-version: ${{ env.GO_VERSION }}
        cache: true
    - name: Set container repository and determine image tag
      id: set-repo-determine-image-tag
      uses: ./.github/actions/set-container-repo-and-determine-image-tag
      with:
        registry: ${{ env.REGISTRY }}
        container-image: ${{ env.CONTAINER_REPO }}
    # Workload identity federation: the job's OIDC token is exchanged for
    # service-account credentials, so no service-account key is stored as a
    # secret (only identifiers are passed).
    - name: Authenticate with GKE
      uses: google-github-actions/auth@71f986410dfbc7added4569d411d040a91dc6935 # v2.1.8
      with:
        project_id: ${{ secrets.GKE_PROJECT }}
        service_account: ${{ secrets.GKE_SERVICE_ACCOUNT }}
        workload_identity_provider: ${{ secrets.GKE_WORKLOAD_IDENTITY_PROVIDER }}
    - name: Set up Cloud SDK
      uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
    # CLUSTER_NAME is exported through GITHUB_ENV for the following steps;
    # ${RANDOM} keeps concurrent runs from picking the same name.
    - name: Craft cluster name
      shell: bash
      run: |
        echo "CLUSTER_NAME=${{ env.GKE_CLUSTER_PREFIX }}${{ matrix.flavor.arch }}-${RANDOM}" >> $GITHUB_ENV
    - name: Create GKE cluster
      run: |
        # arm64 machine types are only available in zones (us-central1-a, us-central1-b, us-central1-f, us-central1-d) in us-central1 region
        extra_args=""
        if [ ${{ matrix.flavor.arch }} = "arm64" ]; then
          extra_args="--node-locations us-central1-a,us-central1-b,us-central1-f"
        fi
        gcloud container clusters create ${{ env.CLUSTER_NAME }} --project ${{ secrets.GKE_PROJECT }} \
          --region ${{ matrix.flavor.region }} --machine-type ${{ matrix.flavor.machine_type }} --num-nodes 1 --disk-size 50 $extra_args
    - name: Set GKE cluster ${{ env.CLUSTER_NAME }} context
      uses: google-github-actions/get-gke-credentials@7a108e64ed8546fe38316b4086e91da13f4785e1 # v2.3.1
      with:
        cluster_name: ${{ env.CLUSTER_NAME }}
        location: ${{ matrix.flavor.region }}
    # ARM nodes come with a taint that prevents pods from being scheduled on them.
    # https://cloud.google.com/kubernetes-engine/docs/how-to/prepare-arm-workloads-for-deployment
    - name: Remove taint for arm64 nodes
      if: ${{ matrix.flavor.arch == 'arm64' }}
      run: |
        kubectl taint nodes --all kubernetes.io/arch=arm64:NoSchedule-
    - name: Run integration tests
      uses: ./.github/actions/run-integration-tests
      with:
        kubernetes_distribution: "gke-COS_containerd"
        kubernetes_architecture: ${{ matrix.flavor.arch }}
        container_repo: ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}
        image_tag: ${{ steps.set-repo-determine-image-tag.outputs.image-tag }}
        gadget_repository: ${{ steps.set-repo-determine-image-tag.outputs.gadget-repository }}
        gadget_tag: ${{ steps.set-repo-determine-image-tag.outputs.gadget-tag }}
        test_summary_suffix: "GKE-${{ matrix.flavor.arch }}"
    # Runs even when the tests failed or the job was cancelled so the cluster
    # is not left behind. It first waits for in-flight operations on the
    # cluster, since a delete would be rejected while one is running.
    # NOTE(review): this reuses the credentials obtained at the start of the
    # job; if they can expire during a long test run, re-authenticating here
    # (as the AKS job does before its delete) would make cleanup more robust
    # — confirm the token lifetime for this auth setup.
    - name: Delete GKE cluster
      if: always()
      # default shell is "bash -e {0}" which will fail-fast if the command returns a non-zero exit code
      # See: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsshell
      # Without -e, a failing "operations list" simply ends the loop and the
      # delete below is still attempted.
      shell: bash {0}
      run: |
        while [ "$(gcloud container operations list \
          --project ${{ secrets.GKE_PROJECT }} --region ${{ matrix.flavor.region }} \
          --filter="status=RUNNING AND targetLink~${{ env.CLUSTER_NAME }}" --format="value(name)")" ]
        do
          echo "cluster has an ongoing operation, waiting for all operations to finish"
          sleep 15
        done
        gcloud container clusters delete --project ${{ secrets.GKE_PROJECT }} --region ${{ matrix.flavor.region }} ${{ env.CLUSTER_NAME }} --async --quiet
test-integration-minikube:
  name: Integr. tests
  # level: 3
  # Runs the Kubernetes integration tests on a multi-node minikube cluster on
  # the runner, once per container runtime, with the gadget container image
  # built earlier in this run loaded into minikube from the artifact.
  needs:
    - test-unit
    - build-clients
    - build-gadget-container-images
    - build-helper-images
    - build-and-push-gadgets
    - check-secrets
  runs-on: ubuntu-latest
  strategy:
    fail-fast: false
    matrix:
      runtime: [docker, containerd, cri-o]
  steps:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Setup go
      uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
      with:
        go-version: ${{ env.GO_VERSION }}
        cache: true
    - name: Setup minikube
      uses: ./.github/actions/setup-minikube
      with:
        runtime: ${{ matrix.runtime }}
        multi-node: true
    - name: Get gadget-container-image-linux-amd64.tar from artifact.
      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: gadget-container-image-linux-amd64.tar
        path: /home/runner/work/inspektor-gadget/
    - name: Set container repository and determine image tag
      id: set-repo-determine-image-tag
      uses: ./.github/actions/set-container-repo-and-determine-image-tag
      with:
        registry: ${{ env.REGISTRY }}
        container-image: ${{ env.CONTAINER_REPO }}
    # CONTAINER_REPO/IMAGE_TAG must match the tag inside the archive, since
    # "minikube image load" is given the name rather than the tar file.
    - name: Prepare minikube by loading gadget-container-image-linux-amd64.tar
      env:
        CONTAINER_REPO: ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}
        IMAGE_TAG: ${{ steps.set-repo-determine-image-tag.outputs.image-tag }}
      run: |
        # 'docker load' ensures the image is named correctly e.g podman has issues loading untagged images from archive
        docker load -i /home/runner/work/inspektor-gadget/gadget-container-image-linux-amd64.tar
        minikube image load "${CONTAINER_REPO}:${IMAGE_TAG}"
    # gadget_verify_image follows the cosign secret check, so gadget image
    # signatures are only verified when the signing secrets are available
    # to this run.
    - name: Run integration tests
      uses: ./.github/actions/run-integration-tests
      with:
        kubernetes_distribution: "minikube-github"
        kubernetes_architecture: "amd64"
        container_repo: ${{ steps.set-repo-determine-image-tag.outputs.container-repo }}
        image_tag: ${{ steps.set-repo-determine-image-tag.outputs.image-tag }}
        dnstester_image: ${{ needs.build-helper-images.outputs.dnstester_image }}
        gadget_repository: ${{ steps.set-repo-determine-image-tag.outputs.gadget-repository }}
        gadget_tag: ${{ steps.set-repo-determine-image-tag.outputs.gadget-tag }}
        gadget_verify_image: ${{ needs.check-secrets.outputs.cosign }}
        test_summary_suffix: ${{ matrix.runtime }}
publish-test-reports:
  name: Publish test reports
  # level: 5
  # Collects the "test-reports" artifact produced by the test jobs and stores
  # it with tools/store-test-reports.sh.
  needs:
    - test-integration-minikube
    - test-integration-aks
    - test-integration-aro
    - test-integration-eks
    - test-integration-gke
    - test-integration-k8s-ig
    - test-integration-non-k8s-ig
    - test-gadgets-local
  runs-on: ubuntu-latest
  # Skip this job when running on a fork or a PR from a fork.
  # always() keeps it running after failed test jobs (those are the runs
  # whose reports matter); the repository checks restrict it to the upstream
  # repository, where the TEST_REPORTS_TOKEN secret used below is available.
  if: always() && (
    (github.event_name == 'push' && github.repository == 'inspektor-gadget/inspektor-gadget') ||
    (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'inspektor-gadget/inspektor-gadget'))
  steps:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Get all reports
      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: "test-reports"
    # "bash {0}" drops the default -e; with a single command the script's own
    # exit status alone decides the step result. The token is passed through
    # the environment rather than on the command line.
    - name: Store test reports
      shell: bash {0}
      run: ./tools/store-test-reports.sh
      env:
        TEST_REPORTS_TOKEN: ${{ secrets.TEST_REPORTS_TOKEN }}
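release:
  name: Release
  # level: 5
  # Publishes a draft GitHub release for a v* tag: downloads every artifact of
  # this run, builds OS packages with nfpm, renames the archives with the tag,
  # computes SHA256SUMS and SBOMs, signs the checksums file when the cosign
  # secrets are configured, and attaches everything to the draft release.
  # (The job may continue with further steps past the end of this excerpt.)
  needs:
    - ebpf-objects-checks
    - lint
    - semgrep
    - test-integration-minikube
    - test-integration-aks
    - test-components
    - build-ig-cwe
    - test-ig
    - test-gadgets-local
    - test-integration-k8s-ig
    - test-integration-non-k8s-ig
    - build-examples
    - build-gadgets-examples
    - package-helm-charts
    - check-secrets
    - scan-gadget-container-images
    - publish-gadget-images-manifest
    - public-key-check
  runs-on: ubuntu-latest
  permissions:
    # Creating the release and attaching assets needs write access to
    # contents; every other permission of GITHUB_TOKEN is left unset.
    contents: write
  if: startsWith(github.ref, 'refs/tags/v')
  steps:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - id: set-repo-determine-image-tag
      uses: ./.github/actions/set-container-repo-and-determine-image-tag
      with:
        registry: ${{ env.REGISTRY }}
        container-image: ${{ env.CONTAINER_REPO }}
    # Concatenates the deployment manifest and the CRD into one file named
    # after the tag and points the deployment at the image built for it.
    - name: Build release YAML
      env:
        IMAGE_TAG: ${{ steps.set-repo-determine-image-tag.outputs.image-tag }}
        REF_NAME: ${{ github.ref_name }}
      run: |
        export IMAGE="${{ env.REGISTRY }}/${{ env.CONTAINER_REPO }}:${IMAGE_TAG}"
        # Use echo of cat to avoid printing a new line between files.
        echo "$(cat pkg/resources/manifests/deploy.yaml) $(cat pkg/resources/crd/bases/gadget.kinvolk.io_traces.yaml)" > "inspektor-gadget-${REF_NAME}.yaml"
        # Replace the image reference and the "latest" tag with this release's.
        perl -pi -e 's@(image:) ".+\"@$1 "$ENV{IMAGE}"@; s@"latest"@"$ENV{IMAGE_TAG}"@;' "inspektor-gadget-${REF_NAME}.yaml"
    # The release is created as a draft; every "Upload ..." step below
    # attaches assets to it through steps.create_release.outputs.upload_url.
    - name: Create Draft Release
      id: create_release
      uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        name: Release ${{ github.ref_name }}
        draft: true
    # No name/path: every artifact of this run is downloaded, each into a
    # directory named after the artifact, which is what the
    # "<artifact>/<file>" globs below rely on.
    - name: Get all artifacts.
      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
    - name: Setup go
      uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
      with:
        go-version: ${{ env.GO_VERSION }}
        cache: true
      id: go
    # Must run before the rename step: the archive names are parsed here to
    # extract the architecture.
    - name: Build ig distributions packages
      env:
        REF_NAME: ${{ github.ref_name }}
      run: |
        # NOTE(review): the pinned revision below is 39 hex characters; go
        # resolves commit prefixes, but confirm it is the intended upstream
        # commit and not a truncated paste.
        go install github.com/goreleaser/nfpm/v2/cmd/nfpm@d33a9233bb7acf04621b78114114476196d7977 # v2.38.0
        mkdir ig_packages
        for ig_archive in ig-*-*-tar-gz/ig-*-*.tar.gz; do
          cp .nfpm_template.yaml nfpm.yaml
          mkdir archive_output
          tar zxvf "$ig_archive" -C archive_output
          export path=$(find archive_output -name 'ig')
          # Fill the template file with corresponding information.
          # The artifact directory is named ig-<os>-<arch>-tar-gz, so the
          # third dash-separated field of the path is the architecture.
          export arch=$(echo "$ig_archive" | cut -d'-' -f3)
          perl -pi -e 's/IG_ARCH/$ENV{arch}/; s/IG_VERSION/$ENV{REF_NAME}/; s/IG_PATH/$ENV{path}/' nfpm.yaml
          # Build the packages
          for distro in apk deb rpm archlinux; do
            nfpm package -p "$distro" -t ig_packages
          done
          rm -r archive_output
          rm nfpm.yaml
        done
    # From here on the archives carry the tag in their name; the globs below
    # still match because "ig-*-*.tar.gz" also matches "ig-<os>-<arch>-<tag>".
    - name: Rename all artifacts to *-${{ github.ref_name }}.tar.gz
      shell: bash
      env:
        REF_NAME: ${{ github.ref_name }}
      run: |
        for i in kubectl-gadget-*-*-tar-gz/kubectl-gadget-*-*.tar.gz ig-*-*-tar-gz/ig-*-*.tar.gz gadgetctl-*-*-tar-gz/gadgetctl-*-*.tar.gz; do
          mv "$i" "$(dirname "$i")/$(basename "$i" .tar.gz)-${REF_NAME}.tar.gz"
        done
    # SHA256SUMS lists the archives, the release YAML and the OS packages by
    # base name, so it can be checked from a directory holding the downloads.
    # NOTE(review): a single space separates hash and name; GNU
    # "sha256sum --check" documents two spaces (or " *") — confirm the
    # published file verifies with the command given to users.
    - name: Compute checksums for all artifacts
      shell: bash
      env:
        REF_NAME: ${{ github.ref_name }}
      run: |
        for i in kubectl-gadget-*-*-tar-gz/kubectl-gadget-*-*.tar.gz ig-*-*-tar-gz/ig-*-*.tar.gz gadgetctl-*-*-tar-gz/gadgetctl-*-*.tar.gz inspektor-gadget-$REF_NAME.yaml ig_packages/*; do
          hash=$(sha256sum "$i" | cut -d' ' -f1)
          echo "${hash} $(basename "$i")" >> SHA256SUMS
        done
    - name: Install cyclonedx-gomod
      uses: CycloneDX/gh-gomod-generate-sbom@efc74245d6802c8cefd925620515442756c70d8f # v2.0.0
    # One CycloneDX SBOM per binary archive, generated from the Go build info
    # embedded in the executable.
    - name: Compute SBOM for all binary artifacts
      shell: bash
      env:
        REF_NAME: ${{ github.ref_name }}
      run: |
        mkdir sbom
        for i in kubectl-gadget-*-*-tar-gz/kubectl-gadget-*-*.tar.gz ig-*-*-tar-gz/ig-*-*.tar.gz gadgetctl-*-*-tar-gz/gadgetctl-*-*.tar.gz; do
          temp_dir=$(mktemp -d)
          tar zxvf "$i" -C "$temp_dir"
          # Left unquoted on purpose: find may return more than one path.
          exe=$(find "$temp_dir" -type f -executable)
          cyclonedx-gomod bin -json -output "sbom/$(basename "$i" .tar.gz).bom.json" -version "$REF_NAME" $exe
          rm -fr "$temp_dir"
        done
    # Signing is optional: it only happens when check-secrets found the
    # cosign secrets. The upload steps for the public key, bundle and
    # signature below are gated on the same condition so that they are not
    # attempted when nothing was produced.
    - name: Install Cosign
      if: needs.check-secrets.outputs.cosign == 'true'
      uses: sigstore/cosign-installer@c56c2d3e59e4281cc41dea2217323ba5694b171e # v3.8.0
    - name: Sign checksums file
      if: needs.check-secrets.outputs.cosign == 'true'
      shell: bash
      env:
        COSIGN_PASSWORD: '${{ secrets.COSIGN_PASSWORD }}'
        COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
      run: |
        checksums_file=SHA256SUMS
        # The key is read from the environment (env://), never written to disk.
        cosign sign-blob --key env://COSIGN_PRIVATE_KEY --yes $checksums_file --output-signature="${checksums_file}.sig" --bundle="${checksums_file}.bundle"
        # Derivate public key from private key to publish it as release
        # artifact, so people can verify our signature.
        cosign public-key --key env://COSIGN_PRIVATE_KEY > inspektor-gadget.pub
    # NOTE(review): none of the steps visible in this job pushes to the
    # registry after this login, and the job's permissions grant no
    # packages scope — confirm the login is still needed.
    - name: Login to Container Registry
      uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
      with:
        registry: ${{ env.REGISTRY }}
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}
    - name: Upload kubectl-gadget binary
      uses: csexton/release-asset-action@3567794e918fa3068116688122a76cdeb57b5f09 # v3
      with:
        pattern: "kubectl-gadget-*-*-tar-gz/kubectl-gadget-*-*.tar.gz"
        github-token: ${{ secrets.GITHUB_TOKEN }}
        release-url: ${{ steps.create_release.outputs.upload_url }}
    - name: Upload IG *.tar.gz binary
      uses: csexton/release-asset-action@3567794e918fa3068116688122a76cdeb57b5f09 # v3
      with:
        pattern: "ig-*-*-tar-gz/ig-*-*.tar.gz"
        github-token: ${{ secrets.GITHUB_TOKEN }}
        release-url: ${{ steps.create_release.outputs.upload_url }}
    - name: Upload gadgetctl *.tar.gz binary
      uses: csexton/release-asset-action@3567794e918fa3068116688122a76cdeb57b5f09 # v3
      with:
        pattern: "gadgetctl-*-*-tar-gz/gadgetctl-*-*.tar.gz"
        github-token: ${{ secrets.GITHUB_TOKEN }}
        release-url: ${{ steps.create_release.outputs.upload_url }}
    - name: Upload YAML
      uses: csexton/release-asset-action@3567794e918fa3068116688122a76cdeb57b5f09 # v3
      with:
        file: inspektor-gadget-${{ github.ref_name }}.yaml
        github-token: ${{ secrets.GITHUB_TOKEN }}
        release-url: ${{ steps.create_release.outputs.upload_url }}
    - name: Upload checksums file
      uses: csexton/release-asset-action@3567794e918fa3068116688122a76cdeb57b5f09 # v3
      with:
        file: SHA256SUMS
        github-token: ${{ secrets.GITHUB_TOKEN }}
        release-url: ${{ steps.create_release.outputs.upload_url }}
    - name: Upload IG distributions packages
      uses: csexton/release-asset-action@3567794e918fa3068116688122a76cdeb57b5f09 # v3
      with:
        pattern: "ig_packages/ig*"
        github-token: ${{ secrets.GITHUB_TOKEN }}
        release-url: ${{ steps.create_release.outputs.upload_url }}
    - name: Upload Inpektor Gadget Helm Charts
      uses: csexton/release-asset-action@3567794e918fa3068116688122a76cdeb57b5f09 # v3
      with:
        pattern: "gadget-charts-tgz/gadget-*.tgz"
        github-token: ${{ secrets.GITHUB_TOKEN }}
        release-url: ${{ steps.create_release.outputs.upload_url }}
    # The three signature-related uploads only make sense when the signing
    # steps above ran; they are gated on the same cosign condition.
    - name: Upload public key
      if: needs.check-secrets.outputs.cosign == 'true'
      uses: csexton/release-asset-action@3567794e918fa3068116688122a76cdeb57b5f09 # v3
      with:
        pattern: "*.pub"
        github-token: ${{ secrets.GITHUB_TOKEN }}
        release-url: ${{ steps.create_release.outputs.upload_url }}
    - name: Upload bundle
      if: needs.check-secrets.outputs.cosign == 'true'
      uses: csexton/release-asset-action@3567794e918fa3068116688122a76cdeb57b5f09 # v3
      with:
        pattern: "*.bundle"
        github-token: ${{ secrets.GITHUB_TOKEN }}
        release-url: ${{ steps.create_release.outputs.upload_url }}
    - name: Upload signature
      if: needs.check-secrets.outputs.cosign == 'true'
      uses: csexton/release-asset-action@3567794e918fa3068116688122a76cdeb57b5f09 # v3
      with:
        pattern: "*.sig"
        github-token: ${{ secrets.GITHUB_TOKEN }}
        release-url: ${{ steps.create_release.outputs.upload_url }}
    - name: Upload binaries SBOMs
      uses: csexton/release-asset-action@3567794e918fa3068116688122a76cdeb57b5f09 # v3
      with:
        pattern: "sbom/*.bom.json"
        github-token: ${{ secrets.GITHUB_TOKEN }}
        release-url: ${{ steps.create_release.outputs.upload_url }}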