diff --git a/.github/workflows/reusable-publish-oci-artifacts.yaml b/.github/workflows/reusable-publish-oci-artifacts.yaml index 942ca357..c1d89d4a 100644 --- a/.github/workflows/reusable-publish-oci-artifacts.yaml +++ b/.github/workflows/reusable-publish-oci-artifacts.yaml @@ -23,13 +23,13 @@ jobs: steps: - name: Download x86_64 plugins - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: plugins-x86_64-${{ inputs.suffix }}.tar.gz path: /tmp/plugins-x86_64 - name: Download aarch64 plugins - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: plugins-aarch64-${{ inputs.suffix }}.tar.gz path: /tmp/plugins-aarch64 @@ -42,7 +42,7 @@ jobs: - name: Setup Golang uses: actions/setup-go@v3 with: - go-version: '^1.21' + go-version: "^1.21" - name: Build registry artifact tool working-directory: build/registry @@ -68,7 +68,7 @@ jobs: # Create signatures of the plugin artifacts as OCI artifacts sign-oci-artifacts: - needs: [ publish-oci-artifacts ] + needs: [publish-oci-artifacts] runs-on: ubuntu-latest if: ${{ needs.publish-oci-artifacts.outputs.matrix != '[]' }} diff --git a/.github/workflows/reusable_build_packages.yaml b/.github/workflows/reusable_build_packages.yaml index 468b6542..08144d8e 100644 --- a/.github/workflows/reusable_build_packages.yaml +++ b/.github/workflows/reusable_build_packages.yaml @@ -10,11 +10,11 @@ on: description: Suffix for uploading packages (dev or stable) required: true type: string - + jobs: build-packages: name: build-packages-${{ matrix.arch }} - runs-on: ${{ (matrix.arch == 'aarch64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-22.04' }} + runs-on: ${{ (matrix.arch == 'aarch64' && 'github-arm64-2c-8gb') || 'ubuntu-22.04' }} strategy: matrix: arch: [x86_64, aarch64] 
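Review bot: Both download steps in the first hunk of reusable-publish-oci-artifacts.yaml still reference a mutable major tag (`actions/download-artifact@v4`), so whatever commit that tag points to at run time executes in a workflow that publishes and signs plugin artifacts. The same applies to every `download-artifact@v4` and `upload-artifact@v4` line in this commit. The untouched context lines `actions/setup-go@v3`, `actions/checkout@v3` and `aws-actions/configure-aws-credentials@v2` carry the same exposure, the last one in a workflow that grants `id-token: write`. Pin each action to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/download-artifact@<full-commit-sha>  # v4`, then let Dependabot or Renovate propose the bumps.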
@@ -42,12 +42,12 @@ jobs: - name: Safe directory run: git config --global --add safe.directory $GITHUB_WORKSPACE - + - name: Run build ๐Ÿ—๏ธ run: ${{ inputs.makecommand }} - name: Upload artifacts - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: plugins-${{ matrix.arch }}-${{ inputs.suffix }}.tar.gz path: output/*.tar.gz diff --git a/.github/workflows/reusable_build_rules_tool.yaml b/.github/workflows/reusable_build_rules_tool.yaml index 3e07ea6e..6999bc6d 100644 --- a/.github/workflows/reusable_build_rules_tool.yaml +++ b/.github/workflows/reusable_build_rules_tool.yaml @@ -12,7 +12,7 @@ on: required: false default: falcosecurity/rules type: string - + jobs: build-rules-checker: runs-on: ubuntu-latest @@ -20,7 +20,7 @@ jobs: - name: Setup Golang uses: actions/setup-go@v3 with: - go-version: '1.19.0' + go-version: "1.19.0" - name: Checkout rules uses: actions/checkout@v3 @@ -30,13 +30,13 @@ jobs: - name: Build checker tool working-directory: build/checker run: go build -o ${{ inputs.output }} - + - name: Test checker tool working-directory: build/checker run: go test ./... -cover - name: Upload artifacts - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: rules-tool.tar.gz path: build/checker/${{ inputs.output }} diff --git a/.github/workflows/reusable_publish_packages.yaml b/.github/workflows/reusable_publish_packages.yaml index 1b34557c..59acca67 100644 --- a/.github/workflows/reusable_publish_packages.yaml +++ b/.github/workflows/reusable_publish_packages.yaml @@ -6,7 +6,7 @@ on: description: Suffix for uploading packages (dev or stable) required: true type: string - + permissions: id-token: write contents: read 
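Review bot: In the `@@ -30,13` hunk of reusable_build_rules_tool.yaml, the context line `run: go build -o ${{ inputs.output }}` expands the input into the script text before the shell parses it, so a value containing shell metacharacters would be executed rather than treated as a file name. Pass it through the environment and quote it: add `env:` with `OUTPUT: ${{ inputs.output }}` to the step and use `run: go build -o "$OUTPUT"`. The same pattern appears in the `aws s3 cp ... ${{ inputs.suffix }}/` line of reusable_publish_packages.yaml, where `$package` is also unquoted, and in the `./.github/setup-plugin-config-rules.sh ${{ inputs.plugin }}` steps of reusable_validate_plugins.yaml. Whether any caller derives these inputs from untrusted data is not visible in this diff, so treat this as hardening.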
@@ -14,24 +14,24 @@ permissions: env: AWS_S3_BUCKET: falco-distribution AWS_S3_PREFIX: plugins - AWS_S3_REGION: eu-west-1 - + AWS_S3_REGION: eu-west-1 + jobs: publish-packages: runs-on: ubuntu-latest steps: - name: Download x86_64 plugins - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: plugins-x86_64-${{ inputs.suffix }}.tar.gz path: /tmp/plugins-x86_64 - + - name: Download aarch64 plugins - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: plugins-aarch64-${{ inputs.suffix }}.tar.gz path: /tmp/plugins-aarch64 - + - name: Configure AWS credentials ๐Ÿ”งโš™๏ธ uses: aws-actions/configure-aws-credentials@v2 with: @@ -42,5 +42,4 @@ jobs: run: | for package in /tmp/plugins-*/*.tar.gz; do aws s3 cp --no-progress $package s3://${{ env.AWS_S3_BUCKET}}/${{ env.AWS_S3_PREFIX }}/${{ inputs.suffix }}/ - done - + done diff --git a/.github/workflows/reusable_suggest_rules_version.yaml b/.github/workflows/reusable_suggest_rules_version.yaml index a868ef0a..8553272c 100644 --- a/.github/workflows/reusable_suggest_rules_version.yaml +++ b/.github/workflows/reusable_suggest_rules_version.yaml @@ -52,10 +52,10 @@ jobs: run: ./.github/get-latest-plugin-version.sh ${{ inputs.plugin }} - name: Download rules tool - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: rules-tool.tar.gz - + # note: here we're loading the locally-built plugins, whereas another # solution would be to pull them with falcoctl. The flaw with this # approach is that we load the same plugin for both the "old" and the 
@@ -63,11 +63,11 @@ jobs: # the two rulesets depend on plugins with different majors. # todo(jasondellaluce): fix this corner case in the future - name: Download plugins - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: ${{ inputs.plugins-artifact }} path: /tmp/plugins-${{ inputs.arch }} - + - name: Extract plugins run: | for archive in /tmp/plugins-*/*.tar.gz; do @@ -77,7 +77,7 @@ jobs: sudo mkdir -p /usr/share/falco/plugins sudo cp -r *.so /usr/share/falco/plugins || true popd && rm -fr tmpdir - done + done - name: Compare changed files with previous versions id: compare @@ -114,7 +114,7 @@ jobs: cp ${{ steps.compare.outputs.comment_file }} ./pr/COMMENT-${{ inputs.job-index }} - name: Upload PR info as artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 if: steps.compare.outputs.comment_file != '' with: name: pr-${{ inputs.job-index }} @@ -127,10 +127,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Download PR infos - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: path: tmp-artifacts - + - name: Save PR info run: | mkdir -p ./pr @@ -149,7 +149,7 @@ jobs: echo "" - name: Upload PR info as artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: pr path: pr/ diff --git a/.github/workflows/reusable_validate_plugins.yaml b/.github/workflows/reusable_validate_plugins.yaml index 44953e05..130b48bc 100644 --- a/.github/workflows/reusable_validate_plugins.yaml +++ b/.github/workflows/reusable_validate_plugins.yaml @@ -34,7 +34,7 @@ jobs: runs-on: ubuntu-latest container: golang:1.18 env: - GOFLAGS: '-buildvcs=false' + GOFLAGS: "-buildvcs=false" steps: - name: Checkout code uses: actions/checkout@v3 
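Review bot: The `Download PR infos` step in the `@@ -127,10` hunk sets only `path: tmp-artifacts`, which makes download-artifact fetch every artifact of the run, not just the `pr-${{ inputs.job-index }}` ones uploaded in the `@@ -114,7` hunk. With v4 this can be narrowed by adding `pattern: pr-*` under `with:`, so other artifacts of the run do not land in the tree that feeds the final `pr` artifact. The plugin and rules-tool archives downloaded earlier in this file are the likely candidates. The `Save PR info` script continues outside the hunk, so whether it already filters the downloaded directories cannot be confirmed from here.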
@@ -47,12 +47,12 @@ jobs: run: ./.github/setup-plugin-config-rules.sh ${{ inputs.plugin }} - name: Download rules tool - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: rules-tool.tar.gz - name: Download plugins - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: ${{ inputs.plugins-artifact }} path: /tmp/plugins-${{ inputs.arch }} @@ -66,13 +66,13 @@ jobs: mkdir -p /etc/falco/falco mkdir -p /usr/share/falco/plugins - + # avoids git exit status 128: detected dubious ownership in repository git config --global --add safe.directory $(pwd) for plugin_name in $loaded_plugins; do echo Installing locally-built plugin "$plugin_name"... - + # At release time we only build the released plugin, so it's possible # that validation requires a plugin that we haven't built locally. # in those cases, we build it on-the-fly perform validation with it. @@ -122,20 +122,20 @@ jobs: uses: actions/checkout@v3 - name: Install system dependencies - run: sudo wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq && sudo chmod +x /usr/bin/yq - + run: sudo wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq && sudo chmod +x /usr/bin/yq + - name: Setup plugin config and rules id: get-config run: ./.github/setup-plugin-config-rules.sh ${{ inputs.plugin }} - name: Download plugins - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: ${{ inputs.plugins-artifact }} path: /tmp/plugins-${{ inputs.arch }} - name: Download rules tool - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: rules-tool.tar.gz 
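Review bot: The re-added `Install system dependencies` line in the `@@ -122,20` hunk fetches `releases/latest/download/yq_linux_amd64` and installs it as `/usr/bin/yq` with sudo. It has neither a fixed version nor an integrity check, so the binary that runs in this job can change between runs. Pin the release in the URL (`.../releases/download/<pinned-version>/yq_linux_amd64`) and verify it before the `chmod`, e.g. `echo "<expected-sha256>  /usr/bin/yq" | sha256sum -c -`, with the digest kept in the repository. The falcoctl step in the `@@ -143,7` hunk pins a version through `inputs.falcoctl-version`, but it likewise pipes the download into `tar -xz` and installs the result as root without checking a digest.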
@@ -143,7 +143,7 @@ jobs: run: | curl --fail -LS "https://github.com/falcosecurity/falcoctl/releases/download/v${{ inputs.falcoctl-version }}/falcoctl_${{ inputs.falcoctl-version }}_linux_${{ inputs.arch == 'x86_64' && 'amd64' || 'arm64' }}.tar.gz" | tar -xz sudo install -o root -g root -m 0755 falcoctl /usr/local/bin/falcoctl - + # note(jsondellaluce): exploring the set of all dependencies including their # alternatives and all the possible combinations of different versions would # result in a combinatorial explosion. As such, we take the simple route @@ -223,4 +223,4 @@ jobs: "${{ inputs.rules-checker }}" \ "${{ steps.get-config.outputs.config_file }}" \ "$rules_files" - done + done