Skip to content

A minimum patch to fix CVE 2024 21626 #135

A minimum patch to fix CVE 2024 21626

A minimum patch to fix CVE 2024 21626 #135

Workflow file for this run

name: validate
on:
push:
tags:
- v*
branches:
- master
- release-*
pull_request:
env:
GO_VERSION: 1.20.x
jobs:
keyring:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v3
- name: check runc.keyring
run: make validate-keyring
lint:
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 2
- uses: actions/setup-go@v4
with:
go-version: "${{ env.GO_VERSION }}"
cache: false # golangci-lint-action does its own caching
- name: install deps
run: |
sudo apt -q update
sudo apt -q install libseccomp-dev
- uses: golangci/golangci-lint-action@v3
with:
version: v1.53
# Extra linters, only checking new code from a pull request.
- name: lint-extra
if: github.event_name == 'pull_request'
run: |
golangci-lint run --config .golangci-extra.yml --new-from-rev=HEAD~1 --out-format=github-actions
compile-buildtags:
runs-on: ubuntu-20.04
env:
# Don't ignore C warnings. Note that the output of "go env CGO_CFLAGS" by default is "-g -O2", so we keep them.
CGO_CFLAGS: -g -O2 -Werror
steps:
- uses: actions/checkout@v3
- name: install go
uses: actions/setup-go@v4
with:
go-version: "${{ env.GO_VERSION }}"
- name: compile with no build tags
run: make BUILDTAGS=""
codespell:
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v3
- name: install deps
# Version of codespell bundled with Ubuntu is way old, so use pip.
run: pip install codespell
- name: run codespell
run: codespell
shfmt:
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v3
- name: shfmt
run: make shfmt
shellcheck:
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v3
- name: vars
run: |
echo 'VERSION=v0.8.0' >> $GITHUB_ENV
echo 'BASEURL=https://github.com/koalaman/shellcheck/releases/download' >> $GITHUB_ENV
echo 'SHA256SUM=f4bce23c11c3919c1b20bcb0f206f6b44c44e26f2bc95f8aa708716095fa0651' >> $GITHUB_ENV
echo ~/bin >> $GITHUB_PATH
- name: install shellcheck
run: |
mkdir ~/bin
curl -sSfL --retry 5 $BASEURL/$VERSION/shellcheck-$VERSION.linux.x86_64.tar.xz |
tar xfJ - -C ~/bin --strip 1 shellcheck-$VERSION/shellcheck
sha256sum ~/bin/shellcheck | grep -q $SHA256SUM
# make sure to remove the old version
sudo rm -f /usr/bin/shellcheck
- uses: lumaxis/shellcheck-problem-matchers@v2
- name: shellcheck
run: |
make shellcheck
- name: check-config.sh
run : ./script/check-config.sh
deps:
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v3
- name: install go
uses: actions/setup-go@v4
with:
go-version: "${{ env.GO_VERSION }}"
- name: verify deps
run: make verify-dependencies
commit:
runs-on: ubuntu-20.04
# Only check commits on pull requests.
if: github.event_name == 'pull_request'
steps:
- name: get pr commits
id: 'get-pr-commits'
uses: tim-actions/get-pr-commits@v1.1.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: check subject line length
uses: tim-actions/commit-message-checker-with-regex@v0.3.1
with:
commits: ${{ steps.get-pr-commits.outputs.commits }}
pattern: '^.{0,72}(\n.*)*$'
error: 'Subject too long (max 72)'
cfmt:
runs-on: ubuntu-20.04
steps:
- name: checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: install deps
run: |
sudo apt -qq update
sudo apt -qq install indent
- name: cfmt
run: |
make cfmt
git diff --exit-code
release:
runs-on: ubuntu-20.04
steps:
- name: checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: check CHANGELOG.md
run: make verify-changelog
# We have to run this under Docker as Ubuntu (host) does not support all
# the architectures we want to compile test against, and Dockerfile uses
# Debian (which does).
#
# XXX: as currently this is the only job that is using Docker, we are
# building and using the runcimage locally. In case more jobs running
# under Docker will emerge, it will be good to have a separate make
# runcimage job and share its result (the docker image) with whoever
# needs it.
- name: build docker image
run: make runcimage
- name: make releaseall
run: make releaseall
- name: upload artifacts
uses: actions/upload-artifact@v3
with:
name: release-${{ github.run_id }}
path: release/*